Score: 1.3 (>= 0.8) Infected Target: 130.107.140.145 Infector List: 91.67.35.130 Egg Source List: 91.67.35.130 C & C List: 66.252.13.214 Peer Coord. List: Resource List: Observed Start: 09/01/2009 08:45:00.523 PDT Report End: 09/01/2009 08:45:02.050 PDT Gen. Time: 09/01/2009 08:49:09.599 PDT INBOUND SCAN EXPLOIT 91.67.35.130 (11) (08:45:00.523 PDT-08:45:02.050 PDT) event=1:21390 (2) {tcp} E2[rb] REGISTERED FREE SHELLCODE x86 inc ebx NOOP 2: 445<-1094 (08:45:02.037 PDT-08:45:02.050 PDT) ------------------------- event=1:22000032 {tcp} E2[rb] BLEEDING-EDGE EXPLOIT LSA exploit 445<-4218 (08:45:01.953 PDT) ------------------------- event=1:22466 (2) {tcp} E2[rb] NETBIOS SMB-DS IPC$ unicode share access 445<-3805 (08:45:00.523 PDT) 445<-4218 (08:45:01.204 PDT) ------------------------- event=1:292000032 (2) {tcp} E2[rb] BotHunter EXPLOIT LSA exploit 2: 445<-4218 (08:45:01.948 PDT-08:45:01.953 PDT) ------------------------- event=1:299913 (2) {tcp} E2[rb] SHELLCODE x86 0x90 unicode NOOP 2: 445<-4218 (08:45:01.910 PDT-08:45:01.948 PDT) ------------------------- event=1:299998 (2) {tcp} E2[rb] SHELLCODE x86 inc ebx NOOP 2: 445<-1094 (08:45:02.037 PDT-08:45:02.050 PDT) EXPLOIT (slade) EGG DOWNLOAD 91.67.35.130 (3) (08:45:02.012 PDT) event=1:2001683 {tcp} E3[rb] BLEEDING-EDGE Malware Windows executable sent from remote host 1033<-2059 (08:45:04.211 PDT) ------------------------- event=1:3000007 {tcp} E3[rb] BotHunter MALWARE executable upload 445<-1094 (08:45:02.012 PDT) ------------------------- event=1:5001684 {tcp} E3[rb] BotHunter Malware Windows executable (PE) sent from remote host 1033<-2059 (08:45:04.211 PDT) C and C TRAFFIC 66.252.13.214 (08:49:09.599 PDT) event=1:2406019 {tcp} E4[rb] ET RBN Known Russian Business Network Monitored Domains (15) 1035<-9890 (08:49:09.599 PDT) PEER COORDINATION OUTBOUND SCAN ATTACK PREP DECLARE BOT tcpslice 1251819900.523 1251819902.051 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 130.107.140.145' ============================== SEPARATOR ================================ Score: 1.0 (>= 0.8) Infected Target: 130.107.140.145 Infector List: Egg Source List: C & C List: 66.252.13.214 (5) Peer Coord. List: Resource List: 66.252.13.214 Observed Start: 09/01/2009 08:49:09.599 PDT Report End: 09/01/2009 08:51:20.034 PDT Gen. Time: 09/01/2009 08:51:20.034 PDT INBOUND SCAN EXPLOIT EXPLOIT (slade) EGG DOWNLOAD C and C TRAFFIC 66.252.13.214 (5) (08:49:09.599 PDT-08:51:20.034 PDT) event=1:2000355 {tcp} E4[rb] ET POLICY IRC authorization message 1035<-9890 (08:49:09.662 PDT) ------------------------- event=1:2002029 {tcp} E4[rb] ET TROJAN BOT - channel topic scan/exploit command 1035<-9890 (08:49:09.949 PDT) ------------------------- event=1:2406000 (2) {tcp} E4[rb] ET rbN Known Russian Business Network Traffic - Hosting Nets 2: 1035<-9890 (08:49:09.599 PDT-08:51:20.034 PDT) ------------------------- event=1:2406019 {tcp} E4[rb] ET RBN Known Russian Business Network Monitored Domains (15) 1035<-9890 (08:51:20.034 PDT) PEER COORDINATION OUTBOUND SCAN ATTACK PREP 66.252.13.214 (08:49:09.950 PDT) event=1:2000352 {tcp} E6[rb] ET ATTACK RESPONSE IRC - dns request on non-std port 1035->9890 (08:49:09.950 PDT) DECLARE BOT tcpslice 1251820149.599 1251820280.035 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 130.107.140.145' ============================== SEPARATOR ================================