Nirbot’s Latest Move: MS DNS Exploits
The latest turn in the Nirbot saga is that they’ve gone and incorporated the MS Windows DNS RPC interface exploit into their bot. We started seeing this in ATLAS starting Sunday evening GMT and it appears that this flood of MS DNS RPC exploits was seeded into an existing botnet. It appears that one of the public exploits was rolled into the bot over the weekend.
Here’s some C&C information for you:
- Host: x.rofflewaffles.us
- Port: 8080
I’m not going to share passwords or any other specific information with you at this time. The malware on the bots has been updated as they join the channel. Signs of infections include connections to hosts with that hostname on that port, scans on TCP port 1025 (and other exploits in the bot include SYMC06-010, MS06-040, and weak passwords).
Links around the net on this topic include:
- ATLAS Attack Report: Microsoft DNS DCE-RPC Exploit Attempt — I love it, this is why we built ATLAS!
- RPC DNS Worm
- First DNS Zero Day worm discovered
- News from Microsoft: DNS 0day being exploited in the wild
- RPC DNS Worm Spotted In The Wild
- Worm exploits Windows DNS hole
- Microsoft DNS Server Exploits Abound
- RPC DNS Worm in the Wild