TROJAN HORSE
 

On 28/07/03 I visited this site, spending a great deal of time here and downloaded the EQ Emu, alongwith various updates.

Having been busy lately, my G/F had been using the machine, but I had not made any updates to my AV for about a week.

Having just updated my definitions, I find that I'm carrying the `Backdoor Coreflood' trojan (used for DOS attacks and comeplete system control, as I understand). Having checked my site access for the day and checking against the creation dates for the EXE & 2 DLL's this entailed (not to mention the registery modification) I am certain that this minefield-like site is the culprit.

To the owners, I'd like to think that you might take this as a useful reminder that such a disjointed board can hide a multitude of sins.

To the casual browser, I would advise extreme caution in light of this incident.

I hope I can get a positive response from the site owners, rather than just this post being deleted for `pissing someone off'


And to the miscreant responsible for this breech, I can only suggest that you take a look outside the window, if you have one, and go find something better to do - like play with traffic on the freeway.

I dont like your tone mr.


BARK BARK little pussie

We get this sort of accusation from time to time. I have yet to find one with credibility, or some sort of sound argument. It always seems to be "i have a virus and i visited your site, therefore you are spreading a virus".

It's really quite simple to pinpoint whether or not the binaries you downloaded from here contain a trojan or virus: just download them again and run them through a pitbull of a virus check. That seems pretty definitive to me!

Now, I don't know about a Trojan Horse, but if we build a large wooden badger, then Lancelot, Gallahad, and I can leap out...

or even beter (omg) look at the source code! jesus. peeps make acuasations and dont even bother to look.

Its all right there for you to look at..

Read the post before you bandy about "handbags at twenty oaces" type comments. I did not claim it was in the EQ Emu app, I visited a lot of posts trying to track down info relating to the emu and at some point on one of these threads, have been mislead in what has been downloaded.

TBH, at this juncture I'd like to add that although I'm sure you guys work long and hard into the night, consuming much coke and not getting enough sunlight in the name of the game, EQ Emu and my experience so far have left a somewhat bitter taste....

So I'm off fer a rinse

At this point in the thread, my understanding is that you downloaded a trojan from somewhere on the internet.

Thanks for the heads up!

Sarcasm..........cool.......

we should include an empty virus.cpp to scare people away.

Go home!

You are not needed here!

Ignorance shall not be tollerated.

:twisted:

I know where the Trojan came from.

I'd advise everyone to steer clear of the EQEmu IRC channel if they wish to avoid this.

Here's a li'l link to help you out. See that `ServerOp - Forever Hacking' in Shawn319's sig? That is also the IRC Channel that the Codeflood.Backdoor connects to whenever an internet connection is established.

Call me a newb, but do not insult my intelligence. It's a lamer type trick and easy enough to remove.

Please do not insult our intelligence, either. Just show us how you figured this out. What is your evidence?

If I was tracking down a trojan, I would look at what IP connections are made (netstat -a). Connecting to a specific IRC channel would not be reported by netstat because that is not IP - it's a layer above the IP layer. That leads me to believe that you are not looking in the correct place, hence the desire I have for you to provide evidence.

No need to take offense to the fact that I am asking for evidence. It happens everyday in courtrooms across the country I am from.

It didn't take too much to track it down. If you read back, I was alerted after updating my AV definitions. Subsequently, I restarted after disabling System Restore and removed the offending dll's and exe alongwith the registry entry pertaining to the exe.

If you look back, you'll see that by the date of the initial post, this trojan had been on my comp for about a week.....by which time my logs have been overwritten due to a limited cache that I set. In future, you can be assured that my limits will be set higher so that this does not pass unnoticed.

Evidence? I can assure you that I pretty much spent the whole day on your site ( no others in my browser cache for the date the exe & dll appeared on my system and my memory isn't that of a stoner or goldfish....), but obviously, my current logs hold no record going back that far.

Rest assured, that I will be scouring my sys for more compelling evidence of the origins of this nuisance over the next day or two (time permitting). Obviously the word of an administrator who runs a company LAN for a living isn't good enough for you. It would seem that it is my own ill fortune that I got a little lax at home on a system that is shortly scheduled for a reinstall and lockdown.

May I enquire as to whether you guys keep server side logs on the IRC? If so, publish them raw. Personally, if someone posted a message or dropped a mail in indicating that somebody was abusing company resources I'd be duty bound to investigate on the server side, at the very least to make sure that there wasn't a server side compromise....and at best to reassure users that they weren't placing themselves at risk just by stopping by.

