Score: 1.8 (>= 0.8) Infected Target: 192.168.1.175 Infector List: 83.135.71.114 Egg Source List: 83.135.71.114 C & C List: 66.252.13.212 (6) Peer Coord. List: Resource List: 66.252.13.212 Observed Start: 09/27/2009 15:20:16.872 PDT Report End: 09/27/2009 15:27:54.196 PDT Gen. Time: 09/27/2009 15:27:54.196 PDT INBOUND SCAN EXPLOIT 83.135.71.114 (4) (15:20:16.894 PDT-15:20:16.915 PDT) event=1:21390 (2) {tcp} E2[rb] REGISTERED FREE SHELLCODE x86 inc ebx NOOP 2: 445<-16536 (15:20:16.894 PDT-15:20:16.915 PDT) ------------------------- event=1:299998 (2) {tcp} E2[rb] SHELLCODE x86 inc ebx NOOP 2: 445<-16536 (15:20:16.894 PDT-15:20:16.915 PDT) EXPLOIT (slade) EGG DOWNLOAD 83.135.71.114 (3) (15:20:16.872 PDT) event=1:2000427 {tcp} E3[rb] ET POLICY PE EXE Install Windows file download 73<-17142 (15:20:19.319 PDT) ------------------------- event=1:2007726 {tcp} E3[rb] ET ATTACK RESPONSE Unusual FTP Server Banner on High Port (StnyFtpd) 1032<-37636 (15:20:17.931 PDT) ------------------------- event=1:3000006 {tcp} E3[rb] BotHunter MALWARE executable upload 445<-16536 (15:20:16.872 PDT) C and C TRAFFIC 66.252.13.212 (6) (15:23:13.942 PDT-15:27:54.196 PDT) event=1:2000346 {tcp} E4[rb] ET ATTACK RESPONSE IRC - Name response on non-std port 1036<-16667 (15:23:14.162 PDT) ------------------------- event=1:2000355 {tcp} E4[rb] ET POLICY IRC authorization message 1036<-16667 (15:23:14.004 PDT) ------------------------- event=1:2001184 {tcp} E4[rb] BLEEDING-EDGE WORM RXBOT / rbOT Vulnerability Scan 1036<-16667 (15:23:14.221 PDT) ------------------------- event=1:2406000 {tcp} E4[rb] ET rbN Known Russian Business Network Traffic - Hosting Nets 1036<-16667 (15:23:13.942 PDT) ------------------------- event=1:2406019 (2) {tcp} E4[rb] ET RBN Known Russian Business Network Monitored Domains (15) 2: 1036<-16667 (15:23:13.942 PDT-15:27:54.196 PDT) PEER COORDINATION OUTBOUND SCAN ATTACK PREP 66.252.13.212 (15:23:14.105 PDT) event=1:2000352 {tcp} E6[rb] ET ATTACK RESPONSE IRC - dns request on non-std port 1036->16667 (15:23:14.105 PDT) DECLARE BOT tcpslice 1254090016.872 1254090474.197 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.175' ============================== SEPARATOR ================================ Score: 1.0 (>= 0.8) Infected Target: 192.168.1.175 Infector List: Egg Source List: C & C List: 66.252.13.212 (4) Peer Coord. List: Resource List: 66.252.13.212 Observed Start: 09/27/2009 15:27:54.196 PDT Gen. Time: 09/27/2009 15:27:56.514 PDT INBOUND SCAN EXPLOIT EXPLOIT (slade) EGG DOWNLOAD C and C TRAFFIC 66.252.13.212 (4) (15:27:54.196 PDT) event=1:2000346 {tcp} E4[rb] ET ATTACK RESPONSE IRC - Name response on non-std port 1064<-16667 (15:27:56.514 PDT) ------------------------- event=1:2000355 {tcp} E4[rb] ET POLICY IRC authorization message 1064<-16667 (15:27:54.364 PDT) ------------------------- event=1:2001184 {tcp} E4[rb] BLEEDING-EDGE WORM RXBOT / rbOT Vulnerability Scan 1064<-16667 (15:27:55.202 PDT) ------------------------- event=1:2406000 {tcp} E4[rb] ET rbN Known Russian Business Network Traffic - Hosting Nets 1036<-16667 (15:27:54.196 PDT) PEER COORDINATION OUTBOUND SCAN ATTACK PREP 66.252.13.212 (15:27:54.628 PDT) event=1:2000352 {tcp} E6[rb] ET ATTACK RESPONSE IRC - dns request on non-std port 1064->16667 (15:27:54.628 PDT) DECLARE BOT tcpslice 1254090474.196 1254090474.197 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.175' ============================== SEPARATOR ================================