nanog mailing list archives
Re: W32/Sobig-F - Halflife correlation ???
From: "Darren Smith" <data () barrysworld com>
Date: Sat, 23 Aug 2003 12:17:32 +0100
Hi

I popped onto #nanog on efnet last night reporting UDP 'Gaming' Traffic hitting our services from those 20 boxes and got laughed at for suggesting "game" traffic; I'm glad someone else noticed it too!

We run lots of Game Servers in the UK and most of the CS ones were getting traffic from those 20 boxes (blocked with an ACL) - I'll have to check through my netflow logs for more details.

Also, "Stephen J. Wilcox" saw traffic destined for his CS Servers. They were trying to hit servers in multiple subnets, all on ports 270XX.

Best Regards
Darren Smith
Game Digital Ltd

----- Original Message -----
From: "Robert Blayzor" <rblayzor () inoc net>
To: "Matthew E. Martini" <martini () invision net>; "North American Network Operators Group" <nanog () merit edu>
Sent: Saturday, August 23, 2003 3:05 AM
Subject: Re: W32/Sobig-F - Halflife correlation ???
On 8/22/03 8:50 PM, "Matt Martini" <martini () invision net> wrote:

> I've scanned my Netflow logs for activity associated with the 20 machines that SoBig was targeting and I found some very curious activity.

If what you claim is correct, this could be very bad. The virus is already there on many infected machines; it just needs a way to communicate with other infected hosts to coordinate its bidding. IRC has been a weak link for viruses as they can usually be tracked and stopped in short order, however with gaming machines, it may be a little bit harder.

Maybe there are no master servers. Maybe it doesn't need one. Perhaps it just uses a network like Game Spy to find public Halflife (or other gaming) servers to get the viruses to "link" together. Infected boxes would then communicate on random Halflife servers all over the net (there are thousands of them). Maybe the clients don't find the masters, maybe the masters find the clients. Maybe the list of "20 servers" was just a decoy of sorts. It would be nearly impossible to track the source of who is controlling the infected boxes. Clever...

--
Robert Blayzor, BOFH
INOC, LLC
rblayzor () inoc net
PGP: http://www.inoc.net/~dev/
Key fingerprint = A445 7D1E 3D4F A4EF 6875 21BB 1BAA 10FE 5748 CFE9

"If I had it all to do over again, I'd spell creat with an "e"." - Kernighan
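The netflow check Darren and Matt describe, written out as an added example (not code from either poster or from NANOG): it flags UDP flows from a watchlist of suspect sources to the 270XX Half-Life/CS ports and reports how many destination /24s each source reached. The watchlist addresses and flow records are constructed stand-ins from documentation ranges, not the real 20 hosts.

```python
"""Flag netflow-style records matching the pattern reported in the thread:
UDP flows from a watchlist of suspect hosts to Half-Life/CS ports 270XX,
spread across several destination subnets. All data here is constructed."""
import ipaddress
from collections import defaultdict

# Constructed watchlist standing in for the "20 boxes" (documentation ranges).
WATCHLIST = {"192.0.2.10", "192.0.2.11", "198.51.100.7"}

# Constructed flow records: src_ip dst_ip proto sport dport packets bytes
SAMPLE_FLOWS = """\
192.0.2.10 203.0.113.5 17 1047 27015 12 1800
192.0.2.10 203.0.113.77 17 1047 27016 9 1350
192.0.2.10 203.0.114.9 17 1048 27015 30 4500
192.0.2.11 203.0.113.5 17 2000 27015 4 600
198.51.100.7 203.0.113.5 6 40000 80 3 220
203.0.113.200 203.0.113.5 17 27005 27015 50 7500
192.0.2.11 203.0.115.2 17 2001 27020 6 900
"""

GAME_PORT_RANGE = range(27000, 27100)  # the "270XX" UDP ports in the report

def parse_flows(text):
    """Turn whitespace-separated flow lines into dicts."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        src, dst, proto, sport, dport, pkts, byts = line.split()
        flows.append({"src": src, "dst": dst, "proto": int(proto),
                      "sport": int(sport), "dport": int(dport),
                      "packets": int(pkts), "bytes": int(byts)})
    return flows

def flag_game_port_flows(flows, watchlist=WATCHLIST):
    """Keep UDP (proto 17) flows from a watchlisted source to a 270XX port."""
    return [f for f in flows
            if f["proto"] == 17 and f["src"] in watchlist
            and f["dport"] in GAME_PORT_RANGE]

def subnet_spread(flagged):
    """Per source: how many distinct destination /24s it reached."""
    nets = defaultdict(set)
    for f in flagged:
        nets[f["src"]].add(ipaddress.ip_network(f["dst"] + "/24", strict=False))
    return {src: len(s) for src, s in nets.items()}

if __name__ == "__main__":
    for src, n in sorted(subnet_spread(flag_game_port_flows(parse_flows(SAMPLE_FLOWS))).items()):
        print(f"{src}: {n} destination /24s hit on UDP 270XX")
```

A source that hits many /24s on these ports from an unrelated network is the signal worth pulling out of real netflow; a single game client talking to one server will not show that spread.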
Current thread:
- W32/Sobig-F - Halflife correlation ??? Matt Martini (Aug 22)
- Re: W32/Sobig-F - Halflife correlation ??? Robert Blayzor (Aug 22)
- Re: W32/Sobig-F - Halflife correlation ??? Darren Smith (Aug 23)
- Re: W32/Sobig-F - Halflife correlation ??? Robert Blayzor (Aug 23)
- Re: W32/Sobig-F - Halflife correlation ??? Darren Smith (Aug 23)
- Re: W32/Sobig-F - Halflife correlation ??? Darren Smith (Aug 26)
- Re: W32/Sobig-F - Halflife correlation ??? Adam 'Starblazer' Romberg (Aug 26)
- Re: W32/Sobig-F - Halflife correlation ??? Owen DeLong (Aug 28)
- Re: W32/Sobig-F - Halflife correlation ??? Darren Smith (Aug 23)
- Re: W32/Sobig-F - Halflife correlation ??? Robert Blayzor (Aug 22)