Welcome to the Cyber-TA
SRI's Multiperspective Malware Infection Analysis Page

PUBLIC PAGE

<Click here: to download BotHunter>

06 October 2007
<prev>   <next>

All data collection and analyses summarized in this page were 100% AUTO-GENERATED.

DEVELOPERS: Vinod Yegneswaran (SRI), Phillip Porras (SRI), Hassen Saidi (SRI)
Monirul Sharif (Georgia-Tech), Arvind Narayanan (University of Texas at Austin)

The data on this website is provided for research purposes only. It is provided
for your personal use only and is supplied AS IS, WITHOUT WARRANTY OF ANY KIND.
Use or reliance on this data is at your own risk.


Daily Summary Files: [DNS Lookups & Failed Connects] [ Attacker IPs ] [C&C Servers] [Binary Digests]
Cumulative Summary Files: [DNS Lookup Log] [Attacker IP Log] [C&C Server Log] [Antivirus Detection] [Code Segment Overlap]
[Behavioral Clusters] [Binary Digest Log]

[See Country Codes ]
Time
 		Victim
OS
 		Infection
Source
 		C&C
Server
 		DNS Lookups &
Failed Connects 		Infection
Port
 		Packet
Trace
 		Detection
Signatures
 		Infection
Chatter
 		BotHunter
Analysis
 		Behavioral
Cluster
 		Forensic
Logs
 		Antivirus
Labels
 		Packed Malware_Binary Unpacked egg.exe
 		Unpacked egg.asm
 		Packer PEID
 		Data Strings
 		Syscall Trace
T:00:07:00 WinXP 82.245.142.168 (PROXAD.NET):
PROXAD / FREE SAS,
NICE, PROVENCE-ALPES-COTE D'AZUR, FR. 		211.233.7.66:7000 KR:saber4.ircqforum.com
KR:211.233.7.66:7000 		445 pcap raw alerts
ruleset 		ftp
irc
20 lines 		Yeah : 1.3
profile 		C:1117
Medium 		summary
tarball 		7 of 32 c8331d1ba1
[Firefox:27 hits: 09-23 to 10-30] 		d070c1373f [0] ASM:Graph
 ASPack| lines=2931
embedded dns 		trace
T:00:44:00 WinXP 59.112.240.191 (HINET.NET):
CHTD CHUNGHWA TELECOM CO. LTD,
TAIPEI, T'AI-PEI, TW. 		n/a   445 pcap raw alerts
ruleset 		shell
shell
ftp
shell
19 lines 		Yeah : 0.8
profile 		F:324
Medium 		summary
tarball 		none none none none none none none
T:00:50:00 WinXP 91.165.82.212 (PPP.TISCALI.FR):
NONE,
PARIS, ILE-DE-FRANCE, FR. (DIAL) 		n/a  
CZ:217.170.244.2:443
CZ:82.114.64.251:443 		445 pcap raw alerts
ruleset 		shell
ftp
18 lines 		Yeah : 1.3
profile 		B:1262
Low 		summary
tarball 		29 of 32 5902b1cedd
[Firefox: 2 hits: 09-24 to 10-06] 		73c18afd83 [0] ASM:Graph
 FSG| lines=1961
embedded dns 		trace
01:21:00 WinXP 66.137.71.74 (SWBELL.NET):
DIAL POOL - AS,
EDMOND, OKLAHOMA, US. (DIAL) 		n/a   445 pcap raw alerts
ruleset 		shell
ftp
19 lines 		Yeah : 0.8
profile 		F:324
High 		summary
tarball 		none none none none none none none
01:36:00 Win2K-f 122.29.84.207 (OCN.NE.JP):
OPEN COMPUTER NETWORK,
JP. 		67.43.236.67:8080 CA:xx.ka3ek.com
CA:www.nadsam0.info
CA:72.10.167.74:80 		445 pcap raw alerts
ruleset 		ftp
irc
24 lines 		Yeah : 1.8
profile 		-
Outlier 		summary
tarball 		none none none none none none none
01:48:00 WinXP 60.34.186.167 (PLALA.OR.JP):
PLALA NETWORKS INC,
JP. 		n/a   445 pcap raw alerts
