Infected Target: 192.168.1.151
Score: 1.0 (>= 0.8)
Infector List: 213.131.252.251
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 11/02/2009 07:31:02.636 PST
Gen. Time: 11/02/2009 07:31:03.916 PST
INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
    213.131.252.251 (07:31:02.636 PST) event=1:2632222 {tcp} E2[dns] BHDNS SPYWARE-CONTACT: mitglied.lycos.de (zeus/wsnpoem v1 trojan), [/api/livesuite/pickup.asmx?1B35FDFF8A929B86776C97C7CE0E9B14681C8A748A74178D6B8F607215369089FA240B3E9B22D3B04EAA651D63D22F920169] MAC_Dst: 00:00:5E:00:01:6F 38094->80 (07:31:02.636 PST)
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
    208.0.0.1 (07:31:03.916 PST) event=777:7777005 {tcp} E5[bh] Detected intense non-malware port scanning of 21 IPs (1 /24s) (# pkts S/M/O/I=0/0/22/0): 22:22, [] MAC_Src: 00:0E:39:E0:94:00 0->0 (07:31:03.916 PST)
OUTBOUND SCAN
    208.0.0.19 (07:31:03.916 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 57920->22 (07:31:03.916 PST)
ATTACK PREP
PEER COORDINATION
DECLARE BOT
tcpslice 1257175862.636 1257175862.637 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.151'
============================== SEPARATOR ================================
Infected Target: 192.168.1.151
Score: 1.8 (>= 0.8)
Infector List: 213.131.252.251
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 11/02/2009 07:31:02.636 PST
Gen. Time: 11/02/2009 07:35:02.683 PST
INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
    213.131.252.251 (07:31:02.636 PST) event=1:2632222 {tcp} E2[dns] BHDNS SPYWARE-CONTACT: mitglied.lycos.de (zeus/wsnpoem v1 trojan), [/api/livesuite/pickup.asmx?1B35FDFF8A929B86776C97C7CE0E9B14681C8A748A74178D6B8F607215369089FA240B3E9B22D3B04EAA651D63D22F920169] MAC_Dst: 00:00:5E:00:01:6F 38094->80 (07:31:02.636 PST)
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
    208.0.0.1 (07:31:03.916 PST) event=777:7777005 {tcp} E5[bh] Detected intense non-malware port scanning of 21 IPs (1 /24s) (# pkts S/M/O/I=0/0/22/0): 22:22, [] MAC_Src: 00:0E:39:E0:94:00 0->0 (07:31:03.916 PST)
    208.0.148.227 (07:34:03.327 PST) event=777:7777005 {tcp} E5[bh] Detected intense non-malware port scanning of 30 IPs (2 /24s) (# pkts S/M/O/I=0/0/65535/0): 22:65535, 62532:2, [] MAC_Src: 00:0E:39:E0:94:00 0->0 (07:34:03.327 PST)
    208.0.76.43 (07:32:33.331 PST) event=777:7777005 {tcp} E5[bh] Detected intense non-malware port scanning of 30 IPs (4 /24s) (# pkts S/M/O/I=0/0/65535/0): 22:65535, 62532:2, [] MAC_Src: 00:0E:39:E0:94:00 0->0 (07:32:33.331 PST)
OUTBOUND SCAN
    208.0.0.90 (07:31:03.918 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 34490->22 (07:31:03.918 PST)
    208.0.1.33 (07:31:03.922 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 34649->22 (07:31:03.922 PST)
    208.0.0.234 (07:31:03.921 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 56559->22 (07:31:03.921 PST)
    208.0.0.73 (07:31:03.917 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 42027->22 (07:31:03.917 PST)
    208.0.0.180 (07:31:03.919 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 37411->22 (07:31:03.919 PST)
    208.0.0.19 (07:31:03.916 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 57920->22 (07:31:03.916 PST)
    208.0.0.126 (07:31:03.918 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 48774->22 (07:31:03.918 PST)
    208.0.1.15 (07:31:03.921 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 59854->22 (07:31:03.921 PST)
    208.0.1.52 (07:31:03.922 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 37804->22 (07:31:03.922 PST)
    208.0.0.216 (07:31:03.920 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 50961->22 (07:31:03.920 PST)
    208.0.0.55 (07:31:03.917 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 34648->22 (07:31:03.917 PST)
    208.0.0.162 (07:31:03.919 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 36572->22 (07:31:03.919 PST)
    208.0.0.108 (07:31:03.918 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 59945->22 (07:31:03.918 PST)
    208.0.0.252 (07:31:03.921 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 36716->22 (07:31:03.921 PST)
    208.0.0.198 (07:31:03.920 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 51125->22 (07:31:03.920 PST)
    208.0.0.37 (07:31:03.917 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 47117->22 (07:31:03.917 PST)
    208.0.0.144 (07:31:03.919 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 41218->22 (07:31:03.919 PST)
ATTACK PREP
PEER COORDINATION
DECLARE BOT
    208.0.194.121 (07:35:00.326 PST) event=1:3810003 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:0E:39:E0:94:00 36575->22 (07:35:00.326 PST)
tcpslice 1257175862.636 1257175862.637 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.151'
============================== SEPARATOR ================================
Infected Target: 192.168.1.151
Score: 0.8 (>= 0.8)
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 11/02/2009 07:35:03.326 PST
Gen. Time: 11/02/2009 07:35:33.324 PST
INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
    208.0.219.244 (07:35:33.324 PST) event=777:7777005 {tcp} E5[bh] Detected intense non-malware port scanning of 30 IPs (3 /24s) (# pkts S/M/O/I=0/0/65535/0): 22:65535, 6667:11, 62532:2, [] MAC_Src: 00:0E:39:E0:94:00 0->0 (07:35:33.324 PST)
OUTBOUND SCAN
    208.0.196.31 (07:35:03.332 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 57876->22 (07:35:03.332 PST)
    208.0.196.8 (07:35:03.327 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 33135->22 (07:35:03.327 PST)
    208.0.196.115 (07:35:03.330 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 49133->22 (07:35:03.330 PST)
    208.0.196.153 (07:35:03.334 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 32975->22 (07:35:03.334 PST)
    208.0.196.15 (07:35:03.329 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 60947->22 (07:35:03.329 PST)
    208.0.196.45 (07:35:03.328 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 47272->22 (07:35:03.328 PST)
    208.0.196.6 (07:35:03.328 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 46381->22 (07:35:03.328 PST)
    208.0.196.205 (07:35:03.336 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 51987->22 (07:35:03.336 PST)
    208.0.196.136 (07:35:03.334 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 39480->22 (07:35:03.334 PST)
    208.0.194.119 (07:35:03.326 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 41150->22 (07:35:03.326 PST)
    208.0.194.141 (07:35:03.330 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 58934->22 (07:35:03.330 PST)
    208.0.196.80 (07:35:03.329 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 56371->22 (07:35:03.329 PST)
    208.0.196.187 (07:35:03.335 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 37343->22 (07:35:03.335 PST)
    208.0.194.131 (07:35:03.330 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 34891->22 (07:35:03.330 PST)
    208.0.196.10 (07:35:03.328 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 33210->22 (07:35:03.328 PST)
    208.0.196.170 (07:35:03.335 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 35214->22 (07:35:03.335 PST)
    208.0.194.153 (07:35:03.330 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 44828->22 (07:35:03.330 PST)
ATTACK PREP
PEER COORDINATION
DECLARE BOT
tcpslice 1257176103.326 1257176103.327 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.151'
============================== SEPARATOR ================================
Infected Target: 192.168.1.151
Score: 0.8 (>= 0.8)
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 11/02/2009 07:35:03.326 PST
Gen. Time: 11/02/2009 07:39:03.326 PST
INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
    208.0.204.41 (07:37:03.004 PST) event=777:7777005 {tcp} E5[bh] Detected intense non-malware port scanning of 30 IPs (13 /24s) (# pkts S/M/O/I=0/0/65535/0): 22:65535, 6667:24, 62532:2, [] MAC_Src: 00:0E:39:E0:94:00 0->0 (07:37:03.004 PST)
    208.0.30.75 (07:38:33.001 PST) event=777:7777005 {tcp} E5[bh] Detected intense non-malware port scanning of 30 IPs (13 /24s) (# pkts S/M/O/I=0/0/65535/4): 22:65535, 6667:29, 62532:2, [] MAC_Src: 00:0E:39:E0:94:00 0->0 (07:38:33.001 PST)
    208.0.219.244 (07:35:33.324 PST) event=777:7777005 {tcp} E5[bh] Detected intense non-malware port scanning of 30 IPs (3 /24s) (# pkts S/M/O/I=0/0/65535/0): 22:65535, 6667:11, 62532:2, [] MAC_Src: 00:0E:39:E0:94:00 0->0 (07:35:33.324 PST)
OUTBOUND SCAN
    208.0.196.31 (07:35:03.332 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 57876->22 (07:35:03.332 PST)
    208.0.196.8 (07:35:03.327 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 33135->22 (07:35:03.327 PST)
    208.0.196.115 (07:35:03.330 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 49133->22 (07:35:03.330 PST)
    208.0.196.153 (07:35:03.334 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 32975->22 (07:35:03.334 PST)
    208.0.196.15 (07:35:03.329 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 60947->22 (07:35:03.329 PST)
    208.0.196.45 (07:35:03.328 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 47272->22 (07:35:03.328 PST)
    208.0.196.6 (07:35:03.328 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 46381->22 (07:35:03.328 PST)
    208.0.196.205 (07:35:03.336 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 51987->22 (07:35:03.336 PST)
    208.0.196.136 (07:35:03.334 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 39480->22 (07:35:03.334 PST)
    208.0.194.119 (07:35:03.326 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 41150->22 (07:35:03.326 PST)
    208.0.194.141 (07:35:03.330 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 58934->22 (07:35:03.330 PST)
    208.0.196.80 (07:35:03.329 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 56371->22 (07:35:03.329 PST)
    208.0.196.187 (07:35:03.335 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 37343->22 (07:35:03.335 PST)
    208.0.194.131 (07:35:03.330 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 34891->22 (07:35:03.330 PST)
    208.0.196.10 (07:35:03.328 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 33210->22 (07:35:03.328 PST)
    208.0.196.170 (07:35:03.335 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 35214->22 (07:35:03.335 PST)
    208.0.194.153 (07:35:03.330 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 44828->22 (07:35:03.330 PST)
ATTACK PREP
PEER COORDINATION
DECLARE BOT
tcpslice 1257176103.326 1257176103.327 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.151'
============================== SEPARATOR ================================
Infected Target: 192.168.1.151
Score: 0.8 (>= 0.8)
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 11/02/2009 07:39:03.326 PST
Gen. Time: 11/02/2009 07:40:03.029 PST
INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
    208.0.147.68 (07:40:03.029 PST) event=777:7777005 {tcp} E5[bh] Detected intense non-malware port scanning of 30 IPs (15 /24s) (# pkts S/M/O/I=0/0/65535/4): 22:65535, 6667:33, 62532:2, [] MAC_Src: 00:0E:39:E0:94:00 0->0 (07:40:03.029 PST)
OUTBOUND SCAN
    208.1.120.135 (07:39:03.330 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 51312->22 (07:39:03.330 PST)
    208.1.119.230 (07:39:03.326 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 44471->22 (07:39:03.326 PST)
    208.1.120.35 (07:39:03.327 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 53153->22 (07:39:03.327 PST)
    208.1.119.7 (07:39:03.338 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 37671->22 (07:39:03.338 PST)
    208.1.120.95 (07:39:03.329 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 45596->22 (07:39:03.329 PST)
    208.1.119.82 (07:39:03.376 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 33484->22 (07:39:03.376 PST)
    208.1.117.241 (07:39:03.343 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 40279->22 (07:39:03.343 PST)
    208.1.120.155 (07:39:03.330 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 47001->22 (07:39:03.330 PST)
    208.1.119.250 (07:39:03.326 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 37719->22 (07:39:03.326 PST)
    208.1.120.55 (07:39:03.328 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 56558->22 (07:39:03.328 PST)
    208.1.119.42 (07:39:03.357 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 50391->22 (07:39:03.357 PST)
    208.1.120.115 (07:39:03.329 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 35872->22 (07:39:03.329 PST)
    208.1.120.15 (07:39:03.327 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 55068->22 (07:39:03.327 PST)
    208.1.119.25 (07:39:03.346 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 35064->22 (07:39:03.346 PST)
    208.1.120.175 (07:39:03.331 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 35432->22 (07:39:03.331 PST)
    208.1.120.75 (07:39:03.328 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 34625->22 (07:39:03.328 PST)
    208.1.119.62 (07:39:03.361 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 33227->22 (07:39:03.361 PST)
ATTACK PREP
PEER COORDINATION
DECLARE BOT
tcpslice 1257176343.326 1257176343.327 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.151'
============================== SEPARATOR ================================
Infected Target: 192.168.1.151
Score: 0.8 (>= 0.8)
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 11/02/2009 07:39:03.326 PST
Gen. Time: 11/02/2009 07:43:03.327 PST
INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
