DNS Exploit Used to Plant Backdoor on Windows Servers

Security engineers are confirming that customers whose Windows servers were penetrated by a version of the recent DNS service exploit were infected by any of three variants of backdoor worms identified by Sophos as W32/Delbot.

Sophos believes this to be a variant of the same worm that infected systems susceptible to vulnerabilities discovered in Symantec Anti-virus software late last year. In fact, versions of the worm that infect systems through the DNS service exploit are capable of spreading themselves via the Symantec exploit as well, along with other buffer overflow exploits.

The discovery is an indicator that the perpetrator may be more interested in identity theft and corporate electronic voyeurism than in disturbing the domain name system itself, as some sources earlier reported.

DNS services on Windows Server-based computers provide routing within company domains, not on the broader Internet.

In an update to its advisory today, Microsoft promised customers that something would be ready to address the DNS problem by May 8 -- the next Patch Tuesday -- although it wasn't explicit as to what that something was.

"We have teams around the world working on it twenty-four hours a day," reads the Security Response Center blog, "and hope to have updates no later than May 8, 2007 for the May monthly bulletin release." It went on to remind customers that the company has to write these updates in 133 languages and test them independently.
