Welcome to the Cyber-TA
SRI's Multiperspective Malware Infection Analysis Page

UNCENSORED PAGE

<Click here: to download BotHunter>

12 September 2010
<prev>   <next>

All data collection and analyses summarized in this page were 100% AUTO-GENERATED.

DEVELOPERS: Vinod Yegneswaran (SRI), Phillip Porras (SRI), Hassen Saidi (SRI)
Monirul Sharif (Georgia-Tech), Arvind Narayanan (University of Texas at Austin)

The data on this website is provided for research purposes only. It is provided
for your personal use only and is supplied AS IS, WITHOUT WARRANTY OF ANY KIND.
Use or reliance on this data is at your own risk.


Daily Summary Files: [DNS Lookups & Failed Connects] [ Attacker IPs ] [C&C Servers] [Binary Digests]
Cumulative Summary Files: [DNS Lookup Log] [Attacker IP Log] [C&C Server Log] [Antivirus Detection] [Code Segment Overlap]
[Behavioral Clusters] [Binary Digest Log]

[See Country Codes ]
Time
 		Victim
OS
 		Infection
Source
 		C&C
Server
 		DNS Lookups &
Failed Connects 		Infection
Port
 		Packet
Trace
 		Detection
Signatures
 		Infection
Chatter
 		BotHunter
Analysis
 		Behavioral
Cluster
 		Forensic
Logs
 		Antivirus
Labels
 		Packed Malware_Binary Unpacked egg.exe
 		Unpacked egg.asm
 		Packer PEID
 		Data Strings
 		Syscall Trace
01:11:00 Win2K-f 113.253.209.237 (HUTCHCITY.COM):
HUTCHISON GLOBAL COMMUNICATIONS,
HONG KONG, HONG KONG (SAR), HK. (DSL) 		n/a US:www.maxmind.com
EU:getmyip.co.uk
:www.vouchercodes.com
:checkip.dyndns.org
:www.getmyip.org
US:67.15.94.80:80
EU:91.198.22.70:80
94.236.56.130:80 		445 pcap raw alerts
ruleset 		http
2 lines 		Yeah : 0.8
profile 		none summary
tarball 		none none none none none none none
T:01:20:00 Win2K-f 113.253.209.237 (HUTCHCITY.COM):
HUTCHISON GLOBAL COMMUNICATIONS,
HONG KONG, HONG KONG (SAR), HK. (DSL) 		n/a US:www.maxmind.com
US:checkip.dyndns.org
DE:131.220.6.26:80 		445 pcap raw alerts
ruleset 		http
5 lines 		Yeah : 0.8
profile 		none summary
tarball 		none none none none none none none
T:02:40:00 WinXP 79.163.162.103 (CENTERTEL.PL):
PTK CENTERTEL BROADBAND SERVICES,
PL. (DSL) 		n/a DE:citi-bank.ru 445 pcap raw alerts
ruleset 		http
1 line 		Yeah : 0.8
profile 		none summary
tarball 		none none none none none none none
T:03:14:00 Win2K-f 216.210.81.102 (SPEAKEASY.NET):
US. (DSL) 		62.193.249.122:3305 JP:cx10man.weedns.com 135 pcap raw alerts
ruleset 		irc
607 lines 		Yeah : 1.8
profile 		none summary
tarball 		0 of 32 d41d8cd98f
NEW 		none[3] ASM:Graph
 none|none lines=0 trace
T:03:20:00 WinXP 59.103.197.157 (PIE.NET.PK):
PAKISTAN TELECOMMUNICATION COMPANY LIMITED,
ISLAMABAD, ISLAMABAD, PK. (DSL) 		n/a DE:citi-bank.ru 445 pcap raw alerts
ruleset 		http
1 line 		Yeah : 1.3
profile 		none summary
tarball 		none none none none none none none
T:04:12:00 WinXP 117.254.147.46 (STERLINGSTUDENTS.NET):
NIB (NATIONAL INTERNET BACKBONE),
NEW DELHI, DELHI, IN. (DSL) 		n/a DE:citi-bank.ru 445 pcap raw alerts
ruleset 		http
2 lines 		Yeah : 0.8
profile 		none summary
