BotHunter Daily Analysis Index

BotHunter ®
Live Internet Monitor Page
Computer Science Laboratory
SRI International

Last Updated: Mon Jun 20 23:00:10 2011

www.BOTHUNTER.net

Victim IP	Max Score	Profiles	CCs	Events
192.168.1.233	2.1	VIEW 4	46.252.130.7 46.252.130.7 (Dsl), Greatreadings.Com, Ripe Ncc, United Kingdom, Malware Controller Mail Abuser. 213.155.0.224 213.155.0.224 (Comp), -, Valen1 - Sergey Baskakov, Namibia, Mail Abuser Malware Controller.	1:22000032 {tcp} Inbound Attack: ET EXPLOIT LSA exploit MAC_Dst: 00:30:48:30:03:AE; 445<-36507 1:22000046 (2) {tcp} Inbound Attack: ET EXPLOIT MS04011 Lsasrv.dll RPC exploit (Win2k) MAC_Dst: 00:30:48:30:03:AE; 445<-36507 1:9910003 {tcp} Bot Space Access: BotHunter MTC confirmed botnet control server; 1029->80 1:22000032 {tcp} Inbound Attack: ET EXPLOIT LSA exploit MAC_Dst: 00:30:48:30:03:AE; 445<-13861 1:22000033 {tcp} Inbound Attack: ET EXPLOIT MS04011 Lsasrv.dll RPC exploit (WinXP) MAC_Dst: 00:30:48:30:03:AE; 445<-13861 1:2299913 (2) {tcp} Inbound Attack: ET SHELLCODE x86 0x90 unicode NOOP MAC_Dst: 00:30:48:30:03:AE; 445<-13861 1:3300003 {tcp} Egg Download: BotHunter HTTP-based .exe Upload on backdoor port; 1031->5661 1:22000032 (3) {tcp} Inbound Attack: ET EXPLOIT LSA exploit MAC_Dst: 00:30:48:30:03:AE; 445<-3433 1:22000033 (2) {tcp} Inbound Attack: ET EXPLOIT MS04011 Lsasrv.dll RPC exploit (WinXP) MAC_Dst: 00:30:48:30:03:AE; 445<-3433
192.168.1.223	1.3	VIEW 2		1:22351 {tcp} Inbound Attack: REGISTERED FREE NETBIOS DCERPC ISystemActivator path overflow attempt little endian unicode MAC_Dst: 00:30:48:30:03:AE; 135<-2107 1:2299913 {tcp} Inbound Attack: ET SHELLCODE x86 0x90 unicode NOOP MAC_Dst: 00:30:48:30:03:AE; 135<-2107 1:552123 {tcp} Outbound Attack: REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner; 1027->707 1:1444 (2) {udp} Egg Download: TFTP GET from external source; 1028->69 1:2008120 (2) {udp} Egg Download: ET POLICY Outbound TFTP Read Request; 1028->69
192.168.1.64	0.8	VIEW 1		1:22009201 {tcp} Inbound Attack: ET CURRENT_EVENTS Conficker.b Shellcode MAC_Dst: 00:30:48:30:03:AE; 445<-3283 1:3300007 {tcp} Egg Download: BotHunter Malware Windows executable (PE) sent from remote host; 445<-3283
192.168.1.204	0.8	VIEW 1		1:2299913 (4) {tcp} Inbound Attack: ET SHELLCODE x86 0x90 unicode NOOP MAC_Dst: 00:30:48:30:03:AE; 445<-19097 1:552123 {tcp} Outbound Attack: REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner; 1022->19555
192.168.1.34	0.8	VIEW 2		1:22000032 {tcp} Inbound Attack: ET EXPLOIT LSA exploit MAC_Dst: 00:30:48:30:03:AE; 445<-4642 1:22000033 {tcp} Inbound Attack: ET EXPLOIT MS04011 Lsasrv.dll RPC exploit (WinXP) MAC_Dst: 00:30:48:30:03:AE; 445<-4642 1:2299913 (2) {tcp} Inbound Attack: ET SHELLCODE x86 0x90 unicode NOOP MAC_Dst: 00:30:48:30:03:AE; 445<-4642 1:3300003 {tcp} Egg Download: BotHunter HTTP-based .exe Upload on backdoor port; 1031->1035
192.168.1.180	2.1	VIEW 2	67.125.140.230 67.125.140.230 (Dsl), Pacbell.Net, At&T Internet Services, Fresno, California, United States, Mail Abuser Malware Propagator Malware Controller.	1:9910023 {tcp} Bot Space Access: BotHunter Malware propagation attack source; 135->3764 1:22351 {tcp} Inbound Attack: REGISTERED FREE NETBIOS DCERPC ISystemActivator path overflow attempt little endian unicode MAC_Dst: 00:30:48:30:03:AE; 135<-3764 1:2299913 {tcp} Inbound Attack: ET SHELLCODE x86 0x90 unicode NOOP MAC_Dst: 00:30:48:30:03:AE; 135<-3764 1:1444 (2) {udp} Egg Download: TFTP GET from external source; 1028->69 1:2008120 (2) {udp} Egg Download: ET POLICY Outbound TFTP Read Request; 1028->69 1:3001441 (2) {udp} Egg Download: TFTP GET .exe from external source; 1028->69
192.168.1.5	0.8	VIEW 1		1:22003081 (2) {tcp} Inbound Attack: ET EXPLOIT NETBIOS SMB DCERPC NetrpPathCanonicalize request (possible MS06-040) MAC_Dst: 00:30:48:30:03:AE; 139<-47281 1:22003082 (2) {tcp} Inbound Attack: ET EXPLOIT NETBIOS SMB-DS DCERPC NetrpPathCanonicalize request (possible MS06-040) MAC_Dst: 00:30:48:30:03:AE; 139<-47281 1:2299913 (3) {tcp} Inbound Attack: ET SHELLCODE x86 0x90 unicode NOOP MAC_Dst: 00:30:48:30:03:AE; 139<-47852 1:2000419 {tcp} Egg Download: ET POLICY PE EXE or DLL Windows file download; 9988<-49908
192.168.1.100	1.7	VIEW 250	134.34.246.5 134.34.246.5 (Dsl), Uni-Konstanz.De, Universitaet Konstanz, Konstanz, Baden-WÜRttemberg, Germany, Malware Controller. 132.239.17.226 132.239.17.226 (Comp), Ucsd.Edu, University Of California San Diego, La Jolla, California, United States, Malware Controller. 206.207.248.34 206.207.248.34 (Comp), Arizona.Edu, University Of Arizona, Tucson, Arizona, United States, Mail Abuser Malware Controller. 213.136.106.214 213.136.106.214 (Dsl), Afnet.Net, Isp Cote D'Ivoire, Abidjan, Cote D'Ivoire, Malware Controller. 194.85.105.17 194.85.105.17 (Dsl), Ripn.Net, Network For Ru Services, Moscow, Moskva, Russian Federation, Malicious Site Mail Abuser Malware Controller. 12.46.129.16 12.46.129.16 (Comp), Comcastbusiness.Net, Intel, Berkeley, California, United States, Malware Controller. 195.37.16.125 195.37.16.125 (Comp), -, Extranet Der Universitaet Passau, Passau, Bayern, Germany, Malware Controller. 143.89.49.74 143.89.49.74 (Dsl), Ustlnx43-N2.Ust.Hk, Hong Kong University Of Science And Technology, Hong Kong, Hong Kong (Sar), Hong Kong, Malware Controller Mail Abuser.	