Working LSASS (MS04-011) Win32 Exploit

Boscoh

Senior member
Jan 23, 2002
501
0
0
I just tested the exploit code for the LSASS vulnerability against an unpatched Windows XP Pro machine. It crashes the service successfully and initiates a shutdown timer.

If you guys have unpatched systems, I'd suggest you patch 'em up at the first opportunity.

They're already thinking a new version of PhatBot is exploiting LSASS.

Just some FYI.
 

Boscoh

It works on Win2k SP4 as well.

As I mentioned above, SANS has found some stuff in the source of a new PhatBot variant that indicates it's exploiting LSASS. According to them, the traffic patterns of LSASS exploitation suggest there is a worm circulating. It's not coming, it's already here.
 

Woodie

Platinum Member
Mar 27, 2001
2,747
0
0
Symantec just released a news bulletin; they've found some code in the wild. It's unclear if it's a bot or worm code at this point.
 

Boscoh

Any of you being hit by this? There is at least one confirmed worm out there in the wild. Gaobot.AFJ I think is what Symantec has classified it as.

There are some Snort rules which might detect exploitation of the LSASS vulnerability if anyone wants me to post them.
 

Boscoh

From what I've read, yes... it's not a completely autonomous worm from what I've read. It gets infected, and connects to an IRC server and waits for instructions (like a zombie). One of the instructions is to scan for other hosts.

All this is preliminary info, the AV companies seem to be having a hard time ID'ing this one correctly.

There IS something out there that is crashing the LSASS service on systems, that much I know.
 

Mucman

Diamond Member
Oct 10, 1999
7,246
1
0
The last posts on NANOG are of people having this problem. Looks like it's starting to spread.