Infected Target: 192.168.10.31
Score: 1.0 (>= 0.8)
Infector List:
Egg Source List: 91.207.7.116
C & C List:
Peer Coord. List:
Resource List: 78.24.188.201
Observed Start: 12/12/2009 00:58:25.308 PST
Gen. Time: 12/12/2009 01:00:48.474 PST

INBOUND SCAN
EXPLOIT
EXPLOIT
MALWARE DNS
EGG DOWNLOAD
91.207.7.116 (7) (00:58:25.308 PST)
 event=1:2003179 (7) {tcp} E3[rb] ET POLICY exe download without User Agent, [/rlink.exe] MAC_Src: 00:01:64:FF:CE:EA
  58537->80 (00:58:25.308 PST)
  44696->80 (00:59:14.111 PST)
  40220->80 (00:59:24.873 PST)
  34760->80 (00:59:24.874 PST)
  56739->80 (00:59:24.874 PST)
  56949->80 (00:59:24.892 PST)
  42274->80 (00:59:24.969 PST)
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
78.24.188.201 (01:00:48.474 PST)
 event=1:2000352 {tcp} E6[rb] ET ATTACK RESPONSE IRC - dns request on non-std port, [] MAC_Src: 00:01:64:FF:CE:EA
  36815->55003 (01:00:48.474 PST)
PEER COORDINATION
DECLARE BOT

tcpslice 1260608305.308 1260608305.309 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.10.31'

============================== SEPARATOR ================================

Infected Target: 192.168.10.31
Score: 1.8 (>= 0.8)
Infector List: 78.24.188.201
Egg Source List: 61.235.117.71, 91.207.7.116, 210.51.36.215, 218.93.205.19
C & C List: 88.198.228.238, 78.24.188.201 (16)
Peer Coord. List:
Resource List: 78.24.188.201
Observed Start: 12/12/2009 00:58:25.308 PST
Report End: 12/12/2009 01:01:49.924 PST
Gen. Time: 12/12/2009 01:02:27.480 PST

INBOUND SCAN
EXPLOIT
78.24.188.201 (4) (01:00:48.828 PST-01:01:11.280 PST)
 event=1:22000346 (4) {tcp} E2[rb] ET ATTACK RESPONSE IRC - Name response on non-std port, [] MAC_Dst: 00:01:64:FF:CE:EA
  2: 44542<-55003 (01:01:08.791 PST-01:01:11.280 PST)
  2: 36815<-55003 (01:00:48.828 PST-01:00:50.423 PST)
EXPLOIT
MALWARE DNS
EGG DOWNLOAD
61.235.117.71 (01:02:13.476 PST)
 event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
  48821<-80 (01:02:13.476 PST)
91.207.7.116 (7) (00:58:25.308 PST)
 event=1:2003179 (7) {tcp} E3[rb] ET POLICY exe download without User Agent, [/bnew.exe] MAC_Src: 00:01:64:FF:CE:EA
  34760->80 (00:59:24.874 PST)
  56949->80 (00:59:24.892 PST)
  58537->80 (00:58:25.308 PST)
  42274->80 (00:59:24.969 PST)
  44696->80 (00:59:14.111 PST)
  56739->80 (00:59:24.874 PST)
  40220->80 (00:59:24.873 PST)
210.51.36.215 (7) (01:01:43.966 PST-01:01:49.924 PST)
 event=1:2000419 (3) {tcp} E3[rb] ET POLICY PE EXE or DLL Windows file download, [] MAC_Src: 00:21:1C:EE:14:00
  3: 43199<-88 (01:01:48.002 PST-01:01:49.924 PST)
 -------------------------
 event=1:2000427 {tcp} E3[rb] ET POLICY PE EXE Install Windows file download, [] MAC_Src: 00:21:1C:EE:14:00
  57668<-88 (01:01:43.966 PST)
 -------------------------
 event=1:3300007 (3) {tcp} E3[rb] BotHunter Malware Windows executable (PE) sent from remote host, [] MAC_Src: 00:21:1C:EE:14:00
  3: 43199<-88 (01:01:48.002 PST-01:01:49.924 PST)
218.93.205.19 (01:01:34.006 PST)
 event=1:2001894 {tcp} E3[rb] ET MALWARE ToolbarPartner Spyware Agent Partner Install, [/inst.php?id=32&sid=0] MAC_Src: 00:01:64:FF:CE:EA
  43501->80 (01:01:34.006 PST)
C and C TRAFFIC
88.198.228.238 (01:01:22.915 PST)
 event=1:2003603 {tcp} E4[rb] ET TROJAN W32.Virut.A joining an IRC Channel, [] MAC_Src: 00:01:64:FF:CE:EA
  34441->65520 (01:01:22.915 PST)
78.24.188.201 (16) (01:00:43.313 PST)
 event=1:2008124 (16) {tcp} E4[rb] ET TROJAN Likely Bot Nick in IRC (USA +..), [] MAC_Src: 00:01:64:FF:CE:EA
  36815->55003 (01:00:43.313 PST)
  44542->55003 (01:01:08.222 PST)
  49983->55003 (01:01:34.438 PST)
  37753->55003 (01:01:36.874 PST)
  57440->55003 (01:01:43.761 PST)
  48859->55003 (01:01:47.475 PST)
  33786->55003 (01:01:48.833 PST)
  44216->55003 (01:01:50.974 PST)
  55478->55003 (01:01:54.838 PST)
  34349->55003 (01:01:56.550 PST)
  37728->55003 (01:02:06.617 PST)
  35667->55003 (01:02:07.974 PST)
  53910->55003 (01:02:11.529 PST)
  54767->55003 (01:02:15.391 PST)
  38186->55003 (01:02:16.750 PST)
  57839->55003 (01:02:19.532 PST)
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
78.24.188.201 (01:00:48.474 PST)
 event=1:2000352 {tcp} E6[rb] ET ATTACK RESPONSE IRC - dns request on non-std port, [] MAC_Src: 00:01:64:FF:CE:EA
  36815->55003 (01:00:48.474 PST)
PEER COORDINATION
DECLARE BOT

tcpslice 1260608305.308 1260608509.925 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.10.31'

============================== SEPARATOR ================================

Infected Target: 192.168.10.31
Score: 1.2 (>= 0.8)
Infector List: 91.206.201.39
Egg Source List: 202.97.184.196
C & C List: 78.24.188.201 (8)
Peer Coord. List:
Resource List:
Observed Start: 12/12/2009 01:02:26.308 PST
Gen. Time: 12/12/2009 01:02:37.507 PST

INBOUND SCAN
EXPLOIT
EXPLOIT
MALWARE DNS
91.206.201.39 (01:02:30.383 PST)
 event=1:2632222 {tcp} E2[dns] BHDNS SPYWARE-CONTACT: colopin.cn (zeus), [%04%02%08%0Av%19%FF%FF%00%00%00%00%01%03%03%07%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00] MAC_Dst: 00:21:1C:EE:14:00
  33524->80 (01:02:30.383 PST)
EGG DOWNLOAD
202.97.184.196 (01:02:37.507 PST)
 event=1:2000419 {tcp} E3[rb] ET POLICY PE EXE or DLL Windows file download, [] MAC_Src: 00:21:1C:EE:14:00
  52356<-81 (01:02:37.507 PST)
C and C TRAFFIC
78.24.188.201 (8) (01:02:26.308 PST)
 event=1:2008124 (8) {tcp} E4[rb] ET TROJAN Likely Bot Nick in IRC (USA +..), [] MAC_Src: 00:01:64:FF:CE:EA
  56040->55003 (01:02:26.308 PST)
  32831->55003 (01:02:31.318 PST)
  42102->55003 (01:02:31.677 PST)
  55093->55003 (01:02:32.394 PST)
  35213->55003 (01:02:33.119 PST)
  46283->55003 (01:02:33.119 PST)
  45548->55003 (01:02:34.723 PST)
  40996->55003 (01:02:35.769 PST)
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
DECLARE BOT

tcpslice 1260608546.308 1260608546.309 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.10.31'

============================== SEPARATOR ================================

Infected Target: 192.168.10.31
Score: 2.0 (>= 0.8)
Infector List: 78.24.188.201, 91.206.201.39
Egg Source List: 202.97.184.196
C & C List: 78.24.188.201 (17)
Peer Coord. List:
Resource List: 78.24.188.201
Observed Start: 12/12/2009 01:02:26.308 PST
Report End: 12/12/2009 01:04:10.497 PST
Gen. Time: 12/12/2009 01:06:00.824 PST

INBOUND SCAN
EXPLOIT
78.24.188.201 (3) (01:03:44.466 PST-01:04:10.497 PST)
 event=1:22000346 (3) {tcp} E2[rb] ET ATTACK RESPONSE IRC - Name response on non-std port, [] MAC_Dst: 00:01:64:FF:CE:EA
  2: 37821<-55003 (01:04:09.213 PST-01:04:10.497 PST)
  53525<-55003 (01:03:44.466 PST)
EXPLOIT
MALWARE DNS
91.206.201.39 (01:02:30.383 PST)
 event=1:2632222 {tcp} E2[dns] BHDNS SPYWARE-CONTACT: colopin.cn (zeus), [%04%02%08%0Av%19%FF%FF%00%00%00%00%01%03%03%07%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00] MAC_Dst: 00:21:1C:EE:14:00
  33524->80 (01:02:30.383 PST)
EGG DOWNLOAD
202.97.184.196 (12) (01:02:37.507 PST)
 event=1:2000419 (6) {tcp} E3[rb] ET POLICY PE EXE or DLL Windows file download, [] MAC_Src: 00:21:1C:EE:14:00
  52356<-81 (01:02:37.507 PST)
  33017<-81 (01:02:44.506 PST)
  35777<-81 (01:03:49.257 PST)
  55069<-81 (01:04:23.163 PST)
  59968<-81 (01:04:30.398 PST)
  59506<-81 (01:05:27.445 PST)
 -------------------------
 event=1:3300007 (6) {tcp} E3[rb] BotHunter Malware Windows executable (PE) sent from remote host, [] MAC_Src: 00:21:1C:EE:14:00
  52356<-81 (01:02:37.507 PST)
  33017<-81 (01:02:44.506 PST)
  35777<-81 (01:03:49.257 PST)
  55069<-81 (01:04:23.163 PST)
  59968<-81 (01:04:30.398 PST)
  59506<-81 (01:05:27.445 PST)
C and C TRAFFIC
78.24.188.201 (17) (01:02:26.308 PST)
 event=1:2008124 (17) {tcp} E4[rb] ET TROJAN Likely Bot Nick in IRC (USA +..), [] MAC_Src: 00:01:64:FF:CE:EA
  56040->55003 (01:02:26.308 PST)
  32831->55003 (01:02:31.318 PST)
  42102->55003 (01:02:31.677 PST)
  55093->55003 (01:02:32.394 PST)
  35213->55003 (01:02:33.119 PST)
  46283->55003 (01:02:33.119 PST)
  45548->55003 (01:02:34.723 PST)
  40996->55003 (01:02:35.769 PST)
  54800->55003 (01:02:37.191 PST)
  34924->55003 (01:02:38.261 PST)
  60964->55003 (01:02:38.987 PST)
  38309->55003 (01:02:40.411 PST)
  35476->55003 (01:02:41.480 PST)
  58907->55003 (01:02:42.549 PST)
  59969->55003 (01:02:44.335 PST)
  55842->55003 (01:02:44.687 PST)
  48787->55003 (01:02:45.400 PST)
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
78.24.188.201 (01:03:44.111 PST)
 event=1:2000352 {tcp} E6[rb] ET ATTACK RESPONSE IRC - dns request on non-std port, [] MAC_Src: 00:01:64:FF:CE:EA
  53525->55003 (01:03:44.111 PST)
PEER COORDINATION
DECLARE BOT

tcpslice 1260608546.308 1260608650.498 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.10.31'

============================== SEPARATOR ================================

Infected Target: 192.168.10.31
Score: 1.0 (>= 0.8)
Infector List:
Egg Source List: 61.235.117.71
C & C List: 193.104.94.11
Peer Coord. List:
Resource List:
Observed Start: 12/12/2009 02:39:41.077 PST
Gen. Time: 12/12/2009 02:39:47.499 PST

INBOUND SCAN
EXPLOIT
EXPLOIT
MALWARE DNS
EGG DOWNLOAD
61.235.117.71 (02:39:47.499 PST)
 event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
  41321<-80 (02:39:47.499 PST)
C and C TRAFFIC
193.104.94.11 (02:39:41.077 PST)
 event=1:2003603 {tcp} E4[rb] ET TROJAN W32.Virut.A joining an IRC Channel, [] MAC_Src: 00:01:64:FF:CE:EA
  59130->65520 (02:39:41.077 PST)
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
DECLARE BOT

tcpslice 1260614381.077 1260614381.078 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.10.31'

============================== SEPARATOR ================================

Infected Target: 192.168.10.31
Score: 1.2 (>= 0.8)
Infector List: 91.206.201.39
Egg Source List: 61.235.117.71, 202.97.184.196, 210.51.36.215, 218.93.205.19
C & C List: 208.73.210.27 (12), 174.133.57.140, 193.104.94.11 (3)
Peer Coord. List:
Resource List:
Observed Start: 12/12/2009 02:39:41.077 PST
Report End: 12/12/2009 02:40:29.078 PST
Gen. Time: 12/12/2009 02:42:23.008 PST

INBOUND SCAN
EXPLOIT
EXPLOIT
MALWARE DNS
91.206.201.39 (02:39:58.250 PST)
 event=1:2632222 {tcp} E2[dns] BHDNS SPYWARE-CONTACT: colopin.cn (zeus), [%04%02%08%0Avs8%FF%00%00%00%00%01%03%03%071I%1880%FFl+%FF'%FFY%FFr%1E] MAC_Dst: 00:21:1C:EE:14:00
  38322->80 (02:39:58.250 PST)
EGG DOWNLOAD
61.235.117.71 (02:39:47.499 PST)
 event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
  41321<-80 (02:39:47.499 PST)
202.97.184.196 (9) (02:40:05.028 PST)
 event=1:2000419 (5) {tcp} E3[rb] ET POLICY PE EXE or DLL Windows file download, [] MAC_Src: 00:21:1C:EE:14:00
  42229<-81 (02:40:43.731 PST)
  47600<-81 (02:40:38.434 PST)
  37249<-81 (02:40:14.715 PST)
  44282<-81 (02:40:31.231 PST)
  33879<-81 (02:40:05.028 PST)
 -------------------------
 event=1:3300007 (4) {tcp} E3[rb] BotHunter Malware Windows executable (PE) sent from remote host, [] MAC_Src: 00:21:1C:EE:14:00
  47600<-81 (02:40:38.434 PST)
  33879<-81 (02:40:05.028 PST)
  37249<-81 (02:40:14.715 PST)
  44282<-81 (02:40:31.231 PST)
210.51.36.215 (6) (02:40:18.239 PST-02:40:29.078 PST)
 event=1:2000419 (3) {tcp} E3[rb] ET POLICY PE EXE or DLL Windows file download, [] MAC_Src: 00:21:1C:EE:14:00
  3: 38307<-88 (02:40:18.239 PST-02:40:29.078 PST)
 -------------------------
 event=1:3300007 (3) {tcp} E3[rb] BotHunter Malware Windows executable (PE) sent from remote host, [] MAC_Src: 00:21:1C:EE:14:00
  3: 38307<-88 (02:40:18.239 PST-02:40:29.078 PST)
218.93.205.19 (02:40:32.367 PST)
 event=1:2001894 {tcp} E3[rb] ET MALWARE ToolbarPartner Spyware Agent Partner Install, [/inst.php?id=32&sid=0] MAC_Src: 00:01:64:FF:CE:EA
  53700->80 (02:40:32.367 PST)
C and C TRAFFIC
208.73.210.27 (12) (02:39:52.806 PST)
 event=1:2003088 (6) {tcp} E4[rb] ET TROJAN Sality Trojan User-Agent (KUKU v3.09 exp), [] MAC_Src: 00:01:64:FF:CE:EA
  33027->80 (02:39:52.806 PST)
  43225->80 (02:40:01.058 PST)
  34068->80 (02:40:18.641 PST)
  46693->80 (02:40:23.187 PST)
  44426->80 (02:40:28.896 PST)
  46678->80 (02:40:30.897 PST)
 -------------------------
 event=1:2003636 (6) {tcp} E4[rb] ET VIRUS Sality Virus User Agent Detected (KUKU), [/mrow_pin/?id62343vxssse50395&rnd=74781] MAC_Src: 00:01:64:FF:CE:EA
  33027->80 (02:39:52.806 PST)
  43225->80 (02:40:01.058 PST)
  34068->80 (02:40:18.641 PST)
  46693->80 (02:40:23.187 PST)
  44426->80 (02:40:28.896 PST)
  46678->80 (02:40:30.897 PST)
174.133.57.140 (02:41:19.545 PST)
 event=1:2009456 {tcp} E4[rb] ET USER_AGENTS Suspicious User Agent (ClickAdsByIE), [/p6.asp?MAC=00-0C-29-DC-A9-BD&Publicer=kk_01] MAC_Src: 00:01:64:FF:CE:EA
  40506->80 (02:41:19.545 PST)
193.104.94.11 (3) (02:39:41.077 PST)
 event=1:2003603 (3) {tcp} E4[rb] ET TROJAN W32.Virut.A joining an IRC Channel, [] MAC_Src: 00:01:64:FF:CE:EA
  59130->65520 (02:39:41.077 PST)
  48714->65520 (02:40:06.086 PST)
  34572->65520 (02:40:10.638 PST)
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
DECLARE BOT

tcpslice 1260614381.077 1260614429.079 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.10.31'

============================== SEPARATOR ================================

Infected Target: 192.168.10.31
Score: 0.8 (>= 0.8)
Infector List:
Egg Source List:
C & C List: 88.198.228.238
Peer Coord. List:
Resource List:
Observed Start: 12/12/2009 02:47:42.457 PST
Gen. Time: 12/12/2009 02:48:40.122 PST

INBOUND SCAN
EXPLOIT
EXPLOIT
MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
88.198.228.238 (02:48:40.122 PST)
 event=1:2003603 {tcp} E4[rb] ET TROJAN W32.Virut.A joining an IRC Channel, [] MAC_Src: 00:01:64:FF:CE:EA
  44963->65520 (02:48:40.122 PST)
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
212.185.252.73 (02:47:42.457 PST)
 event=777:7777005 {tcp} E5[bh] Detected intense non-malware port scanning of 30 IPs (26 /24s) (# pkts S/M/O/I=47/0/319/0): 53u:47, 65520:6, 81:38, 88:5, 1034:256, 44:4, 8392:10, [] MAC_Src: 00:01:64:FF:CE:EA
  0->0 (02:47:42.457 PST)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
DECLARE BOT

tcpslice 1260614862.457 1260614862.458 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.10.31'

============================== SEPARATOR ================================

Infected Target: 192.168.10.31
Score: 1.5 (>= 0.8)
Infector List: 91.206.201.39
Egg Source List: 61.235.117.71, 202.97.184.196, 210.51.36.215, 218.93.205.19
C & C List: 88.198.228.238 (3), 98.126.46.210
Peer Coord. List:
Resource List:
Observed Start: 12/12/2009 02:47:42.457 PST
Report End: 12/12/2009 02:49:18.590 PST
Gen. Time: 12/12/2009 02:51:01.364 PST

INBOUND SCAN
EXPLOIT
EXPLOIT
MALWARE DNS
91.206.201.39 (02:49:59.437 PST)
 event=1:2632222 {tcp} E2[dns] BHDNS SPYWARE-CONTACT: colopin.cn (zeus), [] MAC_Dst: 00:21:1C:EE:14:00
  55806->80 (02:49:59.437 PST)
EGG DOWNLOAD
61.235.117.71 (2) (02:48:59.468 PST)
 event=1:2001685 (2) {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
  59325<-80 (02:48:59.468 PST)
  35454<-80 (02:49:23.955 PST)
202.97.184.196 (6) (02:49:12.516 PST)
 event=1:2000419 (3) {tcp} E3[rb] ET POLICY PE EXE or DLL Windows file download, [] MAC_Src: 00:21:1C:EE:14:00
  45166<-81 (02:49:23.017 PST)
  54364<-81 (02:49:12.516 PST)
  56881<-81 (02:49:24.532 PST)
 -------------------------
 event=1:3300007 (3) {tcp} E3[rb] BotHunter Malware Windows executable (PE) sent from remote host, [] MAC_Src: 00:21:1C:EE:14:00
  56881<-81 (02:49:24.532 PST)
  45166<-81 (02:49:23.017 PST)
  54364<-81 (02:49:12.516 PST)
210.51.36.215 (8) (02:48:45.523 PST-02:49:18.590 PST)
 event=1:2000419 (3) {tcp} E3[rb] ET POLICY PE EXE or DLL Windows file download, [] MAC_Src: 00:21:1C:EE:14:00
  3: 45915<-88 (02:49:17.433 PST-02:49:18.590 PST)
 -------------------------
 event=1:2000427 (2) {tcp} E3[rb] ET POLICY PE EXE Install Windows file download, [] MAC_Src: 00:21:1C:EE:14:00
  50116<-88 (02:48:45.523 PST)
  51154<-88 (02:49:14.507 PST)
 -------------------------
 event=1:3300007 (3) {tcp} E3[rb] BotHunter Malware Windows executable (PE) sent from remote host, [] MAC_Src: 00:21:1C:EE:14:00
  3: 45915<-88 (02:49:17.433 PST-02:49:18.590 PST)
218.93.205.19 (02:48:43.881 PST)
 event=1:2001894 {tcp} E3[rb] ET MALWARE ToolbarPartner Spyware Agent Partner Install, [/inst.php?id=32&sid=0] MAC_Src: 00:01:64:FF:CE:EA
  49718->80 (02:48:43.881 PST)
C and C TRAFFIC
88.198.228.238 (3) (02:48:40.122 PST)
 event=1:2003603 (3) {tcp} E4[rb] ET TROJAN W32.Virut.A joining an IRC Channel, [] MAC_Src: 00:01:64:FF:CE:EA
  44963->65520 (02:48:40.122 PST)
  47555->65520 (02:49:07.324 PST)
  33705->65520 (02:49:12.265 PST)
98.126.46.210 (02:50:22.479 PST)
 event=1:2009456 {tcp} E4[rb] ET USER_AGENTS Suspicious User Agent (ClickAdsByIE), [/p6.asp?MAC=00-0C-29-75-7F-4A&Publicer=kk_01] MAC_Src: 00:01:64:FF:CE:EA
  39839->80 (02:50:22.479 PST)
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
212.185.252.73 (02:47:42.457 PST)
 event=777:7777005 {tcp} E5[bh] Detected intense non-malware port scanning of 30 IPs (26 /24s) (# pkts S/M/O/I=47/0/319/0): 53u:47, 65520:6, 81:38, 88:5, 1034:256, 44:4, 8392:10, [] MAC_Src: 00:01:64:FF:CE:EA
  0->0 (02:47:42.457 PST)
88.198.228.238 (2) (02:49:12.056 PST)
 event=777:7777005 (2) {tcp} E5[bh] Detected intense non-malware port scanning of 30 IPs (26 /24s) (# pkts S/M/O/I=47/0/374/0): 53u:47, 65520:11, 81:39, 88:7, 1034:287, 44:4, 8392:26, [] MAC_Src: 00:01:64:FF:CE:EA
  0->0 (02:49:12.056 PST)
  0->0 (02:50:42.170 PST)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
DECLARE BOT

tcpslice 1260614862.457 1260614958.591 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.10.31'

