Infected Target: 192.168.1.166
Score: 2.3 (>= 0.8)
Infector List: 130.13.119.77
Egg Source List: 85.114.143.2, 194.90.224.86, 130.13.119.77
C & C List: 194.90.224.86, 210.245.211.11
Peer Coord. List:
Resource List:
Observed Start: 08/01/2008 14:45:44.339 PDT
Report End: 08/01/2008 14:45:44.366 PDT
Gen. Time: 08/01/2008 14:51:54.265 PDT

INBOUND SCAN
130.13.119.77 (14:51:54.265 PDT)
 event=777:7777001 {tcp} E1[bh] Detected intense non-malware scan by 130.13.119.77 (# pkts S/M/O/I=0/34/289/0) of 10 IPs: 192.168.1.166.{445,1032,73} 192.168.237.140.445 192.168.157.90.445 192.168.168.76.445 192.168.131.18.445 192.168.167.196.445 192.168.179.202.445 192.168.143.244.445 192.168.171.76.445 192.168.165.246.445 0<-0 (14:51:54.265 PDT)

EXPLOIT
130.13.119.77 (5) (14:45:44.353 PDT-14:45:44.366 PDT)
 event=1:21390 (2) {tcp} E2[rb] REGISTERED FREE SHELLCODE x86 inc ebx NOOP 2: 445<-1170 (14:45:44.353 PDT-14:45:44.366 PDT)
 -------------------------
 event=1:22001944 {tcp} E2[rb] BLEEDING-EDGE EXPLOIT MS04-007 Kill-Bill ASN1 exploit attempt 445<-1170 (14:45:44.353 PDT)
 -------------------------
 event=1:299998 (2) {tcp} E2[rb] SHELLCODE x86 inc ebx NOOP 2: 445<-1170 (14:45:44.353 PDT-14:45:44.366 PDT)

EXPLOIT (slade)

EGG DOWNLOAD
85.114.143.2 (2) (14:48:46.018 PDT)
 event=1:3000003 (2) {tcp} E3[rb] BotHunter HTTP-based .exe Upload on backdoor port 1038->80 (14:48:46.018 PDT) 1039->80 (14:48:46.623 PDT)
194.90.224.86 (2) (14:48:50.227 PDT)
 event=1:2008394 {tcp} E3[rb] ET CURRENT_EVENTS Likely Trojan-Downloader.Win32.Homles.br (/17PHolmes.cmt) 1040->80 (14:48:50.227 PDT)
 -------------------------
 event=1:2008438 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send a Text File 1040<-80 (14:48:50.450 PDT)
130.13.119.77 (2) (14:45:44.339 PDT)
 event=1:2000427 {tcp} E3[rb] ET POLICY PE EXE Install Windows file download 73<-2750 (14:45:46.113 PDT)
 -------------------------
 event=1:3000006 {tcp} E3[rb] BotHunter MALWARE executable upload 445<-1170 (14:45:44.339 PDT)

C and C TRAFFIC
194.90.224.86 (14:48:50.227 PDT)
 event=1:2006357 {tcp} E4[rb] ET MALWARE Suspicious User Agent - Likely Webhancer Related Spyware (TEST) 1040->80 (14:48:50.227 PDT)
210.245.211.11 (14:48:40.910 PDT)
 event=1:2003603 {tcp} E4[rb] ET TROJAN W32.Virut.A joining an IRC Channel 1037->65520 (14:48:40.910 PDT)

PEER COORDINATION

OUTBOUND SCAN

ATTACK PREP

DECLARE BOT
210.245.211.11 (2) (14:45:49.419 PDT)
 event=1:3000014 (2) {tcp} E8[rb] BotHunter Known Command and Control Server (International) 1034->65520 (14:45:49.419 PDT) 1037->65520 (14:48:22.609 PDT)

tcpslice 1217627144.339 1217627144.367 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.166'

============================== SEPARATOR ================================

Infected Target: 192.168.1.166
Score: 1.0 (>= 0.8)
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 08/01/2008 14:58:59.078 PDT
Gen. Time: 08/01/2008 15:04:38.913 PDT

INBOUND SCAN
130.13.119.77 (2) (15:01:37.308 PDT)
 event=777:7777001 (2) {tcp} E1[bh] Detected intense non-malware scan by 130.13.119.77 (# pkts S/M/O/I=0/56/289/0) of 15 IPs: 192.168.1.166.{445,1032,73} 192.168.224.88.445 192.168.174.20.445 192.168.182.56.445 192.168.154.150.445 192.168.212.92.445 192.168.176.70.445 192.168.143.244.445 192.168.171.76.445 192.168.165.246.445 192.168.168.144.445 192.168.154.222.445 192.168.178.36.445 192.168.198.234.445 192.168.234.126.445 0<-0 (15:01:37.308 PDT) 0<-0 (15:04:38.913 PDT)

EXPLOIT

EXPLOIT (slade)

EGG DOWNLOAD

C and C TRAFFIC

PEER COORDINATION

OUTBOUND SCAN

ATTACK PREP

DECLARE BOT
210.245.211.11 (14:58:59.078 PDT)
 event=1:3000014 {tcp} E8[rb] BotHunter Known Command and Control Server (International) 1037->65520 (14:58:59.078 PDT)

tcpslice 1217627939.078 1217627939.079 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.166'

============================== SEPARATOR ================================