W32/Sobig-F - Halflife correlation ???

Owen DeLong owen at delong.com
Thu Aug 28 15:20:36 UTC 2003


One possibility is that half-life servers are inherently directory services.
The list of connected players could be used to encode directory data for
the worm to attack.

Owen


--On Friday, August 22, 2003 8:50 PM -0400 Matt Martini 
<martini at invision.net> wrote:

>
>
> I've scanned my Netflow logs for activity associated with the 20
> machines that SoBig was targeting and I found some very curious
> activity.
>
> I routed traffic to these 20 ips to Null0.
>
> At 3:09 I started getting traffic from 10 of the 20 machines to a
> Halflife server on my network. This continued until 6:14pm.
>
> The conversations could not be productive because of my Null route, but
> what were these machines trying to do? Even more interesting is the fact
> that these machines were supposed to be shut down before 3:00. How could
> they be sending data to this halflife server? I suspect that the
> addresses are spoofed, but to what end?
>
> Are there any halflife vulnerabilities that the virus writers are using? It
> just seems like too much of a coincidence that 10 out of 20 machines
> were hitting this server.
>
> I have the original Netflow data and the complete logs. Below is a
> sample of what I was seeing. Port 27015 is the normal Halflife port.
>
> Anyone have any ideas, or seeing anything similar?
>
> Read: Date,Time,SrcIP,SrcPort,DstIP,DstPort,Protocol,Packets,Bytes
>
> 2003/08/22 15:09:54 67.73.21.6.50416 -> XXX.XXX.XXX.XXX.27015 17 1 37
> 2003/08/22 15:10:00 12.232.104.221.64550 -> XXX.XXX.XXX.XXX.27015 17 1 37
> 2003/08/22 15:10:03 61.38.187.59.43445 -> XXX.XXX.XXX.XXX.27015 17 1 37
> 2003/08/22 15:10:07 67.9.241.67.17414 -> XXX.XXX.XXX.XXX.27015 17 1 37
> 2003/08/22 15:10:09 63.250.82.87.2956 -> XXX.XXX.XXX.XXX.27015 17 1 37
> 2003/08/22 15:10:12 24.197.143.132.18637 -> XXX.XXX.XXX.XXX.27015 17 1 37
> 2003/08/22 15:10:23 61.38.187.59.64072 -> XXX.XXX.XXX.XXX.27015 17 1 37
> 2003/08/22 15:10:31 67.73.21.6.27900 -> XXX.XXX.XXX.XXX.27015 17 1 37
> 2003/08/22 15:10:39 65.177.240.194.1448 -> XXX.XXX.XXX.XXX.27015 17 1 37
> 2003/08/22 15:10:46 63.250.82.87.33876 -> XXX.XXX.XXX.XXX.27015 17 1 37
> 2003/08/22 15:11:16 65.177.240.194.40713 -> XXX.XXX.XXX.XXX.27015 17 1 37
> 2003/08/22 15:11:18 61.38.187.59.58060 -> XXX.XXX.XXX.XXX.27015 17 1 37
> 2003/08/22 15:11:25 24.197.143.132.4336 -> XXX.XXX.XXX.XXX.27015 17 1 37
> 2003/08/22 15:11:40 67.9.241.67.6812 -> XXX.XXX.XXX.XXX.27015 17 1 37
> [...]
> 2003/08/22 18:13:27 65.95.193.138.11565 -> XXX.XXX.XXX.XXX.27015 17 1 37
> 2003/08/22 18:13:31 12.232.104.221.32662 -> XXX.XXX.XXX.XXX.27015 17 1 37
> 2003/08/22 18:13:35 61.38.187.59.28106 -> XXX.XXX.XXX.XXX.27015 17 1 37
> 2003/08/22 18:13:37 24.33.66.38.19736 -> XXX.XXX.XXX.XXX.27015 17 1 37
> 2003/08/22 18:13:38 67.9.241.67.51452 -> XXX.XXX.XXX.XXX.27015 17 1 37
> 2003/08/22 18:13:46 65.95.193.138.46930 -> XXX.XXX.XXX.XXX.27015 17 1 37
> 2003/08/22 18:13:53 61.38.187.59.16641 -> XXX.XXX.XXX.XXX.27015 17 1 37
> 2003/08/22 18:13:59 63.250.82.87.56358 -> XXX.XXX.XXX.XXX.27015 17 1 37
> 2003/08/22 18:14:09 12.232.104.221.19923 -> XXX.XXX.XXX.XXX.27015 17 1 37
>
> Total = 1751 flows from 15:09:54 to 18:14:09
>
> Servers hitting the Halflife machine
> ------------------------------------
> 12.232.104.221
> 24.33.66.38
> 24.197.143.132
> 24.202.91.43
> 61.38.187.59
> 63.250.82.87
> 65.95.193.138
> 65.177.240.194
> 67.9.241.67
> 67.73.21.6
>
>
> __________________________ http://www.invision.net/ _______________________
>
>  Matthew E. Martini, PE        InVision.com, Inc.   (631) 543-1000 x104
>  Chief Technology Officer      matt at invision.net    (631) 864-8896 Fax
> _______________________________________________________________________
>
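A small parser and summary for flow records in the layout Matt quoted (Date Time SrcIP.SrcPort -> DstIP.DstPort Protocol Packets Bytes), added here as an illustration and not code from either poster; the sample flows, the destination address (masked as XXX in the original) and the watch list of null-routed sources are constructed.

```python
import re
from collections import defaultdict

# Constructed sample in the same layout as the Netflow lines quoted above.
# Protocol 17 is UDP; 27015 is the usual Half-Life server port.
SAMPLE_FLOWS = """\
2003/08/22 15:09:54 67.73.21.6.50416 -> 192.0.2.10.27015 17 1 37
2003/08/22 15:10:00 12.232.104.221.64550 -> 192.0.2.10.27015 17 1 37
2003/08/22 15:10:03 61.38.187.59.43445 -> 192.0.2.10.27015 17 1 37
2003/08/22 15:10:23 61.38.187.59.64072 -> 192.0.2.10.27015 17 1 37
2003/08/22 15:10:31 67.73.21.6.27900 -> 192.0.2.10.27015 17 1 37
2003/08/22 15:11:00 198.51.100.7.40000 -> 192.0.2.10.27015 17 1 37
2003/08/22 15:11:05 67.73.21.6.1234 -> 192.0.2.10.80 6 5 400
"""

# Hypothetical watch list: the sources you have null-routed (the post had 20).
WATCHED = {"67.73.21.6", "12.232.104.221", "61.38.187.59", "63.250.82.87"}

FLOW_RE = re.compile(
    r"^(?P<date>\S+) (?P<time>\S+) (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) -> "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+) (?P<proto>\d+) (?P<pkts>\d+) (?P<bytes>\d+)$"
)

def parse_flows(text):
    """Yield one dict per flow line; lines that do not match the layout are skipped."""
    for line in text.splitlines():
        m = FLOW_RE.match(line.strip())
        if m:
            d = m.groupdict()
            for k in ("sport", "dport", "proto", "pkts", "bytes"):
                d[k] = int(d[k])
            yield d

def summarize(text, watched, dport=27015, proto=17):
    """Count flows per watched source to dport/proto and report first/last time.

    Times are compared as zero-padded HH:MM:SS strings, so this assumes one day."""
    per_src = defaultdict(int)
    times = []
    for f in parse_flows(text):
        if f["src"] in watched and f["dport"] == dport and f["proto"] == proto:
            per_src[f["src"]] += 1
            times.append(f["time"])
    return {
        "total": sum(per_src.values()),
        "sources": dict(per_src),
        "first": min(times) if times else None,
        "last": max(times) if times else None,
    }

if __name__ == "__main__":
    print(summarize(SAMPLE_FLOWS, WATCHED))
```

Sources outside the watch list and flows to other ports (the port 80 TCP line) are ignored, which is what narrows the count to the null-routed hosts Matt was asking about.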