1:9910006 {udp} Bot Space Access: BotHunter REPO confirmed botnet control server; 4121->4121 1:2003179 (5) {tcp} Egg Download: ET POLICY exe download without User Agent, [/coblitz/wow/patches/3.2.0/WoW-3.2.0-enGB-patch.exe]; 39921->80 1:9910005 {tcp} Bot Space Access: BotHunter REPO confirmed botnet control server; 60384->61921 1:9910006 {udp} Bot Space Access: BotHunter REPO confirmed botnet control server; 2122->2122 1:2003179 (3) {tcp} Egg Download: ET POLICY exe download without User Agent, [/coblitz/wow/patches/3.3.0/WoW-3.2.0.10192-to-3.3.0.10958-enUS-patch.exe]; 54094->80 1:9910005 {tcp} Bot Space Access: BotHunter REPO confirmed botnet control server; 56490->3128 1:2003179 {tcp} Egg Download: ET POLICY exe download without User Agent, [/coblitz/wow/patches/3.3.2/WoW-3.3.0.11159-to-3.3.2.11403-enGB-patch.exe]; 54538->80 1:9910006 {udp} Bot Space Access: BotHunter REPO confirmed botnet control server; 23127->23127 1:2003179 (2) {tcp} Egg Download: ET POLICY exe download without User Agent, [/coblitz/wow/patches/3.3.2/WoW-3.3.0.11159-to-3.3.2.11403-enGB-patch.exe]; 54538->80 1:3810008 {udp} Russian Business Network: ET Known Russian Business Network Monitored Domain; 37685->53 1:2000419 {tcp} Egg Download: ET POLICY PE EXE or DLL Windows file download; 34779<-80 1:9910005 {tcp} Bot Space Access: BotHunter REPO confirmed botnet control server; 43167->2126 1:2003179 (2) {tcp} Egg Download: ET POLICY exe download without User Agent, [/coblitz/wow/patches/3.2.0/WoW-3.2.0-enGB-patch.exe]; 42002->80 1:2003179 (2) {tcp} Egg Download: ET POLICY exe download without User Agent, [/coblitz/wow/patches/3.2.0/WoW-3.2.0-enGB-patch.exe]; 45721->80 1:2003179 {tcp} Egg Download: ET POLICY exe download without User Agent, [/coblitz/wow/patches/3.2.0/WoW-3.2.0-enGB-patch.exe]; 34573->80 1:9910005 {tcp} Bot Space Access: BotHunter REPO confirmed botnet control server; 41199->2126 1:2003179 (4) {tcp} Egg Download: ET POLICY exe download without User Agent, [/coblitz/wow/patches/3.2.0/WoW-3.2.0-enGB-patch.exe]; 45160->80 1:9910005 {tcp} Bot Space Access: BotHunter REPO confirmed botnet control server; 37030->2126 1:2003179 {tcp} Egg Download: ET POLICY exe download without User Agent, [/coblitz/wow/patches/3.3.0/WoW-3.2.0.10192-to-3.3.0.10958-esES-patch.exe]; 58550->80 1:2003179 (3) {tcp} Egg Download: ET POLICY exe download without User Agent, [/coblitz/wow/patches/3.3.2/WoW-3.3.0.11159-to-3.3.2.11403-esES-patch.exe]; 59355->80
192.168.1.166	2.1	VIEW 2	75.38.94.36 75.38.94.36 (Dsl), Sbcglobal.Net, Danny Chon Dba, New York, United States, Malware Propagator Malware Controller.	1:9910023 {tcp} Bot Space Access: BotHunter Malware propagation attack source; 135->3765 1:22351 {tcp} Inbound Attack: REGISTERED FREE NETBIOS DCERPC ISystemActivator path overflow attempt little endian unicode MAC_Dst: 00:30:48:30:03:AE; 135<-3765 1:2299913 {tcp} Inbound Attack: ET SHELLCODE x86 0x90 unicode NOOP MAC_Dst: 00:30:48:30:03:AE; 135<-3765 1:1444 (2) {udp} Egg Download: TFTP GET from external source; 1028->69 1:2008120 (2) {udp} Egg Download: ET POLICY Outbound TFTP Read Request; 1028->69 1:3001441 (2) {udp} Egg Download: TFTP GET .exe from external source; 1028->69
192.168.1.202	0.8	VIEW 1	213.155.0.224 213.155.0.224 (Comp), -, Valen1 - Sergey Baskakov, Namibia, Mail Abuser Malware Controller.	1:9910003 {tcp} Bot Space Access: BotHunter MTC confirmed botnet control server; 1037->80
192.168.1.240	0.8	VIEW 2		1:22003081 {tcp} Inbound Attack: ET EXPLOIT NETBIOS SMB DCERPC NetrpPathCanonicalize request (possible MS06-040) MAC_Dst: 00:30:48:30:03:AE; 139<-36885 1:22003082 {tcp} Inbound Attack: ET EXPLOIT NETBIOS SMB-DS DCERPC NetrpPathCanonicalize request (possible MS06-040) MAC_Dst: 00:30:48:30:03:AE; 139<-36885 1:2299913 {tcp} Inbound Attack: ET SHELLCODE x86 0x90 unicode NOOP MAC_Dst: 00:30:48:30:03:AE; 139<-36885 1:2000419 {tcp} Egg Download: ET POLICY PE EXE or DLL Windows file download; 9988<-39824
192.168.1.208	1.7	VIEW 2	83.133.119.197 83.133.119.197 (Dsl), Greatnet.De, Lncde-Greatnet-Newmedia, Germany, Malicious Site Mail Abuser Malware Controller.	1:9910005 {tcp} Bot Space Access: BotHunter REPO confirmed botnet control server; 1032->65520 1:2003603 {tcp} C&C Communication: ET TROJAN W32.Virut.A joining an IRC Channel; 1032->65520 1:3810007 {tcp} Russian Business Network: ET Known Russian Business Network Monitored Domain; 1032->65520 1:9910003 {tcp} Bot Space Access: BotHunter MTC confirmed botnet control server; 1032->65520 1:9910009 {tcp} Bot Space Access: ET ShadowServer confirmed botnet control server; 1032->65520
192.168.1.104	2.1	VIEW 2	213.155.0.224 213.155.0.224 (Comp), -, Valen1 - Sergey Baskakov, Namibia, Mail Abuser Malware Controller.	1:22000032 {tcp} Inbound Attack: ET EXPLOIT LSA exploit MAC_Dst: 00:30:48:30:03:AE; 445<-18864 1:22000033 {tcp} Inbound Attack: ET EXPLOIT MS04011 Lsasrv.dll RPC exploit (WinXP) MAC_Dst: 00:30:48:30:03:AE; 445<-18864 1:2299913 (2) {tcp} Inbound Attack: ET SHELLCODE x86 0x90 unicode NOOP MAC_Dst: 00:30:48:30:03:AE; 445<-18864 1:3300003 {tcp} Egg Download: BotHunter HTTP-based .exe Upload on backdoor port; 1031->1100