ruleset 		shell
3 lines 		Yeah : 0.8
profile 		Z:48
High 		summary
tarball 		none none none none none none none
03:00:00 WinXP 89.252.29.153 (FREENET.COM.UA):
FOR FREENET CUSTOMERS AND INFRASTRUCTURE,
KIEV, MISTO KYYIV, UA. 		n/a RU:proxim.ircgalaxy.pl
UA:citi-bank.ru
UA:194.54.90.246:80
RU:81.95.146.253:65520 		445 pcap raw alerts
ruleset 		http
1 line 		Yeah : 1.3
profile 		X:64
High 		summary
tarball 		31 of 32 b37139d812
[Firefox: 4 hits: 10-06 to 10-14] 		4b6fefe095 [0] ASM:Graph
 PolyEnE| lines=129 trace
T:03:51:00 WinXP 211.0.241.169 (OCN.NE.JP):
OPEN COMPUTER NETWORK,
JP. 		n/a CA:sisxteen.oihduhdd.net
:sdihsihdsfsofhsohs.net
:nagoo.nagitiriheiwu.net
CN:220.196.59.226:2234 		445 pcap raw alerts
ruleset 		shell
ftp
18 lines 		Yeah : 0.8
profile 		-
Outlier 		summary
tarball 		24 of 29 97ac56e1eb
[Firefox:13 hits: 07-10 to 10-06] 		d4642127b1 [0] none:none
 none|none lines=52 trace
T:04:03:00 WinXP 218.171.219.250 (HINET.NET):
CHTD CHUNGHWA TELECOM CO. LTD,
KAOHSIUNG, KAO-HSIUNG, TW. 		n/a   445 pcap raw alerts
ruleset 		shell
ftp
23 lines 		Yeah : 0.8
profile 		F:324
Medium 		summary
tarball 		none none none none none none none
04:17:00 Win2K-f 86.74.62.229 (GAOLAND.NET):
DYNAMIC POOLS,
FR. 		n/a   445 pcap raw alerts
ruleset 		shell
ftp
17 lines 		Yeah : 0.8
profile 		B:1262
Medium 		summary
tarball 		none none none none none none none
T:05:38:00 Win2K-f 82.245.142.168 (PROXAD.NET):
PROXAD / FREE SAS,
NICE, PROVENCE-ALPES-COTE D'AZUR, FR. 		n/a KR:scorti1.dns2go.com
KR:211.233.7.66:7000 		445 pcap raw alerts
ruleset 		ftp
12 lines 		Yeah : 0.8
profile 		C:1117
Medium 		summary
tarball 		12 of 32 a937513a33
[Firefox: 4 hits: 09-11 to 10-06] 		816f78fc82 [0] ASM:Graph
 none|none lines=2906
embedded dns 		trace
06:13:00 Win2K-f 121.95.79.199 (INFOWEB.NE.JP):
INFOWEB(FUJITSU LTD.),
TOKYO, TOKYO, JP. 		n/a  
CZ:217.170.244.2:443
CZ:82.114.64.251:443 		445 pcap raw alerts
ruleset 		shell
ftp
18 lines 		Yeah : 1.3
profile 		AA:50
High 		summary
tarball 		29 of 32 f377307ecb
[Firefox: 6 hits: 07-31 to 10-28] 		191e08961b [0] ASM:Graph
 FSG| lines=1943
embedded dns 		trace
T:06:23:00 WinXP 61.231.233.219 (HINET.NET):
CHTD CHUNGHWA TELECOM CO. LTD,
TW. 		n/a   445 pcap raw alerts
ruleset 		shell
ftp
18 lines 		Yeah : 0.8
profile 		F:324
Medium 		summary
tarball 		none none none none none none none
06:30:00 WinXP 82.160.240.114 (-):
TELEKOMUNIKACJA KOLEJOWA SP. Z O.O,
AMSTERDAM, NOORD-HOLLAND, NL. 		n/a UA:citi-bank.ru
UA:194.54.90.246:80 		445 pcap raw alerts
ruleset 		http
1 line 		Yeah : 1.3
profile 		A:2701
High 		summary
tarball 		29 of 29 3ae357d17b
[Firefox:426 hits: 05-01 to 10-30] 		2771c2be39 [0] ASM:Graph
 PolyEnE| lines=76 trace
06:41:00 WinXP 4.245.242.183 (LEVEL3.NET):
LEVEL 3 COMMUNICATIONS INC,
NEW HAVEN, CONNECTICUT, US. (DIAL) 		n/a  
CZ:217.170.244.2:443
CZ:82.114.64.251:443 		445 pcap raw alerts
ruleset 		shell
ftp
