Infected Target: 192.168.1.111
Score: 1.0 (>= 0.8)
Infector List:
Egg Source List: 210.51.166.223
C & C List: 204.137.28.195
Peer Coord. List:
Resource List:
Observed Start: 11/21/2009 10:09:05.137 PST
Gen. Time: 11/21/2009 10:10:33.157 PST

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
  210.51.166.223 (10:09:05.137 PST)
    event=1:2008100 {tcp} E3[rb] ET TROJAN PRG/wnspoem/Zeus InfoStealer Trojan Config Download, [/neo/cfg.bin]
      MAC_Src: 00:0E:39:E0:94:00
      1054->80 (10:09:05.137 PST)
C and C TRAFFIC
  204.137.28.195 (10:10:33.157 PST)
    event=1:2003579 {tcp} E4[rb] ET MALWARE Findwhat.com Spyware (clickthrough), [/bin/findwhat.dll?clickthrough&y=52593&x=:J86x75owrR6trTPiapZZoljv3gqwtBNwSjtYoCC5MGKx0:Ojd7Qq3vbwf5y;Mx;2Rgpaox6MMd91oBiy2cWCM]
      MAC_Src: 00:0E:39:E0:94:00
      1330->80 (10:10:33.157 PST)
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
DECLARE BOT

tcpslice 1258826945.137 1258826945.138 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.111'

============================== SEPARATOR ================================

Infected Target: 192.168.1.111
Score: 1.0 (>= 0.8)
Infector List:
Egg Source List: 210.51.166.223
C & C List: 204.137.28.195 (2)
Peer Coord. List:
Resource List:
Observed Start: 11/21/2009 10:09:05.137 PST
Gen. Time: 11/21/2009 10:13:06.124 PST

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
  210.51.166.223 (10:09:05.137 PST)
    event=1:2008100 {tcp} E3[rb] ET TROJAN PRG/wnspoem/Zeus InfoStealer Trojan Config Download, [/neo/cfg.bin]
      MAC_Src: 00:0E:39:E0:94:00
      1054->80 (10:09:05.137 PST)
C and C TRAFFIC
  204.137.28.195 (2) (10:10:33.157 PST)
    event=1:2003579 (2) {tcp} E4[rb] ET MALWARE Findwhat.com Spyware (clickthrough), [/bin/findwhat.dll?clickthrough&y=52593&x=:J86x75owrR6trTPiapZZoljv3gqwtBNwSjtYoCC5MGKx0:Ojd7Qq3vbwf5y;Mx;2Rgpaox6MMd91oBiy2cWCM]
      MAC_Src: 00:0E:39:E0:94:00
      1330->80 (10:10:33.157 PST)
      1330->80 (10:10:33.342 PST)
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
DECLARE BOT

tcpslice 1258826945.137 1258826945.138 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.111'

============================== SEPARATOR ================================

Infected Target: 192.168.1.111
Score: 1.0 (>= 0.8)
Infector List:
Egg Source List: 91.212.226.178
C & C List: 204.137.28.195
Peer Coord. List:
Resource List:
Observed Start: 11/21/2009 13:03:48.319 PST
Gen. Time: 11/21/2009 13:04:11.179 PST

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
  91.212.226.178 (13:03:48.319 PST)
    event=1:2003179 {tcp} E3[rb] ET POLICY exe download without User Agent, [/setup_233.exe]
      MAC_Src: 00:0E:39:E0:94:00
      1582->80 (13:03:48.319 PST)
C and C TRAFFIC
  204.137.28.195 (13:04:11.179 PST)
    event=1:2003579 {tcp} E4[rb] ET MALWARE Findwhat.com Spyware (clickthrough), [/bin/findwhat.dll?clickthrough&y=52593&x=W2ba9w0Ls:Q2O0nIBceqiqbxEEQUx;tSx9BmrapYsZkN9CY9kq:h:T1GxF2wTe2JpwBsdaSIw:b26qMXYI0aMe]
      MAC_Src: 00:0E:39:E0:94:00
      1682->80 (13:04:11.179 PST)
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
DECLARE BOT

tcpslice 1258837428.319 1258837428.320 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.111'

============================== SEPARATOR ================================

Infected Target: 192.168.1.111
Score: 1.0 (>= 0.8)
Infector List:
Egg Source List: 91.212.226.178
C & C List: 204.137.28.195 (4)
Peer Coord. List:
Resource List:
Observed Start: 11/21/2009 13:03:48.319 PST
Gen. Time: 11/21/2009 13:07:48.810 PST

