Security news17 April 2007
Worm spreads via zero day Microsoft DNS vulnerability Hackers attack unpatched flaw in Microsoft code to penetrate business servers
Infected PCs become part of a zombie network
Sophos, a world leader in IT security and control, has warned businesses of a worm that is exploiting an unpatched zero day vulnerability in Microsoft's software.
The W32/Delbot-AI worm (also known as Nirbot or Rinbot) is taking advantage of a vulnerability in the way Microsoft Windows DNS Server's Remote Procedure Call (RPC) interface has been implemented. The hackers' worm has been able to exploit the flaw by sending a crafted RPC packet to vulnerable PCs.
If the worm successfully infects a PC it allows hackers to gain access over the computer, giving them the ability to control what it does and steal information from the unsuspecting user.
"This flaw in Microsoft's code has only been known about for a handful of days, and already there is a worm which is taking advantage of the problem in its attempt to infect as many PCs as possible. Time and time again hackers are forcing companies like Microsoft to scrabble around to develop, test and roll-out a software patch," said Graham Cluley, senior technology consultant for Sophos. "Businesses should ensure that their computers are properly configured, and protected with up-to-date anti-virus software, hardened firewalls and patches."
The worm can also exploit a vulnerability present in Symantec's anti-virus product line, which was patched a year ago.
Microsoft has published an advisory on its website giving guidance to companies who may be affected by the flaw in its software.
The news of the worm comes a week after Microsoft patched a series of other critical vulnerabilities in its software.
"The computer underground appear to be revelling in waiting until Microsoft has released its monthly batch of patches, before unleashing their latest attacks," continued Cluley. "It's not just businesses who are being affected by this, but Microsoft will not be enjoying having the security of their software brought into question again."
Customers using Sophos anti-virus solutions have been automatically updated to protect against the W32/Delbot-AI worm, but are advised to consult Microsoft's knowledgebase article for further information and roll out Microsoft's patch when it becomes available.
Sophos suggests that every IT manager responsible for security should consider subscribing to vulnerability mailing lists such as that operated by Microsoft at www.microsoft.com/technet/security/bulletin/notify.mspx.
Sophos continues to recommend that all organizations protect their email with an integrated security solution to thwart malware, spyware, hackers and spam threats.
Free virus scan
- Free virus, spyware, and adware scan
- Test your existing anti-virus protection
- Find threats your anti-virus missed
About Sophos
More than 100 million users in 150 countries rely on Sophos as the best protection against complex threats and data loss. Sophos is committed to providing security and data protection solutions that are simple to manage, deploy and use and that deliver the industry's lowest total cost of ownership. Sophos offers award-winning encryption, endpoint security, web, email, and network access control solutions backed by SophosLabs - a global network of threat intelligence centers. With more than two decades of experience, Sophos is regarded as a leader in security and data protection by top analyst firms and has received many industry awards.
Sophos is headquartered in Boston, US and Oxford, UK. More information is available at www.sophos.com.
