BotHunter Daily Analysis Index

BotHunter ®
Cyber-TA Internet Release
Computer Science Laboratory
SRI International

SAMPLE NAME: GrumSpamTool_botHunter.txt
Last Updated: Mon Dec 28 21:14:02 2009

www.BOTHUNTER.net

Victim IP	Max Score	Profiles	CCs	Events
192.168.19.156	2.6	VIEW 7	93.174.95.145 Country: (Unknown Country?) City: (Unknown City?). 208.67.222.222 (Resolver1.Opendns.Com), Country: United States (Us), City: San Francisco, Ca.	1:2008189 {tcp} C&C Communication: ET TROJAN SpamTool.Win32.Agent.gy/Grum/Tedroo Or Similar HTTP Checkin, [/spm/s_alive.php?id=80155511136222344936838061986084&tick=1655984&ver=480&smtp=ok]; 1134->80 1:2000328 {tcp} Outbound Attack: ET POLICY Outbound Multiple Non-SMTP Server Emails (20 in 120 secs); 1145->25 1:2008189 (8) {tcp} C&C Communication: ET TROJAN SpamTool.Win32.Agent.gy/Grum/Tedroo Or Similar HTTP Checkin, [/spm/s_alive.php?id=80155511136222344936838061986084&tick=1655984&ver=480&smtp=ok]; 1134->80 777:7777005 (3) {tcp} Outbound Scan: Detected intense non-malware port scanning of 30 IPs (28 /24s) (# pkts S/M/O/I=298/0/1337/0): 25:1337, 53u:298 1:2000328 {tcp} Outbound Attack: ET POLICY Outbound Multiple Non-SMTP Server Emails (20 in 120 secs); 1960->25 1:2000328 {tcp} Outbound Attack: ET POLICY Outbound Multiple Non-SMTP Server Emails (20 in 120 secs); 1221->25 777:7777005 {udp} Outbound Scan: Detected intense non-malware port scanning of 30 IPs (29 /24s) (# pkts S/M/O/I=513/0/3154/0): 25:3154, 53u:513 1:2000328 {tcp} Outbound Attack: ET POLICY Outbound Multiple Non-SMTP Server Emails (20 in 120 secs); 2861->25 1:2008189 (3) {tcp} C&C Communication: ET TROJAN SpamTool.Win32.Agent.gy/Grum/Tedroo Or Similar HTTP Checkin, [/spm/s_alive.php?id=80155511136222344936838061986084&tick=1979640&ver=480&smtp=ok]; 3141->80 777:7777005 (2) {udp} Outbound Scan: Detected intense non-malware port scanning of 30 IPs (29 /24s) (# pkts S/M/O/I=513/0/3154/0): 25:3154, 53u:513 777:7777005 {tcp} Outbound Scan: Detected intense non-malware port scanning of 30 IPs (28 /24s) (# pkts S/M/O/I=640/0/4400/0): 25:4400, 53u:640 1:2008189 {tcp} C&C Communication: ET TROJAN SpamTool.Win32.Agent.gy/Grum/Tedroo Or Similar HTTP Checkin, [/spm/s_alive.php?id=80155511136222344936838061986084&tick=2173359&ver=480&smtp=ok]; 3908->80 1:2008189 {tcp} C&C Communication: ET TROJAN SpamTool.Win32.Agent.gy/Grum/Tedroo Or Similar HTTP Checkin, [/spm/s_alive.php?id=80155511136222344936838061986084&tick=3073671&ver=480&smtp=ok]; 3977->80