Score: 1.8 (>= 0.8) Infected Target: 130.107.237.90 Infector List: 91.64.27.46 Egg Source List: 91.64.27.46 C & C List: 69.42.216.108 Peer Coord. List: Resource List: 69.42.216.108 Observed Start: 11/16/2008 08:27:57.912 PST Report End: 11/16/2008 08:27:57.932 PST Gen. Time: 11/16/2008 08:31:56.918 PST INBOUND SCAN EXPLOIT 91.64.27.46 (5) (08:27:57.912 PST-08:27:57.932 PST) event=1:21390 (2) {tcp} E2[rb] REGISTERED FREE SHELLCODE x86 inc ebx NOOP 2: 445<-1156 (08:27:57.920 PST-08:27:57.932 PST) ------------------------- event=1:23003 {tcp} E2[rb] NETBIOS SMB-DS Session Setup NTMLSSP unicode asn1 overflow attempt 445<-1156 (08:27:57.912 PST) ------------------------- event=1:299998 (2) {tcp} E2[rb] SHELLCODE x86 inc ebx NOOP 2: 445<-1156 (08:27:57.920 PST-08:27:57.932 PST) EXPLOIT (slade) EGG DOWNLOAD 91.64.27.46 (3) (08:27:57.916 PST) event=1:2001683 {tcp} E3[rb] BLEEDING-EDGE Malware Windows executable sent from remote host 1033<-1722 (08:27:59.828 PST) ------------------------- event=1:3000007 {tcp} E3[rb] BotHunter MALWARE executable upload 445<-1156 (08:27:57.916 PST) ------------------------- event=1:5001684 {tcp} E3[rb] BotHunter Malware Windows executable (PE) sent from remote host 1033<-1722 (08:27:59.828 PST) C and C TRAFFIC 69.42.216.108 (08:31:56.661 PST) event=1:2000355 {tcp} E4[rb] ET POLICY IRC authorization message 1035<-9890 (08:31:56.661 PST) PEER COORDINATION OUTBOUND SCAN ATTACK PREP 69.42.216.108 (08:31:56.918 PST) event=1:2000352 {tcp} E6[rb] ET ATTACK RESPONSE IRC - dns request on non-std port 1035->9890 (08:31:56.918 PST) DECLARE BOT tcpslice 1226852877.912 1226852877.933 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 130.107.237.90' ============================== SEPARATOR ================================