Rinbot, an On and Off Threat

The existence of the Rinbot worm persists and inflicts companies at large, several security firms said. Symantec Corp. announced, its honeypot network detected traffic giving signs of a botnet spreading the malicious software, so published ComputerWorld on March 7, 2007.

According to previous reports the virus had infected CNN and its parent organization, Turner Broadcasting System. The Rinbot computer worm, also known as Delbot captures network systems and commandeers computers remotely.

The Rinbot threat appears on and off. It exploits a batch of vulnerabilities that were patched long back. One of the vulnerabilities is in Microsoft Windows' Server Service that was patched in August 2006. The other is in Symantec's Client Security and anti-virus software that was fixed in June last.

Shirley Powell, a spokeswoman for Turner Broadcasting restrained from naming the exploit that attacked the organization's network. But she said via e-mail it was certain that a virus hit their company. The impact was minimal, however, remedial action was ongoing, she said.

ComputerWorld reported that on March 6, 2007, Symantec posted a warning for the benefit of its DeepSight customers that honeypots had identified botnet traffic responsible for the proliferation of Rinbot. Honeypots are unguarded and un-patched PCs, deliberately set so, to draw in exploits to assess their evaluation. When the attack struck Symantec honeypot it exploited the Microsoft flaw to hijack the PC, and then install the Rinbot.

According to Graham Cluley, senior technology consultant with Boston-based IT security firm Sophos, it is the latest attack of the 7th version of Rinbot. The worm had appeared first in March 2005. In Cluley's opinion the CNN and the virus incident had resulted in unnecessary panic. So people thought it was a more difficult situation to deal. Ecommercetimes published this statement on March 9, 2007.

In its alert Symantec said the botnet was sending instructions to the hijacked PC to download a different piece of malware or a new Rinbot variant.

The case of vulnerable anti-virus program is not unique to security vendor Symantec. However, a greater number of exploits in the wild have triggered Symantec's bugs than have done for its rivals.

Related article: Rinbot Worm Strikes To Infect CNN Network

» SPAMfighter News - 3/23/2007