Score: 0.8 (>= 0.8) Infected Target: 192.168.1.158 Infector List: 62.149.74.173 Egg Source List: 62.149.74.173 C & C List: Peer Coord. List: Resource List: Observed Start: 09/05/2013 02:03:20.559 PDT Gen. Time: 09/05/2013 02:03:35.950 PDT INBOUND SCAN EXPLOIT 62.149.74.173 (2) (02:03:20.559 PDT) event=1:22514 (2) {tcp} E2[rb] GPL NETBIOS SMB-DS DCERPC LSASS DsRolerUpgradeDownlevelServer exploit attempt, [] MAC_Dst: 00:30:48:30:03:AE 445<-3092 (02:03:20.559 PDT) 445<-3125 (02:03:33.540 PDT) EXPLOIT (INTERNAL ATK SRC) EXPLOIT (ATK FROM INTERNAL SRC) CLIENT-INITIATED EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD 62.149.74.173 (02:03:35.950 PDT) event=1:2000047 {tcp} E3[rb] ET WORM Sasser Transfer _up.exe, [] MAC_Src: 00:21:1C:EE:14:00 9996<-3212 (02:03:35.950 PDT) EGG DOWNLOAD (INTERNAL SRC) EGG DOWNLOAD (DL FROM INTERNAL) C and C TRAFFIC C and C TRAFFIC (INTERNAL BOT) C and C TRAFFIC (INTERNAL CnC) C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND ATTACK OUTBOUND ATTACK (ATK TO INTERNAL TARGET) OUTBOUND ATTACK (INTERNAL TARGET) ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1378371800.559 1378371800.560 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.158' ============================== SEPARATOR ================================