============================== SEPARATOR ================================

Infected Target: 192.168.10.31
Score: 0.8 (>= 0.8)
Infector List:
Egg Source List:
C & C List: 208.73.210.27
Peer Coord. List:
Resource List:
Observed Start: 12/12/2009 03:18:43.122 PST
Gen. Time: 12/12/2009 03:22:17.511 PST

INBOUND SCAN
EXPLOIT
EXPLOIT
MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
208.73.210.27 (03:22:17.511 PST)
 event=1:2003636 {tcp} E4[rb] ET VIRUS Sality Virus User Agent Detected (KUKU), [/mrow_pin/?id5813562obub29622&rnd=5825875] MAC_Src: 00:01:64:FF:CE:EA
  36059->80 (03:22:17.511 PST)
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
196.208.83.147 (2) (03:20:13.124 PST)
 event=777:7777005 (2) {tcp} E5[bh] Detected intense non-malware port scanning of 30 IPs (30 /24s) (# pkts S/M/O/I=0/0/662/0): 1034:662, [] MAC_Src: 00:01:64:FF:CE:EA
  0->0 (03:20:13.124 PST)
  0->0 (03:21:43.199 PST)
15.10.40.128 (03:18:43.122 PST)
 event=777:7777005 {tcp} E5[bh] Detected intense non-malware port scanning of 30 IPs (29 /24s) (# pkts S/M/O/I=0/0/597/0): 1034:597, [] MAC_Src: 00:01:64:FF:CE:EA
  0->0 (03:18:43.122 PST)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
DECLARE BOT

tcpslice 1260616723.122 1260616723.123 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.10.31'

============================== SEPARATOR ================================

Infected Target: 192.168.10.31
Score: 0.8 (>= 0.8)
Infector List:
Egg Source List:
C & C List: 208.73.210.27 (2)
Peer Coord. List:
Resource List:
Observed Start: 12/12/2009 03:18:43.122 PST
Gen. Time: 12/12/2009 03:22:17.625 PST

INBOUND SCAN
EXPLOIT
EXPLOIT
MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
208.73.210.27 (2) (03:22:17.511 PST)
 event=1:2003088 {tcp} E4[rb] ET TROJAN Sality Trojan User-Agent (KUKU v3.09 exp), [] MAC_Src: 00:01:64:FF:CE:EA
  36059->80 (03:22:17.511 PST)
 -------------------------
 event=1:2003636 {tcp} E4[rb] ET VIRUS Sality Virus User Agent Detected (KUKU), [/mrow_pin/?id5813562obub29622&rnd=5825875] MAC_Src: 00:01:64:FF:CE:EA
  36059->80 (03:22:17.511 PST)
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
196.208.83.147 (2) (03:20:13.124 PST)
 event=777:7777005 (2) {tcp} E5[bh] Detected intense non-malware port scanning of 30 IPs (30 /24s) (# pkts S/M/O/I=0/0/662/0): 1034:662, [] MAC_Src: 00:01:64:FF:CE:EA
  0->0 (03:20:13.124 PST)
  0->0 (03:21:43.199 PST)
15.10.40.128 (03:18:43.122 PST)
 event=777:7777005 {tcp} E5[bh] Detected intense non-malware port scanning of 30 IPs (29 /24s) (# pkts S/M/O/I=0/0/597/0): 1034:597, [] MAC_Src: 00:01:64:FF:CE:EA
  0->0 (03:18:43.122 PST)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
DECLARE BOT

tcpslice 1260616723.122 1260616723.123 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.10.31'

============================== SEPARATOR ================================

Infected Target: 192.168.10.31
Score: 0.8 (>= 0.8)
Infector List:
Egg Source List:
C & C List: 208.73.210.27 (10)
Peer Coord. List:
Resource List:
Observed Start: 12/12/2009 03:22:25.097 PST
Gen. Time: 12/12/2009 03:23:13.361 PST

INBOUND SCAN
EXPLOIT
EXPLOIT
MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
208.73.210.27 (10) (03:22:25.097 PST)
 event=1:2003088 (5) {tcp} E4[rb] ET TROJAN Sality Trojan User-Agent (KUKU v3.09 exp), [] MAC_Src: 00:01:64:FF:CE:EA
  33434->80 (03:22:25.097 PST)
  52169->80 (03:22:33.213 PST)
  57573->80 (03:22:34.747 PST)
  49113->80 (03:22:34.824 PST)
  60632->80 (03:22:42.982 PST)
 -------------------------
 event=1:2003636 (5) {tcp} E4[rb] ET VIRUS Sality Virus User Agent Detected (KUKU), [/mrow_pin/?id66609afxe32515&rnd=78953] MAC_Src: 00:01:64:FF:CE:EA
  33434->80 (03:22:25.097 PST)
  52169->80 (03:22:33.213 PST)
  57573->80 (03:22:34.747 PST)
  49113->80 (03:22:34.824 PST)
  60632->80 (03:22:42.982 PST)
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
196.208.83.147 (03:23:13.361 PST)
 event=777:7777005 {tcp} E5[bh] Detected intense non-malware port scanning of 30 IPs (29 /24s) (# pkts S/M/O/I=0/0/808/0): 1034:808, [] MAC_Src: 00:01:64:FF:CE:EA
  0->0 (03:23:13.361 PST)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
DECLARE BOT

tcpslice 1260616945.097 1260616945.098 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.10.31'

============================== SEPARATOR ================================

Infected Target: 192.168.10.31
Score: 0.8 (>= 0.8)
Infector List:
Egg Source List:
C & C List: 208.73.210.27 (10)
Peer Coord. List:
Resource List:
Observed Start: 12/12/2009 03:22:25.097 PST
Gen. Time: 12/12/2009 03:26:25.100 PST

INBOUND SCAN
EXPLOIT
EXPLOIT
MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
208.73.210.27 (10) (03:22:25.097 PST)
 event=1:2003088 (5) {tcp} E4[rb] ET TROJAN Sality Trojan User-Agent (KUKU v3.09 exp), [] MAC_Src: 00:01:64:FF:CE:EA
  33434->80 (03:22:25.097 PST)
  52169->80 (03:22:33.213 PST)
  57573->80 (03:22:34.747 PST)
  49113->80 (03:22:34.824 PST)
  60632->80 (03:22:42.982 PST)
 -------------------------
 event=1:2003636 (5) {tcp} E4[rb] ET VIRUS Sality Virus User Agent Detected (KUKU), [/mrow_pin/?id66609afxe32515&rnd=78953] MAC_Src: 00:01:64:FF:CE:EA
  33434->80 (03:22:25.097 PST)
  52169->80 (03:22:33.213 PST)
  57573->80 (03:22:34.747 PST)
  49113->80 (03:22:34.824 PST)
  60632->80 (03:22:42.982 PST)
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
196.208.83.147 (3) (03:23:13.361 PST)
 event=777:7777005 (3) {tcp} E5[bh] Detected intense non-malware port scanning of 30 IPs (29 /24s) (# pkts S/M/O/I=0/0/808/0): 1034:808, [] MAC_Src: 00:01:64:FF:CE:EA
  0->0 (03:23:13.361 PST)
  0->0 (03:24:43.362 PST)
  0->0 (03:26:13.635 PST)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
DECLARE BOT

tcpslice 1260616945.097 1260616945.098 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.10.31'

============================== SEPARATOR ================================

Infected Target: 192.168.10.31
Score: 1.0 (>= 0.8)
Infector List:
Egg Source List: 218.93.205.19
C & C List: 213.219.245.212 (2), 218.93.205.30
Peer Coord. List:
Resource List:
Observed Start: 12/12/2009 05:16:08.039 PST
Gen. Time: 12/12/2009 05:16:38.400 PST

INBOUND SCAN
EXPLOIT
EXPLOIT
MALWARE DNS
EGG DOWNLOAD
218.93.205.19 (05:16:38.400 PST)
 event=1:2001894 {tcp} E3[rb] ET MALWARE ToolbarPartner Spyware Agent Partner Install, [/inst.php?id=32&sid=0] MAC_Src: 00:01:64:FF:CE:EA
  57805->80 (05:16:38.400 PST)
C and C TRAFFIC
213.219.245.212 (2) (05:16:08.039 PST)
 event=1:2003070 (2) {tcp} E4[rb] ET WORM Korgo.U Reporting, [/index.php?id=cnxgdxopndnaclghgd&scn=0&inf=0&ver=19-2&cnt=USA] MAC_Src: 00:01:64:FF:CE:EA
  36631->80 (05:16:08.039 PST)
  51751->80 (05:16:26.540 PST)
218.93.205.30 (05:16:26.581 PST)
 event=1:2003603 {tcp} E4[rb] ET TROJAN W32.Virut.A joining an IRC Channel, [] MAC_Src: 00:01:64:FF:CE:EA
  43505->65520 (05:16:26.581 PST)
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
DECLARE BOT

tcpslice 1260623768.039 1260623768.040 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.10.31'

============================== SEPARATOR ================================

Infected Target: 192.168.10.31
Score: 1.2 (>= 0.8)
Infector List: 91.206.201.39
Egg Source List: 61.235.117.71, 202.97.184.196, 218.93.205.19
C & C List: 213.219.245.212 (5), 218.93.205.30 (2)
Peer Coord. List:
Resource List:
Observed Start: 12/12/2009 05:16:08.039 PST
Gen. Time: 12/12/2009 05:19:40.782 PST

INBOUND SCAN
EXPLOIT
EXPLOIT
MALWARE DNS
91.206.201.39 (05:16:52.446 PST)
 event=1:2632222 {tcp} E2[dns] BHDNS SPYWARE-CONTACT: colopin.cn (zeus), [%04%02%08%0Aw%02%FF%FF%00%00%00%00%01%03%03%07zation Required] MAC_Dst: 00:21:1C:EE:14:00
  45761->80 (05:16:52.446 PST)
EGG DOWNLOAD
61.235.117.71 (05:16:44.421 PST)
 event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
  53134<-80 (05:16:44.421 PST)
202.97.184.196 (4) (05:17:01.580 PST)
 event=1:2000419 (2) {tcp} E3[rb] ET POLICY PE EXE or DLL Windows file download, [] MAC_Src: 00:21:1C:EE:14:00
  60389<-81 (05:17:01.580 PST)
  41179<-81 (05:17:36.986 PST)
 -------------------------
 event=1:3300007 (2) {tcp} E3[rb] BotHunter Malware Windows executable (PE) sent from remote host, [] MAC_Src: 00:21:1C:EE:14:00
  60389<-81 (05:17:01.580 PST)
  41179<-81 (05:17:36.986 PST)
218.93.205.19 (2) (05:16:38.400 PST)
 event=1:2001894 (2) {tcp} E3[rb] ET MALWARE ToolbarPartner Spyware Agent Partner Install, [/inst.php?id=32&sid=0] MAC_Src: 00:01:64:FF:CE:EA
  57805->80 (05:16:38.400 PST)
  52905->80 (05:16:54.772 PST)
C and C TRAFFIC
213.219.245.212 (5) (05:16:08.039 PST)
 event=1:2003070 (5) {tcp} E4[rb] ET WORM Korgo.U Reporting, [/index.php?id=cnxgdxopndnaclghgd&scn=0&inf=0&ver=19-2&cnt=USA] MAC_Src: 00:01:64:FF:CE:EA
  36631->80 (05:16:08.039 PST)
  51751->80 (05:16:26.540 PST)
  55661->80 (05:16:42.796 PST)
  57808->80 (05:19:01.861 PST)
  45876->80 (05:19:21.658 PST)
218.93.205.30 (2) (05:16:26.581 PST)
 event=1:2003603 (2) {tcp} E4[rb] ET TROJAN W32.Virut.A joining an IRC Channel, [] MAC_Src: 00:01:64:FF:CE:EA
  43505->65520 (05:16:26.581 PST)
  41327->65520 (05:16:42.727 PST)
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
DECLARE BOT

tcpslice 1260623768.039 1260623768.040 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.10.31'
============================== SEPARATOR ================================

Infected Target: 192.168.10.31
Score: 1.2 (>= 0.8)
Infector List: 91.206.201.39
Egg Source List: 202.97.184.196
C & C List: 88.198.228.238
Peer Coord. List:
Resource List:
Observed Start: 12/12/2009 05:27:14.482 PST
Gen. Time: 12/12/2009 05:29:15.147 PST

INBOUND SCAN
EXPLOIT
EXPLOIT
MALWARE DNS
91.206.201.39 (05:29:08.048 PST)
 event=1:2632222 {tcp} E2[dns] BHDNS SPYWARE-CONTACT: colopin.cn (zeus), [%04%02%08%0Aw%0E%18*%00%00%00%00%01%03%03%078%FF}o~%FF%FF%FF1=%FF?zP%FF] MAC_Dst: 00:21:1C:EE:14:00
  54759->80 (05:29:08.048 PST)
EGG DOWNLOAD
202.97.184.196 (05:29:15.147 PST)
 event=1:2000419 {tcp} E3[rb] ET POLICY PE EXE or DLL Windows file download, [] MAC_Src: 00:21:1C:EE:14:00
  49810<-81 (05:29:15.147 PST)
C and C TRAFFIC
88.198.228.238 (05:27:14.482 PST)
 event=1:2003603 {tcp} E4[rb] ET TROJAN W32.Virut.A joining an IRC Channel, [] MAC_Src: 00:01:64:FF:CE:EA
  50982->65520 (05:27:14.482 PST)
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
DECLARE BOT

tcpslice 1260624434.482 1260624434.483 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.10.31'

============================== SEPARATOR ================================

Infected Target: 192.168.10.31
Score: 1.2 (>= 0.8)
Infector List: 91.206.201.39
Egg Source List: 202.97.184.196
C & C List: 88.198.228.238
Peer Coord. List:
Resource List:
Observed Start: 12/12/2009 05:27:14.482 PST
Gen. Time: 12/12/2009 05:31:16.817 PST

INBOUND SCAN
EXPLOIT
EXPLOIT
MALWARE DNS
91.206.201.39 (05:29:08.048 PST)
 event=1:2632222 {tcp} E2[dns] BHDNS SPYWARE-CONTACT: colopin.cn (zeus), [%04%02%08%0Aw%0E%18*%00%00%00%00%01%03%03%078%FF}o~%FF%FF%FF1=%FF?zP%FF] MAC_Dst: 00:21:1C:EE:14:00
  54759->80 (05:29:08.048 PST)
EGG DOWNLOAD
202.97.184.196 (16) (05:29:15.147 PST)
 event=1:2000419 (8) {tcp} E3[rb] ET POLICY PE EXE or DLL Windows file download, [] MAC_Src: 00:21:1C:EE:14:00
  49810<-81 (05:29:15.147 PST)
  59948<-81 (05:29:18.834 PST)
  56791<-81 (05:29:22.819 PST)
  54426<-81 (05:29:27.912 PST)
  37244<-81 (05:29:28.570 PST)
  35830<-81 (05:29:35.366 PST)
  45561<-81 (05:30:52.319 PST)
  38309<-81 (05:30:59.710 PST)
 -------------------------
 event=1:3300007 (8) {tcp} E3[rb] BotHunter Malware Windows executable (PE) sent from remote host, [] MAC_Src: 00:21:1C:EE:14:00
  49810<-81 (05:29:15.147 PST)
  59948<-81 (05:29:18.834 PST)
  56791<-81 (05:29:22.819 PST)
  54426<-81 (05:29:27.912 PST)
  37244<-81 (05:29:28.570 PST)
  35830<-81 (05:29:35.366 PST)
  45561<-81 (05:30:52.319 PST)
  38309<-81 (05:30:59.710 PST)
C and C TRAFFIC
88.198.228.238 (05:27:14.482 PST)
 event=1:2003603 {tcp} E4[rb] ET TROJAN W32.Virut.A joining an IRC Channel, [] MAC_Src: 00:01:64:FF:CE:EA
  50982->65520 (05:27:14.482 PST)
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
DECLARE BOT

tcpslice 1260624434.482 1260624434.483 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.10.31'

============================== SEPARATOR ================================

Infected Target: 192.168.10.31
Score: 1.2 (>= 0.8)
Infector List: 91.206.201.39
Egg Source List: 210.51.36.215
C & C List: 88.198.228.238 (2)
Peer Coord. List:
Resource List:
Observed Start: 12/12/2009 06:10:15.492 PST
Gen. Time: 12/12/2009 06:12:52.981 PST

INBOUND SCAN
EXPLOIT
EXPLOIT
MALWARE DNS
91.206.201.39 (06:10:33.014 PST)
 event=1:2632222 {tcp} E2[dns] BHDNS SPYWARE-CONTACT: colopin.cn (zeus), [/FEEDS/BINCORPUS/2009-02-15.tgz] MAC_Dst: 00:21:1C:EE:14:00
  51221->80 (06:10:33.014 PST)
EGG DOWNLOAD
210.51.36.215 (06:12:52.981 PST)
 event=1:2000427 {tcp} E3[rb] ET POLICY PE EXE Install Windows file download, [] MAC_Src: 00:21:1C:EE:14:00
  58770<-88 (06:12:52.981 PST)
C and C TRAFFIC
88.198.228.238 (2) (06:10:15.492 PST)
 event=1:2003603 (2) {tcp} E4[rb] ET TROJAN W32.Virut.A joining an IRC Channel, [] MAC_Src: 00:01:64:FF:CE:EA
  43602->65520 (06:10:15.492 PST)
  57396->65520 (06:12:43.909 PST)
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
DECLARE BOT

tcpslice 1260627015.492 1260627015.493 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.10.31'

============================== SEPARATOR ================================

Infected Target: 192.168.10.31
Score: 1.5 (>= 0.8)
Infector List: 91.206.201.39
Egg Source List: 202.97.184.196, 210.51.36.215
C & C List: 88.198.228.238 (2)
Peer Coord. List:
Resource List:
Observed Start: 12/12/2009 06:10:15.492 PST
Gen. Time: 12/12/2009 06:14:04.151 PST

INBOUND SCAN
EXPLOIT
EXPLOIT
MALWARE DNS
91.206.201.39 (06:10:33.014 PST)
 event=1:2632222 {tcp} E2[dns] BHDNS SPYWARE-CONTACT: colopin.cn (zeus), [/FEEDS/BINCORPUS/2009-02-15.tgz] MAC_Dst: 00:21:1C:EE:14:00
  51221->80 (06:10:33.014 PST)
EGG DOWNLOAD
202.97.184.196 (4) (06:13:04.491 PST)
 event=1:2000419 (2) {tcp} E3[rb] ET POLICY PE EXE or DLL Windows file download, [] MAC_Src: 00:21:1C:EE:14:00
  57191<-81 (06:13:04.491 PST)
  59714<-81 (06:13:14.101 PST)
 -------------------------
 event=1:3300007 (2) {tcp} E3[rb] BotHunter Malware Windows executable (PE) sent from remote host, [] MAC_Src: 00:21:1C:EE:14:00
  57191<-81 (06:13:04.491 PST)
  59714<-81 (06:13:14.101 PST)
210.51.36.215 (06:12:52.981 PST)
 event=1:2000427 {tcp} E3[rb] ET POLICY PE EXE Install Windows file download, [] MAC_Src: 00:21:1C:EE:14:00
  58770<-88 (06:12:52.981 PST)
C and C TRAFFIC
88.198.228.238 (2) (06:10:15.492 PST)
 event=1:2003603 (2) {tcp} E4[rb] ET TROJAN W32.Virut.A joining an IRC Channel, [] MAC_Src: 00:01:64:FF:CE:EA
  43602->65520 (06:10:15.492 PST)
  57396->65520 (06:12:43.909 PST)
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
88.198.228.238 (06:13:06.247 PST)
 event=777:7777005 {udp} E5[bh] Detected intense non-malware port scanning of 21 IPs (21 /24s) (# pkts S/M/O/I=24/0/24/0): 65520:4, 53u:24, 88:2, 8392:16, 81:2, [] MAC_Src: 00:01:64:FF:CE:EA
  0->0 (06:13:06.247 PST)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
DECLARE BOT

tcpslice 1260627015.492 1260627015.493 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.10.31'

============================== SEPARATOR ================================

Infected Target: 192.168.10.31
Score: 0.8 (>= 0.8)
Infector List:
Egg Source List: 202.97.184.196
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 12/12/2009 06:14:24.351 PST
Gen. Time: 12/12/2009 06:14:36.422 PST

INBOUND SCAN
EXPLOIT
EXPLOIT
MALWARE DNS
EGG DOWNLOAD
202.97.184.196 (2) (06:14:24.351 PST)
 event=1:2000419 {tcp} E3[rb] ET POLICY PE EXE or DLL Windows file download, [] MAC_Src: 00:21:1C:EE:14:00
  36328<-81 (06:14:24.351 PST)
 -------------------------
 event=1:3300007 {tcp} E3[rb] BotHunter Malware Windows executable (PE) sent from remote host, [] MAC_Src: 00:21:1C:EE:14:00
  36328<-81 (06:14:24.351 PST)
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
88.198.228.238 (06:14:36.422 PST)
 event=777:7777005 {tcp} E5[bh] Detected intense non-malware port scanning of 25 IPs (25 /24s) (# pkts S/M/O/I=40/0/61/0): 65520:4, 53u:40, 88:2, 8392:47, 81:8, [] MAC_Src: 00:01:64:FF:CE:EA
  0->0 (06:14:36.422 PST)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
DECLARE BOT

tcpslice 1260627264.351 1260627264.352 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.10.31'

============================== SEPARATOR ================================

Infected Target: 192.168.10.31
Score: 1.3 (>= 0.8)
Infector List:
Egg Source List: 202.97.184.196, 218.93.205.19
C & C List: 218.93.205.30
Peer Coord. List:
Resource List:
Observed Start: 12/12/2009 06:14:24.351 PST
Gen. Time: 12/12/2009 06:18:24.368 PST

