Score: 0.9 (>= 0.8)
Infected Target: 192.168.1.127
Infector List:
Egg Source List: 72.21.194.16, 216.137.37.131
C & C List: 209.159.151.3
Peer Coord. List:
Resource List:
Observed Start: 06/20/2011 11:33:47.754 PDT
Gen. Time: 06/20/2011 11:35:47.738 PDT

INBOUND SCAN

EXPLOIT

EXPLOIT MALWARE DNS

EGG DOWNLOAD
72.21.194.16 (3) (11:33:47.754 PDT)
 event=1:2000419 {tcp} E3[rb] ET POLICY PE EXE or DLL Windows file download, [] MAC_Src: 00:21:1C:EE:14:00
 50178<-80 (11:33:47.891 PDT)
 -------------------------
 event=1:2003179 {tcp} E3[rb] ET POLICY exe download without User Agent, [/36000/36486/ud_200/SoftonicDownloader_for_eclipse.exe?AWSAccessKeyId=0HXVA1YMG3HX1XDSGT02&Expires=1308611233&Signature=KVjtTAN] MAC_Src: 00:01:64:FF:CE:EA
 50178->80 (11:33:47.754 PDT)
 -------------------------
 event=1:2007671 {tcp} E3[rb] ET POLICY Binary Download Smaller than 1 MB Likely Hostile, [] MAC_Src: 00:21:1C:EE:14:00
 50178<-80 (11:33:47.891 PDT)
216.137.37.131 (8) (11:34:39.435 PDT)
 event=1:2000419 (2) {tcp} E3[rb] ET POLICY PE EXE or DLL Windows file download, [] MAC_Src: 00:21:1C:EE:14:00
 50208<-80 (11:34:39.448 PDT)
 50209<-80 (11:34:39.533 PDT)
 -------------------------
 event=1:2003179 (2) {tcp} E3[rb] ET POLICY exe download without User Agent, [/315000/315777/97143/softonic-us-silent.exe?SD_used=1&Policy=eyJTdGF0ZW1lbnQiOlt7IlJlc291cmNlIjoiaHR0cDpcL1wvc2QtY2YuZW4uc29mdG] MAC_Src: 00:01:64:FF:CE:EA
 50208->80 (11:34:39.435 PDT)
 50209->80 (11:34:39.526 PDT)
 -------------------------
 event=1:2007671 (2) {tcp} E3[rb] ET POLICY Binary Download Smaller than 1 MB Likely Hostile, [] MAC_Src: 00:21:1C:EE:14:00
 50208<-80 (11:34:39.448 PDT)
 50209<-80 (11:34:39.533 PDT)
 -------------------------
 event=1:3300007 (2) {tcp} E3[rb] BotHunter Malware Windows executable (PE) sent from remote host, [] MAC_Src: 00:21:1C:EE:14:00
 50208<-80 (11:34:39.448 PDT)
 50209<-80 (11:34:39.533 PDT)

C and C TRAFFIC

C and C TRAFFIC (RBN)
209.159.151.3 (11:35:47.738 PDT)
 event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:01:64:FF:CE:EA
 50215->80 (11:35:47.738 PDT)

C and C DNS CHECK-IN

OUTBOUND SKYPE CANDIDATE

OUTBOUND SCAN (spp)

OUTBOUND SCAN

ATTACK PREP

PEER COORDINATION

DECLARE BOT

tcpslice 1308594827.754 1308594827.755 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.127'

============================== SEPARATOR ================================

Score: 0.9 (>= 0.8)
Infected Target: 192.168.1.127
Infector List:
Egg Source List: 68.142.79.70, 72.21.194.16, 66.235.138.19, 216.137.37.131
C & C List: 209.159.151.3
Peer Coord. List:
Resource List:
Observed Start: 06/20/2011 11:33:47.754 PDT
Gen. Time: 06/20/2011 11:40:18.573 PDT

