> We've had three machines across multiple sites come up
> with the backdoor.coreflood trojan today. NAV caught
> them all, but I'm wondering how it got in. We block
> .exe attachments.
http://ww2.ignite400.org/Lists/ign_list/Message/20819.html
may give a few hints. A more-or-less encoded VB script downloads
ap216.exe from smart2com.net, if I recall. It's an upx-packed
binary which (probably) installs Coreflood -- I haven't analysed it
myself.
When it was first called to my attention, Norton antivirus did not
trigger on it. After a signature update from September 3, it does now
catch it, and identifies it as Coreflood.
Don't know how the web-site vector is created. Look for 'iframe rip.asp'
in Google, and you get quite a few hits to investigate. Looks like
it has been in place at least since early August in some places.
--
Anders Thulin anders.thulin (at) kiconsulting (dot) se [email concealed] 040-661 50 63
Ki Consulting AB, Box 85, SE-201 20 Malmö, Sweden
------------------------------------------------------------------------
Attend Black Hat Briefings & Training Federal, September 29-30 (Training),
October 1-2 (Briefings) in Tysons Corner, VA; the world's premier
technical IT security event. Modeled after the famous Black Hat event in
Las Vegas! 6 tracks, 12 training sessions, top speakers and sponsors.
Symantec is the Diamond sponsor. Early-bird registration ends September 6.
Visit us: www.blackhat.com
------------------------------------------------------------------------
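An added example, not code from the original post or from any product it names, that turns the indicators Anders lists into a small triage script: it looks in page source for an injected iframe pointing at rip.asp, in proxy logs for the second-stage fetch of ap216.exe from smart2com.net, and in a downloaded binary for the section names stock UPX leaves behind. The HTML sample, the proxy-log format and the header-only PE image are all constructed for the demonstration (the example.invalid host and its paths are invented); the only indicators taken from the post are the iframe/rip.asp string, the smart2com.net host and the ap216.exe filename.

```python
"""Triage script for the Coreflood drive-by indicators discussed above.
Added example; inputs below are constructed, not captured data."""
import re
import struct
from urllib.parse import urlsplit

# Indicator 1: an <iframe> whose src loads rip.asp (case-insensitive, quotes
# optional, because injected markup varies in style).
IFRAME_RIP_RE = re.compile(
    r"<iframe\b[^>]*\bsrc\s*=\s*['\"]?([^'\"\s>]*rip\.asp[^'\"\s>]*)",
    re.IGNORECASE,
)

def find_injected_iframes(html: str) -> list[str]:
    """Return the src of every iframe on the page that points at rip.asp."""
    return IFRAME_RIP_RE.findall(html)

# Constructed sample page: one harmless iframe and one injected, zero-size one.
SAMPLE_HTML = """
<html><body>
<iframe src="/ads/banner.html" width="1" height="1"></iframe>
<IFRAME SRC=http://example.invalid/cgi/rip.asp?id=5 width=0 height=0></IFRAME>
</body></html>
"""

# Indicator 2: the download of ap216.exe from smart2com.net.
PAYLOAD_HOST = "smart2com.net"
PAYLOAD_FILE = "ap216.exe"

# Constructed proxy log, assumed "timestamp client method url status" layout.
PROXY_LOG = """\
1062600001 10.0.1.17 GET http://www.example.invalid/index.html 200
1062600002 10.0.1.17 GET http://example.invalid/cgi/rip.asp?id=5 200
1062600003 10.0.1.17 GET http://smart2com.net/ap216.exe 200
1062600004 10.0.2.40 GET http://www.example.invalid/news.html 200
"""
LOG_LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d{3})$")

def find_payload_fetches(log: str) -> list[tuple[str, str]]:
    """Return (client, url) for each log line that fetched the payload."""
    hits = []
    for line in log.splitlines():
        m = LOG_LINE_RE.match(line.strip())
        if not m:
            continue
        _ts, client, _method, url, _status = m.groups()
        parts = urlsplit(url)
        host = (parts.hostname or "").lower()
        if (host == PAYLOAD_HOST or host.endswith("." + PAYLOAD_HOST)) \
                and parts.path.lower().endswith("/" + PAYLOAD_FILE):
            hits.append((client, url))
    return hits

# Indicator 3: UPX packing. Stock UPX names its sections UPX0/UPX1, which is a
# cheap triage signal; a repacker can rename them, so absence proves nothing.
def pe_section_names(data: bytes) -> list[str]:
    """Walk the PE section table and return the section names ([] if not a PE)."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return []
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if len(data) < e_lfanew + 24 or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return []
    nsec = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    table = e_lfanew + 24 + opt_size          # section headers, 40 bytes each
    names = []
    for i in range(nsec):
        raw = data[table + 40 * i: table + 40 * i + 8]
        if len(raw) < 8:
            break
        names.append(raw.rstrip(b"\0").decode("ascii", "replace"))
    return names

def looks_upx_packed(data: bytes) -> bool:
    return any(n.startswith("UPX") for n in pe_section_names(data))

def build_fake_pe(section_names: list[str]) -> bytes:
    """Constructed header-only PE32 image: enough to exercise the parser, not runnable."""
    e_lfanew = 0x80
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    opt_size = 224                             # PE32 optional header size
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(section_names),
                                   0, 0, 0, opt_size, 0x010F)
    secs = b"".join(n.encode("ascii").ljust(8, b"\0") + bytes(32)
                    for n in section_names)
    return bytes(dos) + coff + bytes(opt_size) + secs

def hunt() -> dict:
    """Run all three checks over the constructed samples."""
    return {
        "iframes": find_injected_iframes(SAMPLE_HTML),
        "fetches": find_payload_fetches(PROXY_LOG),
        "upx": looks_upx_packed(build_fake_pe(["UPX0", "UPX1", ".rsrc"])),
    }

if __name__ == "__main__":
    print(hunt())
```

The iframe check is the one to run against cached copies of the sites Google turns up for 'iframe rip.asp'; the proxy-log check answers the original question of how the machines got infected without any .exe attachment, since the binary arrives over HTTP from the browser rather than by mail.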