INBOUND SCAN
EXPLOIT
EXPLOIT
MALWARE DNS
EGG DOWNLOAD
202.97.184.196 (12) (06:14:24.351 PST)
 event=1:2000419 (5) {tcp} E3[rb] ET POLICY PE EXE or DLL Windows file download, [] MAC_Src: 00:21:1C:EE:14:00
  36328<-81 (06:14:24.351 PST)
  53388<-81 (06:14:50.959 PST)
  58393<-81 (06:16:15.758 PST)
  51161<-81 (06:16:23.351 PST)
  43949<-81 (06:17:35.431 PST)
 -------------------------
 event=1:2000427 {tcp} E3[rb] ET POLICY PE EXE Install Windows file download, [] MAC_Src: 00:21:1C:EE:14:00
  34106<-81 (06:14:56.678 PST)
 -------------------------
 event=1:2008547 {tcp} E3[rb] ET TROJAN PECompact2 Packed Binary - Likely Hostile, [] MAC_Src: 00:21:1C:EE:14:00
  53388<-81 (06:14:50.959 PST)
 -------------------------
 event=1:3300007 (5) {tcp} E3[rb] BotHunter Malware Windows executable (PE) sent from remote host, [] MAC_Src: 00:21:1C:EE:14:00
  36328<-81 (06:14:24.351 PST)
  53388<-81 (06:14:50.959 PST)
  58393<-81 (06:16:15.758 PST)
  51161<-81 (06:16:23.351 PST)
  43949<-81 (06:17:35.431 PST)
218.93.205.19 (06:16:02.322 PST)
 event=1:2001894 {tcp} E3[rb] ET MALWARE ToolbarPartner Spyware Agent Partner Install, [/inst.php?id=32&sid=0] MAC_Src: 00:01:64:FF:CE:EA
  56339->80 (06:16:02.322 PST)
C and C TRAFFIC
218.93.205.30 (06:15:50.118 PST)
 event=1:2003603 {tcp} E4[rb] ET TROJAN W32.Virut.A joining an IRC Channel, [] MAC_Src: 00:01:64:FF:CE:EA
  32831->65520 (06:15:50.118 PST)
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
88.198.228.238 (2) (06:14:36.422 PST)
 event=777:7777005 (2) {tcp} E5[bh] Detected intense non-malware port scanning of 25 IPs (25 /24s) (# pkts S/M/O/I=40/0/61/0): 65520:4, 53u:40, 88:2, 8392:47, 81:8, [] MAC_Src: 00:01:64:FF:CE:EA
  0->0 (06:14:36.422 PST)
  0->0 (06:16:15.275 PST)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
DECLARE BOT

tcpslice 1260627264.351 1260627264.352 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.10.31'

