[unisog] Apparent spread of LSASS exploitation

Lang, Michael mike.lang at uconn.edu
Wed Apr 28 17:27:25 GMT 2004


I'm pretty sure it's lsass; 'strings msiwin84.exe | grep sa' returns 'lsarpc'.

Hmmm....

It has to be something from the April group of vulnerabilities; there is no way we would have 1000+ infections from the old vulnerabilities.  I've been all over the old variants and this one, and I'm 99% sure it exploits something from April's batch of vulnerabilities.

Is it safe for me to post a web link to the binary on this list?  A bunch of people seem interested in it.

- Mike

-----Original Message-----
From: unisog-bounces at lists.sans.org
[mailto:unisog-bounces at lists.sans.org]On Behalf Of Brian Eckman
Sent: Wednesday, April 28, 2004 1:16 PM
To: UNIversity System Operators Group Mailing list
Subject: Re: [unisog] Apparent spread of LSASS exploitation


Lang, Michael wrote:
> I believe so, hard to tell because I have ACLs that block 135,445.  I saw a boat load of 1025...
> 
> - Mike

Mike,

Do you have any evidence that it was trying to specifically exploit the 
LSASS flaw, and not something else that might listen on 1025/tcp? 
Polybot has been targeting 1025/tcp for months, well before MS04-011 was 
known. I believe it was either MS03-001 or MS03-049 that it was trying 
to exploit over that port.

It's important to differentiate, as if it is targeting the LSASS flaw, 
then a bunch of us on this list would love to have a copy. If it's just 
targeting 1025/tcp, it's likely not of interest.

Please send a copy to me if you have time. A password protected ZIP file 
is preferred.

Thanks,
Brian

> 
> -----Original Message-----
> From: Gary Flynn [mailto:flynngn at jmu.edu]
> Sent: Wednesday, April 28, 2004 12:56 PM
> To: UNIversity System Operators Group Mailing list
> Cc: Lang, Michael
> Subject: Re: [unisog] Apparent spread of LSASS exploitation
> 
> 
> Lang, Michael wrote:
> 
> 
>>I have it and sent a copy to ISC, I can send a copy to anyone who wants it.
>>
>>Symantec detects it as W32.Gaobot.AFJ in the LiveUpdate released within the hour.
>> 
>>
> 
> Do you know if it scans port 135 or 445 like previous versions?
> The reason I ask is that is how I'm detecting and quarantining
> infected computers.
> 
> thanks,
> 
> Gary Flynn
> Security Engineer
> James Madison University
> 



-- 
Brian Eckman
Security Analyst
OIT Security and Assurance
University of Minnesota
612-626-7737

"There are 10 types of people in this world. Those who
understand binary and those who don't."

_______________________________________________
unisog mailing list
unisog at lists.sans.org
http://www.dshield.org/mailman/listinfo/unisog
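Gary's quarantine method (flagging hosts that scan 135/445) and Brian's caveat (1025/tcp fan-out alone may be Polybot, not the LSASS flaw) can be turned into one small triage rule. The following is an added example, not code from the thread or from any of the posters; the flow records, host addresses and labels are constructed for illustration.

```python
from collections import defaultdict

# Ports from the thread: 135/445 is what the earlier Gaobot variants scanned and
# what Gary quarantines on; 1025/tcp is ambiguous because Polybot hit it for
# older flaws long before MS04-011.
LSASS_PORTS = {135, 445}
AMBIGUOUS_PORTS = {1025}

# Constructed sample flow records, "src dst dport", one per line (not real data).
SAMPLE_FLOWS = """\
10.1.2.3 10.1.5.1 445
10.1.2.3 10.1.5.2 445
10.1.2.3 10.1.5.3 445
10.1.2.3 10.1.5.4 445
10.1.2.9 10.1.6.1 1025
10.1.2.9 10.1.6.2 1025
10.1.2.9 10.1.6.3 1025
10.1.2.9 10.1.6.4 1025
10.1.2.20 10.1.5.1 445
10.1.2.20 10.1.6.1 1025
"""

def parse_flows(text):
    """Parse 'src dst dport' lines into (src, dst, dport) tuples; skip junk lines."""
    flows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 3:
            flows.append((parts[0], parts[1], int(parts[2])))
    return flows

def classify_hosts(flows, threshold=4):
    """Label each source host by how many distinct peers it hit on each port."""
    fan = defaultdict(lambda: defaultdict(set))  # src -> dport -> {dst}
    for src, dst, dport in flows:
        fan[src][dport].add(dst)
    labels = {}
    for src, ports in fan.items():
        scanning = {p for p, dsts in ports.items() if len(dsts) >= threshold}
        if scanning & LSASS_PORTS:
            labels[src] = "quarantine: 135/445 fan-out"
        elif scanning & AMBIGUOUS_PORTS:
            labels[src] = "review: 1025/tcp fan-out only"
        else:
            labels[src] = "normal"
    return labels

if __name__ == "__main__":
    for host, label in sorted(classify_hosts(parse_flows(SAMPLE_FLOWS)).items()):
        print(host, label)
```

The threshold of four distinct destinations is an arbitrary choice for the sample; a real deployment would tune it against normal SMB/RPC fan-out on the local network.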