Score: 0.8 (>= 0.8) Infected Target: 192.168.1.187 Infector List: 83.58.91.168 Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 06/20/2011 01:24:34.099 PDT Gen. Time: 06/20/2011 01:24:38.290 PDT INBOUND SCAN EXPLOIT 83.58.91.168 (4) (01:24:34.099 PDT-01:24:36.769 PDT) event=1:2299913 (4) {tcp} E2[rb] ET SHELLCODE x86 0x90 unicode NOOP, [] MAC_Dst: 00:30:48:30:03:AE 2: 445<-22727 (01:24:34.099 PDT-01:24:34.121 PDT) 2: 445<-22737 (01:24:36.748 PDT-01:24:36.769 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN 83.58.91.168 (01:24:38.290 PDT) event=1:552123 {tcp} E5[rb] REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner, [] MAC_Src: 00:30:48:30:03:AE 9995->22749 (01:24:38.290 PDT) ATTACK PREP PEER COORDINATION DECLARE BOT tcpslice 1308558274.099 1308558276.770 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.187' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.187 Infector List: 50.72.167.204 Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 06/20/2011 13:49:08.024 PDT Gen. Time: 06/20/2011 13:49:08.196 PDT INBOUND SCAN EXPLOIT 50.72.167.204 (2) (13:49:08.024 PDT) event=1:22351 {tcp} E2[rb] REGISTERED FREE NETBIOS DCERPC ISystemActivator path overflow attempt little endian unicode, [] MAC_Dst: 00:30:48:30:03:AE 135<-1833 (13:49:08.024 PDT) ------------------------- event=1:2299913 {tcp} E2[rb] ET SHELLCODE x86 0x90 unicode NOOP, [] MAC_Dst: 00:30:48:30:03:AE 135<-1833 (13:49:08.024 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN 50.72.167.204 (13:49:08.196 PDT) event=1:552123 {tcp} E5[rb] REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner, [] MAC_Src: 00:30:48:30:03:AE 1031->707 (13:49:08.196 PDT) ATTACK PREP PEER COORDINATION DECLARE BOT tcpslice 1308602948.024 1308602948.025 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.187' ============================== SEPARATOR ================================ Score: 1.3 (>= 0.8) Infected Target: 192.168.1.187 Infector List: 50.72.167.204 Egg Source List: 50.72.167.204 C & C List: Peer Coord. List: Resource List: Observed Start: 06/20/2011 13:49:08.024 PDT Gen. Time: 06/20/2011 13:51:15.418 PDT INBOUND SCAN EXPLOIT 50.72.167.204 (2) (13:49:08.024 PDT) event=1:22351 {tcp} E2[rb] REGISTERED FREE NETBIOS DCERPC ISystemActivator path overflow attempt little endian unicode, [] MAC_Dst: 00:30:48:30:03:AE 135<-1833 (13:49:08.024 PDT) ------------------------- event=1:2299913 {tcp} E2[rb] ET SHELLCODE x86 0x90 unicode NOOP, [] MAC_Dst: 00:30:48:30:03:AE 135<-1833 (13:49:08.024 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 50.72.167.204 (3) (13:49:09.189 PDT) event=1:1444 {udp} E3[rb] TFTP GET from external source, [] MAC_Src: 00:30:48:30:03:AF 1032->69 (13:49:09.189 PDT) ------------------------- event=1:2008120 {udp} E3[rb] ET POLICY Outbound TFTP Read Request, [] MAC_Src: 00:30:48:30:03:AF 1032->69 (13:49:09.189 PDT) ------------------------- event=1:3001441 {udp} E3[rb] TFTP GET .exe from external source, [] MAC_Src: 00:30:48:30:03:AF 1032->69 (13:49:09.189 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN 50.72.167.204 (13:49:08.196 PDT) event=1:552123 {tcp} E5[rb] REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner, [] MAC_Src: 00:30:48:30:03:AE 1031->707 (13:49:08.196 PDT) ATTACK PREP PEER COORDINATION DECLARE BOT tcpslice 1308602948.024 1308602948.025 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.187' ============================== SEPARATOR ================================