[unisog] Apparent spread of LSASS exploitation
mike.lang at uconn.edu
Wed Apr 28 17:27:25 GMT 2004
I'm pretty sure it's lsass, 'strings msiwin84.exe | grep sa' returns 'lsarpc'
It has to be something from the April group of vulnerabilities; there is no way we would have 1000+ infections from the old vulnerabilities. I've been all over the old variants and this one, and I'm 99% sure it exploits something from April's batch of vulnerabilities.
Is it safe for me to post a web link to the binary on this list? A bunch of people seem interested in it.
From: unisog-bounces at lists.sans.org [mailto:unisog-bounces at lists.sans.org] On Behalf Of Brian Eckman
Sent: Wednesday, April 28, 2004 1:16 PM
To: UNIversity System Operators Group Mailing list
Subject: Re: [unisog] Apparent spread of LSASS exploitation
Lang, Michael wrote:
> I believe so, hard to tell because I have ACLs that block 135 and 445. I saw a boatload of 1025...
> - Mike
Do you have any evidence that it was trying to specifically exploit the
LSASS flaw, and not something else that might listen on 1025/tcp?
Polybot has been targeting 1025/tcp for months, well before MS04-011 was
known. I believe it was either MS03-001 or MS03-049 that it was trying
to exploit over that port.
It's important to differentiate, since if it is targeting the LSASS flaw,
then a bunch of us on this list would love to have a copy. If it's just
targeting 1025/tcp, it's likely not of interest.
Please send a copy to me if you have time. A password-protected ZIP file
> -----Original Message-----
> From: Gary Flynn [mailto:flynngn at jmu.edu]
> Sent: Wednesday, April 28, 2004 12:56 PM
> To: UNIversity System Operators Group Mailing list
> Cc: Lang, Michael
> Subject: Re: [unisog] Apparent spread of LSASS exploitation
> Lang, Michael wrote:
>>I have it and sent a copy to ISC; I can send a copy to anyone who wants it.
>>Symantec detects it as W32.Gaobot.AFJ in the liveupdate released within the hour.
> Do you know if it scans port 135 or 445 like previous versions?
> The reason I ask is that is how I'm detecting and quarantining
> infected computers.
> Gary Flynn
> Security Engineer
> James Madison University
> unisog mailing list
> unisog at lists.sans.org
OIT Security and Assurance
University of Minnesota
"There are 10 types of people in this world. Those who
understand binary and those who don't."
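
The thread makes two practical points: Gary detects and quarantines infected hosts by their scanning of 135/445, and Brian warns that a host sweeping 1025/tcp alone may be Polybot rather than an LSASS exploiter, so the sample itself (Mike's `strings ... | grep` check for "lsarpc") is what settles it. The following is an added example written for this page, not code from any poster; it runs the two checks over constructed data. The log format, the hosts and the scan threshold are assumptions, and the sample bytes are a fabricated stand-in for msiwin84.exe.

```python
"""Two triage checks from the unisog thread, as an added example.

1. classify(): flag sources that contact many distinct hosts on 135/445
   (LSASS-style worm scanning) versus 1025/tcp only (Polybot-style), from a
   constructed netflow-like log "<ts> <src> <dst> <dport> <proto>".
2. has_lsarpc_string(): the 'strings | grep lsarpc' check on a byte blob.
Thresholds, log format and sample data are assumptions, not from the thread.
"""
import re
from collections import defaultdict

# Port groupings are the thread's own observations about earlier Gaobot
# variants (135/445) and Polybot (1025); the mapping to a specific flaw
# cannot be made from ports alone, which is exactly Brian's point.
LSASS_PORTS = {135, 445}
OTHER_PORTS = {1025}
# Assumption: this many distinct destinations on one port = a scanner.
SCAN_THRESHOLD = 5


def parse_line(line):
    """Split one constructed log record into its five fields."""
    ts, src, dst, port, proto = line.split()
    return ts, src, dst, int(port), proto


def distinct_targets(lines):
    """Return {src: {dport: set(dst)}} counting TCP records only."""
    targets = defaultdict(lambda: defaultdict(set))
    for line in lines:
        if not line.strip():
            continue
        _, src, dst, port, proto = parse_line(line)
        if proto.lower() != "tcp":
            continue
        targets[src][port].add(dst)
    return targets


def classify(lines, threshold=SCAN_THRESHOLD):
    """Return {src: verdict} for every source that sweeps >= threshold hosts.

    'lsass-style' = sweeping 135 and/or 445, '1025-only' = sweeping only
    1025/tcp, 'mixed' = both, 'other' = sweeping some other port.
    """
    verdicts = {}
    for src, per_port in distinct_targets(lines).items():
        swept = {p for p, dsts in per_port.items() if len(dsts) >= threshold}
        if not swept:
            continue
        if swept & LSASS_PORTS and swept & OTHER_PORTS:
            verdicts[src] = "mixed"
        elif swept & LSASS_PORTS:
            verdicts[src] = "lsass-style"
        elif swept <= OTHER_PORTS:
            verdicts[src] = "1025-only"
        else:
            verdicts[src] = "other"
    return verdicts


def extract_strings(data, min_len=4):
    """ASCII strings of min_len+ printable bytes, like strings(1) by default.
    UTF-16 strings common in PE files are not found; strings -e l would be."""
    return re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data)


def has_lsarpc_string(data):
    """True if any extracted string mentions the lsarpc named pipe/interface."""
    return any(b"lsarpc" in s for s in extract_strings(data))


# Constructed sample log (not real traffic): 10.0.0.5 sweeps 445 and 135,
# 10.0.0.9 sweeps only 1025, 10.0.0.7 makes a few ordinary connections.
SAMPLE_LOG = (
    [f"2004-04-28T17:{i:02d} 10.0.0.5 192.168.1.{i} 445 tcp" for i in range(1, 9)]
    + [f"2004-04-28T17:{i:02d} 10.0.0.5 192.168.2.{i} 135 tcp" for i in range(1, 7)]
    + [f"2004-04-28T17:{i:02d} 10.0.0.9 192.168.3.{i} 1025 tcp" for i in range(1, 8)]
    + ["2004-04-28T17:30 10.0.0.7 192.168.1.10 445 tcp",
       "2004-04-28T17:31 10.0.0.7 192.168.1.11 80 tcp",
       "2004-04-28T17:32 10.0.0.7 192.168.1.12 53 udp"]
)

# Fabricated bytes standing in for a sample; not the real msiwin84.exe.
SAMPLE_BYTES = b"MZ\x90\x00\x03\x00\x00\x00\\\\.\\PIPE\\lsarpc\x00\x01\x02ntsvcs\x00"

if __name__ == "__main__":
    print(classify(SAMPLE_LOG))
    print(has_lsarpc_string(SAMPLE_BYTES))
```

Note the caveat Mike's own situation illustrates: if border ACLs block 135 and 445, the logs will only ever show 1025, so a "1025-only" verdict from such a vantage point says nothing about the worm's real targets. Gary's quarantine rule on 135/445 works only where that traffic is actually visible, and the string check on the captured binary remains the stronger evidence either way.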