Worm spreads via zero day Microsoft DNS vulnerability

Stan Beer
Wednesday, 18 April 2007 14:00

Your IT - Home IT

It security specialist Sophos has warned businesses of a worm that is exploiting an unpatched zero day vulnerability in Microsoft's software. The W32/Delbot-AI worm (also known as Nirbot or Rinbot) is taking advantage of a vulnerability in the way Microsoft Windows DNS Server's Remote Procedure Call (RPC) interface has been implemented. The hackers' worm has been able to exploit the flaw by sending a crafted RPC packet to vulnerable PCs.

If the worm successfully infects a PC it allows hackers to gain access over the computer, giving them the ability to control what it does and steal information from the unsuspecting user.

"This flaw in Microsoft's code has only been known about for a handful of days, and already there is a worm which is taking advantage of the problem in its attempt to infect as many PCs as possible. Time and time again hackers are forcing companies like Microsoft to scrabble around to develop, test and roll-out a software patch," said Graham Cluley, senior technology consultant for Sophos. "Businesses should ensure that their computers are properly configured, and protected with up-to-date anti-virus software, hardened firewalls and patches."

The worm can also exploit a vulnerability present in Symantec's anti-virus product line, which was patched a year ago.

Microsoft has published an advisory on its website giving guidance to companies who may be affected by the flaw in its software.

The news of the worm comes a week after Microsoft patched a series of other critical vulnerabilities in its software.

"The computer underground appear to be revelling in waiting until Microsoft has released its monthly batch of patches, before unleashing their latest attacks," continued Cluley. "It's not just businesses who are being affected by this, Microsoft will not be enjoying having the security of their software brought into question again."

Sophos suggests that every IT manager responsible for security should consider subscribing to vulnerability mailing lists such as that operated by Microsoft at www.microsoft.com/technet/security/bulletin/notify.mspx.