• PC World
• »Security

Security researchers late Monday spotted botworms exploiting a zero-day bug in Microsoft Corp.'s Windows DNS Server Service, confirming suspicions earlier in the day that hackers were sniffing out vulnerable systems.

McAfee Inc.'s Avert Labs was the first to report that a new Nirbot variant -- the worm also goes by the name Rinbot -- was trying to exploit the DNS vulnerability in the wild. In a blog entry Monday afternoon, virus research manager Craig Schmugar said the botworm was an "internet relay chat [IRC] controlled backdoor, which provides an attacker with unauthorized remote access to the compromised computer." Later Monday, McAfee announced it had found a second Nirbot/Rinbot variant exploiting the bug.

According to McAfee's analysis, the new Nirbot botworms scan for vulnerable servers, then use multiple exploits -- including the unpatched DNS flaw -- in an attempt to hijack the machine.

Earlier Monday, Symantec Corp. warned of an extraordinary spike in scans for TCP and UDP Port 1025, the first available port used by Windows's RPC (Remote Procedure Call) protocol. The bug in Windows 2000 Server and Windows Server 2003 that Microsoft disclosed last week can be exploited by sending a malicious RPC packet via Port 1025 or higher. Monday evening, Symantec confirmed that the source of the increased Port 1025 activity was the Nirbot/Rinbot, and like McAfee, posted an initial analysis of the worm.

The SANS Institute's Internet Storm Center added its voice to the chorus. "We are currently tracking a new version of the Rinbot worm that in addition to its regular scans, is also scanning for port 1025/tcp," said analyst Maarten Van Horenbeeck. "Once connected, it attempts to do a Windows 2000 DnsservQuery, attempting to exploit the recent Microsoft DNS RPC vulnerability."

Also last night, Microsoft corroborated the McAfee and Symantec reports. "We are seeing a new attack that is attempting to exploit this vulnerability," said Christopher Budd, Microsoft Security Response Center (MSRC) program manager, on the MSRC blog. "At this time, the attack does not appear widespread."

Microsoft, which has not yet produced a patch for the vulnerability, continued to urge users to disable remote management over RPC and block inbound Ports 1025 and higher.

If the past is any prologue, the fast-moving situation may move Microsoft to issue an out-of-cycle patch before the next-scheduled security update, due May 8. Budd's comments seemed to lean that way. "Our teams are continuing to work around the clock on a security update for this issue," he said last night.

The only bright spot may be that users still have time to patch. "The exploit used in the bot appears somewhat rudimentary, because it is currently targeting only TCP port 1025, which is believed to be a static port," said Symantec in a warning to customers of its DeepSight threat network late Monday. "In light of this poor design, we believe that the success of exploitation may be limited until an improved exploit is included in the bot."

Microsoft first noted the DNS Server vulnerability last Thursday; by Saturday, proof-of-concept exploit code had gone public.