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
  91.212.226.178 (13:03:48.319 PST)
    event=1:2003179 {tcp} E3[rb] ET POLICY exe download without User Agent, [/setup_233.exe]
      MAC_Src: 00:0E:39:E0:94:00
      1582->80 (13:03:48.319 PST)
C and C TRAFFIC
  204.137.28.195 (4) (13:04:11.179 PST)
    event=1:2003579 (4) {tcp} E4[rb] ET MALWARE Findwhat.com Spyware (clickthrough), [/bin/findwhat.dll?clickthrough&y=52593&x=W2ba9w0Ls:Q2O0nIBceqiqbxEEQUx;tSx9BmrapYsZkN9CY9kq:h:T1GxF2wTe2JpwBsdaSIw:b26qMXYI0aMe]
      MAC_Src: 00:0E:39:E0:94:00
      1682->80 (13:04:11.179 PST)
      1683->80 (13:04:11.457 PST)
      2377->80 (13:05:04.979 PST)
      2410->80 (13:05:07.384 PST)
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
DECLARE BOT

tcpslice 1258837428.319 1258837428.320 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.111'

============================== SEPARATOR ================================

Infected Target: 192.168.1.111
Score: 1.0 (>= 0.8)
Infector List:
Egg Source List: 91.212.226.178
C & C List: 204.137.28.195 (2), 66.150.51.154
Peer Coord. List:
Resource List:
Observed Start: 11/21/2009 13:17:57.337 PST
Gen. Time: 11/21/2009 13:19:00.626 PST

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
  91.212.226.178 (13:19:00.626 PST)
    event=1:2003179 {tcp} E3[rb] ET POLICY exe download without User Agent, [/setup_233.exe]
      MAC_Src: 00:0E:39:E0:94:00
      3610->80 (13:19:00.626 PST)
C and C TRAFFIC
  204.137.28.195 (2) (13:17:58.403 PST)
    event=1:2003579 (2) {tcp} E4[rb] ET MALWARE Findwhat.com Spyware (clickthrough), [/bin/findwhat.dll?clickthrough&y=55686&x=mJ7LKEp0wAc6:Ad9U3Cq1SD:Y3ReJJaWJdj9YSCQFM5cKDgsjd8nevTEJiGlHvXUyzdDxJDGCFoYAtR;2DajQF]
      MAC_Src: 00:0E:39:E0:94:00
      3472->80 (13:17:58.403 PST)
      3473->80 (13:17:58.713 PST)
  66.150.51.154 (13:17:57.337 PST)
    event=1:2003581 {tcp} E4[rb] ET MALWARE Findwhat.com Spyware (sendmedia), [/bin/findwhat.dll?sendmedia&d=mFTwE23XJ:0K:Av;wk3DSoBZY35aUa5Ai5geY5lKAE7cSEN5jaa153pKSEdXkkpCAoTnb2Nc:rBO1RPeDJNSgaGBLb8MlDGaI]
      MAC_Src: 00:0E:39:E0:94:00
      3469->80 (13:17:57.337 PST)
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
DECLARE BOT

tcpslice 1258838277.337 1258838277.338 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.111'

============================== SEPARATOR ================================

Infected Target: 192.168.1.111
Score: 1.0 (>= 0.8)
Infector List:
Egg Source List: 91.212.226.178
C & C List: 204.137.28.195
Peer Coord. List:
Resource List:
Observed Start: 11/21/2009 13:29:08.894 PST
Gen. Time: 11/21/2009 13:30:27.861 PST

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
  91.212.226.178 (13:29:08.894 PST)
    event=1:2003179 {tcp} E3[rb] ET POLICY exe download without User Agent, [/setup_233.exe]
      MAC_Src: 00:0E:39:E0:94:00
      4037->80 (13:29:08.894 PST)
C and C TRAFFIC
  204.137.28.195 (13:30:27.861 PST)
    event=1:2003579 {tcp} E4[rb] ET MALWARE Findwhat.com Spyware (clickthrough), [/bin/findwhat.dll?clickthrough&y=52593&x=RUiik2SIWcYW;u;oeYIXAOWdMxOti6IfWTrc;OtVQQYOkDAxuOrnNi8A2ZIDCu4DijAlXEjTOueoAT4AtXTZtQ]
      MAC_Src: 00:0E:39:E0:94:00
      4120->80 (13:30:27.861 PST)
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
DECLARE BOT

tcpslice 1258838948.894 1258838948.895 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.111'

