I've scanned my Netflow logs for activity associated with the 20
machines that SoBig was targeting and I found some very curious
I routed traffic to these 20 ips to Null0.
At 3:09 I started getting traffic from 10 of the 20 machines to a
Halflife server on my network. This continued until 6:14pm.
The conversations could not be productive because of my Null route, but
what were these machines trying to do? Even more interesting is the fact
that these machines were supposed to be shutdown before 3:00. How could
they be sending data to this halflife server? I suspect that the
addresses are spoofed, but to what end?
Are there any halflife vunerabilies that the virus writers are using? It
just seems like too much of a coincidence that 10 out of 20 machines
were hitting this server.
I have the original Netflow data and the complete logs. Below is a
sample of what I was seeing. Port 27015 is the normal Halflife port.
Anyone have any ideas? or seeing anything similar?
2003/08/22 15:09:54 184.108.40.206.50416 -> XXX.XXX.XXX.XXX.27015 17 1 37
2003/08/22 15:10:00 220.127.116.11.64550 -> XXX.XXX.XXX.XXX.27015 17 1 37
2003/08/22 15:10:03 18.104.22.168.43445 -> XXX.XXX.XXX.XXX.27015 17 1 37
2003/08/22 15:10:07 22.214.171.124.17414 -> XXX.XXX.XXX.XXX.27015 17 1 37
2003/08/22 15:10:09 126.96.36.199.2956 -> XXX.XXX.XXX.XXX.27015 17 1 37
2003/08/22 15:10:12 188.8.131.52.18637 -> XXX.XXX.XXX.XXX.27015 17 1 37
2003/08/22 15:10:23 184.108.40.206.64072 -> XXX.XXX.XXX.XXX.27015 17 1 37
2003/08/22 15:10:31 220.127.116.11.27900 -> XXX.XXX.XXX.XXX.27015 17 1 37
2003/08/22 15:10:39 18.104.22.168.1448 -> XXX.XXX.XXX.XXX.27015 17 1 37
2003/08/22 15:10:46 22.214.171.124.33876 -> XXX.XXX.XXX.XXX.27015 17 1 37
2003/08/22 15:11:16 126.96.36.199.40713 -> XXX.XXX.XXX.XXX.27015 17 1 37
2003/08/22 15:11:18 188.8.131.52.58060 -> XXX.XXX.XXX.XXX.27015 17 1 37
2003/08/22 15:11:25 184.108.40.206.4336 -> XXX.XXX.XXX.XXX.27015 17 1 37
2003/08/22 15:11:40 220.127.116.11.6812 -> XXX.XXX.XXX.XXX.27015 17 1 37
2003/08/22 18:13:27 18.104.22.168.11565 -> XXX.XXX.XXX.XXX.27015 17 1 37
2003/08/22 18:13:31 22.214.171.124.32662 -> XXX.XXX.XXX.XXX.27015 17 1 37
2003/08/22 18:13:35 126.96.36.199.28106 -> XXX.XXX.XXX.XXX.27015 17 1 37
2003/08/22 18:13:37 188.8.131.52.19736 -> XXX.XXX.XXX.XXX.27015 17 1 37
2003/08/22 18:13:38 184.108.40.206.51452 -> XXX.XXX.XXX.XXX.27015 17 1 37
2003/08/22 18:13:46 220.127.116.11.46930 -> XXX.XXX.XXX.XXX.27015 17 1 37
2003/08/22 18:13:53 18.104.22.168.16641 -> XXX.XXX.XXX.XXX.27015 17 1 37
2003/08/22 18:13:59 22.214.171.124.56358 -> XXX.XXX.XXX.XXX.27015 17 1 37
2003/08/22 18:14:09 126.96.36.199.19923 -> XXX.XXX.XXX.XXX.27015 17 1 37
Total = 1751 flows from 15:09:54 to 18:14:09
Servers hitting the Halflife machine
If what you claim is correct, this could be very bad. The virus is already
there on many infected machines, it just needs a way to communicate with
other infected hosts to coordinate it's bidding. IRC has been a weak link
for viruses as they can usually be tracked and stopped in a short order,
however with gaming machines, it may be a little bit harder.
Maybe there are no master servers. Maybe it doesn't need one. Perhaps it
just uses a network like Game Spy to find public Halflife (or other gaming
servers) to get the viruses to "link" together. Infected boxes would the
communicate on random Halflife servers all over the net. (there are
thousands of them).
Maybe the clients don't find the masters, maybe the masters find the
clients. Maybe the list of "20 servers" was just a decoy of sorts. It
would be nearly impossible to track the source of who is controlling the
There are many hl vulnerabilities, specifically a recent equivalent of
'remote root' was revealed a week or two ago.
I popped onto #nanog on efnet last night reporting UDP 'Gaming' Traffic
hitting our services from those 20 boxes and got laughed at for suggesting
"game" traffic, i'm glad someone else noticed it too!
We run lots of Game Servers in the UK and most of the CS ones were getting
traffic from those 20 boxes (blocked with an ACL) - i'll have to check
through my netflow logs for more details.
Also, "Stephen J. Wilcox" saw traffic destined for his CS Servers.
They were trying to hit servers in multiple subnets, all on ports 270XX.
Game Digital Ltd
I'm not sure on this. Lots of gaming servers use the 270XX UDP range.
Quake3, HL, etc.
It may be possible it's just probing for other HL servers running on
different ports. A lot of these games also use the same gaming engine for
the network and graphics abilities, so it's possible HL may not be the only
"game server" in the mix, it may be any game that uses the HL engine. I
know there are several out there, Counterstrike being one of them.
So if it's not looking for a HL only exploit, I'd bet it's trying to get the
infected machines to link up and communicate via the network of gaming
servers. This could be very bad because there could be virtually no way to
stop this other than taking down the "Game Spy" type networks so the
computers can't find each other.
Just a quick look at my syslog file, where MOO is the name of my ACL.
fgrep MOO /var/log/cisco/<router>.log | grep 27015 -c
fgrep MOO /var/log/cisco/<router>.log | grep 27016 -c
fgrep MOO /var/log/cisco/<router>.log | grep 27017 -c
fgrep MOO /var/log/cisco/<router>.log | grep 27018 -c
As you can see most of them were on 27015, these logs were from just one of
my transit interfaces.
Did anyone else see anything with regards to this thread?
Regarding the half life exploits, the 'remote root' exploits have been
addressed to VALVe and they were fixed in 188.8.131.52d for linux (184.108.40.206d
for win32).. which was released July 30th 2003.
Now, the bug was reported to VALVe on April 18th 2003, but it didnt hit
bugtraq until July 29th, 2003.
On the other hand though, alot of server admins(from what I can grasp from
the hlds_linux mailing list) do not run x.1.1.1d for the simple fact that it
uses a bit more CPU then x.1.1.0c. There is an unoffical patch for
x.1.1.0c that does plug the hole.
Unless this worms communicating with an unknown hole or something...
One possibility is that half-life servers are inherently directory services.
The list of connected players could be used to encode directory data for
the worm to attack.
Realistically, it doesn't need a hole to communicate. All it needs to do
is impersonate a player that doesn't mind dying alot. It can still communicate
with it's "team-mates" using the built-in communications channels in the game
and it can still use CS servers as a directory service. These are FEATURES
of the game with no vulnerability required.