Security Incidents mailing list archives
New SDBot variant
From: "Christopher Harrington" <charrington () nitrodata com>
Date: Tue, 10 Aug 2004 14:59:58 -0400
All, We are seeing what may be a new variant of SDBot. This variant spreads by exploiting the LSASS vulnerability. Once infected, the machine joins an IRC Bot net via TCP 6667. Some of the infected machines then download an executable via TFTP. This transfer is initiated over IRC. I have attached the Bintext output and an md5 for the file. The executable is named NTAPI32.exe and is downloaded to the system32 directory. The exe is 143.03 kb. I tried Symantec, Trend, F-Secure and Sophos...none could identify it. In the IRC logs there these entries: PRIVMSG #irc :[lsass]: Exploiting IP: 10.x.x.x. PRIVMSG #irc :[TFTP]: File transfer started to IP: 10.x.x.x (C:\WINDOWS\System32\ntapi32.exe) A quick (and untested :)) signature below: alert tcp any any -> any any ( msg: "LSASS expolit via IRC, possible SDBot variant"; content: ":[lsass]: Exploiting IP:"; classtype: misc-activity; rev: 1;) I will post more when I have it. Regards, --Chris -- Christopher Harrington, CISSP Director of Security Engineering NitroData Systems, Inc. 603-766-8160, ext. 25 http://www.nitroguard.com
Attachment:
NTAPI32.md5
Description:
Attachment:
bintext.txt
Description:
Current thread:
- New SDBot variant Christopher Harrington (Aug 10)