Infected Target: 192.168.71.198
Score: 2.8 (>= 0.8)
Infector List:
Egg Source List: 91.203.92.18, 91.203.92.17
C & C List: 72.232.195.26 (2), 72.233.60.106 (5)
Peer Coord. List:
Resource List: 192.168.71.2 (4)
Observed Start: 07/21/2008 21:38:09.319 PDT
Gen. Time: 07/21/2008 21:42:09.348 PDT

INBOUND SCAN

EXPLOIT

EXPLOIT (slade)

EGG DOWNLOAD
91.203.92.18 (21:38:23.388 PDT)
  event=1:2003380 {tcp} E3[rb] ET TROJAN Suspicious User-Agent - Possible Trojan Downloader (ver18/ver19, etc)
  3016->80 (21:38:23.388 PDT)
91.203.92.17 (14) (21:38:10.067 PDT)
  event=1:2001683 (4) {tcp} E3[rb] BLEEDING-EDGE Malware Windows executable sent from remote host
  3009<-80 (21:38:12.420 PDT)
  3010<-80 (21:38:13.545 PDT)
  3011<-80 (21:38:16.003 PDT)
  3012<-80 (21:38:19.283 PDT)
  -------------------------
  event=1:2003380 (9) {tcp} E3[rb] ET TROJAN Suspicious User-Agent - Possible Trojan Downloader (ver18/ver19, etc)
  3007->80 (21:38:10.067 PDT)
  3008->80 (21:38:10.882 PDT)
  3009->80 (21:38:12.111 PDT)
  3010->80 (21:38:13.250 PDT)
  3011->80 (21:38:15.705 PDT)
  3012->80 (21:38:18.985 PDT)
  3013->80 (21:38:20.418 PDT)
  3014->80 (21:38:21.072 PDT)
  3015->80 (21:38:23.079 PDT)
  -------------------------
  event=1:5001684 {tcp} E3[rb] BotHunter Malware Windows executable (PE) sent from remote host
  3013<-80 (21:38:20.715 PDT)

C and C TRAFFIC
72.232.195.26 (2) (21:38:38.242 PDT)
  event=1:2005320 {tcp} E4[rb] ET MALWARE Suspicious User-Agent (MyAgent)
  3063->80 (21:42:09.348 PDT)
  -------------------------
  event=1:2008399 {tcp} E4[rb] ET TROJAN contacy.info Trojan Checkin (User agent clk_jdfhid)
  3023->80 (21:38:38.242 PDT)
72.233.60.106 (5) (21:38:27.751 PDT)
  event=1:2008382 (5) {tcp} E4[rb] ET CURRENT_EVENTS Gicia.info Related Trojan Checkin (1)
  3018->80 (21:38:27.751 PDT)
  3020->80 (21:38:29.335 PDT)
  3022->80 (21:38:31.748 PDT)
  3027->80 (21:38:41.625 PDT)
  3028->80 (21:38:41.925 PDT)

PEER COORDINATION

OUTBOUND SCAN
192.168.71.2 (2) (21:39:42.587 PDT)
  event=777:7777005 (2) {tcp} E5[bh] Detected intense non-malware port scanning of 21 IPs (17 /24s) (# pkts S/M/O/I=77/28/13/6): 53u:22, 123u:2, 1900u:3, 80:55, 25:8
  0->0 (21:39:42.587 PDT)
  0->0 (21:41:26.087 PDT)

ATTACK PREP
192.168.71.2 (4) (21:38:09.319 PDT)
  event=1:2600100 {udp} E6[rb] SPYWARE-DNS DNS lookup 10 chars (.com)
  1026->53 (21:38:09.319 PDT)
  -------------------------
  event=1:2600267 {udp} E6[rb] SPYWARE-DNS DNS lookup 5 chars (.info)
  1026->53 (21:38:27.654 PDT)
  -------------------------
  event=1:2600268 {udp} E6[rb] SPYWARE-DNS DNS lookup 6 chars (.info)
  1026->53 (21:38:41.473 PDT)
  -------------------------
  event=1:2600269 {udp} E6[rb] SPYWARE-DNS DNS lookup 7 chars (.info)
  1026->53 (21:38:38.141 PDT)

DECLARE BOT
208.72.168.191 (2) (21:39:24.968 PDT)
  event=1:2406000 {tcp} E8[rb] ET rbN Known Russian Business Network Traffic - Hosting Nets
  3035->80 (21:39:24.968 PDT)
  -------------------------
  event=1:2406009 {tcp} E8[rb] ET rbN Known Russian Business Network Monitored Domains (5)
  3035->80 (21:39:24.968 PDT)

tcpslice 1216701489.319 1216701489.320 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.71.198'