Variants of the Rinbot worm are exploiting the Windows Server DNS Service vulnerability, researchers said today. The worm exploits the flaw by sending a specially crafted Remote Procedure Call (RPC) packet to targeted PCs, analysts said.
Ron O’Brien, senior security analyst at Sophos, told SCMagazine.com today that the worm has made the vulnerability much more than just a DNS-related headache for administrators because it can also use other vulnerabilities to propagate.
"I found this to be of particular interest, because we are effectively looking at the possibility of a computer talking directly to another computer. If the DNS server has been compromised, anyone who is dialing up that website can be directed to another website," he said. "It’s not strictly the vulnerability within the Microsoft DNS server, but the overall sophistication of the malware that is able to customize itself to take advantage of any situation that is presented."
Microsoft on Monday updated its advisory on the vulnerability, adding that new attacks were exploiting the flaw.
Christopher Budd, Microsoft security program manager, said on a company blog on Monday that "a new attack...is attempting to exploit this vulnerability."
"At this time, the attack does not appear widespread," he said.
Craig Schmugar, threat research manager at McAfee Avert Labs, said in a late Monday post on the lab's blog that two variants, mdnex.exe and mozila.exe, were exploiting the flaw.
Symptoms of infection by either of the variants include unexpected HTTP traffic over non-standard ports and unusual DNS queries, according to McAfee.
Exploits were first publicly released for the DNS flaw on Sunday, but Microsoft and various security vendors reported that attacks were limited.
By Monday, a Metasploit module had been released and code had been released on Milw0rm and other exploit sites.
Paul Zinski, senior director of products and strategy at PatchLink, told SCMagazine.com today that although attacks are few, the vulnerability is dangerous because it can be exploited for cross-site scripting attacks.
"Some points of this have to be taken very seriously, because with DNS servers, if they’re attacked, they allow you to manipulate websites and redirect users to a site containing malicious code," he said.
Microsoft had previously updated its advisory on Sunday, noting that attackers can access the vulnerability over port 445 if they have valid login credentials.
Budd said on Sunday that administrators should employ feasible workarounds as soon as possible, including blocking TCP and UDP port 445 and all unsolicited traffic on ports greater than 1024.
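The following is an added example, not code from the article, McAfee or Microsoft: a small log-review script that turns the symptoms McAfee lists (HTTP over non-standard ports) and the workaround Budd describes (block port 445 and unsolicited traffic to ports above 1024) into checks over connection records. The log format, the IP addresses and the set of "standard" HTTP ports are constructed assumptions.

```python
import re

# Constructed connection-log format (hypothetical, not any vendor's):
#   <proto> <src_ip>:<src_port> -> <dst_ip>:<dst_port> <in|out> <app>
# "in" = connection initiated from outside toward the DNS server.
LINE_RE = re.compile(
    r"^(?P<proto>tcp|udp) (?P<src>[\d.]+):(?P<sport>\d+) -> "
    r"(?P<dst>[\d.]+):(?P<dport>\d+) (?P<dir>in|out) (?P<app>\S+)$")
HTTP_STANDARD_PORTS = {80, 443, 8080}  # assumed "expected" HTTP ports

def parse_line(line):
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"], rec["dport"] = int(rec["sport"]), int(rec["dport"])
    return rec

def flag(rec):
    """Names of the rules a single connection record trips."""
    hits = []
    # Workaround: SMB/RPC on 445 is reachable with valid credentials
    if rec["dir"] == "in" and rec["dport"] == 445:
        hits.append("inbound-445")
    # Workaround: unsolicited inbound traffic to ports above 1024
    # (the DNS RPC interface listens on a dynamic high port)
    if rec["dir"] == "in" and rec["dport"] > 1024:
        hits.append("unsolicited-high-port")
    # Infection symptom: HTTP traffic over a non-standard port
    if rec["app"] == "http" and rec["dport"] not in HTTP_STANDARD_PORTS:
        hits.append("http-nonstandard-port")
    return hits

def scan(lines):
    """Map each rule name to the set of source IPs that triggered it."""
    findings = {}
    for rec in filter(None, map(parse_line, lines)):
        for rule in flag(rec):
            findings.setdefault(rule, set()).add(rec["src"])
    return findings

# Constructed sample traffic as seen by a DNS server at 10.0.0.53
SAMPLE_LOG = """
udp 10.0.0.7:51234 -> 10.0.0.53:53 in dns
tcp 198.51.100.9:4021 -> 10.0.0.53:445 in smb
tcp 198.51.100.9:4022 -> 10.0.0.53:1029 in rpc
tcp 10.0.0.53:1035 -> 203.0.113.5:5555 out http
tcp 10.0.0.12:50001 -> 10.0.0.53:80 in http
""".strip().splitlines()
```

Running `scan(SAMPLE_LOG)` reports the two connections from 198.51.100.9 (port 445 and a high RPC port) and the outbound HTTP session to port 5555, while ordinary DNS and port-80 traffic passes silently.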