?? Sobig back channel traffic ??

Steve Bernard sbernard at gmu.edu
Fri Aug 22 23:44:42 GMT 2003


I am seeing traffic from source IPs which match the previously released
SoBig.F list released earlier today, but that is most definitely spoofed.
The traffic is destined for UDP port 27015, which is commonly used by the
Half-Life game server. I haven't had time to do a further analysis yet, but
I believe that someone is attempting to use a back channel method of
communicating with hosts infected with the SoBig.F virus/worm/trojan. Have
you seen any of this yet?

There are examples below. I don't have full packet captures yet because of
the equipment that was used to capture these traces. I will be getting full
packets and performing further analysis.

17:54:55.461128 24.206.75.137.42475 > 129.174.aaa.bbb.27015: [udp sum ok] udp 9 [tos 0x8]  (ttl 112, id 39936, len 37)
17:54:55.461143 24.197.143.132.42476 > 129.174.ccc.ddd.27015: [udp sum ok] udp 9 [tos 0x8]  (ttl 112, id 39936, len 37)
17:54:57.313217 68.50.208.96.32059 > 129.174.aaa.bbb.27015: [udp sum ok] udp 9 [tos 0x8]  (ttl 112, id 39936, len 37)
17:54:57.314355 67.73.21.6.32060 > 129.174.ccc.ddd.27015: [udp sum ok] udp 9 [tos 0x8]  (ttl 112, id 39936, len 37)
17:55:06.603626 61.38.187.59.30688 > 129.174.aaa.bbb.27015: [udp sum ok] udp 9 [tos 0x8]  (ttl 112, id 39936, len 37)
17:55:06.604748 65.92.80.218.30687 > 129.174.ccc.ddd.27015: [udp sum ok] udp 9 [tos 0x8]  (ttl 112, id 39936, len 37)
17:55:08.426720 24.33.66.38.61013 > 129.174.aaa.bbb.27015: [udp sum ok] udp 9 [tos 0x8]  (ttl 112, id 39936, len 37)
17:55:08.427805 12.158.102.205.61012 > 129.174.ccc.ddd.27015: [udp sum ok] udp 9 [tos 0x8]  (ttl 112, id 39936, len 37)

Take note of the closeness of the packet times and the sequential source
ports, despite coming from completely different Class A spaces. 'aaa.bbb'
and 'ccc.ddd' are the only two hosts on my network that I am seeing this
traffic going to. We have egress filters in place but hadn't created
ingress filters, which I'm guessing a lot of other organizations may not
have done either. Because of the filters that we have in place I can't query the
hosts to see if the "real" ones are up now, but they were all down earlier
in the day so I'm going on the assumption that this is not a coincidence.


Regards,

Steve Bernard
Sr. Systems Engineer, NET
George Mason University
Fairfax, Virginia
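An added example, not from the post or from the unisog list, that turns the observations above into a check over tcpdump lines in the same format: it pairs UDP 27015 packets that share an IP id and TTL, carry the same UDP length, use adjacent source ports and arrive within a fraction of a second, the pattern of one sender forging both, and notes whether the two sources come from different /8 blocks. The destination addresses, the final unrelated packet and the half-second window are constructed assumptions.

```python
import re

# Constructed sample in the tcpdump format quoted in the post (three of the
# pairs above plus one ordinary Half-Life query); the destination hosts are
# RFC 5737 documentation addresses, not the poster's real ones.
SAMPLE = """\
17:54:55.461128 24.206.75.137.42475 > 192.0.2.10.27015: [udp sum ok] udp 9 [tos 0x8]  (ttl 112, id 39936, len 37)
17:54:55.461143 24.197.143.132.42476 > 192.0.2.11.27015: [udp sum ok] udp 9 [tos 0x8]  (ttl 112, id 39936, len 37)
17:54:57.313217 68.50.208.96.32059 > 192.0.2.10.27015: [udp sum ok] udp 9 [tos 0x8]  (ttl 112, id 39936, len 37)
17:54:57.314355 67.73.21.6.32060 > 192.0.2.11.27015: [udp sum ok] udp 9 [tos 0x8]  (ttl 112, id 39936, len 37)
17:55:08.426720 24.33.66.38.61013 > 192.0.2.10.27015: [udp sum ok] udp 9 [tos 0x8]  (ttl 112, id 39936, len 37)
17:55:08.427805 12.158.102.205.61012 > 192.0.2.11.27015: [udp sum ok] udp 9 [tos 0x8]  (ttl 112, id 39936, len 37)
17:55:30.100000 198.51.100.7.53210 > 192.0.2.10.27015: [udp sum ok] udp 25 [tos 0x0]  (ttl 52, id 4711, len 53)
"""

LINE = re.compile(r"(\d\d):(\d\d):(\d\d\.\d+) (\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+): "
                  r"\[udp sum ok\] udp (\d+) \[tos 0x[0-9a-f]+\]\s+\(ttl (\d+), id (\d+),")


def parse(text):
    """Parse tcpdump UDP summary lines into dicts, skipping lines that don't match."""
    pkts = []
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            h, mi, s, src, sp, dst, dp, ulen, ttl, ipid = m.groups()
            pkts.append({"t": int(h) * 3600 + int(mi) * 60 + float(s), "src": src,
                         "sport": int(sp), "dst": dst, "dport": int(dp),
                         "ulen": int(ulen), "ttl": int(ttl), "id": int(ipid)})
    return pkts


def forged_pairs(pkts, port=27015, window=0.5):
    """Pair consecutive packets to `port` that look like one sender forged both:
    same IP id and TTL, same UDP length, adjacent source ports, spaced under
    `window` seconds.  The third field records whether the two sources sit in
    different /8 ("Class A") blocks, as the post points out for its traces."""
    found = []
    ordered = sorted(pkts, key=lambda p: p["t"])
    for a, b in zip(ordered, ordered[1:]):
        if a["dport"] != port or b["dport"] != port:
            continue
        if (b["t"] - a["t"] <= window and a["id"] == b["id"] and a["ttl"] == b["ttl"]
                and a["ulen"] == b["ulen"] and abs(a["sport"] - b["sport"]) == 1):
            found.append((a["src"], b["src"], a["src"].split(".")[0] != b["src"].split(".")[0]))
    return found
```

The unrelated final packet differs in id, TTL and length from its neighbour and is not paired; on real captures the window and port are the knobs to adjust.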


