Score: 0.8 (>= 0.8) Infected Target: 192.168.1.75 Infector List: 24.40.203.184 Egg Source List: 24.40.203.184 C & C List: Peer Coord. List: Resource List: Observed Start: 10/04/2011 21:55:21.165 PDT Gen. Time: 10/04/2011 21:55:33.770 PDT INBOUND SCAN EXPLOIT 24.40.203.184 (7) (21:55:21.165 PDT-21:55:22.203 PDT) event=1:22003081 (2) {tcp} E2[rb] ET NETBIOS NETBIOS SMB DCERPC NetrpPathCanonicalize request (possible MS06-040), [] MAC_Dst: 00:30:48:30:03:AE 2: 139<-1770 (21:55:21.763 PDT-21:55:22.203 PDT) ------------------------- event=1:22492 {tcp} E2[rb] GPL NETBIOS SMB DCERPC ISystemActivator bind attempt, [] MAC_Dst: 00:30:48:30:03:AE 139<-1820 (21:55:25.261 PDT) ------------------------- event=1:2537 (3) {tcp} E2[rb] GPL NETBIOS SMB IPC$ share access, [] MAC_Dst: 00:30:48:30:03:AE 139<-1820 (21:55:25.075 PDT) 139<-1794 (21:55:23.523 PDT) 139<-1770 (21:55:21.165 PDT) ------------------------- event=1:2648 {tcp} E2[rb] GPL SHELLCODE x86 NOOP, [] MAC_Dst: 00:30:48:30:03:AE 139<-1794 (21:55:23.807 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 24.40.203.184 (21:55:33.770 PDT) event=1:2000419 {tcp} E3[rb] ET POLICY PE EXE or DLL Windows file download, [] MAC_Src: 00:21:1C:EE:14:00 9988<-1950 (21:55:33.770 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT tcpslice 1317790521.165 1317790522.204 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.75' ============================== SEPARATOR ================================