[unisog] Apparent spread of LSASS exploitation

Douglas Brown dugbrown at email.unc.edu
Wed Apr 28 18:33:35 GMT 2004


I have some pcaps on what we're seeing; I'd rather not send them to the 
list - but if any of my trusted colleagues would like a copy for their 
own filter writing, please write me directly and I'll send them your way.

hope this helps,
-Doug
-- 
Douglas Brown, CISSP
Manager of Security Resources
UNC Chapel Hill
Abernethy 105

Lang, Michael wrote:
> I'm pretty sure it's lsass, 'strings msiwin84.exe | grep sa' returns 'lsarpc'
> 
> Hmmm....
> 
> It has to be something from the April group of vulnerabilities, there is no way we would have 1000+ infections from the old vulnerabilities.  I've been all over the old variants and this one, I'm 99% sure it exploits something from April's batch of vulnerabilities.
> 
> Is it safe for me to post a web link to the binary on this list?  A bunch of people seem interested in it.
> 
> - Mike
> 


