Lucene search
K

Bugbear.B Worm Detection

🗓️ 11 Jun 2003 00:00:00Reported by TenableType 
nessus
 nessus
🔗 www.tenable.com👁 109 Views

Detect potential Bugbear.B Worm on port 1080, which may compromise sensitive information.

Code
#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description)
{
 script_id(11733);
 script_version("$Revision: 1.12 $");
 script_cvs_date("$Date: 2013/05/03 18:30:33 $");

 script_name(english:"Bugbear.B Worm Detection");
 script_summary(english:"Detect Bugbear.B Worm Detection");

 script_set_attribute(attribute:"synopsis", value:"The remote host may have been compromised.");
 script_set_attribute(attribute:"description", value:
"The BugBear.B backdoor appears to be listening on this port.  An
attacker may connect to it to retrieve secret information such as
passwords, credit card numbers, etc. 

The BugBear.B worm includes a keylogger and can kill antivirus and
firewall software.  It propagates through email and open Windows
shares.");
 script_set_attribute(attribute:"solution", value:
"- Use an antivirus package to remove it.
- Close your Windows shares
- See http://www.symantec.com/avcenter/venc/data/[email protected]");
 script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");

 script_set_attribute(attribute:"plugin_publication_date", value:"2003/06/11");

 script_set_attribute(attribute:"plugin_type", value:"remote");
 script_end_attributes();

 script_category(ACT_GATHER_INFO);

 script_copyright(english:"This script is Copyright (C) 2003-2013 Tenable Network Security, Inc.");
 script_family(english:"Backdoors");

 script_dependencies("find_service2.nasl");
 script_require_ports(1080);
 exit(0);
}

#
include("audit.inc");
include("global_settings.inc");
include("misc_func.inc");


#
# bugbear.b is bound to port 1080. It sends data which seems to
# be host-specific when it receives the letter "p"
#
port = 1080;
if (!get_port_state(port)) audit(AUDIT_PORT_CLOSED, port);
if (known_service(port:port)) exit(0, "The service listening on port "+port+" is known.");


soc = open_sock_tcp(port);
if (!soc) audit(AUDIT_SOCK_FAIL, port);
send(socket:soc, data:"p");
r = recv(socket: soc, length: 308);
close(soc);
if (!strlen(r)) exit(0, "The service listening on port "+port+" did not respond when sent a 'p'.");


soc = open_sock_tcp(port);
if (!soc) audit(AUDIT_SOCK_FAIL, port);
send(socket: soc, data: "x");
r2 = recv(socket: soc, length: 308);
if (strlen(r2)) exit(0, "The service listening on port "+port+" did respond when sent an 'x'.");
close(soc);


if (strlen(r) > 10)
{
 security_hole(port);
 register_service(port: port, proto: "bugbear_b");
 exit(0);
}
else exit(0, "The service listening on port "+port+" does not appear to be Bugbear.B.");

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

03 May 2013 18:30Current
5.5Medium risk
Vulners AI Score5.5
109