BotHunter ®
  Cyber-TA Internet Release
  Computer Science Laboratory
  SRI International


  SAMPLE NAME:    SalityInfection_botHunter.txt
  Last Updated: Mon Dec 28 21:16:43 2009
www.BOTHUNTER.net


Victim IP        Max Score   Profiles   CCs            Events
192.168.10.31    2.3         VIEW       (list below)   80
  • 88.198.228.238 (Static.88-198-228-238.Clients.Your-Server.De), Country: Germany (De), City: Nuremberg.
  • 78.24.188.201 (Position.Sessantanove.Us), Country: Germany (De), City: Berlin.
  • 193.104.94.11 Country: Russian Federation (Ru), City: (Unknown City).
  • 208.73.210.27 (Parkinglot.Information.Com), Country: United States (Us), City: Los Angeles, Ca.
  • 174.133.57.140 (8c.39.85ae.Static.Theplanet.Com), Country: United States (Us), City: Houston, Tx.
  • 98.126.46.210 (Customer.Krypt.Com), Country: United States (Us), City: Orange, Ca.
  • 213.219.245.212 Country: Switzerland (Ch), City: Zurich.
  • 218.93.205.30 Country: China (Cn), City: (Unknown City).
  • 217.11.54.126 (Webfw2.Dd24.Net), Country: Germany (De), City: (Unknown City).
  • 209.107.213.27 Country: United States (Us), City: (Unknown City).
  • 64.38.232.180 Country: United States (Us), City: (Unknown City).
  • 66.150.51.151 Country: United States (Us), City: (Unknown City).
  • 209.107.213.34 Country: United States (Us), City: (Unknown City).
  • 209.107.213.85 Country: United States (Us), City: (Unknown City).
  • 1:2003179 (7) {tcp} Egg Download: ET POLICY exe download without User Agent, [/rlink.exe]; 58537->80
  • 1:2000352 {tcp} Attack Prep: ET ATTACK RESPONSE IRC - dns request on non-std port; 36815->55003
  • 1:22000346 (4) {tcp} Inbound Attack: ET ATTACK RESPONSE IRC - Name response on non-std port MAC_Dst: 00:01:64:FF:CE:EA; 44542<-55003
  • 1:2001685 {tcp} Egg Download: ET MALWARE Possible Windows executable sent when remote host claims to send an image; 48821<-80
  • 1:2003179 (7) {tcp} Egg Download: ET POLICY exe download without User Agent, [/bnew.exe]; 34760->80
  • 1:2000419 (3) {tcp} Egg Download: ET POLICY PE EXE or DLL Windows file download; 43199<-88
  • 1:2632222 {tcp} E2[dns] BHDNS SPYWARE-CONTACT: colopin.cn (zeus), [%04%02%08%0Av%19%FF%FF%00%00%00%00%01%03%03%07%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00] MAC_Dst: 00:21:1C:EE:14:00; 33524->80
  • 1:2000419 {tcp} Egg Download: ET POLICY PE EXE or DLL Windows file download; 52356<-81
  • 1:22000346 (3) {tcp} Inbound Attack: ET ATTACK RESPONSE IRC - Name response on non-std port MAC_Dst: 00:01:64:FF:CE:EA; 37821<-55003
  • 1:2001685 {tcp} Egg Download: ET MALWARE Possible Windows executable sent when remote host claims to send an image; 41321<-80
  • 1:2003603 {tcp} C&C Communication: ET TROJAN W32.Virut.A joining an IRC Channel; 59130->65520
  • 1:2632222 {tcp} E2[dns] BHDNS SPYWARE-CONTACT: colopin.cn (zeus), [%04%02%08%0Avs8%FF%00%00%00%00%01%03%03%071I%1880%FFl+%FF'%FFY%FFr%1E] MAC_Dst: 00:21:1C:EE:14:00; 38322->80
  • 1:2003603 {tcp} C&C Communication: ET TROJAN W32.Virut.A joining an IRC Channel; 44963->65520
  • 1:2632222 {tcp} E2[dns] BHDNS SPYWARE-CONTACT: colopin.cn (zeus) MAC_Dst: 00:21:1C:EE:14:00; 55806->80
  • 1:2003636 {tcp} C&C Communication: ET VIRUS Sality Virus User Agent Detected (KUKU), [/mrow_pin/?id5813562obub29622&rnd=5825875]; 36059->80
  • 1:2003088 {tcp} C&C Communication: ET TROJAN Sality Trojan User-Agent (KUKU v3.09 exp); 36059->80
  • 1:2003088 (5) {tcp} C&C Communication: ET TROJAN Sality Trojan User-Agent (KUKU v3.09 exp); 33434->80
  • 1:2001894 {tcp} Egg Download: ET MALWARE ToolbarPartner Spyware Agent Partner Install, [/inst.php?id=32&sid=0]; 57805->80
  • 1:2632222 {tcp} E2[dns] BHDNS SPYWARE-CONTACT: colopin.cn (zeus), [%04%02%08%0Aw%02%FF%FF%00%00%00%00%01%03%03%07zation Required] MAC_Dst: 00:21:1C:EE:14:00; 45761->80
  • 1:2632222 {tcp} E2[dns] BHDNS SPYWARE-CONTACT: colopin.cn (zeus), [%04%02%08%0Aw%0E%18*%00%00%00%00%01%03%03%078%FF}o~%FF%FF%FF1=%FF?zP%FF] MAC_Dst: 00:21:1C:EE:14:00; 54759->80