Score: 1.3 (>= 0.8) Infected Target: 130.107.233.128 Infector List: 82.114.248.19 Egg Source List: 82.114.248.19 C & C List: 66.252.13.214 (3) Peer Coord. List: Resource List: Observed Start: 09/01/2009 00:59:30.909 PDT Report End: 09/01/2009 00:59:35.234 PDT Gen. Time: 09/01/2009 01:05:55.318 PDT INBOUND SCAN EXPLOIT 82.114.248.19 (17) (00:59:30.909 PDT-00:59:35.234 PDT) event=1:21390 (8) {tcp} E2[rb] REGISTERED FREE SHELLCODE x86 inc ebx NOOP 2: 445<-3393 (00:59:32.594 PDT-00:59:32.615 PDT) 2: 445<-3824 (00:59:35.212 PDT-00:59:35.234 PDT) 2: 445<-3825 (00:59:35.142 PDT-00:59:35.164 PDT) 2: 445<-3111 (00:59:30.954 PDT-00:59:30.976 PDT) ------------------------- event=1:23003 {tcp} E2[rb] NETBIOS SMB-DS Session Setup NTMLSSP unicode asn1 overflow attempt 445<-3111 (00:59:30.909 PDT) ------------------------- event=1:299998 (8) {tcp} E2[rb] SHELLCODE x86 inc ebx NOOP 2: 445<-3824 (00:59:35.212 PDT-00:59:35.234 PDT) 2: 445<-3825 (00:59:35.142 PDT-00:59:35.164 PDT) 2: 445<-3393 (00:59:32.594 PDT-00:59:32.615 PDT) 2: 445<-3111 (00:59:30.954 PDT-00:59:30.976 PDT) EXPLOIT (slade) EGG DOWNLOAD 82.114.248.19 (6) (00:59:30.932 PDT) event=1:2001683 {tcp} E3[rb] BLEEDING-EDGE Malware Windows executable sent from remote host 1033<-3641 (00:59:33.310 PDT) ------------------------- event=1:3000007 (4) {tcp} E3[rb] BotHunter MALWARE executable upload 445<-3111 (00:59:30.932 PDT) 445<-3393 (00:59:32.572 PDT) 445<-3825 (00:59:35.120 PDT) 445<-3824 (00:59:35.189 PDT) ------------------------- event=1:5001684 {tcp} E3[rb] BotHunter Malware Windows executable (PE) sent from remote host 1033<-3641 (00:59:33.310 PDT) C and C TRAFFIC 66.252.13.214 (3) (01:03:16.303 PDT) event=1:2406000 {tcp} E4[rb] ET rbN Known Russian Business Network Traffic - Hosting Nets 1034<-9890 (01:03:16.303 PDT) ------------------------- event=1:2406019 (2) {tcp} E4[rb] ET RBN Known Russian Business Network Monitored Domains (15) 1034<-9890 (01:03:16.303 PDT) 1043<-9890 (01:05:55.318 PDT) PEER COORDINATION OUTBOUND SCAN ATTACK PREP DECLARE BOT tcpslice 1251791970.909 1251791975.235 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 130.107.233.128' ============================== SEPARATOR ================================ Score: 1.0 (>= 0.8) Infected Target: 130.107.233.128 Infector List: Egg Source List: C & C List: 66.252.13.214 (4) Peer Coord. List: Resource List: 66.252.13.214 Observed Start: 09/01/2009 01:05:55.318 PDT Gen. Time: 09/01/2009 01:10:30.492 PDT INBOUND SCAN EXPLOIT EXPLOIT (slade) EGG DOWNLOAD C and C TRAFFIC 66.252.13.214 (4) (01:05:55.318 PDT) event=1:2000355 {tcp} E4[rb] ET POLICY IRC authorization message 1043<-9890 (01:06:17.450 PDT) ------------------------- event=1:2002029 {tcp} E4[rb] ET TROJAN BOT - channel topic scan/exploit command 1043<-9890 (01:06:17.761 PDT) ------------------------- event=1:2406000 {tcp} E4[rb] ET rbN Known Russian Business Network Traffic - Hosting Nets 1043<-9890 (01:05:55.318 PDT) ------------------------- event=1:2406019 {tcp} E4[rb] ET RBN Known Russian Business Network Monitored Domains (15) 1043<-9890 (01:10:30.492 PDT) PEER COORDINATION OUTBOUND SCAN ATTACK PREP 66.252.13.214 (01:06:17.762 PDT) event=1:2000352 {tcp} E6[rb] ET ATTACK RESPONSE IRC - dns request on non-std port 1043->9890 (01:06:17.762 PDT) DECLARE BOT tcpslice 1251792355.318 1251792355.319 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 130.107.233.128' ============================== SEPARATOR ================================