Score: 0.8 (>= 0.8)
Infected Target: 130.107.134.235
Infector List: 222.127.187.88
Egg Source List: 69.31.121.50, 64.12.204.18
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 09/22/2009 22:07:53.566 PDT
Report End: 09/22/2009 22:07:57.639 PDT
Gen. Time: 09/22/2009 22:17:14.745 PDT

INBOUND SCAN

EXPLOIT
222.127.187.88 (18) (22:07:53.566 PDT-22:07:57.639 PDT)
 event=1:22000032 (2) {tcp} E2[rb] BLEEDING-EDGE EXPLOIT LSA exploit
  445<-4375 (22:07:57.639 PDT)
  445<-4137 (22:07:54.712 PDT)
 -------------------------
 event=1:22466 (2) {tcp} E2[rb] NETBIOS SMB-DS IPC$ unicode share access
  445<-4137 (22:07:53.566 PDT)
  445<-4375 (22:07:56.614 PDT)
 -------------------------
 event=1:292000032 (4) {tcp} E2[rb] BotHunter EXPLOIT LSA exploit
  2: 445<-4375 (22:07:57.627 PDT-22:07:57.639 PDT)
  2: 445<-4137 (22:07:54.700 PDT-22:07:54.712 PDT)
 -------------------------
 event=1:299906 (10) {tcp} E2[rb] SHELLCODE x86 0x90 unicode NOOP
  5: 445<-4375 (22:07:57.337 PDT-22:07:57.627 PDT)
  5: 445<-4137 (22:07:54.389 PDT-22:07:54.700 PDT)

EXPLOIT (slade)

EGG DOWNLOAD
69.31.121.50 (22:17:14.745 PDT)
 event=1:2002986 {tcp} E3[rb] ET POLICY ICQ Install Direct download - Not normal mode of install
  1031->80 (22:17:14.745 PDT)
64.12.204.18 (22:09:13.574 PDT)
 event=1:3000003 {tcp} E3[rb] BotHunter HTTP-based .exe Upload on backdoor port
  1033->80 (22:09:13.574 PDT)

C and C TRAFFIC

PEER COORDINATION

OUTBOUND SCAN

ATTACK PREP

DECLARE BOT

tcpslice 1253682473.566 1253682477.640 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 130.107.134.235'

============================== SEPARATOR ================================