Score: 1.3 (>= 0.8)
Infected Target: 130.107.169.90
Infector List: 92.84.71.221
Egg Source List: 92.84.71.221
C & C List: 69.42.216.108
Peer Coord. List:
Resource List:
Observed Start: 08/30/2008 10:07:09.306 PDT
Report End: 08/30/2008 10:07:09.358 PDT
Gen. Time: 08/30/2008 10:12:23.705 PDT

INBOUND SCAN

EXPLOIT
92.84.71.221 (4) (10:07:09.332 PDT-10:07:09.358 PDT)
 event=1:21390 (2) {tcp} E2[rb] REGISTERED FREE SHELLCODE x86 inc ebx NOOP 2: 445<-55565 (10:07:09.332 PDT-10:07:09.358 PDT)
 -------------------------
 event=1:299998 (2) {tcp} E2[rb] SHELLCODE x86 inc ebx NOOP 2: 445<-55565 (10:07:09.332 PDT-10:07:09.358 PDT)

EXPLOIT (slade)

EGG DOWNLOAD
92.84.71.221 (3) (10:07:09.306 PDT)
 event=1:2001683 {tcp} E3[rb] BLEEDING-EDGE Malware Windows executable sent from remote host 1033<-59769 (10:07:26.144 PDT)
 -------------------------
 event=1:3000007 {tcp} E3[rb] BotHunter MALWARE executable upload 445<-55565 (10:07:09.306 PDT)
 -------------------------
 event=1:5001684 {tcp} E3[rb] BotHunter Malware Windows executable (PE) sent from remote host 1033<-59769 (10:07:26.144 PDT)

C and C TRAFFIC
69.42.216.108 (10:12:23.705 PDT)
 event=1:2000355 {tcp} E4[rb] ET POLICY IRC authorization message 1035<-9890 (10:12:23.705 PDT)

PEER COORDINATION

OUTBOUND SCAN

ATTACK PREP

DECLARE BOT

tcpslice 1220116029.306 1220116029.359 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 130.107.169.90'

============================== SEPARATOR ================================

Score: 1.0 (>= 0.8)
Infected Target: 130.107.169.90
Infector List:
Egg Source List:
C & C List: 69.42.216.108
Peer Coord. List:
Resource List: 69.42.216.108
Observed Start: 08/30/2008 10:12:23.954 PDT
Gen. Time: 08/30/2008 10:17:19.078 PDT

INBOUND SCAN

EXPLOIT

EXPLOIT (slade)

EGG DOWNLOAD

C and C TRAFFIC
69.42.216.108 (10:17:19.078 PDT)
 event=1:2000355 {tcp} E4[rb] ET POLICY IRC authorization message 1466<-9890 (10:17:19.078 PDT)

PEER COORDINATION

OUTBOUND SCAN

ATTACK PREP
69.42.216.108 (10:12:23.954 PDT)
 event=1:2000352 {tcp} E6[rb] ET ATTACK RESPONSE IRC - dns request on non-std port 1035->9890 (10:12:23.954 PDT)

DECLARE BOT

tcpslice 1220116343.954 1220116343.955 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 130.107.169.90'

============================== SEPARATOR ================================

Score: 1.0 (>= 0.8)
Infected Target: 130.107.169.90
Infector List:
Egg Source List:
C & C List: 69.42.216.108 (3)
Peer Coord. List:
Resource List: 69.42.216.108 (2)
Observed Start: 08/30/2008 10:17:19.265 PDT
Gen. Time: 08/30/2008 10:18:22.136 PDT

INBOUND SCAN

EXPLOIT

EXPLOIT (slade)

EGG DOWNLOAD

C and C TRAFFIC
69.42.216.108 (3) (10:18:17.576 PDT)
 event=1:2000346 {tcp} E4[rb] ET ATTACK RESPONSE IRC - Name response on non-std port 1638<-2010 (10:18:17.624 PDT)
 -------------------------
 event=1:2000355 {tcp} E4[rb] ET POLICY IRC authorization message 1638<-2010 (10:18:17.576 PDT)
 -------------------------
 event=1:2002930 {tcp} E4[rb] BLEEDING-EDGE WORM perlb0t Bot Reporting Scan/Exploit 1638->2010 (10:18:22.136 PDT)

PEER COORDINATION

OUTBOUND SCAN

ATTACK PREP
69.42.216.108 (2) (10:17:19.265 PDT)
 event=1:2000352 (2) {tcp} E6[rb] ET ATTACK RESPONSE IRC - dns request on non-std port 1466->9890 (10:17:19.265 PDT) 1638->2010 (10:18:17.604 PDT)

DECLARE BOT

tcpslice 1220116639.265 1220116639.266 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 130.107.169.90'

============================== SEPARATOR ================================