============================== SEPARATOR ================================

Infected Target: 192.168.1.111
Score: 1.0 (>= 0.8)
Infector List:
Egg Source List: 91.212.226.178
C & C List: 204.137.28.195 (2)
Peer Coord. List:
Resource List:
Observed Start: 11/21/2009 13:29:08.894 PST
Gen. Time: 11/21/2009 13:33:15.073 PST

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
  91.212.226.178 (13:29:08.894 PST)
    event=1:2003179 {tcp} E3[rb] ET POLICY exe download without User Agent, [/setup_233.exe]
      MAC_Src: 00:0E:39:E0:94:00
      4037->80 (13:29:08.894 PST)
C and C TRAFFIC
  204.137.28.195 (2) (13:30:27.861 PST)
    event=1:2003579 (2) {tcp} E4[rb] ET MALWARE Findwhat.com Spyware (clickthrough), [/bin/findwhat.dll?clickthrough&y=52593&x=RUiik2SIWcYW;u;oeYIXAOWdMxOti6IfWTrc;OtVQQYOkDAxuOrnNi8A2ZIDCu4DijAlXEjTOueoAT4AtXTZtQ]
      MAC_Src: 00:0E:39:E0:94:00
      4120->80 (13:30:27.861 PST)
      4123->80 (13:30:28.199 PST)
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
DECLARE BOT

tcpslice 1258838948.894 1258838948.895 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.111'

============================== SEPARATOR ================================

Infected Target: 192.168.1.111
Score: 1.0 (>= 0.8)
Infector List:
Egg Source List: 91.212.226.178
C & C List: 66.150.51.151
Peer Coord. List:
Resource List:
Observed Start: 11/21/2009 13:49:25.707 PST
Gen. Time: 11/21/2009 13:50:44.521 PST

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
  91.212.226.178 (13:49:25.707 PST)
    event=1:2003179 {tcp} E3[rb] ET POLICY exe download without User Agent, [/setup_233.exe]
      MAC_Src: 00:0E:39:E0:94:00
      4657->80 (13:49:25.707 PST)
C and C TRAFFIC
  66.150.51.151 (13:50:44.521 PST)
    event=1:2003579 {tcp} E4[rb] ET MALWARE Findwhat.com Spyware (clickthrough), [/bin/findwhat.dll?clickthrough&y=52593&x=3uxAbfargYIt2CF0C9IDLsefi9yCT6IINaISkaIhaYyELlF41msRzI2LB4laIgPATl5NHTatngfFuupaBNet1I]
      MAC_Src: 00:0E:39:E0:94:00
      4698->80 (13:50:44.521 PST)
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
DECLARE BOT

tcpslice 1258840165.707 1258840165.708 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.111'

============================== SEPARATOR ================================

Infected Target: 192.168.1.111
Score: 1.0 (>= 0.8)
Infector List:
Egg Source List: 91.212.226.178
C & C List: 66.150.51.151 (2)
Peer Coord. List:
Resource List:
Observed Start: 11/21/2009 13:49:25.707 PST
Gen. Time: 11/21/2009 13:53:28.626 PST

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
  91.212.226.178 (13:49:25.707 PST)
    event=1:2003179 {tcp} E3[rb] ET POLICY exe download without User Agent, [/setup_233.exe]
      MAC_Src: 00:0E:39:E0:94:00
      4657->80 (13:49:25.707 PST)
C and C TRAFFIC
  66.150.51.151 (2) (13:50:44.521 PST)
    event=1:2003579 (2) {tcp} E4[rb] ET MALWARE Findwhat.com Spyware (clickthrough), [/bin/findwhat.dll?clickthrough&y=52593&x=3uxAbfargYIt2CF0C9IDLsefi9yCT6IINaISkaIhaYyELlF41msRzI2LB4laIgPATl5NHTatngfFuupaBNet1I]
      MAC_Src: 00:0E:39:E0:94:00
      4698->80 (13:50:44.521 PST)
      4700->80 (13:50:44.689 PST)
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
DECLARE BOT

tcpslice 1258840165.707 1258840165.708 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.111'

============================== SEPARATOR ================================

Infected Target: 192.168.1.111
Score: 1.0 (>= 0.8)
Infector List:
Egg Source List: 210.51.166.223, 91.212.226.178
C & C List: 204.137.28.195
Peer Coord. List:
Resource List:
Observed Start: 11/21/2009 13:59:33.841 PST
Gen. Time: 11/21/2009 14:02:51.613 PST

