Score: 0.8 (>= 0.8) Infected Target: 192.168.1.16 Infector List: 190.11.131.239 Egg Source List: 190.11.131.239 C & C List: Peer Coord. List: Resource List: Observed Start: 08/29/2013 19:04:25.710 PDT Gen. Time: 08/29/2013 19:04:27.084 PDT INBOUND SCAN EXPLOIT 190.11.131.239 (3) (19:04:25.710 PDT) event=1:22000032 {tcp} E2[rb] ET EXPLOIT LSA exploit, [] MAC_Dst: 00:30:48:30:03:AE 445<-3934 (19:04:25.779 PDT) ------------------------- event=1:22000033 {tcp} E2[rb] ET NETBIOS MS04011 Lsasrv.dll RPC exploit (WinXP), [] MAC_Dst: 00:30:48:30:03:AE 445<-3934 (19:04:25.761 PDT) ------------------------- event=1:22514 {tcp} E2[rb] GPL NETBIOS SMB-DS DCERPC LSASS DsRolerUpgradeDownlevelServer exploit attempt, [] MAC_Dst: 00:30:48:30:03:AE 445<-3934 (19:04:25.710 PDT) EXPLOIT (INTERNAL ATK SRC) EXPLOIT (ATK FROM INTERNAL SRC) CLIENT-INITIATED EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD 190.11.131.239 (19:04:27.084 PDT) event=1:3300004 {tcp} E3[rb] BotHunter HTTP-based .exe Upload on backdoor port, [] MAC_Src: 00:21:1C:EE:14:00 1031<-2029 (19:04:27.084 PDT) EGG DOWNLOAD (INTERNAL SRC) EGG DOWNLOAD (DL FROM INTERNAL) C and C TRAFFIC C and C TRAFFIC (INTERNAL BOT) C and C TRAFFIC (INTERNAL CnC) C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND ATTACK OUTBOUND ATTACK (ATK TO INTERNAL TARGET) OUTBOUND ATTACK (INTERNAL TARGET) ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1377828265.710 1377828265.711 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.16' ============================== SEPARATOR ================================ Score: 2.7 (>= 0.8) Infected Target: 192.168.1.16 Infector List: 190.11.131.239 Egg Source List: 190.11.131.239 C & C List: 213.155.14.161 Peer Coord. List: Resource List: Observed Start: 08/29/2013 19:04:25.710 PDT Gen. Time: 08/29/2013 19:08:02.838 PDT INBOUND SCAN EXPLOIT 190.11.131.239 (3) (19:04:25.710 PDT) event=1:22000032 {tcp} E2[rb] ET EXPLOIT LSA exploit, [] MAC_Dst: 00:30:48:30:03:AE 445<-3934 (19:04:25.779 PDT) ------------------------- event=1:22000033 {tcp} E2[rb] ET NETBIOS MS04011 Lsasrv.dll RPC exploit (WinXP), [] MAC_Dst: 00:30:48:30:03:AE 445<-3934 (19:04:25.761 PDT) ------------------------- event=1:22514 {tcp} E2[rb] GPL NETBIOS SMB-DS DCERPC LSASS DsRolerUpgradeDownlevelServer exploit attempt, [] MAC_Dst: 00:30:48:30:03:AE 445<-3934 (19:04:25.710 PDT) EXPLOIT (INTERNAL ATK SRC) EXPLOIT (ATK FROM INTERNAL SRC) CLIENT-INITIATED EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD 190.11.131.239 (19:04:27.084 PDT) event=1:3300004 {tcp} E3[rb] BotHunter HTTP-based .exe Upload on backdoor port, [] MAC_Src: 00:21:1C:EE:14:00 1031<-2029 (19:04:27.084 PDT) EGG DOWNLOAD (INTERNAL SRC) EGG DOWNLOAD (DL FROM INTERNAL) C and C TRAFFIC 213.155.14.161 (19:04:34.850 PDT) event=1:2003070 {tcp} E4[rb] ET WORM Korgo.U Reporting, [/index.php?id=xfcwylivqxz&scn=4&inf=0&ver=19&cnt=USA] MAC_Src: 00:30:48:30:03:AE 1049->80 (19:04:34.850 PDT) C and C TRAFFIC (INTERNAL BOT) C and C TRAFFIC (INTERNAL CnC) C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND ATTACK OUTBOUND ATTACK (ATK TO INTERNAL TARGET) OUTBOUND ATTACK (INTERNAL TARGET) ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port 213.155.14.161 (19:04:34.634 PDT) event=1:9920003 {tcp} E8[std] BotHunter MTC confirmed botnet control server on standard port, [] MAC_Src: 00:30:48:30:03:AF 1049->80 (19:04:34.634 PDT) DECLARE BOT Non-standard Port DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 146.39.115.148 (19:04:34.773 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 21 IPs (21 /24s) (# pkts S/M/O/I=0/20/1/0): 445:20, [] MAC_Src: 00:30:48:30:03:AF 0->0 (19:04:34.773 PDT) tcpslice 1377828265.710 1377828265.711 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.16' ============================== SEPARATOR ================================