Infected Target: 192.168.71.131
Score: 1.5 (>= 0.8)
Infector List:
Egg Source List:
C & C List: 85.92.158.75, 72.55.140.184 (2)
Peer Coord. List:
Resource List: 192.168.71.2 (5)
Observed Start: 06/26/2008 03:13:13.645 PDT
Report End: 06/26/2008 03:13:28.706 PDT
Gen. Time: 06/26/2008 03:20:40.601 PDT

INBOUND SCAN

EXPLOIT

EXPLOIT (slade)

EGG DOWNLOAD

C and C TRAFFIC
85.92.158.75 (03:13:36.580 PDT)
 event=1:2008371 {tcp} E4[rb] ET MALWARE Likely Ad-ware installation phoning home (success and NSISDL User-Agent) 3195->80 (03:13:36.580 PDT)
72.55.140.184 (2) (03:13:28.496 PDT-03:13:28.706 PDT)
 event=1:2008279 (2) {tcp} E4[rb] ET MALWARE ZenoSearch Spyware User-Agent 2: 3194->80 (03:13:28.496 PDT-03:13:28.706 PDT)

PEER COORDINATION

OUTBOUND SCAN
192.168.71.2 (3) (03:13:40.170 PDT)
 event=777:7777005 (3) {tcp} E5[bh] Detected intense non-malware port scanning of 21 IPs (18 /24s) (# pkts S/M/O/I=193/0/17/24): 53u:31, 80:162, 67u:14, 443:3 0->0 (03:13:40.170 PDT) 0->0 (03:15:41.830 PDT) (03:20:40.601 PDT)

ATTACK PREP
192.168.71.2 (5) (03:13:13.645 PDT)
 event=1:2600098 {udp} E6[rb] SPYWARE-DNS DNS lookup 10 chars (.com) 1026->53 (03:13:47.054 PDT)
 -------------------------
 event=1:2600110 {udp} E6[rb] SPYWARE-DNS DNS lookup 14 chars (.com) 1026->53 (03:13:13.645 PDT)
 -------------------------
 event=1:2600144 {udp} E6[rb] SPYWARE-DNS DNS lookup 6 chars (.com) 1026->53 (03:13:41.256 PDT)
 -------------------------
 event=1:2600313 {udp} E6[rb] SPYWARE-DNS DNS lookup 13 chars (.net) 1026->53 (03:13:44.004 PDT)
 -------------------------
 event=1:2600331 {udp} E6[rb] SPYWARE-DNS DNS lookup 6 chars (.net) 1026->53 (03:13:28.367 PDT)

DECLARE BOT

tcpslice 1214475193.645 1214475208.707 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.71.131'