Score: 1.3 (>= 0.8)
Infected Target: 130.107.164.160
Infector List: 87.122.208.112
Egg Source List: 87.122.208.112
C & C List: 67.43.236.67
Peer Coord. List:
Resource List:
Observed Start: 09/02/2009 11:49:42.443 PDT
Report End: 09/02/2009 11:49:58.450 PDT
Gen. Time: 09/02/2009 11:49:58.450 PDT

INBOUND SCAN

EXPLOIT
87.122.208.112 (30) (11:49:42.464 PDT-11:49:58.450 PDT)
 event=1:21390 (14) {tcp} E2[rb] REGISTERED FREE SHELLCODE x86 inc ebx NOOP
 2: 445<-3092 (11:49:46.999 PDT-11:49:47.020 PDT)
 2: 445<-7386 (11:49:58.429 PDT-11:49:58.450 PDT)
 2: 445<-1763 (11:49:42.464 PDT-11:49:42.485 PDT)
 2: 445<-3662 (11:49:48.329 PDT-11:49:48.351 PDT)
 2: 445<-2069 (11:49:43.615 PDT-11:49:43.636 PDT)
 2: 445<-5436 (11:49:52.977 PDT-11:49:52.998 PDT)
 2: 445<-2344 (11:49:44.555 PDT-11:49:44.576 PDT)
 -------------------------
 event=1:23003 (2) {tcp} E2[rb] NETBIOS SMB-DS Session Setup NTMLSSP unicode asn1 overflow attempt
 445<-7386 (11:49:58.386 PDT)
 445<-2069 (11:49:43.572 PDT)
 -------------------------
 event=1:299998 (14) {tcp} E2[rb] SHELLCODE x86 inc ebx NOOP
 2: 445<-2344 (11:49:44.555 PDT-11:49:44.576 PDT)
 2: 445<-3662 (11:49:48.329 PDT-11:49:48.351 PDT)
 2: 445<-1763 (11:49:42.464 PDT-11:49:42.485 PDT)
 2: 445<-5436 (11:49:52.977 PDT-11:49:52.998 PDT)
 2: 445<-7386 (11:49:58.429 PDT-11:49:58.450 PDT)
 2: 445<-3092 (11:49:46.999 PDT-11:49:47.020 PDT)
 2: 445<-2069 (11:49:43.615 PDT-11:49:43.636 PDT)

EXPLOIT (slade)

EGG DOWNLOAD
87.122.208.112 (8) (11:49:42.443 PDT)
 event=1:2001683 {tcp} E3[rb] BLEEDING-EDGE Malware Windows executable sent from remote host
 1033<-2640 (11:49:44.942 PDT)
 -------------------------
 event=1:3000006 (7) {tcp} E3[rb] BotHunter MALWARE executable upload
 445<-1763 (11:49:42.443 PDT)
 445<-2069 (11:49:43.594 PDT)
 445<-2344 (11:49:44.534 PDT)
 445<-3092 (11:49:46.977 PDT)
 445<-3662 (11:49:48.308 PDT)
 445<-5436 (11:49:52.955 PDT)
 445<-7386 (11:49:58.408 PDT)

C and C TRAFFIC
67.43.236.67 (11:49:57.837 PDT)
 event=1:2404011 {tcp} E4[rb] ET DROP Known Bot C&C Server Traffic (group 12)
 1034->10324 (11:49:57.837 PDT)

PEER COORDINATION

OUTBOUND SCAN

ATTACK PREP

DECLARE BOT

tcpslice 1251917382.443 1251917398.451 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 130.107.164.160'

============================== SEPARATOR ================================