-UPDATE- Sasser Worm, Week in Review; LSASS Exploit Analysis; SANSFIRE 2004
Sasser Worm
ISC is aware of the LSASS Sasser worm.
This worm is spreading through the MS04-011 (LSASS) vulnerability.
According to AV companies, this worm generates traffic on ports 445, 5554 and 9996. It also copies itself into the Windows folder under the name avserve.exe, creates a file called win.log at c:\, and adds the registry entry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\avserve = avserve.exe
Another sign of infection is frequent crashes of 'LSASS.EXE'.
Expect frequent updates.
References: http://www.f-secure.com/v-descs/sasser.shtml
http://www.sophos.com/virusinfo/analyses/w32sassera.html
Due to the release of this worm, we moved to infocon yellow for the next 24 hrs. The exact impact is not clear at this point.
Week in review. Many organizations, including the Storm Center, have been predicting a widespread malware outbreak that would exploit one or more of the vulnerabilities contained in the April Microsoft security bulletins. So far this week we have not seen any worm code, but the Ago|Gao|Phatbot family continues to grow and mutate. There are now several hundred variations of this bot family and there does not appear to be an end in sight. The family added tcp/1025 to its list of ports to scan, apparently hunting for RPC/LSASS and RPC/DCOM vulnerabilities. Increased scanning reported by DShield users on ports 135, 139, 445, 1025, 1433, 2745, 3127, and 5000 is probably related to this family of bots. File names reported to the ISC this week that appear to be versions of the bot family include wmiprvsw.exe, wmipsvsc.exe, msiwin84.exe, and msiwin98.exe.
Other items included new versions of the Bagle and Netsky viruses plus increased scanning for open mail proxies on ports 559 and 65506.
LSASS exploit analysis. At the beginning of the week a Windows RPC/LSASS (MS04-011) remote exploit began circulating. Later in the week a universal exploit for lsasrv.dll was made public. Kyle Haugsness, one of our incident handlers, assembled the following analysis:
The Microsoft LSASS vulnerability released on April 13, 2004 is currently being exploited in the wild. At least two published exploits have been confirmed to gain full remote administrative privileges on Windows 2000 (Pro and Server) and Windows XP (see http://www.k-otik.com/exploits/). Due to the nature of the vulnerability, the exploit can be launched against several TCP/UDP ports (see list below). Exploit code in the wild has been observed attacking TCP 1025. Additionally, a working exploit appears to have been included in recent versions of the Phatbot/Agobot family of malware, which spreads in a worm-like fashion.
A machine infected with Phatbot/Agobot has been known to scan some of the following TCP ports in rapid succession (and not necessarily in this order): 2745, 1025, 80, 3127, 6129, 1433, 5000, 445, 443, 135
In addition to TCP 1025, the following ports are vulnerable to the LSASS exploit:
TCP 135, 139, 445, and 593.
UDP 135, 137, 138, and 445.
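The Sasser indicators (a 445 sweep, plus the worm's own 5554 FTP server and 9996 shell) and the Phatbot/Agobot port list above can both be turned into simple log-based detections. The following Python is an added example written for this diary, not ISC code. It assumes a constructed firewall log format of "timestamp src dst proto dst_port" per line; the sample lines embedded in it are made up for illustration, and the port numbers come from the text above.

```python
"""Detect Sasser-style 445 sweeps, Sasser service ports and Agobot/Phatbot
port sweeps in a firewall log. Added example; the log format and the sample
lines are constructed, the port lists are taken from the ISC diary text."""
from collections import defaultdict
from datetime import datetime, timedelta

# Ports the diary attributes to Sasser (5554 FTP server, 9996 remote shell)
# and the TCP ports the Agobot/Phatbot family scans in rapid succession.
SASSER_SERVICE_PORTS = {5554: "Sasser FTP server", 9996: "Sasser remote shell"}
AGOBOT_SCAN_PORTS = {2745, 1025, 80, 3127, 6129, 1433, 5000, 445, 443, 135}

# Constructed sample log (not real data). One record per line:
#   <ISO timestamp> <src_ip> <dst_ip> <proto> <dst_port>
# 10.0.0.5 sweeps TCP 445 across a subnet, then shells 10.0.1.3 on 9996,
# which fetches the worm back from 10.0.0.5:5554 (Sasser pattern).
# 10.0.0.9 probes the Agobot port set against one target within seconds.
# 10.0.0.20 is ordinary web traffic and must not be flagged.
SAMPLE_LOG = """\
2004-05-01T03:00:00 10.0.0.5 10.0.1.1 tcp 445
2004-05-01T03:00:00 10.0.0.5 10.0.1.2 tcp 445
2004-05-01T03:00:01 10.0.0.5 10.0.1.3 tcp 445
2004-05-01T03:00:01 10.0.0.5 10.0.1.4 tcp 445
2004-05-01T03:00:01 10.0.0.5 10.0.1.5 tcp 445
2004-05-01T03:00:02 10.0.0.5 10.0.1.6 tcp 445
2004-05-01T03:00:02 10.0.0.5 10.0.1.7 tcp 445
2004-05-01T03:00:02 10.0.0.5 10.0.1.8 tcp 445
2004-05-01T03:00:03 10.0.0.5 10.0.1.3 tcp 9996
2004-05-01T03:00:04 10.0.1.3 10.0.0.5 tcp 5554
2004-05-01T03:01:00 10.0.0.9 10.0.2.7 tcp 2745
2004-05-01T03:01:00 10.0.0.9 10.0.2.7 tcp 1025
2004-05-01T03:01:01 10.0.0.9 10.0.2.7 tcp 80
2004-05-01T03:01:01 10.0.0.9 10.0.2.7 tcp 3127
2004-05-01T03:01:02 10.0.0.9 10.0.2.7 tcp 6129
2004-05-01T03:01:02 10.0.0.9 10.0.2.7 tcp 1433
2004-05-01T03:01:02 10.0.0.9 10.0.2.7 udp 137
2004-05-01T03:05:00 10.0.0.20 10.0.3.1 tcp 80
2004-05-01T03:05:30 10.0.0.20 10.0.3.1 tcp 443
"""


def parse_log(text):
    """Parse the constructed format into (time, src, dst, proto, port) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, proto, port = line.split()
        records.append((datetime.fromisoformat(ts), src, dst, proto.lower(), int(port)))
    return records


def lsass_sweepers(records, min_targets=8):
    """Sources that hit TCP 445 on at least min_targets distinct hosts.
    A single host fanning out to many 445 endpoints is the clearest
    network sign of Sasser spreading through the LSASS port."""
    targets = defaultdict(set)
    for _, src, dst, proto, port in records:
        if proto == "tcp" and port == 445:
            targets[src].add(dst)
    return {src: len(t) for src, t in targets.items() if len(t) >= min_targets}


def sasser_service_hits(records):
    """Destinations contacted on Sasser's 5554 or 9996 ports; only an
    infected host normally listens there, so the destination is the suspect."""
    hits = defaultdict(set)
    for _, src, dst, proto, port in records:
        if proto == "tcp" and port in SASSER_SERVICE_PORTS:
            hits[dst].add(SASSER_SERVICE_PORTS[port])
    return {dst: sorted(names) for dst, names in hits.items()}


def agobot_sweeps(records, min_ports=5, window=timedelta(seconds=10)):
    """(src, dst) pairs where one source probes at least min_ports distinct
    ports from the Agobot set on one target within the window, in any order."""
    per_pair = defaultdict(list)
    for ts, src, dst, proto, port in records:
        if proto == "tcp" and port in AGOBOT_SCAN_PORTS:
            per_pair[(src, dst)].append((ts, port))
    found = {}
    for pair, probes in per_pair.items():
        probes.sort()
        # Sliding window anchored at each probe over the time-sorted list.
        for i, (t0, _) in enumerate(probes):
            ports = {p for t, p in probes[i:] if t - t0 <= window}
            if len(ports) >= min_ports:
                found[pair] = len(ports)
                break
    return found


def analyze(text=SAMPLE_LOG):
    """Run all three checks over a log text and return their findings."""
    records = parse_log(text)
    return {
        "lsass_sweepers": lsass_sweepers(records),
        "sasser_services": sasser_service_hits(records),
        "agobot_sweeps": agobot_sweeps(records),
    }


if __name__ == "__main__":
    for name, finding in analyze().items():
        print(name, finding)
```

The thresholds (eight 445 targets, five Agobot ports within ten seconds) are assumptions chosen for the sample; on a real perimeter log they should be tuned against normal SMB and web traffic, and the 445 sweep check alone will also fire on legitimate vulnerability scanners, so the 5554/9996 hits are the better confirmation of an actual Sasser infection.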
The patch for the vulnerability (MS04-011) can be installed through Windows Update or located at the following URL:
http://www.microsoft.com/technet/security/bulletin/MS04-011.mspx
The vulnerability has been assigned CVE reference number CAN-2003-0533:
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0533
SANSFIRE 2004. Finally, I'd like to put in a plug for this summer's hottest computer security conference, SANSFIRE in Monterey, California. Come meet several of the ISC handlers and attend one of SANS' 14 training tracks the first week in July. See you there! http://www.sans.org/sansfire2004/
Marcus H. Sachs
The SANS Institute
Handler on Duty