On Thursday 04 September 2003 02:05 pm, Reid Forrest wrote:
> We've had three machines across multiple sites come up
> with the backdoor.coreflood trojan today. NAV caught
> them all, but I'm wondering how it got in. We block
> .exe attachments.
>
> It's my understanding that this thing doesn't
> propagate itself. One instance I can understand, but
> three seemingly unrelated infections are puzzling.
>
> Is anyone else seeing this, or have any ideas?
It sounds like your users visited a site hosted at Interland last week
and were hit by the IE exploit a hacker appended to the pages in an
IFRAME. The description as backdoor.coreflood is misleading; the
trojan you found was probably a proxy server, not an IRC bot. The
proxy server shares a lot of base code with the coreflood IRC bot
and uses the same style of DLL injection, but the functionality is
completely different.
-Joe
--
Joe Stewart, GCIH
Senior Security Researcher
LURHQ Corporation
http://www.lurhq.com/
------------------------------------------------------------------------
---
Attend Black Hat Briefings & Training Federal, September 29-30 (Training),
October 1-2 (Briefings) in Tysons Corner, VA; the world's premier
technical IT security event. Modeled after the famous Black Hat event in
Las Vegas! 6 tracks, 12 training sessions, top speakers and sponsors.
Symantec is the Diamond sponsor. Early-bird registration ends September 6.Visit us: www.blackhat.com
------------------------------------------------------------------------
----
> We've had three machines across multiple sites come up
> with the backdoor.coreflood trojan today. NAV caught
> them all, but I'm wondering how it got in. We block
> .exe attachments.
>
> It's my understanding that this thing doesn't
> propagate itself. One instance I can understand, but
> three seemingly unrelated infections are puzzling.
>
> Is anyone else seeing this, or have any ideas?
It sounds like your users visited a site hosted at Interland last week
and were hit by the IE exploit a hacker appended to the pages in an
IFRAME. The description as backdoor.coreflood is misleading; the
trojan you found was probably a proxy server, not an IRC bot. The
proxy server shares a lot of base code with the coreflood IRC bot
and uses the same style of DLL injection, but the functionality is
completely different.
-Joe
--
Joe Stewart, GCIH
Senior Security Researcher
LURHQ Corporation
http://www.lurhq.com/
------------------------------------------------------------------------
---
Attend Black Hat Briefings & Training Federal, September 29-30 (Training),
October 1-2 (Briefings) in Tysons Corner, VA; the world's premier
technical IT security event. Modeled after the famous Black Hat event in
Las Vegas! 6 tracks, 12 training sessions, top speakers and sponsors.
Symantec is the Diamond sponsor. Early-bird registration ends September 6.Visit us: www.blackhat.com
------------------------------------------------------------------------
----
[ reply ]