W32/Sobig-F - Halflife correlation ???

Owen DeLong owen at delong.com
Thu Aug 28 16:58:30 UTC 2003


Realistically, it doesn't need a hole to communicate.  All it needs to do
is impersonate a player that doesn't mind dying a lot.  It can still
communicate with its "team-mates" using the built-in communications channels
in the game and it can still use CS servers as a directory service.  These
are FEATURES of the game with no vulnerability required.

Owen


--On Tuesday, August 26, 2003 6:12 AM -0500 Adam 'Starblazer' Romberg 
<star at extremepcgaming.net> wrote:

>
> Regarding the Half-Life exploits, the 'remote root' exploits have been
> addressed to VALVe and they were fixed in 3.1.1.1d for linux (4.1.1.1d
> for win32), which was released July 30th 2003 [1].
>
> Now, the bug was reported to VALVe on April 18th 2003, but it didn't hit
> bugtraq until July 29th, 2003 [2].
>
> On the other hand though, a lot of server admins (from what I can grasp from
> the hlds_linux mailing list) do not run x.1.1.1d for the simple fact that
> it uses a bit more CPU than x.1.1.0c.  There is an unofficial patch for
> x.1.1.0c that does plug the hole.
>
> Unless this worm's communicating with an unknown hole or something...
>
> Thanks
>
> Adam
>
> [1] http://www.mail-archive.com/hlds_linux%40list.valvesoftware.com/msg17381.html
> [2] http://www.securityfocus.com/archive/1/330880/2003-07-26/2003-08-01/0
>
> ----------------------------------------------------
> Adam 'Starblazer' Romberg     Appleton: 920-738-9032
> System Administrator
> ExtremePC LLC    -=-  http://www.extremepcgaming.net
>
> On Mon, 25 Aug 2003, Darren Smith wrote:
>
>>
>> Did anyone else see anything with regards to this thread?
>>
>> Regards
>>
>> Darren Smith
>>
>> ----- Original Message -----
>> From: "Darren Smith" <data at barrysworld.com>
>> To: "Robert Blayzor" <rblayzor at inoc.net>; "North American Network
>> Operators Group" <nanog at merit.edu>
>> Sent: Saturday, August 23, 2003 1:22 PM
>> Subject: Re: W32/Sobig-F - Halflife correlation ???
>>
>>
>> >
>> > Hi
>> >
>> > Just a quick look at my syslog file, where MOO is the name of my ACL.
>> >
>> > fgrep MOO /var/log/cisco/<router>.log | grep 27015 -c
>> > 2383
>> >
>> > fgrep MOO /var/log/cisco/<router>.log | grep 27016 -c
>> > 459
>> >
>> > fgrep MOO /var/log/cisco/<router>.log | grep 27017 -c
>> > 210
>> >
>> > fgrep MOO /var/log/cisco/<router>.log | grep 27018 -c
>> > 59
>> >
>> > As you can see most of them were on 27015, these logs were from just
>> > one of my transit interfaces.
>> >
>> > Best Regards
>> >
>> > Darren Smith
>> >
>> > ----- Original Message -----
>> > From: "Robert Blayzor" <rblayzor at inoc.net>
>> > To: "North American Network Operators Group" <nanog at merit.edu>
>> > Sent: Saturday, August 23, 2003 1:05 PM
>> > Subject: Re: W32/Sobig-F - Halflife correlation ???
>> >
>> >
>> > >
>> > > On 8/23/03 7:17 AM, "Darren Smith" <data at barrysworld.com> wrote:
>> > >
>> > > > They were trying to hit servers in multiple subnets, all on ports
>> > > > 270XX.
>> > >
>> > > I'm not sure on this.  Lots of gaming servers use the 270XX UDP
>> > > range. Quake3, HL, etc.
>> > >
>> > > It may be possible it's just probing for other HL servers running on
>> > > different ports.  A lot of these games also use the same gaming
>> > > engine for the network and graphics abilities, so it's possible HL
>> > > may not be the only "game server" in the mix, it may be any game that
>> > > uses the HL engine.  I know there are several out there, Counterstrike
>> > > being one of them.
>> > >
>> > > So if it's not looking for a HL only exploit, I'd bet it's trying to
>> > > get the infected machines to link up and communicate via the network
>> > > of gaming servers.  This could be very bad because there could be
>> > > virtually no way to stop this other than taking down the "Game Spy"
>> > > type networks so the computers can't find each other.
>> > >
>> > > --
>> > > Robert Blayzor, BOFH
>> > > INOC, LLC
>> > > rblayzor at inoc.net
>> > > PGP: http://www.inoc.net/~dev/
>> > > Key fingerprint = A445 7D1E 3D4F A4EF 6875  21BB 1BAA 10FE 5748 CFE9
>> > >
>> > > "Oh my God, Space Aliens!!  Don't eat me, I have a wife and kids!
>> > >                 Eat them!"  -- Homer J. Simpson
>> > >
>> > >
>> > >
>> >
>> >
>>
>>
>
>
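Darren's per-port grep counts over the MOO ACL log, generalised into one pass that matches only the destination port (a bare `grep 27015` also matches source ports and address fragments) and reports distinct sources per port. This is an added example, not code from the thread; it assumes the standard Cisco IOS `%SEC-6-IPACCESSLOGP` line format and the sample lines are constructed.

```python
import re
from collections import Counter, defaultdict

# Constructed Cisco IOS ACL log sample: documentation-range addresses,
# invented hit pattern. Only lines on ACL "MOO" should be counted.
SAMPLE_LOG = """\
Aug 23 13:20:01 rtr1 %SEC-6-IPACCESSLOGP: list MOO denied udp 198.51.100.7(1031) -> 192.0.2.10(27015), 1 packet
Aug 23 13:20:02 rtr1 %SEC-6-IPACCESSLOGP: list MOO denied udp 198.51.100.7(1032) -> 192.0.2.11(27015), 1 packet
Aug 23 13:20:02 rtr1 %SEC-6-IPACCESSLOGP: list MOO denied udp 203.0.113.9(4021) -> 192.0.2.12(27016), 3 packets
Aug 23 13:20:03 rtr1 %SEC-6-IPACCESSLOGP: list MOO denied udp 203.0.113.9(4022) -> 192.0.2.10(27015), 1 packet
Aug 23 13:20:04 rtr1 %SEC-6-IPACCESSLOGP: list OTHER denied tcp 203.0.113.9(4023) -> 192.0.2.10(27015), 1 packet
Aug 23 13:20:05 rtr1 %SEC-6-IPACCESSLOGP: list MOO denied udp 198.51.100.8(1040) -> 192.0.2.13(27017), 1 packet
"""

# Assumed IOS ACL log shape: "list <acl> denied <proto> src(sport) -> dst(dport), N packet(s)"
ACL_LINE = re.compile(
    r"list (?P<acl>\S+) (?P<action>denied|permitted) (?P<proto>\w+) "
    r"(?P<src>[\d.]+)\((?P<sport>\d+)\) -> (?P<dst>[\d.]+)\((?P<dport>\d+)\)"
    r", (?P<count>\d+) packets?"
)


def summarise(log_text, acl="MOO", low=27015, high=27030):
    """Per destination port in [low, high] on the given ACL, return
    (total packets, number of distinct source addresses)."""
    packets = Counter()
    sources = defaultdict(set)
    for line in log_text.splitlines():
        m = ACL_LINE.search(line)
        if not m or m.group("acl") != acl:
            continue
        dport = int(m.group("dport"))
        if not low <= dport <= high:
            continue
        # Use the packet count IOS reports rather than counting lines,
        # since one log line can summarise several packets.
        packets[dport] += int(m.group("count"))
        sources[dport].add(m.group("src"))
    return {p: (packets[p], len(sources[p])) for p in sorted(packets)}


if __name__ == "__main__":
    for port, (pkts, srcs) in summarise(SAMPLE_LOG).items():
        print(f"udp/{port}: {pkts} packets from {srcs} distinct sources")
```

Run it against a real router log with `summarise(open(path).read())`; a wide spread of distinct sources hitting 27015 across many destination subnets is the pattern the thread is describing, as opposed to a few legitimate game clients.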