192.168.1.190	2.1	VIEW 6	46.252.130.7 46.252.130.7 (Dsl), Greatreadings.Com, Ripe Ncc, United Kingdom, Malware Controller Mail Abuser. 140.174.25.8 140.174.25.8 (Dsl), Verio.Net, Ntt America Inc, Englewood, Colorado, United States, Malware Controller. 64.38.232.180 64.38.232.180 (Comp), -, Domain Development, Calabasas, California, United States, Malicious Site Mail Abuser Malware Controller Malware Propagator. 213.155.0.224 213.155.0.224 (Comp), -, Valen1 - Sergey Baskakov, Namibia, Mail Abuser Malware Controller.	1:9910005 {tcp} Bot Space Access: BotHunter REPO confirmed botnet control server; 1092->65520 1:2002196 (2) {tcp} C&C Communication: ET MALWARE Casalemedia Spyware Reporting URL Visited 2, [/sd?s=84893&f=1]; 1106->80 1:2009880 {tcp} C&C Communication: ET MALWARE Casalemedia Spyware Reporting URL Visited 3, [/sd?s=84893&f=1&C=1]; 1106->80 1:2003603 {tcp} C&C Communication: ET TROJAN W32.Virut.A joining an IRC Channel; 1092->65520 1:3810007 {tcp} Russian Business Network: ET Known Russian Business Network Monitored Domain; 1100->80 1:9910003 {tcp} Bot Space Access: BotHunter MTC confirmed botnet control server; 1092->65520 1:22000032 {tcp} Inbound Attack: ET EXPLOIT LSA exploit MAC_Dst: 00:30:48:30:03:AE; 445<-24077 1:22000033 {tcp} Inbound Attack: ET EXPLOIT MS04011 Lsasrv.dll RPC exploit (WinXP) MAC_Dst: 00:30:48:30:03:AE; 445<-24077 1:22000032 {tcp} Inbound Attack: ET EXPLOIT LSA exploit MAC_Dst: 00:30:48:30:03:AE; 445<-52542 1:22000033 {tcp} Inbound Attack: ET EXPLOIT MS04011 Lsasrv.dll RPC exploit (WinXP) MAC_Dst: 00:30:48:30:03:AE; 445<-52542
192.168.1.176	0.8	VIEW 4		1:22003081 {tcp} Inbound Attack: ET EXPLOIT NETBIOS SMB DCERPC NetrpPathCanonicalize request (possible MS06-040) MAC_Dst: 00:30:48:30:03:AE; 139<-17203 1:22003082 {tcp} Inbound Attack: ET EXPLOIT NETBIOS SMB-DS DCERPC NetrpPathCanonicalize request (possible MS06-040) MAC_Dst: 00:30:48:30:03:AE; 139<-17203 1:2299913 {tcp} Inbound Attack: ET SHELLCODE x86 0x90 unicode NOOP MAC_Dst: 00:30:48:30:03:AE; 139<-17203 1:2000419 {tcp} Egg Download: ET POLICY PE EXE or DLL Windows file download; 9988<-17304 1:22000032 {tcp} Inbound Attack: ET EXPLOIT LSA exploit MAC_Dst: 00:30:48:30:03:AE; 445<-2980 1:22000033 {tcp} Inbound Attack: ET EXPLOIT MS04011 Lsasrv.dll RPC exploit (WinXP) MAC_Dst: 00:30:48:30:03:AE; 445<-2980 1:2299913 (2) {tcp} Inbound Attack: ET SHELLCODE x86 0x90 unicode NOOP MAC_Dst: 00:30:48:30:03:AE; 445<-2980
192.168.1.228	0.8	VIEW 1		1:2299913 (4) {tcp} Inbound Attack: ET SHELLCODE x86 0x90 unicode NOOP MAC_Dst: 00:30:48:30:03:AE; 445<-50455 1:2000047 {tcp} Egg Download: ET WORM Sasser Transfer _up.exe; 9996<-50459
192.168.1.169	2.1	VIEW 2	93.177.237.176 93.177.237.176 (Dsl), Lvdats.Lv, Lvdats-Net, Riga, Latvia, Malware Propagator Malware Controller. 213.155.0.224 213.155.0.224 (Comp), -, Valen1 - Sergey Baskakov, Namibia, Mail Abuser Malware Controller.	1:9910023 {tcp} Bot Space Access: BotHunter Malware propagation attack source; 445->8287 1:22000032 {tcp} Inbound Attack: ET EXPLOIT LSA exploit MAC_Dst: 00:30:48:30:03:AE; 445<-8287 1:22000033 {tcp} Inbound Attack: ET EXPLOIT MS04011 Lsasrv.dll RPC exploit (WinXP) MAC_Dst: 00:30:48:30:03:AE; 445<-8287 1:2299913 (2) {tcp} Inbound Attack: ET SHELLCODE x86 0x90 unicode NOOP MAC_Dst: 00:30:48:30:03:AE; 445<-8287 1:2000419 {tcp} Egg Download: ET POLICY PE EXE or DLL Windows file download; 1031<-2360 1:3300003 {tcp} Egg Download: BotHunter HTTP-based .exe Upload on backdoor port; 1031->2360
192.168.1.206	1.3	VIEW 4	50.15.144.162 50.15.144.162 (-), -, -, -, Malware Propagator Mail Abuser Malicious Scanner.	1:9910023 {tcp} Bot Space Access: BotHunter Malware propagation attack source; 445->11535 1:22000046 (2) {tcp} Inbound Attack: ET EXPLOIT MS04011 Lsasrv.dll RPC exploit (Win2k) MAC_Dst: 00:30:48:30:03:AE; 445<-11535 1:22000032 {tcp} Inbound Attack: ET EXPLOIT LSA exploit MAC_Dst: 00:30:48:30:03:AE; 445<-47141 1:22000033 {tcp} Inbound Attack: ET EXPLOIT MS04011 Lsasrv.dll RPC exploit (WinXP) MAC_Dst: 00:30:48:30:03:AE; 445<-47141 1:2299913 (2) {tcp} Inbound Attack: ET SHELLCODE x86 0x90 unicode NOOP MAC_Dst: 00:30:48:30:03:AE; 445<-47141 1:3300003 {tcp} Egg Download: BotHunter HTTP-based .exe Upload on backdoor port; 1031->1825
192.168.1.189	2.1	VIEW 4	61.215.137.22 61.215.137.22 (Dsl), Cablenet.Ne.Jp, Cablenet-Cidr-Blk, Tokyo, Japan, Malware Propagator Mail Abuser Malware Controller.	1:22351 {tcp} Inbound Attack: REGISTERED FREE NETBIOS DCERPC ISystemActivator path overflow attempt little endian unicode MAC_Dst: 00:30:48:30:03:AE; 135<-14468 1:2299913 {tcp} Inbound Attack: ET SHELLCODE x86 0x90 unicode NOOP MAC_Dst: 00:30:48:30:03:AE; 135<-14468 1:552123 {tcp} Outbound Attack: REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner; 1031->707 1:1444 (2) {udp} Egg Download: TFTP GET from external source; 1032->69 1:2008120 (2) {udp} Egg Download: ET POLICY Outbound TFTP Read Request; 1032->69 1:9910023 {tcp} Bot Space Access: BotHunter Malware propagation attack source; 135->43358 1:22351 {tcp} Inbound Attack: REGISTERED FREE NETBIOS DCERPC ISystemActivator path overflow attempt little endian unicode MAC_Dst: 00:30:48:30:03:AE; 135<-43358 1:2299913 {tcp} Inbound Attack: ET SHELLCODE x86 0x90 unicode NOOP MAC_Dst: 00:30:48:30:03:AE; 135<-43358
192.168.1.149	1.1	VIEW 2	89.117.24.97 89.117.24.97 (Dsl), Erdves.Lt, Point To Point Client Networks, Vilnius, Vilniaus Apskritis, Lithuania, Malware Propagator Malware Controller.	1:9910023 {tcp} Bot Space Access: BotHunter Malware propagation attack source; 445->3902 1:22000032 {tcp} Inbound Attack: ET EXPLOIT LSA exploit MAC_Dst: 00:30:48:30:03:AE; 445<-3902 1:22000046 (2) {tcp} Inbound Attack: ET EXPLOIT MS04011 Lsasrv.dll RPC exploit (Win2k) MAC_Dst: 00:30:48:30:03:AE; 445<-3902
192.168.1.215	3.0	VIEW 2	175.124.143.165 175.124.143.165 (-), -, -, -, Malware Propagator Malware Controller. 83.133.119.197 83.133.119.197 (Dsl), Greatnet.De, Lncde-Greatnet-Newmedia, Germany, Malicious Site Mail Abuser Malware Controller.	1:9910023 {tcp} Bot Space Access: BotHunter Malware propagation attack source; 135->1151 1:22351 {tcp} Inbound Attack: REGISTERED FREE NETBIOS DCERPC ISystemActivator path overflow attempt little endian unicode MAC_Dst: 00:30:48:30:03:AE; 135<-1151 1:2299913 {tcp} Inbound Attack: ET SHELLCODE x86 0x90 unicode NOOP MAC_Dst: 00:30:48:30:03:AE; 135<-1151 1:1444 (2) {udp} Egg Download: TFTP GET from external source; 1028->69 1:2008120 (2) {udp} Egg Download: ET POLICY Outbound TFTP Read Request; 1028->69 1:3001441 (2) {udp} Egg Download: TFTP GET .exe from external source; 1028->69
