On June 4th around 8:30 EDT, the popular online game server, Battle.Net (http://www.battle.net) began restricting bots from logging onto their servers. Many players had used these bots to control their private "clan channels". Since they were no longer able to use their old bots (i.e.: http://www.ultimatebot.com), they turned to using "binary" bots that are able to fool the BattleNet servers into thinking that they are a player logging onto the server instead of a bot.

The vast majority of these bots being passed around are "trojaned" with various backdoors that load Sub7 onto the victim's box, or DL Sub7 onto the victim's box. One popular binary bot making the rounds is Damnbot (http://damnbot.cjb.net). Although the webpage claims to say the version available for download is virus-free, it indeed contains a backdoor which was caught by McAfee using their latest defs. Others floating around are ScBot and D2SkyBot (particularly nasty).

I have samples of the D2 and SC bots available for inspection...

William S. Paris
Telecommunication/Network Analyst
Sorrento Lactalis Inc.
bparisat_private

-----Original Message-----
From: Obert, Jack E. [mailto:JObertat_private]
Sent: Tuesday, June 12, 2001 9:43 AM
To: 'incidentsat_private'
Subject: Increase in Sub7 scans

Since February, I've been receiving tcp port scans for the default sub7 port (27374) at a rate of approximately 3-4 per day. Starting on June 8th to present, I've been receiving them at 9 times that rate.

6/5/01 - 3 Scans
6/6/01 - 4 Scans
6/7/01 - 3 Scans
6/8/01 - 8 Scans
6/9/01 - 14 Scans
6/10/01 - 38 Scans
6/11/01 - 22 Scans

Any ideas on what could have sparked this increased scanning? A new utility? A new vulnerability related to sub7? New media publicity?

Thanks

Jack E. Obert, GSEC
Technical Information Security Officer
St. John's Health System

This archive was generated by hypermail 2b30 : Tue Jun 12 2001 - 20:47:04 PDT