Score: 0.8 (>= 0.8) Infected Target: 192.168.1.170 Infector List: 216.188.236.157 Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 06/20/2011 00:28:09.809 PDT Gen. Time: 06/20/2011 00:28:10.088 PDT INBOUND SCAN EXPLOIT 216.188.236.157 (2) (00:28:09.809 PDT) event=1:22351 {tcp} E2[rb] REGISTERED FREE NETBIOS DCERPC ISystemActivator path overflow attempt little endian unicode, [] MAC_Dst: 00:30:48:30:03:AE 135<-4131 (00:28:09.809 PDT) ------------------------- event=1:2299913 {tcp} E2[rb] ET SHELLCODE x86 0x90 unicode NOOP, [] MAC_Dst: 00:30:48:30:03:AE 135<-4131 (00:28:09.809 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN 216.188.236.157 (00:28:10.088 PDT) event=1:552123 {tcp} E5[rb] REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner, [] MAC_Src: 00:30:48:30:03:AE 1031->707 (00:28:10.088 PDT) ATTACK PREP PEER COORDINATION DECLARE BOT tcpslice 1308554889.809 1308554889.810 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.170' ============================== SEPARATOR ================================ Score: 1.3 (>= 0.8) Infected Target: 192.168.1.170 Infector List: 216.188.236.157 Egg Source List: 216.188.236.157 C & C List: Peer Coord. List: Resource List: Observed Start: 06/20/2011 00:28:09.809 PDT Gen. Time: 06/20/2011 00:32:27.737 PDT INBOUND SCAN EXPLOIT 216.188.236.157 (2) (00:28:09.809 PDT) event=1:22351 {tcp} E2[rb] REGISTERED FREE NETBIOS DCERPC ISystemActivator path overflow attempt little endian unicode, [] MAC_Dst: 00:30:48:30:03:AE 135<-4131 (00:28:09.809 PDT) ------------------------- event=1:2299913 {tcp} E2[rb] ET SHELLCODE x86 0x90 unicode NOOP, [] MAC_Dst: 00:30:48:30:03:AE 135<-4131 (00:28:09.809 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 216.188.236.157 (6) (00:28:11.252 PDT) event=1:1444 (2) {udp} E3[rb] TFTP GET from external source, [] MAC_Src: 00:30:48:30:03:AF 1032->69 (00:28:11.252 PDT) 1033->69 (00:28:15.425 PDT) ------------------------- event=1:2008120 (2) {udp} E3[rb] ET POLICY Outbound TFTP Read Request, [] MAC_Src: 00:30:48:30:03:AF 1032->69 (00:28:11.252 PDT) 1033->69 (00:28:15.425 PDT) ------------------------- event=1:3001441 (2) {udp} E3[rb] TFTP GET .exe from external source, [] MAC_Src: 00:30:48:30:03:AF 1032->69 (00:28:11.252 PDT) 1033->69 (00:28:15.425 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN 216.188.236.157 (00:28:10.088 PDT) event=1:552123 {tcp} E5[rb] REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner, [] MAC_Src: 00:30:48:30:03:AE 1031->707 (00:28:10.088 PDT) ATTACK PREP PEER COORDINATION DECLARE BOT tcpslice 1308554889.809 1308554889.810 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.170' ============================== SEPARATOR ================================ Score: 0.9 (>= 0.8) Infected Target: 192.168.1.170 Infector List: Egg Source List: 140.174.24.211 C & C List: 204.145.83.230 Peer Coord. List: Resource List: Observed Start: 06/20/2011 11:18:06.790 PDT Gen. Time: 06/20/2011 11:18:06.794 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD 140.174.24.211 (11:18:06.790 PDT) event=1:2003179 {tcp} E3[rb] ET POLICY exe download without User Agent, [/b?c1=2&c2=7531640&rn=1017524181&c12=1838583715-441426007-1299255728940&c7=http:/loadus.exelator.com/load/?p=133&g=002&c=288656] MAC_Src: 00:01:64:FF:CE:EA 62188->80 (11:18:06.790 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) 204.145.83.230 (11:18:06.794 PDT) event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:01:64:FF:CE:EA 62212->80 (11:18:06.794 PDT) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT tcpslice 1308593886.790 