[unisog] Apparent spread of LSASS exploitation

Brian Eckman eckman at umn.edu
Wed Apr 28 18:29:42 GMT 2004

Lang, Michael wrote:
 > I'm pretty sure it's lsass, 'strings msiwin84.exe | grep sa' returns
 > 'lsarpc'
 > Hmmm....
 > It has to be something from the April group of vulnerabilities, there
 > is no way we would have 1000+ infections from the old
 > vulnerabilities.  I've been all over the old variants and this one,
 > I'm 99% sure it exploits something from April's batch of
 > vulnerabilities.

1000+?!?!?  Sorry, I had no idea!

 > Is it safe for me to post a web link to the binary on this list?  A
 > bunch of people seam interested in it.

I guess it depends on your definition of safe. There are certainly very 
solid arguments against putting it on a public HTTP server. However, I 
wouldn't be one of the people complaining :)  (Beggars can't be choosers)

Brian Eckman
Security Analyst
OIT Security and Assurance
University of Minnesota

More information about the unisog mailing list