tarball 		none none none none none none none
T:04:39:00 WinXP 117.254.171.53 (STERLINGSTUDENTS.NET):
NIB (NATIONAL INTERNET BACKBONE),
NEW DELHI, DELHI, IN. (DSL) 		213.155.0.224:80 DE:citi-bank.ru 445 pcap raw alerts
ruleset 		http
2 lines 		Yeah : 1.3
profile 		none summary
tarball 		none none none none none none none
T:04:42:00 Win2K-f 113.255.83.254 (HUTCHCITY.COM):
HUTCHISON GLOBAL COMMUNICATIONS,
HONG KONG, HONG KONG (SAR), HK. (DSL) 		n/a   135 pcap raw alerts
ruleset 		other
182 lines 		Yeah : 1.3
profile 		none summary
tarball 		0 of 32 d41d8cd98f
NEW 		none[3] ASM:Graph
 none|none lines=0 trace
T:05:29:00 Win2K-f 69.193.78.147 (RR.COM):
ROAD RUNNER HOLDCO LLC,
HERNDON, VIRGINIA, US. (DSL) 		n/a US:microsoft.com 135 pcap raw alerts
ruleset 		other
75 lines 		Yeah : 1.3
profile 		none summary
tarball 		0 of 32 d41d8cd98f
NEW 		none[3] ASM:Graph
 none|none lines=0 trace
T:05:45:00 WinXP 151.82.71.75 (51-151.NET24.IT):
IUNET-BNET,
IT. (DSL) 		n/a DE:citi-bank.ru
DE:213.155.0.224:80 		445 pcap raw alerts
ruleset 		http
2 lines 		Yeah : 0.8
profile 		none summary
tarball 		none none none none none none none
T:06:32:00 Win2K-f 216.209.183.158 (BELL.CA):
SYMPATICO (BELL NEXXIA),
CA. (DSL) 		n/a US:microsoft.com 135 pcap raw alerts
ruleset 		other
97 lines 		Yeah : 1.3
profile 		none summary
tarball 		0 of 32 d41d8cd98f
NEW 		none[3] ASM:Graph
 none|none lines=0 trace
T:07:03:00 WinXP 66.50.4.65 (PRTC.NET):
PRTC RAS,
SAN JUAN, PUERTO RICO, PR. (DSL) 		n/a CN:proxim.ircgalaxy.pl
DE:citi-bank.ru
DE:213.155.0.224:80
CN:60.190.222.139:65520 		445 pcap raw alerts
ruleset 		http
irc
4 lines 		Yeah : 0.8
profile 		none summary
tarball 		none none none none none none none
T:07:24:00 Win2K-f 122.146.82.226 (SPARQNET.NET):
NEW CENTRY INFOCOM TECH. CO. LTD,
TAIPEI, T'AI-PEI, TW. (DSL) 		n/a US:microsoft.com 135 pcap raw alerts
ruleset 		other
75 lines 		Yeah : 1.3
profile 		none summary
tarball 		0 of 32 d41d8cd98f
NEW 		none[3] ASM:Graph
 none|none lines=0 trace
T:08:40:00 Win2K-f 96.8.228.168 (GVTC.COM):
GUADALUPE VALLEY TELEPHONE COOPERATIVE INC,
NEW BRAUNFELS, TEXAS, US. (DSL) 		n/a US:microsoft.com 135 pcap raw alerts
ruleset 		other
118 lines 		Yeah : 1.3
profile 		none summary
tarball 		0 of 32 d41d8cd98f
NEW 		none[3] ASM:Graph
 none|none lines=0 trace
T:08:42:00 WinXP 92.115.253.183 (HOST-STATIC-92-115-28-10.MOLDTELECOM.MD):
JSC MOLDTELECOM SA,
CHISINAU, CHISINAU, MD. (DSL) 		n/a DE:citi-bank.ru
DE:213.155.0.224:80 		445 pcap raw alerts
ruleset 		http
2 lines 		Yeah : 0.8
profile 		none summary
tarball 		none none none none none none none
T:08:44:00 WinXP 194.19.234.252 (-):
BTG,
RIGA, RIGA, LV. (DSL) 		n/a US:microsoft.com 135 pcap raw alerts
ruleset 		other
76 lines 		Yeah : 1.3
profile 		none summary
tarball 		0 of 32 d41d8cd98f
NEW 		none[3] ASM:Graph
 none|none lines=0 trace
08:57:00 Win2K-f 81.89.210.94 (-):
CROSSNET DSL NETWORK,
YEREVAN, YEREVAN, AM. (DSL) 		n/a US:www.maxmind.com
:www.getmyip.org
EU:checkip.dyndns.org
