Score: 0.8 (>= 0.8)
Infected Target: 130.107.181.181
Infector List: 80.171.59.135
Egg Source List: 80.171.59.135
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 09/02/2009 06:55:27.746 PDT
Report End: 09/02/2009 06:55:31.749 PDT
Gen. Time: 09/02/2009 06:55:31.749 PDT

   INBOUND SCAN

   EXPLOIT
   80.171.59.135 (21) (06:55:27.766 PDT-06:55:31.749 PDT)
     event=1:21390 (10) {tcp} E2[rb] REGISTERED FREE SHELLCODE x86 inc ebx NOOP
       2: 445<-59683 (06:55:29.529 PDT-06:55:29.551 PDT)
       2: 445<-59742 (06:55:30.339 PDT-06:55:30.361 PDT)
       2: 445<-59541 (06:55:27.766 PDT-06:55:27.787 PDT)
       2: 445<-59687 (06:55:29.461 PDT-06:55:29.483 PDT)
       2: 445<-59865 (06:55:31.728 PDT-06:55:31.749 PDT)
     -------------------------
     event=1:23003 {tcp} E2[rb] NETBIOS SMB-DS Session Setup NTMLSSP unicode asn1 overflow attempt
       445<-59865 (06:55:31.681 PDT)
     -------------------------
     event=1:299998 (10) {tcp} E2[rb] SHELLCODE x86 inc ebx NOOP
       2: 445<-59541 (06:55:27.766 PDT-06:55:27.787 PDT)
       2: 445<-59687 (06:55:29.461 PDT-06:55:29.483 PDT)
       2: 445<-59865 (06:55:31.728 PDT-06:55:31.749 PDT)
       2: 445<-59742 (06:55:30.339 PDT-06:55:30.361 PDT)
       2: 445<-59683 (06:55:29.529 PDT-06:55:29.551 PDT)

   EXPLOIT (slade)

   EGG DOWNLOAD
   80.171.59.135 (7) (06:55:27.746 PDT)
     event=1:2001683 {tcp} E3[rb] BLEEDING-EDGE Malware Windows executable sent from remote host
       1033<-59773 (06:55:30.021 PDT)
     -------------------------
     event=1:3000006 (5) {tcp} E3[rb] BotHunter MALWARE executable upload
       445<-59541 (06:55:27.746 PDT)
       445<-59687 (06:55:29.439 PDT)
       445<-59683 (06:55:29.507 PDT)
       445<-59742 (06:55:30.317 PDT)
       445<-59865 (06:55:31.705 PDT)
     -------------------------
     event=1:5001684 {tcp} E3[rb] BotHunter Malware Windows executable (PE) sent from remote host
       1033<-59773 (06:55:30.021 PDT)

   C and C TRAFFIC

   PEER COORDINATION

   OUTBOUND SCAN

   ATTACK PREP

   DECLARE BOT

tcpslice 1251899727.746 1251899731.750 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 130.107.181.181'

==============================
SEPARATOR
================================
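The profile above is a BotHunter dialog-correlation verdict: inbound exploit-stage (E2) signatures against the target's SMB port 445 (x86 NOOP-sled shellcode and an NTLMSSP ASN.1 overflow attempt from 80.171.59.135), followed within the same four-second window by egg-download-stage (E3) signatures for a Windows PE pushed over 445 and over port 1033 from the same host. E2 plus E3 from one source crosses the 0.8 threshold, so the report ends with DECLARE BOT and a tcpslice/tcpdump line that carves the matching window out of the raw capture. The Python below is an added example, not BotHunter's own code: it parses the header and event lines of this report (embedded as constructed input copied from the page), converts the PDT stamps to the epoch values used in the tcpslice command, and rebuilds that command. It assumes PDT is UTC-7, that the tcpslice end bound is the Report End padded by one millisecond (inferred from the .749 to .750 difference on the page), and that an event line without a parenthesised number represents a single alert.

```python
"""Parse a BotHunter infection profile and derive the pcap carving window.

Added example, not BotHunter's code. Assumptions are marked inline.
"""
import re
from datetime import datetime, timedelta, timezone

# Assumption: the report's PDT timestamps are UTC-7.
PDT = timezone(timedelta(hours=-7))

# Constructed input: the header and a subset of the event lines from the
# profile on this page, in BotHunter's own layout.
REPORT = """\
Score: 0.8 (>= 0.8)
Infected Target: 130.107.181.181
Infector List: 80.171.59.135
Egg Source List: 80.171.59.135
C & C List:
Peer Coord. List:
Observed Start: 09/02/2009 06:55:27.746 PDT
Report End: 09/02/2009 06:55:31.749 PDT

   EXPLOIT
   80.171.59.135 (21) (06:55:27.766 PDT-06:55:31.749 PDT)
     event=1:21390 (10) {tcp} E2[rb] REGISTERED FREE SHELLCODE x86 inc ebx NOOP
       2: 445<-59683 (06:55:29.529 PDT-06:55:29.551 PDT)
       2: 445<-59742 (06:55:30.339 PDT-06:55:30.361 PDT)
     -------------------------
     event=1:23003 {tcp} E2[rb] NETBIOS SMB-DS Session Setup NTMLSSP unicode asn1 overflow attempt
       445<-59865 (06:55:31.681 PDT)

   EGG DOWNLOAD
   80.171.59.135 (7) (06:55:27.746 PDT)
     event=1:2001683 {tcp} E3[rb] BLEEDING-EDGE Malware Windows executable sent from remote host
       1033<-59773 (06:55:30.021 PDT)
     -------------------------
     event=1:3000006 (5) {tcp} E3[rb] BotHunter MALWARE executable upload
       445<-59541 (06:55:27.746 PDT)
       445<-59687 (06:55:29.439 PDT)
"""

HEADER_RE = re.compile(
    r"^(Score|Infected Target|Infector List|Egg Source List|C & C List|"
    r"Peer Coord\. List|Resource List|Observed Start|Report End|Gen\. Time):\s*(.*)$")
# event=<gid>:<sid> [(<alerts>)] {<proto>} <stage>[<engine>] <message>
EVENT_RE = re.compile(r"^\s*event=(\d+):(\d+)(?:\s+\((\d+)\))?\s+\{(\w+)\}\s+(E\d)\[(\w+)\]\s+(.+?)\s*$")
# [<n>: ]<target port><-<infector port> (<time or time range>)
FLOW_RE = re.compile(r"^\s*(?:(\d+):\s+)?(\d+)<-(\d+)\s+\((.+)\)\s*$")


def to_epoch(stamp):
    """'09/02/2009 06:55:27.746 PDT' -> 1251899727.746 (UTC epoch seconds, ms precision)."""
    dt = datetime.strptime(stamp.replace(" PDT", ""), "%m/%d/%Y %H:%M:%S.%f")
    return round(dt.replace(tzinfo=PDT).timestamp(), 3)


def parse_profile(text):
    """Return a dict of header fields plus an 'events' list, each with its flow lines."""
    profile = {"events": []}
    current = None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            key, val = m.groups()
            if key == "Score":
                s = re.match(r"([\d.]+)\s+\(>=\s*([\d.]+)\)", val)
                profile["score"], profile["threshold"] = float(s.group(1)), float(s.group(2))
            elif key.endswith("List"):
                profile[key] = val.split()          # empty list when the field is blank
            elif key in ("Observed Start", "Report End", "Gen. Time"):
                profile[key] = to_epoch(val)
            else:
                profile[key] = val
            continue
        m = EVENT_RE.match(line)
        if m:
            gid, sid, count, proto, stage, engine, msg = m.groups()
            current = {"sid": f"{gid}:{sid}", "count": int(count or 1),  # assumption: no count => 1 alert
                       "proto": proto, "stage": stage, "engine": engine, "msg": msg, "flows": []}
            profile["events"].append(current)
            continue
        m = FLOW_RE.match(line)
        if m and current is not None:
            n, dport, sport, when = m.groups()
            current["flows"].append({"n": int(n or 1), "dport": int(dport), "sport": int(sport), "when": when})
    return profile


def dialog_stages(profile):
    """Distinct dialog stages seen (E2 = exploit, E3 = egg download, ...)."""
    return sorted({e["stage"] for e in profile["events"]})


def stage_ports(profile, stage):
    """Target-side ports touched by the given stage's alerts."""
    return sorted({f["dport"] for e in profile["events"] if e["stage"] == stage for f in e["flows"]})


def declares_bot(profile):
    """BotHunter's DECLARE BOT verdict fires when the score reaches the threshold."""
    return profile["score"] >= profile["threshold"]


def carve_window(profile):
    """tcpslice bounds: Observed Start as is; Report End padded by 1 ms (assumption inferred from the page)."""
    end_ms = int(round(profile["Report End"] * 1000)) + 1
    return profile["Observed Start"], end_ms / 1000


def carve_command(profile, infile="inputFile.tcpd", outfile="outputFile.tcpd"):
    """Rebuild the tcpslice | tcpdump line that isolates the infected host's traffic for the window."""
    start, end = carve_window(profile)
    return (f"tcpslice {start:.3f} {end:.3f} {infile} | "
            f"tcpdump -r - -w {outfile} 'host {profile['Infected Target']}'")


if __name__ == "__main__":
    p = parse_profile(REPORT)
    print("stages:", dialog_stages(p), "bot:", declares_bot(p))
    print(carve_command(p))
```

The time conversion is the part worth checking by hand: 06:55:27.746 PDT on 2009-09-02 is 13:55:27.746 UTC, which is 1251899727.746, exactly the first argument on the report's tcpslice line. When triaging, confirm the carved capture really contains the E3 transfer on 445 and 1033 before treating the host as compromised; the E2 NOOP-sled signatures alone say only that an exploit was attempted.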