Infected Target: 192.169.223.128
Score: 2.9 (>= 0.8)
Infector List: 92.240.234.164
Egg Source List: 130.67.20.57
C & C List:
Peer Coord. List:
Resource List: 92.240.234.164
Observed Start: 12/10/2009 02:38:07.767 PST
Gen. Time: 12/10/2009 02:42:10.584 PST

INBOUND SCAN

EXPLOIT
92.240.234.164 (02:39:25.960 PST)
  event=1:22000346 {tcp} E2[rb] ET ATTACK RESPONSE IRC - Name response on non-std port, [] MAC_Dst: 00:30:48:30:03:AE 1032<-3305 (02:39:25.960 PST)

EXPLOIT MALWARE DNS

EGG DOWNLOAD
130.67.20.57 (3) (02:38:08.401 PST)
  event=1:2000419 {tcp} E3[rb] ET POLICY PE EXE or DLL Windows file download, [] MAC_Src: 00:21:1C:EE:14:00 68<-2094 (02:38:10.630 PST)
  -------------------------
  event=1:3300001 {tcp} E3[rb] BotHunter Scrip-based Windows egg download .exe, [] MAC_Src: 00:30:48:30:03:AF 1130->1889 (02:38:08.401 PST)
  -------------------------
  event=1:3300007 {tcp} E3[rb] BotHunter Malware Windows executable (PE) sent from remote host, [] MAC_Src: 00:21:1C:EE:14:00 68<-2094 (02:38:10.630 PST)

C and C TRAFFIC

C and C TRAFFIC (RBN)

C and C DNS CHECK-IN

OUTBOUND SKYPE CANDIDATE

OUTBOUND SCAN (spp)
130.67.20.57 (02:39:36.283 PST)
  event=777:7777005 {tcp} E5[bh] Detected moderate malware port scanning of 11 IPs (11 /24s) (# pkts S/M/O/I=0/9/8/0): 445:9, [] MAC_Src: 00:30:48:30:03:AF 0->0 (02:39:36.283 PST)

OUTBOUND SCAN
130.67.20.57 (02:38:07.767 PST)
  event=1:552123 {tcp} E5[rb] REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner, [] MAC_Src: 00:30:48:30:03:AF 1130->1889 (02:38:07.767 PST)

ATTACK PREP
92.240.234.164 (02:39:25.768 PST)
  event=1:2000352 {tcp} E6[rb] ET ATTACK RESPONSE IRC - dns request on non-std port, [] MAC_Src: 00:30:48:30:03:AF 1032->3305 (02:39:25.768 PST)

PEER COORDINATION

DECLARE BOT
130.67.20.57 (02:39:36.596 PST)
  event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 21 IPs (21 /24s) (# pkts S/M/O/I=0/21/8/0): 445:21, [] MAC_Src: 00:30:48:30:03:AF 0->0 (02:39:36.596 PST)

tcpslice 1260441487.767 1260441487.768 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.169.223.128'