Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.181
Infector List: 180.14.27.11
Egg Source List:
C & C List: 140.174.25.8
Peer Coord. List:
Resource List:
Observed Start: 06/20/2011 04:58:56.879 PDT
Gen. Time: 06/20/2011 04:58:57.713 PDT

INBOUND SCAN

EXPLOIT
180.14.27.11 (3) (04:58:56.879 PDT)
 event=1:22000032 {tcp} E2[rb] ET EXPLOIT LSA exploit, [] MAC_Dst: 00:30:48:30:03:AE
  445<-23399 (04:58:56.879 PDT)
 -------------------------
 event=1:22000046 (2) {tcp} E2[rb] ET EXPLOIT MS04011 Lsasrv.dll RPC exploit (Win2k), [] MAC_Dst: 00:30:48:30:03:AE
  2: 445<-23399 (04:58:56.879 PDT-04:58:56.879 PDT)

EXPLOIT MALWARE DNS

EGG DOWNLOAD

C and C TRAFFIC
140.174.25.8 (04:58:57.713 PDT)
 event=1:2002196 {tcp} E4[rb] ET MALWARE Casalemedia Spyware Reporting URL Visited 2, [/sd?s=84893&f=1] MAC_Src: 00:30:48:30:03:AF
  1148->80 (04:58:57.713 PDT)

C and C TRAFFIC (RBN)

C and C DNS CHECK-IN

OUTBOUND SKYPE CANDIDATE

OUTBOUND SCAN (spp)

OUTBOUND SCAN

ATTACK PREP

PEER COORDINATION

DECLARE BOT

tcpslice 1308571136.879 1308571136.880 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.181'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.181
Infector List: 180.14.27.11
Egg Source List:
C & C List: 140.174.25.8 (3)
Peer Coord. List:
Resource List:
Observed Start: 06/20/2011 04:58:56.879 PDT
Gen. Time: 06/20/2011 05:02:30.344 PDT

INBOUND SCAN

EXPLOIT
180.14.27.11 (3) (04:58:56.879 PDT)
 event=1:22000032 {tcp} E2[rb] ET EXPLOIT LSA exploit, [] MAC_Dst: 00:30:48:30:03:AE
  445<-23399 (04:58:56.879 PDT)
 -------------------------
 event=1:22000046 (2) {tcp} E2[rb] ET EXPLOIT MS04011 Lsasrv.dll RPC exploit (Win2k), [] MAC_Dst: 00:30:48:30:03:AE
  2: 445<-23399 (04:58:56.879 PDT-04:58:56.879 PDT)

EXPLOIT MALWARE DNS

EGG DOWNLOAD

C and C TRAFFIC
140.174.25.8 (3) (04:58:57.713 PDT)
 event=1:2002196 (2) {tcp} E4[rb] ET MALWARE Casalemedia Spyware Reporting URL Visited 2, [/sd?s=84893&f=1] MAC_Src: 00:30:48:30:03:AF
  1148->80 (04:58:57.713 PDT)
  1148->80 (04:58:57.886 PDT)
 -------------------------
 event=1:2009880 {tcp} E4[rb] ET MALWARE Casalemedia Spyware Reporting URL Visited 3, [/sd?s=84893&f=1&C=1] MAC_Src: 00:30:48:30:03:AF
  1148->80 (04:58:57.886 PDT)

C and C TRAFFIC (RBN)

C and C DNS CHECK-IN

OUTBOUND SKYPE CANDIDATE

OUTBOUND SCAN (spp)

OUTBOUND SCAN

ATTACK PREP

PEER COORDINATION

DECLARE BOT

tcpslice 1308571136.879 1308571136.880 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.181'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.181
Infector List: 202.7.119.247
Egg Source List: 202.7.119.247
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 06/20/2011 05:50:39.518 PDT
Gen. Time: 06/20/2011 05:50:47.950 PDT

INBOUND SCAN

EXPLOIT
202.7.119.247 (3) (05:50:39.518 PDT)
 event=1:22003081 {tcp} E2[rb] ET EXPLOIT NETBIOS SMB DCERPC NetrpPathCanonicalize request (possible MS06-040), [] MAC_Dst: 00:30:48:30:03:AE
  139<-21817 (05:50:39.707 PDT)
 -------------------------
 event=1:22003082 {tcp} E2[rb] ET EXPLOIT NETBIOS SMB-DS DCERPC NetrpPathCanonicalize request (possible MS06-040), [] MAC_Dst: 00:30:48:30:03:AE
  139<-21817 (05:50:39.707 PDT)
 -------------------------
 event=1:2299913 {tcp} E2[rb] ET SHELLCODE x86 0x90 unicode NOOP, [] MAC_Dst: 00:30:48:30:03:AE
  139<-21817 (05:50:39.518 PDT)

EXPLOIT MALWARE DNS

EGG DOWNLOAD
202.7.119.247 (05:50:47.950 PDT)
 event=1:2000419 {tcp} E3[rb] ET POLICY PE EXE or DLL Windows file download, [] MAC_Src: 00:21:1C:EE:14:00
  9988<-23452 (05:50:47.950 PDT)

C and C TRAFFIC

C and C TRAFFIC (RBN)

C and C DNS CHECK-IN

OUTBOUND SKYPE CANDIDATE

OUTBOUND SCAN (spp)

OUTBOUND SCAN

ATTACK PREP

PEER COORDINATION

DECLARE BOT

tcpslice 1308574239.518 1308574239.519 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.181'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.181
Infector List: 202.7.119.247
Egg Source List: 202.7.119.247
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 06/20/2011 05:50:39.518 PDT
Gen. Time: 06/20/2011 05:54:00.449 PDT

INBOUND SCAN

EXPLOIT
202.7.119.247 (3) (05:50:39.518 PDT)
 event=1:22003081 {tcp} E2[rb] ET EXPLOIT NETBIOS SMB DCERPC NetrpPathCanonicalize request (possible MS06-040), [] MAC_Dst: 00:30:48:30:03:AE
  139<-21817 (05:50:39.707 PDT)
 -------------------------
 event=1:22003082 {tcp} E2[rb] ET EXPLOIT NETBIOS SMB-DS DCERPC NetrpPathCanonicalize request (possible MS06-040), [] MAC_Dst: 00:30:48:30:03:AE
  139<-21817 (05:50:39.707 PDT)
 -------------------------
 event=1:2299913 {tcp} E2[rb] ET SHELLCODE x86 0x90 unicode NOOP, [] MAC_Dst: 00:30:48:30:03:AE
  139<-21817 (05:50:39.518 PDT)

EXPLOIT MALWARE DNS

EGG DOWNLOAD
202.7.119.247 (2) (05:50:47.950 PDT)
 event=1:2000419 {tcp} E3[rb] ET POLICY PE EXE or DLL Windows file download, [] MAC_Src: 00:21:1C:EE:14:00
  9988<-23452 (05:50:47.950 PDT)
 -------------------------
 event=1:3300007 {tcp} E3[rb] BotHunter Malware Windows executable (PE) sent from remote host, [] MAC_Src: 00:21:1C:EE:14:00
  9988<-23452 (05:50:47.950 PDT)

C and C TRAFFIC

C and C TRAFFIC (RBN)

C and C DNS CHECK-IN

OUTBOUND SKYPE CANDIDATE

OUTBOUND SCAN (spp)

OUTBOUND SCAN

ATTACK PREP

PEER COORDINATION

DECLARE BOT

tcpslice 1308574239.518 1308574239.519 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.181'

============================== SEPARATOR ================================