    208.0.204.251 (07:41:33.007 PST) event=777:7777005 {tcp} E5[bh] Detected intense non-malware port scanning of 30 IPs (15 /24s) (# pkts S/M/O/I=0/0/65535/4): 22:65535, 6667:35, 62532:2, [] MAC_Src: 00:0E:39:E0:94:00 0->0 (07:41:33.007 PST)
    208.1.62.186 (07:43:03.000 PST) event=777:7777005 {tcp} E5[bh] Detected intense non-malware port scanning of 30 IPs (12 /24s) (# pkts S/M/O/I=0/0/65535/4): 22:65535, 6667:37, 62532:2, [] MAC_Src: 00:0E:39:E0:94:00 0->0 (07:43:03.000 PST)
    208.0.147.68 (07:40:03.029 PST) event=777:7777005 {tcp} E5[bh] Detected intense non-malware port scanning of 30 IPs (15 /24s) (# pkts S/M/O/I=0/0/65535/4): 22:65535, 6667:33, 62532:2, [] MAC_Src: 00:0E:39:E0:94:00 0->0 (07:40:03.029 PST)
OUTBOUND SCAN
    208.1.120.135 (07:39:03.330 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 51312->22 (07:39:03.330 PST)
    208.1.119.230 (07:39:03.326 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 44471->22 (07:39:03.326 PST)
    208.1.120.35 (07:39:03.327 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 53153->22 (07:39:03.327 PST)
    208.1.119.7 (07:39:03.338 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 37671->22 (07:39:03.338 PST)
    208.1.120.95 (07:39:03.329 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 45596->22 (07:39:03.329 PST)
    208.1.119.82 (07:39:03.376 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 33484->22 (07:39:03.376 PST)
    208.1.117.241 (07:39:03.343 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 40279->22 (07:39:03.343 PST)
    208.1.120.155 (07:39:03.330 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 47001->22 (07:39:03.330 PST)
    208.1.119.250 (07:39:03.326 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 37719->22 (07:39:03.326 PST)
    208.1.120.55 (07:39:03.328 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 56558->22 (07:39:03.328 PST)
    208.1.119.42 (07:39:03.357 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 50391->22 (07:39:03.357 PST)
    208.1.120.115 (07:39:03.329 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 35872->22 (07:39:03.329 PST)
    208.1.120.15 (07:39:03.327 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 55068->22 (07:39:03.327 PST)
    208.1.119.25 (07:39:03.346 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 35064->22 (07:39:03.346 PST)
    208.1.120.175 (07:39:03.331 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 35432->22 (07:39:03.331 PST)
    208.1.120.75 (07:39:03.328 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 34625->22 (07:39:03.328 PST)
    208.1.119.62 (07:39:03.361 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 33227->22 (07:39:03.361 PST)
ATTACK PREP
PEER COORDINATION
DECLARE BOT
tcpslice 1257176343.326 1257176343.327 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.151'
============================== SEPARATOR ================================
Infected Target: 192.168.1.151
Score: 0.8 (>= 0.8)
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 11/02/2009 07:43:03.387 PST
Gen. Time: 11/02/2009 07:44:33.003 PST
INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
    208.1.120.12 (07:44:33.003 PST) event=777:7777005 {tcp} E5[bh] Detected intense non-malware port scanning of 30 IPs (12 /24s) (# pkts S/M/O/I=0/0/65535/4): 22:65535, 6667:43, 62532:2, [] MAC_Src: 00:0E:39:E0:94:00 0->0 (07:44:33.003 PST)
OUTBOUND SCAN
    208.1.216.7 (07:43:03.713 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 48443->22 (07:43:03.713 PST)
    208.1.90.193 (07:43:03.387 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 45010->22 (07:43:03.387 PST)
    208.1.0.156 (07:43:04.145 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 53161->22 (07:43:04.145 PST)
    208.1.216.144 (07:43:04.194 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 46013->22 (07:43:04.194 PST)
    208.0.30.82 (07:43:03.908 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 55025->22 (07:43:03.908 PST)
    208.0.110.141 (07:43:03.531 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 59084->22 (07:43:03.531 PST)
    208.0.17.82 (07:43:04.507 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 57234->22 (07:43:04.507 PST)
    208.1.140.202 (07:43:03.845 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 54206->22 (07:43:03.845 PST)
    208.1.63.42 (07:43:03.675 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 36311->22 (07:43:03.675 PST)
    208.1.140.163 (07:43:03.471 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 51537->22 (07:43:03.471 PST)
    208.1.216.172 (07:43:03.986 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 51930->22 (07:43:03.986 PST)
    208.1.140.47 (07:43:04.402 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 43418->22 (07:43:04.402 PST)
    208.1.140.200 (07:43:04.469 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 34475->22 (07:43:04.469 PST)
    208.0.224.171 (07:43:04.101 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 59732->22 (07:43:04.101 PST)
    208.1.216.2 (07:43:03.618 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 56855->22 (07:43:03.618 PST)
    208.1.100.166 (07:43:03.778 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 48024->22 (07:43:03.778 P
    208.0.17.201 (07:43:04.253 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 44348->22 (07:43:04.253 PST)
ATTACK PREP
PEER COORDINATION
DECLARE BOT
tcpslice 1257176583.387 1257176583.388 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.151'
============================== SEPARATOR ================================
Infected Target: 192.168.1.151
Score: 0.8 (>= 0.8)
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 11/02/2009 07:43:03.387 PST
Gen. Time: 11/02/2009 07:47:03.388 PST
INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
    208.0.51.24 (07:46:03.009 PST) event=777:7777005 {tcp} E5[bh] Detected intense non-malware port scanning of 30 IPs (12 /24s) (# pkts S/M/O/I=0/0/65535/4): 22:65535, 6667:43, 62532:2, [] MAC_Src: 00:0E:39:E0:94:00 0->0 (07:46:03.009 PST)
    208.1.120.12 (07:44:33.003 PST) event=777:7777005 {tcp} E5[bh] Detected intense non-malware port scanning of 30 IPs (12 /24s) (# pkts S/M/O/I=0/0/65535/4): 22:65535, 6667:43, 62532:2, [] MAC_Src: 00:0E:39:E0:94:00 0->0 (07:44:33.003 PST)
OUTBOUND SCAN
    208.1.216.7 (07:43:03.713 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 48443->22 (07:43:03.713 PST)
    208.1.90.193 (07:43:03.387 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 45010->22 (07:43:03.387 PST)
    208.1.0.156 (07:43:04.145 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 53161->22 (07:43:04.145 PST)
    208.1.216.144 (07:43:04.194 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 46013->22 (07:43:04.194 PST)
    208.0.30.82 (07:43:03.908 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 55025->22 (07:43:03.908 PST)
    208.0.110.141 (07:43:03.531 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 59084->22 (07:43:03.531 PST)
    208.0.17.82 (07:43:04.507 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 57234->22 (07:43:04.507 PST)
    208.1.140.202 (07:43:03.845 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 54206->22 (07:43:03.845 PST)
    208.1.63.42 (07:43:03.675 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 36311->22 (07:43:03.675 PST)
    208.1.140.163 (07:43:03.471 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 51537->22 (07:43:03.471 PST)
    208.1.216.172 (07:43:03.986 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 51930->22 (07:43:03.986 PST)
    208.1.140.47 (07:43:04.402 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 43418->22 (07:43:04.402 PST)
    208.1.140.200 (07:43:04.469 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 34475->22 (07:43:04.469 PST)
    208.0.224.171 (07:43:04.101 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 59732->22 (07:43:04.101 PST)
    208.1.216.2 (07:43:03.618 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 56855->22 (07:43:03.618 PST)
    208.1.100.166 (07:43:03.778 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 48024->22 (07:43:03.778 PST)
    208.0.17.201 (07:43:04.253 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 44348->22 (07:43:04.253 PST)
ATTACK PREP
PEER COORDINATION
DECLARE BOT
tcpslice 1257176583.387 1257176583.388 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.151'
============================== SEPARATOR ================================
Infected Target: 192.168.1.151
Score: 0.8 (>= 0.8)
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 11/02/2009 07:47:03.435 PST
Gen. Time: 11/02/2009 07:47:33.002 PST
INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
    208.1.104.193 (07:47:33.002 PST) event=777:7777005 {tcp} E5[bh] Detected intense non-malware port scanning of 30 IPs (12 /24s) (# pkts S/M/O/I=0/0/65535/4): 22:65535, 6667:47, 62532:2, [] MAC_Src: 00:0E:39:E0:94:00 0->0 (07:47:33.002 PST)
OUTBOUND SCAN
    208.0.249.2 (07:47:04.274 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 39626->22 (07:47:04.274 PST)
    208.1.120.12 (2) (07:47:03.545 PST) event=1:2001219 (2) {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 46680->22 (07:47:03.545 PST) 46760->22 (07:47:04.091 PST)
    208.1.40.45 (07:47:03.861 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 48834->22 (07:47:03.861 PST)
    208.1.60.115 (07:47:03.779 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 46770->22 (07:47:03.779 PST)
    208.1.140.181 (07:47:03.471 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 47986->22 (07:47:03.471 PST)
    208.1.140.34 (2) (07:47:03.702 PST) event=1:2001219 (2) {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 43130->22 (07:47:03.702 PST) 43240->22 (07:47:04.467 PST)
    208.0.17.82 (07:47:03.941 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 46555->22 (07:47:03.941 PST)
    208.0.75.153 (07:47:03.435 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 56151->22 (07:47:03.435 PST)
    208.1.0.154 (07:47:04.032 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 40664->22 (07:47:04.032 PST)
    208.1.140.40 (07:47:04.168 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 48409->22 (07:47:04.168 PST)
    208.0.108.129 (07:47:04.588 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 56693->22 (07:47:04.588 PST)
    208.0.204.9 (07:47:04.408 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 44153->22 (07:47:04.408 PST)
    208.1.216.10 (07:47:03.960 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 45885->22 (07:47:03.960 PST)
    208.1.140.160 (07:47:04.191 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 45844->22 (07:47:04.191 PST)
    208.0.121.11 (07:47:03.650 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 43832->22 (07:47:03.650 PST)
ATTACK PREP
PEER COORDINATION
DECLARE BOT
tcpslice 1257176823.435 1257176823.436 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.151'
============================== SEPARATOR ================================
Infected Target: 192.168.1.151
Score: 0.8 (>= 0.8)
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 11/02/2009 07:47:03.435 PST
Gen. Time: 11/02/2009 07:51:03.504 PST
INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
    208.1.216.148 (07:49:03.002 PST) event=777:7777005 {tcp} E5[bh] Detected intense non-malware port scanning of 30 IPs (13 /24s) (# pkts S/M/O/I=0/0/65535/4): 22:65535, 6667:47, 62532:2, [] MAC_Src: 00:0E:39:E0:94:00 0->0 (07:49:03.002 PST)
    208.1.104.193 (07:47:33.002 PST) event=777:7777005 {tcp} E5[bh] Detected intense non-malware port scanning of 30 IPs (12 /24s) (# pkts S/M/O/I=0/0/65535/4): 22:65535, 6667:47, 62532:2, [] MAC_Src: 00:0E:39:E0:94:00 0->0 (07:47:33.002 PST)
    208.0.30.9 (07:50:33.003 PST) event=777:7777005 {tcp} E5[bh] Detected intense non-malware port scanning of 30 IPs (16 /24s) (# pkts S/M/O/I=0/0/65535/4): 22:65535, 6667:47, 62532:2, [] MAC_Src: 00:0E:39:E0:94:00 0->0 (07:50:33.003 PST)
OUTBOUND SCAN
    208.0.249.2 (07:47:04.274 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 39626->22 (07:47:04.274 PST)
    208.1.120.12 (2) (07:47:03.545 PST) event=1:2001219 (2) {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 46680->22 (07:47:03.545 PST) 46760->22 (07:47:04.091 PST)
    208.1.40.45 (07:47:03.861 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 48834->22 (07:47:03.861 PST)
    208.1.60.115 (07:47:03.779 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 46770->22 (07:47:03.779 PST)
    208.1.140.181 (07:47:03.471 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 47986->22 (07:47:03.471 PST)
    208.1.140.34 (2) (07:47:03.702 PST) event=1:2001219 (2) {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 43130->22 (07:47:03.702 PST) 43240->22 (07:47:04.467 PST)
    208.0.17.82 (07:47:03.941 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 46555->22 (07:47:03.941 PST)
    208.0.75.153 (07:47:03.435 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 56151->22 (07:47:03.435 PST)
    208.1.0.154 (07:47:04.032 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 40664->22 (07:47:04.032 PST)
    208.1.140.40 (07:47:04.168 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 48409->22 (07:47:04.168 PST)
    208.0.108.129 (07:47:04.588 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 56693->22 (07:47:04.588 PST)
    208.0.204.9 (07:47:04.408 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 44153->22 (07:47:04.408 PST)
