Security Incidents mailing list archives

RE: Increase in Sub7 scans


From: bparis () sorrentolactalis com
Date: Tue, 12 Jun 2001 13:06:27 -0400

        On June 4th around 8:30 EDT, the popular online game server,
Battle.Net (http://www.battle.net) began restricting bots from logging onto
their servers.

        Many players had used these bots to control their private "clan
channels". Since they were no longer able to use their old bots (i.e.:
http://www.ultimatebot.com), they turned to using "binary" bots that are
able to fool the BattleNet servers into thinking that they are a player
logging onto the server instead of a bot. The vast majority of these bots
being passed around are "trojaned" with various backdoors that load Sub7
onto the victim's box, or DL Sub7 onto the victim's box.

        One popular binary bot making the rounds is Damnbot
(http://damnbot.cjb.net). Although the webpage claims to say the version
available for download is virus-free, it indeed contains a backdoor which
was caught by McAfee using their latest defs. Others floating around are
ScBot and D2SkyBot (particularly nasty).

        I have samples of the D2 and SC bots available for inspection...

William S. Paris
Telecommunication/Network Analyst
Sorrento Lactalis Inc.
bparis () sorrentolactalis com
        

-----Original Message-----
From: Obert, Jack E. [mailto:JObert () sprg smhs com]
Sent: Tuesday, June 12, 2001 9:43 AM
To: 'incidents () securityfocus com'
Subject: Increase in Sub7 scans


Since February, I've been receiving TCP port scans for the default Sub7 port
(27374) at a rate of approximately 3-4 per day.  Starting on June 8th to
present, I've been receiving them at 9 times that rate.

6/5/01 - 3 Scans
6/6/01 - 4 Scans
6/7/01 - 3 Scans
6/8/01 - 8 Scans
6/9/01 - 14 Scans
6/10/01 - 38 Scans
6/11/01 - 22 Scans

Any ideas on what could have sparked this increased scanning?  A new
utility?  A new vulnerability related to sub7?  New media publicity?

Thanks

Jack E. Obert, GSEC 
Technical Information Security Officer 
St. John's Health System 
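
An added example, not part of either message: one way to produce per-day counts like those above from firewall logs and flag the jump in port 27374 probes. The iptables-style log layout, the host name, the addresses, the "one source per day equals one scan" rule and the 2x threshold are assumptions; the daily totals in the constructed sample are the ones reported in the message.

```python
import re
from collections import defaultdict
from statistics import median

SUB7_PORT = 27374  # default Sub7 port named in the message
# Assumed iptables-style log layout; adjust the pattern to your firewall.
LINE_RE = re.compile(r"^(\w{3}\s+\d+) \S+ .*SRC=(\S+) .*PROTO=TCP .*DPT=(\d+)")

def daily_scan_counts(lines, port=SUB7_PORT):
    """Count distinct probing sources per day; SYN retries collapse to one scan."""
    sources = defaultdict(set)
    for line in lines:
        m = LINE_RE.match(line)
        if m and int(m.group(3)) == port:
            day = " ".join(m.group(1).split())  # "Jun  5" -> "Jun 5"
            sources[day].add(m.group(2))
    return {day: len(srcs) for day, srcs in sources.items()}

def flag_spikes(counts, warmup=3, factor=2.0):
    """Flag days at >= factor x the median of earlier unflagged days."""
    baseline, flagged = [], []
    for day, n in counts.items():  # dict keeps the log's chronological order
        if len(baseline) >= warmup and n >= factor * median(baseline):
            flagged.append(day)    # spike days stay out of the baseline
        else:
            baseline.append(n)
    return flagged

# Constructed sample: daily totals taken from the message, addresses from the
# 192.0.2.0/24 documentation range, every probe logged twice (SYN retry).
REPORTED = {"Jun  5": 3, "Jun  6": 4, "Jun  7": 3, "Jun  8": 8,
            "Jun  9": 14, "Jun 10": 38, "Jun 11": 22}

def sample_log():
    lines = []
    for day, n in REPORTED.items():
        for i in range(1, n + 1):
            probe = (f"{day} 03:{i:02d}:00 fw kernel: DROP IN=eth0 SRC=192.0.2.{i} "
                     f"DST=198.51.100.5 PROTO=TCP SPT=40000 DPT={SUB7_PORT} SYN")
            lines += [probe, probe]
        lines.append(f"{day} 04:00:00 fw kernel: DROP IN=eth0 SRC=192.0.2.200 "
                     f"DST=198.51.100.5 PROTO=TCP SPT=40000 DPT=80 SYN")  # other port
    return lines

if __name__ == "__main__":
    counts = daily_scan_counts(sample_log())
    print(counts)
    print("spike days:", flag_spikes(counts))
```

Keeping flagged days out of the baseline matters here: with a plain trailing three-day median, the 38-scan day would raise the baseline enough that the following 22-scan day no longer stands out.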

