Nirbot’s Latest Move: MS DNS Exploits

The latest turn in the Nirbot saga is that they’ve incorporated the MS Windows DNS RPC interface exploit into their bot. We began seeing this in ATLAS on Sunday evening GMT, and it appears that this flood of MS DNS RPC exploits was seeded into an existing botnet. It appears that one of the public exploits was rolled into the bot over the weekend.

Here’s some C&C information for you:

  • Host: x.rofflewaffles.us
  • Port: 8080

I’m not going to share passwords or any other specific information with you at this time. The malware on the bots has been updated as they join the channel. Signs of infection include connections to hosts with that hostname on that port and scans on TCP port 1025. Other exploits in the bot include SYMC06-010, MS06-040, and weak passwords.
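The two network signs above can be checked against connection logs. This is an added example, not code from the original post: the record format (`src dst dport proto name`, with `name` being the DNS name associated with the connection), the sample records and the scan threshold are assumptions, while the hostname and ports are the ones given in the post.

```python
from collections import defaultdict

C2_HOST, C2_PORT = "x.rofflewaffles.us", 8080  # indicators given in the post
SCAN_PORT = 1025                               # scan target port given in the post
SCAN_THRESHOLD = 3  # assumption: distinct targets before a source counts as scanning

# Constructed records in a hypothetical format: "src dst dport proto name"
SAMPLE_LOG = """\
10.1.1.23 198.51.100.7 8080 tcp X.Rofflewaffles.US.
10.1.1.23 10.1.2.1 1025 tcp -
10.1.1.23 10.1.2.2 1025 tcp -
10.1.1.23 10.1.2.3 1025 tcp -
10.1.1.40 192.0.2.10 8080 tcp proxy.example.com
10.1.1.41 10.1.2.1 1025 tcp -
10.1.1.42 10.1.2.1 1025 udp -
truncated line
"""

def parse(line):
    """Return (src, dst, dport, proto, name) or None for a malformed record."""
    parts = line.split()
    if len(parts) != 5 or not parts[2].isdigit():
        return None
    src, dst, dport, proto, name = parts
    return src, dst, int(dport), proto.lower(), name.lower().rstrip(".")

def find_suspects(log_text, threshold=SCAN_THRESHOLD):
    """Map each suspect source IP to the set of infection signs it matched."""
    scan_targets = defaultdict(set)   # src -> distinct hosts probed on tcp/1025
    suspects = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None or rec[3] != "tcp":
            continue
        src, dst, dport, _, name = rec
        if name == C2_HOST and dport == C2_PORT:   # port 8080 alone is not enough
            suspects[src].add("c2-connection")
        if dport == SCAN_PORT:
            scan_targets[src].add(dst)
    for src, targets in scan_targets.items():
        if len(targets) >= threshold:              # one tcp/1025 flow is not a scan
            suspects[src].add("tcp-1025-scan")
    return dict(suspects)

if __name__ == "__main__":
    for host, signs in sorted(find_suspects(SAMPLE_LOG).items()):
        print(host, ", ".join(sorted(signs)))
```

Matching on the hostname rather than a resolved address keeps the check valid if the C&C record is repointed, and the distinct-target threshold keeps a single legitimate connection to TCP port 1025 from being reported as a scan.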
