Score: 0.8 (>= 0.8) Infected Target: 192.168.1.73 Infector List: 117.32.153.145 Egg Source List: 117.32.153.145 C & C List: Peer Coord. List: Resource List: Observed Start: 11/29/2011 14:29:17.277 PST Gen. Time: 11/29/2011 14:29:32.313 PST INBOUND SCAN EXPLOIT 117.32.153.145 (7) (14:29:17.277 PST-14:29:18.375 PST) event=1:22003081 (2) {tcp} E2[rb] ET NETBIOS NETBIOS SMB DCERPC NetrpPathCanonicalize request (possible MS06-040), [] MAC_Dst: 00:30:48:30:03:AE 2: 139<-13658 (14:29:18.016 PST-14:29:18.375 PST) ------------------------- event=1:22492 {tcp} E2[rb] GPL NETBIOS SMB DCERPC ISystemActivator bind attempt, [] MAC_Dst: 00:30:48:30:03:AE 139<-12508 (14:29:23.764 PST) ------------------------- event=1:2537 (3) {tcp} E2[rb] GPL NETBIOS SMB IPC$ share access, [] MAC_Dst: 00:30:48:30:03:AE 139<-12508 (14:29:23.407 PST) 139<-13877 (14:29:20.541 PST) 139<-13658 (14:29:17.277 PST) ------------------------- event=1:2648 {tcp} E2[rb] GPL SHELLCODE x86 NOOP, [] MAC_Dst: 00:30:48:30:03:AE 139<-13877 (14:29:21.082 PST) EXPLOIT MALWARE DNS EGG DOWNLOAD 117.32.153.145 (14:29:32.313 PST) event=1:2000419 {tcp} E3[rb] ET POLICY PE EXE or DLL Windows file download, [] MAC_Src: 00:21:1C:EE:14:00 9988<-13159 (14:29:32.313 PST) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT tcpslice 1322605757.277 1322605758.376 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.73' ============================== SEPARATOR ================================