21 lines 		Yeah : 1.3
profile 		B:1262
High 		summary
tarball 		25 of 28 7fdfe363d5
[Firefox:1064 hits: 07-11 to 10-30] 		48de9c8163 [0] ASM:Graph
 FSG| lines=539 trace
T:06:57:00 WinXP 84.53.209.111 (VSI.RU):
JSC CENTERTELECOM,
RU. 		n/a   445 pcap raw alerts
ruleset 		http
1 line 		Yeah : 0.8
profile 		AB:46
Low 		summary
tarball 		30 of 32 0ad52ffdd9
NEW 		6e6181b4e0 [0] ASM:Graph
 PolyEnE| lines=84 trace
T:06:58:00 Win2K-f 220.137.199.205 (HINET.NET):
CHTD CHUNGHWA TELECOM CO. LTD,
TW. 		n/a  
CZ:217.170.244.2:443
CZ:82.114.64.251:443 		445 pcap raw alerts
ruleset 		shell
ftp
17 lines 		Yeah : 1.3
profile 		B:1262
High 		summary
tarball 		25 of 28 7fdfe363d5
[Firefox:1064 hits: 07-11 to 10-30] 		48de9c8163 [0] ASM:Graph
 FSG| lines=539 trace
T:07:02:00 WinXP 88.105.225.205 (AS9105.COM):
TISCALI UK LTD,
LONDON, ENGLAND, UK. (DSL) 		n/a   445 pcap raw alerts
ruleset 		shell
shell
ftp
shell
18 lines 		Yeah : 0.8
profile 		F:324
Medium 		summary
tarball 		none none none none none none none
T:07:35:00 WinXP 218.41.91.78 (SO-NET.NE.JP):
SO-NET SERVICE,
JP. 		n/a   445 pcap raw alerts
ruleset 		shell
ftp
15 lines 		Yeah : 1.3
profile 		none summary
tarball 		29 of 29 831f4ee0a7
[Firefox:203 hits: 07-11 to 10-30] 		4f4827aebb [0] ASM:Graph
 |PECompact lines=63 trace
07:56:00 WinXP 211.122.34.69 (OCN.NE.JP):
NTT COMMUNICATIONS CORPORATION,
NAHA, OKINAWA, JP. 		n/a UA:citi-bank.ru
UA:194.54.90.246:80 		445 pcap raw alerts
ruleset 		http
1 line 		Yeah : 1.3
profile 		A:2701
High 		summary
tarball 		29 of 29 aa298099d5
[Firefox: 5 hits: 05-04 to 10-06] 		a32f91a12d [0] ASM:Graph
 PolyEnE| lines=70 trace
08:31:00 WinXP 24.211.219.103 (RR.COM):
ROAD RUNNER HOLDCO LLC,
DURHAM, NORTH CAROLINA, US. 		n/a UA:citi-bank.ru
UA:194.54.90.246:80 		445 pcap raw alerts
ruleset 		http
1 line 		Yeah : 1.3
profile 		A:2701
High 		summary
tarball 		26 of 28 7d99b0e910
[Firefox:1822 hits: 05-01 to 10-30] 		106a109040 [0] ASM:Graph
 PolyEnE| lines=70 trace
08:33:00 Win2K-f 189.5.160.137 (BRASILTELECOM.NET.BR):
COMITE GESTOR DA INTERNET NO BRASIL,
GOIâNIA, GOIáS, BR. 		n/a   445 pcap raw alerts
ruleset 		ftp
12 lines 		Yeah : 0.8
profile 		N:94
High 		summary
tarball 		8 of 32 90cf2f1999
NEW 		none [4] none:none
 none|none none trace
T:09:07:00 Win2K-f 130.13.224.180 (QWEST.NET):
QWEST BROADBAND SERVICES INC,
PHOENIX, ARIZONA, US. 		n/a   445 pcap raw alerts
ruleset 		ftp
12 lines 		Yeah : 0.8
profile 		N:94
Medium 		summary
tarball 		9 of 32 51be10f5a0
[Firefox:24 hits: 09-25 to 10-26] 		none [4] none:none
 ASPack| none trace
09:33:00 Win2K-f 88.65.41.227 (ARCOR-IP.NET):
ARCOR-DSL-NET,
MUNICH, BAYERN, DE. (DSL) 		217.170.244.2:443  
CZ:217.170.244.2:443
CZ:82.114.64.251:443 		445 pcap raw alerts
ruleset 		shell
ftp
irc
28 lines 		Yeah : 1.8
profile 		B:1262
High 		summary
tarball 		25 of 28 7fdfe363d5
[Firefox:1064 hits: 07-11 to 10-30] 		48de9c8163 [0] ASM:Graph
 FSG|