MSMVPS.COM

The Ultimate Destination for Blogs by Current and Former Microsoft Most Valuable Professionals.

Sign in | Help

Security Manifest » ISC: New Phatbot Variant Exploits Recent Vulnerability

ISC: New Phatbot Variant Exploits Recent Vulnerability

Security Manifest

Home
Contact

Syndication

Recent Posts

Tags

Write-Ups

Security Blogs

Miscellaneous Blogs

Security Sites

Archives

BREAKING NEWS: Internet Storm Center Announces Troubling New Phatbot Variant

The Internet Storm Center has announced the discovery of yet another variant of the “Phatbot” family of worms. This variant appears to exploit a recent vulnerability. This would be the first worm to do so. From the diary of handler Tom Liston:

=====BEGIN QUOTE=====
PhatBot exploiting LSASS?
The ISC has come into possession of what appears to be a new version of PhatBot that contains code to exploit the LSASS (LSASS: Local Security Authority Subsystem Service) vulnerabilities patched under MS04-11. Reference these old diary entries:

http://isc.sans.org/diary.php?date=2004-04-26
http://isc.sans.org/diary.php?date=2004-04-25

We are currently focusing on some keywords found in the executable that indicate that an LSASS exploit has been added, specifically, the command string "CScannerLSASS".

We are currently investigating the code, and will update the diary as new information becomes available.

Traffic matching this bot was first observed yesterday evening (EDT) at multiple US .edu's.
The bot appears to inherit all other functions usually associated with 'phatbot'.
=====END QUOTE=====

It is unknown at this time whether the worm is spreading much, but this could become a Medium-risk event if the worm is seeded well enough.

Posted Apr 28 2004, 07:02 AM by trafton

Filed under: VIRUSES, SECURITY, Security (Medium), Security (Urgent), Viruses (Medium)

Comments

trafton wrote re:

on 12-30-2004 11:12

Pretty cool! Thank you!

trafton wrote re: ISC: New Phatbot Variant Exploits Recent Vulnerability

on 03-30-2005 18:31

http://hydrocodone.net2.ro/index.html http://hydrocodone.net2.ro/buyhydrocodone.html http://hydrocodone.net2.ro/buy_hydrocodone_online_.html http://hydrocodone.net2.ro/buy_cheap_hydrocodone_online.html http://hydrocodone.net2.ro/buy_hydrocodone_online.html http://hydrocodone.net2.ro/buy_hydrocodone_online_with_no_prescription.html http://hydrocodone.net2.ro/hydrocodone-buy-.html http://hydrocodone.net2.ro/buy_cheap_hydrocodone.html http://hydrocodone.net2.ro/buy-hydrocodone.html http://hydrocodone.net2.ro/buy-hydrocodone-club-join.html http://hydrocodone.net2.ro/buy-hydrocodone-cod.html http://hydrocodone.net2.ro/buyhydrocodoneline.html http://hydrocodone.net2.ro/buy-hydrocodone-overnight.html http://hydrocodone.net2.ro/buy_hydrocodone_prescription.html http://hydrocodone.net2.ro/buy_hydrocodone_where.html http://hydrocodone.net2.ro/buy-liquid-codeine-lortab-hydrocodone-cough-syrup.html http://hydrocodone.net2.ro/hydrocodone-buy-online-.html http://hydrocodone.net2.ro/hydrocodone_online_.html http://hydrocodone.net2.ro/online_hydrocodone_.html http://hydrocodone.net2.ro/bu_hydrocodone_online.html http://hydrocodone.net2.ro/buying_hydrocodone_online.html http://hydrocodone.net2.ro/cheap_hydrocodone_online.html http://hydrocodone.net2.ro/cheap_online_prescription_hydrocodone_overnight_delivery.html http://hydrocodone.net2.ro/cod_hydrocodone_online.html http://hydrocodone.net2.ro/hydrocodone_buying_narcotic_online.html http://hydrocodone.net2.ro/hydrocodone-free-online-prescription.html http://hydrocodone.net2.ro/hydrocodone_online_ordering.html http://hydrocodone.net2.ro/hydrocodone-online-pharmacy.html http://hydrocodone.net2.ro/hydrocodoneonlineprecriptions.html http://hydrocodone.net2.ro/hydrocodone-prescription-online.html http://hydrocodone.net2.ro/online-consultation-and-hydrocodone.html http://hydrocodone.net2.ro/onlinepharmacyandnoprescriptionandhydrocodone.html http://hydrocodone.net2.ro/online-pharmacy-drug-hydrocodone-10-500.html http://hydrocodone.net2.ro/onlinepharmacyhydrocodonevicodin.html http://hydrocodone.net2.ro/onlinepharmacysellhydrocodone.html http://hydrocodone.net2.ro/online-rx-hydrocodone.html http://hydrocodone.net2.ro/orderhydrocodoneonline.html http://hydrocodone.net2.ro/pain_medication_online_hydrocodone.html http://hydrocodone.net2.ro/purchase-hydrocodone-online.html
http://hydro1.zap3x.com/
http://www.hydro2.home.ro
http://www.hydro1.go.ro
http://vicodinphar.premium.ws/
http://premium.ws/vicodinphar/
http://www.vicodinphar.premium.ws/
http://www.premium.ws/vicodinphar/
http://phenterminepage.visit.ws/
http://visit.ws/phenterminepage/
http://www.phenterminepage.visit.ws/
http://www.visit.ws/phenterminepage/
http://hydrocodoneapap.rocks.it
http://hydrocodonebitartrate.does.it
http://hyd1.makes.it
http://hydphar.128bit.at
http://hydrocodoneorder.venture.at

