-
May 13th, 2004, 03:28 PM
#1
Member
sasser: find infected machine on network
hey guys
We (just like a lot of companies) got caught sleeping. We were hit yesterday by the Sasser virus. Most of our machines have the MS security patch now and are protected. We have found that if we take a machine off the network (physically) it will not do the reboot. This leads me to believe that some infected machine on the network is broadcasting some sort of shutdown command to the rest. Is this what I have read about "broadcasting over port 5544"? Is there a way that I could find out which machine on our network is doing this broadcast to the others? Mind you, we do not have a sniffer in place.
Thanks in advance.
-
May 13th, 2004, 03:34 PM
#2
What happens when Sasser hits is that it overflows some buffer inside LSASS.exe. This overflow is exploitable. A side effect of this overflow is the crashing of LSASS. Because LSASS is an important process for Windows, Windows decides to shut down.
As for detecting Sasser, look for large amounts of ICMP traffic. An infected machine will try to ping a host before attempting to infect it.
Oliver's Law:
Experience is something you don't get until just after you need it.
-
May 13th, 2004, 03:34 PM
#3
Download and install a sniffer. TCPDUMP is the more common version for *nix installs and WinDUMP is the version for Windows (both are Open Source). These, IMO, would be the easiest and fastest solution. You could also go for the graphical version by installing Ethereal (available in both Windows and *nix versions).
An alternative would be to have an IDS up and running to detect attacks within the network. This would be more of a long-term solution. A look at SNORT would probably help.
-
May 13th, 2004, 04:04 PM
#4
A very easy way to find infected hosts (notice I didn't say vulnerable) is to DL Angry IP Scanner and search your subnets for machines with ports 5554, 9995 and 9996 TCP open. You can then clean them, patch them and move on to better things.
http://www.angryziber.com/ipscan/
Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden
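The two detection approaches the replies above give (an infected host pinging many addresses before attacking, and infected hosts listening on TCP 5554, 9995 and 9996) can be turned into a simple triage script. This is an added example, not code from the thread or from any of the tools named; the record formats, thresholds and sample addresses are assumptions, and the sample data is constructed.

```python
"""Flag likely Sasser-infected hosts from sniffer flows and a port scan (added example)."""
from collections import defaultdict

# Ports the thread names as open on infected hosts (TCP).
SASSER_PORTS = {5554, 9995, 9996}
# Assumed threshold: distinct echo-request targets before a host counts as sweeping.
ICMP_SWEEP_THRESHOLD = 20


def icmp_sweepers(records, threshold=ICMP_SWEEP_THRESHOLD):
    """records: iterable of (proto, src, dst) tuples, an assumed simplified sniffer export.
    Returns {src: number_of_distinct_targets} for hosts pinging at least `threshold` hosts."""
    targets = defaultdict(set)
    for proto, src, dst in records:
        if proto == "icmp-echo":
            targets[src].add(dst)
    return {src: len(d) for src, d in targets.items() if len(d) >= threshold}


def backdoor_listeners(scan_results):
    """scan_results: {host: set_of_open_tcp_ports}, e.g. from a subnet port scan.
    Returns {host: sorted Sasser ports found open} for hosts with any of them open."""
    return {h: sorted(p & SASSER_PORTS) for h, p in scan_results.items() if p & SASSER_PORTS}


# --- constructed sample data (not captured traffic) ---
# 10.0.0.23 sweeps 30 distinct addresses; 10.0.0.5 pings a single gateway.
SAMPLE_FLOWS = [("icmp-echo", "10.0.0.23", f"10.0.{b}.{c}") for b in range(2) for c in range(1, 16)]
SAMPLE_FLOWS += [("icmp-echo", "10.0.0.5", "10.0.0.1"), ("tcp", "10.0.0.5", "10.0.0.9")]
SAMPLE_SCAN = {
    "10.0.0.23": {135, 139, 445, 5554, 9996},
    "10.0.0.5": {135, 139, 445},
    "10.0.0.77": {80, 9995},
}


def suspects(records=SAMPLE_FLOWS, scan=SAMPLE_SCAN):
    """Union of both heuristics, keeping the reason each host was flagged."""
    out = {}
    for h, n in icmp_sweepers(records).items():
        out.setdefault(h, []).append(f"pinged {n} distinct hosts")
    for h, ports in backdoor_listeners(scan).items():
        out.setdefault(h, []).append(f"listening on TCP {ports}")
    return out


if __name__ == "__main__":
    for host, reasons in sorted(suspects().items()):
        print(host, "->", "; ".join(reasons))
```

A host flagged by both heuristics is the strongest candidate to pull off the wire first; a port-only hit still deserves a look, since the listener stays after the scanning phase.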
-
May 13th, 2004, 10:43 PM
#5
If I remember well, Sasser infects Win XP machines but only crashes Windows 2000 machines without infecting them.
"We have found that if we take a machine off the network (physically) it will not do the reboot"
Are those Windows 2000 machines?
-
May 14th, 2004, 11:13 AM
#6
The reason Win2k (or XP for that matter) stops crashing when you remove it from the network is that LSASS is no longer being attacked by the worm.
Win2K machines certainly will become infected if you don't have the current AV signature for whichever AV product you use.
Machines (XP and W2K) reboot if:
You don't have MS04-011 but you do have an AV signature capable of spotting the worm.
Machines (XP and W2K) become infected if:
You don't have MS04-011 and you don't have an AV signature capable of spotting the worm.