Score: 1.3 (>= 0.8)
Infected Target: 130.107.204.206
Infector List: 221.127.25.147
Egg Source List: 58.221.251.247, 210.51.51.150, 221.127.25.147
C & C List: 121.12.116.142
Peer Coord. List:
Resource List:
Observed Start: 06/11/2009 06:03:56.539 PDT
Report End: 06/11/2009 06:05:10.670 PDT
Gen. Time: 06/11/2009 06:05:18.296 PDT

INBOUND SCAN

EXPLOIT
221.127.25.147 (6) (06:03:56.539 PDT-06:04:00.161 PDT)
 event=1:22466 (2) {tcp} E2[rb] NETBIOS SMB-DS IPC$ unicode share access
  445<-3091 (06:03:56.539 PDT)
  445<-3357 (06:03:59.378 PDT)
 -------------------------
 event=1:299913 (4) {tcp} E2[rb] SHELLCODE x86 0x90 unicode NOOP
  2: 445<-3357 (06:04:00.159 PDT-06:04:00.161 PDT)
  2: 445<-3091 (06:03:57.163 PDT-06:03:57.165 PDT)

EXPLOIT (slade)

EGG DOWNLOAD
58.221.251.247 (2) (06:05:18.296 PDT)
 event=1:2001683 {tcp} E3[rb] BLEEDING-EDGE Malware Windows executable sent from remote host
  1344<-88 (06:05:18.296 PDT)
 -------------------------
 event=1:5001684 {tcp} E3[rb] BotHunter Malware Windows executable (PE) sent from remote host
  1344<-88 (06:05:18.296 PDT)
210.51.51.150 (5) (06:04:52.431 PDT-06:05:10.670 PDT)
 event=1:2001683 (3) {tcp} E3[rb] BLEEDING-EDGE Malware Windows executable sent from remote host
  1319<-88 (06:04:52.431 PDT)
  2: 1335<-88 (06:05:05.169 PDT-06:05:10.670 PDT)
 -------------------------
 event=1:5001684 (2) {tcp} E3[rb] BotHunter Malware Windows executable (PE) sent from remote host
  1319<-88 (06:04:52.431 PDT)
  1335<-88 (06:05:10.670 PDT)
221.127.25.147 (2) (06:04:01.905 PDT)
 event=1:2000047 {tcp} E3[rb] ET WORM Sasser Transfer _up.exe
  9996<-3764 (06:04:01.905 PDT)
 -------------------------
 event=1:31000004 {tcp} E3[rb] BotHunter Scrip-based Windows egg download .exe
  9996->3764 (06:04:02.484 PDT)

C and C TRAFFIC
121.12.116.142 (06:04:35.537 PDT)
 event=1:2003603 {tcp} E4[rb] ET TROJAN W32.Virut.A joining an IRC Channel
  1301->65520 (06:04:35.537 PDT)

PEER COORDINATION

OUTBOUND SCAN

ATTACK PREP

DECLARE BOT

tcpslice 1244725436.539 1244725510.671 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 130.107.204.206'