
SANS ISC InfoSec Handlers Diary Blog



PhatBot exploiting LSASS?

Published: 2004-04-27
Last Updated: 2004-04-28 00:09:34 UTC
by Tom Liston (Version: 1)

The ISC has come into possession of what appears to be a new version of PhatBot that contains code to exploit the LSASS (Local Security Authority Subsystem Service) vulnerabilities patched under MS04-11. See these earlier diary entries:



http://isc.sans.org/diary.php?date=2004-04-26

http://isc.sans.org/diary.php?date=2004-04-25



We are currently focusing on some keywords found in the executable that indicate that an LSASS exploit has been added, specifically, the command string "CScannerLSASS".
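A static triage check for the keyword mentioned above, as an added example that is not part of the original diary entry or any ISC tooling: it extracts printable strings from a file's bytes in both ASCII and UTF-16LE and reports where the keyword occurs. The minimum string length, the case-insensitive match and the sample bytes are assumptions made for illustration; only the string "CScannerLSASS" comes from the diary.

```python
import re

# Keyword reported in the diary entry; everything else here is constructed.
KEYWORDS = [b"CScannerLSASS"]
MIN_LEN = 6  # shortest printable run treated as a string (assumed threshold)

# Printable runs stored as single-byte ASCII and as UTF-16LE (char + 0x00).
ASCII_RUN = re.compile(rb"[\x20-\x7e]{%d,}" % MIN_LEN)
UTF16_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % MIN_LEN)


def extract_strings(data):
    """Yield (offset, encoding, text) for printable ASCII and UTF-16LE runs."""
    for m in ASCII_RUN.finditer(data):
        yield m.start(), "ascii", m.group().decode("ascii")
    for m in UTF16_RUN.finditer(data):
        yield m.start(), "utf-16le", m.group().decode("utf-16-le")


def find_keywords(data, keywords=KEYWORDS):
    """Return sorted hits for strings containing any keyword (case-insensitive)."""
    wanted = [k.decode("ascii").lower() for k in keywords]
    hits = []
    for offset, enc, text in extract_strings(data):
        if any(k in text.lower() for k in wanted):
            hits.append((offset, enc, text))
    return sorted(hits)


def build_sample():
    """Constructed byte string standing in for a binary; not a real sample."""
    return (b"MZ\x90\x00" + b"\x00" * 12
            + b"CScannerLSASS\x00" + b"\x01\x02\x03"
            + "cscannerlsass".encode("utf-16-le") + b"\x00\x00"
            + b"kernel32.dll\x00")


if __name__ == "__main__":
    # To check a file on disk instead, pass open(path, "rb").read() to find_keywords().
    for offset, enc, text in find_keywords(build_sample()):
        print(f"0x{offset:06x} {enc:9} {text}")
```

A packed or encrypted binary will not expose the string on disk, so a miss from this check does not rule the sample out.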



We are currently investigating the code, and will update the diary as new information becomes available.



Traffic matching this bot was first observed yesterday evening (EDT) at multiple US .edu's.


The bot appears to inherit all other functions usually associated with 'phatbot'.
-------------------------------------------------------------

Handler on duty: Tom Liston ( http://www.labreatechnologies.com )

Happy 11th Birthday to Mary Liston!