Score: 0.8 (>= 0.8) Infected Target: 192.168.1.175 Infector List: 42.70.197.71 Egg Source List: 42.70.197.71 C & C List: Peer Coord. List: Resource List: Observed Start: 01/31/2013 01:56:23.774 PST Gen. Time: 01/31/2013 01:56:24.399 PST INBOUND SCAN EXPLOIT 42.70.197.71 (01:56:23.774 PST) event=1:22514 {tcp} E2[rb] GPL NETBIOS SMB-DS DCERPC LSASS DsRolerUpgradeDownlevelServer exploit attempt, [] MAC_Dst: 00:30:48:30:03:AE 445<-4555 (01:56:23.774 PST) EXPLOIT MALWARE DNS EGG DOWNLOAD 42.70.197.71 (01:56:24.399 PST) event=1:3300003 {tcp} E3[rb] BotHunter HTTP-based .exe Upload on backdoor port, [] MAC_Src: 00:30:48:30:03:AF 1031->4589 (01:56:24.399 PST) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1359626183.774 1359626183.775 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.175' ============================== SEPARATOR ================================ Score: 3.5 (>= 0.8) Infected Target: 192.168.1.175 Infector List: 42.70.197.71 Egg Source List: 42.70.197.71 C & C List: 213.155.14.161 Peer Coord. List: Resource List: Observed Start: 01/31/2013 01:56:23.774 PST Gen. Time: 01/31/2013 01:59:39.689 PST INBOUND SCAN EXPLOIT 42.70.197.71 (01:56:23.774 PST) event=1:22514 {tcp} E2[rb] GPL NETBIOS SMB-DS DCERPC LSASS DsRolerUpgradeDownlevelServer exploit attempt, [] MAC_Dst: 00:30:48:30:03:AE 445<-4555 (01:56:23.774 PST) EXPLOIT MALWARE DNS EGG DOWNLOAD 42.70.197.71 (2) (01:56:24.399 PST) event=1:3300003 {tcp} E3[rb] BotHunter HTTP-based .exe Upload on backdoor port, [] MAC_Src: 00:30:48:30:03:AF 1031->4589 (01:56:24.399 PST) ------------------------- event=1:3300004 {tcp} E3[rb] BotHunter HTTP-based .exe Upload on backdoor port, [] MAC_Src: 00:21:1C:EE:14:00 1031<-4589 (01:56:24.662 PST) C and C TRAFFIC 213.155.14.161 (01:56:30.854 PST) event=1:2003070 {tcp} E4[rb] ET WORM Korgo.U Reporting, [/index.php?id=xvqclixiqxivkqek&scn=0&inf=0&ver=19&cnt=USA] MAC_Src: 00:30:48:30:03:AE 1050->80 (01:56:30.854 PST) C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) 189.80.57.11 (01:56:30.539 PST) event=777:7777005 {tcp} E5[bh] Detected moderate malware port scanning of 11 IPs (11 /24s) (# pkts S/M/O/I=0/10/1/0): 445:10, [] MAC_Src: 00:30:48:30:03:AF 0->0 (01:56:30.539 PST) OUTBOUND SCAN 130.198.56.47 (01:56:39.571 PST) event=1:2001569 {tcp} E5[rb] ET SCAN Behavioral Unusual Port NETBIOS traffic, Potential Scan or Infection (60 in 60 secs), [] MAC_Src: 00:30:48:30:03:AF 1043->445 (01:56:39.571 PST) ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port 213.155.14.161 (01:56:30.561 PST) event=1:9920003 {tcp} E8[std] BotHunter MTC confirmed botnet control server on standard port, [] MAC_Src: 00:30:48:30:03:AF 1050->80 (01:56:30.561 PST) DECLARE BOT Non-standard Port DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 189.80.57.11 (01:56:30.657 PST) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 21 IPs (21 /24s) (# pkts S/M/O/I=0/20/1/0): 445:20, [] MAC_Src: 00:30:48:30:03:AF 0->0 (01:56:30.657 PST) tcpslice 1359626183.774 1359626183.775 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.175' ============================== SEPARATOR ================================ Score: 1.1 (>= 0.8) Infected Target: 192.168.1.175 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 01/31/2013 04:10:03.230 PST Gen. Time: 01/31/2013 04:10:03.380 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) 130.116.216.199 (04:10:03.230 PST) event=777:7777005 {tcp} E5[bh] Detected moderate malware port scanning of 10 IPs (10 /24s) (# pkts S/M/O/I=0/10/0/0): 445:10, [] MAC_Src: 00:30:48:30:03:AF 0->0 (04:10:03.230 PST) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 