Score: 1.8 (>= 0.8)
Infected Target: 130.107.210.1
Infector List: 58.229.109.172
Egg Source List: 58.229.109.172
C & C List: 69.64.51.132 (4), 210.245.211.11
Peer Coord. List:
Resource List:
Observed Start: 07/26/2008 18:32:38.026 PDT
Report End: 07/26/2008 18:32:38.396 PDT
Gen. Time: 07/26/2008 18:32:56.847 PDT

INBOUND SCAN

EXPLOIT
58.229.109.172 (3) (18:32:38.026 PDT-18:32:38.396 PDT)
 event=1:2003081 {tcp} E2[rb] ET EXPLOIT NETBIOS SMB DCERPC NetrpPathCanonicalize request (possible MS06-040)
 139<-3684 (18:32:38.396 PDT)
 -------------------------
 event=1:22002903 (2) {tcp} E2[rb] BLEEDING-EDGE EXPLOIT x86 PexFnstenvMov/Sub Encoder 2:
 139<-3684 (18:32:38.026 PDT-18:32:38.396 PDT)

EXPLOIT (slade)

EGG DOWNLOAD
58.229.109.172 (4) (18:32:45.904 PDT)
 event=1:2001683 (2) {tcp} E3[rb] BLEEDING-EDGE Malware Windows executable sent from remote host
 1027<-9731 (18:32:45.904 PDT)
 71<-1038 (18:32:52.958 PDT)
 -------------------------
 event=1:5001684 (2) {tcp} E3[rb] BotHunter Malware Windows executable (PE) sent from remote host
 1027<-9731 (18:32:45.904 PDT)
 71<-1038 (18:32:52.958 PDT)

C and C TRAFFIC
69.64.51.132 (4) (18:32:56.891 PDT)
 event=1:2000355 {tcp} E4[rb] ET POLICY IRC authorization message
 1033<-6789 (18:32:56.891 PDT)
 -------------------------
 event=1:2000356 {tcp} E4[rb] ET POLICY IRC connection
 1033<-6789 (18:32:57.285 PDT)
 -------------------------
 event=1:2001584 {tcp} E4[rb] BLEEDING-EDGE VIRUS Bot Reporting Scan/Exploit
 1033->6789 (18:32:57.433 PDT)
 -------------------------
 event=1:2002930 {tcp} E4[rb] BLEEDING-EDGE WORM perlb0t Bot Reporting Scan/Exploit
 1033->6789 (18:32:57.433 PDT)
210.245.211.11 (18:32:51.908 PDT)
 event=1:2003603 {tcp} E4[rb] ET TROJAN W32.Virut.A joining an IRC Channel
 1029->65520 (18:32:51.908 PDT)

PEER COORDINATION

OUTBOUND SCAN
58.229.109.172 (18:32:38.989 PDT)
 event=1:52123 {tcp} E5[rb] REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner
 9192->3870 (18:32:38.989 PDT)

ATTACK PREP

DECLARE BOT

tcpslice 1217122358.026 1217122358.397 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 130.107.210.1'

============================== SEPARATOR ================================