Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.39
Infector List: 96.43.137.98
Egg Source List:
C & C List: 96.43.137.98
Peer Coord. List:
Resource List:
Observed Start: 05/24/2013 16:32:43.663 PDT
Gen. Time: 05/24/2013 16:32:44.051 PDT

INBOUND SCAN

EXPLOIT
96.43.137.98 (16:32:43.663 PDT)
event=1:2011680 {tcp} E2[rb] ET CURRENT_EVENTS Skype Easybits Extras Manager - Exploit, [] MAC_Dst: 00:01:64:FF:CE:EA
53053<-80 (16:32:43.663 PDT)

EXPLOIT MALWARE DNS

EGG DOWNLOAD

C and C TRAFFIC
96.43.137.98 (16:32:44.051 PDT)
event=1:100000277 {tcp} E4[rb] COMMUNITY BOT GTBot packet command, [] MAC_Src: 00:21:1C:EE:14:00
53053<-80 (16:32:44.051 PDT)

C and C TRAFFIC (RBN)

C and C DNS CHECK-IN

OUTBOUND SKYPE CANDIDATE

OUTBOUND SCAN (spp)

OUTBOUND SCAN

ATTACK PREP

PEER COORDINATION Info

PEER COORDINATION

DECLARE BOT Standard Port

DECLARE BOT Non-standard Port

DECLARE BOT Local Threat Triggered

DECLARE BOT

OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1369438363.663 1369438363.664 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.39'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.39
Infector List: 96.43.137.98
Egg Source List:
C & C List: 96.43.137.98 (17)
Peer Coord. List:
Resource List:
Observed Start: 05/24/2013 16:32:43.663 PDT
Gen. Time: 05/24/2013 16:35:18.234 PDT

INBOUND SCAN

EXPLOIT
96.43.137.98 (9) (16:32:43.663 PDT-16:32:45.706 PDT)
event=1:2002971 {tcp} E2[rb] ET EXPLOIT Wmm2fxa.dll COM Object Instantiation Memory Corruption, [] MAC_Dst: 00:01:64:FF:CE:EA
53053<-80 (16:32:44.279 PDT)
-------------------------
event=1:2011680 {tcp} E2[rb] ET CURRENT_EVENTS Skype Easybits Extras Manager - Exploit, [] MAC_Dst: 00:01:64:FF:CE:EA
53053<-80 (16:32:43.663 PDT)
-------------------------
event=1:2012254 (2) {tcp} E2[rb] ET SHELLCODE Common %u0a0a%u0a0a UTF-16 Heap Spray String, [] MAC_Dst: 00:01:64:FF:CE:EA
2: 53053<-80 (16:32:45.635 PDT-16:32:45.635 PDT)
-------------------------
event=1:2012255 (2) {tcp} E2[rb] ET SHELLCODE Common %u0a%u0a%u0a%u0a UTF-8 Heap Spray String, [] MAC_Dst: 00:01:64:FF:CE:EA
2: 53053<-80 (16:32:45.635 PDT-16:32:45.635 PDT)
-------------------------
event=1:2012257 {tcp} E2[rb] ET SHELLCODE Common %0c%0c%0c%0c Heap Spray String, [] MAC_Dst: 00:01:64:FF:CE:EA
53053<-80 (16:32:45.635 PDT)
-------------------------
event=1:2012963 (2) {tcp} E2[rb] ET SHELLCODE Possible 0x0b0b0b0b Heap Spray Attempt, [] MAC_Dst: 00:01:64:FF:CE:EA
2: 53053<-80 (16:32:45.706 PDT-16:32:45.706 PDT)

EXPLOIT MALWARE DNS

EGG DOWNLOAD

C and C TRAFFIC
96.43.137.98 (17) (16:32:44.051 PDT-16:32:44.603 PDT)
event=1:100000275 (2) {tcp} E4[rb] COMMUNITY BOT GTBot portscan command, [] MAC_Src: 00:21:1C:EE:14:00
2: 53053<-80 (16:32:44.184 PDT-16:32:44.185 PDT)
-------------------------
event=1:100000277 (15) {tcp} E4[rb] COMMUNITY BOT GTBot packet command, [] MAC_Src: 00:21:1C:EE:14:00
15: 53053<-80 (16:32:44.051 PDT-16:32:44.603 PDT)

C and C TRAFFIC (RBN)

C and C DNS CHECK-IN

OUTBOUND SKYPE CANDIDATE

OUTBOUND SCAN (spp)

OUTBOUND SCAN

ATTACK PREP

PEER COORDINATION Info

PEER COORDINATION

DECLARE BOT Standard Port

DECLARE BOT Non-standard Port

DECLARE BOT Local Threat Triggered

DECLARE BOT

OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1369438363.663 1369438365.707 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.39'

============================== SEPARATOR ================================