Exploit details: There is a buffer overrun vulnerability in the service wrapper Lsass.exe (the Local Security Authority Subsystem Service). By default the service wrapper listens on ports 139 and 445, so an attacker who sends a specially crafted message to one of these ports can execute malicious commands within the context of the service wrapper.
The following operating systems have this security hole:
- Windows 2000 SP1, SP2, SP3, SP4
- Windows XP SP1
More info: SecurityFocus.com (exploit sample code)
Exploit side effects: The service wrapper Lsass.exe is vital for the operation of Windows, so when it is attacked it may crash and cause Windows to shut down. One of the following messages is usually shown when Lsass.exe crashes:
LSASS has terminated, the system is going to shutdown in 60 seconds...
Faulting application lsass.exe, version 5.1.2600.1106, faulting module unknown, version 0.0.0.0, fault address 0x00000000.
The error: "C:\Windows\system32\lsass.exe terminated unexpectantly with status code - 1073741819"
LSA Shell (Export Version) has encountered a problem and needs to close. We are sorry for any inconvience.
The system is shutting down. Please save all work in progress and log off. Any unsaved changes will be lost. The shutdown was initiated by NT Authority\SYSTEM.
The system process "C:\winnt\system32\lsass.exe" terminated unexpectedly with status code 128. The system will now shutdown and restart.
The result of the attacks is usually that the system becomes infected with a virus, which takes control of the CPU and the Internet bandwidth and uses the machine to attack other machines on the Internet.
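A small triage script, added here as an example and not part of the original page, that flags the crash messages listed above in an exported event log and decodes the signed status code into the NTSTATUS value Windows logged it from. The regular expressions, the two-signature threshold and the sample log lines are constructed for this example.

```python
import re

# Crash signatures derived from the messages quoted on this page. The patterns
# are constructed for illustration, not a vendor rule set; adjust them to the
# exact wording in your exported event log.
LSASS_CRASH_PATTERNS = {
    "shutdown_countdown": re.compile(r"LSASS has terminated.*shut ?down in \d+ seconds", re.I),
    "faulting_application": re.compile(r"Faulting application lsass\.exe", re.I),
    "unexpected_exit": re.compile(r"lsass\.exe['\"]?\s+terminated unexpect\w* with status code\s*(-?\s?\d+)", re.I),
    "lsa_shell_dialog": re.compile(r"LSA Shell \(Export Version\) has encountered a problem", re.I),
    "system_shutdown": re.compile(r"shutdown was initiated by NT Authority\\SYSTEM", re.I),
}

def ntstatus_hex(code: int) -> str:
    """Render the signed exit code from the log as the 32-bit NTSTATUS it came from.
    -1073741819 is 0xC0000005 (STATUS_ACCESS_VIOLATION): lsass.exe died from a memory
    access fault, the usual trace of a buffer overrun that corrupted memory."""
    return "0x%08X" % (code & 0xFFFFFFFF)

def scan_for_lsass_crash(lines):
    """One dict per matching line: line number, signature name and, where the
    message carries a status code, its NTSTATUS rendering."""
    hits = []
    for n, line in enumerate(lines, 1):
        for name, pat in LSASS_CRASH_PATTERNS.items():
            m = pat.search(line)
            if not m:
                continue
            hit = {"line": n, "signature": name}
            if name == "unexpected_exit":
                hit["status"] = ntstatus_hex(int(m.group(1).replace(" ", "")))
            hits.append(hit)
    return hits

def summarize(lines):
    """Flag a suspected LSASS crash when two or more distinct signatures appear
    (an assumed threshold that ignores a single unrelated lsass.exe event)."""
    hits = scan_for_lsass_crash(lines)
    return {"suspected": len({h["signature"] for h in hits}) >= 2, "hits": hits}

# Constructed sample of an exported event log: a benign service event followed
# by the crash messages this page lists.
SAMPLE_LOG = [
    "Information  Service Control Manager  The Print Spooler service entered the running state.",
    "Error  Application Error  Faulting application lsass.exe, version 5.1.2600.1106, "
    "faulting module unknown, version 0.0.0.0, fault address 0x00000000.",
    "Error  USER32  The system process 'C:\\WINDOWS\\system32\\lsass.exe' terminated "
    "unexpectedly with status code -1073741819. The system will now shut down and restart.",
    "Information  USER32  The shutdown was initiated by NT Authority\\SYSTEM.",
]
```

Running `summarize(SAMPLE_LOG)` reports the crash as suspected and gives the decoded status 0xC0000005 for the unexpected-exit line.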
Solution to prevent exploit:
- Consider enabling a firewall to prevent future attacks (like the Windows XP Firewall)
- Download and install the Microsoft patch MS04-011 Security Update for Microsoft Windows (835732).
- Download the newest virus database for your existing antivirus scanner and scan, or use housecall.antivirus.com. (If using WinXP, remember to turn off System Restore temporarily)
- Microsoft have created their own Microsoft Windows Malicious Software Removal Tool (Q890830) because newly installed systems are easily infected. (Replaces Q841720)
- McAfee have updated their Stinger to handle the most common infections caused by this exploit
- Check Windows Update to see if there are other critical patches for your system
Note: it is possible to block the attacks without installing the patch by doing one of the following:
- Create an empty read-only file called "dcpromo.log" in %systemroot%\debug (e.g. C:\WinNT\Debug) by executing these two commands (press the Start button, choose Run... and enter each command):
cmd /c type nul > %systemroot%\debug\dcpromo.log
attrib +R %systemroot%\debug\dcpromo.log
- Disable nbt.sys and block ports 139 and 445
Exploiters: More information about the LSA attackers:
Updated: 21 January 2010