W32.Rinbot.H is a worm that spreads through network shares and by exploiting certain vulnerabilities. It also opens a back door on the compromised computer. This exploit affects Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows XP operating systems. This worm was first discovered on February 26, 2007.
This vulnerability has already been exploited in several attacks. Cisco® has obtained exploit files, and has confirmed that Cisco Security Agent is effective in stopping these exploits, using the default security policy configuration. Current supported versions of Cisco Security Agent 4.5.x, 5.0.x, and 5.1.x are all effective in stopping the exploits seen to date.
Details of the Vulnerability
W32.Rinbot.H is a worm affecting Windows platforms. This worm also contains back-door functionality, allowing a malicious user remote access to the infected computer through IRC channels while running in the background.
When the worm executes, it copies itself to the following location:
Next, the worm creates the following registry entry so that it executes whenever Windows starts:
The worm may spread through network shares protected by weak passwords and by exploiting the following vulnerabilities:
Symantec Client Security and Symantec Antivirus Elevation of Privilege (BID 18107)
Microsoft Windows Server Service Remote Buffer Overflow Vulnerability (BID 19409)
Microsoft SQL Server User Authentication Remote Buffer Overflow Vulnerability (BID 5411) using UDP port 14341
How Cisco Security Agent Stops the Exploit
Cisco Security Agent default policies contain multiple rules that stop the exploit from doing any damage. No changes to the Cisco Security Agent binaries or default configuration are required to get this protection.
The following actions have been observed being blocked by Cisco Security Agent running the default security policies:
• Execution of a system function from a buffer, through a buffer overflow
• Modification of system files by a recently downloaded application
• Modification of registry keys
• Modification of system memory
This testing is shown in Figures 1 and 2.
Note: The exploit was tested at Cisco, with the agent in Test mode, which will cause the agent to alert (but not block) malicious behavior. This was done to observe all possible ways that the Cisco Security Agent default policies would stop the exploit. When the agent is in Protect mode (the typical operational configuration), the first rule would kill the exploit. No subsequent events would be seen, since the exploit would be terminated before it could perform any malicious actions.
Testing was performed against the Cisco Security Agent default policies. No binary or policy update was needed for Cisco Security Agents to be effective. In short, this was a true test of "day-zero" protection. This is similar to what Cisco has seen with earlier exploits and worms: the default Cisco Security Agent configuration stopped the exploit, with no binary or policy updates required. The following is a partial list of prior worms and exploits that Cisco Security Agent has stopped via the default security policy settings:
This exploit is only the latest example of new and mutating attacks that can seriously affect an organization's computing and network environments. The key to stopping these new attacks is two-fold: the ability to stop the attack without requiring any changes to the default configuration, and multiple rules in the default policies that provide defense in depth.
Figure 1. Cisco Security Agent Default Configuration Stops the Win32.Rinbot.H Exploit (Tested on Cisco Security Agent 5.1)
Figure 2. Cisco Security Agent Default Configuration Stops the Win32.Rinbot.H Exploit (Tested on Cisco Security Agent 5.1)