North American Network Operators Group|
Date Prev | Date Next |
Date Index |
Thread Index |
Author Index |
Re: W32/Sobig-F - Halflife correlation ???
- From: Darren Smith
- Date: Sat Aug 23 07:22:45 2003
I popped onto #nanog on efnet last night reporting UDP 'Gaming' Traffic
hitting our services from those 20 boxes and got laughed at for suggesting
"game" traffic, i'm glad someone else noticed it too!
We run lots of Game Servers in the UK and most of the CS ones were getting
traffic from those 20 boxes (blocked with an ACL) - i'll have to check
through my netflow logs for more details.
Also, "Stephen J. Wilcox" saw traffic destined for his CS Servers.
They were trying to hit servers in multiple subnets, all on ports 270XX.
Game Digital Ltd
----- Original Message -----
From: "Robert Blayzor" <firstname.lastname@example.org>
To: "Matthew E. Martini" <email@example.com>; "North American Network
Operators Group" <firstname.lastname@example.org>
Sent: Saturday, August 23, 2003 3:05 AM
Subject: Re: W32/Sobig-F - Halflife correlation ???
> On 8/22/03 8:50 PM, "Matt Martini" <email@example.com> wrote:
> > I've scanned my Netflow logs for activity associated with the 20
> > machines that SoBig was targeting and I found some very curious
> > activity.
> If what you claim is correct, this could be very bad. The virus is
> there on many infected machines, it just needs a way to communicate with
> other infected hosts to coordinate it's bidding. IRC has been a weak link
> for viruses as they can usually be tracked and stopped in a short order,
> however with gaming machines, it may be a little bit harder.
> Maybe there are no master servers. Maybe it doesn't need one. Perhaps it
> just uses a network like Game Spy to find public Halflife (or other gaming
> servers) to get the viruses to "link" together. Infected boxes would the
> communicate on random Halflife servers all over the net. (there are
> thousands of them).
> Maybe the clients don't find the masters, maybe the masters find the
> clients. Maybe the list of "20 servers" was just a decoy of sorts. It
> would be nearly impossible to track the source of who is controlling the
> infected boxes.
> Robert Blayzor, BOFH
> INOC, LLC
> PGP: http://www.inoc.net/~dev/
> Key fingerprint = A445 7D1E 3D4F A4EF 6875 21BB 1BAA 10FE 5748 CFE9
> "If I had it all to do over again, I'd spell creat with an ""e"". -