[Dshield] Interesting thread over on NANOG

John Sage jsage at finchhaven.com
Sat Aug 23 03:51:44 GMT 2003

The first guy notices an unusual correlation between the SoBig-f
target IP list, and traffic to a HalfLife server on his net:

To: North American Network Operators Group <nanog at merit.edu>
Subject: W32/Sobig-F - Halflife correlation ???

I've scanned my Netflow logs for activity associated with the 20
machines that SoBig was targeting and I found some very curious

I routed traffic to these 20 ips to Null0.

At 3:09 I started getting traffic from 10 of the 20 machines to a
Halflife server on my network. This continued until 6:14pm.

The conversations could not be productive because of my Null route,
but what were these machines trying to do? Even more interesting is
the fact that these machines were supposed to be shutdown before
3:00. How could they be sending data to this halflife server? I
suspect that the addresses are spoofed, but to what end?

Are there any halflife vunerabilies that the virus writers are using?
It just seems like too much of a coincidence that 10 out of 20
machines were hitting this server.

And a second guy responds:

Subject: Re: W32/Sobig-F - Halflife correlation ???
To: North American Network Operators Group <nanog at merit.edu>

If what you claim is correct, this could be very bad.  The virus is
already there on many infected machines, it just needs a way to
communicate with other infected hosts to coordinate it's bidding. IRC
has been a weak link for viruses as they can usually be tracked and
stopped in a short order, however with gaming machines, it may be a
little bit harder.

Maybe there are no master servers.  Maybe it doesn't need one.
Perhaps it just uses a network like Game Spy to find public Halflife
(or other gaming servers) to get the viruses to "link" together.
Infected boxes would the communicate on random Halflife servers all
over the net. (there are thousands of them).

Maybe the clients don't find the masters, maybe the masters find the
clients.  Maybe the list of "20 servers" was just a decoy of sorts.
It would be nearly impossible to track the source of who is
controlling the infected boxes.


- John
"Warning: time of day goes back, taking countermeasures."

More information about the list mailing list