Score: 1.3 (>= 0.8)
Infected Target: 130.107.143.38
Infector List: 211.213.240.61
Egg Source List: 91.207.61.51, 211.213.240.61
C & C List: 121.12.116.142 (2)
Peer Coord. List:
Resource List:
Observed Start: 05/13/2009 02:57:42.364 PDT
Report End: 05/13/2009 02:57:45.338 PDT
Gen. Time: 05/13/2009 02:58:03.776 PDT

INBOUND SCAN

EXPLOIT
211.213.240.61 (5) (02:57:42.364 PDT-02:57:45.338 PDT)
event=1:2003081 (2) {tcp} E2[rb] ET EXPLOIT NETBIOS SMB DCERPC NetrpPathCanonicalize request (possible MS06-040)
2: 139<-2838 (02:57:42.364 PDT-02:57:42.737 PDT)
-------------------------
event=1:299913 (3) {tcp} E2[rb] SHELLCODE x86 0x90 unicode NOOP
139<-2909 (02:57:48.088 PDT)
2: 139<-2890 (02:57:45.338 PDT-02:57:45.338 PDT)

EXPLOIT (slade)

EGG DOWNLOAD
91.207.61.51 (02:58:03.776 PDT)
event=1:3000003 {tcp} E3[rb] BotHunter HTTP-based .exe Upload on backdoor port
1032->80 (02:58:03.776 PDT)
211.213.240.61 (2) (02:57:56.471 PDT)
event=1:2001683 {tcp} E3[rb] BLEEDING-EDGE Malware Windows executable sent from remote host
9988<-3034 (02:57:56.471 PDT)
-------------------------
event=1:5001684 {tcp} E3[rb] BotHunter Malware Windows executable (PE) sent from remote host
9988<-3034 (02:57:56.471 PDT)

C and C TRAFFIC
121.12.116.142 (2) (02:58:01.396 PDT)
event=1:100000273 {tcp} E4[rb] COMMUNITY BOT GTBot info command
1031<-65520 (02:58:02.597 PDT)
-------------------------
event=1:2003603 {tcp} E4[rb] ET TROJAN W32.Virut.A joining an IRC Channel
1031->65520 (02:58:01.396 PDT)

PEER COORDINATION

OUTBOUND SCAN

ATTACK PREP

DECLARE BOT

tcpslice 1242208662.364 1242208665.339 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 130.107.143.38'

============================== SEPARATOR ================================