Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.176
Infector List: 89.122.199.239
Egg Source List: 89.122.199.239
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 06/20/2011 02:37:15.538 PDT
Gen. Time: 06/20/2011 02:37:24.022 PDT

INBOUND SCAN

EXPLOIT
89.122.199.239 (3) (02:37:15.538 PDT)
 event=1:22003081 {tcp} E2[rb] ET EXPLOIT NETBIOS SMB DCERPC NetrpPathCanonicalize request (possible MS06-040), [] MAC_Dst: 00:30:48:30:03:AE 139<-17203 (02:37:15.763 PDT)
 -------------------------
 event=1:22003082 {tcp} E2[rb] ET EXPLOIT NETBIOS SMB-DS DCERPC NetrpPathCanonicalize request (possible MS06-040), [] MAC_Dst: 00:30:48:30:03:AE 139<-17203 (02:37:15.763 PDT)
 -------------------------
 event=1:2299913 {tcp} E2[rb] ET SHELLCODE x86 0x90 unicode NOOP, [] MAC_Dst: 00:30:48:30:03:AE 139<-17203 (02:37:15.538 PDT)

EXPLOIT MALWARE DNS

EGG DOWNLOAD
89.122.199.239 (02:37:24.022 PDT)
 event=1:2000419 {tcp} E3[rb] ET POLICY PE EXE or DLL Windows file download, [] MAC_Src: 00:21:1C:EE:14:00 9988<-17304 (02:37:24.022 PDT)

C and C TRAFFIC

C and C TRAFFIC (RBN)

C and C DNS CHECK-IN

OUTBOUND SKYPE CANDIDATE

OUTBOUND SCAN (spp)

OUTBOUND SCAN

ATTACK PREP

PEER COORDINATION

DECLARE BOT

tcpslice 1308562635.538 1308562635.539 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.176'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.176
Infector List: 89.122.199.239
Egg Source List: 89.122.199.239
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 06/20/2011 02:37:15.538 PDT
Gen. Time: 06/20/2011 02:41:59.565 PDT

INBOUND SCAN

EXPLOIT
89.122.199.239 (3) (02:37:15.538 PDT)
 event=1:22003081 {tcp} E2[rb] ET EXPLOIT NETBIOS SMB DCERPC NetrpPathCanonicalize request (possible MS06-040), [] MAC_Dst: 00:30:48:30:03:AE 139<-17203 (02:37:15.763 PDT)
 -------------------------
 event=1:22003082 {tcp} E2[rb] ET EXPLOIT NETBIOS SMB-DS DCERPC NetrpPathCanonicalize request (possible MS06-040), [] MAC_Dst: 00:30:48:30:03:AE 139<-17203 (02:37:15.763 PDT)
 -------------------------
 event=1:2299913 {tcp} E2[rb] ET SHELLCODE x86 0x90 unicode NOOP, [] MAC_Dst: 00:30:48:30:03:AE 139<-17203 (02:37:15.538 PDT)

EXPLOIT MALWARE DNS

EGG DOWNLOAD
89.122.199.239 (2) (02:37:24.022 PDT)
 event=1:2000419 {tcp} E3[rb] ET POLICY PE EXE or DLL Windows file download, [] MAC_Src: 00:21:1C:EE:14:00 9988<-17304 (02:37:24.022 PDT)
 -------------------------
 event=1:3300007 {tcp} E3[rb] BotHunter Malware Windows executable (PE) sent from remote host, [] MAC_Src: 00:21:1C:EE:14:00 9988<-17304 (02:37:24.022 PDT)

C and C TRAFFIC

C and C TRAFFIC (RBN)

C and C DNS CHECK-IN

OUTBOUND SKYPE CANDIDATE

OUTBOUND SCAN (spp)

OUTBOUND SCAN

ATTACK PREP

PEER COORDINATION

DECLARE BOT

tcpslice 1308562635.538 1308562635.539 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.176'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.176
Infector List: 186.210.82.195
Egg Source List: 186.210.82.195
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 06/20/2011 04:02:33.275 PDT
Gen. Time: 06/20/2011 04:02:42.096 PDT

INBOUND SCAN

EXPLOIT
186.210.82.195 (4) (04:02:33.275 PDT-04:02:33.495 PDT)
 event=1:22000032 {tcp} E2[rb] ET EXPLOIT LSA exploit, [] MAC_Dst: 00:30:48:30:03:AE 445<-2980 (04:02:33.556 PDT)
 -------------------------
 event=1:22000033 {tcp} E2[rb] ET EXPLOIT MS04011 Lsasrv.dll RPC exploit (WinXP), [] MAC_Dst: 00:30:48:30:03:AE 445<-2980 (04:02:33.495 PDT)
 -------------------------
 event=1:2299913 (2) {tcp} E2[rb] ET SHELLCODE x86 0x90 unicode NOOP, [] MAC_Dst: 00:30:48:30:03:AE 2: 445<-2980 (04:02:33.275 PDT-04:02:33.495 PDT)

EXPLOIT MALWARE DNS

EGG DOWNLOAD
186.210.82.195 (04:02:42.096 PDT)
 event=1:3300003 {tcp} E3[rb] BotHunter HTTP-based .exe Upload on backdoor port, [] MAC_Src: 00:30:48:30:03:AF 1031->2206 (04:02:42.096 PDT)

C and C TRAFFIC

C and C TRAFFIC (RBN)

C and C DNS CHECK-IN

OUTBOUND SKYPE CANDIDATE

OUTBOUND SCAN (spp)

OUTBOUND SCAN

ATTACK PREP

PEER COORDINATION

DECLARE BOT

tcpslice 1308567753.275 1308567753.496 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.176'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.176
Infector List: 186.210.82.195
Egg Source List: 186.210.82.195
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 06/20/2011 04:02:33.275 PDT
Gen. Time: 06/20/2011 04:06:07.942 PDT

INBOUND SCAN

EXPLOIT
186.210.82.195 (4) (04:02:33.275 PDT-04:02:33.495 PDT)
 event=1:22000032 {tcp} E2[rb] ET EXPLOIT LSA exploit, [] MAC_Dst: 00:30:48:30:03:AE 445<-2980 (04:02:33.556 PDT)
 -------------------------
 event=1:22000033 {tcp} E2[rb] ET EXPLOIT MS04011 Lsasrv.dll RPC exploit (WinXP), [] MAC_Dst: 00:30:48:30:03:AE 445<-2980 (04:02:33.495 PDT)
 -------------------------
 event=1:2299913 (2) {tcp} E2[rb] ET SHELLCODE x86 0x90 unicode NOOP, [] MAC_Dst: 00:30:48:30:03:AE 2: 445<-2980 (04:02:33.275 PDT-04:02:33.495 PDT)

EXPLOIT MALWARE DNS

EGG DOWNLOAD
186.210.82.195 (7) (04:02:42.096 PDT-04:02:54.794 PDT)
 event=1:2000419 (2) {tcp} E3[rb] ET POLICY PE EXE or DLL Windows file download, [] MAC_Src: 00:21:1C:EE:14:00 2: 1031<-2206 (04:02:50.355 PDT-04:02:54.794 PDT)
 -------------------------
 event=1:3300003 {tcp} E3[rb] BotHunter HTTP-based .exe Upload on backdoor port, [] MAC_Src: 00:30:48:30:03:AF 1031->2206 (04:02:42.096 PDT)
 -------------------------
 event=1:3300004 (2) {tcp} E3[rb] BotHunter HTTP-based .exe Upload on backdoor port, [] MAC_Src: 00:21:1C:EE:14:00 2: 1031<-2206 (04:02:50.153 PDT-04:02:54.794 PDT)
 -------------------------
 event=1:3300007 (2) {tcp} E3[rb] BotHunter Malware Windows executable (PE) sent from remote host, [] MAC_Src: 00:21:1C:EE:14:00 2: 1031<-2206 (04:02:50.355 PDT-04:02:54.794 PDT)

C and C TRAFFIC

C and C TRAFFIC (RBN)

C and C DNS CHECK-IN

OUTBOUND SKYPE CANDIDATE

OUTBOUND SCAN (spp)

OUTBOUND SCAN

ATTACK PREP

PEER COORDINATION

DECLARE BOT

tcpslice 1308567753.275 1308567774.795 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.176'

============================== SEPARATOR ================================
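The profiles above are raw BotHunter output. The following is an added example, not BotHunter's own code, that parses one profile in this layout (header fields, phase headings, event lines with their Snort SID, count, E-class tag, MAC, ports and timestamps) and rebuilds the tcpslice/tcpdump carve command from the timestamps. Two things are assumptions rather than facts stated on the page: PDT is treated as UTC-7, and the carve window is taken to run from Observed Start to the latest event timestamp plus one millisecond, a rule chosen because it reproduces the fourth profile's command exactly. The sample profile is constructed by retyping the fourth profile with only four of its event lines; the helper names are the example's own.

```python
"""Parse a BotHunter bot-infection profile and rebuild the tcpslice carve command.

Added example, not BotHunter's own code. Assumed (not stated on the page):
PDT = UTC-7, and the carve window is Observed Start .. latest event time + 1 ms.
"""
import re
from datetime import datetime, timedelta, timezone

PDT = timezone(timedelta(hours=-7), "PDT")   # assumption: PDT is UTC-7

# Constructed sample: the page's fourth profile, trimmed to four event lines.
SAMPLE_PROFILE = """\
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.176
Infector List: 186.210.82.195
Egg Source List: 186.210.82.195
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 06/20/2011 04:02:33.275 PDT
Gen. Time: 06/20/2011 04:06:07.942 PDT

INBOUND SCAN

EXPLOIT
186.210.82.195 (4) (04:02:33.275 PDT-04:02:33.495 PDT)
 event=1:22000032 {tcp} E2[rb] ET EXPLOIT LSA exploit, [] MAC_Dst: 00:30:48:30:03:AE 445<-2980 (04:02:33.556 PDT)
 -------------------------
 event=1:2299913 (2) {tcp} E2[rb] ET SHELLCODE x86 0x90 unicode NOOP, [] MAC_Dst: 00:30:48:30:03:AE 2: 445<-2980 (04:02:33.275 PDT-04:02:33.495 PDT)

EGG DOWNLOAD
186.210.82.195 (7) (04:02:42.096 PDT-04:02:54.794 PDT)
 event=1:3300003 {tcp} E3[rb] BotHunter HTTP-based .exe Upload on backdoor port, [] MAC_Src: 00:30:48:30:03:AF 1031->2206 (04:02:42.096 PDT)
 -------------------------
 event=1:3300007 (2) {tcp} E3[rb] BotHunter Malware Windows executable (PE) sent from remote host, [] MAC_Src: 00:21:1C:EE:14:00 2: 1031<-2206 (04:02:50.355 PDT-04:02:54.794 PDT)

DECLARE BOT
"""

HEADER_RE = re.compile(r"^([A-Za-z&. ]+?): ?(.*)$")          # "Infected Target: 192.168.1.176"
PHASE_RE = re.compile(r"^[A-Z][A-Za-z &().-]*$")             # "EGG DOWNLOAD", "C and C DNS CHECK-IN"
EVENT_RE = re.compile(                                       # one " event=..." line
    r"^event=(\d+:\d+)(?: \((\d+)\))? \{(\w+)\} (E\d)\[(\w+)\] (.*?), \[\] "
    r"(MAC_\w+): ([0-9A-Fa-f:]+) (?:\d+: )?(\d+)(<-|->)(\d+) \(([^)]*)\)$")
TIME_RE = re.compile(r"(\d{2}:\d{2}:\d{2}\.\d{3}) PDT")


def parse_profile(text):
    """Return header fields plus a list of event dicts tagged with their phase."""
    prof = {"events": [], "phases": []}
    phase = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or set(line) == {"-"} or line.startswith("="):
            continue                                # blank, divider or SEPARATOR line
        m = EVENT_RE.match(line)
        if m:
            sid, count, proto, klass, tag, msg, macfield, mac, lport, arrow, rport, when = m.groups()
            prof["events"].append({
                "phase": phase, "sid": sid, "count": int(count or 1), "proto": proto,
                "class": klass, "tag": tag, "msg": msg, macfield: mac,
                # left-hand port is on the Infected Target in every event on this page
                "local_port": int(lport), "dir": arrow, "remote_port": int(rport),
                "times": TIME_RE.findall(when),
            })
        elif PHASE_RE.match(line):
            phase = line
            prof["phases"].append(line)
        elif HEADER_RE.match(line):
            key, value = HEADER_RE.match(line).groups()
            prof[key.strip()] = value.strip()
    return prof


def split_list(value):
    """'a, b' or 'a b' -> ['a', 'b']; an empty field -> []."""
    return [v for v in re.split(r"[,\s]+", value) if v]


def score_meets_threshold(prof):
    got, need = re.match(r"([\d.]+) \(>= ([\d.]+)\)", prof["Score"]).groups()
    return float(got) >= float(need)


def evidence_classes(prof):
    """Dialog-evidence classes present in the profile, e.g. ['E2', 'E3']."""
    return sorted({ev["class"] for ev in prof["events"]})


def parse_pdt(stamp):
    return datetime.strptime(stamp, "%m/%d/%Y %H:%M:%S.%f PDT").replace(tzinfo=PDT)


def evidence_window(prof):
    """(start, end): Observed Start to the latest event time + 1 ms (assumed rule)."""
    start = parse_pdt(prof["Observed Start"])
    latest = start
    for ev in prof["events"]:
        for tod in ev["times"]:               # event lines carry time-of-day only
            t = datetime.strptime(tod, "%H:%M:%S.%f").time()
            cand = datetime.combine(start.date(), t, tzinfo=PDT)
            if cand < start:                  # time-of-day wrapped past midnight
                cand += timedelta(days=1)
            latest = max(latest, cand)
    return start, latest + timedelta(milliseconds=1)


def tcpslice_command(prof, infile="inputFile.tcpd", outfile="outputFile.tcpd"):
    start, end = evidence_window(prof)
    return "tcpslice %.3f %.3f %s | tcpdump -r - -w %s 'host %s'" % (
        start.timestamp(), end.timestamp(), infile, outfile, prof["Infected Target"])


if __name__ == "__main__":
    p = parse_profile(SAMPLE_PROFILE)
    print(p["Infected Target"], evidence_classes(p), score_meets_threshold(p))
    print(tcpslice_command(p))
```

One caveat when reusing the page's own commands: the first three profiles' tcpslice windows end one millisecond after the last EXPLOIT timestamp (1308562635.539 is 02:37:15.539 PDT, 1308567753.496 is 04:02:33.496 PDT), so their EGG DOWNLOAD events at 02:37:24.022 and 04:02:42.096 PDT fall outside outputFile.tcpd; only the fourth command reaches the end of the egg transfer. Widen the end timestamp if the dropped PE is what you need from the capture.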