Re: Backdoor.coreflood infection

From: Reid Forrest (reidfo_at_yahoo.com)
Date: 09/05/03

  • Next message: Jack McCarthy: "Re: Backdoor.coreflood infection"
    Date: Fri, 5 Sep 2003 10:06:58 -0700 (PDT)
    To: Joe Stewart <jstewart@lurhq.com>
    
    

    Thanks to everyone who responded. It looks like Joe
    (and others) are correct. The infected machines did
    not have the MS03-032 patch applied. They were among a
    small group of our machines that didn't yet get the
    patch.

    --- Joe Stewart <jstewart@lurhq.com> wrote:
    > On Thursday 04 September 2003 02:05 pm, Reid Forrest wrote:
    > > We've had three machines across multiple sites come up
    > > with the backdoor.coreflood trojan today. NAV caught
    > > them all, but I'm wondering how it got in. We block
    > > .exe attachments.
    > >
    > > It's my understanding that this thing doesn't
    > > propagate itself. One instance I can understand, but
    > > three seemingly unrelated infections are puzzling.
    > >
    > > Is anyone else seeing this, or have any ideas?
    >
    > It sounds like your users visited a site hosted at Interland last week
    > and were hit by the IE exploit a hacker appended to the pages in an
    > IFRAME. The description as backdoor.coreflood is misleading; the
    > trojan you found was probably a proxy server, not an IRC bot. The
    > proxy server shares a lot of base code with the coreflood IRC bot
    > and uses the same style of DLL injection, but the functionality is
    > completely different.
    >
    > -Joe
    >
    > --
    > Joe Stewart, GCIH
    > Senior Security Researcher
    > LURHQ Corporation
    > http://www.lurhq.com/
    >

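Joe's explanation above (an exploit IFRAME appended to pages on a hosting provider) suggests a defender-side check on one's own web content. The following is an added example, not code from the original thread: it scans a page's HTML for IFRAMEs that point off-site, are hidden or sized to zero/one pixel, or sit after the closing </html> tag. The hostnames and the sample page are constructed.

```python
"""Flag IFRAMEs that look injected: off-site, hidden, or appended after </html>."""
from html.parser import HTMLParser
from urllib.parse import urlparse


class IframeCollector(HTMLParser):
    """Collect every <iframe> and note whether it appeared after </html>."""

    def __init__(self):
        super().__init__()
        self.frames = []          # list of (attrs_dict, seen_after_html_close)
        self.html_closed = False

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":
            # attrs is a list of (name, value); value may be None for bare attributes
            self.frames.append((dict(attrs), self.html_closed))

    def handle_endtag(self, tag):
        if tag == "html":
            self.html_closed = True


def suspicious_iframes(page_html, site_host):
    """Return [(src, [reasons])] for frames an analyst should look at."""
    parser = IframeCollector()
    parser.feed(page_html)
    findings = []
    for attrs, after_html in parser.frames:
        src = attrs.get("src") or ""
        reasons = []
        host = urlparse(src).hostname
        if host and host.lower() != site_host.lower():
            reasons.append("off-site src")
        width = (attrs.get("width") or "").strip()
        height = (attrs.get("height") or "").strip()
        if width in ("0", "1") or height in ("0", "1"):
            reasons.append("zero/one-pixel size")
        style = (attrs.get("style") or "").replace(" ", "").lower()
        if "display:none" in style or "visibility:hidden" in style:
            reasons.append("hidden via CSS")
        if after_html:
            reasons.append("appended after </html>")
        if reasons:
            findings.append((src, reasons))
    return findings


# Constructed sample: one legitimate frame, one injected frame appended after </html>.
SAMPLE_PAGE = """<html><body><h1>Welcome</h1>
<iframe src="http://www.example-site.test/news.html" width="400" height="300"></iframe>
</body></html>
<iframe src="http://evil.example.test/x.html" width="0" height="0"></iframe>
"""
```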


