Botnet operators are already exploiting the Microsoft DNS server bug now as predicted, but that should be the least of your worries. The real danger lies in an attacker using the flaw to take over an enterprise's internal DNS server. (See Zero-Day Fever.)
Security experts say an attacker could use the vulnerability in Microsoft's Domain Name Server (DNS) Service to do more serious damage -- such as wresting control of the server, modifying its DNS records, and using it as a way to launch other attacks or to sabotage a particular company or organization.
"This could be a stepping stone into an enterprise," says Jose Nazario, senior software and security engineer for Arbor Networks, who has been studying the new exploits. "Also, if an attacker controls DNS, they can really alter an organization's situation. Imagine if an attacker redirected www.google.com to their own IP addresses with exploit code on it (i.e. the recent .ANI exploit). DNS is a great way to silently drive hosts to a malicious site."
The bug itself isn't in the DNS protocol, but in the way the Microsoft server software handles the remote procedure calls (RPCs) among the servers, so its scope is basically those organizations that run the server platform (not the massive banks of mostly Unix-based servers that make up the Internet's DNS infrastructure). Microsoft has hinted it may patch the DNS Service bug before its next Patch Tuesday, May 8.
So far, the botnet infections (many using worms and some non-Microsoft vulnerabilities, including a recycled old Symantec antivirus bug) seem to be limited, according to researchers. Although Nazario says the so-called Nirbot botnet could have a few thousand zombies. Sophos, meanwhile, so far has not received many calls from customers getting infected, says Ron O'Brien, senior security analyst for the anti-malware company. "That indicates that it's much more of a proof-of-concept exploit, versus something that's being widely deployed."
Still, the bots aren't the real problem here. "The only people that need to act quickly are enterprise customers with large internal networks," says HD Moore, creator of the popular open-source Metasploit hacking tool.
"For worm propagation, it's a bad target -- the port is dynamic, the number of targets few, and the percent of vulnerable systems actually allowing access to this port from the Internet even fewer," Moore says. But for an attacker hell-bent on sabotaging an organization or highjacking its internal DNS entries, "this bug is great," says Moore, who is also director of security research for BreakingPoint Systems. Once the attacker has penetrated the DNS server via the flawed RPC interface, he or she then adds a backdoor account, restarts the server, and it's owned, he adds.
The simplest scenario would be a denial-of-service attack on an organization's DNS server as part of the targeted attack. "That would cause a DNS outage for anyone who used that server," says David Ulevitch, CEO of OpenDNS, and founder of EveryDNS, both DNS services. "A less likely scenario is one where they are able to poison the DNS server to hand back malicious responses for specific records -- like a bank or Paypal."
Paul Mockapetris, co-creator of the DNS protocol and chairman and chief scientist of Nominum, estimates that there are thousands of organizations out there that haven't configured their Microsoft DNS service properly and are therefore vulnerable to attack. Contrary to popular belief that Microsoft DNS systems are not commonplace enough to cause major concern over these recent attacks, Nominum -- which specializes in DNS clusters for large service providers -- has seen an increase in enterprises using Microsoft's DNS and DHCP servers coming for help with security, he says.
And although the latest botnet-related exploits don't mean much to the Internet's DNS infrastructure, their potential to redirect traffic rings reminiscent of previous cache-poisoning attacks on the Net's DNS servers, experts say. "This has made people more aware of the damage if DNS is subverted," Mockapetris says. "And it may have motivated the dark side to think about how to do that" on the Internet.
So until a patch arrives from Microsoft, the best defense is to disable the RPC function. As for the Nirbot (a.k.a. Rinbot) infection specifically, be on the lookout for outbound connections to x.rofflewaffles.us, as well as port 8080 connections, security experts say. "Scans coming from their DNS server to TCP ports 1025 and 2967 are also tell-tale signs of this bot being present on their DNS server," Arbor's Nazario notes.
Kelly Jackson Higgins, Senior Editor, Dark Reading