W32.Rinbot Worm – Security answers from Symantec
Symantec recently issued a warning about a worm named W32.Rinbot.L. Symantec Security Response is providing a summary of the issues as well as additional information that may help users mitigate the threat.
The first signs of W32.Rinbot.L were seen in the wild on February 28, 2007. This worm spreads by attempting to access network file shares and SQL servers that may have weak passwords. It also attempts to attack systems by exploiting the following two known vulnerabilities:
Symantec Client Security and Symantec AntiVirus Elevation of privilege (BID 18107)
Microsoft Windows Server Service Remote Buffer Overflow Vulnerability (BID 19409)
Security patches for both of these vulnerabilities are available, and Symantec Security Response strongly recommends that users of the affected products apply them as soon as they are able. Applying these patches will keep the worm from spreading via the vulnerabilities, but it will not keep the worm from spreading via weak passwords on file shares or SQL servers. System administrators and users are encouraged to use complex passwords for all accounts on servers and desktops. Passwords such as 'password', '12345' and 'administrator' are easily guessed by malicious code writers and thus do not create an effective barrier to entry on a system. Generally speaking, passwords should contain a combination of letters, numbers and at least one special character. A minimum length of seven or eight characters should also be enforced. For the most part, strong password rules can be deployed to systems by system administrators; most operating systems have built-in password rules that can be used for this purpose.
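The password rules above (letters, digits, at least one special character, a minimum length, and rejection of commonly guessed values) can be expressed as a simple audit check. The following is an added example written for this page, not Symantec code: the weak-password list, the minimum length of eight, the extra "contains the account name" rule, and the sample accounts are all constructed assumptions.

```python
import string

# Constructed sample of commonly guessed passwords (the advisory names the
# first three). A real audit would use a much larger list.
COMMON_WEAK_PASSWORDS = {"password", "12345", "administrator", "admin", ""}

# The advisory suggests seven or eight characters; eight is assumed here.
MIN_LENGTH = 8


def password_policy_violations(password, username=None, min_length=MIN_LENGTH):
    """Return the list of advisory rules a password fails (empty = passes).

    The checks mirror the advisory: minimum length, letters, digits, at
    least one special character, and not a commonly guessed value. The
    account-name check is an added assumption, not from the advisory.
    """
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if not any(c.isalpha() for c in password):
        problems.append("no letters")
    if not any(c.isdigit() for c in password):
        problems.append("no digits")
    if not any(c in string.punctuation for c in password):
        problems.append("no special character")
    if password.lower() in COMMON_WEAK_PASSWORDS:
        problems.append("on common weak-password list")
    if username and username.lower() in password.lower():
        problems.append("contains the account name")
    return problems


def accounts_needing_reset(accounts):
    """Given {account_name: current_password}, return the sorted names of
    accounts whose password fails any rule. Intended for a one-off audit of
    service or share accounts before a worm with a fixed credential list
    reaches them."""
    return sorted(name for name, pw in accounts.items()
                  if password_policy_violations(pw, name))


# Constructed sample accounts, not real credentials.
SAMPLE_ACCOUNTS = {
    "administrator": "administrator",
    "backup": "12345",
    "sqlsvc": "Str0ng!Pa55w0rd",
}

if __name__ == "__main__":
    for name, pw in SAMPLE_ACCOUNTS.items():
        print(name, password_policy_violations(pw, name) or "ok")
    print("needs reset:", accounts_needing_reset(SAMPLE_ACCOUNTS))
```

The audit deliberately reports every failed rule rather than stopping at the first, so an administrator can see whether an account fails only on length (easily fixed by policy) or is sitting on a dictionary word that a fixed credential list would hit immediately.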
Once it has infected a system, this worm creates a backdoor that accepts commands to perform various tasks, including:
1. Gather system information
2. Scan local network for computers to infect
3. Download and execute a specified file
4. Run an HTTP/FTP server
5. Update itself
6. Steal CD Keys
7. End analysis tools such as Filemon, Regmon, Ethereal, etc.
The worm uses a fixed list of account names and passwords to attempt to connect to other systems on the network. As such, under certain circumstances the worm's attempts to access network shares may inadvertently lock out user accounts on those systems. System administrators are encouraged to monitor reports of frequent user account lockouts.
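A fixed credential list tried against a share leaves a recognisable trace: one source host locks out several different accounts within a few seconds. The following detection logic is an added example for this page, not Symantec tooling. It assumes lockout records have been exported into a simplified one-line-per-event text form carrying the timestamp, the locked account and the calling host (the kind of fields a Windows account-lockout event records); the log lines, host names and thresholds are all constructed.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample export of lockout events (not real log data). One host,
# WS-0142, locks five different accounts within ten seconds; the other two
# entries are the ordinary pattern of a single user mistyping a password.
SAMPLE_LOCKOUT_LOG = """\
2007-03-01 09:00:05 LOCKOUT account=jsmith caller=WS-0142
2007-03-01 09:00:07 LOCKOUT account=administrator caller=WS-0142
2007-03-01 09:00:09 LOCKOUT account=backup caller=WS-0142
2007-03-01 09:00:12 LOCKOUT account=sqlsvc caller=WS-0142
2007-03-01 09:00:14 LOCKOUT account=guest caller=WS-0142
2007-03-01 11:30:00 LOCKOUT account=jsmith caller=WS-0201
2007-03-02 08:15:00 LOCKOUT account=mlee caller=WS-0311
"""

# Assumed line layout of the constructed export.
LINE_RE = re.compile(r"^(\S+ \S+) LOCKOUT account=(\S+) caller=(\S+)$")


def parse_lockouts(text):
    """Parse the export into (timestamp, account, caller) tuples, skipping
    lines that do not match the expected layout."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        events.append((ts, m.group(2).lower(), m.group(3).upper()))
    return events


def find_lockout_bursts(events, window=timedelta(minutes=10), min_accounts=3):
    """Return {caller: sorted accounts} for every calling host that locked out
    at least min_accounts distinct accounts inside one time window. Many
    different accounts locked from a single host in a short span is the
    signature a worm with a fixed credential list leaves; a user mistyping
    their own password locks only one account."""
    by_caller = defaultdict(list)
    for ts, account, caller in events:
        by_caller[caller].append((ts, account))
    flagged = {}
    for caller, items in by_caller.items():
        items.sort()
        for i, (start, _) in enumerate(items):
            accounts = {a for t, a in items[i:] if t - start <= window}
            if len(accounts) >= min_accounts:
                flagged[caller] = sorted(accounts)
                break
    return flagged


def repeat_lockouts(events, threshold=2):
    """Return {account: lockout count} for accounts locked out at least
    threshold times in the export; these are the 'frequent lockouts' the
    advisory says administrators should watch for."""
    counts = Counter(account for _, account, _ in events)
    return {a: n for a, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    ev = parse_lockouts(SAMPLE_LOCKOUT_LOG)
    print("burst sources:", find_lockout_bursts(ev))
    print("repeatedly locked accounts:", repeat_lockouts(ev))
```

The two checks answer different questions: `find_lockout_bursts` points at the host that should be pulled off the network and scanned, while `repeat_lockouts` lists the accounts whose owners will be calling the help desk and whose passwords should be reviewed against the policy above.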
This worm appears to gain initial access to a network via silent downloads from compromised web sites. Many of the reported infections indicate that the files were detected in the Temporary Internet Files folder. Systems with updated virus detection signatures will be able to detect this threat before it is able to spread. System administrators should look for systems that do not have the most up-to-date detection signatures or have no antivirus protection at all. Special attention should be paid to external systems that physically connect to the network, such as those used by outside contractors or infrequently connected employees. Systems that connect to the network via VPN should also be monitored closely, as they may introduce a new threat to the network if the connecting system is already infected with a threat such as W32.Rinbot.L.
Symantec Security Response strongly recommends that users read the information available on the Security Response Web site carefully, as it contains valuable information for users of Norton AntiVirus, Norton Internet Security, Symantec AntiVirus and Symantec Client Security.

Protect Yourself
To reduce the possibility of being affected by W32.Rinbot.L, Symantec Security Response advises users to do the following:
1. Keep antivirus and IPS detection signatures updated.
2. Regularly apply security patches and updates to all major software installed on the computer.
3. Use a security solution that contains antivirus and client firewall technologies, such as Symantec Client Security or Norton Internet Security, to protect against today's known and tomorrow's unknown threats.
4. Organizations should install and maintain a perimeter firewall to protect the entire internal network. Be sure to use permit-by-exception rules on the firewall.
5. Organizations should check all external systems for security compliance before permitting any connectivity to an internal network.
6. Enforce strong password usage throughout the network.