Score: 1.8 (>= 0.8) Infected Target: 130.107.222.220 Infector List: 122.121.158.42 Egg Source List: 122.121.158.42 C & C List: 66.252.13.212 (10) Peer Coord. List: Resource List: 66.252.13.212 Observed Start: 09/10/2009 22:34:49.880 PDT Report End: 09/10/2009 22:39:56.064 PDT Gen. Time: 09/10/2009 22:39:56.064 PDT INBOUND SCAN EXPLOIT 122.121.158.42 (4) (22:34:49.886 PDT-22:34:49.892 PDT) event=1:21390 (2) {tcp} E2[rb] REGISTERED FREE SHELLCODE x86 inc ebx NOOP 2: 445<-1569 (22:34:49.886 PDT-22:34:49.892 PDT) ------------------------- event=1:299998 (2) {tcp} E2[rb] SHELLCODE x86 inc ebx NOOP 2: 445<-1569 (22:34:49.886 PDT-22:34:49.892 PDT) EXPLOIT (slade) EGG DOWNLOAD 122.121.158.42 (3) (22:34:49.880 PDT) event=1:2000427 {tcp} E3[rb] ET POLICY PE EXE Install Windows file download 73<-1657 (22:34:51.517 PDT) ------------------------- event=1:2007726 {tcp} E3[rb] ET ATTACK RESPONSE Unusual FTP Server Banner on High Port (StnyFtpd) 1032<-42738 (22:34:50.632 PDT) ------------------------- event=1:3000006 {tcp} E3[rb] BotHunter MALWARE executable upload 445<-1569 (22:34:49.880 PDT) C and C TRAFFIC 66.252.13.212 (10) (22:35:19.097 PDT-22:39:56.064 PDT) event=1:2000346 (2) {tcp} E4[rb] ET ATTACK RESPONSE IRC - Name response on non-std port 2: 1035<-16667 (22:35:19.493 PDT-22:35:21.057 PDT) ------------------------- event=1:2000355 {tcp} E4[rb] ET POLICY IRC authorization message 1035<-16667 (22:35:19.217 PDT) ------------------------- event=1:2406000 (3) {tcp} E4[rb] ET rbN Known Russian Business Network Traffic - Hosting Nets 3: 1035<-16667 (22:35:19.097 PDT-22:38:25.666 PDT) ------------------------- event=1:2406019 (4) {tcp} E4[rb] ET RBN Known Russian Business Network Monitored Domains (15) 4: 1035<-16667 (22:35:19.097 PDT-22:39:56.064 PDT) PEER COORDINATION OUTBOUND SCAN ATTACK PREP 66.252.13.212 (22:35:19.436 PDT) event=1:2000352 {tcp} E6[rb] ET ATTACK RESPONSE IRC - dns request on non-std port 1035->16667 (22:35:19.436 PDT) DECLARE BOT tcpslice 1252647289.880 1252647596.065 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 130.107.222.220' ============================== SEPARATOR ================================ Score: 1.0 (>= 0.8) Infected Target: 130.107.222.220 Infector List: Egg Source List: C & C List: 66.252.13.212 (3) Peer Coord. List: Resource List: 66.252.13.212 Observed Start: 09/10/2009 22:47:01.103 PDT Gen. Time: 09/10/2009 22:47:01.180 PDT INBOUND SCAN EXPLOIT EXPLOIT (slade) EGG DOWNLOAD C and C TRAFFIC 66.252.13.212 (3) (22:47:01.103 PDT) event=1:2000346 {tcp} E4[rb] ET ATTACK RESPONSE IRC - Name response on non-std port 3198<-16667 (22:47:02.430 PDT) ------------------------- event=1:2000355 {tcp} E4[rb] ET POLICY IRC authorization message 3198<-16667 (22:47:01.236 PDT) ------------------------- event=1:2406000 {tcp} E4[rb] ET rbN Known Russian Business Network Traffic - Hosting Nets 1035<-16667 (22:47:01.103 PDT) PEER COORDINATION OUTBOUND SCAN ATTACK PREP 66.252.13.212 (22:47:02.373 PDT) event=1:2000352 {tcp} E6[rb] ET ATTACK RESPONSE IRC - dns request on non-std port 3198->16667 (22:47:02.373 PDT) DECLARE BOT tcpslice 1252648021.103 1252648021.104 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 130.107.222.220' ============================== SEPARATOR ================================