Re: W32/Sobig-F - Halflife correlation ???
From: Robert Blayzor <rblayzor () inoc net>
Date: Fri, 22 Aug 2003 22:05:20 -0400


On 8/22/03 8:50 PM, "Matt Martini" <martini () invision net> wrote:

> I've scanned my Netflow logs for activity associated with the 20
> machines that SoBig was targeting and I found some very curious
> activity.

If what you claim is correct, this could be very bad.  The virus is already
there on many infected machines, it just needs a way to communicate with
other infected hosts to coordinate its bidding.  IRC has been a weak link
for viruses as they can usually be tracked and stopped in short order,
however with gaming machines, it may be a little bit harder.

Maybe there are no master servers.  Maybe it doesn't need one.  Perhaps it
just uses a network like Game Spy to find public Halflife (or other gaming
servers) to get the viruses to "link" together.  Infected boxes would then
communicate on random Halflife servers all over the net. (there are
thousands of them).

Maybe the clients don't find the masters, maybe the masters find the
clients.  Maybe the list of "20 servers" was just a decoy of sorts.  It
would be nearly impossible to track the source of who is controlling the
infected boxes.

Clever...

--
Robert Blayzor, BOFH
INOC, LLC
rblayzor () inoc net
PGP: http://www.inoc.net/~dev/
Key fingerprint = A445 7D1E 3D4F A4EF 6875  21BB 1BAA 10FE 5748 CFE9

"If I had it all to do over again, I'd spell creat with an "e"." - Kernighan
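The two checks the thread turns on, flows from internal hosts to a fixed list of suspect servers (Matt's "20 machines") and internal hosts fanning out across many public game servers, can both be run over exported flow records. The script below is an added example written for this archive page, not code from either poster. It assumes a flow-tools-like CSV export, a constructed watchlist drawn from the RFC 5737 documentation ranges (the real Sobig.F list is not reproduced here), Half-Life's default UDP port 27015 and its neighbours as the game-server ports, and a fan-out threshold of three distinct servers; all of those are assumptions, and the flow records themselves are constructed.

```python
"""Scan NetFlow-style records for two indicators raised in the thread:
1. any flow whose destination is on a watchlist of suspect hosts, and
2. an internal host contacting many distinct game servers over UDP
   (a fan-out pattern, as opposed to a player who sits on one server).
Everything below is constructed for illustration: the watchlist uses
RFC 5737 documentation addresses, the game ports are Half-Life's default
UDP 27015 plus two neighbours (an assumption), and the records are invented."""
from collections import defaultdict
import csv
import io

# Constructed placeholders standing in for the "20 servers"; not the real list.
WATCHLIST = {"192.0.2.10", "192.0.2.11", "198.51.100.5"}
# Half-Life default server port and two common neighbours (assumption).
GAME_PORTS = {27015, 27016, 27017}
# How many distinct game servers one internal host must touch to be flagged (assumption).
FANOUT_THRESHOLD = 3

# Constructed flow export in a flow-tools-like CSV layout (proto 17 = UDP, 6 = TCP).
SAMPLE_FLOWS = """\
start,srcaddr,dstaddr,proto,srcport,dstport,packets,bytes
2003-08-22T19:00:01,10.1.1.5,192.0.2.10,17,1034,8998,3,120
2003-08-22T19:00:02,10.1.1.5,203.0.113.7,17,1035,27015,40,5400
2003-08-22T19:00:03,10.1.1.5,203.0.113.8,17,1036,27015,41,5500
2003-08-22T19:00:04,10.1.1.5,203.0.113.9,17,1037,27016,39,5300
2003-08-22T19:00:05,10.1.1.9,203.0.113.7,17,2200,27015,900,120000
2003-08-22T19:00:06,10.1.1.12,198.51.100.5,6,3300,80,5,400
"""


def parse_flows(text):
    """Parse the CSV export into dicts, converting numeric fields to int."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for row in rows:
        for key in ("proto", "srcport", "dstport", "packets", "bytes"):
            row[key] = int(row[key])
    return rows


def watchlist_hits(flows, watchlist=WATCHLIST):
    """Indicator 1: every flow whose destination is a watchlisted host."""
    return [f for f in flows if f["dstaddr"] in watchlist]


def game_server_fanout(flows, threshold=FANOUT_THRESHOLD, ports=GAME_PORTS):
    """Indicator 2: internal sources that reached >= threshold distinct
    game servers over UDP. Returns {srcaddr: sorted list of servers}."""
    peers = defaultdict(set)
    for f in flows:
        if f["proto"] == 17 and f["dstport"] in ports:
            peers[f["srcaddr"]].add(f["dstaddr"])
    return {src: sorted(dsts) for src, dsts in peers.items() if len(dsts) >= threshold}


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    for f in watchlist_hits(flows):
        print(f"watchlist: {f['srcaddr']} -> {f['dstaddr']}:{f['dstport']} at {f['start']}")
    for src, servers in game_server_fanout(flows).items():
        print(f"fan-out: {src} contacted {len(servers)} game servers: {', '.join(servers)}")
```

In the constructed data, 10.1.1.9 exchanges 900 packets with a single server, which is what an actual game session looks like, while 10.1.1.5 sends a few dozen packets to each of three servers in quick succession; only the second pattern is reported, which is the distinction a flow-level check can make without any payload.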
