The Rinbot worm continues to pester and plague companies, several security organisations said, even as Symantec declared that its honeypot network had captured traffic showing that a botnet was spreading the malware.
Rinbot is an on-again, off-again threat that exploits a pair of long-patched vulnerabilities – one in Microsoft Windows' Server Service fixed in August 2006, the other in Symantec's own Client Security and Symantec AntiVirus software, which were patched in June. Rinbot was last in the news a week ago when Turner Broadcasting System, part of Time Warner and the parent of Cable News Network, were reportedly attacked by Rinbot, also known as Delbot.
Shirley Powell, a spokeswoman for Turner Broadcasting, declined to identify the exploit that hit the company's network. But she confirmed "we have been hit by a virus." The effect was minimal, but "repairs are ongoing," she said.
Security professionals urged users to patch their systems, but at least one said the Rinbot threat was overstated. "This is [just] one of thousands of bots crawling the internet today," said Ken Dunham, director of VeriSign's iDefense rapid-response team. "Some bots are more interesting than others, and some more sophisticated. There is no large global threat issue with Rinbot variants to date."
Yesterday, Symantec posted a warning to customers of its DeepSight threat alert network that honeypots – deliberately unpatched and unguarded PCs that try to attract exploits for evaluation – had detected botnet traffic connected to Rinbot's spread. In the attack against the Symantec honeypot, an exploit used the Microsoft vulnerability to compromise the PC, and then downloaded a Rinbot variant.
"The botnet is trying to instruct the compromised system to download another piece of malicious code or a new variant of the Rinbot or Spybot family worm," Symantec said in its alert.
Symantec is not the only security vendor that has had to deal with vulnerable antivirus software. But more in-the-wild exploits have leveraged Symantec's bugs than have attacked its rivals.
The company has even drawn expletive-laced tirades from hackers. In a blog entry a week ago, Symantec researcher Stephen Doherty wrote, "From time to time, virus writers leave messages in their code. Sometimes these are shout-outs to other virus writers, sometimes it is their own nickname and other times they send messages to us. Here is one that speaks for itself.
"Dear Symantec: For years I have longed for just one thing, to make malware with just the right sting, you detected my creation and got my domains killed, but I will not stop, I can rebuild. ..."