Score:            1.3 (>= 0.8)
Infected Target:  130.107.239.200
Infector List:    80.92.180.198
Egg Source List:  80.92.180.198, 89.149.244.22
C & C List:       69.42.218.70
Peer Coord. List: <unobserved>
Resource List:    <unobserved>
Observed Start:   12/02/2009 22:37:12.054 PST
Gen. Time:        12/02/2009 22:37:25.164 PST

INBOUND SCAN
    <unobserved>

EXPLOIT
    80.92.180.198 (22:37:12.054 PST)
       event=1:299913 {tcp} E2[rb] SHELLCODE x86 0x90 unicode NOOP
          135<-2586 (22:37:12.054 PST)

EXPLOIT (slade)
    <unobserved>

EGG DOWNLOAD
    80.92.180.198 (22:37:13.177 PST)
       event=1:2000427 {tcp} E3[rb] ET POLICY PE EXE Install Windows file download
          1027<-50474 (22:37:13.177 PST)
    
    89.149.244.22 (22:37:25.164 PST)
       event=1:3000003 {tcp} E3[rb] BotHunter HTTP-based .exe Upload on backdoor port
          1030->80 (22:37:25.164 PST)

C and C TRAFFIC
    69.42.218.70 (22:37:24.625 PST)
       event=1:2000355 {tcp} E4[rb] ET POLICY IRC authorization message
          1029<-8585 (22:37:24.625 PST)

PEER COORDINATION
    <unobserved>

OUTBOUND SCAN
    <unobserved>

ATTACK PREP
    <unobserved>

DECLARE BOT
    <unobserved>

tcpslice 1259822232.054 1259822232.055 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 130.107.239.200'

============================== SEPARATOR ================================