W32/Sobig-F - Halflife correlation ???
I've scanned my Netflow logs for activity associated with the 20 machines that SoBig was targeting and I found some very curious activity.

I routed traffic to these 20 IPs to Null0.

At 3:09 I started getting traffic from 10 of the 20 machines to a Halflife server on my network. This continued until 6:14pm.

The conversations could not be productive because of my Null route, but what were these machines trying to do? Even more interesting is the fact that these machines were supposed to be shut down before 3:00. How could they be sending data to this Halflife server? I suspect that the addresses are spoofed, but to what end?

Are there any Halflife vulnerabilities that the virus writers are using? It just seems like too much of a coincidence that 10 out of 20 machines were hitting this server.

I have the original Netflow data and the complete logs. Below is a sample of what I was seeing. Port 27015 is the normal Halflife port.

Anyone have any ideas, or seeing anything similar?

Read: Date,Time,SrcIP,SrcPort,DstIP,DstPort,Protocol,Packets,Bytes

2003/08/22 15:09:54 67.73.21.6.50416 -> XXX.XXX.XXX.XXX.27015 17 1 37
2003/08/22 15:10:00 12.232.104.221.64550 -> XXX.XXX.XXX.XXX.27015 17 1 37
2003/08/22 15:10:03 61.38.187.59.43445 -> XXX.XXX.XXX.XXX.27015 17 1 37
2003/08/22 15:10:07 67.9.241.67.17414 -> XXX.XXX.XXX.XXX.27015 17 1 37
2003/08/22 15:10:09 63.250.82.87.2956 -> XXX.XXX.XXX.XXX.27015 17 1 37
2003/08/22 15:10:12 24.197.143.132.18637 -> XXX.XXX.XXX.XXX.27015 17 1 37
2003/08/22 15:10:23 61.38.187.59.64072 -> XXX.XXX.XXX.XXX.27015 17 1 37
2003/08/22 15:10:31 67.73.21.6.27900 -> XXX.XXX.XXX.XXX.27015 17 1 37
2003/08/22 15:10:39 65.177.240.194.1448 -> XXX.XXX.XXX.XXX.27015 17 1 37
2003/08/22 15:10:46 63.250.82.87.33876 -> XXX.XXX.XXX.XXX.27015 17 1 37
2003/08/22 15:11:16 65.177.240.194.40713 -> XXX.XXX.XXX.XXX.27015 17 1 37
2003/08/22 15:11:18 61.38.187.59.58060 -> XXX.XXX.XXX.XXX.27015 17 1 37
2003/08/22 15:11:25 24.197.143.132.4336 -> XXX.XXX.XXX.XXX.27015 17 1 37
2003/08/22 15:11:40 67.9.241.67.6812 -> XXX.XXX.XXX.XXX.27015 17 1 37
[...]
2003/08/22 18:13:27 65.95.193.138.11565 -> XXX.XXX.XXX.XXX.27015 17 1 37
2003/08/22 18:13:31 12.232.104.221.32662 -> XXX.XXX.XXX.XXX.27015 17 1 37
2003/08/22 18:13:35 61.38.187.59.28106 -> XXX.XXX.XXX.XXX.27015 17 1 37
2003/08/22 18:13:37 24.33.66.38.19736 -> XXX.XXX.XXX.XXX.27015 17 1 37
2003/08/22 18:13:38 67.9.241.67.51452 -> XXX.XXX.XXX.XXX.27015 17 1 37
2003/08/22 18:13:46 65.95.193.138.46930 -> XXX.XXX.XXX.XXX.27015 17 1 37
2003/08/22 18:13:53 61.38.187.59.16641 -> XXX.XXX.XXX.XXX.27015 17 1 37
2003/08/22 18:13:59 63.250.82.87.56358 -> XXX.XXX.XXX.XXX.27015 17 1 37
2003/08/22 18:14:09 12.232.104.221.19923 -> XXX.XXX.XXX.XXX.27015 17 1 37

Total = 1751 flows from 15:09:54 to 18:14:09

Servers hitting the Halflife machine
------------------------------------
12.232.104.221
24.33.66.38
24.197.143.132
24.202.91.43
61.38.187.59
63.250.82.87
65.95.193.138
65.177.240.194
67.9.241.67
67.73.21.6

__________________________ http://www.invision.net/ _______________________
Matthew E. Martini, PE        InVision.com, Inc.      (631) 543-1000 x104
Chief Technology Officer      matt@invision.net       (631) 864-8896 Fax
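The triage Matt describes above (pull the flows from a watch-list of source addresses, count them per source, find the time window) as an added example; this is not code from the original post. It parses the flat record layout Matt pasted. The first seven sample records are copied from the post with the masked destination replaced by the documentation address 192.0.2.10; the last two records are constructed (a non-watch-listed source, and a watch-listed source on another port) to show the filtering. The payload-size calculation assumes NetFlow byte counts are layer-3 bytes and that the IPv4 header carries no options.

```python
"""Correlate NetFlow text records against a watch-list of source IPs.

Added example; not code from the original NANOG post. Parses records of the
form "Date Time Src.SrcPort -> Dst.DstPort Proto Packets Bytes", keeps flows
from watch-listed sources to the Half-Life port, and reports per-source
counts, the time window, which watch-listed hosts never appeared, and the
UDP payload size implied by the byte count.
"""
import re
from collections import Counter
from datetime import datetime

# The 10 source addresses the post lists as hitting the Half-Life server.
WATCHLIST = {
    "12.232.104.221", "24.33.66.38", "24.197.143.132", "24.202.91.43",
    "61.38.187.59", "63.250.82.87", "65.95.193.138", "65.177.240.194",
    "67.9.241.67", "67.73.21.6",
}

# First seven records copied from the post (destination XXX.XXX.XXX.XXX
# replaced by 192.0.2.10). The last two are constructed: an unrelated source
# on 27015, and a watch-listed source on tcp/80, to exercise the filter.
SAMPLE_FLOWS = """\
2003/08/22 15:09:54 67.73.21.6.50416 -> 192.0.2.10.27015 17 1 37
2003/08/22 15:10:00 12.232.104.221.64550 -> 192.0.2.10.27015 17 1 37
2003/08/22 15:10:03 61.38.187.59.43445 -> 192.0.2.10.27015 17 1 37
2003/08/22 15:10:07 67.9.241.67.17414 -> 192.0.2.10.27015 17 1 37
2003/08/22 15:10:23 61.38.187.59.64072 -> 192.0.2.10.27015 17 1 37
2003/08/22 15:10:31 67.73.21.6.27900 -> 192.0.2.10.27015 17 1 37
2003/08/22 18:14:09 12.232.104.221.19923 -> 192.0.2.10.27015 17 1 37
2003/08/22 16:00:00 198.51.100.7.1024 -> 192.0.2.10.27015 17 1 37
2003/08/22 16:00:01 67.73.21.6.1025 -> 192.0.2.10.80 6 3 164
"""

FLOW_RE = re.compile(
    r"^(?P<date>\d{4}/\d\d/\d\d) (?P<time>\d\d:\d\d:\d\d) "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) -> "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+) "
    r"(?P<proto>\d+) (?P<packets>\d+) (?P<bytes>\d+)$"
)

# NetFlow octet counts are layer-3 bytes: subtract an option-less IPv4
# header (20) and the UDP header (8) to get the datagram payload (assumption).
IP_UDP_HEADER_BYTES = 20 + 8


def parse_flows(text):
    """Return a list of flow dicts; non-matching lines (headers, blanks) are skipped."""
    flows = []
    for line in text.splitlines():
        m = FLOW_RE.match(line.strip())
        if not m:
            continue
        f = m.groupdict()
        flows.append({
            "ts": datetime.strptime(f["date"] + " " + f["time"], "%Y/%m/%d %H:%M:%S"),
            "src": f["src"], "sport": int(f["sport"]),
            "dst": f["dst"], "dport": int(f["dport"]),
            "proto": int(f["proto"]), "packets": int(f["packets"]),
            "bytes": int(f["bytes"]),
        })
    return flows


def correlate(flows, watchlist, dport=27015, proto=17):
    """Summarise flows from watch-listed sources to dport/proto (17 = UDP)."""
    hits = [f for f in flows
            if f["src"] in watchlist and f["dport"] == dport and f["proto"] == proto]
    per_src = Counter(f["src"] for f in hits)
    return {
        "flows": len(hits),
        "sources": dict(per_src),
        "not_seen": sorted(watchlist - set(per_src)),
        "first": min((f["ts"] for f in hits), default=None),
        "last": max((f["ts"] for f in hits), default=None),
        # Bytes per packet minus headers: the UDP payload size(s) observed.
        "payload_sizes": sorted({f["bytes"] // f["packets"] - IP_UDP_HEADER_BYTES
                                 for f in hits}),
        # Distinct source ports per host: a fresh port for every one-packet
        # flow is a different shape from one long-lived game session.
        "sports_per_src": {src: len({f["sport"] for f in hits if f["src"] == src})
                           for src in per_src},
    }


if __name__ == "__main__":
    report = correlate(parse_flows(SAMPLE_FLOWS), WATCHLIST)
    print(f"{report['flows']} flows from {len(report['sources'])} watch-listed hosts, "
          f"{report['first']} to {report['last']}")
    for src, n in sorted(report["sources"].items(), key=lambda kv: -kv[1]):
        print(f"  {src:16} {n} flows, {report['sports_per_src'][src]} source ports")
    print("UDP payload sizes seen:", report["payload_sizes"])
    print("watch-listed but never seen:", report["not_seen"])
```

On the post's own records every flow is 1 packet of 37 layer-3 bytes, which under the header assumption above is a 9-byte UDP payload; the script reports that size rather than guessing what the bytes were.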
On 8/22/03 8:50 PM, "Matt Martini" <martini@invision.net> wrote:
I've scanned my Netflow logs for activity associated with the 20 machines that SoBig was targeting and I found some very curious activity.
If what you claim is correct, this could be very bad. The virus is already there on many infected machines, it just needs a way to communicate with other infected hosts to coordinate its bidding. IRC has been a weak link for viruses as they can usually be tracked and stopped in short order, however with gaming machines, it may be a little bit harder.

Maybe there are no master servers. Maybe it doesn't need one. Perhaps it just uses a network like GameSpy to find public Halflife (or other gaming) servers to get the viruses to "link" together. Infected boxes would then communicate on random Halflife servers all over the net (there are thousands of them).

Maybe the clients don't find the masters, maybe the masters find the clients. Maybe the list of "20 servers" was just a decoy of sorts. It would be nearly impossible to track the source of who is controlling the infected boxes.

Clever...

--
Robert Blayzor, BOFH
INOC, LLC
rblayzor@inoc.net
PGP: http://www.inoc.net/~dev/
Key fingerprint = A445 7D1E 3D4F A4EF 6875 21BB 1BAA 10FE 5748 CFE9

"If I had it all to do over again, I'd spell creat with an 'e'." - Kernighan
Hi

I popped onto #nanog on EFnet last night reporting UDP "gaming" traffic hitting our services from those 20 boxes and got laughed at for suggesting "game" traffic; I'm glad someone else noticed it too!

We run lots of game servers in the UK and most of the CS ones were getting traffic from those 20 boxes (blocked with an ACL). I'll have to check through my netflow logs for more details.

Also, "Stephen J. Wilcox" saw traffic destined for his CS servers. They were trying to hit servers in multiple subnets, all on ports 270XX.

Best Regards
Darren Smith
Game Digital Ltd

----- Original Message -----
From: "Robert Blayzor" <rblayzor@inoc.net>
To: "Matthew E. Martini" <martini@invision.net>; "North American Network Operators Group" <nanog@merit.edu>
Sent: Saturday, August 23, 2003 3:05 AM
Subject: Re: W32/Sobig-F - Halflife correlation ???
On 8/23/03 7:17 AM, "Darren Smith" <data@barrysworld.com> wrote:
They were trying to hit servers in multiple subnets, all on ports 270XX.
I'm not sure on this. Lots of gaming servers use the 270XX UDP range. Quake3, HL, etc.

It may be possible it's just probing for other HL servers running on different ports. A lot of these games also use the same gaming engine for the network and graphics abilities, so it's possible HL may not be the only "game server" in the mix, it may be any game that uses the HL engine. I know there are several out there, Counterstrike being one of them.

So if it's not looking for a HL only exploit, I'd bet it's trying to get the infected machines to link up and communicate via the network of gaming servers. This could be very bad because there could be virtually no way to stop this other than taking down the "Game Spy" type networks so the computers can't find each other.

--
Robert Blayzor, BOFH
INOC, LLC
rblayzor@inoc.net
PGP: http://www.inoc.net/~dev/
Key fingerprint = A445 7D1E 3D4F A4EF 6875 21BB 1BAA 10FE 5748 CFE9

"Oh my God, Space Aliens!! Don't eat me, I have a wife and kids! Eat them!" -- Homer J. Simpson
Hi

Just a quick look at my syslog file, where MOO is the name of my ACL.

fgrep MOO /var/log/cisco/<router>.log | grep 27015 -c
2383
fgrep MOO /var/log/cisco/<router>.log | grep 27016 -c
459
fgrep MOO /var/log/cisco/<router>.log | grep 27017 -c
210
fgrep MOO /var/log/cisco/<router>.log | grep 27018 -c
59

As you can see most of them were on 27015; these logs were from just one of my transit interfaces.

Best Regards
Darren Smith

----- Original Message -----
From: "Robert Blayzor" <rblayzor@inoc.net>
To: "North American Network Operators Group" <nanog@merit.edu>
Sent: Saturday, August 23, 2003 1:05 PM
Subject: Re: W32/Sobig-F - Halflife correlation ???
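Darren's four greps above count log lines per destination port. The following added example (not code from the thread) does the same tally in one pass over a Cisco syslog file, but also sums the per-message packet counts and records the distinct sources per port. The reason to sum packets: IOS ACL logging reports the first matching packet and then, by default, a summary line roughly every five minutes carrying a packet count, so counting lines understates the traffic. The log lines are constructed in the %SEC-6-IPACCESSLOGP format; the ACL name MOO is Darren's, the hostname gw1 and the addresses 192.0.2.x / 198.51.100.7 are placeholders.

```python
"""Summarise Cisco IOS ACL log messages by destination port and source.

Added example; not from the original thread. Sums the packet counts carried
in each %SEC-6-IPACCESSLOGP message instead of counting lines, and keeps the
set of source addresses seen per port.
"""
import re
from collections import Counter, defaultdict

# Constructed sample in the IOS ACL-log format. Line 3 is a five-minute
# summary for the same source as line 1; line 5 is a different ACL and
# protocol; line 7 is an unrelated syslog message.
SAMPLE_LOG = """\
Aug 23 12:01:05 gw1 101: %SEC-6-IPACCESSLOGP: list MOO denied udp 67.73.21.6(50416) -> 192.0.2.10(27015), 1 packet
Aug 23 12:01:09 gw1 102: %SEC-6-IPACCESSLOGP: list MOO denied udp 61.38.187.59(43445) -> 192.0.2.10(27016), 1 packet
Aug 23 12:06:05 gw1 103: %SEC-6-IPACCESSLOGP: list MOO denied udp 67.73.21.6(50416) -> 192.0.2.10(27015), 12 packets
Aug 23 12:06:10 gw1 104: %SEC-6-IPACCESSLOGP: list MOO denied udp 24.33.66.38(19736) -> 192.0.2.11(27017), 1 packet
Aug 23 12:07:00 gw1 105: %SEC-6-IPACCESSLOGP: list OTHER denied tcp 198.51.100.7(4444) -> 192.0.2.10(27015), 1 packet
Aug 23 12:07:30 gw1 106: %SEC-6-IPACCESSLOGP: list MOO denied udp 12.232.104.221(64550) -> 192.0.2.10(27015), 1 packet
Aug 23 12:08:00 gw1 107: %SYS-5-CONFIG_I: Configured from console by admin on vty0
"""

ACL_RE = re.compile(
    r"%SEC-6-IPACCESSLOGP: list (?P<acl>\S+) (?P<action>permitted|denied) "
    r"(?P<proto>\w+) (?P<src>\d+\.\d+\.\d+\.\d+)\((?P<sport>\d+)\) -> "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\((?P<dport>\d+)\), (?P<packets>\d+) packets?"
)


def summarise_acl_log(text, acl="MOO", port_range=range(27000, 27100)):
    """Per destination port in port_range: log lines, summed packets, distinct sources."""
    lines = Counter()
    packets = Counter()
    sources = defaultdict(set)
    for line in text.splitlines():
        m = ACL_RE.search(line)
        if not m or m.group("acl") != acl:
            continue  # other ACLs and non-ACL syslog messages
        dport = int(m.group("dport"))
        if dport not in port_range:
            continue
        lines[dport] += 1
        packets[dport] += int(m.group("packets"))
        sources[dport].add(m.group("src"))
    return {
        port: {"lines": lines[port], "packets": packets[port],
               "sources": sorted(sources[port])}
        for port in sorted(lines)
    }


if __name__ == "__main__":
    for port, s in summarise_acl_log(SAMPLE_LOG).items():
        print(f"udp/{port}: {s['lines']} log lines, {s['packets']} packets, "
              f"{len(s['sources'])} sources: {', '.join(s['sources'])}")
```

Run it against the real file with `summarise_acl_log(open(path).read())`; restricting `port_range` to the 270XX block keeps the output to the game-server ports the thread is about.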
Did anyone else see anything with regards to this thread?

Regards
Darren Smith

----- Original Message -----
From: "Darren Smith" <data@barrysworld.com>
To: "Robert Blayzor" <rblayzor@inoc.net>; "North American Network Operators Group" <nanog@merit.edu>
Sent: Saturday, August 23, 2003 1:22 PM
Subject: Re: W32/Sobig-F - Halflife correlation ???
Regarding the Half-Life exploits, the 'remote root' exploits have been addressed to VALVe and they were fixed in 3.1.1.1d for Linux (4.1.1.1d for win32), which was released July 30th 2003 [1].

Now, the bug was reported to VALVe on April 18th 2003, but it didn't hit Bugtraq until July 29th, 2003 [2].

On the other hand though, a lot of server admins (from what I can grasp from the hlds_linux mailing list) do not run x.1.1.1d for the simple fact that it uses a bit more CPU than x.1.1.0c. There is an unofficial patch for x.1.1.0c that does plug the hole.

Unless this worm is communicating with an unknown hole or something...

Thanks
Adam

[1] http://www.mail-archive.com/hlds_linux%40list.valvesoftware.com/msg17381.html
[2] http://www.securityfocus.com/archive/1/330880/2003-07-26/2003-08-01/0

----------------------------------------------------
Adam 'Starblazer' Romberg        Appleton: 920-738-9032
System Administrator             ExtremePC LLC -=- http://www.extremepcgaming.net

On Mon, 25 Aug 2003, Darren Smith wrote:
Realistically, it doesn't need a hole to communicate. All it needs to do is impersonate a player that doesn't mind dying a lot. It can still communicate with its "team-mates" using the built-in communications channels in the game and it can still use CS servers as a directory service. These are FEATURES of the game with no vulnerability required.

Owen

--On Tuesday, August 26, 2003 6:12 AM -0500 Adam 'Starblazer' Romberg <star@extremepcgaming.net> wrote:
-----Original Message----- From: Matt Martini Sent: Friday, 22 August, 2003 20:51 To: North American Network Operators Group Subject: W32/Sobig-F - Halflife correlation ???
Are there any Halflife vulnerabilities that the virus writers are using?
There are many hl vulnerabilities, specifically a recent equivalent of 'remote root' was revealed a week or two ago. -Jim P.
One possibility is that half-life servers are inherently directory services. The list of connected players could be used to encode directory data for the worm to attack.

Owen

--On Friday, August 22, 2003 8:50 PM -0400 Matt Martini <martini@invision.net> wrote:
participants (6)
- Adam 'Starblazer' Romberg
- Darren Smith
- Jim Popovitch
- Matt Martini
- Owen DeLong
- Robert Blayzor