    208.1.216.10 (07:47:03.960 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 45885->22 (07:47:03.960 PST)
    208.1.140.160 (07:47:04.191 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 45844->22 (07:47:04.191 PST)
    208.0.121.11 (07:47:03.650 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 43832->22 (07:47:03.650 PST)
ATTACK PREP
PEER COORDINATION
DECLARE BOT
tcpslice 1257176823.435 1257176823.436 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.151'
============================== SEPARATOR ================================
Infected Target: 192.168.1.151
Score: 0.8 (>= 0.8)
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 11/02/2009 07:51:03.602 PST
Gen.
Time: 11/02/2009 07:52:03.005 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) 208.0.121.4 (07:52:03.005 PST) event=777:7777005 {tcp} E5[bh] Detected intense non-malware port scanning of 30 IPs (13 /24s) (# pkts S/M/O/I=0/0/65535/4): 22:65535, 6667:49, 62532:2, [] MAC_Src: 00:0E:39:E0:94:00 0->0 (07:52:03.005 PST) OUTBOUND SCAN 208.1.216.161 (07:51:04.730 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 40475->22 (07:51:04.730 PST) 208.1.216.7 (07:51:04.195 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 43579->22 (07:51:04.195 PST) 208.1.140.28 (2) (07:51:03.624 PST) event=1:2001219 (2) {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 40206->22 (07:51:03.624 PST) 40306->22 (07:51:04.398 PST) 208.0.224.114 (07:51:04.617 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 48096->22 (07:51:04.617 PST) 208.0.9.84 (07:51:04.088 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 40563->22 (07:51:04.088 PST) 208.1.140.27 (07:51:03.602 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 58808->22 (07:51:03.602 PST) 208.1.216.136 (07:51:04.528 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 51190->22 (07:51:04.528 PST) 208.1.140.34 (07:51:03.686 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 43982->22 (07:51:03.686 PST) 208.1.29.37 (07:51:04.286 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 58232->22 (07:51:04.286 PST) 208.1.140.156 (07:51:04.708 PST) 
event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 58732->22 (07:51:04.708 PST) 208.1.216.173 (07:51:04.592 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 33629->22 (07:51:04.592 PST) 208.1.216.172 (07:51:04.030 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 47702->22 (07:51:04.030 PST) 208.1.140.200 (07:51:03.763 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 41771->22 (07:51:03.763 PST) 208.1.44.150 (07:51:03.832 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 34897->22 (07:51:03.832 PST) 208.1.216.16 (07:51:04.346 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 54754->22 (07:51:04.346 PST) 208.1.140.37 (07:51:03.921 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 47622->22 (07:51:03.921 PST) ATTACK PREP PEER COORDINATION DECLARE BOT tcpslice 1257177063.602 1257177063.603 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.151' ============================== SEPARATOR ================================ Infected Target: 192.168.1.151 Score: 0.8 (>= 0.8) Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 11/02/2009 07:51:03.602 PST Gen. 
Time: 11/02/2009 07:55:03.620 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) 208.1.140.28 (07:55:03.000 PST) event=777:7777005 {tcp} E5[bh] Detected intense non-malware port scanning of 30 IPs (8 /24s) (# pkts S/M/O/I=0/0/65535/4): 22:65535, 6667:57, 62532:2, [] MAC_Src: 00:0E:39:E0:94:00 0->0 (07:55:03.000 PST) 208.0.121.4 (2) (07:52:03.005 PST) event=777:7777005 (2) {tcp} E5[bh] Detected intense non-malware port scanning of 30 IPs (13 /24s) (# pkts S/M/O/I=0/0/65535/4): 22:65535, 6667:49, 62532:2, [] MAC_Src: 00:0E:39:E0:94:00 0->0 (07:52:03.005 PST) 0->0 (07:53:33.002 PST) OUTBOUND SCAN 208.1.216.161 (07:51:04.730 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 40475->22 (07:51:04.730 PST) 208.1.216.7 (07:51:04.195 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 43579->22 (07:51:04.195 PST) 208.1.140.28 (2) (07:51:03.624 PST) event=1:2001219 (2) {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 40206->22 (07:51:03.624 PST) 40306->22 (07:51:04.398 PST) 208.0.224.114 (07:51:04.617 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 48096->22 (07:51:04.617 PST) 208.0.9.84 (07:51:04.088 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 40563->22 (07:51:04.088 PST) 208.1.140.27 (07:51:03.602 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 58808->22 (07:51:03.602 PST) 208.1.216.136 (07:51:04.528 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 51190->22 (07:51:04.528 PST) 208.1.140.34 (07:51:03.686 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 
secs), [] MAC_Src: 00:0E:39:E0:94:00 43982->22 (07:51:03.686 PST) 208.1.29.37 (07:51:04.286 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 58232->22 (07:51:04.286 PST) 208.1.140.156 (07:51:04.708 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 58732->22 (07:51:04.708 PST) 208.1.216.173 (07:51:04.592 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 33629->22 (07:51:04.592 PST) 208.1.216.172 (07:51:04.030 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 47702->22 (07:51:04.030 PST) 208.1.140.200 (07:51:03.763 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 41771->22 (07:51:03.763 PST) 208.1.44.150 (07:51:03.832 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 34897->22 (07:51:03.832 PST) 208.1.216.16 (07:51:04.346 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 54754->22 (07:51:04.346 PST) 208.1.140.37 (07:51:03.921 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 47622->22 (07:51:03.921 PST) ATTACK PREP PEER COORDINATION DECLARE BOT tcpslice 1257177063.602 1257177063.603 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.151' ============================== SEPARATOR ================================ Infected Target: 192.168.1.151 Score: 0.8 (>= 0.8) Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 11/02/2009 07:55:03.669 PST Gen. 
Time: 11/02/2009 07:56:33.005 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) 208.1.140.156 (07:56:33.005 PST) event=777:7777005 {tcp} E5[bh] Detected intense non-malware port scanning of 30 IPs (14 /24s) (# pkts S/M/O/I=0/0/65535/4): 22:65535, 6667:59, 62532:2, [] MAC_Src: 00:0E:39:E0:94:00 0->0 (07:56:33.005 PST) OUTBOUND SCAN 208.1.6.155 (07:55:04.058 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 55516->22 (07:55:04.058 PST) 208.1.120.12 (07:55:03.780 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 35282->22 (07:55:03.780 PST) 208.0.249.2 (07:55:03.974 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 34960->22 (07:55:03.974 PST) 208.1.40.129 (07:55:03.908 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 57594->22 (07:55:03.908 PST) 208.1.216.7 (07:55:04.471 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 42708->22 (07:55:04.471 PST) 208.1.140.28 (07:55:03.870 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 55175->22 (07:55:03.870 PST) 208.1.90.193 (07:55:03.669 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 37909->22 (07:55:03.669 PST) 208.0.30.75 (2) (07:55:04.300 PST) event=1:2001219 (2) {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 47834->22 (07:55:04.300 PST) 47874->22 (07:55:04.530 PST) 208.1.140.27 (07:55:04.587 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 46539->22 (07:55:04.587 PST) 208.1.29.37 (07:55:04.408 PST) 
event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 37662->22 (07:55:04.408 PST) 208.1.216.173 (07:55:04.233 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 50339->22 (07:55:04.233 PST) 208.0.204.40 (07:55:04.159 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 49522->22 (07:55:04.159 PST) 208.1.140.200 (07:55:03.709 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 53605->22 (07:55:03.709 PST) 208.1.44.150 (07:55:04.343 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 59482->22 (07:55:04.343 PST) 208.1.140.22 (07:55:04.103 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 47335->22 (07:55:04.103 PST) 208.1.140.45 (07:55:03.758 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 39046->22 (07:55:03.758 PST) ATTACK PREP PEER COORDINATION DECLARE BOT tcpslice 1257177303.669 1257177303.670 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.151' ============================== SEPARATOR ================================ Infected Target: 192.168.1.151 Score: 0.8 (>= 0.8) Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 11/02/2009 07:55:03.669 PST Gen. 
Time: 11/02/2009 07:59:03.719 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) 208.1.140.156 (07:56:33.005 PST) event=777:7777005 {tcp} E5[bh] Detected intense non-malware port scanning of 30 IPs (14 /24s) (# pkts S/M/O/I=0/0/65535/4): 22:65535, 6667:59, 62532:2, [] MAC_Src: 00:0E:39:E0:94:00 0->0 (07:56:33.005 PST) 208.1.230.45 (07:58:03.005 PST) event=777:7777005 {tcp} E5[bh] Detected intense non-malware port scanning of 30 IPs (9 /24s) (# pkts S/M/O/I=0/0/65535/4): 22:65535, 6667:59, 62532:2, [] MAC_Src: 00:0E:39:E0:94:00 0->0 (07:58:03.005 PST) OUTBOUND SCAN 208.1.6.155 (07:55:04.058 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 55516->22 (07:55:04.058 PST) 208.1.120.12 (07:55:03.780 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 35282->22 (07:55:03.780 PST) 208.0.249.2 (07:55:03.974 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 34960->22 (07:55:03.974 PST) 208.1.40.129 (07:55:03.908 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 57594->22 (07:55:03.908 PST) 208.1.216.7 (07:55:04.471 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 42708->22 (07:55:04.471 PST) 208.1.140.28 (07:55:03.870 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 55175->22 (07:55:03.870 PST) 208.1.90.193 (07:55:03.669 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 37909->22 (07:55:03.669 PST) 208.0.30.75 (2) (07:55:04.300 PST) event=1:2001219 (2) {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 47834->22 (07:55:04.300 PST) 
47874->22 (07:55:04.530 PST) 208.1.140.27 (07:55:04.587 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 46539->22 (07:55:04.587 PST) 208.1.29.37 (07:55:04.408 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 37662->22 (07:55:04.408 PST) 208.1.216.173 (07:55:04.233 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 50339->22 (07:55:04.233 PST) 208.0.204.40 (07:55:04.159 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 49522->22 (07:55:04.159 PST) 208.1.140.200 (07:55:03.709 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 53605->22 (07:55:03.709 PST) 208.1.44.150 (07:55:04.343 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 59482->22 (07:55:04.343 PST) 208.1.140.22 (07:55:04.103 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 47335->22 (07:55:04.103 PST) 208.1.140.45 (07:55:03.758 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 39046->22 (07:55:03.758 PST) ATTACK PREP PEER COORDINATION DECLARE BOT tcpslice 1257177303.669 1257177303.670 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.151' ============================== SEPARATOR ================================ Infected Target: 192.168.1.151 Score: 0.8 (>= 0.8) Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 11/02/2009 07:59:03.861 PST Gen. 
Time: 11/02/2009 07:59:33.015 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) 208.1.140.199 (07:59:33.015 PST) event=777:7777005 {tcp} E5[bh] Detected intense non-malware port scanning of 30 IPs (12 /24s) (# pkts S/M/O/I=0/0/65535/4): 22:65535, 6667:59, 62532:2, [] MAC_Src: 00:0E:39:E0:94:00 0->0 (07:59:33.015 PST) OUTBOUND SCAN 208.2.76.74 (07:59:04.270 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 46538->22 (07:59:04.270 PST) 208.1.216.7 (07:59:04.035 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 59118->22 (07:59:04.035 PST) 208.1.140.20 (07:59:04.492 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 40805->22 (07:59:04.492 PST) 208.2.76.87 (07:59:04.272 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 58852->22 (07:59:04.272 PST) 208.0.30.82 (07:59:03.935 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 42418->22 (07:59:03.935 PST) 208.1.137.97 (07:59:04.148 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 46055->22 (07:59:04.148 PST) 208.1.140.156 (07:59:04.284 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 33755->22 (07:59:04.284 PST) 208.2.76.86 (07:59:04.273 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 55846->22 (07:59:04.273 PST) 208.0.51.33 (07:59:04.233 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 57837->22 (07:59:04.233 PST) 208.1.140.201 (07:59:04.346 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH 
Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 41772->22 (07:59:04.346 PST) 208.0.204.10 (07:59:04.774 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 38170->22 (07:59:04.774 PST) 208.1.140.24 (07:59:04.923 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 59654->22 (07:59:04.923 PST) 208.1.216.10 (07:59:04.821 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 34983->22 (07:59:04.821 PST) 208.0.204.9 (07:59:04.671 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 59837->22 (07:59:04.671 PST) 208.1.216.2 (07:59:04.328 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 41815->22 (07:59:04.328 PST) 208.1.140.46 (07:59:03.861 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 56123->22 (07:59:03.861 PST) 208.1.140.160 (07:59:04.429 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 40518->22 (07:59:04.429 PST) ATTACK PREP PEER COORDINATION DECLARE BOT tcpslice 1257177543.861 1257177543.862 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.151' ============================== SEPARATOR ================================ Infected Target: 192.168.1.151 Score: 0.8 (>= 0.8) Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 11/02/2009 07:59:03.861 PST Gen. 