EU:getmyip.co.uk
:www.vouchercodes.com
US:67.15.94.80:80
EU:91.198.22.70:80
94.236.56.130:80 		445 pcap raw alerts
ruleset 		http
2 lines 		Yeah : 0.8
profile 		none summary
tarball 		none none none none none none none
T:09:06:00 Win2K-f 81.89.210.94 (-):
CROSSNET DSL NETWORK,
YEREVAN, YEREVAN, AM. (DSL) 		n/a US:www.maxmind.com
:checkip.dyndns.org
DE:131.220.6.26:80 		445 pcap raw alerts
ruleset 		http
5 lines 		Yeah : 0.8
profile 		none summary
tarball 		none none none none none none none
T:09:56:00 Win2K-f 122.49.247.60 (CCNET-AI.NE.JP):
COMMUNITY NETWORK CENTER INC,
TOYOKAWA, AICHI, JP. (DSL) 		n/a US:microsoft.com 135 pcap raw alerts
ruleset 		other
75 lines 		Yeah : 1.3
profile 		none summary
tarball 		0 of 32 d41d8cd98f
NEW 		none[3] ASM:Graph
 none|none lines=0 trace
T:10:13:00 Win2K-f 175.114.27.232 (-):
. 		n/a US:microsoft.com 135 pcap raw alerts
ruleset 		other
113 lines 		Yeah : 1.3
profile 		none summary
tarball 		0 of 32 d41d8cd98f
NEW 		none[3] ASM:Graph
 none|none lines=0 trace
T:10:57:00 WinXP 64.33.132.48 (AIRSTREAMCOMM.NET):
TRI COUNTY TELEPHONE,
WISCONSIN, US. (DIAL) 		n/a DE:citi-bank.ru 445 pcap raw alerts
ruleset 		http
1 line 		Yeah : 0.8
profile 		none summary
tarball 		none none none none none none none
T:11:14:00 Win2K-f 76.202.7.0 (PACBELL.NET):
AT&T INTERNET SERVICES,
HOUSTON, TEXAS, US. (100Mbps) 		n/a US:microsoft.com 135 pcap raw alerts
ruleset 		other
59 lines 		Yeah : 1.3
profile 		none summary
tarball 		0 of 32 d41d8cd98f
NEW 		none[3] ASM:Graph
 none|none lines=0 trace
T:11:20:00 WinXP 79.163.27.15 (CENTERTEL.PL):
PTK CENTERTEL BROADBAND SERVICES,
WARSAW, WARSZAWA, PL. (DSL) 		213.155.0.224:80 DE:citi-bank.ru 445 pcap raw alerts
ruleset 		http
2 lines 		Yeah : 1.3
profile 		none summary
tarball 		none none none none none none none
11:28:00 WinXP 79.163.27.15 (CENTERTEL.PL):
PTK CENTERTEL BROADBAND SERVICES,
WARSAW, WARSZAWA, PL. (DSL) 		n/a DE:citi-bank.ru 445 pcap raw alerts
ruleset 		http
1 line 		Yeah : 0.8
profile 		none summary
tarball 		none none none none none none none
T:11:59:00 WinXP 63.17.223.25 (UU.NET):
UUNET TECHNOLOGIES INC,
ATLANTA, GEORGIA, US. (DSL) 		n/a US:microsoft.com 135 pcap raw alerts
ruleset 		other
252 lines 		Yeah : 1.3
profile 		none summary
tarball 		0 of 32 d41d8cd98f
NEW 		none[3] ASM:Graph
 none|none lines=0 trace
T:12:54:00 Win2K-f 180.70.142.214, 173.192.153.178 (INVALID IPV4 ADDRESS):
INVALID IPV4 ADDRESS,
INVALID IPV4 ADDRESS, INVALID IPV4 ADDRESS, INVALID IPV4 ADDRESS. (INVALID IPV4 ADDRESS) 		60.190.222.139:65520 US:microsoft.com
DE:proxima.ircgalaxy.pl
LV:ad.ghura.pl
:bb.iwillhavebigdick.com
LV:kdert.com
CN:exe2.perfectexe.com
CN:cao.iwillhavebigdick.com
:in.7cy.net
:in1.7cy.net
:x.liruna.com
:sb.perfectexe.com
CN:2b.perfectexe.com
CN:sy2.perfectexe.com
CN:222.170.127.203:85
DE:83.133.119.206:65520 		135 pcap raw alerts
ruleset 		irc
http
159 lines 		Yeah : 1.8
profile 		none summary
tarball 		0 of 32 d41d8cd98f
NEW 		none[3] ASM:Graph
 none|none lines=0 trace
