Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.164
Infector List: 109.98.239.211
Egg Source List: 109.98.239.211
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 11/29/2011 02:22:43.446 PST
Gen. Time: 11/29/2011 02:22:43.786 PST

INBOUND SCAN

EXPLOIT
  109.98.239.211 (4) (02:22:43.446 PST)
    event=1:22000032 {tcp} E2[rb] ET EXPLOIT LSA exploit, [] MAC_Dst: 00:30:48:30:03:AE 445<-12431 (02:22:43.481 PST)
    -------------------------
    event=1:22000033 {tcp} E2[rb] ET NETBIOS MS04011 Lsasrv.dll RPC exploit (WinXP), [] MAC_Dst: 00:30:48:30:03:AE 445<-12431 (02:22:43.473 PST)
    -------------------------
    event=1:22514 {tcp} E2[rb] GPL NETBIOS SMB-DS DCERPC LSASS DsRolerUpgradeDownlevelServer exploit attempt, [] MAC_Dst: 00:30:48:30:03:AE 445<-12431 (02:22:43.446 PST)
    -------------------------
    event=1:2648 {tcp} E2[rb] GPL SHELLCODE x86 NOOP, [] MAC_Dst: 00:30:48:30:03:AE 445<-12431 (02:22:43.473 PST)

EXPLOIT MALWARE DNS

EGG DOWNLOAD
  109.98.239.211 (02:22:43.786 PST)
    event=1:3300003 {tcp} E3[rb] BotHunter HTTP-based .exe Upload on backdoor port, [] MAC_Src: 00:30:48:30:03:AF 1031->1992 (02:22:43.786 PST)

C and C TRAFFIC

C and C TRAFFIC (RBN)

C and C DNS CHECK-IN

OUTBOUND SKYPE CANDIDATE

OUTBOUND SCAN (spp)

OUTBOUND SCAN

ATTACK PREP

PEER COORDINATION

DECLARE BOT

tcpslice 1322562163.446 1322562163.447 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.164'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.164
Infector List: 109.98.239.211
Egg Source List: 109.98.239.211
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 11/29/2011 02:22:43.446 PST
Gen. Time: 11/29/2011 02:26:37.528 PST

INBOUND SCAN

EXPLOIT
  109.98.239.211 (4) (02:22:43.446 PST)
    event=1:22000032 {tcp} E2[rb] ET EXPLOIT LSA exploit, [] MAC_Dst: 00:30:48:30:03:AE 445<-12431 (02:22:43.481 PST)
    -------------------------
    event=1:22000033 {tcp} E2[rb] ET NETBIOS MS04011 Lsasrv.dll RPC exploit (WinXP), [] MAC_Dst: 00:30:48:30:03:AE 445<-12431 (02:22:43.473 PST)
    -------------------------
    event=1:22514 {tcp} E2[rb] GPL NETBIOS SMB-DS DCERPC LSASS DsRolerUpgradeDownlevelServer exploit attempt, [] MAC_Dst: 00:30:48:30:03:AE 445<-12431 (02:22:43.446 PST)
    -------------------------
    event=1:2648 {tcp} E2[rb] GPL SHELLCODE x86 NOOP, [] MAC_Dst: 00:30:48:30:03:AE 445<-12431 (02:22:43.473 PST)

EXPLOIT MALWARE DNS

EGG DOWNLOAD
  109.98.239.211 (4) (02:22:43.786 PST)
    event=1:2000419 {tcp} E3[rb] ET POLICY PE EXE or DLL Windows file download, [] MAC_Src: 00:21:1C:EE:14:00 1031<-1992 (02:22:44.085 PST)
    -------------------------
    event=1:3300003 {tcp} E3[rb] BotHunter HTTP-based .exe Upload on backdoor port, [] MAC_Src: 00:30:48:30:03:AF 1031->1992 (02:22:43.786 PST)
    -------------------------
    event=1:3300004 {tcp} E3[rb] BotHunter HTTP-based .exe Upload on backdoor port, [] MAC_Src: 00:21:1C:EE:14:00 1031<-1992 (02:22:44.056 PST)
    -------------------------
    event=1:3300007 {tcp} E3[rb] BotHunter Malware Windows executable (PE) sent from remote host, [] MAC_Src: 00:21:1C:EE:14:00 1031<-1992 (02:22:44.085 PST)

C and C TRAFFIC

C and C TRAFFIC (RBN)

C and C DNS CHECK-IN

OUTBOUND SKYPE CANDIDATE

OUTBOUND SCAN (spp)

