Attacks On Microsoft Zero-Day Bug Picking Up
Researchers say the Rinbot worm is exploiting the vulnerability in Microsoft's DNS server, which could put a lot of corporate users at risk.
A botworm is continuing its attack on a zero-day bug in several of Microsoft's server products.
The Rinbot worm, which also is known as Delbot-AI and Nirbot, is exploiting a vulnerability in the Microsoft Domain Name System Server Service. The flaw lies in the way the Windows DNS Server's Remote Procedure Call (RPC) interface has been implemented.
Rinbot, which is an Internet Relay Chat (IRC) controlled backdoor, exploits the flaw by sending a crafted RPC packet to vulnerable computers. If the worm successfully infects a machine, according to researchers at Sophos, it gives attackers remote control of that machine, letting them dictate what it does and steal information from an unsuspecting user.
Craig Schmugar, a McAfee threat researcher, noted in a blog entry that two more variants have been discovered. One has a file name of mdnex.exe, and the other has a file name of mozila.exe.
"This flaw in Microsoft's code has only been known about for a handful of days, and already there is a worm which is taking advantage of the problem in its attempt to infect as many PCs as possible," said Graham Cluley, a senior technology consultant for Sophos, in a written advisory. "Time and time again, hackers are forcing companies like Microsoft to scrabble around to develop, test, and roll-out a software patch."
Christopher Budd, a security program manager with Microsoft, said in an online advisory that he hopes Microsoft will come out with a patch for the vulnerability no later than May 8, which is the due date for the company's next Patch Tuesday.
The DNS bug could affect servers running Microsoft Windows 2000 Server Service Pack 4, Windows Server 2003 SP 1, and Windows Server 2003 SP 2.
A Microsoft advisory states that Windows Vista, along with Microsoft Windows 2000 Professional SP 4 and Windows XP SP 2, do not contain the flawed code, and so they are not affected.
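The two things an administrator reading this would want to check right away are whether a given host is one of the affected platforms running the DNS Server service, and whether the variant file names reported above (mdnex.exe, mozila.exe) are present on it. The script below is an added example, not code from the article or from any of the vendors quoted in it. It assumes the affected-platform list and the file names exactly as the article gives them; a matching file name is only a reason to investigate, not proof of infection, and a worm variant can trivially use a different name.

```powershell
# Added example, not from the original article. Assumes the affected
# platforms and the variant file names (mdnex.exe, mozila.exe) exactly as
# the article lists them; a file-name hit is a lead to investigate, not proof.

function Test-DnsRpcExposure {
    $os      = Get-WmiObject -Class Win32_OperatingSystem
    $caption = $os.Caption
    $sp      = [int]$os.ServicePackMajorVersion

    # Article: Windows 2000 Server SP4 and Windows Server 2003 SP1/SP2 are
    # affected; Vista, Windows 2000 Professional SP4 and XP SP2 are not.
    # The 2000 pattern also matches "Advanced Server"; adjust if you only
    # want the exact edition named in the advisory.
    $affectedOs = (($caption -match 'Windows 2000.*Server') -and ($sp -eq 4)) -or
                  (($caption -match 'Windows Server 2003') -and (($sp -eq 1) -or ($sp -eq 2)))

    # Only hosts actually running the DNS Server service expose its RPC interface.
    $dnsSvc     = Get-Service -Name DNS -ErrorAction SilentlyContinue
    $dnsRunning = ($dnsSvc -ne $null) -and ($dnsSvc.Status -eq 'Running')

    New-Object PSObject -Property @{
        OS                = "$caption SP$sp"
        AffectedOS        = $affectedOs
        DnsServiceRunning = $dnsRunning
        Exposed           = ($affectedOs -and $dnsRunning)
    }
}

function Find-RinbotFileNames {
    param(
        # File names taken from the article; extend as new variants are reported.
        [string[]]$Names = @('mdnex.exe', 'mozila.exe'),
        # Starting points only; %SystemRoot% and the current user's temp dir.
        [string[]]$Roots = @($env:SystemRoot, $env:TEMP)
    )

    # Files on disk whose name matches one of the reported variant names.
    $hits = @()
    foreach ($root in $Roots) {
        if (Test-Path $root) {
            $hits += (Get-ChildItem -Path $root -Recurse -Force -ErrorAction SilentlyContinue |
                      Where-Object { (-not $_.PSIsContainer) -and ($Names -contains $_.Name) })
        }
    }

    # Running processes by image name (ProcessName has no extension).
    $procNames = $Names | ForEach-Object { [System.IO.Path]::GetFileNameWithoutExtension($_) }
    $procs = Get-Process | Where-Object { $procNames -contains $_.ProcessName }

    New-Object PSObject -Property @{
        Files     = $hits
        Processes = $procs
    }
}

# Usage: run on each Windows DNS server (elevated, so the file walk can read everything).
Test-DnsRpcExposure  | Format-List
Find-RinbotFileNames | Format-List
```

Run this with administrative rights on every Windows DNS server you own, not just domain controllers; the exposure check is about the service being present, not the host's role. Since the worm is IRC-controlled, a host that shows `Exposed = True` and a process or file hit should be pulled off the network and examined before a patch is applied, because patching does not remove an existing backdoor.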
Amol Sarwate, manager of the vulnerability research lab at Qualys, Inc., explained in an earlier interview that this is a serious vulnerability because it is not a desktop problem but a server problem. That means it will affect all of the employees in a company that use that server.
The DNS server translates names into IP addresses. For example, when a user types "www.yahoo.com" into his browser, the DNS server translates that text name into an IP address so the request can be routed to the correct servers.
Because DNS servers typically sit in a data center and answer queries for every client in the organization, an attacker who compromises one can alter the answers it gives. Sarwate said that means when a user types in "yahoo.com", his browser will not go there but instead will go to a site the hacker directs him to. Hackers would most likely divert users to a malicious Web site where they would be infected with malware.