[unisog] Full-on LSASS worm? [was: Apparent spread of LSASS exploitation]

Young, Beth A. youngba at more.net
Fri Apr 30 14:42:16 GMT 2004



> -----Original Message-----
> From: unisog-bounces at lists.sans.org 
> [mailto:unisog-bounces at lists.sans.org] On Behalf Of Lang, Michael
> Sent: Friday, April 30, 2004 7:21 AM
> To: UNIversity Security Operations Group
> Subject: RE: [unisog] Full-on LSASS worm? [was: Apparent spread of LSASS exploitation]
> 
> We found a great way to detect our infected hosts.  It seems 
> that every infected host (W32.Gaobot.AFJ) on our network does 
> a DNS lookup for:
> 
> malalala.bin-laden.cc
> 
> It's trivial to go through the DNS server and look for the 
> IPs making those requests...
> 

We have a variant that is (was) trying to connect to 209.25.147.124.
We black-holed that IP address so the infected machines can't get
instructions from the IRC server and we are now in the process of
cleaning up the mess.

Beth

Beth Young, CISSP
MOREnet Security
1.800.509.6673
http://www.more.net 
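The two indicators this thread gives (the DNS name Michael's infected hosts resolve and the IRC controller address Beth black-holed) can be swept for in one pass over resolver and firewall logs. The script below is an added example, not code from either poster or from MOREnet; the BIND-style query log lines and the `src=/dst=` flow lines are constructed sample data, and the flow-line format is hypothetical.

```python
import re
from collections import defaultdict

# Indicators quoted in the thread: the name the Gaobot variant looks up,
# and the IRC controller IP that was black-holed.
IOC_DOMAIN = "malalala.bin-laden.cc"
IOC_IP = "209.25.147.124"

# BIND query-log style: "... client 10.1.2.3#1034: query: name IN A +"
DNS_RE = re.compile(
    r"client (?P<src>\d{1,3}(?:\.\d{1,3}){3})#\d+: query: (?P<qname>\S+) IN ")
# Hypothetical firewall/flow export style: "... src=A dst=B proto=tcp"
FLOW_RE = re.compile(
    r"src=(?P<src>\d{1,3}(?:\.\d{1,3}){3}) dst=(?P<dst>\d{1,3}(?:\.\d{1,3}){3})")

def suspect_hosts(dns_lines, flow_lines):
    """Map each internal IP that touched an indicator to the reasons it matched."""
    hits = defaultdict(set)
    for line in dns_lines:
        m = DNS_RE.search(line)
        # Normalise case and a trailing dot so "MALALALA.bin-laden.cc." still matches.
        if m and m.group("qname").rstrip(".").lower() == IOC_DOMAIN:
            hits[m.group("src")].add("dns:" + IOC_DOMAIN)
    for line in flow_lines:
        m = FLOW_RE.search(line)
        if m and m.group("dst") == IOC_IP:
            hits[m.group("src")].add("connect:" + IOC_IP)
    return dict(hits)

# Constructed sample logs (not real captures).
DNS_LOG = [
    "30-Apr-2004 09:15:02.123 client 10.1.2.3#1034: query: malalala.bin-laden.cc IN A +",
    "30-Apr-2004 09:15:03.456 client 10.1.2.9#1040: query: www.more.net IN A +",
    "30-Apr-2004 09:15:04.789 client 10.1.7.7#1050: query: MALALALA.bin-laden.cc. IN A +",
]
FLOW_LOG = [
    "2004-04-30 09:16:01 deny src=10.1.2.3 dst=209.25.147.124 proto=tcp",
    "2004-04-30 09:16:05 allow src=10.1.2.9 dst=198.51.100.20 proto=tcp",
    "2004-04-30 09:16:07 deny src=10.1.5.5 dst=209.25.147.124 proto=tcp",
]

if __name__ == "__main__":
    for host, reasons in sorted(suspect_hosts(DNS_LOG, FLOW_LOG).items()):
        print(host, sorted(reasons))
```

Hosts that only hit the black-holed IP but never resolved the name (10.1.5.5 above) show why both log sources are worth checking: a variant with a hard-coded controller address never touches the resolver.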
