The BotHunter Community Repository

Botnet C&C Servers
Found by BotHunter Users

When you run BotHunter with its auto-update service enabled, you are not just receiving our latest malware threat intelligence to protect your network; you are also contributing to our worldwide picture of where botnet command and control (C&C) servers and bot-infected clients live.

The data on this website is supplied as is, without warranty of any kind. You may NOT redistribute this data. Use or reliance on this data is at your own risk.

90-day view. Last update: Thu Aug 12 12:11:58 2010

Columns (each entry below lists one field per line, followed by its evidence lines):
Botnet C&C IP (country code), City, Region, Country
Domain / NetSpeed
Service Provider
Forensics: confidence level and score, number of reporting BotHunter users, number of infection reports, first and last report date
Evidence Summary (performed by the bot-client victim): signature ID (hit count): dialog class - rule message. "not found" marks a signature ID for which this listing has no description.

Read the evidence before acting on an address. An entry whose only evidence is spyware stat-reporting or DNS MX-query-count signatures records an endpoint that infected hosts contacted; on its own that is not proof the address is a controller.
202.120.79.222 (CN)
SHANGHAI
SHANGHAI
CHINA
- / DSL
SHANGHAI MEDICAL UNIVERSITY

Moderate Details (1.2)
1 BotHunter Users
1 Infection Report
2010-06-11 to 2010-06-11

° 7777005(3): Outbound Scan - Detected intense non-malware port scanning
° 2003620(1): CandC Communication - ET MALWARE 51yes.com Spyware Reporting User Activity
4.53.80.100 (US)
NEW YORK
NEW YORK
UNITED STATES
LEVEL3.NET / DSL
LEVEL 3 COMMUNICATIONS INC

High Details (1.5)
1 BotHunter Users
1 Infection Report
2010-06-28 to 2010-06-28

° 25(2): Inbound Attack - ET EXPLOIT COM Object Instantiation Memory Corruption Vulnerability MS05-054
° 2007711(1): CandC Communication - ET TROJAN Srizbi registering with controller
° 2007827(1): Egg Download - ET TROJAN Suspicious User-Agent - Possible Trojan Downloader (ie)
° 2008564(1): CandC Communication - ET USER_AGENTS Suspicious User-Agent (Internet HTTP Request)
° 7777005(1): Outbound Scan - Detected intense non-malware port scanning
64.65.32.230 (US)
ATLANTA
GEORGIA
UNITED STATES
MAXIM.NET / DSL
PEER 1 DEDICATED HOSTING

Moderate Details (1.3)
1 BotHunter Users
2 Infection Report
2010-04-15 to 2010-04-15

° 2007951(2): CandC Communication - ET MALWARE Hex Encoded IP HTTP Request - Likely Malware
° 3300007(2): Egg Download - BotHunter Malware Windows executable (PE) sent from remote host
° 2000419(1): Egg Download - ET POLICY PE EXE or DLL Windows file download
° 2008660(1): CandC Communication - ET TROJAN Torpig Infection Reporting
° 7777005(1): Outbound Scan - Detected intense non-malware port scanning
93.188.166.0 (UA)
-
-
UKRAINE
- / DSL
UKRTELEGROUP

High Details (1.8)
5 BotHunter Users
240 Infection Report
2010-04-15 to 2010-07-22

° 9906030(95): not found
° 7777005(64): Outbound Scan - Detected intense non-malware port scanning
° 3(6): Inbound Attack - REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner
° 2002400(2): not found
° 2003579(2): CandC Communication - ET MALWARE Findwhat.com Spyware (clickthrough)
° 2007671(1): Egg Download - ET POLICY Binary Download Smaller than 1 MB Likely Hostile
77.221.140.250 (RU)
-
-
RUSSIAN FEDERATION
DATAPOINT.RU / DSL
COLOCATION AND VIRTUAL HOSTING

Moderate Details (1.3)
60 BotHunter Users
3973 Infection Report
2010-05-18 to 2010-08-10

° 3(26): Inbound Attack - REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner
° 7777005(15): Outbound Scan - Detected intense non-malware port scanning
° 9906021(12): not found
° 9906023(3): not found
° 2000328(2): Outbound Attack - ET POLICY Outbound Multiple Non-SMTP Server Emails (20 in 120 secs)
° 1(1): Inbound Attack - REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner
° 25(1): Inbound Attack - ET EXPLOIT COM Object Instantiation Memory Corruption Vulnerability MS05-054
° 2406004(1): not found
° 2406027(1): not found
° 9906003(1): not found
82.146.59.29 (RU)
-
-
RUSSIAN FEDERATION
FIRSTVDS.RU / DSL
ISPSYSTEM AT CORBINA

Moderate Details (1.3)
1 BotHunter Users
2 Infection Report
2010-08-10 to 2010-08-10

° 7777005(3): Outbound Scan - Detected intense non-malware port scanning
° 9906025(2): not found
° 25(1): Inbound Attack - ET EXPLOIT COM Object Instantiation Memory Corruption Vulnerability MS05-054
168.187.5.193 (KW)
KUWAIT
AL KUWAYT
KUWAIT
ALDEASASALASIL.COM.KW / DSL
KUWAIT ELECTRONIC AND MESSAGING SERVICES COMPANY

High Details (1.4)
1 BotHunter Users
1 Infection Report
2010-05-20 to 2010-05-20

° 2003607(4): CandC Communication - ET MALWARE Cnzz.com/Baidu Related Spyware Stat Reporting
° 2003438(1): CandC Communication - ET MALWARE Abcsearch.com Spyware Reporting
° 3810007(1): Russian Business Network - ET Known Russian Business Network Monitored Domain
° 7777005(1): Outbound Scan - Detected intense non-malware port scanning
66.45.250.250 (US)
SECAUCUS
NEW JERSEY
UNITED STATES
NACHI.ORG / DSL
INTERSERVER INC

Very High Details (2.2)
5 BotHunter Users
8 Infection Report
2010-04-14 to 2010-06-10

° 2002196(2): CandC Communication - ET MALWARE Casalemedia Spyware Reporting URL Visited 2
° 2003607(2): CandC Communication - ET MALWARE Cnzz.com/Baidu Related Spyware Stat Reporting
° 3810007(2): Russian Business Network - ET Known Russian Business Network Monitored Domain
° 7777005(2): Outbound Scan - Detected intense non-malware port scanning
° 2003438(1): CandC Communication - ET MALWARE Abcsearch.com Spyware Reporting
° 3810001(1): Bot Space Access - BotHunter MTC confirmed botnet control server
° 3810005(1): Bot Space Access - ET ShadowServer confirmed botnet control server
124.150.124.0 (AU)
MELBOURNE
VICTORIA
AUSTRALIA
WESTNET.COM.AU / DSL
WESTNET INTERNET SERVICES

Very High Details (2.0)
1 BotHunter Users
1 Infection Report
2010-06-27 to 2010-06-27

° 2007711(3): CandC Communication - ET TROJAN Srizbi registering with controller
° 3(1): Inbound Attack - REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner
° 7777005(1): Outbound Scan - Detected intense non-malware port scanning
° 9906025(1): not found
194.67.28.57 (RU)
MURMANSK
MURMANSK
RUSSIAN FEDERATION
GLDN.NET / DSL
SOVAM TELEPORT

High Details (1.7)
1 BotHunter Users
1 Infection Report
2010-07-26 to 2010-07-26

° 2001569(4): Outbound Attack - ET SCAN Behavioral Unusual Port NETBIOS traffic, Potential Scan or Infection (60 in 60 secs)
° 7777008(3): Malware Scan - Detected intense malware port scanning
° 3810007(1): Russian Business Network - ET Known Russian Business Network Monitored Domain
122.174.117.207 (IN)
NEW DELHI
DELHI
INDIA
122.AIRTELBROADBAND.IN / DSL
ABTS-TN-DSL-122884-CHN

Moderate Details (1.2)
1 BotHunter Users
2 Infection Report
2010-06-30 to 2010-06-30

° 7777055(6): Outbound Scan - Detected intense non-malware port scanning (P2P)
° 2000419(2): Egg Download - ET POLICY PE EXE or DLL Windows file download
° 2007711(2): CandC Communication - ET TROJAN Srizbi registering with controller
° 3300007(1): Egg Download - BotHunter Malware Windows executable (PE) sent from remote host
70.74.220.67 (CA)
EDMONTON
ALBERTA
CANADA
SHAWCABLE.NET / DSL
SHAW COMMUNICATIONS INC

Moderate Details (1.3)
1 BotHunter Users
2 Infection Report
2010-06-26 to 2010-06-26

° 3300007(2): Egg Download - BotHunter Malware Windows executable (PE) sent from remote host
° 3810005(2): Bot Space Access - ET ShadowServer confirmed botnet control server
° 2000419(1): Egg Download - ET POLICY PE EXE or DLL Windows file download
87.241.237.70 (RU)
MOSCOW
MOSCOW CITY
RUSSIAN FEDERATION
- / DSL
ZAO PRESTIGE-INTERNET NOVOSIBIRSK

High Details (1.5)
1 BotHunter Users
1 Infection Report
2010-06-06 to 2010-06-06

° 2009292(1): CandC Communication - ET TROJAN Hupigon CnC Server Response
° 7777008(1): Malware Scan - Detected intense malware port scanning
200.121.154.66 (PE)
LIMA
LIMA
PERU
SPEEDY.NET.PE / COMP
TDPERX1-LACNIC

Moderate Details (1.3)
1 BotHunter Users
2 Infection Report
2010-05-25 to 2010-05-25

° 2001569(8): Outbound Attack - ET SCAN Behavioral Unusual Port NETBIOS traffic, Potential Scan or Infection (60 in 60 secs)
° 3810005(2): Bot Space Access - ET ShadowServer confirmed botnet control server
° 52009201(1): Outbound Attack - ET CURRENT_EVENTS Conficker.b Shellcode
72.20.45.86 (US)
FULLERTON
CALIFORNIA
UNITED STATES
STAMINUS.NET / DSL
STAMINUS COMMUNICATIONS

Very High Details (2.2)
3 BotHunter Users
3 Infection Report
2010-05-30 to 2010-06-09

° 2003607(3): CandC Communication - ET MALWARE Cnzz.com/Baidu Related Spyware Stat Reporting
° 2003438(1): CandC Communication - ET MALWARE Abcsearch.com Spyware Reporting
° 3810001(1): Bot Space Access - BotHunter MTC confirmed botnet control server
° 3810005(1): Bot Space Access - ET ShadowServer confirmed botnet control server
° 7777005(1): Outbound Scan - Detected intense non-malware port scanning
94.1.155.10 (UK)
-
-
UNITED KINGDOM
SKY.COM / DSL
SKY BROADBAND

Moderate Details (1.2)
1 BotHunter Users
3 Infection Report
2010-06-07 to 2010-06-07

° 2007711(4): CandC Communication - ET TROJAN Srizbi registering with controller
° 2000419(2): Egg Download - ET POLICY PE EXE or DLL Windows file download
° 3300007(2): Egg Download - BotHunter Malware Windows executable (PE) sent from remote host
° 7777055(2): Outbound Scan - Detected intense non-malware port scanning (P2P)
88.214.192.200 (UK)
-
-
UNITED KINGDOM
EVPATORIA.NET / DSL
FOR HQHOST VIRTUAL HOSTING

High Details (1.6)
2 BotHunter Users
28 Infection Report
2010-06-10 to 2010-08-11

° 3(19): Inbound Attack - REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner
° 7777005(12): Outbound Scan - Detected intense non-malware port scanning
° 9906027(10): not found
° 25(2): Inbound Attack - ET EXPLOIT COM Object Instantiation Memory Corruption Vulnerability MS05-054
° 2000328(2): Outbound Attack - ET POLICY Outbound Multiple Non-SMTP Server Emails (20 in 120 secs)
° 1(1): Inbound Attack - REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner
° 9906021(1): not found
41.140.44.0 (MA)
RABAT
RABAT-SALE
MOROCCO
IAM.NET.MA / DSL
AFRINIC

Very High Details (2.0)
1 BotHunter Users
2 Infection Report
2010-07-18 to 2010-07-18

° 2007711(3): CandC Communication - ET TROJAN Srizbi registering with controller
° 7777005(2): Outbound Scan - Detected intense non-malware port scanning
° 9906003(1): not found
66.232.113.44 (US)
TAMPA
FLORIDA
UNITED STATES
CRESCENDO-RO.COM / DSL
NOC4HOSTS INC

Very High Details (2.2)
15 BotHunter Users
598 Infection Report
2010-04-14 to 2010-06-11

° 7777005(63): Outbound Scan - Detected intense non-malware port scanning
° 3810007(46): Russian Business Network - ET Known Russian Business Network Monitored Domain
° 7777008(5): Malware Scan - Detected intense malware port scanning
° 2003219(1): CandC Communication - ET MALWARE Alexa Spyware Reporting
° 2003438(1): CandC Communication - ET MALWARE Abcsearch.com Spyware Reporting
° 3810005(1): Bot Space Access - ET ShadowServer confirmed botnet control server
222.18.0.8 (CN)
CHENGDU
SICHUAN
CHINA
- / DSL
SICHUAN UNIVERSITY JIANG'AN CAMPUS

Moderate Details (1.2)
1 BotHunter Users
1 Infection Report
2010-04-16 to 2010-04-16

° 2007962(1): CandC Communication - ET TROJAN Vipdataend C&C Traffic - Checkin
° 7777005(1): Outbound Scan - Detected intense non-malware port scanning
221.238.27.188 (CN)
TIANJIN
TIANJIN
CHINA
163DATA.COM.CN / DSL
TIANJIN-WANGSUKEJI-LTD

High Details (1.7)
2 BotHunter Users
19 Infection Report
2010-07-25 to 2010-08-10

° 2003492(64): not found
° 7777005(41): Outbound Scan - Detected intense non-malware port scanning
° 3(26): Inbound Attack - REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner
° 1(1): Inbound Attack - REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner
° 2003174(1): Inbound Attack - ET EXPLOIT Possible UTF-16 encoded Shellcode Detected
° 2003620(1): CandC Communication - ET MALWARE 51yes.com Spyware Reporting User Activity
° 2007671(1): Egg Download - ET POLICY Binary Download Smaller than 1 MB Likely Hostile
193.34.65.98 (RS)
-
-
SERBIA
PANONNET.NET / DSL
PANON NET WIRELESS INTERNET SERVICE PROVIDER

High Details (1.5)
1 BotHunter Users
1 Infection Report
2010-05-04 to 2010-05-04

° 2008390(13): CandC Communication - ET TROJAN Hupigon Response from Controller (YES - ~~@@)
° 2003380(2): Egg Download - ET TROJAN Suspicious User-Agent - Possible Trojan Downloader (ver18/ver19, etc)
° 2000419(1): Egg Download - ET POLICY PE EXE or DLL Windows file download
° 2003330(1): Attack Prep - ET POLICY Possible Spambot Host DNS MX Query High Count
° 2007671(1): Egg Download - ET POLICY Binary Download Smaller than 1 MB Likely Hostile
° 2009897(1): Egg Download - ET MALWARE Possible Windows executable sent when remote host claims to send html content
68.70.49.17 (US)
FREDERICK
MARYLAND
UNITED STATES
FLTG.NET / DSL
FINGER LAKES TECHNOLOGIES GROUP INC

Moderate Details (1.3)
1 BotHunter Users
1 Infection Report
2010-04-27 to 2010-04-27

° 2007963(1): CandC Communication - ET TROJAN Vipdataend C&C Traffic - Status OK
° 3810006(1): Bot Space Access - ET ShadowServer confirmed botnet control server
113.107.96.157 (CN)
GUANGZHOU
GUANGDONG
CHINA
163DATA.COM.CN / DSL
CHINANET GUANGDONG PROVINCE NETWORK

Very High Details (2.2)
27 BotHunter Users
1946 Infection Report
2010-05-15 to 2010-06-12

° 2003607(49): CandC Communication - ET MALWARE Cnzz.com/Baidu Related Spyware Stat Reporting
° 7777005(31): Outbound Scan - Detected intense non-malware port scanning
° 2003438(19): CandC Communication - ET MALWARE Abcsearch.com Spyware Reporting
° 2002196(18): CandC Communication - ET MALWARE Casalemedia Spyware Reporting URL Visited 2
° 3810007(14): Russian Business Network - ET Known Russian Business Network Monitored Domain
° 3810005(9): Bot Space Access - ET ShadowServer confirmed botnet control server
° 3810001(5): Bot Space Access - BotHunter MTC confirmed botnet control server
° 3(4): Inbound Attack - REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner
° 2009880(4): CandC Communication - ET MALWARE Casalemedia Spyware Reporting URL Visited 3
61.4.190.206 (CN)
BEIJING
BEIJING
CHINA
- / DSL
BEIJING FEIHUALINGHANG TECHNOLOGY DEVELOPMENT CO. LTD

High Details (1.4)
8 BotHunter Users
10 Infection Report
2010-04-15 to 2010-06-12

° 2003179(6): Egg Download - ET POLICY exe download without User Agent
° 3810007(2): Russian Business Network - ET Known Russian Business Network Monitored Domain
° 7777005(2): Outbound Scan - Detected intense non-malware port scanning
° 3(1): Inbound Attack - REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner
° 2000419(1): Egg Download - ET POLICY PE EXE or DLL Windows file download
° 3300007(1): Egg Download - BotHunter Malware Windows executable (PE) sent from remote host
° 3810005(1): Bot Space Access - ET ShadowServer confirmed botnet control server
213.131.252.251 (DE)
DUISBURG
NORDRHEIN-WESTFALEN
GERMANY
INETBONE.NET / DSL
CONVERSIS GMBH

Moderate Details (1.2)
156 BotHunter Users
1148 Infection Report
2010-04-14 to 2010-07-31

° 2002196(7): CandC Communication - ET MALWARE Casalemedia Spyware Reporting URL Visited 2
° 3810007(6): Russian Business Network - ET Known Russian Business Network Monitored Domain
° 7777005(6): Outbound Scan - Detected intense non-malware port scanning
° 2003438(4): CandC Communication - ET MALWARE Abcsearch.com Spyware Reporting
° 2003607(4): CandC Communication - ET MALWARE Cnzz.com/Baidu Related Spyware Stat Reporting
° 3810005(3): Bot Space Access - ET ShadowServer confirmed botnet control server
° 3(2): Inbound Attack - REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner
° 2009880(2): CandC Communication - ET MALWARE Casalemedia Spyware Reporting URL Visited 3
° 2003620(1): CandC Communication - ET MALWARE 51yes.com Spyware Reporting User Activity
79.20.129.94 (IT)
MILANO
LOMBARDIA
ITALY
RETAIL.TELECOMITALIA.IT / DSL
TELECOM ITALIA NET

Maximum Details (2.5)
3 BotHunter Users
5 Infection Report
2010-05-26 to 2010-05-26

° 2000328(8): Outbound Attack - ET POLICY Outbound Multiple Non-SMTP Server Emails (20 in 120 secs)
° 7777005(7): Outbound Scan - Detected intense non-malware port scanning
° 2007711(6): CandC Communication - ET TROJAN Srizbi registering with controller
° 2003330(2): Attack Prep - ET POLICY Possible Spambot Host DNS MX Query High Count
° 7777055(1): Outbound Scan - Detected intense non-malware port scanning (P2P)
° 9910014(1): Bot Space Access - ET POLICY Spambot Host DNS MX Query High Count
195.122.131.2 (DE)
-
-
GERMANY
- / DSL
TERRASPACE-GMBH

High Details (1.5)
161 BotHunter Users
1039 Infection Report
2010-04-14 to 2010-08-03

° 2632222(14): not found
° 7777005(9): Outbound Scan - Detected intense non-malware port scanning
° 2000419(2): Egg Download - ET POLICY PE EXE or DLL Windows file download
° 2002196(2): CandC Communication - ET MALWARE Casalemedia Spyware Reporting URL Visited 2
° 2003179(2): Egg Download - ET POLICY exe download without User Agent
° 2007671(2): Egg Download - ET POLICY Binary Download Smaller than 1 MB Likely Hostile
° 2008124(2): CandC Communication - ET TROJAN Likely Bot Nick in IRC (USA +..)
° 2008450(2): CandC Communication - ET TROJAN Buzus.lyz Connect to CnC
° 2003620(1): CandC Communication - ET MALWARE 51yes.com Spyware Reporting User Activity
58.60.10.10 (CN)
GUANGZHOU
GUANGDONG
CHINA
163DATA.COM.CN / DSL
CHINANET GUANGDONG PROVINCE NETWORK

Very High Details (2.2)
4 BotHunter Users
8 Infection Report
2010-05-29 to 2010-06-11

° 2003438(2): CandC Communication - ET MALWARE Abcsearch.com Spyware Reporting
° 2003607(2): CandC Communication - ET MALWARE Cnzz.com/Baidu Related Spyware Stat Reporting
° 3810009(2): Bot Space Access - ET COMPROMISED Known Compromised or Hostile Host Traffic
° 7777005(2): Outbound Scan - Detected intense non-malware port scanning
° 1(1): Inbound Attack - REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner
° 2002196(1): CandC Communication - ET MALWARE Casalemedia Spyware Reporting URL Visited 2
° 3810005(1): Bot Space Access - ET ShadowServer confirmed botnet control server
° 3810007(1): Russian Business Network - ET Known Russian Business Network Monitored Domain
85.116.130.133 (IT)
PERUGIA
UMBRIA
ITALY
- / DSL
TELEUNIT ADSL CUSTOMER NETWORK

Maximum Details (2.6)
3 BotHunter Users
3 Infection Report
2010-05-26 to 2010-05-26

° 2000328(42): Outbound Attack - ET POLICY Outbound Multiple Non-SMTP Server Emails (20 in 120 secs)
° 2003330(6): Attack Prep - ET POLICY Possible Spambot Host DNS MX Query High Count
° 7777005(5): Outbound Scan - Detected intense non-malware port scanning
° 9910014(4): Bot Space Access - ET POLICY Spambot Host DNS MX Query High Count
° 2007711(3): CandC Communication - ET TROJAN Srizbi registering with controller
° 7777055(1): Outbound Scan - Detected intense non-malware port scanning (P2P)
194.14.236.50 (SE)
-
-
SWEDEN
- / DSL
DALNET UNROUTED SERVERS

Very High Details (2.2)
27 BotHunter Users
304 Infection Report
2010-04-18 to 2010-06-12

° 2003438(5): CandC Communication - ET MALWARE Abcsearch.com Spyware Reporting
° 3810001(5): Bot Space Access - BotHunter MTC confirmed botnet control server
° 7777005(5): Outbound Scan - Detected intense non-malware port scanning
° 2002196(4): CandC Communication - ET MALWARE Casalemedia Spyware Reporting URL Visited 2
° 2003607(2): CandC Communication - ET MALWARE Cnzz.com/Baidu Related Spyware Stat Reporting
° 3810005(2): Bot Space Access - ET ShadowServer confirmed botnet control server
° 2009880(1): CandC Communication - ET MALWARE Casalemedia Spyware Reporting URL Visited 3
° 3810003(1): Bot Space Access - BotHunter REPO confirmed botnet control server
° 3810007(1): Russian Business Network - ET Known Russian Business Network Monitored Domain
77.235.44.0 (NL)
-
-
NETHERLANDS
WEBHOSTBYTES.INFO / DSL
EUROVPS INC

Very High Details (2.1)
1 BotHunter Users
2 Infection Report
2010-06-09 to 2010-06-09

° 2003330(2): Attack Prep - ET POLICY Possible Spambot Host DNS MX Query High Count
° 2008501(2): CandC Communication - ET TROJAN Peed Report to Controller
° 2009353(2): CandC Communication - ET TROJAN Bredolab/Gumblar Downloader Communicating With Controller (1)
° 2009354(2): CandC Communication - ET TROJAN Bredolab/Gumblar Downloader Communicating With Controller (2)
° 7777005(1): Outbound Scan - Detected intense non-malware port scanning
° 9910014(1): Bot Space Access - ET POLICY Spambot Host DNS MX Query High Count
64.111.196.114 (US)
NEW YORK
NEW YORK
UNITED STATES
ISPRIME.COM / DSL
ISPRIME INC

Very High Details (2.2)
13 BotHunter Users
105 Infection Report
2010-04-14 to 2010-06-30

° 7777005(17): Outbound Scan - Detected intense non-malware port scanning
° 3810007(9): Russian Business Network - ET Known Russian Business Network Monitored Domain
° 3(3): Inbound Attack - REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner
° 2003579(1): CandC Communication - ET MALWARE Findwhat.com Spyware (clickthrough)
° 3810003(1): Bot Space Access - BotHunter REPO confirmed botnet control server
95.220.66.196 (RU)
MOSCOW
MOSCOW CITY
RUSSIAN FEDERATION
- / DSL
FAIRLIE HOLDING & FINANCE LIMITED

Moderate Details (1.2)
1 BotHunter Users
1 Infection Report
2010-05-02 to 2010-05-02

° 2007711(4): CandC Communication - ET TROJAN Srizbi registering with controller
° 3300007(1): Egg Download - BotHunter Malware Windows executable (PE) sent from remote host
° 7777055(1): Outbound Scan - Detected intense non-malware port scanning (P2P)
80.93.62.125 (RU)
MOSCOW
MOSCOW CITY
RUSSIAN FEDERATION
PETERHOST.RU / DSL
PETERHOST.RU VIRTUAL HOSTING

High Details (1.4)
1 BotHunter Users
1 Infection Report
2010-05-24 to 2010-05-24

° 3(1): Inbound Attack - REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner
° 2003438(1): CandC Communication - ET MALWARE Abcsearch.com Spyware Reporting
° 2003607(1): CandC Communication - ET MALWARE Cnzz.com/Baidu Related Spyware Stat Reporting
° 3810007(1): Russian Business Network - ET Known Russian Business Network Monitored Domain
° 7777005(1): Outbound Scan - Detected intense non-malware port scanning
192.48.79.30 (US)
STERLING
VIRGINIA
UNITED STATES
NSTLD.COM / DSL
VERISIGN GLOBAL REGISTRY SERVICES

Moderate Details (1.3)
16 BotHunter Users
24 Infection Report
2010-04-23 to 2010-06-15

° 2003330(178): Attack Prep - ET POLICY Possible Spambot Host DNS MX Query High Count
° 2000328(87): Outbound Attack - ET POLICY Outbound Multiple Non-SMTP Server Emails (20 in 120 secs)
° 9910014(71): Bot Space Access - ET POLICY Spambot Host DNS MX Query High Count
° 1(4): Inbound Attack - REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner
° 7777005(2): Outbound Scan - Detected intense non-malware port scanning
° 2(1): Inbound Attack - REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner
° 3(1): Inbound Attack - REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner
° 2009126(1): CandC Communication - ET TROJAN Win32/Monkif Downloader Checkin
81.94.21.11 (RU)
MOSCOW
MOSCOW CITY
RUSSIAN FEDERATION
MNS.RU / DSL
CREDOLINK ISP VPN POOL

High Details (1.8)
1 BotHunter Users
1 Infection Report
2010-07-11 to 2010-07-11

° 3(1): Inbound Attack - REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner
° 2007827(1): Egg Download - ET TROJAN Suspicious User-Agent - Possible Trojan Downloader (ie)
° 7777005(1): Outbound Scan - Detected intense non-malware port scanning
° 9906003(1): not found
° 9906025(1): not found
204.45.85.210 (-)
-
-
-
- / -
-

Maximum Details (2.3)
1 BotHunter Users
4 Infection Report
2010-07-12 to 2010-07-12

° 2000328(16): Outbound Attack - ET POLICY Outbound Multiple Non-SMTP Server Emails (20 in 120 secs)
° 2003330(12): Attack Prep - ET POLICY Possible Spambot Host DNS MX Query High Count
° 2002033(4): CandC Communication - ET TROJAN BOT - potential response
° 9910014(4): Bot Space Access - ET POLICY Spambot Host DNS MX Query High Count
° 2008189(3): CandC Communication - ET TROJAN SpamTool.Win32.Agent.gy/Grum/Tedroo Or Similar HTTP Checkin
° 2008124(2): CandC Communication - ET TROJAN Likely Bot Nick in IRC (USA +..)
222.173.188.14 (CN)
JINAN
SHANDONG
CHINA
163DATA.COM.CN / DSL
CHINANET SHANDONG PROVINCE NETWORK

Moderate Details (1.2)
22 BotHunter Users
37 Infection Report
2010-04-18 to 2010-08-11

° 2003620(3): CandC Communication - ET MALWARE 51yes.com Spyware Reporting User Activity
° 2003174(1): Inbound Attack - ET EXPLOIT Possible UTF-16 encoded Shellcode Detected
° 2008429(1): Egg Download - ET USER_AGENTS Suspicious User-Agent (HttpDownload)
° 7777005(1): Outbound Scan - Detected intense non-malware port scanning
81.94.31.0 (RU)
MOSCOW
MOSCOW CITY
RUSSIAN FEDERATION
MNS.RU / DSL
CREDOLINK ISP VPN POOL

Very High Details (2.0)
3 BotHunter Users
149 Infection Report
2010-04-14 to 2010-04-20

° 7777005(105): Outbound Scan - Detected intense non-malware port scanning
° 9906025(58): not found
° 3(23): Inbound Attack - REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner
° 2008564(5): CandC Communication - ET USER_AGENTS Suspicious User-Agent (Internet HTTP Request)
° 9906003(3): not found
° 9906021(2): not found
° 9906028(2): not found
° 1(1): Inbound Attack - REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner
° 9906008(1): not found
94.155.113.167 (BG)
SOFIA
GRAD SOFIYA
BULGARIA
SOFIALAN.COM / DSL
ITD

High Details (1.8)
1 BotHunter Users
2 Infection Report
2010-06-21 to 2010-06-21

° 2007711(5): CandC Communication - ET TROJAN Srizbi registering with controller
° 2003330(3): Attack Prep - ET POLICY Possible Spambot Host DNS MX Query High Count
° 9910014(3): Bot Space Access - ET POLICY Spambot Host DNS MX Query High Count
64.124.109.200 (US)
GAITHERSBURG
MARYLAND
UNITED STATES
AWS.COM / COMP
AWS

High Details (1.8)
257 BotHunter Users
2066 Infection Report
2010-04-14 to 2010-08-07

° 2003422(42): CandC Communication - ET MALWARE Weatherbug Command Activity
° 7777005(33): Outbound Scan - Detected intense non-malware port scanning
° 7777008(9): Malware Scan - Detected intense malware port scanning
° 2003179(8): Egg Download - ET POLICY exe download without User Agent
° 25(3): Inbound Attack - ET EXPLOIT COM Object Instantiation Memory Corruption Vulnerability MS05-054
° 2007827(3): Egg Download - ET TROJAN Suspicious User-Agent - Possible Trojan Downloader (ie)
° 2002836(2): Egg Download - ET MALWARE MyWebSearch Toolbar Traffic (bar config download)
° 2008564(2): CandC Communication - ET USER_AGENTS Suspicious User-Agent (Internet HTTP Request)
° 2632222(1): not found
91.194.10.60 (RU)
MOSCOW
MOSCOW CITY
RUSSIAN FEDERATION
BSYS-NET.RU / DSL
BANKING SYSTEMS LTD

High Details (1.9)
2 BotHunter Users
2 Infection Report
2010-05-23 to 2010-05-25

° 1(1): Inbound Attack - REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner
° 3(1): Inbound Attack - REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner
° 2003438(1): CandC Communication - ET MALWARE Abcsearch.com Spyware Reporting
° 3810005(1): Bot Space Access - ET ShadowServer confirmed botnet control server
° 3810007(1): Russian Business Network - ET Known Russian Business Network Monitored Domain
° 7777005(1): Outbound Scan - Detected intense non-malware port scanning
88.10.32.64 (ES)
BARCELONA
CATALONIA
SPAIN
RIMA-TDE.NET / DSL
TELEFONICA DE ESPANA

Moderate Details (1.3)
3 BotHunter Users
3 Infection Report
2010-06-02 to 2010-06-02

° 2001569(12): Outbound Attack - ET SCAN Behavioral Unusual Port NETBIOS traffic, Potential Scan or Infection (60 in 60 secs)
° 7777008(9): Malware Scan - Detected intense malware port scanning
° 3810005(3): Bot Space Access - ET ShadowServer confirmed botnet control server
75.134.26.0 (US)
MADISON
WISCONSIN
UNITED STATES
CHARTER.COM / DSL
CHARTER COMMUNICATIONS

Very High Details (2.0)
1 BotHunter Users
1 Infection Report
2010-06-25 to 2010-06-25

° 3(1): Inbound Attack - REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner
° 2007711(1): CandC Communication - ET TROJAN Srizbi registering with controller
° 7777005(1): Outbound Scan - Detected intense non-malware port scanning
° 9906008(1): not found
217.16.17.59 (RU)
MOSCOW
MOSCOW CITY
RUSSIAN FEDERATION
MASTERHOST.RU / DSL
MASTERHOST.RU IS A HOSTING AND TECHNICAL SUPPORT ORGANIZATION

High Details (1.7)
1 BotHunter Users
1 Infection Report
2010-06-05 to 2010-06-05

° 2001569(4): Outbound Attack - ET SCAN Behavioral Unusual Port NETBIOS traffic, Potential Scan or Infection (60 in 60 secs)
° 7777008(3): Malware Scan - Detected intense malware port scanning
° 3810007(1): Russian Business Network - ET Known Russian Business Network Monitored Domain
74.222.1.134 (US)
LOS ANGELES
CALIFORNIA
UNITED STATES
VRTSERVERS.NET / DSL
VRTSERVERS INC

Maximum Details (2.3)
1 BotHunter Users
8 Infection Report
2010-04-18 to 2010-04-18

° 2000328(11): Outbound Attack - ET POLICY Outbound Multiple Non-SMTP Server Emails (20 in 120 secs)
° 2009292(8): CandC Communication - ET TROJAN Hupigon CnC Server Response
° 7777005(8): Outbound Scan - Detected intense non-malware port scanning
° 3(1): Inbound Attack - REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner
° 3810005(1): Bot Space Access - ET ShadowServer confirmed botnet control server
77.221.129.106 (RU)
MOSCOW
MOSCOW CITY
RUSSIAN FEDERATION
DATAPOINT.RU / DSL
COLOCATION AND VIRTUAL HOSTING

High Details (1.8)
1 BotHunter Users
2 Infection Report
2010-07-29 to 2010-07-29

° 7777005(6): Outbound Scan - Detected intense non-malware port scanning
° 3(3): Inbound Attack - REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner
° 2000328(2): Outbound Attack - ET POLICY Outbound Multiple Non-SMTP Server Emails (20 in 120 secs)
° 9906003(2): not found
° 9906021(2): not found
° 25(1): Inbound Attack - ET EXPLOIT COM Object Instantiation Memory Corruption Vulnerability MS05-054
° 2406003(1): not found
° 9906027(1): not found
208.88.180.81 (US)
SUNNYVALE
CALIFORNIA
UNITED STATES
- / DSL
FRIENDFINDER NETWORKS INC

High Details (1.5)
16 BotHunter Users
43 Infection Report
2010-04-16 to 2010-08-03

° 2003179(3): Egg Download - ET POLICY exe download without User Agent
° 2632222(3): not found
° 2000419(1): Egg Download - ET POLICY PE EXE or DLL Windows file download
° 2003620(1): CandC Communication - ET MALWARE 51yes.com Spyware Reporting User Activity
° 3300007(1): Egg Download - BotHunter Malware Windows executable (PE) sent from remote host
194.149.73.154 (ES)
LLEIDA
CATALONIA
SPAIN
LLEIDA.NET / DSL
INTERNET SERVICE PROVIDER

High Details (1.5)
5 BotHunter Users
5 Infection Report
2010-05-23 to 2010-06-06

° 2003438(1): CandC Communication - ET MALWARE Abcsearch.com Spyware Reporting
° 2003607(1): CandC Communication - ET MALWARE Cnzz.com/Baidu Related Spyware Stat Reporting
° 3810005(1): Bot Space Access - ET ShadowServer confirmed botnet control server
° 3810007(1): Russian Business Network - ET Known Russian Business Network Monitored Domain
° 7777005(1): Outbound Scan - Detected intense non-malware port scanning
° 7777008(1): Malware Scan - Detected intense malware port scanning
131.238.222.0 (US)
DAYTON
OHIO
UNITED STATES
SBCGLOBAL.NET / DSL
UNIVERSITY OF DAYTON

Very High Details (2.0)
1 BotHunter Users
5 Infection Report
2010-07-02 to 2010-07-02

° 2007711(7): CandC Communication - ET TROJAN Srizbi registering with controller
° 7777005(5): Outbound Scan - Detected intense non-malware port scanning
° 9906027(1): not found
24.215.122.0 (CA)
SUMMERSIDE
PRINCE EDWARD ISLAND
CANADA
EASTLINK.CA / DSL
EASTLINK HSI

Very High Details (2.0)
1 BotHunter Users
2 Infection Report
2010-06-22 to 2010-06-22

° 2007711(2): CandC Communication - ET TROJAN Srizbi registering with controller
° 7777005(2): Outbound Scan - Detected intense non-malware port scanning
° 9906025(1): not found
203.117.33.18 (SG)
SINGAPORE
SINGAPORE
SINGAPORE
- / DSL
VLAN 12-SB PROXY & RADIUS

High Details (1.6)
6 BotHunter Users
45 Infection Report
2010-06-22 to 2010-08-06

° 7777005(9): Outbound Scan - Detected intense non-malware port scanning
° 3(6): Inbound Attack - REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner
° 9906003(5): not found
° 25(3): Inbound Attack - ET EXPLOIT COM Object Instantiation Memory Corruption Vulnerability MS05-054
° 2000328(1): Outbound Attack - ET POLICY Outbound Multiple Non-SMTP Server Emails (20 in 120 secs)
° 2406027(1): not found
° 9906021(1): not found
222.191.251.131 (CN)
WUXI
JIANGSU
CHINA
163DATA.COM.CN / DSL
CHINANET JIANGSU PROVINCE NETWORK

Moderate Details (1.2)
44 BotHunter Users
79 Infection Report
2010-04-14 to 2010-08-11

° 2003620(8): CandC Communication - ET MALWARE 51yes.com Spyware Reporting User Activity
° 2003219(3): CandC Communication - ET MALWARE Alexa Spyware Reporting
° 2632222(3): not found
° 2000419(2): Egg Download - ET POLICY PE EXE or DLL Windows file download
° 2003179(1): Egg Download - ET POLICY exe download without User Agent
° 3300007(1): Egg Download - BotHunter Malware Windows executable (PE) sent from remote host
89.178.12.172 (RU)
MOSCOW
MOSCOW CITY
RUSSIAN FEDERATION
CORBINA.RU / DSL
BROADBAND CUSTOMERS IN MOSCOW

High Details (1.5)
2 BotHunter Users
3 Infection Report
2010-06-03 to 2010-06-03

° 2007711(5): CandC Communication - ET TROJAN Srizbi registering with controller
° 7777055(4): Outbound Scan - Detected intense non-malware port scanning (P2P)
° 3300007(3): Egg Download - BotHunter Malware Windows executable (PE) sent from remote host
° 7777005(2): Outbound Scan - Detected intense non-malware port scanning
° 2000419(1): Egg Download - ET POLICY PE EXE or DLL Windows file download
113.69.129.55 (CN)
GUANGZHOU
GUANGDONG
CHINA
163DATA.COM.CN / DSL
CHINANET GUANGDONG PROVINCE NETWORK

Moderate Details (1.2)
1 BotHunter Users
1 Infection Report
2010-06-10 to 2010-06-10

° 3(1): Inbound Attack - REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner
° 2007962(1): CandC Communication - ET TROJAN Vipdataend C&C Traffic - Checkin
° 7777005(1): Outbound Scan - Detected intense non-malware port scanning
74.68.154.0 (US)
NEW YORK
NEW YORK
UNITED STATES
RR.COM / DSL
ROAD RUNNER HOLDCO LLC

Very High Details (2.0)
1 BotHunter Users
5 Infection Report
2010-06-23 to 2010-06-23

° 2007711(6): CandC Communication - ET TROJAN Srizbi registering with controller
° 3(5): Inbound Attack - REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner
° 7777005(5): Outbound Scan - Detected intense non-malware port scanning
° 9906008(2): not found
118.19.17.85 (JP)
TOKYO
TOKYO
JAPAN
PLALA.OR.JP / DSL
NTT PLALA INC

High Details (1.7)
1 BotHunter Users
2 Infection Report
2010-07-23 to 2010-07-23

° 2001219(34): Outbound Attack - ET SCAN Potential SSH Scan (20 in 60 secs)
° 3810007(2): Russian Business Network - ET Known Russian Business Network Monitored Domain
° 3810003(1): Bot Space Access - BotHunter REPO confirmed botnet control server
° 3810005(1): Bot Space Access - ET ShadowServer confirmed botnet control server
193.124.133.217 (RU)
MOSCOW
MOSCOW CITY
RUSSIAN FEDERATION
STEL.RU / DSL
EUNET/RELCOM

Very High Details (2.2)
1 BotHunter Users
1 Infection Report
2010-05-25 to 2010-05-25

° 1(1): Inbound Attack - REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner
° 2003438(1): CandC Communication - ET MALWARE Abcsearch.com Spyware Reporting
° 3810005(1): Bot Space Access - ET ShadowServer confirmed botnet control server
° 3810007(1): Russian Business Network - ET Known Russian Business Network Monitored Domain
° 7777005(1): Outbound Scan - Detected intense non-malware port scanning
83.137.194.83 (NL)
HELMOND
NOORD-BRABANT
NETHERLANDS
HOSTING2GO.NL / DSL
SUPERIOR INTERNET SERVICES

Moderate Details (1.2)
1 BotHunter Users
1 Infection Report
2010-05-29 to 2010-05-29

° 2007860(1): Egg Download - ET USER_AGENTS Suspicious User Agent - Possible Trojan Downloader (Internet Explorer 6.0)
° 2008564(1): CandC Communication - ET USER_AGENTS Suspicious User-Agent (Internet HTTP Request)
71.115.253.3 (US)
RICHLAND
WASHINGTON
UNITED STATES
VERIZON.NET / DSL
VERIZON INTERNET SERVICES INC

Moderate Details (1.2)
1 BotHunter Users
2 Infection Report
2010-05-27 to 2010-05-27

° 2007711(2): CandC Communication - ET TROJAN Srizbi registering with controller
° 3300007(2): Egg Download - BotHunter Malware Windows executable (PE) sent from remote host
° 7777055(2): Outbound Scan - Detected intense non-malware port scanning (P2P)
° 2000419(1): Egg Download - ET POLICY PE EXE or DLL Windows file download
91.206.201.110 (UA)
-
-
UKRAINE
- / DSL
PE SERGEY DEMIN

Maximum Details (2.6)
3 BotHunter Users
162 Infection Report
2010-05-01 to 2010-05-02

° 7777005(61): Outbound Scan - Detected intense non-malware port scanning
° 2008109(60): CandC Communication - ET TROJAN Possible Bobax/Kraken/Oderoor UDP 447 CnC Channel Outbound
° 53196(55): Outbound Attack - REGISTERED FREE NETBIOS name query overflow attempt UDP
° 7777008(41): Malware Scan - Detected intense malware port scanning
° 3300003(2): Egg Download - BotHunter HTTP-based .exe Upload on backdoor port
88.201.211.0 (RU)
-
-
RUSSIAN FEDERATION
SPB.RU / DSL
CABLE TV AND INTERNET PROVIDER

High Details (1.8)
1 BotHunter Users
1 Infection Report
2010-04-24 to 2010-04-24

° 7777005(3): Outbound Scan - Detected intense non-malware port scanning
° 3(1): Inbound Attack - REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner
° 2008564(1): CandC Communication - ET USER_AGENTS Suspicious User-Agent (Internet HTTP Request)
° 9906027(1): not found
189.59.157.61 (BR)
SÃO PAULO
SAO PAULO
BRAZIL
VELOXZONE.COM.BR / DSL
COMITE GESTOR DA INTERNET NO BRASIL

Moderate Details (1.2)
1 BotHunter Users
1 Infection Report
2010-08-02 to 2010-08-02

° 7777055(2): Outbound Scan - Detected intense non-malware port scanning (P2P)
° 2007711(1): CandC Communication - ET TROJAN Srizbi registering with controller
° 3300001(1): Egg Download - BotHunter Script-based Windows egg download .exe
85.29.102.0 (FI)
KAJAANI
OULU
FINLAND
KPONET.FI / DSL
KPO-BROADBAND-CUSTOMERS-CABLE

Very High Details (2.0)
1 BotHunter Users
1 Infection Report
2010-07-12 to 2010-07-12

° 7777005(3): Outbound Scan - Detected intense non-malware port scanning
° 2007711(1): CandC Communication - ET TROJAN Srizbi registering with controller
° 9906029(1): not found
205.171.2.65 (US)
NEW YORK
NEW YORK
UNITED STATES
QWEST.NET / DSL
QWEST COMMUNICATIONS CORPORATION

High Details (1.8)
2 BotHunter Users
2 Infection Report
2010-07-16 to 2010-07-21

° 2003330(6): Attack Prep - ET POLICY Possible Spambot Host DNS MX Query High Count
° 9910014(6): Bot Space Access - ET POLICY Spambot Host DNS MX Query High Count
° 2000328(4): Outbound Attack - ET POLICY Outbound Multiple Non-SMTP Server Emails (20 in 120 secs)
° 3800002(1): Bot Space Access - BOTHUNTER CURRENT_EVENTS Excessive NXDOMAIN responses by internal host
81.94.31.131 (RU)
MOSCOW
MOSCOW CITY
RUSSIAN FEDERATION
MNS.RU / DSL
CREDOLINK ISP VPN POOL

Moderate Details (1.3)
1 BotHunter Users
1 Infection Report
2010-04-15 to 2010-04-15

° 25(1): Inbound Attack - ET EXPLOIT COM Object Instantiation Memory Corruption Vulnerability MS05-054
° 7777005(1): Outbound Scan - Detected intense non-malware port scanning
° 9906025(1): not found
218.30.115.254 (CN)
BEIJING
BEIJING
CHINA
HICHINA.COM / DSL
CHINANET IDC CENTER

Moderate Details (1.3)
1 BotHunter Users
1 Infection Report
2010-06-17 to 2010-06-17

° 90909090(8): not found
° 2003620(1): CandC Communication - ET MALWARE 51yes.com Spyware Reporting User Activity
194.67.18.76 (RU)
MOSCOW
MOSCOW CITY
RUSSIAN FEDERATION
APORT.RU / DSL
GOLDEN TELECOM

High Details (1.7)
1 BotHunter Users
1 Infection Report
2010-08-01 to 2010-08-01

° 2001569(4): Outbound Attack - ET SCAN Behavioral Unusual Port NETBIOS traffic, Potential Scan or Infection (60 in 60 secs)
° 7777008(2): Malware Scan - Detected intense malware port scanning
° 3810007(1): Russian Business Network - ET Known Russian Business Network Monitored Domain
221.10.128.197 (CN)
CHENGDU
SICHUAN
CHINA
SHUZG.COM / DSL
CHINA UNICOM SICHUAN PROVINCE NETWORK

High Details (1.4)
1 BotHunter Users
1 Infection Report
2010-06-06 to 2010-06-06

° 2009292(1): CandC Communication - ET TROJAN Hupigon CnC Server Response
° 3810007(1): Russian Business Network - ET Known Russian Business Network Monitored Domain
° 7777005(1): Outbound Scan - Detected intense non-malware port scanning
195.161.119.240 (RU)
KRASNOYARSK
KRASNOYARSK
RUSSIAN FEDERATION
EHOUSE.RU / DSL
EHOUSE (CO-LOCATION) NETWORK

High Details (1.9)
1 BotHunter Users
1 Infection Report
2010-04-17 to 2010-04-17

° 2000328(15): Outbound Attack - ET POLICY Outbound Multiple Non-SMTP Server Emails (20 in 120 secs)
° 3(1): Inbound Attack - REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner
° 2003438(1): CandC Communication - ET MALWARE Abcsearch.com Spyware Reporting
° 3810007(1): Russian Business Network - ET Known Russian Business Network Monitored Domain
° 7777005(1): Outbound Scan - Detected intense non-malware port scanning
89.208.35.28 (RU)
-
-
RUSSIAN FEDERATION
DI-NET.RU / DSL
HOSTING AND COLOCATION SERVICES

High Details (1.5)
2 BotHunter Users
3 Infection Report
2010-08-05 to 2010-08-05

° 7777008(6): Malware Scan - Detected intense malware port scanning
° 3810002(2): Bot Space Access - BotHunter MTC confirmed botnet control server
° 3810004(2): Bot Space Access - BotHunter REPO confirmed botnet control server
° 3810006(2): Bot Space Access - ET ShadowServer confirmed botnet control server
° 3810008(2): Russian Business Network - ET Known Russian Business Network Monitored Domain
° 3810001(1): Bot Space Access - BotHunter MTC confirmed botnet control server
° 3810003(1): Bot Space Access - BotHunter REPO confirmed botnet control server
° 7777005(1): Outbound Scan - Detected intense non-malware port scanning
222.173.188.0 (CN)
JINAN
SHANDONG
CHINA
163DATA.COM.CN / DSL
CHINANET SHANDONG PROVINCE NETWORK

Moderate Details (1.2)
16 BotHunter Users
47 Infection Report
2010-04-15 to 2010-08-11

° 7777005(3): Outbound Scan - Detected intense non-malware port scanning
° 2003620(2): CandC Communication - ET MALWARE 51yes.com Spyware Reporting User Activity
° 2008428(1): Egg Download - ET USER_AGENTS Suspicious User-Agent (HTTP Downloader)
64.191.89.229 (US)
SCRANTON
PENNSYLVANIA
UNITED STATES
HOSTNOC.NET / DSL
NETWORK OPERATIONS CENTER INC

Moderate Details (1.2)
1 BotHunter Users
1 Infection Report
2010-05-03 to 2010-05-03

° 2001219(15): Outbound Attack - ET SCAN Potential SSH Scan (20 in 60 secs)
° 1(11): Inbound Attack - REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner
° 3(1): Inbound Attack - REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner
° 25(1): Inbound Attack - ET EXPLOIT COM Object Instantiation Memory Corruption Vulnerability MS05-054
° 3810007(1): Russian Business Network - ET Known Russian Business Network Monitored Domain
° 7777005(1): Outbound Scan - Detected intense non-malware port scanning
195.88.144.61 (UA)
-
-
UKRAINE
- / DSL
VLAFF PROCESSING LTD

Moderate Details (1.3)
1 BotHunter Users
2 Infection Report
2010-05-06 to 2010-05-06

° 7777005(7): Outbound Scan - Detected intense non-malware port scanning
° 2009353(2): CandC Communication - ET TROJAN Bredolab/Gumblar Downloader Communicating With Controller (1)
° 2008501(1): CandC Communication - ET TROJAN Peed Report to Controller
° 2009388(1): Egg Download - ET TROJAN Bredolab Downloader Response Binaries from Controller
200.83.0.116 (CL)
SANTIAGO
REGION METROPOLITANA
CHILE
VTR.NET / DSL
VTR BANDA ANCHA S.A

High Details (1.8)
19 BotHunter Users
81 Infection Report
2010-05-18 to 2010-06-09

° 2002196(4): CandC Communication - ET MALWARE Casalemedia Spyware Reporting URL Visited 2
° 2009880(3): CandC Communication - ET MALWARE Casalemedia Spyware Reporting URL Visited 3
° 2003607(2): CandC Communication - ET MALWARE Cnzz.com/Baidu Related Spyware Stat Reporting
° 3810005(2): Bot Space Access - ET ShadowServer confirmed botnet control server
° 2003438(1): CandC Communication - ET MALWARE Abcsearch.com Spyware Reporting
° 2003579(1): CandC Communication - ET MALWARE Findwhat.com Spyware (clickthrough)
° 2003581(1): CandC Communication - ET MALWARE Findwhat.com Spyware (sendmedia)
° 3810007(1): Russian Business Network - ET Known Russian Business Network Monitored Domain
° 7777005(1): Outbound Scan - Detected intense non-malware port scanning
219.234.81.131 (CN)
BEIJING
BEIJING
CHINA
IAPCM.AC.CN / DSL
BEIJING TELETRON TELECOM ENGINEERING CO. LTD

Moderate Details (1.2)
1 BotHunter Users
1 Infection Report
2010-04-25 to 2010-04-25

° 7777005(2): Outbound Scan - Detected intense non-malware port scanning
° 2003620(1): CandC Communication - ET MALWARE 51yes.com Spyware Reporting User Activity
88.255.117.209 (TR)
ISTANBUL
ISTANBUL
TURKEY
DAKIKHOST.COM / DSL
SUNUCU BILGISAYAR VE INTERNET HIZMETLERI

High Details (1.6)
2 BotHunter Users
15 Infection Report
2010-07-14 to 2010-07-27

° 7777005(18): Outbound Scan - Detected intense non-malware port scanning
° 9906027(15): not found
° 3(9): Inbound Attack - REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner
° 25(2): Inbound Attack - ET EXPLOIT COM Object Instantiation Memory Corruption Vulnerability MS05-054
° 2000328(2): Outbound Attack - ET POLICY Outbound Multiple Non-SMTP Server Emails (20 in 120 secs)
° 2406027(1): not found
88.29.47.146 (ES)
MADRID
MADRID
SPAIN
RIMA-TDE.NET / DSL
TELEFONICA MOVILES ESPANA (NCC#2007041930)

High Details (1.5)
1 BotHunter Users
1 Infection Report
2010-05-04 to 2010-05-04

° 2008390(13): CandC Communication - ET TROJAN Hupigon Response from Controller (YES - ~~@@)
° 2003380(2): Egg Download - ET TROJAN Suspicious User-Agent - Possible Trojan Downloader (ver18/ver19, etc)
° 2000419(1): Egg Download - ET POLICY PE EXE or DLL Windows file download
° 2003330(1): Attack Prep - ET POLICY Possible Spambot Host DNS MX Query High Count
° 2007671(1): Egg Download - ET POLICY Binary Download Smaller than 1 MB Likely Hostile
° 2009897(1): Egg Download - ET MALWARE Possible Windows executable sent when remote host claims to send html content
213.163.89.55 (NL)
ROTTERDAM
ZUID-HOLLAND
NETHERLANDS
- / DSL
SERVERBOOST IP SPACE

High Details (1.5)
1 BotHunter Users
35 Infection Report
2010-05-06 to 2010-05-06

° 2632222(35): not found
° 2002196(31): CandC Communication - ET MALWARE Casalemedia Spyware Reporting URL Visited 2
° 2009880(19): CandC Communication - ET MALWARE Casalemedia Spyware Reporting URL Visited 3
° 2008373(4): CandC Communication - ET CURRENT_EVENTS ASPROX Infected Site - ngg.js Request
° 2003620(3): CandC Communication - ET MALWARE 51yes.com Spyware Reporting User Activity
° 2001685(2): Egg Download - ET MALWARE Possible Windows executable sent when remote host claims to send an image
° 2009031(2): CandC Communication - ET TROJAN Possible Armitage Loader Request
77.85.161.0 (BG)
-
-
BULGARIA
77-85-168-10.BTC-NET.BG / DSL
BTC BROADBAND SERVICE

High Details (1.8)
1 BotHunter Users
4 Infection Report
2010-06-04 to 2010-06-04

° 9910014(6): Bot Space Access - ET POLICY Spambot Host DNS MX Query High Count
° 2007711(4): CandC Communication - ET TROJAN Srizbi registering with controller
° 2003330(2): Attack Prep - ET POLICY Possible Spambot Host DNS MX Query High Count
203.117.196.86 (SG)
SINGAPORE
SINGAPORE
SINGAPORE
- / COMP
SKYWAVE-ENGINEERING-PL-SID

Very High Details (2.0)
1 BotHunter Users
1 Infection Report
2010-04-15 to 2010-04-15

° 2001569(4): Outbound Attack - ET SCAN Behavioral Unusual Port NETBIOS traffic, Potential Scan or Infection (60 in 60 secs)
° 7777008(3): Malware Scan - Detected intense malware port scanning
° 3810007(1): Russian Business Network - ET Known Russian Business Network Monitored Domain
° 7777005(1): Outbound Scan - Detected intense non-malware port scanning
58.212.218.0 (CN)
NANJING
JIANGSU
CHINA
163DATA.COM.CN / DSL
CHINANET JIANGSU PROVINCE NETWORK

High Details (1.5)
1 BotHunter Users
1 Infection Report
2010-07-22 to 2010-07-22

° 7777005(3): Outbound Scan - Detected intense non-malware port scanning
° 2002728(1): CandC Communication - ET TROJAN Ransky or variant backdoor communication ping
° 2008428(1): Egg Download - ET USER_AGENTS Suspicious User-Agent (HTTP Downloader)
119.84.84.207 (CN)
CHONGQING
CHONGQING
CHINA
163DATA.COM.CN / DSL
CHINANET CHONGQING PROVINCE NETWORK

Moderate Details (1.2)
4 BotHunter Users
93 Infection Report
2010-05-27 to 2010-05-31

° 2008110(59): CandC Communication - ET TROJAN Possible Bobax/Kraken/Oderoor TCP 447 CnC Channel Outbound
° 7777005(59): Outbound Scan - Detected intense non-malware port scanning
° 2007840(1): Egg Download - ET TROJAN Suspicious User-Agent - Possible Trojan Downloader (Shell)
88.255.104.171 (TR)
ISTANBUL
ISTANBUL
TURKEY
CIZGIBILGISAYAR.COM / COMP
ANATOLIA BILGISAYAR VE MEDYA HIZMETLERI

High Details (1.5)
1 BotHunter Users
26 Infection Report
2010-06-14 to 2010-06-14

° 2001569(64): Outbound Attack - ET SCAN Behavioral Unusual Port NETBIOS traffic, Potential Scan or Infection (60 in 60 secs)
° 2008124(26): CandC Communication - ET TROJAN Likely Bot Nick in IRC (USA +..)
° 2008398(2): CandC Communication - ET TROJAN Fullspace.cc or Related Checkin (2)
° 2002839(1): Egg Download - ET MALWARE My Search Spyware Config Download
117.85.161.36 (CN)
BEIJING
BEIJING
CHINA
163DATA.COM.CN / DIAL
CHINANET JIANGSU PROVINCE NETWORK

High Details (1.8)
1 BotHunter Users
4 Infection Report
2010-05-24 to 2010-05-24

° 2009292(4): CandC Communication - ET TROJAN Hupigon CnC Server Response
° 7777005(4): Outbound Scan - Detected intense non-malware port scanning
° 7777008(1): Malware Scan - Detected intense malware port scanning
174.37.217.96 (US)
DALLAS
TEXAS
UNITED STATES
SOFTLAYER.COM / DSL
SOFTLAYER TECHNOLOGIES INC

Very High Details (2.0)
2 BotHunter Users
6 Infection Report
2010-04-20 to 2010-04-27

° 2000328(32): Outbound Attack - ET POLICY Outbound Multiple Non-SMTP Server Emails (20 in 120 secs)
° 3(5): Inbound Attack - REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner
° 7777005(4): Outbound Scan - Detected intense non-malware port scanning
° 3810007(2): Russian Business Network - ET Known Russian Business Network Monitored Domain
° 3810005(1): Bot Space Access - ET ShadowServer confirmed botnet control server
217.16.20.20 (RU)
MOSCOW
MOSCOW CITY
RUSSIAN FEDERATION
MASTERHOST.RU / DSL
MASTERHOST.RU IS A HOSTING AND TECHNICAL SUPPORT ORGANIZATION

High Details (1.7)
1 BotHunter Users
1 Infection Report
2010-07-25 to 2010-07-25

° 2001569(4): Outbound Attack - ET SCAN Behavioral Unusual Port NETBIOS traffic, Potential Scan or Infection (60 in 60 secs)
° 7777008(3): Malware Scan - Detected intense malware port scanning
° 3810007(1): Russian Business Network - ET Known Russian Business Network Monitored Domain
83.222.3.175 (RU)
-
-
RUSSIAN FEDERATION
MASTERHOST.RU / DSL
MASTERHOST IS A HOSTING AND TECHNICAL SUPPORT ORGANIZATION

Moderate Details (1.3)
1 BotHunter Users
1 Infection Report
2010-08-09 to 2010-08-09

° 7777005(3): Outbound Scan - Detected intense non-malware port scanning
° 25(1): Inbound Attack - ET EXPLOIT COM Object Instantiation Memory Corruption Vulnerability MS05-054
° 9906026(1): not found
83.173.188.59 (ES)
PAMPLONA
NAVARRA
SPAIN
ONO.COM / DSL
CLIENTES DE CABLEMODEMS

High Details (1.5)
1 BotHunter Users
1 Infection Report
2010-05-04 to 2010-05-04

° 2008390(13): CandC Communication - ET TROJAN Hupigon Response from Controller (YES - ~~@@)
° 2003380(2): Egg Download - ET TROJAN Suspicious User-Agent - Possible Trojan Downloader (ver18/ver19, etc)
° 2000419(1): Egg Download - ET POLICY PE EXE or DLL Windows file download
° 2003330(1): Attack Prep - ET POLICY Possible Spambot Host DNS MX Query High Count
° 2007671(1): Egg Download - ET POLICY Binary Download Smaller than 1 MB Likely Hostile
° 2009897(1): Egg Download - ET MALWARE Possible Windows executable sent when remote host claims to send html content
213.206.95.11 (NL)
AMSTERDAM
NOORD-HOLLAND
NETHERLANDS
SNAFU.ONLINE.BE / COMP
WIDEXS

Very High Details (2.2)
6 BotHunter Users
62 Infection Report
2010-05-28 to 2010-06-11

° 2002196(5): CandC Communication - ET MALWARE Casalemedia Spyware Reporting URL Visited 2
° 3810005(5): Bot Space Access - ET ShadowServer confirmed botnet control server
° 7777005(5): Outbound Scan - Detected intense non-malware port scanning
° 2009880(4): CandC Communication - ET MALWARE Casalemedia Spyware Reporting URL Visited 3
° 2003438(3): CandC Communication - ET MALWARE Abcsearch.com Spyware Reporting
° 3810007(3): Russian Business Network - ET Known Russian Business Network Monitored Domain
° 2002818(2): Egg Download - ET MALWARE MyWebSearch Toolbar Traffic (general download)
° 2002819(2): Egg Download - ET MALWARE MyWebSearch Toolbar Traffic (bin download)
° 2003607(2): CandC Communication - ET MALWARE Cnzz.com/Baidu Related Spyware Stat Reporting
112.198.64.116 (PH)
MAKATI
RIZAL
PHILIPPINES
KAAKBAYMD.COM.PH / DSL
GLOBE TELECOM/INNOVE COMMUNICATION

Very High Details (2.0)
1 BotHunter Users
3 Infection Report
2010-08-11 to 2010-08-11

° 2007711(3): CandC Communication - ET TROJAN Srizbi registering with controller
° 7777055(3): Outbound Scan - Detected intense non-malware port scanning (P2P)
° 2003330(2): Attack Prep - ET POLICY Possible Spambot Host DNS MX Query High Count
° 7777005(2): Outbound Scan - Detected intense non-malware port scanning
° 9910014(1): Bot Space Access - ET POLICY Spambot Host DNS MX Query High Count
221.181.73.216 (CN)
BEIJING
BEIJING
CHINA
MINTEL.COM / DSL
CHINA MOBILE COMMUNICATIONS CORPORATION

Moderate Details (1.2)
45 BotHunter Users
138 Infection Report
2010-04-16 to 2010-08-10

° 2003620(18): CandC Communication - ET MALWARE 51yes.com Spyware Reporting User Activity
° 2007671(4): Egg Download - ET POLICY Binary Download Smaller than 1 MB Likely Hostile
° 2008429(3): Egg Download - ET USER_AGENTS Suspicious User-Agent (HttpDownload)
° 2003174(1): Inbound Attack - ET EXPLOIT Possible UTF-16 encoded Shellcode Detected
° 3810004(1): Bot Space Access - BotHunter REPO confirmed botnet control server
98.124.198.1 (US)
BELLEVUE
WASHINGTON
UNITED STATES
- / DSL
ENOM INCORPORATED

Very High Details (2.2)
1 BotHunter Users
1 Infection Report
2010-06-06 to 2010-06-06

° 2003438(1): CandC Communication - ET MALWARE Abcsearch.com Spyware Reporting
° 2007951(1): CandC Communication - ET MALWARE Hex Encoded IP HTTP Request - Likely Malware
° 3810007(1): Russian Business Network - ET Known Russian Business Network Monitored Domain
° 7777005(1): Outbound Scan - Detected intense non-malware port scanning
° 7777008(1): Malware Scan - Detected intense malware port scanning
89.238.71.19 (DE)
RHEDA-WIEDENBRUECK
NORDRHEIN-WESTFALEN
GERMANY
LORETIS.COM / COMP
SYSPROFILER

Moderate Details (1.3)
5 BotHunter Users
29 Infection Report
2010-06-16 to 2010-07-06

° 2001569(7): Outbound Attack - ET SCAN Behavioral Unusual Port NETBIOS traffic, Potential Scan or Infection (60 in 60 secs)
° 2008124(3): CandC Communication - ET TROJAN Likely Bot Nick in IRC (USA +..)
° 1(2): Inbound Attack - REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner
° 2(2): Inbound Attack - REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner
81.94.23.231 (RU)
MOSCOW
MOSCOW CITY
RUSSIAN FEDERATION
MNS.RU / DSL
CREDOLINK ISP VPN POOL

Moderate Details (1.3)
1 BotHunter Users
1 Infection Report
2010-08-03 to 2010-08-03

° 25(2): Inbound Attack - ET EXPLOIT COM Object Instantiation Memory Corruption Vulnerability MS05-054
° 7777005(1): Outbound Scan - Detected intense non-malware port scanning
° 9906025(1): not found
174.120.120.151 (US)
DALLAS
TEXAS
UNITED STATES
THEPLANET.COM / DSL
THEPLANET.COM INTERNET SERVICES INC

High Details (1.4)
22 BotHunter Users
86 Infection Report
2010-04-14 to 2010-06-10

° 2003179(10): Egg Download - ET POLICY exe download without User Agent
° 3(8): Inbound Attack - REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner
° 3810007(6): Russian Business Network - ET Known Russian Business Network Monitored Domain
° 7777005(5): Outbound Scan - Detected intense non-malware port scanning
° 2003219(1): CandC Communication - ET MALWARE Alexa Spyware Reporting
° 2003607(1): CandC Communication - ET MALWARE Cnzz.com/Baidu Related Spyware Stat Reporting
° 2003620(1): CandC Communication - ET MALWARE 51yes.com Spyware Reporting User Activity
° 3810001(1): Bot Space Access - BotHunter MTC confirmed botnet control server
° 3810005(1): Bot Space Access - ET ShadowServer confirmed botnet control server
195.64.140.63 (RU)
-
-
RUSSIAN FEDERATION
DMNET.RU / DSL
MEDIASTAR LTD

High Details (1.7)
1 BotHunter Users
1 Infection Report
2010-07-04 to 2010-07-04

° 2001569(4): Outbound Attack - ET SCAN Behavioral Unusual Port NETBIOS traffic, Potential Scan or Infection (60 in 60 secs)
° 7777008(2): Malware Scan - Detected intense malware port scanning
° 3810007(1): Russian Business Network - ET Known Russian Business Network Monitored Domain
207.81.185.208 (CA)
COURTENAY
BRITISH COLUMBIA
CANADA
TELUS.NET / DSL
TELUS COMMUNICATIONS INC

Moderate Details (1.3)
1 BotHunter Users
3 Infection Report
2010-08-05 to 2010-08-05

° 3810006(3): Bot Space Access - ET ShadowServer confirmed botnet control server
° 3300007(1): Egg Download - BotHunter Malware Windows executable (PE) sent from remote host
61.147.67.212 (CN)
BEIJING
BEIJING
CHINA
163DATA.COM.CN / DSL
CHINANET JIANGSU PROVINCE NETWORK

Moderate Details (1.2)
29 BotHunter Users
50 Infection Report
2010-04-14 to 2010-08-08

° 2003620(19): CandC Communication - ET MALWARE 51yes.com Spyware Reporting User Activity
° 2007671(2): Egg Download - ET POLICY Binary Download Smaller than 1 MB Likely Hostile
° 2003174(1): Inbound Attack - ET EXPLOIT Possible UTF-16 encoded Shellcode Detected
° 3300007(1): Egg Download - BotHunter Malware Windows executable (PE) sent from remote host
79.170.40.38 (UK)
-
-
UNITED KINGDOM
EXTENDCP.CO.UK / DSL
HEART INTERNET NETWORK

Very High Details (2.2)
3 BotHunter Users
3 Infection Report
2010-05-24 to 2010-05-27

° 3(2): Inbound Attack - REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner
° 2003607(2): CandC Communication - ET MALWARE Cnzz.com/Baidu Related Spyware Stat Reporting
° 3810007(2): Russian Business Network - ET Known Russian Business Network Monitored Domain
° 7777005(2): Outbound Scan - Detected intense non-malware port scanning
° 1(1): Inbound Attack - REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner
° 2003438(1): CandC Communication - ET MALWARE Abcsearch.com Spyware Reporting
° 3810005(1): Bot Space Access - ET ShadowServer confirmed botnet control server
69.31.86.203 (US)
NEW YORK
NEW YORK
UNITED STATES
PILOSOFT.COM / DSL
PILOSOFT INC

Very High Details (2.0)
1 BotHunter Users
6 Infection Report
2010-07-19 to 2010-07-19

° 7777005(15): Outbound Scan - Detected intense non-malware port scanning
° 9906018(6): not found
° 7777008(3): Malware Scan - Detected intense malware port scanning
° 2002400(2): not found
° 2406018(1): not found
61.147.124.0 (CN)
BEIJING
BEIJING
CHINA
163DATA.COM.CN / DSL
CHINANET JIANGSU PROVINCE NETWORK

Moderate Details (1.2)
6 BotHunter Users
10 Infection Report
2010-04-15 to 2010-08-09

° 7777005(4): Outbound Scan - Detected intense non-malware port scanning
° 3(2): Inbound Attack - REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner
° 2003620(2): CandC Communication - ET MALWARE 51yes.com Spyware Reporting User Activity
77.221.149.227 (RU)
-
-
RUSSIAN FEDERATION
DATAPOINT.RU / DSL
COLOCATION AND VIRTUAL HOSTING

Maximum Details (2.3)
3 BotHunter Users
6 Infection Report
2010-04-22 to 2010-05-06

° 2000328(42): Outbound Attack - ET POLICY Outbound Multiple Non-SMTP Server Emails (20 in 120 secs)
° 2003330(9): Attack Prep - ET POLICY Possible Spambot Host DNS MX Query High Count
° 9910014(5): Bot Space Access - ET POLICY Spambot Host DNS MX Query High Count
° 2007743(4): CandC Communication - ET TROJAN Dialer.qn HTTP Request - Checkin
° 2008271(4): CandC Communication - ET TROJAN DMSpammer HTTP Post Checkin (1)
221.238.27.154 (CN)
TIANJIN
TIANJIN
CHINA
163DATA.COM.CN / DSL
TIANJIN-WANGSUKEJI-LTD

High Details (1.7)
2 BotHunter Users
176 Infection Report
2010-07-25 to 2010-07-26

° 2003492(428): not found
° 7777005(278): Outbound Scan - Detected intense non-malware port scanning
° 3(120): Inbound Attack - REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner
° 1(11): Inbound Attack - REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner
° 2001569(4): Outbound Attack - ET SCAN Behavioral Unusual Port NETBIOS traffic, Potential Scan or Infection (60 in 60 secs)
° 2003620(4): CandC Communication - ET MALWARE 51yes.com Spyware Reporting User Activity
° 2007671(3): Egg Download - ET POLICY Binary Download Smaller than 1 MB Likely Hostile
° 7777008(3): Malware Scan - Detected intense malware port scanning
° 2000419(2): Egg Download - ET POLICY PE EXE or DLL Windows file download
151.51.150.66 (IT)
BOLOGNA
EMILIA-ROMAGNA
ITALY
51-151.NET24.IT / DSL
IUNET-BNET

Moderate Details (1.3)
2 BotHunter Users
2 Infection Report
2010-05-24 to 2010-05-24

° 3300007(2): Egg Download - BotHunter Malware Windows executable (PE) sent from remote host
° 3810003(2): Bot Space Access - BotHunter REPO confirmed botnet control server
° 2000419(1): Egg Download - ET POLICY PE EXE or DLL Windows file download
66.111.36.61 (EE)
-
-
ESTONIA
- / COMP
MARTTI VARIK

Very High Details (2.2)
1 BotHunter Users
1 Infection Report
2010-05-26 to 2010-05-26

° 2003607(1): CandC Communication - ET MALWARE Cnzz.com/Baidu Related Spyware Stat Reporting
° 3810003(1): Bot Space Access - BotHunter REPO confirmed botnet control server
° 3810007(1): Russian Business Network - ET Known Russian Business Network Monitored Domain
° 7777005(1): Outbound Scan - Detected intense non-malware port scanning
81.94.26.43 (RU)
MOSCOW
MOSCOW CITY
RUSSIAN FEDERATION
MNS.RU / DSL
CREDOLINK ISP VPN POOL

Maximum Details (2.3)
1 BotHunter Users
1 Infection Report
2010-06-17 to 2010-06-17

° 1(1): Inbound Attack - REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner
° 3(1): Inbound Attack - REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner
° 2007827(1): Egg Download - ET TROJAN Suspicious User-Agent - Possible Trojan Downloader (ie)
° 2008564(1): CandC Communication - ET USER_AGENTS Suspicious User-Agent (Internet HTTP Request)
° 7777005(1): Outbound Scan - Detected intense non-malware port scanning
° 9906025(1): not found
119.154.124.19 (PK)
ISLAMABAD
ISLAMABAD
PAKISTAN
PIE.NET.PK / DSL
PAKISTAN TELECOMMUNICATION COMPANY LIMITED

High Details (1.5)
1 BotHunter Users
1 Infection Report
2010-05-04 to 2010-05-04

° 2008390(13): CandC Communication - ET TROJAN Hupigon Response from Controller (YES - ~~@@)
° 2003380(2): Egg Download - ET TROJAN Suspicious User-Agent - Possible Trojan Downloader (ver18/ver19, etc)
° 2000419(1): Egg Download - ET POLICY PE EXE or DLL Windows file download
° 2003330(1): Attack Prep - ET POLICY Possible Spambot Host DNS MX Query High Count
° 2007671(1): Egg Download - ET POLICY Binary Download Smaller than 1 MB Likely Hostile
° 2009897(1): Egg Download - ET MALWARE Possible Windows executable sent when remote host claims to send html content
95.105.214.29 (SK)
BRATISLAVA
BRATISLAVA
SLOVAKIA
ORANGE.SK / DSL
ORANGE SLOVENSKO A.S

High Details (1.5)
2 BotHunter Users
6 Infection Report
2010-06-03 to 2010-06-03

° 2007711(6): CandC Communication - ET TROJAN Srizbi registering with controller
° 7777005(6): Outbound Scan - Detected intense non-malware port scanning
° 2000419(2): Egg Download - ET POLICY PE EXE or DLL Windows file download
° 3300007(2): Egg Download - BotHunter Malware Windows executable (PE) sent from remote host
° 7777055(1): Outbound Scan - Detected intense non-malware port scanning (P2P)
194.85.61.78 (RU)
MOSCOW
MOSCOW CITY
RUSSIAN FEDERATION
- / DSL
RU NCC NETWORK

High Details (1.4)
1 BotHunter Users
1 Infection Report
2010-06-11 to 2010-06-11

° 2003438(1): CandC Communication - ET MALWARE Abcsearch.com Spyware Reporting
° 3810007(1): Russian Business Network - ET Known Russian Business Network Monitored Domain
° 7777005(1): Outbound Scan - Detected intense non-malware port scanning
192.231.202.150 (US)
LAKEWOOD
NEW JERSEY
UNITED STATES
GEORGIAN.EDU / COMP
GEORGIAN COURT COLLEGE

High Details (1.6)
1 BotHunter Users
1 Infection Report
2010-08-09 to 2010-08-09

° 7777005(3): Outbound Scan - Detected intense non-malware port scanning
° 25(1): Inbound Attack - ET EXPLOIT COM Object Instantiation Memory Corruption Vulnerability MS05-054
° 2007962(1): CandC Communication - ET TROJAN Vipdataend C&C Traffic - Checkin
° 9906022(1): not found
222.191.251.98 (CN)
WUXI
JIANGSU
CHINA
163DATA.COM.CN / DSL
CHINANET JIANGSU PROVINCE NETWORK

Moderate Details (1.2)
40 BotHunter Users
72 Infection Report
2010-04-14 to 2010-08-11

° 2003607(4): CandC Communication - ET MALWARE Cnzz.com/Baidu Related Spyware Stat Reporting
° 2003438(2): CandC Communication - ET MALWARE Abcsearch.com Spyware Reporting
° 2003620(2): CandC Communication - ET MALWARE 51yes.com Spyware Reporting User Activity
° 7777005(2): Outbound Scan - Detected intense non-malware port scanning
° 1(1): Inbound Attack - REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner
° 3(1): Inbound Attack - REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner
° 2001892(1): Egg Download - ET MALWARE ToolbarPartner Spyware Agent Download (2)
° 2003579(1): CandC Communication - ET MALWARE Findwhat.com Spyware (clickthrough)
° 2003581(1): CandC Communication - ET MALWARE Findwhat.com Spyware (sendmedia)
66.40.65.7 (US)
ATLANTA
GEORGIA
UNITED STATES
MAXIM.NET / DSL
PEER 1 DEDICATED HOSTING

High Details (1.4)
1 BotHunter Users
1 Infection Report
2010-05-21 to 2010-05-21

° 2003607(3): CandC Communication - ET MALWARE Cnzz.com/Baidu Related Spyware Stat Reporting
° 2003438(1): CandC Communication - ET MALWARE Abcsearch.com Spyware Reporting
° 3810007(1): Russian Business Network - ET Known Russian Business Network Monitored Domain
° 7777005(1): Outbound Scan - Detected intense non-malware port scanning
219.142.78.202 (CN)
BEIJING
BEIJING
CHINA
BJTELECOM.NET / DSL
SINA

Moderate Details (1.3)
1 BotHunter Users
1 Infection Report
2010-06-17 to 2010-06-17

° 90909090(8): not found
° 2003620(1): CandC Communication - ET MALWARE 51yes.com Spyware Reporting User Activity
88.255.41.0 (TR)
ISTANBUL
ISTANBUL
TURKEY
- / COMP
NUHKUYUSU CAD. NO:94 OZEL ACADEMIC HOSPITAL BAGLARBASI USKUDAR ISTANBUL

Very High Details (2.0)
1 BotHunter Users
1 Infection Report
2010-07-27 to 2010-07-27

° 2007711(2): CandC Communication - ET TROJAN Srizbi registering with controller
° 7777005(1): Outbound Scan - Detected intense non-malware port scanning
° 9906027(1): not found
174.36.118.208 (US)
DALLAS
TEXAS
UNITED STATES
SOFTLAYER.COM / COMP
SOFTLAYER TECHNOLOGIES INC

Moderate Details (1.3)
3 BotHunter Users
313 Infection Report
2010-05-03 to 2010-05-04

° 7777005(88): Outbound Scan - Detected intense non-malware port scanning
° 2008109(87): CandC Communication - ET TROJAN Possible Bobax/Kraken/Oderoor UDP 447 CnC Channel Outbound
° 7777008(50): Malware Scan - Detected intense malware port scanning
° 53196(32): Outbound Attack - REGISTERED FREE NETBIOS name query overflow attempt UDP
174.36.251.247 (US)
DALLAS
TEXAS
UNITED STATES
SOFTLAYER.COM / COMP
SOFTLAYER TECHNOLOGIES INC

Very High Details (2.2)
1 BotHunter Users
1 Infection Report
2010-05-30 to 2010-05-30

° 2003438(1): CandC Communication - ET MALWARE Abcsearch.com Spyware Reporting
° 2003607(1): CandC Communication - ET MALWARE Cnzz.com/Baidu Related Spyware Stat Reporting
° 3810005(1): Bot Space Access - ET ShadowServer confirmed botnet control server
° 3810007(1): Russian Business Network - ET Known Russian Business Network Monitored Domain
° 7777005(1): Outbound Scan - Detected intense non-malware port scanning
121.195.178.201 (CN)
BEIJING
BEIJING
CHINA
- / DSL
GUANGZHOU NETEASE COMPUTER SYSTEM COMPANY (BEIJING)

High Details (1.7)
1 BotHunter Users
1 Infection Report
2010-05-26 to 2010-05-26

° 2007860(4): Egg Download - ET USER_AGENTS Suspicious User Agent - Possible Trojan Downloader (Internet Explorer 6.0)
° 2008564(4): CandC Communication - ET USER_AGENTS Suspicious User-Agent (Internet HTTP Request)
° 7777005(1): Outbound Scan - Detected intense non-malware port scanning
118.145.5.14 (CN)
BEIJING
BEIJING
CHINA
- / DSL
BEIJING BITONE UNITED NETWORKS

High Details (1.9)
6 BotHunter Users
56 Infection Report
2010-04-14 to 2010-04-18

° 2003179(42): Egg Download - ET POLICY exe download without User Agent
° 2003607(30): CandC Communication - ET MALWARE Cnzz.com/Baidu Related Spyware Stat Reporting
° 2000328(14): Outbound Attack - ET POLICY Outbound Multiple Non-SMTP Server Emails (20 in 120 secs)
° 7777005(11): Outbound Scan - Detected intense non-malware port scanning
° 2000419(7): Egg Download - ET POLICY PE EXE or DLL Windows file download
° 2003219(7): CandC Communication - ET MALWARE Alexa Spyware Reporting
° 3300007(7): Egg Download - BotHunter Malware Windows executable (PE) sent from remote host
° 3(4): Inbound Attack - REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner
° 3810007(3): Russian Business Network - ET Known Russian Business Network Monitored Domain
173.73.185.9 (US)
-
-
UNITED STATES
VERIZON.NET / DSL
VERIZON INTERNET SERVICES INC

Moderate Details (1.3)
3 BotHunter Users
5 Infection Report
2010-06-01 to 2010-06-01

° 7777055(6): Outbound Scan - Detected intense non-malware port scanning (P2P)
° 2007711(5): CandC Communication - ET TROJAN Srizbi registering with controller
° 3300007(5): Egg Download - BotHunter Malware Windows executable (PE) sent from remote host
° 2000419(3): Egg Download - ET POLICY PE EXE or DLL Windows file download
° 7777005(1): Outbound Scan - Detected intense non-malware port scanning
83.231.138.0 (UK)
LONDON
ENGLAND
UNITED KINGDOM
VERIO.NET / COMP
TMW-NET

Maximum Details (2.5)
6 BotHunter Users
11 Infection Report
2010-06-10 to 2010-06-24

° 2000328(51): Outbound Attack - ET POLICY Outbound Multiple Non-SMTP Server Emails (20 in 120 secs)
° 2003330(47): Attack Prep - ET POLICY Possible Spambot Host DNS MX Query High Count
° 9910014(10): Bot Space Access - ET POLICY Spambot Host DNS MX Query High Count
° 7777005(7): Outbound Scan - Detected intense non-malware port scanning
° 3810007(3): Russian Business Network - ET Known Russian Business Network Monitored Domain
158.38.8.251 (NO)
TRONDHEIM
SOR-TRONDELAG
NORWAY
HIALS.NO / DSL
UNINETT

High Details (1.8)
1 BotHunter Users
1 Infection Report
2010-05-27 to 2010-05-27

° 2003607(2): CandC Communication - ET MALWARE Cnzz.com/Baidu Related Spyware Stat Reporting
° 2003438(1): CandC Communication - ET MALWARE Abcsearch.com Spyware Reporting
° 3810005(1): Bot Space Access - ET ShadowServer confirmed botnet control server
° 7777005(1): Outbound Scan - Detected intense non-malware port scanning
84.19.161.78 (RU)
-
-
RUSSIAN FEDERATION
- / DSL
RU-KEYWEB-VDSWIN-I

High Details (1.5)
1 BotHunter Users
2 Infection Report
2010-06-09 to 2010-06-09

° 2008523(2): CandC Communication - ET TROJAN Generic Trojan Checkin
° 2632222(2): not found
° 1444(1): Egg Download - TFTP GET from external source
° 2008120(1): Egg Download - ET POLICY Outbound TFTP Read Request
80.70.226.117 (RU)
MOSCOW
MOSCOW CITY
RUSSIAN FEDERATION
MNS.RU / DIAL
CREDOLINK ISP DIAL-UP

High Details (1.8)
1 BotHunter Users
1 Infection Report
2010-06-08 to 2010-06-08

° 25(2): Inbound Attack - ET EXPLOIT COM Object Instantiation Memory Corruption Vulnerability MS05-054
° 1(1): Inbound Attack - REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner
° 2008564(1): CandC Communication - ET USER_AGENTS Suspicious User-Agent (Internet HTTP Request)
° 7777005(1): Outbound Scan - Detected intense non-malware port scanning
° 9906023(1): not found
211.172.232.237 (KR)
SEOUL
SEOUL-T'UKPYOLSI
KOREA, REPUBLIC OF
KCI.CO.KR / DSL
HANNET-INFRA

Very High Details (2.2)
3 BotHunter Users
6 Infection Report
2010-06-01 to 2010-06-07

° 2003438(2): CandC Communication - ET MALWARE Abcsearch.com Spyware Reporting
° 3810005(2): Bot Space Access - ET ShadowServer confirmed botnet control server
° 3810007(2): Russian Business Network - ET Known Russian Business Network Monitored Domain
° 7777005(2): Outbound Scan - Detected intense non-malware port scanning
° 2003620(1): CandC Communication - ET MALWARE 51yes.com Spyware Reporting User Activity
° 2009031(1): CandC Communication - ET TROJAN Possible Armitage Loader Request
69.43.160.175 (US)
SAN DIEGO
CALIFORNIA
UNITED STATES
22A52.COM / DSL
BASIC LINK

Very High Details (2.1)
1 BotHunter Users
1 Infection Report
2010-07-19 to 2010-07-19

° 2003330(8): Attack Prep - ET POLICY Possible Spambot Host DNS MX Query High Count
° 9910014(3): Bot Space Access - ET POLICY Spambot Host DNS MX Query High Count
° 7777005(2): Outbound Scan - Detected intense non-malware port scanning
° 2632222(1): not found
86.122.209.254 (RO)
BRASOV
BRASOV
ROMANIA
RDSNET.RO / DSL
ROMANIA DATA SYSTEMS

Very High Details (2.0)
2 BotHunter Users
3 Infection Report
2010-07-19 to 2010-07-19

° 2007711(3): CandC Communication - ET TROJAN Srizbi registering with controller
° 7777005(3): Outbound Scan - Detected intense non-malware port scanning
° 7777055(2): Outbound Scan - Detected intense non-malware port scanning (P2P)
° 1(1): Inbound Attack - REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner
° 3810004(1): Bot Space Access - BotHunter REPO confirmed botnet control server
76.10.138.220 (CA)
-
-
CANADA
TEKSAVVY.COM / DSL
TEKSAVVY SOLUTIONS INC

High Details (1.5)
1 BotHunter Users
1 Infection Report
2010-07-01 to 2010-07-01

° 7777005(2): Outbound Scan - Detected intense non-malware port scanning
° 1(1): Inbound Attack - REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner
° 25(1): Inbound Attack - ET EXPLOIT COM Object Instantiation Memory Corruption Vulnerability MS05-054
° 2007827(1): Egg Download - ET TROJAN Suspicious User-Agent - Possible Trojan Downloader (ie)
° 2007962(1): CandC Communication - ET TROJAN Vipdataend C&C Traffic - Checkin
212.77.141.16 (RU)
-
-
RUSSIAN FEDERATION
RIKT.RU / DSL
JSC RITC

High Details (1.7)
1 BotHunter Users
1 Infection Report
2010-08-09 to 2010-08-09

° 2001569(4): Outbound Attack - ET SCAN Behavioral Unusual Port NETBIOS traffic, Potential Scan or Infection (60 in 60 secs)
° 7777008(3): Malware Scan - Detected intense malware port scanning
° 3810007(1): Russian Business Network - ET Known Russian Business Network Monitored Domain
189.100.159.78 (BR)
-
-
BRAZIL
VELOXZONE.COM.BR / DSL
COMITE GESTOR DA INTERNET NO BRASIL

Moderate Details (1.2)
1 BotHunter Users
4 Infection Report
2010-06-07 to 2010-06-07

° 3810006(4): Bot Space Access - ET ShadowServer confirmed botnet control server
° 3810008(1): Russian Business Network - ET Known Russian Business Network Monitored Domain
60.173.10.254 (CN)
HEFEI
ANHUI
CHINA
CNDATA.COM / DSL
CHINANET ANHUI PROVINCE NETWORK

High Details (1.8)
2 BotHunter Users
2 Infection Report
2010-06-02 to 2010-06-03

° 2003438(1): CandC Communication - ET MALWARE Abcsearch.com Spyware Reporting
° 2009292(1): CandC Communication - ET TROJAN Hupigon CnC Server Response
° 7777005(1): Outbound Scan - Detected intense non-malware port scanning
° 7777008(1): Malware Scan - Detected intense malware port scanning
69.64.145.0 (US)
BELLEVUE
WASHINGTON
UNITED STATES
- / DSL
ENOM INCORPORATED

Very High Details (2.0)
4 BotHunter Users
2026 Infection Report
2010-04-14 to 2010-08-11

° 9906018(746): not found
° 9906001(238): not found
° 9906003(200): not found
° 9906015(146): not found
° 7777005(123): Outbound Scan - Detected intense non-malware port scanning
° 9906004(94): not found
° 9906014(77): not found
° 2406027(56): not found
° 9906025(50): not found
81.94.21.227 (RU)
MOSCOW
MOSCOW CITY
RUSSIAN FEDERATION
MNS.RU / DSL
CREDOLINK ISP VPN POOL

High Details (1.8)
1 BotHunter Users
1 Infection Report
2010-06-18 to 2010-06-18

° 25(2): Inbound Attack - ET EXPLOIT COM Object Instantiation Memory Corruption Vulnerability MS05-054
° 1(1): Inbound Attack - REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner
° 2008564(1): CandC Communication - ET USER_AGENTS Suspicious User-Agent (Internet HTTP Request)
° 7777005(1): Outbound Scan - Detected intense non-malware port scanning
° 9906025(1): not found
60.20.55.16 (CN)
SHENYANG
LIAONING
CHINA
DCB.LN.CN / DSL
CHINA UNICOM LIAONING PROVINCE NETWORK

Moderate Details (1.2)
1 BotHunter Users
1 Infection Report
2010-04-24 to 2010-04-24

° 2007962(1): CandC Communication - ET TROJAN Vipdataend C&C Traffic - Checkin
° 7777005(1): Outbound Scan - Detected intense non-malware port scanning
88.201.213.0 (RU)
-
-
RUSSIAN FEDERATION
SPB.RU / DSL
CABLE TV AND INTERNET PROVIDER

High Details (1.5)
2 BotHunter Users
55 Infection Report
2010-04-14 to 2010-04-15

° 7777005(35): Outbound Scan - Detected intense non-malware port scanning
° 9906027(35): not found
° 9906004(3): not found
° 9906008(3): not found
° 1(1): Inbound Attack - REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner
° 9906003(1): not found
° 9906023(1): not found
° 9906025(1): not found
° 52007933(1): Outbound Attack - ET EXPLOIT Zilab Chat and Instant Messaging Heap Overflow Vulnerability
209.162.0.17 (US)
SUSANVILLE
CALIFORNIA
UNITED STATES
MINDSPRING.COM / DSL
EARTHLINK INC

Maximum Details (2.5)
1 BotHunter Users
1 Infection Report
2010-04-28 to 2010-04-28

° 2000328(9): Outbound Attack - ET POLICY Outbound Multiple Non-SMTP Server Emails (20 in 120 secs)
° 2003330(3): Attack Prep - ET POLICY Possible Spambot Host DNS MX Query High Count
° 9910014(3): Bot Space Access - ET POLICY Spambot Host DNS MX Query High Count
° 2007711(1): CandC Communication - ET TROJAN Srizbi registering with controller
° 2632222(1): not found
12.125.101.212 (US)
COMPTON
CALIFORNIA
UNITED STATES
ATT.NET / DSL
AT&T WORLDNET SERVICES

Moderate Details (1.3)
2 BotHunter Users
5 Infection Report
2010-05-01 to 2010-05-02

° 2001569(6): Outbound Attack - ET SCAN Behavioral Unusual Port NETBIOS traffic, Potential Scan or Infection (60 in 60 secs)
° 3810005(2): Bot Space Access - ET ShadowServer confirmed botnet control server
69.64.155.7 (US)
BELLEVUE
WASHINGTON
UNITED STATES
- / DSL
ENOM INCORPORATED

Maximum Details (2.6)
1 BotHunter Users
1 Infection Report
2010-07-06 to 2010-07-06

° 2009456(2): CandC Communication - ET USER_AGENTS Suspicious User Agent (ClickAdsByIE)
° 3300003(2): Egg Download - BotHunter HTTP-based .exe Upload on backdoor port
° 90909090(2): not found
° 1444(1): Egg Download - TFTP GET from external source
° 22351(1): Inbound Attack - REGISTERED FREE NETBIOS DCERPC ISystemActivator path overflow attempt little endian unicode
° 552123(1): Outbound Attack - REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner
° 2000419(1): Egg Download - ET POLICY PE EXE or DLL Windows file download
° 2003603(1): CandC Communication - ET TROJAN W32.Virut.A joining an IRC Channel
° 2007671(1): Egg Download - ET POLICY Binary Download Smaller than 1 MB Likely Hostile
° 2008120(1): Egg Download - ET POLICY Outbound TFTP Read Request
82.98.86.180 (DE)
BERLIN
BERLIN
GERMANY
FHE3RZ.NET / DSL
SEDO DOMAIN PARKING

Very High Details (2.2)
4 BotHunter Users
11 Infection Report
2010-06-19 to 2010-07-12

° 7777005(12): Outbound Scan - Detected intense non-malware port scanning
° 3810007(8): Russian Business Network - ET Known Russian Business Network Monitored Domain
° 3(2): Inbound Attack - REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner
° 2003620(1): CandC Communication - ET MALWARE 51yes.com Spyware Reporting User Activity
° 3810003(1): Bot Space Access - BotHunter REPO confirmed botnet control server
217.112.37.30 (RU)
-
-
RUSSIAN FEDERATION
VALUEHOST.RU / DSL
VALUEHOST DEDICATED SERVERS AND COLO SUBNET

Very High Details (2.2)
1 BotHunter Users
1 Infection Report
2010-05-24 to 2010-05-24

° 3(2): Inbound Attack - REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner
° 1(1): Inbound Attack - REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner
° 2003438(1): CandC Communication - ET MALWARE Abcsearch.com Spyware Reporting
° 3810005(1): Bot Space Access - ET ShadowServer confirmed botnet control server
° 3810007(1): Russian Business Network - ET Known Russian Business Network Monitored Domain
° 7777005(1): Outbound Scan - Detected intense non-malware port scanning
85.27.33.33 (BE)
BRUSSELS
BRUSSELS HOOFDSTEDELIJK GEWEST
BELGIUM
HOST-85-27-36-10.BRUTELE.BE / DSL
NETWORKIP7BRUTELE

Very High Details (2.0)
2 BotHunter Users
2 Infection Report
2010-04-25 to 2010-04-25

° 2007711(2): CandC Communication - ET TROJAN Srizbi registering with controller
° 3810008(2): Russian Business Network - ET Known Russian Business Network Monitored Domain
° 3810044(1): Bot Space Access - BotHunter REPO confirmed botnet control server
° 7777005(1): Outbound Scan - Detected intense non-malware port scanning
149.9.1.16 (US)
WASHINGTON
DISTRICT OF COLUMBIA
UNITED STATES
COGENTCO.COM / DSL
PSINET INC

High Details (1.7)
5 BotHunter Users
8 Infection Report
2010-05-29 to 2010-06-08

° 2003438(2): CandC Communication - ET MALWARE Abcsearch.com Spyware Reporting
° 3810005(2): Bot Space Access - ET ShadowServer confirmed botnet control server
° 7777005(2): Outbound Scan - Detected intense non-malware port scanning
° 2003607(1): CandC Communication - ET MALWARE Cnzz.com/Baidu Related Spyware Stat Reporting
° 3810007(1): Russian Business Network - ET Known Russian Business Network Monitored Domain
201.114.19.142 (MX)
-
-
MEXICO
PROD-INFINITUM.COM.MX / DSL
UNINET S.A. DE C.V

High Details (1.8)
1 BotHunter Users
2 Infection Report
2010-06-21 to 2010-06-21

° 2007711(4): CandC Communication - ET TROJAN Srizbi registering with controller
° 2003330(2): Attack Prep - ET POLICY Possible Spambot Host DNS MX Query High Count
° 9910014(1): Bot Space Access - ET POLICY Spambot Host DNS MX Query High Count
64.214.232.203 (US)
-
-
UNITED STATES
GBLX.NET / DSL
GLOBAL CROSSING

High Details (1.9)
1 BotHunter Users
1 Infection Report
2010-04-14 to 2010-04-14

° 2003179(2): Egg Download - ET POLICY exe download without User Agent
° 2003579(2): CandC Communication - ET MALWARE Findwhat.com Spyware (clickthrough)
° 3(1): Inbound Attack - REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner
° 3810007(1): Russian Business Network - ET Known Russian Business Network Monitored Domain
° 7777005(1): Outbound Scan - Detected intense non-malware port scanning
194.67.4.71 (RU)
ST. PETERSBURG
SAINT PETERSBURG CITY
RUSSIAN FEDERATION
GLDN.NET / DSL
SOVINTEL

High Details (1.7)
1 BotHunter Users
1 Infection Report
2010-06-28 to 2010-06-28

° 2001569(4): Outbound Attack - ET SCAN Behavioral Unusual Port NETBIOS traffic, Potential Scan or Infection (60 in 60 secs)
° 7777008(3): Malware Scan - Detected intense malware port scanning
° 3810007(1): Russian Business Network - ET Known Russian Business Network Monitored Domain
195.216.243.18 (UK)
-
-
UNITED KINGDOM
UCOZ.NET / DSL
COMPUBYTE LIMITED

Very High Details (2.2)
2 BotHunter Users
3 Infection Report
2010-04-14 to 2010-05-24

° 2003607(6): CandC Communication - ET MALWARE Cnzz.com/Baidu Related Spyware Stat Reporting
° 3(5): Inbound Attack - REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner
° 1(2): Inbound Attack - REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner
° 2003438(2): CandC Communication - ET MALWARE Abcsearch.com Spyware Reporting
° 3810007(2): Russian Business Network - ET Known Russian Business Network Monitored Domain
° 7777005(2): Outbound Scan - Detected intense non-malware port scanning
° 3810005(1): Bot Space Access - ET ShadowServer confirmed botnet control server
122.207.45.117 (CN)
CHANGSHA
HUNAN
CHINA
- / DSL
HUNAN UNIVERSITY

Moderate Details (1.2)
1 BotHunter Users
1 Infection Report
2010-07-23 to 2010-07-23

° 7777005(3): Outbound Scan - Detected intense non-malware port scanning
° 2007962(1): CandC Communication - ET TROJAN Vipdataend C&C Traffic - Checkin
217.170.67.5 (RU)
MOSCOW
MOSCOW CITY
RUSSIAN FEDERATION
ELTEL.NET / DSL
JSC ELTEL NETWORK

Moderate Details (1.3)
10 BotHunter Users
60 Infection Report
2010-08-01 to 2010-08-10

° 7777005(27): Outbound Scan - Detected intense non-malware port scanning
° 9906010(10): not found
° 9906015(8): not found
° 9906004(5): not found
° 3(4): Inbound Attack - REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner
° 25(2): Inbound Attack - ET EXPLOIT COM Object Instantiation Memory Corruption Vulnerability MS05-054
° 9906001(1): not found
° 9906007(1): not found
° 9906013(1): not found
91.207.6.234 (UA)
KHARKIV
KHARKIVS'KA OBLAST'
UKRAINE
STEEPHOST.NET / DSL
STEEPHOST.COM DATACENTRE ALLOCATION

Moderate Details (1.3)
1 BotHunter Users
6 Infection Report
2010-04-15 to 2010-04-15

° 7777005(11): Outbound Scan - Detected intense non-malware port scanning
° 2008189(6): CandC Communication - ET TROJAN SpamTool.Win32.Agent.gy/Grum/Tedroo Or Similar HTTP Checkin
° 2000328(2): Outbound Attack - ET POLICY Outbound Multiple Non-SMTP Server Emails (20 in 120 secs)
62.80.127.193 (DE)
LANDAU
RHEINLAND-PFALZ
GERMANY
MEGASPACE.DE / DSL
MEGASPACE

High Details (1.4)
14 BotHunter Users
29 Infection Report
2010-04-18 to 2010-06-12

° 3810007(6): Russian Business Network - ET Known Russian Business Network Monitored Domain
° 7777005(6): Outbound Scan - Detected intense non-malware port scanning
° 2002196(2): CandC Communication - ET MALWARE Casalemedia Spyware Reporting URL Visited 2
° 2003438(2): CandC Communication - ET MALWARE Abcsearch.com Spyware Reporting
° 2003607(2): CandC Communication - ET MALWARE Cnzz.com/Baidu Related Spyware Stat Reporting
° 2009880(1): CandC Communication - ET MALWARE Casalemedia Spyware Reporting URL Visited 3
° 3810001(1): Bot Space Access - BotHunter MTC confirmed botnet control server
° 3810005(1): Bot Space Access - ET ShadowServer confirmed botnet control server
° 7777008(1): Malware Scan - Detected intense malware port scanning
81.94.17.252 (RU)
MOSCOW
MOSCOW CITY
RUSSIAN FEDERATION
MNS.RU / DSL
CREDOLINK ISP VPN POOLS

High Details (1.8)
1 BotHunter Users
1 Infection Report
2010-07-04 to 2010-07-04

° 7777005(3): Outbound Scan - Detected intense non-malware port scanning
° 2007827(1): Egg Download - ET TROJAN Suspicious User-Agent - Possible Trojan Downloader (ie)
° 9906025(1): not found
204.137.28.217 (US)
KANSAS CITY
MISSOURI
UNITED STATES
VIRTUEMAILS.COM / DSL
ADKNOWLEDGE INC

High Details (1.8)
34 BotHunter Users
104 Infection Report
2010-04-17 to 2010-06-11

° 2002196(20): CandC Communication - ET MALWARE Casalemedia Spyware Reporting URL Visited 2
° 2003581(14): CandC Communication - ET MALWARE Findwhat.com Spyware (sendmedia)
° 7777005(14): Outbound Scan - Detected intense non-malware port scanning
° 2003438(11): CandC Communication - ET MALWARE Abcsearch.com Spyware Reporting
° 2009880(9): CandC Communication - ET MALWARE Casalemedia Spyware Reporting URL Visited 3
° 2003607(8): CandC Communication - ET MALWARE Cnzz.com/Baidu Related Spyware Stat Reporting
° 3810005(6): Bot Space Access - ET ShadowServer confirmed botnet control server
° 3810007(5): Russian Business Network - ET Known Russian Business Network Monitored Domain
° 2003620(2): CandC Communication - ET MALWARE 51yes.com Spyware Reporting User Activity
217.129.20.147 (PT)
LISBON
LISBOA
PORTUGAL
MO-217-129-0-10.NETVISAO.PT / DSL
CABOVISAO SA

Maximum Details (2.3)
1 BotHunter Users
9 Infection Report
2010-06-30 to 2010-06-30

° 2001569(23): Outbound Attack - ET SCAN Behavioral Unusual Port NETBIOS traffic, Potential Scan or Infection (60 in 60 secs)
° 2007711(16): CandC Communication - ET TROJAN Srizbi registering with controller
° 2003330(2): Attack Prep - ET POLICY Possible Spambot Host DNS MX Query High Count
° 9910014(1): Bot Space Access - ET POLICY Spambot Host DNS MX Query High Count
194.67.41.0 (RU)
MOSCOW
MOSCOW CITY
RUSSIAN FEDERATION
- / DSL
JV MOLCOM LTD

Very High Details (2.0)
1 BotHunter Users
59 Infection Report
2010-04-21 to 2010-04-21

° 9906001(69): not found
° 7777005(59): Outbound Scan - Detected intense non-malware port scanning
° 3(13): Inbound Attack - REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner
° 9906023(3): not found
° 9906003(2): not found
° 2008564(1): CandC Communication - ET USER_AGENTS Suspicious User-Agent (Internet HTTP Request)
° 9906004(1): not found
° 9906008(1): not found
° 9906025(1): not found
74.220.220.81 (US)
OREM
UTAH
UNITED STATES
BLUEHOST.COM / DSL
BLUEHOST INC

High Details (1.6)
1 BotHunter Users
1 Infection Report
2010-06-01 to 2010-06-01

° 2009456(2): CandC Communication - ET USER_AGENTS Suspicious User Agent (ClickAdsByIE)
° 22351(1): Inbound Attack - REGISTERED FREE NETBIOS DCERPC ISystemActivator path overflow attempt little endian unicode
° 2299913(1): Inbound Attack - ET SHELLCODE x86 0x90 unicode NOOP
° 90909090(1): not found
204.45.65.10 (-)
-
-
-
- / -
-

Moderate Details (1.3)
8 BotHunter Users
157 Infection Report
2010-06-25 to 2010-07-05

° 7777005(11): Outbound Scan - Detected intense non-malware port scanning
° 2008450(10): CandC Communication - ET TROJAN Buzus.lyz Connect to CnC
° 2000328(4): Outbound Attack - ET POLICY Outbound Multiple Non-SMTP Server Emails (20 in 120 secs)
° 2008189(2): CandC Communication - ET TROJAN SpamTool.Win32.Agent.gy/Grum/Tedroo Or Similar HTTP Checkin
221.181.73.220 (CN)
BEIJING
BEIJING
CHINA
MINTEL.COM / DSL
CHINA MOBILE COMMUNICATIONS CORPORATION

Moderate Details (1.2)
30 BotHunter Users
60 Infection Report
2010-04-16 to 2010-08-09

° 2000328(3): Outbound Attack - ET POLICY Outbound Multiple Non-SMTP Server Emails (20 in 120 secs)
° 2003330(3): Attack Prep - ET POLICY Possible Spambot Host DNS MX Query High Count
° 9910014(2): Bot Space Access - ET POLICY Spambot Host DNS MX Query High Count
° 2003620(1): CandC Communication - ET MALWARE 51yes.com Spyware Reporting User Activity
89.39.166.97 (RO)
BUCHAREST
BUCURESTI
ROMANIA
ACX.RO / DSL
SC-NET-AND-COMPUTERS-SRL

High Details (1.5)
1 BotHunter Users
1 Infection Report
2010-05-04 to 2010-05-04

° 2008390(13): CandC Communication - ET TROJAN Hupigon Response from Controller (YES - ~~@@)
° 2003380(2): Egg Download - ET TROJAN Suspicious User-Agent - Possible Trojan Downloader (ver18/ver19, etc)
° 2000419(1): Egg Download - ET POLICY PE EXE or DLL Windows file download
° 2003330(1): Attack Prep - ET POLICY Possible Spambot Host DNS MX Query High Count
° 2007671(1): Egg Download - ET POLICY Binary Download Smaller than 1 MB Likely Hostile
° 2009897(1): Egg Download - ET MALWARE Possible Windows executable sent when remote host claims to send html content
194.67.14.82 (RU)
MOSCOW
MOSCOW CITY
RUSSIAN FEDERATION
GLDN.NET / DSL
SOVINTEL-STNET

High Details (1.7)
1 BotHunter Users
1 Infection Report
2010-06-17 to 2010-06-17

° 2001569(4): Outbound Attack - ET SCAN Behavioral Unusual Port NETBIOS traffic, Potential Scan or Infection (60 in 60 secs)
° 7777008(3): Malware Scan - Detected intense malware port scanning
° 3810007(1): Russian Business Network - ET Known Russian Business Network Monitored Domain
66.79.164.102 (US)
FREMONT
CALIFORNIA
UNITED STATES
MANAGED.COM / DSL
MANAGED SOLUTIONS GROUP INC

Moderate Details (1.3)
1 BotHunter Users
4 Infection Report
2010-06-23 to 2010-06-23

° 2001569(9): Outbound Attack - ET SCAN Behavioral Unusual Port NETBIOS traffic, Potential Scan or Infection (60 in 60 secs)
° 2008124(5): CandC Communication - ET TROJAN Likely Bot Nick in IRC (USA +..)
° 1(2): Inbound Attack - REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner
° 2(2): Inbound Attack - REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner
° 3(1): Inbound Attack - REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner
209.66.100.34 (US)
ALBUQUERQUE
NEW MEXICO
UNITED STATES
SANTACRUZTECH.COM / DSL
GOT-NET (GOT-DOM)

High Details (1.8)
6 BotHunter Users
23 Infection Report
2010-04-14 to 2010-05-30

° 2003179(45): Egg Download - ET POLICY exe download without User Agent
° 3810005(18): Bot Space Access - ET ShadowServer confirmed botnet control server
° 7777005(15): Outbound Scan - Detected intense non-malware port scanning
° 2003607(10): CandC Communication - ET MALWARE Cnzz.com/Baidu Related Spyware Stat Reporting
° 2003219(8): CandC Communication - ET MALWARE Alexa Spyware Reporting
° 3(7): Inbound Attack - REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner
° 3810007(6): Russian Business Network - ET Known Russian Business Network Monitored Domain
° 2003620(2): CandC Communication - ET MALWARE 51yes.com Spyware Reporting User Activity
° 2007671(2): Egg Download - ET POLICY Binary Download Smaller than 1 MB Likely Hostile
64.211.162.96 (US)
HERMITAGE
TENNESSEE
UNITED STATES
GBLX.NET / DSL
GLOBAL CROSSING

Very High Details (2.2)
4 BotHunter Users
10 Infection Report
2010-04-14 to 2010-06-08

° 2002196(12): CandC Communication - ET MALWARE Casalemedia Spyware Reporting URL Visited 2
° 3810009(7): Bot Space Access - ET COMPROMISED Known Compromised or Hostile Host Traffic
° 2003438(6): CandC Communication - ET MALWARE Abcsearch.com Spyware Reporting
° 7777008(6): Malware Scan - Detected intense malware port scanning
° 2003607(4): CandC Communication - ET MALWARE Cnzz.com/Baidu Related Spyware Stat Reporting
° 2009880(3): CandC Communication - ET MALWARE Casalemedia Spyware Reporting URL Visited 3
° 3810005(3): Bot Space Access - ET ShadowServer confirmed botnet control server
° 3810007(3): Russian Business Network - ET Known Russian Business Network Monitored Domain
° 7777005(3): Outbound Scan - Detected intense non-malware port scanning
173.223.52.171 (-)
-
-
-
- / -
-

Maximum Details (2.3)
1 BotHunter Users
1 Infection Report
2010-06-21 to 2010-06-21

° 2003492(2): not found
° 2007827(1): Egg Download - ET TROJAN Suspicious User-Agent - Possible Trojan Downloader (ie)
° 7777005(1): Outbound Scan - Detected intense non-malware port scanning
° 7777008(1): Malware Scan - Detected intense malware port scanning
77.221.129.82 (RU)
MOSCOW
MOSCOW CITY
RUSSIAN FEDERATION
DATAPOINT.RU / DSL
COLOCATION AND VIRTUAL HOSTING

Moderate Details (1.3)
1 BotHunter Users
2 Infection Report
2010-08-08 to 2010-08-08

° 7777005(3): Outbound Scan - Detected intense non-malware port scanning
° 9906021(2): not found
° 25(1): Inbound Attack - ET EXPLOIT COM Object Instantiation Memory Corruption Vulnerability MS05-054
187.20.142.202 (BR)
BELO HORIZONTE
MINAS GERAIS
BRAZIL
VELOXZONE.COM.BR / DSL
COMITE GESTOR DA INTERNET NO BRASIL

High Details (1.4)
50 BotHunter Users
517 Infection Report
2010-05-14 to 2010-06-18

° 3810008(44): Russian Business Network - ET Known Russian Business Network Monitored Domain
° 2007711(40): CandC Communication - ET TROJAN Srizbi registering with controller
° 7777055(39): Outbound Scan - Detected intense non-malware port scanning (P2P)
° 3810044(4): Bot Space Access - BotHunter REPO confirmed botnet control server
° 2000419(3): Egg Download - ET POLICY PE EXE or DLL Windows file download
° 3810006(3): Bot Space Access - ET ShadowServer confirmed botnet control server
° 2000427(2): Egg Download - ET POLICY PE EXE Install Windows file download
° 2632222(2): not found
° 2007962(1): CandC Communication - ET TROJAN Vipdataend C&C Traffic - Checkin
81.176.226.188 (RU)
YAKUTSK
SAKHA
RUSSIAN FEDERATION
IN-SOLVE.RU / DSL
IN-SOLVE/1GB.RU HOSTING SERVICES PROVIDER

High Details (1.4)
1 BotHunter Users
1 Infection Report
2010-06-10 to 2010-06-10

° 2002196(3): CandC Communication - ET MALWARE Casalemedia Spyware Reporting URL Visited 2
° 2003438(1): CandC Communication - ET MALWARE Abcsearch.com Spyware Reporting
° 2009880(1): CandC Communication - ET MALWARE Casalemedia Spyware Reporting URL Visited 3
° 3810007(1): Russian Business Network - ET Known Russian Business Network Monitored Domain
° 7777005(1): Outbound Scan - Detected intense non-malware port scanning
74.54.191.130 (US)
DALLAS
TEXAS
UNITED STATES
THEPLANET.COM / COMP
THEPLANET.COM INTERNET SERVICES INC

Maximum Details (2.4)
5 BotHunter Users
5 Infection Report
2010-05-21 to 2010-06-23

° 2000328(8): Outbound Attack - ET POLICY Outbound Multiple Non-SMTP Server Emails (20 in 120 secs)
° 7777005(4): Outbound Scan - Detected intense non-malware port scanning
° 3810007(2): Russian Business Network - ET Known Russian Business Network Monitored Domain
° 3(1): Inbound Attack - REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner
° 2007742(1): CandC Communication - ET TROJAN Storm C&C with typo'd User-Agent (Windoss)
° 3007742(1): Peer to Peer - ET TROJAN Storm C&C with typo'd User-Agent (Windoss)
142.163.181.0 (CA)
ST. JOHN'S
NEWFOUNDLAND AND LABRADOR
CANADA
ALIANT.NET / DIAL
STENTOR NATIONAL INTEGRATED COMMUNICATIONS NETWORK

Very High Details (2.0)
1 BotHunter Users
1 Infection Report
2010-07-02 to 2010-07-02

° 2007711(2): CandC Communication - ET TROJAN Srizbi registering with controller
° 7777005(1): Outbound Scan - Detected intense non-malware port scanning
° 9906027(1): not found
85.24.169.91 (SE)
STOCKHOLM
STOCKHOLMS LAN
SWEDEN
BAHNHOF.SE / DSL
DYNAMIC PRIVATE NETWORK

Moderate Details (1.3)
1 BotHunter Users
2 Infection Report
2010-07-09 to 2010-07-09

° 3300007(3): Egg Download - BotHunter Malware Windows executable (PE) sent from remote host
° 2000419(2): Egg Download - ET POLICY PE EXE or DLL Windows file download
° 2007711(2): CandC Communication - ET TROJAN Srizbi registering with controller
° 7777005(1): Outbound Scan - Detected intense non-malware port scanning
65.61.216.43 (CA)
BURNABY
BRITISH COLUMBIA
CANADA
IN2NET.COM / DSL
DOTEASY TECHNOLOGY INC

Moderate Details (1.3)
2 BotHunter Users
2 Infection Report
2010-04-25 to 2010-04-25

° 2009024(3): CandC Communication - ET TROJAN Downadup/Conficker A or B Worm reporting
° 2001683(1): Egg Download - ET MALWARE Windows executable sent when remote host claims to send an image
° 3810004(1): Bot Space Access - BotHunter REPO confirmed botnet control server
81.94.19.63 (RU)
MOSCOW
MOSCOW CITY
RUSSIAN FEDERATION
MNS.RU / DSL
CREDOLINK ISP VPN POOL

High Details (1.7)
1 BotHunter Users
2 Infection Report
2010-05-01 to 2010-05-01

° 2001569(8): Outbound Attack - ET SCAN Behavioral Unusual Port NETBIOS traffic, Potential Scan or Infection (60 in 60 secs)
° 7777008(6): Malware Scan - Detected intense malware port scanning
° 3810007(2): Russian Business Network - ET Known Russian Business Network Monitored Domain
81.95.129.1 (RU)
MOSCOW
MOSCOW CITY
RUSSIAN FEDERATION
MATRIXTELECOM.NET / DSL
MATRIX TELECOM MOSCOW

High Details (1.7)
1 BotHunter Users
1 Infection Report
2010-07-22 to 2010-07-22

° 2001569(4): Outbound Attack - ET SCAN Behavioral Unusual Port NETBIOS traffic, Potential Scan or Infection (60 in 60 secs)
° 7777008(3): Malware Scan - Detected intense malware port scanning
° 3810007(1): Russian Business Network - ET Known Russian Business Network Monitored Domain
64.4.50.62 (US)
REDMOND
WASHINGTON
UNITED STATES
HMDEVLAB.COM / DSL
MS HOTMAIL

High Details (1.8)
1 BotHunter Users
94 Infection Report
2010-08-02 to 2010-08-02

° 2003492(97): not found
° 7777005(94): Outbound Scan - Detected intense non-malware port scanning
° 25(74): Inbound Attack - ET EXPLOIT COM Object Instantiation Memory Corruption Vulnerability MS05-054
° 3(73): Inbound Attack - REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner
° 1(21): Inbound Attack - REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner
° 2008564(20): CandC Communication - ET USER_AGENTS Suspicious User-Agent (Internet HTTP Request)
° 7777008(14): Malware Scan - Detected intense malware port scanning
° 9906004(6): not found
° 2002818(1): Egg Download - ET MALWARE MyWebSearch Toolbar Traffic (general download)
131.154.1.3 (IT)
BOLOGNA
EMILIA-ROMAGNA
ITALY
NA.INFN.IT / DSL
INFN (NATIONAL INSTITUTE OF NUCLEAR PHYSICS)

Maximum Details (2.6)
1 BotHunter Users
2 Infection Report
2010-05-27 to 2010-05-27

° 2000328(3): Outbound Attack - ET POLICY Outbound Multiple Non-SMTP Server Emails (20 in 120 secs)
° 1(2): Inbound Attack - REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner
° 2003330(2): Attack Prep - ET POLICY Possible Spambot Host DNS MX Query High Count
° 7777005(2): Outbound Scan - Detected intense non-malware port scanning
° 9910014(2): Bot Space Access - ET POLICY Spambot Host DNS MX Query High Count
63.97.123.8 (US)
EULESS
TEXAS
UNITED STATES
ALTER.NET / DSL
MCI COMMUNICATIONS SERVICES INC. D/B/A VERIZON BUSINESS

Moderate Details (1.2)
2 BotHunter Users
4 Infection Report
2010-06-11 to 2010-06-11

° 3300003(5): Egg Download - BotHunter HTTP-based .exe Upload on backdoor port
° 2002196(4): CandC Communication - ET MALWARE Casalemedia Spyware Reporting URL Visited 2
° 2009880(3): CandC Communication - ET MALWARE Casalemedia Spyware Reporting URL Visited 3
° 3(1): Inbound Attack - REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner
° 3810007(1): Russian Business Network - ET Known Russian Business Network Monitored Domain
78.47.222.220 (DE)
BERLIN
BERLIN
GERMANY
YOUR-SERVER.DE / COMP
YOYO SP. Z O.O

Very High Details (2.2)
20 BotHunter Users
231 Infection Report
2010-04-14 to 2010-06-12

° 2000328(79): Outbound Attack - ET POLICY Outbound Multiple Non-SMTP Server Emails (20 in 120 secs)
° 2003179(72): Egg Download - ET POLICY exe download without User Agent
° 7777005(30): Outbound Scan - Detected intense non-malware port scanning
° 3810007(28): Russian Business Network - ET Known Russian Business Network Monitored Domain
° 2000419(17): Egg Download - ET POLICY PE EXE or DLL Windows file download
° 3300007(17): Egg Download - BotHunter Malware Windows executable (PE) sent from remote host
° 2003607(13): CandC Communication - ET MALWARE Cnzz.com/Baidu Related Spyware Stat Reporting
° 2003219(12): CandC Communication - ET MALWARE Alexa Spyware Reporting
° 3810005(6): Bot Space Access - ET ShadowServer confirmed botnet control server
117.85.162.197 (CN)
BEIJING
BEIJING
CHINA
163DATA.COM.CN / DIAL
CHINANET JIANGSU PROVINCE NETWORK

High Details (1.5)
1 BotHunter Users
7 Infection Report
2010-05-31 to 2010-05-31

° 2009292(7): CandC Communication - ET TROJAN Hupigon CnC Server Response
° 7777005(5): Outbound Scan - Detected intense non-malware port scanning
° 7777008(2): Malware Scan - Detected intense malware port scanning
63.254.70.150 (US)
OLATHE
KANSAS
UNITED STATES
- / COMP
ESOLUTIONS

Very High Details (2.2)
1 BotHunter Users
20 Infection Report
2010-05-15 to 2010-05-15

° 3810003(20): Bot Space Access - BotHunter REPO confirmed botnet control server
° 3(4): Inbound Attack - REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner
° 2008110(3): CandC Communication - ET TROJAN Possible Bobax/Kraken/Oderoor TCP 447 CnC Channel Outbound
° 3810007(1): Russian Business Network - ET Known Russian Business Network Monitored Domain
187.117.130.61 (-)
-
-
-
- / -
-

High Details (1.5)
1 BotHunter Users
1 Infection Report
2010-05-04 to 2010-05-04

° 2008390(13): CandC Communication - ET TROJAN Hupigon Response from Controller (YES - ~~@@)
° 2003380(2): Egg Download - ET TROJAN Suspicious User-Agent - Possible Trojan Downloader (ver18/ver19, etc)
° 2000419(1): Egg Download - ET POLICY PE EXE or DLL Windows file download
° 2003330(1): Attack Prep - ET POLICY Possible Spambot Host DNS MX Query High Count
° 2007671(1): Egg Download - ET POLICY Binary Download Smaller than 1 MB Likely Hostile
° 2009897(1): Egg Download - ET MALWARE Possible Windows executable sent when remote host claims to send html content
58.215.74.30 (CN)
BEIJING
BEIJING
CHINA
163DATA.COM.CN / DSL
CHINANET JIANGSU PROVINCE NETWORK

High Details (1.6)
25 BotHunter Users
49 Infection Report
2010-05-08 to 2010-08-11

° 2000328(9): Outbound Attack - ET POLICY Outbound Multiple Non-SMTP Server Emails (20 in 120 secs)
° 2003330(4): Attack Prep - ET POLICY Possible Spambot Host DNS MX Query High Count
° 2003620(2): CandC Communication - ET MALWARE 51yes.com Spyware Reporting User Activity
° 9910014(1): Bot Space Access - ET POLICY Spambot Host DNS MX Query High Count
210.32.188.86 (CN)
HANGZHOU
ZHEJIANG
CHINA
- / DSL
ZHEJIANG UNIVERSITY (MERGED FORMER HANGZHOU UNIVERSITY)

Moderate Details (1.2)
1 BotHunter Users
1 Infection Report
2010-07-30 to 2010-07-30

° 3(2): Inbound Attack - REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner
° 7777005(2): Outbound Scan - Detected intense non-malware port scanning
° 2007962(1): CandC Communication - ET TROJAN Vipdataend C&C Traffic - Checkin
187.37.177.159 (BR)
-
-
BRAZIL
VELOXZONE.COM.BR / DSL
COMITE GESTOR DA INTERNET NO BRASIL

Moderate Details (1.2)
1 BotHunter Users
1 Infection Report
2010-07-06 to 2010-07-06

° 2000419(1): Egg Download - ET POLICY PE EXE or DLL Windows file download
° 2007711(1): CandC Communication - ET TROJAN Srizbi registering with controller
° 3300007(1): Egg Download - BotHunter Malware Windows executable (PE) sent from remote host
° 7777055(1): Outbound Scan - Detected intense non-malware port scanning (P2P)
208.53.168.4 (US)
WOODSTOCK
ILLINOIS
UNITED STATES
EDIGITALSTUDIOS.COM / DSL
FDCSERVERS.NET

High Details (1.4)
1 BotHunter Users
1 Infection Report
2010-05-28 to 2010-05-28

° 2003607(3): CandC Communication - ET MALWARE Cnzz.com/Baidu Related Spyware Stat Reporting
° 2003438(1): CandC Communication - ET MALWARE Abcsearch.com Spyware Reporting
° 3810007(1): Russian Business Network - ET Known Russian Business Network Monitored Domain
° 7777005(1): Outbound Scan - Detected intense non-malware port scanning
217.16.17.31 (RU)
MOSCOW
MOSCOW CITY
RUSSIAN FEDERATION
MASTERHOST.RU / DSL
MASTERHOST.RU IS A HOSTING AND TECHNICAL SUPPORT ORGANIZATION

High Details (1.7)
1 BotHunter Users
1 Infection Report
2010-08-08 to 2010-08-08

° 2001569(4): Outbound Attack - ET SCAN Behavioral Unusual Port NETBIOS traffic, Potential Scan or Infection (60 in 60 secs)
° 7777008(3): Malware Scan - Detected intense malware port scanning
° 3810007(1): Russian Business Network - ET Known Russian Business Network Monitored Domain
118.145.5.19 (CN)
BEIJING
BEIJING
CHINA
- / DSL
BEIJING BITONE UNITED NETWORKS

Moderate Details (1.3)
8 BotHunter Users
57 Infection Report
2010-04-14 to 2010-04-24

° 2003607(15): CandC Communication - ET MALWARE Cnzz.com/Baidu Related Spyware Stat Reporting
° 2003179(12): Egg Download - ET POLICY exe download without User Agent
° 7777005(7): Outbound Scan - Detected intense non-malware port scanning
° 3(5): Inbound Attack - REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner
° 3810007(4): Russian Business Network - ET Known Russian Business Network Monitored Domain
° 2003219(3): CandC Communication - ET MALWARE Alexa Spyware Reporting
° 2000419(2): Egg Download - ET POLICY PE EXE or DLL Windows file download
° 3300007(2): Egg Download - BotHunter Malware Windows executable (PE) sent from remote host
° 3810001(1): Bot Space Access - BotHunter MTC confirmed botnet control server
79.23.159.67 (IT)
MATERA
BASILICATA
ITALY
RETAIL.TELECOMITALIA.IT / DSL
TELECOM ITALIA NET

Moderate Details (1.2)
2 BotHunter Users
3 Infection Report
2010-06-07 to 2010-06-07

° 2000419(3): Egg Download - ET POLICY PE EXE or DLL Windows file download
° 2007711(3): CandC Communication - ET TROJAN Srizbi registering with controller
° 7777055(3): Outbound Scan - Detected intense non-malware port scanning (P2P)
° 3300007(1): Egg Download - BotHunter Malware Windows executable (PE) sent from remote host
209.249.20.0 (US)
WHITE PLAINS
NEW YORK
UNITED STATES
ABOVE.NET / COMP
ABOVENET COMMUNICATIONS INC

High Details (1.7)
18 BotHunter Users
338 Infection Report
2010-04-19 to 2010-08-06

° 7777005(27): Outbound Scan - Detected intense non-malware port scanning
° 2003422(20): CandC Communication - ET MALWARE Weatherbug Command Activity
° 3(1): Inbound Attack - REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner
° 2002836(1): Egg Download - ET MALWARE MyWebSearch Toolbar Traffic (bar config download)
222.173.188.39 (CN)
JINAN
SHANDONG
CHINA
163DATA.COM.CN / DSL
CHINANET SHANDONG PROVINCE NETWORK

Moderate Details (1.3)
55 BotHunter Users
187 Infection Report
2010-04-14 to 2010-08-11

° 2003620(40): CandC Communication - ET MALWARE 51yes.com Spyware Reporting User Activity
° 2007840(31): Egg Download - ET TROJAN Suspicious User-Agent - Possible Trojan Downloader (Shell)
° 2003179(12): Egg Download - ET POLICY exe download without User Agent
° 2632222(6): not found
° 7777005(5): Outbound Scan - Detected intense non-malware port scanning
° 2000419(4): Egg Download - ET POLICY PE EXE or DLL Windows file download
° 3300007(4): Egg Download - BotHunter Malware Windows executable (PE) sent from remote host
° 2003174(2): Inbound Attack - ET EXPLOIT Possible UTF-16 encoded Shellcode Detected
° 3(1): Inbound Attack - REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner
° 2002167(1): Egg Download - ET POLICY Software Install Reporting via HTTP - Wise User Agent (Wise) Sometimes Malware Related
81.95.135.5 (RU)
MOSCOW
MOSCOW CITY
RUSSIAN FEDERATION
MOSTCOM.RU / DSL
MOSTCOM PK JOINT STOCK COMPANY

High Details (1.7)
1 BotHunter Users
1 Infection Report
2010-07-18 to 2010-07-18

° 2001569(4): Outbound Attack - ET SCAN Behavioral Unusual Port NETBIOS traffic, Potential Scan or Infection (60 in 60 secs)
° 7777008(3): Malware Scan - Detected intense malware port scanning
° 3810007(1): Russian Business Network - ET Known Russian Business Network Monitored Domain
93.188.161.105 (UA)
-
-
UKRAINE
UKRTELEGROUP.COM.UA / DSL
GEEK RACK NETWORKS

High Details (1.8)
10 BotHunter Users
15 Infection Report
2010-05-16 to 2010-08-05

° 7777005(5): Outbound Scan - Detected intense non-malware port scanning
° 2007827(2): Egg Download - ET TROJAN Suspicious User-Agent - Possible Trojan Downloader (ie)
° 9906030(2): not found
° 3(1): Inbound Attack - REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner
° 2003492(1): not found
67.210.14.195 (US)
ALBANY
NEW YORK
UNITED STATES
- / DSL
INTERNET PATH INC

Very High Details (2.2)
1 BotHunter Users
12 Infection Report
2010-04-20 to 2010-04-20

° 7777005(17): Outbound Scan - Detected intense non-malware port scanning
° 3810007(12): Russian Business Network - ET Known Russian Business Network Monitored Domain
° 3810008(9): Russian Business Network - ET Known Russian Business Network Monitored Domain
° 3810003(5): Bot Space Access - BotHunter REPO confirmed botnet control server
° 3(2): Inbound Attack - REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner
° 2003579(1): CandC Communication - ET MALWARE Findwhat.com Spyware (clickthrough)
82.98.86.0 (DE)
BERLIN
BERLIN
GERMANY
FHE3RZ.NET / DSL
SEDO DOMAIN PARKING

Moderate Details (1.3)
1 BotHunter Users
1 Infection Report
2010-05-28 to 2010-05-28

° 3(1): Inbound Attack - REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner
° 3810001(1): Bot Space Access - BotHunter MTC confirmed botnet control server
110.83.33.219 (CN)
BEIJING
BEIJING
CHINA
163DATA.COM.CN / DSL
CHINANET FUJIAN PROVINCE NETWORK

Moderate Details (1.3)
1 BotHunter Users
1 Infection Report
2010-05-31 to 2010-05-31

° 2007711(1): CandC Communication - ET TROJAN Srizbi registering with controller
° 3810006(1): Bot Space Access - ET ShadowServer confirmed botnet control server
° 3810044(1): Bot Space Access - BotHunter REPO confirmed botnet control server
94.47.254.1 (IT)
CATANZARO
CALABRIA
ITALY
- / DSL
NO WIRE S.R.L. NETWORK

High Details (1.5)
1 BotHunter Users
7 Infection Report
2010-06-15 to 2010-06-15

° 2001569(21): Outbound Attack - ET SCAN Behavioral Unusual Port NETBIOS traffic, Potential Scan or Infection (60 in 60 secs)
° 2008124(8): CandC Communication - ET TROJAN Likely Bot Nick in IRC (USA +..)
° 2002839(1): Egg Download - ET MALWARE My Search Spyware Config Download
184.56.94.43 (-)
-
-
-
- / -
-

High Details (1.5)
3 BotHunter Users
3 Infection Report
2010-06-03 to 2010-06-03

° 2007711(6): CandC Communication - ET TROJAN Srizbi registering with controller
° 7777055(4): Outbound Scan - Detected intense non-malware port scanning (P2P)
° 7777005(3): Outbound Scan - Detected intense non-malware port scanning
° 2000419(1): Egg Download - ET POLICY PE EXE or DLL Windows file download
° 2632222(1): not found
° 3300007(1): Egg Download - BotHunter Malware Windows executable (PE) sent from remote host
73.164.85.64 (US)
MT. LAUREL
NEW JERSEY
UNITED STATES
COMCAST.NET / DSL
COMCAST IP SERVICES L.L.C

Moderate Details (1.3)
1 BotHunter Users
1 Infection Report
2010-05-16 to 2010-05-16

° 2001219(17): Outbound Attack - ET SCAN Potential SSH Scan (20 in 60 secs)
° 3810005(1): Bot Space Access - ET ShadowServer confirmed botnet control server
201.89.68.80 (BR)
-
-
BRAZIL
STERLINGSTUDENTS.NET / DSL
COMITE GESTOR DA INTERNET NO BRASIL

Moderate Details (1.3)
4 BotHunter Users
6 Infection Report
2010-04-19 to 2010-07-06

° 3810006(3): Bot Space Access - ET ShadowServer confirmed botnet control server
° 2003179(1): Egg Download - ET POLICY exe download without User Agent
83.140.172.212 (SE)
STOCKHOLM
STOCKHOLMS LAN
SWEDEN
- / COMP
NETWORK FOR RIX

High Details (1.5)
2 BotHunter Users
2 Infection Report
2010-05-29 to 2010-06-05

° 3(1): Inbound Attack - REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner
° 2003438(1): CandC Communication - ET MALWARE Abcsearch.com Spyware Reporting
° 3810005(1): Bot Space Access - ET ShadowServer confirmed botnet control server
° 3810007(1): Russian Business Network - ET Known Russian Business Network Monitored Domain
° 7777005(1): Outbound Scan - Detected intense non-malware port scanning
222.173.188.7 (CN)
JINAN
SHANDONG
CHINA
163DATA.COM.CN / DSL
CHINANET SHANDONG PROVINCE NETWORK

Moderate Details (1.2)
8 BotHunter Users
14 Infection Report
2010-04-15 to 2010-05-17

° 3(2): Inbound Attack - REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner
° 2003174(1): Inbound Attack - ET EXPLOIT Possible UTF-16 encoded Shellcode Detected
° 2003620(1): CandC Communication - ET MALWARE 51yes.com Spyware Reporting User Activity
° 7777005(1): Outbound Scan - Detected intense non-malware port scanning
66.7.179.198 (US)
BOCA RATON
FLORIDA
UNITED STATES
- / DSL
BRAVATAS LLC

Very High Details (2.2)
4 BotHunter Users
4 Infection Report
2010-04-15 to 2010-06-03

° 3(1): Inbound Attack - REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner
° 2003438(1): CandC Communication - ET MALWARE Abcsearch.com Spyware Reporting
° 3810005(1): Bot Space Access - ET ShadowServer confirmed botnet control server
° 3810007(1): Russian Business Network - ET Known Russian Business Network Monitored Domain
° 7777005(1): Outbound Scan - Detected intense non-malware port scanning
° 7777008(1): Malware Scan - Detected intense malware port scanning
91.121.61.0 (FR)
PARIS
ILE-DE-FRANCE
FRANCE
GERGOSNET.COM / DSL
OVH SAS

Maximum Details (2.6)
1 BotHunter Users
2 Infection Report
2010-06-08 to 2010-06-08

° 2000328(17): Outbound Attack - ET POLICY Outbound Multiple Non-SMTP Server Emails (20 in 120 secs)
° 2003330(15): Attack Prep - ET POLICY Possible Spambot Host DNS MX Query High Count
° 7777005(3): Outbound Scan - Detected intense non-malware port scanning
° 9910014(3): Bot Space Access - ET POLICY Spambot Host DNS MX Query High Count
° 2009353(2): CandC Communication - ET TROJAN Bredolab/Gumblar Downloader Communicating With Controller (1)
° 2008501(1): CandC Communication - ET TROJAN Peed Report to Controller
97.74.144.123 (US)
SCOTTSDALE
ARIZONA
UNITED STATES
JWS.COM / DSL
GODADDY.COM INC

Very High Details (2.2)
5 BotHunter Users
187 Infection Report
2010-05-22 to 2010-06-09

° 3810007(26): Russian Business Network - ET Known Russian Business Network Monitored Domain
° 7777005(26): Outbound Scan - Detected intense non-malware port scanning
° 2003438(21): CandC Communication - ET MALWARE Abcsearch.com Spyware Reporting
° 2002196(17): CandC Communication - ET MALWARE Casalemedia Spyware Reporting URL Visited 2
° 3810005(9): Bot Space Access - ET ShadowServer confirmed botnet control server
° 2009880(6): CandC Communication - ET MALWARE Casalemedia Spyware Reporting URL Visited 3
° 2003607(5): CandC Communication - ET MALWARE Cnzz.com/Baidu Related Spyware Stat Reporting
° 1(3): Inbound Attack - REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner
° 3810001(2): Bot Space Access - BotHunter MTC confirmed botnet control server
85.17.216.83 (NL)
AMSTERDAM
NOORD-HOLLAND
NETHERLANDS
LEASEWEB.COM / DSL
LEASEWEB

Very High Details (2.2)
9 BotHunter Users
15 Infection Report
2010-04-14 to 2010-06-09

° 2003179(24): Egg Download - ET POLICY exe download without User Agent
° 2000419(4): Egg Download - ET POLICY PE EXE or DLL Windows file download
° 3300007(4): Egg Download - BotHunter Malware Windows executable (PE) sent from remote host
° 3810007(4): Russian Business Network - ET Known Russian Business Network Monitored Domain
° 7777005(4): Outbound Scan - Detected intense non-malware port scanning
° 3(2): Inbound Attack - REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner
° 2003174(1): Inbound Attack - ET EXPLOIT Possible UTF-16 encoded Shellcode Detected
° 2003579(1): CandC Communication - ET MALWARE Findwhat.com Spyware (clickthrough)
° 3810005(1): Bot Space Access - ET ShadowServer confirmed botnet control server
221.181.73.214 (CN)
BEIJING
BEIJING
CHINA
MINTEL.COM / DSL
CHINA MOBILE COMMUNICATIONS CORPORATION

Moderate Details (1.2)
85 BotHunter Users
264 Infection Report
2010-04-14 to 2010-08-11

° 2003179(10): Egg Download - ET POLICY exe download without User Agent
° 2003620(5): CandC Communication - ET MALWARE 51yes.com Spyware Reporting User Activity
° 7777005(5): Outbound Scan - Detected intense non-malware port scanning
° 3(3): Inbound Attack - REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner
° 2003607(2): CandC Communication - ET MALWARE Cnzz.com/Baidu Related Spyware Stat Reporting
° 2009024(2): CandC Communication - ET TROJAN Downadup/Conficker A or B Worm reporting
° 3810001(1): Bot Space Access - BotHunter MTC confirmed botnet control server
° 3810005(1): Bot Space Access - ET ShadowServer confirmed botnet control server
° 3810007(1): Russian Business Network - ET Known Russian Business Network Monitored Domain
194.135.105.3 (RU)
-
-
RUSSIAN FEDERATION
MTW.RU / DSL
RELCOM.BUSINESS NETWORK LTD

Very High Details (2.2)
2 BotHunter Users
2 Infection Report
2010-05-25 to 2010-05-29

° 2003438(1): CandC Communication - ET MALWARE Abcsearch.com Spyware Reporting
° 3810005(1): Bot Space Access - ET ShadowServer confirmed botnet control server
° 3810007(1): Russian Business Network - ET Known Russian Business Network Monitored Domain
° 7777005(1): Outbound Scan - Detected intense non-malware port scanning
94.47.0.10 (IT)
-
-
ITALY
VI-MI.E4A.IT / DSL
IT-E4A

Moderate Details (1.3)
6 BotHunter Users
21 Infection Report
2010-05-15 to 2010-07-25

° 7777005(14): Outbound Scan - Detected intense non-malware port scanning
° 2002196(7): CandC Communication - ET MALWARE Casalemedia Spyware Reporting URL Visited 2
° 2009880(3): CandC Communication - ET MALWARE Casalemedia Spyware Reporting URL Visited 3
° 2002839(2): Egg Download - ET MALWARE My Search Spyware Config Download
69.64.145.225 (US)
BELLEVUE
WASHINGTON
UNITED STATES
- / DSL
ENOM INCORPORATED

Very High Details (2.0)
14 BotHunter Users
109 Infection Report
2010-06-14 to 2010-08-09

° 7777005(27): Outbound Scan - Detected intense non-malware port scanning
° 9906018(9): not found
° 7777008(5): Malware Scan - Detected intense malware port scanning
° 3810008(3): Russian Business Network - ET Known Russian Business Network Monitored Domain
° 25(2): Inbound Attack - ET EXPLOIT COM Object Instantiation Memory Corruption Vulnerability MS05-054
° 2000328(2): Outbound Attack - ET POLICY Outbound Multiple Non-SMTP Server Emails (20 in 120 secs)
° 2002400(1): not found
64.71.152.147 (US)
NASHVILLE
TENNESSEE
UNITED STATES
LINODE.COM / DSL
SHORE NETWORK TECHNOLOGIES

High Details (1.4)
21 BotHunter Users
67 Infection Report
2010-04-14 to 2010-06-09

° 2003438(2): CandC Communication - ET MALWARE Abcsearch.com Spyware Reporting
° 2007951(2): CandC Communication - ET MALWARE Hex Encoded IP HTTP Request - Likely Malware
° 7777005(2): Outbound Scan - Detected intense non-malware port scanning
° 2002298(1): CandC Communication - ET MALWARE Searchfeed.com Spyware 3
° 2003607(1): CandC Communication - ET MALWARE Cnzz.com/Baidu Related Spyware Stat Reporting
° 3810001(1): Bot Space Access - BotHunter MTC confirmed botnet control server
° 3810003(1): Bot Space Access - BotHunter REPO confirmed botnet control server
° 3810005(1): Bot Space Access - ET ShadowServer confirmed botnet control server
° 3810007(1): Russian Business Network - ET Known Russian Business Network Monitored Domain
189.38.90.14 (BR)
PORTO ALEGRE
RIO GRANDE DO SUL
BRAZIL
VELOXZONE.COM.BR / DSL
COMITE GESTOR DA INTERNET NO BRASIL

Moderate Details (1.3)
1 BotHunter Users
1 Infection Report
2010-07-30 to 2010-07-30

° 2000328(3): Outbound Attack - ET POLICY Outbound Multiple Non-SMTP Server Emails (20 in 120 secs)
° 7777005(2): Outbound Scan - Detected intense non-malware port scanning
° 2632222(1): not found
77.221.136.252 (RU)
MOSCOW
MOSCOW CITY
RUSSIAN FEDERATION
DATAPOINT.RU / DSL
COLOCATION AND VIRTUAL HOSTING

High Details (1.5)
6 BotHunter Users
22 Infection Report
2010-05-17 to 2010-05-27

° 7777005(23): Outbound Scan - Detected intense non-malware port scanning
° 9906021(11): not found
° 2008564(3): CandC Communication - ET USER_AGENTS Suspicious User-Agent (Internet HTTP Request)
° 25(1): Inbound Attack - ET EXPLOIT COM Object Instantiation Memory Corruption Vulnerability MS05-054
° 3300007(1): Egg Download - BotHunter Malware Windows executable (PE) sent from remote host
208.43.232.80 (US)
DALLAS
TEXAS
UNITED STATES
SOFTLAYER.COM / COMP
SOFTLAYER TECHNOLOGIES INC

Very High Details (2.2)
1 BotHunter Users
2 Infection Report
2010-06-01 to 2010-06-01

° 2003438(2): CandC Communication - ET MALWARE Abcsearch.com Spyware Reporting
° 2003607(2): CandC Communication - ET MALWARE Cnzz.com/Baidu Related Spyware Stat Reporting
° 3810007(2): Russian Business Network - ET Known Russian Business Network Monitored Domain
° 7777008(2): Malware Scan - Detected intense malware port scanning
° 2009031(1): CandC Communication - ET TROJAN Possible Armitage Loader Request
° 7777005(1): Outbound Scan - Detected intense non-malware port scanning
194.67.29.86 (RU)
APATITY
KARELIA
RUSSIAN FEDERATION
- / DSL
SOVINTEL-RUSSIAN-STANDARD-BANK-NET

High Details (1.7)
1 BotHunter Users
1 Infection Report
2010-07-03 to 2010-07-03

° 2001569(4): Outbound Attack - ET SCAN Behavioral Unusual Port NETBIOS traffic, Potential Scan or Infection (60 in 60 secs)
° 7777008(3): Malware Scan - Detected intense malware port scanning
° 3810007(1): Russian Business Network - ET Known Russian Business Network Monitored Domain
72.20.40.26 (US)
FULLERTON
CALIFORNIA
UNITED STATES
STAMINUS.NET / DSL
STAMINUS COMMUNICATIONS

High Details (1.8)
2 BotHunter Users
2 Infection Report
2010-07-11 to 2010-07-11

° 1444(2): Egg Download - TFTP GET from external source
° 22351(2): Inbound Attack - REGISTERED FREE NETBIOS DCERPC ISystemActivator path overflow attempt little endian unicode
° 552123(2): Outbound Attack - REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner
° 2008120(2): Egg Download - ET POLICY Outbound TFTP Read Request
° 2299913(2): Inbound Attack - ET SHELLCODE x86 0x90 unicode NOOP
° 2632222(2): not found
° 3001441(2): Egg Download - TFTP GET .exe from external source
109.196.130.66 (UK)
-
-
UNITED KINGDOM
STERLINGSTUDENTS.NET / DSL
EU-ZZ

Maximum Details (2.3)
5 BotHunter Users
39 Infection Report
2010-07-15 to 2010-07-23

° 2000328(42): Outbound Attack - ET POLICY Outbound Multiple Non-SMTP Server Emails (20 in 120 secs)
° 2003330(28): Attack Prep - ET POLICY Possible Spambot Host DNS MX Query High Count
° 9910014(13): Bot Space Access - ET POLICY Spambot Host DNS MX Query High Count
° 2002033(11): CandC Communication - ET TROJAN BOT - potential response
° 2008124(10): CandC Communication - ET TROJAN Likely Bot Nick in IRC (USA +..)
° 2008189(10): CandC Communication - ET TROJAN SpamTool.Win32.Agent.gy/Grum/Tedroo Or Similar HTTP Checkin
203.5.76.33 (AU)
CANBERRA
AUSTRALIAN CAPITAL TERRITORY
AUSTRALIA
- / DSL
AARNET

Moderate Details (1.3)
6 BotHunter Users
27 Infection Report
2010-06-03 to 2010-08-05

° 2003219(6): CandC Communication - ET MALWARE Alexa Spyware Reporting
° 2002196(5): CandC Communication - ET MALWARE Casalemedia Spyware Reporting URL Visited 2
° 2003179(3): Egg Download - ET POLICY exe download without User Agent
° 2000419(2): Egg Download - ET POLICY PE EXE or DLL Windows file download
° 2009880(2): CandC Communication - ET MALWARE Casalemedia Spyware Reporting URL Visited 3
° 3300007(2): Egg Download - BotHunter Malware Windows executable (PE) sent from remote host
° 2009452(1): CandC Communication - ET TROJAN General DNS Changer Checkin
° 2632222(1): not found
203.117.47.0 (SG)
WOODLANDS
SINGAPORE
SINGAPORE
CYBERWAY.COM.SG / COMP
STARHUBINTERNET

Very High Details (2.0)
1 BotHunter Users
3 Infection Report
2010-07-18 to 2010-07-18

° 7777005(4): Outbound Scan - Detected intense non-malware port scanning
° 9906003(3): not found
° 2007711(2): CandC Communication - ET TROJAN Srizbi registering with controller
° 2406003(1): not found
° 2406027(1): not found
° 9906001(1): not found
193.200.173.2 (UA)
-
-
UKRAINE
FREEHOST.COM.UA / DSL
FREEHOST UA LTD

Very High Details (2.2)
1 BotHunter Users
1 Infection Report
2010-06-04 to 2010-06-04

° 2003607(2): CandC Communication - ET MALWARE Cnzz.com/Baidu Related Spyware Stat Reporting
° 3810001(1): Bot Space Access - BotHunter MTC confirmed botnet control server
° 3810005(1): Bot Space Access - ET ShadowServer confirmed botnet control server
° 3810007(1): Russian Business Network - ET Known Russian Business Network Monitored Domain
° 7777005(1): Outbound Scan - Detected intense non-malware port scanning
87.252.1.21 (FR)
PARIS
ILE-DE-FRANCE
FRANCE
OXYD.NET / DSL
OXYD-NETWORK

Very High Details (2.2)
3 BotHunter Users
3 Infection Report
2010-05-23 to 2010-06-06

° 3(3): Inbound Attack - REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner
° 2003438(1): CandC Communication - ET MALWARE Abcsearch.com Spyware Reporting
° 2009292(1): CandC Communication - ET TROJAN Hupigon CnC Server Response
° 3810001(1): Bot Space Access - BotHunter MTC confirmed botnet control server
° 3810005(1): Bot Space Access - ET ShadowServer confirmed botnet control server
° 3810007(1): Russian Business Network - ET Known Russian Business Network Monitored Domain
° 7777008(1): Malware Scan - Detected intense malware port scanning
217.107.217.27 (RU)
MOSCOW
MOSCOW CITY
RUSSIAN FEDERATION
JINO.RU / COMP
AVGURO TECHNOLOGIES LTD. HOSTING SERVICE PROVIDER

Very High Details (2.2)
5 BotHunter Users
6 Infection Report
2010-04-17 to 2010-06-10

° 2002196(1): CandC Communication - ET MALWARE Casalemedia Spyware Reporting URL Visited 2
° 3810005(1): Bot Space Access - ET ShadowServer confirmed botnet control server
° 3810007(1): Russian Business Network - ET Known Russian Business Network Monitored Domain
° 7777005(1): Outbound Scan - Detected intense non-malware port scanning
88.255.120.129 (TR)
ANKARA
ANKARA
TURKEY
- / DSL
AKSERVERS INTERNET HIZMETLERI

High Details (1.8)
2 BotHunter Users
233 Infection Report
2010-07-27 to 2010-07-28

° 7777005(308): Outbound Scan - Detected intense non-malware port scanning
° 9906027(158): not found
° 3(125): Inbound Attack - REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner
° 9906001(17): not found
° 9906021(14): not found
° 2000328(9): Outbound Attack - ET POLICY Outbound Multiple Non-SMTP Server Emails (20 in 120 secs)
° 1(8): Inbound Attack - REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner
° 25(8): Inbound Attack - ET EXPLOIT COM Object Instantiation Memory Corruption Vulnerability MS05-054
° 9906008(7): not found
77.244.211.125 (RU)
-
-
RUSSIAN FEDERATION
RSSPNET.RU / DSL
RTS NETWORK SOUTH-WEST 3RD BLOCK

Moderate Details (1.3)
1 BotHunter Users
1 Infection Report
2010-06-15 to 2010-06-15

° 25(3): Inbound Attack - ET EXPLOIT COM Object Instantiation Memory Corruption Vulnerability MS05-054
° 7777005(3): Outbound Scan - Detected intense non-malware port scanning
° 3(1): Inbound Attack - REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner
° 9906004(1): not found
° 9906021(1): not found
92.243.0.110 (FR)
PARIS
ILE-DE-FRANCE
FRANCE
GHST.NET / DSL
GANDI DEDICATED HOSTING SERVERS

High Details (1.5)
3 BotHunter Users
55 Infection Report
2010-07-05 to 2010-07-13

° 2008124(42): CandC Communication - ET TROJAN Likely Bot Nick in IRC (USA +..)
° 1(27): Inbound Attack - REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner
° 2632222(24): not found
° 2000328(4): Outbound Attack - ET POLICY Outbound Multiple Non-SMTP Server Emails (20 in 120 secs)
° 2002839(2): Egg Download - ET MALWARE My Search Spyware Config Download
83.231.138.193 (UK)
LONDON
ENGLAND
UNITED KINGDOM
VERIO.NET / COMP
EMIRATES GROUP

Very High Details (2.2)
6 BotHunter Users
11 Infection Report
2010-04-26 to 2010-06-21

° 2000328(49): Outbound Attack - ET POLICY Outbound Multiple Non-SMTP Server Emails (20 in 120 secs)
° 2003330(22): Attack Prep - ET POLICY Possible Spambot Host DNS MX Query High Count
° 9910014(10): Bot Space Access - ET POLICY Spambot Host DNS MX Query High Count
° 3810007(4): Russian Business Network - ET Known Russian Business Network Monitored Domain
° 2009126(1): CandC Communication - ET TROJAN Win32/Monkif Downloader Checkin
91.213.157.72 (UK)
-
-
UNITED KINGDOM
NACKSYSTEM.NET / DSL
EU-ZZ

Moderate Details (1.2)
2 BotHunter Users
3 Infection Report
2010-04-22 to 2010-05-04

° 2003179(2): Egg Download - ET POLICY exe download without User Agent
° 7777005(2): Outbound Scan - Detected intense non-malware port scanning
° 2000419(1): Egg Download - ET POLICY PE EXE or DLL Windows file download
° 2008944(1): CandC Communication - ET TROJAN TDSServ or Tidserv variant Checkin
° 2010288(1): Egg Download - ET TROJAN W32/Scar Downloader Request
202.190.126.56 (MY)
KUALA LUMPUR
WILAYAH PERSEKUTUAN
MALAYSIA
FWA27.JARING.MY / DSL
JARING COMMUNICATIONS SDN BHD

High Details (1.8)
1 BotHunter Users
1 Infection Report
2010-05-06 to 2010-05-06

° 2003330(13): Attack Prep - ET POLICY Possible Spambot Host DNS MX Query High Count
° 9910014(13): Bot Space Access - ET POLICY Spambot Host DNS MX Query High Count
° 2000328(8): Outbound Attack - ET POLICY Outbound Multiple Non-SMTP Server Emails (20 in 120 secs)
° 3800002(1): Bot Space Access - BOTHUNTER CURRENT_EVENTS Excessive NXDOMAIN responses by internal host
216.17.104.158 (US)
SAN DIEGO
CALIFORNIA
UNITED STATES
PHATSERVERS.COM / DSL
PHATSERVERS.NET

High Details (1.8)
1 BotHunter Users
1 Infection Report
2010-05-04 to 2010-05-04

° 2000328(16): Outbound Attack - ET POLICY Outbound Multiple Non-SMTP Server Emails (20 in 120 secs)
° 3(3): Inbound Attack - REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner
° 7777005(3): Outbound Scan - Detected intense non-malware port scanning
° 3810005(1): Bot Space Access - ET ShadowServer confirmed botnet control server
66.230.184.71 (US)
BROOKLYN
NEW YORK
UNITED STATES
COOLPRICEBUSTERS.COM / DSL
REALITY CHECK NETWORK CORP

Maximum Details (2.3)
3 BotHunter Users
3 Infection Report
2010-05-04 to 2010-05-05

° 2000328(12): Outbound Attack - ET POLICY Outbound Multiple Non-SMTP Server Emails (20 in 120 secs)
° 2003330(3): Attack Prep - ET POLICY Possible Spambot Host DNS MX Query High Count
° 9910014(2): Bot Space Access - ET POLICY Spambot Host DNS MX Query High Count
° 2007743(1): CandC Communication - ET TROJAN Dialer.qn HTTP Request - Checkin
° 2008271(1): CandC Communication - ET TROJAN DMSpammer HTTP Post Checkin (1)
200.117.186.213 (AR)
MAR DEL PLATA
BUENOS AIRES
ARGENTINA
NET.AR / DSL
APOLO -GOLD-TELECOM-PER

Very High Details (2.0)
7 BotHunter Users
40 Infection Report
2010-04-15 to 2010-05-17

° 7777005(32): Outbound Scan - Detected intense non-malware port scanning
° 3810044(24): Bot Space Access - BotHunter REPO confirmed botnet control server
° 3810008(13): Russian Business Network - ET Known Russian Business Network Monitored Domain
° 2000419(12): Egg Download - ET POLICY PE EXE or DLL Windows file download
° 3300007(12): Egg Download - BotHunter Malware Windows executable (PE) sent from remote host
91.216.122.0 (UK)
-
-
UNITED KINGDOM
NACKSYSTEM.NET / DSL
EU-ZZ

Moderate Details (1.2)
2 BotHunter Users
112 Infection Report
2010-07-08 to 2010-07-23

° 7777005(3): Outbound Scan - Detected intense non-malware port scanning
° 2002854(2): not found
° 2003579(2): CandC Communication - ET MALWARE Findwhat.com Spyware (clickthrough)
° 1(1): Inbound Attack - REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner
° 3(1): Inbound Attack - REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner
° 2008501(1): CandC Communication - ET TROJAN Peed Report to Controller
81.94.29.251 (RU)
MOSCOW
MOSCOW CITY
RUSSIAN FEDERATION
MNS.RU / DSL
CREDOLINK ISP VPN POOL

High Details (1.8)
1 BotHunter Users
1 Infection Report
2010-08-09 to 2010-08-09

° 7777005(3): Outbound Scan - Detected intense non-malware port scanning
° 2008564(1): CandC Communication - ET USER_AGENTS Suspicious User-Agent (Internet HTTP Request)
° 9906025(1): not found
204.0.5.50 (US)
ENGLEWOOD
COLORADO
UNITED STATES
ONRAMP.NET / DSL
NTT AMERICA INC

Maximum Details (2.3)
1 BotHunter Users
1 Infection Report
2010-04-15 to 2010-04-15

° 2003179(6): Egg Download - ET POLICY exe download without User Agent
° 2003607(3): CandC Communication - ET MALWARE Cnzz.com/Baidu Related Spyware Stat Reporting
° 2002196(2): CandC Communication - ET MALWARE Casalemedia Spyware Reporting URL Visited 2
° 2000419(1): Egg Download - ET POLICY PE EXE or DLL Windows file download
° 2009880(1): CandC Communication - ET MALWARE Casalemedia Spyware Reporting URL Visited 3
° 3300007(1): Egg Download - BotHunter Malware Windows executable (PE) sent from remote host
° 3810001(1): Bot Space Access - BotHunter MTC confirmed botnet control server
° 3810005(1): Bot Space Access - ET ShadowServer confirmed botnet control server
° 7777005(1): Outbound Scan - Detected intense non-malware port scanning
74.220.215.56 (US)
OREM
UTAH
UNITED STATES
BLUEHOST.COM / DSL
BLUEHOST INC

High Details (1.4)
1 BotHunter Users
1 Infection Report
2010-05-26 to 2010-05-26

° 2003438(1): CandC Communication - ET MALWARE Abcsearch.com Spyware Reporting
° 2003581(1): CandC Communication - ET MALWARE Findwhat.com Spyware (sendmedia)
° 3810007(1): Russian Business Network - ET Known Russian Business Network Monitored Domain
° 7777005(1): Outbound Scan - Detected intense non-malware port scanning
174.116.20.0 (CA)
ST. JOHN'S
NEWFOUNDLAND AND LABRADOR
CANADA
ROGERS.COM / DSL
ROGERS CABLE COMMUNICATIONS INC

High Details (1.5)
1 BotHunter Users
1 Infection Report
2010-07-02 to 2010-07-02

° 2007711(3): CandC Communication - ET TROJAN Srizbi registering with controller
° 3(1): Inbound Attack - REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner
° 2000419(1): Egg Download - ET POLICY PE EXE or DLL Windows file download
° 3300007(1): Egg Download - BotHunter Malware Windows executable (PE) sent from remote host
° 7777005(1): Outbound Scan - Detected intense non-malware port scanning
219.232.241.187 (CN)
BEIJING
BEIJING
CHINA
CRC.COM.CN / DSL
BEIJING PRIMEZONE TECHNOLOGIES INC

High Details (1.8)
19 BotHunter Users
362 Infection Report
2010-04-14 to 2010-05-27

° 2003179(38): Egg Download - ET POLICY exe download without User Agent
° 2003607(29): CandC Communication - ET MALWARE Cnzz.com/Baidu Related Spyware Stat Reporting
° 7777005(9): Outbound Scan - Detected intense non-malware port scanning
° 2000419(6): Egg Download - ET POLICY PE EXE or DLL Windows file download
° 3300007(6): Egg Download - BotHunter Malware Windows executable (PE) sent from remote host
° 3(3): Inbound Attack - REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner
° 2003219(3): CandC Communication - ET MALWARE Alexa Spyware Reporting
° 2003438(1): CandC Communication - ET MALWARE Abcsearch.com Spyware Reporting
° 3810005(1): Bot Space Access - ET ShadowServer confirmed botnet control server
212.77.135.0 (RU)
-
-
RUSSIAN FEDERATION
RIKT.RU / DSL
JSC RITC

Very High Details (2.0)
2 BotHunter Users
9 Infection Report
2010-04-26 to 2010-06-23

° 7777005(14): Outbound Scan - Detected intense non-malware port scanning
° 9906008(8): not found
° 3(3): Inbound Attack - REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner
° 1(1): Inbound Attack - REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner
° 2008109(1): CandC Communication - ET TROJAN Possible Bobax/Kraken/Oderoor UDP 447 CnC Channel Outbound
194.67.32.79 (RU)
KRASNOYARSK
KRASNOYARSK
RUSSIAN FEDERATION
HW.RU / DSL
SOVINTEL-MSK-RUNET-RU-NET

High Details (1.7)
1 BotHunter Users
1 Infection Report
2010-07-27 to 2010-07-27

° 7777008(3): Malware Scan - Detected intense malware port scanning
° 2001569(2): Outbound Attack - ET SCAN Behavioral Unusual Port NETBIOS traffic, Potential Scan or Infection (60 in 60 secs)
° 3810007(1): Russian Business Network - ET Known Russian Business Network Monitored Domain
142.166.231.0 (CA)
-
-
CANADA
NB.CA / DSL
STENTOR NATIONAL INTEGRATED COMMUNICATIONS NETWORK

Very High Details (2.0)
1 BotHunter Users
3 Infection Report
2010-04-26 to 2010-04-26

° 2007711(3): CandC Communication - ET TROJAN Srizbi registering with controller
° 7777005(3): Outbound Scan - Detected intense non-malware port scanning
° 9904007(1): not found
98.158.124.203 (-)
-
-
-
- / -
-

High Details (1.4)
1 BotHunter Users
3 Infection Report
2010-06-06 to 2010-06-06

° 2009292(3): CandC Communication - ET TROJAN Hupigon CnC Server Response
° 7777005(3): Outbound Scan - Detected intense non-malware port scanning
° 2003438(1): CandC Communication - ET MALWARE Abcsearch.com Spyware Reporting
° 3810007(1): Russian Business Network - ET Known Russian Business Network Monitored Domain
59.32.232.232 (CN)
GUANGZHOU
GUANGDONG
CHINA
- / COMP
SHAO GUAN SHI PENG XUN KE JI FA ZHAN COMPANY

Moderate Details (1.3)
12 BotHunter Users
686 Infection Report
2010-04-22 to 2010-06-27

° 7777005(309): Outbound Scan - Detected intense non-malware port scanning
° 3(141): Inbound Attack - REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner
° 2008564(105): CandC Communication - ET USER_AGENTS Suspicious User-Agent (Internet HTTP Request)
° 1(1): Inbound Attack - REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner
° 2007671(1): Egg Download - ET POLICY Binary Download Smaller than 1 MB Likely Hostile
° 7777008(1): Malware Scan - Detected intense malware port scanning
217.199.218.50 (RU)
-
-
RUSSIAN FEDERATION
QUICKLINE.RU / DSL
MASTAK.RU

Moderate Details (1.2)
1 BotHunter Users
1 Infection Report
2010-04-14 to 2010-04-14

° 2000328(16): Outbound Attack - ET POLICY Outbound Multiple Non-SMTP Server Emails (20 in 120 secs)
° 3(4): Inbound Attack - REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner
° 7777005(3): Outbound Scan - Detected intense non-malware port scanning
° 3810007(1): Russian Business Network - ET Known Russian Business Network Monitored Domain
89.149.227.79 (DE)
BERLIN
BERLIN
GERMANY
INTERNETSERVICETEAM.COM / DSL
NETDIREKT E.K

Maximum Details (2.3)
1 BotHunter Users
2 Infection Report
2010-07-23 to 2010-07-23

° 7777005(4): Outbound Scan - Detected intense non-malware port scanning
° 25(3): Inbound Attack - ET EXPLOIT COM Object Instantiation Memory Corruption Vulnerability MS05-054
° 9906028(2): not found
° 2007827(1): Egg Download - ET TROJAN Suspicious User-Agent - Possible Trojan Downloader (ie)
° 2008564(1): CandC Communication - ET USER_AGENTS Suspicious User-Agent (Internet HTTP Request)
187.28.28.235 (BR)
-
-
BRAZIL
VELOXZONE.COM.BR / DSL
COMITE GESTOR DA INTERNET NO BRASIL

High Details (1.5)
1 BotHunter Users
1 Infection Report
2010-07-28 to 2010-07-28

° 7777055(3): Outbound Scan - Detected intense non-malware port scanning (P2P)
° 2007711(2): CandC Communication - ET TROJAN Srizbi registering with controller
° 3810006(1): Bot Space Access - ET ShadowServer confirmed botnet control server
204.137.28.0 (US)
KANSAS CITY
MISSOURI
UNITED STATES
VIRTUEMAILS.COM / DSL
ADKNOWLEDGE INC

Moderate Details (1.2)
12 BotHunter Users
137 Infection Report
2010-04-15 to 2010-07-23

° 2000328(16): Outbound Attack - ET POLICY Outbound Multiple Non-SMTP Server Emails (20 in 120 secs)
° 2003330(14): Attack Prep - ET POLICY Possible Spambot Host DNS MX Query High Count
° 9910014(4): Bot Space Access - ET POLICY Spambot Host DNS MX Query High Count
° 7777005(2): Outbound Scan - Detected intense non-malware port scanning
° 2003579(1): CandC Communication - ET MALWARE Findwhat.com Spyware (clickthrough)
77.221.139.106 (RU)
-
-
RUSSIAN FEDERATION
DATAPOINT.RU / DSL
COLOCATION AND VIRTUAL HOSTING

Moderate Details (1.3)
1 BotHunter Users
1 Infection Report
2010-08-10 to 2010-08-10

° 7777005(3): Outbound Scan - Detected intense non-malware port scanning
° 25(1): Inbound Attack - ET EXPLOIT COM Object Instantiation Memory Corruption Vulnerability MS05-054
° 9906021(1): not found
195.122.131.250 (DE)
-
-
GERMANY
- / DSL
TERRASPACE-GMBH

Very High Details (2.0)
14 BotHunter Users
89 Infection Report
2010-06-08 to 2010-07-29

° 1(11): Inbound Attack - REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner
° 3810004(6): Bot Space Access - BotHunter REPO confirmed botnet control server
° 7777005(6): Outbound Scan - Detected intense non-malware port scanning
° 2001687(4): Attack Prep - BLEEDING-EDGE WORM MySQL bot DNS lookup
° 3810008(3): Russian Business Network - ET Known Russian Business Network Monitored Domain
61.250.91.73 (KR)
CHINJU
KYONGSANG-NAMDO
KOREA, REPUBLIC OF
CNINET.CO.KR / DSL
ENTERPRISENET-IDC-HOSTWAY

Moderate Details (1.3)
17 BotHunter Users
80 Infection Report
2010-06-25 to 2010-07-23

° 2001569(4): Outbound Attack - ET SCAN Behavioral Unusual Port NETBIOS traffic, Potential Scan or Infection (60 in 60 secs)
° 2008124(3): CandC Communication - ET TROJAN Likely Bot Nick in IRC (USA +..)
° 2000352(2): Attack Prep - ET ATTACK RESPONSE IRC - dns request on non-std port
° 2002029(2): CandC Communication - ET TROJAN BOT - channel topic scan/exploit command
° 2008398(2): CandC Communication - ET TROJAN Fullspace.cc or Related Checkin (2)
° 22000346(2): Inbound Attack - ET ATTACK RESPONSE IRC - Name response on non-std port
° 2002839(1): Egg Download - ET MALWARE My Search Spyware Config Download
123.123.123.123 (CN)
BEIJING
BEIJING
CHINA
BTA.NET.CN / DSL
CHINA UNICOM BEIJING PROVINCE NETWORK

High Details (1.7)
54 BotHunter Users
833 Infection Report
2010-04-14 to 2010-08-10

° 3810003(36): Bot Space Access - BotHunter REPO confirmed botnet control server
° 3810007(19): Russian Business Network - ET Known Russian Business Network Monitored Domain
° 2003330(5): Attack Prep - ET POLICY Possible Spambot Host DNS MX Query High Count
° 9910014(2): Bot Space Access - ET POLICY Spambot Host DNS MX Query High Count
° 2001569(1): Outbound Attack - ET SCAN Behavioral Unusual Port NETBIOS traffic, Potential Scan or Infection (60 in 60 secs)
217.199.217.9 (RU)
MOSCOW
MOSCOW CITY
RUSSIAN FEDERATION
UCOZ.NET / DSL
UCOZ

Very High Details (2.2)
11 BotHunter Users
14 Infection Report
2010-04-14 to 2010-06-11

° 2003607(6): CandC Communication - ET MALWARE Cnzz.com/Baidu Related Spyware Stat Reporting
° 3(3): Inbound Attack - REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner
° 2003438(2): CandC Communication - ET MALWARE Abcsearch.com Spyware Reporting
° 3810007(2): Russian Business Network - ET Known Russian Business Network Monitored Domain
° 7777005(2): Outbound Scan - Detected intense non-malware port scanning
° 2003620(1): CandC Communication - ET MALWARE 51yes.com Spyware Reporting User Activity
° 2007951(1): CandC Communication - ET MALWARE Hex Encoded IP HTTP Request - Likely Malware
° 3810001(1): Bot Space Access - BotHunter MTC confirmed botnet control server
75.183.100.0 (US)
WINSTON SALEM
NORTH CAROLINA
UNITED STATES
RR.COM / DSL
ROAD RUNNER HOLDCO LLC

Very High Details (2.0)
1 BotHunter Users
7 Infection Report
2010-04-14 to 2010-04-14

° 7777005(13): Outbound Scan - Detected intense non-malware port scanning
° 2008110(7): CandC Communication - ET TROJAN Possible Bobax/Kraken/Oderoor TCP 447 CnC Channel Outbound
° 3(1): Inbound Attack - REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner
° 9906023(1): not found
66.96.130.50 (US)
BURLINGTON
MASSACHUSETTS
UNITED STATES
EIGBOX.NET / DSL
THE ENDURANCE INTERNATIONAL GROUP INC

Moderate Details (1.3)
1 BotHunter Users
1 Infection Report
2010-07-15 to 2010-07-15

° 2003088(4): CandC Communication - ET TROJAN Sality Trojan User-Agent (KUKU v3.09 exp)
° 2003636(4): CandC Communication - ET VIRUS Sality Virus User Agent Detected (KUKU)
° 3810004(1): Bot Space Access - BotHunter REPO confirmed botnet control server
212.227.111.29 (DE)
FRANKFURT
HESSEN
GERMANY
KEY-SYSTEMS.NET / DSL
KEY-SYSTEMS GMBH

High Details (1.8)
4 BotHunter Users
6 Infection Report
2010-04-18 to 2010-07-26

° 2000328(15): Outbound Attack - ET POLICY Outbound Multiple Non-SMTP Server Emails (20 in 120 secs)
° 3(1): Inbound Attack - REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner
° 3810003(1): Bot Space Access - BotHunter REPO confirmed botnet control server
° 3810007(1): Russian Business Network - ET Known Russian Business Network Monitored Domain
° 7777005(1): Outbound Scan - Detected intense non-malware port scanning
81.95.138.0 (RU)
MOSCOW
MOSCOW CITY
RUSSIAN FEDERATION
CITYNET.RU / DSL
MATRIX TELECOM MOSCOW

Moderate Details (1.3)
1 BotHunter Users
3 Infection Report
2010-08-09 to 2010-08-09

° 7777005(3): Outbound Scan - Detected intense non-malware port scanning
° 9906025(3): not found
° 3(2): Inbound Attack - REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner
° 9906028(1): not found
° 52007933(1): Outbound Attack - ET EXPLOIT Zilab Chat and Instant Messaging Heap Overflow Vulnerability
194.67.27.250 (RU)
MOSCOW
MOSCOW CITY
RUSSIAN FEDERATION
UKR-INFO.NET / DSL
TELEROSS

Moderate Details (1.3)
1 BotHunter Users
2 Infection Report
2010-07-13 to 2010-07-13

° 3(3): Inbound Attack - REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner
° 7777005(3): Outbound Scan - Detected intense non-malware port scanning
° 9906001(3): not found
° 25(2): Inbound Attack - ET EXPLOIT COM Object Instantiation Memory Corruption Vulnerability MS05-054
° 1(1): Inbound Attack - REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner
° 2123(1): Inbound Attack - REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner
° 9906006(1): not found
218.25.54.174 (CN)
SHENYANG
LIAONING
CHINA
DCB.LN.CN / DSL
CHINA UNICOM LIAONING PROVINCE NETWORK

High Details (1.6)
2 BotHunter Users
16 Infection Report
2010-04-21 to 2010-04-23

° 7777005(6): Outbound Scan - Detected intense non-malware port scanning
° 3810044(2): Bot Space Access - BotHunter REPO confirmed botnet control server
° 2007671(1): Egg Download - ET POLICY Binary Download Smaller than 1 MB Likely Hostile
93.147.197.92 (IT)
NAPOLI
CAMPANIA
ITALY
DSL.VODAFONE.IT / DSL
IP ADDRESSES ALLOCATED TO DSL CUSTOMERS

Maximum Details (2.6)
3 BotHunter Users
3 Infection Report
2010-05-26 to 2010-05-26

° 2000328(29): Outbound Attack - ET POLICY Outbound Multiple Non-SMTP Server Emails (20 in 120 secs)
° 2003330(6): Attack Prep - ET POLICY Possible Spambot Host DNS MX Query High Count
° 9910014(5): Bot Space Access - ET POLICY Spambot Host DNS MX Query High Count
° 2007711(4): CandC Communication - ET TROJAN Srizbi registering with controller
° 7777005(4): Outbound Scan - Detected intense non-malware port scanning
° 3810004(1): Bot Space Access - BotHunter REPO confirmed botnet control server
° 7777055(1): Outbound Scan - Detected intense non-malware port scanning (P2P)
203.121.31.0 (MY)
KUALA LUMPUR
WILAYAH PERSEKUTUAN
MALAYSIA
TIME.NET.MY / DSL
TIME TELECOMMUNICATIONS SDN. BHD

Very High Details (2.0)
2 BotHunter Users
62 Infection Report
2010-04-25 to 2010-07-08

° 7777005(59): Outbound Scan - Detected intense non-malware port scanning
° 9906004(46): not found
° 3(21): Inbound Attack - REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner
° 9906023(9): not found
° 3300007(4): Egg Download - BotHunter Malware Windows executable (PE) sent from remote host
° 9906003(4): not found
° 2000419(3): Egg Download - ET POLICY PE EXE or DLL Windows file download
° 9906027(3): not found
° 9906028(3): not found
113.193.69.185 (IN)
-
-
INDIA
- / DSL
TIKONA DIGITAL NETWORKS PVT. LTD

Moderate Details (1.3)
2 BotHunter Users
3 Infection Report
2010-07-11 to 2010-07-11

° 2007711(3): CandC Communication - ET TROJAN Srizbi registering with controller
° 3300007(3): Egg Download - BotHunter Malware Windows executable (PE) sent from remote host
° 7777005(3): Outbound Scan - Detected intense non-malware port scanning
° 2000419(2): Egg Download - ET POLICY PE EXE or DLL Windows file download
° 7777055(2): Outbound Scan - Detected intense non-malware port scanning (P2P)
59.71.65.81 (CN)
CHANGSHA
HUNAN
CHINA
- / DSL
HUNAN UNIVERSITY

Moderate Details (1.2)
1 BotHunter Users
1 Infection Report
2010-05-01 to 2010-05-01

° 3(3): Inbound Attack - REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner
° 2007963(1): CandC Communication - ET TROJAN Vipdataend C&C Traffic - Status OK
° 7777005(1): Outbound Scan - Detected intense non-malware port scanning
204.15.240.0 (US)
MOUNTAIN VIEW
CALIFORNIA
UNITED STATES
PLAXO.COM / DSL
PLAXO INCORPORATED

Very High Details (2.0)
1 BotHunter Users
1 Infection Report
2010-08-11 to 2010-08-11

° 7777005(1): Outbound Scan - Detected intense non-malware port scanning
° 9906018(1): not found
° 9906027(1): not found
° 100000272(1): not found
59.173.98.98 (CN)
WUHAN
HUBEI
CHINA
163DATA.COM.CN / DSL
CHINANET HUBEI PROVINCE NETWORK

High Details (1.5)
1 BotHunter Users
6 Infection Report
2010-06-02 to 2010-06-02

° 2009292(6): CandC Communication - ET TROJAN Hupigon CnC Server Response
° 7777005(6): Outbound Scan - Detected intense non-malware port scanning
° 2003607(3): CandC Communication - ET MALWARE Cnzz.com/Baidu Related Spyware Stat Reporting
° 3810007(2): Russian Business Network - ET Known Russian Business Network Monitored Domain
° 7777008(2): Malware Scan - Detected intense malware port scanning
° 2003438(1): CandC Communication - ET MALWARE Abcsearch.com Spyware Reporting
° 2003620(1): CandC Communication - ET MALWARE 51yes.com Spyware Reporting User Activity
65.182.100.196 (US)
PHOENIX
ARIZONA
UNITED STATES
BRINKSTER.COM / COMP
BRINKSTER COMMUNICATIONS CORPORATION

Very High Details (2.2)
2 BotHunter Users
2 Infection Report
2010-05-19 to 2010-06-06

° 2001892(1): Egg Download - ET MALWARE ToolbarPartner Spyware Agent Download (2)
° 2003438(1): CandC Communication - ET MALWARE Abcsearch.com Spyware Reporting
° 2003579(1): CandC Communication - ET MALWARE Findwhat.com Spyware (clickthrough)
° 2003620(1): CandC Communication - ET MALWARE 51yes.com Spyware Reporting User Activity
° 3810005(1): Bot Space Access - ET ShadowServer confirmed botnet control server
° 3810007(1): Russian Business Network - ET Known Russian Business Network Monitored Domain
° 7777005(1): Outbound Scan - Detected intense non-malware port scanning
69.64.155.0 (US)
BELLEVUE
WASHINGTON
UNITED STATES
- / DSL
ENOM INCORPORATED

High Details (1.5)
1 BotHunter Users
3 Infection Report
2010-07-08 to 2010-07-08

° 2003330(12): Attack Prep - ET POLICY Possible Spambot Host DNS MX Query High Count
° 2000328(9): Outbound Attack - ET POLICY Outbound Multiple Non-SMTP Server Emails (20 in 120 secs)
° 9910014(5): Bot Space Access - ET POLICY Spambot Host DNS MX Query High Count
° 7777005(4): Outbound Scan - Detected intense non-malware port scanning
° 9906003(2): not found
° 9906018(2): not found
° 2406003(1): not found
° 2406018(1): not found
° 9906001(1): not found
218.93.205.117 (CN)
BEIJING
BEIJING
CHINA
163DATA.COM.CN / DSL
CHINANET JIANGSU PROVINCE NETWORK

Very High Details (2.2)
2 BotHunter Users
2 Infection Report
2010-05-22 to 2010-05-23

° 2003607(3): CandC Communication - ET MALWARE Cnzz.com/Baidu Related Spyware Stat Reporting
° 1(1): Inbound Attack - REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner
° 3(1): Inbound Attack - REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner
° 2003438(1): CandC Communication - ET MALWARE Abcsearch.com Spyware Reporting
° 3810001(1): Bot Space Access - BotHunter MTC confirmed botnet control server
° 3810007(1): Russian Business Network - ET Known Russian Business Network Monitored Domain
° 7777005(1): Outbound Scan - Detected intense non-malware port scanning
195.122.131.7 (DE)
-
-
GERMANY
- / DSL
TERRASPACE-GMBH

Moderate Details (1.3)
34 BotHunter Users
128 Infection Report
2010-04-14 to 2010-06-28

° 2003620(5): CandC Communication - ET MALWARE 51yes.com Spyware Reporting User Activity
° 2632222(5): not found
° 2003179(3): Egg Download - ET POLICY exe download without User Agent
° 2000419(1): Egg Download - ET POLICY PE EXE or DLL Windows file download
° 3300007(1): Egg Download - BotHunter Malware Windows executable (PE) sent from remote host
194.226.65.9 (RU)
MOSCOW
MOSCOW CITY
RUSSIAN FEDERATION
RELARN.RU / DSL
RUSSIAN INSTITUTE FOR PUBLIC NETWORKS

High Details (1.6)
1 BotHunter Users
2 Infection Report
2010-06-07 to 2010-06-07

° 3(4): Inbound Attack - REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner
° 7777005(4): Outbound Scan - Detected intense non-malware port scanning
° 2000328(2): Outbound Attack - ET POLICY Outbound Multiple Non-SMTP Server Emails (20 in 120 secs)
° 9906001(2): not found
° 1(1): Inbound Attack - REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner
12.79.31.69 (US)
FLEMINGTON
NEW JERSEY
UNITED STATES
ATT.NET / DSL
AT&T WORLDNET SERVICES

Moderate Details (1.3)
2 BotHunter Users
6 Infection Report
2010-04-27 to 2010-04-28

° 2001569(12): Outbound Attack - ET SCAN Behavioral Unusual Port NETBIOS traffic, Potential Scan or Infection (60 in 60 secs)
° 3810001(4): Bot Space Access - BotHunter MTC confirmed botnet control server
° 3810003(2): Bot Space Access - BotHunter REPO confirmed botnet control server
194.67.28.97 (RU)
MURMANSK
MURMANSK
RUSSIAN FEDERATION
GLDN.NET / DSL
SOVAM TELEPORT

High Details (1.7)
1 BotHunter Users
1 Infection Report
2010-07-16 to 2010-07-16

° 2001569(4): Outbound Attack - ET SCAN Behavioral Unusual Port NETBIOS traffic, Potential Scan or Infection (60 in 60 secs)
° 7777008(3): Malware Scan - Detected intense malware port scanning
° 3810007(1): Russian Business Network - ET Known Russian Business Network Monitored Domain
151.32.154.116 (IT)
ROME
LAZIO
ITALY
14-151.IOL.IT / DSL
ITALIA ONLINE S.P.A

Moderate Details (1.2)
1 BotHunter Users
2 Infection Report
2010-05-27 to 2010-05-27

° 2000419(2): Egg Download - ET POLICY PE EXE or DLL Windows file download
° 2007711(2): CandC Communication - ET TROJAN Srizbi registering with controller
° 3300007(2): Egg Download - BotHunter Malware Windows executable (PE) sent from remote host
° 7777055(2): Outbound Scan - Detected intense non-malware port scanning (P2P)
201.3.62.210 (BR)
-
-
BRAZIL
STERLINGSTUDENTS.NET / DSL
COMITE GESTOR DA INTERNET NO BRASIL

Maximum Details (2.3)
1 BotHunter Users
2 Infection Report
2010-07-01 to 2010-07-01

° 2003330(4): Attack Prep - ET POLICY Possible Spambot Host DNS MX Query High Count
° 2001569(2): Outbound Attack - ET SCAN Behavioral Unusual Port NETBIOS traffic, Potential Scan or Infection (60 in 60 secs)
° 2007711(2): CandC Communication - ET TROJAN Srizbi registering with controller
° 9910014(1): Bot Space Access - ET POLICY Spambot Host DNS MX Query High Count
200.111.121.203 (CL)
SANTIAGO
REGION METROPOLITANA
CHILE
ENTELCHILE.NET / DSL
ENTEL CHILE S.A

Moderate Details (1.2)
1 BotHunter Users
1 Infection Report
2010-04-21 to 2010-04-21

° 3810006(1): Bot Space Access - ET ShadowServer confirmed botnet control server
° 3810008(1): Russian Business Network - ET Known Russian Business Network Monitored Domain
° 3810044(1): Bot Space Access - BotHunter REPO confirmed botnet control server
81.95.133.20 (RU)
MOSCOW
MOSCOW CITY
RUSSIAN FEDERATION
- / DSL
MATRIXTELECOM

High Details (1.7)
1 BotHunter Users
1 Infection Report
2010-04-29 to 2010-04-29

° 2001569(4): Outbound Attack - ET SCAN Behavioral Unusual Port NETBIOS traffic, Potential Scan or Infection (60 in 60 secs)
° 7777008(3): Malware Scan - Detected intense malware port scanning
° 3810007(1): Russian Business Network - ET Known Russian Business Network Monitored Domain
93.174.95.238 (NL)
HAARLEM
NOORD-HOLLAND
NETHERLANDS
BWHS.NL / DSL
BULLCAT HOSTING

Moderate Details (1.2)
1 BotHunter Users
2 Infection Report
2010-04-21 to 2010-04-21

° 2003380(4): Egg Download - ET TROJAN Suspicious User-Agent - Possible Trojan Downloader (ver18/ver19, etc)
° 2008944(2): CandC Communication - ET TROJAN TDSServ or Tidserv variant Checkin
° 2009897(2): Egg Download - ET MALWARE Possible Windows executable sent when remote host claims to send html content
° 2003179(1): Egg Download - ET POLICY exe download without User Agent
° 2632222(1): not found
125.64.24.110 (CN)
CHENGDU
SICHUAN
CHINA
163DATA.COM.CN / DSL
CHINANET SICHUAN PROVINCE NETWORK

Moderate Details (1.2)
1 BotHunter Users
1 Infection Report
2010-06-17 to 2010-06-17

° 7777005(3): Outbound Scan - Detected intense non-malware port scanning
° 2008564(1): CandC Communication - ET USER_AGENTS Suspicious User-Agent (Internet HTTP Request)
69.89.17.18 (US)
PROVO
UTAH
UNITED STATES
BLUEHOST.COM / DSL
BLUEHOST INC

Very High Details (2.2)
1 BotHunter Users
1 Infection Report
2010-05-22 to 2010-05-22

° 2003607(1): CandC Communication - ET MALWARE Cnzz.com/Baidu Related Spyware Stat Reporting
° 3810005(1): Bot Space Access - ET ShadowServer confirmed botnet control server
° 3810007(1): Russian Business Network - ET Known Russian Business Network Monitored Domain
° 7777005(1): Outbound Scan - Detected intense non-malware port scanning
63.161.160.2 (US)
SANTA MONICA
CALIFORNIA
UNITED STATES
- / COMP
AGENSYS

Moderate Details (1.3)
1 BotHunter Users
1 Infection Report
2010-05-21 to 2010-05-21

° 2007963(1): CandC Communication - ET TROJAN Vipdataend C&C Traffic - Status OK
° 3810006(1): Bot Space Access - ET ShadowServer confirmed botnet control server
° 3810044(1): Bot Space Access - BotHunter REPO confirmed botnet control server
80.70.229.49 (RU)
MOSCOW
MOSCOW CITY
RUSSIAN FEDERATION
MNS.RU / DSL
CREDOLINK ISP NETWORK

High Details (1.7)
1 BotHunter Users
1 Infection Report
2010-07-20 to 2010-07-20

° 2001569(4): Outbound Attack - ET SCAN Behavioral Unusual Port NETBIOS traffic, Potential Scan or Infection (60 in 60 secs)
° 7777008(3): Malware Scan - Detected intense malware port scanning
° 3810007(1): Russian Business Network - ET Known Russian Business Network Monitored Domain
194.67.32.69 (RU)
KRASNOYARSK
KRASNOYARSK
RUSSIAN FEDERATION
HW.RU / DSL
SOVINTEL-MSK-RUNET-RU-NET

High Details (1.7)
1 BotHunter Users
1 Infection Report
2010-08-08 to 2010-08-08

° 2001569(4): Outbound Attack - ET SCAN Behavioral Unusual Port NETBIOS traffic, Potential Scan or Infection (60 in 60 secs)
° 7777008(2): Malware Scan - Detected intense malware port scanning
° 3810007(1): Russian Business Network - ET Known Russian Business Network Monitored Domain
91.212.226.97 (RU)
ARTEM
PRIMOR'YE
RUSSIAN FEDERATION
- / DSL
NETD-LUX-NETWORK

Moderate Details (1.3)
1 BotHunter Users
2 Infection Report
2010-04-27 to 2010-04-27

° 2008189(2): CandC Communication - ET TROJAN SpamTool.Win32.Agent.gy/Grum/Tedroo Or Similar HTTP Checkin
° 3810004(2): Bot Space Access - BotHunter REPO confirmed botnet control server
193.232.159.1 (RU)
-
-
RUSSIAN FEDERATION
- / DSL
AUTONOMOUS NONPROFIT ORGANIZATION

Very High Details (2.2)
6 BotHunter Users
7 Infection Report
2010-04-14 to 2010-06-03

° 2003219(3): CandC Communication - ET MALWARE Alexa Spyware Reporting
° 2003179(2): Egg Download - ET POLICY exe download without User Agent
° 2003607(2): CandC Communication - ET MALWARE Cnzz.com/Baidu Related Spyware Stat Reporting
° 2003620(1): CandC Communication - ET MALWARE 51yes.com Spyware Reporting User Activity
° 3810001(1): Bot Space Access - BotHunter MTC confirmed botnet control server
° 3810007(1): Russian Business Network - ET Known Russian Business Network Monitored Domain
° 7777005(1): Outbound Scan - Detected intense non-malware port scanning
143.225.93.198 (IT)
NAPOLI
CAMPANIA
ITALY
- / DSL
UNIVERSITA DEGLI' STUDI DI NAPOLI FEDERICO II

Maximum Details (2.9)
2 BotHunter Users
38 Infection Report
2010-08-01 to 2010-08-02

° 2000352(6): Attack Prep - ET ATTACK RESPONSE IRC - dns request on non-std port
° 2008124(6): CandC Communication - ET TROJAN Likely Bot Nick in IRC (USA +..)
° 22000346(4): Inbound Attack - ET ATTACK RESPONSE IRC - Name response on non-std port
° 7777005(3): Outbound Scan - Detected intense non-malware port scanning
° 1444(2): Egg Download - TFTP GET from external source
° 22351(2): Inbound Attack - REGISTERED FREE NETBIOS DCERPC ISystemActivator path overflow attempt little endian unicode
° 2008120(2): Egg Download - ET POLICY Outbound TFTP Read Request
° 2299913(2): Inbound Attack - ET SHELLCODE x86 0x90 unicode NOOP
° 3001441(2): Egg Download - TFTP GET .exe from external source
° 7777008(1): Malware Scan - Detected intense malware port scanning
64.15.72.80 (CA)
PIERREFONDS
QUEBEC
CANADA
- / COMP
SEARCHANYWAY

Very High Details (2.2)
1 BotHunter Users
1 Infection Report
2010-05-23 to 2010-05-23

° 2003607(2): CandC Communication - ET MALWARE Cnzz.com/Baidu Related Spyware Stat Reporting
° 1(1): Inbound Attack - REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner
° 3(1): Inbound Attack - REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner
° 2003438(1): CandC Communication - ET MALWARE Abcsearch.com Spyware Reporting
° 3810005(1): Bot Space Access - ET ShadowServer confirmed botnet control server
° 3810007(1): Russian Business Network - ET Known Russian Business Network Monitored Domain
° 7777005(1): Outbound Scan - Detected intense non-malware port scanning
67.212.162.250 (US)
CHICAGO
ILLINOIS
UNITED STATES
NHSDNS.COM / DSL
SINGLEHOP INC

Very High Details (2.2)
1 BotHunter Users
1 Infection Report
2010-05-26 to 2010-05-26

° 2003438(1): CandC Communication - ET MALWARE Abcsearch.com Spyware Reporting
° 3810005(1): Bot Space Access - ET ShadowServer confirmed botnet control server
° 3810007(1): Russian Business Network - ET Known Russian Business Network Monitored Domain
° 7777005(1): Outbound Scan - Detected intense non-malware port scanning
83.226.204.28 (SE)
GOTHENBURG
VASTRA GOTALAND
SWEDEN
BREDBANDSBOLAGET.SE / DSL
B2-BISP

High Details (1.6)
1 BotHunter Users
1 Infection Report
2010-05-08 to 2010-05-08

° 2009026(1): CandC Communication - ET TROJAN Vipdataend C&C Traffic - Status OK (variant 2)
° 3810005(1): Bot Space Access - ET ShadowServer confirmed botnet control server
° 7777005(1): Outbound Scan - Detected intense non-malware port scanning
67.15.47.0 (US)
HOUSTON
TEXAS
UNITED STATES
THEPLANET.COM / DSL
OPTICAL JUNGLE

High Details (1.5)
1 BotHunter Users
86 Infection Report
2010-06-28 to 2010-06-28

° 9906015(86): not found
° 9906014(41): not found
° 9906018(25): not found
° 9906001(23): not found
° 7777005(19): Outbound Scan - Detected intense non-malware port scanning
° 2003330(15): Attack Prep - ET POLICY Possible Spambot Host DNS MX Query High Count
° 9906004(12): not found
° 2000328(11): Outbound Attack - ET POLICY Outbound Multiple Non-SMTP Server Emails (20 in 120 secs)
° 9906003(8): not found
222.222.222.222 (CN)
BEIJING
BEIJING
CHINA
163DATA.COM.CN / DSL
CHINANET HEBEI PROVINCE NETWORK

Very High Details (2.0)
204 BotHunter Users
12163 Infection Report
2010-04-14 to 2010-08-05

° 3810004(249): Bot Space Access - BotHunter REPO confirmed botnet control server
° 3810008(234): Russian Business Network - ET Known Russian Business Network Monitored Domain
° 7777055(180): Outbound Scan - Detected intense non-malware port scanning (P2P)
° 7777005(110): Outbound Scan - Detected intense non-malware port scanning
° 3810044(45): Bot Space Access - BotHunter REPO confirmed botnet control server
° 1(25): Inbound Attack - REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner
° 2001687(6): Attack Prep - BLEEDING-EDGE WORM MySQL bot DNS lookup
° 2000328(2): Outbound Attack - ET POLICY Outbound Multiple Non-SMTP Server Emails (20 in 120 secs)
° 2003330(1): Attack Prep - ET POLICY Possible Spambot Host DNS MX Query High Count
° 9910014(1): Bot Space Access - ET POLICY Spambot Host DNS MX Query High Count
194.67.40.39 (RU)
MOSCOW
MOSCOW CITY
RUSSIAN FEDERATION
- / DSL
ARBAT RECONSTRUCTION

High Details (1.7)
1 BotHunter Users
1 Infection Report
2010-06-28 to 2010-06-28

° 2001569(4): Outbound Attack - ET SCAN Behavioral Unusual Port NETBIOS traffic, Potential Scan or Infection (60 in 60 secs)
° 7777008(3): Malware Scan - Detected intense malware port scanning
° 3810007(1): Russian Business Network - ET Known Russian Business Network Monitored Domain
78.110.52.68 (RU)
-
-
RUSSIAN FEDERATION
BETAPRESS.RU / DSL
HOSTING TELESYSTEMS NETWORK

High Details (1.8)
5 BotHunter Users
10 Infection Report
2010-04-29 to 2010-04-29

° 2009024(18): CandC Communication - ET TROJAN Downadup/Conficker A or B Worm reporting
° 3300007(12): Egg Download - BotHunter Malware Windows executable (PE) sent from remote host
° 2000419(7): Egg Download - ET POLICY PE EXE or DLL Windows file download
° 2003179(6): Egg Download - ET POLICY exe download without User Agent
° 2003330(1): Attack Prep - ET POLICY Possible Spambot Host DNS MX Query High Count
° 3810004(1): Bot Space Access - BotHunter REPO confirmed botnet control server
° 9910014(1): Bot Space Access - ET POLICY Spambot Host DNS MX Query High Count
79.103.149.172 (GR)
-
-
GREECE
FORTHNET.GR / DSL
ADSL-LLU-CUSTOMERS-LSF

Moderate Details (1.2)
1 BotHunter Users
1 Infection Report
2010-06-23 to 2010-06-23

° 2000419(4): Egg Download - ET POLICY PE EXE or DLL Windows file download
° 2007711(3): CandC Communication - ET TROJAN Srizbi registering with controller
° 3300007(3): Egg Download - BotHunter Malware Windows executable (PE) sent from remote host
° 7777055(3): Outbound Scan - Detected intense non-malware port scanning (P2P)
69.64.42.97 (US)
NEW YORK
NEW YORK
UNITED STATES
ANIDB.NET / DSL
HOSTING SOLUTIONS INTERNATIONAL INC

Moderate Details (1.3)
2 BotHunter Users
2 Infection Report
2010-06-26 to 2010-08-02

° 2001569(4): Outbound Attack - ET SCAN Behavioral Unusual Port NETBIOS traffic, Potential Scan or Infection (60 in 60 secs)
° 7777008(2): Malware Scan - Detected intense malware port scanning
° 3810005(1): Bot Space Access - ET ShadowServer confirmed botnet control server
81.94.31.222 (RU)
MOSCOW
MOSCOW CITY
RUSSIAN FEDERATION
MNS.RU / DSL
CREDOLINK ISP VPN POOL

High Details (1.8)
1 BotHunter Users
1 Infection Report
2010-06-28 to 2010-06-28

° 25(1): Inbound Attack - ET EXPLOIT COM Object Instantiation Memory Corruption Vulnerability MS05-054
° 2007827(1): Egg Download - ET TROJAN Suspicious User-Agent - Possible Trojan Downloader (ie)
° 7777005(1): Outbound Scan - Detected intense non-malware port scanning
° 7777008(1): Malware Scan - Detected intense malware port scanning
° 9906025(1): not found
64.120.149.70 (US)
SCRANTON
PENNSYLVANIA
UNITED STATES
HOSTNOC.NET / DSL
NETWORK OPERATIONS CENTER INC

High Details (1.4)
1 BotHunter Users
1 Infection Report
2010-05-27 to 2010-05-27

° 3(2): Inbound Attack - REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner
° 2003438(1): CandC Communication - ET MALWARE Abcsearch.com Spyware Reporting
° 2007951(1): CandC Communication - ET MALWARE Hex Encoded IP HTTP Request - Likely Malware
° 3810007(1): Russian Business Network - ET Known Russian Business Network Monitored Domain
° 7777005(1): Outbound Scan - Detected intense non-malware port scanning
219.232.241.164 (CN)
BEIJING
BEIJING
CHINA
CRC.COM.CN / DSL
BEIJING PRIMEZONE TECHNOLOGIES INC

Moderate Details (1.3)
1 BotHunter Users
1 Infection Report
2010-06-11 to 2010-06-11

° 90909090(5): not found
° 2003620(3): CandC Communication - ET MALWARE 51yes.com Spyware Reporting User Activity
64.213.163.40 (US)
NEW YORK
NEW YORK
UNITED STATES
GBLX.NET / DSL
GLOBAL CROSSING

Moderate Details (1.2)
1 BotHunter Users
1 Infection Report
2010-06-11 to 2010-06-11

° 2002196(2): CandC Communication - ET MALWARE Casalemedia Spyware Reporting URL Visited 2
° 3(1): Inbound Attack - REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner
° 2009880(1): CandC Communication - ET MALWARE Casalemedia Spyware Reporting URL Visited 3
° 3810007(1): Russian Business Network - ET Known Russian Business Network Monitored Domain
89.149.220.70 (DE)
-
-
GERMANY
BCES.DE / DSL
NETDIREKT E.K

High Details (1.8)
1 BotHunter Users
212 Infection Report
2010-07-02 to 2010-07-02

° 7777005(298): Outbound Scan - Detected intense non-malware port scanning
° 9906028(212): not found
° 3(163): Inbound Attack - REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner
° 25(74): Inbound Attack - ET EXPLOIT COM Object Instantiation Memory Corruption Vulnerability MS05-054
° 2000328(35): Outbound Attack - ET POLICY Outbound Multiple Non-SMTP Server Emails (20 in 120 secs)
° 9906006(21): not found
° 9906008(17): not found
° 1(9): Inbound Attack - REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner
° 9906003(6): not found
87.106.138.9 (DE)
BERLIN
BERLIN
GERMANY
EIM-LTD.CO.UK / DSL
SCHLUND-CUSTOMERS

High Details (1.5)
2 BotHunter Users
2 Infection Report
2010-05-24 to 2010-06-03

° 1(2): Inbound Attack - REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner
° 3(2): Inbound Attack - REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner
° 2003438(1): CandC Communication - ET MALWARE Abcsearch.com Spyware Reporting
° 3810005(1): Bot Space Access - ET ShadowServer confirmed botnet control server
° 3810007(1): Russian Business Network - ET Known Russian Business Network Monitored Domain
° 7777008(1): Malware Scan - Detected intense malware port scanning
212.57.145.150 (RU)
CHELYABINSK
CHELYABINSK
RUSSIAN FEDERATION
- / DSL
64 P2P LINKS TO CUSTOMERS FOR LEASED LINES

High Details (1.7)
5 BotHunter Users
83 Infection Report
2010-06-02 to 2010-06-08

° 3810009(23): Bot Space Access - ET COMPROMISED Known Compromised or Hostile Host Traffic
° 7777008(16): Malware Scan - Detected intense malware port scanning
° 7777005(13): Outbound Scan - Detected intense non-malware port scanning
° 2003607(12): CandC Communication - ET MALWARE Cnzz.com/Baidu Related Spyware Stat Reporting
° 3810007(10): Russian Business Network - ET Known Russian Business Network Monitored Domain
° 2003438(9): CandC Communication - ET MALWARE Abcsearch.com Spyware Reporting
° 3810005(6): Bot Space Access - ET ShadowServer confirmed botnet control server
° 2003581(3): CandC Communication - ET MALWARE Findwhat.com Spyware (sendmedia)
° 3810001(3): Bot Space Access - BotHunter MTC confirmed botnet control server
195.170.178.91 (MD)
CHISINAU
CHISINAU
MOLDOVA, REPUBLIC OF
- / DSL
S.C. UNINET S.R.L

High Details (1.8)
3 BotHunter Users
8 Infection Report
2010-05-18 to 2010-05-21

° 2009354(3): CandC Communication - ET TROJAN Bredolab/Gumblar Downloader Communicating With Controller (2)
° 2632222(3): not found
° 7777005(3): Outbound Scan - Detected intense non-malware port scanning
° 2008501(2): CandC Communication - ET TROJAN Peed Report to Controller
° 2009353(2): CandC Communication - ET TROJAN Bredolab/Gumblar Downloader Communicating With Controller (1)
° 2000328(1): Outbound Attack - ET POLICY Outbound Multiple Non-SMTP Server Emails (20 in 120 secs)
209.190.24.6 (US)
COLUMBUS
OHIO
UNITED STATES
XLHOST.COM / COMP
COLUMBUS NETWORK ACCESS POINT INC

High Details (1.9)
7 BotHunter Users
10 Infection Report
2010-04-15 to 2010-06-07

° 2003179(7): Egg Download - ET POLICY exe download without User Agent
° 7777005(5): Outbound Scan - Detected intense non-malware port scanning
° 3810007(3): Russian Business Network - ET Known Russian Business Network Monitored Domain
° 2000419(2): Egg Download - ET POLICY PE EXE or DLL Windows file download
° 3300007(2): Egg Download - BotHunter Malware Windows executable (PE) sent from remote host
° 3(1): Inbound Attack - REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner
° 2003579(1): CandC Communication - ET MALWARE Findwhat.com Spyware (clickthrough)
° 3810005(1): Bot Space Access - ET ShadowServer confirmed botnet control server
195.122.131.14 (DE)
-
-
GERMANY
- / DSL
TERRASPACE-GMBH

Moderate Details (1.3)
35 BotHunter Users
133 Infection Report
2010-04-14 to 2010-06-18

° 2632222(6): not found
° 1(3): Inbound Attack - REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner
° 2003330(3): Attack Prep - ET POLICY Possible Spambot Host DNS MX Query High Count
° 9910014(3): Bot Space Access - ET POLICY Spambot Host DNS MX Query High Count
° 2(2): Inbound Attack - REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner
° 7777005(2): Outbound Scan - Detected intense non-malware port scanning
° 3(1): Inbound Attack - REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner
° 2003179(1): Egg Download - ET POLICY exe download without User Agent
° 2008271(1): CandC Communication - ET TROJAN DMSpammer HTTP Post Checkin (1)
° 2008272(1): CandC Communication - ET TROJAN DMSpammer HTTP Post Checkin (2)
67.236.43.67 (US)
-
-
UNITED STATES
EMBARQHSD.NET / COMP
EMBARQ CORPORATION

High Details (1.6)
1 BotHunter Users
3 Infection Report
2010-07-21 to 2010-07-21

° 3810006(3): Bot Space Access - ET ShadowServer confirmed botnet control server
° 7777005(2): Outbound Scan - Detected intense non-malware port scanning
° 2007711(1): CandC Communication - ET TROJAN Srizbi registering with controller
° 3810002(1): Bot Space Access - BotHunter MTC confirmed botnet control server
° 3810044(1): Bot Space Access - BotHunter REPO confirmed botnet control server
° 7777055(1): Outbound Scan - Detected intense non-malware port scanning (P2P)
69.59.17.202 (US)
CHARLOTTE
NORTH CAROLINA
UNITED STATES
CAROHOSTING.NET / DSL
CARONET MANAGED HOSTING

High Details (1.9)
2 BotHunter Users
2 Infection Report
2010-05-29 to 2010-06-05

° 3(1): Inbound Attack - REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner
° 2003438(1): CandC Communication - ET MALWARE Abcsearch.com Spyware Reporting
° 3810005(1): Bot Space Access - ET ShadowServer confirmed botnet control server
° 3810007(1): Russian Business Network - ET Known Russian Business Network Monitored Domain
° 7777005(1): Outbound Scan - Detected intense non-malware port scanning
212.77.133.121 (RU)
-
-
RUSSIAN FEDERATION
RIKT.RU / DSL
JSC RITC

High Details (1.8)
1 BotHunter Users
3 Infection Report
2010-06-28 to 2010-06-28

° 2007827(3): Egg Download - ET TROJAN Suspicious User-Agent - Possible Trojan Downloader (ie)
° 7777005(3): Outbound Scan - Detected intense non-malware port scanning
° 9906008(3): not found
° 7777008(1): Malware Scan - Detected intense malware port scanning
59.97.120.16 (IN)
CHENNAI
TAMIL NADU
INDIA
10/24.BSNL.IN / DSL
NIB (NATIONAL INTERNET BACKBONE)

Moderate Details (1.3)
1 BotHunter Users
1 Infection Report
2010-07-14 to 2010-07-14

° 3300007(2): Egg Download - BotHunter Malware Windows executable (PE) sent from remote host
° 7777005(2): Outbound Scan - Detected intense non-malware port scanning
° 2000419(1): Egg Download - ET POLICY PE EXE or DLL Windows file download
° 2007711(1): CandC Communication - ET TROJAN Srizbi registering with controller
202.75.36.22 (MY)
KUALA LUMPUR
WILAYAH PERSEKUTUAN
MALAYSIA
TM.NET.MY / DSL
TELEKOM MALAYSIA BERHAD

Very High Details (2.2)
1 BotHunter Users
1 Infection Report
2010-05-22 to 2010-05-22

° 2003607(3): CandC Communication - ET MALWARE Cnzz.com/Baidu Related Spyware Stat Reporting
° 3(1): Inbound Attack - REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner
° 3810005(1): Bot Space Access - ET ShadowServer confirmed botnet control server
° 3810007(1): Russian Business Network - ET Known Russian Business Network Monitored Domain
° 7777005(1): Outbound Scan - Detected intense non-malware port scanning
212.77.140.192 (RU)
-
-
RUSSIAN FEDERATION
RIKT.RU / DSL
JSC RITC

High Details (1.8)
1 BotHunter Users
1 Infection Report
2010-06-21 to 2010-06-21

° 2007827(1): Egg Download - ET TROJAN Suspicious User-Agent - Possible Trojan Downloader (ie)
° 7777005(1): Outbound Scan - Detected intense non-malware port scanning
° 9906008(1): not found
64.127.41.31 (US)
HUNTINGTON
WEST VIRGINIA
UNITED STATES
HACKERSPLANET.ORG / DSL
COMPUCRASH

Moderate Details (1.3)
1 BotHunter Users
1 Infection Report
2010-07-01 to 2010-07-01

° 2001569(4): Outbound Attack - ET SCAN Behavioral Unusual Port NETBIOS traffic, Potential Scan or Infection (60 in 60 secs)
° 7777008(3): Malware Scan - Detected intense malware port scanning
° 3810005(1): Bot Space Access - ET ShadowServer confirmed botnet control server
188.222.124.43 (UK)
-
-
UNITED KINGDOM
BETHERE.CO.UK / DSL
AVATARBROADBAND

Moderate Details (1.3)
1 BotHunter Users
2 Infection Report
2010-07-08 to 2010-07-08

° 2007711(4): CandC Communication - ET TROJAN Srizbi registering with controller
° 7777005(2): Outbound Scan - Detected intense non-malware port scanning
° 2000419(1): Egg Download - ET POLICY PE EXE or DLL Windows file download
° 3300007(1): Egg Download - BotHunter Malware Windows executable (PE) sent from remote host
210.72.2.195 (CN)
GUANGZHOU
GUANGDONG
CHINA
- / DSL
GUANG ZHOU INFORMATION NETWORK

High Details (1.5)
1 BotHunter Users
1 Infection Report
2010-07-10 to 2010-07-10

° 7777005(3): Outbound Scan - Detected intense non-malware port scanning
° 2007860(1): Egg Download - ET USER_AGENTS Suspicious User Agent - Possible Trojan Downloader (Internet Explorer 6.0)
° 2008564(1): CandC Communication - ET USER_AGENTS Suspicious User-Agent (Internet HTTP Request)
59.152.214.246 (HK)
HONG KONG
HONG KONG (SAR)
HONG KONG
DYXNET.COM / DSL
WHARF T&T LIMITED

Maximum Details (2.3)
1 BotHunter Users
4 Infection Report
2010-07-23 to 2010-07-23

° 2003330(8): Attack Prep - ET POLICY Possible Spambot Host DNS MX Query High Count
° 2000328(7): Outbound Attack - ET POLICY Outbound Multiple Non-SMTP Server Emails (20 in 120 secs)
° 2008124(4): CandC Communication - ET TROJAN Likely Bot Nick in IRC (USA +..)
° 2008189(4): CandC Communication - ET TROJAN SpamTool.Win32.Agent.gy/Grum/Tedroo Or Similar HTTP Checkin
° 2002033(2): CandC Communication - ET TROJAN BOT - potential response
° 9910014(2): Bot Space Access - ET POLICY Spambot Host DNS MX Query High Count
43.65.34.116 (JP)
-
-
JAPAN
BBTEC.NET / DSL
APNIC-AP-ERX

Very High Details (2.0)
2 BotHunter Users
2 Infection Report
2010-06-20 to 2010-06-20

° 2001569(8): Outbound Attack - ET SCAN Behavioral Unusual Port NETBIOS traffic, Potential Scan or Infection (60 in 60 secs)
° 7777008(6): Malware Scan - Detected intense malware port scanning
° 3810007(2): Russian Business Network - ET Known Russian Business Network Monitored Domain
° 7777005(1): Outbound Scan - Detected intense non-malware port scanning
114.255.0.20 (CN)
BEIJING
BEIJING
CHINA
- / COMP
ZGTYJIS

Moderate Details (1.2)
1 BotHunter Users
4 Infection Report
2010-08-01 to 2010-08-01

° 3(8): Inbound Attack - REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner
° 2007963(4): CandC Communication - ET TROJAN Vipdataend C&C Traffic - Status OK
° 7777005(4): Outbound Scan - Detected intense non-malware port scanning
° 2003620(1): CandC Communication - ET MALWARE 51yes.com Spyware Reporting User Activity
71.127.131.216 (US)
RICHMOND
VIRGINIA
UNITED STATES
VERIZON.NET / COMP
VERIZON INTERNET SERVICES INC

Very High Details (2.0)
2 BotHunter Users
4 Infection Report
2010-04-25 to 2010-04-25

° 3810008(4): Russian Business Network - ET Known Russian Business Network Monitored Domain
° 3810044(3): Bot Space Access - BotHunter REPO confirmed botnet control server
° 2007711(2): CandC Communication - ET TROJAN Srizbi registering with controller
° 7777005(2): Outbound Scan - Detected intense non-malware port scanning
91.211.117.109 (UA)
KIEV
KYYIV
UKRAINE
- / DSL
ZHARKOV MUKOLA MUKOLAYOVUCH

High Details (1.5)
3 BotHunter Users
4 Infection Report
2010-06-04 to 2010-06-07

° 2007671(2): Egg Download - ET POLICY Binary Download Smaller than 1 MB Likely Hostile
° 2008450(2): CandC Communication - ET TROJAN Buzus.lyz Connect to CnC
° 2632222(2): not found
° 2000419(1): Egg Download - ET POLICY PE EXE or DLL Windows file download
° 2008124(1): CandC Communication - ET TROJAN Likely Bot Nick in IRC (USA +..)
66.40.52.7 (US)
ATLANTA
GEORGIA
UNITED STATES
MAXIM.NET / DSL
PEER 1 DEDICATED HOSTING

Very High Details (2.2)
2 BotHunter Users
2 Infection Report
2010-05-31 to 2010-06-09

° 2002298(1): CandC Communication - ET MALWARE Searchfeed.com Spyware 3
° 3810005(1): Bot Space Access - ET ShadowServer confirmed botnet control server
° 3810007(1): Russian Business Network - ET Known Russian Business Network Monitored Domain
° 7777005(1): Outbound Scan - Detected intense non-malware port scanning
222.173.188.48 (CN)
JINAN
SHANDONG
CHINA
163DATA.COM.CN / DSL
CHINANET SHANDONG PROVINCE NETWORK

Moderate Details (1.2)
32 BotHunter Users
51 Infection Report
2010-04-14 to 2010-08-04

° 2003620(12): CandC Communication - ET MALWARE 51yes.com Spyware Reporting User Activity
° 2007671(2): Egg Download - ET POLICY Binary Download Smaller than 1 MB Likely Hostile
° 2003174(1): Inbound Attack - ET EXPLOIT Possible UTF-16 encoded Shellcode Detected
80.70.233.228 (RU)
MOSCOW
MOSCOW CITY
RUSSIAN FEDERATION
MNS.RU / DSL
CREDOLINK ISP NETWORK

High Details (1.8)
2 BotHunter Users
4 Infection Report
2010-07-22 to 2010-07-22

° 7777005(6): Outbound Scan - Detected intense non-malware port scanning
° 9906023(4): not found
° 2007827(2): Egg Download - ET TROJAN Suspicious User-Agent - Possible Trojan Downloader (ie)
° 1(1): Inbound Attack - REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner
° 3(1): Inbound Attack - REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner
° 25(1): Inbound Attack - ET EXPLOIT COM Object Instantiation Memory Corruption Vulnerability MS05-054
° 2003422(1): CandC Communication - ET MALWARE Weatherbug Command Activity
° 7777008(1): Malware Scan - Detected intense malware port scanning
209.51.196.242 (US)
COLUMBUS
OHIO
UNITED STATES
XLHOST.COM / COMP
XLHOST.COM INC

Very High Details (2.2)
3 BotHunter Users
3 Infection Report
2010-04-16 to 2010-06-02

° 3(2): Inbound Attack - REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner
° 2003607(2): CandC Communication - ET MALWARE Cnzz.com/Baidu Related Spyware Stat Reporting
° 2003438(1): CandC Communication - ET MALWARE Abcsearch.com Spyware Reporting
° 2009031(1): CandC Communication - ET TROJAN Possible Armitage Loader Request
° 3810005(1): Bot Space Access - ET ShadowServer confirmed botnet control server
° 3810007(1): Russian Business Network - ET Known Russian Business Network Monitored Domain
° 7777005(1): Outbound Scan - Detected intense non-malware port scanning
204.9.163.0 (CA)
TORONTO
ONTARIO
CANADA
QUIETTOUCH.COM / COMP
M-QUBE INC

High Details (1.7)
19 BotHunter Users
1579 Infection Report
2010-04-15 to 2010-08-09

° 7777005(217): Outbound Scan - Detected intense non-malware port scanning
° 2008564(129): CandC Communication - ET USER_AGENTS Suspicious User-Agent (Internet HTTP Request)
° 3(38): Inbound Attack - REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner
° 1(4): Inbound Attack - REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner
° 9906001(3): not found
° 3300007(1): Egg Download - BotHunter Malware Windows executable (PE) sent from remote host
82.129.39.205 (DE)
-
-
GERMANY
RAPIDSHARE.COM / DSL
PA-TERASPACE-COGENT

Very High Details (2.2)
9 BotHunter Users
52 Infection Report
2010-06-06 to 2010-06-09

° 1(24): Inbound Attack - REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner
° 7777005(22): Outbound Scan - Detected intense non-malware port scanning
° 3810004(9): Bot Space Access - BotHunter REPO confirmed botnet control server
° 3810008(6): Russian Business Network - ET Known Russian Business Network Monitored Domain
° 2001687(2): Attack Prep - BLEEDING-EDGE WORM MySQL bot DNS lookup
92.48.91.0 (UK)
-
-
UNITED KINGDOM
AS29550.NET / COMP
POUNDHOST

Very High Details (2.1)
2 BotHunter Users
3 Infection Report
2010-05-05 to 2010-06-08

° 2003330(2): Attack Prep - ET POLICY Possible Spambot Host DNS MX Query High Count
° 2008944(2): CandC Communication - ET TROJAN TDSServ or Tidserv variant Checkin
° 7777005(1): Outbound Scan - Detected intense non-malware port scanning
° 9910014(1): Bot Space Access - ET POLICY Spambot Host DNS MX Query High Count
212.77.133.4 (RU)
-
-
RUSSIAN FEDERATION
RIKT.RU / DSL
JSC RITC

High Details (1.7)
1 BotHunter Users
1 Infection Report
2010-06-06 to 2010-06-06

° 2001569(4): Outbound Attack - ET SCAN Behavioral Unusual Port NETBIOS traffic, Potential Scan or Infection (60 in 60 secs)
° 7777008(3): Malware Scan - Detected intense malware port scanning
° 3810007(1): Russian Business Network - ET Known Russian Business Network Monitored Domain
209.156.25.0 (US)
FAIRPORT
NEW YORK
UNITED STATES
MCLEODUSA.NET / DSL
PAETEC COMMUNICATIONS INC

Very High Details (2.0)
1 BotHunter Users
1 Infection Report
2010-04-26 to 2010-04-26

° 2007711(1): CandC Communication - ET TROJAN Srizbi registering with controller
° 7777005(1): Outbound Scan - Detected intense non-malware port scanning
° 9906027(1): not found
216.152.78.165 (US)
SANTA CLARA
CALIFORNIA
UNITED STATES
WEBMASTER.COM / DSL
WEBMASTER INCORPORATED

High Details (1.8)
14 BotHunter Users
34 Infection Report
2010-04-17 to 2010-06-10

° 3810005(7): Bot Space Access - ET ShadowServer confirmed botnet control server
° 7777005(7): Outbound Scan - Detected intense non-malware port scanning
° 2003607(5): CandC Communication - ET MALWARE Cnzz.com/Baidu Related Spyware Stat Reporting
° 2003438(4): CandC Communication - ET MALWARE Abcsearch.com Spyware Reporting
° 3810007(3): Russian Business Network - ET Known Russian Business Network Monitored Domain
° 7777008(2): Malware Scan - Detected intense malware port scanning
° 2003219(1): CandC Communication - ET MALWARE Alexa Spyware Reporting
° 2003581(1): CandC Communication - ET MALWARE Findwhat.com Spyware (sendmedia)
° 3810001(1): Bot Space Access - BotHunter MTC confirmed botnet control server
77.91.225.0 (RU)
MOSCOW
MOSCOW CITY
RUSSIAN FEDERATION
- / DSL
RU-WEBALTA

Very High Details (2.0)
1 BotHunter Users
2 Infection Report
2010-06-23 to 2010-06-23

° 7777005(2): Outbound Scan - Detected intense non-malware port scanning
° 9906022(2): not found
° 2007711(1): CandC Communication - ET TROJAN Srizbi registering with controller
° 9906004(1): not found
58.247.184.16 (CN)
SHANGHAI
SHANGHAI
CHINA
JOININGTEK.COM / DSL
CHINA UNICOM SHANGHAI NETWORK

Moderate Details (1.2)
1 BotHunter Users
4 Infection Report
2010-05-30 to 2010-05-30

° 7777005(11): Outbound Scan - Detected intense non-malware port scanning
° 2008110(4): CandC Communication - ET TROJAN Possible Bobax/Kraken/Oderoor TCP 447 CnC Channel Outbound
° 3(2): Inbound Attack - REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner
192.35.222.230 (US)
SANTA BARBARA
CALIFORNIA
UNITED STATES
UCSB.EDU / COMP
UNIVERSITY OF CALIFORNIA SANTA BARBARA

Moderate Details (1.3)
3 BotHunter Users
18 Infection Report
2010-06-11 to 2010-07-03

° 2000427(5): Egg Download - ET POLICY PE EXE Install Windows file download
° 100000262(4): CandC Communication - COMMUNITY BOT SDBot cdkey command
° 2000419(2): Egg Download - ET POLICY PE EXE or DLL Windows file download
° 2002032(2): CandC Communication - ET TROJAN BOT - potential DDoS command (1)
° 3300007(2): Egg Download - BotHunter Malware Windows executable (PE) sent from remote host
° 100000277(2): CandC Communication - COMMUNITY BOT GTBot packet command
° 22007933(1): Inbound Attack - ET EXPLOIT Zilab Chat and Instant Messaging Heap Overflow Vulnerability
217.170.64.5 (RU)
MOSCOW
MOSCOW CITY
RUSSIAN FEDERATION
ELTEL.NET / DSL
JSC ELTEL NETWORK

Moderate Details (1.3)
11 BotHunter Users
65 Infection Report
2010-07-12 to 2010-08-11

° 7777005(4): Outbound Scan - Detected intense non-malware port scanning
° 25(2): Inbound Attack - ET EXPLOIT COM Object Instantiation Memory Corruption Vulnerability MS05-054
° 9906010(2): not found
° 1(1): Inbound Attack - REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner
° 3(1): Inbound Attack - REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner
° 9906003(1): not found
° 9906007(1): not found
° 9906013(1): not found
° 9906015(1): not found
174.142.109.139 (CA)
MONTREAL
QUEBEC
CANADA
PRIVATEDNS.COM / DSL
IWEB TECHNOLOGIES INC

Very High Details (2.2)
4 BotHunter Users
4 Infection Report
2010-04-14 to 2010-06-11

° 2003438(1): CandC Communication - ET MALWARE Abcsearch.com Spyware Reporting
° 3810003(1): Bot Space Access - BotHunter REPO confirmed botnet control server
° 3810007(1): Russian Business Network - ET Known Russian Business Network Monitored Domain
° 7777005(1): Outbound Scan - Detected intense non-malware port scanning
194.67.35.28 (RU)
MOSCOW
MOSCOW CITY
RUSSIAN FEDERATION
FAQ.RU / DSL
SOVINTEL-MSK-XDSL-CLIENTNETWORK-NET

High Details (1.7)
1 BotHunter Users
1 Infection Report
2010-04-18 to 2010-04-18

° 2001569(4): Outbound Attack - ET SCAN Behavioral Unusual Port NETBIOS traffic, Potential Scan or Infection (60 in 60 secs)
° 7777008(3): Malware Scan - Detected intense malware port scanning
° 3810007(1): Russian Business Network - ET Known Russian Business Network Monitored Domain
89.149.253.183 (DE)
-
-
GERMANY
INTERNETSERVICETEAM.COM / DSL
NETDIREKT E.K

High Details (1.9)
1 BotHunter Users
1 Infection Report
2010-04-15 to 2010-04-15

° 2003179(5): Egg Download - ET POLICY exe download without User Agent
° 2009292(1): CandC Communication - ET TROJAN Hupigon CnC Server Response
° 3810007(1): Russian Business Network - ET Known Russian Business Network Monitored Domain
° 7777005(1): Outbound Scan - Detected intense non-malware port scanning
194.67.40.99 (RU)
MOSCOW
MOSCOW CITY
RUSSIAN FEDERATION
- / DSL
ARBAT RECONSTRUCTION

High Details (1.7)
1 BotHunter Users
1 Infection Report
2010-08-11 to 2010-08-11

° 2001569(4): Outbound Attack - ET SCAN Behavioral Unusual Port NETBIOS traffic, Potential Scan or Infection (60 in 60 secs)
° 7777008(2): Malware Scan - Detected intense malware port scanning
° 3810007(1): Russian Business Network - ET Known Russian Business Network Monitored Domain
194.67.7.64 (RU)
ST. PETERSBURG
SAINT PETERSBURG CITY
RUSSIAN FEDERATION
GLDN.NET / DSL
SOVINTEL

High Details (1.7)
1 BotHunter Users
1 Infection Report
2010-06-24 to 2010-06-24

° 2001569(4): Outbound Attack - ET SCAN Behavioral Unusual Port NETBIOS traffic, Potential Scan or Infection (60 in 60 secs)
° 7777008(3): Malware Scan - Detected intense malware port scanning
° 3810007(1): Russian Business Network - ET Known Russian Business Network Monitored Domain
118.78.108.75 (CN)
LINYI
SHANDONG
CHINA
CN.NET / DSL
CHINA UNICOM SHANXI PROVINCE NETWORK

Moderate Details (1.2)
1 BotHunter Users
2 Infection Report
2010-08-04 to 2010-08-04

° 2008110(2): CandC Communication - ET TROJAN Possible Bobax/Kraken/Oderoor TCP 447 CnC Channel Outbound
° 7777005(2): Outbound Scan - Detected intense non-malware port scanning
192.219.30.200 (CA)
TORONTO
ONTARIO
CANADA
- / DSL
UNITED CHURCH OF CANADA

Very High Details (2.2)
6 BotHunter Users
8 Infection Report
2010-04-15 to 2010-05-04

° 2000328(16): Outbound Attack - ET POLICY Outbound Multiple Non-SMTP Server Emails (20 in 120 secs)
° 3(2): Inbound Attack - REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner
° 7777005(2): Outbound Scan - Detected intense non-malware port scanning
° 3810005(1): Bot Space Access - ET ShadowServer confirmed botnet control server
° 3810007(1): Russian Business Network - ET Known Russian Business Network Monitored Domain
121.14.35.166 (CN)
GUANGZHOU
GUANGDONG
CHINA
163DATA.COM.CN / DSL
CHINANET GUANGDONG PROVINCE NETWORK

High Details (1.8)
9 BotHunter Users
72 Infection Report
2010-04-14 to 2010-05-05

° 2003179(46): Egg Download - ET POLICY exe download without User Agent
° 2003607(24): CandC Communication - ET MALWARE Cnzz.com/Baidu Related Spyware Stat Reporting
° 7777005(11): Outbound Scan - Detected intense non-malware port scanning
° 2000419(8): Egg Download - ET POLICY PE EXE or DLL Windows file download
° 3300007(8): Egg Download - BotHunter Malware Windows executable (PE) sent from remote host
° 3810007(7): Russian Business Network - ET Known Russian Business Network Monitored Domain
° 3810005(5): Bot Space Access - ET ShadowServer confirmed botnet control server
° 3(4): Inbound Attack - REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner
° 2003219(3): CandC Communication - ET MALWARE Alexa Spyware Reporting
81.94.31.100 (RU)
MOSCOW
MOSCOW CITY
RUSSIAN FEDERATION
MNS.RU / DSL
CREDOLINK ISP VPN POOL

High Details (1.8)
1 BotHunter Users
3 Infection Report
2010-06-25 to 2010-06-25

° 7777005(3): Outbound Scan - Detected intense non-malware port scanning
° 9906025(3): not found
° 7777008(2): Malware Scan - Detected intense malware port scanning
° 2008564(1): CandC Communication - ET USER_AGENTS Suspicious User-Agent (Internet HTTP Request)
203.191.149.26 (CN)
SHANGHAI
SHANGHAI
CHINA
- / DSL
EDONG NETWORK

Moderate Details (1.2)
75 BotHunter Users
155 Infection Report
2010-04-14 to 2010-08-10

° 2003620(3): CandC Communication - ET MALWARE 51yes.com Spyware Reporting User Activity
° 2000419(2): Egg Download - ET POLICY PE EXE or DLL Windows file download
° 2003422(2): CandC Communication - ET MALWARE Weatherbug Command Activity
° 7777005(2): Outbound Scan - Detected intense non-malware port scanning
° 3300007(1): Egg Download - BotHunter Malware Windows executable (PE) sent from remote host
° 3810003(1): Bot Space Access - BotHunter REPO confirmed botnet control server
202.187.31.9 (MY)
KUALA LUMPUR
WILAYAH PERSEKUTUAN
MALAYSIA
MEA50.JARING.MY / DSL
JARING COMMUNICATIONS SDN BHD

Moderate Details (1.3)
2 BotHunter Users
3 Infection Report
2010-04-26 to 2010-06-29

° 2000328(7): Outbound Attack - ET POLICY Outbound Multiple Non-SMTP Server Emails (20 in 120 secs)
° 2003330(3): Attack Prep - ET POLICY Possible Spambot Host DNS MX Query High Count
° 2002196(2): CandC Communication - ET MALWARE Casalemedia Spyware Reporting URL Visited 2
° 2009880(2): CandC Communication - ET MALWARE Casalemedia Spyware Reporting URL Visited 3
° 9910014(2): Bot Space Access - ET POLICY Spambot Host DNS MX Query High Count
° 2632222(1): not found
125.160.17.71 (ID)
JAKARTA
JAKARTA RAYA
INDONESIA
TELKOM.NET.ID / DSL
PT TELKOM DIVISI MULTIMEDIA

High Details (1.8)
1 BotHunter Users
1 Infection Report
2010-05-27 to 2010-05-27

° 3(1): Inbound Attack - REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner
° 2003438(1): CandC Communication - ET MALWARE Abcsearch.com Spyware Reporting
° 2003607(1): CandC Communication - ET MALWARE Cnzz.com/Baidu Related Spyware Stat Reporting
° 2003620(1): CandC Communication - ET MALWARE 51yes.com Spyware Reporting User Activity
° 3810005(1): Bot Space Access - ET ShadowServer confirmed botnet control server
° 7777005(1): Outbound Scan - Detected intense non-malware port scanning
90.156.178.41 (RU)
-
-
RUSSIAN FEDERATION
VEGA.RU / DSL
SOVREMENNYE INTERNET TEHNOLOGII ZAO PROVIDE PUBLIC WEB SERVICES

High Details (1.5)
16 BotHunter Users
51 Infection Report
2010-04-14 to 2010-08-11

° 7777005(7): Outbound Scan - Detected intense non-malware port scanning
° 3810003(4): Bot Space Access - BotHunter REPO confirmed botnet control server
° 3810007(3): Russian Business Network - ET Known Russian Business Network Monitored Domain
° 2003174(1): Inbound Attack - ET EXPLOIT Possible UTF-16 encoded Shellcode Detected
198.189.255.75 (US)
SEASIDE
CALIFORNIA
UNITED STATES
CA.US / DSL
CALIFORNIA STATE UNIVERSITY NETWORK

High Details (1.5)
4 BotHunter Users
179 Infection Report
2010-05-05 to 2010-06-30

° 2002196(116): CandC Communication - ET MALWARE Casalemedia Spyware Reporting URL Visited 2
° 2632222(75): not found
° 2009880(74): CandC Communication - ET MALWARE Casalemedia Spyware Reporting URL Visited 3
° 2009031(4): CandC Communication - ET TROJAN Possible Armitage Loader Request
° 2010288(4): Egg Download - ET TROJAN W32/Scar Downloader Request
° 2000419(3): Egg Download - ET POLICY PE EXE or DLL Windows file download
° 2006434(3): Egg Download - ET POLICY Possible Ecard Trojan download
° 2007671(3): Egg Download - ET POLICY Binary Download Smaller than 1 MB Likely Hostile
° 3300007(3): Egg Download - BotHunter Malware Windows executable (PE) sent from remote host
° 2001685(2): Egg Download - ET MALWARE Possible Windows executable sent when remote host claims to send an image
58.246.202.132 (CN)
SHANGHAI
SHANGHAI
CHINA
JOININGTEK.COM / DSL
CHINA UNICOM SHANGHAI NETWORK

Moderate Details (1.2)
1 BotHunter Users
1 Infection Report
2010-05-15 to 2010-05-15

° 2007962(1): CandC Communication - ET TROJAN Vipdataend C&C Traffic - Checkin
° 7777005(1): Outbound Scan - Detected intense non-malware port scanning
69.89.31.107 (US)
PROVO
UTAH
UNITED STATES
BLUEHOST.COM / DSL
BLUEHOST INC

High Details (1.4)
2 BotHunter Users
2 Infection Report
2010-05-22 to 2010-06-10

° 2003607(3): CandC Communication - ET MALWARE Cnzz.com/Baidu Related Spyware Stat Reporting
° 3300007(2): Egg Download - BotHunter Malware Windows executable (PE) sent from remote host
° 2000419(1): Egg Download - ET POLICY PE EXE or DLL Windows file download
° 2003438(1): CandC Communication - ET MALWARE Abcsearch.com Spyware Reporting
° 2003579(1): CandC Communication - ET MALWARE Findwhat.com Spyware (clickthrough)
° 3810007(1): Russian Business Network - ET Known Russian Business Network Monitored Domain
° 7777005(1): Outbound Scan - Detected intense non-malware port scanning
220.168.206.146 (CN)
CHANGSHA
HUNAN
CHINA
STERLINGSTUDENTS.NET / DSL
CHINANET HUNAN PROVINCE NETWORK

Moderate Details (1.2)
1 BotHunter Users
1 Infection Report
2010-06-27 to 2010-06-27

° 7777005(2): Outbound Scan - Detected intense non-malware port scanning
° 2007962(1): CandC Communication - ET TROJAN Vipdataend C&C Traffic - Checkin
81.94.21.125 (RU)
MOSCOW
MOSCOW CITY
RUSSIAN FEDERATION
MNS.RU / DSL
CREDOLINK ISP VPN POOL

High Details (1.7)
1 BotHunter Users
1 Infection Report
2010-05-30 to 2010-05-30

° 2001569(4): Outbound Attack - ET SCAN Behavioral Unusual Port NETBIOS traffic, Potential Scan or Infection (60 in 60 secs)
° 7777008(3): Malware Scan - Detected intense malware port scanning
° 3810007(1): Russian Business Network - ET Known Russian Business Network Monitored Domain
195.122.131.20 (DE)
-
-
GERMANY
- / DSL
TERRASPACE-GMBH

Moderate Details (1.3)
56 BotHunter Users
190 Infection Report
2010-04-14 to 2010-07-14

° 2003330(22): Attack Prep - ET POLICY Possible Spambot Host DNS MX Query High Count
° 2632222(10): not found
° 7777005(7): Outbound Scan - Detected intense non-malware port scanning
° 9910014(6): Bot Space Access - ET POLICY Spambot Host DNS MX Query High Count
° 1(3): Inbound Attack - REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner
° 2000419(3): Egg Download - ET POLICY PE EXE or DLL Windows file download
° 3300007(2): Egg Download - BotHunter Malware Windows executable (PE) sent from remote host
° 2002196(1): CandC Communication - ET MALWARE Casalemedia Spyware Reporting URL Visited 2
° 2008661(1): CandC Communication - ET TROJAN Zbot/Zeus HTTP POST
° 7777055(1): Outbound Scan - Detected intense non-malware port scanning (P2P)
208.87.149.251 (US)
EL SEGUNDO
CALIFORNIA
UNITED STATES
F.COM / DSL
FIRSTLOOK INC

Moderate Details (1.3)
35 BotHunter Users
85 Infection Report
2010-04-15 to 2010-06-11

° 7777005(15): Outbound Scan - Detected intense non-malware port scanning
° 2007805(14): CandC Communication - ET TROJAN Blink.com related Backdoor Checkin
° 2000922(4): Egg Download - ET MALWARE Hotbar Install (3)
° 2000923(2): CandC Communication - ET MALWARE Hotbar Agent Reporting Information
° 2000925(2): CandC Communication - ET MALWARE Hotbar Agent Partner Checkin
° 2003179(1): Egg Download - ET POLICY exe download without User Agent
° 2632222(1): not found
209.62.85.110 (US)
BEAVERTON
OREGON
UNITED STATES
THEPLANET.COM / DSL
OPTICAL JUNGLE

Very High Details (2.2)
1 BotHunter Users
1 Infection Report
2010-06-02 to 2010-06-02

° 2003579(1): CandC Communication - ET MALWARE Findwhat.com Spyware (clickthrough)
° 3810005(1): Bot Space Access - ET ShadowServer confirmed botnet control server
° 3810007(1): Russian Business Network - ET Known Russian Business Network Monitored Domain
° 7777005(1): Outbound Scan - Detected intense non-malware port scanning
° 7777008(1): Malware Scan - Detected intense malware port scanning
82.73.147.0 (NL)
GRONINGEN
GRONINGEN
NETHERLANDS
HOME.NL / DSL
ESSENT KABELCOM B.V

High Details (1.5)
1 BotHunter Users
1 Infection Report
2010-07-08 to 2010-07-08

° 2007711(4): CandC Communication - ET TROJAN Srizbi registering with controller
° 7777005(3): Outbound Scan - Detected intense non-malware port scanning
° 2000419(1): Egg Download - ET POLICY PE EXE or DLL Windows file download
° 3300007(1): Egg Download - BotHunter Malware Windows executable (PE) sent from remote host
97.74.215.71 (US)
SCOTTSDALE
ARIZONA
UNITED STATES
JWS.COM / DSL
GODADDY.COM INC

High Details (1.5)
1 BotHunter Users
1 Infection Report
2010-08-10 to 2010-08-10

° 2002196(1): CandC Communication - ET MALWARE Casalemedia Spyware Reporting URL Visited 2
° 2003179(1): Egg Download - ET POLICY exe download without User Agent
° 2632222(1): not found
12.84.170.83 (US)
NEW YORK
NEW YORK
UNITED STATES
ATT.NET / DSL
AT&T WORLDNET SERVICES

Moderate Details (1.3)
2 BotHunter Users
6 Infection Report
2010-04-28 to 2010-04-29

° 2001569(4): Outbound Attack - ET SCAN Behavioral Unusual Port NETBIOS traffic, Potential Scan or Infection (60 in 60 secs)
° 3810005(2): Bot Space Access - ET ShadowServer confirmed botnet control server
71.190.140.0 (US)
OAKLAND GARDENS
NEW YORK
UNITED STATES
VERIZON.NET / DSL
VERIZON INTERNET SERVICES INC

Moderate Details (1.2)
1 BotHunter Users
4 Infection Report
2010-06-18 to 2010-06-18

° 7777005(12): Outbound Scan - Detected intense non-malware port scanning
° 2008246(4): CandC Communication - ET TROJAN Juicopotomous ack from Controller
° 2008247(1): CandC Communication - ET TROJAN Juicopotomous ack to Controller
189.61.184.185 (BR)
BELO HORIZONTE
MINAS GERAIS
BRAZIL
VELOXZONE.COM.BR / DSL
COMITE GESTOR DA INTERNET NO BRASIL

Moderate Details (1.3)
1 BotHunter Users
1 Infection Report
2010-06-19 to 2010-06-19

° 2007711(2): CandC Communication - ET TROJAN Srizbi registering with controller
° 7777005(2): Outbound Scan - Detected intense non-malware port scanning
° 2000419(1): Egg Download - ET POLICY PE EXE or DLL Windows file download
° 3300007(1): Egg Download - BotHunter Malware Windows executable (PE) sent from remote host
79.113.167.82 (RO)
ORADEA
BIHOR
ROMANIA
RDSPT.RO / DSL
RCS & RDS S.A

Moderate Details (1.2)
1 BotHunter Users
1 Infection Report
2010-06-07 to 2010-06-07

° 2007711(2): CandC Communication - ET TROJAN Srizbi registering with controller
° 7777055(2): Outbound Scan - Detected intense non-malware port scanning (P2P)
° 2000419(1): Egg Download - ET POLICY PE EXE or DLL Windows file download
° 3300007(1): Egg Download - BotHunter Malware Windows executable (PE) sent from remote host
71.6.199.44 (US)
CHULA VISTA
CALIFORNIA
UNITED STATES
ASPADMIN.NET / DSL
CALIFORNIA REGIONAL INTRANET INC

High Details (1.8)
3 BotHunter Users
3 Infection Report
2010-05-21 to 2010-06-11

° 2003607(2): CandC Communication - ET MALWARE Cnzz.com/Baidu Related Spyware Stat Reporting
° 3(1): Inbound Attack - REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner
° 2002032(1): CandC Communication - ET TROJAN BOT - potential DDoS command (1)
° 2003438(1): CandC Communication - ET MALWARE Abcsearch.com Spyware Reporting
° 2007951(1): CandC Communication - ET MALWARE Hex Encoded IP HTTP Request - Likely Malware
° 2009292(1): CandC Communication - ET TROJAN Hupigon CnC Server Response
° 3810007(1): Russian Business Network - ET Known Russian Business Network Monitored Domain
° 7777005(1): Outbound Scan - Detected intense non-malware port scanning
88.212.196.66 (RU)
-
-
RUSSIAN FEDERATION
RAX.RU / COMP
HTTP://WWW.LIVEINTERNET.RU

Very High Details (2.0)
13 BotHunter Users
53 Infection Report
2010-04-22 to 2010-05-26

° 7777005(22): Outbound Scan - Detected intense non-malware port scanning
° 3810003(15): Bot Space Access - BotHunter REPO confirmed botnet control server
° 3810007(5): Russian Business Network - ET Known Russian Business Network Monitored Domain
° 3(1): Inbound Attack - REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner
° 2003174(1): Inbound Attack - ET EXPLOIT Possible UTF-16 encoded Shellcode Detected
201.62.216.245 (BR)
-
-
BRAZIL
STERLINGSTUDENTS.NET / DSL
COMITE GESTOR DA INTERNET NO BRASIL

High Details (1.8)
1 BotHunter Users
1 Infection Report
2010-07-01 to 2010-07-01

° 2003330(3): Attack Prep - ET POLICY Possible Spambot Host DNS MX Query High Count
° 9910014(2): Bot Space Access - ET POLICY Spambot Host DNS MX Query High Count
° 2007711(1): CandC Communication - ET TROJAN Srizbi registering with controller
195.64.163.103 (UA)
-
-
UKRAINE
AVENUE.COM.UA / DSL
PHYSICAL PERSON-BUSINESSMAN KUPRIENKO VICTOR VICTOROVICH

High Details (1.7)
1 BotHunter Users
1 Infection Report
2010-07-18 to 2010-07-18

° 2001569(4): Outbound Attack - ET SCAN Behavioral Unusual Port NETBIOS traffic, Potential Scan or Infection (60 in 60 secs)
° 7777008(3): Malware Scan - Detected intense malware port scanning
° 3810007(1): Russian Business Network - ET Known Russian Business Network Monitored Domain
99.242.23.0 (CA)
TORONTO
ONTARIO
CANADA
ROGERS.COM / DSL
ROGERS CABLE INC. BLOOR

Very High Details (2.0)
1 BotHunter Users
1 Infection Report
2010-07-12 to 2010-07-12

° 2007711(1): CandC Communication - ET TROJAN Srizbi registering with controller
° 7777005(1): Outbound Scan - Detected intense non-malware port scanning
° 9906018(1): not found
38.99.186.27 (US)
WASHINGTON
DISTRICT OF COLUMBIA
UNITED STATES
NETRACKSERVERS.COM / DIAL
PSINET INC

High Details (1.8)
194 BotHunter Users
3199 Infection Report
2010-04-14 to 2010-08-09

° 7777005(85): Outbound Scan - Detected intense non-malware port scanning
° 3810007(51): Russian Business Network - ET Known Russian Business Network Monitored Domain
° 3(31): Inbound Attack - REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner
° 2002196(27): CandC Communication - ET MALWARE Casalemedia Spyware Reporting URL Visited 2
° 3810003(26): Bot Space Access - BotHunter REPO confirmed botnet control server
° 2003438(24): CandC Communication - ET MALWARE Abcsearch.com Spyware Reporting
° 2003607(15): CandC Communication - ET MALWARE Cnzz.com/Baidu Related Spyware Stat Reporting
° 3810005(14): Bot Space Access - ET ShadowServer confirmed botnet control server
° 2009880(13): CandC Communication - ET MALWARE Casalemedia Spyware Reporting URL Visited 3
74.52.73.98 (US)
DALLAS
TEXAS
UNITED STATES
THEPLANET.COM / COMP
THEPLANET.COM INTERNET SERVICES INC

Moderate Details (1.3)
1 BotHunter Users
5 Infection Report
2010-05-04 to 2010-05-04

° 7777008(14): Malware Scan - Detected intense malware port scanning
° 2001569(5): Outbound Attack - ET SCAN Behavioral Unusual Port NETBIOS traffic, Potential Scan or Infection (60 in 60 secs)
° 3810005(5): Bot Space Access - ET ShadowServer confirmed botnet control server
85.190.0.3 (DE)
-
-
GERMANY
FREENODE.NET / DSL
PROBE NETWORKS COLO3-TELECITY FFM

Very High Details (2.2)
11 BotHunter Users
14 Infection Report
2010-05-19 to 2010-06-10

° 2003607(2): CandC Communication - ET MALWARE Cnzz.com/Baidu Related Spyware Stat Reporting
° 3(1): Inbound Attack - REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner
° 2003438(1): CandC Communication - ET MALWARE Abcsearch.com Spyware Reporting
° 3810003(1): Bot Space Access - BotHunter REPO confirmed botnet control server
° 3810007(1): Russian Business Network - ET Known Russian Business Network Monitored Domain
° 3810009(1): Bot Space Access - ET COMPROMISED Known Compromised or Hostile Host Traffic
° 7777005(1): Outbound Scan - Detected intense non-malware port scanning
80.70.236.71 (RU)
ST. PETERSBURG
SAINT PETERSBURG CITY
RUSSIAN FEDERATION
MNS.RU / COMP
NAT FOR CLIENT NETWORK

Maximum Details (2.3)
2 BotHunter Users
8 Infection Report
2010-07-22 to 2010-07-22

° 7777005(8): Outbound Scan - Detected intense non-malware port scanning
° 9906023(8): not found
° 2007827(6): Egg Download - ET TROJAN Suspicious User-Agent - Possible Trojan Downloader (ie)
° 3(3): Inbound Attack - REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner
° 25(3): Inbound Attack - ET EXPLOIT COM Object Instantiation Memory Corruption Vulnerability MS05-054
° 2008564(3): CandC Communication - ET USER_AGENTS Suspicious User-Agent (Internet HTTP Request)
° 1(2): Inbound Attack - REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner
° 7777008(1): Malware Scan - Detected intense malware port scanning
° 9906025(1): not found
93.186.127.238 (TR)
-
-
TURKEY
VITALHOSTING.COM.TR / DSL
VITAL TEKNOLOJI - DEDICATED POOL

Maximum Details (3.3)
2 BotHunter Users
7 Infection Report
2010-04-14 to 2010-04-14

° 2003330(12): Attack Prep - ET POLICY Possible Spambot Host DNS MX Query High Count
° 2003179(8): Egg Download - ET POLICY exe download without User Agent
° 2008523(8): CandC Communication - ET TROJAN Generic Trojan Checkin
° 3300007(8): Egg Download - BotHunter Malware Windows executable (PE) sent from remote host
° 7777005(8): Outbound Scan - Detected intense non-malware port scanning
° 2000419(7): Egg Download - ET POLICY PE EXE or DLL Windows file download
° 2008576(5): Egg Download - ET TROJAN TinyPE Binary - Possibly Hostile
° 2010288(5): Egg Download - ET TROJAN W32/Scar Downloader Request
° 9910014(5): Bot Space Access - ET POLICY Spambot Host DNS MX Query High Count
° 2000328(3): Outbound Attack - ET POLICY Outbound Multiple Non-SMTP Server Emails (20 in 120 secs)
213.89.179.38 (SE)
STOCKHOLM
STOCKHOLMS LAN
SWEDEN
COMHEM.SE / DSL
COMHEM

Moderate Details (1.3)
1 BotHunter Users
2 Infection Report
2010-07-08 to 2010-07-08

° 2007711(2): CandC Communication - ET TROJAN Srizbi registering with controller
° 7777005(2): Outbound Scan - Detected intense non-malware port scanning
° 2000419(1): Egg Download - ET POLICY PE EXE or DLL Windows file download
° 3300007(1): Egg Download - BotHunter Malware Windows executable (PE) sent from remote host
213.230.203.86 (UK)
LEEDS
ENGLAND
UNITED KINGDOM
JIMMYHAT.CO.UK / DSL
UH HOSTING LTD

Maximum Details (2.5)
10 BotHunter Users
17 Infection Report
2010-04-26 to 2010-08-11

° 2003330(29): Attack Prep - ET POLICY Possible Spambot Host DNS MX Query High Count
° 2001569(7): Outbound Attack - ET SCAN Behavioral Unusual Port NETBIOS traffic, Potential Scan or Infection (60 in 60 secs)
° 9910014(7): Bot Space Access - ET POLICY Spambot Host DNS MX Query High Count
° 2000328(5): Outbound Attack - ET POLICY Outbound Multiple Non-SMTP Server Emails (20 in 120 secs)
° 3810007(4): Russian Business Network - ET Known Russian Business Network Monitored Domain
64.124.109.0 (US)
SAN JOSE
CALIFORNIA
UNITED STATES
ABOVE.NET / COMP
ABOVENET COMMUNICATIONS INC

High Details (1.7)
21 BotHunter Users
451 Infection Report
2010-04-14 to 2010-08-03

° 7777005(22): Outbound Scan - Detected intense non-malware port scanning
° 2003422(17): CandC Communication - ET MALWARE Weatherbug Command Activity
° 2002836(1): Egg Download - ET MALWARE MyWebSearch Toolbar Traffic (bar config download)
212.77.137.0 (RU)
-
-
RUSSIAN FEDERATION
RIKT.RU / DSL
JSC RITC

Very High Details (2.0)
1 BotHunter Users
2 Infection Report
2010-06-23 to 2010-06-23

° 2007711(2): CandC Communication - ET TROJAN Srizbi registering with controller
° 7777005(2): Outbound Scan - Detected intense non-malware port scanning
° 9906008(2): not found
° 3(1): Inbound Attack - REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner
93.174.95.145 (NL)
HAARLEM
NOORD-HOLLAND
NETHERLANDS
BWHS.NL / DSL
BULLCAT HOSTING

Maximum Details (2.3)
3 BotHunter Users
45 Infection Report
2010-04-15 to 2010-04-16

° 2000328(170): Outbound Attack - ET POLICY Outbound Multiple Non-SMTP Server Emails (20 in 120 secs)
° 2003330(64): Attack Prep - ET POLICY Possible Spambot Host DNS MX Query High Count
° 2008189(37): CandC Communication - ET TROJAN SpamTool.Win32.Agent.gy/Grum/Tedroo Or Similar HTTP Checkin
° 9910014(34): Bot Space Access - ET POLICY Spambot Host DNS MX Query High Count
12.8.252.66 (US)
TAMPA
FLORIDA
UNITED STATES
ATT.NET / DSL
AT&T WORLDNET SERVICES

Moderate Details (1.3)
2 BotHunter Users
6 Infection Report
2010-04-22 to 2010-04-23

° 2001569(8): Outbound Attack - ET SCAN Behavioral Unusual Port NETBIOS traffic, Potential Scan or Infection (60 in 60 secs)
° 3810005(2): Bot Space Access - ET ShadowServer confirmed botnet control server
81.94.28.0 (RU)
MOSCOW
MOSCOW CITY
RUSSIAN FEDERATION
MNS.RU / DSL
CREDOLINK ISP VPN POOL

High Details (1.5)
1 BotHunter Users
13 Infection Report
2010-04-19 to 2010-04-19

° 7777005(22): Outbound Scan - Detected intense non-malware port scanning
° 9906025(13): not found
° 3(4): Inbound Attack - REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner
° 9906023(3): not found
° 9906003(1): not found
° 9906027(1): not found
° 52007933(1): Outbound Attack - ET EXPLOIT Zilab Chat and Instant Messaging Heap Overflow Vulnerability
90.224.58.152 (SE)
STOCKHOLM
STOCKHOLMS LAN
SWEDEN
TELIA.COM / DSL
TELIA NETWORK SERVICES

Moderate Details (1.3)
1 BotHunter Users
1 Infection Report
2010-07-09 to 2010-07-09

° 3300007(3): Egg Download - BotHunter Malware Windows executable (PE) sent from remote host
° 2000419(1): Egg Download - ET POLICY PE EXE or DLL Windows file download
° 2007711(1): CandC Communication - ET TROJAN Srizbi registering with controller
° 7777005(1): Outbound Scan - Detected intense non-malware port scanning
219.232.241.135 (CN)
BEIJING
BEIJING
CHINA
CRC.COM.CN / DSL
BEIJING PRIMEZONE TECHNOLOGIES INC

High Details (1.6)
14 BotHunter Users
37 Infection Report
2010-05-27 to 2010-08-05

° 3810003(7): Bot Space Access - BotHunter REPO confirmed botnet control server
° 7777005(6): Outbound Scan - Detected intense non-malware port scanning
° 2003179(1): Egg Download - ET POLICY exe download without User Agent
° 3810007(1): Russian Business Network - ET Known Russian Business Network Monitored Domain
193.45.15.16 (SE)
-
-
SWEDEN
TELIA.COM / DSL
PROVIDER LOCAL REGISTRY

Moderate Details (1.2)
1 BotHunter Users
2 Infection Report
2010-05-15 to 2010-05-15

° 2000328(28): Outbound Attack - ET POLICY Outbound Multiple Non-SMTP Server Emails (20 in 120 secs)
° 2002196(3): CandC Communication - ET MALWARE Casalemedia Spyware Reporting URL Visited 2
° 7777055(2): Outbound Scan - Detected intense non-malware port scanning (P2P)
° 2009880(1): CandC Communication - ET MALWARE Casalemedia Spyware Reporting URL Visited 3
80.70.227.67 (RU)
ST. PETERSBURG
SAINT PETERSBURG CITY
RUSSIAN FEDERATION
MNS.RU / DIAL
CREDOLINK ISP DIAL-UP

Moderate Details (1.2)
1 BotHunter Users
1 Infection Report
2010-07-01 to 2010-07-01

° 2000419(1): Egg Download - ET POLICY PE EXE or DLL Windows file download
° 2007711(1): CandC Communication - ET TROJAN Srizbi registering with controller
° 3300007(1): Egg Download - BotHunter Malware Windows executable (PE) sent from remote host
° 7777055(1): Outbound Scan - Detected intense non-malware port scanning (P2P)
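Every entry above follows one fixed layout: the IP and country code, three location lines, domain and access type, provider, then the detail score, BotHunter user and infection report counts, the date range, and finally the signature hits with their per-signature counts. The parser below is an added example, not tooling from the BotHunter repository, that turns that layout into structured records and then answers the two questions worth asking before acting on this list: which entries are backed by a "confirmed botnet control server" hit (signatures 3810003 and 3810005 as described on this page; grouping them as confirmed C&C is my reading of those descriptions, not a BotHunter classification) rather than only adware or stat-reporting signatures, and which signatures account for most of the hits. The two records embedded as sample input are copied from the listing above.

```python
import re
from collections import Counter, namedtuple

# Sample input: two records copied verbatim from the listing above.
SAMPLE = """\
81.94.31.100 (RU)
MOSCOW
MOSCOW CITY
RUSSIAN FEDERATION
MNS.RU / DSL
CREDOLINK ISP VPN POOL

High Details (1.8)
1 BotHunter Users
3 Infection Report
2010-06-25 to 2010-06-25

° 7777005(3): Outbound Scan - Detected intense non-malware port scanning
° 9906025(3): not found
° 2008564(1): CandC Communication - ET USER_AGENTS Suspicious User-Agent (Internet HTTP Request)
85.190.0.3 (DE)
-
-
GERMANY
FREENODE.NET / DSL
PROBE NETWORKS COLO3-TELECITY FFM

Very High Details (2.2)
11 BotHunter Users
14 Infection Report
2010-05-19 to 2010-06-10

° 2003607(2): CandC Communication - ET MALWARE Cnzz.com/Baidu Related Spyware Stat Reporting
° 3810003(1): Bot Space Access - BotHunter REPO confirmed botnet control server
° 7777005(1): Outbound Scan - Detected intense non-malware port scanning
"""

HEADER_RE = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3}) \(([A-Z]{2})\)$")   # "IP (CC)"
EVIDENCE_RE = re.compile(r"^\D*(\d+)\((\d+)\):\s*(.+)$")                 # "° SID(hits): text"
DETAIL_RE = re.compile(r"^(.+?) Details? \(([\d.]+)\)$")                 # "High Details (1.8)"
# Signatures described on the page as "confirmed botnet control server" (my grouping, not BotHunter's).
CONFIRMED_CNC_SIDS = {3810003, 3810005}

Evidence = namedtuple("Evidence", "sid hits category description")
Record = namedtuple("Record", "ip cc city country domain provider detail_level "
                              "detail_score users reports first_seen last_seen evidence")

def _parse_evidence(line):
    m = EVIDENCE_RE.match(line)
    if not m:
        return None
    sid, hits, rest = m.groups()
    category, sep, description = rest.partition(" - ")
    if not sep:  # e.g. "not found": the repository could not resolve the signature ID
        category, description = "unknown", rest
    return Evidence(int(sid), int(hits), category, description)

def _parse_block(lines):
    """Build a Record from one record's non-blank lines; the page layout is positional."""
    dash = lambda s: None if s == "-" else s  # "-" on the page means unknown
    ip, cc = HEADER_RE.match(lines[0]).groups()
    level, score = DETAIL_RE.match(lines[6]).groups()
    first, _, last = lines[9].partition(" to ")
    evidence = [e for e in map(_parse_evidence, lines[10:]) if e]
    return Record(ip, cc, dash(lines[1]), lines[3], dash(lines[4].partition(" / ")[0]),
                  lines[5], level, float(score), int(lines[7].split()[0]),
                  int(lines[8].split()[0]), first, last, evidence)

def parse_records(text):
    """Split the listing on "IP (CC)" header lines and parse each record."""
    records, block = [], []
    for line in (raw.strip() for raw in text.splitlines()):
        if not line or (not block and not HEADER_RE.match(line)):
            continue  # skip blanks and anything before the first record
        if HEADER_RE.match(line) and block:
            records.append(_parse_block(block))
            block = []
        block.append(line)
    if block:
        records.append(_parse_block(block))
    return records

def categories(rec):
    """Distinct evidence categories: the infection-dialog phases BotHunter saw for this IP."""
    return sorted({e.category for e in rec.evidence})

def confirmed_cnc_ips(records):
    """IPs backed by a confirmed-C&C signature hit, not only adware/stat-reporting hits."""
    return [r.ip for r in records if any(e.sid in CONFIRMED_CNC_SIDS for e in r.evidence)]

def signature_totals(records):
    """Total hit count per signature ID across all records."""
    return sum((Counter({e.sid: e.hits}) for r in records for e in r.evidence), Counter())

if __name__ == "__main__":
    recs = parse_records(SAMPLE)
    for r in recs:
        print(f"{r.ip:15} {r.cc} score={r.detail_score} users={r.users} {categories(r)}")
    print("confirmed C&C:", confirmed_cnc_ips(recs))
```

The point of the two ranking helpers is that the IP column alone is a poor blocklist: many entries on this page are listed on the strength of ad-tracking and stat-reporting signatures (the 51yes.com, cnzz.com and Casalemedia "Spyware Reporting" rules), unresolved IDs shown as "not found", or a single user's single report, while a minority carry a confirmed-control-server hit reported by dozens of installs. Filter on the signature set and on the user count before treating an address as C&C, and remember the page's own terms forbid redistributing the data.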
67.215.66.132 (US)
SAN FRANCISCO
CALIFORNIA
UNITED STATES
OPENDNS.COM / DSL
OPENDNS LLC

Maximum Detail