192.168.1.217	2.1	VIEW 2	213.155.0.224 213.155.0.224 (Comp), -, Valen1 - Sergey Baskakov, Namibia, Mail Abuser Malware Controller.	1:22000032 {tcp} Inbound Attack: ET EXPLOIT LSA exploit MAC_Dst: 00:30:48:30:03:AE; 445<-43383 1:22000033 {tcp} Inbound Attack: ET EXPLOIT MS04011 Lsasrv.dll RPC exploit (WinXP) MAC_Dst: 00:30:48:30:03:AE; 445<-43383 1:2299913 (2) {tcp} Inbound Attack: ET SHELLCODE x86 0x90 unicode NOOP MAC_Dst: 00:30:48:30:03:AE; 445<-43383 1:3300003 {tcp} Egg Download: BotHunter HTTP-based .exe Upload on backdoor port; 1031->1100
192.168.1.3	1.6	VIEW 2	213.155.0.224 213.155.0.224 (Comp), -, Valen1 - Sergey Baskakov, Namibia, Mail Abuser Malware Controller.	1:22000032 {tcp} Inbound Attack: ET EXPLOIT LSA exploit MAC_Dst: 00:30:48:30:03:AE; 445<-51751 1:22000033 {tcp} Inbound Attack: ET EXPLOIT MS04011 Lsasrv.dll RPC exploit (WinXP) MAC_Dst: 00:30:48:30:03:AE; 445<-51751 1:2299913 (2) {tcp} Inbound Attack: ET SHELLCODE x86 0x90 unicode NOOP MAC_Dst: 00:30:48:30:03:AE; 445<-51751 1:3300003 {tcp} Egg Download: BotHunter HTTP-based .exe Upload on backdoor port; 1031->8061
192.168.1.253	1.3	VIEW 2		1:22351 {tcp} Inbound Attack: REGISTERED FREE NETBIOS DCERPC ISystemActivator path overflow attempt little endian unicode MAC_Dst: 00:30:48:30:03:AE; 135<-35708 1:2299913 {tcp} Inbound Attack: ET SHELLCODE x86 0x90 unicode NOOP MAC_Dst: 00:30:48:30:03:AE; 135<-35708 1:552123 {tcp} Outbound Attack: REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner; 1027->707 1:1444 (2) {udp} Egg Download: TFTP GET from external source; 1028->69 1:2008120 (2) {udp} Egg Download: ET POLICY Outbound TFTP Read Request; 1028->69
192.168.1.8	1.6	VIEW 2	213.155.0.224 213.155.0.224 (Comp), -, Valen1 - Sergey Baskakov, Namibia, Mail Abuser Malware Controller.	1:22000032 {tcp} Inbound Attack: ET EXPLOIT LSA exploit MAC_Dst: 00:30:48:30:03:AE; 445<-4758 1:22000033 {tcp} Inbound Attack: ET EXPLOIT MS04011 Lsasrv.dll RPC exploit (WinXP) MAC_Dst: 00:30:48:30:03:AE; 445<-4758 1:2299913 (2) {tcp} Inbound Attack: ET SHELLCODE x86 0x90 unicode NOOP MAC_Dst: 00:30:48:30:03:AE; 445<-4758 1:3300003 {tcp} Egg Download: BotHunter HTTP-based .exe Upload on backdoor port; 1031->272
192.168.1.192	0.8	VIEW 2		1:22003081 {tcp} Inbound Attack: ET EXPLOIT NETBIOS SMB DCERPC NetrpPathCanonicalize request (possible MS06-040) MAC_Dst: 00:30:48:30:03:AE; 139<-3844 1:22003082 {tcp} Inbound Attack: ET EXPLOIT NETBIOS SMB-DS DCERPC NetrpPathCanonicalize request (possible MS06-040) MAC_Dst: 00:30:48:30:03:AE; 139<-3844 1:2299913 {tcp} Inbound Attack: ET SHELLCODE x86 0x90 unicode NOOP MAC_Dst: 00:30:48:30:03:AE; 139<-3844 1:2000419 {tcp} Egg Download: ET POLICY PE EXE or DLL Windows file download; 9988<-4250
192.168.1.40	0.8	VIEW 1		1:22009201 {tcp} Inbound Attack: ET CURRENT_EVENTS Conficker.b Shellcode MAC_Dst: 00:30:48:30:03:AE; 445<-3726 1:3300007 {tcp} Egg Download: BotHunter Malware Windows executable (PE) sent from remote host; 445<-3726
192.168.1.241	0.8	VIEW 1		1:2299913 (4) {tcp} Inbound Attack: ET SHELLCODE x86 0x90 unicode NOOP MAC_Dst: 00:30:48:30:03:AE; 445<-8837 1:552123 {tcp} Outbound Attack: REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner; 9995->8841
192.168.1.212	0.8	VIEW 4	140.211.167.98 140.211.167.98 (Comp), Oregonstate.Edu, Oregon State System Of Higher Education, Klamath Falls, Oregon, United States, Malware Controller.	1:9910005 {tcp} Bot Space Access: BotHunter REPO confirmed botnet control server; 54320->6667 1:9910009 {tcp} Bot Space Access: ET ShadowServer confirmed botnet control server; 54320->6667 1:9910005 {tcp} Bot Space Access: BotHunter REPO confirmed botnet control server; 50063->6667 1:9910009 {tcp} Bot Space Access: ET ShadowServer confirmed botnet control server; 50063->6667
192.168.1.203	2.1	VIEW 4	211.75.247.164 211.75.247.164 (Comp), Hinet.Net, Tainan New Edison Communication, Tainan, Kao-Hsiung, Taiwan, Malware Propagator Malware Controller.	1:22351 {tcp} Inbound Attack: REGISTERED FREE NETBIOS DCERPC ISystemActivator path overflow attempt little endian unicode MAC_Dst: 00:30:48:30:03:AE; 135<-1258 1:2299913 {tcp} Inbound Attack: ET SHELLCODE x86 0x90 unicode NOOP MAC_Dst: 00:30:48:30:03:AE; 135<-1258 1:552123 {tcp} Outbound Attack: REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner; 1027->707 1:1444 (2) {udp} Egg Download: TFTP GET from external source; 1028->69 1:2008120 (2) {udp} Egg Download: ET POLICY Outbound TFTP Read Request; 1028->69 1:9910023 {tcp} Bot Space Access: BotHunter Malware propagation attack source; 135->46549 1:22351 {tcp} Inbound Attack: REGISTERED FREE NETBIOS DCERPC ISystemActivator path overflow attempt little endian unicode MAC_Dst: 00:30:48:30:03:AE; 135<-46549 1:2299913 {tcp} Inbound Attack: ET SHELLCODE x86 0x90 unicode NOOP MAC_Dst: 00:30:48:30:03:AE; 135<-46549
192.168.1.103	0.8	VIEW 2		1:22003081 {tcp} Inbound Attack: ET EXPLOIT NETBIOS SMB DCERPC NetrpPathCanonicalize request (possible MS06-040) MAC_Dst: 00:30:48:30:03:AE; 139<-58224 1:22003082 {tcp} Inbound Attack: ET EXPLOIT NETBIOS SMB-DS DCERPC NetrpPathCanonicalize request (possible MS06-040) MAC_Dst: 00:30:48:30:03:AE; 139<-58224 1:2299913 {tcp} Inbound Attack: ET SHELLCODE x86 0x90 unicode NOOP MAC_Dst: 00:30:48:30:03:AE; 139<-58224 1:2000419 {tcp} Egg Download: ET POLICY PE EXE or DLL Windows file download; 9988<-60472