trafton wrote pagerank main

on 08-17-2005 5:28

Thank you! http://www.dorank.com">http://www.dorank.com">http://www.dorank.com">http://www.dorank.com">http://www.dorank.com">http://www.dorank.com">http://www.dorank.com">http://www.dorank.com/improvepr/">http://www.dorank.com">http://www.dorank.com">http://www.dorank.com">http://www.dorank.com">http://www.dorank.com">http://www.dorank.com">http://www.dorank.com">http://www.dorank.com/improvepr/ <a href='http://www.dorank.com">http://www.dorank.com">http://www.dorank.com">http://www.dorank.com">http://www.dorank.com">http://www.dorank.com">http://www.dorank.com">http://www.dorank.com'>improve pagerank default</a>. <a href="http://www.dorank.com">http://www.dorank.com">http://www.dorank.com">http://www.dorank.com">http://www.dorank.com">http://www.dorank.com">http://www.dorank.com">http://www.dorank.com ">PageRank 11</a>: do rank, google pagerank algorithm, testing of system. Also [url]http://www.dorank.com">http://www.dorank.com">http://www.dorank.com">http://www.dorank.com">http://www.dorank.com">http://www.dorank.com">http://www.dorank.com">http://www.dorank.com/linksale/[/url] and [link=http://www.dorank.com">http://www.dorank.com">http://www.dorank.com">http://www.dorank.com">http://www.dorank.com">http://www.dorank.com">http://www.dorank.com">http://www.dorank.com]google rank 20[/link] from http://www.dorank.com">http://www.dorank.com">http://www.dorank.com">http://www.dorank.com">http://www.dorank.com">http://www.dorank.com">http://www.dorank.com">http://www.dorank.com .

trafton wrote google pr main

on 08-17-2005 5:28

Thanks! http://www.dorank.com">http://www.dorank.com">http://www.dorank.com">http://www.dorank.com/contacts/">http://www.dorank.com">http://www.dorank.com">http://www.dorank.com">http://www.dorank.com/contacts/ google pr. [URL=http://www.dorank.com">http://www.dorank.com">http://www.dorank.com">http://www.dorank.com]pagerank 5[/URL]: do rank, google pagerank algorithm, testing of system. Also [url=http://www.dorank.com">http://www.dorank.com">http://www.dorank.com">http://www.dorank.com]online pr16[/url] from http://www.dorank.com">http://www.dorank.com">http://www.dorank.com">http://www.dorank.com .

trafton wrote re: ISC: New Phatbot Variant Exploits Recent Vulnerability

on 10-06-2005 8:54

http://www.koutos-skata.loost.com @ http://www.pepiramenos-evarestos.loost.com @ http://www.adynamos-vizarou.loost.com @ http://www.movie-baniarisma-mpompina.loost.com @ http://www.free-glentzes-ikonidio.loost.com @ http://www.gouna-sto-banio.loost.com @ http://www.mpg-nearos-ikona.loost.com @ http://www.mathitria-hantres.loost.com @ http://www.kalos-kartoun.loost.com @ http://www.omorfi-sexi.loost.com @ http://www.iaponeza-paraxenos.loost.com @ http://www.koritsia-porno.loost.com @ http://www.password-kalitera-fotografia.loost.com @ http://www.ginekes-fantastika.loost.com @ http://www.movie-transexoual-sylogi.loost.com @ http://www.to-parti-perifronitikos.loost.com @ http://www.mpg-fisikos-poza.loost.com @ http://www.epithymo-orgasmos.loost.com @ http://www.picture-megali-klipaki.loost.com @ http://www.me-to-podi-tv.loost.com @ http://www.vasanizo-irinika.loost.com @ http://www.germanos-sto-spiti.loost.com @ http://www.neoteros-mikrokamomenos.loost.com @ http://www.videos-nikokira-ikona.loost.com @ http://www.mov-tsiboukono-mpompina.loost.com @ http://www.transexoual-mathitis.loost.com @ http://www.porno-neoteros-tenia.loost.com @ http://www.free-paralia-fotografia.loost.com @ http://www.xxx-dahtilo-foto.loost.com @ http://www.tsehos-exeretikos.loost.com @ http://www.free-epidixias-fotografia.loost.com @ http://www.picture-nikokira-eleftheros.loost.com @ http://www.videos-souideza-syloges.loost.com @ http://www.tv-kartoun-ikonidio.loost.com @ http://www.mpg-pahoulos-video.loost.com @ http://www.pehnidia-adynamos.loost.com @ http://www.sex-erasitehnis-haristikos.loost.com @ http://www.sex-hantres-eleftheros.loost.com @ http://www.kanapes-sta-skalia.loost.com @ http://www.download-sirsimo-foto.loost.com @ http://www.kouzina-fotografia.loost.com @ http://www.mov-pehnidiaris-klipakia.loost.com @ http://www.sex-praxi-ikonidio.loost.com @ http://www.lia-xxx.loost.com @ http://www.evropeos-xxx.loost.com @ http://www.sex-poza-mpompina.loost.com @ http://www.sex-kologlipsimo-ouranos.loost.com @ http://www.bikini-efharistos.loost.com @ http://www.movie-ikona-ikonidio.loost.com @ http://www.picture-kalogria-poza.loost.com

Add a Comment

Name: (required)

Website: (optional)

Comments (required)

Remember Me?

Copyright © is the original authors. Blog site is an independent site not sponsored by Microsoft. The Yoda blog server and the Brianna SQL server would like to thank www.ownwebnow.com and www.exchangedefender.com. They wouldn't be here and broadcasting without the generosity of Vlad Mazek and his companies.

Powered by Community Server (Commercial Edition), by Telligent Systems