So far, I've seen no positive feedback or an ivestigation of your own logs. Just cries of "Prove it". That in itself is disturbing enough.

Not trying to say it came from your irc channel, but i downloaded mirc, join your channel then had IRCbot.gen trojan in my computer, coincidence? Dont think so

Today i installed everything needed to, run a server, play on a server, and the IRC from http://www.eqemu.com/index.php?irc .
did this on 2 computers, one i set up to run a 4.4 the other .5, after using 3 different ainti virus programs i did not recieve 1 virus.

I have uninstalled and reinstalled mIRC so many times and joined their channels, I have NEVER recieved anything bad from them. I think its just your imagination.

Lets take a poll!
Who else has gotten a trojen or virus from here? *puts his hand down*

I've always thought it's best to scan everything I download. Thus, when I downloaded the eq emu files very recently (actually yesterday afternoon, before your post was made, which would make the virus' time on your system two days, not a week) , I found no viruses in the files after doing my routine check (I check for new definitions daily, as well.) I think is that the virus came from a file not directly hosted by eqemu, because as far as I can tell their files on sourceforge are clean (wouldn't sourceforge be in your recently visited sites list if you downloaded the eqemu files?). Also, the virus itself is rather old and, as far as I can tell, has been in popular antivirus programs for roughly 2 - 7 months (also, the virus itself consists of only two files according to several av site listings, an exe and dll). I don't want to cause any trouble, but I just thought that this information might be useful in finding the real origin of this virus.

I'm sorry that I didn't make it clear enough in my first post to this thread:

This was a direct request. Please download those executables again and run them through the anti virus program. It's not rocket science.

Once you have located the executable that introduced the virus, post THAT LINK to this board. We'll test it out, find this alleged trojan, and lay the smack down.

Q.E.D.

Until you can provide a link that we can verify, I find no credibility in your accusation - mainly because I've been a perma IRC citizen here for several months, and I've used numerous binaries related to this site.

Perhaps you're not paying proper attention here.

I have quite clearly stated that I confirm that the source of this trojan was the IRC channel EQEMU, not the EQEmu source files.

Hopefully thats drawn back the cloud on this issue for you guys.

The fact remains, that either your Ops or IRC channel users are indulging in the planting of Trojans. The Backdoor.Codeflood variant I received via the IRC channel is predominantly used for DDoS attacks.

Now, if you're actively condoning that, or shielding the guilty party(s), then that is kinda irresponsible and stupid. If my ISP approaches me with any kind of accusation relating to involvement in (illegal) DDoS attacks orginating from my IP, my finger will be firmly pointed in the direction of your IRC channel.

Heads up...

And there were 3 files planted on my sys, as follows;

BFTAWUL.DLL
GIYGFQM.DLL
GIYGFQM.EXE

All of the above were created on 28/07/03 and their naming is entirely random. Residing in \Windows\System32 the EXE is called from the registery on startup.

As previously stated, these did NOT originate from the EQEMU source, but from a malicious (as yet unidentified) IRC user.

Now, is it just a coincidence that the same channel that this joins upon finding a connection is the `Forever Hacking' as featured in Shawn319's sig?

I'm getting a sense that you guys are shielding someone.

Dog......meet .....Bone......

I'm sure you're aware of the phrase and the implication.

Forever hacking was the name of a server, about the most popular eqemu server. If it WAS someone affiliated with that server, it could be one of the 2000+ registered users of it.

What makes you think we would shield anyone from something like this, when it been so BLAZINGLY apparent that we've done everything possible to keep this project as legitimate and on the up and up , and safe as possible.

You can blame an EQEMU user, or even a bot someone put into IRC, but to personally blame the eqemu ops/devs, especially with no basis whatsoever is a tad on the hyper-reactional side.

As far as the connection between Shawn's sig and a channel name, we'll , thats like saying because someone caught the 'west nile virus' , it MUST have been that shifty egyptian guy that lives on the corner that gave it to them....

Does that say to you that I am blaming the Ops or developers? Not the way I read, or intended it.

If you have logs for the channel for 28/07/03, could you just look over them?

<Bangs head against brick wall>

Shawn319 is an Op.....seems to me that's blaming him...

This is my understanding of what you have stated, G boy:

Ok, you believe you have 3 infected binaries that came from this site - not IRC.

Ok, this thing that has infected your system also happens to make a connection to an IRC channel - which I don't see how you were able to figure out since netstat or other such tools don't decode above the IP layer. But, you were the one that stated it without support.

