OSEC

From: Roger Thompson (rogert_at_mindspring.com)
Date: Mon Sep 09 2002 - 16:00:37 CDT


At 03:33 PM 9/8/2002 +0000, HalbaSus wrote:
>I searched info about b.cgi on google and it says it's a worm that tries to
>connect to a few listed sites, get some encrypted commands and execute them
>on the virused host.

This is a characteristic of the W32/Frethem worm.

>But why would he connect to my site ? (I even noticed such entries on my home
>dial-up system). I suspect it's some worm/scanner (like codered 'n stuff) but
>what vulnerability could someone find in b.cgi ?

It's not looking for a vulnerability. It's making a call to the web server
that's supposed to be on the target IP. It's either passing it some
encrypted information, or asking for some code to be downloaded. Or both.
No one knows, except the author and his buddies, and they're not saying.

No one knows what the deal with the web server is either. It could be that
the worm itself listens on port 80, but I don't recall seeing that when I
initially looked at it.

When Frethem first emerged, the anti-virus community made a pretty good
effort to try to get a copy of b.cgi, but we never could. Most of the boxes
appeared to be DSL or cable, and probably compromised. Personally, I
concluded that there probably was no b.cgi - just a specialized app,
written by the virus author, listening on port 80, and servicing requests
to b.cgi. A way of distributing control.

The odd thing is that you should suddenly see them. Are you on some sort of
DHCP setup, where you might have stumbled onto one of the target IPs? One
of my WormCatcher nodes is on DHCP, and a few days ago got a good blast
from Frethem-infected machines. It shows up on the "Monthly Filtered
Activity" graph, at http://www.wormwatch.org/traffic/monthly/filtered.shtml
Prior to that, I had thought it was probably extinct.

Roger

Regards

Roger Thompson
Technical Director of Malicious Code Research
TruSecure Corporation
www.trusecure.com
www.wormwatch.org
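An added example, not part of this post or of any tool named in it: a small Python scan over constructed Apache combined-format access log lines that groups requests for b.cgi by source address and records whether anything on this host actually answered them. A 404 is just a probe from an infected client; a 2xx would mean something here served b.cgi, the situation Roger describes, and is the case worth investigating first.

```python
import re
from collections import defaultdict

# Constructed sample log lines in Apache combined format (not taken from the post).
SAMPLE_LOG = """\
192.0.2.10 - - [08/Sep/2002:03:10:11 +0000] "GET /b.cgi HTTP/1.0" 404 276 "-" "-"
192.0.2.10 - - [08/Sep/2002:03:10:42 +0000] "GET /b.cgi HTTP/1.0" 404 276 "-" "-"
198.51.100.7 - - [08/Sep/2002:03:12:05 +0000] "POST /b.cgi HTTP/1.0" 404 276 "-" "-"
203.0.113.5 - - [08/Sep/2002:03:13:30 +0000] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/4.0"
198.51.100.7 - - [08/Sep/2002:03:15:59 +0000] "GET /cgi-bin/b.cgi?x=abc HTTP/1.0" 200 512 "-" "-"
"""

# Fields of the combined log format up to the response size; referer and agent are ignored.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)


def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_bcgi_probes(log_text):
    """Summarise, per source IP, every request whose path ends in b.cgi.

    'served' becomes True if any such request got a 2xx, i.e. something on this
    host answered a b.cgi request rather than returning 404.
    """
    per_ip = defaultdict(lambda: {"count": 0, "served": False, "first": None})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        path = rec["path"].split("?", 1)[0]  # drop any query string before matching
        if not path.endswith("/b.cgi"):
            continue
        entry = per_ip[rec["ip"]]
        entry["count"] += 1
        entry["first"] = entry["first"] or rec["ts"]
        if rec["status"].startswith("2"):
            entry["served"] = True
    return dict(per_ip)


if __name__ == "__main__":
    for ip, info in find_bcgi_probes(SAMPLE_LOG).items():
        flag = "SERVED - investigate" if info["served"] else "probe only (404)"
        print(f"{ip}: {info['count']} request(s), first {info['first']}, {flag}")
```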

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com