Bla Trojan connection attempt from game server while playing online


    Looking for some info from you veterans.

    I was playing UT2k4 online when Norton Internet Security 2004 interrupted to announce a blocked attempt by Bla Trojan horse to connect to my computer.

    I checked Norton's Visual Tracking and it revealed that the attack originated from the game server's IP. I sent the tracking details to the Abuse administrator whose address was listed therein.

    Does anyone know/can anyone explain to a relative noob how they were even able to make that attempt?

    What would they have hoped to accomplish if they were successful in connecting?

    Has anyone had the misfortune to have been successfully attacked by Bla Trojan?

    As I implied, I'm just looking to understand what was happening here.

    Thanks to all in advance.

    #2
    Umm, I would like more info about this "trojan", like what port and protocol it uses.



      #3
      The following is from the NIS2004 Alerts log:

      Details: Rule "Default Block Bla Trojan horse" blocked (xx.xx.xx.xxx,1042)
      Inbound UDP packet
      Local address,service is (MyComputer(xxx.xxx.xxx.xxx),1042)
      Remote address,service is (xx.xxx.xxx.1xxx,7777)
      Process name is "N/A"

      I "x'd" out the IP info because I don't want to make it public at this point.



        #4
        My best guess is it was a malformed packet, since it looks like it's coming from a UT2004 port. I would chalk it up to a corruption at some point, and not actually an attempt to do anything malicious.



          #5
          Hope you're right. That would be a relief.

          A malformed packet can appear to be Bla Trojan horse? How can that be? Wouldn't it have to match a signature file in NIS2004?



            #6
            Basically your firewall is simply checking for a specific port, not a signature. Most do that today; basically if it's UDP and connecting on port blah, it's most likely blah trojan.

            Comment
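The difference between the port-only matching described in post #6 and a check that also looks at connection state, as an added example (not code from the thread or from Norton): it parses an alert in the format quoted in post #3 and reports whether the blocked packet answers a flow the machine itself opened. The documentation-range IPs, the flow table and the function names are constructed for illustration, and the rule is assumed to match on local UDP port 1042 alone.

```python
import re

BLA_RULE_PORT = 1042  # assumption: the rule matches this local UDP port and nothing else

# Constructed alert in the format quoted in post #3 (documentation-range IPs).
SAMPLE_ALERT = '''Details: Rule "Default Block Bla Trojan horse" blocked (192.0.2.10,1042)
Inbound UDP packet
Local address,service is (MyComputer(192.0.2.10),1042)
Remote address,service is (198.51.100.20,7777)
Process name is "N/A"'''

ALERT_RE = re.compile(
    r'Rule "(?P<rule>[^"]+)" blocked.*?'
    r'Inbound (?P<proto>\w+) packet.*?'
    r'Local address,service is \(.+?,(?P<lport>\d+)\).*?'
    r'Remote address,service is \((?P<rhost>[^,]+),(?P<rport>\d+)\)',
    re.S)

def parse_alert(text):
    """Extract rule name, protocol and endpoints from one alert, or None."""
    m = ALERT_RE.search(text)
    if m is None:
        return None
    pkt = m.groupdict()
    pkt["lport"], pkt["rport"] = int(pkt["lport"]), int(pkt["rport"])
    return pkt

def port_only_rule(pkt):
    """The matching post #6 describes: protocol and port, no payload check."""
    return pkt["proto"] == "UDP" and pkt["lport"] == BLA_RULE_PORT

def triage(pkt, outbound_flows):
    """Classify a hit using the connection state the port rule ignores."""
    if not port_only_rule(pkt):
        return "no-hit"
    if (pkt["proto"], pkt["lport"], pkt["rhost"], pkt["rport"]) in outbound_flows:
        return "reply-to-own-flow"  # the game client itself is using the flagged port
    return "unsolicited"            # no local socket asked for this packet

if __name__ == "__main__":
    # Constructed flow table: the game client sent from local port 1042 to the server.
    flows = {("UDP", 1042, "198.51.100.20", 7777)}
    pkt = parse_alert(SAMPLE_ALERT)
    print(pkt["rule"], "->", triage(pkt, flows))
    print("same packet, no matching flow ->", triage(pkt, set()))
```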


              #7
              That's good to know.

              I had been under the impression that they were signatures, like virus signatures are, but now I know better.

              Thanks.



                #8
                Most firewalls don't use sigs, but a number of Network Intrusion Detection Systems do (such as Snort). I know some firewalls are including IDSs in their products though, such as Sygate. But the use of signatures doesn't stop them from having false positives.



                  #9
                  That's interesting. Two different ways to handle Trojan attacks.

                  Any idea why Norton would choose ID'ing an attack by port association vs. signature as used in snort?



                    #10
                    Just reread your post and noted that false positives will happen.

                    I guess that doesn't surprise me, though it is disappointing to hear.



                      #11
                      Yeah, it's definitely a false positive. I've seen this happen as well to several clan members running NIS. Just make a rule to allow it or it will keep coming back. Seems to happen to me if I ping pretty high to the server...say over 120.



                        #12
                        I've had "Probably Trojan Probe" alerts on my firewall from my ISP, one of my favorite sites, 2k4 server, other completely benign sites.
                        I just chalk it up to borked packets



                          #13
                          Thanks for the feedback. Good things to know.
