How does backdoor.coreflood work?

  • Thread starter: Tom Adams

Tom Adams

How does backdoor.coreflood work? What is its method of infection?
Are there browser settings that will stop it?
 
Looks like it depends on IE6 without service packs to get started:

http://vil.nai.com/vil/content/v_100313.htm

The system that had the infected file was running IE6 with SP1. At
least, I think so; the Help pop-up shows "Update versions: SP1". I
guess that means SP1 is installed.

The file was detected and quarantined by Norton anti-virus and
reported to the administrator of our network.
Google coreflood to see McAfee's description and others.

I tried google, but many of the sites provide no explanation. The
site for Norton that we naturally check provided nothing except the
general exhortations to keep everything up-to-date all the time. Good
advice, of course.
 
Don't believe everything you read... 8-)

That is how coreFlood _was_ being distributed when it was first
discovered. However, it is not self-spreading, so that description
could just as well say "it arrives in postal mail on a floppy disk
with instructions printed on the label to run setup.exe...".

That is, it can be delivered other ways, and has been...
Tom Adams said:
The system that had the infected file was running IE6 with SP1. At
least, I think so; the Help pop-up shows "Update versions: SP1". I
guess that means SP1 is installed.

The file was detected and quarantined by Norton anti-virus and
reported to the administrator of our network.

In the last 48-72 hours there have been several reports of CoreFlood
being distributed in a manner much the same as the Surferbar IE
toolbar that folk have been complaining about. To save repeating
myself, I'll simply point you to the 'Weird mail trying top get
"a.cgi", any ideas ?' thread where you should read my description of
SurferBar's installation (obviously the part of that post describing
what Surferbar does is irrelevant to your case though...).

In short, IE 6.0 SP1 is an insufficient patch level. MS has had a
hotfix out for a few weeks now -- MS03-032 -- that among other things
fixes the so-called Object Data Tag vulnerability. This is exploited
in the SurferBar and recent CoreFlood installers -- after ensuring
that CoreFlood is not running on your machines, evaluate why your IE
patching has let you fall so far behind. Most recent IE bugs such as
this (which, BTW, MS often initially only rates as "important" rather
than "critical" severity -- you'd almost think it was a deliberate
ploy to reduce the attention their patches initially draw from the
media, but it blows up when something like this exploits it and shows
how trivial it really is to exploit) are simple to exploit _and_ the
discoverers (or others) often post PoC exploits that are then simply
used in "cut'n'paste mode" by the spammers, virus writers, etc. Of
late, the time between release and exploitation of these "auto-run
from IE" bugs has been reducing steadily from several months to only
a few weeks.

I know it is popular to bash MS for its woeful security record and
doubly so IE, but I mean the following in all seriousness. Internet
Explorer has such a poor security record and it is continually being
severely compromised (new bugs of the nature of MS03-032 appear at
least every two months and about half of them get used for viral or
other malware purposes) that it is insane to allow it to be used in
"normal operations" by staff who are not seasoned security experts.
Seriously -- I am not joking. Take the hit, get and install one of
the Mozilla-based browsers, or shell out a little money for Opera
and get a real quality browser. Neither is perfect (in fact, they
may be just as bad as IE) _BUT_ they simply are not being targeted in the
way that IE is, so by prohibiting use of IE (do it the hard way with
proper file system permissions in an NT-based OS, rather than just
with a written company policy) you immediately remove yourself from
the target of opportunity fish bowl, in which you are currently a
free-swimming target. Replacing IE will cause you a few problems --
some (fewer than before, but still enough to potentially be a
nuisance) really badly authored and designed web sites will be
difficult to impossible to view. This is not because Opera or Mozilla
are poor browsers but because those pages are very badly authored and
depend either on IE-only stupidities (be they bugs or "tricks") and
related IE-blindness in the pages' designers. This is a common
problem on the web, but is really a problem for the owners/operators
of such sites. By employing such ignorant web designers (who will
seldom, if ever, acknowledge that they themselves are the problem --
they _will_ blame your choice of browser, so be ready for ignorant
criticism from one of the most security-ignorant groups on the planet)
these sites are saying to their customers "We don't care if you are
more concerned about computer security than we are". This is clearly
not a very customer-friendly orientation and you should point this out
loudly at every chance you get as it is your only hope of breaking the
circle of IE-ignorance you will be battling in such cases.
Tom Adams said:
I tried google, but many of the sites provide no explanation. The
site for Norton that we naturally check provided nothing except the
general exhortations to keep everything up-to-date all the time. Good
advice, of course.

So, follow it and get the now old, in security terms, MS03-032 patch.
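The delivery pattern Nick describes above (an installer page that abuses the Object Data tag bug fixed by MS03-032) is something a mail gateway or proxy can screen for before any browser sees the page. The following is an added example, not code from this thread, from Nick FitzGerald, or from any vendor write-up. It assumes, from the wording of the MS03-032 bulletin rather than from anything on this page, that IE fetched whatever an OBJECT element's DATA attribute named and decided how to handle it from what the server reported, so an installer page only needed to point DATA at a remote URL; the `.hta` special case, the allow-list of document suffixes, the hostnames and every sample body are constructed for the example.

```python
"""Gateway-side check for the OBJECT DATA delivery pattern behind MS03-032.

Added example; not code from this thread, from Nick FitzGerald, or from any
vendor. Assumption (from the MS03-032 bulletin wording, not from this page):
IE fetched whatever an OBJECT element's DATA attribute named and decided how
to handle it from what the server reported, so an installer page only needed
to point DATA at a remote URL. The scanner below flags such references in
HTML mail or proxied pages so they can be held before a browser renders them.
Every sample body and hostname here is constructed for the example.
"""
from html.parser import HTMLParser
from typing import List, Optional, Tuple
from urllib.parse import urlsplit

# Suffixes a browser would normally pull through an OBJECT tag without being
# handed something executable. Hypothetical allow-list; tune it per site.
DOCUMENT_SUFFIXES = {".htm", ".html", ".xml", ".txt", ".gif", ".jpg", ".jpeg",
                     ".png", ".swf"}
REMOTE_SCHEMES = {"http", "https", "ftp"}

Hit = Tuple[str, str, str, str]  # (tag, attribute, value, verdict)


def classify(reference: str) -> Optional[str]:
    """Verdict for one DATA/CODEBASE/SRC value, or None when it is benign."""
    parts = urlsplit(reference.strip())
    if parts.scheme.lower() not in REMOTE_SCHEMES:
        return None  # relative or local references are not the remote-fetch pattern
    last = parts.path.rsplit("/", 1)[-1].lower()
    suffix = last[last.rfind("."):] if "." in last else ""
    if suffix == ".hta":
        return "quarantine: remote HTML Application"
    if suffix in DOCUMENT_SUFFIXES:
        return "review: remote OBJECT reference"
    # No suffix, or a server-side script: the served type rather than the
    # name decides what IE does with it, which is the MS03-032 failure mode.
    return "quarantine: remote OBJECT with server-decided type"


class ObjectDataScanner(HTMLParser):
    """Collects suspicious OBJECT/EMBED references while parsing an HTML body."""

    def __init__(self) -> None:
        super().__init__(convert_charrefs=True)
        self.hits: List[Hit] = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() not in ("object", "embed"):
            return
        for name, value in attrs:  # HTMLParser already lower-cases attribute names
            if name in ("data", "codebase", "src") and value:
                verdict = classify(value)
                if verdict:
                    self.hits.append((tag.lower(), name, value, verdict))

    # Treat the self-closing <object ... /> form the same as an opening tag.
    handle_startendtag = handle_starttag


def scan_html(body: str) -> List[Hit]:
    scanner = ObjectDataScanner()
    scanner.feed(body)
    scanner.close()
    return scanner.hits


def worst_verdict(body: str) -> str:
    """Collapse all hits in a body to one gateway action."""
    hits = scan_html(body)
    if any(verdict.startswith("quarantine") for *_, verdict in hits):
        return "quarantine"
    return "review" if hits else "deliver"


# Constructed sample bodies: a plain newsletter, an ordinary relative Flash
# banner, a remote document reference, and two installer-style pages.
SAMPLES = {
    "newsletter": "<html><body><p>Hello</p>"
                  "<img src='http://example.invalid/logo.gif'></body></html>",
    "flash_banner": "<object data='banner.swf' "
                    "type='application/x-shockwave-flash'></object>",
    "remote_doc": "<object data='http://example.invalid/page.html'></object>",
    "installer": "<html><body><OBJECT DATA=\"http://example.invalid/cgi-bin/load.cgi\""
                 " WIDTH=0 HEIGHT=0></OBJECT></body></html>",
    "hta_direct": "<object data=\"http://example.invalid/setup.hta\" />",
}

if __name__ == "__main__":
    for name, body in SAMPLES.items():
        print(f"{name:13s} -> {worst_verdict(body)}")
        for hit in scan_html(body):
            print("      ", hit)
```

The point of the split between "review" and "quarantine" is that a remote reference with no extension or a server-side script name is exactly the case where the server's reported type, not the file name, decides what the browser does; that is the decision IE got wrong, so those go straight to quarantine, while a remote reference to an ordinary document type is merely unusual in mail and gets held for a human. The check is deliberately a filter on the vector, not a signature for CoreFlood itself, because, as the post above says, the installer can be delivered other ways.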
 
Nick FitzGerald said:
Don't believe everything you read... 8-)

That is how coreFlood _was_ being distributed when it was first
discovered. However, it is not self-spreading, so that description
could just as well say "it arrives in postal mail on a floppy disk
with instructions printed on the label to run setup.exe...".

That is, it can be delivered other ways, and has been...


In the last 48-72 hours there have been several reports of CoreFlood
being distributed in a manner much the same as the Surferbar IE
toolbar that folk have been complaining about. To save repeating
myself, I'll simply point you to the 'Weird mail trying top get
"a.cgi", any ideas ?' thread where you should read my description of
SurferBar's installation (obviously the part of that post describing
what Surferbar does is irrelevant to your case though...).

In short, IE 6.0 SP1 is an insufficient patch level. MS has had a
hotfix out for a few weeks now -- MS03-032 -- that among other things
fixes the so-called Object Data Tag vulnerability. This is exploited
in the SurferBar and recent CoreFlood installers

So, do you get MS03-032 when you just go to the MS update site and do
the critical updates? I notice that I have that patch on my home
computer, and the only deliberate updates that I have done recently
are the criticals from MS update site. Or is there some auto-update
feature in my IE6 browser, I'm kinda clueless about this.

I had assumed that security was good at my work site, with all the
apparent security activity and the independent audits. But now I find
that my IE6 at work does not even have SP1 and my office mates
computer has only SP1 but not other critical patches. I think we must
be on our own about patching our PCs, but I have never seen a notice
telling us to do the critical patches. Apparently each PC at the
office is running software that is way out of date on security
patches.
 
ZDnet is now reporting that the patch does not work:

http://news.zdnet.co.uk/software/0,39020381,39116180,00.htm

so there will be another patch soon.
Tom Adams said:
So, do you get MS03-032 when you just go to the MS update site and do
the critical updates? I notice that I have that patch on my home
computer, and the only deliberate updates that I have done recently
are the criticals from MS update site. Or is there some auto-update
feature in my IE6 browser, I'm kinda clueless about this.

I have a clue now, I checked my update history at the Windows Update site.

MS02-032 must be the same as update 882925
Tom Adams said:
I had assumed that security was good at my work site, with all the
apparent security activity and the independent audits. But now I find
that my IE6 at work does not even have SP1 and my office mates
computer has only SP1 but not other critical patches. I think we must
be on our own about patching our PCs, but I have never seen a notice
telling us to do the critical patches. Apparently each PC at the
office is running software that is way out of date on security
patches.

At work, we are prevented from using Windows update. So I have to use the
IE update page. If I apply the most recent cumulative update, do I get all
the other update? Or do I have to apply each patch one at a time?

Also, my work computer has Windows 98, but the update only mentions 98 SE. So
I am not sure I should apply it.