Time: 11/02/2009 08:03:03.891 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) 208.1.140.199 (07:59:33.015 PST) event=777:7777005 {tcp} E5[bh] Detected intense non-malware port scanning of 30 IPs (12 /24s) (# pkts S/M/O/I=0/0/65535/4): 22:65535, 6667:59, 62532:2, [] MAC_Src: 00:0E:39:E0:94:00 0->0 (07:59:33.015 PST) 208.1.21.2 (08:01:03.000 PST) event=777:7777005 {tcp} E5[bh] Detected intense non-malware port scanning of 30 IPs (11 /24s) (# pkts S/M/O/I=0/0/65535/4): 22:65535, 6667:63, 62532:2, [] MAC_Src: 00:0E:39:E0:94:00 0->0 (08:01:03.000 PST) 208.1.140.40 (08:02:33.010 PST) event=777:7777005 {tcp} E5[bh] Detected intense non-malware port scanning of 30 IPs (10 /24s) (# pkts S/M/O/I=0/0/65535/4): 22:65535, 6667:67, 62532:2, [] MAC_Src: 00:0E:39:E0:94:00 0->0 (08:02:33.010 PST) OUTBOUND SCAN 208.2.76.74 (07:59:04.270 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 46538->22 (07:59:04.270 PST) 208.1.216.7 (07:59:04.035 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 59118->22 (07:59:04.035 PST) 208.1.140.20 (07:59:04.492 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 40805->22 (07:59:04.492 PST) 208.2.76.87 (07:59:04.272 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 58852->22 (07:59:04.272 PST) 208.0.30.82 (07:59:03.935 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 42418->22 (07:59:03.935 PST) 208.1.137.97 (07:59:04.148 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 46055->22 (07:59:04.148 PST) 208.1.140.156 (07:59:04.284 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 
secs), [] MAC_Src: 00:0E:39:E0:94:00 33755->22 (07:59:04.284 PST) 208.2.76.86 (07:59:04.273 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 55846->22 (07:59:04.273 PST) 208.0.51.33 (07:59:04.233 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 57837->22 (07:59:04.233 PST) 208.1.140.201 (07:59:04.346 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 41772->22 (07:59:04.346 PST) 208.0.204.10 (07:59:04.774 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 38170->22 (07:59:04.774 PST) 208.1.140.24 (07:59:04.923 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 59654->22 (07:59:04.923 PST) 208.1.216.10 (07:59:04.821 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 34983->22 (07:59:04.821 PST) 208.0.204.9 (07:59:04.671 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 59837->22 (07:59:04.671 PST) 208.1.216.2 (07:59:04.328 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 41815->22 (07:59:04.328 PST) 208.1.140.46 (07:59:03.861 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 56123->22 (07:59:03.861 PST) 208.1.140.160 (07:59:04.429 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 40518->22 (07:59:04.429 PST) ATTACK PREP PEER COORDINATION DECLARE BOT tcpslice 1257177543.861 1257177543.862 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.151' ============================== SEPARATOR ================================ Infected Target: 192.168.1.151 Score: 0.8 (>= 0.8) Infector List: Egg 
Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 11/02/2009 08:03:03.965 PST Gen. Time: 11/02/2009 08:04:03.000 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) 208.1.140.156 (08:04:03.000 PST) event=777:7777005 {tcp} E5[bh] Detected intense non-malware port scanning of 30 IPs (17 /24s) (# pkts S/M/O/I=0/0/65535/4): 22:65535, 6667:69, 62532:2, [] MAC_Src: 00:0E:39:E0:94:00 0->0 (08:04:03.000 PST) OUTBOUND SCAN 208.3.3.77 (08:03:04.265 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 38545->22 (08:03:04.265 PST) 208.3.3.237 (08:03:04.268 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 37711->22 (08:03:04.268 PST) 208.3.3.137 (08:03:04.266 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 38028->22 (08:03:04.266 PST) 208.3.3.37 (08:03:04.264 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 58525->22 (08:03:04.264 PST) 208.1.18.194 (08:03:03.965 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 38525->22 (08:03:03.965 PST) 208.3.3.197 (08:03:04.267 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 46732->22 (08:03:04.267 PST) 208.3.4.2 (08:03:04.268 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 33165->22 (08:03:04.268 PST) 208.3.3.97 (08:03:04.265 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 56371->22 (08:03:04.265 PST) 208.1.140.202 (08:03:04.123 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 55869->22 
(08:03:04.123 PST) 208.2.175.3 (08:03:04.013 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 59468->22 (08:03:04.013 PST) 208.3.3.157 (08:03:04.266 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 33523->22 (08:03:04.266 PST) 208.0.51.17 (08:03:04.066 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 44474->22 (08:03:04.066 PST) 208.3.3.57 (08:03:04.264 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 60564->22 (08:03:04.264 PST) 208.0.51.24 (08:03:04.182 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 39364->22 (08:03:04.182 PST) 208.3.3.217 (08:03:04.267 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 44222->22 (08:03:04.267 PST) 208.3.3.117 (08:03:04.265 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 58396->22 (08:03:04.265 PST) 208.3.3.177 (08:03:04.267 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 41312->22 (08:03:04.267 PST) ATTACK PREP PEER COORDINATION DECLARE BOT tcpslice 1257177783.965 1257177783.966 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.151' ============================== SEPARATOR ================================ Infected Target: 192.168.1.151 Score: 0.8 (>= 0.8) Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 11/02/2009 08:03:03.965 PST Gen. 
Time: 11/02/2009 08:07:04.089 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) 208.1.140.156 (08:04:03.000 PST) event=777:7777005 {tcp} E5[bh] Detected intense non-malware port scanning of 30 IPs (17 /24s) (# pkts S/M/O/I=0/0/65535/4): 22:65535, 6667:69, 62532:2, [] MAC_Src: 00:0E:39:E0:94:00 0->0 (08:04:03.000 PST) 208.1.44.150 (08:05:33.000 PST) event=777:7777005 {tcp} E5[bh] Detected intense non-malware port scanning of 30 IPs (13 /24s) (# pkts S/M/O/I=0/0/65535/4): 22:65535, 6667:73, 62532:2, [] MAC_Src: 00:0E:39:E0:94:00 0->0 (08:05:33.000 PST) 208.1.140.199 (08:07:03.006 PST) event=777:7777005 {tcp} E5[bh] Detected intense non-malware port scanning of 30 IPs (15 /24s) (# pkts S/M/O/I=0/0/65535/4): 22:65535, 6667:75, 62532:2, [] MAC_Src: 00:0E:39:E0:94:00 0->0 (08:07:03.006 PST) OUTBOUND SCAN 208.3.3.77 (08:03:04.265 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 38545->22 (08:03:04.265 PST) 208.3.3.237 (08:03:04.268 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 37711->22 (08:03:04.268 PST) 208.3.3.137 (08:03:04.266 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 38028->22 (08:03:04.266 PST) 208.3.3.37 (08:03:04.264 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 58525->22 (08:03:04.264 PST) 208.1.18.194 (08:03:03.965 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 38525->22 (08:03:03.965 PST) 208.3.3.197 (08:03:04.267 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 46732->22 (08:03:04.267 PST) 208.3.4.2 (08:03:04.268 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 
secs), [] MAC_Src: 00:0E:39:E0:94:00 33165->22 (08:03:04.268 PST) 208.3.3.97 (08:03:04.265 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 56371->22 (08:03:04.265 PST) 208.1.140.202 (08:03:04.123 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 55869->22 (08:03:04.123 PST) 208.2.175.3 (08:03:04.013 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 59468->22 (08:03:04.013 PST) 208.3.3.157 (08:03:04.266 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 33523->22 (08:03:04.266 PST) 208.0.51.17 (08:03:04.066 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 44474->22 (08:03:04.066 PST) 208.3.3.57 (08:03:04.264 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 60564->22 (08:03:04.264 PST) 208.0.51.24 (08:03:04.182 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 39364->22 (08:03:04.182 PST) 208.3.3.217 (08:03:04.267 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 44222->22 (08:03:04.267 PST) 208.3.3.117 (08:03:04.265 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 58396->22 (08:03:04.265 PST) 208.3.3.177 (08:03:04.267 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 41312->22 (08:03:04.267 PST) ATTACK PREP PEER COORDINATION DECLARE BOT tcpslice 1257177783.965 1257177783.966 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.151' ============================== SEPARATOR ================================ Infected Target: 192.168.1.151 Score: 0.8 (>= 0.8) Infector List: Egg Source 
List: C & C List: Peer Coord. List: Resource List: Observed Start: 11/02/2009 08:07:04.205 PST Gen. Time: 11/02/2009 08:08:33.002 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) 208.3.243.189 (08:08:33.002 PST) event=777:7777005 {tcp} E5[bh] Detected intense non-malware port scanning of 30 IPs (9 /24s) (# pkts S/M/O/I=0/0/65535/4): 22:65535, 6667:79, 62532:2, [] MAC_Src: 00:0E:39:E0:94:00 0->0 (08:08:33.002 PST) OUTBOUND SCAN 208.3.193.143 (08:07:04.265 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 38444->22 (08:07:04.265 PST) 208.3.194.47 (08:07:04.269 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 39242->22 (08:07:04.269 PST) 208.3.193.249 (08:07:04.268 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 34473->22 (08:07:04.268 PST) 208.3.193.88 (08:07:04.260 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 54576->22 (08:07:04.260 PST) 208.3.193.195 (08:07:04.267 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 33695->22 (08:07:04.267 PST) 208.1.140.27 (08:07:04.205 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 53678->22 (08:07:04.205 PST) 208.3.193.103 (08:07:04.262 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 58297->22 (08:07:04.262 PST) 208.3.194.30 (08:07:04.268 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 41519->22 (08:07:04.268 PST) 208.3.192.143 (08:07:04.252 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 
36445->22 (08:07:04.252 PST) 208.3.193.231 (08:07:04.267 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 57097->22 (08:07:04.267 PST) 208.3.193.123 (08:07:04.266 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 37224->22 (08:07:04.266 PST) 208.3.193.161 (08:07:04.266 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 43181->22 (08:07:04.266 PST) 208.3.194.12 (08:07:04.268 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 54216->22 (08:07:04.268 PST) 208.3.193.99 (08:07:04.259 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 42306->22 (08:07:04.259 PST) 208.3.194.65 (08:07:04.269 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 54458->22 (08:07:04.269 PST) 208.3.193.129 (08:07:04.264 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 44543->22 (08:07:04.264 PST) 208.3.193.213 (08:07:04.267 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 57757->22 (08:07:04.267 PST) ATTACK PREP PEER COORDINATION DECLARE BOT tcpslice 1257178024.205 1257178024.206 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.151' ============================== SEPARATOR ================================ Infected Target: 192.168.1.151 Score: 0.8 (>= 0.8) Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 11/02/2009 08:07:04.205 PST Gen. 
Time: 11/02/2009 08:11:04.233 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) 208.3.243.189 (2) (08:08:33.002 PST) event=777:7777005 (2) {tcp} E5[bh] Detected intense non-malware port scanning of 30 IPs (9 /24s) (# pkts S/M/O/I=0/0/65535/4): 22:65535, 6667:79, 62532:2, [] MAC_Src: 00:0E:39:E0:94:00 0->0 (08:08:33.002 PST) 0->0 (08:10:03.003 PST) OUTBOUND SCAN 208.3.193.143 (08:07:04.265 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 38444->22 (08:07:04.265 PST) 208.3.194.47 (08:07:04.269 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 39242->22 (08:07:04.269 PST) 208.3.193.249 (08:07:04.268 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 34473->22 (08:07:04.268 PST) 208.3.193.88 (08:07:04.260 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 54576->22 (08:07:04.260 PST) 208.3.193.195 (08:07:04.267 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 33695->22 (08:07:04.267 PST) 208.1.140.27 (08:07:04.205 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 53678->22 (08:07:04.205 PST) 208.3.193.103 (08:07:04.262 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 58297->22 (08:07:04.262 PST) 208.3.194.30 (08:07:04.268 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 41519->22 (08:07:04.268 PST) 208.3.192.143 (08:07:04.252 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 36445->22 (08:07:04.252 PST) 208.3.193.231 (08:07:04.267 PST) 
