Variants of the Rinbot worm are exploiting the Windows Server DNS Service vulnerability, researchers said today.
Ron O’Brien, senior security analyst at Sophos, told SCMagazine.com today that the worm has made the vulnerability much more than just a DNS-related headache for administrators, because the worm can also use other vulnerabilities to propagate.
"I found this to be of particular interest, because we are effectively looking at the possibility of a computer talking directly to another computer…If the DNS server has been compromised, anyone who is dialing up that website can be directed to another website," he said. "It’s not strictly the vulnerability within the Microsoft DNS server, but the overall sophistication of the malware that is able to customize itself to take advantage of any situation that is presented."
Microsoft on Monday updated its advisory on the vulnerability, adding that new attacks were exploiting the flaw.
Christopher Budd, Microsoft security program manager, said on a company blog Monday that "a new attack...is attempting to exploit this vulnerability."
"At this time, the attack does not appear widespread," he said.
Symptoms of infection by either of the variants include unexpected HTTP traffic over non-standard ports and unusual DNS queries, according to McAfee.
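The two symptoms McAfee lists above can be turned into a simple log check. The following is an added example written for this page, not McAfee's or Microsoft's detection logic: it scans constructed connection and DNS log lines (the line format, the "expected" HTTP ports, and the entropy and length thresholds for an unusual query name are all assumptions made for the example) and reports HTTP request lines sent to ports other than 80/443 and DNS queries containing a long, high-entropy label.

```python
import math
import re
from collections import Counter

# Constructed sample log for this example (not real captured traffic).
# Assumed one-event-per-line format:
#   CONN <src_ip> <dst_ip> <dst_port> <proto> <payload_prefix>
#   DNS  <src_ip> <query_name>
SAMPLE_LOG = """\
CONN 10.0.0.5 203.0.113.7 80 tcp GET_/index.html_HTTP/1.1
CONN 10.0.0.5 203.0.113.9 8080 tcp GET_/x.php_HTTP/1.1
CONN 10.0.0.5 198.51.100.2 6667 tcp GET_/dl/update.exe_HTTP/1.0
CONN 10.0.0.5 203.0.113.7 445 tcp SMB
DNS 10.0.0.5 www.example.com
DNS 10.0.0.5 a8f3k2q9z1m4.example.net
DNS 10.0.0.5 mail.example.com
"""

# Assumed baseline: the only ports on which outbound HTTP is expected.
EXPECTED_HTTP_PORTS = {80, 443}
# Payload prefix that looks like an HTTP request line (spaces encoded as "_").
HTTP_REQUEST = re.compile(r"^(GET|POST|HEAD)_/\S*_HTTP/1\.[01]$")
# Assumed thresholds for calling a DNS label "unusual" (long and high-entropy).
MIN_LABEL_LEN = 10
MIN_ENTROPY_BITS = 3.0


def shannon_entropy(s: str) -> float:
    """Shannon entropy of s in bits per character."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def unusual_dns_name(qname: str) -> bool:
    """Heuristic: flag a query name with any long, high-entropy label,
    the shape algorithmically generated hostnames tend to have."""
    for label in qname.lower().rstrip(".").split("."):
        if len(label) >= MIN_LABEL_LEN and shannon_entropy(label) >= MIN_ENTROPY_BITS:
            return True
    return False


def http_on_nonstandard_port(dst_port: int, payload: str) -> bool:
    """True when an HTTP request line goes to a port outside the baseline."""
    return dst_port not in EXPECTED_HTTP_PORTS and bool(HTTP_REQUEST.match(payload))


def scan_log(text: str) -> list:
    """Return a (src_ip, reason) tuple for every line matching a symptom."""
    findings = []
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        if parts[0] == "CONN" and len(parts) == 6:
            src, dst, port, proto, payload = parts[1], parts[2], int(parts[3]), parts[4], parts[5]
            if proto == "tcp" and http_on_nonstandard_port(port, payload):
                findings.append((src, f"HTTP request to {dst}:{port}"))
        elif parts[0] == "DNS" and len(parts) == 3:
            src, qname = parts[1], parts[2]
            if unusual_dns_name(qname):
                findings.append((src, f"unusual DNS query {qname}"))
    return findings


if __name__ == "__main__":
    for src, reason in scan_log(SAMPLE_LOG):
        print(f"{src}: {reason}")
```

On the sample log the scan reports the two HTTP requests to ports 8080 and 6667 and the generated-looking query name, and ignores the normal port-80 request, the SMB connection and the ordinary hostnames. The entropy threshold is deliberately crude; in practice it should be paired with an allowlist of known-good domains to keep CDN and cloud hostnames from being flagged.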
Exploits were first publicly released for the DNS flaw on Sunday, but Microsoft and various security vendors reported that attacks were limited.
Paul Zinski, senior director of products and strategy at PatchLink, told SCMagazine.com today that although attacks are few, the vulnerability is dangerous because it can be exploited for redirection attacks.
"Some points of this have to be taken very seriously, because with DNS servers, if they’re attacked, they allow you to manipulate websites and redirect users to a site containing malicious code," he said.
Microsoft had previously updated its advisory on Sunday, noting that, in addition to the dynamically assigned RPC ports above 1024, attackers can reach the vulnerability over TCP port 445 (SMB) if they have valid login credentials.
Budd said on Sunday that administrators should employ feasible workarounds as soon as possible, including blocking TCP and UDP port 445 and all unsolicited inbound traffic on ports greater than 1024 at the firewall. Those blocks only cut off attackers outside the firewall; an authenticated attacker on the same network segment can still reach the service.