Security Incidents mailing list archives

Re: new IIS worm? (rcp lsass.exe)


From: Lasse Sundström <ljs () hutcs cs hut fi>
Date: Mon, 23 Sep 2002 21:20:24 +0300

Can anyone translate and shed a little more light on this?

Sorry for my lousy Danish (I haven't studied it, but it's close enough to
Swedish which is my second language) but here is a quick and dirty
translation of the page contents (the words in quotes are direct
translations to give you a feeling about the FUD/technical level of the document):

A Windows program by the author of the Slapper Worm is used in attacks
======================================================================

During the last few days eSec has registered a great increase in attacks
against Danish web servers. A trojan "robot program" is planted on the web
server during the attack which is based on a known security hole in
Microsoft IIS.

The program uses IRC to contact the "master" and enables the computer to be
used as remotely controlled "zombie" in a network that is capable of
producing a "horrible" DoS attack against others. The program is also
able to fetch and execute new programs via HTTP.

The program uses the following IRC servers to communicate with the hacker
in specially crafted messages in IRC chat.

<The list of hosts omitted>

The program is named lsass.exe which is a valid Windows program but the
size of the trojan version is 9788 bytes.

If the latest Microsoft cumulative hotfix has been applied, the server is
not vulnerable to the attempt of sending this file to it.

The program presents itself as
Kaiten Win32 API version 2002 by contem@efnet

The "Slapper Worm" which is currently attacking Apache is signed by the
"contem@efnet" -- the same author or group. Something in the content of the
program suggests that the author knows the German language.

eSec's <statement, considerations>:

This is yet another example of the trend that we have seen during the last
six months. The compromised web servers are used to distribute games, films,
music etc. The web server continues to operate because the attackers do not
paint graffiti on the home pages and reveal the compromise that way.

-- 
http://www.iki.fi/ljs

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com
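A host-side triage check built from the indicators quoted in the post above (a file named lsass.exe, 9788 bytes long, carrying the "Kaiten Win32 API version 2002 by contem@efnet" banner): this is an added example, not code from the original message or from eSec. The set of legitimate system directories and the constructed sample tree it scans are assumptions made for the example.

```python
import os
import tempfile
from pathlib import Path

# Indicators quoted in the post: dropped as lsass.exe, 9788 bytes long, and
# carrying the banner "Kaiten Win32 API version 2002 by contem@efnet".
TROJAN_NAME = "lsass.exe"
TROJAN_SIZE = 9788
TROJAN_BANNER = b"Kaiten Win32 API version 2002 by contem@efnet"
# Where the genuine lsass.exe lives on a default Windows install (assumption).
LEGIT_DIRS = {r"c:\windows\system32", r"c:\winnt\system32"}

def classify_file(path):
    """Return the reasons a file looks like the reported dropper, or [] if none apply."""
    p = Path(path)
    reasons = []
    if p.name.lower() != TROJAN_NAME:
        return reasons  # only lsass.exe look-alikes are of interest
    if str(p.parent).lower() not in LEGIT_DIRS:
        reasons.append("lsass.exe outside the system directory")
    try:
        if p.stat().st_size == TROJAN_SIZE:
            reasons.append(f"size matches reported trojan size ({TROJAN_SIZE} bytes)")
        if TROJAN_BANNER in p.read_bytes():
            reasons.append("Kaiten banner string found")
    except OSError as exc:
        reasons.append(f"could not read file: {exc}")
    return reasons

def scan_tree(root):
    """Walk root and return {path: reasons} for every suspicious lsass.exe found."""
    hits = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            reasons = classify_file(full)
            if reasons:
                hits[full] = reasons
    return hits

def run_demo():
    """Scan a constructed sample tree (fake dropper under a web root, one harmless file)."""
    with tempfile.TemporaryDirectory() as tmp:
        webroot = Path(tmp) / "inetpub" / "scripts"
        webroot.mkdir(parents=True)
        padding = b"\x00" * (TROJAN_SIZE - len(TROJAN_BANNER))
        (webroot / "lsass.exe").write_bytes(TROJAN_BANNER + padding)  # constructed sample, not real malware
        (webroot / "default.asp").write_bytes(b"<% Response.Write(1) %>")
        # key findings by file name so the result does not depend on the temp path
        return {os.path.basename(k): v for k, v in scan_tree(tmp).items()}
```

Run `scan_tree(r"C:\")` on a suspected host to list every lsass.exe that sits outside the system directory, matches the reported size, or contains the banner; a genuine lsass.exe in System32 produces no finding unless the size or banner also matches.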