event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 57097->22 (08:07:04.267 PST) 208.3.193.123 (08:07:04.266 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 37224->22 (08:07:04.266 PST) 208.3.193.161 (08:07:04.266 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 43181->22 (08:07:04.266 PST) 208.3.194.12 (08:07:04.268 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 54216->22 (08:07:04.268 PST) 208.3.193.99 (08:07:04.259 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 42306->22 (08:07:04.259 PST) 208.3.194.65 (08:07:04.269 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 54458->22 (08:07:04.269 PST) 208.3.193.129 (08:07:04.264 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 44543->22 (08:07:04.264 PST) 208.3.193.213 (08:07:04.267 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 57757->22 (08:07:04.267 PST) ATTACK PREP PEER COORDINATION DECLARE BOT tcpslice 1257178024.205 1257178024.206 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.151' ============================== SEPARATOR ================================ Infected Target: 192.168.1.151 Score: 0.8 (>= 0.8) Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 11/02/2009 08:11:04.236 PST Gen. 
Time: 11/02/2009 08:11:33.000 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) 208.3.243.189 (08:11:33.000 PST) event=777:7777005 {tcp} E5[bh] Detected intense non-malware port scanning of 30 IPs (9 /24s) (# pkts S/M/O/I=0/0/65535/4): 22:65535, 6667:85, 62532:2, [] MAC_Src: 00:0E:39:E0:94:00 0->0 (08:11:33.000 PST) OUTBOUND SCAN 208.1.62.186 (08:11:04.236 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 40838->22 (08:11:04.236 PST) 208.1.60.69 (08:11:04.391 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 58018->22 (08:11:04.391 PST) 208.4.120.61 (08:11:04.243 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 45094->22 (08:11:04.243 PST) 208.2.190.14 (08:11:04.245 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 50474->22 (08:11:04.245 PST) 208.4.123.135 (08:11:04.241 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 43722->22 (08:11:04.241 PST) 208.4.120.44 (08:11:04.243 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 55116->22 (08:11:04.243 PST) 208.4.120.51 (08:11:04.243 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 43212->22 (08:11:04.243 PST) 208.1.0.154 (08:11:04.293 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 32959->22 (08:11:04.293 PST) 208.1.140.178 (08:11:04.456 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 43886->22 (08:11:04.456 PST) 208.4.120.88 (08:11:04.245 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential 
SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 51243->22 (08:11:04.245 PST) 208.1.19.226 (08:11:04.498 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 56159->22 (08:11:04.498 PST) 208.4.120.34 (08:11:04.242 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 59127->22 (08:11:04.242 PST) 208.4.120.18 (08:11:04.241 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 44356->22 (08:11:04.241 PST) 208.4.120.79 (08:11:04.244 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 51738->22 (08:11:04.244 PST) 208.4.120.71 (08:11:04.244 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 59208->22 (08:11:04.244 PST) 208.4.120.9 (08:11:04.241 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 40075->22 (08:11:04.241 PST) 208.4.123.153 (08:11:04.242 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 36533->22 (08:11:04.242 PST) ATTACK PREP PEER COORDINATION DECLARE BOT tcpslice 1257178264.236 1257178264.237 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.151' ============================== SEPARATOR ================================ Infected Target: 192.168.1.151 Score: 0.8 (>= 0.8) Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 11/02/2009 08:11:04.236 PST Gen. 
Time: 11/02/2009 08:15:04.268 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) 208.1.137.97 (08:14:33.004 PST) event=777:7777005 {tcp} E5[bh] Detected intense non-malware port scanning of 30 IPs (9 /24s) (# pkts S/M/O/I=0/0/65535/4): 22:65535, 6667:91, 60, 62532:2, [] MAC_Src: 00:0E:39:E0:94:00 0->0 (08:14:33.004 PST) 208.1.230.45 (08:13:03.005 PST) event=777:7777005 {tcp} E5[bh] Detected intense non-malware port scanning of 30 IPs (9 /24s) (# pkts S/M/O/I=0/0/65535/4): 22:65535, 6667:87, 60, 62532:2, [] MAC_Src: 00:0E:39:E0:94:00 0->0 (08:13:03.005 PST) 208.3.243.189 (08:11:33.000 PST) event=777:7777005 {tcp} E5[bh] Detected intense non-malware port scanning of 30 IPs (9 /24s) (# pkts S/M/O/I=0/0/65535/4): 22:65535, 6667:85, 62532:2, [] MAC_Src: 00:0E:39:E0:94:00 0->0 (08:11:33.000 PST) OUTBOUND SCAN 208.1.62.186 (08:11:04.236 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 40838->22 (08:11:04.236 PST) 208.1.60.69 (08:11:04.391 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 58018->22 (08:11:04.391 PST) 208.4.120.61 (08:11:04.243 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 45094->22 (08:11:04.243 PST) 208.2.190.14 (08:11:04.245 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 50474->22 (08:11:04.245 PST) 208.4.123.135 (08:11:04.241 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 43722->22 (08:11:04.241 PST) 208.4.120.44 (08:11:04.243 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 55116->22 (08:11:04.243 PST) 208.4.120.51 (08:11:04.243 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan 
(20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 43212->22 (08:11:04.243 PST) 208.1.0.154 (08:11:04.293 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 32959->22 (08:11:04.293 PST) 208.1.140.178 (08:11:04.456 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 43886->22 (08:11:04.456 PST) 208.4.120.88 (08:11:04.245 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 51243->22 (08:11:04.245 PST) 208.1.19.226 (08:11:04.498 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 56159->22 (08:11:04.498 PST) 208.4.120.34 (08:11:04.242 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 59127->22 (08:11:04.242 PST) 208.4.120.18 (08:11:04.241 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 44356->22 (08:11:04.241 PST) 208.4.120.79 (08:11:04.244 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 51738->22 (08:11:04.244 PST) 208.4.120.71 (08:11:04.244 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 59208->22 (08:11:04.244 PST) 208.4.120.9 (08:11:04.241 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 40075->22 (08:11:04.241 PST) 208.4.123.153 (08:11:04.242 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 36533->22 (08:11:04.242 PST) ATTACK PREP PEER COORDINATION DECLARE BOT tcpslice 1257178264.236 1257178264.237 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.151' ============================== SEPARATOR ================================ Infected Target: 192.168.1.151 Score: 0.8 (>= 0.8) 
Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 11/02/2009 08:15:04.348 PST Gen. Time: 11/02/2009 08:16:03.005 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) 208.4.212.221 (08:16:03.005 PST) event=777:7777005 {tcp} E5[bh] Detected intense non-malware port scanning of 30 IPs (9 /24s) (# pkts S/M/O/I=0/0/65535/4): 22:65535, 6667:93, 60, 62532:2, [] MAC_Src: 00:0E:39:E0:94:00 0->0 (08:16:03.005 PST) OUTBOUND SCAN 208.4.83.12 (08:15:05.006 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 47257->22 (08:15:05.006 PST) 208.1.216.169 (08:15:04.587 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 52985->22 (08:15:04.587 PST) 208.0.52.18 (08:15:04.607 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 38089->22 (08:15:04.607 PST) 208.1.0.156 (08:15:05.181 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 50404->22 (08:15:05.181 PST) 208.4.187.19 (08:15:04.832 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 43840->22 (08:15:04.832 PST) 208.3.72.97 (08:15:04.728 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 60413->22 (08:15:04.728 PST) 208.1.140.156 (08:15:04.348 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 35930->22 (08:15:04.348 PST) 208.1.216.12 (08:15:05.103 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 51845->22 (08:15:05.103 PST) 208.0.204.41 (08:15:04.554 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] 
MAC_Src: 00:0E:39:E0:94:00 50837->22 (08:15:04.554 PST) 208.4.52.77 (08:15:05.208 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 36737->22 (08:15:05.208 PST) 208.1.140.47 (08:15:04.470 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 35690->22 (08:15:04.470 PST) 208.1.140.24 (08:15:04.503 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 44341->22 (08:15:04.503 PST) 208.0.51.16 (08:15:05.240 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 50446->22 (08:15:05.240 PST) 208.1.44.150 (08:15:04.925 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 44483->22 (08:15:04.925 PST) 208.1.39.226 (08:15:04.783 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 38445->22 (08:15:04.783 PST) 208.4.175.243 (08:15:04.408 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 37777->22 (08:15:04.408 PST) 208.0.204.54 (08:15:04.669 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 39035->22 (08:15:04.669 PST) ATTACK PREP PEER COORDINATION DECLARE BOT tcpslice 1257178504.348 1257178504.349 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.151' ============================== SEPARATOR ================================ Infected Target: 192.168.1.151 Score: 0.8 (>= 0.8) Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 11/02/2009 08:15:04.348 PST Gen. 
Time: 11/02/2009 08:19:04.390 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) 208.4.212.221 (08:16:03.005 PST) event=777:7777005 {tcp} E5[bh] Detected intense non-malware port scanning of 30 IPs (9 /24s) (# pkts S/M/O/I=0/0/65535/4): 22:65535, 6667:93, 60, 62532:2, [] MAC_Src: 00:0E:39:E0:94:00 0->0 (08:16:03.005 PST) 208.0.110.141 (08:19:03.000 PST) event=777:7777005 {tcp} E5[bh] Detected intense non-malware port scanning of 30 IPs (9 /24s) (# pkts S/M/O/I=0/0/65535/4): 22:65535, 6667:99, 60, 288:2, 291, 62532:2, [] MAC_Src: 00:0E:39:E0:94:00 0->0 (08:19:03.000 PST) 208.1.140.26 (08:17:33.000 PST) event=777:7777005 {tcp} E5[bh] Detected intense non-malware port scanning of 30 IPs (8 /24s) (# pkts S/M/O/I=0/0/65535/4): 22:65535, 6667:97, 60, 62532:2, [] MAC_Src: 00:0E:39:E0:94:00 0->0 (08:17:33.000 PST) OUTBOUND SCAN 208.4.83.12 (08:15:05.006 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 47257->22 (08:15:05.006 PST) 208.1.216.169 (08:15:04.587 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 52985->22 (08:15:04.587 PST) 208.0.52.18 (08:15:04.607 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 38089->22 (08:15:04.607 PST) 208.1.0.156 (08:15:05.181 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 50404->22 (08:15:05.181 PST) 208.4.187.19 (08:15:04.832 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 43840->22 (08:15:04.832 PST) 208.3.72.97 (08:15:04.728 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 60413->22 (08:15:04.728 PST) 208.1.140.156 (08:15:04.348 PST) event=1:2001219 {tcp} E5[rb] ET SCAN 
Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 35930->22 (08:15:04.348 PST) 208.1.216.12 (08:15:05.103 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 51845->22 (08:15:05.103 PST) 208.0.204.41 (08:15:04.554 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 50837->22 (08:15:04.554 PST) 208.4.52.77 (08:15:05.208 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 36737->22 (08:15:05.208 PST) 208.1.140.47 (08:15:04.470 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 35690->22 (08:15:04.470 PST) 208.1.140.24 (08:15:04.503 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 44341->22 (08:15:04.503 PST) 208.0.51.16 (08:15:05.240 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 50446->22 (08:15:05.240 PST) 208.1.44.150 (08:15:04.925 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 44483->22 (08:15:04.925 PST) 208.1.39.226 (08:15:04.783 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 38445->22 (08:15:04.783 PST) 208.4.175.243 (08:15:04.408 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 37777->22 (08:15:04.408 PST) 208.0.204.54 (08:15:04.669 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 39035->22 (08:15:04.669 PST) ATTACK PREP PEER COORDINATION DECLARE BOT tcpslice 1257178504.348 1257178504.349 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.151' ============================== SEPARATOR ================================ Infected Target: 192.168.1.151 Score: 
0.8 (>= 0.8) Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 11/02/2009 08:19:04.457 PST Gen. Time: 11/02/2009 08:20:33.000 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) 208.1.140.195 (08:20:33.000 PST) event=777:7777005 {tcp} E5[bh] Detected intense non-malware port scanning of 30 IPs (8 /24s) (# pkts S/M/O/I=0/0/65535/4): 22:65535, 6667:103, 60, 288:2, 291, 62532:2, [] MAC_Src: 00:0E:39:E0:94:00 0->0 (08:20:33.000 PST) OUTBOUND SCAN 208.1.60.115 (08:19:04.872 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 50673->22 (08:19:04.872 PST) 208.5.247.100 (08:19:05.224 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 39743->22 (08:19:05.224 PST) 208.5.250.20 (08:19:05.222 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 36180->22 (08:19:05.222 PST) 208.1.140.202 (08:19:04.785 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 46168->22 (08:19:04.785 PST) 208.4.212.250 (08:19:05.022 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 33562->22 (08:19:05.022 PST) 208.5.247.128 (08:19:05.224 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 37813->22 (08:19:05.224 PST) 208.4.189.219 (08:19:04.967 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 51909->22 (08:19:04.967 PST) 208.1.140.155 (08:19:04.682 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 56598->22 (08:19:04.682 PST) 208.1.140.178 (08:19:04.566 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential 
SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 44790->22 (08:19:04.566 PST) 208.5.247.89 (08:19:05.223 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 40321->22 (08:19:05.223 PST) 208.2.67.127 (08:19:05.199 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 42212->22 (08:19:05.199 PST) 208.2.159.19 (08:19:04.457 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 49721->22 (08:19:04.457 PST) 208.5.247.134 (08:19:05.225 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 43673->22 (08:19:05.225 PST) 208.5.247.111 (08:19:05.224 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 39306->22 (08:19:05.224 PST) 208.5.247.118 (08:19:05.224 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 41847->22 (08:19:05.224 PST) 208.5.250.39 (08:19:05.223 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 39542->22 (08:19:05.223 PST) 208.1.140.37 (08:19:04.718 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 35569->22 (08:19:04.718 PST) ATTACK PREP PEER COORDINATION DECLARE BOT tcpslice 1257178744.457 1257178744.458 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.151' ============================== SEPARATOR ================================ Infected Target: 192.168.1.151 Score: 0.8 (>= 0.8) Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 11/02/2009 08:19:04.457 PST Gen. 
Time: 11/02/2009 08:23:04.458 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) 208.1.140.195 (08:20:33.000 PST) event=777:7777005 {tcp} E5[bh] Detected intense non-malware port scanning of 30 IPs (8 /24s) (# pkts S/M/O/I=0/0/65535/4): 22:65535, 6667:103, 60, 288:2, 291, 62532:2, [] MAC_Src: 00:0E:39:E0:94:00 0->0 (08:20:33.000 PST) 208.1.60.115 (08:22:03.001 PST) event=777:7777005 {tcp} E5[bh] Detected intense non-malware port scanning of 30 IPs (8 /24s) (# pkts S/M/O/I=0/0/65535/4): 22:65535, 6667:105, 60, 288:2, 291, 62532:2, [] MAC_Src: 00:0E:39:E0:94:00 0->0 (08:22:03.001 PST) OUTBOUND SCAN 208.1.60.115 (08:19:04.872 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 50673->22 (08:19:04.872 PST) 208.5.247.100 (08:19:05.224 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 39743->22 (08:19:05.224 PST) 208.5.250.20 (08:19:05.222 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 36180->22 (08:19:05.222 PST) 208.1.140.202 (08:19:04.785 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 46168->22 (08:19:04.785 PST) 208.4.212.250 (08:19:05.022 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 33562->22 (08:19:05.022 PST) 208.5.247.128 (08:19:05.224 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 37813->22 (08:19:05.224 PST) 208.4.189.219 (08:19:04.967 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 51909->22 (08:19:04.967 PST) 208.1.140.155 (08:19:04.682 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 
00:0E:39:E0:94:00 56598->22 (08:19:04.682 PST) 208.1.140.178 (08:19:04.566 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 44790->22 (08:19:04.566 PST) 208.5.247.89 (08:19:05.223 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 40321->22 (08:19:05.223 PST) 208.2.67.127 (08:19:05.199 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 42212->22 (08:19:05.199 PST) 208.2.159.19 (08:19:04.457 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 49721->22 (08:19:04.457 PST) 208.5.247.134 (08:19:05.225 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 43673->22 (08:19:05.225 PST) 208.5.247.111 (08:19:05.224 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 39306->22 (08:19:05.224 PST) 208.5.247.118 (08:19:05.224 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 41847->22 (08:19:05.224 PST) 208.5.250.39 (08:19:05.223 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 39542->22 (08:19:05.223 PST) 208.1.140.37 (08:19:04.718 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 35569->22 (08:19:04.718 PST) ATTACK PREP PEER COORDINATION DECLARE BOT tcpslice 1257178744.457 1257178744.458 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.151' ============================== SEPARATOR ================================ Infected Target: 192.168.1.151 Score: 0.8 (>= 0.8) Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 11/02/2009 08:23:04.460 PST Gen. 
Time: 11/02/2009 08:23:33.007 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) 208.1.140.202 (08:23:33.007 PST) event=777:7777005 {tcp} E5[bh] Detected intense non-malware port scanning of 30 IPs (8 /24s) (# pkts S/M/O/I=0/0/65535/4): 22:65535, 6667:107, 60, 288:2, 291, 62532:2, [] MAC_Src: 00:0E:39:E0:94:00 0->0 (08:23:33.007 PST) OUTBOUND SCAN 208.6.180.71 (08:23:04.506 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 42805->22 (08:23:04.506 PST) 208.6.190.25 (08:23:04.514 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 33626->22 (08:23:04.514 PST) 208.6.189.235 (08:23:04.485 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 52016->22 (08:23:04.485 PST) 208.6.190.17 (08:23:04.508 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 55420->22 (08:23:04.508 PST) 208.6.189.181 (08:23:04.463 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 35816->22 (08:23:04.463 PST) 208.6.189.242 (08:23:04.485 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 40717->22 (08:23:04.485 PST) 208.6.190.0 (08:23:04.489 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 45526->22 (08:23:04.489 PST) 208.6.190.30 (08:23:04.515 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 54067->22 (08:23:04.515 PST) 208.6.180.60 (08:23:04.505 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 54425->22 (08:23:04.505 PST) 208.6.190.22 (08:23:04.511 PST) event=1:2001219 {tcp} E5[rb] 
ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 44176->22 (08:23:04.511 PST) 208.5.87.232 (08:23:04.477 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 51267->22 (08:23:04.477 PST) 208.6.189.193 (08:23:04.466 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 58293->22 (08:23:04.466 PST) 208.6.190.44 (08:23:04.517 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 45521->22 (08:23:04.517 PST) 208.6.189.223 (2) (08:23:04.480 PST) event=1:2001219 (2) {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 41465->22 (08:23:04.480 PST) 41465->22 (08:23:04.481 PST) 208.6.189.177 (08:23:04.460 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 33289->22 (08:23:04.460 PST) 208.6.189.199 (08:23:04.471 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 35592->22 (08:23:04.471 PST) ATTACK PREP PEER COORDINATION DECLARE BOT tcpslice 1257178984.460 1257178984.461 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.151' ============================== SEPARATOR ================================ Infected Target: 192.168.1.151 Score: 0.8 (>= 0.8) Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 11/02/2009 08:23:04.460 PST Gen. 
Time: 11/02/2009 08:27:04.475 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) 208.5.216.39 (08:26:33.001 PST) event=777:7777005 {tcp} E5[bh] Detected intense non-malware port scanning of 30 IPs (9 /24s) (# pkts S/M/O/I=0/0/65535/4): 22:65535, 6667:111, 60, 288:2, 291, 62532:2, [] MAC_Src: 00:0E:39:E0:94:00 0->0 (08:26:33.001 PST) 208.1.140.199 (08:25:03.001 PST) event=777:7777005 {tcp} E5[bh] Detected intense non-malware port scanning of 30 IPs (8 /24s) (# pkts S/M/O/I=0/0/65535/4): 22:65535, 6667:111, 60, 288:2, 291, 62532:2, [] MAC_Src: 00:0E:39:E0:94:00 0->0 (08:25:03.001 PST) 208.1.140.202 (08:23:33.007 PST) event=777:7777005 {tcp} E5[bh] Detected intense non-malware port scanning of 30 IPs (8 /24s) (# pkts S/M/O/I=0/0/65535/4): 22:65535, 6667:107, 60, 288:2, 291, 62532:2, [] MAC_Src: 00:0E:39:E0:94:00 0->0 (08:23:33.007 PST) OUTBOUND SCAN 208.6.180.71 (08:23:04.506 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 42805->22 (08:23:04.506 PST) 208.6.190.25 (08:23:04.514 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 33626->22 (08:23:04.514 PST) 208.6.189.235 (08:23:04.485 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 52016->22 (08:23:04.485 PST) 208.6.190.17 (08:23:04.508 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 55420->22 (08:23:04.508 PST) 208.6.189.181 (08:23:04.463 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 35816->22 (08:23:04.463 PST) 208.6.189.242 (08:23:04.485 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 40717->22 (08:23:04.485 PST) 208.6.190.0 (08:23:04.489 PST) 
event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 45526->22 (08:23:04.489 PST) 208.6.190.30 (08:23:04.515 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 54067->22 (08:23:04.515 PST) 208.6.180.60 (08:23:04.505 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 54425->22 (08:23:04.505 PST) 208.6.190.22 (08:23:04.511 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 44176->22 (08:23:04.511 PST) 208.5.87.232 (08:23:04.477 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 51267->22 (08:23:04.477 PST) 208.6.189.193 (08:23:04.466 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 58293->22 (08:23:04.466 PST) 208.6.190.44 (08:23:04.517 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 45521->22 (08:23:04.517 PST) 208.6.189.223 (2) (08:23:04.480 PST) event=1:2001219 (2) {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 41465->22 (08:23:04.480 PST) 41465->22 (08:23:04.481 PST) 208.6.189.177 (08:23:04.460 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 33289->22 (08:23:04.460 PST) 208.6.189.199 (08:23:04.471 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 35592->22 (08:23:04.471 PST) ATTACK PREP PEER COORDINATION DECLARE BOT tcpslice 1257178984.460 1257178984.461 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.151' ============================== SEPARATOR ================================ Infected Target: 192.168.1.151 Score: 0.8 (>= 0.8) Infector List: Egg Source List: C & C List: Peer Coord. 
List: Resource List: Observed Start: 11/02/2009 08:27:04.611 PST Gen. Time: 11/02/2009 08:28:03.007 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) 208.1.140.27 (08:28:03.007 PST) event=777:7777005 {tcp} E5[bh] Detected intense non-malware port scanning of 30 IPs (8 /24s) (# pkts S/M/O/I=0/0/65535/10): 22:65535, 6667:111, 60, 288:2, 291, 62532:2, [] MAC_Src: 00:0E:39:E0:94:00 0->0 (08:28:03.007 PST) OUTBOUND SCAN 208.7.114.214 (08:27:05.206 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 50784->22 (08:27:05.206 PST) 208.7.114.160 (08:27:05.203 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 41343->22 (08:27:05.203 PST) 208.7.114.152 (08:27:05.202 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 45396->22 (08:27:05.202 PST) 208.7.114.204 (08:27:05.206 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 48843->22 (08:27:05.206 PST) 208.7.117.172 (08:27:05.203 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 60301->22 (08:27:05.203 PST) 208.1.216.136 (08:27:04.771 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 47406->22 (08:27:04.771 PST) 208.1.216.212 (08:27:04.879 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 34707->22 (08:27:04.879 PST) 208.5.112.227 (08:27:04.611 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 37442->22 (08:27:04.611 PST) 208.1.216.12 (08:27:05.074 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 55749->22 
(08:27:05.074 PST) 208.7.114.187 (08:27:05.204 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 52411->22 (08:27:05.204 PST) 208.5.87.232 (08:27:04.674 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 34921->22 (08:27:04.674 PST) 208.1.27.218 (08:27:04.793 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 42409->22 (08:27:04.793 PST) 208.7.114.224 (08:27:05.207 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 52291->22 (08:27:05.207 PST) 208.7.114.193 (08:27:05.206 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 50709->22 (08:27:05.206 PST) 208.7.114.177 (08:27:05.204 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 57223->22 (08:27:05.204 PST) 208.1.140.37 (08:27:05.198 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 46504->22 (08:27:05.198 PST) 208.1.140.152 (08:27:04.951 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 42069->22 (08:27:04.951 PST) ATTACK PREP PEER COORDINATION DECLARE BOT tcpslice 1257179224.611 1257179224.612 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.151' ============================== SEPARATOR ================================ Infected Target: 192.168.1.151 Score: 0.8 (>= 0.8) Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 11/02/2009 08:27:04.611 PST Gen. 