============================== SEPARATOR
================================ Infected Target: 192.168.10.31 Score: 1.0 (>= 0.8) Infector List: Egg Source List: 216.151.177.78, 209.107.213.54 C & C List: 88.198.228.238 Peer Coord. List: Resource List: Observed Start: 12/12/2009 08:55:31.529 PST Gen. Time: 12/12/2009 08:58:06.005 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD 216.151.177.78 (4) (08:55:31.529 PST) event=1:2002986 (4) {tcp} E3[rb] ET POLICY ICQ Install Direct download - Not normal mode of install, [/pub/ICQ_Win95_98_NT4/ICQ_4/Lite_Edition/icq4_setup.exe] MAC_Src: 00:01:64:FF:CE:EA 55210->80 (08:55:31.529 PST) 49313->80 (08:55:31.615 PST) 43259->80 (08:56:07.383 PST) 34432->80 (08:56:07.469 PST) 209.107.213.54 (2) (08:55:31.795 PST) event=1:2002986 (2) {tcp} E3[rb] ET POLICY ICQ Install Direct download - Not normal mode of install, [/pub/ICQ_Win95_98_NT4/ICQ_4/Lite_Edition/icq4_setup.exe] MAC_Src: 00:01:64:FF:CE:EA 60420->80 (08:55:31.795 PST) 41942->80 (08:56:07.559 PST) C and C TRAFFIC 88.198.228.238 (08:58:06.005 PST) event=1:2003603 {tcp} E4[rb] ET TROJAN W32.Virut.A joining an IRC Channel, [] MAC_Src: 00:01:64:FF:CE:EA 51608->65520 (08:58:06.005 PST) C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT tcpslice 1260636931.529 1260636931.530 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.10.31' ============================== SEPARATOR ================================ Infected Target: 192.168.10.31 Score: 1.0 (>= 0.8) Infector List: Egg Source List: 216.151.177.78, 209.107.213.54 C & C List: 88.198.228.238 (2) Peer Coord. List: Resource List: Observed Start: 12/12/2009 08:55:31.529 PST Gen. 
Time: 12/12/2009 08:58:53.003 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD 216.151.177.78 (4) (08:55:31.529 PST) event=1:2002986 (4) {tcp} E3[rb] ET POLICY ICQ Install Direct download - Not normal mode of install, [/pub/ICQ_Win95_98_NT4/ICQ_4/Lite_Edition/icq4_setup.exe] MAC_Src: 00:01:64:FF:CE:EA 55210->80 (08:55:31.529 PST) 49313->80 (08:55:31.615 PST) 43259->80 (08:56:07.383 PST) 34432->80 (08:56:07.469 PST) 209.107.213.54 (2) (08:55:31.795 PST) event=1:2002986 (2) {tcp} E3[rb] ET POLICY ICQ Install Direct download - Not normal mode of install, [/pub/ICQ_Win95_98_NT4/ICQ_4/Lite_Edition/icq4_setup.exe] MAC_Src: 00:01:64:FF:CE:EA 60420->80 (08:55:31.795 PST) 41942->80 (08:56:07.559 PST) C and C TRAFFIC 88.198.228.238 (2) (08:58:06.005 PST) event=1:2003603 (2) {tcp} E4[rb] ET TROJAN W32.Virut.A joining an IRC Channel, [] MAC_Src: 00:01:64:FF:CE:EA 51608->65520 (08:58:06.005 PST) 47684->65520 (08:58:10.026 PST) C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT tcpslice 1260636931.529 1260636931.530 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.10.31' ============================== SEPARATOR ================================ Infected Target: 192.168.10.31 Score: 1.0 (>= 0.8) Infector List: Egg Source List: 210.51.36.215 C & C List: 193.104.94.11 Peer Coord. List: Resource List: Observed Start: 12/12/2009 09:01:13.751 PST Gen. 
Time: 12/12/2009 09:01:24.825 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD 210.51.36.215 (09:01:24.825 PST) event=1:2000419 {tcp} E3[rb] ET POLICY PE EXE or DLL Windows file download, [] MAC_Src: 00:21:1C:EE:14:00 60862<-88 (09:01:24.825 PST) C and C TRAFFIC 193.104.94.11 (09:01:13.751 PST) event=1:2003603 {tcp} E4[rb] ET TROJAN W32.Virut.A joining an IRC Channel, [] MAC_Src: 00:01:64:FF:CE:EA 43030->65520 (09:01:13.751 PST) C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT tcpslice 1260637273.751 1260637273.752 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.10.31' ============================== SEPARATOR ================================ Infected Target: 192.168.10.31 Score: 1.2 (>= 0.8) Infector List: 91.206.201.39 Egg Source List: 61.235.117.71, 210.51.36.215, 218.93.205.19 C & C List: 88.198.228.238 (2), 193.104.94.11 (3) Peer Coord. List: Resource List: Observed Start: 12/12/2009 09:01:13.751 PST Report End: 12/12/2009 09:01:25.212 PST Gen. 
Time: 12/12/2009 09:04:45.019 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS 91.206.201.39 (09:01:47.343 PST) event=1:2632222 {tcp} E2[dns] BHDNS SPYWARE-CONTACT: colopin.cn (zeus), [%04%02%08%0Aw%FF%FF%FF%00%00%00%00%01%03%03%07%1C%12%1B%FF%FF%FF%FF%FF%FF%FF%FF%09%FFr%FF] MAC_Dst: 00:21:1C:EE:14:00 44095->80 (09:01:47.343 PST) EGG DOWNLOAD 61.235.117.71 (2) (09:01:29.651 PST) event=1:2001685 (2) {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 55536<-80 (09:01:38.799 PST) 42879<-80 (09:01:29.651 PST) 210.51.36.215 (4) (09:01:24.825 PST-09:01:25.212 PST) event=1:2000419 (2) {tcp} E3[rb] ET POLICY PE EXE or DLL Windows file download, [] MAC_Src: 00:21:1C:EE:14:00 2: 60862<-88 (09:01:24.825 PST-09:01:25.212 PST) ------------------------- event=1:3300007 (2) {tcp} E3[rb] BotHunter Malware Windows executable (PE) sent from remote host, [] MAC_Src: 00:21:1C:EE:14:00 2: 60862<-88 (09:01:24.825 PST-09:01:25.212 PST) 218.93.205.19 (09:04:19.797 PST) event=1:2001894 {tcp} E3[rb] ET MALWARE ToolbarPartner Spyware Agent Partner Install, [/inst.php?id=32&sid=0] MAC_Src: 00:01:64:FF:CE:EA 47925->80 (09:04:19.797 PST) C and C TRAFFIC 88.198.228.238 (2) (09:04:25.825 PST) event=1:2003603 (2) {tcp} E4[rb] ET TROJAN W32.Virut.A joining an IRC Channel, [] MAC_Src: 00:01:64:FF:CE:EA 46853->65520 (09:04:25.825 PST) 39479->65520 (09:04:45.019 PST) 193.104.94.11 (3) (09:01:13.751 PST) event=1:2003603 (3) {tcp} E4[rb] ET TROJAN W32.Virut.A joining an IRC Channel, [] MAC_Src: 00:01:64:FF:CE:EA 43030->65520 (09:01:13.751 PST) 53902->65520 (09:01:25.712 PST) 51264->65520 (09:04:07.670 PST) C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT tcpslice 1260637273.751 1260637285.213 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.10.31' ============================== SEPARATOR ================================ 
Infected Target: 192.168.10.31 Score: 1.0 (>= 0.8) Infector List: Egg Source List: 202.97.184.196 C & C List: 88.198.228.238 (3) Peer Coord. List: Resource List: Observed Start: 12/12/2009 09:05:08.891 PST Gen. Time: 12/12/2009 09:07:24.583 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD 202.97.184.196 (09:07:24.583 PST) event=1:2000419 {tcp} E3[rb] ET POLICY PE EXE or DLL Windows file download, [] MAC_Src: 00:21:1C:EE:14:00 36176<-81 (09:07:24.583 PST) C and C TRAFFIC 88.198.228.238 (3) (09:05:08.891 PST) event=1:2003603 (3) {tcp} E4[rb] ET TROJAN W32.Virut.A joining an IRC Channel, [] MAC_Src: 00:01:64:FF:CE:EA 60607->65520 (09:05:08.891 PST) 38536->65520 (09:07:06.085 PST) 34348->65520 (09:07:10.260 PST) C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT tcpslice 1260637508.891 1260637508.892 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.10.31' ============================== SEPARATOR ================================ Infected Target: 192.168.10.31 Score: 1.3 (>= 0.8) Infector List: Egg Source List: 202.97.184.196 C & C List: 88.198.228.238 (4) Peer Coord. List: Resource List: Observed Start: 12/12/2009 09:05:08.891 PST Gen. 
Time: 12/12/2009 09:09:05.872 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD 202.97.184.196 (4) (09:07:24.583 PST) event=1:2000419 (2) {tcp} E3[rb] ET POLICY PE EXE or DLL Windows file download, [] MAC_Src: 00:21:1C:EE:14:00 36176<-81 (09:07:24.583 PST) 38447<-81 (09:07:40.505 PST) ------------------------- event=1:3300007 (2) {tcp} E3[rb] BotHunter Malware Windows executable (PE) sent from remote host, [] MAC_Src: 00:21:1C:EE:14:00 36176<-81 (09:07:24.583 PST) 38447<-81 (09:07:40.505 PST) C and C TRAFFIC 88.198.228.238 (4) (09:05:08.891 PST) event=1:2003603 (4) {tcp} E4[rb] ET TROJAN W32.Virut.A joining an IRC Channel, [] MAC_Src: 00:01:64:FF:CE:EA 60607->65520 (09:05:08.891 PST) 38536->65520 (09:07:06.085 PST) 34348->65520 (09:07:10.260 PST) 43414->65520 (09:08:15.142 PST) C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) 59.17.51.253 (09:07:57.347 PST) event=777:7777005 {udp} E5[bh] Detected intense non-malware port scanning of 21 IPs (21 /24s) (# pkts S/M/O/I=17/0/40/0): 1723, 65520:24, 88:5, 44:4, 53u:17, 6667:2, 81:4, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (09:07:57.347 PST) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT tcpslice 1260637508.891 1260637508.892 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.10.31' ============================== SEPARATOR ================================ Infected Target: 192.168.10.31 Score: 0.8 (>= 0.8) Infector List: Egg Source List: C & C List: 213.219.245.212 Peer Coord. List: Resource List: Observed Start: 12/12/2009 09:15:40.295 PST Gen. 
Time: 12/12/2009 09:15:40.452 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC 213.219.245.212 (09:15:40.452 PST) event=1:2008192 {tcp} E4[rb] ET WORM Korgo.P Reporting, [/index.php?id=jznkwnqacfyxh?scn=0?inf=0?ver=13?cnt=USA] MAC_Src: 00:01:64:FF:CE:EA 40094->80 (09:15:40.452 PST) C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) 199.7.64.126 (09:15:40.295 PST) event=777:7777005 {tcp} E5[bh] Detected intense non-malware port scanning of 30 IPs (30 /24s) (# pkts S/M/O/I=34/0/49/0): 1723, 53u:34, 65520:27, 88:5, 44:4, 6667:8, 81:4, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (09:15:40.295 PST) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT tcpslice 1260638140.295 1260638140.296 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.10.31' ============================== SEPARATOR ================================ Infected Target: 192.168.10.31 Score: 1.5 (>= 0.8) Infector List: 91.206.201.39 Egg Source List: 61.235.117.71, 202.97.184.196, 210.51.36.215, 218.93.205.19 C & C List: 213.219.245.212 (4), 218.93.205.30 (4) Peer Coord. List: Resource List: Observed Start: 12/12/2009 09:15:40.295 PST Gen. 
Time: 12/12/2009 09:18:23.020 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS 91.206.201.39 (09:16:11.520 PST) event=1:2632222 {tcp} E2[dns] BHDNS SPYWARE-CONTACT: colopin.cn (zeus), [%04%02%08%0Aw%FF%FFR%00%00%00%00%01%03%03%07%FF%FFd%01%0E%01%FF%FF%FF%FF%FF%FF%FF%FFX] MAC_Dst: 00:21:1C:EE:14:00 48049->80 (09:16:11.520 PST) EGG DOWNLOAD 61.235.117.71 (2) (09:16:51.709 PST) event=1:2001685 (2) {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 34136<-80 (09:16:51.709 PST) 42863<-80 (09:17:04.425 PST) 202.97.184.196 (10) (09:16:45.462 PST) event=1:2000419 (5) {tcp} E3[rb] ET POLICY PE EXE or DLL Windows file download, [] MAC_Src: 00:21:1C:EE:14:00 50577<-81 (09:16:45.462 PST) 50892<-81 (09:17:04.868 PST) 45355<-81 (09:17:26.854 PST) 60061<-81 (09:17:34.588 PST) 54654<-81 (09:18:04.603 PST) ------------------------- event=1:3300007 (5) {tcp} E3[rb] BotHunter Malware Windows executable (PE) sent from remote host, [] MAC_Src: 00:21:1C:EE:14:00 50577<-81 (09:16:45.462 PST) 50892<-81 (09:17:04.868 PST) 45355<-81 (09:17:26.854 PST) 60061<-81 (09:17:34.588 PST) 54654<-81 (09:18:04.603 PST) 210.51.36.215 (09:16:41.898 PST) event=1:2000427 {tcp} E3[rb] ET POLICY PE EXE Install Windows file download, [] MAC_Src: 00:21:1C:EE:14:00 38218<-88 (09:16:41.898 PST) 218.93.205.19 (2) (09:15:54.153 PST) event=1:2001894 (2) {tcp} E3[rb] ET MALWARE ToolbarPartner Spyware Agent Partner Install, [/inst.php?id=32&sid=0] MAC_Src: 00:01:64:FF:CE:EA 59305->80 (09:15:54.153 PST) 57039->80 (09:16:30.562 PST) C and C TRAFFIC 213.219.245.212 (4) (09:15:40.452 PST) event=1:2003070 {tcp} E4[rb] ET WORM Korgo.U Reporting, [/index.php?id=qkdtjayqgfxbcccdl&scn=0&inf=0&ver=18&cnt=USA] MAC_Src: 00:01:64:FF:CE:EA 58008->80 (09:16:23.682 PST) ------------------------- event=1:2008192 (3) {tcp} E4[rb] ET WORM Korgo.P Reporting, [/index.php?id=jznkwnqacfyxh?scn=0?inf=0?ver=13?cnt=USA] MAC_Src: 00:01:64:FF:CE:EA 40094->80 
(09:15:40.452 PST) 40807->80 (09:16:24.535 PST) 56575->80 (09:16:29.788 PST) 218.93.205.30 (4) (09:15:40.699 PST) event=1:2003603 (4) {tcp} E4[rb] ET TROJAN W32.Virut.A joining an IRC Channel, [] MAC_Src: 00:01:64:FF:CE:EA 49260->65520 (09:15:40.699 PST) 42176->65520 (09:16:23.448 PST) 33101->65520 (09:16:23.552 PST) 54199->65520 (09:16:29.778 PST) C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) 199.7.64.126 (2) (09:15:40.295 PST) event=777:7777005 (2) {tcp} E5[bh] Detected intense non-malware port scanning of 30 IPs (30 /24s) (# pkts S/M/O/I=34/0/49/0): 1723, 53u:34, 65520:27, 88:5, 44:4, 6667:8, 81:4, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (09:15:40.295 PST) 0->0 (09:17:26.386 PST) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT tcpslice 1260638140.295 1260638140.296 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.10.31' ============================== SEPARATOR ================================ Infected Target: 192.168.10.31 Score: 1.0 (>= 0.8) Infector List: Egg Source List: 202.97.184.196 C & C List: 213.219.245.212 Peer Coord. List: Resource List: Observed Start: 12/12/2009 09:18:34.857 PST Gen. 
Time: 12/12/2009 09:18:57.492 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD 202.97.184.196 (2) (09:18:34.857 PST) event=1:2000419 {tcp} E3[rb] ET POLICY PE EXE or DLL Windows file download, [] MAC_Src: 00:21:1C:EE:14:00 52450<-81 (09:18:34.857 PST) ------------------------- event=1:3300007 {tcp} E3[rb] BotHunter Malware Windows executable (PE) sent from remote host, [] MAC_Src: 00:21:1C:EE:14:00 52450<-81 (09:18:34.857 PST) C and C TRAFFIC 213.219.245.212 (09:18:57.492 PST) event=1:2003070 {tcp} E4[rb] ET WORM Korgo.U Reporting, [/index.php?id=nochvsfjyjyrc&scn=0&inf=0&ver=18&cnt=USA] MAC_Src: 00:01:64:FF:CE:EA 60342->80 (09:18:57.492 PST) C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT tcpslice 1260638314.857 1260638314.858 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.10.31' ============================== SEPARATOR ================================ Infected Target: 192.168.10.31 Score: 1.3 (>= 0.8) Infector List: Egg Source List: 202.97.184.196, 210.51.36.215 C & C List: 88.198.228.238, 213.219.245.212 (3) Peer Coord. List: Resource List: Observed Start: 12/12/2009 09:18:34.857 PST Gen. 
Time: 12/12/2009 09:21:11.678 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD 202.97.184.196 (2) (09:18:34.857 PST) event=1:2000419 {tcp} E3[rb] ET POLICY PE EXE or DLL Windows file download, [] MAC_Src: 00:21:1C:EE:14:00 52450<-81 (09:18:34.857 PST) ------------------------- event=1:3300007 {tcp} E3[rb] BotHunter Malware Windows executable (PE) sent from remote host, [] MAC_Src: 00:21:1C:EE:14:00 52450<-81 (09:18:34.857 PST) 210.51.36.215 (09:21:02.855 PST) event=1:2000427 {tcp} E3[rb] ET POLICY PE EXE Install Windows file download, [] MAC_Src: 00:21:1C:EE:14:00 54755<-88 (09:21:02.855 PST) C and C TRAFFIC 88.198.228.238 (09:20:59.183 PST) event=1:2003603 {tcp} E4[rb] ET TROJAN W32.Virut.A joining an IRC Channel, [] MAC_Src: 00:01:64:FF:CE:EA 47093->65520 (09:20:59.183 PST) 213.219.245.212 (3) (09:18:57.492 PST) event=1:2003070 (3) {tcp} E4[rb] ET WORM Korgo.U Reporting, [/index.php?id=nochvsfjyjyrc&scn=0&inf=0&ver=18&cnt=USA] MAC_Src: 00:01:64:FF:CE:EA 60342->80 (09:18:57.492 PST) 56282->80 (09:19:36.004 PST) 55410->80 (09:19:38.309 PST) C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) 199.7.64.126 (09:20:58.854 PST) event=777:7777005 {tcp} E5[bh] Detected intense non-malware port scanning of 30 IPs (30 /24s) (# pkts S/M/O/I=34/0/89/0): 1723, 53u:34, 65520:35, 88:7, 44:4, 8392:14, 6667:8, 81:20, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (09:20:58.854 PST) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT tcpslice 1260638314.857 1260638314.858 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.10.31' ============================== SEPARATOR ================================ Infected Target: 192.168.10.31 Score: 1.0 (>= 0.8) Infector List: Egg Source List: 218.93.205.19 C & C List: 213.219.245.212 (4), 218.93.205.30 Peer Coord. List: Resource List: Observed Start: 12/12/2009 09:40:24.479 PST Gen. 
Time: 12/12/2009 09:42:52.210 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD 218.93.205.19 (09:42:52.210 PST) event=1:2001894 {tcp} E3[rb] ET MALWARE ToolbarPartner Spyware Agent Partner Install, [/inst.php?id=32&sid=0] MAC_Src: 00:01:64:FF:CE:EA 51377->80 (09:42:52.210 PST) C and C TRAFFIC 213.219.245.212 (4) (09:40:24.479 PST) event=1:2003070 (4) {tcp} E4[rb] ET WORM Korgo.U Reporting, [/index.php?id=bxszzmwyssynm&scn=0&inf=0&ver=19&cnt=USA] MAC_Src: 00:01:64:FF:CE:EA 47233->80 (09:40:24.479 PST) 57321->80 (09:40:58.303 PST) 53712->80 (09:41:07.496 PST) 36985->80 (09:42:40.274 PST) 218.93.205.30 (09:42:40.505 PST) event=1:2003603 {tcp} E4[rb] ET TROJAN W32.Virut.A joining an IRC Channel, [] MAC_Src: 00:01:64:FF:CE:EA 57096->65520 (09:42:40.505 PST) C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT tcpslice 1260639624.479 1260639624.480 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.10.31' ============================== SEPARATOR ================================ Infected Target: 192.168.10.31 Score: 1.0 (>= 0.8) Infector List: Egg Source List: 210.51.36.215, 218.93.205.19 C & C List: 213.219.245.212 (7), 218.93.205.30 (3) Peer Coord. List: Resource List: Observed Start: 12/12/2009 09:40:24.479 PST Gen. 
Time: 12/12/2009 09:44:17.009 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD 210.51.36.215 (09:43:01.025 PST) event=1:2000427 {tcp} E3[rb] ET POLICY PE EXE Install Windows file download, [] MAC_Src: 00:21:1C:EE:14:00 37135<-88 (09:43:01.025 PST) 218.93.205.19 (09:42:52.210 PST) event=1:2001894 {tcp} E3[rb] ET MALWARE ToolbarPartner Spyware Agent Partner Install, [/inst.php?id=32&sid=0] MAC_Src: 00:01:64:FF:CE:EA 51377->80 (09:42:52.210 PST) C and C TRAFFIC 213.219.245.212 (7) (09:40:24.479 PST) event=1:2003070 (7) {tcp} E4[rb] ET WORM Korgo.U Reporting, [/index.php?id=bxszzmwyssynm&scn=0&inf=0&ver=19&cnt=USA] MAC_Src: 00:01:64:FF:CE:EA 47233->80 (09:40:24.479 PST) 57321->80 (09:40:58.303 PST) 53712->80 (09:41:07.496 PST) 36985->80 (09:42:40.274 PST) 48739->80 (09:43:05.320 PST) 33869->80 (09:43:09.618 PST) 49618->80 (09:43:22.056 PST) 218.93.205.30 (3) (09:42:40.505 PST) event=1:2003603 (3) {tcp} E4[rb] ET TROJAN W32.Virut.A joining an IRC Channel, [] MAC_Src: 00:01:64:FF:CE:EA 57096->65520 (09:42:40.505 PST) 58432->65520 (09:43:05.336 PST) 48450->65520 (09:43:09.566 PST) C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT tcpslice 1260639624.479 1260639624.480 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.10.31' ============================== SEPARATOR ================================ Infected Target: 192.168.10.31 Score: 0.8 (>= 0.8) Infector List: Egg Source List: C & C List: 213.219.245.212 Peer Coord. List: Resource List: Observed Start: 12/12/2009 09:45:50.109 PST Gen. 
Time: 12/12/2009 09:45:52.875 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC 213.219.245.212 (09:45:52.875 PST) event=1:2003070 {tcp} E4[rb] ET WORM Korgo.U Reporting, [/index.php?id=xaqxamkdixeqiafixw&scn=0&inf=0&ver=19&cnt=USA] MAC_Src: 00:01:64:FF:CE:EA 33577->80 (09:45:52.875 PST) C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) 218.93.205.30 (09:45:50.109 PST) event=777:7777005 {udp} E5[bh] Detected intense non-malware port scanning of 21 IPs (21 /24s) (# pkts S/M/O/I=20/0/18/0): 65520:6, 88:2, 8392:10, 53u:20, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (09:45:50.109 PST) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT tcpslice 1260639950.109 1260639950.110 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.10.31' ============================== SEPARATOR ================================ Infected Target: 192.168.10.31 Score: 0.8 (>= 0.8) Infector List: Egg Source List: C & C List: 213.219.245.212 (5) Peer Coord. List: Resource List: Observed Start: 12/12/2009 09:45:50.109 PST Gen. 
Time: 12/12/2009 09:49:08.304 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC 213.219.245.212 (5) (09:45:52.875 PST) event=1:2003070 (5) {tcp} E4[rb] ET WORM Korgo.U Reporting, [/index.php?id=xaqxamkdixeqiafixw&scn=0&inf=0&ver=19&cnt=USA] MAC_Src: 00:01:64:FF:CE:EA 33577->80 (09:45:52.875 PST) 55876->80 (09:46:00.037 PST) 35300->80 (09:46:11.936 PST) 45253->80 (09:48:52.515 PST) 42507->80 (09:48:56.884 PST) C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) 218.93.205.30 (2) (09:45:50.109 PST) event=777:7777005 (2) {udp} E5[bh] Detected intense non-malware port scanning of 21 IPs (21 /24s) (# pkts S/M/O/I=20/0/18/0): 65520:6, 88:2, 8392:10, 53u:20, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (09:45:50.109 PST) 0->0 (09:47:30.672 PST) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT tcpslice 1260639950.109 1260639950.110 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.10.31' ============================== SEPARATOR ================================ Infected Target: 192.168.10.31 Score: 0.8 (>= 0.8) Infector List: Egg Source List: C & C List: 213.219.245.212 Peer Coord. List: Resource List: Observed Start: 12/12/2009 09:49:09.138 PST Gen. 
