Microsoft Windows Lsass Buffer Overrun Vulnerability Computer Science Essay



The Microsoft Windows LSASS (Local Security Authority Subsystem Service) buffer overrun, also known as WinLsassBo, is a remotely exploitable buffer overrun vulnerability. It was discovered in the first quarter of 2004 and was first reported to Microsoft by eEye Digital Security.

The vulnerability bypasses authentication and allows malicious code to be executed on a vulnerable system, so an attacker who understands the overflow precisely can compromise the whole system.

Windows 2000 and Windows XP can be exploited by an anonymous user through this vulnerability. Windows Server 2003 and Windows XP 64-Bit Edition 2003 are also affected.

The issue can be exploited by an anonymous user on Windows 2000 and Windows XP. On Windows Server 2003 and Windows XP 64-Bit Edition 2003 it is reported to be exploitable only by local, authenticated users. The vulnerable component is LSASRV.DLL, one of the core startup files of Windows-based operating systems.

A lot of exploit code for this vulnerability has been released. One of the best known, used by most attackers, is HOD-ms04011-lsasrv-expl.c, written in C. Another exploit, aimed at home XP users, is called xphack.c. Comparing the two, the first uses more resources than xphack.c because it mainly targets server operating systems, in this case Windows Server 2003. The code runs remotely if the person running it has access to the local network of the target system.

The recommendation given before a fix was released was that the computer owner or network administrator should permit only trusted individuals on the local network. Anyone who is not trusted should have no access to the system at all.

External access should also be blocked at the network boundary, with the service opened only where an external party genuinely requires it. Doing so blocks and limits exposure to exploitation of this and other latent vulnerabilities. This includes blocking the RPC ports, namely UDP ports 135 to 139 and 445, and TCP ports 138 to 139 and 445.

Network intrusion detection systems are also deployed to monitor traffic for malicious activity, and anomalous or suspicious activity is monitored so that no background activity can proceed unnoticed. This at least provides a way to detect attack attempts, or activity resulting from successful exploitation of this threat and related vulnerabilities.
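The boundary filter and the monitoring described in the two paragraphs above can be tried out on sample data. The following is an added example, not code from the essay or from any vendor: it applies the essay's port list (UDP 135 to 139 and 445, TCP 138 to 139 and 445, dropped only for sources outside the trusted range) to constructed flow records, and then reports external sources that repeatedly hit those ports, which is the kind of probing an IDS should alert on. The trusted range, the addresses and the flow records are all constructed for illustration.

```python
"""Added example (not from the essay): evaluate the boundary-filter policy the
essay recommends against constructed flow records, and flag external sources
that repeatedly probe the blocked RPC/SMB ports. Addresses, the trusted range
and the flow records are constructed for illustration."""
import ipaddress
from collections import Counter

# Port sets taken from the essay's recommendation.
BLOCKED_UDP = set(range(135, 140)) | {445}
BLOCKED_TCP = {138, 139, 445}

# Assumed trusted internal range (placeholder, not from the essay).
TRUSTED_NET = ipaddress.ip_network("10.0.0.0/8")


def is_blocked(proto, src_ip, dst_port):
    """Return True if the boundary filter should drop this flow.

    Only traffic from outside the trusted range is filtered, so internal
    RPC/SMB traffic keeps working."""
    if ipaddress.ip_address(src_ip) in TRUSTED_NET:
        return False
    if proto == "udp":
        return dst_port in BLOCKED_UDP
    if proto == "tcp":
        return dst_port in BLOCKED_TCP
    return False


def parse_flow(line):
    """Parse a constructed flow record of the form 'proto src_ip dst_ip dst_port'."""
    proto, src, dst, port = line.split()
    return proto.lower(), src, dst, int(port)


def audit(lines, threshold=3):
    """Apply the policy to each record. Returns (dropped, probers):
    dropped  - records the filter would block
    probers  - external sources whose blocked attempts reach `threshold`,
               i.e. repeated RPC/SMB probing worth an IDS alert."""
    dropped = []
    per_src = Counter()
    for line in lines:
        proto, src, dst, port = parse_flow(line)
        if is_blocked(proto, src, port):
            dropped.append((proto, src, dst, port))
            per_src[src] += 1
    probers = sorted(s for s, n in per_src.items() if n >= threshold)
    return dropped, probers


SAMPLE_FLOWS = [  # constructed records
    "tcp 10.0.5.7 10.0.5.20 445",      # internal file sharing: allowed
    "tcp 198.51.100.9 10.0.5.20 445",  # external SMB attempt: dropped
    "tcp 198.51.100.9 10.0.5.21 139",  # same source, NetBIOS session: dropped
    "udp 198.51.100.9 10.0.5.22 135",  # same source, RPC endpoint mapper: dropped
    "tcp 203.0.113.4 10.0.5.30 80",    # external web traffic: allowed
    "udp 203.0.113.4 10.0.5.30 137",   # single NetBIOS probe: dropped, not yet a prober
]

if __name__ == "__main__":
    blocked, repeat = audit(SAMPLE_FLOWS)
    for record in blocked:
        print("DROP", record)
    print("repeat probers:", repeat)
```

Running the block drops four of the six sample flows and names 198.51.100.9 as the only repeat prober; the single NetBIOS probe from 203.0.113.4 is dropped but stays below the alert threshold.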

Many antivirus vendors also updated their products to cover this vulnerability before the official patch was released; Symantec is one of them. Avaya, which sells systems built on the Windows operating system, was also involved, because its main products were affected by this vulnerability. To keep its systems protected, Avaya published an announcement describing Microsoft's recommended protections to apply while waiting for the bug fix, known as the patch, to be released.

In the same year (April 2004), the solution for this vulnerability was released in the form of patches and updates provided by Microsoft itself. The patches cover every affected Microsoft operating system, and applying them on all affected products is strongly recommended to remove the vulnerability from the system.

Chapter 2 - Botnets

Background Study of Botnets

A botnet, also known as a robot network, is a collection of computers running a program that is controlled and manipulated only by its owner or by the software source. The term can also refer to a legitimate network of several computers that share program processing among themselves.

Botnets are known for their ability to infect a group of computers with malicious robot software, the bots, which pose a security threat to the computer's owner. Once the robot software (also known as malicious software or malware) has been installed on a computer, the computer becomes a zombie or drone, unable to resist the commands of the bot commander.

Botnets may be small or large depending on the complexity and sophistication of the bots used. A large botnet may consist of ten thousand individual zombies; a small one may consist of only a thousand drones. Usually the owners of the zombie computers do not know that their computers and their resources are being remotely controlled and exploited by an individual or a group of malware operators through Internet Relay Chat (IRC).

There are various types of malicious bots that have infected, and continue to infect, the Internet. Some bots have their own spreaders, the script that lets them infect other computers (which is why some people call botnets computer viruses), while some smaller types of bots lack this capability.

Samples of Botnets

One of the best-known groups of bots is XtremBot, Agobot, Forbot and Phatbot, with more than 500 variants in circulation on the Internet today. The bot is written in C++ with cross-platform compiler support, and the source code is released under the GPL. These bots range from the fairly simple to highly abstract module-based designs. The design is highly modular, so adding commands or scanners to exploit new vulnerabilities more efficiently is relatively easy. It can use the libpcap packet sniffing library, NTFS ADS and PCRE. Agobot is distinctive in that it is the only bot that uses control protocols other than IRC.

Compared to the group above, UrXBot, SDBot, UrBot and RBot are less abstract in design and are written in rudimentary C. Although their implementation is less varied and their design less sophisticated, these bots are well known and widely used on the Internet.

GT-Bots and mIRC-based bots have many versions on the Internet, mainly because mIRC is one of the most used IRC clients for Windows. GT stands for Global Threat and is the common name for bots scripted with mIRC. GT-bots use the mIRC chat client to launch a set of binaries (mainly DLLs) and scripts; their scripts often have the file extension .mrc.


The Dataspy Network X (DSNX) bot is written in C++ and has a convenient plugin interface. An attacker can easily write scanners and spreaders as plugins to extend the bot's features, and the code is published under the General Public License (GPL). One major disadvantage of this bot is that the default version does not come with any spreaders, but plugins are available to fill that gap. Plugins offering services such as DDoS attacks, a portscan interface or a hidden HTTP server are also available.

Q8 Bots

Q8bot is a very small bot, consisting of 926 lines of C code, and it is written for Unix/Linux systems. It implements all the common features of a bot, such as dynamic updating via HTTP downloads, various DDoS attacks such as UDP floods, and execution of arbitrary commands. The captured version lacks spreaders, but it is reasonable to assume that versions of this bot with spreaders exist.


Kaiten also lacks a spreader and is likewise written and compiled for Unix/Linux systems. Its very weak user authentication makes it easy to hijack a botnet running Kaiten. The bot consists of just one file, so it is easy to fetch the source code with the free file-retrieval utility wget and compile it on a vulnerable box using a script. Kaiten offers a simple remote shell, so checking for further vulnerabilities to gain privileged access can be done over Internet Relay Chat (IRC).

Perl-based bots

There are several versions of very simple bots based on the Perl programming language. These bots are very small, in most cases only a few hundred lines of code. They offer only a basic set of commands (most often DDoS attacks) and are used on Unix-based systems.

Uses of Botnets

A botnet is a tool, and there are as many motives for using one as there are people. The most common uses are criminally motivated or destructive. Based on captured data, the uses of botnets can be categorized as listed below. Since a botnet is just a tool, there are most likely other potential uses that have not been observed yet.

Distributed Denial-of-Service Attacks

Botnets are commonly used for Distributed Denial-of-Service (DDoS) attacks. A DDoS attack is an attack on a computer system or network that causes a loss of service to users, typically the loss of network connectivity and services, by consuming the bandwidth of the victim network or overloading the computational resources of the victim system. Resources along the path can also be exhausted if the attack generates many packets per second. Every bot analyzed so far includes several ways to carry out a DDoS attack against other hosts; the most commonly implemented and most often used are TCP SYN and UDP flood attacks. Script kiddies apparently consider DDoS an appropriate solution to every social problem.

Further research showed that botnets are even used to run commercial DDoS attacks against competing corporations; Operation Cyberslam documents the story of Jay R. DDoS attacks are not limited to web servers: virtually any service available on the Internet can be the target of such an attack. Higher-level protocols can be used to increase the load even more effectively through very specific attacks, such as running exhausting search queries on bulletin boards or recursive HTTP floods on the victim's website. A recursive HTTP flood means that the bots start from a given HTTP link and then follow all links on the provided website recursively. This is also called spidering.


Some bots offer the ability to open a SOCKS v4/v5 proxy, a generic proxy protocol for TCP/IP-based networking applications, on the compromised machine. Once the SOCKS proxy is enabled, the machine can be used for criminal tasks such as spamming. With a botnet of thousands of bots, an attacker is able to send large amounts of bulk email (spam). Some bots also implement a special function to harvest email addresses. This can also be used to send phishing mails, since phishing is a special case of spam.

Sniffing Traffic

Bots can also use a packet sniffer to watch for interesting clear-text data passing by a compromised machine. Sniffers are mostly used to retrieve sensitive information such as usernames and passwords, but the sniffed data can also contain other interesting information. If a machine is compromised more than once and is a member of more than one botnet, packet sniffing allows the key information of the other botnet to be gathered.

From that, it is possible to "steal" another botnet.


If the compromised machine uses encrypted communication channels such as HTTPS or POP3S, then the attacker's attempt to sniff network packets on the victim's computer is useless, since the key needed to decrypt the packets is missing. But most bots also offer features to help in this situation. With the help of a keylogger it is very easy for an attacker to retrieve sensitive information. A built-in filtering mechanism, for example "I am only interested in key sequences near the keyword ''", further helps in stealing secret data. Imagine this keylogger running on thousands of compromised machines in parallel and it becomes clear how quickly PayPal accounts can be harvested.

Spreading new malware

In most cases, botnets are used to spread new bots. This is very easy, since all bots implement mechanisms to download and execute a file via HTTP or FTP. Email viruses are commonly spread using a botnet: a botnet of 10,000 hosts acting as the launch base for a mail virus allows very fast spreading and therefore causes more harm. The Witty worm, which attacked the ICQ protocol parsing implementation in Internet Security Systems (ISS) products, is suspected to have been initially launched by a botnet, because the attacking hosts were not running any ISS services.

Installing Advertisement Addons and Browser Helper Objects (BHOs)

Botnets can also be used for financial gain. This works by setting up a fake website with some advertisements: the operator of the website strikes a deal with hosting companies that pay for clicks on ads. With the help of a botnet, these clicks can be "automated" so that a few thousand bots instantly click on the pop-ups. The scheme can be taken further if the bot hijacks the start page of a compromised machine, so that the "clicks" are executed each time the victim opens the browser.

Google AdSense abuse

A similar abuse is possible with Google's AdSense program, which offers companies the possibility of displaying Google advertisements on their own website and earning money that way. The company earns money from clicks on these ads, for example per 10,000 clicks in one month. An attacker can abuse this program by using his botnet to click on these advertisements automatically, artificially increasing the click counter. This use of botnets is relatively uncommon but not a bad idea from an attacker's perspective.

Attacking IRC Chat Networks

Botnets are also used for attacks against Internet Relay Chat (IRC) networks. Especially popular among attackers is the so-called "clone attack". In this attack, the controller orders each bot to connect a massive number of clones to the victim IRC network. The victim is flooded by service requests from thousands of bots, or by thousands of channel joins by these cloned bots. In this way the victim IRC network is brought down, much like in a DDoS attack.

Manipulating online polls/games

Online polls and games are getting more and more attention, and it is relatively easy to manipulate them with botnets. Since every bot has a distinct IP address, every vote has the same credibility as a vote cast by a real person. Online games can be manipulated in a similar way.

Mass identity theft

Usually it is the combination of different functions that enables large-scale identity theft, one of the fastest growing crimes on the Internet. Bogus emails ("phishing mails") that pretend to be legitimate (such as fake PayPal or banking emails) ask their intended victims to go online and submit their private information. These fake emails are generated and sent by bots through their spamming mechanism. The same bots can also host multiple fake websites that pretend to be eBay, PayPal or a bank, and gather personal information. After one of these fake sites is shut down, another can quickly pop up. Keylogging and traffic sniffing can also be used for identity theft.

How botnets work

This is one of the most common and efficient DDoS attack methods. It is based on using hundreds of zombie hosts, which are usually controlled through IRC (Internet Relay Chat) networks by means of a so-called botnet.

After a host has been infected, the bot uses Trivial File Transfer Protocol (TFTP), File Transfer Protocol (FTP), HyperText Transfer Protocol (HTTP) or CSend (an IRC extension for sending files to other users, comparable to DCC) to transfer itself to the infected or "zombie" host. The binary then starts and tries to connect to the hard-coded master IRC server. Dynamic DNS names are usually used rather than a hard-coded IP address, so that the bot can easily be relocated. Some bots even remove themselves if the given master server resolves to localhost or to a private subnet, since that indicates an unexpected situation. The bot then tries to join the master's channel using a specially crafted nickname such as USA|743634 or [UrX]-98439854, sometimes with a password to keep strangers out of the channel.

Chapter 3 - Solutions on how to protect and defend against Botnets

There are several options for protecting machines from a DoS attack by a botnet. There are also difficulties: it is hard to identify a pattern among the offending machines, and their sheer number of IP addresses does not lend itself to filtering individual cases. Passive OS fingerprinting can identify several types of attacks originating from a botnet, and network administrators can configure newer firewall equipment to act on a botnet attack using the information obtained from passive OS fingerprinting.
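Passive OS fingerprinting, as the paragraph above describes it, derives an OS guess from fields the sender cannot avoid revealing in its own packets, such as the initial TTL and the TCP window size. The following added example, which is not code from the essay and not a real fingerprinting tool, does this over constructed SYN packet summaries and then applies the check a boundary firewall could act on: a destination hit by many distinct sources that all share one fingerprint, which fits a population of zombies running the same software. The TTL/window signature table is an approximation of classic p0f-style values and is an assumption here; all packets and addresses are constructed.

```python
"""Added example (not from the essay): a minimal passive OS fingerprinter over
constructed SYN packet summaries, plus a flood check a firewall could act on.
The signature table is an approximation of classic p0f-style values (an
assumption, not data from the essay); all packets are constructed."""
from collections import defaultdict

# (initial TTL, TCP window) -> OS guess. Assumed approximate signatures.
SIGNATURES = {
    (128, 65535): "Windows 2000/XP",
    (128, 64240): "Windows XP",
    (64, 5840): "Linux 2.4/2.6",
}


def initial_ttl(observed):
    """Round an observed TTL up to the nearest common initial value (64, 128,
    255) to undo the per-hop decrements along the path."""
    for base in (64, 128, 255):
        if observed <= base:
            return base
    return observed


def fingerprint(pkt):
    """pkt: dict with 'ttl' and 'window'. Returns the OS guess or 'unknown'."""
    return SIGNATURES.get((initial_ttl(pkt["ttl"]), pkt["window"]), "unknown")


def syn_flood_report(packets, threshold=3):
    """Group SYNs by destination. A destination hit by at least `threshold`
    distinct sources that share one fingerprint is the botnet-style pattern
    (many zombies, same software). Returns {dst: (os_guess, n_sources)}."""
    by_dst = defaultdict(lambda: defaultdict(set))
    for p in packets:
        by_dst[p["dst"]][fingerprint(p)].add(p["src"])
    report = {}
    for dst, groups in by_dst.items():
        os_guess, srcs = max(groups.items(), key=lambda kv: len(kv[1]))
        if len(srcs) >= threshold:
            report[dst] = (os_guess, len(srcs))
    return report


SAMPLE_SYNS = [  # constructed packet summaries
    {"src": "198.51.100.1", "dst": "203.0.113.10", "ttl": 119, "window": 65535},
    {"src": "198.51.100.2", "dst": "203.0.113.10", "ttl": 115, "window": 65535},
    {"src": "198.51.100.3", "dst": "203.0.113.10", "ttl": 121, "window": 65535},
    {"src": "198.51.100.4", "dst": "203.0.113.10", "ttl": 54, "window": 5840},
    {"src": "192.0.2.8", "dst": "203.0.113.11", "ttl": 57, "window": 5840},
]

if __name__ == "__main__":
    for p in SAMPLE_SYNS:
        print(p["src"], "->", p["dst"], fingerprint(p))
    print("flood candidates:", syn_flood_report(SAMPLE_SYNS))
```

With the sample data, 203.0.113.10 is reported as a flood candidate because three distinct sources with the same Windows-style fingerprint hit it, while the lone Linux-style SYN to 203.0.113.11 stays below the threshold. A firewall rule built on this would rate-limit or drop further SYNs matching that fingerprint toward that destination rather than try to list every source address, which is the filtering difficulty the paragraph describes.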

Some botnets use free DNS hosting services to point a subdomain at the IRC server that harbours the bots. While these free DNS services do not themselves host the attacks, they provide a reference point that is hard-coded into the botnet executable. Removing such a service can bring down an entire botnet.

Host-based approaches use experience-based techniques to identify bot behaviour that has bypassed conventional antivirus software. Network-based approaches tend to use techniques such as shutting down C&C servers, null-routing DNS entries or completely shutting down IRC servers.

Newer botnets are almost entirely peer-to-peer (P2P), with command and control implemented inside the botnet itself. They are dynamically updatable and variable, and so avoid any single point of failure. Commanders can be identified through secure keys without involving anything else, and all data except the binary itself can be encrypted. For example, a spyware program may encrypt all suspected passwords with a public key that is hard-coded or distributed in the bot software; only the commander, who holds the matching private key, can read the captured data.

Newer botnets also have capabilities for detecting and reacting to attempts to figure out how they work. Many botnets that can detect they are being studied can even DDoS the people studying them off the Internet.

Bot infections usually come through worms, which browse the net looking for vulnerable machines. The first step in preventing infection is to keep the system updated, downloading patches and system updates for both the OS and all applications that access the Internet. Automatic updates are a good idea. Users should also be careful about opening suspicious email attachments. It is also wise to deactivate support for scripting technologies such as ActiveX and JavaScript, or at least control their use.

In addition, administrators should always keep up to date on the latest vulnerabilities and read Internet security resources daily. Administrators should also educate their users and define security and privacy policies.

If necessary, users also need to study the logs generated by IDS and firewall systems, mail servers, DHCP and proxy servers. This helps them spot abnormal traffic, which could be a sign of a bot's presence in the network. Once such traffic is noticed, a sniffer comes in handy for identifying the subnet and the computer generating it.
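The paragraph above (study firewall and other logs for abnormal traffic, then use a sniffer to find the host behind it) and the earlier description of how a bot joins its master's IRC channel with a crafted nickname such as USA|743634 or [UrX]-98439854 can be combined into a concrete check. The following is an added example and not code from the essay: it looks for internal hosts that open outbound connections to TCP 6667 (IRC's standard port) in constructed firewall log lines, and for NICK commands in constructed sniffer output whose nickname follows the machine-generated pattern of the essay's two samples. The nickname regular expression is generalised from those two samples and is an assumption; real bot families differ. All addresses, hostnames and log lines are constructed.

```python
"""Added example (not from the essay): spot likely bot activity in constructed
firewall and sniffer records. Two signals are combined:
  1. internal hosts opening outbound IRC connections (TCP 6667, IRC's standard port);
  2. IRC NICK commands whose nickname follows the machine-generated patterns the
     essay quotes (USA|743634, [UrX]-98439854).
All addresses, hostnames and lines are constructed for illustration."""
import re
from collections import defaultdict

IRC_PORT = 6667

# Generalised from the essay's two sample nicknames: a short tag, then '|' or
# ']-', then a long run of digits. Assumption: real bot families vary.
BOT_NICK = re.compile(r"^(?:[A-Za-z]{2,5}\|\d{4,}|\[[A-Za-z0-9]+\]-\d{4,})$")

# Constructed firewall log: "time action src:port -> dst:port proto"
FIREWALL_LOG = [
    "10:01:02 ALLOW 10.0.5.7:51022 -> 203.0.113.9:443 tcp",
    "10:01:05 ALLOW 10.0.5.31:49311 -> 198.51.100.77:6667 tcp",
    "10:01:09 ALLOW 10.0.5.31:49312 -> 198.51.100.77:6667 tcp",
    "10:02:14 ALLOW 10.0.5.12:49400 -> 203.0.113.9:80 tcp",
]

# Constructed sniffer output: "src_ip> <raw IRC line>"
SNIFFED_IRC = [
    "10.0.5.31> NICK USA|743634",
    "10.0.5.31> JOIN #c0ntrol masterpass",
    "10.0.5.40> NICK alice_dev",
    "10.0.5.40> PRIVMSG #team :build is green",
    "10.0.5.52> NICK [UrX]-98439854",
]

FW_RE = re.compile(r"^(\S+) (\w+) ([\d.]+):(\d+) -> ([\d.]+):(\d+) (\w+)$")


def irc_talkers(fw_lines):
    """Map each internal source to the set of remote IRC servers it reached."""
    found = defaultdict(set)
    for line in fw_lines:
        m = FW_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the expected format
        _, action, src, _, dst, dport, proto = m.groups()
        if action == "ALLOW" and proto == "tcp" and int(dport) == IRC_PORT:
            found[src].add(dst)
    return dict(found)


def bot_nicks(sniffed):
    """Return (src_ip, nick) pairs whose NICK matches the bot-style pattern."""
    hits = []
    for line in sniffed:
        src, _, cmd = line.partition("> ")
        parts = cmd.split()
        if len(parts) == 2 and parts[0] == "NICK" and BOT_NICK.match(parts[1]):
            hits.append((src, parts[1]))
    return hits


def suspects(fw_lines, sniffed):
    """Hosts flagged by either signal, strongest evidence first: both signals,
    then one signal; ties broken by address."""
    by_conn = irc_talkers(fw_lines)
    by_nick = {src for src, _ in bot_nicks(sniffed)}
    score = {h: (h in by_conn) + (h in by_nick) for h in set(by_conn) | by_nick}
    return sorted(score, key=lambda h: (-score[h], h))


if __name__ == "__main__":
    print("outbound IRC:", irc_talkers(FIREWALL_LOG))
    print("bot-style nicks:", bot_nicks(SNIFFED_IRC))
    print("suspects:", suspects(FIREWALL_LOG, SNIFFED_IRC))
```

On the sample data, 10.0.5.31 is flagged by both signals (it connects to the IRC server and registers a bot-style nickname) and 10.0.5.52 by the nickname alone, while the developer on 10.0.5.40 using IRC with an ordinary nickname is not flagged. In practice the firewall signal alone is noisy on networks where people legitimately use IRC, which is why the sniffer evidence the paragraph recommends is needed to single out the actual machine.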

More sophisticated techniques can also be used to study and detect threats. One of these is honeybots: machines built to be an easy target for attacks. Their main role is to become infected and allow the administrator to pinpoint the source of the problem and study the attack method.


In conclusion, regardless of the tools at our disposal, the most effective defence against botnet attacks lies with users themselves and their awareness. Botnets come in many forms, each with its own level of harmfulness. Internet users should learn about these threats so that they can secure their computers properly. Personal information such as usernames and passwords is the most important data for users to protect, since most botnets are used to obtain exactly this kind of personal information.