MS04-011 LSASS Service DsRolerUpgradeDownlevelServer Overflow PCAP File Analysis

PCAP File Analysis

What is the file type?

What is the checksums?

How long did the attack take?

What is the hierarchy of the protocols involved?

Which systems (i.e., IP addresses) are involved?

What can you find out about the attacking host (e.g., where is it located)?

How many TCP sessions are contained in the dump file?

Which services were targeted?

The Windows Local Security Authority Subsystem Service (LSASS) RPC service of host V.I.D.C.M. IP address 192.150.11.111 (See https://msdn.microsoft.com/en us/library/aa939478
(v=winembedded.5).aspx):

Wireshark view:

Can you sketch an overview of the general actions performed by the attacker?

After exploitation of the control of the The IPC$ share known as a null session connection (See https://support.microsoft.com/en-us/help/3034016/ipc-share-and-null-session-behavior-in-windows), the attacker then writes a script for download the ssms.exe file from ftp (See below).

Command line view:

FTP session and successful ssme.exe file download:

Command line view:

What specific vulnerability was attacked?

MS04-011 Microsoft LSASS Service DsRolerUpgradeDownlevelServer Overflow (See Microsoft Security Bulletin MS04-011 – Critical (See https://technet.microsoft.com/library/security/ms04-011).

Stack-based buffer overflow in certain Active Directory service functions in LSASRV.DLL of the Local Security Authority Subsystem Service (LSASS) in Microsoft Windows NT 4.0 SP6a, 2000 SP2 through SP4, XP SP1, Server 2003, NetMeeting, Windows 98, and Windows ME, allows remote attackers to execute arbitrary code via a packet that causes the DsRolerUpgradeDownlevelServer function to create long debug entries for the DCPROMO.LOG log file, as exploited by the Sasser worm (See http://www.cvedetails.com/cve/cve-2003-0533).

DCERPC request fragmentation can be performed by setting ‘FragSize’ parameter:

Long frame:

Was there malware involved? Whats the name of the malware?

Yes. After searching on it MD5 signature it was identified a malware and a variant of the IRCBot family of worms and IRC backdoor Trojans.

W32.IRCBot is a detection for worms that spread using Internet Relay Chat (IRC). The IRC connection serves as a back door, allowing an attacker to perform a variety of actions on the compromised computer. An attacker usually gathers a large number of computers infected with W32.IRCBot worms and uses them as a bot network, controlled through IRC (See https://www.symantec.com/security_response/writeup.jsp?docid=2002-070818-0630-99).

The use of IRC separates threats from their traditional back door and worm counterparts in that the hacker does not issue commands directly to the back door. Rather they are routed through the IRC server and channel, and then on to the compromised computer. Without the IRC server or channel, the attacker is unable to control the compromised computer (See https://www.symantec.com/security_response/writeup.jsp?docid=2002-070818-0630-99)

Do you think this is a manual or an automated attack.

Automatic because it happened so fast.

About the Author

David Zwickl, MSci., CISSP, CEH, has spent over 20 years in information insurance and cybersecurity for companies such as RSA Security and Cisco Systems. He is active in industry associations ISSA, OWASP, CSA among others. Mr. Zwickl holds a Master’s degree in Information Assurance with a Cybersecurity Specialization from Regis University in Denver Colorado. Regis University’s School of Computer & Information Sciences has been designated as a National Center of Excellence in Information Systems Security Education (CAE/IAE) by the National Security Agency (NSA) and the Department of Homeland Security (DHS).

Leave a Reply

Your email address will not be published. Required fields are marked *