The holier-than-thou attitude is a little annoying, but what I find really disturbing is that throughout the thread, you assumed we knew this and regarded you as such.

Is the word of an EQEMu dev not good enough for you? If not, then perhaps you can understand why the word of some random Joe Blow from the internet is not good enough for me.

No, you have not. You stated that the trojan was making a connection to the IRC channel. See above quote. Please pay attention and quit telling others to do it for you.

No, you did not state this. You stated the trojan on your computer was making a connection to IRC.

But now that you have stated this - are you saying that you connected to IRC now? How did this trojan make its way to your system? Please explain, oh mighty LAN administrator. Did you accept a DCC from someone and then run the executable you downloaded? HOW DID THE FILES GET ONTO YOUR SYSTEM?

Given your accusations, it would seem that you have knowledge of how they got there.

After reading the above quotations where I have pointed out the flaws we all see in your argument, would you care to revise this statement? I really don't like this absurb accusation. Stick to the evidence, G boy, that's the only thing that will get a verdict.

Yes, you are. See above quote. You are accusing "you guys", of which I am a part of.

Since we're making assumptions, let's make one based on your status in the professional world: Your LAN is safely behind a robust firewall, with no glaring security holes. Correct?

Goauld, you're really starting to get on my bad side, and believe me, that's quite a feat. I am only going to say this once more, and if you violate it, I will make sure you are removed from this community. Stick to the evidence. Don't assume, it only makes an ass out of you (not me).

Let me clarify...

I am as certain as I can be that the Codeflood Trojan originated from your IRC channel (If you check back in this thread, it would seem that I am not alone in the receipt of malware from this channel).

I request once again, that if you maintain any logs that you inspect them. It's a simple enough request.

"Prove it" is the mantra of the guilty or the idle - you already are aware of the fact that my logs do not extend back as far as 28/07/03. Also worth considering, is the fact that this trojan gives COMPLETE system control - thus any logs present are effectivley rendered useless unless I submit my PC for expensive and costly forensic examination.

As I've already stated - this is my home system - used for leisure only. Although it is due for a reinstall and lockdown when it's placed behind a router when my 2nd PC arrives next week. At present, it's only protection is a software firewall with certain services restricted or disabled.

Fact is, you have some fool on your IRC channel who thinks this is funny. Whoever that is will continue to see this kind of thing as good fun as long as you ALLOW them to.

As per your comments, I'm surprised that you do not appreciate the chronology of this thread. My FIRST suspicion was directed to this site. This has been subsequently revised as I have investigated this issue.

I'll state now, I categorically RETRACT any accusation pertaining to this site being involved in the distribution of malware (if thats what it takes for you to understand). Someone is having fun on your IRC channel at your expense - obviously it is too much to ask for you to look into this.

I have investigated as well as I can do given the truncated nature of my logs. I ask now that you at least extend the same courtesy instead of attempting to discredit any legitimate concerns of your user base.

If you would rather ignore this issue, than allay the concerns of your users then so be it. Delete my account and pretend none of this happened. I'm sure this would suit you better.

Consider this possibility.

Someone is infecting visitors to your IRC channel with malware for conducting DDoS attacks. If such an attack is executed on a large scale, are you confident that you won't attract attention from the authorities? If you do, how will you convince them that it was a user, not an Op who had abused your resource? I would imagine that you maintain server side logs of all IRC activity. Or perhaps you don't? You tell me.

Lets just hope that the above scenario is hypothetical only and that the distributor of this trojan is only doing so out of bordeom and not to orchestrate any kind of large scale action.

At this juncture I'm disappointed with the attitude to what is clearly an abuse of your resources. The positive feedback I was hoping for isn't here.

Here's the facts:

Symantec Security Response - Backdoor.Coreflood

This virus did not get onto your computer by connecting to IRC. You need to figure out HOW this trojan got onto your system. What have you been downloading?

Furthermore, you need to state why you believe it connects to the channel specified by Shawn319's signature. I don't see HOW you would know this.

Finally, I am just a dev for this project. I don't have access to any IRC logs. I don't even have access to our CVS to modify files. I prefer it that way so that I can avoid this sort of situation - malicious accusations from people trying to discredit my name.

How do you arrive at this conclusion? The delivery method doesn''t seem to be referred to at the Symantec Security Response centre...

How am I trying to discredit you personally? I am merely asking you to look into this as most responsible resource providers would....

