Educause Security Discussion mailing list archives
Apparent spread of LSASS exploitation
From: Phil Rodrigues <phil.rodrigues () NYU EDU>
Date: Wed, 28 Apr 2004 09:20:49 -0400
Hi all,

The Internet Storm Center posted that some .edu's have seen what appears to be a mass exploitation of their systems with a variant of the PolyBot worm that uses the LSASS exploit: http://isc.incidents.org/diary.php?date=2004-04-27

Others have reported successfully compiling and using the LSASS exploit code against unpatched Windows 2000 SP 4 systems. When used against some Windows XP systems it causes the service to crash and starts a count-down timer (ala Nimda).

If you have received reports of Windows XP systems that are suddenly in a system shut-down countdown timer, or your network folks are seeing lots of PolyBot / AgoBot-ish scans (maybe with 1433/tcp included) coming from large sections of your network, you may be the target of attacks exploiting LSASS.

This is the same pattern we all saw pre-Blaster: publicly available code for a root exploit on unpatched Windows systems, selected .edu networks targeted by custom attacks, indications of wide-spread use of the exploit code. A week or so later Blaster appeared.

Perhaps this will encourage us all to patch ASAP. Hopefully I am wrong, and these reports will lead nowhere. :-)

Phil Rodrigues
Sr Network Security Analyst
New York University
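As an added defender-side example (not part of Phil's post or the ISC diary), the scan pattern he describes can be checked for in connection logs: flag an internal host that reaches many distinct hosts within a short window on 1433/tcp (named in the post) or on the SMB ports the LSASS exploit is carried over (445/139/tcp, an assumption the post does not spell out). The log format, addresses and thresholds below are constructed.

```python
"""Flag internal hosts that fan out to many distinct targets on the ports an
LSASS-exploit bot scans: SMB (445/139, assumed) and 1433/tcp (named in the post)."""
from collections import defaultdict
from datetime import datetime, timedelta

WATCH_PORTS = {445, 139, 1433}
FANOUT_THRESHOLD = 20          # distinct destinations from one source per window
WINDOW = timedelta(minutes=1)

def parse_line(line):
    """Constructed log format: '<ISO timestamp> <src> <dst> <dport> <proto>'."""
    ts, src, dst, dport, proto = line.split()
    return datetime.fromisoformat(ts), src, dst, int(dport), proto

def find_scanners(lines, threshold=FANOUT_THRESHOLD, window=WINDOW):
    """Return {source: max distinct targets seen in any sliding window}
    for sources whose fan-out on the watched ports reaches the threshold."""
    by_src = defaultdict(list)
    for ts, src, dst, dport, proto in sorted(parse_line(l) for l in lines if l.strip()):
        if proto == "tcp" and dport in WATCH_PORTS:
            by_src[src].append((ts, dst))
    flagged = {}
    for src, hits in by_src.items():        # hits are time-ordered per source
        best = start = 0
        for end in range(len(hits)):
            while hits[end][0] - hits[start][0] > window:
                start += 1                  # slide the window forward
            best = max(best, len({dst for _, dst in hits[start:end + 1]}))
        if best >= threshold:
            flagged[src] = best
    return flagged

# Constructed sample: two hosts sweeping 25 neighbours each on 445 and 1433,
# plus a quiet host with a few ordinary SMB/HTTP connections.
SAMPLE_LOG = (
    [f"2004-04-27T10:15:{i:02d} 10.1.2.3 10.1.5.{i + 1} 445 tcp" for i in range(25)]
    + [f"2004-04-27T10:16:{i:02d} 10.1.2.4 10.1.6.{i + 1} 1433 tcp" for i in range(25)]
    + ["2004-04-27T10:15:05 10.1.9.9 10.1.0.7 445 tcp",
       "2004-04-27T10:15:06 10.1.9.9 10.1.0.8 445 tcp",
       "2004-04-27T10:15:07 10.1.9.9 10.1.0.9 80 tcp"]
)

if __name__ == "__main__":
    for src, n in find_scanners(SAMPLE_LOG).items():
        print(f"{src}: {n} distinct targets on watched ports within {WINDOW}")
```

The threshold and window are starting points; tune them against a baseline of your own network's normal SMB and SQL fan-out before alerting on them.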