Score: 1.3 (>= 0.8)
Infected Target: 130.107.179.206
Infector List: 89.147.73.20
Egg Source List: 115.126.2.110, 89.147.73.20, 92.48.201.47
C & C List: 115.126.2.121 (2)
Peer Coord. List:
Resource List:
Observed Start: 10/25/2008 20:41:10.182 PDT
Report End: 10/25/2008 20:41:10.564 PDT
Gen. Time: 10/25/2008 20:47:30.636 PDT

INBOUND SCAN

EXPLOIT
89.147.73.20 (2) (20:41:10.182 PDT-20:41:10.564 PDT)
  event=1:2003081 (2) {tcp} E2[rb] ET EXPLOIT NETBIOS SMB DCERPC NetrpPathCanonicalize request (possible MS06-040) 2: 139<-1050 (20:41:10.182 PDT-20:41:10.564 PDT)

EXPLOIT (slade)

EGG DOWNLOAD
115.126.2.110 (20:41:28.570 PDT)
  event=1:3000003 {tcp} E3[rb] BotHunter HTTP-based .exe Upload on backdoor port 1032->80 (20:41:28.570 PDT)
89.147.73.20 (2) (20:41:18.748 PDT)
  event=1:2001683 {tcp} E3[rb] BLEEDING-EDGE Malware Windows executable sent from remote host 9988<-1353 (20:41:18.748 PDT)
  -------------------------
  event=1:5001684 {tcp} E3[rb] BotHunter Malware Windows executable (PE) sent from remote host 9988<-1353 (20:41:18.748 PDT)
92.48.201.47 (20:42:50.995 PDT)
  event=1:3000003 {tcp} E3[rb] BotHunter HTTP-based .exe Upload on backdoor port 1030->80 (20:42:50.995 PDT)

C and C TRAFFIC
115.126.2.121 (2) (20:41:24.012 PDT)
  event=1:2003603 (2) {tcp} E4[rb] ET TROJAN W32.Virut.A joining an IRC Channel 1031->65520 (20:41:24.012 PDT)
  1026->65520 (20:42:46.943 PDT)

PEER COORDINATION

OUTBOUND SCAN

ATTACK PREP

DECLARE BOT

tcpslice 1224992470.182 1224992470.565 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 130.107.179.206'