RE: [NEW] bugbear_b.nasl

From: larosa, vjay (larosa_vjayat_private)
Date: Wed Jun 11 2003 - 09:11:28 PDT


    Hello Renaud,
    
    Here is the snort output from me connecting to port 1080 and typing p. This
    system was infected with BugBear.b. 
    
    Thanks!
    
    vjl
    
    06/11-12:10:46.192021 10.0.0.11:32777 -> 10.0.0.10:1080
    TCP TTL:64 TOS:0x10 ID:19843 IpLen:20 DgmLen:55 DF
    ***AP*** Seq: 0xD26EBAF3  Ack: 0xC2C12F0F  Win: 0x16D0  TcpLen: 32
    TCP Options (3) => NOP NOP TS: 37687915 0
    0x0000: 00 02 A5 32 52 82 00 D0 59 1A 65 D2 08 00 45 10  ...2R...Y.e...E.
    0x0010: 00 37 4D 83 40 00 40 06 D9 19 0A 00 00 0B 0A 00  .7M.@.@.........
    0x0020: 00 0A 80 09 04 38 D2 6E BA F3 C2 C1 2F 0F 80 18  .....8.n..../...
    0x0030: 16 D0 B9 A1 00 00 01 01 08 0A 02 3F 12 6B 00 00  ...........?.k..
    0x0040: 00 00 70 0D 0A                                   ..p..
    
    =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
    
    06/11-12:10:46.192504 10.0.0.10:1080 -> 10.0.0.11:32777
    TCP TTL:128 TOS:0x0 ID:98 IpLen:20 DgmLen:308 DF
    ***AP*** Seq: 0xC2C12F0F  Ack: 0xD26EBAF6  Win: 0x446D  TcpLen: 32
    TCP Options (3) => NOP NOP TS: 8012 37687915
    0x0000: 00 D0 59 1A 65 D2 00 02 A5 32 52 82 08 00 45 00  ..Y.e....2R...E.
    0x0010: 01 34 00 62 40 00 80 06 E5 4D 0A 00 00 0A 0A 00  .4.b@....M......
    0x0020: 00 0B 04 38 80 09 C2 C1 2F 0F D2 6E BA F6 80 18  ...8..../..n....
    0x0030: 44 6D 6B 61 00 00 01 01 08 0A 00 00 1F 4C 02 3F  Dmka.........L.?
    0x0040: 12 6B 45 2E 04 53 6F 16 0A A6 2B E6 C4 A0 4A A0  .kE..So...+...J.
    0x0050: 27 C8 B3 1D EB B7 3D 22 FD F2 A0 9B 2C F0 B9 DA  '.....="....,...
    0x0060: F5 BC 22 5D 0C 92 82 9A 73 69 82 11 EB 18 98 95  .."]....si......
    0x0070: 0B 37 96 2B F3 55 D7 EE FA AE 93 CB B8 09 99 DB  .7.+.U..........
    0x0080: 7E 99 66 76 F5 0B 67 E3 2B EA 39 73 BD A4 B0 16  ~.fv..g.+.9s....
    0x0090: FA 14 8B 28 82 58 E8 3C 15 3C 8C 90 55 92 3F 75  ...(.X.<.<..U.?u
    0x00A0: 1D DF 23 E1 72 13 9B 56 14 0A E1 EA 9B C4 E5 EC  ..#.r..V........
    0x00B0: 3F 35 E7 BB C9 A5 EE B4 45 95 D2 C4 B4 5B 15 CD  ?5......E....[..
    0x00C0: 97 E1 1E 73 BF 67 21 A0 34 9B ED 32 0A C2 E0 8E  ...s.g!.4..2....
    0x00D0: 80 6C 74 92 C0 0E CA B6 AF 30 A6 75 F0 19 C6 65  .lt......0.u...e
    0x00E0: 47 6B 2E EB EB 84 42 AF D5 44 40 C0 EF 79 0A 06  Gk....B..D@..y..
    0x00F0: E7 E7 CC D8 51 81 53 44 09 E9 68 1C 02 E5 3A 98  ....Q.SD..h...:.
    0x0100: 9F BD A7 35 64 DC EA DA BE 66 9B B3 B1 93 C1 4E  ...5d....f.....N
    0x0110: 20 03 78 6E 7E A8 DF 65 27 C0 0A 5E 75 49 57 BC   .xn~..e'..^uIW.
    0x0120: 27 A8 9C CD E6 AA 9B 50 B1 16 ED FB 05 7E 2B D8  '......P.....~+.
    0x0130: 10 FC 5D 27 48 1F 2C 87 82 D3 3C F4 09 83 04 FA  ..]'H.,...<.....
    0x0140: B2 5C                                            .\
    
    =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
    
    06/11-12:10:46.192568 10.0.0.11:32777 -> 10.0.0.10:1080
    TCP TTL:64 TOS:0x10 ID:19844 IpLen:20 DgmLen:52 DF
    ***A**** Seq: 0xD26EBAF6  Ack: 0xC2C1300F  Win: 0x1920  TcpLen: 32
    TCP Options (3) => NOP NOP TS: 37687915 8012
    0x0000: 00 02 A5 32 52 82 00 D0 59 1A 65 D2 08 00 45 10  ...2R...Y.e...E.
    0x0010: 00 34 4D 84 40 00 40 06 D9 1B 0A 00 00 0B 0A 00  .4M.@.@.........
    0x0020: 00 0A 80 09 04 38 D2 6E BA F6 C2 C1 30 0F 80 10  .....8.n....0...
    0x0030: 19 20 11 1B 00 00 01 01 08 0A 02 3F 12 6B 00 00  . .........?.k..
    0x0040: 1F 4C                                            .L
    
    =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
    
    06/11-12:10:46.192679 10.0.0.10:1080 -> 10.0.0.11:32777
    TCP TTL:128 TOS:0x0 ID:99 IpLen:20 DgmLen:106 DF
    ***AP*** Seq: 0xC2C1300F  Ack: 0xD26EBAF6  Win: 0x446D  TcpLen: 32
    TCP Options (3) => NOP NOP TS: 8012 37687915
    0x0000: 00 D0 59 1A 65 D2 00 02 A5 32 52 82 08 00 45 00  ..Y.e....2R...E.
    0x0010: 00 6A 00 63 40 00 80 06 E6 16 0A 00 00 0A 0A 00  .j.c@...........
    0x0020: 00 0B 04 38 80 09 C2 C1 30 0F D2 6E BA F6 80 18  ...8....0..n....
    0x0030: 44 6D E5 67 00 00 01 01 08 0A 00 00 1F 4C 02 3F  Dm.g.........L.?
    0x0040: 12 6B 06 AA F1 21 EE B1 CF A0 6F 02 35 49 36 E1  .k...!....o.5I6.
    0x0050: B6 96 C8 8E 32 4E 63 AE 91 22 6C 46 FB 3B 9E 3D  ....2Nc.."lF.;.=
    0x0060: F1 8D A6 9E A1 EB 65 0A 6D 1B 73 6E 3A 2D 31 30  ......e.m.sn:-10
    0x0070: 30 33 38 31 36 38 39 31                          03816891
    
    =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
    
    06/11-12:10:46.192700 10.0.0.11:32777 -> 10.0.0.10:1080
    TCP TTL:64 TOS:0x10 ID:19845 IpLen:20 DgmLen:52 DF
    ***A**** Seq: 0xD26EBAF6  Ack: 0xC2C13045  Win: 0x1920  TcpLen: 32
    TCP Options (3) => NOP NOP TS: 37687915 8012
    0x0000: 00 02 A5 32 52 82 00 D0 59 1A 65 D2 08 00 45 10  ...2R...Y.e...E.
    0x0010: 00 34 4D 85 40 00 40 06 D9 1A 0A 00 00 0B 0A 00  .4M.@.@.........
    0x0020: 00 0A 80 09 04 38 D2 6E BA F6 C2 C1 30 45 80 10  .....8.n....0E..
    0x0030: 19 20 10 E5 00 00 01 01 08 0A 02 3F 12 6B 00 00  . .........?.k..
    0x0040: 1F 4C                                            .L
    
    =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
    
    -----Original Message-----
    From: larosa, vjay [mailto:larosa_vjayat_private] 
    Sent: Tuesday, June 10, 2003 2:10 PM
    To: 'Renaud Deraison'; plugins-writersat_private
    Subject: RE: [NEW] bugbear_b.nasl
    
    Okay, we are getting a live copy of the virus in a little bit. The tech has
    already cleaned the system I was playing with. I will send you the output as
    soon as I can.
    
    vjl
    
    -----Original Message-----
    From: Renaud Deraison [mailto:deraisonat_private] 
    Sent: Tuesday, June 10, 2003 2:02 PM
    To: plugins-writersat_private
    Subject: Re: [NEW] bugbear_b.nasl
    
    On Tue, Jun 10, 2003 at 07:53:17PM +0200, Pavel Kankovsky wrote:
    > On Tue, 10 Jun 2003, Renaud Deraison wrote:
    > 
    > > According to the reference in Vincent's plugin, it's possible to launch
    > > a web server on an arbitrary port, so I added the plugin, which now
    > > looks for every web server, not only port 81.
    > 
    > Infected hosts I've seen so far had no HTTP port open.
    > Perhaps the web server has to be activated explicitly (via 1080?)?
    
    Yes, it has to be (it's what I meant by "it's possible to launch a web
    server on an arbitrary port")
    
    
    				-- Renaud
    
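    The exchange in the capture above, decoded back into application-layer bytes.
    This is an added example and is not part of the original post or of the
    bugbear_b.nasl plugin; it parses the Snort hex-dump format (Ethernet, IPv4 and
    TCP headers, with the IP header checksum verified so a mis-transcribed byte
    shows up as an error rather than as a bogus payload) and returns what the
    listener on port 1080 actually sent back after the single "p" line. The three
    data-carrying packets are copied verbatim from the dump above; the two ACK-only
    packets and the per-packet TTL/Seq/Options lines are left out because the
    parser only needs the timestamp line (packet start) and the 0x.... hex lines.
    The ASCII tail "sn:-1003816891" visible in the dump is left uninterpreted, as the
    thread does not say what it is.

```python
"""Decode the Snort hex dump above back into TCP payloads (added example, not
part of the original post or of bugbear_b.nasl). Standard library only."""
import re
import struct
from collections import namedtuple

# Sample input copied from the capture above: the three data-carrying packets.
# Only the timestamp line (packet start) and the 0x.... hex lines are needed.
SNORT_DUMP = r"""
06/11-12:10:46.192021 10.0.0.11:32777 -> 10.0.0.10:1080
0x0000: 00 02 A5 32 52 82 00 D0 59 1A 65 D2 08 00 45 10  ...2R...Y.e...E.
0x0010: 00 37 4D 83 40 00 40 06 D9 19 0A 00 00 0B 0A 00  .7M.@.@.........
0x0020: 00 0A 80 09 04 38 D2 6E BA F3 C2 C1 2F 0F 80 18  .....8.n..../...
0x0030: 16 D0 B9 A1 00 00 01 01 08 0A 02 3F 12 6B 00 00  ...........?.k..
0x0040: 00 00 70 0D 0A                                   ..p..
06/11-12:10:46.192504 10.0.0.10:1080 -> 10.0.0.11:32777
0x0000: 00 D0 59 1A 65 D2 00 02 A5 32 52 82 08 00 45 00  ..Y.e....2R...E.
0x0010: 01 34 00 62 40 00 80 06 E5 4D 0A 00 00 0A 0A 00  .4.b@....M......
0x0020: 00 0B 04 38 80 09 C2 C1 2F 0F D2 6E BA F6 80 18  ...8..../..n....
0x0030: 44 6D 6B 61 00 00 01 01 08 0A 00 00 1F 4C 02 3F  Dmka.........L.?
0x0040: 12 6B 45 2E 04 53 6F 16 0A A6 2B E6 C4 A0 4A A0  .kE..So...+...J.
0x0050: 27 C8 B3 1D EB B7 3D 22 FD F2 A0 9B 2C F0 B9 DA  '.....="....,...
0x0060: F5 BC 22 5D 0C 92 82 9A 73 69 82 11 EB 18 98 95  .."]....si......
0x0070: 0B 37 96 2B F3 55 D7 EE FA AE 93 CB B8 09 99 DB  .7.+.U..........
0x0080: 7E 99 66 76 F5 0B 67 E3 2B EA 39 73 BD A4 B0 16  ~.fv..g.+.9s....
0x0090: FA 14 8B 28 82 58 E8 3C 15 3C 8C 90 55 92 3F 75  ...(.X.<.<..U.?u
0x00A0: 1D DF 23 E1 72 13 9B 56 14 0A E1 EA 9B C4 E5 EC  ..#.r..V........
0x00B0: 3F 35 E7 BB C9 A5 EE B4 45 95 D2 C4 B4 5B 15 CD  ?5......E....[..
0x00C0: 97 E1 1E 73 BF 67 21 A0 34 9B ED 32 0A C2 E0 8E  ...s.g!.4..2....
0x00D0: 80 6C 74 92 C0 0E CA B6 AF 30 A6 75 F0 19 C6 65  .lt......0.u...e
0x00E0: 47 6B 2E EB EB 84 42 AF D5 44 40 C0 EF 79 0A 06  Gk....B..D@..y..
0x00F0: E7 E7 CC D8 51 81 53 44 09 E9 68 1C 02 E5 3A 98  ....Q.SD..h...:.
0x0100: 9F BD A7 35 64 DC EA DA BE 66 9B B3 B1 93 C1 4E  ...5d....f.....N
0x0110: 20 03 78 6E 7E A8 DF 65 27 C0 0A 5E 75 49 57 BC   .xn~..e'..^uIW.
0x0120: 27 A8 9C CD E6 AA 9B 50 B1 16 ED FB 05 7E 2B D8  '......P.....~+.
0x0130: 10 FC 5D 27 48 1F 2C 87 82 D3 3C F4 09 83 04 FA  ..]'H.,...<.....
0x0140: B2 5C                                            .\
06/11-12:10:46.192679 10.0.0.10:1080 -> 10.0.0.11:32777
0x0000: 00 D0 59 1A 65 D2 00 02 A5 32 52 82 08 00 45 00  ..Y.e....2R...E.
0x0010: 00 6A 00 63 40 00 80 06 E6 16 0A 00 00 0A 0A 00  .j.c@...........
0x0020: 00 0B 04 38 80 09 C2 C1 30 0F D2 6E BA F6 80 18  ...8....0..n....
0x0030: 44 6D E5 67 00 00 01 01 08 0A 00 00 1F 4C 02 3F  Dm.g.........L.?
0x0040: 12 6B 06 AA F1 21 EE B1 CF A0 6F 02 35 49 36 E1  .k...!....o.5I6.
0x0050: B6 96 C8 8E 32 4E 63 AE 91 22 6C 46 FB 3B 9E 3D  ....2Nc.."lF.;.=
0x0060: F1 8D A6 9E A1 EB 65 0A 6D 1B 73 6E 3A 2D 31 30  ......e.m.sn:-10
0x0070: 30 33 38 31 36 38 39 31                          03816891
"""

PKT_START = re.compile(r"^\d\d/\d\d-\d\d:\d\d:\d\d\.\d+ ")
HEX_LINE = re.compile(r"^0x[0-9A-Fa-f]{4}: ")
Packet = namedtuple("Packet", "src sport dst dport flags ip_checksum_ok payload")

def _ip_checksum_ok(hdr):
    # One's-complement sum over the header, checksum field included, folds to 0xFFFF.
    total = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total == 0xFFFF

def _decode_frame(frame):
    if frame[12:14] != b"\x08\x00":
        raise ValueError("not an IPv4 frame")
    ip = frame[14:]
    ihl, total_len = (ip[0] & 0x0F) * 4, struct.unpack("!H", ip[2:4])[0]
    if len(ip) != total_len or ip[9] != 6:  # mis-transcribed dump, or not TCP
        raise ValueError("IP length/protocol mismatch")
    tcp = ip[ihl:total_len]
    sport, dport = struct.unpack("!HH", tcp[:4])
    data_off = (tcp[12] >> 4) * 4          # TCP header length incl. options
    dotted = lambda a: ".".join(str(b) for b in a)
    return Packet(dotted(ip[12:16]), sport, dotted(ip[16:20]), dport,
                  tcp[13], _ip_checksum_ok(ip[:ihl]), tcp[data_off:])

def parse_snort_dump(text):
    # The hex field is fixed-width (columns 8..54); the ASCII column is ignored,
    # so bytes that happen to print as hex digits cannot be double-counted.
    packets, hexbuf = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if PKT_START.match(line) and hexbuf:
            packets.append(_decode_frame(bytes.fromhex("".join(hexbuf))))
            hexbuf = []
        elif HEX_LINE.match(line):
            hexbuf.append(line[8:55].replace(" ", ""))
    if hexbuf:
        packets.append(_decode_frame(bytes.fromhex("".join(hexbuf))))
    return packets

def server_reply(packets, port=1080):
    # Everything the listener on `port` sent back, in capture order.
    return b"".join(p.payload for p in packets if p.sport == port)

if __name__ == "__main__":
    for p in parse_snort_dump(SNORT_DUMP):
        print(f"{p.src}:{p.sport} -> {p.dst}:{p.dport} flags=0x{p.flags:02x} "
              f"ipcsum={'ok' if p.ip_checksum_ok else 'BAD'} payload={p.payload[:16]!r}...")
```

    Run as-is it prints one line per packet: the client's 3-byte "p\r\n", then a
    256-byte reply and a 54-byte reply from 10.0.0.10:1080, all PSH|ACK with valid
    IP checksums. Payload offsets are taken from the IHL and TCP data-offset
    fields rather than assumed, which matters here because every segment carries
    12 bytes of timestamp options.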
    This archive was generated by hypermail 2b30 : Wed Jun 11 2003 - 09:12:37 PDT