-UPDATE- Sasser Worm, Week in Review; LSASS Exploit Analysis; SANSFIRE 2004
Sasser Worm
ISC is aware of the LSASS Sasser worm.
This worm is spreading through the MS04-011 (LSASS) vulnerability.
According to AV companies, this worm generates traffic on ports 445, 5554 and 9996. It also copies itself into the Windows folder under the name avserve.exe, creates a file named win.log at c:\, and adds the registry value:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\avserve = avserve.exe
Another sign of infection is frequent crashes of 'LSASS.EXE'.
Expect frequent updates.
References: http://www.f-secure.com/v-descs/sasser.shtml
http://www.sophos.com/virusinfo/analyses/w32sassera.html
Due to the release of this worm, we moved to infocon yellow for the next 24 hrs. The exact impact is not clear at this point.
Week in review. Many organizations including the Storm Center have been predicting a widespread malware outbreak that would exploit one or more of the vulnerabilities contained in the April Microsoft security bulletins. So far this week we have not seen any worm code, but the Ago|Gao|Phatbot family continues to grow and mutate. There are now several hundred variations of this bot family and there does not appear to be an end in sight. The family added tcp/1025 to its list of ports to scan, apparently hunting for RPC/LSASS and RPC/DCOM vulnerabilities. Increased scanning reported by DShield users on ports 135, 139, 445, 1025, 1433, 2745, 3127, and 5000 is probably related to this family of bots. File names reported to the ISC this week that appear to be versions of the bot family include wmiprvsw.exe, wmipsvsc.exe, msiwin84.exe, and msiwin98.exe.
Other items included new versions of the Bagle and Netsky viruses plus increased scanning for open mail proxies on ports 559 and 65506.
LSASS exploit analysis. At the beginning of the week a Windows RPC/LSASS (MS04-011) remote exploit began circulating. Later in the week a universal exploit for lsasrv.dll was made public. Kyle Haugsness, one of our incident handlers, assembled the following analysis:
The Microsoft LSASS vulnerability released on April 13, 2004 is currently being exploited in the wild. At least two published exploits have been confirmed to gain full remote administrative privileges on Windows 2000 (Pro and Server) and Windows XP (see http://www.k-otik.com/exploits/). Due to the nature of the vulnerability, the exploit can be launched against several TCP/UDP ports (see list below). Exploit code in the wild has been observed attacking TCP 1025. Additionally, a working exploit appears to have been included in recent versions of the Phatbot/Agobot family of malware, which spreads in a wormlike fashion.
A machine infected with Phatbot/Agobot has been known to scan some of the following TCP ports in rapid succession (and not necessarily in this order): 2745, 1025, 80, 3127, 6129, 1433, 5000, 445, 443, 135.
In addition to TCP 1025, the following ports are vulnerable to the LSASS exploit:
TCP 135, 139, 445, and 593.
UDP 135, 137, 138, and 445.
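The two traffic profiles described above (Sasser's tcp/445 fan-out with 5554/9996 activity, and the bot family's rapid sweep of its port list against one target) can be pulled out of ordinary firewall logs. The following is an added example, not ISC or DShield code; the log format, thresholds and sample lines are constructed assumptions for illustration.

```python
from collections import defaultdict

# Constructed sample log (not from the diary): "seconds src dst proto dport"
SAMPLE_LOG = """\
0.00 10.1.1.5 10.1.2.10 tcp 445
0.10 10.1.1.5 10.1.2.11 tcp 445
0.20 10.1.1.5 10.1.2.12 tcp 445
0.60 10.1.1.5 10.1.2.12 tcp 9996
1.00 10.1.1.7 10.1.2.20 tcp 2745
1.05 10.1.1.7 10.1.2.20 tcp 1025
1.10 10.1.1.7 10.1.2.20 tcp 3127
1.15 10.1.1.7 10.1.2.20 tcp 6129
2.00 10.1.1.9 10.1.2.30 tcp 445
"""
SASSER_PORTS = {5554, 9996}   # ports the AV descriptions associate with Sasser
PHATBOT_PORTS = {2745, 1025, 80, 3127, 6129, 1433, 5000, 445, 443, 135}

def parse(log):
    for line in log.splitlines():
        ts, src, dst, proto, port = line.split()
        yield float(ts), src, dst, proto, int(port)

def classify(log, min_445_targets=3, min_bot_ports=4, window=2.0):
    """Map source IP -> set of profile labels; thresholds are assumed tuning knobs."""
    targets_445 = defaultdict(set)   # src -> distinct hosts it hit on tcp/445
    sasser_side = set()              # hosts seen on either end of 5554/9996
    pair_events = defaultdict(list)  # (src, dst) -> [(ts, bot-family port)]
    for ts, src, dst, proto, port in parse(log):
        if proto != "tcp":
            continue
        if port == 445:
            targets_445[src].add(dst)
        if port in SASSER_PORTS:
            sasser_side.update((src, dst))
        if port in PHATBOT_PORTS:
            pair_events[(src, dst)].append((ts, port))
    hits = defaultdict(set)
    # Sasser profile: fans out over tcp/445 and also touches 5554/9996
    for src, dsts in targets_445.items():
        if len(dsts) >= min_445_targets and src in sasser_side:
            hits[src].add("sasser-like")
    # Bot profile: several bot-family ports on one target within `window` seconds
    for (src, dst), events in pair_events.items():
        events.sort()
        for i, (t0, _) in enumerate(events):
            ports = {p for t, p in events[i:] if t - t0 <= window}
            if len(ports) >= min_bot_ports:
                hits[src].add("phatbot-like")
                break
    return dict(hits)
```

Calling classify(SAMPLE_LOG) flags 10.1.1.5 as sasser-like and 10.1.1.7 as phatbot-like, while the single tcp/445 connection from 10.1.1.9 stays unflagged.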
The patch for the vulnerability (MS04-011) can be installed through Windows Update or located at the following URL:
http://www.microsoft.com/technet/security/bulletin/MS04-011.mspx
The vulnerability has been assigned CVE reference number CAN-2003-0533:
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0533
SANSFIRE 2004
Finally, I'd like to put in a plug for this summer's hottest computer security conference - SANSFIRE in Monterey, California. Come meet several of the ISC handlers and attend one of SANS' 14 training tracks the first week in July. See you there! http://www.sans.org/sansfire2004/
Marcus H. Sachs
The SANS Institute
Handler on Duty