‘Worm Analysis – Microsoft LSASS Buffer Overflow from Exploit to Worm’

Summary

‘The document linked below provides a thorough analysis of a worm that exploits the vulnerability discussed in Windows Local Security Authority Service Remote Buffer Overflow (MS04-011). The paper explains the original exploit code, how it is used by a malicious attacker, and how the worm was developed from it.’

Credit:

‘The original article can be found at: http://www.giac.org/practical/GCIH/Travis_Abrams_GCIH.pdf


Details

Statement of Purpose:
This paper is an analysis of the vulnerability in the Microsoft Local Security Authority Service. This vulnerability has been widely exploited and at the time of this writing it has been implemented into most new worms that are released. Publicly released exploit code (released by houseofdabus) will be examined to show how it is compiled and then used against targets. We will show the attacker can use tools such as Netcat to gain access to the compromised machines. We will then review how with the use of tools such as Snort and Ethereal we can detect and monitor the attack. Lastly, we will show common utilities can be combined to create a snapshot of a compromised system. Next a worm that utilizes this attack will be analyzed. For this paper we will review the Korgo.V worm. This paper reviews the 5 steps of system exploitation. These steps are Reconnaissance, Scanning, Exploiting the System, Keeping Access and Covering Tracks. Finally, the six step Incident Handling process developed by the SANS Institute to show how to contain this threat is examined. We will also review a few different ways companies can prevent this type of threat from wreaking havoc on their networks.

The whitepaper can be found at: Microsoft LSASS Buffer Overflow from exploit to worm

Categories: Reviews