
SANS ISC: InfoSec Handlers Diary Blog - Internet Storm Center Diary 2008-06-25



Podcast Episode Seven Posted

Published: 2008-06-25
Last Updated: 2008-06-25 14:21:13 UTC
by Joel Esler (Version: 1)
0 comment(s)

Thanks to all of those who joined us live last night!  It was great to have that live feedback.  Johannes, Paul, and I were all live on video and audio, and it worked great.

We published Episode Seven of the Internet Storm Center Podcast this morning.

It would be great if we could increase the live listener count, as I'd like to do a live Q&A with the listeners (and other fun live events).  I will try to post the live stream address sooner next time.  I know I didn't give you guys a lot of warning.

We had Paul Asadoorian of PaulDotCom Security Weekly as a guest, and it's probably our best podcast yet!

Go grab it through iTunes, and for those of you that are not listeners of PaulDotCom, please subscribe to that one too!

Direct download of the mp3 is here, for those of you that are not iTunes users.


--

Joel Esler

http://www.joelesler.net


Report of Coreflood.dr Infection

Published: 2008-06-25
Last Updated: 2008-06-25 03:02:45 UTC
by Deborah Hale (Version: 1)
3 comment(s)

We have had a report tonight of an outbreak of an old friend, a blast from the past.  This particular outbreak appears to have infected about 600 machines on a network of roughly 3000 PCs.  Rick, the reader reporting it, said they have not yet been able to determine the exact infection entry point, but his current suspicion is:

"Current theory is iframe in web page browsed by an 'IU' (Idiot User). "

I like that line, don't you?  Anyway, he said they have discovered that the infection has resulted in a number of new user IDs being created on the computers.  When I asked whether they had identified the mechanism used to spread to the machines, his reply was:


"My current theory is that the patient 0 system's user was set for sub-domain admin privs, and that allowed it to connect to the C$ share on other systems to infect those systems. Each time an infected system connected to a new system, a user profile was created on that new system. Eventually, all of those infected systems connecting to other systems gave the result of many (30+) user profiles on other systems."

He said that McAfee is reporting a "buffer overflow" in a pop-up message on some of the systems, while Norton identifies it as Coreflood.dr.

Rick is hoping some of our readers may have dealt with this bad boy in the past and can provide us with a little insight into what they are seeing.  Please let us know if you have any tips for Rick and his team.
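The spread Rick describes, one privileged account opening the C$ share on host after host and leaving a trail of user profiles, is a pattern you can hunt for in logon records and in profile listings. The script below is an added example written for this diary; it is not Rick's code and not something the ISC published. It assumes you have already exported network (type 3) logon events from the Security log into rows of (timestamp, target host, account, logon type, source workstation), the fields that Windows 4624/540 events carry, plus a listing of profile folders per host. All sample rows are constructed for the example, and the window and threshold values are assumptions to tune for your own network.

```python
"""Hunt for worm-style lateral movement over admin shares.

Added example for the Coreflood.dr diary (not Rick's tooling, not ISC code).
Two checks:
  1. fan-out: one account performing network logons to many distinct hosts
     inside a short window (a privileged token being reused to reach C$);
  2. profile bloat: hosts that have accumulated far more profile folders
     than a single-user workstation should have.
Event rows and profile listings below are constructed, not real logs.
"""
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=30)   # assumption: how fast an automated spread moves
FANOUT_THRESHOLD = 5             # assumption: distinct targets per account per window

# Constructed: (timestamp, target host, account, logon type, source workstation)
SAMPLE_EVENTS = [
    # patient zero's domain-admin account reaching host after host over C$
    ("2008-06-24 22:01:10", "PC-017", "CORP\\jdoe", 3, "PC-004"),
    ("2008-06-24 22:01:42", "PC-022", "CORP\\jdoe", 3, "PC-004"),
    ("2008-06-24 22:02:15", "PC-031", "CORP\\jdoe", 3, "PC-004"),
    ("2008-06-24 22:03:03", "PC-044", "CORP\\jdoe", 3, "PC-017"),  # second-hop spreader
    ("2008-06-24 22:03:50", "PC-051", "CORP\\jdoe", 3, "PC-017"),
    ("2008-06-24 22:04:20", "PC-060", "CORP\\jdoe", 3, "PC-022"),
    # benign: users mapping a share on the file server, and a console logon
    ("2008-06-24 22:05:00", "FS-01", "CORP\\asmith", 3, "PC-101"),
    ("2008-06-24 22:06:00", "FS-01", "CORP\\bjones", 3, "PC-102"),
    ("2008-06-24 22:07:00", "PC-101", "CORP\\asmith", 2, "PC-101"),
]

# Constructed: folder names under C:\Documents and Settings on each host
SAMPLE_PROFILES = {
    "PC-004": ["Administrator", "All Users", "Default User", "jdoe"],
    "PC-017": ["Administrator", "All Users", "Default User",
               "kwu", "jdoe", "svc_backup", "mlee", "tng"],
    "PC-101": ["Administrator", "All Users", "Default User", "asmith"],
}
DEFAULT_PROFILES = {"Administrator", "All Users", "Default User",
                    "LocalService", "NetworkService"}


def parse(row):
    ts, target, account, logon_type, source = row
    return (datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
            target, account, int(logon_type), source)


def find_fanout(events, window=WINDOW, threshold=FANOUT_THRESHOLD):
    """Accounts whose type-3 logons reach >= threshold distinct hosts within
    any sliding window. Returns {account: {"targets": set, "sources": set}}
    covering every host that account touched, so the list doubles as an
    isolation list (sources are the spreaders, targets the likely victims)."""
    by_account = defaultdict(list)
    for ts, target, account, ltype, source in sorted(map(parse, events)):
        if ltype == 3:                      # network logon, i.e. share access
            by_account[account].append((ts, target, source))
    findings = {}
    for account, rows in by_account.items():
        start = 0
        for end in range(len(rows)):
            while rows[end][0] - rows[start][0] > window:
                start += 1
            if len({t for _, t, _ in rows[start:end + 1]}) >= threshold:
                findings[account] = {
                    "targets": {t for _, t, _ in rows},
                    "sources": {s for _, _, s in rows},
                }
                break
    return findings


def hosts_with_profile_bloat(profiles, max_user_profiles=3):
    """Hosts carrying more non-default profile folders than a workstation
    normally accumulates; returns {host: sorted unexpected profile names}."""
    flagged = {}
    for host, names in profiles.items():
        users = sorted(set(names) - DEFAULT_PROFILES)
        if len(users) > max_user_profiles:
            flagged[host] = users
    return flagged


if __name__ == "__main__":
    for account, hit in find_fanout(SAMPLE_EVENTS).items():
        print(f"{account}: spreaders={sorted(hit['sources'])} "
              f"victims={sorted(hit['targets'])}")
    for host, users in hosts_with_profile_bloat(SAMPLE_PROFILES).items():
        print(f"{host}: {len(users)} user profiles: {users}")
```

The fan-out check deliberately keys on the account rather than the source host: once a second machine is infected it starts spreading under the same credentials, so counting per account catches the whole tree while a per-source view would show several small bursts. File servers will always show many inbound type-3 logons, which is why the count is of distinct targets reached by one account, not of logons received by one host.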

Keywords: Trojan Infection