New Rinbot scanning for port 1025 DNS/RPC
We are currently tracking a new version of the Rinbot worm that in addition to its regular scans, is also scanning for port 1025/tcp. Once connected, it attempts to do a Windows 2000 DnsservQuery, attempting to exploit the recent Microsoft DNS RPC vulnerability. Detection of this virus is currently very poor, and we are working with the AV vendors to improve this:
AhnLab-V3 2007.4.14.0 04.16.2007 Win32/IRCBot.worm.199680.I
AntiVir 7.3.1.52 04.16.2007 HEUR/Crypted
AVG 7.5.0.447 04.16.2007 Win32/CryptExe
DrWeb 4.33 04.16.2007 BackDoor.IRC.Sdbot.1299
eSafe 7.0.15.0 04.16.2007 Suspicious Trojan/Worm
Fortinet 2.85.0.0 04.16.2007 suspicious
Kaspersky 4.0.2.24 04.16.2007 Backdoor.Win32.VanBot.bx
Prevx1 V2 04.16.2007 Malware.Trojan.Backdoor.Gen
Symantec 10 04.16.2007 W32.Rinbot.A
Webwasher-Gateway 6.0.1 04.16.2007 Heuristic.Crypted
McAfee also has a writeup on this worm here.
We would like to urge you to consider implementing the workarounds discussed in our previous diary entry here and closely review the Microsoft security advisory. (Thanks to David for submitting the initial binary).
New ClamAV version fixes buffer overflow vulnerability
If you're running a version of ClamAV 0.90, now is the time to upgrade to version 0.90.2, released last Friday. This version contains a fix for a buffer overflow vulnerability, CVE-2007-1997, identified by iDefense. An attacker can convince a user (or mail gateway) to scan a maliciously crafted CAB file that could lead to arbitrary code execution under the user account running the scanner.
As a temporary workaround, you could drop CAB files prior to executing the scanner. This is particularly relevant for e-mail gateways, which generally only need to allow a limited set of file types. The CAB format is an archive often used by Microsoft for software distribution, so on a web proxy this may be problematic.
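As an added example (not ClamAV's code or the diary's), here is one way a mail gateway could drop CAB attachments before handing the message to the scanner. It keys on the "MSCF" magic bytes as well as the .cab extension, so a renamed archive is still caught; the sample message and addresses are constructed.

```python
import email
from email import policy
from email.message import EmailMessage

CAB_MAGIC = b"MSCF"  # every Microsoft Cabinet file starts with these four bytes


def is_cab(part) -> bool:
    """True if a MIME leaf part is a CAB archive, by extension or by content.

    Checking the magic bytes catches archives renamed to slip past an
    extension-only filter."""
    name = (part.get_filename() or "").lower()
    payload = part.get_payload(decode=True) or b""
    return name.endswith(".cab") or payload[:4] == CAB_MAGIC


def strip_cab_attachments(raw: bytes):
    """Return (message, removed_names); CAB parts are replaced with a notice
    so the remaining message can still be passed to the scanner."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    removed = []
    for part in msg.walk():
        if part.is_multipart() or not is_cab(part):
            continue
        removed.append(part.get_filename() or "<unnamed>")
        part.set_content("[attachment removed by gateway policy: CAB archive]")
    return msg, removed


def build_sample() -> bytes:
    """Constructed test message: text body, a CAB renamed to .pdf, a PDF-like file."""
    m = EmailMessage()
    m["From"] = "sender@example.test"
    m["To"] = "gateway@example.test"
    m["Subject"] = "constructed sample"
    m.set_content("see attached")
    m.add_attachment(CAB_MAGIC + b"\x00" * 32, maintype="application",
                     subtype="octet-stream", filename="invoice.pdf")
    m.add_attachment(b"%PDF-1.4 constructed", maintype="application",
                     subtype="pdf", filename="real.pdf")
    return m.as_bytes()


def remaining_attachment_names(msg):
    """Filenames of the attachments that survived the filter."""
    return [p.get_filename() for p in msg.walk() if p.get_filename()]


if __name__ == "__main__":
    cleaned, removed = strip_cab_attachments(build_sample())
    print("removed:", removed, "kept:", remaining_attachment_names(cleaned))
```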
Update on Microsoft DNS vulnerability
We received a couple of e-mails over the weekend asking us why this vulnerability was significant. Most public DNS servers should not be listening on the RPC ports, after all. Indeed, networks adhering to basic secure perimeter design would only allow port 53 UDP/TCP to the authoritative DNS servers, and definitely not the additional RPC ports required for exploitation.
However, there are at least two design scenarios that could prove an issue:
- The many Windows servers in use at dedicated hosting providers. In a large number of cases, these will be single-box, do-it-all type hosting machines on the Windows 2003 Web Edition platform. They would be running FTP, HTTP and DNS services, but are usually not shielded by a separate firewall.
- Active Directory servers hosted on the internal network are often combined with DNS functionality. These machines are usually less protected than DMZ DNS servers, and other functionality provisioned may require the RPC ports to be available (e.g. some authentication services). If your Active Directory server is compromised, the game is essentially over.
UPDATE:
- Microsoft has now added that for users with valid authentication credentials, exploitation may be possible over port 445.
- A public exploit now appears to be available that supports the port 445 vector and supports Windows 2003 Server SP2.
- CVE-2007-1748 is now used to track the vulnerability.
- Microsoft added to their advisory that DNS server local administration and configuration may not work if the computer name is 15 characters or longer. They suggest using the FQDN (Fully Qualified Domain Name) of the host to ensure this works correctly.
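The Rinbot 1025/tcp scanning described at the top of this diary and the "only port 53 to the DNS servers" perimeter rule discussed here suggest a simple audit over firewall logs. This added example (not from the diary) runs such a check over constructed log lines: the log format, the DNS server addresses and the internal 192.0.2.0/24 range are all assumptions.

```python
import re
from collections import defaultdict

# Constructed log format: "<timestamp> <ACCEPT|DROP> <TCP|UDP> <src>:<sport> -> <dst>:<dport>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>ACCEPT|DROP) (?P<proto>TCP|UDP) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$")

DNS_SERVERS = {"192.0.2.10", "192.0.2.11"}   # assumed authoritative DNS hosts
ALLOWED_DNS_PORTS = {53}                      # the only port the perimeter should pass
RPC_VECTOR_PORTS = {1025, 445}                # ports named in the discussion above
INTERNAL_PREFIX = "192.0.2."                  # assumed own address range


def parse(lines):
    """Yield one dict per line that matches the constructed format; skip the rest."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            e = m.groupdict()
            e["dport"] = int(e["dport"])
            yield e


def audit(lines, scan_threshold=3):
    """Return (violations, scanners).
    violations: accepted outside connections to a DNS server on a port other than 53
    scanners:   outside sources touching an RPC vector port on >= scan_threshold hosts,
                counted whether or not the firewall dropped the attempt"""
    violations, touched = [], defaultdict(set)
    for e in parse(lines):
        if e["src"].startswith(INTERNAL_PREFIX):
            continue
        if e["dport"] in RPC_VECTOR_PORTS:
            touched[e["src"]].add(e["dst"])
        if (e["action"] == "ACCEPT" and e["dst"] in DNS_SERVERS
                and e["dport"] not in ALLOWED_DNS_PORTS):
            violations.append((e["src"], e["dst"], e["dport"]))
    scanners = sorted(s for s, hosts in touched.items() if len(hosts) >= scan_threshold)
    return violations, scanners


# Constructed sample: one accepted RPC hit on a DNS server, one outside host
# sweeping 1025/tcp across three machines, one internal connection (ignored).
SAMPLE_LOG = """\
2007-04-16T10:00:01 ACCEPT UDP 198.51.100.7:40001 -> 192.0.2.10:53
2007-04-16T10:00:02 ACCEPT TCP 198.51.100.7:40002 -> 192.0.2.10:1025
2007-04-16T10:00:03 DROP TCP 203.0.113.5:3345 -> 192.0.2.20:1025
2007-04-16T10:00:04 DROP TCP 203.0.113.5:3346 -> 192.0.2.21:1025
2007-04-16T10:00:05 DROP TCP 203.0.113.5:3347 -> 192.0.2.22:1025
2007-04-16T10:00:06 ACCEPT TCP 192.0.2.50:1100 -> 192.0.2.11:445
""".splitlines()
```

Calling `audit(SAMPLE_LOG)` reports the accepted 1025/tcp connection to 192.0.2.10 as a policy violation and 203.0.113.5 as the sweeping source.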
--
Maarten Van Horenbeeck
Malware distributed through German-language spam mail
Eric wrote in with a new malicious message that is making the rounds in Europe. It's written in German, and contains a link to a Geocities page that carries an invisible iframe. The content of one of the e-mails is below (translated from the German):
"Berlin U-Bahn employees found the remains of an unidentified flying object.
Also of interest is the investigation into possible reasons for the
malaise of several U-Bahn employees. After numerous inspections, a
foreign body was found. As scientists claim, the body could be as
big as a bus. It was also suspected that it could have emitted strange rays,
because of a "dead zone" formed around the hull.
More on this at http://geocities.com/[filtered]"
Very interesting story about an unidentified flying object and body found in the Berlin underground. The Geocities URL is different in every single mail, and points to an index.html which contains a hidden iframe pointing to a server in Hong Kong, 58.65.239.106. While this host has likely been victimized, you may wish to temporarily block it on your web proxy.
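An added example, not from the diary: a small check that flags iframes sized or styled to be invisible, of the kind described above, and notes when they point off-site. The page markup and the 203.0.113.9 address are constructed placeholders, not the hosts named in this entry.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse


class HiddenIframeFinder(HTMLParser):
    """Records iframes that are sized or styled so the reader never sees them."""

    def __init__(self, page_url):
        super().__init__()
        self.page_host = urlparse(page_url).hostname
        self.findings = []   # (src, reasons, points_off_site)

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "iframe":
            return
        a = {k.lower(): (v or "").strip().lower() for k, v in attrs}
        style = a.get("style", "").replace(" ", "")
        reasons = []
        if a.get("width") in ("0", "1") or a.get("height") in ("0", "1"):
            reasons.append("tiny size")
        if "display:none" in style or "visibility:hidden" in style:
            reasons.append("hidden by style")
        if reasons:
            src = a.get("src", "")
            # a relative src or one on the page's own host is not off-site
            off_site = urlparse(src).hostname not in (None, self.page_host)
            self.findings.append((src, reasons, off_site))


def find_hidden_iframes(html, page_url):
    """Parse a page and return the hidden-iframe findings."""
    p = HiddenIframeFinder(page_url)
    p.feed(html)
    p.close()
    return p.findings


# Constructed page modelled on the diary description: one visible iframe on the
# same host, one zero-size iframe and one display:none iframe to a placeholder IP.
SAMPLE_PAGE = """<html><body>
<h1>Berlin U-Bahn story</h1>
<p>Lorem ipsum.</p>
<iframe src="/related.html" width="400" height="300"></iframe>
<iframe src="http://203.0.113.9/index.html" width="0" height="0" frameborder="0"></iframe>
<iframe src="http://203.0.113.9/x.html" style="display: none"></iframe>
</body></html>"""
SAMPLE_URL = "http://geocities.com/placeholder/index.html"

if __name__ == "__main__":
    for src, reasons, off_site in find_hidden_iframes(SAMPLE_PAGE, SAMPLE_URL):
        print(src, reasons, "off-site" if off_site else "same host")
```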
That server is hosting a file update.exe which has spotty AV coverage at this time:
AntiVir 7.3.1.52 04.16.2007 HEUR/Malware
F-Secure 6.70.13030.0 04.16.2007 W32/Malware
Ikarus T3.1.1.5 04.16.2007 Trojan-Spy.Win32.Goldun.lw
Norman 5.80.02 04.14.2007 W32/Malware
Sophos 4.16.0 04.12.2007 Mal/Binder-C
VBA32 3.11.3 04.14.2007 MalwareScope.Trojan-Spy.BZub.1
Webwasher-Gateway 6.0.1 04.16.2007 Heuristic.Malware
--
Maarten Van Horenbeeck