Did you apply the workaround suggested by Microsoft for the DNS RPC vulnerability? Do you think you’re safe because you don’t allow RPC ports at the perimeter firewall?
Do you meet these two conditions?
- I have Active Directory with the usual Windows-based DNS servers
- I have users
If so, you are in deep trouble. Exploit code for the DNS RPC vulnerability has been incorporated into the Nirbot malware, which is self-updating. So, if you were already infected, now your zombie machines can own your Domain Controllers.
Game over.
The latest turn in the Nirbot saga is that they’ve gone and incorporated the MS Windows DNS RPC interface exploit into their bot. We started seeing this in ATLAS starting Sunday evening GMT and it appears that this flood of MS DNS RPC exploits was seeded into an existing botnet. It appears that one of the public exploits was rolled into the bot over the weekend.
The malware connects to x.rofflewaffles.us at port tcp/8080. Block that. Also from Arbor: “Signs of infections include connections to hosts with that hostname on that port, scans on TCP port 1025 (and other exploits in the bot include SYMC06-010, MS06-040, and weak passwords)”
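One way to turn the two indicators quoted above into a check over connection logs, as an added example that is not from the post or from Arbor. The flow record format (timestamp, source, destination, port, protocol), the sample records and the scan threshold are assumptions; the hostname, port and the TCP/1025 scanning behaviour are the ones named in the post.

```python
# Added example (not from the post): flag the two Nirbot indicators quoted above
# over constructed flow records. Record format and scan threshold are assumptions;
# the indicators (x.rofflewaffles.us:8080, TCP/1025 scanning) come from the post.
from collections import defaultdict

C2_HOST = "x.rofflewaffles.us"   # from the post
C2_PORT = 8080                   # from the post
SCAN_PORT = 1025                 # from the post
SCAN_THRESHOLD = 3               # assumption: distinct targets before calling it a scan

# Constructed sample records, one per line: ts,src,dst,dport,proto
SAMPLE_FLOWS = """\
1177000001,10.0.1.15,x.rofflewaffles.us,8080,tcp
1177000002,10.0.1.15,10.0.1.1,1025,tcp
1177000003,10.0.1.15,10.0.1.2,1025,tcp
1177000004,10.0.1.15,10.0.1.3,1025,tcp
1177000005,10.0.1.22,10.0.1.1,1025,tcp
1177000006,10.0.1.22,www.example.com,443,tcp
1177000007,10.0.1.30,x.rofflewaffles.us,443,tcp
not,a,valid,line
"""

def parse_flows(text):
    """Parse records into tuples; skip blank or malformed lines instead of aborting."""
    flows = []
    for line in text.splitlines():
        parts = line.strip().split(",")
        if len(parts) != 5:
            continue
        ts, src, dst, dport, proto = parts
        try:
            flows.append((int(ts), src, dst.lower(), int(dport), proto.lower()))
        except ValueError:
            continue
    return flows

def find_nirbot_indicators(flows, scan_threshold=SCAN_THRESHOLD):
    """Return {src_ip: [reasons]} for hosts matching either indicator."""
    alerts = defaultdict(list)
    scan_targets = defaultdict(set)   # src -> distinct hosts probed on tcp/1025
    for _ts, src, dst, dport, proto in flows:
        if proto == "tcp" and dst == C2_HOST and dport == C2_PORT:
            alerts[src].append(f"C2 connection to {C2_HOST}:{C2_PORT}")
        if proto == "tcp" and dport == SCAN_PORT:
            scan_targets[src].add(dst)
    # A single probe to tcp/1025 is normal RPC traffic; many distinct targets is not.
    for src, targets in scan_targets.items():
        if len(targets) >= scan_threshold:
            alerts[src].append(f"tcp/{SCAN_PORT} scan: {len(targets)} distinct targets")
    return dict(alerts)
```

Running `find_nirbot_indicators(parse_flows(SAMPLE_FLOWS))` flags only 10.0.1.15, for both the C2 connection and the tcp/1025 sweep; the host that reaches the same hostname on 443 and the host with a single 1025 connection are left alone.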
0 Responses to “Nirbot actively exploiting the DNS RPC vulnerability”