130.3.134.39 (04:10:03.380 PST) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 21 IPs (21 /24s) (# pkts S/M/O/I=0/21/0/0): 445:21, [] MAC_Src: 00:30:48:30:03:AF 0->0 (04:10:03.380 PST) tcpslice 1359634203.230 1359634203.231 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.175' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.175 Infector List: 79.121.70.109 Egg Source List: 79.121.70.109 C & C List: Peer Coord. List: Resource List: Observed Start: 01/31/2013 06:48:49.355 PST Gen. Time: 01/31/2013 06:48:49.722 PST INBOUND SCAN EXPLOIT 79.121.70.109 (3) (06:48:49.355 PST) event=1:22000032 {tcp} E2[rb] ET EXPLOIT LSA exploit, [] MAC_Dst: 00:30:48:30:03:AE 445<-51318 (06:48:49.404 PST) ------------------------- event=1:22000033 {tcp} E2[rb] ET NETBIOS MS04011 Lsasrv.dll RPC exploit (WinXP), [] MAC_Dst: 00:30:48:30:03:AE 445<-51318 (06:48:49.393 PST) ------------------------- event=1:22514 {tcp} E2[rb] GPL NETBIOS SMB-DS DCERPC LSASS DsRolerUpgradeDownlevelServer exploit attempt, [] MAC_Dst: 00:30:48:30:03:AE 445<-51318 (06:48:49.355 PST) EXPLOIT MALWARE DNS EGG DOWNLOAD 79.121.70.109 (06:48:49.722 PST) event=1:3300003 {tcp} E3[rb] BotHunter HTTP-based .exe Upload on backdoor port, [] MAC_Src: 00:30:48:30:03:AF 1031->5658 (06:48:49.722 PST) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1359643729.355 1359643729.356 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.175' ============================== SEPARATOR ================================ Score: 3.0 (>= 0.8) Infected Target: 192.168.1.175 Infector List: 79.121.70.109 Egg Source List: 79.121.70.109 C & C List: Peer Coord. List: Resource List: Observed Start: 01/31/2013 06:48:49.355 PST Gen. Time: 01/31/2013 06:52:49.943 PST INBOUND SCAN EXPLOIT 79.121.70.109 (3) (06:48:49.355 PST) event=1:22000032 {tcp} E2[rb] ET EXPLOIT LSA exploit, [] MAC_Dst: 00:30:48:30:03:AE 445<-51318 (06:48:49.404 PST) ------------------------- event=1:22000033 {tcp} E2[rb] ET NETBIOS MS04011 Lsasrv.dll RPC exploit (WinXP), [] MAC_Dst: 00:30:48:30:03:AE 445<-51318 (06:48:49.393 PST) ------------------------- event=1:22514 {tcp} E2[rb] GPL NETBIOS SMB-DS DCERPC LSASS DsRolerUpgradeDownlevelServer exploit attempt, [] MAC_Dst: 00:30:48:30:03:AE 445<-51318 (06:48:49.355 PST) EXPLOIT MALWARE DNS EGG DOWNLOAD 79.121.70.109 (2) (06:48:49.722 PST) event=1:3300003 {tcp} E3[rb] BotHunter HTTP-based .exe Upload on backdoor port, [] MAC_Src: 00:30:48:30:03:AF 1031->5658 (06:48:49.722 PST) ------------------------- event=1:3300004 {tcp} E3[rb] BotHunter HTTP-based .exe Upload on backdoor port, [] MAC_Src: 00:21:1C:EE:14:00 1031<-5658 (06:48:49.940 PST) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) 197.23.26.21 (06:49:08.271 PST) event=777:7777005 {tcp} E5[bh] Detected moderate malware port scanning of 11 IPs (11 /24s) (# pkts S/M/O/I=0/10/1/0): 445:10, [] MAC_Src: 00:30:48:30:03:AF 0->0 (06:49:08.271 PST) OUTBOUND SCAN 99.91.50.129 (06:49:17.930 PST) event=1:2001569 {tcp} E5[rb] ET SCAN Behavioral Unusual Port NETBIOS traffic, Potential Scan or Infection (60 in 60 secs), [] MAC_Src: 00:30:48:30:03:AF 1062->445 (06:49:17.930 PST) ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port 213.155.14.161 (06:49:06.876 PST) event=1:9920003 {tcp} E8[std] BotHunter MTC confirmed botnet control server on standard port, [] MAC_Src: 00:30:48:30:03:AF 1032->80 (06:49:06.876 PST) DECLARE BOT Non-standard Port DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 197.23.26.21 (06:49:09.047 PST) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 21 IPs (21 /24s) (# pkts S/M/O/I=0/20/1/0): 445:20, [] MAC_Src: 00:30:48:30:03:AF 