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
  210.51.166.223 (14:01:46.156 PST)
    event=1:2008100 {tcp} E3[rb] ET TROJAN PRG/wnspoem/Zeus InfoStealer Trojan Config Download, [/neo/cfg.bin]
      MAC_Src: 00:0E:39:E0:94:00
      2370->80 (14:01:46.156 PST)
  91.212.226.178 (13:59:33.841 PST)
    event=1:2003179 {tcp} E3[rb] ET POLICY exe download without User Agent, [/setup_233.exe]
      MAC_Src: 00:0E:39:E0:94:00
      2194->80 (13:59:33.841 PST)
C and C TRAFFIC
  204.137.28.195 (14:02:51.613 PST)
    event=1:2003579 {tcp} E4[rb] ET MALWARE Findwhat.com Spyware (clickthrough), [/bin/findwhat.dll?clickthrough&y=52593&x=lG84pfmPnkNa25vY8TjH1qgl8iCEhGz5IbJTKb8pnJ5CkbO2OcyW9;BU7y0lwY9AX4PKpqy4pYxCk9N;Wa6aIr]
      MAC_Src: 00:0E:39:E0:94:00
      2634->80 (14:02:51.613 PST)
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
DECLARE BOT

tcpslice 1258840773.841 1258840773.842 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.111'

============================== SEPARATOR ================================

Infected Target: 192.168.1.111
Score: 1.0 (>= 0.8)
Infector List:
Egg Source List: 210.51.166.223, 91.212.226.178
C & C List: 204.137.28.195 (2)
Peer Coord. List:
Resource List:
Observed Start: 11/21/2009 13:59:33.841 PST
Gen. Time: 11/21/2009 14:03:34.137 PST

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
  210.51.166.223 (14:01:46.156 PST)
    event=1:2008100 {tcp} E3[rb] ET TROJAN PRG/wnspoem/Zeus InfoStealer Trojan Config Download, [/neo/cfg.bin]
      MAC_Src: 00:0E:39:E0:94:00
      2370->80 (14:01:46.156 PST)
  91.212.226.178 (13:59:33.841 PST)
    event=1:2003179 {tcp} E3[rb] ET POLICY exe download without User Agent, [/setup_233.exe]
      MAC_Src: 00:0E:39:E0:94:00
      2194->80 (13:59:33.841 PST)
C and C TRAFFIC
  204.137.28.195 (2) (14:02:51.613 PST)
    event=1:2003579 (2) {tcp} E4[rb] ET MALWARE Findwhat.com Spyware (clickthrough), [/bin/findwhat.dll?clickthrough&y=52593&x=lG84pfmPnkNa25vY8TjH1qgl8iCEhGz5IbJTKb8pnJ5CkbO2OcyW9;BU7y0lwY9AX4PKpqy4pYxCk9N;Wa6aIr]
      MAC_Src: 00:0E:39:E0:94:00
      2634->80 (14:02:51.613 PST)
      2636->80 (14:02:51.892 PST)
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
DECLARE BOT

tcpslice 1258840773.841 1258840773.842 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.111'

============================== SEPARATOR ================================

Infected Target: 192.168.1.111
Score: 1.0 (>= 0.8)
Infector List:
Egg Source List: 91.212.226.178
C & C List: 66.150.51.151
Peer Coord. List:
Resource List:
Observed Start: 11/21/2009 14:04:37.873 PST
Gen. Time: 11/21/2009 14:05:26.888 PST

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
  91.212.226.178 (14:04:37.873 PST)
    event=1:2003179 {tcp} E3[rb] ET POLICY exe download without User Agent, [/setup_233.exe]
      MAC_Src: 00:0E:39:E0:94:00
      2804->80 (14:04:37.873 PST)
C and C TRAFFIC
  66.150.51.151 (14:05:26.888 PST)
    event=1:2003579 {tcp} E4[rb] ET MALWARE Findwhat.com Spyware (clickthrough), [/bin/findwhat.dll?clickthrough&y=52593&x=Pn9v4B2KfJaf:Js7HUUYmg7:OUa3jhKUfgg8tXC2nVasmg9OkgLldgKUUla0WwY9vk9e;PEzoLjPdgD0UYGU:z]
      MAC_Src: 00:0E:39:E0:94:00
      2931->80 (14:05:26.888 PST)
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
DECLARE BOT

tcpslice 1258841077.873 1258841077.874 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.111'

============================== SEPARATOR ================================

Infected Target: 192.168.1.111
Score: 1.0 (>= 0.8)
Infector List:
Egg Source List: 91.212.226.178
C & C List: 66.150.51.151 (3)
Peer Coord. List:
Resource List:
Observed Start: 11/21/2009 14:04:37.873 PST
Gen. Time: 11/21/2009 14:08:44.164 PST