T:13:12:00 Win2K-f 67.48.116.101 (RR.COM):
ROAD RUNNER HOLDCO LLC,
LEES SUMMIT, MISSOURI, US. (DSL) 		n/a US:microsoft.com 135 pcap raw alerts
ruleset 		other
75 lines 		Yeah : 1.3
profile 		none summary
tarball 		0 of 32 d41d8cd98f
NEW 		none[3] ASM:Graph
 none|none lines=0 trace
T:13:37:00 WinXP 79.163.133.229 (CENTERTEL.PL):
PTK CENTERTEL BROADBAND SERVICES,
WROCLAW, DOLNOSLASKIE, PL. (DSL) 		213.155.0.224:80 DE:citi-bank.ru 445 pcap raw alerts
ruleset 		http
2 lines 		Yeah : 1.3
profile 		none summary
tarball 		none none none none none none none
13:44:00 WinXP 79.163.133.229 (CENTERTEL.PL):
PTK CENTERTEL BROADBAND SERVICES,
WROCLAW, DOLNOSLASKIE, PL. (DSL) 		n/a DE:citi-bank.ru
DE:213.155.0.224:80 		445 pcap raw alerts
ruleset 		http
1 line 		Yeah : 0.8
profile 		none summary
tarball 		none none none none none none none
T:14:14:00 Win2K-f 74.111.195.189 (VERIZON.NET):
VERIZON INTERNET SERVICES INC,
US. (100Mbps) 		n/a US:microsoft.com 135 pcap raw alerts
ruleset 		http
irc
24 lines 		Argh : 0.3
profile 		none summary
tarball 		none none none none none none none
T:15:34:00 Win2K-f 70.44.42.220 (PTD.NET):
PENTELEDATA INC. - CABLE,
MILFORD, PENNSYLVANIA, US. (DSL) 		n/a :out8hours.com
US:searchportal.information.com
:cdn.dsultra.com
US:domdex.com
:ad.doubleclick.net
:b.collective-media.net
:segment-pixel.invitemedia.com
CA:idcs.interclick.com
:ads.undertone.com
US:ib.adnxs.com
CA:osmdcs.interclick.com
:a.collective-media.net
173.222.45.95:80
US:64.210.61.208:80
CA:74.122.140.16:80
96.16.200.74:80 		445 pcap raw alerts
ruleset 		http
48 lines 		Argh : 0.3
profile 		none summary
tarball 		none none none none none none none
T:15:59:00 WinXP 76.202.7.0 (PACBELL.NET):
AT&T INTERNET SERVICES,
HOUSTON, TEXAS, US. (100Mbps) 		n/a US:microsoft.com 135 pcap raw alerts
ruleset 		other
59 lines 		Yeah : 1.3
profile 		none summary
tarball 		0 of 32 d41d8cd98f
NEW 		none[3] ASM:Graph
 none|none lines=0 trace
T:18:14:00 Win2K-f 4.224.141.166 (LEVEL3.NET):
LEVEL 3 COMMUNICATIONS INC,
INDIANAPOLIS, INDIANA, US. (DIAL) 		n/a   135 pcap raw alerts
ruleset 		other
18 lines 		Yeah : 1.3
profile 		none summary
tarball 		none none none none none none none
T:20:27:00 WinXP 70.76.40.183 (SHAWCABLE.NET):
SHAW COMMUNICATIONS INC,
SASKATOON, SASKATCHEWAN, CA. (DSL) 		n/a US:microsoft.com 135 pcap raw alerts
ruleset 		other
222 lines 		Yeah : 1.3
profile 		none summary
tarball 		0 of 32 d41d8cd98f
NEW 		none[3] ASM:Graph
 none|none lines=0 trace
T:22:27:00 WinXP 99.165.194.108 (SBCGLOBAL.NET):
AT&T INTERNET SERVICES,
US. (DSL) 		n/a   445 pcap raw alerts
ruleset 		shell
ftp
14 lines 		Yeah : 1.3
profile 		none summary
tarball 		none none none none none none none
T:23:57:00 WinXP 173.25.92.50 (MCHSI.COM):
MEDIACOM COMMUNICATIONS CORP,
MIDDLETOWN, NEW YORK, US. (DSL) 		n/a US:microsoft.com 135 pcap raw alerts
ruleset 		other
75 lines 		Yeah : 1.3
profile 		none summary
tarball 		0 of 32 d41d8cd98f
NEW 		none[3] ASM:Graph
 none|none lines=0 trace