Score: 0.8 (>= 0.8) Infected Target: 130.107.161.225 Infector List: 89.155.219.83 Egg Source List: 89.155.219.83 C & C List: Peer Coord. List: Resource List: Observed Start: 11/03/2009 13:27:11.840 PST Report End: 11/03/2009 13:27:12.096 PST Gen. Time: 11/03/2009 13:27:14.348 PST INBOUND SCAN EXPLOIT 89.155.219.83 (10) (13:27:11.846 PST-13:27:12.096 PST) event=1:21390 (4) {tcp} E2[rb] REGISTERED FREE SHELLCODE x86 inc ebx NOOP 4: 445<-1631 (13:27:11.846 PST-13:27:12.096 PST) ------------------------- event=1:23003 (2) {tcp} E2[rb] NETBIOS SMB-DS Session Setup NTMLSSP unicode asn1 overflow attempt 2: 445<-1631 (13:27:11.948 PST-13:27:12.017 PST) ------------------------- event=1:299998 (4) {tcp} E2[rb] SHELLCODE x86 inc ebx NOOP 4: 445<-1631 (13:27:11.846 PST-13:27:12.096 PST) EXPLOIT (slade) EGG DOWNLOAD 89.155.219.83 (5) (13:27:11.840 PST-13:27:12.017 PST) event=1:2001683 {tcp} E3[rb] BLEEDING-EDGE Malware Windows executable sent from remote host 1028<-2125 (13:27:14.348 PST) ------------------------- event=1:3000006 (3) {tcp} E3[rb] BotHunter MALWARE executable upload 3: 445<-1631 (13:27:11.840 PST-13:27:12.017 PST) ------------------------- event=1:5001684 {tcp} E3[rb] BotHunter Malware Windows executable (PE) sent from remote host 1028<-2125 (13:27:14.348 PST) C and C TRAFFIC PEER COORDINATION OUTBOUND SCAN ATTACK PREP DECLARE BOT tcpslice 1257283631.840 1257283632.097 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 130.107.161.225' ============================== SEPARATOR ================================