Security Incidents mailing list archives
Re: new IIS worm? (rcp lsass.exe)
From: Lasse Sundström <ljs () hutcs cs hut fi>
Date: Mon, 23 Sep 2002 21:20:24 +0300
> Can anyone translate and shed a little more light on this?
Sorry for my lousy Danish (I haven't studied it, but it's close enough to Swedish, which is my second language), but here is a quick and dirty translation of the page contents (the words in quotes are direct translations to give you a feeling about the FUD/technical level of the document):

A Windows program by the author of the Slapper Worm is used in attacks
======================================================================

During the last few days eSec has registered a great increase in attacks against Danish web servers. A trojan "robot program" is planted on the web server during the attack, which is based on a known security hole in Microsoft IIS. The program uses IRC to contact the "master" and enables the computer to be used as a remotely controlled "zombie" in a network that is capable of producing a "horrible" DoS attack against others. The program is also able to fetch and execute new programs via HTTP.

The program uses the following IRC servers to communicate with the hacker in specially crafted messages in IRC chat.

<The list of hosts omitted>

The program is named lsass.exe, which is a valid Windows program, but the size of the trojan version is 9788 bytes. If the latest Microsoft cumulative hotfix has been applied, the server is not vulnerable to the attempt of sending this file to it.

The program presents itself as Kaiten Win32 API version 2002 by contem@efnet. The "Slapper Worm" which is currently attacking Apache is signed by "contem@efnet" -- the same author or group. Something in the content of the program suggests that the author knows the German language.

eSec's <statement, considerations>: This is yet another example of the trend that we have seen during the last six months. The compromised web servers are used to distribute games, films, music etc. The web server continues to operate because the attackers do not paint graffiti on the home pages and reveal the compromise that way.
-- 
http://www.iki.fi/ljs

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
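Added example, not part of this message or of the eSec write-up it translates: a small Python triage script a defender could run against an IIS host's filesystem using the three indicators quoted above. It flags any lsass.exe outside %SystemRoot%\system32, any copy that is exactly 9788 bytes, and any copy carrying the Kaiten/contem@efnet banner. The directory layout, the fixture bytes and the function names are constructed for illustration.

```python
import os
import tempfile
# Indicators quoted from the eSec write-up: lsass.exe name, 9788-byte size, Kaiten/contem@efnet banner.
TROJAN_SIZE = 9788
BANNER_MARKERS = (b"Kaiten", b"contem@efnet")

def classify_lsass(path, system_root):
    """Return the reasons an lsass.exe at `path` looks rogue ([] means none found)."""
    reasons = []
    if os.path.basename(path).lower() != "lsass.exe":
        return reasons
    legit_dir = os.path.realpath(os.path.join(system_root, "system32"))
    if os.path.realpath(os.path.dirname(path)) != legit_dir:
        reasons.append("lsass.exe outside %SystemRoot%\\system32")
    size = os.path.getsize(path)
    if size == TROJAN_SIZE:
        reasons.append("size matches reported trojan (9788 bytes)")
    with open(path, "rb") as fh:
        data = fh.read(65536)  # bounded read; the reported trojan is under 10 KB anyway
    hits = [m.decode() for m in BANNER_MARKERS if m in data]
    if hits:
        reasons.append("banner marker(s) present: " + ", ".join(hits))
    return reasons

def scan_for_rogue_lsass(root, system_root):
    """Walk `root` and map every suspicious lsass.exe path to its reasons."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            reasons = classify_lsass(full, system_root)
            if reasons:
                findings[full] = reasons
    return findings

def demo():
    """Constructed fixture (not a real host): legit lsass.exe in system32, rogue copy under IIS scripts."""
    base = tempfile.mkdtemp()
    system_root = os.path.join(base, "windows")
    os.makedirs(os.path.join(system_root, "system32"))
    legit = os.path.join(system_root, "system32", "lsass.exe")
    with open(legit, "wb") as fh:
        fh.write(b"MZ" + b"\x00" * 4096)  # placeholder bytes, not a real PE
    scripts = os.path.join(base, "inetpub", "scripts")
    os.makedirs(scripts)
    rogue = os.path.join(scripts, "lsass.exe")
    body = b"MZ" + b"Kaiten Win32 API version 2002 by contem@efnet"
    with open(rogue, "wb") as fh:
        fh.write(body + b"\x00" * (TROJAN_SIZE - len(body)))
    return scan_for_rogue_lsass(base, system_root), legit, rogue
```

On a real host, point `scan_for_rogue_lsass` at the web root and the system drive and treat any hit as a reason to pull the file for analysis rather than as proof of compromise on its own.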