Score: 1.8 (>= 0.8)
Infected Target: 192.168.1.190
Infector List: 83.135.66.187
Egg Source List: 83.135.66.187
C & C List: 66.252.13.212 (9)
Peer Coord. List:
Resource List: 66.252.13.212
Observed Start: 09/25/2009 02:41:17.697 PDT
Report End: 09/25/2009 02:46:41.478 PDT
Gen. Time: 09/25/2009 02:46:41.478 PDT

INBOUND SCAN

EXPLOIT
 83.135.66.187 (4) (02:41:17.719 PDT-02:41:17.739 PDT)
  event=1:21390 (2) {tcp} E2[rb] REGISTERED FREE SHELLCODE x86 inc ebx NOOP
  2: 445<-13056 (02:41:17.719 PDT-02:41:17.739 PDT)
  -------------------------
  event=1:299998 (2) {tcp} E2[rb] SHELLCODE x86 inc ebx NOOP
  2: 445<-13056 (02:41:17.719 PDT-02:41:17.739 PDT)

EXPLOIT (slade)

EGG DOWNLOAD
 83.135.66.187 (3) (02:41:17.697 PDT)
  event=1:2000427 {tcp} E3[rb] ET POLICY PE EXE Install Windows file download
  68<-13567 (02:41:19.781 PDT)
  -------------------------
  event=1:2007726 {tcp} E3[rb] ET ATTACK RESPONSE Unusual FTP Server Banner on High Port (StnyFtpd)
  1027<-33439 (02:41:18.634 PDT)
  -------------------------
  event=1:3000006 {tcp} E3[rb] BotHunter MALWARE executable upload
  445<-13056 (02:41:17.697 PDT)

C and C TRAFFIC
 66.252.13.212 (9) (02:41:26.950 PDT-02:46:41.478 PDT)
  event=1:2000346 (2) {tcp} E4[rb] ET ATTACK RESPONSE IRC - Name response on non-std port
  2: 1031<-16667 (02:41:27.495 PDT-02:41:29.582 PDT)
  -------------------------
  event=1:2000355 {tcp} E4[rb] ET POLICY IRC authorization message
  1031<-16667 (02:41:27.197 PDT)
  -------------------------
  event=1:2001184 {tcp} E4[rb] BLEEDING-EDGE WORM RXBOT / rbOT Vulnerability Scan
  1031<-16667 (02:41:27.568 PDT)
  -------------------------
  event=1:2406000 (2) {tcp} E4[rb] ET rbN Known Russian Business Network Traffic - Hosting Nets
  1031<-16667 (02:42:58.256 PDT)
  1030<-16667 (02:41:26.950 PDT)
  -------------------------
  event=1:2406019 (3) {tcp} E4[rb] ET RBN Known Russian Business Network Monitored Domains (15)
  2: 1031<-16667 (02:42:58.256 PDT-02:46:41.478 PDT)
  1030<-16667 (02:41:26.950 PDT)

PEER COORDINATION

OUTBOUND SCAN

ATTACK PREP
 66.252.13.212 (02:41:27.438 PDT)
  event=1:2000352 {tcp} E6[rb] ET ATTACK RESPONSE IRC - dns request on non-std port
  1031->16667 (02:41:27.438 PDT)

DECLARE BOT

tcpslice 1253871677.697 1253872001.479 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.190'

============================== SEPARATOR ================================

Score: 1.0 (>= 0.8)
Infected Target: 192.168.1.190
Infector List:
Egg Source List:
C & C List: 66.252.13.212 (4)
Peer Coord. List:
Resource List: 66.252.13.212
Observed Start: 09/25/2009 02:46:41.478 PDT
Gen. Time: 09/25/2009 02:46:42.946 PDT

INBOUND SCAN

EXPLOIT

EXPLOIT (slade)

EGG DOWNLOAD

C and C TRAFFIC
 66.252.13.212 (4) (02:46:41.478 PDT)
  event=1:2000346 {tcp} E4[rb] ET ATTACK RESPONSE IRC - Name response on non-std port
  1558<-16667 (02:46:42.888 PDT)
  -------------------------
  event=1:2000355 {tcp} E4[rb] ET POLICY IRC authorization message
  1558<-16667 (02:46:41.609 PDT)
  -------------------------
  event=1:2001184 {tcp} E4[rb] BLEEDING-EDGE WORM RXBOT / rbOT Vulnerability Scan
  1558<-16667 (02:46:42.946 PDT)
  -------------------------
  event=1:2406000 {tcp} E4[rb] ET rbN Known Russian Business Network Traffic - Hosting Nets
  1031<-16667 (02:46:41.478 PDT)

PEER COORDINATION

OUTBOUND SCAN

ATTACK PREP
 66.252.13.212 (02:46:42.830 PDT)
  event=1:2000352 {tcp} E6[rb] ET ATTACK RESPONSE IRC - dns request on non-std port
  1558->16667 (02:46:42.830 PDT)

DECLARE BOT

tcpslice 1253872001.478 1253872001.479 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.190'

============================== SEPARATOR ================================