Score: 0.8 (>= 0.8) Infected Target: 192.168.1.154 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 03/16/2011 20:03:54.137 PDT Gen. Time: 03/16/2011 20:03:54.137 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 65.19.251.75 (20:03:54.137 PDT) event=1:9910023 {tcp} E8[rb] BotHunter Malware propagation attack source, [] MAC_Src: 00:30:48:30:03:AF 135->2363 (20:03:54.137 PDT) tcpslice 1300331034.137 1300331034.138 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.154' ============================== SEPARATOR ================================ Score: 2.1 (>= 0.8) Infected Target: 192.168.1.154 Infector List: 65.19.251.75 Egg Source List: 65.19.251.75 C & C List: Peer Coord. List: Resource List: Observed Start: 03/16/2011 20:03:54.137 PDT Gen. Time: 03/16/2011 20:07:46.778 PDT INBOUND SCAN EXPLOIT 65.19.251.75 (2) (20:03:54.292 PDT) event=1:22351 {tcp} E2[rb] REGISTERED FREE NETBIOS DCERPC ISystemActivator path overflow attempt little endian unicode, [] MAC_Dst: 00:30:48:30:03:AE 135<-2363 (20:03:54.292 PDT) ------------------------- event=1:2299913 {tcp} E2[rb] ET SHELLCODE x86 0x90 unicode NOOP, [] MAC_Dst: 00:30:48:30:03:AE 135<-2363 (20:03:54.292 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 65.19.251.75 (6) (20:03:55.802 PDT) event=1:1444 (2) {udp} E3[rb] TFTP GET from external source, [] MAC_Src: 00:30:48:30:03:AF 1028->69 (20:03:55.802 PDT) 1029->69 (20:04:03.764 PDT) ------------------------- event=1:2008120 (2) {udp} E3[rb] ET POLICY Outbound TFTP Read Request, [] MAC_Src: 00:30:48:30:03:AF 1028->69 (20:03:55.802 PDT) 1029->69 (20:04:03.764 PDT) ------------------------- event=1:3001441 (2) {udp} E3[rb] TFTP GET .exe from external source, [] MAC_Src: 00:30:48:30:03:AF 1028->69 (20:03:55.802 PDT) 1029->69 (20:04:03.764 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN 65.19.251.75 (20:03:54.467 PDT) event=1:552123 {tcp} E5[rb] REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner, [] MAC_Src: 00:30:48:30:03:AE 1027->707 (20:03:54.467 PDT) ATTACK PREP PEER COORDINATION DECLARE BOT 65.19.251.75 (20:03:54.137 PDT) event=1:9910023 {tcp} E8[rb] BotHunter Malware propagation attack source, [] MAC_Src: 00:30:48:30:03:AF 135->2363 (20:03:54.137 PDT) tcpslice 1300331034.137 1300331034.138 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.154' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.154 Infector List: 218.219.219.52 Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 03/16/2011 20:48:02.084 PDT Gen. Time: 03/16/2011 20:48:02.322 PDT INBOUND SCAN EXPLOIT 218.219.219.52 (2) (20:48:02.084 PDT) event=1:22351 {tcp} E2[rb] REGISTERED FREE NETBIOS DCERPC ISystemActivator path overflow attempt little endian unicode, [] MAC_Dst: 00:30:48:30:03:AE 135<-2311 (20:48:02.084 PDT) ------------------------- event=1:2299913 {tcp} E2[rb] ET SHELLCODE x86 0x90 unicode NOOP, [] MAC_Dst: 00:30:48:30:03:AE 135<-2311 (20:48:02.084 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN 218.219.219.52 (20:48:02.322 PDT) event=1:552123 {tcp} E5[rb] REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner, [] MAC_Src: 00:30:48:30:03:AE 1027->707 (20:48:02.322 PDT) ATTACK PREP PEER COORDINATION DECLARE BOT tcpslice 1300333682.084 1300333682.085 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.154' ============================== SEPARATOR ================================ Score: 1.3 (>= 0.8) Infected Target: 192.168.1.154 Infector List: 218.219.219.52 Egg Source List: 218.219.219.52 C & C List: Peer Coord. List: Resource List: Observed Start: 03/16/2011 20:48:02.084 PDT Gen. Time: 03/16/2011 20:52:10.799 PDT INBOUND SCAN EXPLOIT 218.219.219.52 (2) (20:48:02.084 PDT) event=1:22351 {tcp} E2[rb] REGISTERED FREE NETBIOS DCERPC ISystemActivator path overflow attempt little endian unicode, [] MAC_Dst: 00:30:48:30:03:AE 135<-2311 (20:48:02.084 PDT) ------------------------- event=1:2299913 {tcp} E2[rb] ET SHELLCODE x86 0x90 unicode NOOP, [] MAC_Dst: 00:30:48:30:03:AE 135<-2311 (20:48:02.084 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 218.219.219.52 (6) (20:48:03.860 PDT) event=1:1444 (2) {udp} E3[rb] TFTP GET from external source, [] MAC_Src: 00:30:48:30:03:AF 1028->69 (20:48:03.860 PDT) 1029->69 (20:48:13.193 PDT) ------------------------- event=1:2008120 (2) {udp} E3[rb] ET POLICY Outbound TFTP Read Request, [] MAC_Src: 00:30:48:30:03:AF 1028->69 (20:48:03.860 PDT) 1029->69 (20:48:13.193 PDT) ------------------------- event=1:3001441 (2) {udp} E3[rb] TFTP GET .exe from external source, [] MAC_Src: 00:30:48:30:03:AF 1028->69 (20:48:03.860 PDT) 1029->69 (20:48:13.193 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN 218.219.219.52 (20:48:02.322 PDT) event=1:552123 {tcp} E5[rb] REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner, [] MAC_Src: 00:30:48:30:03:AE 1027->707 (20:48:02.322 PDT) ATTACK PREP PEER COORDINATION DECLARE BOT tcpslice 1300333682.084 1300333682.085 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.154' ============================== SEPARATOR ================================