On 8/22/03 8:50 PM, "Matt Martini" <martini@invision.net> wrote:
I've scanned my Netflow logs for activity associated with the 20 machines that SoBig was targeting and I found some very curious activity.
If what you claim is correct, this could be very bad. The virus is already there on many infected machines, it just needs a way to communicate with other infected hosts to coordinate it's bidding. IRC has been a weak link for viruses as they can usually be tracked and stopped in a short order, however with gaming machines, it may be a little bit harder. Maybe there are no master servers. Maybe it doesn't need one. Perhaps it just uses a network like Game Spy to find public Halflife (or other gaming servers) to get the viruses to "link" together. Infected boxes would the communicate on random Halflife servers all over the net. (there are thousands of them). Maybe the clients don't find the masters, maybe the masters find the clients. Maybe the list of "20 servers" was just a decoy of sorts. It would be nearly impossible to track the source of who is controlling the infected boxes. Clever... -- Robert Blayzor, BOFH INOC, LLC rblayzor@inoc.net PGP: http://www.inoc.net/~dev/ Key fingerprint = A445 7D1E 3D4F A4EF 6875 21BB 1BAA 10FE 5748 CFE9 "If I had it all to do over again, I'd spell creat with an ""e"". - Kernighan"