Score: 1.8 (>= 0.8)
Infected Target: 130.107.219.191
Infector List: 70.183.160.46
Egg Source List: 210.51.36.215, 70.183.160.46
C & C List: 88.198.228.238, 193.104.94.11
Peer Coord. List:
Resource List:
Observed Start: 12/04/2009 14:31:46.469 PST
Report End: 12/04/2009 14:32:08.594 PST
Gen. Time: 12/04/2009 14:36:33.029 PST

INBOUND SCAN

EXPLOIT
70.183.160.46 (14:31:46.469 PST)
 event=1:299913 {tcp} E2[rb] SHELLCODE x86 0x90 unicode NOOP 135<-2124 (14:31:46.469 PST)

EXPLOIT (slade)

EGG DOWNLOAD
210.51.36.215 (8) (14:32:04.048 PST-14:32:08.594 PST)
 event=1:2001683 (4) {tcp} E3[rb] BLEEDING-EDGE Malware Windows executable sent from remote host 4: 1035<-88 (14:32:04.048 PST-14:32:08.594 PST)
 -------------------------
 event=1:5001684 (4) {tcp} E3[rb] BotHunter Malware Windows executable (PE) sent from remote host 4: 1035<-88 (14:32:04.048 PST-14:32:08.594 PST)
70.183.160.46 (6) (14:31:47.833 PST)
 event=1:1444 (2) {udp} E3[rb] TFTP GET from external source 1033->69 (14:31:53.505 PST) 1032->69 (14:31:47.833 PST)
 -------------------------
 event=1:2008120 (2) {udp} E3[rb] ET POLICY Outbound TFTP Read Request 1032->69 (14:31:47.833 PST) 1033->69 (14:31:53.505 PST)
 -------------------------
 event=1:3001441 (2) {udp} E3[rb] TFTP GET .exe from external source 1032->69 (14:31:47.833 PST) 1033->69 (14:31:53.505 PST)

C and C TRAFFIC
88.198.228.238 (14:31:58.699 PST)
 event=1:2003603 {tcp} E4[rb] ET TROJAN W32.Virut.A joining an IRC Channel 1034->65520 (14:31:58.699 PST)
193.104.94.11 (14:36:33.029 PST)
 event=1:2003603 {tcp} E4[rb] ET TROJAN W32.Virut.A joining an IRC Channel 1051->65520 (14:36:33.029 PST)

PEER COORDINATION

OUTBOUND SCAN
70.183.160.46 (14:31:46.706 PST)
 event=1:52123 {tcp} E5[rb] REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner 1031->707 (14:31:46.706 PST)

ATTACK PREP

DECLARE BOT

tcpslice 1259965906.469 1259965928.595 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 130.107.219.191'

============================== SEPARATOR ================================