[unisog] Apparent spread of LSASS exploitation
dugbrown at email.unc.edu
Wed Apr 28 18:33:35 GMT 2004
I have some pcaps on what we're seeing; I'd rather not send them to the
list - but if any of my trusted colleagues would like a copy for their
own filter writing, please write me directly and I'll send them your way.
Hope this helps,
Douglas Brown, CISSP
Manager of Security Resources
UNC Chapel Hill
Lang, Michael wrote:
> I'm pretty sure it's lsass, 'strings msiwin84.exe | grep sa' returns 'lsarpc'
> It has to be something from the April group of vulnerabilities, there is no way we would have 1000+ infections from the old vulnerabilities. I've been all over the old variants and this one, I'm 99% sure it exploits something from April's batch of vulnerabilities.
> Is it safe for me to post a web link to the binary on this list? A bunch of people seem interested in it.
> - Mike
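The `strings msiwin84.exe | grep sa` triage step quoted above is a useful first look at a suspect binary, but a plain `strings` run only finds narrow ASCII runs and silently misses UTF-16LE text, which is how Windows binaries commonly store pipe names and paths (GNU `strings` needs `-el` for that). The following is an added example, not code from the thread or from either poster: it extracts both ASCII and UTF-16LE strings from a byte buffer and flags the LSASS/RPC-related indicators a responder would grep for. The sample bytes are constructed for the example, and the indicator list is an assumption chosen to match the thread's `lsarpc` finding, not anything derived from the actual msiwin84.exe.

```python
import re
import sys

# Constructed sample blob standing in for a suspect binary (not the real
# msiwin84.exe): an ASCII named-pipe path, a UTF-16LE share path, some
# unrelated filler, and a UTF-16LE process name.
SAMPLE = (
    b"\x00\x01MZ\x90\x00"
    + b"\\\\.\\pipe\\lsarpc\x00"
    + b"\xff\xfe"
    + "\\\\%s\\ipc$".encode("utf-16-le")
    + b"\x00\x00junk\x7f"
    + "lsass.exe".encode("utf-16-le")
    + b"\x00"
)

MIN_LEN = 4
# Run of printable ASCII bytes, like what `strings` reports by default.
ASCII_RE = re.compile(rb"[\x20-\x7e]{%d,}" % MIN_LEN)
# Run of printable ASCII bytes each followed by a NUL: UTF-16LE text,
# which default `strings` does not report.
WIDE_RE = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % MIN_LEN)

# Substrings worth flagging when triaging an LSASS-related sample
# (assumed list for this example; extend it for other RPC interfaces).
INDICATORS = ("lsarpc", "lsass", "ipc$", "\\pipe\\")


def extract_strings(data, min_len=MIN_LEN):
    """Return (offset, encoding, text) for every ASCII and UTF-16LE
    string of at least min_len characters, ordered by file offset."""
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    wide_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    found = []
    for m in ascii_re.finditer(data):
        found.append((m.start(), "ascii", m.group().decode("ascii")))
    for m in wide_re.finditer(data):
        found.append((m.start(), "utf16le", m.group().decode("utf-16-le")))
    found.sort()
    return found


def triage(data):
    """Return the extracted strings that contain any indicator, with the
    matched indicators listed in INDICATORS order."""
    hits = []
    for off, enc, text in extract_strings(data):
        low = text.lower()
        matched = [ind for ind in INDICATORS if ind in low]
        if matched:
            hits.append({"offset": off, "encoding": enc,
                         "string": text, "indicators": matched})
    return hits


if __name__ == "__main__":
    # Pass a file path to scan a real sample; otherwise scan the constructed blob.
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    for hit in triage(blob):
        print("0x%08x %-7s %-24s %s" % (hit["offset"], hit["encoding"],
                                         hit["string"], ",".join(hit["indicators"])))
```

Against the constructed blob this reports three hits: the ASCII `\\.\pipe\lsarpc` path, and the two UTF-16LE strings (`\\%s\ipc$` and `lsass.exe`) that a default `strings | grep` would never show. When running it on a real sample, treat the output as a pointer for where to look in the disassembly and in the pcaps, not as proof of which vulnerability is exploited.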