192.168.1.219	2.2	VIEW 2	140.174.25.8 140.174.25.8 (Dsl), Verio.Net, Ntt America Inc, Englewood, Colorado, United States, Malware Controller. 64.38.232.180 64.38.232.180 (Comp), -, Domain Development, Calabasas, California, United States, Malicious Site Mail Abuser Malware Controller Malware Propagator.	1:22351 {tcp} Inbound Attack: REGISTERED FREE NETBIOS DCERPC ISystemActivator path overflow attempt little endian unicode MAC_Dst: 00:30:48:30:03:AE; 135<-2547 1:2299913 {tcp} Inbound Attack: ET SHELLCODE x86 0x90 unicode NOOP MAC_Dst: 00:30:48:30:03:AE; 135<-2547 1:552123 {tcp} Outbound Attack: REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner; 1027->707 1:1444 (2) {udp} Egg Download: TFTP GET from external source; 1028->69 1:2008120 (2) {udp} Egg Download: ET POLICY Outbound TFTP Read Request; 1028->69
192.168.1.154	2.2	VIEW 2	122.224.6.164 122.224.6.164 (Dsl), Yztradecn.Com, Shaoxing Telecom Bureau, Beijing, China, Malicious Site Mail Abuser Malware Controller. 140.174.25.8 140.174.25.8 (Dsl), Verio.Net, Ntt America Inc, Englewood, Colorado, United States, Malware Controller. 64.38.232.180 64.38.232.180 (Comp), -, Domain Development, Calabasas, California, United States, Malicious Site Mail Abuser Malware Controller Malware Propagator.	1:9910005 {tcp} Bot Space Access: BotHunter REPO confirmed botnet control server; 1339->82 1:2000419 {tcp} Egg Download: ET POLICY PE EXE or DLL Windows file download; 1339<-82 1:3300007 {tcp} Egg Download: BotHunter Malware Windows executable (PE) sent from remote host; 1339<-82 1:2002196 (2) {tcp} C&C Communication: ET MALWARE Casalemedia Spyware Reporting URL Visited 2, [/sd?s=84893&f=1]; 1374->80 1:2009880 {tcp} C&C Communication: ET MALWARE Casalemedia Spyware Reporting URL Visited 3, [/sd?s=84893&f=1&C=1]; 1374->80 1:3810007 {tcp} Russian Business Network: ET Known Russian Business Network Monitored Domain; 1349->80
192.168.1.42	0.8	VIEW 2		1:22003081 {tcp} Inbound Attack: ET EXPLOIT NETBIOS SMB DCERPC NetrpPathCanonicalize request (possible MS06-040) MAC_Dst: 00:30:48:30:03:AE; 139<-3181 1:22003082 {tcp} Inbound Attack: ET EXPLOIT NETBIOS SMB-DS DCERPC NetrpPathCanonicalize request (possible MS06-040) MAC_Dst: 00:30:48:30:03:AE; 139<-3181 1:2299913 {tcp} Inbound Attack: ET SHELLCODE x86 0x90 unicode NOOP MAC_Dst: 00:30:48:30:03:AE; 139<-3181 1:2000419 {tcp} Egg Download: ET POLICY PE EXE or DLL Windows file download; 9988<-3270
192.168.1.195	1.7	VIEW 2	174.123.157.154 174.123.157.154 (Dsl), Theplanet.Com, Theplanet.Com Internet Services Inc, Dallas, Texas, United States, Malicious Site Mail Abuser Malware Controller. 64.38.232.180 64.38.232.180 (Comp), -, Domain Development, Calabasas, California, United States, Malicious Site Mail Abuser Malware Controller Malware Propagator.	1:22000032 {tcp} Inbound Attack: ET EXPLOIT LSA exploit MAC_Dst: 00:30:48:30:03:AE; 445<-22253 1:22000046 (2) {tcp} Inbound Attack: ET EXPLOIT MS04011 Lsasrv.dll RPC exploit (Win2k) MAC_Dst: 00:30:48:30:03:AE; 445<-22253 1:2009456 {tcp} C&C Communication: ET USER_AGENTS Suspicious User Agent (ClickAdsByIE), [/p6.asp?MAC=00-0C-29-F7-BD-23&Publicer=dc99]; 1587->80 1:2000419 {tcp} Egg Download: ET POLICY PE EXE or DLL Windows file download; 1600<-80 1:2007671 {tcp} Egg Download: ET POLICY Binary Download Smaller than 1 MB Likely Hostile; 1600<-80
192.168.1.98	0.8	VIEW 1		1:22003081 (2) {tcp} Inbound Attack: ET EXPLOIT NETBIOS SMB DCERPC NetrpPathCanonicalize request (possible MS06-040) MAC_Dst: 00:30:48:30:03:AE; 139<-2964 1:22003082 (2) {tcp} Inbound Attack: ET EXPLOIT NETBIOS SMB-DS DCERPC NetrpPathCanonicalize request (possible MS06-040) MAC_Dst: 00:30:48:30:03:AE; 139<-2964 1:2299913 (3) {tcp} Inbound Attack: ET SHELLCODE x86 0x90 unicode NOOP MAC_Dst: 00:30:48:30:03:AE; 139<-3197 1:2000419 {tcp} Egg Download: ET POLICY PE EXE or DLL Windows file download; 9988<-3602
192.168.1.127	0.9	VIEW 4	209.159.151.3 209.159.151.3 (Dsl), Speakeasy.Net, -, San Francisco, California, United States, Malware Controller Malware Propagator. 209.190.113.190 209.190.113.190 (Comp), Xlhost.Com, Mohd. Arif Hossain Khan, Bangladesh, Malware Controller Mail Abuser.	1:2000419 {tcp} Egg Download: ET POLICY PE EXE or DLL Windows file download; 50178<-80 1:2003179 {tcp} Egg Download: ET POLICY exe download without User Agent, [/36000/36486/ud_200/SoftonicDownloader_for_eclipse.exe?AWSAccessKeyId=0HXVA1YMG3HX1XDSGT02&Expires=1308611233&Signature=KVjtTAN]; 50178->80 1:2007671 {tcp} Egg Download: ET POLICY Binary Download Smaller than 1 MB Likely Hostile; 50178<-80 1:2000419 (2) {tcp} Egg Download: ET POLICY PE EXE or DLL Windows file download; 50208<-80 1:2003179 (2) {tcp} Egg Download: ET POLICY exe download without User Agent, [/315000/315777/97143/softonic-us-silent.exe?SD_used=1&Policy=eyJTdGF0ZW1lbnQiOlt7IlJlc291cmNlIjoiaHR0cDpcL1wvc2QtY2YuZW4uc29mdG]; 50208->80 1:2007671 (2) {tcp} Egg Download: ET POLICY Binary Download Smaller than 1 MB Likely Hostile; 50208<-80 1:2000419 {tcp} Egg Download: ET POLICY PE EXE or DLL Windows file download; 50242<-80 1:2003179 {tcp} Egg Download: ET POLICY exe download without User Agent, [/auth/otn-pub/java/java_ee_sdk/6u2-wjdk-6u26/java_ee_sdk-6u2-jdk-windows-x64-ml.exe?e=1308595813&h=074ef2b2440a3ec27eca785d8158]; 50242->80 1:2003179 {tcp} Egg Download: ET POLICY exe download without User Agent, [/b?c1=2&c2=7531640&rn=569320761&c7=http:/loadus.exelator.com/load/?p=133&g=001&c=288656&ctg=&subctg=&product=&retailer=&brand=&]; 52712->80 1:3810007 {tcp} Russian Business Network: ET Known Russian Business Network Monitored Domain, [2%0E%B3%99oK%8E)%17%00%00T,20110620 19:15:23%0A%17%00%00T,20110620]; 52721->80 1:2003179 (2) {tcp} Egg Download: ET POLICY exe download without User Agent, [/b?c1=2&c2=7531640&rn=569320761&c7=http:/loadus.exelator.com/load/?p=133&g=001&c=288656&ctg=&subctg=&product=&retailer=&brand=&]; 52712->80