INBOUND SCAN

EXPLOIT

EXPLOIT MALWARE DNS

EGG DOWNLOAD
68.142.79.70 (4) (11:36:46.876 PDT)
 event=1:2000419 {tcp} E3[rb] ET POLICY PE EXE or DLL Windows file download, [] MAC_Src: 00:21:1C:EE:14:00
 50242<-80 (11:36:46.971 PDT)
 -------------------------
 event=1:2003179 {tcp} E3[rb] ET POLICY exe download without User Agent, [/auth/otn-pub/java/java_ee_sdk/6u2-wjdk-6u26/java_ee_sdk-6u2-jdk-windows-x64-ml.exe?e=1308595813&h=074ef2b2440a3ec27eca785d8158] MAC_Src: 00:01:64:FF:CE:EA
 50242->80 (11:36:46.956 PDT)
 -------------------------
 event=1:2007671 {tcp} E3[rb] ET POLICY Binary Download Smaller than 1 MB Likely Hostile, [] MAC_Src: 00:21:1C:EE:14:00
 50242<-80 (11:36:46.876 PDT)
 -------------------------
 event=1:3300007 {tcp} E3[rb] BotHunter Malware Windows executable (PE) sent from remote host, [] MAC_Src: 00:21:1C:EE:14:00
 50242<-80 (11:36:46.971 PDT)
72.21.194.16 (3) (11:33:47.754 PDT)
 event=1:2000419 {tcp} E3[rb] ET POLICY PE EXE or DLL Windows file download, [] MAC_Src: 00:21:1C:EE:14:00
 50178<-80 (11:33:47.891 PDT)
 -------------------------
 event=1:2003179 {tcp} E3[rb] ET POLICY exe download without User Agent, [/36000/36486/ud_200/SoftonicDownloader_for_eclipse.exe?AWSAccessKeyId=0HXVA1YMG3HX1XDSGT02&Expires=1308611233&Signature=KVjtTAN] MAC_Src: 00:01:64:FF:CE:EA
 50178->80 (11:33:47.754 PDT)
 -------------------------
 event=1:2007671 {tcp} E3[rb] ET POLICY Binary Download Smaller than 1 MB Likely Hostile, [] MAC_Src: 00:21:1C:EE:14:00
 50178<-80 (11:33:47.891 PDT)
66.235.138.19 (11:36:46.334 PDT)
 event=1:2003179 {tcp} E3[rb] ET POLICY exe download without User Agent, [/b/ss/oracleglobal,oracleotnlive/1/H.19.4/s63043506573885?AQB=1&ndh=1&t=20/5/2011 11:40:15 1 420&g=http:/www.oracle.com/technet] MAC_Src: 00:01:64:FF:CE:EA
 50241->80 (11:36:46.334 PDT)
216.137.37.131 (8) (11:34:39.435 PDT)
 event=1:2000419 (2) {tcp} E3[rb] ET POLICY PE EXE or DLL Windows file download, [] MAC_Src: 00:21:1C:EE:14:00
 50208<-80 (11:34:39.448 PDT)
 50209<-80 (11:34:39.533 PDT)
 -------------------------
 event=1:2003179 (2) {tcp} E3[rb] ET POLICY exe download without User Agent, [/315000/315777/97143/softonic-us-silent.exe?SD_used=1&Policy=eyJTdGF0ZW1lbnQiOlt7IlJlc291cmNlIjoiaHR0cDpcL1wvc2QtY2YuZW4uc29mdG] MAC_Src: 00:01:64:FF:CE:EA
 50208->80 (11:34:39.435 PDT)
 50209->80 (11:34:39.526 PDT)
 -------------------------
 event=1:2007671 (2) {tcp} E3[rb] ET POLICY Binary Download Smaller than 1 MB Likely Hostile, [] MAC_Src: 00:21:1C:EE:14:00
 50208<-80 (11:34:39.448 PDT)
 50209<-80 (11:34:39.533 PDT)
 -------------------------
 event=1:3300007 (2) {tcp} E3[rb] BotHunter Malware Windows executable (PE) sent from remote host, [] MAC_Src: 00:21:1C:EE:14:00
 50208<-80 (11:34:39.448 PDT)
 50209<-80 (11:34:39.533 PDT)

