


Report of Coreflood.dr Infection

Published: 2008-06-25
Last Updated: 2008-06-25 03:02:45 UTC
by Deborah Hale (Version: 1)
3 comment(s)

We have had a report tonight of an outbreak of an old friend - a blast from the past.  It appears that this particular outbreak has infected about 600 machines in a network of roughly 3000 PCs.  Rick, the reader reporting this, said that they have not been able to determine the exact infection entry point yet, but his current suspicion is:

"Current theory is iframe in web page browsed by an 'IU' (Idiot User)."

I like that line, don't you?  Anyway, he said that they have discovered that this infection has resulted in a number of new user IDs being created on the computers.  When I asked him whether they had discovered the mechanism used to spread to the machines, his reply was:

"My current theory is that the patient 0 system's user was set for sub-domain admin privs, and that allowed it to connect to the C$ share on other systems to infect those systems. Each time an infected system connected to a new system, a user profile was created on that new system. Eventually, all of those infected systems connecting to other systems gave the result of many (30+) user profiles on other systems."

He said that McAfee is reporting "buffer overflow" in a pop-up message on some of the systems and Norton is reporting it as Coreflood.dr.

Rick is hoping some of our readers may have dealt with this bad boy in the past and can provide us with a little insight into what they are seeing.  Please let us know if you have any tips for Rick and his team.
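As an added illustration (not part of the original diary or Rick's report), a triage heuristic built on the symptom Rick describes: when a machine is reached over the C$ share with admin credentials, a local user profile appears on it, so a host that accumulates many new profiles within a few hours stands out. The inventory format, host names and timestamps below are constructed sample data, not values from the report.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed inventory in "host,profile,created" form; a real inventory would
# be collected from each machine's profile list (assumption, not the diary's data).
SAMPLE_LINES = [
    "# host,profile,created (constructed sample data)",
    "ws-0101,jsmith,2008-06-02 08:15:00",
    "ws-0101,mlee,2008-06-10 09:40:00",
    # A shared lab PC: several profiles, but spread out over months (benign).
    "ws-0330,student1,2008-01-14 10:00:00",
    "ws-0330,student2,2008-02-20 10:00:00",
    "ws-0330,student3,2008-03-18 10:00:00",
    "ws-0330,student4,2008-04-22 10:00:00",
    "ws-0330,student5,2008-05-27 10:00:00",
] + [
    # Twelve profiles created within two hours on one evening: the burst pattern.
    f"ws-0212,user{n:02d},2008-06-24 {19 + n // 6:02d}:{(n % 6) * 10:02d}:00"
    for n in range(12)
]

def parse_records(lines):
    """Parse 'host,profile,YYYY-MM-DD HH:MM:SS' lines into (host, profile, datetime)."""
    out = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        host, profile, stamp = [f.strip() for f in line.split(",")]
        out.append((host, profile, datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S")))
    return out

def burst_counts(records, window_hours):
    """Per host, the largest number of profiles created inside any window_hours span."""
    window = timedelta(hours=window_hours)
    times = defaultdict(list)
    for host, _, when in records:
        times[host].append(when)
    result = {}
    for host, ts in times.items():
        ts.sort()
        best, start = 0, 0
        for end in range(len(ts)):          # sliding window over sorted creation times
            while ts[end] - ts[start] > window:
                start += 1
            best = max(best, end - start + 1)
        result[host] = best
    return result

def flag_hosts(records, window_hours=6, threshold=10):
    """Hosts whose profile-creation burst meets the threshold, largest burst first."""
    counts = burst_counts(records, window_hours)
    return sorted((h for h, n in counts.items() if n >= threshold), key=lambda h: -counts[h])

if __name__ == "__main__":
    print(flag_hosts(parse_records(SAMPLE_LINES)))  # ['ws-0212']
```

The threshold and window are tunable; the 30+ profiles Rick saw would trip this easily, while a legitimately shared machine whose profiles accrue over months does not.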

Keywords: Trojan Infection