Score: 1.8 (>= 0.8)
Infected Target: 130.107.140.144
Infector List: 93.221.28.170
Egg Source List: 93.221.28.170
C & C List: 66.252.13.214
Peer Coord. List:
Resource List:
Observed Start: 09/01/2009 08:25:45.885 PDT
Report End: 09/01/2009 08:25:46.457 PDT
Gen. Time: 09/01/2009 08:30:31.965 PDT

INBOUND SCAN

EXPLOIT
93.221.28.170 (6) (08:25:45.885 PDT-08:25:46.457 PDT)
  event=1:22000032 {tcp} E2[rb] BLEEDING-EDGE EXPLOIT LSA exploit 445<-55034 (08:25:46.457 PDT)
  -------------------------
  event=1:22466 {tcp} E2[rb] NETBIOS SMB-DS IPC$ unicode share access 445<-55034 (08:25:45.885 PDT)
  -------------------------
  event=1:292000032 (2) {tcp} E2[rb] BotHunter EXPLOIT LSA exploit 2: 445<-55034 (08:25:46.454 PDT-08:25:46.457 PDT)
  -------------------------
  event=1:299913 (2) {tcp} E2[rb] SHELLCODE x86 0x90 unicode NOOP 2: 445<-55034 (08:25:46.442 PDT-08:25:46.454 PDT)

EXPLOIT (slade)

EGG DOWNLOAD
93.221.28.170 (2) (08:25:51.264 PDT)
  event=1:2001683 {tcp} E3[rb] BLEEDING-EDGE Malware Windows executable sent from remote host 1033<-56258 (08:25:51.264 PDT)
  -------------------------
  event=1:5001684 {tcp} E3[rb] BotHunter Malware Windows executable (PE) sent from remote host 1033<-56258 (08:25:51.264 PDT)

C and C TRAFFIC
66.252.13.214 (08:30:31.965 PDT)
  event=1:2406019 {tcp} E4[rb] ET RBN Known Russian Business Network Monitored Domains (15) 1035<-9890 (08:30:31.965 PDT)

PEER COORDINATION

OUTBOUND SCAN
93.221.28.170 (08:25:47.002 PDT)
  event=1:52123 {tcp} E5[rb] REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner 12045->55297 (08:25:47.002 PDT)

ATTACK PREP

DECLARE BOT

tcpslice 1251818745.885 1251818746.458 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 130.107.140.144'

============================== SEPARATOR ================================

Score: 1.0 (>= 0.8)
Infected Target: 130.107.140.144
Infector List:
Egg Source List:
C & C List: 66.252.13.214 (5)
Peer Coord. List:
Resource List: 66.252.13.214
Observed Start: 09/01/2009 08:30:31.965 PDT
Gen. Time: 09/01/2009 08:32:32.356 PDT

INBOUND SCAN

EXPLOIT

EXPLOIT (slade)

EGG DOWNLOAD

C and C TRAFFIC
66.252.13.214 (5) (08:30:31.965 PDT)
  event=1:2000355 {tcp} E4[rb] ET POLICY IRC authorization message 1036<-9890 (08:32:32.038 PDT)
  -------------------------
  event=1:2002029 {tcp} E4[rb] ET TROJAN BOT - channel topic scan/exploit command 1036<-9890 (08:32:32.355 PDT)
  -------------------------
  event=1:2406000 (2) {tcp} E4[rb] ET rbN Known Russian Business Network Traffic - Hosting Nets 1035<-9890 (08:30:31.965 PDT) 1036<-9890 (08:32:29.027 PDT)
  -------------------------
  event=1:2406019 {tcp} E4[rb] ET RBN Known Russian Business Network Monitored Domains (15) 1036<-9890 (08:32:29.027 PDT)

PEER COORDINATION

OUTBOUND SCAN

ATTACK PREP
66.252.13.214 (08:32:32.356 PDT)
  event=1:2000352 {tcp} E6[rb] ET ATTACK RESPONSE IRC - dns request on non-std port 1036->9890 (08:32:32.356 PDT)

DECLARE BOT

tcpslice 1251819031.965 1251819031.966 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 130.107.140.144'

============================== SEPARATOR ================================