Educause Security Discussion mailing list archives

early warning: Backdoor.Wasax


From: Doug Pearson <dodpears () INDIANA EDU>
Date: Wed, 14 Apr 2004 16:06:52 -0500

Dear all,

We've been asked to share information about a potentially serious backdoor exploit of Windows that attempts to crack 
passwords against ADS domain controllers. Disruptive levels of activity against domain controllers have been seen. The 
backdoor seems to have a number of functions in addition to password cracking. From the names of the commands it 
appears it can open a remote shell and capture keystrokes as well. Information on the exploit has not been publicly 
released yet. It is detected by Symantec Rapid Release Definitions 4/14/04 rev. 34, and is tentatively known as 
Backdoor.Wasax. The possible and unconfirmed attack vector is MS03-043, but not necessarily. Security engineers at the 
reporting university are working with Microsoft to dissect the exploit.

Evidence of the exploit includes:

        1. %systemroot%\system32\rasaccs.dll
        2. svchost listening on 1129/tcp
        3. unusual levels of activity against ADS domain controllers

Regards,

Doug Pearson
Research and Education Networking ISAC
http://www.ren-isac.net
Watch Desk 24x7: +1(317)278-6630
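A host triage check for the two host-level indicators listed in the message, added here as an example and not part of the original post. It parses `netstat -ano`-style output (a constructed sample is embedded), takes a PID-to-image map of the kind `tasklist` provides, and checks for the DLL path; the function names and the injectable `exists` hook are my own.

```python
"""Triage check for the Backdoor.Wasax host indicators named in the advisory:
svchost.exe listening on 1129/tcp and %systemroot%\\system32\\rasaccs.dll."""
import ntpath
import os
import re

SUSPECT_PORT = 1129
SUSPECT_DLL = r"system32\rasaccs.dll"

# Matches LISTENING lines of Windows `netstat -ano` output.
_LISTEN_RE = re.compile(
    r"^\s*TCP\s+(\S+):(\d+)\s+\S+\s+LISTENING\s+(\d+)\s*$",
    re.IGNORECASE | re.MULTILINE,
)

# Constructed sample output (not a real capture); PID 1040 is the suspect.
SAMPLE_NETSTAT = """
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:1129           0.0.0.0:0              LISTENING       1040
  TCP    10.0.0.5:139           0.0.0.0:0              LISTENING       4
"""
SAMPLE_IMAGES = {912: "svchost.exe", 4: "System", 1040: "svchost.exe"}


def parse_listeners(netstat_text):
    """Return [(port, pid)] for every TCP LISTENING line."""
    return [(int(m.group(2)), int(m.group(3))) for m in _LISTEN_RE.finditer(netstat_text)]


def check_listener(netstat_text, pid_to_image):
    """PIDs of svchost.exe processes listening on 1129/tcp (indicator 2)."""
    return [pid for port, pid in parse_listeners(netstat_text)
            if port == SUSPECT_PORT and pid_to_image.get(pid, "").lower() == "svchost.exe"]


def check_dll(systemroot=None, exists=os.path.exists):
    """Full path of rasaccs.dll under %systemroot% if present, else None (indicator 1)."""
    systemroot = systemroot or os.environ.get("SYSTEMROOT", r"C:\WINDOWS")
    path = ntpath.join(systemroot, SUSPECT_DLL)  # ntpath keeps Windows separators on any OS
    return path if exists(path) else None


def triage(netstat_text, pid_to_image, systemroot=None, exists=os.path.exists):
    """Combine both checks into one findings dict for a host."""
    return {"listener_pids": check_listener(netstat_text, pid_to_image),
            "dll_path": check_dll(systemroot, exists)}


if __name__ == "__main__":
    print(triage(SAMPLE_NETSTAT, SAMPLE_IMAGES, r"C:\WINDOWS", exists=lambda p: False))
```

On a live host, feed it the real `netstat -ano` text and a PID map built from `tasklist`; a hit on either indicator is a reason to pull the host for analysis, not proof on its own.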
