SANS Internet Storm Center (ISC) InfoSec Forums
h00d IRC bot, localhost port 80 traffic
mIRC-based IRC bot "h00d.exe"

A user reported a mIRC-based IRC bot. McAfee identified the trojan as 'IRC/Flood.cd.dr'. The filename
of the listener was 'h00d.exe', and the trojan was found in C:\winnt\system32\have\h00d.exe.

A number of other files were found in the same directory.

As is typical for this class of malware, the trojan connected to an IRC channel for remote control. The IRC server involved no longer appears to be active.

'localhost' Port 80 Traffic

Brian Coyle suggested on our 'Intrusions' list that the port 80 traffic from 'localhost' is a side effect of the Blaster worm and the countermeasures taken against it.

Some ISPs still resolve 'windowsupdate.com' to 127.0.0.1, a countermeasure introduced while Blaster was active. Blaster-infected systems will attempt to participate in the DDoS against this site, and that DDoS uses packets with spoofed source addresses. The infected host therefore sends a spoofed SYN packet to 127.0.0.1, i.e. to itself. Because nothing is listening on its own port 80, the host answers with a RST/ACK packet that is addressed to the spoofed source address and carries 127.0.0.1, port 80, as its source.

The host whose address was spoofed will receive this packet unless it is dropped by egress filters at the infected host's network or ingress filters at its own. On the wire it appears as port 80 traffic from 'localhost'.

It is recommended to remove the 127.0.0.1 entry for windowsupdate.com from DNS, and in addition to apply egress and ingress filters so that traffic with a source or destination address in 127.0.0.0/8 can neither leave nor enter your network.
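The following is an added example, not code from the diary or from the ISC: it parses tcpdump-style lines (constructed here, not a real capture) seen on an external interface, applies the loopback ingress/egress rule recommended above as a predicate, and separately flags the RST/ACK from 127.0.0.1:80 that a Blaster host sends back to the address it spoofed. The line format, address ranges and function names are assumptions for the example.

```python
"""Spot 'localhost' port 80 traffic (the Blaster/127.0.0.1 RST/ACK side effect)
in tcpdump-style text and decide what a border filter should drop.
Added example; the log lines below are constructed, not a real capture."""
import ipaddress
import re
from dataclasses import dataclass

LOOPBACK = ipaddress.ip_network("127.0.0.0/8")

# Constructed tcpdump-style lines as they would appear on an external interface.
# The first two are the artifact described in the diary; the rest are normal
# traffic plus one loopback-destined datagram that should also be dropped.
SAMPLE_LOG = """\
IP 127.0.0.1.80 > 192.0.2.10.1234: Flags [R.], seq 0, ack 1, win 0, length 0
IP 127.0.0.1.80 > 192.0.2.44.4321: Flags [R.], seq 0, ack 1, win 0, length 0
IP 192.0.2.10.1234 > 198.51.100.5.80: Flags [S], seq 0, win 65535, length 0
IP 198.51.100.5.80 > 192.0.2.10.1234: Flags [S.], seq 0, ack 1, win 65535, length 0
IP 192.0.2.10.53 > 127.0.0.1.1900: UDP, length 10
"""

# Assumed line shape: "IP src.sport > dst.dport: Flags [..]" or "...: UDP, ..."
LINE_RE = re.compile(
    r"IP (?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): "
    r"(?:Flags \[(?P<flags>[^\]]*)\]|(?P<proto>UDP))"
)


@dataclass
class Packet:
    src: ipaddress.IPv4Address
    sport: int
    dst: ipaddress.IPv4Address
    dport: int
    flags: str  # tcpdump flag letters; "" for non-TCP


def parse_line(line):
    """Parse one tcpdump-style line; return None for lines we do not understand."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return Packet(ipaddress.ip_address(m["src"]), int(m["sport"]),
                  ipaddress.ip_address(m["dst"]), int(m["dport"]),
                  m["flags"] or "")


def filter_verdict(pkt):
    """The recommended ingress/egress rule as a predicate: anything with a
    loopback source or destination must not cross a network border."""
    if pkt.src in LOOPBACK or pkt.dst in LOOPBACK:
        return "drop"
    return "pass"


def is_blaster_artifact(pkt):
    """RST/ACK from 127.0.0.1:80 is what an infected host emits when
    windowsupdate.com resolves to 127.0.0.1, it SYNs itself with a spoofed
    source and nothing listens on its own port 80."""
    return (pkt.src in LOOPBACK and pkt.sport == 80
            and "R" in pkt.flags and "." in pkt.flags)


def analyze(log_text):
    """Return (packet, verdict, is_artifact) for every parseable line."""
    results = []
    for line in log_text.splitlines():
        pkt = parse_line(line)
        if pkt is not None:
            results.append((pkt, filter_verdict(pkt), is_blaster_artifact(pkt)))
    return results


def victims(log_text):
    """Addresses that were spoofed by some Blaster host (they receive the RST/ACK)."""
    return sorted({str(p.dst) for p, _, art in analyze(log_text) if art})


if __name__ == "__main__":
    for pkt, verdict, art in analyze(SAMPLE_LOG):
        tag = "  <- Blaster RST/ACK from 'localhost'" if art else ""
        print(f"{verdict:4} {pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport} "
              f"[{pkt.flags}]{tag}")
```

The filter predicate is deliberately broader than the artifact detector: the RST/ACK is what you will notice, but any 127.0.0.0/8 source or destination on a border interface is bogus and should be dropped regardless of port or flags.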

Johannes

ISC Handler