192.168.1.44	1.1	VIEW 2	71.23.214.228 71.23.214.228 (Dsl), Clearwire-Dns.Net, Clearwire Us Llc, Philadelphia, Pennsylvania, United States, Malware Propagator Malware Controller Malicious Scanner.	1:9910023 {tcp} Bot Space Access: BotHunter Malware propagation attack source; 445->2972 1:22000046 (2) {tcp} Inbound Attack: ET EXPLOIT MS04011 Lsasrv.dll RPC exploit (Win2k) MAC_Dst: 00:30:48:30:03:AE; 445<-2972
192.168.1.181	0.8	VIEW 4	140.174.25.8 140.174.25.8 (Dsl), Verio.Net, Ntt America Inc, Englewood, Colorado, United States, Malware Controller.	1:22000032 {tcp} Inbound Attack: ET EXPLOIT LSA exploit MAC_Dst: 00:30:48:30:03:AE; 445<-23399 1:22000046 (2) {tcp} Inbound Attack: ET EXPLOIT MS04011 Lsasrv.dll RPC exploit (Win2k) MAC_Dst: 00:30:48:30:03:AE; 445<-23399 1:2002196 {tcp} C&C Communication: ET MALWARE Casalemedia Spyware Reporting URL Visited 2, [/sd?s=84893&f=1]; 1148->80 1:2002196 (2) {tcp} C&C Communication: ET MALWARE Casalemedia Spyware Reporting URL Visited 2, [/sd?s=84893&f=1]; 1148->80 1:2009880 {tcp} C&C Communication: ET MALWARE Casalemedia Spyware Reporting URL Visited 3, [/sd?s=84893&f=1&C=1]; 1148->80 1:22003081 {tcp} Inbound Attack: ET EXPLOIT NETBIOS SMB DCERPC NetrpPathCanonicalize request (possible MS06-040) MAC_Dst: 00:30:48:30:03:AE; 139<-21817 1:22003082 {tcp} Inbound Attack: ET EXPLOIT NETBIOS SMB-DS DCERPC NetrpPathCanonicalize request (possible MS06-040) MAC_Dst: 00:30:48:30:03:AE; 139<-21817 1:2299913 {tcp} Inbound Attack: ET SHELLCODE x86 0x90 unicode NOOP MAC_Dst: 00:30:48:30:03:AE; 139<-21817
192.168.1.225	2.5	VIEW 4	1.224.253.194 1.224.253.194 (-), -, -, -, Malware Propagator Malware Controller. 60.190.222.139 60.190.222.139 (Dsl), Yztradecn.Com, Shaoxing Telecom Bureau, Beijing, China, Malicious Site Mail Abuser Malware Controller.	1:22351 {tcp} Inbound Attack: REGISTERED FREE NETBIOS DCERPC ISystemActivator path overflow attempt little endian unicode MAC_Dst: 00:30:48:30:03:AE; 135<-38601 1:2299913 {tcp} Inbound Attack: ET SHELLCODE x86 0x90 unicode NOOP MAC_Dst: 00:30:48:30:03:AE; 135<-38601 1:552123 {tcp} Outbound Attack: REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner; 1027->707 1:1444 (2) {udp} Egg Download: TFTP GET from external source; 1028->69 1:2008120 (2) {udp} Egg Download: ET POLICY Outbound TFTP Read Request; 1028->69 1:9910023 {tcp} Bot Space Access: BotHunter Malware propagation attack source; 135->1241 1:22351 {tcp} Inbound Attack: REGISTERED FREE NETBIOS DCERPC ISystemActivator path overflow attempt little endian unicode MAC_Dst: 00:30:48:30:03:AE; 135<-1241 1:2299913 {tcp} Inbound Attack: ET SHELLCODE x86 0x90 unicode NOOP MAC_Dst: 00:30:48:30:03:AE; 135<-1241
192.168.1.170	1.3	VIEW 6	204.145.83.230 204.145.83.230 (Dsl), Speakeasy.Net, -, United States, Malware Controller.	1:22351 {tcp} Inbound Attack: REGISTERED FREE NETBIOS DCERPC ISystemActivator path overflow attempt little endian unicode MAC_Dst: 00:30:48:30:03:AE; 135<-4131 1:2299913 {tcp} Inbound Attack: ET SHELLCODE x86 0x90 unicode NOOP MAC_Dst: 00:30:48:30:03:AE; 135<-4131 1:552123 {tcp} Outbound Attack: REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner; 1031->707 1:1444 (2) {udp} Egg Download: TFTP GET from external source; 1032->69 1:2008120 (2) {udp} Egg Download: ET POLICY Outbound TFTP Read Request; 1032->69 1:2003179 {tcp} Egg Download: ET POLICY exe download without User Agent, [/b?c1=2&c2=7531640&rn=1017524181&c12=1838583715-441426007-1299255728940&c7=http:/loadus.exelator.com/load/?p=133&g=002&c=288656]; 62188->80 1:3810007 {tcp} Russian Business Network: ET Known Russian Business Network Monitored Domain; 62212->80 1:2003179 {tcp} Egg Download: ET POLICY exe download without User Agent, [/b?c1=2&c2=7531640&rn=1856569078&c12=1838583715-441426007-1299255728940&c7=http:/loadus.exelator.com/load/?p=133&g=002&c=288656]; 62257->80 1:2003179 {tcp} Egg Download: ET POLICY exe download without User Agent, [/b?c1=2&c2=7531640&rn=1017524181&c12=1838583715-441426007-1299255728940&c7=http:/loadus.exelator.com/load/?p=133&g=002&c=288656]; 62188->80 1:2003179 {tcp} Egg Download: ET POLICY exe download without User Agent, [/b?c1=2&c2=7531640&rn=968451817&c12=1838583715-441426007-1299255728940&c7=http:/loadus.exelator.com/load/?p=133&g=002&c=288656&]; 63982->80 1:3810007 {tcp} Russian Business Network: ET Known Russian Business Network Monitored Domain; 63979->80 1:2003179 {tcp} Egg Download: ET POLICY exe download without User Agent, [/b?c1=2&c2=7531640&rn=1782487212&c12=1838583715-441426007-1299255728940&c7=http:/loadus.exelator.com/load/?p=133&g=002&c=288656]; 50170->80
192.168.1.226	2.1	VIEW 2	211.75.234.92 211.75.234.92 (Dsl), Hinet.Net, Chunghwa Telecom Data Communication Business Group, Taipei, T'Ai-Pei, Taiwan, Malware Propagator Malware Controller.	1:9910023 {tcp} Bot Space Access: BotHunter Malware propagation attack source; 135->6238 1:22351 {tcp} Inbound Attack: REGISTERED FREE NETBIOS DCERPC ISystemActivator path overflow attempt little endian unicode MAC_Dst: 00:30:48:30:03:AE; 135<-6238 1:2299913 {tcp} Inbound Attack: ET SHELLCODE x86 0x90 unicode NOOP MAC_Dst: 00:30:48:30:03:AE; 135<-6238 1:1444 {udp} Egg Download: TFTP GET from external source; 1028->69 1:2008120 {udp} Egg Download: ET POLICY Outbound TFTP Read Request; 1028->69 1:3001441 {udp} Egg Download: TFTP GET .exe from external source; 1028->69
