
Thread: sasser: find infected machine on network

  1. #1
    Member
    Join Date
    Jan 2002
    Posts
    61

    sasser: find infected machine on network

    hey guys

    We (just like a lot of companies) got caught sleeping. We were hit yesterday by the sasser virus. Most of our machines have the MS security patch now and are protected. We have found that if we take a machine off the network (physically) it will not do the reboot. Leads me to believe that some infected machine on the network is broadcasting some sort of shutdown command to the rest. Is this what I have read about "broadcasting over port 5544"? Is there a way that I could find on our network what machine is doing this broadcast to the others? Mind you we do not have a sniffer in place.

    Thanks in advance.

  2. #2
    Just Another Geek
    Join Date
    Jul 2002
    Location
    Rotterdam, Netherlands
    Posts
    3,401
    What happens when Sasser hits is that it overflows some buffer inside LSASS.exe. This overflow is exploitable. A side effect of this overflow is the crashing of LSASS. Because LSASS is an important process for Windows, Windows decides to shut down.

    As for detecting Sasser, look for large amounts of ICMP traffic. An infected machine will try to ping a host before attempting to infect.
    Oliver's Law:
    Experience is something you don't get until just after you need it.

  3. #3
    Just a Virtualized Geek MrLinus's Avatar
    Join Date
    Sep 2001
    Location
    Redondo Beach, CA
    Posts
    7,323
    Download and install a sniffer. TCPDUMP is the more common version for *nix installs and WinDUMP is the version for Windows (both are Open Source). These, IMO, would be the easiest solution and fastest. You could also go for the graphical version by installing Ethereal (available both in windows and *nix format).

    Alternatives would be to have an IDS up and running to detect attacks within the network. This would be more a long term solution. A look at SNORT would probably help.
    Goodbye, Mittens (1992-2008). My pillow will be cold without your purring beside my head
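Added example, not part of the original thread: the ICMP check from post #2 applied to sniffer output as suggested in post #3. It assumes the text format printed by `tcpdump -n icmp`; the function names, the threshold and the sample capture lines are constructed for illustration.

```python
import re
from collections import defaultdict

# Matches tcpdump -n text output for an ICMP echo request, e.g.
# 12:01:03.101234 IP 10.0.0.23 > 10.0.4.17: ICMP echo request, id 512, seq 1, length 40
ECHO_REQ = re.compile(
    r"^\S+ IP (?P<src>\d+\.\d+\.\d+\.\d+) > (?P<dst>\d+\.\d+\.\d+\.\d+): "
    r"ICMP echo request\b"
)

def ping_fanout(lines):
    """Map each source IP to the set of distinct hosts it sent echo requests to."""
    targets = defaultdict(set)
    for line in lines:
        m = ECHO_REQ.match(line.strip())
        if m:
            targets[m["src"]].add(m["dst"])
    return targets

def suspects(lines, min_targets=20):
    """Sources that pinged at least min_targets distinct hosts, busiest first.

    min_targets is an assumed threshold; tune it to the capture length and
    exclude monitoring servers that ping many hosts legitimately.
    """
    counts = {src: len(dsts) for src, dsts in ping_fanout(lines).items()}
    hits = [(src, n) for src, n in counts.items() if n >= min_targets]
    return sorted(hits, key=lambda item: (-item[1], item[0]))

def sample_capture():
    """Constructed capture text (not real traffic): one host sweeping, one normal."""
    lines = [
        f"12:01:{i % 60:02d}.000000 IP 10.0.0.23 > 10.0.{i // 250}.{i % 250 + 1}: "
        f"ICMP echo request, id 512, seq {i}, length 40"
        for i in range(300)
    ]
    lines += [
        "12:01:05.000000 IP 10.0.0.40 > 10.0.0.1: ICMP echo request, id 7, seq 1, length 64",
        "12:01:05.000400 IP 10.0.0.1 > 10.0.0.40: ICMP echo reply, id 7, seq 1, length 64",
        "12:01:06.000000 IP 10.0.0.40.1049 > 10.0.0.5.80: Flags [S], seq 1, win 64240, length 0",
    ]
    return lines

if __name__ == "__main__":
    for src, n in suspects(sample_capture()):
        print(f"{src} sent echo requests to {n} distinct hosts")
```

Hosts it reports are candidates to pull off the network and check, not confirmed infections.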

  4. #4
    Master-Jedi-Pimps0r & Moderator thehorse13's Avatar
    Join Date
    Dec 2002
    Location
    Washington D.C. area
    Posts
    2,885
    A very easy way to find infected hosts (notice I didn't say vulnerable) is to DL Angry IP Scanner and search your subnets for machines with ports 5554, 9995 and 9996 TCP open. You can then clean them, patch them and move on to better things.

    http://www.angryziber.com/ipscan/
    Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
    Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden

  5. #5
    AO French Antique News Whore
    Join Date
    Aug 2001
    Posts
    2,126
    If I remember well, Sasser infects Win XP machines but only crashes Windows 2000 machines without infecting them.

    "We have found that if we take a machine off the network (physically) it will not do the reboot"
    Are those Windows 2000 machines?
    -Simon "SDK"

  6. #6
    Master-Jedi-Pimps0r & Moderator thehorse13's Avatar
    Join Date
    Dec 2002
    Location
    Washington D.C. area
    Posts
    2,885
    The reason Win2k (or XP for that matter) stops crashing when you remove it from the network is because LSASS is no longer being attacked by the worm.

    Win2K machines certainly will become infected if you don't have the current AV signature for whichever AV product that you use.

    Machines (XP and W2K) reboot if:

    You don't have MS04-011 but you do have an AV signature capable of spotting the worm.

    Machines (XP and W2K) become infected if:

    You don't have MS04-011 and you don't have an AV signature capable of spotting the worm.