Time: 12/12/2009 09:49:09.319 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC 213.219.245.212 (09:49:09.319 PST) event=1:2003070 {tcp} E4[rb] ET WORM Korgo.U Reporting, [/index.php?id=dzdqmmxjtjjscsrwu&scn=0&inf=0&ver=19&cnt=USA] MAC_Src: 00:01:64:FF:CE:EA 49791->80 (09:49:09.319 PST) C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) 218.93.205.30 (09:49:09.138 PST) event=777:7777005 {tcp} E5[bh] Detected intense non-malware port scanning of 29 IPs (28 /24s) (# pkts S/M/O/I=35/0/19/0): 65520:7, 88:2, 8392:10, 53u:35, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (09:49:09.138 PST) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT tcpslice 1260640149.138 1260640149.139 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.10.31' ============================== SEPARATOR ================================ Infected Target: 192.168.10.31 Score: 1.5 (>= 0.8) Infector List: 91.206.201.39 Egg Source List: 202.97.184.196, 210.51.36.215, 218.93.205.19 C & C List: 217.11.54.126, 88.198.228.238 (3), 213.219.245.212 (4) Peer Coord. List: Resource List: Observed Start: 12/12/2009 09:49:09.138 PST Report End: 12/12/2009 09:52:07.264 PST Gen. Time: 12/12/2009 09:53:19.450 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS 91.206.201.39 (09:52:18.019 PST) event=1:2632222 {tcp} E2[dns] BHDNS SPYWARE-CONTACT: colopin.cn (zeus), [%04%02%08%0Aw%FF%07 %00%00%00%00%01%03%03%071260640549%00+,-.] 
MAC_Dst: 00:21:1C:EE:14:00 58726->80 (09:52:18.019 PST) EGG DOWNLOAD 202.97.184.196 (6) (09:52:41.271 PST) event=1:2000419 (3) {tcp} E3[rb] ET POLICY PE EXE or DLL Windows file download, [] MAC_Src: 00:21:1C:EE:14:00 53211<-81 (09:52:49.460 PST) 48259<-81 (09:52:41.271 PST) 39235<-81 (09:52:59.772 PST) ------------------------- event=1:3300007 (3) {tcp} E3[rb] BotHunter Malware Windows executable (PE) sent from remote host, [] MAC_Src: 00:21:1C:EE:14:00 39235<-81 (09:52:59.772 PST) 48259<-81 (09:52:41.271 PST) 53211<-81 (09:52:49.460 PST) 210.51.36.215 (6) (09:49:22.371 PST-09:52:07.264 PST) event=1:2000419 (3) {tcp} E3[rb] ET POLICY PE EXE or DLL Windows file download, [] MAC_Src: 00:21:1C:EE:14:00 3: 49351<-88 (09:52:06.687 PST-09:52:07.264 PST) ------------------------- event=1:2000427 {tcp} E3[rb] ET POLICY PE EXE Install Windows file download, [] MAC_Src: 00:21:1C:EE:14:00 40748<-88 (09:49:22.371 PST) ------------------------- event=1:3300007 (2) {tcp} E3[rb] BotHunter Malware Windows executable (PE) sent from remote host, [] MAC_Src: 00:21:1C:EE:14:00 2: 49351<-88 (09:52:06.687 PST-09:52:07.073 PST) 218.93.205.19 (09:52:04.090 PST) event=1:2001894 {tcp} E3[rb] ET MALWARE ToolbarPartner Spyware Agent Partner Install, [/inst.php?id=32&sid=0] MAC_Src: 00:01:64:FF:CE:EA 36003->80 (09:52:04.090 PST) C and C TRAFFIC 217.11.54.126 (09:50:21.547 PST) event=1:2003070 {tcp} E4[rb] ET WORM Korgo.U Reporting, [/index.php?id=ammtdnoqapl&scn=8748&inf=0&ver=19&cnt=USA] MAC_Src: 00:01:64:FF:CE:EA 54518->80 (09:50:21.547 PST) 88.198.228.238 (3) (09:49:09.467 PST) event=1:2003603 (3) {tcp} E4[rb] ET TROJAN W32.Virut.A joining an IRC Channel, [] MAC_Src: 00:01:64:FF:CE:EA 55454->65520 (09:49:09.467 PST) 43064->65520 (09:51:52.321 PST) 44647->65520 (09:51:56.471 PST) 213.219.245.212 (4) (09:49:09.319 PST) event=1:2003070 (4) {tcp} E4[rb] ET WORM Korgo.U Reporting, [/index.php?id=dzdqmmxjtjjscsrwu&scn=0&inf=0&ver=19&cnt=USA] MAC_Src: 00:01:64:FF:CE:EA 49791->80 (09:49:09.319 PST) 
51744->80 (09:51:52.441 PST) 45377->80 (09:51:56.525 PST) 60505->80 (09:52:25.918 PST) C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) 218.93.205.30 (2) (09:49:09.138 PST) event=777:7777005 (2) {tcp} E5[bh] Detected intense non-malware port scanning of 29 IPs (28 /24s) (# pkts S/M/O/I=35/0/19/0): 65520:7, 88:2, 8392:10, 53u:35, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (09:49:09.138 PST) 0->0 (09:51:51.991 PST) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT tcpslice 1260640149.138 1260640327.265 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.10.31' ============================== SEPARATOR ================================ Infected Target: 192.168.10.31 Score: 0.8 (>= 0.8) Infector List: Egg Source List: 202.97.184.196 C & C List: Peer Coord. List: Resource List: Observed Start: 12/12/2009 09:53:36.535 PST Gen. Time: 12/12/2009 09:53:37.007 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD 202.97.184.196 (09:53:37.007 PST) event=1:2000419 {tcp} E3[rb] ET POLICY PE EXE or DLL Windows file download, [] MAC_Src: 00:21:1C:EE:14:00 55440<-81 (09:53:37.007 PST) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) 192.54.112.30 (09:53:36.535 PST) event=777:7777005 {tcp} E5[bh] Detected intense non-malware port scanning of 30 IPs (30 /24s) (# pkts S/M/O/I=57/0/54/0): 65520:12, 88:9, 8392:22, 53u:57, 44:4, 81:7, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (09:53:36.535 PST) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT tcpslice 1260640416.535 1260640416.536 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.10.31' ============================== SEPARATOR ================================ Infected Target: 192.168.10.31 Score: 1.3 (>= 0.8) Infector List: Egg Source List: 61.235.117.71, 202.97.184.196, 210.51.36.215, 218.93.205.19 C & C List: 88.198.228.238 (2), 213.219.245.212 (4), 174.133.57.140, 98.126.46.210 Peer Coord. 
List: Resource List: Observed Start: 12/12/2009 09:53:36.535 PST Gen. Time: 12/12/2009 09:57:09.456 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD 61.235.117.71 (09:56:09.648 PST) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 44582<-80 (09:56:09.648 PST) 202.97.184.196 (4) (09:53:37.007 PST) event=1:2000419 (2) {tcp} E3[rb] ET POLICY PE EXE or DLL Windows file download, [] MAC_Src: 00:21:1C:EE:14:00 55440<-81 (09:53:37.007 PST) 38959<-81 (09:53:50.959 PST) ------------------------- event=1:3300007 (2) {tcp} E3[rb] BotHunter Malware Windows executable (PE) sent from remote host, [] MAC_Src: 00:21:1C:EE:14:00 55440<-81 (09:53:37.007 PST) 38959<-81 (09:53:50.959 PST) 210.51.36.215 (09:55:40.853 PST) event=1:2000427 {tcp} E3[rb] ET POLICY PE EXE Install Windows file download, [] MAC_Src: 00:21:1C:EE:14:00 45829<-88 (09:55:40.853 PST) 218.93.205.19 (09:55:31.699 PST) event=1:2001894 {tcp} E3[rb] ET MALWARE ToolbarPartner Spyware Agent Partner Install, [/inst.php?id=32&sid=0] MAC_Src: 00:01:64:FF:CE:EA 58054->80 (09:55:31.699 PST) C and C TRAFFIC 88.198.228.238 (2) (09:55:19.387 PST) event=1:2003603 (2) {tcp} E4[rb] ET TROJAN W32.Virut.A joining an IRC Channel, [] MAC_Src: 00:01:64:FF:CE:EA 45120->65520 (09:55:19.387 PST) 58888->65520 (09:55:23.647 PST) 213.219.245.212 (4) (09:54:41.286 PST) event=1:2003070 (4) {tcp} E4[rb] ET WORM Korgo.U Reporting, [/index.php?id=uhgvgaybsi&scn=0&inf=0&ver=19&cnt=USA] MAC_Src: 00:01:64:FF:CE:EA 41867->80 (09:54:41.286 PST) 56166->80 (09:55:06.273 PST) 40176->80 (09:55:10.357 PST) 34325->80 (09:55:23.669 PST) 174.133.57.140 (09:53:49.498 PST) event=1:2009456 {tcp} E4[rb] ET USER_AGENTS Suspicious User Agent (ClickAdsByIE), [/p6.asp?MAC=00-0C-29-DC-A9-BD&Publicer=kk_01] MAC_Src: 00:01:64:FF:CE:EA 38683->80 (09:53:49.498 PST) 98.126.46.210 (09:53:49.413 PST) event=1:2009456 {tcp} E4[rb] ET USER_AGENTS Suspicious User Agent 
(ClickAdsByIE), [/p6.asp?MAC=00-0C-29-DC-A9-BD&Publicer=kk_01] MAC_Src: 00:01:64:FF:CE:EA 45943->80 (09:53:49.413 PST) C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) 192.54.112.30 (3) (09:53:36.535 PST) event=777:7777005 (3) {tcp} E5[bh] Detected intense non-malware port scanning of 30 IPs (30 /24s) (# pkts S/M/O/I=57/0/54/0): 65520:12, 88:9, 8392:22, 53u:57, 44:4, 81:7, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (09:53:36.535 PST) 0->0 (09:55:19.053 PST) 0->0 (09:56:49.466 PST) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT tcpslice 1260640416.535 1260640416.536 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.10.31' ============================== SEPARATOR ================================ Infected Target: 192.168.10.31 Score: 1.0 (>= 0.8) Infector List: Egg Source List: 218.93.205.19 C & C List: 213.219.245.212, 88.198.228.238 Peer Coord. List: Resource List: Observed Start: 12/12/2009 09:57:51.815 PST Gen. Time: 12/12/2009 09:58:03.586 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD 218.93.205.19 (09:58:03.586 PST) event=1:2001894 {tcp} E3[rb] ET MALWARE ToolbarPartner Spyware Agent Partner Install, [/inst.php?id=32&sid=0] MAC_Src: 00:01:64:FF:CE:EA 57955->80 (09:58:03.586 PST) C and C TRAFFIC 213.219.245.212 (09:57:51.839 PST) event=1:2003070 {tcp} E4[rb] ET WORM Korgo.U Reporting, [/index.php?id=bxtljsiykxwksnxz&scn=0&inf=0&ver=19&cnt=USA] MAC_Src: 00:01:64:FF:CE:EA 36819->80 (09:57:51.839 PST) 88.198.228.238 (09:57:51.815 PST) event=1:2003603 {tcp} E4[rb] ET TROJAN W32.Virut.A joining an IRC Channel, [] MAC_Src: 00:01:64:FF:CE:EA 35908->65520 (09:57:51.815 PST) C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT tcpslice 1260640671.815 1260640671.816 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.10.31' ============================== SEPARATOR ================================ Infected 
Target: 192.168.10.31 Score: 1.3 (>= 0.8) Infector List: Egg Source List: 210.51.36.215, 218.93.205.19 C & C List: 213.219.245.212 (4), 88.198.228.238 Peer Coord. List: Resource List: Observed Start: 12/12/2009 09:57:51.815 PST Report End: 12/12/2009 09:58:12.502 PST Gen. Time: 12/12/2009 10:00:51.340 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD 210.51.36.215 (4) (09:58:12.116 PST-09:58:12.502 PST) event=1:2000419 (2) {tcp} E3[rb] ET POLICY PE EXE or DLL Windows file download, [] MAC_Src: 00:21:1C:EE:14:00 2: 47991<-88 (09:58:12.116 PST-09:58:12.502 PST) ------------------------- event=1:3300007 (2) {tcp} E3[rb] BotHunter Malware Windows executable (PE) sent from remote host, [] MAC_Src: 00:21:1C:EE:14:00 2: 47991<-88 (09:58:12.116 PST-09:58:12.502 PST) 218.93.205.19 (09:58:03.586 PST) event=1:2001894 {tcp} E3[rb] ET MALWARE ToolbarPartner Spyware Agent Partner Install, [/inst.php?id=32&sid=0] MAC_Src: 00:01:64:FF:CE:EA 57955->80 (09:58:03.586 PST) C and C TRAFFIC 213.219.245.212 (4) (09:57:51.839 PST) event=1:2003070 (4) {tcp} E4[rb] ET WORM Korgo.U Reporting, [/index.php?id=bxtljsiykxwksnxz&scn=0&inf=0&ver=19&cnt=USA] MAC_Src: 00:01:64:FF:CE:EA 36819->80 (09:57:51.839 PST) 46947->80 (09:58:08.445 PST) 48995->80 (09:58:10.173 PST) 48675->80 (09:58:50.178 PST) 88.198.228.238 (09:57:51.815 PST) event=1:2003603 {tcp} E4[rb] ET TROJAN W32.Virut.A joining an IRC Channel, [] MAC_Src: 00:01:64:FF:CE:EA 35908->65520 (09:57:51.815 PST) C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) 192.54.112.30 (09:58:37.153 PST) event=777:7777005 {tcp} E5[bh] Detected intense non-malware port scanning of 30 IPs (30 /24s) (# pkts S/M/O/I=70/0/86/0): 65520:18, 88:14, 8392:38, 53u:70, 44:4, 81:12, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (09:58:37.153 PST) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT tcpslice 1260640671.815 1260640692.503 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.10.31' 
============================== SEPARATOR ================================ Infected Target: 192.168.10.31 Score: 1.2 (>= 0.8) Infector List: 91.206.201.39 Egg Source List: 202.97.184.196 C & C List: 213.219.245.212 (2) Peer Coord. List: Resource List: Observed Start: 12/12/2009 10:07:57.640 PST Gen. Time: 12/12/2009 10:08:44.230 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS 91.206.201.39 (10:08:35.756 PST) event=1:2632222 {tcp} E2[dns] BHDNS SPYWARE-CONTACT: colopin.cn (zeus), [%04%02%08%0Ax%0D%FF_%00%00%00%00%01%03%03%07http://iplane.c] MAC_Dst: 00:21:1C:EE:14:00 55609->80 (10:08:35.756 PST) EGG DOWNLOAD 202.97.184.196 (10:08:44.230 PST) event=1:2000419 {tcp} E3[rb] ET POLICY PE EXE or DLL Windows file download, [] MAC_Src: 00:21:1C:EE:14:00 52918<-81 (10:08:44.230 PST) C and C TRAFFIC 213.219.245.212 (2) (10:07:57.640 PST) event=1:2003070 (2) {tcp} E4[rb] ET WORM Korgo.U Reporting, [/index.php?id=lbanvmukuaiizqtzc&scn=0&inf=0&ver=19&cnt=USA] MAC_Src: 00:01:64:FF:CE:EA 60304->80 (10:07:57.640 PST) 50330->80 (10:08:36.337 PST) C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT tcpslice 1260641277.640 1260641277.641 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.10.31' ============================== SEPARATOR ================================ Infected Target: 192.168.10.31 Score: 2.0 (>= 0.8) Infector List: 66.252.5.60, 91.206.201.39 Egg Source List: 202.97.184.196 C & C List: 213.219.245.212 (4) Peer Coord. List: Resource List: 66.252.5.60 Observed Start: 12/12/2009 10:07:57.640 PST Gen. 
Time: 12/12/2009 10:12:02.605 PST INBOUND SCAN EXPLOIT 66.252.5.60 (10:10:41.268 PST) event=1:22000346 {tcp} E2[rb] ET ATTACK RESPONSE IRC - Name response on non-std port, [] MAC_Dst: 00:01:64:FF:CE:EA 37777<-7000 (10:10:41.268 PST) EXPLOIT MALWARE DNS 91.206.201.39 (10:08:35.756 PST) event=1:2632222 {tcp} E2[dns] BHDNS SPYWARE-CONTACT: colopin.cn (zeus), [%04%02%08%0Ax%0D%FF_%00%00%00%00%01%03%03%07http://iplane.c] MAC_Dst: 00:21:1C:EE:14:00 55609->80 (10:08:35.756 PST) EGG DOWNLOAD 202.97.184.196 (4) (10:08:44.230 PST) event=1:2000419 (2) {tcp} E3[rb] ET POLICY PE EXE or DLL Windows file download, [] MAC_Src: 00:21:1C:EE:14:00 52918<-81 (10:08:44.230 PST) 34781<-81 (10:09:44.730 PST) ------------------------- event=1:3300007 (2) {tcp} E3[rb] BotHunter Malware Windows executable (PE) sent from remote host, [] MAC_Src: 00:21:1C:EE:14:00 52918<-81 (10:08:44.230 PST) 34781<-81 (10:09:44.730 PST) C and C TRAFFIC 213.219.245.212 (4) (10:07:57.640 PST) event=1:2003070 (4) {tcp} E4[rb] ET WORM Korgo.U Reporting, [/index.php?id=lbanvmukuaiizqtzc&scn=0&inf=0&ver=19&cnt=USA] MAC_Src: 00:01:64:FF:CE:EA 60304->80 (10:07:57.640 PST) 50330->80 (10:08:36.337 PST) 46089->80 (10:09:40.826 PST) 57520->80 (10:10:53.390 PST) C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP 66.252.5.60 (10:10:40.479 PST) event=1:2000352 {tcp} E6[rb] ET ATTACK RESPONSE IRC - dns request on non-std port, [] MAC_Src: 00:01:64:FF:CE:EA 37777->7000 (10:10:40.479 PST) PEER COORDINATION DECLARE BOT tcpslice 1260641277.640 1260641277.641 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.10.31' ============================== SEPARATOR ================================ Infected Target: 192.168.10.31 Score: 0.8 (>= 0.8) Infector List: 66.252.5.60 Egg Source List: C & C List: Peer Coord. List: Resource List: 66.252.5.60 Observed Start: 12/12/2009 10:12:54.666 PST Gen. 
Time: 12/12/2009 10:12:55.406 PST INBOUND SCAN EXPLOIT 66.252.5.60 (10:12:55.406 PST) event=1:22000346 {tcp} E2[rb] ET ATTACK RESPONSE IRC - Name response on non-std port, [] MAC_Dst: 00:01:64:FF:CE:EA 33842<-7000 (10:12:55.406 PST) EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP 66.252.5.60 (10:12:54.666 PST) event=1:2000352 {tcp} E6[rb] ET ATTACK RESPONSE IRC - dns request on non-std port, [] MAC_Src: 00:01:64:FF:CE:EA 33842->7000 (10:12:54.666 PST) PEER COORDINATION DECLARE BOT tcpslice 1260641574.666 1260641574.667 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.10.31' ============================== SEPARATOR ================================ Infected Target: 192.168.10.31 Score: 1.8 (>= 0.8) Infector List: 66.252.5.60 Egg Source List: 202.97.184.196, 210.51.36.215, 218.93.205.19 C & C List: 88.198.228.238 (3), 209.107.213.27 (4), 174.133.57.140 Peer Coord. List: Resource List: 66.252.5.60 (2) Observed Start: 12/12/2009 10:12:54.666 PST Report End: 12/12/2009 10:16:55.724 PST Gen. 
Time: 12/12/2009 10:16:55.724 PST INBOUND SCAN EXPLOIT 66.252.5.60 (6) (10:12:55.406 PST) event=1:22000346 (6) {tcp} E2[rb] ET ATTACK RESPONSE IRC - Name response on non-std port, [] MAC_Dst: 00:01:64:FF:CE:EA 33842<-7000 (10:12:55.406 PST) 48835<-7000 (10:13:24.467 PST) 42427<-7000 (10:13:35.021 PST) 49692<-7000 (10:14:03.964 PST) 41336<-7000 (10:15:53.125 PST) 41841<-7000 (10:16:24.951 PST) EXPLOIT MALWARE DNS EGG DOWNLOAD 202.97.184.196 (8) (10:16:30.389 PST) event=1:2000419 (4) {tcp} E3[rb] ET POLICY PE EXE or DLL Windows file download, [] MAC_Src: 00:21:1C:EE:14:00 46573<-81 (10:16:42.357 PST) 32917<-81 (10:16:35.170 PST) 35759<-81 (10:16:30.389 PST) 38272<-81 (10:16:41.076 PST) ------------------------- event=1:3300007 (4) {tcp} E3[rb] BotHunter Malware Windows executable (PE) sent from remote host, [] MAC_Src: 00:21:1C:EE:14:00 46573<-81 (10:16:42.357 PST) 32917<-81 (10:16:35.170 PST) 35759<-81 (10:16:30.389 PST) 38272<-81 (10:16:41.076 PST) 210.51.36.215 (4) (10:16:18.275 PST-10:16:18.660 PST) event=1:2000419 (2) {tcp} E3[rb] ET POLICY PE EXE or DLL Windows file download, [] MAC_Src: 00:21:1C:EE:14:00 2: 53596<-88 (10:16:18.275 PST-10:16:18.660 PST) ------------------------- event=1:3300007 (2) {tcp} E3[rb] BotHunter Malware Windows executable (PE) sent from remote host, [] MAC_Src: 00:21:1C:EE:14:00 2: 53596<-88 (10:16:18.275 PST-10:16:18.660 PST) 218.93.205.19 (10:16:11.839 PST) event=1:2001894 {tcp} E3[rb] ET MALWARE ToolbarPartner Spyware Agent Partner Install, [/inst.php?id=32&sid=0] MAC_Src: 00:01:64:FF:CE:EA 38465->80 (10:16:11.839 PST) C and C TRAFFIC 88.198.228.238 (3) (10:16:06.081 PST) event=1:2003603 (3) {tcp} E4[rb] ET TROJAN W32.Virut.A joining an IRC Channel, [] MAC_Src: 00:01:64:FF:CE:EA 47463->65520 (10:16:10.047 PST) 54139->65520 (10:16:23.871 PST) 58172->65520 (10:16:06.081 PST) 209.107.213.27 (4) (10:16:53.327 PST-10:16:55.724 PST) event=1:2002196 (3) {tcp} E4[rb] ET MALWARE Casalemedia Spyware Reporting URL Visited 2, 
[/sd?s=95308&f=1&C=1] MAC_Src: 00:01:64:FF:CE:EA 42017->80 (10:16:53.980 PST) 2: 42017->80 (10:16:53.327 PST-10:16:55.724 PST) ------------------------- event=1:2009880 {tcp} E4[rb] ET MALWARE Casalemedia Spyware Reporting URL Visited 3, [] MAC_Src: 00:01:64:FF:CE:EA 42017->80 (10:16:53.980 PST) 174.133.57.140 (10:16:51.895 PST) event=1:2009456 {tcp} E4[rb] ET USER_AGENTS Suspicious User Agent (ClickAdsByIE), [/p6.asp?MAC=00-0C-29-DC-A9-BD&Publicer=kk_01] MAC_Src: 00:01:64:FF:CE:EA 48990->80 (10:16:51.895 PST) C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP 66.252.5.60 (2) (10:12:54.666 PST) event=1:2000352 (2) {tcp} E6[rb] ET ATTACK RESPONSE IRC - dns request on non-std port, [] MAC_Src: 00:01:64:FF:CE:EA 33842->7000 (10:12:54.666 PST) 41336->7000 (10:15:52.940 PST) PEER COORDINATION DECLARE BOT tcpslice 1260641574.666 1260641815.725 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.10.31' ============================== SEPARATOR ================================ Infected Target: 192.168.10.31 Score: 1.0 (>= 0.8) Infector List: Egg Source List: 202.97.184.196 C & C List: 209.107.213.27 Peer Coord. List: Resource List: Observed Start: 12/12/2009 10:17:10.637 PST Gen. 
Time: 12/12/2009 10:17:40.499 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD 202.97.184.196 (10:17:40.499 PST) event=1:2000419 {tcp} E3[rb] ET POLICY PE EXE or DLL Windows file download, [] MAC_Src: 00:21:1C:EE:14:00 39149<-81 (10:17:40.499 PST) C and C TRAFFIC 209.107.213.27 (10:17:10.637 PST) event=1:2002196 {tcp} E4[rb] ET MALWARE Casalemedia Spyware Reporting URL Visited 2, [/sd?s=95308&f=1] MAC_Src: 00:01:64:FF:CE:EA 42017->80 (10:17:10.637 PST) C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT tcpslice 1260641830.637 1260641830.638 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.10.31' ============================== SEPARATOR ================================ Infected Target: 192.168.10.31 Score: 2.3 (>= 0.8) Infector List: 66.252.5.60, 91.206.201.39 Egg Source List: 202.97.184.196 C & C List: 209.107.213.27, 218.93.205.30 Peer Coord. List: Resource List: 66.252.5.60 Observed Start: 12/12/2009 10:17:10.637 PST Gen. 
Time: 12/12/2009 10:20:56.835 PST INBOUND SCAN EXPLOIT 66.252.5.60 (10:20:21.293 PST) event=1:22000346 {tcp} E2[rb] ET ATTACK RESPONSE IRC - Name response on non-std port, [] MAC_Dst: 00:01:64:FF:CE:EA 47157<-7000 (10:20:21.293 PST) EXPLOIT MALWARE DNS 91.206.201.39 (10:19:15.118 PST) event=1:2632222 {tcp} E2[dns] BHDNS SPYWARE-CONTACT: colopin.cn (zeus), [%04%02%08%0Ax%17%FF%FF%00%00%00%00%01%03%03%07edu/pl_measurem] MAC_Dst: 00:21:1C:EE:14:00 52765->80 (10:19:15.118 PST) EGG DOWNLOAD 202.97.184.196 (17) (10:17:40.499 PST) event=1:2000419 (7) {tcp} E3[rb] ET POLICY PE EXE or DLL Windows file download, [] MAC_Src: 00:21:1C:EE:14:00 39149<-81 (10:17:40.499 PST) 60303<-81 (10:17:41.905 PST) 58335<-81 (10:18:01.311 PST) 59131<-81 (10:18:02.654 PST) 40748<-81 (10:19:23.937 PST) 51122<-81 (10:19:30.905 PST) 49597<-81 (10:19:43.109 PST) ------------------------- event=1:2000427 (2) {tcp} E3[rb] ET POLICY PE EXE Install Windows file download, [] MAC_Src: 00:21:1C:EE:14:00 58570<-81 (10:18:05.374 PST) 50674<-81 (10:18:06.670 PST) ------------------------- event=1:2008547 (2) {tcp} E3[rb] ET TROJAN PECompact2 Packed Binary - Likely Hostile, [] MAC_Src: 00:21:1C:EE:14:00 58335<-81 (10:18:01.311 PST) 59131<-81 (10:18:02.654 PST) ------------------------- event=1:3300007 (6) {tcp} E3[rb] BotHunter Malware Windows executable (PE) sent from remote host, [] MAC_Src: 00:21:1C:EE:14:00 39149<-81 (10:17:40.499 PST) 60303<-81 (10:17:41.905 PST) 58335<-81 (10:18:01.311 PST) 59131<-81 (10:18:02.654 PST) 40748<-81 (10:19:23.937 PST) 51122<-81 (10:19:30.905 PST) C and C TRAFFIC 209.107.213.27 (10:17:10.637 PST) event=1:2002196 {tcp} E4[rb] ET MALWARE Casalemedia Spyware Reporting URL Visited 2, [/sd?s=95308&f=1] MAC_Src: 00:01:64:FF:CE:EA 42017->80 (10:17:10.637 PST) 218.93.205.30 (10:19:24.636 PST) event=1:2003603 {tcp} E4[rb] ET TROJAN W32.Virut.A joining an IRC Channel, [] MAC_Src: 00:01:64:FF:CE:EA 41014->65520 (10:19:24.636 PST) C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND 
