
SANS ISC: PhatBot exploiting LSASS? SANS ISC InfoSec Forums


The ISC has come into possession of what appears to be a new version of PhatBot that contains code to exploit the LSASS (Local Security Authority Subsystem Service) vulnerabilities patched under MS04-11. Reference these old diary entries:

We are currently focusing on some keywords found in the executable that indicate that an LSASS exploit has been added, specifically, the command string "CScannerLSASS".
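A triage check for the keyword named above, as an added example that is not ISC's own tooling: it extracts printable ASCII and UTF-16LE strings from a file's bytes and reports the offsets of any that contain "CScannerLSASS". The function names, the minimum string length and the sample bytes are assumptions made for illustration.

```python
import re

# Keyword quoted in the diary entry; everything else here is an assumption.
INDICATOR = "CScannerLSASS"
MIN_LEN = 6  # shortest run of printable characters treated as a string

# Printable ASCII runs, and the same characters stored as UTF-16LE (char + NUL).
ASCII_RE = re.compile(rb"[\x20-\x7e]{%d,}" % MIN_LEN)
UTF16_RE = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % MIN_LEN)


def extract_strings(data):
    """Yield (offset, encoding, text) for each printable string in data."""
    for m in ASCII_RE.finditer(data):
        yield m.start(), "ascii", m.group().decode("ascii")
    for m in UTF16_RE.finditer(data):
        yield m.start(), "utf-16le", m.group().decode("utf-16le")


def find_indicator(data, indicator=INDICATOR):
    """Return sorted (offset, encoding, text) hits, matched case-insensitively."""
    needle = indicator.lower()
    hits = [(off, enc, s) for off, enc, s in extract_strings(data)
            if needle in s.lower()]
    return sorted(hits)


def scan_file(path):
    """Read a file from disk and run the indicator search over its bytes."""
    with open(path, "rb") as fh:
        return find_indicator(fh.read())


# Constructed sample bytes standing in for a file under triage (not a real sample).
SAMPLE = (
    b"MZ\x90\x00" + b"\x00" * 12
    + b"CScannerLSASS\x00"
    + b"\x01\x02\x03"
    + "cscannerlsass".encode("utf-16le") + b"\x00\x00"
    + b"unrelated text\x00"
)

if __name__ == "__main__":
    for off, enc, s in find_indicator(SAMPLE):
        print(f"offset 0x{off:x} [{enc}] {s}")
```

A file with no hit is not cleared by this check: a packed or encrypted binary will not expose the keyword until it is unpacked.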

We are currently investigating the code, and will update the diary as new information becomes available.

Traffic matching this bot was first observed yesterday evening (EDT) at multiple US .edu's.

The bot appears to inherit all other functions usually associated with 'phatbot'.

Handler on duty: Tom Liston

Happy 11th Birthday to Mary Liston!

Apr 28th 2004
