Rinbot Worm Prompts Repeated Denials
Is Rinbot the little worm that isn't? Or is it simply the worm that no one wants to acknowledge exists? Here's a timeline of this "non-threat":
February 8, 2007: The Taipei Times reports a new trojan that infected thousands of MSN Messenger users via the Kelvir.B instant messaging worm. According to the article, MSN representatives and Trend Micro identify the downloaded trojan as a new threat, which Trend Micro dubs BKDR_RINBOT.A.
A researcher for Symantec quickly dismisses the notion of a new threat, claiming it was the Backdoor.irc.bot worm - which ironically is Symantec's generic detection name for a particular class of threats that have not yet been positively identified.
February 27, 2007: A Michigan county network is brought down by what the Ironwood Daily Globe reports as W32.Rintob.B. The article states the infection originated "from a 'trusted point' in the State of Michigan's system in Lansing" and points to "hackers from the United Kingdom" as the likely origin.
March 1, 2007: CNN Money reports yet another new member of the Rinbot family - this time attacking Turner Broadcasting System servers. The latest Rinbot variant includes messages in its code directed towards antivirus vendor Symantec, and exploits a vulnerability in certain Symantec products in order to spread. In something of a full circle, the latest Rinbot attack promptly gets dismissed by Verisign's iDefense as "just one of thousands of bots crawling the Internet today...this doesn't even hardly show up on the radar screen".
(Source: SC Magazine)
Rinbot exploits vulnerabilities; creates a backdoor
There are, clearly, multiple variants of Rinbot. Some may be in trojan form, piggybacking on the Kelvir.B worm. Others include their own worm functionality and spread by exploiting the vulnerabilities described in SYM06-010 and MS06-040. The SYM06-010 vulnerability affects Symantec AntiVirus Corporate Edition and Symantec Client Security. Patches for SYM06-010 were provided in May 2006 and patches for MS06-040 were provided in August 2006. Rinbot can also spread to systems by exploiting weak or non-existent passwords.
Exact symptoms of infection vary based on the variant but in all known cases, once seated on the system, Rinbot accesses a particular IRC server, opens a backdoor on the infected system and accepts remote commands from attackers. For details on a specific Rinbot variant, see the links above.
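The two behaviours just described (spreading to neighbouring hosts through the SYM06-010 and MS06-040 services, then phoning home to an IRC server for commands) leave a distinctive pattern in connection logs. The following Python script is an added example, not code from the original article or from any vendor: it scans a small constructed connection log and flags internal hosts that both contact an external IRC server and touch an unusual number of internal machines on the ports those services use. The port assignments (6667-6669/7000 for IRC, 445/139 for SMB, which the MS06-040 Server service listens on, and 2967 for the Symantec service covered by SYM06-010), the log line format, and the scan threshold are all assumptions for the example, not values taken from the article.

```python
"""Flag hosts whose connection log shows Rinbot-like behaviour: an outbound IRC
session (command and control) combined with a burst of connections to other
internal hosts on the SMB and Symantec service ports used for spreading."""
from collections import defaultdict
import ipaddress
import re

# Port roles are assumptions from general knowledge of the protocols and
# advisories, not from the article: common IRC ports, SMB (MS06-040 Server
# service), and the Symantec AV / Client Security service (SYM06-010).
IRC_PORTS = {6667, 6668, 6669, 7000}
LATERAL_PORTS = {445, 139, 2967}
SCAN_THRESHOLD = 5  # distinct internal targets before we call it scanning

INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Assumed log format: "<date> <time> <src>:<sport> -> <dst>:<dport> <proto>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<src>[\d.]+):(?P<sport>\d+) -> "
    r"(?P<dst>[\d.]+):(?P<dport>\d+) (?P<proto>\w+)$")

# Constructed sample log: 10.1.4.22 sweeps five neighbours then joins IRC;
# 10.1.4.50 and 10.1.4.61 show ordinary traffic only.
SAMPLE_LOG = """\
2007-03-01 09:12:01 10.1.4.22:49152 -> 10.1.4.30:445 tcp
2007-03-01 09:12:01 10.1.4.22:49153 -> 10.1.4.31:445 tcp
2007-03-01 09:12:02 10.1.4.22:49154 -> 10.1.4.32:445 tcp
2007-03-01 09:12:02 10.1.4.22:49155 -> 10.1.4.33:445 tcp
2007-03-01 09:12:03 10.1.4.22:49156 -> 10.1.4.34:2967 tcp
2007-03-01 09:12:06 10.1.4.22:49158 -> 203.0.113.9:6667 tcp
2007-03-01 09:13:00 10.1.4.50:49200 -> 10.1.4.1:53 udp
2007-03-01 09:13:02 10.1.4.50:49201 -> 198.51.100.20:443 tcp
2007-03-01 09:14:00 10.1.4.61:49300 -> 10.1.4.31:445 tcp
""".splitlines()


def is_internal(ip):
    """True when the address falls inside one of the private ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse_line(line):
    """Parse one log line into a dict, or return None for unparseable input."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {"ts": m["ts"], "src": m["src"], "dst": m["dst"],
            "dport": int(m["dport"]), "proto": m["proto"].lower()}


def analyse(lines):
    """Return {source_ip: [reasons]} for hosts showing either indicator."""
    irc = defaultdict(set)       # src -> external IRC servers contacted
    lateral = defaultdict(set)   # src -> internal targets on lateral ports
    for raw in lines:
        rec = parse_line(raw)
        if rec is None or rec["proto"] != "tcp":
            continue
        if rec["dport"] in IRC_PORTS and not is_internal(rec["dst"]):
            irc[rec["src"]].add(rec["dst"])
        elif rec["dport"] in LATERAL_PORTS and is_internal(rec["dst"]):
            lateral[rec["src"]].add(rec["dst"])

    findings = {}
    for src in sorted(set(irc) | set(lateral)):
        reasons = []
        if irc[src]:
            reasons.append("outbound IRC to " + ", ".join(sorted(irc[src])))
        if len(lateral[src]) >= SCAN_THRESHOLD:
            reasons.append(f"{len(lateral[src])} internal hosts contacted "
                           "on SMB/Symantec ports")
        if reasons:
            findings[src] = reasons
    return findings


if __name__ == "__main__":
    for host, reasons in analyse(SAMPLE_LOG).items():
        print(host)
        for reason in reasons:
            print("  -", reason)
```

A single connection to port 445 from a workstation is normal file-sharing traffic, which is why the lateral indicator only fires above a threshold of distinct targets; the IRC indicator fires on a single connection because outbound IRC from a server or workstation is rarely legitimate in a managed network. Feeding the script real firewall or NetFlow exports needs only a change to LINE_RE.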
As with any other malware, prevention can best be achieved by following these Computer Safety Tips.