LSASS exploit

Discussion in 'malware problems & news' started by gerardwil, May 7, 2004.

Thread Status:
Not open for further replies.
  1. gerardwil

    gerardwil Registered Member

    Jan 17, 2004
    The Netherlands

    A reader asked why we recommend a complete rebuild of systems
    infected with 'sasser', given that 'sasser' is rather easy to clean.
    The problem with 'sasser' is that it is an indicator exploit. The fact
    that you are infected with 'sasser' indicated that you where
    vulnerable to the LSASS exploit. Before sasser, a large number of
    bot variants exploited this vulnerability. We find that many systems
    infected with 'sasser' are infected with one or more bots in addition
    to 'sasser'.
    Each day, we receive several distinct 'bot' samples. Anti virus
    signatures are typically not able to keep up with all versions, and
    many 'bots' include specific code to plant backdoors, disable
    firewalls and anti virus products, or to add additional system
    Antivirus software is not able to reliable detect and clean all these
    bots. As a result, it is impossible to tell if any of these bots is left on
    your system. Only a through (and costly) forensics analysis by a
    trained specialist will provide some comfort.
    As a result: If you are infected by 'sasser', try to rebuild your system
    from scratch.
Thread Status:
Not open for further replies.