Score: 1.8 (>= 0.8) Infected Target: 192.168.1.243 Infector List: 114.48.174.152 Egg Source List: 114.48.174.152 C & C List: 66.252.13.212 (5) Peer Coord. List: Resource List: 66.252.13.212 Observed Start: 09/24/2009 22:13:53.320 PDT Report End: 09/24/2009 22:13:53.360 PDT Gen. Time: 09/24/2009 22:16:50.294 PDT INBOUND SCAN EXPLOIT 114.48.174.152 (4) (22:13:53.320 PDT-22:13:53.360 PDT) event=1:21390 (2) {tcp} E2[rb] REGISTERED FREE SHELLCODE x86 inc ebx NOOP 2: 445<-55927 (22:13:53.320 PDT-22:13:53.360 PDT) ------------------------- event=1:299998 (2) {tcp} E2[rb] SHELLCODE x86 inc ebx NOOP 2: 445<-55927 (22:13:53.320 PDT-22:13:53.360 PDT) EXPLOIT (slade) EGG DOWNLOAD 114.48.174.152 (3) (22:13:53.320 PDT) event=1:2000427 {tcp} E3[rb] ET POLICY PE EXE Install Windows file download 73<-7339 (22:14:22.991 PDT) ------------------------- event=1:2007726 {tcp} E3[rb] ET ATTACK RESPONSE Unusual FTP Server Banner on High Port (StnyFtpd) 1032<-59590 (22:14:06.248 PDT) ------------------------- event=1:3000006 {tcp} E3[rb] BotHunter MALWARE executable upload 445<-55927 (22:13:53.320 PDT) C and C TRAFFIC 66.252.13.212 (5) (22:16:26.660 PDT) event=1:2000346 {tcp} E4[rb] ET ATTACK RESPONSE IRC - Name response on non-std port 1036<-16667 (22:16:50.236 PDT) ------------------------- event=1:2000355 {tcp} E4[rb] ET POLICY IRC authorization message 1036<-16667 (22:16:49.881 PDT) ------------------------- event=1:2001184 {tcp} E4[rb] BLEEDING-EDGE WORM RXBOT / rbOT Vulnerability Scan 1036<-16667 (22:16:50.294 PDT) ------------------------- event=1:2406000 {tcp} E4[rb] ET rbN Known Russian Business Network Traffic - Hosting Nets 1034<-16667 (22:16:26.660 PDT) ------------------------- event=1:2406019 {tcp} E4[rb] ET RBN Known Russian Business Network Monitored Domains (15) 1034<-16667 (22:16:26.660 PDT) PEER COORDINATION OUTBOUND SCAN ATTACK PREP 66.252.13.212 (22:16:50.179 PDT) event=1:2000352 {tcp} E6[rb] ET ATTACK RESPONSE IRC - dns request on non-std port 1036->16667 (22:16:50.179 PDT) DECLARE BOT tcpslice 1253855633.320 1253855633.361 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.243' ============================== SEPARATOR ================================