Infected Target: 192.168.71.130
Score: 2.8 (>= 0.8)
Infector List:
Egg Source List: 69.42.70.12, 85.255.118.117, 206.251.244.226, 64.191.208.114
C & C List: 72.55.140.184, 206.251.244.226 (2), 8.12.221.125 (2), 208.69.57.194, 64.191.208.114
Peer Coord. List:
Resource List: 192.168.71.2 (8)
Observed Start: 06/25/2008 20:59:11.946 PDT
Report End: 06/25/2008 20:59:26.474 PDT
Gen. Time: 06/25/2008 21:04:10.839 PDT

INBOUND SCAN

EXPLOIT

EXPLOIT (slade)

EGG DOWNLOAD
69.42.70.12 (20:59:21.332 PDT)
  event=1:2002739 {tcp} E3[rb] ET MALWARE iDownloadAgent Spyware User Agent
  3038->80 (20:59:21.332 PDT)
85.255.118.117 (20:59:16.699 PDT)
  event=1:2008012 {tcp} E3[rb] ET MALWARE Winquickupdates.com/Mycashloads.com Related Trojan Install Report
  3024->80 (20:59:16.699 PDT)
206.251.244.226 (6) (20:59:12.212 PDT)
  event=1:2007577 (2) {tcp} E3[rb] ET TROJAN General Downloader Checkin URL (GUID+)
  3047->80 (21:02:27.087 PDT)
  3048->80 (21:02:27.087 PDT)
  -------------------------
  event=1:2008394 (2) {tcp} E3[rb] ET CURRENT_EVENTS Likely Trojan-Downloader.Win32.Homles.br (/17PHolmes.cmt)
  3020->80 (20:59:12.212 PDT)
  3028->80 (20:59:17.073 PDT)
  -------------------------
  event=1:2008438 (2) {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send a Text File
  3020<-80 (20:59:12.246 PDT)
  3028<-80 (20:59:17.104 PDT)
64.191.208.114 (20:59:13.937 PDT)
  event=1:2002739 {tcp} E3[rb] ET MALWARE iDownloadAgent Spyware User Agent
  3021->80 (20:59:13.937 PDT)

C and C TRAFFIC
72.55.140.184 (20:59:18.667 PDT)
  event=1:2008279 {tcp} E4[rb] ET MALWARE ZenoSearch Spyware User-Agent
  3034->80 (20:59:18.667 PDT)
206.251.244.226 (2) (20:59:12.212 PDT)
  event=1:2006357 (2) {tcp} E4[rb] ET MALWARE Suspicious User Agent - Likely Webhancer Related Spyware (TEST)
  3028->80 (20:59:17.073 PDT)
  3020->80 (20:59:12.212 PDT)
8.12.221.125 (2) (20:59:26.392 PDT-20:59:26.474 PDT)
  event=1:2007772 (2) {tcp} E4[rb] ET MALWARE Suspicious User Agent (Internet Explorer (compatible))
  2: 3043->80 (20:59:26.392 PDT-20:59:26.474 PDT)
208.69.57.194 (20:59:18.351 PDT)
  event=1:2008279 {tcp} E4[rb] ET MALWARE ZenoSearch Spyware User-Agent
  3032->80 (20:59:18.351 PDT)
64.191.208.114 (20:59:24.072 PDT)
  event=1:2002740 {tcp} E4[rb] ET MALWARE adservs.com Spyware
  3041->80 (20:59:24.072 PDT)

PEER COORDINATION

OUTBOUND SCAN
192.168.71.2 (3) (20:59:26.416 PDT)
  event=777:7777005 (3) {tcp} E5[bh] Detected intense non-malware port scanning of 21 IPs (19 /24s) (# pkts S/M/O/I=84/12/4/7): 53u:19, 123u:1, 1900u:3, 80:65
  0->0 (20:59:26.416 PDT)
  0->0 (21:01:24.276 PDT)
  0->0 (21:04:10.839 PDT)

ATTACK PREP
192.168.71.2 (8) (20:59:11.946 PDT)
  event=1:2600100 {udp} E6[rb] SPYWARE-DNS DNS lookup 10 chars (.com)
  3025->53 (20:59:18.224 PDT)
  -------------------------
  event=1:2600109 {udp} E6[rb] SPYWARE-DNS DNS lookup 14 chars (.com)
  3025->53 (20:59:26.335 PDT)
  -------------------------
  event=1:2600143 (2) {udp} E6[rb] SPYWARE-DNS DNS lookup 5 chars (.com)
  1026->53 (20:59:11.946 PDT)
  3025->53 (21:02:27.022 PDT)
  -------------------------
  event=1:2600144 {udp} E6[rb] SPYWARE-DNS DNS lookup 6 chars (.com)
  3025->53 (20:59:23.535 PDT)
  -------------------------
  event=1:2600146 {udp} E6[rb] SPYWARE-DNS DNS lookup 7 chars (.com)
  1026->53 (20:59:13.795 PDT)
  -------------------------
  event=1:2600151 {udp} E6[rb] SPYWARE-DNS DNS lookup 9 chars (.com)
  3025->53 (20:59:26.401 PDT)
  -------------------------
  event=1:2600331 {udp} E6[rb] SPYWARE-DNS DNS lookup 6 chars (.net)
  3025->53 (20:59:18.548 PDT)

DECLARE BOT
85.255.118.117 (3) (20:59:16.665 PDT)
  event=1:2406033 {tcp} E8[rb] ET rbN Known Russian Business Network Monitored Domains (29)
  3024->80 (20:59:16.665 PDT)
  -------------------------
  event=1:2406034 {tcp} E8[rb] ET RBN Known Russian Business Network Monitored Domains (30)
  3024->80 (20:59:16.665 PDT)
  -------------------------
  event=1:2500000 {tcp} E8[rb] ET COMPROMISED Known Compromised or Hostile Host Traffic (1)
  3024->80 (20:59:16.665 PDT)

tcpslice 1214452751.946 1214452766.475 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.71.130'
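To check that the tcpslice bounds on the last line really are the report's Observed Start and Report End stamps converted to epoch seconds, and to pull the event records into something a triage script can work with, here is an added example in Python. It is not BotHunter's own code or output. SAMPLE is a constructed excerpt of this report (header fields plus three of the event records); treating the PDT stamps as UTC-7, the E-code-to-phase map, and reading the "2:" prefix on one flow line as a repeat count are assumptions made for the example.

```python
"""Parse a BotHunter infection profile and rebuild its tcpslice window.

Added example, not BotHunter code. SAMPLE is a constructed excerpt of the
report on this page; the timestamp arithmetic assumes its PDT stamps are
UTC-7.
"""
import re
from datetime import datetime, timedelta, timezone

PDT = timezone(timedelta(hours=-7))  # assumption: PDT == UTC-7
EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)

# Dialog phase per E-code, as the section headings on this page pair them.
PHASE = {"E3": "EGG DOWNLOAD", "E4": "C and C TRAFFIC", "E5": "OUTBOUND SCAN",
         "E6": "ATTACK PREP", "E8": "DECLARE BOT"}

SAMPLE = """\
Infected Target: 192.168.71.130
Observed Start: 06/25/2008 20:59:11.946 PDT
Report End: 06/25/2008 20:59:26.474 PDT
EGG DOWNLOAD
206.251.244.226 (6) (20:59:12.212 PDT)
  event=1:2008438 (2) {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send a Text File
  3020<-80 (20:59:12.246 PDT)
  3028<-80 (20:59:17.104 PDT)
C and C TRAFFIC
8.12.221.125 (2) (20:59:26.392 PDT-20:59:26.474 PDT)
  event=1:2007772 (2) {tcp} E4[rb] ET MALWARE Suspicious User Agent (Internet Explorer (compatible))
  2: 3043->80 (20:59:26.392 PDT-20:59:26.474 PDT)
DECLARE BOT
85.255.118.117 (3) (20:59:16.665 PDT)
  event=1:2500000 {tcp} E8[rb] ET COMPROMISED Known Compromised or Hostile Host Traffic (1)
  3024->80 (20:59:16.665 PDT)
"""

# event=<gen:sid> [(count)] {proto} E<n>[engine] <description>
EVENT_RE = re.compile(
    r"^\s*event=(\d+:\d+)(?: \((\d+)\))? \{(tcp|udp)\} (E\d)\[(\w+)\] (.*?)\s*$")
# Flow lines: optional "N: " prefix (read here as a repeat count; assumption),
# local port, arrow giving direction from the target's view, remote port, time.
FLOW_RE = re.compile(
    r"^\s*(?:(\d+): )?(\d+)(->|<-)(\d+) \((\d\d:\d\d:\d\d\.\d{3}) PDT")


def parse_stamp(stamp):
    """'06/25/2008 20:59:11.946' (PDT) -> timezone-aware datetime."""
    return datetime.strptime(stamp, "%m/%d/%Y %H:%M:%S.%f").replace(tzinfo=PDT)


def epoch_ms(dt):
    """Epoch seconds with a millisecond fraction, the form tcpslice takes."""
    whole = int((dt - EPOCH).total_seconds())
    return f"{whole}.{dt.microsecond // 1000:03d}"


def tcpslice_window(report):
    """(start, end) tcpslice bounds from Observed Start / Report End."""
    start = parse_stamp(re.search(r"Observed Start: (.+?) PDT", report).group(1))
    end = parse_stamp(re.search(r"Report End: (.+?) PDT", report).group(1))
    # The report's own tcpslice line ends 1 ms after Report End, so the
    # final packet of the dialog falls inside the slice.
    return epoch_ms(start), epoch_ms(end + timedelta(milliseconds=1))


def tcpslice_command(report, infile="inputFile.tcpd", outfile="outputFile.tcpd"):
    """Rebuild the carve-out command printed at the foot of the report."""
    target = re.search(r"Infected Target: (\S+)", report).group(1)
    start, end = tcpslice_window(report)
    return (f"tcpslice {start} {end} {infile} | "
            f"tcpdump -r - -w {outfile} 'host {target}'")


def events_by_phase(report):
    """Group event records by dialog phase, each with its flow lines."""
    phases = {}
    current = None
    for line in report.splitlines():
        ev = EVENT_RE.match(line)
        if ev:
            sid, count, proto, ecode, engine, desc = ev.groups()
            current = {"sid": sid, "count": int(count or 1), "proto": proto,
                       "engine": engine, "desc": desc, "flows": []}
            phases.setdefault(PHASE.get(ecode, ecode), []).append(current)
            continue
        fl = FLOW_RE.match(line)
        if fl and current is not None:
            repeat, lport, arrow, rport, when = fl.groups()
            current["flows"].append({
                "repeat": int(repeat or 1), "local_port": int(lport),
                "remote_port": int(rport), "inbound": arrow == "<-",
                "time": when})
    return phases


def inbound_payload_flows(report):
    """Flows where the alert fired on data coming back toward the target
    (the '<-' lines): the payload delivery, not the bot's own request."""
    return [(ev["sid"], f["local_port"], f["time"])
            for evs in events_by_phase(report).values() for ev in evs
            for f in ev["flows"] if f["inbound"]]


if __name__ == "__main__":
    print(tcpslice_command(SAMPLE))
    for phase, evs in events_by_phase(SAMPLE).items():
        print(phase, [(e["sid"], e["count"], len(e["flows"])) for e in evs])
    print(inbound_payload_flows(SAMPLE))
```

Run against the full report, the only "<-" flows are the two responses that fired sid 2008438 (a Windows executable served as text) on local ports 3020 and 3028, the same connections that fired 2008394 outbound; those are the two TCP sessions to carve out of the pcap first, since they carry the egg.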