192.168.1.128	1.1	VIEW 2	50.15.144.162 50.15.144.162 (-), -, -, -, Malware Propagator Mail Abuser Malicious Scanner.	1:9910023 {tcp} Bot Space Access: BotHunter Malware propagation attack source; 445->40039 1:22000046 (2) {tcp} Inbound Attack: ET EXPLOIT MS04011 Lsasrv.dll RPC exploit (Win2k) MAC_Dst: 00:30:48:30:03:AE; 445<-40039
192.168.1.220	1.3	VIEW 2		1:22351 {tcp} Inbound Attack: REGISTERED FREE NETBIOS DCERPC ISystemActivator path overflow attempt little endian unicode MAC_Dst: 00:30:48:30:03:AE; 135<-7797 1:2299913 {tcp} Inbound Attack: ET SHELLCODE x86 0x90 unicode NOOP MAC_Dst: 00:30:48:30:03:AE; 135<-7797 1:552123 {tcp} Outbound Attack: REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner; 1027->707 1:1444 (2) {udp} Egg Download: TFTP GET from external source; 1028->69 1:2008120 (2) {udp} Egg Download: ET POLICY Outbound TFTP Read Request; 1028->69
192.168.1.38	0.8	VIEW 1	109.86.94.110 109.86.94.110 (Dsl), -, Ua-Edunetworks, Ukraine, Malware Propagator.	1:9910023 {tcp} Bot Space Access: BotHunter Malware propagation attack source; 445->50214
192.168.1.178	1.1	VIEW 2	173.25.166.241 173.25.166.241 (Dsl), Mchsi.Com, Mediacom Communications Corp, Valdosta, Georgia, United States, Malware Propagator Malware Controller.	1:9910023 {tcp} Bot Space Access: BotHunter Malware propagation attack source; 445->4085 1:22000032 {tcp} Inbound Attack: ET EXPLOIT LSA exploit MAC_Dst: 00:30:48:30:03:AE; 445<-4085 1:22000046 (2) {tcp} Inbound Attack: ET EXPLOIT MS04011 Lsasrv.dll RPC exploit (Win2k) MAC_Dst: 00:30:48:30:03:AE; 445<-4085
192.168.1.130	0.8	VIEW 2		1:22003081 {tcp} Inbound Attack: ET EXPLOIT NETBIOS SMB DCERPC NetrpPathCanonicalize request (possible MS06-040) MAC_Dst: 00:30:48:30:03:AE; 139<-3947 1:22003082 {tcp} Inbound Attack: ET EXPLOIT NETBIOS SMB-DS DCERPC NetrpPathCanonicalize request (possible MS06-040) MAC_Dst: 00:30:48:30:03:AE; 139<-3947 1:2299913 {tcp} Inbound Attack: ET SHELLCODE x86 0x90 unicode NOOP MAC_Dst: 00:30:48:30:03:AE; 139<-3947 1:2000419 {tcp} Egg Download: ET POLICY PE EXE or DLL Windows file download; 9988<-4013
192.168.1.14	1.0	VIEW 4	77.75.77.123 77.75.77.123 (Dsl), Mapy.Cz, Seznam.Cz, Prague, Hlavni Mesto Praha, Czech Republic. 67.195.112.51 67.195.112.51 (Dsl), Yahoo.Com, Yahoo! Inc, Sunnyvale, California, United States. 66.249.71.212 66.249.71.212 (Dial), Google.Com, Google Inc, Mountain View, California, United States.	1:2002033 {tcp} C&C Communication: ET TROJAN BOT - potential response; 80->49959 1:552123 {tcp} Outbound Attack: REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner; 80->49959 1:2002033 {tcp} C&C Communication: ET TROJAN BOT - potential response; 80->59310 1:552123 {tcp} Outbound Attack: REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner; 80->46809 1:2002033 {tcp} C&C Communication: ET TROJAN BOT - potential response; 80->39799 1:552123 (3) {tcp} Outbound Attack: REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner; 80->55093 1:552123 (4) {tcp} Outbound Attack: REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner; 80->55093
192.168.1.173	2.1	VIEW 2	70.112.223.203 70.112.223.203 (Dsl), Rr.Com, Road Runner Holdco Llc, Bastrop, Texas, United States, Malware Propagator Malware Controller Mail Abuser.	1:9910023 {tcp} Bot Space Access: BotHunter Malware propagation attack source; 135->1121 1:22351 {tcp} Inbound Attack: REGISTERED FREE NETBIOS DCERPC ISystemActivator path overflow attempt little endian unicode MAC_Dst: 00:30:48:30:03:AE; 135<-1121 1:2299913 {tcp} Inbound Attack: ET SHELLCODE x86 0x90 unicode NOOP MAC_Dst: 00:30:48:30:03:AE; 135<-1121 1:1444 (2) {udp} Egg Download: TFTP GET from external source; 1028->69 1:2008120 (2) {udp} Egg Download: ET POLICY Outbound TFTP Read Request; 1028->69 1:3001441 (2) {udp} Egg Download: TFTP GET .exe from external source; 1028->69
192.168.1.165	0.9	VIEW 1	140.174.25.8 140.174.25.8 (Dsl), Verio.Net, Ntt America Inc, Englewood, Colorado, United States, Malware Controller. 64.38.232.180 64.38.232.180 (Comp), -, Domain Development, Calabasas, California, United States, Malicious Site Mail Abuser Malware Controller Malware Propagator.	1:2002196 (6) {tcp} C&C Communication: ET MALWARE Casalemedia Spyware Reporting URL Visited 2; 1163->80 1:2009880 (2) {tcp} C&C Communication: ET MALWARE Casalemedia Spyware Reporting URL Visited 3, [/sd?s=84893&f=1&C=1]; 1150->80 1:3810007 {tcp} Russian Business Network: ET Known Russian Business Network Monitored Domain; 1183->80
192.168.1.159	1.1	VIEW 2	71.23.214.228 71.23.214.228 (Dsl), Clearwire-Dns.Net, Clearwire Us Llc, Philadelphia, Pennsylvania, United States, Malware Propagator Malware Controller Malicious Scanner.	1:9910023 {tcp} Bot Space Access: BotHunter Malware propagation attack source; 445->1846 1:22000046 (2) {tcp} Inbound Attack: ET EXPLOIT MS04011 Lsasrv.dll RPC exploit (Win2k) MAC_Dst: 00:30:48:30:03:AE; 445<-1846
192.168.1.76	1.6	VIEW 2	213.155.0.224 213.155.0.224 (Comp), -, Valen1 - Sergey Baskakov, Namibia, Mail Abuser Malware Controller.	1:22000032 {tcp} Inbound Attack: ET EXPLOIT LSA exploit MAC_Dst: 00:30:48:30:03:AE; 445<-4495 1:22000033 {tcp} Inbound Attack: ET EXPLOIT MS04011 Lsasrv.dll RPC exploit (WinXP) MAC_Dst: 00:30:48:30:03:AE; 445<-4495 1:2299913 (2) {tcp} Inbound Attack: ET SHELLCODE x86 0x90 unicode NOOP MAC_Dst: 00:30:48:30:03:AE; 445<-4495 1:3300003 {tcp} Egg Download: BotHunter HTTP-based .exe Upload on backdoor port; 1031->7284
