Infected Target: 192.168.71.131
Score: 2.8 (>= 0.8)
Infector List:
Egg Source List: 69.42.70.12, 85.255.118.117, 206.251.244.226, 64.191.208.114
C & C List: 72.55.140.184, 206.251.244.226 (2), 85.12.60.13, 199.93.58.124 (2), 208.69.57.194, 64.191.208.114
Peer Coord. List:
Resource List: 192.168.71.2 (12)
Observed Start: 06/25/2008 21:02:36.629 PDT
Report End: 06/25/2008 21:03:09.222 PDT
Gen. Time: 06/25/2008 21:07:51.496 PDT

INBOUND SCAN

EXPLOIT

EXPLOIT (slade)

EGG DOWNLOAD
69.42.70.12 (21:03:04.902 PDT)
    event=1:2002739 {tcp} E3[rb] ET MALWARE iDownloadAgent Spyware User Agent 3056->80 (21:03:04.902 PDT)
85.255.118.117 (21:03:00.668 PDT)
    event=1:2008012 {tcp} E3[rb] ET MALWARE Winquickupdates.com/Mycashloads.com Related Trojan Install Report 3048->80 (21:03:00.668 PDT)
206.251.244.226 (6) (21:02:54.351 PDT)
    event=1:2007577 (2) {tcp} E3[rb] ET TROJAN General Downloader Checkin URL (GUID+) 3090->80 (21:06:12.356 PDT) 3091->80 (21:06:12.357 PDT)
    -------------------------
    event=1:2008394 (2) {tcp} E3[rb] ET CURRENT_EVENTS Likely Trojan-Downloader.Win32.Homles.br (/17PHolmes.cmt) 3043->80 (21:02:54.351 PDT) 3046->80 (21:03:00.483 PDT)
    -------------------------
    event=1:2008438 (2) {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send a Text File 3043<-80 (21:02:54.390 PDT) 3046<-80 (21:03:00.518 PDT)
64.191.208.114 (21:02:55.250 PDT)
    event=1:2002739 {tcp} E3[rb] ET MALWARE iDownloadAgent Spyware User Agent 3044->80 (21:02:55.250 PDT)

C and C TRAFFIC
72.55.140.184 (21:03:03.243 PDT)
    event=1:2008279 {tcp} E4[rb] ET MALWARE ZenoSearch Spyware User-Agent 3054->80 (21:03:03.243 PDT)
206.251.244.226 (2) (21:02:54.351 PDT)
    event=1:2006357 (2) {tcp} E4[rb] ET MALWARE Suspicious User Agent - Likely Webhancer Related Spyware (TEST) 3043->80 (21:02:54.351 PDT) 3046->80 (21:03:00.483 PDT)
85.12.60.13 (21:02:53.221 PDT)
    event=1:2008282 {tcp} E4[rb] ET TROJAN Antispywaremaster.com Fake AV Checkin 3041->80 (21:02:53.221 PDT)
199.93.58.124 (2) (21:03:08.941 PDT-21:03:09.222 PDT)
    event=1:2007772 (2) {tcp} E4[rb] ET MALWARE Suspicious User Agent (Internet Explorer (compatible)) 2: 3062->80 (21:03:08.941 PDT-21:03:09.222 PDT)
208.69.57.194 (21:03:02.928 PDT)
    event=1:2008279 {tcp} E4[rb] ET MALWARE ZenoSearch Spyware User-Agent 3053->80 (21:03:02.928 PDT)
64.191.208.114 (21:03:09.405 PDT)
    event=1:2002740 {tcp} E4[rb] ET MALWARE adservs.com Spyware 3063->80 (21:03:09.405 PDT)

PEER COORDINATION

OUTBOUND SCAN
192.168.71.2 (3) (21:03:03.125 PDT)
    event=777:7777005 (3) {tcp} E5[bh] Detected intense non-malware port scanning of 21 IPs (20 /24s) (# pkts S/M/O/I=103/7/4/7): 53u:22, 123u:1, 1900u:3, 80:81 0->0 (21:03:03.125 PDT) 0->0 (21:05:09.277 PDT) 0->0 (21:07:51.496 PDT)

ATTACK PREP
192.168.71.2 (12) (21:02:36.629 PDT)
    event=1:2600100 {udp} E6[rb] SPYWARE-DNS DNS lookup 10 chars (.com) 1026->53 (21:03:02.790 PDT)
    -------------------------
    event=1:2600103 {udp} E6[rb] SPYWARE-DNS DNS lookup 11 chars (.com) 1026->53 (21:02:36.629 PDT)
    -------------------------
    event=1:2600105 {udp} E6[rb] SPYWARE-DNS DNS lookup 12 chars (.com) 1026->53 (21:02:43.687 PDT)
    -------------------------
    event=1:2600109 {udp} E6[rb] SPYWARE-DNS DNS lookup 14 chars (.com) 1026->53 (21:03:08.804 PDT)
    -------------------------
    event=1:2600115 {udp} E6[rb] SPYWARE-DNS DNS lookup 17 chars (.com) 1026->53 (21:02:52.980 PDT)
    -------------------------
    event=1:2600143 (2) {udp} E6[rb] SPYWARE-DNS DNS lookup 5 chars (.com) 3022->53 (21:02:54.083 PDT) 1026->53 (21:06:12.267 PDT)
    -------------------------
    event=1:2600144 {udp} E6[rb] SPYWARE-DNS DNS lookup 6 chars (.com) 1026->53 (21:03:08.877 PDT)
    -------------------------
    event=1:2600146 {udp} E6[rb] SPYWARE-DNS DNS lookup 7 chars (.com) 1026->53 (21:02:55.047 PDT)
    -------------------------
    event=1:2600151 {udp} E6[rb] SPYWARE-DNS DNS lookup 9 chars (.com) 1026->53 (21:03:14.722 PDT)
    -------------------------
    event=1:2600331 {udp} E6[rb] SPYWARE-DNS DNS lookup 6 chars (.net) 1026->53 (21:03:03.029 PDT)
    -------------------------
    event=1:2600333 {udp} E6[rb] SPYWARE-DNS DNS lookup 8 chars (.net) 1026->53 (21:02:40.417 PDT)

DECLARE BOT
85.255.118.117 (3) (21:03:00.628 PDT)
    event=1:2406033 {tcp} E8[rb] ET rbN Known Russian Business Network Monitored Domains (29) 3048->80 (21:03:00.628 PDT)
    -------------------------
    event=1:2406034 {tcp} E8[rb] ET RBN Known Russian Business Network Monitored Domains (30) 3048->80 (21:03:00.628 PDT)
    -------------------------
    event=1:2500000 {tcp} E8[rb] ET COMPROMISED Known Compromised or Hostile Host Traffic (1) 3048->80 (21:03:00.628 PDT)
67.55.81.200 (2) (21:02:43.798 PDT)
    event=1:2406021 {tcp} E8[rb] ET rbN Known Russian Business Network Monitored Domains (17) 3032->80 (21:02:43.798 PDT)
    -------------------------
    event=1:2406022 {tcp} E8[rb] ET rbN Known Russian Business Network Monitored Domains (18) 3032->80 (21:02:43.798 PDT)

tcpslice 1214452956.629 1214452989.223 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.71.131'