0->0 (06:49:09.047 PST) tcpslice 1359643729.355 1359643729.356 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.175' ============================== SEPARATOR ================================ Score: 1.1 (>= 0.8) Infected Target: 192.168.1.175 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 01/31/2013 07:25:45.785 PST Gen. Time: 01/31/2013 07:25:45.910 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) 130.247.21.87 (07:25:45.785 PST) event=777:7777005 {tcp} E5[bh] Detected moderate malware port scanning of 10 IPs (10 /24s) (# pkts S/M/O/I=0/10/0/0): 445:10, [] MAC_Src: 00:30:48:30:03:AF 0->0 (07:25:45.785 PST) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 130.247.21.87 (07:25:45.910 PST) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 21 IPs (21 /24s) (# pkts S/M/O/I=0/21/0/0): 445:21, [] MAC_Src: 00:30:48:30:03:AF 0->0 (07:25:45.910 PST) tcpslice 1359645945.785 1359645945.786 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.175' ============================== SEPARATOR ================================ Score: 1.1 (>= 0.8) Infected Target: 192.168.1.175 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 01/31/2013 11:00:25.743 PST Gen. Time: 01/31/2013 11:00:25.865 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) 130.84.209.122 (11:00:25.743 PST) event=777:7777005 {tcp} E5[bh] Detected moderate malware port scanning of 10 IPs (10 /24s) (# pkts S/M/O/I=0/10/0/0): 135:10, [] MAC_Src: 00:30:48:30:03:AF 0->0 (11:00:25.743 PST) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 130.84.209.122 (11:00:25.865 PST) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 21 IPs (21 /24s) (# pkts S/M/O/I=0/21/0/0): 135:21, [] MAC_Src: 00:30:48:30:03:AF 0->0 (11:00:25.865 PST) tcpslice 1359658825.743 1359658825.744 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.175' ============================== SEPARATOR ================================ Score: 1.1 (>= 0.8) Infected Target: 192.168.1.175 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 01/31/2013 19:19:53.658 PST Gen. Time: 01/31/2013 19:19:53.765 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) 130.208.67.49 (19:19:53.658 PST) event=777:7777005 {tcp} E5[bh] Detected moderate malware port scanning of 10 IPs (10 /24s) (# pkts S/M/O/I=0/10/0/0): 135:10, [] MAC_Src: 00:30:48:30:03:AF 0->0 (19:19:53.658 PST) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 130.127.207.182 (19:19:53.765 PST) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 21 IPs (21 /24s) (# pkts S/M/O/I=0/21/0/0): 135:21, [] MAC_Src: 00:30:48:30:03:AF 0->0 (19:19:53.765 PST) tcpslice 1359688793.658 1359688793.659 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.175' ============================== SEPARATOR ================================ Score: 1.1 (>= 0.8) Infected Target: 192.168.1.175 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 01/31/2013 21:44:56.528 PST Gen. Time: 01/31/2013 21:44:56.803 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) 130.181.106.183 (21:44:56.528 PST) event=777:7777005 {tcp} E5[bh] Detected moderate malware port scanning of 10 IPs (10 /24s) (# pkts S/M/O/I=0/10/0/0): 445:10, [] MAC_Src: 00:30:48:30:03:AF 0->0 (21:44:56.528 PST) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 130.181.106.183 (21:44:56.803 PST) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 21 IPs (21 /24s) (# pkts S/M/O/I=0/21/0/0): 445:21, [] MAC_Src: 00:30:48:30:03:AF 0->0 (21:44:56.803 PST) tcpslice 1359697496.528 1359697496.529 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.175' ============================== SEPARATOR ================================