New Lsass.exe hijack?

[Chuck]

I'm currently involved in a thread in the BBR Security forum, where a number of
apparent newbies are reporting what looks like an lsass.exe hijack - but one
that uses a registry key
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lsass] to change the
location of lsass.exe.
<http://www.dslreports.com/forum/remark,14621594>

I've been searching various forums like this one, and can't find any mention of
"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lsass", or any significant
substring. Is this a new attack, or is it so old no one bothers any more?

 

[Guest]

Hello Chuck

A suggestion: before any doubt, advice not only requests since it beams, but
look for in google.

Engel

 

[Chuck]

Hello Chuck

A suggestion: before any doubt, advice not only requests since it beams, but
look for in google.

Engel

Hi Engel,

Actually, I did Google, and Yahoo, for it.

Google Groups, and Yahoo, return no hits for the complete string
"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lsass". Google Web
returns one hit,
<http://forum.hardware.fr/hardwarefr...ones-merci-pour-votre-aide-sujet-221234-1.htm>.

Trying substrings, like "CurrentControlSet\Services\lsass", returns more hits,
but the ones that actually go somewhere are also in French. That's not terribly
useful to me - my French is very weak. I was hoping for some English speaking
experts.

 

[Guest]

Hi Chuck;

Gime the URL in French, maybe I can give you the translation.

Engel