Infected Target: 192.168.21.219
Score: 1.0 (>= 0.8)
Infector List:
Egg Source List: 195.2.253.238, 195.2.253.236
C & C List: 94.75.207.170
Peer Coord. List:
Resource List:
Observed Start: 10/22/2009 13:56:17.541 PDT
Gen. Time: 10/22/2009 13:56:37.565 PDT

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
  195.2.253.238 (3) (13:56:21.749 PDT)
    event=1:2003380 (3) {tcp} E3[rb] ET TROJAN Suspicious User-Agent - Possible Trojan Downloader (ver18/ver19, etc), [/arkbp/atgdeerwwt.php] MAC_Src: 00:0E:39:DB:3C:00
    2302->80 (13:56:21.749 PDT)
    2329->80 (13:56:33.301 PDT)
    2330->80 (13:56:34.430 PDT)
  195.2.253.236 (12) (13:56:17.541 PDT)
    event=1:2003380 (12) {tcp} E3[rb] ET TROJAN Suspicious User-Agent - Possible Trojan Downloader (ver18/ver19, etc), [/arkbp/atgdeerwwt.php] MAC_Src: 00:0E:39:DB:3C:00
    2277->80 (13:56:17.541 PDT)
    2276->80 (13:56:17.547 PDT)
    2286->80 (13:56:18.978 PDT)
    2292->80 (13:56:19.767 PDT)
    2298->80 (13:56:20.937 PDT)
    2303->80 (13:56:21.908 PDT)
    2305->80 (13:56:23.399 PDT)
    2312->80 (13:56:26.390 PDT)
    2319->80 (13:56:28.867 PDT)
    2321->80 (13:56:31.503 PDT)
    2324->80 (13:56:32.678 PDT)
    2325->80 (13:56:33.196 PDT)
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
  94.75.207.170 (13:56:37.565 PDT)
    event=1:2632222 {tcp} E4[dns] BHDNS SPYWARE-CONTACT: mcsmc.org (malware), [] MAC_Src: 00:0E:39:DB:3C:00
    2341->80 (13:56:37.565 PDT)
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
DECLARE BOT

tcpslice 1256244977.541 1256244977.542 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.21.219'

============================== SEPARATOR ================================

Infected Target: 192.168.21.219
Score: 1.0 (>= 0.8)
Infector List:
Egg Source List:
C & C List: 66.150.51.151 (2), 94.75.207.170
Peer Coord. List:
Resource List:
Observed Start: 10/22/2009 14:52:40.261 PDT
Gen. Time: 10/22/2009 14:53:28.086 PDT

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
  66.150.51.151 (2) (14:52:40.261 PDT)
    event=1:2003579 (2) {tcp} E4[rb] ET MALWARE Findwhat.com Spyware (clickthrough), [/bin/findwhat.dll?clickthrough&y=52593&x=naqPFUOUOqatnql7SWGB05aNTv:G7adcs2q1P51SOFFjFwZsto6eNvVl7yOuoXpLwyVWxYePqn3oR::HbwgOZv] MAC_Src: 00:0E:39:DB:3C:00
    4720->80 (14:52:40.261 PDT)
    4725->80 (14:52:41.322 PDT)
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
  94.75.207.170 (14:53:28.086 PDT)
    event=1:2632222 {tcp} E4[dns] BHDNS SPYWARE-CONTACT: mcsmc.org (malware), [] MAC_Src: 00:0E:39:DB:3C:00
    4806->80 (14:53:28.086 PDT)
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
DECLARE BOT

tcpslice 1256248360.261 1256248360.262 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.21.219'

============================== SEPARATOR ================================

Infected Target: 192.168.21.219
Score: 1.0 (>= 0.8)
Infector List:
Egg Source List:
C & C List: 204.137.28.195 (2), 66.150.51.151 (4), 94.75.207.170
Peer Coord. List:
Resource List:
Observed Start: 10/22/2009 14:52:40.261 PDT
Gen. Time: 10/22/2009 14:56:41.066 PDT

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
  204.137.28.195 (2) (14:56:34.059 PDT)
    event=1:2003579 (2) {tcp} E4[rb] ET MALWARE Findwhat.com Spyware (clickthrough), [/bin/findwhat.dll?clickthrough&y=52593&x=Si2H7QdqZASNoCjrXI6DR4mr6UcpZ;Ejg42wm4a6KabLRqhFX8a7B3gv6Bc;6egffQVCw76LIC0wR8bh15S;RA] MAC_Src: 00:0E:39:DB:3C:00
    1076->80 (14:56:34.059 PDT)
    1078->80 (14:56:34.945 PDT)
  66.150.51.151 (4) (14:52:40.261 PDT)
    event=1:2003579 (4) {tcp} E4[rb] ET MALWARE Findwhat.com Spyware (clickthrough), [/bin/findwhat.dll?clickthrough&y=52593&x=naqPFUOUOqatnql7SWGB05aNTv:G7adcs2q1P51SOFFjFwZsto6eNvVl7yOuoXpLwyVWxYePqn3oR::HbwgOZv] MAC_Src: 00:0E:39:DB:3C:00
    4720->80 (14:52:40.261 PDT)
    4725->80 (14:52:41.322 PDT)
    1030->80 (14:55:14.240 PDT)
    1033->80 (14:55:15.078 PDT)
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
  94.75.207.170 (14:53:28.086 PDT)
    event=1:2632222 {tcp} E4[dns] BHDNS SPYWARE-CONTACT: mcsmc.org (malware), [] MAC_Src: 00:0E:39:DB:3C:00
    4806->80 (14:53:28.086 PDT)
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
DECLARE BOT

tcpslice 1256248360.261 1256248360.262 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.21.219'

============================== SEPARATOR ================================