New Rinbot Variant Scans Networks for Unpatched Vulnerability
AUSTIN, Texas—April 18, 2007—Mirage Networks®, Inc. announced today that its
zero-day technology stops a new variant of the Rinbot worm that is specifically
targeting the Microsoft Domain Name System Server Service. Microsoft
recognized the server software vulnerability in an
advisory issued last Thursday. Two days following the advisory, a public exploit
appeared detailing the means by which the vulnerability could be used. Microsoft has
acknowledged the proof-of-concept code and suggested a temporary workaround,
but has not yet released a patch.
The Rinbot variant seeks to establish an Internet Relay Chat backdoor, giving the
exploiter complete control over the compromised system. The worm scans the
network for a vulnerable server, against which it launches a series of exploits,
including one that takes advantage of the DNS software weakness. When successful,
the worm conscripts the machine into a botnet that allows the attacker unrestricted
remote access to the system.
“This exploit is especially troubling because it targets servers, which have fairly
unrestricted access to other servers and typically do not submit to network access
control scans on entry,” said Grant Hartline, chief technical officer for Mirage
Networks. “This means that even if a patch is made available, administrators cannot
themselves enforce a system-wide application of the patch. Rather, they must work
with the teams individually responsible for each server to perform the upgrade.
Additionally, the exploit specifically targets and commandeers DNS servers. These
servers play a critical role in the company’s public Web presence.”
Mirage Endpoint Control thwarts this attack by flagging the IP-based reconnaissance
activity of the worm as threatening behavior and quarantining the system
responsible for the suspicious sniffing.
“IP-based port scanning is one of the hallmarks of malicious software, so when
Mirage Endpoint Control detects this activity, it triggers a quarantine of the offending
device. This and other behavioral rules are the backbone of Mirage Endpoint
Control,” said Hartline. “Behavioral rule-based security gives our network access
control technology an unparalleled ability to quarantine a dangerous system before it
causes a catastrophic network-wide infection without relying solely on entry-based
scans.”
By relying on behavioral rules rather than agents, signature files, and patches,
Mirage Endpoint Control ensures effective containment of network threats even if, as
in this case, no patches have been issued to correct the underlying problem.
About Mirage Networks
Mirage Networks, Inc. is the leading provider of Network Access Control (NAC)
solutions, including both pre- and post-admission security. The Austin, Texas-based
company's patented technology gives organizations control over unknown, out-of-
policy, and infected devices resulting in increased network uptime, policy compliance
and reduced operational costs. Mirage's NAC appliances work in all network
environments, deploy out-of-band and require neither signatures nor agents to
enforce policies and terminate zero-day threats. Mirage Networks' Endpoint Control
is a consistent winner of industry awards and recognition. Learn more at
http://www.miragenetworks.com.
Contacts
Mirage Networks
Alison Guzzio, 610-925-2761
alison@inktankstrategic.com
© 2007, Mirage Networks, Inc. All rights reserved worldwide. Mirage Networks, its product and program names and design marks are trademarks of Mirage Networks, Inc.