Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Snort-Signatures
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

RE: [Snort-sigs] New LSASS Worm?

from [Wiryanto Victor] Network Security [Permanent Link]
Subject: RE: [Snort-sigs] New LSASS Worm?
Date: Fri, 4 Feb 2005 09:18:38 +0800 
Hi,

Many thanks for your input, I think the worm has gotten many anti-virus
vendors' attentions.
McAfee has released another definitions update to handle this worm
(http://vil.nai.com/vil/content/v_131539.htm).

Thanks to all those who sent private messages to me, it has been great
enlightenment.

Cheers,

-----Original Message-----
From: James Riden [mailto:j.riden@massey.ac.nz]
Sent: Friday, February 04, 2005 3:52 AM
To: Wiryanto Victor
Cc: snort-sigs@lists.sourceforge.net
Subject: Re: [Snort-sigs] New LSASS Worm?


"Wiryanto Victor" <wiryanto.victor@sembenviro.com> writes:


Hello,

I know this is slightly off-topic, but I am really desperate for a clue.

For the past two days, I have been detecting heaps of traffic activities
made to  66.250.45.20, 147.32.123.94, 147.83.113.190 and 152.7.64.152.
This is happenning to some of my hosts (Windows 2000) which were not

patched

up with MS04-011 vulnerabilities. These hosts, not only making connections
to TCP port 5190 of these networks, but also trying to spread via TCP port
445 to other Windows 2000/XP machines on the network.

I have tried everything I could do at these host, such as, installing

latest

virus definition, and scanned them in safe mode, but the anti virus

(McAfee)

is not able to detect any viruses nor worms. I end up manually re-route

all

the traffic going to these network at the router's end.

Is there anybody who's having the same problem as me? Any help or
enlightment would be appreciated.


What's the traffic to 5190? Is it possible the machines are phoning
home via IRC channels? What happens if you do a snort lookup against
the IP address of your infected machines - are there any other alerts
from them? What about tagged packets?


To identify the malware, grab a machine - if you can't take one of the
existing ones, set up another box and try to get it infected. Then try
to find the binary which is causing the trouble and submit it to your
favourite AV vendor(s).

A good place to start looking is the auto-run keys in the registry:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run and \RunServices

I think HijackThis will tell you about stuff that auto-boots with the
machine. I found a bot variant this way, but the malicious code is
getting sneakier and better at hiding all the time.

Oh, and some AV scanners, such as ClamAV will try to detect generic
MS04-011 exploit code, so may possibly identify otherwise unknown
binaries as malicious.


If you just want to get up and running again, make a backup of *data
only* from these boxes, reinstall from scratch and put your data back
on. And make sure it's fully patched this time.

cheers,
 Jamie
--
James Riden / j.riden@massey.ac.nz / Systems Security Engineer
Information Technology Services, Massey University, NZ.
GPG public key available at: http://www.massey.ac.nz/~jriden/





-------------------------------------------------------
This SF.Net email is sponsored by: IntelliVIEW -- Interactive Reporting
Tool for open source databases. Create drag-&-drop reports. Save time
by over 75%! Publish reports on the web. Export to DOC, XLS, RTF, etc.
Download a FREE copy at http://www.intelliview.com/go/osdn_nl
_______________________________________________
Snort-sigs mailing list
Snort-sigs@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  [Snort-sigs] Bleedingsnort.com Daily Update, bleeding
Next by Date:  Re: [Snort-users] streaming media detection, Joel Esler
Previous by Thread:  Re: [Snort-sigs] New LSASS Worm?, James Riden
Next by Thread:  Re: [Snort-users] streaming media detection, Seth Art
Indexes:  [Date] [Thread] [Top] [All Lists]