Time: 11/02/2009 08:31:04.626 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) 208.5.100.23 (08:29:33.002 PST) event=777:7777005 {tcp} E5[bh] Detected intense non-malware port scanning of 30 IPs (9 /24s) (# pkts S/M/O/I=0/0/65535/10): 22:65535, 6667:113, 60, 288:2, 291, 62532:2, [] MAC_Src: 00:0E:39:E0:94:00 0->0 (08:29:33.002 PST) 208.1.140.27 (08:28:03.007 PST) event=777:7777005 {tcp} E5[bh] Detected intense non-malware port scanning of 30 IPs (8 /24s) (# pkts S/M/O/I=0/0/65535/10): 22:65535, 6667:111, 60, 288:2, 291, 62532:2, [] MAC_Src: 00:0E:39:E0:94:00 0->0 (08:28:03.007 PST) 208.5.125.167 (08:31:03.016 PST) event=777:7777005 {tcp} E5[bh] Detected intense non-malware port scanning of 30 IPs (9 /24s) (# pkts S/M/O/I=0/0/65535/10): 22:65535, 6667:115, 60, 288:2, 291, 62532:2, [] MAC_Src: 00:0E:39:E0:94:00 0->0 (08:31:03.016 PST) OUTBOUND SCAN 208.7.114.214 (08:27:05.206 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 50784->22 (08:27:05.206 PST) 208.7.114.160 (08:27:05.203 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 41343->22 (08:27:05.203 PST) 208.7.114.152 (08:27:05.202 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 45396->22 (08:27:05.202 PST) 208.7.114.204 (08:27:05.206 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 48843->22 (08:27:05.206 PST) 208.7.117.172 (08:27:05.203 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 60301->22 (08:27:05.203 PST) 208.1.216.136 (08:27:04.771 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 47406->22 (08:27:04.771 PST) 208.1.216.212 (08:27:04.879 PST) 
event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 34707->22 (08:27:04.879 PST) 208.5.112.227 (08:27:04.611 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 37442->22 (08:27:04.611 PST) 208.1.216.12 (08:27:05.074 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 55749->22 (08:27:05.074 PST) 208.7.114.187 (08:27:05.204 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 52411->22 (08:27:05.204 PST) 208.5.87.232 (08:27:04.674 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 34921->22 (08:27:04.674 PST) 208.1.27.218 (08:27:04.793 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 42409->22 (08:27:04.793 PST) 208.7.114.224 (08:27:05.207 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 52291->22 (08:27:05.207 PST) 208.7.114.193 (08:27:05.206 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 50709->22 (08:27:05.206 PST) 208.7.114.177 (08:27:05.204 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 57223->22 (08:27:05.204 PST) 208.1.140.37 (08:27:05.198 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 46504->22 (08:27:05.198 PST) 208.1.140.152 (08:27:04.951 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 42069->22 (08:27:04.951 PST) ATTACK PREP PEER COORDINATION DECLARE BOT tcpslice 1257179224.611 1257179224.612 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.151' ============================== SEPARATOR 
================================ Infected Target: 192.168.1.151 Score: 0.8 (>= 0.8) Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 11/02/2009 08:31:04.691 PST Gen. Time: 11/02/2009 08:32:33.004 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) 208.1.60.115 (08:32:33.004 PST) event=777:7777005 {tcp} E5[bh] Detected intense non-malware port scanning of 30 IPs (8 /24s) (# pkts S/M/O/I=0/0/65535/10): 22:65535, 6667:115, 60, 288:2, 291, 62532:2, [] MAC_Src: 00:0E:39:E0:94:00 0->0 (08:32:33.004 PST) OUTBOUND SCAN 208.8.47.45 (08:31:05.203 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 37424->22 (08:31:05.203 PST) 208.1.216.7 (08:31:04.787 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 38076->22 (08:31:04.787 PST) 208.8.47.205 (08:31:05.204 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 55175->22 (08:31:05.204 PST) 208.8.47.97 (08:31:05.202 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 53460->22 (08:31:05.202 PST) 208.1.216.136 (08:31:05.117 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 36953->22 (08:31:05.117 PST) 208.0.147.68 (08:31:04.898 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 40776->22 (08:31:04.898 PST) 208.8.47.80 (08:31:05.201 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 42074->22 (08:31:05.201 PST) 208.8.47.187 (08:31:05.203 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 60400->22 (08:31:05.203 PST) 208.0.204.41 
(08:31:04.691 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 42715->22 (08:31:04.691 PST) 208.8.47.133 (08:31:05.202 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 42225->22 (08:31:05.202 PST) 208.1.216.172 (08:31:05.172 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 42503->22 (08:31:05.172 PST) 208.8.47.33 (08:31:05.200 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 36505->22 (08:31:05.200 PST) 208.8.47.47 (08:31:05.203 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 33655->22 (08:31:05.203 PST) 208.1.140.199 (08:31:05.032 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 58013->22 (08:31:05.032 PST) 208.8.47.223 (08:31:05.204 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 59995->22 (08:31:05.204 PST) 208.8.47.62 (08:31:05.201 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 56773->22 (08:31:05.201 PST) 208.8.47.115 (08:31:05.202 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 33561->22 (08:31:05.202 PST) ATTACK PREP PEER COORDINATION DECLARE BOT tcpslice 1257179464.691 1257179464.692 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.151' ============================== SEPARATOR ================================ Infected Target: 192.168.1.151 Score: 0.8 (>= 0.8) Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 11/02/2009 08:31:04.691 PST Gen. 
Time: 11/02/2009 08:35:04.737 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) 208.1.60.115 (08:32:33.004 PST) event=777:7777005 {tcp} E5[bh] Detected intense non-malware port scanning of 30 IPs (8 /24s) (# pkts S/M/O/I=0/0/65535/10): 22:65535, 6667:115, 60, 288:2, 291, 62532:2, [] MAC_Src: 00:0E:39:E0:94:00 0->0 (08:32:33.004 PST) 208.4.181.29 (08:34:03.000 PST) event=777:7777005 {tcp} E5[bh] Detected intense non-malware port scanning of 30 IPs (9 /24s) (# pkts S/M/O/I=0/0/65535/10): 22:65535, 6667:119, 60, 288:2, 291, 62532:2, [] MAC_Src: 00:0E:39:E0:94:00 0->0 (08:34:03.000 PST) OUTBOUND SCAN 208.8.47.45 (08:31:05.203 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 37424->22 (08:31:05.203 PST) 208.1.216.7 (08:31:04.787 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 38076->22 (08:31:04.787 PST) 208.8.47.205 (08:31:05.204 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 55175->22 (08:31:05.204 PST) 208.8.47.97 (08:31:05.202 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 53460->22 (08:31:05.202 PST) 208.1.216.136 (08:31:05.117 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 36953->22 (08:31:05.117 PST) 208.0.147.68 (08:31:04.898 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 40776->22 (08:31:04.898 PST) 208.8.47.80 (08:31:05.201 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 42074->22 (08:31:05.201 PST) 208.8.47.187 (08:31:05.203 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 
60400->22 (08:31:05.203 PST) 208.0.204.41 (08:31:04.691 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 42715->22 (08:31:04.691 PST) 208.8.47.133 (08:31:05.202 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 42225->22 (08:31:05.202 PST) 208.1.216.172 (08:31:05.172 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 42503->22 (08:31:05.172 PST) 208.8.47.33 (08:31:05.200 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 36505->22 (08:31:05.200 PST) 208.8.47.47 (08:31:05.203 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 33655->22 (08:31:05.203 PST) 208.1.140.199 (08:31:05.032 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 58013->22 (08:31:05.032 PST) 208.8.47.223 (08:31:05.204 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 59995->22 (08:31:05.204 PST) 208.8.47.62 (08:31:05.201 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 56773->22 (08:31:05.201 PST) 208.8.47.115 (08:31:05.202 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 33561->22 (08:31:05.202 PST) ATTACK PREP PEER COORDINATION DECLARE BOT tcpslice 1257179464.691 1257179464.692 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.151' ============================== SEPARATOR ================================ Infected Target: 192.168.1.151 Score: 0.8 (>= 0.8) Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 11/02/2009 08:35:04.799 PST Gen. 
Time: 11/02/2009 08:35:33.000 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) 208.2.210.104 (08:35:33.000 PST) event=777:7777005 {tcp} E5[bh] Detected intense non-malware port scanning of 30 IPs (8 /24s) (# pkts S/M/O/I=0/0/65535/10): 22:65535, 6667:121, 60, 288:2, 291, 62532:2, [] MAC_Src: 00:0E:39:E0:94:00 0->0 (08:35:33.000 PST) OUTBOUND SCAN 208.8.237.227 (08:35:05.189 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 42694->22 (08:35:05.189 PST) 208.8.237.242 (08:35:05.192 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 43293->22 (08:35:05.192 PST) 208.8.238.78 (08:35:05.191 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 52065->22 (08:35:05.191 PST) 208.8.238.185 (08:35:05.193 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 43554->22 (08:35:05.193 PST) 208.8.238.131 (08:35:05.192 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 40971->22 (08:35:05.192 PST) 208.8.237.57 (08:35:05.183 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 44961->22 (08:35:05.183 PST) 208.8.238.8 (08:35:05.189 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 51762->22 (08:35:05.189 PST) 208.8.238.168 (08:35:05.193 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 37656->22 (08:35:05.193 PST) 208.8.238.114 (08:35:05.192 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 46223->22 (08:35:05.192 PST) 208.8.237.231 (08:35:05.190 PST) event=1:2001219 {tcp} 
E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 43402->22 (08:35:05.190 PST) 208.1.27.218 (08:35:05.072 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 34368->22 (08:35:05.072 PST) 208.0.204.10 (08:35:04.799 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 57248->22 (08:35:04.799 PST) 208.8.237.245 (08:35:05.189 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 55654->22 (08:35:05.189 PST) 208.8.238.96 (08:35:05.191 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 55155->22 (08:35:05.191 PST) 208.1.140.200 (08:35:04.910 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 58599->22 (08:35:04.910 PST) 208.8.238.42 (08:35:05.190 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 47951->22 (08:35:05.190 PST) 208.8.238.25 (08:35:05.190 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 60546->22 (08:35:05.190 PST) ATTACK PREP PEER COORDINATION DECLARE BOT tcpslice 1257179704.799 1257179704.800 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.151' ============================== SEPARATOR ================================ Infected Target: 192.168.1.151 Score: 1.6 (>= 0.8) Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 11/02/2009 08:35:04.799 PST Gen. 
Time: 11/02/2009 08:39:04.836 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) 208.6.238.10 (08:38:33.001 PST) event=777:7777005 {tcp} E5[bh] Detected intense non-malware port scanning of 30 IPs (9 /24s) (# pkts S/M/O/I=0/0/65535/10): 22:65535, 6667:125, 60, 288:2, 291, 62532:2, [] MAC_Src: 00:0E:39:E0:94:00 0->0 (08:38:33.001 PST) 208.2.210.104 (08:35:33.000 PST) event=777:7777005 {tcp} E5[bh] Detected intense non-malware port scanning of 30 IPs (8 /24s) (# pkts S/M/O/I=0/0/65535/10): 22:65535, 6667:121, 60, 288:2, 291, 62532:2, [] MAC_Src: 00:0E:39:E0:94:00 0->0 (08:35:33.000 PST) 208.8.94.1 (08:37:03.006 PST) event=777:7777005 {tcp} E5[bh] Detected intense non-malware port scanning of 30 IPs (9 /24s) (# pkts S/M/O/I=0/0/65535/10): 22:65535, 6667:121, 60, 288:2, 291, 62532:2, [] MAC_Src: 00:0E:39:E0:94:00 0->0 (08:37:03.006 PST) OUTBOUND SCAN 208.8.237.227 (08:35:05.189 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 42694->22 (08:35:05.189 PST) 208.8.237.242 (08:35:05.192 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 43293->22 (08:35:05.192 PST) 208.8.238.78 (08:35:05.191 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 52065->22 (08:35:05.191 PST) 208.8.238.185 (08:35:05.193 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 43554->22 (08:35:05.193 PST) 208.8.238.131 (08:35:05.192 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 40971->22 (08:35:05.192 PST) 208.8.237.57 (08:35:05.183 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 44961->22 (08:35:05.183 PST) 208.8.238.8 (08:35:05.189 PST) 
event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 51762->22 (08:35:05.189 PST) 208.8.238.168 (08:35:05.193 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 37656->22 (08:35:05.193 PST) 208.8.238.114 (08:35:05.192 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 46223->22 (08:35:05.192 PST) 208.8.237.231 (08:35:05.190 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 43402->22 (08:35:05.190 PST) 208.1.27.218 (08:35:05.072 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 34368->22 (08:35:05.072 PST) 208.0.204.10 (08:35:04.799 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 57248->22 (08:35:04.799 PST) 208.8.237.245 (08:35:05.189 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 55654->22 (08:35:05.189 PST) 208.8.238.96 (08:35:05.191 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 55155->22 (08:35:05.191 PST) 208.1.140.200 (08:35:04.910 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 58599->22 (08:35:04.910 PST) 208.8.238.42 (08:35:05.190 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 47951->22 (08:35:05.190 PST) 208.8.238.25 (08:35:05.190 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 60546->22 (08:35:05.190 PST) ATTACK PREP PEER COORDINATION DECLARE BOT 208.9.98.208 (08:37:44.185 PST) event=1:3810005 {tcp} E8[rb] ET ShadowServer confirmed botnet control server, [] MAC_Src: 00:0E:39:E0:94:00 44884->22 (08:37:44.185 PST) tcpslice 
1257179704.799 1257179704.800 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.151'

