Bot Attacks Vulnerable Windows Systems, MS Patch Buggy

There was chaos in the security space Wednesday and Thursday as Microsoft announced a bug in a patch for a critical vulnerability, while Symantec retracted a claim that automated code was compromising one Windows vulnerability and also warned that a bot network was on the loose and taking advantage of another.

All the scrambling revolved around a pair of vulnerabilities that Microsoft first disclosed April 13 as part of its monthly release of bugs and patches for Windows.

Early Thursday morning, Symantec saw several of the honeypots -- servers purposefully left unprotected in the hope of attracting attacks -- on its DeepSight Threat network compromised via the LSASS vulnerability within Windows 2000, Windows XP, and Windows Server 2003.

LSASS (Local Security Authority Subsystem Service) is a component of Windows that provides an interface for managing local security, domain authentication, and Active Directory processes.

The exploit of LSASS is not a worm, said Alfred Huger, the senior director of engineering with Symantec's security response team, but is malicious code based on Gaobot, an automated Trojan that uses Internet Relay Chat (IRC) to communicate with its creator. The Gaobot code has been modified, he said, to spread through the LSASS vulnerability.

According to an alert released by Symantec Thursday, the unnamed bot can gather information from the infected hosts and make detection and removal difficult. It can harvest e-mail addresses, capture screens, terminate anti-virus software, and modify the local HOSTS file to prevent DNS queries on selected domains.
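The HOSTS-file tampering described in the alert can be checked for on a suspect machine. The following is an added example, not code from Symantec or from the original article: it parses hosts-file text and reports every static entry that overrides a watched domain. The watchlist domains and the sample file contents are constructed assumptions; substitute the update and vendor domains your own systems rely on.

```python
import ipaddress

# Assumption: domains that should only ever be resolved through DNS
# (for example anti-virus update servers). Constructed placeholder names.
WATCHED = ("av-vendor.example", "patch-mirror.example")

# Constructed sample of a tampered HOSTS file.
SAMPLE_HOSTS = """\
# Sample HOSTS file (constructed)
127.0.0.1      localhost
127.0.0.1      LiveUpdate.av-vendor.example   # constructed entry
0.0.0.0        www.av-vendor.example defs.patch-mirror.example.
203.0.113.9    av-vendor.example
10.1.2.3       intranet.corp.example notav-vendor.example
::1            localhost
not-an-ip      broken.av-vendor.example
"""

def parse_hosts(text):
    """Yield (line_no, ip, hostname) for every valid mapping in hosts-file text."""
    for line_no, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()   # drop comments, split on whitespace
        if len(fields) < 2:
            continue
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                            # malformed address: resolver ignores it
        for name in fields[1:]:                 # one line may map several names
            yield line_no, ip, name.lower().rstrip(".")

def is_watched(host, suffixes=WATCHED):
    """True if host is a watched domain or a subdomain of one."""
    return any(host == s or host.endswith("." + s) for s in suffixes)

def find_overrides(text, suffixes=WATCHED):
    """Return (line_no, host, ip, sinkholed) for each watched-domain override.

    sinkholed is True when the entry points at loopback or 0.0.0.0/::,
    which makes the domain unreachable; False means it is redirected elsewhere.
    """
    findings = []
    for line_no, ip, host in parse_hosts(text):
        if is_watched(host, suffixes):
            sinkholed = ip.is_loopback or ip.is_unspecified
            findings.append((line_no, host, str(ip), sinkholed))
    return findings

if __name__ == "__main__":
    for finding in find_overrides(SAMPLE_HOSTS):
        print(finding)
```

On Windows 2000, XP and Server 2003 the file to feed in is `%SystemRoot%\system32\drivers\etc\hosts`.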