OUTBOUND SCAN

ATTACK PREP

PEER COORDINATION

DECLARE BOT

tcpslice 1322562163.446 1322562163.447 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.164'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.164
Infector List: 62.182.70.115
Egg Source List:
C & C List: 188.247.135.32
Peer Coord. List:
Resource List:
Observed Start: 11/29/2011 05:53:44.127 PST
Gen. Time: 11/29/2011 05:53:45.300 PST

INBOUND SCAN

EXPLOIT
  62.182.70.115 (05:53:45.300 PST)
    event=1:22514 {tcp} E2[rb] GPL NETBIOS SMB-DS DCERPC LSASS DsRolerUpgradeDownlevelServer exploit attempt, [] MAC_Dst: 00:30:48:30:03:AE 445<-35922 (05:53:45.300 PST)

EXPLOIT MALWARE DNS

EGG DOWNLOAD

C and C TRAFFIC
  188.247.135.32 (05:53:44.127 PST)
    event=1:2013519 {tcp} E4[rb] (experimental) ET TROJAN Driveby Loader Request sn.php, [/sn.php?c=F1EF15F1019120F54C54A1F8C885D43B59C73F0BD9C4198F5F6BECA8D47D644E125B5F48241FBEE163598CE779466A819C6A6CD479E7C8E8ABCE0] MAC_Src: 00:30:48:30:03:AF 1413->80 (05:53:44.127 PST)

C and C TRAFFIC (RBN)

C and C DNS CHECK-IN

OUTBOUND SKYPE CANDIDATE

OUTBOUND SCAN (spp)

OUTBOUND SCAN

ATTACK PREP

PEER COORDINATION

DECLARE BOT

tcpslice 1322574824.127 1322574824.128 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.164'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.164
Infector List: 62.182.70.115
Egg Source List:
C & C List: 188.247.135.32
Peer Coord. List:
Resource List:
Observed Start: 11/29/2011 05:53:44.127 PST
Gen. Time: 11/29/2011 05:55:59.629 PST

INBOUND SCAN

EXPLOIT
  62.182.70.115 (14) (05:53:45.300 PST-05:53:45.536 PST)
    event=1:22000032 {tcp} E2[rb] ET EXPLOIT LSA exploit, [] MAC_Dst: 00:30:48:30:03:AE 445<-35922 (05:53:45.536 PST)
    -------------------------
    event=1:22000046 {tcp} E2[rb] ET NETBIOS MS04011 Lsasrv.dll RPC exploit (Win2k), [] MAC_Dst: 00:30:48:30:03:AE 445<-35922 (05:53:45.536 PST)
    -------------------------
    event=1:22314 (5) {tcp} E2[rb] GPL SHELLCODE x86 0x90 NOOP unicode, [] MAC_Dst: 00:30:48:30:03:AE 5: 445<-35922 (05:53:45.300 PST-05:53:45.536 PST)
    -------------------------
    event=1:22514 (2) {tcp} E2[rb] GPL NETBIOS SMB-DS DCERPC LSASS DsRolerUpgradeDownlevelServer exploit attempt, [] MAC_Dst: 00:30:48:30:03:AE 2: 445<-35922 (05:53:45.300 PST-05:53:45.535 PST)
    -------------------------
    event=1:2653 (5) {tcp} E2[rb] GPL SHELLCODE x86 0x90 unicode NOOP, [] MAC_Dst: 00:30:48:30:03:AE 5: 445<-35922 (05:53:45.300 PST-05:53:45.536 PST)

EXPLOIT MALWARE DNS

EGG DOWNLOAD

C and C TRAFFIC
  188.247.135.32 (05:53:44.127 PST)
    event=1:2013519 {tcp} E4[rb] (experimental) ET TROJAN Driveby Loader Request sn.php, [/sn.php?c=F1EF15F1019120F54C54A1F8C885D43B59C73F0BD9C4198F5F6BECA8D47D644E125B5F48241FBEE163598CE779466A819C6A6CD479E7C8E8ABCE0] MAC_Src: 00:30:48:30:03:AF 1413->80 (05:53:44.127 PST)

C and C TRAFFIC (RBN)

C and C DNS CHECK-IN

OUTBOUND SKYPE CANDIDATE

OUTBOUND SCAN (spp)

OUTBOUND SCAN

ATTACK PREP

PEER COORDINATION

DECLARE BOT

tcpslice 1322574824.127 1322574825.537 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.164'

============================== SEPARATOR ================================