SANS ISC: InfoSec Handlers Diary Blog - Internet Storm Center Diary 2003-12-17

h00d IRC bot, localhost port 80 traffic

Published: 2003-12-17
Last Updated: 2003-12-18 00:31:52 UTC
by Johannes Ullrich (Version: 1)
mIRC-based IRC bot "h00d.exe"

A user reported an mIRC-based IRC bot. McAfee identified the trojan as 'IRC/Flood.cd.dr'. The listener's filename was 'h00d.exe', and the trojan was found at C:\winnt\system32\have\h00d.exe .

A number of other files were found in the same directory.

As is typical for this class of malware, the trojan connected to an IRC channel for remote control. The IRC server involved no longer appears to be active.
'localhost' Port 80 Traffic

Brian Coyle suggested on our 'Intrusions' list that the port 80 traffic from 'localhost' is a side effect of the Blaster worm and the countermeasures taken against it.

Some ISPs still resolve 'windowsupdate.com' to '127.0.0.1', a countermeasure from the Blaster outbreak. Blaster-infected systems still attempt to take part in the DDoS against that site, and the DDoS uses SYN packets to port 80 with a spoofed source address. With the override in place, an infected host sends the spoofed SYN to 127.0.0.1, i.e. to itself. Port 80 is normally closed on a workstation, so the host answers its own SYN with a RST/ACK whose source is 127.0.0.1 port 80 and whose destination is the spoofed address.

The host whose address was spoofed will receive this RST/ACK 'from localhost' unless it is dropped by egress filters at the infected host's network or by ingress filters at its own.

ISPs should remove the windowsupdate.com override from their resolvers, and egress/ingress filters should be applied so that packets with a 127.0.0.0/8 source or destination can neither leave nor enter your network.
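As an added example (not code from the diary or from anyone named in it), the following Python models the chain described above: the resolver override, the spoofed SYN, the host's own RST/ACK heading out towards the spoofed address, and the border filter that should drop it. It also flags the 'localhost port 80' pattern in tcpdump-style log lines. The addresses, the resolver override, the source port and the log lines are all constructed for illustration.

```python
"""Added example, not from the ISC diary: models the Blaster / 'localhost port 80'
side effect and the ingress/egress filter that stops it. Every address, the
resolver override, the source port and the log lines below are constructed."""
import ipaddress
import re
from dataclasses import dataclass

LOOPBACK = ipaddress.ip_network("127.0.0.0/8")


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str  # TCP flags: "S" = SYN, "SA" = SYN/ACK, "RA" = RST/ACK


def resolve(name, overrides):
    """Resolver with sinkhole overrides, e.g. {'windowsupdate.com': '127.0.0.1'}."""
    return overrides.get(name)


def blaster_syn(spoofed_src, target_ip):
    """Blaster's DDoS packet: a SYN to port 80 with a forged source address.
    Source port 40000 is an arbitrary choice for this model."""
    return Packet(spoofed_src, 40000, target_ip, 80, "S")


def host_response(pkt, listening_ports):
    """What the receiving TCP stack sends back to the packet's (forged) source:
    SYN/ACK if the port is open, RST/ACK if it is closed (RFC 793 behaviour)."""
    if "S" not in pkt.flags:
        return None
    flags = "SA" if pkt.dport in listening_ports else "RA"
    return Packet(pkt.dst, pkt.dport, pkt.src, pkt.sport, flags)


def border_filter(pkt, direction, internal_net):
    """Ingress/egress filter at the network border. Returns (verdict, reason).
    Loopback addresses never belong on a link, so they are dropped in both
    directions; the other two rules are the usual anti-spoofing checks."""
    net = ipaddress.ip_network(internal_net)
    src = ipaddress.ip_address(pkt.src)
    dst = ipaddress.ip_address(pkt.dst)
    if src in LOOPBACK or dst in LOOPBACK:
        return "drop", "loopback address on the wire"
    if direction == "egress" and src not in net:
        return "drop", "egress: source address is not ours (spoofed)"
    if direction == "ingress" and src in net:
        return "drop", "ingress: outside packet claims an internal source"
    return "pass", ""


def simulate_infected_host(spoofed_src, overrides, internal_net,
                           listening_ports=frozenset()):
    """Trace one Blaster attack packet from an infected host. Returns the packet
    that reaches the border and the egress filter's verdict on it."""
    target = resolve("windowsupdate.com", overrides)
    syn = blaster_syn(spoofed_src, target)
    if ipaddress.ip_address(target) in LOOPBACK:
        # The SYN is delivered to the host itself; what heads out towards the
        # spoofed source is the host's own RST/ACK (or SYN/ACK if port 80 is open).
        outbound = host_response(syn, listening_ports)
    else:
        outbound = syn
    return outbound, border_filter(outbound, "egress", internal_net)


# tcpdump-style line: "IP <src>.<sport> > <dst>.<dport>: Flags [<flags>], ..."
LOG_RE = re.compile(r"IP (\S+)\.(\d+) > (\S+)\.(\d+): Flags \[([^\]]+)\]")


def is_localhost_reflection(line):
    """True for a RST or SYN/ACK from 127.0.0.0/8 port 80: the signature of the
    reflected Blaster traffic as seen at the host whose address was spoofed."""
    m = LOG_RE.search(line)
    if not m:
        return False
    src, sport, _dst, _dport, flags = m.groups()
    return (ipaddress.ip_address(src) in LOOPBACK and int(sport) == 80
            and ("R" in flags or flags == "S."))


# Constructed sample capture: line 1 is the reflected RST/ACK, the rest is benign.
SAMPLE_LOG = [
    "12:00:01.100 IP 127.0.0.1.80 > 198.51.100.7.40000: Flags [R.], seq 0, ack 1, win 0, length 0",
    "12:00:01.200 IP 198.51.100.7.51234 > 192.0.2.10.80: Flags [S], seq 12345, win 65535, length 0",
    "12:00:01.300 IP 192.0.2.10.80 > 198.51.100.7.51234: Flags [S.], seq 0, ack 12346, win 65535, length 0",
]


def flagged(lines):
    return [line for line in lines if is_localhost_reflection(line)]


if __name__ == "__main__":
    out, verdict = simulate_infected_host(
        "198.51.100.7", {"windowsupdate.com": "127.0.0.1"}, "192.0.2.0/24")
    print("leaves host:", out, "->", verdict)
    print("flagged log lines:", flagged(SAMPLE_LOG))
```

The egress rule catches the reflected RST/ACK because its source is 127.0.0.1, and the ingress rule at the spoofed victim catches it for the same reason, so either side filtering is enough; the anti-spoofing rule additionally stops the original SYN once the resolver override is gone and the SYN is routed towards the real target.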