SKYPE CANDIDATE OUTBOUND SCAN (spp) 202.97.184.196 (2) (10:18:09.095 PST) event=777:7777005 (2) {tcp} E5[bh] Detected intense non-malware port scanning of 21 IPs (21 /24s) (# pkts S/M/O/I=20/0/73/0): 81:39, 7000:18, 65520:6, 88:5, 44:4, 53u:20, 8392, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (10:18:09.095 PST) 0->0 (10:19:40.190 PST) OUTBOUND SCAN ATTACK PREP 66.252.5.60 (10:18:52.026 PST) event=1:2000352 {tcp} E6[rb] ET ATTACK RESPONSE IRC - dns request on non-std port, [] MAC_Src: 00:01:64:FF:CE:EA 39983->7000 (10:18:52.026 PST) PEER COORDINATION DECLARE BOT tcpslice 1260641830.637 1260641830.638 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.10.31' ============================== SEPARATOR ================================ Infected Target: 192.168.10.31 Score: 0.8 (>= 0.8) Infector List: Egg Source List: 202.97.184.196 C & C List: Peer Coord. List: Resource List: Observed Start: 12/12/2009 10:21:15.689 PST Gen. Time: 12/12/2009 10:21:16.624 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD 202.97.184.196 (10:21:16.624 PST) event=1:2000419 {tcp} E3[rb] ET POLICY PE EXE or DLL Windows file download, [] MAC_Src: 00:21:1C:EE:14:00 58260<-81 (10:21:16.624 PST) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) 202.97.184.196 (10:21:15.689 PST) event=777:7777005 {tcp} E5[bh] Detected intense non-malware port scanning of 24 IPs (24 /24s) (# pkts S/M/O/I=20/0/194/0): 81:73, 7000:80, 65520:8, 88:5, 44:4, 53u:20, 8392:24, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (10:21:15.689 PST) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT tcpslice 1260642075.689 1260642075.690 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.10.31' ============================== SEPARATOR ================================ Infected Target: 192.168.10.31 Score: 2.1 (>= 0.8) Infector List: 66.252.5.60 Egg Source List: 61.235.117.71, 202.97.184.196, 210.51.36.215, 218.93.205.19 C & C List: 88.198.228.238, 209.107.213.27 
(7), 174.133.57.140 (2), 98.126.46.210, 218.93.205.30 (3), 64.38.232.180 (3) Peer Coord. List: Resource List: 66.252.5.60 (2) Observed Start: 12/12/2009 10:21:15.689 PST Report End: 12/12/2009 10:24:21.936 PST Gen. Time: 12/12/2009 10:25:18.731 PST INBOUND SCAN EXPLOIT 66.252.5.60 (2) (10:22:23.225 PST) event=1:22000346 (2) {tcp} E2[rb] ET ATTACK RESPONSE IRC - Name response on non-std port, [] MAC_Dst: 00:01:64:FF:CE:EA 34671<-7000 (10:22:23.225 PST) 57778<-7000 (10:22:37.938 PST) EXPLOIT MALWARE DNS EGG DOWNLOAD 61.235.117.71 (10:22:11.406 PST) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 40741<-80 (10:22:11.406 PST) 202.97.184.196 (6) (10:21:16.624 PST) event=1:2000419 (2) {tcp} E3[rb] ET POLICY PE EXE or DLL Windows file download, [] MAC_Src: 00:21:1C:EE:14:00 45657<-81 (10:22:30.001 PST) 58260<-81 (10:21:16.624 PST) ------------------------- event=1:2000427 {tcp} E3[rb] ET POLICY PE EXE Install Windows file download, [] MAC_Src: 00:21:1C:EE:14:00 40073<-81 (10:21:20.593 PST) ------------------------- event=1:2008547 {tcp} E3[rb] ET TROJAN PECompact2 Packed Binary - Likely Hostile, [] MAC_Src: 00:21:1C:EE:14:00 58260<-81 (10:21:16.624 PST) ------------------------- event=1:3300007 (2) {tcp} E3[rb] BotHunter Malware Windows executable (PE) sent from remote host, [] MAC_Src: 00:21:1C:EE:14:00 58260<-81 (10:21:16.624 PST) 45657<-81 (10:22:30.001 PST) 210.51.36.215 (9) (10:22:16.203 PST-10:22:28.367 PST) event=1:2000419 (4) {tcp} E3[rb] ET POLICY PE EXE or DLL Windows file download, [] MAC_Src: 00:21:1C:EE:14:00 2: 45781<-88 (10:22:24.745 PST-10:22:26.452 PST) 2: 51780<-88 (10:22:27.599 PST-10:22:28.367 PST) ------------------------- event=1:2000427 {tcp} E3[rb] ET POLICY PE EXE Install Windows file download, [] MAC_Src: 00:21:1C:EE:14:00 45945<-88 (10:22:16.203 PST) ------------------------- event=1:3300007 (4) {tcp} E3[rb] BotHunter Malware Windows executable (PE) 
sent from remote host, [] MAC_Src: 00:21:1C:EE:14:00 2: 51780<-88 (10:22:27.599 PST-10:22:28.367 PST) 2: 45781<-88 (10:22:24.745 PST-10:22:26.452 PST) 218.93.205.19 (10:21:59.584 PST) event=1:2001894 {tcp} E3[rb] ET MALWARE ToolbarPartner Spyware Agent Partner Install, [/inst.php?id=32&sid=0] MAC_Src: 00:01:64:FF:CE:EA 45752->80 (10:21:59.584 PST) C and C TRAFFIC 88.198.228.238 (10:22:25.223 PST) event=1:2003603 {tcp} E4[rb] ET TROJAN W32.Virut.A joining an IRC Channel, [] MAC_Src: 00:01:64:FF:CE:EA 48988->65520 (10:22:25.223 PST) 209.107.213.27 (7) (10:23:21.611 PST-10:24:21.936 PST) event=1:2002196 (5) {tcp} E4[rb] ET MALWARE Casalemedia Spyware Reporting URL Visited 2, [/sd?s=98198&f=1&C=1] MAC_Src: 00:01:64:FF:CE:EA 2: 55310->80 (10:23:22.582 PST-10:23:52.395 PST) 3: 55310->80 (10:23:21.611 PST-10:24:21.936 PST) ------------------------- event=1:2009880 (2) {tcp} E4[rb] ET MALWARE Casalemedia Spyware Reporting URL Visited 3, [] MAC_Src: 00:01:64:FF:CE:EA 2: 55310->80 (10:23:22.582 PST-10:23:52.395 PST) 174.133.57.140 (2) (10:23:20.327 PST) event=1:2009456 (2) {tcp} E4[rb] ET USER_AGENTS Suspicious User Agent (ClickAdsByIE), [/p6.asp?MAC=00-0C-29-68-C2-6F&Publicer=kk_01] MAC_Src: 00:01:64:FF:CE:EA 36776->80 (10:23:20.327 PST) 43742->80 (10:23:38.718 PST) 98.126.46.210 (10:23:20.252 PST) event=1:2009456 {tcp} E4[rb] ET USER_AGENTS Suspicious User Agent (ClickAdsByIE), [/p6.asp?MAC=00-0C-29-68-C2-6F&Publicer=kk_01] MAC_Src: 00:01:64:FF:CE:EA 39994->80 (10:23:20.252 PST) 218.93.205.30 (3) (10:21:45.308 PST) event=1:2003603 (3) {tcp} E4[rb] ET TROJAN W32.Virut.A joining an IRC Channel, [] MAC_Src: 00:01:64:FF:CE:EA 50477->65520 (10:21:45.308 PST) 36828->65520 (10:22:07.838 PST) 36893->65520 (10:22:09.528 PST) 64.38.232.180 (3) (10:23:21.513 PST) event=1:2002196 (3) {tcp} E4[rb] ET MALWARE Casalemedia Spyware Reporting URL Visited 2, [/redirectExitTrack.php?d=fortlauderdalerepublicans.com&r=27&u=http:/as.casalemedia.com/sd?s=98198&f=1] MAC_Src: 00:01:64:FF:CE:EA 
33405->80 (10:23:52.174 PST) 55294->80 (10:23:21.513 PST) 58652->80 (10:24:21.898 PST) C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) 202.97.184.196 (3) (10:21:15.689 PST) event=777:7777005 (3) {tcp} E5[bh] Detected intense non-malware port scanning of 24 IPs (24 /24s) (# pkts S/M/O/I=20/0/194/0): 81:73, 7000:80, 65520:8, 88:5, 44:4, 53u:20, 8392:24, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (10:21:15.689 PST) 0->0 (10:22:45.076 PST) 0->0 (10:24:40.023 PST) OUTBOUND SCAN ATTACK PREP 66.252.5.60 (2) (10:21:57.238 PST) event=1:2000352 (2) {tcp} E6[rb] ET ATTACK RESPONSE IRC - dns request on non-std port, [] MAC_Src: 00:01:64:FF:CE:EA 39063->7000 (10:21:57.238 PST) 53646->7000 (10:24:52.078 PST) PEER COORDINATION DECLARE BOT tcpslice 1260642075.689 1260642261.937 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.10.31' ============================== SEPARATOR ================================ Infected Target: 192.168.10.31 Score: 1.0 (>= 0.8) Infector List: Egg Source List: 202.97.184.196 C & C List: 174.133.57.140, 98.126.46.210 Peer Coord. List: Resource List: Observed Start: 12/12/2009 10:25:21.658 PST Gen. 
Time: 12/12/2009 10:25:21.829 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD 202.97.184.196 (10:25:21.829 PST) event=1:2000419 {tcp} E3[rb] ET POLICY PE EXE or DLL Windows file download, [] MAC_Src: 00:21:1C:EE:14:00 57377<-81 (10:25:21.829 PST) C and C TRAFFIC 174.133.57.140 (10:25:21.742 PST) event=1:2009456 {tcp} E4[rb] ET USER_AGENTS Suspicious User Agent (ClickAdsByIE), [/p6.asp?MAC=00-0C-29-35-C8-09&Publicer=kk_01] MAC_Src: 00:01:64:FF:CE:EA 55341->80 (10:25:21.742 PST) 98.126.46.210 (10:25:21.658 PST) event=1:2009456 {tcp} E4[rb] ET USER_AGENTS Suspicious User Agent (ClickAdsByIE), [/p6.asp?MAC=00-0C-29-35-C8-09&Publicer=kk_01] MAC_Src: 00:01:64:FF:CE:EA 47910->80 (10:25:21.658 PST) C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT tcpslice 1260642321.658 1260642321.659 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.10.31' ============================== SEPARATOR ================================ Infected Target: 192.168.10.31 Score: 2.1 (>= 0.8) Infector List: 66.252.5.60 Egg Source List: 61.235.117.71, 202.97.184.196 C & C List: 209.107.213.27 (3), 88.198.228.238 (4), 174.133.57.140 (4), 98.126.46.210 (2), 64.38.232.180, 66.150.51.151 (2) Peer Coord. List: Resource List: 66.252.5.60 Observed Start: 12/12/2009 10:25:21.658 PST Gen. 
Time: 12/12/2009 10:29:19.502 PST INBOUND SCAN EXPLOIT 66.252.5.60 (6) (10:25:21.945 PST) event=1:22000346 (6) {tcp} E2[rb] ET ATTACK RESPONSE IRC - Name response on non-std port, [] MAC_Dst: 00:01:64:FF:CE:EA 34972<-7000 (10:25:21.945 PST) 57378<-7000 (10:25:25.084 PST) 40768<-7000 (10:25:35.944 PST) 52658<-7000 (10:27:52.927 PST) 46751<-7000 (10:28:27.237 PST) 53392<-7000 (10:28:37.444 PST) EXPLOIT MALWARE DNS EGG DOWNLOAD 61.235.117.71 (10:25:44.050 PST) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 40075<-80 (10:25:44.050 PST) 202.97.184.196 (16) (10:25:21.829 PST) event=1:2000419 (8) {tcp} E3[rb] ET POLICY PE EXE or DLL Windows file download, [] MAC_Src: 00:21:1C:EE:14:00 57377<-81 (10:25:21.829 PST) 51200<-81 (10:25:25.596 PST) 44046<-81 (10:25:28.126 PST) 39006<-81 (10:25:32.470 PST) 46979<-81 (10:25:35.439 PST) 45532<-81 (10:25:51.829 PST) 40762<-81 (10:25:59.286 PST) 45350<-81 (10:26:19.408 PST) ------------------------- event=1:3300007 (8) {tcp} E3[rb] BotHunter Malware Windows executable (PE) sent from remote host, [] MAC_Src: 00:21:1C:EE:14:00 57377<-81 (10:25:21.829 PST) 51200<-81 (10:25:25.596 PST) 44046<-81 (10:25:28.126 PST) 39006<-81 (10:25:32.470 PST) 46979<-81 (10:25:35.439 PST) 45532<-81 (10:25:51.829 PST) 40762<-81 (10:25:59.286 PST) 45350<-81 (10:26:19.408 PST) C and C TRAFFIC 209.107.213.27 (3) (10:26:39.827 PST) event=1:2002196 (2) {tcp} E4[rb] ET MALWARE Casalemedia Spyware Reporting URL Visited 2, [/sd?s=98198&f=1] MAC_Src: 00:01:64:FF:CE:EA 37938->80 (10:26:39.827 PST) 37938->80 (10:26:39.995 PST) ------------------------- event=1:2009880 {tcp} E4[rb] ET MALWARE Casalemedia Spyware Reporting URL Visited 3, [] MAC_Src: 00:01:64:FF:CE:EA 37938->80 (10:26:39.995 PST) 88.198.228.238 (4) (10:25:22.925 PST) event=1:2003603 (4) {tcp} E4[rb] ET TROJAN W32.Virut.A joining an IRC Channel, [] MAC_Src: 00:01:64:FF:CE:EA 34579->65520 (10:25:22.925 PST) 
35477->65520 (10:27:40.744 PST) 32902->65520 (10:28:05.511 PST) 52903->65520 (10:28:12.886 PST) 174.133.57.140 (4) (10:25:21.742 PST) event=1:2009456 (4) {tcp} E4[rb] ET USER_AGENTS Suspicious User Agent (ClickAdsByIE), [/p6.asp?MAC=00-0C-29-35-C8-09&Publicer=kk_01] MAC_Src: 00:01:64:FF:CE:EA 55341->80 (10:25:21.742 PST) 42930->80 (10:25:42.765 PST) 36744->80 (10:28:44.793 PST) 55162->80 (10:29:10.234 PST) 98.126.46.210 (2) (10:25:21.658 PST) event=1:2009456 (2) {tcp} E4[rb] ET USER_AGENTS Suspicious User Agent (ClickAdsByIE), [/p6.asp?MAC=00-0C-29-35-C8-09&Publicer=kk_01] MAC_Src: 00:01:64:FF:CE:EA 47910->80 (10:25:21.658 PST) 36247->80 (10:28:44.719 PST) 64.38.232.180 (10:26:39.768 PST) event=1:2002196 {tcp} E4[rb] ET MALWARE Casalemedia Spyware Reporting URL Visited 2, [/redirectExitTrack.php?d=filingtaxreturnonline.com&r=27&u=http:/as.casalemedia.com/sd?s=98198&f=1] MAC_Src: 00:01:64:FF:CE:EA 44504->80 (10:26:39.768 PST) 66.150.51.151 (2) (10:25:57.418 PST) event=1:2003579 (2) {tcp} E4[rb] ET MALWARE Findwhat.com Spyware (clickthrough), [/bin/findwhat.dll?clickthrough&y=47372&x=;CRRJ4T23BhSFPZVvmbz:EmU;TulQLbF9ERN9eRWkVeq:eYdteTWcEWQXLE;TRifX4KFj9mRXBcnfYphXLuQkj] MAC_Src: 00:01:64:FF:CE:EA 37865->80 (10:25:57.418 PST) 47919->80 (10:25:57.695 PST) C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) 202.97.184.196 (3) (10:26:18.423 PST) event=777:7777005 (3) {tcp} E5[bh] Detected intense non-malware port scanning of 30 IPs (29 /24s) (# pkts S/M/O/I=51/0/409/0): 81:148, 7000:98, 65520:24, 88:27, 44:24, 53u:51, 8392:88, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (10:26:18.423 PST) 0->0 (10:27:48.704 PST) 0->0 (10:29:18.568 PST) OUTBOUND SCAN ATTACK PREP 66.252.5.60 (10:27:52.535 PST) event=1:2000352 {tcp} E6[rb] ET ATTACK RESPONSE IRC - dns request on non-std port, [] MAC_Src: 00:01:64:FF:CE:EA 52658->7000 (10:27:52.535 PST) PEER COORDINATION DECLARE BOT tcpslice 1260642321.658 1260642321.659 inputFile.tcpd | tcpdump -r - -w 
outputFile.tcpd 'host 192.168.10.31' ============================== SEPARATOR ================================ Infected Target: 192.168.10.31 Score: 1.2 (>= 0.8) Infector List: 91.206.201.39 Egg Source List: 202.97.184.196 C & C List: 64.38.232.180 Peer Coord. List: Resource List: Observed Start: 12/12/2009 10:29:30.186 PST Gen. Time: 12/12/2009 10:29:48.171 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS 91.206.201.39 (10:29:30.186 PST) event=1:2632222 {tcp} E2[dns] BHDNS SPYWARE-CONTACT: colopin.cn (zeus), [] MAC_Dst: 00:21:1C:EE:14:00 42314->80 (10:29:30.186 PST) EGG DOWNLOAD 202.97.184.196 (2) (10:29:34.456 PST) event=1:2000419 {tcp} E3[rb] ET POLICY PE EXE or DLL Windows file download, [] MAC_Src: 00:21:1C:EE:14:00 50491<-81 (10:29:34.456 PST) ------------------------- event=1:3300007 {tcp} E3[rb] BotHunter Malware Windows executable (PE) sent from remote host, [] MAC_Src: 00:21:1C:EE:14:00 50491<-81 (10:29:34.456 PST) C and C TRAFFIC 64.38.232.180 (10:29:48.171 PST) event=1:2002196 {tcp} E4[rb] ET MALWARE Casalemedia Spyware Reporting URL Visited 2, [/redirectExitTrack.php?d=losangelescomputerlessons.com&r=27&u=http:/as.casalemedia.com/sd?s=98198&f=1] MAC_Src: 00:01:64:FF:CE:EA 55574->80 (10:29:48.171 PST) C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT tcpslice 1260642570.186 1260642570.187 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.10.31' ============================== SEPARATOR ================================ Infected Target: 192.168.10.31 Score: 2.3 (>= 0.8) Infector List: 66.252.5.60, 91.206.201.39 Egg Source List: 202.97.184.196 C & C List: 209.107.213.34 (4), 64.38.232.180 (2) Peer Coord. List: Resource List: 66.252.5.60 Observed Start: 12/12/2009 10:29:30.186 PST Report End: 12/12/2009 10:30:06.085 PST Gen. 
Time: 12/12/2009 10:33:02.514 PST INBOUND SCAN EXPLOIT 66.252.5.60 (10:31:20.922 PST) event=1:22000346 {tcp} E2[rb] ET ATTACK RESPONSE IRC - Name response on non-std port, [] MAC_Dst: 00:01:64:FF:CE:EA 52453<-7000 (10:31:20.922 PST) EXPLOIT MALWARE DNS 91.206.201.39 (10:29:30.186 PST) event=1:2632222 {tcp} E2[dns] BHDNS SPYWARE-CONTACT: colopin.cn (zeus), [] MAC_Dst: 00:21:1C:EE:14:00 42314->80 (10:29:30.186 PST) EGG DOWNLOAD 202.97.184.196 (8) (10:29:34.456 PST) event=1:2000419 (3) {tcp} E3[rb] ET POLICY PE EXE or DLL Windows file download, [] MAC_Src: 00:21:1C:EE:14:00 50491<-81 (10:29:34.456 PST) 54621<-81 (10:30:00.190 PST) 59379<-81 (10:30:08.019 PST) ------------------------- event=1:2000427 {tcp} E3[rb] ET POLICY PE EXE Install Windows file download, [] MAC_Src: 00:21:1C:EE:14:00 43329<-81 (10:30:04.205 PST) ------------------------- event=1:2008547 {tcp} E3[rb] ET TROJAN PECompact2 Packed Binary - Likely Hostile, [] MAC_Src: 00:21:1C:EE:14:00 54621<-81 (10:30:00.190 PST) ------------------------- event=1:3300007 (3) {tcp} E3[rb] BotHunter Malware Windows executable (PE) sent from remote host, [] MAC_Src: 00:21:1C:EE:14:00 50491<-81 (10:29:34.456 PST) 54621<-81 (10:30:00.190 PST) 59379<-81 (10:30:08.019 PST) C and C TRAFFIC 209.107.213.34 (4) (10:29:48.250 PST-10:30:06.085 PST) event=1:2002196 (3) {tcp} E4[rb] ET MALWARE Casalemedia Spyware Reporting URL Visited 2, [/sd?s=98198&f=1&C=1] MAC_Src: 00:01:64:FF:CE:EA 57229->80 (10:29:48.428 PST) 2: 57229->80 (10:29:48.250 PST-10:30:06.085 PST) ------------------------- event=1:2009880 {tcp} E4[rb] ET MALWARE Casalemedia Spyware Reporting URL Visited 3, [] MAC_Src: 00:01:64:FF:CE:EA 57229->80 (10:29:48.428 PST) 64.38.232.180 (2) (10:29:48.171 PST) event=1:2002196 (2) {tcp} E4[rb] ET MALWARE Casalemedia Spyware Reporting URL Visited 2, [/redirectExitTrack.php?d=losangelescomputerlessons.com&r=27&u=http:/as.casalemedia.com/sd?s=98198&f=1] MAC_Src: 00:01:64:FF:CE:EA 43440->80 (10:30:06.044 PST) 55574->80 
(10:29:48.171 PST) C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) 202.97.184.196 (2) (10:30:54.947 PST) event=777:7777005 (2) {tcp} E5[bh] Detected intense non-malware port scanning of 30 IPs (29 /24s) (# pkts S/M/O/I=60/0/559/0): 81:231, 7000:109, 65520:30, 88:37, 44:34, 53u:60, 8392:118, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (10:30:54.947 PST) 0->0 (10:33:02.514 PST) OUTBOUND SCAN ATTACK PREP 66.252.5.60 (10:30:55.184 PST) event=1:2000352 {tcp} E6[rb] ET ATTACK RESPONSE IRC - dns request on non-std port, [] MAC_Src: 00:01:64:FF:CE:EA 56250->7000 (10:30:55.184 PST) PEER COORDINATION DECLARE BOT tcpslice 1260642570.186 1260642606.086 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.10.31' ============================== SEPARATOR ================================ Infected Target: 192.168.10.31 Score: 0.8 (>= 0.8) Infector List: 66.252.5.60 Egg Source List: C & C List: Peer Coord. List: Resource List: 66.252.5.60 Observed Start: 12/12/2009 10:34:17.555 PST Gen. Time: 12/12/2009 10:34:18.064 PST INBOUND SCAN EXPLOIT 66.252.5.60 (10:34:18.064 PST) event=1:22000346 {tcp} E2[rb] ET ATTACK RESPONSE IRC - Name response on non-std port, [] MAC_Dst: 00:01:64:FF:CE:EA 40420<-7000 (10:34:18.064 PST) EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP 66.252.5.60 (10:34:17.555 PST) event=1:2000352 {tcp} E6[rb] ET ATTACK RESPONSE IRC - dns request on non-std port, [] MAC_Src: 00:01:64:FF:CE:EA 40420->7000 (10:34:17.555 PST) PEER COORDINATION DECLARE BOT tcpslice 1260642857.555 1260642857.556 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.10.31' ============================== SEPARATOR ================================ Infected Target: 192.168.10.31 Score: 2.1 (>= 0.8) Infector List: 66.252.5.60 Egg Source List: 61.235.117.71, 202.97.184.196 C & C List: 218.93.205.30 (3) Peer Coord. 
List: Resource List: 66.252.5.60 (2) Observed Start: 12/12/2009 10:34:17.555 PST Gen. Time: 12/12/2009 10:37:40.615 PST INBOUND SCAN EXPLOIT 66.252.5.60 (7) (10:34:18.064 PST) event=1:22000346 (7) {tcp} E2[rb] ET ATTACK RESPONSE IRC - Name response on non-std port, [] MAC_Dst: 00:01:64:FF:CE:EA 40420<-7000 (10:34:18.064 PST) 59859<-7000 (10:34:22.451 PST) 48996<-7000 (10:34:33.934 PST) 44486<-7000 (10:36:52.934 PST) 51822<-7000 (10:37:17.915 PST) 56428<-7000 (10:37:21.947 PST) 60087<-7000 (10:37:34.317 PST) EXPLOIT MALWARE DNS EGG DOWNLOAD 61.235.117.71 (2) (10:36:44.053 PST) event=1:2001685 (2) {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 57354<-80 (10:36:44.053 PST) 55681<-80 (10:37:18.110 PST) 202.97.184.196 (12) (10:37:00.145 PST) event=1:2000419 (6) {tcp} E3[rb] ET POLICY PE EXE or DLL Windows file download, [] MAC_Src: 00:21:1C:EE:14:00 47492<-81 (10:37:00.145 PST) 45239<-81 (10:37:07.552 PST) 59456<-81 (10:37:22.911 PST) 58139<-81 (10:37:29.817 PST) 40374<-81 (10:37:33.130 PST) 52964<-81 (10:37:40.615 PST) ------------------------- event=1:3300007 (6) {tcp} E3[rb] BotHunter Malware Windows executable (PE) sent from remote host, [] MAC_Src: 00:21:1C:EE:14:00 47492<-81 (10:37:00.145 PST) 45239<-81 (10:37:07.552 PST) 59456<-81 (10:37:22.911 PST) 58139<-81 (10:37:29.817 PST) 40374<-81 (10:37:33.130 PST) 52964<-81 (10:37:40.615 PST) C and C TRAFFIC 218.93.205.30 (3) (10:36:40.612 PST) event=1:2003603 (3) {tcp} E4[rb] ET TROJAN W32.Virut.A joining an IRC Channel, [] MAC_Src: 00:01:64:FF:CE:EA 60156->65520 (10:36:40.612 PST) 55230->65520 (10:37:05.461 PST) 55692->65520 (10:37:09.578 PST) C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) 202.97.184.196 (2) (10:34:33.542 PST) event=777:7777005 (2) {tcp} E5[bh] Detected intense non-malware port scanning of 30 IPs (29 /24s) (# pkts S/M/O/I=60/0/568/0): 81:231, 7000:118, 65520:30, 88:37, 44:34, 
53u:60, 8392:118, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (10:34:33.542 PST) 0->0 (10:36:40.208 PST) OUTBOUND SCAN ATTACK PREP 66.252.5.60 (2) (10:34:17.555 PST) event=1:2000352 (2) {tcp} E6[rb] ET ATTACK RESPONSE IRC - dns request on non-std port, [] MAC_Src: 00:01:64:FF:CE:EA 40420->7000 (10:34:17.555 PST) 44486->7000 (10:36:52.090 PST) PEER COORDINATION DECLARE BOT tcpslice 1260642857.555 1260642857.556 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.10.31' ============================== SEPARATOR ================================ Infected Target: 192.168.10.31 Score: 0.8 (>= 0.8) Infector List: Egg Source List: 202.97.184.196 C & C List: Peer Coord. List: Resource List: Observed Start: 12/12/2009 10:38:05.490 PST Gen. Time: 12/12/2009 10:38:25.922 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD 202.97.184.196 (2) (10:38:05.490 PST) event=1:2000419 {tcp} E3[rb] ET POLICY PE EXE or DLL Windows file download, [] MAC_Src: 00:21:1C:EE:14:00 52375<-81 (10:38:05.490 PST) ------------------------- event=1:3300007 {tcp} E3[rb] BotHunter Malware Windows executable (PE) sent from remote host, [] MAC_Src: 00:21:1C:EE:14:00 52375<-81 (10:38:05.490 PST) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) 202.97.184.196 (10:38:25.922 PST) event=777:7777005 {tcp} E5[bh] Detected intense non-malware port scanning of 30 IPs (29 /24s) (# pkts S/M/O/I=60/0/601/0): 81:248, 7000:128, 65520:36, 88:37, 44:34, 53u:60, 8392:118, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (10:38:25.922 PST) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT tcpslice 1260643085.490 1260643085.491 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.10.31' ============================== SEPARATOR ================================ Infected Target: 192.168.10.31 Score: 1.6 (>= 0.8) Infector List: 66.252.5.60 Egg Source List: 202.97.184.196 C & C List: Peer Coord. 
