• We’re currently investigating an issue related to the forum theme and styling that is impacting page layout and visual formatting. The problem has been identified, and we are actively working on a resolution. There is no impact to user data or functionality, this is strictly a front-end display issue. We’ll post an update once the fix has been deployed. Thanks for your patience while we get this sorted.

Working LSASS (MS04-011) Win32 Exploit

B

Boscoh

Senior member
I just tested the exploit code for the LSASS vulnerability against an unpatched Windows XP Pro machine. It crashes the service successfully and initiates a shutdown timer.

If you guys have unpatched systems, I'd suggest you patch 'em up at the first opportunity.

They're already thinking a new version of PhatBot is exploiting LSASS.

Just some FYI.
 
It works on Win2k SP4 as well.

As I mentioned above, SANS has found some stuff in the source of a new PhatBot variant that indicates it's exploiting LSASS. According to them, the traffic patterns of LSASS exploitation suggest there is a worm circulating. It's not coming, it's already here.
 
Symantec just released a news bulletin, they've found some code in the wild. It's unclear if it's a bot or wormcode at this point.
 
Any of you being hit by this? There is at least one confirmed worm out there in the wild. Gaobot.AFJ I think is what Symantec has classified it as.

There are some snort rules which might detect exploitation of the LSASS vulnerability if anyone wants me to post them.
 
From what I've read yes...it's not a completely autonomous worm from what I've read. It gets infected, and connects to an IRC server and waits for instructions (like a zombie). One of the instructions is to scan for other hosts.

All this is preliminary info, the AV companies seem to be having a hard time ID'ing this one correctly.

There IS something out there that is crashing the LSASS service on systems, that much I know.
 
You must log in or register to reply here.

TRENDING THREADS

Back
Top