Re: weird b.cgi

From: Roger Thompson (rogertat_private)
Date: Mon Sep 09 2002 - 14:00:37 PDT


    At 03:33 PM 9/8/2002 +0000, HalbaSus wrote:
    >I searched info about b.cgi on google and it says it's a worm that tries to
    >connect to a few listed sites, get some encrypted commands and execute them
    >on the virused host.
    
    This is a characteristic of the W32/Frethem worm.
    
    >But why would he connect to my site ? (I even noticed such entries on my home
    >dial-up system). I suspect it's some worm/scanner (like codered 'n stuff) but
    >what vulnerability could someone find in b.cgi ?
    
    It's not looking for a vulnerability. It's making a call to the web server 
    that's supposed to be on the target IP. It's either passing it some 
    encrypted information, or asking for some code to be downloaded. Or both. 
    No one knows, except the author and his buddies, and they're not saying.
    
    No one knows what the deal with the web server is either. It could be that 
    the worm itself listens on port 80, but I don't recall seeing that when I 
    initially looked at it.
    
    When Frethem first emerged, the anti-virus community made a pretty good 
    effort to try to get a copy of b.cgi, but we never could. Most of the boxes 
    appeared to be DSL or cable, and probably compromised. Personally, I 
    concluded that there probably was no b.cgi - just a specialized app, 
    written by the virus author, listening on port 80, and servicing requests 
    to b.cgi. A way of distributing control.
    
    The odd thing is that you should suddenly see them. Are you on some sort of 
    DHCP setup, where you might have stumbled onto one of the target IPs? One 
    of my WormCatcher nodes is on DHCP, and a few days ago got a good blast 
    from Frethem-infected machines. It shows up on the "Monthly Filtered 
    Activity" graph, at http://www.wormwatch.org/traffic/monthly/filtered.shtml 
    Prior to that, I had thought it was probably extinct.
    
    Roger
    
    Regards
    
    Roger Thompson
    Technical Director of Malicious Code Research
    TruSecure Corporation
    www.trusecure.com
    www.wormwatch.org
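The requests Roger describes, a client calling /b.cgi on whatever web server sits at the target IP, leave a trail in ordinary access logs. The following is an added example, not code from the thread or from TruSecure: it parses constructed Apache combined-format log lines, groups b.cgi requests by source address, and flags any that were actually served with a 2xx, since on a normal server these should all be 404s and a success would mean something on the host is answering the worm.

```python
import re
from collections import defaultdict

# Constructed sample log lines (Apache combined format); not from the original thread.
SAMPLE_LOG = """\
10.0.0.5 - - [08/Sep/2002:15:31:02 +0000] "GET /b.cgi HTTP/1.0" 404 209 "-" "-"
10.0.0.9 - - [08/Sep/2002:15:31:40 +0000] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/4.0"
10.0.0.5 - - [08/Sep/2002:15:33:17 +0000] "GET /b.cgi?x=QWxhZGRpbg HTTP/1.0" 404 209 "-" "-"
10.0.0.7 - - [08/Sep/2002:15:35:50 +0000] "POST /b.cgi HTTP/1.0" 404 209 "-" "-"
"""

# Source IP, timestamp, request line (method + path) and status code of one combined-format entry.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_line(line):
    """Return a dict for one access-log line, or None if it does not match the format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def find_bcgi_probes(log_text):
    """Map source IP -> list of requests whose script path is /b.cgi (query string ignored)."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        # Compare the script name only; anything after '?' is whatever the client is passing.
        if rec["path"].split("?", 1)[0].lower().endswith("/b.cgi"):
            hits[rec["ip"]].append(rec)
    return dict(hits)


def summarize(log_text):
    """Per-source count of b.cgi probes, plus whether any probe got a 2xx (worth investigating)."""
    return {
        ip: {"count": len(recs), "served": any(200 <= r["status"] < 300 for r in recs)}
        for ip, recs in find_bcgi_probes(log_text).items()
    }


if __name__ == "__main__":
    for ip, summary in summarize(SAMPLE_LOG).items():
        print(ip, summary)
```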
    
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
    