Score: 0.8 (>= 0.8) Infected Target: 192.168.1.171 Infector List: 211.138.35.243 Egg Source List: 211.138.35.243 C & C List: Peer Coord. List: Resource List: Observed Start: 09/03/2013 22:48:00.203 PDT Gen. Time: 09/03/2013 22:48:04.849 PDT INBOUND SCAN EXPLOIT 211.138.35.243 (2) (22:48:00.203 PDT) event=1:22514 (2) {tcp} E2[rb] GPL NETBIOS SMB-DS DCERPC LSASS DsRolerUpgradeDownlevelServer exploit attempt, [] MAC_Dst: 00:30:48:30:03:AE 445<-61689 (22:48:00.203 PDT) 445<-58387 (22:48:03.190 PDT) EXPLOIT (INTERNAL ATK SRC) EXPLOIT (ATK FROM INTERNAL SRC) CLIENT-INITIATED EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD 211.138.35.243 (22:48:04.849 PDT) event=1:2000047 {tcp} E3[rb] ET WORM Sasser Transfer _up.exe, [] MAC_Src: 00:21:1C:EE:14:00 9996<-28862 (22:48:04.849 PDT) EGG DOWNLOAD (INTERNAL SRC) EGG DOWNLOAD (DL FROM INTERNAL) C and C TRAFFIC C and C TRAFFIC (INTERNAL BOT) C and C TRAFFIC (INTERNAL CnC) C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND ATTACK OUTBOUND ATTACK (ATK TO INTERNAL TARGET) OUTBOUND ATTACK (INTERNAL TARGET) ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1378273680.203 1378273680.204 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.171' ============================== SEPARATOR ================================ Score: 1.3 (>= 0.8) Infected Target: 192.168.1.171 Infector List: 211.138.35.243 Egg Source List: 211.138.35.243 C & C List: Peer Coord. List: Resource List: Observed Start: 09/03/2013 22:48:00.203 PDT Gen. Time: 09/03/2013 22:52:06.341 PDT INBOUND SCAN EXPLOIT 211.138.35.243 (2) (22:48:00.203 PDT) event=1:22514 (2) {tcp} E2[rb] GPL NETBIOS SMB-DS DCERPC LSASS DsRolerUpgradeDownlevelServer exploit attempt, [] MAC_Dst: 00:30:48:30:03:AE 445<-61689 (22:48:00.203 PDT) 445<-58387 (22:48:03.190 PDT) EXPLOIT (INTERNAL ATK SRC) EXPLOIT (ATK FROM INTERNAL SRC) CLIENT-INITIATED EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD 211.138.35.243 (22:48:04.849 PDT) event=1:2000047 {tcp} E3[rb] ET WORM Sasser Transfer _up.exe, [] MAC_Src: 00:21:1C:EE:14:00 9996<-28862 (22:48:04.849 PDT) EGG DOWNLOAD (INTERNAL SRC) EGG DOWNLOAD (DL FROM INTERNAL) C and C TRAFFIC C and C TRAFFIC (INTERNAL BOT) C and C TRAFFIC (INTERNAL CnC) C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND ATTACK 211.138.35.243 (22:48:04.649 PDT) event=1:552123 {tcp} E5[rb] REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner, [] MAC_Src: 00:30:48:30:03:AF 9996->28862 (22:48:04.649 PDT) OUTBOUND ATTACK (ATK TO INTERNAL TARGET) OUTBOUND ATTACK (INTERNAL TARGET) ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1378273680.203 1378273680.204 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.171' ============================== SEPARATOR ================================