List: Resource List: 66.252.5.60 Observed Start: 12/12/2009 10:38:05.490 PST Gen. Time: 12/12/2009 10:41:51.890 PST INBOUND SCAN EXPLOIT 66.252.5.60 (10:40:21.192 PST) event=1:22000346 {tcp} E2[rb] ET ATTACK RESPONSE IRC - Name response on non-std port, [] MAC_Dst: 00:01:64:FF:CE:EA 37315<-7000 (10:40:21.192 PST) EXPLOIT MALWARE DNS EGG DOWNLOAD 202.97.184.196 (9) (10:38:05.490 PST) event=1:2000419 (4) {tcp} E3[rb] ET POLICY PE EXE or DLL Windows file download, [] MAC_Src: 00:21:1C:EE:14:00 52375<-81 (10:38:05.490 PST) 45941<-81 (10:38:26.850 PST) 59429<-81 (10:38:39.506 PST) 36255<-81 (10:38:54.803 PST) ------------------------- event=1:2008547 {tcp} E3[rb] ET TROJAN PECompact2 Packed Binary - Likely Hostile, [] MAC_Src: 00:21:1C:EE:14:00 36255<-81 (10:38:54.803 PST) ------------------------- event=1:3300007 (4) {tcp} E3[rb] BotHunter Malware Windows executable (PE) sent from remote host, [] MAC_Src: 00:21:1C:EE:14:00 52375<-81 (10:38:05.490 PST) 45941<-81 (10:38:26.850 PST) 59429<-81 (10:38:39.506 PST) 36255<-81 (10:38:54.803 PST) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) 202.97.184.196 (3) (10:38:25.922 PST) event=777:7777005 (3) {tcp} E5[bh] Detected intense non-malware port scanning of 30 IPs (29 /24s) (# pkts S/M/O/I=60/0/601/0): 81:248, 7000:128, 65520:36, 88:37, 44:34, 53u:60, 8392:118, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (10:38:25.922 PST) 0->0 (10:40:20.216 PST) 0->0 (10:41:51.890 PST) OUTBOUND SCAN ATTACK PREP 66.252.5.60 (10:39:52.311 PST) event=1:2000352 {tcp} E6[rb] ET ATTACK RESPONSE IRC - dns request on non-std port, [] MAC_Src: 00:01:64:FF:CE:EA 36062->7000 (10:39:52.311 PST) PEER COORDINATION DECLARE BOT tcpslice 1260643085.490 1260643085.491 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.10.31' ============================== SEPARATOR ================================ Infected Target: 192.168.10.31 Score: 1.0 (>= 0.8) Infector List: Egg Source List: 218.93.205.19 C & C 
List: 88.198.228.238 Peer Coord. List: Resource List: Observed Start: 12/12/2009 10:43:05.684 PST Gen. Time: 12/12/2009 10:43:15.277 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD 218.93.205.19 (10:43:15.277 PST) event=1:2001894 {tcp} E3[rb] ET MALWARE ToolbarPartner Spyware Agent Partner Install, [/inst.php?id=32&sid=0] MAC_Src: 00:01:64:FF:CE:EA 41959->80 (10:43:15.277 PST) C and C TRAFFIC 88.198.228.238 (10:43:05.684 PST) event=1:2003603 {tcp} E4[rb] ET TROJAN W32.Virut.A joining an IRC Channel, [] MAC_Src: 00:01:64:FF:CE:EA 40959->65520 (10:43:05.684 PST) C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT tcpslice 1260643385.684 1260643385.685 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.10.31' ============================== SEPARATOR ================================ Infected Target: 192.168.10.31 Score: 2.3 (>= 0.8) Infector List: 66.252.5.60, 91.206.201.39 Egg Source List: 61.235.117.71, 202.97.184.196, 218.93.205.19 C & C List: 88.198.228.238 (2) Peer Coord. List: Resource List: 66.252.5.60 (2) Observed Start: 12/12/2009 10:43:05.684 PST Gen. 
Time: 12/12/2009 10:47:14.097 PST INBOUND SCAN EXPLOIT 66.252.5.60 (10:43:18.572 PST) event=1:22000346 {tcp} E2[rb] ET ATTACK RESPONSE IRC - Name response on non-std port, [] MAC_Dst: 00:01:64:FF:CE:EA 43365<-7000 (10:43:18.572 PST) EXPLOIT MALWARE DNS 91.206.201.39 (10:43:21.307 PST) event=1:2632222 {tcp} E2[dns] BHDNS SPYWARE-CONTACT: colopin.cn (zeus), [%04%02%08%0Ax-%FF%FF%00%00%00%00%01%03%03%07~%11%FF%FFyp%FF4%FF%FF%02%FF%1B%FF ] MAC_Dst: 00:21:1C:EE:14:00 57505->80 (10:43:21.307 PST) EGG DOWNLOAD 61.235.117.71 (10:43:21.004 PST) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 54677<-80 (10:43:21.004 PST) 202.97.184.196 (10) (10:43:27.710 PST) event=1:2000419 (5) {tcp} E3[rb] ET POLICY PE EXE or DLL Windows file download, [] MAC_Src: 00:21:1C:EE:14:00 51122<-81 (10:43:27.710 PST) 46516<-81 (10:43:34.851 PST) 58700<-81 (10:44:34.148 PST) 51114<-81 (10:46:07.196 PST) 41345<-81 (10:46:15.728 PST) ------------------------- event=1:3300007 (5) {tcp} E3[rb] BotHunter Malware Windows executable (PE) sent from remote host, [] MAC_Src: 00:21:1C:EE:14:00 51122<-81 (10:43:27.710 PST) 46516<-81 (10:43:34.851 PST) 58700<-81 (10:44:34.148 PST) 51114<-81 (10:46:07.196 PST) 41345<-81 (10:46:15.728 PST) 218.93.205.19 (10:43:15.277 PST) event=1:2001894 {tcp} E3[rb] ET MALWARE ToolbarPartner Spyware Agent Partner Install, [/inst.php?id=32&sid=0] MAC_Src: 00:01:64:FF:CE:EA 41959->80 (10:43:15.277 PST) C and C TRAFFIC 88.198.228.238 (2) (10:43:05.684 PST) event=1:2003603 (2) {tcp} E4[rb] ET TROJAN W32.Virut.A joining an IRC Channel, [] MAC_Src: 00:01:64:FF:CE:EA 40959->65520 (10:43:05.684 PST) 57876->65520 (10:45:52.324 PST) C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) 202.97.184.196 (2) (10:43:27.251 PST) event=777:7777005 (2) {tcp} E5[bh] Detected intense non-malware port scanning of 30 IPs (29 /24s) (# pkts S/M/O/I=60/0/625/0): 81:263, 
7000:135, 65520:38, 88:37, 44:34, 53u:60, 8392:118, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (10:43:27.251 PST) 0->0 (10:45:15.553 PST) OUTBOUND SCAN ATTACK PREP 66.252.5.60 (2) (10:43:17.264 PST) event=1:2000352 (2) {tcp} E6[rb] ET ATTACK RESPONSE IRC - dns request on non-std port, [] MAC_Src: 00:01:64:FF:CE:EA 43365->7000 (10:43:17.264 PST) 53163->7000 (10:46:04.102 PST) PEER COORDINATION DECLARE BOT tcpslice 1260643385.684 1260643385.685 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.10.31' ============================== SEPARATOR ================================ Infected Target: 192.168.10.31 Score: 0.8 (>= 0.8) Infector List: Egg Source List: 202.97.184.196 C & C List: Peer Coord. List: Resource List: Observed Start: 12/12/2009 10:47:14.453 PST Gen. Time: 12/12/2009 10:47:15.385 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD 202.97.184.196 (10:47:15.385 PST) event=1:2000419 {tcp} E3[rb] ET POLICY PE EXE or DLL Windows file download, [] MAC_Src: 00:21:1C:EE:14:00 46969<-81 (10:47:15.385 PST) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) 202.97.184.196 (10:47:14.453 PST) event=777:7777005 {tcp} E5[bh] Detected intense non-malware port scanning of 30 IPs (29 /24s) (# pkts S/M/O/I=60/0/642/0): 81:275, 7000:138, 65520:40, 88:37, 44:34, 53u:60, 8392:118, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (10:47:14.453 PST) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT tcpslice 1260643634.453 1260643634.454 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.10.31' ============================== SEPARATOR ================================ Infected Target: 192.168.10.31 Score: 1.8 (>= 0.8) Infector List: Egg Source List: 202.97.184.196, 210.51.36.215, 218.93.205.19 C & C List: 88.198.228.238 Peer Coord. List: Resource List: 66.252.5.60 Observed Start: 12/12/2009 10:47:14.453 PST Gen. 
Time: 12/12/2009 10:51:11.288 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD 202.97.184.196 (8) (10:47:15.385 PST) event=1:2000419 (4) {tcp} E3[rb] ET POLICY PE EXE or DLL Windows file download, [] MAC_Src: 00:21:1C:EE:14:00 46969<-81 (10:47:15.385 PST) 40757<-81 (10:49:26.244 PST) 55657<-81 (10:49:33.337 PST) 34661<-81 (10:50:31.573 PST) ------------------------- event=1:3300007 (4) {tcp} E3[rb] BotHunter Malware Windows executable (PE) sent from remote host, [] MAC_Src: 00:21:1C:EE:14:00 46969<-81 (10:47:15.385 PST) 40757<-81 (10:49:26.244 PST) 55657<-81 (10:49:33.337 PST) 34661<-81 (10:50:31.573 PST) 210.51.36.215 (10:49:10.782 PST) event=1:2000427 {tcp} E3[rb] ET POLICY PE EXE Install Windows file download, [] MAC_Src: 00:21:1C:EE:14:00 43543<-88 (10:49:10.782 PST) 218.93.205.19 (10:49:01.442 PST) event=1:2001894 {tcp} E3[rb] ET MALWARE ToolbarPartner Spyware Agent Partner Install, [/inst.php?id=32&sid=0] MAC_Src: 00:01:64:FF:CE:EA 54264->80 (10:49:01.442 PST) C and C TRAFFIC 88.198.228.238 (10:48:55.509 PST) event=1:2003603 {tcp} E4[rb] ET TROJAN W32.Virut.A joining an IRC Channel, [] MAC_Src: 00:01:64:FF:CE:EA 52087->65520 (10:48:55.509 PST) C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) 202.97.184.196 (3) (10:47:14.453 PST) event=777:7777005 (3) {tcp} E5[bh] Detected intense non-malware port scanning of 30 IPs (29 /24s) (# pkts S/M/O/I=60/0/642/0): 81:275, 7000:138, 65520:40, 88:37, 44:34, 53u:60, 8392:118, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (10:47:14.453 PST) 0->0 (10:48:55.161 PST) 0->0 (10:50:30.641 PST) OUTBOUND SCAN ATTACK PREP 66.252.5.60 (10:49:06.872 PST) event=1:2000352 {tcp} E6[rb] ET ATTACK RESPONSE IRC - dns request on non-std port, [] MAC_Src: 00:01:64:FF:CE:EA 41992->7000 (10:49:06.872 PST) PEER COORDINATION DECLARE BOT tcpslice 1260643634.453 1260643634.454 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.10.31' ============================== SEPARATOR 
================================ Infected Target: 192.168.10.31 Score: 0.8 (>= 0.8) Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: 66.252.5.60 Observed Start: 12/12/2009 10:52:04.016 PST Gen. Time: 12/12/2009 10:52:04.255 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) 202.97.184.196 (10:52:04.016 PST) event=777:7777005 {tcp} E5[bh] Detected intense non-malware port scanning of 30 IPs (29 /24s) (# pkts S/M/O/I=60/0/706/0): 81:286, 7000:141, 65520:42, 88:39, 44:34, 53u:60, 8392:164, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (10:52:04.016 PST) OUTBOUND SCAN ATTACK PREP 66.252.5.60 (10:52:04.255 PST) event=1:2000352 {tcp} E6[rb] ET ATTACK RESPONSE IRC - dns request on non-std port, [] MAC_Src: 00:01:64:FF:CE:EA 51744->7000 (10:52:04.255 PST) PEER COORDINATION DECLARE BOT tcpslice 1260643924.016 1260643924.017 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.10.31' ============================== SEPARATOR ================================ Infected Target: 192.168.10.31 Score: 1.1 (>= 0.8) Infector List: 66.252.5.60 Egg Source List: C & C List: Peer Coord. List: Resource List: 66.252.5.60 (2) Observed Start: 12/12/2009 10:52:04.016 PST Gen. 
Time: 12/12/2009 10:55:34.957 PST INBOUND SCAN EXPLOIT 66.252.5.60 (3) (10:52:04.868 PST) event=1:22000346 (3) {tcp} E2[rb] ET ATTACK RESPONSE IRC - Name response on non-std port, [] MAC_Dst: 00:01:64:FF:CE:EA 51744<-7000 (10:52:04.868 PST) 53778<-7000 (10:52:10.121 PST) 36724<-7000 (10:52:22.055 PST) EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) 202.97.184.196 (2) (10:52:04.016 PST) event=777:7777005 (2) {tcp} E5[bh] Detected intense non-malware port scanning of 30 IPs (29 /24s) (# pkts S/M/O/I=60/0/706/0): 81:286, 7000:141, 65520:42, 88:39, 44:34, 53u:60, 8392:164, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (10:52:04.016 PST) 0->0 (10:54:21.130 PST) OUTBOUND SCAN ATTACK PREP 66.252.5.60 (2) (10:52:04.255 PST) event=1:2000352 (2) {tcp} E6[rb] ET ATTACK RESPONSE IRC - dns request on non-std port, [] MAC_Src: 00:01:64:FF:CE:EA 51744->7000 (10:52:04.255 PST) 57647->7000 (10:55:34.957 PST) PEER COORDINATION DECLARE BOT tcpslice 1260643924.016 1260643924.017 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.10.31' ============================== SEPARATOR ================================ Infected Target: 192.168.10.31 Score: 0.8 (>= 0.8) Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: 66.252.5.60 Observed Start: 12/12/2009 10:57:52.086 PST Gen. 
Time: 12/12/2009 10:57:52.451 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) 202.97.184.196 (10:57:52.086 PST) event=777:7777005 {tcp} E5[bh] Detected intense non-malware port scanning of 30 IPs (29 /24s) (# pkts S/M/O/I=60/0/715/0): 81:286, 7000:150, 65520:42, 88:39, 44:34, 53u:60, 8392:164, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (10:57:52.086 PST) OUTBOUND SCAN ATTACK PREP 66.252.5.60 (10:57:52.451 PST) event=1:2000352 {tcp} E6[rb] ET ATTACK RESPONSE IRC - dns request on non-std port, [] MAC_Src: 00:01:64:FF:CE:EA 51447->7000 (10:57:52.451 PST) PEER COORDINATION DECLARE BOT tcpslice 1260644272.086 1260644272.087 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.10.31' ============================== SEPARATOR ================================ Infected Target: 192.168.10.31 Score: 1.1 (>= 0.8) Infector List: 66.252.5.60 Egg Source List: C & C List: Peer Coord. List: Resource List: 66.252.5.60 (2) Observed Start: 12/12/2009 10:57:52.086 PST Gen. 
Time: 12/12/2009 11:01:51.751 PST INBOUND SCAN EXPLOIT 66.252.5.60 (4) (10:57:53.618 PST) event=1:22000346 (4) {tcp} E2[rb] ET ATTACK RESPONSE IRC - Name response on non-std port, [] MAC_Dst: 00:01:64:FF:CE:EA 51447<-7000 (10:57:53.618 PST) 53112<-7000 (10:58:21.918 PST) 54558<-7000 (11:00:56.161 PST) 60634<-7000 (11:01:18.047 PST) EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) 202.97.184.196 (2) (10:57:52.086 PST) event=777:7777005 (2) {tcp} E5[bh] Detected intense non-malware port scanning of 30 IPs (29 /24s) (# pkts S/M/O/I=60/0/715/0): 81:286, 7000:150, 65520:42, 88:39, 44:34, 53u:60, 8392:164, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (10:57:52.086 PST) 0->0 (11:00:54.934 PST) OUTBOUND SCAN ATTACK PREP 66.252.5.60 (2) (10:57:52.451 PST) event=1:2000352 (2) {tcp} E6[rb] ET ATTACK RESPONSE IRC - dns request on non-std port, [] MAC_Src: 00:01:64:FF:CE:EA 51447->7000 (10:57:52.451 PST) 54558->7000 (11:00:55.170 PST) PEER COORDINATION DECLARE BOT tcpslice 1260644272.086 1260644272.087 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.10.31' ============================== SEPARATOR ================================ Infected Target: 192.168.10.31 Score: 0.8 (>= 0.8) Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: 66.252.5.60 Observed Start: 12/12/2009 11:02:54.920 PST Gen. 
Time: 12/12/2009 11:03:52.401 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) 202.97.184.196 (11:02:54.920 PST) event=777:7777005 {tcp} E5[bh] Detected intense non-malware port scanning of 30 IPs (29 /24s) (# pkts S/M/O/I=60/0/731/0): 81:286, 7000:166, 65520:42, 88:39, 44:34, 53u:60, 8392:164, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (11:02:54.920 PST) OUTBOUND SCAN ATTACK PREP 66.252.5.60 (11:03:52.401 PST) event=1:2000352 {tcp} E6[rb] ET ATTACK RESPONSE IRC - dns request on non-std port, [] MAC_Src: 00:01:64:FF:CE:EA 52262->7000 (11:03:52.401 PST) PEER COORDINATION DECLARE BOT tcpslice 1260644574.920 1260644574.921 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.10.31' ============================== SEPARATOR ================================ Infected Target: 192.168.10.31 Score: 2.3 (>= 0.8) Infector List: 66.252.5.60, 91.206.201.39 Egg Source List: 61.235.117.71, 202.97.184.196, 218.93.205.19 C & C List: 193.104.94.11 (2) Peer Coord. List: Resource List: 66.252.5.60 (2) Observed Start: 12/12/2009 11:02:54.920 PST Gen. 
Time: 12/12/2009 11:07:06.706 PST INBOUND SCAN EXPLOIT 66.252.5.60 (5) (11:03:53.242 PST) event=1:22000346 (5) {tcp} E2[rb] ET ATTACK RESPONSE IRC - Name response on non-std port, [] MAC_Dst: 00:01:64:FF:CE:EA 52262<-7000 (11:03:53.242 PST) 45389<-7000 (11:04:18.404 PST) 52045<-7000 (11:04:22.894 PST) 36100<-7000 (11:04:34.847 PST) 56421<-7000 (11:06:53.316 PST) EXPLOIT MALWARE DNS 91.206.201.39 (11:04:41.908 PST) event=1:2632222 {tcp} E2[dns] BHDNS SPYWARE-CONTACT: colopin.cn (zeus), [%04%02%08%0AxAOE%00%00%00%00%01%03%03%07rN%0F%FF%FF%FFv%FF%FFS~Y] MAC_Dst: 00:21:1C:EE:14:00 55815->80 (11:04:41.908 PST) EGG DOWNLOAD 61.235.117.71 (11:07:06.706 PST) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 34129<-80 (11:07:06.706 PST) 202.97.184.196 (6) (11:04:52.342 PST) event=1:2000419 (3) {tcp} E3[rb] ET POLICY PE EXE or DLL Windows file download, [] MAC_Src: 00:21:1C:EE:14:00 34571<-81 (11:04:52.342 PST) 34077<-81 (11:05:01.467 PST) 44183<-81 (11:06:01.469 PST) ------------------------- event=1:3300007 (3) {tcp} E3[rb] BotHunter Malware Windows executable (PE) sent from remote host, [] MAC_Src: 00:21:1C:EE:14:00 34571<-81 (11:04:52.342 PST) 34077<-81 (11:05:01.467 PST) 44183<-81 (11:06:01.469 PST) 218.93.205.19 (11:06:52.230 PST) event=1:2001894 {tcp} E3[rb] ET MALWARE ToolbarPartner Spyware Agent Partner Install, [/inst.php?id=32&sid=0] MAC_Src: 00:01:64:FF:CE:EA 47120->80 (11:06:52.230 PST) C and C TRAFFIC 193.104.94.11 (2) (11:04:23.251 PST) event=1:2003603 (2) {tcp} E4[rb] ET TROJAN W32.Virut.A joining an IRC Channel, [] MAC_Src: 00:01:64:FF:CE:EA 46040->65520 (11:04:23.251 PST) 37247->65520 (11:06:40.580 PST) C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) 202.97.184.196 (11:02:54.920 PST) event=777:7777005 {tcp} E5[bh] Detected intense non-malware port scanning of 30 IPs (29 /24s) (# pkts S/M/O/I=60/0/731/0): 81:286, 7000:166, 
65520:42, 88:39, 44:34, 53u:60, 8392:164, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (11:02:54.920 PST) 193.104.94.11 (2) (11:04:34.234 PST) event=777:7777005 (2) {tcp} E5[bh] Detected intense non-malware port scanning of 30 IPs (29 /24s) (# pkts S/M/O/I=60/0/742/0): 81:286, 7000:175, 65520:44, 88:39, 44:34, 53u:60, 8392:164, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (11:04:34.234 PST) 0->0 (11:06:40.058 PST) OUTBOUND SCAN ATTACK PREP 66.252.5.60 (2) (11:03:52.401 PST) event=1:2000352 (2) {tcp} E6[rb] ET ATTACK RESPONSE IRC - dns request on non-std port, [] MAC_Src: 00:01:64:FF:CE:EA 52262->7000 (11:03:52.401 PST) 56421->7000 (11:06:52.298 PST) PEER COORDINATION DECLARE BOT tcpslice 1260644574.920 1260644574.921 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.10.31' ============================== SEPARATOR ================================ Infected Target: 192.168.10.31 Score: 1.0 (>= 0.8) Infector List: Egg Source List: 202.97.184.196 C & C List: 193.104.94.11 (2) Peer Coord. List: Resource List: Observed Start: 12/12/2009 11:07:08.241 PST Gen. 
Time: 12/12/2009 11:07:18.296 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD 202.97.184.196 (11:07:18.296 PST) event=1:2000419 {tcp} E3[rb] ET POLICY PE EXE or DLL Windows file download, [] MAC_Src: 00:21:1C:EE:14:00 49146<-81 (11:07:18.296 PST) C and C TRAFFIC 193.104.94.11 (2) (11:07:08.241 PST) event=1:2003603 (2) {tcp} E4[rb] ET TROJAN W32.Virut.A joining an IRC Channel, [] MAC_Src: 00:01:64:FF:CE:EA 39758->65520 (11:07:08.241 PST) 37931->65520 (11:07:12.984 PST) C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT tcpslice 1260644828.241 1260644828.242 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.10.31' ============================== SEPARATOR ================================ Infected Target: 192.168.10.31 Score: 2.1 (>= 0.8) Infector List: 66.252.5.60 Egg Source List: 61.235.117.71, 202.97.184.196, 210.51.36.215, 218.93.205.19 C & C List: 88.198.228.238 (2), 193.104.94.11 (2) Peer Coord. List: Resource List: 66.252.5.60 Observed Start: 12/12/2009 11:07:08.241 PST Gen. 
Time: 12/12/2009 11:11:10.288 PST INBOUND SCAN EXPLOIT 66.252.5.60 (3) (11:07:38.491 PST) event=1:22000346 (3) {tcp} E2[rb] ET ATTACK RESPONSE IRC - Name response on non-std port, [] MAC_Dst: 00:01:64:FF:CE:EA 51085<-7000 (11:07:38.491 PST) 33678<-7000 (11:10:22.888 PST) 54920<-7000 (11:10:24.934 PST) EXPLOIT MALWARE DNS EGG DOWNLOAD 61.235.117.71 (6) (11:07:25.127 PST) event=1:2001685 (6) {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 49279<-80 (11:07:25.127 PST) 49135<-80 (11:07:30.316 PST) 33551<-80 (11:07:34.022 PST) 55348<-80 (11:07:34.039 PST) 43370<-80 (11:07:45.314 PST) 43691<-80 (11:07:53.031 PST) 202.97.184.196 (8) (11:07:18.296 PST) event=1:2000419 (4) {tcp} E3[rb] ET POLICY PE EXE or DLL Windows file download, [] MAC_Src: 00:21:1C:EE:14:00 49146<-81 (11:07:18.296 PST) 60194<-81 (11:07:30.468 PST) 34449<-81 (11:07:43.844 PST) 43408<-81 (11:07:52.171 PST) ------------------------- event=1:3300007 (4) {tcp} E3[rb] BotHunter Malware Windows executable (PE) sent from remote host, [] MAC_Src: 00:21:1C:EE:14:00 49146<-81 (11:07:18.296 PST) 60194<-81 (11:07:30.468 PST) 34449<-81 (11:07:43.844 PST) 43408<-81 (11:07:52.171 PST) 210.51.36.215 (2) (11:07:27.880 PST) event=1:2000427 (2) {tcp} E3[rb] ET POLICY PE EXE Install Windows file download, [] MAC_Src: 00:21:1C:EE:14:00 51448<-88 (11:07:27.880 PST) 58019<-88 (11:07:31.066 PST) 218.93.205.19 (11:07:19.857 PST) event=1:2001894 {tcp} E3[rb] ET MALWARE ToolbarPartner Spyware Agent Partner Install, [/inst.php?id=32&sid=0] MAC_Src: 00:01:64:FF:CE:EA 60740->80 (11:07:19.857 PST) C and C TRAFFIC 88.198.228.238 (2) (11:07:25.536 PST) event=1:2003603 (2) {tcp} E4[rb] ET TROJAN W32.Virut.A joining an IRC Channel, [] MAC_Src: 00:01:64:FF:CE:EA 43138->65520 (11:07:25.536 PST) 44912->65520 (11:09:43.241 PST) 193.104.94.11 (2) (11:07:08.241 PST) event=1:2003603 (2) {tcp} E4[rb] ET TROJAN W32.Virut.A joining an IRC Channel, [] MAC_Src: 
