nanog mailing list archives

Re: W32/Sobig-F - Halflife correlation ???

From: "Darren Smith" <data () barrysworld com>
Date: Sat, 23 Aug 2003 12:17:32 +0100


Hi

I popped onto #nanog on efnet last night reporting UDP 'Gaming' Traffic
hitting our services from those 20 boxes and got laughed at for suggesting
"game" traffic, i'm glad someone else noticed it too!

We run lots of Game Servers in the UK and most of the CS ones were getting
traffic from those 20 boxes (blocked with an ACL) - i'll have to check
through my netflow logs for more details.

Also, "Stephen J. Wilcox" saw traffic destined for his CS Servers.

They were trying to hit servers in multiple subnets, all on ports 270XX.

Best Regards

Darren Smith
Game Digital Ltd

----- Original Message ----- 
From: "Robert Blayzor" <rblayzor () inoc net>
To: "Matthew E. Martini" <martini () invision net>; "North American Network
Operators Group" <nanog () merit edu>
Sent: Saturday, August 23, 2003 3:05 AM
Subject: Re: W32/Sobig-F - Halflife correlation ???


On 8/22/03 8:50 PM, "Matt Martini" <martini () invision net> wrote:

I've scanned my Netflow logs for activity associated with the 20
machines that SoBig was targeting and I found some very curious
activity.


If what you claim is correct, this could be very bad.  The virus is

already

there on many infected machines, it just needs a way to communicate with
other infected hosts to coordinate it's bidding.  IRC has been a weak link
for viruses as they can usually be tracked and stopped in a short order,
however with gaming machines, it may be a little bit harder.

Maybe there are no master servers.  Maybe it doesn't need one.  Perhaps it
just uses a network like Game Spy to find public Halflife (or other gaming
servers) to get the viruses to "link" together.  Infected boxes would the
communicate on random Halflife servers all over the net. (there are
thousands of them).

Maybe the clients don't find the masters, maybe the masters find the
clients.  Maybe the list of "20 servers" was just a decoy of sorts.  It
would be nearly impossible to track the source of who is controlling the
infected boxes.

Clever...

--
Robert Blayzor, BOFH
INOC, LLC
rblayzor () inoc net
PGP: http://www.inoc.net/~dev/
Key fingerprint = A445 7D1E 3D4F A4EF 6875  21BB 1BAA 10FE 5748 CFE9

"If I had it all to do over again, I'd spell creat with an ""e"".  -
Kernighan"

Current thread:

W32/Sobig-F - Halflife correlation ??? Matt Martini (Aug 22)
- Re: W32/Sobig-F - Halflife correlation ??? Robert Blayzor (Aug 22)
  - Re: W32/Sobig-F - Halflife correlation ??? Darren Smith (Aug 23)
    - Re: W32/Sobig-F - Halflife correlation ??? Robert Blayzor (Aug 23)
    - Re: W32/Sobig-F - Halflife correlation ??? Darren Smith (Aug 23)
    - Re: W32/Sobig-F - Halflife correlation ??? Darren Smith (Aug 26)
    - Re: W32/Sobig-F - Halflife correlation ??? Adam 'Starblazer' Romberg (Aug 26)
    - Re: W32/Sobig-F - Halflife correlation ??? Owen DeLong (Aug 28)
- RE: W32/Sobig-F - Halflife correlation ??? Jim Popovitch (Aug 22)
- Re: W32/Sobig-F - Halflife correlation ??? Owen DeLong (Aug 28)