Educause Security Discussion mailing list archives
Re: early warning: Backdoor.Wasax
From: Rusma Mulyadi <rmulyadi () ARIZONA EDU>
Date: Thu, 15 Apr 2004 09:22:57 -0700
We have seen the same backdoor (rasaccs.dll) on our campus since February 14. We sent copies of the rootkit to various AV companies and haven't gotten any direct response yet.

Rusma Mulyadi
SIRT - Univ of Arizona

Doug Pearson wrote:

Dear all,

We've been asked to share information about a potentially serious backdoor exploit of Windows that attempts to crack passwords against ADS domain controllers. Disruptive levels of activity against domain controllers have been seen. The backdoor seems to have a number of functions in addition to password cracking. From the names of the commands it appears it can open a remote shell and capture keystrokes as well. Information on the exploit has not been publicly released yet. It is detected by Symantec Rapid Release Definitions 4/14/04 rev. 34, and is tentatively known as Backdoor.Wasax. The possible and unconfirmed attack vector is MS03-043, but not necessarily. Security engineers at the reporting university are working with Microsoft to dissect the exploit.

Evidence of the exploit includes:
1. %systemroot%\system32\rasaccs.dll
2. svchost listening on 1129/tcp
3. unusual levels of activity against ADS domain controllers

Regards,
Doug Pearson
Research and Education Networking ISAC
http://www.ren-isac.net
Watch Desk 24x7: +1(317)278-6630

********** Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at http://www.educause.edu/cg/.
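The host-level indicators in the advisory above (rasaccs.dll in system32, svchost listening on 1129/tcp) can be checked mechanically. The following is an added example, not code from either poster: it parses saved `netstat -ano` and `tasklist` output plus a listing of system32, so it can be run offline against output collected from a suspect host. The sample output, hostnames and PIDs below are constructed for illustration.

```python
import re

# Indicators quoted from the advisory.
DLL_NAME = "rasaccs.dll"
BACKDOOR_PORT = 1129

def parse_netstat(netstat_text):
    """Return (local_host, port, pid) for each TCP socket in LISTENING state
    from `netstat -ano` output; header and non-TCP lines are skipped."""
    listeners = []
    for line in netstat_text.splitlines():
        parts = line.split()
        if len(parts) == 5 and parts[0].upper() == "TCP" and parts[3].upper() == "LISTENING":
            host, _, port = parts[1].rpartition(":")   # handles [::]:port as well
            listeners.append((host, int(port), int(parts[4])))
    return listeners

def parse_tasklist(tasklist_text):
    """Map PID -> lower-cased image name from `tasklist` output."""
    image_by_pid = {}
    for line in tasklist_text.splitlines():
        m = re.match(r"^(\S+\.exe)\s+(\d+)\s", line, re.IGNORECASE)
        if m:
            image_by_pid[int(m.group(2))] = m.group(1).lower()
    return image_by_pid

def find_wasax_indicators(netstat_text, tasklist_text, system32_files):
    """Return human-readable findings; an empty list means no indicator matched."""
    findings = []
    if DLL_NAME in {name.lower() for name in system32_files}:
        findings.append(f"file indicator: {DLL_NAME} present in system32")
    image_by_pid = parse_tasklist(tasklist_text)
    for host, port, pid in parse_netstat(netstat_text):
        if port == BACKDOOR_PORT:
            image = image_by_pid.get(pid, "<unknown>")
            findings.append(f"network indicator: {image} (pid {pid}) listening on {host}:{port}/tcp")
    return findings

# Constructed sample output standing in for a compromised host.
NETSTAT_SAMPLE = """Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       744
  TCP    0.0.0.0:1129           0.0.0.0:0              LISTENING       872
  TCP    10.0.0.5:3389          10.0.0.20:51044        ESTABLISHED     1032
"""
TASKLIST_SAMPLE = """Image Name                   PID Session Name     Session#    Mem Usage
========================= ====== ================ ======== ============
svchost.exe                  744 Console                 0      4,652 K
svchost.exe                  872 Console                 0      3,120 K
"""
SYSTEM32_SAMPLE = ["kernel32.dll", "RASACCS.DLL", "ntdll.dll"]  # constructed listing

if __name__ == "__main__":
    for finding in find_wasax_indicators(NETSTAT_SAMPLE, TASKLIST_SAMPLE, SYSTEM32_SAMPLE):
        print(finding)
```

On a live Windows host, feed it the text of `netstat -ano` and `tasklist` and `os.listdir` of `%systemroot%\system32`; a DLL match alone is worth escalating even when the port is not open.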