[unisog] Apparent spread of LSASS exploitation

Douglas Brown dugbrown at email.unc.edu
Wed Apr 28 18:33:35 GMT 2004

I have some pcaps on what we're seeing; I'd rather not send them to the 
list - but if any of my trusted colleagues would like a copy for their 
own filter writing, please write me directly and I'll send them your way.

Hope this helps,
Douglas Brown, CISSP
Manager of Security Resources
UNC Chapel Hill
Abernethy 105

Lang, Michael wrote:
> I'm pretty sure it's lsass, 'strings msiwin84.exe | grep sa' returns 'lsarpc'
> Hmmm....
> It has to be something from the April group of vulnerabilities, there is no way we would have 1000+ infections from the old vulnerabilities.  I've been all over the old variants and this one, I'm 99% sure it exploits something from April's batch of vulnerabilities.
> Is it safe for me to post a web link to the binary on this list?  A bunch of people seem interested in it.
> - Mike
