DCOM and LSASS Exploits

Getting DCOM and LSASS exploit alerts
For the last few days I had been getting DCOM and LSASS exploit alerts from Avast 6 Free Edition. The attacks were made not only from other IPs of my ISP but also from some foreign IPs, which made me think that there might be some virus, worm or other malware lurking in my computer.
In the meantime I noticed from the Task Manager that there were a few svchost.exe processes running on my computer. Though svchost.exe is a system process which hosts multiple Windows services, I had not noticed a lot of them in the Task Manager for the last few months. This is another reason that strengthened my assumption. So I made a full scan with Avast and it found nothing. I also tried Malwarebytes’ Anti-Malware and it failed to find anything. After that I reinstalled my Windows 7 and am now not getting any alerts from Avast. But was I really infected by any malware? I think so!!

Past Experience with Conficker worm
Here I want to mention that two years ago, when I used Windows XP and installed Avira Security Suite, I got infected by the Conficker worm. After that Avira became disabled and I could not go to any antivirus website. The matter was probably that the other computers on my LAN were infected by it and from those hosts the worm was trying to exploit a buffer overflow vulnerability. As Avira Internet Security replaced the Windows Firewall with its own firewall, which was not good enough to protect against the Conficker worm, I just got infected. Then I installed Windows again and installed Kaspersky Internet Security. The matter was a bit different: the worm could penetrate into my system and exist on my hard disk, as I got an alert from Kaspersky, but it failed to infect my computer and was killed by Kaspersky. Generally both Avira and Kaspersky could defend against the Conficker worm that was in the flash drive, but they failed to defend against it if the attacks were made from the LAN using the buffer overflow vulnerability. The Conficker worm injects its code into svchost.exe and hence the infected PC cannot connect to any antivirus website. I found the solution to this problem by first cleaning the infected PC with a good tool made by Kaspersky: http://support.kaspersky.com/downloads/utils/kk.zip and then installing a free antivirus that does not have its own firewall.

I think any PC with up-to-date Windows shouldn’t get infected by this worm, but it was those internet security suites’ inability to deal with the case properly. My suggestion is: if you are using any internet security suite and are still getting attacked by the Conficker worm, you should first clean your system using the tool mentioned above or any other tool out there (e.g., Microsoft Malicious Software Removal Tool). Disable your internet security’s firewall and enable the Windows Firewall. The Windows Firewall should not be deactivated even for a second, as the worm can attack at any time.

Sorry, but the over-dramatic headline “Getting DCOM and LSASS exploit alerts: Probably you are infected” is false; it doesn’t mean you are probably infected. It means nothing more than that an attempt has been made to use those exploits to gain access to your system, nothing more, nothing less.

DCOM/LSASS attacks are speculative, not targeted, and try to exploit a vulnerability in an out-of-date OS; if your OS is up to date then you aren’t vulnerable to the exploit. That doesn’t stop them (usually someone from the same ISP with an infected computer, though not exclusively) trying to see if it can infect others.

Your firewall should be the first line of defence in this, but avast also monitors common attack ports using the Network Shield. Ideally the firewall should block it and avast wouldn’t know about it, but for whatever reason avast is first in line over your firewall.

What is your firewall?

If the infection was inside your system it would be trying to get out, not in, and would usually present itself as an avast alert blocking URL:MAL from an internal process, svchost.exe, etc. Your firewall (depending on which) should also be blocking unauthorised outbound connections.

Thanks David, I am changing the heading which you have indicated as false.

I am not using any firewall other than the Windows 7 firewall.

I have read your reply. But what do you think might be the causes of the following issues:

  1. I did not see the svchost.exe processes in my Task Manager for the last few months. After starting to get the DCOM and LSASS exploit alerts I found a few of them there.

  2. Now I have reinstalled Windows 7 and installed all the software that was installed before. But I cannot see any svchost.exe process in the Task Manager and I am also not getting any exploit alerts.

  3. I was getting those exploit attacks not only from other IPs of my ISP, but also from some IPs of foreign countries.

I made a reference to my previous Conficker (aka Kido) worm infection just because at that time I also got alerts from Avira Premium Security Suite and Kaspersky Internet Security. Most of the time Kaspersky could block the “Buffer Overflow Exploit” attack, but sometimes the worm could penetrate into the system, as I often found an arbitrarily named image file on my hard disk that Kaspersky detected as the Conficker worm and could kill successfully. Avira could not handle the situation, as it was disabled within a few hours after the exploit alert and I could not go to any antivirus website. I didn’t face the problem while using Avira Free Edition, which does not have any firewall with it. Thus I realized that both Avast and Kaspersky were deploying their own firewall, disabling the default Windows Firewall and making my PC vulnerable to the worm.

As I am now using Avast 6 Free Edition, obviously there is not any issue with the firewall, and I am also not matching it with the previous Conficker worm issue. My point is that during the Conficker worm attack I used to get buffer overflow exploit alerts from Avira and Kaspersky; sometimes the worm could penetrate into my system and both of them also detected the worm, but they either totally (Avira) or partially (Kaspersky) failed to defend against this worm. As I was getting another kind of exploit alert from Avast, I was tense that the situation might go the same way!

The svchost.exe was an example only, as generally it should only need an outbound connection for Windows updates. In some cases malware uses this to try to piggyback off its having previously been allowed a connection, but a good firewall should be able to notice the difference.

The Win7 firewall doesn’t have outbound protection enabled by default, so there would be no outbound checking, but it should really get in on the DCOM/LSASS exploit attempts rather than avast’s network shield; why it doesn’t, I don’t know.

It doesn’t matter where the exploit attempts come from, an ISP IP or another external IP, as basically they use a random IP number generator in the hope of finding an IP with a really out-of-date OS, and that really is speculative.

Avast should detect and prevent Conficker, so it shouldn’t be that trying to get out, as these exploit attempts are external and not internal. If it were a Conficker attempt then the alert would be different.

Avast free ‘doesn’t have’ a firewall; the network shield isn’t a full firewall but monitors common worm/exploit ports. Even if you used the Avast Internet Security suite, which has a firewall, it is compatible with the Windows firewall and doesn’t disable it.
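Added example, not from any post in this thread: a PowerShell triage script for the two questions the thread keeps coming back to, whether the Windows Firewall is actually enabled per profile (and what its default inbound/outbound action is, since Win7 allows outbound by default), and which registered services each svchost.exe instance hosts. It assumes the HNetCfg.FwPolicy2 COM object and WMI, both shipped with Windows 7; the "suspicious" flags are heuristics chosen for this example, not something the thread prescribes.

```powershell
# Added example, not from this thread. Run from an elevated PowerShell prompt so that
# WMI returns the executable path for every process, not just the current user's.

# --- 1. Windows Firewall state per profile (HNetCfg.FwPolicy2 COM object, Vista and later) ---
$fw       = New-Object -ComObject HNetCfg.FwPolicy2
$profiles = @{ 1 = 'Domain'; 2 = 'Private'; 4 = 'Public' }   # NET_FW_PROFILE_TYPE2 values
$actions  = @{ 0 = 'Block'; 1 = 'Allow' }                     # NET_FW_ACTION values
foreach ($p in $profiles.Keys) {
    New-Object PSObject -Property @{
        Profile         = $profiles[$p]
        Active          = (($fw.CurrentProfileTypes -band $p) -ne 0)
        FirewallEnabled = $fw.FirewallEnabled($p)
        DefaultInbound  = $actions[[int]$fw.DefaultInboundAction($p)]
        DefaultOutbound = $actions[[int]$fw.DefaultOutboundAction($p)]  # 'Allow' is the Win7 default
    }
}

# --- 2. Map each svchost.exe to the services it hosts and flag anything unusual ---
$procs    = Get-WmiObject Win32_Process
$services = Get-WmiObject Win32_Service | Where-Object { $_.ProcessId -ne 0 }
$expected = Join-Path $env:windir 'System32\svchost.exe'

foreach ($proc in ($procs | Where-Object { $_.Name -ieq 'svchost.exe' })) {
    $parent = $procs | Where-Object { $_.ProcessId -eq $proc.ParentProcessId }
    $hosted = @($services | Where-Object { $_.ProcessId -eq $proc.ProcessId } | ForEach-Object { $_.Name })
    $flags  = @()
    # Heuristics chosen for this example: a genuine svchost.exe lives in System32,
    # is started by services.exe and hosts at least one registered service.
    if ($proc.ExecutablePath -and $proc.ExecutablePath -ine $expected) { $flags += 'unexpected path' }
    if ($parent -and $parent.Name -ine 'services.exe') { $flags += 'parent is not services.exe' }
    if ($hosted.Count -eq 0) { $flags += 'hosts no service' }
    New-Object PSObject -Property @{
        PID      = $proc.ProcessId
        Path     = $proc.ExecutablePath
        Parent   = $(if ($parent) { $parent.Name } else { 'unknown' })
        Services = ($hosted -join ', ')
        Flags    = ($flags -join '; ')
    }
}
```

Several svchost.exe rows with a non-empty Services column and an empty Flags column is the normal picture on Windows 7; a row with flags is what merits a closer look.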