C and C TRAFFIC

C and C TRAFFIC (RBN)
209.159.151.3 (11:35:47.738 PDT)
 event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:01:64:FF:CE:EA
 50215->80 (11:35:47.738 PDT)

C and C DNS CHECK-IN

OUTBOUND SKYPE CANDIDATE

OUTBOUND SCAN (spp)

OUTBOUND SCAN

ATTACK PREP

PEER COORDINATION

DECLARE BOT

tcpslice 1308594827.754 1308594827.755 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.127'

============================== SEPARATOR ================================

Score: 0.9 (>= 0.8)
Infected Target: 192.168.1.127
Infector List:
Egg Source List: 140.174.24.65
C & C List: 209.190.113.190
Peer Coord. List:
Resource List:
Observed Start: 06/20/2011 16:12:00.713 PDT
Gen. Time: 06/20/2011 16:12:01.049 PDT

INBOUND SCAN

EXPLOIT

EXPLOIT MALWARE DNS

EGG DOWNLOAD
140.174.24.65 (16:12:00.713 PDT)
 event=1:2003179 {tcp} E3[rb] ET POLICY exe download without User Agent, [/b?c1=2&c2=7531640&rn=569320761&c7=http:/loadus.exelator.com/load/?p=133&g=001&c=288656&ctg=&subctg=&product=&retailer=&brand=&] MAC_Src: 00:01:64:FF:CE:EA
 52712->80 (16:12:00.713 PDT)

C and C TRAFFIC

C and C TRAFFIC (RBN)
209.190.113.190 (16:12:01.049 PDT)
 event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [2%0E%B3%99oK%8E)%17%00%00T,20110620 19:15:23%0A%17%00%00T,20110620] MAC_Src: 00:01:64:FF:CE:EA
 52721->80 (16:12:01.049 PDT)

C and C DNS CHECK-IN

OUTBOUND SKYPE CANDIDATE

OUTBOUND SCAN (spp)

OUTBOUND SCAN

ATTACK PREP

PEER COORDINATION

DECLARE BOT

tcpslice 1308611520.713 1308611520.714 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.127'

============================== SEPARATOR ================================

Score: 0.9 (>= 0.8)
Infected Target: 192.168.1.127
Infector List:
Egg Source List: 140.174.24.65, 64.210.61.131
C & C List: 209.190.113.190
Peer Coord. List:
Resource List:
Observed Start: 06/20/2011 16:12:00.713 PDT
Gen. Time: 06/20/2011 16:14:54.591 PDT

INBOUND SCAN

EXPLOIT

EXPLOIT MALWARE DNS

EGG DOWNLOAD
140.174.24.65 (2) (16:12:00.713 PDT)
 event=1:2003179 (2) {tcp} E3[rb] ET POLICY exe download without User Agent, [/b?c1=2&c2=7531640&rn=569320761&c7=http:/loadus.exelator.com/load/?p=133&g=001&c=288656&ctg=&subctg=&product=&retailer=&brand=&] MAC_Src: 00:01:64:FF:CE:EA
 52712->80 (16:12:00.713 PDT)
 52712->80 (16:12:09.050 PDT)
64.210.61.131 (16:12:09.145 PDT)
 event=1:2003179 {tcp} E3[rb] ET POLICY exe download without User Agent, [/getuid?http:/loadm.exelator.com/load/?p=204&g=011&bi=$UID&j=0] MAC_Src: 00:01:64:FF:CE:EA
 52741->80 (16:12:09.145 PDT)

C and C TRAFFIC

C and C TRAFFIC (RBN)
209.190.113.190 (16:12:01.049 PDT)
 event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [2%0E%B3%99oK%8E)%17%00%00T,20110620 19:15:23%0A%17%00%00T,20110620] MAC_Src: 00:01:64:FF:CE:EA
 52721->80 (16:12:01.049 PDT)

C and C DNS CHECK-IN

OUTBOUND SKYPE CANDIDATE

OUTBOUND SCAN (spp)

OUTBOUND SCAN

ATTACK PREP

PEER COORDINATION

DECLARE BOT

tcpslice 1308611520.713 1308611520.714 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.127'

============================== SEPARATOR ================================