Netwire RAT from Blizzard IP Pool

Yesterday I’ve installed Unifi Dream Machine Pro on my home network and noticed that I am getting “pinged” by Blizzard servers every hour or so.
IPS also detecting those “pings” as “TROJAN Netwire RAT”.

Worth noting, application is not running (disabled from starting up automatically) and no other Blizzard related services are running. So this is straight up “ping” initiated by the Blizzard servers.

Here are screenshots from the IPS report page - _


There is a thread from December 2020,
Given the fact ,as GM mentioned, that servers are hosted on GCP and knowing that there might be some “dynamic” in the IP assignment to the server, i cannot whitelist range of IPs i don’t trust, nor am i going to allow port 3274 to be accessible by anyone. As much as i trust Blizzard using this port, i don’t trust other people who might use it to do something nasty.

And just to clarify even more, people are reporting traffic coming from countries their servers are located in. Well, mine is Kazzak (France??), so having those “pings” originating from USA is a bit strange for me.

And the main problem is, i see those come up more often when i am playing WoW, however, after about 2 or 3 of those messages WoW gives me and Error code and throws me out of the game (with freeze on my side, can still perfectly see what others are doing, even chat works), totally understandable as your service is probably waiting for something in return and 3 out of 3 times i am not returning a thing as my IPS blocked the initial request, so there is nothing on my side that has any idea that it must reply.

So far, as of 8th of March 2021, these are the whitelisted IPs and Subnets i had to add to at least mitigate 90% of the disconnects associated with “IDS/IPS”:

1. - subnet (Blizzard)
2. - subnet (Blizzard)
3. - subnet (Blizzard)
4. - Google Cloud (single IP address, might be different for you)
1 Like

For what it’s worth, I have the same issue, and it continues to persist to this day. Thanks for reporting it here so I could find it in a web search and not panic.

This is also discussed on the Ubiquity community forums. URL mangled here to dodge the fairly aggressive anti-spam measures here: community dot ui dot com slash questions slash Threat-Management-Alert-1-A-Network-Trojan-was-Detected-Signature-ET-TROJAN-Netwire-RAT-Check-in slash 80ea2e34-d5a9-487a-98ed-19be7c9cd7ea