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
  91.212.226.178 (14:04:37.873 PST)
    event=1:2003179 {tcp} E3[rb] ET POLICY exe download without User Agent, [/setup_233.exe]
      MAC_Src: 00:0E:39:E0:94:00
      2804->80 (14:04:37.873 PST)
C and C TRAFFIC
  66.150.51.151 (3) (14:05:26.888 PST)
    event=1:2003579 (3) {tcp} E4[rb] ET MALWARE Findwhat.com Spyware (clickthrough), [/bin/findwhat.dll?clickthrough&y=52593&x=Pn9v4B2KfJaf:Js7HUUYmg7:OUa3jhKUfgg8tXC2nVasmg9OkgLldgKUUla0WwY9vk9e;PEzoLjPdgD0UYGU:z]
      MAC_Src: 00:0E:39:E0:94:00
      2931->80 (14:05:26.888 PST)
      3031->80 (14:06:13.653 PST)
      3033->80 (14:06:13.872 PST)
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
DECLARE BOT

tcpslice 1258841077.873 1258841077.874 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.111'

============================== SEPARATOR ================================

Infected Target: 192.168.1.111
Score: 1.0 (>= 0.8)
Infector List:
Egg Source List: 91.212.226.178, 210.51.166.223
C & C List: 204.137.28.195
Peer Coord. List:
Resource List:
Observed Start: 11/21/2009 14:25:56.165 PST
Gen. Time: 11/21/2009 14:28:11.908 PST

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
  91.212.226.178 (14:26:02.911 PST)
    event=1:2003179 {tcp} E3[rb] ET POLICY exe download without User Agent, [/setup_233.exe]
      MAC_Src: 00:0E:39:E0:94:00
      1048->80 (14:26:02.911 PST)
  210.51.166.223 (14:25:56.165 PST)
    event=1:2008100 {tcp} E3[rb] ET TROJAN PRG/wnspoem/Zeus InfoStealer Trojan Config Download, [/neo/cfg.bin]
      MAC_Src: 00:0E:39:E0:94:00
      1036->80 (14:25:56.165 PST)
C and C TRAFFIC
  204.137.28.195 (14:28:11.908 PST)
    event=1:2003579 {tcp} E4[rb] ET MALWARE Findwhat.com Spyware (clickthrough), [/bin/findwhat.dll?clickthrough&y=52593&x=zVpudzznfsBwBskDIYr3HDaGBqS;j;rp3gr647at1PDIHgfZqgjAkISxsfSJZtzlUwUxw1BM7qIu5gAJ;Izanq]
      MAC_Src: 00:0E:39:E0:94:00
      1148->80 (14:28:11.908 PST)
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
DECLARE BOT

tcpslice 1258842356.165 1258842356.166 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.111'

============================== SEPARATOR ================================

Infected Target: 192.168.1.111
Score: 1.0 (>= 0.8)
Infector List:
Egg Source List: 91.212.226.178, 210.51.166.223
C & C List: 204.137.28.195 (2)
Peer Coord. List:
Resource List:
Observed Start: 11/21/2009 14:25:56.165 PST
Gen. Time: 11/21/2009 14:29:41.816 PST

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
  91.212.226.178 (14:26:02.911 PST)
    event=1:2003179 {tcp} E3[rb] ET POLICY exe download without User Agent, [/setup_233.exe]
      MAC_Src: 00:0E:39:E0:94:00
      1048->80 (14:26:02.911 PST)
  210.51.166.223 (14:25:56.165 PST)
    event=1:2008100 {tcp} E3[rb] ET TROJAN PRG/wnspoem/Zeus InfoStealer Trojan Config Download, [/neo/cfg.bin]
      MAC_Src: 00:0E:39:E0:94:00
      1036->80 (14:25:56.165 PST)
C and C TRAFFIC
  204.137.28.195 (2) (14:28:11.908 PST)
    event=1:2003579 (2) {tcp} E4[rb] ET MALWARE Findwhat.com Spyware (clickthrough), [/bin/findwhat.dll?clickthrough&y=52593&x=zVpudzznfsBwBskDIYr3HDaGBqS;j;rp3gr647at1PDIHgfZqgjAkISxsfSJZtzlUwUxw1BM7qIu5gAJ;Izanq]
      MAC_Src: 00:0E:39:E0:94:00
      1148->80 (14:28:11.908 PST)
      1150->80 (14:28:12.112 PST)
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
DECLARE BOT

tcpslice 1258842356.165 1258842356.166 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.111'

============================== SEPARATOR ================================