Re: new IIS worm? (rcp lsass.exe)

From: Lasse Sundström (ljsat_private)
Date: Mon Sep 23 2002 - 11:20:24 PDT


    > Can anyone translate and shed a little more light on this?
    
    Sorry for my lousy Danish (I haven't studied it, but it's close enough to
    Swedish, which is my second language), but here is a quick and dirty
    translation of the page contents (the words in quotes are direct
    translations, to give you a feeling for the FUD/technical level of the document):
    
    A Windows program by the author of the Slapper Worm is used in attacks
    ======================================================================
    
    During the last few days eSec has registered a great increase in attacks
    against Danish web servers. A trojan "robot program" is planted on the web
    server during the attack, which is based on a known security hole in
    Microsoft IIS.
    
    The program uses IRC to contact the "master" and enables the computer to be
    used as a remotely controlled "zombie" in a network that is capable of
    producing a "horrible" DoS attack against others. The program is also
    able to fetch and execute new programs via HTTP.
    
    The program uses the following IRC servers to communicate with the hacker
    in specially crafted messages in IRC chat.
    
    <The list of hosts omitted>
    
    The program is named lsass.exe, which is a valid Windows program name, but the
    size of the trojan version is 9788 bytes.
    
    If the latest Microsoft cumulative hotfix has been applied, the server is
    not vulnerable to the attempt of sending this file to it.
    
    The program presents itself as 
    Kaiten Win32 API version 2002 by contem@efnet
    
    The "Slapper Worm" which is currently attacking Apache is signed by the
    "contem@efnet" -- the same author or group. Something in the content of the
    program suggests that the author knows the German language.
    
    eSec's <statement, considerations>:
    
    This is yet another example of the trend that we have seen during the last
    six months. The compromised web servers are used to distribute games, films,
    music etc. The web server continues to operate because the attackers do not
    paint graffiti on the home pages and reveal the compromise that way.
    
    -- 
    http://www.iki.fi/ljs
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
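The post gives three host-level indicators for the trojanised lsass.exe: the file name, the 9788-byte size, and the "Kaiten Win32 API version 2002 by contem@efnet" banner. The following is an added example (not part of the original post or of eSec's material) of a small file-system sweep that flags an lsass.exe matching any of them or sitting outside the expected system directory; the system directory path and the sample files are assumptions constructed so the script runs offline.

```python
# Added example: sweep a directory tree for the lsass.exe indicators reported
# in the post. The sample tree and the assumed system directory are constructed
# here so the check can be exercised on any platform without a real server.
import os
import tempfile
from pathlib import Path

TROJAN_SIZE = 9788                  # size reported for the trojanised lsass.exe
BANNER = b"Kaiten Win32 API version 2002 by contem@efnet"
# Assumed legitimate location of lsass.exe relative to the scanned root.
LEGIT_DIR = Path("winnt") / "system32"

def check_file(path: Path, root: Path) -> list[str]:
    """Return the indicators that match a single candidate file (empty if none)."""
    hits = []
    if path.name.lower() != "lsass.exe":
        return hits
    if path.parent.relative_to(root) != LEGIT_DIR:
        hits.append("outside system directory")
    if path.stat().st_size == TROJAN_SIZE:
        hits.append("size 9788 bytes")
    if BANNER in path.read_bytes():
        hits.append("Kaiten banner")
    return hits

def scan(root) -> dict[str, list[str]]:
    """Walk root and map each suspicious lsass.exe (relative path) to its indicators."""
    root = Path(root)
    findings = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            hits = check_file(p, root)
            if hits:
                findings[str(p.relative_to(root))] = hits
    return findings

def build_sample_tree() -> str:
    """Constructed sample: one genuine-looking lsass.exe, one planted in the web root."""
    root = tempfile.mkdtemp()
    legit = Path(root) / LEGIT_DIR
    legit.mkdir(parents=True)
    (legit / "lsass.exe").write_bytes(b"MZ" + b"\0" * 20000)   # wrong size, no banner
    web = Path(root) / "inetpub" / "scripts"
    web.mkdir(parents=True)
    # 2 + 45 + (9788 - 47) = 9788 bytes, carrying the banner
    (web / "lsass.exe").write_bytes(b"MZ" + BANNER + b"\0" * (TROJAN_SIZE - 2 - len(BANNER)))
    return root

if __name__ == "__main__":
    for path, hits in scan(build_sample_tree()).items():
        print(path, "->", ", ".join(hits))
```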
    
    This archive was generated by hypermail 2b30 : Tue Sep 24 2002 - 08:37:01 PDT