192.168.1.57	0.9	VIEW 2	222.173.188.54 222.173.188.54 (Dsl), Qinglin-Sd.Com, Chinanet Shandong Province Network, Jinan, Shandong, China, Malware Controller. 221.13.128.166 221.13.128.166 (Dsl), Kd.Smx.Adsl, China Unicom Henan Province Network, Beijing, China, Malware Controller.	1:2003620 {tcp} C&C Communication: ET MALWARE 51yes.com Spyware Reporting User Activity, [/sa.aspx?id=350976759&refe=http:/www.sodu.org/mulu_91449.html&location=http:/www.93zw.com/content/Book/2/2749/5568129.shtml&col]; 52707->80 1:3810007 {tcp} Russian Business Network: ET Known Russian Business Network Monitored Domain; 52655->80 1:22009201 {tcp} Inbound Attack: ET CURRENT_EVENTS Conficker.b Shellcode MAC_Dst: 00:30:48:30:03:AE; 445<-3335 1:3300007 {tcp} Egg Download: BotHunter Malware Windows executable (PE) sent from remote host; 445<-3335
192.168.1.187	1.3	VIEW 3		1:2299913 (4) {tcp} Inbound Attack: ET SHELLCODE x86 0x90 unicode NOOP MAC_Dst: 00:30:48:30:03:AE; 445<-22727 1:552123 {tcp} Outbound Attack: REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner; 9995->22749 1:22351 {tcp} Inbound Attack: REGISTERED FREE NETBIOS DCERPC ISystemActivator path overflow attempt little endian unicode MAC_Dst: 00:30:48:30:03:AE; 135<-1833 1:2299913 {tcp} Inbound Attack: ET SHELLCODE x86 0x90 unicode NOOP MAC_Dst: 00:30:48:30:03:AE; 135<-1833 1:552123 {tcp} Outbound Attack: REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner; 1031->707 1:1444 {udp} Egg Download: TFTP GET from external source; 1032->69
192.168.1.234	1.3	VIEW 2		1:22351 {tcp} Inbound Attack: REGISTERED FREE NETBIOS DCERPC ISystemActivator path overflow attempt little endian unicode MAC_Dst: 00:30:48:30:03:AE; 135<-25888 1:2299913 {tcp} Inbound Attack: ET SHELLCODE x86 0x90 unicode NOOP MAC_Dst: 00:30:48:30:03:AE; 135<-25888 1:552123 {tcp} Outbound Attack: REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner; 1027->707 1:1444 (2) {udp} Egg Download: TFTP GET from external source; 1028->69 1:2008120 (2) {udp} Egg Download: ET POLICY Outbound TFTP Read Request; 1028->69
192.168.1.102	2.2	VIEW 269	132.239.17.226 132.239.17.226 (Comp), Ucsd.Edu, University Of California San Diego, La Jolla, California, United States, Malware Controller. 218.6.19.3 218.6.19.3 (Dsl), 163data.Com.Cn, Chinanet Fujian Province Network, Beijing, China, Malware Controller. 195.37.16.125 195.37.16.125 (Comp), -, Extranet Der Universitaet Passau, Passau, Bayern, Germany, Malware Controller. 206.207.248.34 206.207.248.34 (Comp), Arizona.Edu, University Of Arizona, Tucson, Arizona, United States, Mail Abuser Malware Controller. 213.136.106.214 213.136.106.214 (Dsl), Afnet.Net, Isp Cote D'Ivoire, Abidjan, Cote D'Ivoire, Malware Controller. 194.85.105.17 194.85.105.17 (Dsl), Ripn.Net, Network For Ru Services, Moscow, Moskva, Russian Federation, Malicious Site Mail Abuser Malware Controller. 134.34.246.5 134.34.246.5 (Dsl), Uni-Konstanz.De, Universitaet Konstanz, Konstanz, Baden-WÜRttemberg, Germany, Malware Controller. 143.89.49.74 143.89.49.74 (Dsl), Ustlnx43-N2.Ust.Hk, Hong Kong University Of Science And Technology, Hong Kong, Hong Kong (Sar), Hong Kong, Malware Controller Mail Abuser. 12.46.129.16 12.46.129.16 (Comp), Comcastbusiness.Net, Intel, Berkeley, California, United States, Malware Controller. 192.168.1.230 192.168.1.230 (-), -, Private Ip Address Lan, -. 195.116.60.211 195.116.60.211 (Dsl), Tp.Pl, Tpsa Dyr.Sp./Cbr, Bialystok, Podlaskie, Poland, Mail Abuser Malware Controller. 98.124.199.1 98.124.199.1 (Dsl), Name-Services.Com, Enom Incorporated, Bellevue, Washington, United States, Malware Propagator. 98.124.198.1 98.124.198.1 (Dsl), Name-Services.Com, Enom Incorporated, Bellevue, Washington, United States, Malware Propagator.	1:9910005 {tcp} Bot Space Access: BotHunter REPO confirmed botnet control server; 48261->2126 1:3810007 {tcp} Russian Business Network: ET Known Russian Business Network Monitored Domain; 3124->59264 1:9910006 {udp} Bot Space Access: BotHunter REPO confirmed botnet control server; 4795->4795 1:3810007 {tcp} Russian Business Network: ET Known Russian Business Network Monitored Domain; 3124->47236 1:9910006 {udp} Bot Space Access: BotHunter REPO confirmed botnet control server; 2122->2122 1:9910005 {tcp} Bot Space Access: BotHunter REPO confirmed botnet control server; 46624->2128 1:3810008 {udp} Russian Business Network: ET Known Russian Business Network Monitored Domain; 60236->53 1:9910006 {udp} Bot Space Access: BotHunter REPO confirmed botnet control server; 23127->23127 1:2003179 {tcp} Egg Download: ET POLICY exe download without User Agent, [/coblitz/wow/patches/3.3.0/WoW-3.2.0.10192-to-3.3.0.10958-enUS-patch.exe]; 53221->80 1:3810007 {tcp} Russian Business Network: ET Known Russian Business Network Monitored Domain; 3124->53518 1:9910005 {tcp} Bot Space Access: BotHunter REPO confirmed botnet control server; 41178->3128 1:3810007 {tcp} Russian Business Network: ET Known Russian Business Network Monitored Domain; 3124->47975 1:3810008 {udp} Russian Business Network: ET Known Russian Business Network Monitored Domain; 55591->53 1:3810007 {tcp} Russian Business Network: ET Known Russian Business Network Monitored Domain; 3124->55398 1:9910005 {tcp} Bot Space Access: BotHunter REPO confirmed botnet control server; 60732->3128 1:3810007 {tcp} Russian Business Network: ET Known Russian Business Network Monitored Domain; 3124->36321 1:9910005 {tcp} Bot Space Access: BotHunter REPO confirmed botnet control server; 52959->2126 1:9910005 {tcp} Bot Space Access: BotHunter REPO confirmed botnet control server; 59620->3128 1:3810007 {tcp} Russian Business Network: ET Known Russian Business Network Monitored Domain; 3124->52394 1:9910005 {tcp} Bot Space Access: BotHunter REPO confirmed botnet control server; 56964->2126