LSASS exploit

Discussion in 'malware problems & news' started by gerardwil, May 7, 2004.

gerardwil (Registered Member; joined Jan 17, 2004; 4,748 posts; location: EU):

    http://www.sans.org/

    A reader asked why we recommend a complete rebuild of systems
    infected with 'sasser', given that 'sasser' is rather easy to clean.
    The problem with 'sasser' is that it is an indicator exploit. The fact
    that you are infected with 'sasser' indicates that you were
    vulnerable to the LSASS exploit. Before sasser, a large number of
    bot variants exploited this vulnerability. We find that many systems
    infected with 'sasser' are infected with one or more bots in addition
    to 'sasser'.

    Each day, we receive several distinct 'bot' samples. Anti-virus
    signatures are typically not able to keep up with all versions, and
    many 'bots' include specific code to plant backdoors, disable
    firewalls and anti-virus products, or to add additional system
    accounts.

    Antivirus software is not able to reliably detect and clean all these
    bots. As a result, it is impossible to tell if any of these bots is left on
    your system. Only a thorough (and costly) forensics analysis by a
    trained specialist will provide some comfort.

    As a result: if you are infected by 'sasser', try to rebuild your system
    from scratch.
     