Security Incidents
mailing list archives
Re: weird b.cgi
From: Roger Thompson <rogert () mindspring com>
Date: Mon, 09 Sep 2002 17:00:37 -0400
At 03:33 PM 9/8/2002 +0000, HalbaSus wrote:
> I searched info about b.cgi on google and it says it's a worm that tries to
> connect to a few listed sites, get some encrypted commands and execute them
> on the infected host.
This is a characteristic of the W32/Frethem worm.
> But why would he connect to my site ? (I even noticed such entries on my home
> dial-up system). I suspect it's some worm/scanner (like codered 'n stuff) but
> what vulnerability could someone find in b.cgi ?
It's not looking for a vulnerability. It's making a call to the web server
that's supposed to be on the target IP. It's either passing it some
encrypted information, or asking for some code to be downloaded. Or both.
No one knows, except the author and his buddies, and they're not saying.
No one knows what the deal with the web server is either. It could be that
the worm itself listens on port 80, but I don't recall seeing that when I
initially looked at it.
When Frethem first emerged, the anti virus community made a pretty good
effort to try to get a copy of b.cgi, but we never could. Most of the boxes
appeared to be DSL or cable, and probably compromised. Personally, I
concluded that there probably was no b.cgi - just a specialized app,
written by the virus author, listening on port 80, and servicing requests
to b.cgi. A way of distributing control.
The odd thing is that you should suddenly see them. Are you on some sort of
DHCP setup, where you might have stumbled onto one of the target IPs? One
of my WormCatcher nodes is on DHCP, and a few days ago got a good blast
from Frethem-infected machines. It shows up on the "Monthly Filtered
Activity" graph, at http://www.wormwatch.org/traffic/monthly/filtered.shtml
Prior to that, I had thought it was probably extinct.
Roger
Regards
Roger Thompson
Technical Director of Malicious Code Research
TruSecure Corporation
www.trusecure.com
www.wormwatch.org
----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
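The request pattern discussed in this thread (a worm issuing HTTP requests for b.cgi against hosts that never had such a script) is easy to pull out of an ordinary web server access log. The following is an added example, not code from Roger Thompson's post, TruSecure or WormWatch: it parses Apache combined-format log lines, keeps only requests whose path ends in b.cgi, and summarizes them per source address, recording any query string the caller sent and whether the server ever answered with a success status (a 2xx or 3xx on b.cgi would mean something on the host actually serviced the request, which is the situation the post speculates about for the infected DSL and cable boxes). The log lines below are constructed for the example; the query string values are placeholders, not real Frethem traffic.

```python
import re
from collections import Counter, defaultdict
from urllib.parse import urlsplit

# Constructed Apache combined-format access log (not real Frethem traffic).
# Query strings are placeholders; the last line is deliberately malformed.
SAMPLE_LOG = """\
10.0.0.5 - - [08/Sep/2002:15:33:02 +0000] "GET /b.cgi?id=AAAA HTTP/1.0" 404 291 "-" "-"
10.0.0.5 - - [08/Sep/2002:15:33:04 +0000] "GET /b.cgi?id=AAAA HTTP/1.0" 404 291 "-" "-"
192.0.2.77 - - [08/Sep/2002:15:40:11 +0000] "GET /index.html HTTP/1.1" 200 4512 "-" "Mozilla/4.0"
198.51.100.9 - - [08/Sep/2002:16:02:45 +0000] "GET /b.cgi HTTP/1.0" 404 291 "-" "-"
198.51.100.9 - - [08/Sep/2002:16:02:46 +0000] "GET /cgi-bin/b.cgi HTTP/1.0" 404 291 "-" "-"
203.0.113.4 - - [08/Sep/2002:16:10:00 +0000] "POST /b.cgi HTTP/1.0" 404 291 "-" "-"
malformed line that the parser must skip
"""

# Apache common/combined log format: client, identd, user, [timestamp],
# "METHOD target PROTOCOL", status, size (referer and user agent ignored).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)


def parse_line(line):
    """Return a dict for one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["status"] = int(entry["status"])
    return entry


def is_bcgi_request(entry):
    """True when the requested path's last component is b.cgi, in any directory."""
    path = urlsplit(entry["target"]).path
    return path.split("/")[-1].lower() == "b.cgi"


def find_bcgi_hits(log_text):
    """Parse every line, skipping malformed ones, and keep only b.cgi requests."""
    hits = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is not None and is_bcgi_request(entry):
            hits.append(entry)
    return hits


def summarize(hits):
    """Per-source summary: request count, distinct query strings, methods used,
    and whether the server ever returned a non-error status for b.cgi."""
    counts = Counter(h["ip"] for h in hits)
    queries = defaultdict(set)
    methods = defaultdict(set)
    served = defaultdict(bool)
    for h in hits:
        queries[h["ip"]].add(urlsplit(h["target"]).query)
        methods[h["ip"]].add(h["method"])
        served[h["ip"]] = served[h["ip"]] or h["status"] < 400
    return {
        ip: {
            "count": n,
            "queries": sorted(queries[ip]),
            "methods": sorted(methods[ip]),
            "served": served[ip],
        }
        for ip, n in counts.items()
    }


if __name__ == "__main__":
    for ip, info in sorted(summarize(find_bcgi_hits(SAMPLE_LOG)).items()):
        print(ip, info)
```

Run it against a real access log by replacing SAMPLE_LOG with the file contents. Sources that repeat the request every few seconds, or that carry the same opaque query string across many hosts, fit the beacon behaviour described in the post; a `served` value of True on a host you administer means something on that box answered a b.cgi request and deserves a closer look.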