Mirage Networks Stops Zero-Day Exploit of Microsoft DNS

April 19, 2007; 02:07 AM
Mirage Networks®, Inc. announced today that its zero-day technology stops a new variant of the Rinbot worm that specifically targets the Microsoft Domain Name System Server Service. Microsoft recognized the server software vulnerability in an advisory issued last Thursday. Two days following the advisory, a public exploit appeared detailing the means by which the vulnerability could be used. Microsoft has acknowledged the proof-of-concept code and suggested a temporary workaround, but has not yet released a patch.

The Rinbot variant seeks to establish an Internet Relay Chat backdoor, giving the exploiter complete control over the compromised system. The worm scans the network for a vulnerable server, against which it launches a series of exploits, including one that takes advantage of the DNS software weakness. When successful, the worm conscripts the machine into a botnet that allows the attacker unrestricted remote access to the system.

“This exploit is especially troubling because it targets servers, which have fairly unrestricted access to other servers and typically do not submit to network access control scans on entry,” said Grant Hartline, chief technical officer for Mirage Networks. “This means that even if a patch is made available, administrators cannot themselves enforce a system-wide application of the patch. Rather, they must work with the teams individually responsible for each server to perform the upgrade. Additionally, the exploit specifically targets and commandeers DNS servers. These servers play a critical role in the company’s public Web presence.”

Mirage Endpoint Control thwarts this attack by flagging the IP-based reconnaissance activity of the worm as threatening behavior and quarantining the system responsible for the suspicious sniffing.

“IP-based port scanning is one of the hallmarks of malicious software, so when Mirage Endpoint Control detects this activity, it triggers a quarantine of the offending device. This and other behavioral rules are the backbone of Mirage Endpoint Control,” said Hartline. “Behavioral rule-based security gives our network access control technology an unparalleled ability to quarantine a dangerous system before it causes a catastrophic network-wide infection without relying solely on entry-based scans.”

By relying on behavioral rules rather than agents, signature files, and patches, Mirage Endpoint Control ensures effective containment of network threats even if, as in this case, no patches have been issued to correct the underlying problem.

About Mirage Networks

Mirage Networks, Inc. is the leading provider of Network Access Control (NAC) solutions, including both pre- and post-admission security. The Austin, Texas-based company's patented technology gives organizations control over unknown, out-of-policy, and infected devices resulting in increased network uptime, policy compliance and reduced operational costs. Mirage's NAC appliances work in all network environments, deploy out-of-band and require neither signatures nor agents to enforce policies and terminate zero-day threats. Mirage Networks' Endpoint Control is a consistent winner of industry awards and recognition. Learn more at


