Score: 2.3 (>= 0.8)
Infected Target: 130.107.142.46
Infector List: 130.13.154.111
Egg Source List: 130.13.154.111
C & C List: 79.132.211.24, 204.8.223.249 (2)
Peer Coord. List:
Resource List: 204.8.223.249
Observed Start: 11/24/2008 20:47:39.696 PST
Report End: 11/24/2008 20:48:01.396 PST
Gen. Time: 11/24/2008 20:48:01.396 PST

INBOUND SCAN

EXPLOIT
130.13.154.111 (5) (20:47:39.696 PST-20:47:39.738 PST)
 event=1:21390 (2) {tcp} E2[rb] REGISTERED FREE SHELLCODE x86 inc ebx NOOP 2: 445<-1212 (20:47:39.725 PST-20:47:39.738 PST)
 -------------------------
 event=1:23003 {tcp} E2[rb] NETBIOS SMB-DS Session Setup NTMLSSP unicode asn1 overflow attempt 445<-1212 (20:47:39.696 PST)
 -------------------------
 event=1:299998 (2) {tcp} E2[rb] SHELLCODE x86 inc ebx NOOP 2: 445<-1212 (20:47:39.725 PST-20:47:39.738 PST)

EXPLOIT (slade)

EGG DOWNLOAD
130.13.154.111 (4) (20:47:39.711 PST)
 event=1:2001683 {tcp} E3[rb] BLEEDING-EDGE Malware Windows executable sent from remote host 68<-1583 (20:47:40.427 PST)
 -------------------------
 event=1:2007726 {tcp} E3[rb] ET ATTACK RESPONSE Unusual FTP Server Banner on High Port (StnyFtpd) 1027<-15309 (20:47:40.052 PST)
 -------------------------
 event=1:3000006 {tcp} E3[rb] BotHunter MALWARE executable upload 445<-1212 (20:47:39.711 PST)
 -------------------------
 event=1:5001684 {tcp} E3[rb] BotHunter Malware Windows executable (PE) sent from remote host 68<-1583 (20:47:40.427 PST)

C and C TRAFFIC
79.132.211.24 (20:47:49.923 PST)
 event=1:2003603 {tcp} E4[rb] ET TROJAN W32.Virut.A joining an IRC Channel 1030->65520 (20:47:49.923 PST)
204.8.223.249 (2) (20:47:59.257 PST-20:48:00.567 PST)
 event=1:2000346 (2) {tcp} E4[rb] ET ATTACK RESPONSE IRC - Name response on non-std port 2: 1032<-6669 (20:47:59.257 PST-20:48:00.567 PST)

PEER COORDINATION

OUTBOUND SCAN
204.8.223.249 (3) (20:47:59.390 PST-20:48:01.396 PST)
 event=1:2103157 (3) {tcp} E5[rb] ET TROJAN Agobot-SDBot Commands 3: 1032->6669 (20:47:59.390 PST-20:48:01.396 PST)

ATTACK PREP
204.8.223.249 (20:47:59.174 PST)
 event=1:2000352 {tcp} E6[rb] ET ATTACK RESPONSE IRC - dns request on non-std port 1032->6669 (20:47:59.174 PST)

DECLARE BOT

tcpslice 1227588459.696 1227588481.397 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 130.107.142.46'

============================== SEPARATOR ================================