Score: 1.5 (>= 0.8)
Infected Target: 130.107.242.44
Infector List: 160.7.234.19
Egg Source List: 160.7.234.19
C & C List: 222.177.11.165
Peer Coord. List:
Resource List:
Observed Start: 05/17/2008 18:31:26.000 PDT
Report End: 05/17/2008 18:31:28.332 PDT
Gen. Time: 05/17/2008 18:43:07.131 PDT

INBOUND SCAN
160.7.234.19 (18:31:26.482 PDT)
 event=551:5555001 {tcp} E1[sc] scade detected scan by 160.7.234.19:[445 ] 0<-445 (18:31:26.482 PDT)

EXPLOIT
160.7.234.19 (15) (18:31:26.000 PDT-18:31:28.332 PDT)
 event=1:1390 (6) {tcp} E2[rb] REGISTERED FREE SHELLCODE x86 inc ebx NOOP
 2: 445<-1848 (18:31:28.330 PDT-18:31:28.332 PDT)
 2: 445<-1806 (18:31:26.454 PDT-18:31:26.465 PDT)
 2: 445<-1805 (18:31:26.482 PDT-18:31:26.484 PDT)
 -------------------------
 event=1:2001944 (2) {tcp} E2[rb] BLEEDING-EDGE EXPLOIT MS04-007 Kill-Bill ASN1 exploit attempt
 445<-1848 (18:31:28.330 PDT)
 445<-1806 (18:31:26.454 PDT)
 -------------------------
 event=1:3003 {tcp} E2[rb] NETBIOS SMB-DS Session Setup NTMLSSP unicode asn1 overflow attempt
 445<-1806 (18:31:26.000 PDT)
 -------------------------
 event=1:99998 (6) {tcp} E2[rb] SHELLCODE x86 inc ebx NOOP
 2: 445<-1806 (18:31:26.454 PDT-18:31:26.465 PDT)
 2: 445<-1848 (18:31:28.330 PDT-18:31:28.332 PDT)
 2: 445<-1805 (18:31:26.482 PDT-18:31:26.484 PDT)

EXPLOIT (slade)

EGG DOWNLOAD
160.7.234.19 (3) (18:31:26.452 PDT)
 event=1:2001684 {tcp} E3[rb] BLEEDING-EDGE Malware Windows executable sent from remote host, Win32 1033<-1810 (18:31:27.051 PDT)
 -------------------------
 event=1:3000006 (2) {tcp} E3[rb] BotHunter MALWARE executable upload
 445<-1806 (18:31:26.452 PDT)
 445<-1848 (18:31:28.308 PDT)

C and C TRAFFIC
222.177.11.165 (18:43:07.131 PDT)
 event=1:2002024 {tcp} E4[rb] BLEEDING-EDGE TROJAN IRC NICK command 1038->7000 (18:43:07.131 PDT)

PEER COORDINATION

OUTBOUND SCAN

ATTACK PREP

DECLARE BOT

tcpslice 1211074286.000 1211074288.333 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 130.107.242.44'

============================== SEPARATOR ================================