Re: Backdoor.coreflood infection

From: Reid Forrest (reidfo_at_yahoo.com)
Date: 09/05/03

    Date: Fri, 5 Sep 2003 10:06:58 -0700 (PDT)
    To: Joe Stewart <jstewart@lurhq.com>
    
    

    Thanks to everyone who responded. It looks like Joe
    (and others) are correct. The infected machines did
    not have the MS03-032 patch applied. They were among a
    small group of our machines that didn't yet get the
    patch.

    --- Joe Stewart <jstewart@lurhq.com> wrote:
    > On Thursday 04 September 2003 02:05 pm, Reid Forrest wrote:
    > > We've had three machines across multiple sites come up
    > > with the backdoor.coreflood trojan today. NAV caught
    > > them all, but I'm wondering how it got in. We block
    > > .exe attachments.
    > >
    > > It's my understanding that this thing doesn't
    > > propagate itself. One instance I can understand, but
    > > three seemingly unrelated infections are puzzling.
    > >
    > > Is anyone else seeing this, or have any ideas?
    >
    > It sounds like your users visited a site hosted at
    > Interland last week and were hit by the IE exploit a
    > hacker appended to the pages in an IFRAME. The
    > description as backdoor.coreflood is misleading; the
    > trojan you found was probably a proxy server, not an
    > IRC bot. The proxy server shares a lot of base code
    > with the coreflood IRC bot and uses the same style of
    > DLL injection, but the functionality is completely
    > different.
    >
    > -Joe
    >
    > --
    > Joe Stewart, GCIH
    > Senior Security Researcher
    > LURHQ Corporation
    > http://www.lurhq.com/

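    Joe's diagnosis above (an exploit appended to hosted pages inside an IFRAME) suggests a quick check a site owner could run over their own published HTML. The following is an added example and not code from this thread, from LURHQ or from Interland; the sample page, the hostnames and the function names are constructed for illustration. It flags IFRAMEs that sit after the closing </body> or </html> tag (appended content), that are zero-sized or hidden by CSS, or whose src points at a host other than the site's own, and reports every reason it found so the reviewer can weigh them.

```python
"""Scan HTML for IFRAMEs that look injected rather than authored.

Added example (not from the mailing-list thread). The page content,
hosts and names below are constructed for illustration.
"""
import re
from urllib.parse import urlparse

IFRAME_RE = re.compile(r"<iframe\b([^>]*)>", re.IGNORECASE)
# name="value", name='value' or name=value (unquoted)
ATTR_RE = re.compile(r"([a-zA-Z-]+)\s*=\s*(?:\"([^\"]*)\"|'([^']*)'|([^\s\"'>]+))")
# first closing body/html tag: anything after it is outside the document proper
CLOSE_RE = re.compile(r"</(?:html|body)\s*>", re.IGNORECASE)


def parse_attrs(tag_body):
    """Return a dict of lower-cased attribute names to values for one start tag."""
    attrs = {}
    for m in ATTR_RE.finditer(tag_body):
        value = next((g for g in m.groups()[1:] if g is not None), "")
        attrs[m.group(1).lower()] = value
    return attrs


def is_tiny(value):
    """True if a width/height attribute is 0 or 1 (px or bare number)."""
    value = value.strip().lower()
    if value.endswith("px"):
        value = value[:-2]
    try:
        return float(value) <= 1
    except ValueError:
        return False


def find_injected_iframes(html, page_host):
    """Return a list of findings; each has the tag offset, its src and the reasons."""
    closes = list(CLOSE_RE.finditer(html))
    first_close = closes[0].start() if closes else len(html)
    findings = []
    for m in IFRAME_RE.finditer(html):
        attrs = parse_attrs(m.group(1))
        reasons = []
        if m.start() > first_close:
            reasons.append("appended after </body> or </html>")
        if is_tiny(attrs.get("width", "")) or is_tiny(attrs.get("height", "")):
            reasons.append("zero-size frame")
        style = attrs.get("style", "").lower().replace(" ", "")
        if "display:none" in style or "visibility:hidden" in style:
            reasons.append("hidden by CSS")
        src = attrs.get("src", "")
        host = urlparse(src).hostname
        if host and host.lower() != page_host.lower():
            reasons.append("third-party src %s" % host)
        if reasons:
            findings.append({"offset": m.start(), "src": src, "reasons": reasons})
    return findings


# Constructed sample: one legitimate same-site frame in the body, and one
# hidden zero-size frame appended after </html> pointing at an outside host.
SAMPLE_PAGE = """<html><head><title>Welcome</title></head>
<body>
<p>Our product catalog</p>
<iframe src="http://www.example.com/news.html" width="400" height="300"></iframe>
</body></html>
<iframe src="http://attacker.invalid/x.html" width=0 height=0 style="display:none"></iframe>
"""

if __name__ == "__main__":
    for f in find_injected_iframes(SAMPLE_PAGE, "www.example.com"):
        print("offset %d src=%s: %s" % (f["offset"], f["src"], "; ".join(f["reasons"])))
```

    A third-party src on its own is not evidence of compromise (advertising and embedded media use it legitimately); the structural reasons, a frame after the closing tag or one deliberately hidden, are what single out an injected page, and in the scenario Joe describes all of them would show up together.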


