  #16  
Old 08-08-2003, 02:14 PM
Virion
Fire Beetle
 
Join Date: Aug 2002
Posts: 3
Default

I've always thought it's best to scan everything I download. Thus, when I downloaded the eq emu files very recently (actually yesterday afternoon, before your post was made, which would make the virus' time on your system two days, not a week), I found no viruses in the files after doing my routine check (I check for new definitions daily, as well.) I think that the virus came from a file not directly hosted by eqemu, because as far as I can tell their files on sourceforge are clean (wouldn't sourceforge be in your recently visited sites list if you downloaded the eqemu files?). Also, the virus itself is rather old and, as far as I can tell, has been in popular antivirus programs for roughly 2 - 7 months (also, the virus itself consists of only two files according to several av site listings, an exe and dll). I don't want to cause any trouble, but I just thought that this information might be useful in finding the real origin of this virus.
  #17  
Old 08-08-2003, 04:00 PM
Merth
Dragon
 
Join Date: May 2003
Location: Seattle, WA
Posts: 609
Default

I'm sorry that I didn't make it clear enough in my first post to this thread:

Quote:
It's really quite simple to pinpoint whether or not the binaries you downloaded from here contain a trojan or virus: just download them again and run them through a pitbull of a virus check. That seems pretty definitive to me!
This was a direct request. Please download those executables again and run them through the anti virus program. It's not rocket science.

Once you have located the executable that introduced the virus, post THAT LINK to this board. We'll test it out, find this alleged trojan, and lay the smack down.

Q.E.D.

Until you can provide a link that we can verify, I find no credibility in your accusation - mainly because I've been a perma IRC citizen here for several months, and I've used numerous binaries related to this site.
  #18  
Old 08-08-2003, 06:41 PM
Goauld
Fire Beetle
 
Join Date: Jul 2003
Posts: 27
Default

Perhaps you're not paying proper attention here.

I have quite clearly stated that I confirm that the source of this trojan was the IRC channel EQEMU, not the EQEmu source files.

Hopefully that's drawn back the cloud on this issue for you guys.

The fact remains, that either your Ops or IRC channel users are indulging in the planting of Trojans. The Backdoor.Codeflood variant I received via the IRC channel is predominantly used for DDoS attacks.

Now, if you're actively condoning that, or shielding the guilty party(s), then that is kinda irresponsible and stupid. If my ISP approaches me with any kind of accusation relating to involvement in (illegal) DDoS attacks originating from my IP, my finger will be firmly pointed in the direction of your IRC channel.

Heads up...
  #19  
Old 08-08-2003, 06:51 PM
Goauld
Fire Beetle
 
Join Date: Jul 2003
Posts: 27
Default

And there were 3 files planted on my sys, as follows:

BFTAWUL.DLL
GIYGFQM.DLL
GIYGFQM.EXE

All of the above were created on 28/07/03 and their naming is entirely random. Residing in \Windows\System32, the EXE is called from the registry on startup.

As previously stated, these did NOT originate from the EQEMU source, but from a malicious (as yet unidentified) IRC user.

Now, is it just a coincidence that the same channel that this joins upon finding a connection is the `Forever Hacking' as featured in Shawn319's sig?

I'm getting a sense that you guys are shielding someone.

Dog......meet .....Bone......

I'm sure you're aware of the phrase and the implication.
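The three randomly named files in System32 and the Run-key entry that launches the EXE are exactly the artifacts a host triage script can pull out. The following is an added example, not code from the thread or from the EQEmu project: it parses a constructed `reg export`-style dump of a Run key, flags autorun images whose names look machine-generated and are not on an allowlist, and then lists the other files created in System32 on the same day as the flagged executable, which is how the sibling DLLs of a dropper surface. The three file names and the 28/07/03 date are taken from the post above; every other registry value, file name, date and the KNOWN_GOOD allowlist are constructed for the example.

```python
"""Autorun triage helper (added example, not from the forum thread).

Correlates Run-key autostart entries with file creation dates so that a
dropped EXE and the DLLs planted beside it can be found together. Input is
a constructed .reg export body and a constructed directory listing; nothing
on a real system is read.
"""
import re
from datetime import date
from pathlib import PureWindowsPath

# Constructed sample: roughly what `reg export` of the Run key produces.
# GIYGFQM.EXE is the name from the post; the other two values are made up.
RUN_KEY_EXPORT = r'''
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Synchronization Manager"="mobsync.exe /logon"
"GIYGFQM"="C:\\WINDOWS\\System32\\GIYGFQM.EXE"
"SoundTray"="C:\\Program Files\\Audio\\soundtray.exe /tray"
'''

# Constructed sample: (file name, creation date) pairs from a System32 listing.
# The three 28/07/03 entries are the names from the post; the rest are filler.
SYSTEM32_LISTING = [
    ("kernel32.dll", date(2003, 6, 20)),
    ("BFTAWUL.DLL", date(2003, 7, 28)),
    ("GIYGFQM.DLL", date(2003, 7, 28)),
    ("GIYGFQM.EXE", date(2003, 7, 28)),
    ("mobsync.exe", date(2003, 6, 20)),
]

# Hypothetical allowlist: autostart images a baselined machine is expected to carry.
KNOWN_GOOD = {"mobsync.exe"}

VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<data>.*)"$')
# First path-like token ending in an executable extension (handles quoted paths with spaces).
IMAGE_RE = re.compile(r'([^"]*?\.(?:exe|dll|com))', re.I)


def parse_run_values(export_text):
    """Return {value_name: command_string} from a .reg export body."""
    values = {}
    for line in export_text.splitlines():
        m = VALUE_RE.match(line.strip())
        if m:
            # .reg files escape backslashes as "\\"; undo that.
            values[m.group("name")] = m.group("data").replace("\\\\", "\\")
    return values


def image_name(command):
    """Basename of the executable a Run command launches."""
    m = IMAGE_RE.search(command)
    token = m.group(1) if m else command.split(" ")[0]
    return PureWindowsPath(token.strip('"')).name


def looks_random(name):
    """Crude heuristic: letters-only stem of 6+ chars with few vowels."""
    stem = name.rsplit(".", 1)[0]
    if not stem.isalpha() or len(stem) < 6:
        return False
    vowels = sum(c in "AEIOUaeiou" for c in stem)
    return vowels / len(stem) < 0.3


def suspicious_autoruns(export_text):
    """Run entries whose image is not allowlisted and looks machine-generated."""
    hits = []
    for _name, cmd in parse_run_values(export_text).items():
        img = image_name(cmd)
        if img.lower() in KNOWN_GOOD:
            continue
        if looks_random(img):
            hits.append(img)
    return hits


def siblings_by_creation_date(image, listing):
    """Other files created on the same day as `image` (a dropper's companions)."""
    by_name = {n.lower(): d for n, d in listing}
    day = by_name.get(image.lower())
    if day is None:
        return []
    return sorted(n for n, d in listing if d == day and n.lower() != image.lower())


if __name__ == "__main__":
    for img in suspicious_autoruns(RUN_KEY_EXPORT):
        print(img, "->", siblings_by_creation_date(img, SYSTEM32_LISTING))
```

The allowlist matters: a short system name such as mobsync.exe has as few vowels as the dropped one, so the randomness heuristic alone would flag it; the creation-date pivot is what turns one autorun hit into the full set of planted files.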
  #20  
Old 08-08-2003, 10:21 PM
Trumpcard
Demi-God
 
Join Date: Jan 2002
Location: Charlotte, NC
Posts: 2,614
Default

Forever hacking was the name of a server, about the most popular eqemu server. If it WAS someone affiliated with that server, it could be one of the 2000+ registered users of it.

What makes you think we would shield anyone from something like this, when it's been so BLAZINGLY apparent that we've done everything possible to keep this project as legitimate and on the up and up, and safe as possible.

You can blame an EQEMU user, or even a bot someone put into IRC, but to personally blame the eqemu ops/devs, especially with no basis whatsoever is a tad on the hyper-reactional side.

As far as the connection between Shawn's sig and a channel name, well, that's like saying because someone caught the 'west nile virus', it MUST have been that shifty Egyptian guy that lives on the corner that gave it to them....
__________________
Quitters never win, and winners never quit, but those who never win and never quit are idiots.
  #21  
Old 08-08-2003, 10:53 PM
Goauld
Fire Beetle
 
Join Date: Jul 2003
Posts: 27
Default

Quote:
Originally Posted by Goauld
As previously stated, these did NOT originate from the EQEMU source, but from a malicious (as yet unidentified) IRC user.
Does that say to you that I am blaming the Ops or developers? Not the way I read, or intended it.

If you have logs for the channel for 28/07/03, could you just look over them?

<Bangs head against brick wall>
  #22  
Old 08-09-2003, 01:55 AM
Talon0202
Sarnak
 
Join Date: Apr 2003
Posts: 67
Default

Quote:
Now, is it just a coincidence that the same channel that this joins upon finding a connection is the `Forever Hacking' as featured in Shawn319's sig?

I'm getting a sense that you guys are shielding someone.

Dog......meet .....Bone......

I'm sure you're aware of the phrase and the implication.
Shawn319 is an Op.....seems to me that's blaming him...
__________________
~Chosen One~
--------------------
  #23  
Old 08-09-2003, 02:35 AM
Merth
Dragon
 
Join Date: May 2003
Location: Seattle, WA
Posts: 609
Default

This is my understanding of what you have stated, G boy:

Quote:
Originally Posted by Goauld
Having checked my site access for the day and checking against the creation dates for the EXE & 2 DLL's this entailed I am certain that this minefield-like site is the culprit.
Ok, you believe you have 3 infected binaries that came from this site - not IRC.

Quote:
Originally Posted by Goauld
That is also the IRC Channel that the Codeflood.Backdoor connects to whenever an internet connection is established.
Ok, this thing that has infected your system also happens to make a connection to an IRC channel - which I don't see how you were able to figure out since netstat or other such tools don't decode above the IP layer. But, you were the one that stated it without support.

Quote:
Originally Posted by Goauld
Obviously the word of an administrator who runs a company LAN for a living isn't good enough for you.
The holier-than-thou attitude is a little annoying, but what I find really disturbing is that throughout the thread, you assumed we knew this and regarded you as such.

Is the word of an EQEMu dev not good enough for you? If not, then perhaps you can understand why the word of some random Joe Blow from the internet is not good enough for me.

Quote:
Originally Posted by Goauld
Perhaps you're not paying proper attention here.

I have quite clearly stated that I confirm that the source of this trojan was the IRC channel EQEMU, not the EQEmu source files.
No, you have not. You stated that the trojan was making a connection to the IRC channel. See above quote. Please pay attention and quit telling others to do it for you.

Quote:
Originally Posted by Goauld
As previously stated, these did NOT originate from the EQEMU source, but from a malicious (as yet unidentified) IRC user.
No, you did not state this. You stated the trojan on your computer was making a connection to IRC.

But now that you have stated this - are you saying that you connected to IRC now? How did this trojan make its way to your system? Please explain, oh mighty LAN administrator. Did you accept a DCC from someone and then run the executable you downloaded? HOW DID THE FILES GET ONTO YOUR SYSTEM?

Given your accusations, it would seem that you have knowledge of how they got there.

Quote:
Originally Posted by Goauld
I'm getting a sense that you guys are shielding someone.
After reading the above quotations where I have pointed out the flaws we all see in your argument, would you care to revise this statement? I really don't like this absurd accusation. Stick to the evidence, G boy, that's the only thing that will get a verdict.

Quote:
Originally Posted by Goauld
Does that say to you that I am blaming the Ops or developers?
Yes, you are. See above quote. You are accusing "you guys", of which I am a part.

Since we're making assumptions, let's make one based on your status in the professional world: Your LAN is safely behind a robust firewall, with no glaring security holes. Correct?

Goauld, you're really starting to get on my bad side, and believe me, that's quite a feat. I am only going to say this once more, and if you violate it, I will make sure you are removed from this community. Stick to the evidence. Don't assume, it only makes an ass out of you (not me).
  #24  
Old 08-09-2003, 10:44 PM
Goauld
Fire Beetle
 
Join Date: Jul 2003
Posts: 27
Default

Let me clarify...

I am as certain as I can be that the Codeflood Trojan originated from your IRC channel (If you check back in this thread, it would seem that I am not alone in the receipt of malware from this channel).

I request once again, that if you maintain any logs that you inspect them. It's a simple enough request.

"Prove it" is the mantra of the guilty or the idle - you already are aware of the fact that my logs do not extend back as far as 28/07/03. Also worth considering, is the fact that this trojan gives COMPLETE system control - thus any logs present are effectively rendered useless unless I submit my PC for expensive and costly forensic examination.

As I've already stated - this is my home system - used for leisure only. Although it is due for a reinstall and lockdown when it's placed behind a router when my 2nd PC arrives next week. At present, its only protection is a software firewall with certain services restricted or disabled.

Fact is, you have some fool on your IRC channel who thinks this is funny. Whoever that is will continue to see this kind of thing as good fun as long as you ALLOW them to.

As per your comments, I'm surprised that you do not appreciate the chronology of this thread. My FIRST suspicion was directed to this site. This has been subsequently revised as I have investigated this issue.

I'll state now, I categorically RETRACT any accusation pertaining to this site being involved in the distribution of malware (if that's what it takes for you to understand). Someone is having fun on your IRC channel at your expense - obviously it is too much to ask for you to look into this.

I have investigated as well as I can do given the truncated nature of my logs. I ask now that you at least extend the same courtesy instead of attempting to discredit any legitimate concerns of your user base.

If you would rather ignore this issue than allay the concerns of your users then so be it. Delete my account and pretend none of this happened. I'm sure this would suit you better.

Consider this possibility.

Someone is infecting visitors to your IRC channel with malware for conducting DDoS attacks. If such an attack is executed on a large scale, are you confident that you won't attract attention from the authorities? If you do, how will you convince them that it was a user, not an Op who had abused your resource? I would imagine that you maintain server side logs of all IRC activity. Or perhaps you don't? You tell me.

Let's just hope that the above scenario is hypothetical only and that the distributor of this trojan is only doing so out of boredom and not to orchestrate any kind of large scale action.

At this juncture I'm disappointed with the attitude to what is clearly an abuse of your resources. The positive feedback I was hoping for isn't here.
  #25  
Old 08-10-2003, 04:21 AM
Merth
Dragon
 
Join Date: May 2003
Location: Seattle, WA
Posts: 609
Default

Here are the facts:

Symantec Security Response - Backdoor.Coreflood

Quote:
Originally Posted by Symantec
Backdoor.Coreflood is a backdoor Trojan that is designed primarily to conduct Denial of Service attacks. The Trojan connects to an IRC server and gives control of the infected computer to a hacker.

..

The Trojan then connects to an IRC server and joins a predefined chat channel. It listens for commands to execute. These commands allow a hacker to gain unauthorized access to an infected computer and potentially conduct a Denial of Service attack against other computer systems.
This virus did not get onto your computer by connecting to IRC. You need to figure out HOW this trojan got onto your system. What have you been downloading?

Furthermore, you need to state why you believe it connects to the channel specified by Shawn319's signature. I don't see HOW you would know this.

Finally, I am just a dev for this project. I don't have access to any IRC logs. I don't even have access to our CVS to modify files. I prefer it that way so that I can avoid this sort of situation - malicious accusations from people trying to discredit my name.
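The thread turns on how anyone could know which channel the backdoor joins. A netstat listing shows only the remote IP and port, but the Symantec text quoted above says the Trojan connects to an IRC server and joins a predefined channel, and for an IRC bot of that era the NICK, USER and JOIN lines travel in cleartext, so a packet capture of the infected host reveals them. The following is an added example, not code from the thread or from Symantec: it parses a constructed capture of IRC lines using the RFC 1459 message shape and recovers the server, nick and joined channel, plus a crude join-delay triage signal. The host irc.example.test, the nick, the channel #bot-rally, the address 203.0.113.7 and all timings are constructed.

```python
"""IRC session reconstruction from captured traffic (added example, not from the thread).

Given client<->server IRC lines with timestamps, recover the server name,
the nick the client registered and the channel(s) it joined, then apply a
simple "joined a channel almost immediately after connecting" triage check.
The capture below is constructed; nothing is read from the network.
"""
import re

# Constructed capture: (seconds since the socket opened, direction, raw IRC line).
# ">" is client -> server, "<" is server -> client.
CAPTURE = [
    (0.0, ">", "NICK [XP]-9f3a12"),
    (0.0, ">", "USER xp 0 * :xp"),
    (0.4, "<", ":irc.example.test 001 [XP]-9f3a12 :Welcome to the network"),
    (0.5, ">", "JOIN #bot-rally rallykey"),
    (0.9, "<", ":[XP]-9f3a12!xp@203.0.113.7 JOIN :#bot-rally"),
    (1.2, "<", ":irc.example.test 332 [XP]-9f3a12 #bot-rally :.login ..."),
    (30.0, "<", "PING :irc.example.test"),
    (30.0, ">", "PONG :irc.example.test"),
]

# RFC 1459 message shape: [':' prefix SP] command [SP params] [SP ':' trailing]
IRC_LINE_RE = re.compile(
    r"^(?::(?P<prefix>\S+) )?(?P<command>\S+)(?: (?P<params>[^:]*?))?(?: :(?P<trailing>.*))?$"
)


def parse_irc_line(line):
    """Split one IRC line into prefix, command and parameter list (trailing appended)."""
    m = IRC_LINE_RE.match(line.rstrip("\r\n"))
    if not m:
        return None
    params = m.group("params").split() if m.group("params") else []
    if m.group("trailing") is not None:
        params.append(m.group("trailing"))
    return {"prefix": m.group("prefix"), "command": m.group("command").upper(), "params": params}


def summarize_session(capture):
    """Recover server, nick, joined channels and the delay before the first JOIN."""
    summary = {"server": None, "nick": None, "channels": [], "first_join_s": None}
    for t, direction, raw in capture:
        msg = parse_irc_line(raw)
        if msg is None:
            continue
        if direction == "<" and msg["command"] == "001" and msg["prefix"]:
            # 001 (RPL_WELCOME) is sent by the server itself, so its prefix names the server.
            summary["server"] = msg["prefix"]
        elif direction == ">" and msg["command"] == "NICK" and msg["params"]:
            summary["nick"] = msg["params"][0]
        elif direction == ">" and msg["command"] == "JOIN" and msg["params"]:
            for chan in msg["params"][0].split(","):  # JOIN takes a comma-separated channel list
                if chan not in summary["channels"]:
                    summary["channels"].append(chan)
            if summary["first_join_s"] is None:
                summary["first_join_s"] = t
    return summary


def looks_automated(summary, max_join_delay_s=2.0):
    """Triage signal, not proof: a generated-looking nick that joins a channel
    within moments of connecting behaves like a bot with a hard-coded rally
    channel. Human clients with an auto-join list will trip this too."""
    nick = summary["nick"] or ""
    generated_nick = len(re.findall(r"\d", nick)) >= 3
    quick_join = summary["first_join_s"] is not None and summary["first_join_s"] <= max_join_delay_s
    return quick_join and generated_nick


if __name__ == "__main__":
    s = summarize_session(CAPTURE)
    print(s, "automated-looking:", looks_automated(s))
```

The direction field is what keeps the parse honest: the server's echo of the JOIN and the 332 topic reply also carry the channel name, but only the client's own JOIN tells you what the infected host asked for, and only the server's 001 reply tells you which server actually answered.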
  #26  
Old 08-10-2003, 05:33 AM
Goauld
Fire Beetle
 
Join Date: Jul 2003
Posts: 27
Default

Quote:
Originally Posted by MerthEQ
This virus did not get onto your computer by connecting to IRC.
How do you arrive at this conclusion? The delivery method doesn't seem to be referred to at the Symantec Security Response centre...

Quote:
Originally Posted by MerthEQ
I prefer it that way so that I can avoid this sort of situation - malicious accusations from people trying to discredit my name.
How am I trying to discredit you personally? I am merely asking you to look into this as most responsible resource providers would....

I'm not demanding help sorting the infection out - I've already sorted that out. I'm not after any kind of recompense. I'm simply asking you to look into it to allay a users concerns.
  #27  
Old 08-10-2003, 05:47 AM
Virion
Fire Beetle
 
Join Date: Aug 2002
Posts: 3
Default

I can't possibly see how a log of the channel will help. If the file came from the irc server it would be dcc and thus not listed in the channel at all (not to mention you normally have to accept or have auto-download for dcc transfers on, and some irc clients like mIRC even warn about dcc auto transfer being a way to receive virii by accident, so I can't see why anyone would allow such a blatant security hole to be opened .) Also, as far as how the virus gets on to systems, McAfee has a better write-up on it (the method doesn't mention irc as a common source too.)
  #28  
Old 08-10-2003, 06:15 AM
Shawn319
Demi-God
 
Join Date: Jan 2002
Posts: 2,073
Default

How the hell did I get pulled into this??
__________________
Shawn319
Semi-Retired EQ Addict

(Retired)EQEmu Lead Tester
(Retired)EQEmu Tech Support

(Retired)Host/ServerOP - [LIVE] Official EQEmu Test Server
(Retired)Host/ServerOP - Shawn319's All-GM Dev Test Server
(Retired)ServerOP - EQEmu Beta Server
(Retired)ServerOP - GuildWars Server
(Retired)ServerOP - Raid Addicts
--------------------------
  #29  
Old 08-10-2003, 06:25 AM
Shawn319
Demi-God
 
Join Date: Jan 2002
Posts: 2,073
Default

Quote:
Originally Posted by Goauld
I know where the Trojan came from.

I'd advise everyone to steer clear of the EQEmu IRC channel if they wish to avoid this.

Here's a li'l link to help you out. See that `ServerOp - Forever Hacking' in Shawn319's sig? That is also the IRC Channel that the Codeflood.Backdoor connects to whenever an internet connection is established.

Call me a newb, but do not insult my intelligence. It's a lamer type trick and easy enough to remove.

Okay, could you please clarify what you mean by this?

You say it connects to the foreverhacking CHANNEL? On what IRC server? Or do you mean it connects to the foreverhacking IRC SERVER?

And what form of "foreverhacking" is it? Is it foreverhacking.net or is it forever-hacking.net?

forever-hacking.net is a site run by "l33t script kiddies" that would probably do something like this and have ABSOLUTELY NOTHING TO DO WITH EQEMU OR THE "ForeverHacking EQEmu Server".

If I remember correctly their IRC server is irc.forever-hacking.net, which is quite far from irc.eqemu.net. Be a little clearer next time before blaming people or a group of people for your stupidity.

p.s.: My sig, which says "ServerOp - Forever Hacking" means that I am a ServerOP (status 200+) on the "ForeverHacking" EQEMU SERVER. this is a dev play server that is hardly up anymore. WTF does this have to do with irc or ME?
  #30  
Old 08-10-2003, 06:35 AM
Shawn319
Demi-God
 
Join Date: Jan 2002
Posts: 2,073
Default

Oh and if you still don't believe me, "Forever-Hacking" has been known to issue DoS attacks (against us).. read this..


http://forums.eqemu.net/viewtopic.php?t=5229



If that's not enough proof then I don't know what is.