Score: 1.0 (>= 0.8) Infected Target: 130.107.200.208 Infector List: 84.51.81.98 Egg Source List: 84.51.81.98 C & C List: Peer Coord. List: Resource List: Observed Start: 05/07/2008 01:17:31.000 PDT Report End: 05/07/2008 01:17:31.643 PDT Gen. Time: 05/07/2008 01:17:36.275 PDT INBOUND SCAN 84.51.81.98 (01:17:31.459 PDT) event=551:5555001 {tcp} E1[sc] scade detected scan by 84.51.81.98:[445 ] 0<-445 (01:17:31.459 PDT) EXPLOIT 84.51.81.98 (18) (01:17:31.000 PDT-01:17:31.643 PDT) event=1:1390 (8) {tcp} E2[rb] REGISTERED FREE SHELLCODE x86 inc ebx NOOP 2: 445<-1604 (01:17:31.643 PDT-01:17:31.643 PDT) 2: 445<-1603 (01:17:31.641 PDT-01:17:31.641 PDT) 2: 445<-1569 (01:17:31.455 PDT-01:17:31.455 PDT) 2: 445<-1600 (01:17:31.642 PDT-01:17:31.642 PDT) ------------------------- event=1:2001944 {tcp} E2[rb] BLEEDING-EDGE EXPLOIT MS04-007 Kill-Bill ASN1 exploit attempt 445<-1569 (01:17:31.455 PDT) ------------------------- event=1:3003 {tcp} E2[rb] NETBIOS SMB-DS Session Setup NTMLSSP unicode asn1 overflow attempt 445<-1569 (01:17:31.000 PDT) ------------------------- event=1:99998 (8) {tcp} E2[rb] SHELLCODE x86 inc ebx NOOP 2: 445<-1569 (01:17:31.455 PDT-01:17:31.455 PDT) 2: 445<-1604 (01:17:31.643 PDT-01:17:31.643 PDT) 2: 445<-1603 (01:17:31.641 PDT-01:17:31.641 PDT) 2: 445<-1600 (01:17:31.642 PDT-01:17:31.642 PDT) EXPLOIT (slade) EGG DOWNLOAD 84.51.81.98 (2) (01:17:31.000 PDT) event=1:2001684 {tcp} E3[rb] BLEEDING-EDGE Malware Windows executable sent from remote host, Win32 1033<-2440 (01:17:36.275 PDT) ------------------------- event=1:3000006 {tcp} E3[rb] BotHunter MALWARE executable upload 445<-1569 (01:17:31.000 PDT) C and C TRAFFIC PEER COORDINATION OUTBOUND SCAN ATTACK PREP DECLARE BOT tcpslice 1210148251.000 1210148251.644 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 130.107.200.208' ============================== SEPARATOR ================================