00:01:64:FF:CE:EA 39758->65520 (11:07:08.241 PST) 37931->65520 (11:07:12.984 PST) C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) 193.104.94.11 (2) (11:08:10.297 PST) event=777:7777005 (2) {tcp} E5[bh] Detected intense non-malware port scanning of 30 IPs (29 /24s) (# pkts S/M/O/I=86/0/838/0): 81:308, 7000:184, 65520:52, 88:43, 44:34, 53u:86, 8392:217, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (11:08:10.297 PST) 0->0 (11:09:42.910 PST) OUTBOUND SCAN ATTACK PREP 66.252.5.60 (11:09:54.952 PST) event=1:2000352 {tcp} E6[rb] ET ATTACK RESPONSE IRC - dns request on non-std port, [] MAC_Src: 00:01:64:FF:CE:EA 54548->7000 (11:09:54.952 PST) PEER COORDINATION DECLARE BOT tcpslice 1260644828.241 1260644828.242 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.10.31' ============================== SEPARATOR ================================ Infected Target: 192.168.10.31 Score: 0.8 (>= 0.8) Infector List: Egg Source List: 202.97.184.196 C & C List: Peer Coord. List: Resource List: Observed Start: 12/12/2009 11:11:13.591 PST Gen. 
Time: 12/12/2009 11:11:14.516 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD 202.97.184.196 (11:11:14.516 PST) event=1:2000419 {tcp} E3[rb] ET POLICY PE EXE or DLL Windows file download, [] MAC_Src: 00:21:1C:EE:14:00 52280<-81 (11:11:14.516 PST) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) 193.104.94.11 (11:11:13.591 PST) event=777:7777005 {tcp} E5[bh] Detected intense non-malware port scanning of 30 IPs (29 /24s) (# pkts S/M/O/I=101/0/934/0): 81:342, 7000:215, 65520:54, 88:43, 44:34, 53u:101, 8392:246, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (11:11:13.591 PST) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT tcpslice 1260645073.591 1260645073.592 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.10.31' ============================== SEPARATOR ================================ Infected Target: 192.168.10.31 Score: 2.1 (>= 0.8) Infector List: 66.252.5.60 Egg Source List: 202.97.184.196, 210.51.36.215 C & C List: 88.198.228.238, 174.133.57.140, 209.107.213.85 (3), 98.126.46.210, 64.38.232.180 Peer Coord. List: Resource List: 66.252.5.60 Observed Start: 12/12/2009 11:11:13.591 PST Report End: 12/12/2009 11:13:42.111 PST Gen. 
Time: 12/12/2009 11:14:51.081 PST INBOUND SCAN EXPLOIT 66.252.5.60 (3) (11:12:53.193 PST) event=1:22000346 (3) {tcp} E2[rb] ET ATTACK RESPONSE IRC - Name response on non-std port, [] MAC_Dst: 00:01:64:FF:CE:EA 58664<-7000 (11:12:53.193 PST) 48810<-7000 (11:13:22.848 PST) 36780<-7000 (11:13:34.939 PST) EXPLOIT MALWARE DNS EGG DOWNLOAD 202.97.184.196 (6) (11:11:14.516 PST) event=1:2000419 (3) {tcp} E3[rb] ET POLICY PE EXE or DLL Windows file download, [] MAC_Src: 00:21:1C:EE:14:00 33933<-81 (11:13:57.736 PST) 52280<-81 (11:11:14.516 PST) 60823<-81 (11:14:04.986 PST) ------------------------- event=1:3300007 (3) {tcp} E3[rb] BotHunter Malware Windows executable (PE) sent from remote host, [] MAC_Src: 00:21:1C:EE:14:00 52280<-81 (11:11:14.516 PST) 60823<-81 (11:14:04.986 PST) 33933<-81 (11:13:57.736 PST) 210.51.36.215 (5) (11:13:33.167 PST-11:13:42.111 PST) event=1:2000419 (2) {tcp} E3[rb] ET POLICY PE EXE or DLL Windows file download, [] MAC_Src: 00:21:1C:EE:14:00 2: 50768<-88 (11:13:41.725 PST-11:13:42.111 PST) ------------------------- event=1:2000427 {tcp} E3[rb] ET POLICY PE EXE Install Windows file download, [] MAC_Src: 00:21:1C:EE:14:00 45528<-88 (11:13:33.167 PST) ------------------------- event=1:3300007 (2) {tcp} E3[rb] BotHunter Malware Windows executable (PE) sent from remote host, [] MAC_Src: 00:21:1C:EE:14:00 2: 50768<-88 (11:13:41.725 PST-11:13:42.111 PST) C and C TRAFFIC 88.198.228.238 (11:13:23.124 PST) event=1:2003603 {tcp} E4[rb] ET TROJAN W32.Virut.A joining an IRC Channel, [] MAC_Src: 00:01:64:FF:CE:EA 58670->65520 (11:13:23.124 PST) 174.133.57.140 (11:14:41.072 PST) event=1:2009456 {tcp} E4[rb] ET USER_AGENTS Suspicious User Agent (ClickAdsByIE), [/p6.asp?MAC=00-0C-29-68-C2-6F&Publicer=kk_01] MAC_Src: 00:01:64:FF:CE:EA 45964->80 (11:14:41.072 PST) 209.107.213.85 (3) (11:14:41.828 PST) event=1:2002196 (2) {tcp} E4[rb] ET MALWARE Casalemedia Spyware Reporting URL Visited 2, [/sd?s=98198&f=1] MAC_Src: 00:01:64:FF:CE:EA 46463->80 (11:14:41.828 PST) 
46463->80 (11:14:42.000 PST) ------------------------- event=1:2009880 {tcp} E4[rb] ET MALWARE Casalemedia Spyware Reporting URL Visited 3, [] MAC_Src: 00:01:64:FF:CE:EA 46463->80 (11:14:42.000 PST) 98.126.46.210 (11:14:40.988 PST) event=1:2009456 {tcp} E4[rb] ET USER_AGENTS Suspicious User Agent (ClickAdsByIE), [/p6.asp?MAC=00-0C-29-68-C2-6F&Publicer=kk_01] MAC_Src: 00:01:64:FF:CE:EA 54609->80 (11:14:40.988 PST) 64.38.232.180 (11:14:41.751 PST) event=1:2002196 {tcp} E4[rb] ET MALWARE Casalemedia Spyware Reporting URL Visited 2, [/redirectExitTrack.php?d=financialopinion.com&r=27&u=http:/as.casalemedia.com/sd?s=98198&f=1] MAC_Src: 00:01:64:FF:CE:EA 42206->80 (11:14:41.751 PST) C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) 193.104.94.11 (2) (11:11:13.591 PST) event=777:7777005 (2) {tcp} E5[bh] Detected intense non-malware port scanning of 30 IPs (29 /24s) (# pkts S/M/O/I=101/0/934/0): 81:342, 7000:215, 65520:54, 88:43, 44:34, 53u:101, 8392:246, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (11:11:13.591 PST) 0->0 (11:12:52.379 PST) OUTBOUND SCAN ATTACK PREP 66.252.5.60 (11:12:52.733 PST) event=1:2000352 {tcp} E6[rb] ET ATTACK RESPONSE IRC - dns request on non-std port, [] MAC_Src: 00:01:64:FF:CE:EA 58664->7000 (11:12:52.733 PST) PEER COORDINATION DECLARE BOT tcpslice 1260645073.591 1260645222.112 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.10.31' ============================== SEPARATOR ================================ Infected Target: 192.168.10.31 Score: 0.8 (>= 0.8) Infector List: Egg Source List: 202.97.184.196 C & C List: Peer Coord. List: Resource List: Observed Start: 12/12/2009 11:14:53.614 PST Gen. 
Time: 12/12/2009 11:15:04.034 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD 202.97.184.196 (11:15:04.034 PST) event=1:2000419 {tcp} E3[rb] ET POLICY PE EXE or DLL Windows file download, [] MAC_Src: 00:21:1C:EE:14:00 38215<-81 (11:15:04.034 PST) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) 193.104.94.11 (11:14:53.614 PST) event=777:7777005 {tcp} E5[bh] Detected intense non-malware port scanning of 30 IPs (29 /24s) (# pkts S/M/O/I=101/0/1006/0): 81:349, 7000:230, 65520:56, 88:50, 44:38, 53u:101, 8392:283, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (11:14:53.614 PST) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT tcpslice 1260645293.614 1260645293.615 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.10.31' ============================== SEPARATOR ================================ Infected Target: 192.168.10.31 Score: 2.0 (>= 0.8) Infector List: 91.206.201.39 Egg Source List: 61.235.117.71, 202.97.184.196, 210.51.36.215, 218.93.205.19 C & C List: 88.198.228.238 (2) Peer Coord. List: Resource List: 66.252.5.60 Observed Start: 12/12/2009 11:14:53.614 PST Gen. 
Time: 12/12/2009 11:18:37.081 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS 91.206.201.39 (11:16:06.615 PST) event=1:2632222 {tcp} E2[dns] BHDNS SPYWARE-CONTACT: colopin.cn (zeus), [%04%02%08%0AxK%FF%FF%00%00%00%00%01%03] MAC_Dst: 00:21:1C:EE:14:00 53203->80 (11:16:06.615 PST) EGG DOWNLOAD 61.235.117.71 (2) (11:16:24.598 PST) event=1:2001685 (2) {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 36400<-80 (11:16:24.598 PST) 57759<-80 (11:16:32.968 PST) 202.97.184.196 (12) (11:15:04.034 PST) event=1:2000419 (6) {tcp} E3[rb] ET POLICY PE EXE or DLL Windows file download, [] MAC_Src: 00:21:1C:EE:14:00 38215<-81 (11:15:04.034 PST) 43969<-81 (11:16:13.877 PST) 48615<-81 (11:16:25.158 PST) 37025<-81 (11:16:50.346 PST) 35611<-81 (11:17:01.049 PST) 60569<-81 (11:17:25.394 PST) ------------------------- event=1:3300007 (6) {tcp} E3[rb] BotHunter Malware Windows executable (PE) sent from remote host, [] MAC_Src: 00:21:1C:EE:14:00 38215<-81 (11:15:04.034 PST) 43969<-81 (11:16:13.877 PST) 48615<-81 (11:16:25.158 PST) 37025<-81 (11:16:50.346 PST) 35611<-81 (11:17:01.049 PST) 60569<-81 (11:17:25.394 PST) 210.51.36.215 (11:16:04.183 PST) event=1:2000427 {tcp} E3[rb] ET POLICY PE EXE Install Windows file download, [] MAC_Src: 00:21:1C:EE:14:00 45086<-88 (11:16:04.183 PST) 218.93.205.19 (2) (11:15:53.209 PST) event=1:2001894 (2) {tcp} E3[rb] ET MALWARE ToolbarPartner Spyware Agent Partner Install, [/inst.php?id=32&sid=0] MAC_Src: 00:01:64:FF:CE:EA 57104->80 (11:15:53.209 PST) 48258->80 (11:16:17.377 PST) C and C TRAFFIC 88.198.228.238 (2) (11:15:40.248 PST) event=1:2003603 (2) {tcp} E4[rb] ET TROJAN W32.Virut.A joining an IRC Channel, [] MAC_Src: 00:01:64:FF:CE:EA 38953->65520 (11:15:40.248 PST) 51537->65520 (11:16:07.652 PST) C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) 193.104.94.11 (3) (11:14:53.614 PST) event=777:7777005 (3) {tcp} E5[bh] Detected intense 
non-malware port scanning of 30 IPs (29 /24s) (# pkts S/M/O/I=101/0/1006/0): 81:349, 7000:230, 65520:56, 88:50, 44:38, 53u:101, 8392:283, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (11:14:53.614 PST) 0->0 (11:16:24.688 PST) 0->0 (11:18:36.970 PST) OUTBOUND SCAN ATTACK PREP 66.252.5.60 (11:15:52.042 PST) event=1:2000352 {tcp} E6[rb] ET ATTACK RESPONSE IRC - dns request on non-std port, [] MAC_Src: 00:01:64:FF:CE:EA 49062->7000 (11:15:52.042 PST) PEER COORDINATION DECLARE BOT tcpslice 1260645293.614 1260645293.615 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.10.31' ============================== SEPARATOR ================================ Infected Target: 192.168.10.31 Score: 0.8 (>= 0.8) Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: 66.252.5.60 Observed Start: 12/12/2009 11:18:54.784 PST Gen. Time: 12/12/2009 11:21:52.120 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) 193.104.94.11 (11:21:52.120 PST) event=777:7777005 {tcp} E5[bh] Detected intense non-malware port scanning of 30 IPs (29 /24s) (# pkts S/M/O/I=101/0/1081/0): 81:365, 7000:242, 65520:60, 88:52, 44:38, 53u:101, 8392:324, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (11:21:52.120 PST) OUTBOUND SCAN ATTACK PREP 66.252.5.60 (11:18:54.784 PST) event=1:2000352 {tcp} E6[rb] ET ATTACK RESPONSE IRC - dns request on non-std port, [] MAC_Src: 00:01:64:FF:CE:EA 41552->7000 (11:18:54.784 PST) PEER COORDINATION DECLARE BOT tcpslice 1260645534.784 1260645534.785 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.10.31' ============================== SEPARATOR ================================ Infected Target: 192.168.10.31 Score: 1.1 (>= 0.8) Infector List: 66.252.5.60 Egg Source List: C & C List: Peer Coord. List: Resource List: 66.252.5.60 (2) Observed Start: 12/12/2009 11:18:54.784 PST Gen. 
Time: 12/12/2009 11:22:50.189 PST INBOUND SCAN EXPLOIT 66.252.5.60 (4) (11:21:53.890 PST) event=1:22000346 (4) {tcp} E2[rb] ET ATTACK RESPONSE IRC - Name response on non-std port, [] MAC_Dst: 00:01:64:FF:CE:EA 55741<-7000 (11:21:53.890 PST) 35411<-7000 (11:22:18.409 PST) 55327<-7000 (11:22:22.056 PST) 49006<-7000 (11:22:34.804 PST) EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) 193.104.94.11 (11:21:52.120 PST) event=777:7777005 {tcp} E5[bh] Detected intense non-malware port scanning of 30 IPs (29 /24s) (# pkts S/M/O/I=101/0/1081/0): 81:365, 7000:242, 65520:60, 88:52, 44:38, 53u:101, 8392:324, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (11:21:52.120 PST) OUTBOUND SCAN ATTACK PREP 66.252.5.60 (2) (11:18:54.784 PST) event=1:2000352 (2) {tcp} E6[rb] ET ATTACK RESPONSE IRC - dns request on non-std port, [] MAC_Src: 00:01:64:FF:CE:EA 41552->7000 (11:18:54.784 PST) 55741->7000 (11:21:52.542 PST) PEER COORDINATION DECLARE BOT tcpslice 1260645534.784 1260645534.785 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.10.31' ============================== SEPARATOR ================================ Infected Target: 192.168.10.31 Score: 0.8 (>= 0.8) Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: 66.252.5.60 Observed Start: 12/12/2009 11:24:05.940 PST Gen. 
Time: 12/12/2009 11:24:51.956 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) 193.104.94.11 (11:24:05.940 PST) event=777:7777005 {tcp} E5[bh] Detected intense non-malware port scanning of 30 IPs (29 /24s) (# pkts S/M/O/I=101/0/1089/0): 81:365, 7000:250, 65520:60, 88:52, 44:38, 53u:101, 8392:324, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (11:24:05.940 PST) OUTBOUND SCAN ATTACK PREP 66.252.5.60 (11:24:51.956 PST) event=1:2000352 {tcp} E6[rb] ET ATTACK RESPONSE IRC - dns request on non-std port, [] MAC_Src: 00:01:64:FF:CE:EA 37236->7000 (11:24:51.956 PST) PEER COORDINATION DECLARE BOT tcpslice 1260645845.940 1260645845.941 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.10.31' ============================== SEPARATOR ================================ Infected Target: 192.168.10.31 Score: 1.1 (>= 0.8) Infector List: 66.252.5.60 Egg Source List: C & C List: Peer Coord. List: Resource List: 66.252.5.60 (2) Observed Start: 12/12/2009 11:24:05.940 PST Gen. 
Time: 12/12/2009 11:28:15.986 PST INBOUND SCAN EXPLOIT 66.252.5.60 (3) (11:25:23.060 PST) event=1:22000346 (3) {tcp} E2[rb] ET ATTACK RESPONSE IRC - Name response on non-std port, [] MAC_Dst: 00:01:64:FF:CE:EA 40181<-7000 (11:25:23.060 PST) 52555<-7000 (11:26:21.968 PST) 38438<-7000 (11:27:56.190 PST) EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) 193.104.94.11 (3) (11:24:05.940 PST) event=777:7777005 (3) {tcp} E5[bh] Detected intense non-malware port scanning of 30 IPs (29 /24s) (# pkts S/M/O/I=101/0/1089/0): 81:365, 7000:250, 65520:60, 88:52, 44:38, 53u:101, 8392:324, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (11:24:05.940 PST) 0->0 (11:25:35.512 PST) 0->0 (11:27:55.292 PST) OUTBOUND SCAN ATTACK PREP 66.252.5.60 (2) (11:24:51.956 PST) event=1:2000352 (2) {tcp} E6[rb] ET ATTACK RESPONSE IRC - dns request on non-std port, [] MAC_Src: 00:01:64:FF:CE:EA 37236->7000 (11:24:51.956 PST) 38438->7000 (11:27:55.869 PST) PEER COORDINATION DECLARE BOT tcpslice 1260645845.940 1260645845.941 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.10.31' ============================== SEPARATOR ================================ Infected Target: 192.168.10.31 Score: 0.8 (>= 0.8) Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: 66.252.5.60 Observed Start: 12/12/2009 11:29:58.240 PST Gen. 
Time: 12/12/2009 11:30:52.791 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) 193.104.94.11 (11:29:58.240 PST) event=777:7777005 {tcp} E5[bh] Detected intense non-malware port scanning of 30 IPs (29 /24s) (# pkts S/M/O/I=101/0/1185/0): 81:365, 7000:346, 65520:60, 88:52, 44:38, 53u:101, 8392:324, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (11:29:58.240 PST) OUTBOUND SCAN ATTACK PREP 66.252.5.60 (11:30:52.791 PST) event=1:2000352 {tcp} E6[rb] ET ATTACK RESPONSE IRC - dns request on non-std port, [] MAC_Src: 00:01:64:FF:CE:EA 43293->7000 (11:30:52.791 PST) PEER COORDINATION DECLARE BOT tcpslice 1260646198.240 1260646198.241 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.10.31' ============================== SEPARATOR ================================ Infected Target: 192.168.10.31 Score: 2.3 (>= 0.8) Infector List: 66.252.5.60, 91.206.201.39 Egg Source List: 61.235.117.71, 202.97.184.196, 218.93.205.19 C & C List: 88.198.228.238, 193.104.94.11 Peer Coord. List: Resource List: 66.252.5.60 Observed Start: 12/12/2009 11:29:58.240 PST Gen. 
Time: 12/12/2009 11:33:59.539 PST INBOUND SCAN EXPLOIT 66.252.5.60 (11:30:53.054 PST) event=1:22000346 {tcp} E2[rb] ET ATTACK RESPONSE IRC - Name response on non-std port, [] MAC_Dst: 00:01:64:FF:CE:EA 43293<-7000 (11:30:53.054 PST) EXPLOIT MALWARE DNS 91.206.201.39 (11:31:44.022 PST) event=1:2632222 {tcp} E2[dns] BHDNS SPYWARE-CONTACT: colopin.cn (zeus), [%04%02%08%0AxZ%0F%FF%00%00%00%00%01%03%03%07%11%FF%FF%FF%FF%FF}%FFqEY%FF*%FFH] MAC_Dst: 00:21:1C:EE:14:00 43891->80 (11:31:44.022 PST) EGG DOWNLOAD 61.235.117.71 (11:31:39.192 PST) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 47906<-80 (11:31:39.192 PST) 202.97.184.196 (7) (11:31:53.194 PST) event=1:2000419 (4) {tcp} E3[rb] ET POLICY PE EXE or DLL Windows file download, [] MAC_Src: 00:21:1C:EE:14:00 38715<-81 (11:31:53.194 PST) 38525<-81 (11:32:00.523 PST) 52887<-81 (11:33:01.789 PST) 35503<-81 (11:33:59.539 PST) ------------------------- event=1:3300007 (3) {tcp} E3[rb] BotHunter Malware Windows executable (PE) sent from remote host, [] MAC_Src: 00:21:1C:EE:14:00 38715<-81 (11:31:53.194 PST) 38525<-81 (11:32:00.523 PST) 52887<-81 (11:33:01.789 PST) 218.93.205.19 (11:31:29.366 PST) event=1:2001894 {tcp} E3[rb] ET MALWARE ToolbarPartner Spyware Agent Partner Install, [/inst.php?id=32&sid=0] MAC_Src: 00:01:64:FF:CE:EA 35391->80 (11:31:29.366 PST) C and C TRAFFIC 88.198.228.238 (11:31:23.123 PST) event=1:2003603 {tcp} E4[rb] ET TROJAN W32.Virut.A joining an IRC Channel, [] MAC_Src: 00:01:64:FF:CE:EA 46376->65520 (11:31:23.123 PST) 193.104.94.11 (11:33:41.088 PST) event=1:2003603 {tcp} E4[rb] ET TROJAN W32.Virut.A joining an IRC Channel, [] MAC_Src: 00:01:64:FF:CE:EA 47072->65520 (11:33:41.088 PST) C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) 193.104.94.11 (3) (11:29:58.240 PST) event=777:7777005 (3) {tcp} E5[bh] Detected intense non-malware port scanning of 30 IPs (29 /24s) 
(# pkts S/M/O/I=101/0/1185/0): 81:365, 7000:346, 65520:60, 88:52, 44:38, 53u:101, 8392:324, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (11:29:58.240 PST) 0->0 (11:31:52.730 PST) 0->0 (11:33:40.572 PST) OUTBOUND SCAN ATTACK PREP 66.252.5.60 (11:30:52.791 PST) event=1:2000352 {tcp} E6[rb] ET ATTACK RESPONSE IRC - dns request on non-std port, [] MAC_Src: 00:01:64:FF:CE:EA 43293->7000 (11:30:52.791 PST) PEER COORDINATION DECLARE BOT tcpslice 1260646198.240 1260646198.241 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.10.31' ============================== SEPARATOR ================================ Infected Target: 192.168.10.31 Score: 1.0 (>= 0.8) Infector List: Egg Source List: 202.97.184.196 C & C List: 193.104.94.11 Peer Coord. List: Resource List: Observed Start: 12/12/2009 11:33:59.539 PST Gen. Time: 12/12/2009 11:34:08.367 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD 202.97.184.196 (3) (11:33:59.539 PST) event=1:2000419 {tcp} E3[rb] ET POLICY PE EXE or DLL Windows file download, [] MAC_Src: 00:21:1C:EE:14:00 55674<-81 (11:34:06.446 PST) ------------------------- event=1:3300007 (2) {tcp} E3[rb] BotHunter Malware Windows executable (PE) sent from remote host, [] MAC_Src: 00:21:1C:EE:14:00 35503<-81 (11:33:59.539 PST) 55674<-81 (11:34:06.446 PST) C and C TRAFFIC 193.104.94.11 (11:34:08.367 PST) event=1:2003603 {tcp} E4[rb] ET TROJAN W32.Virut.A joining an IRC Channel, [] MAC_Src: 00:01:64:FF:CE:EA 33171->65520 (11:34:08.367 PST) C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT tcpslice 1260646439.539 1260646439.540 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.10.31' ============================== SEPARATOR ================================ Infected Target: 192.168.10.31 Score: 1.3 (>= 0.8) Infector List: Egg Source List: 202.97.184.196, 218.93.205.19 C & C List: 193.104.94.11 Peer Coord. 
List: Resource List: Observed Start: 12/12/2009 11:33:59.539 PST Gen. Time: 12/12/2009 11:38:05.017 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD 202.97.184.196 (7) (11:33:59.539 PST) event=1:2000419 (3) {tcp} E3[rb] ET POLICY PE EXE or DLL Windows file download, [] MAC_Src: 00:21:1C:EE:14:00 55674<-81 (11:34:06.446 PST) 58570<-81 (11:34:25.648 PST) 44291<-81 (11:35:05.727 PST) ------------------------- event=1:3300007 (4) {tcp} E3[rb] BotHunter Malware Windows executable (PE) sent from remote host, [] MAC_Src: 00:21:1C:EE:14:00 35503<-81 (11:33:59.539 PST) 55674<-81 (11:34:06.446 PST) 58570<-81 (11:34:25.648 PST) 44291<-81 (11:35:05.727 PST) 218.93.205.19 (11:34:17.121 PST) event=1:2001894 {tcp} E3[rb] ET MALWARE ToolbarPartner Spyware Agent Partner Install, [/inst.php?id=32&sid=0] MAC_Src: 00:01:64:FF:CE:EA 32803->80 (11:34:17.121 PST) C and C TRAFFIC 193.104.94.11 (11:34:08.367 PST) event=1:2003603 {tcp} E4[rb] ET TROJAN W32.Virut.A joining an IRC Channel, [] MAC_Src: 00:01:64:FF:CE:EA 33171->65520 (11:34:08.367 PST) C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) 193.104.94.11 (2) (11:35:35.114 PST) event=777:7777005 (2) {tcp} E5[bh] Detected intense non-malware port scanning of 30 IPs (29 /24s) (# pkts S/M/O/I=101/0/1221/0): 81:384, 7000:357, 65520:66, 88:52, 44:38, 53u:101, 8392:324, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (11:35:35.114 PST) 0->0 (11:37:06.633 PST) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT tcpslice 1260646439.539 1260646439.540 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.10.31' ============================== SEPARATOR ================================