[Snort-sigs] New LSASS Worm?
j.riden at ...1766...
Thu Feb 3 11:58:13 EST 2005
"Wiryanto Victor" <wiryanto.victor at ...2983...> writes:
> I know this is slightly off-topic, but I am really desperate for a clue.
> For the past two days, I have been detecting heaps of traffic activities
> made to 22.214.171.124, 126.96.36.199, 188.8.131.52 and 184.108.40.206.
> This is happenning to some of my hosts (Windows 2000) which were not patched
> up with MS04-011 vulnerabilities. These hosts, not only making connections
> to TCP port 5190 of these networks, but also trying to spread via TCP port
> 445 to other Windows 2000/XP machines on the network.
> I have tried everything I could do at these host, such as, installing latest
> virus definition, and scanned them in safe mode, but the anti virus (McAfee)
> is not able to detect any viruses nor worms. I end up manually re-route all
> the traffic going to these network at the router's end.
> Is there anybody who's having the same problem as me? Any help or
> enlightment would be appreciated.
What's the traffic to 5190? Is it possible the machines are phoning
home via IRC channels? What happens if you do a snort lookup against
the IP address of your infected machines - are there any other alerts
from them? What about tagged packets?
To identify the malware, grab a machine - if you can't take one of the
existing ones, set up another box and try to get it infected. Then try
to find the binary which is causing the trouble and submit it to your
favourite AV vendor(s).
A good place to start looking is the auto-run keys in the registry:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run and \RunServices
I think HijackThis will tell you about stuff that auto-boots with the
machine. I found a bot variant this way, but the malicious code is
getting sneakier and better at hiding all the time.
Oh, and some AV scanners, such as ClamAV will try to detect generic
MS04-011 exploit code, so may possibly identify otherwise unknown
binaries as malicious.
If you just want to get up and running again, make a backup of *data
only* from these boxes, reinstall from scratch and put your data back
on. And make sure it's fully patched this time.
James Riden / j.riden at ...1766... / Systems Security Engineer
Information Technology Services, Massey University, NZ.
GPG public key available at: http://www.massey.ac.nz/~jriden/
More information about the Snort-sigs