Merit Network
Can't find what you're looking for? Search the Mail Archives.
  About Merit   Services   Network   Resources & Support   Network Research   News   Events   Home

Discussion Communities: Merit Network Email List Archives

North American Network Operators Group

Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

Re: W32/Sobig-F - Halflife correlation ???

  • From: Robert Blayzor
  • Date: Sat Aug 23 08:07:43 2003

On 8/23/03 7:17 AM, "Darren Smith" <data@barrysworld.com> wrote:

> They were trying to hit servers in multiple subnets, all on ports 270XX.

I'm not sure on this.  Lots of gaming servers use the 270XX UDP range.
Quake3, HL, etc.

It may be possible it's just probing for other HL servers running on
different ports.  A lot of these games also use the same gaming engine for
the network and graphics abilities, so it's possible HL may not be the only
"game server" in the mix, it may be any game that uses the HL engine.  I
know there are several out there, Counterstrike being one of them.

So if it's not looking for a HL only exploit, I'd bet it's trying to get the
infected machines to link up and communicate via the network of gaming
servers.  This could be very bad because there could be virtually no way to
stop this other than taking down the "Game Spy" type networks so the
computers can't find each other.

--
Robert Blayzor, BOFH
INOC, LLC
rblayzor@inoc.net
PGP: http://www.inoc.net/~dev/
Key fingerprint = A445 7D1E 3D4F A4EF 6875  21BB 1BAA 10FE 5748 CFE9

"Oh my God, Space Aliens!!  Don't eat me, I have a wife and kids!
                Eat them!"  -- Homer J. Simpson






Discussion Communities


About Merit | Services | Network | Resources & Support | Network Research
News | Events | Contact | Site Map | Merit Network Home


Merit Network, Inc.