Re: early warning: Backdoor.Wasax

[Rusma Mulyadi <rmulyadi () ARIZONA EDU>]

We have seen the same backdoor (rasaccs.dll) on our campus since
February 14.
We sent copies of the rootkit to various AV companies and haven't gotten
any direct response yet.

Rusma Mulyadi
SIRT - Univ of Arizona

Doug Pearson wrote:

> Dear all,
>
> We've been asked to share information about a potentially serious backdoor exploit of Windows that attempts to crack 
> passwords against ADS domain controllers. Disruptive levels of activity against domain controllers have been seen. The 
> backdoor seems to have a number of functions in addition to password cracking. From the names of the commands it appears it 
> can open a remote shell and capture keystrokes as well. Information on the exploit has not been publicly released yet. It is 
> detected by Symantec Rapid Release Definitions 4/14/04 rev. 34, and is tentatively known as Backdoor.Wasax. The possible and 
> unconfirmed attack vector is, MS03-043, but not necessarily. Security engineers at the reporting university are working with 
> Microsoft to dissect the exploit.
>
> Evidence of the exploit includes:
>
>        1. %systemroot%\system32\rasaccs.dll
>        2. svchost listening on 1129/tcp
>
>        3. unusual levels of activity against ADS domain controllers
>
> Regards,
>
> Doug Pearson
> Research and Education Networking ISAC
> http://www.ren-isac.net
> Watch Desk 24x7: +1(317)278-6630
>
> **********
> Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at 
> http://www.educause.edu/cg/.

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at 
http://www.educause.edu/cg/.