Educause Security Discussion mailing list archives

Apparent spread of LSASS exploitation


From: Phil Rodrigues <phil.rodrigues () NYU EDU>
Date: Wed, 28 Apr 2004 09:20:49 -0400

Hi all,

The Internet Storm Center posted that some .edu's have seen what appears
to be a mass exploitation of their systems with a variant of the PolyBot
worm that uses the LSASS exploit:

http://isc.incidents.org/diary.php?date=2004-04-27

Others have reported successfully compiling and using the LSASS exploit
code against unpatched Windows 2000 SP 4 systems.  When used against
some Windows XP systems it causes the service to crash and starts a
count-down timer (ala Nimda).

If you have received reports of Windows XP systems that are suddenly in
a system shut-down countdown timer, or your network folks are seeing
lots of PolyBot / AgoBot-ish scans (maybe with 1433/tcp included) coming
from large sections of your network, you may be the target of attacks
exploiting LSASS.

This is the same pattern we all saw pre-Blaster: publicly available code
for a root exploit on unpatched Windows systems, selected .edu networks
targeted by custom attacks, indications of wide-spread use of the
exploit code.  A week or so later Blaster appeared.  Perhaps this will
encourage us all to patch ASAP.

Hopefully I am wrong, and these reports will lead nowhere. :-)

Phil Rodrigues

Sr Network Security Analyst
New York University
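The indicator Phil describes (hosts fanning out to many machines on PolyBot/AgoBot-style ports, possibly including 1433/tcp, from large sections of a network) can be turned into a simple detection. The script below is an added example, not code from the original post or from the list; it runs over constructed connection records in an assumed `timestamp src dst dport` format, and the fan-out threshold and the inclusion of 139/tcp and 445/tcp (the SMB ports through which the MS04-011 LSASS flaw is reached) are assumptions of this example, not statements from the post.

```python
import ipaddress
from collections import defaultdict
from typing import Dict, Iterable, List, NamedTuple

# 1433/tcp is the port the post names; 139 and 445 (SMB, the paths to LSASS
# used by the MS04-011 exploit) are an assumption added in this example.
WATCH_PORTS = {139, 445, 1433}
FANOUT_THRESHOLD = 20  # distinct destinations per (source, port); assumed tuning


class Flow(NamedTuple):
    ts: str
    src: str
    dst: str
    dport: int


def parse_flow(line: str) -> Flow:
    """Parse one 'timestamp src dst dport' record (assumed log format)."""
    ts, src, dst, dport = line.split()
    return Flow(ts, src, dst, int(dport))


def find_scanners(flows: Iterable[Flow], threshold: int = FANOUT_THRESHOLD) -> Dict[str, Dict[int, int]]:
    """Return sources that reach >= threshold distinct destinations on a watched port.

    Run this over one time bucket (e.g. five minutes of logs) so that a client
    that legitimately accumulates many SMB peers over days is not flagged.
    """
    dsts = defaultdict(set)  # (src, dport) -> set of distinct destinations
    for f in flows:
        if f.dport in WATCH_PORTS:
            dsts[(f.src, f.dport)].add(f.dst)
    hits: Dict[str, Dict[int, int]] = {}
    for (src, dport), targets in dsts.items():
        if len(targets) >= threshold:
            hits.setdefault(src, {})[dport] = len(targets)
    return hits


def affected_subnets(hits: Dict[str, Dict[int, int]], prefix: int = 24) -> Dict[str, int]:
    """Count flagged sources per /prefix, so a 'large section of the network' stands out."""
    counts: Dict[str, int] = defaultdict(int)
    for src in hits:
        net = ipaddress.ip_network(f"{src}/{prefix}", strict=False)
        counts[str(net)] += 1
    return dict(counts)


def constructed_sample() -> List[str]:
    """Constructed log lines for the demo; not captured traffic."""
    lines = []
    for i in range(1, 31):   # host A sweeps 30 hosts on 445/tcp
        lines.append(f"2004-04-27T10:00:{i:02d} 10.1.2.3 10.1.5.{i} 445")
    for i in range(1, 26):   # host A also probes 25 hosts on 1433/tcp
        lines.append(f"2004-04-27T10:01:{i:02d} 10.1.2.3 10.1.6.{i} 1433")
    for i in range(1, 31):   # host B sweeps 30 hosts on 139/tcp
        lines.append(f"2004-04-27T10:02:{i:02d} 10.1.2.7 10.1.7.{i} 139")
    for i in range(1, 11):   # host C: repeated SMB to one file server (benign)
        lines.append(f"2004-04-27T10:00:{i:02d} 10.1.2.4 10.1.9.10 445")
    for i in range(1, 26):   # host D: web browsing fan-out on 80/tcp (not watched)
        lines.append(f"2004-04-27T10:03:{i:02d} 10.1.2.9 10.1.8.{i} 80")
    return lines


if __name__ == "__main__":
    hits = find_scanners(parse_flow(line) for line in constructed_sample())
    for src, ports in sorted(hits.items()):
        print(src, ports)
    print("flagged sources per /24:", affected_subnets(hits))
```

Hosts A and B are reported with their per-port fan-out; the file-server client and the web browser are not, because the first touches one destination and the second uses a port outside the watch list. Several flagged sources inside one /24 is the "large sections of your network" signal the post asks network staff to look for.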

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at 
http://www.educause.edu/cg/.
