Rinbot
Original issue date: March 10, 2007
It has been observed that a worm named Rinbot and its variants are circulating in the wild. It propagates via network shares and by exploiting software vulnerabilities: the Symantec AntiVirus and Client Security Remote Buffer Overflow Vulnerability described in CIVN-2006-41 and the Microsoft Windows Server Service Buffer Overrun Vulnerability described in CIVN-2006-75. It opens a backdoor on a random port or on TCP port 4873, connects to IRC servers and listens for commands from remote attackers. The infected machines are gradually being assembled into a botnet used for malicious activities.
Variants: W32.Rinbot.A, W32.Rinbot.B, W32.Rinbot.C, W32.Rinbot.D, W32.Rinbot.E, W32.Rinbot.F, W32.Rinbot.H, W32.Rinbot.L, W32.Rinbot.T, W32.Rinbot.V [Symantec]; WORM_RINBOT.F, WORM_RINBOT.G, WORM_RINBOT.H, BKDR_RINBOT.B [Trend Micro]
Upon execution the worm:
- Copies itself to the Windows system folder under file names that imitate legitimate processes: csrs.exe (mimicking csrss.exe), lsass.exe, iexplore.exe and winamp.exe
- Adds registry values so that these copies are launched at startup:
  - HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"Client Server Runtime Process" = "%System%\csrs.exe"
  - HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"Local Security Authority Service" = "%System%\lsass.exe"
  - HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"Microsoft Internet Explorer" = "%System%\iexplore.exe"
  - HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"Winamp Agent" = "%System%\winamp.exe"
- Tries to copy itself to the IPC$ share of other machines and, if the share is password protected, guesses usernames and passwords.
- Opens a backdoor on a random port or on TCP port 4873 and connects to IRC servers, likely ftp.youcantseemy.info, ftp.canyouseemy.net and ftp.worldofhyip.info, to receive commands from the remote attacker to perform the following actions:
  - Gather system information such as CPU speed, free disk space and free memory
  - Scan the local network for machines to infect
  - Download and execute further malicious files
  - Log keystrokes
  - Run an HTTP/FTP server
  - Update itself
  - Steal CD keys
  - Flush the DNS cache
  - List, start or terminate processes
  - Terminate analysis tools such as Filemon, Regmon and Ethereal
- Spreads by exploiting the vulnerabilities described in CIVN-2006-41 and CIVN-2006-75. It also exploits the SQL Server 7.0 Service Pack Password vulnerability described in Microsoft Security Bulletin MS00-035.
In view of the rapid propagation and emergence of Rinbot variants, users are advised to implement the following countermeasures:
- Install and maintain updated anti-virus software at gateway and desktop level.
- Keep the operating system patched, in particular against the vulnerabilities mentioned above.
- Monitor outgoing traffic to TCP port 4873 and to the IRC command and control (C&C) servers named above, and block it at the perimeter; since some variants use random ports, a hit on the host names is the stronger indicator.
- Enable advanced TCP/IP filtering on systems, and use strong passwords on shared folders, since the worm guesses credentials for the IPC$ share.
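As an added worked example (not code from CERT-In, Symantec or Trend Micro), the following Python script sweeps data exported from a host for the indicators listed in the behaviour section above and for the traffic the countermeasures ask you to monitor. It assumes a `reg export` of the `...\CurrentVersion\Run` keys (a `.reg` file, which Windows writes as UTF-16) and Windows Firewall log lines in pfirewall.log field order; DNS or proxy log lines are simply searched for the three IRC host names. The registry export, firewall lines and DNS query line in the block are constructed for the demonstration.

```python
"""Offline IOC sweep for the Rinbot indicators listed in this advisory.

Added example, not code from CERT-In or an AV vendor. It works on text
exported from a host, so it runs anywhere:
  1. a `reg export HKLM\\...\\CurrentVersion\\Run hklm-run.reg` file (open it
     with encoding="utf-16") -> flags persistence values used by the worm;
  2. pfirewall.log lines plus DNS/proxy lines -> flags TCP/4873 and the
     three IRC C&C host names.
All sample data at the bottom is constructed for the demonstration.
"""
import re

# Indicators taken from the advisory text.
RUN_VALUE_NAMES = {"Client Server Runtime Process", "Local Security Authority Service",
                   "Microsoft Internet Explorer", "Winamp Agent"}
DROPPED_FILES = {"csrs.exe", "lsass.exe", "iexplore.exe", "winamp.exe"}
C2_HOSTS = {"ftp.youcantseemy.info", "ftp.canyouseemy.net", "ftp.worldofhyip.info"}
C2_PORT = 4873

_REG_KEY = re.compile(r"^\[(.+)\]$")
_REG_VALUE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')


def _unescape(s):
    # .reg files double backslashes and write embedded quotes as \"
    return re.sub(r"\\(.)", r"\1", s)


def _exe_path(command):
    """Executable path from a Run value's data (quoted path or first token)."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:].split('"', 1)[0]
    return command.split(" ", 1)[0]


def run_key_findings(reg_export):
    """Suspicious entries in a .reg export of *\\CurrentVersion\\Run keys."""
    findings, key = [], None
    for raw in reg_export.splitlines():
        line = raw.strip()
        m = _REG_KEY.match(line)
        if m:
            key = m.group(1)
            continue
        m = _REG_VALUE.match(line)
        if not (m and key and key.lower().endswith("\\currentversion\\run")):
            continue
        name, data = _unescape(m.group(1)), _unescape(m.group(2))
        path = _exe_path(data).lower()
        in_system = "\\system32\\" in path or path.startswith("%system%")
        reasons = []
        if name in RUN_VALUE_NAMES:
            reasons.append("Run value name used by Rinbot")
        # The genuine lsass.exe is in system32 but is never started from a Run
        # value, and the genuine iexplore.exe lives under Program Files, so a
        # Rinbot drop name launched from the system folder is worth a look.
        if path.rsplit("\\", 1)[-1] in DROPPED_FILES and in_system:
            reasons.append("launches a Rinbot drop name from the system folder")
        if reasons:
            findings.append({"key": key, "value": name, "data": data, "reasons": reasons})
    return findings


def network_findings(log_lines):
    """(reason, line) pairs for lines showing the backdoor port or a C&C host.

    Firewall lines are expected in pfirewall.log field order:
    date time action protocol src-ip dst-ip src-port dst-port ...
    Any other line (DNS query log, proxy log) is searched for the host names.
    """
    hits = []
    for line in log_lines:
        if line.startswith("#"):          # pfirewall.log header lines
            continue
        low = line.lower()
        host = next((h for h in C2_HOSTS if h in low), None)
        if host:
            hits.append((f"C&C host name {host}", line))
            continue
        f = line.split()
        if len(f) >= 8 and f[3].upper() == "TCP" and f[7] == str(C2_PORT):
            hits.append((f"TCP/{C2_PORT} connection {f[4]} -> {f[5]}", line))
    return hits


# Constructed sample data (not from a real incident).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="C:\\Program Files\\Synaptics\\SynTP\\SynTPEnh.exe"
"Client Server Runtime Process"="C:\\WINDOWS\\system32\\csrs.exe"
"Adobe Reader Speed Launcher"="\"C:\\Program Files\\Adobe\\Reader 8.0\\Reader\\Reader_sl.exe\""

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"iexplore"="C:\\WINDOWS\\system32\\iexplore.exe"
'''
SAMPLE_FIREWALL = """\
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags
2007-03-10 09:12:41 OPEN TCP 10.1.4.22 203.0.113.9 1043 4873 - -
2007-03-10 09:12:44 OPEN TCP 10.1.4.22 10.1.4.1 1044 445 - -
2007-03-10 09:13:02 OPEN UDP 10.1.4.22 10.1.4.1 1045 4873 - -
""".splitlines()
SAMPLE_DNS = ["2007-03-10 09:12:39 client 10.1.4.22#1042: query: ftp.youcantseemy.info IN A"]

if __name__ == "__main__":
    for hit in run_key_findings(SAMPLE_REG):
        print("REGISTRY:", hit)
    for reason, line in network_findings(SAMPLE_FIREWALL + SAMPLE_DNS):
        print("NETWORK:", reason, "|", line)
```

On the sample data the registry check flags `Client Server Runtime Process` (both the value name and the system-folder csrs.exe match) and the renamed `iexplore` value (system32\iexplore.exe, a path the real browser never uses), while the legitimate ctfmon.exe entry in system32 is left alone. The network check reports only the TCP connection to port 4873 and the DNS lookup of ftp.youcantseemy.info; the UDP line and the SMB connection on 445 are ignored. Treat a port-4873 hit as a triage lead rather than proof, since the advisory notes that some variants pick a random port, and confirm on the host with the Run-key check. The IPC$ spreading described above would appear as a burst of outbound SMB connections (TCP 139/445) to many internal hosts, which needs rate counting that this script does not do.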
References
http://blog.trendmicro.com/rinbot-malware-on-the-loose/
http://www.symantec.com/enterprise/security_response/writeup.jsp?docid=2007-030816-3346-99
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM%5FRINBOT%2EG
http://www.technewsworld.com/story/56072.html
http://www.net-security.org/news.php?id=13696
Disclaimer
The information provided herein is on "as is" basis, without warranty of any kind.
Contact Information

Phone: +91-11-24368572
Postal address:
Indian Computer Emergency Response Team (CERT-In)
Ministry of Communications and Information Technology
Electronics Niketan
6, C.G.O. Complex
New Delhi-110 003