I'm not demanding help sorting the infection out - I've already sorted that out. I'm not after any kind of recompense. I'm simply asking you to look into it to allay a users concerns.

I can't possibly see how a log of the channel will help. If the file came from the irc server it would be dcc and thus not listed in the channel at all (not to mention you normally have to accept or have auto-download for dcc transfers on, and some irc clients like mIRC even warn about dcc auto transfer being a way to receive virii by accident, so I can't see why anyone would allow such a blatant security hole to be opened .) Also, as far as how the virus gets on to systems, McAfee has a better write-up on it (the method doesn't mention irc as a common source too.)

How the hell did I get pulled into this??

Okay. could you please clarify what you mean by this?

You say it connects to the foreverhacking CHANNEL? on what irc server. Or do you mean it connects to the foreverhacking IRC SERVER.

And what form of "foreverhacking" is it? is it foreverhacking.net or is it forever-hacking.net.

forever-hacking.net is a site run by "l33t script kiddies" that would probably do something like this and have ABSOLUTELY NOTHING TO DO WITH EQEMU OR THE "ForeverHacking EQEmu Server".

If i remember correctly their irc server is irc.forever-hacking.net.. which is quite far from irc.eqemu.net. Be a little clearer next time before blaming people or a group of people for your stupidity.

p.s.: My sig, which says "ServerOp - Forever Hacking" means that I am a ServerOP (status 200+) on the "ForeverHacking" EQEMU SERVER. this is a dev play server that is hardly up anymore. WTF does this have to do with irc or ME?

Oh and if you still don't believe me, "Forever-Hacking" has been known to issue DoS attacks (against us).. read this..


http://forums.eqemu.net/viewtopic.php?t=5229



If thats not enough proof then i dont know is.

It would have been nice to hear this earlier Shawn. If you're IRC has been targetted by them before then it would seem that there is a good chance this is what has happened here.

As for how I came up with the link, well you're signature does seem to indicate some association with them, whether that is rightly or wrongly so, it's at least an incovenient coincidence.

And it would seem they (sic: Forever Hacking) are a bunch o kiddies. Hopefully some day they'll grow up.

BTW Goauld , what you are refering to as "link" in Shawns signature is , in fact , not a link at all just information about his status on that server.
If you run your mouse over it you'll see that there is no link attached to it.
Just an FYI.

Hehehe, I didn't mean a web link - I implied a social link, it would seem wrongly so, but it's easy to see how that mistake coudl be made, I would hope...

You have never once stated that you made a visit to our IRC server - given the 'matter of fact' tone of your posts, it's obvious you would have stated as such.

HOW DO YOU BELIEVE THIS TROJAN MADE ITS WAY ONTO YOUR COMPUTER? Please, you've got me really curious now. Just answer this one question, don't skip it again. If you only have theories, then please state those. I believe your answer will demonstrate a misunderstanding that can easily be rectified.

I'm still waiting for an answer on how you know it made a connection to a specific IRC channel, as well. Heck, I'd like to know how you know it made a connection to anything at all.

There is no "social link". the "foreverhacking" i am ascociated with is NOT the same "Forever-Hacking" that seems to be hacking YOU.

I have since removed the IRC client I was using, but from my recollection on the 28/07, I had connected to the EQEmu IRC, whereupon I found myself in an apparently empty channel (EQEMU) and was unable to chat.

Perhaps this is where you can help me to better understand the possible delivery method here. Is it possible for someone to setup a redirect from your channel, or is this merely likely to be due to the use of a bot?

I did post elsewhere on this forum, regarding an apparent problem I encountered on IRC - this being that I appeared to be in the EQEMU channel on my own as an Op. What made this stick in my mind was the fact that it was a connection to an existing channel, but I was the only member present...

The EQEmu channel is never empty. and even if it was, it's registered so that you would not become an OP if you were the only person in the room. Usually when channels are not registered the first person to visit the room gets OP'd. The fact that the room OP'd you makes me believe the channel was not there until you joined it. so you could have joined a non-eqemu IRC server (note the term "server") and joined a channel that was not there to begin with. This could mean anything.

If what you speak is true then you were not connected to the official EQEmu server (irc.eqemu.net).

Beyond that, speculation is up to you. this topic need not go any further..

I'll let you reply again since this is your thread, then i'm going to lock it.

I hear what you're saying but I definitley connected to irc.eqemu.net

<shrugs>

maybe that was part of the virus... making you think you were connected to an irc server that you were not? *shrug*.. all i know is #eqemu is never empty.