Thanks to everyone who responded. It looks like Joe
(and others) are correct. The infected machines did
not have the MS03-032 patch applied. They were among a
small group of our machines that didn't yet get the
patch.
--- Joe Stewart <jstewart (at) lurhq (dot) com [email concealed]> wrote:
> On Thursday 04 September 2003 02:05 pm, Reid Forrest
> wrote:
> > We've had three machines across multiple sites
> come up
> > with the backdoor.coreflood trojan today. NAV
> caught
> > them all, but I'm wondering how it got in. We
> block
> > .exe attachments.
> >
> > It's my understanding that this thing doesn't
> > propagate itself. One instance I can understand,
> but
> > three seemingly unrelated infections are puzzling.
> >
> > Is anyone else seeing this, or have any ideas?
>
> It sounds like your users visited a site hosted at
> Interland last week
> and were hit by the IE exploit a hacker appended to
> the pages in an
> IFRAME. The description as backdoor.coreflood is
> misleading; the
> trojan you found was probably a proxy server, not an
> IRC bot. The
> proxy server shares a lot of base code with the
> coreflood IRC bot
> and uses the same style of DLL injection, but the
> functionality is
> completely different.
>
> -Joe
>
> --
> Joe Stewart, GCIH
> Senior Security Researcher
> LURHQ Corporation
> http://www.lurhq.com/
>
__________________________________
Do you Yahoo!?
Yahoo! SiteBuilder - Free, easy-to-use web site design software
http://sitebuilder.yahoo.com
------------------------------------------------------------------------
---
Attend Black Hat Briefings & Training Federal, September 29-30 (Training),
October 1-2 (Briefings) in Tysons Corner, VA; the world's premier
technical IT security event. Modeled after the famous Black Hat event in
Las Vegas! 6 tracks, 12 training sessions, top speakers and sponsors.
Symantec is the Diamond sponsor. Early-bird registration ends September 6.Visit us: www.blackhat.com
------------------------------------------------------------------------
----
(and others) are correct. The infected machines did
not have the MS03-032 patch applied. They were among a
small group of our machines that didn't yet get the
patch.
--- Joe Stewart <jstewart (at) lurhq (dot) com [email concealed]> wrote:
> On Thursday 04 September 2003 02:05 pm, Reid Forrest
> wrote:
> > We've had three machines across multiple sites
> come up
> > with the backdoor.coreflood trojan today. NAV
> caught
> > them all, but I'm wondering how it got in. We
> block
> > .exe attachments.
> >
> > It's my understanding that this thing doesn't
> > propagate itself. One instance I can understand,
> but
> > three seemingly unrelated infections are puzzling.
> >
> > Is anyone else seeing this, or have any ideas?
>
> It sounds like your users visited a site hosted at
> Interland last week
> and were hit by the IE exploit a hacker appended to
> the pages in an
> IFRAME. The description as backdoor.coreflood is
> misleading; the
> trojan you found was probably a proxy server, not an
> IRC bot. The
> proxy server shares a lot of base code with the
> coreflood IRC bot
> and uses the same style of DLL injection, but the
> functionality is
> completely different.
>
> -Joe
>
> --
> Joe Stewart, GCIH
> Senior Security Researcher
> LURHQ Corporation
> http://www.lurhq.com/
>
__________________________________
Do you Yahoo!?
Yahoo! SiteBuilder - Free, easy-to-use web site design software
http://sitebuilder.yahoo.com
------------------------------------------------------------------------
---
Attend Black Hat Briefings & Training Federal, September 29-30 (Training),
October 1-2 (Briefings) in Tysons Corner, VA; the world's premier
technical IT security event. Modeled after the famous Black Hat event in
Las Vegas! 6 tracks, 12 training sessions, top speakers and sponsors.
Symantec is the Diamond sponsor. Early-bird registration ends September 6.Visit us: www.blackhat.com
------------------------------------------------------------------------
----
[ reply ]