1308593886.791 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.170' ============================== SEPARATOR ================================ Score: 0.9 (>= 0.8) Infected Target: 192.168.1.170 Infector List: Egg Source List: 140.174.24.178, 140.174.24.211 C & C List: 204.145.83.230 Peer Coord. List: Resource List: Observed Start: 06/20/2011 11:18:06.790 PDT Gen. Time: 06/20/2011 11:21:23.210 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD 140.174.24.178 (11:18:30.241 PDT) event=1:2003179 {tcp} E3[rb] ET POLICY exe download without User Agent, [/b?c1=2&c2=7531640&rn=1856569078&c12=1838583715-441426007-1299255728940&c7=http:/loadus.exelator.com/load/?p=133&g=002&c=288656] MAC_Src: 00:01:64:FF:CE:EA 62257->80 (11:18:30.241 PDT) 140.174.24.211 (11:18:06.790 PDT) event=1:2003179 {tcp} E3[rb] ET POLICY exe download without User Agent, [/b?c1=2&c2=7531640&rn=1017524181&c12=1838583715-441426007-1299255728940&c7=http:/loadus.exelator.com/load/?p=133&g=002&c=288656] MAC_Src: 00:01:64:FF:CE:EA 62188->80 (11:18:06.790 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) 204.145.83.230 (11:18:06.794 PDT) event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:01:64:FF:CE:EA 62212->80 (11:18:06.794 PDT) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT tcpslice 1308593886.790 1308593886.791 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.170' ============================== SEPARATOR ================================ Score: 0.9 (>= 0.8) Infected Target: 192.168.1.170 Infector List: Egg Source List: 140.174.24.211 C & C List: 204.145.83.230 Peer Coord. List: Resource List: Observed Start: 06/20/2011 12:58:47.305 PDT Gen. Time: 06/20/2011 12:58:47.377 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD 140.174.24.211 (12:58:47.377 PDT) event=1:2003179 {tcp} E3[rb] ET POLICY exe download without User Agent, [/b?c1=2&c2=7531640&rn=968451817&c12=1838583715-441426007-1299255728940&c7=http:/loadus.exelator.com/load/?p=133&g=002&c=288656&] MAC_Src: 00:01:64:FF:CE:EA 63982->80 (12:58:47.377 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) 204.145.83.230 (12:58:47.305 PDT) event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:01:64:FF:CE:EA 63979->80 (12:58:47.305 PDT) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT tcpslice 1308599927.305 1308599927.306 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.170' ============================== SEPARATOR ================================ Score: 0.9 (>= 0.8) Infected Target: 192.168.1.170 Infector List: Egg Source List: 140.174.24.211 C & C List: 204.145.83.230 Peer Coord. List: Resource List: Observed Start: 06/20/2011 14:11:01.120 PDT Gen. Time: 06/20/2011 14:11:01.456 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD 140.174.24.211 (14:11:01.120 PDT) event=1:2003179 {tcp} E3[rb] ET POLICY exe download without User Agent, [/b?c1=2&c2=7531640&rn=1782487212&c12=1838583715-441426007-1299255728940&c7=http:/loadus.exelator.com/load/?p=133&g=002&c=288656] MAC_Src: 00:01:64:FF:CE:EA 50170->80 (14:11:01.120 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) 204.145.83.230 (14:11:01.456 PDT) event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [/e/getdata.xgi?dt=br&pkey=dptb89rknys42&ru=http:/loadus.exelator.com/load/?p=242&g=900&na_id=&na_mp=&na_da=] MAC_Src: 00:01:64:FF:CE:EA 50176->80 (14:11:01.456 PDT) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT tcpslice 1308604261.120 1308604261.121 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.170' ============================== SEPARATOR ================================