
SANS ISC: PhatBot exploiting LSASS? - SANS Internet Storm Center


PhatBot exploiting LSASS?

The ISC has come into possession of what appears to be a new version of PhatBot that contains code to exploit the LSASS (Local Security Authority Subsystem Service) vulnerabilities patched under MS04-11. See these earlier diary entries:



http://isc.sans.org/diary.php?date=2004-04-26

http://isc.sans.org/diary.php?date=2004-04-25



We are currently focusing on some keywords found in the executable that indicate that an LSASS exploit has been added, specifically, the command string "CScannerLSASS".



We are currently investigating the code, and will update the diary as new information becomes available.



Traffic matching this bot was first observed yesterday evening (EDT) at multiple US .edu's.


The bot appears to inherit all other functions usually associated with 'phatbot'.
-------------------------------------------------------------

Handler on duty: Tom Liston ( http://www.labreatechnologies.com )

Happy 11th Birthday to Mary Liston!
Tom
