Saturday 19 September 2009
19 September 2009: Infection platforms are now stabilized
By Marc Blanchard [Virus Docteur], Saturday 19 September 2009 at 13:15 :: Epidemiology - English section -
Isomorphic behaviors:
On XP:
The activity seems stabilized: the host proceeds to infection attempts and reaches external sites / the internal network every 2 hours.
No files were modified or created.
On WIN2003:
The activity seems stabilized: the host proceeds to infection attempts and reaches external sites / the internal network every 2 hours.
No files were modified or created.
NOTE:
For the analysis of the virus lab and of the Conficker behaviors, the platform now seems stabilized.
So, I have decided to wait a few days and to let the probes and the LAN analyzer gather information, in order to start studying some of the activity behaviors.
No. Time Source Destination Protocol Info
712359 2009-09-19 00:39:11.459587 192.168.1.10 192.168.1.20 TCP nesh-broker > microsoft-ds SYN Seq=0 Win=16384 Len=0 MSS=1460
Frame 712359 (62 bytes on wire, 62 bytes captured) Ethernet II, Src: Dell_2e:9e:54 (00:1e:c9:2e:9e:54), Dst: 3com_1d:42:a7 (00:01:02:1d:42:a7) Internet Protocol, Src: 192.168.1.10 (192.168.1.10), Dst: 192.168.1.20 (192.168.1.20) Transmission Control Protocol, Src Port: nesh-broker (3507), Dst Port: microsoft-ds (445), Seq: 0, Len: 0
712365 2009-09-19 00:39:11.912276 192.168.1.10 192.168.1.20 TCP nesh-broker > microsoft-ds SYN Seq=0 Win=16384 Len=0 MSS=1460
Frame 712365 (62 bytes on wire, 62 bytes captured) Ethernet II, Src: Dell_2e:9e:54 (00:1e:c9:2e:9e:54), Dst: 3com_1d:42:a7 (00:01:02:1d:42:a7) Internet Protocol, Src: 192.168.1.10 (192.168.1.10), Dst: 192.168.1.20 (192.168.1.20) Transmission Control Protocol, Src Port: nesh-broker (3507), Dst Port: microsoft-ds (445), Seq: 0, Len: 0
712369 2009-09-19 00:39:12.349806 192.168.1.10 192.168.1.20 TCP nesh-broker > microsoft-ds SYN Seq=0 Win=16384 Len=0 MSS=1460
Frame 712369 (62 bytes on wire, 62 bytes captured) Ethernet II, Src: Dell_2e:9e:54 (00:1e:c9:2e:9e:54), Dst: 3com_1d:42:a7 (00:01:02:1d:42:a7) Internet Protocol, Src: 192.168.1.10 (192.168.1.10), Dst: 192.168.1.20 (192.168.1.20) Transmission Control Protocol, Src Port: nesh-broker (3507), Dst Port: microsoft-ds (445), Seq: 0, Len: 0

773854 2009-09-19 02:43:49.252061 192.168.1.20 www.l.google.com TCP pxc-sapxom > http SYN Seq=0 Win=65535 Len=0 MSS=1460
Frame 773854 (62 bytes on wire, 62 bytes captured) Ethernet II, Src: 3com_1d:42:a7 (00:01:02:1d:42:a7), Dst: HSIB.home (00:19:4b:f3:54:12) Internet Protocol, Src: 192.168.1.20 (192.168.1.20), Dst: www.l.google.com (209.85.229.147) Transmission Control Protocol, Src Port: pxc-sapxom (2680), Dst Port: http (80), Seq: 0, Len: 0
773856 2009-09-19 02:43:49.298232 192.168.1.20 www.l.google.com TCP pxc-sapxom > http ACK Seq=1 Ack=1 Win=65535 Len=0
Frame 773856 (54 bytes on wire, 54 bytes captured) Ethernet II, Src: 3com_1d:42:a7 (00:01:02:1d:42:a7), Dst: HSIB.home (00:19:4b:f3:54:12) Internet Protocol, Src: 192.168.1.20 (192.168.1.20), Dst: www.l.google.com (209.85.229.147) Transmission Control Protocol, Src Port: pxc-sapxom (2680), Dst Port: http (80), Seq: 1, Ack: 1, Len: 0
773858 2009-09-19 02:43:49.310283 192.168.1.20 www.l.google.com HTTP GET /tools/swg2/update?auv=1&r=2&up=30&p=w&ma=5&mi=1&b=2600&sp=ServicePack2&as=swg&pv=5.2.4204.1700&type=a&hl=fr&os=win&ie=6.0.2900.2180&brand=GGLL&pds=1&ds=1&su=0&gus=1&hpi=-1&lsp=86281&rep=1&rlz=I7:,W1:,R2:&dcc=T4:1T4ADBR_frFR283FR298&dsc1=0&hpc1=0&sdsa1=0&sdsa7=0&dsbc1=0&dsbc7=0&ust=3 HTTP/1.0
Frame 773858 (724 bytes on wire, 724 bytes captured) Ethernet II, Src: 3com_1d:42:a7 (00:01:02:1d:42:a7), Dst: HSIB.home (00:19:4b:f3:54:12) Internet Protocol, Src: 192.168.1.20 (192.168.1.20), Dst: www.l.google.com (209.85.229.147) Transmission Control Protocol, Src Port: pxc-sapxom (2680), Dst Port: http (80), Seq: 1, Ack: 1, Len: 670 Hypertext Transfer Protocol
773862 2009-09-19 02:43:49.375586 192.168.1.20 www.l.google.com TCP pxc-sapxom > http ACK Seq=671 Ack=390 Win=65147 Len=0
Frame 773862 (54 bytes on wire, 54 bytes captured) Ethernet II, Src: 3com_1d:42:a7 (00:01:02:1d:42:a7), Dst: HSIB.home (00:19:4b:f3:54:12) Internet Protocol, Src: 192.168.1.20 (192.168.1.20), Dst: www.l.google.com (209.85.229.147) Transmission Control Protocol, Src Port: pxc-sapxom (2680), Dst Port: http (80), Seq: 671, Ack: 390, Len: 0
773869 2009-09-19 02:43:49.634774 192.168.1.20 www.l.google.com TCP pxc-sapxom > http FIN, ACK Seq=671 Ack=390 Win=65147 Len=0
Frame 773869 (54 bytes on wire, 54 bytes captured) Ethernet II, Src: 3com_1d:42:a7 (00:01:02:1d:42:a7), Dst: HSIB.home (00:19:4b:f3:54:12) Internet Protocol, Src: 192.168.1.20 (192.168.1.20), Dst: www.l.google.com (209.85.229.147) Transmission Control Protocol, Src Port: pxc-sapxom (2680), Dst Port: http (80), Seq: 671, Ack: 390, Len: 0

794586 2009-09-19 03:25:24.995844 192.168.1.10 192.168.1.20 TCP 4210 > microsoft-ds SYN Seq=0 Win=16384 Len=0 MSS=1460
Frame 794586 (62 bytes on wire, 62 bytes captured) Ethernet II, Src: Dell_2e:9e:54 (00:1e:c9:2e:9e:54), Dst: 3com_1d:42:a7 (00:01:02:1d:42:a7) Internet Protocol, Src: 192.168.1.10 (192.168.1.10), Dst: 192.168.1.20 (192.168.1.20) Transmission Control Protocol, Src Port: 4210 (4210), Dst Port: microsoft-ds (445), Seq: 0, Len: 0
794591 2009-09-19 03:25:25.464227 192.168.1.10 192.168.1.20 TCP 4210 > microsoft-ds SYN Seq=0 Win=16384 Len=0 MSS=1460
Frame 794591 (62 bytes on wire, 62 bytes captured) Ethernet II, Src: Dell_2e:9e:54 (00:1e:c9:2e:9e:54), Dst: 3com_1d:42:a7 (00:01:02:1d:42:a7) Internet Protocol, Src: 192.168.1.10 (192.168.1.10), Dst: 192.168.1.20 (192.168.1.20) Transmission Control Protocol, Src Port: 4210 (4210), Dst Port: microsoft-ds (445), Seq: 0, Len: 0
794597 2009-09-19 03:25:25.901713 192.168.1.10 192.168.1.20 TCP 4210 > microsoft-ds SYN Seq=0 Win=16384 Len=0 MSS=1460
Frame 794597 (62 bytes on wire, 62 bytes captured) Ethernet II, Src: Dell_2e:9e:54 (00:1e:c9:2e:9e:54), Dst: 3com_1d:42:a7 (00:01:02:1d:42:a7) Internet Protocol, Src: 192.168.1.10 (192.168.1.10), Dst: 192.168.1.20 (192.168.1.20) Transmission Control Protocol, Src Port: 4210 (4210), Dst Port: microsoft-ds (445), Seq: 0, Len: 0

875197 2009-09-19 06:10:38.505103 192.168.1.10 192.168.1.20 TCP 4886 > microsoft-ds SYN Seq=0 Win=16384 Len=0 MSS=1460
Frame 875197 (62 bytes on wire, 62 bytes captured) Ethernet II, Src: Dell_2e:9e:54 (00:1e:c9:2e:9e:54), Dst: 3com_1d:42:a7 (00:01:02:1d:42:a7) Internet Protocol, Src: 192.168.1.10 (192.168.1.10), Dst: 192.168.1.20 (192.168.1.20) Transmission Control Protocol, Src Port: 4886 (4886), Dst Port: microsoft-ds (445), Seq: 0, Len: 0
875203 2009-09-19 06:10:38.973358 192.168.1.10 192.168.1.20 TCP 4886 > microsoft-ds SYN Seq=0 Win=16384 Len=0 MSS=1460
Frame 875203 (62 bytes on wire, 62 bytes captured) Ethernet II, Src: Dell_2e:9e:54 (00:1e:c9:2e:9e:54), Dst: 3com_1d:42:a7 (00:01:02:1d:42:a7) Internet Protocol, Src: 192.168.1.10 (192.168.1.10), Dst: 192.168.1.20 (192.168.1.20) Transmission Control Protocol, Src Port: 4886 (4886), Dst Port: microsoft-ds (445), Seq: 0, Len: 0
875212 2009-09-19 06:10:39.520209 192.168.1.10 192.168.1.20 TCP 4886 > microsoft-ds SYN Seq=0 Win=16384 Len=0 MSS=1460
Frame 875212 (62 bytes on wire, 62 bytes captured) Ethernet II, Src: Dell_2e:9e:54 (00:1e:c9:2e:9e:54), Dst: 3com_1d:42:a7 (00:01:02:1d:42:a7) Internet Protocol, Src: 192.168.1.10 (192.168.1.10), Dst: 192.168.1.20 (192.168.1.20) Transmission Control Protocol, Src Port: 4886 (4886), Dst Port: microsoft-ds (445), Seq: 0, Len: 0

950886 2009-09-19 08:44:52.290427 192.168.1.10 192.168.1.20 TCP uohost > microsoft-ds SYN Seq=0 Win=16384 Len=0 MSS=1460
Frame 950886 (62 bytes on wire, 62 bytes captured) Ethernet II, Src: Dell_2e:9e:54 (00:1e:c9:2e:9e:54), Dst: 3com_1d:42:a7 (00:01:02:1d:42:a7) Internet Protocol, Src: 192.168.1.10 (192.168.1.10), Dst: 192.168.1.20 (192.168.1.20) Transmission Control Protocol, Src Port: uohost (3314), Dst Port: microsoft-ds (445), Seq: 0, Len: 0
950893 2009-09-19 08:44:52.743105 192.168.1.10 192.168.1.20 TCP uohost > microsoft-ds SYN Seq=0 Win=16384 Len=0 MSS=1460
Frame 950893 (62 bytes on wire, 62 bytes captured) Ethernet II, Src: Dell_2e:9e:54 (00:1e:c9:2e:9e:54), Dst: 3com_1d:42:a7 (00:01:02:1d:42:a7) Internet Protocol, Src: 192.168.1.10 (192.168.1.10), Dst: 192.168.1.20 (192.168.1.20) Transmission Control Protocol, Src Port: uohost (3314), Dst Port: microsoft-ds (445), Seq: 0, Len: 0
950900 2009-09-19 08:44:53.289926 192.168.1.10 192.168.1.20 TCP uohost > microsoft-ds SYN Seq=0 Win=16384 Len=0 MSS=1460
Frame 950900 (62 bytes on wire, 62 bytes captured) Ethernet II, Src: Dell_2e:9e:54 (00:1e:c9:2e:9e:54), Dst: 3com_1d:42:a7 (00:01:02:1d:42:a7) Internet Protocol, Src: 192.168.1.10 (192.168.1.10), Dst: 192.168.1.20 (192.168.1.20) Transmission Control Protocol, Src Port: uohost (3314), Dst Port: microsoft-ds (445), Seq: 0, Len: 0

1020429 2009-09-19 11:03:05.960251 192.168.1.10 192.168.1.20 TCP hicp > microsoft-ds SYN Seq=0 Win=16384 Len=0 MSS=1460
Frame 1020429 (62 bytes on wire, 62 bytes captured) Ethernet II, Src: Dell_2e:9e:54 (00:1e:c9:2e:9e:54), Dst: 3com_1d:42:a7 (00:01:02:1d:42:a7) Internet Protocol, Src: 192.168.1.10 (192.168.1.10), Dst: 192.168.1.20 (192.168.1.20) Transmission Control Protocol, Src Port: hicp (3250), Dst Port: microsoft-ds (445), Seq: 0, Len: 0
1020435 2009-09-19 11:03:06.428629 192.168.1.10 192.168.1.20 TCP hicp > microsoft-ds SYN Seq=0 Win=16384 Len=0 MSS=1460
Frame 1020435 (62 bytes on wire, 62 bytes captured) Ethernet II, Src: Dell_2e:9e:54 (00:1e:c9:2e:9e:54), Dst: 3com_1d:42:a7 (00:01:02:1d:42:a7) Internet Protocol, Src: 192.168.1.10 (192.168.1.10), Dst: 192.168.1.20 (192.168.1.20) Transmission Control Protocol, Src Port: hicp (3250), Dst Port: microsoft-ds (445), Seq: 0, Len: 0
1020441 2009-09-19 11:03:06.975463 192.168.1.10 192.168.1.20 TCP hicp > microsoft-ds SYN Seq=0 Win=16384 Len=0 MSS=1460
Frame 1020441 (62 bytes on wire, 62 bytes captured) Ethernet II, Src: Dell_2e:9e:54 (00:1e:c9:2e:9e:54), Dst: 3com_1d:42:a7 (00:01:02:1d:42:a7) Internet Protocol, Src: 192.168.1.10 (192.168.1.10), Dst: 192.168.1.20 (192.168.1.20) Transmission Control Protocol, Src Port: hicp (3250), Dst Port: microsoft-ds (445), Seq: 0, Len: 0

1099802 2009-09-19 13:46:19.590963 192.168.1.10 192.168.1.20 TCP ciphire-data > microsoft-ds SYN Seq=0 Win=16384 Len=0 MSS=1460
Frame 1099802 (62 bytes on wire, 62 bytes captured) Ethernet II, Src: Dell_2e:9e:54 (00:1e:c9:2e:9e:54), Dst: 3com_1d:42:a7 (00:01:02:1d:42:a7) Internet Protocol, Src: 192.168.1.10 (192.168.1.10), Dst: 192.168.1.20 (192.168.1.20) Transmission Control Protocol, Src Port: ciphire-data (3887), Dst Port: microsoft-ds (445), Seq: 0, Len: 0
1099811 2009-09-19 13:46:20.168725 192.168.1.10 192.168.1.20 TCP ciphire-data > microsoft-ds SYN Seq=0 Win=16384 Len=0 MSS=1460
Frame 1099811 (62 bytes on wire, 62 bytes captured) Ethernet II, Src: Dell_2e:9e:54 (00:1e:c9:2e:9e:54), Dst: 3com_1d:42:a7 (00:01:02:1d:42:a7) Internet Protocol, Src: 192.168.1.10 (192.168.1.10), Dst: 192.168.1.20 (192.168.1.20) Transmission Control Protocol, Src Port: ciphire-data (3887), Dst Port: microsoft-ds (445), Seq: 0, Len: 0
1099818 2009-09-19 13:46:20.715577 192.168.1.10 192.168.1.20 TCP ciphire-data > microsoft-ds SYN Seq=0 Win=16384 Len=0 MSS=1460
Frame 1099818 (62 bytes on wire, 62 bytes captured) Ethernet II, Src: Dell_2e:9e:54 (00:1e:c9:2e:9e:54), Dst: 3com_1d:42:a7 (00:01:02:1d:42:a7) Internet Protocol, Src: 192.168.1.10 (192.168.1.10), Dst: 192.168.1.20 (192.168.1.20) Transmission Control Protocol, Src Port: ciphire-data (3887), Dst Port: microsoft-ds (445), Seq: 0, Len: 0

1174609 2009-09-19 16:20:33.468964 192.168.1.10 192.168.1.20 TCP 4315 > microsoft-ds SYN Seq=0 Win=16384 Len=0 MSS=1460
Frame 1174609 (62 bytes on wire, 62 bytes captured) Ethernet II, Src: Dell_2e:9e:54 (00:1e:c9:2e:9e:54), Dst: 3com_1d:42:a7 (00:01:02:1d:42:a7) Internet Protocol, Src: 192.168.1.10 (192.168.1.10), Dst: 192.168.1.20 (192.168.1.20) Transmission Control Protocol, Src Port: 4315 (4315), Dst Port: microsoft-ds (445), Seq: 0, Len: 0
1174617 2009-09-19 16:20:33.952927 192.168.1.10 192.168.1.20 TCP 4315 > microsoft-ds SYN Seq=0 Win=16384 Len=0 MSS=1460
Frame 1174617 (62 bytes on wire, 62 bytes captured) Ethernet II, Src: Dell_2e:9e:54 (00:1e:c9:2e:9e:54), Dst: 3com_1d:42:a7 (00:01:02:1d:42:a7) Internet Protocol, Src: 192.168.1.10 (192.168.1.10), Dst: 192.168.1.20 (192.168.1.20) Transmission Control Protocol, Src Port: 4315 (4315), Dst Port: microsoft-ds (445), Seq: 0, Len: 0
1174623 2009-09-19 16:20:34.374814 192.168.1.10 192.168.1.20 TCP 4315 > microsoft-ds SYN Seq=0 Win=16384 Len=0 MSS=1460
Frame 1174623 (62 bytes on wire, 62 bytes captured) Ethernet II, Src: Dell_2e:9e:54 (00:1e:c9:2e:9e:54), Dst: 3com_1d:42:a7 (00:01:02:1d:42:a7) Internet Protocol, Src: 192.168.1.10 (192.168.1.10), Dst: 192.168.1.20 (192.168.1.20) Transmission Control Protocol, Src Port: 4315 (4315), Dst Port: microsoft-ds (445), Seq: 0, Len: 0

1254243 2009-09-19 19:05:46.981383 192.168.1.10 192.168.1.20 TCP parallel > microsoft-ds SYN Seq=0 Win=16384 Len=0 MSS=1460
Frame 1254243 (62 bytes on wire, 62 bytes captured) Ethernet II, Src: Dell_2e:9e:54 (00:1e:c9:2e:9e:54), Dst: 3com_1d:42:a7 (00:01:02:1d:42:a7) Internet Protocol, Src: 192.168.1.10 (192.168.1.10), Dst: 192.168.1.20 (192.168.1.20) Transmission Control Protocol, Src Port: parallel (4989), Dst Port: microsoft-ds (445), Seq: 0, Len: 0
1254248 2009-09-19 19:05:47.449677 192.168.1.10 192.168.1.20 TCP parallel > microsoft-ds SYN Seq=0 Win=16384 Len=0 MSS=1460
Frame 1254248 (62 bytes on wire, 62 bytes captured) Ethernet II, Src: Dell_2e:9e:54 (00:1e:c9:2e:9e:54), Dst: 3com_1d:42:a7 (00:01:02:1d:42:a7) Internet Protocol, Src: 192.168.1.10 (192.168.1.10), Dst: 192.168.1.20 (192.168.1.20) Transmission Control Protocol, Src Port: parallel (4989), Dst Port: microsoft-ds (445), Seq: 0, Len: 0
1254253 2009-09-19 19:05:48.012164 192.168.1.10 192.168.1.20 TCP parallel > microsoft-ds SYN Seq=0 Win=16384 Len=0 MSS=1460
Frame 1254253 (62 bytes on wire, 62 bytes captured) Ethernet II, Src: Dell_2e:9e:54 (00:1e:c9:2e:9e:54), Dst: 3com_1d:42:a7 (00:01:02:1d:42:a7) Internet Protocol, Src: 192.168.1.10 (192.168.1.10), Dst: 192.168.1.20 (192.168.1.20) Transmission Control Protocol, Src Port: parallel (4989), Dst Port: microsoft-ds (445), Seq: 0, Len: 0

1329172 2009-09-19 21:40:00.751117 192.168.1.10 192.168.1.20 TCP twcss > microsoft-ds SYN Seq=0 Win=16384 Len=0 MSS=1460
Frame 1329172 (62 bytes on wire, 62 bytes captured) Ethernet II, Src: Dell_2e:9e:54 (00:1e:c9:2e:9e:54), Dst: 3com_1d:42:a7 (00:01:02:1d:42:a7) Internet Protocol, Src: 192.168.1.10 (192.168.1.10), Dst: 192.168.1.20 (192.168.1.20) Transmission Control Protocol, Src Port: twcss (3428), Dst Port: microsoft-ds (445), Seq: 0, Len: 0
1329178 2009-09-19 21:40:01.219493 192.168.1.10 192.168.1.20 TCP twcss > microsoft-ds SYN Seq=0 Win=16384 Len=0 MSS=1460
Frame 1329178 (62 bytes on wire, 62 bytes captured) Ethernet II, Src: Dell_2e:9e:54 (00:1e:c9:2e:9e:54), Dst: 3com_1d:42:a7 (00:01:02:1d:42:a7) Internet Protocol, Src: 192.168.1.10 (192.168.1.10), Dst: 192.168.1.20 (192.168.1.20) Transmission Control Protocol, Src Port: twcss (3428), Dst Port: microsoft-ds (445), Seq: 0, Len: 0
1329181 2009-09-19 21:40:01.656970 192.168.1.10 192.168.1.20 TCP twcss > microsoft-ds SYN Seq=0 Win=16384 Len=0 MSS=1460
Frame 1329181 (62 bytes on wire, 62 bytes captured) Ethernet II, Src: Dell_2e:9e:54 (00:1e:c9:2e:9e:54), Dst: 3com_1d:42:a7 (00:01:02:1d:42:a7) Internet Protocol, Src: 192.168.1.10 (192.168.1.10), Dst: 192.168.1.20 (192.168.1.20) Transmission Control Protocol, Src Port: twcss (3428), Dst Port: microsoft-ds (445), Seq: 0, Len: 0
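As an added example (not code from the original post), the following Python reads summary lines in the format the LAN analyzer produced above, collapses the retransmitted SYNs of one unanswered connection into a single attempt, and flags a source whose attempts against the same destination port recur at a regular interval; it assumes only the summary-line layout shown on this page, and its sample input is a subset of the lines above.

```python
import re
from datetime import datetime
from statistics import mean, pstdev
# Summary lines copied from the capture above (retransmits of the 00:39 attempt, one
# unrelated SYN from the other host, then the first SYN of each later attempt).
SAMPLE = """\
712359 2009-09-19 00:39:11.459587 192.168.1.10 192.168.1.20 TCP nesh-broker > microsoft-ds SYN Seq=0 Win=16384 Len=0 MSS=1460
712365 2009-09-19 00:39:11.912276 192.168.1.10 192.168.1.20 TCP nesh-broker > microsoft-ds SYN Seq=0 Win=16384 Len=0 MSS=1460
773854 2009-09-19 02:43:49.252061 192.168.1.20 www.l.google.com TCP pxc-sapxom > http SYN Seq=0 Win=65535 Len=0 MSS=1460
794586 2009-09-19 03:25:24.995844 192.168.1.10 192.168.1.20 TCP 4210 > microsoft-ds SYN Seq=0 Win=16384 Len=0 MSS=1460
875197 2009-09-19 06:10:38.505103 192.168.1.10 192.168.1.20 TCP 4886 > microsoft-ds SYN Seq=0 Win=16384 Len=0 MSS=1460
950886 2009-09-19 08:44:52.290427 192.168.1.10 192.168.1.20 TCP uohost > microsoft-ds SYN Seq=0 Win=16384 Len=0 MSS=1460
1020429 2009-09-19 11:03:05.960251 192.168.1.10 192.168.1.20 TCP hicp > microsoft-ds SYN Seq=0 Win=16384 Len=0 MSS=1460
1099802 2009-09-19 13:46:19.590963 192.168.1.10 192.168.1.20 TCP ciphire-data > microsoft-ds SYN Seq=0 Win=16384 Len=0 MSS=1460
1174609 2009-09-19 16:20:33.468964 192.168.1.10 192.168.1.20 TCP 4315 > microsoft-ds SYN Seq=0 Win=16384 Len=0 MSS=1460
1254243 2009-09-19 19:05:46.981383 192.168.1.10 192.168.1.20 TCP parallel > microsoft-ds SYN Seq=0 Win=16384 Len=0 MSS=1460
1329172 2009-09-19 21:40:00.751117 192.168.1.10 192.168.1.20 TCP twcss > microsoft-ds SYN Seq=0 Win=16384 Len=0 MSS=1460
"""
# A port is shown as a service name or a number; "SYN Seq=" skips SYN/ACK, ACK and FIN lines.
SYN_RE = re.compile(r"^\d+\s+(?P<ts>\S+ \S+)\s+(?P<src>\S+)\s+(?P<dst>\S+)"
                    r"\s+TCP\s+(?P<sport>\S+) > (?P<dport>\S+)\s+SYN\s+Seq=")

def parse_syns(text):
    """Return (timestamp, src, dst, sport, dport) for every SYN summary line."""
    return [(datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S.%f"),
             m["src"], m["dst"], m["sport"], m["dport"])
            for m in map(SYN_RE.match, text.splitlines()) if m]

def connection_attempts(syns, retransmit_window=5.0):
    """Collapse retries of an unanswered SYN (same 4-tuple within seconds) into one attempt."""
    attempts, last_seen = {}, {}  # (src, dst, dport) -> [attempt times]; 4-tuple -> last SYN
    for ts, src, dst, sport, dport in syns:
        key = (src, dst, sport, dport)
        prev, last_seen[key] = last_seen.get(key), ts  # remember newest SYN of this 4-tuple
        if prev is not None and (ts - prev).total_seconds() <= retransmit_window:
            continue  # SYN retransmit, not a new attempt
        attempts.setdefault((src, dst, dport), []).append(ts)
    return attempts

def periodic_flows(attempts, min_attempts=4, max_jitter=0.25):
    """Flag flows whose attempts are evenly spaced; returns (flow, count, mean gap in s)."""
    findings = []
    for flow, times in attempts.items():
        if len(times) < min_attempts:
            continue
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:  # low spread = beacon-like
            findings.append((flow, len(times), round(avg)))
    return findings
```

On the sample it reports a single periodic flow, 192.168.1.10 to 192.168.1.20 on microsoft-ds, with nine attempts and a mean gap of about 9456 s, while the single outbound HTTP SYN is not flagged.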