A bot program is spreading through Microsoft Domain Name Service (DNS) servers using a yet-to-be-patched flaw in the program's administrative interface, security companies said on Tuesday.
The bot program, known as Rinbot and Delbot, has started spreading using the recently acknowledged vulnerability in the remote procedure call (RPC) administrator interface for Microsoft DNS Server software. The bot software also compromises systems using two other vulnerabilities: a flaw in the Windows Server service and a nearly year-old flaw in Symantec's corporate antivirus scanner. Symantec is the owner of SecurityFocus.
One security administrator stated on the Full-Disclosure mailing list that four clients had been hit by the bot program. Microsoft continued to characterize the threat as low, however.
"We have been monitoring the situation overnight and working with our Microsoft Security Response Alliance (MSRA) partners and attacks are still not widespread," Christopher Budd, program manager for Microsoft, stated in a blog post on Tuesday.
The assertion is seemingly backed up by data collected by security firm Arbor Networks, which shows only a moderate number of attacks against the Windows DNS Server flaw. Attacks against the year-old Symantec antivirus flaw continue to be much higher, according to the data.
The latest version of Rinbot compromises vulnerable systems, allows external access to the compromised computer, downloads updated malicious code from the Internet, and scans for open ports, weak passwords and the three aforementioned flaws, according to an advisory posted by antivirus firm Sophos.
Posted by: Robert Lemos