============================== SEPARATOR ================================

Infected Target: 192.168.1.151
Score: 0.8 (>= 0.8)
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 11/02/2009 08:39:04.959 PST
Gen. Time: 11/02/2009 08:40:03.011 PST

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE

OUTBOUND SCAN (spp)
208.6.232.32 (08:40:03.011 PST) event=777:7777005 {tcp} E5[bh] Detected intense non-malware port scanning of 30 IPs (9 /24s) (# pkts S/M/O/I=0/0/65535/10): 22:65535, 6667:129, 60, 288:2, 291, 62532:2, [] MAC_Src: 00:0E:39:E0:94:00 0->0 (08:40:03.011 PST)

OUTBOUND SCAN
208.9.161.70 (08:39:05.177 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 41943->22 (08:39:05.177 PST)
208.9.164.84 (08:39:05.174 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 37166->22 (08:39:05.174 PST)
208.1.140.28 (08:39:06.063 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 53979->22 (08:39:06.063 PST)
208.7.9.152 (08:39:05.601 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 51327->22 (08:39:05.601 PST)
208.9.161.76 (08:39:06.174 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 34004->22 (08:39:06.174 PST)
208.5.214.98 (08:39:06.150 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 47491->22 (08:39:06.150 PST)
208.9.164.97 (08:39:05.175 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 34878->22 (08:39:05.175 PST)
208.2.204.193 (08:39:05.563 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 48406->22 (08:39:05.563 PST)
208.9.161.89 (08:39:06.174 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 56952->22 (08:39:06.174 PST)
208.1.140.201 (08:39:05.463 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 38338->22 (08:39:05.463 PST)
208.1.140.40 (08:39:05.294 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 55646->22 (08:39:05.294 PST)
208.5.209.4 (08:39:05.339 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 39715->22 (08:39:05.339 PST)
208.1.140.47 (08:39:05.887 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 40083->22 (08:39:05.887 PST)
208.5.144.14 (08:39:05.999 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 58077->22 (08:39:05.999 PST)
208.0.17.201 (08:39:05.749 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 33539->22 (08:39:05.749 PST)
208.0.226.126 (08:39:04.959 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 38242->22 (08:39:04.959 PST)
208.6.248.21 (08:39:05.086 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 54063->22 (08:39:05.086 PST)

ATTACK PREP
PEER COORDINATION
DECLARE BOT

tcpslice 1257179944.959 1257179944.960 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.151'

============================== SEPARATOR ================================

Infected Target: 192.168.1.151
Score: 0.8 (>= 0.8)
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 11/02/2009 08:39:04.959 PST
Gen. Time: 11/02/2009 08:43:05.032 PST

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE

OUTBOUND SCAN (spp)
208.6.232.32 (08:40:03.011 PST) event=777:7777005 {tcp} E5[bh] Detected intense non-malware port scanning of 30 IPs (9 /24s) (# pkts S/M/O/I=0/0/65535/10): 22:65535, 6667:129, 60, 288:2, 291, 62532:2, [] MAC_Src: 00:0E:39:E0:94:00 0->0 (08:40:03.011 PST)
208.7.95.158 (08:41:33.005 PST) event=777:7777005 {tcp} E5[bh] Detected intense non-malware port scanning of 30 IPs (9 /24s) (# pkts S/M/O/I=0/0/65535/10): 22:65535, 6667:131, 60, 288:2, 291, 62532:2, [] MAC_Src: 00:0E:39:E0:94:00 0->0 (08:41:33.005 PST)
208.0.65.65 (08:43:03.000 PST) event=777:7777005 {tcp} E5[bh] Detected intense non-malware port scanning of 30 IPs (9 /24s) (# pkts S/M/O/I=0/0/65535/10): 22:65535, 6667:133, 60, 288:2, 291, 62532:2, [] MAC_Src: 00:0E:39:E0:94:00 0->0 (08:43:03.000 PST)

OUTBOUND SCAN
208.9.161.70 (08:39:05.177 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 41943->22 (08:39:05.177 PST)
208.9.164.84 (08:39:05.174 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 37166->22 (08:39:05.174 PST)
208.1.140.28 (08:39:06.063 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 53979->22 (08:39:06.063 PST)
208.7.9.152 (08:39:05.601 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 51327->22 (08:39:05.601 PST)
208.9.161.76 (08:39:06.174 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 34004->22 (08:39:06.174 PST)
208.5.214.98 (08:39:06.150 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 47491->22 (08:39:06.150 PST)
208.9.164.97 (08:39:05.175 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 34878->22 (08:39:05.175 PST)
208.2.204.193 (08:39:05.563 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 48406->22 (08:39:05.563 PST)
208.9.161.89 (08:39:06.174 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 56952->22 (08:39:06.174 PST)
208.1.140.201 (08:39:05.463 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 38338->22 (08:39:05.463 PST)
208.1.140.40 (08:39:05.294 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 55646->22 (08:39:05.294 PST)
208.5.209.4 (08:39:05.339 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 39715->22 (08:39:05.339 PST)
208.1.140.47 (08:39:05.887 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 40083->22 (08:39:05.887 PST)
208.5.144.14 (08:39:05.999 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 58077->22 (08:39:05.999 PST)
208.0.17.201 (08:39:05.749 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 33539->22 (08:39:05.749 PST)
208.0.226.126 (08:39:04.959 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 38242->22 (08:39:04.959 PST)
208.6.248.21 (08:39:05.086 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 54063->22 (08:39:05.086 PST)

ATTACK PREP
PEER COORDINATION
DECLARE BOT

tcpslice 1257179944.959 1257179944.960 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.151'

============================== SEPARATOR ================================

Infected Target: 192.168.1.151
Score: 0.8 (>= 0.8)
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 11/02/2009 08:43:05.041 PST
Gen. Time: 11/02/2009 08:44:33.002 PST

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE

OUTBOUND SCAN (spp)
208.0.65.65 (08:44:33.002 PST) event=777:7777005 {tcp} E5[bh] Detected intense non-malware port scanning of 30 IPs (9 /24s) (# pkts S/M/O/I=0/0/65535/10): 22:65535, 6667:137, 60, 288:2, 291, 62532:2, [] MAC_Src: 00:0E:39:E0:94:00 0->0 (08:44:33.002 PST)

OUTBOUND SCAN
208.10.83.65 (08:43:05.171 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 51664->22 (08:43:05.171 PST)
208.10.82.213 (08:43:05.169 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 45241->22 (08:43:05.169 PST)
208.10.85.219 (08:43:05.166 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 53246->22 (08:43:05.166 PST)
208.10.83.48 (08:43:05.171 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 33380->22 (08:43:05.171 PST)
208.1.140.42 (08:43:05.124 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 35731->22 (08:43:05.124 PST)
208.10.83.24 (08:43:05.170 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 60535->22 (08:43:05.170 PST)
208.10.83.15 (08:43:05.170 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 56619->22 (08:43:05.170 PST)
208.10.82.240 (08:43:05.170 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 44977->22 (08:43:05.170 PST)
208.10.83.75 (08:43:05.171 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 40756->22 (08:43:05.171 PST)
208.10.83.59 (08:43:05.171 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 50949->22 (08:43:05.171 PST)
208.10.83.5 (08:43:05.170 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 53352->22 (08:43:05.170 PST)
208.10.82.253 (08:43:05.170 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 37898->22 (08:43:05.170 PST)
208.10.82.207 (08:43:05.168 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 42592->22 (08:43:05.168 PST)
208.5.125.215 (08:43:05.041 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 46838->22 (08:43:05.041 PST)
208.10.82.230 (08:43:05.169 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 48066->22 (08:43:05.169 PST)
208.10.83.35 (08:43:05.171 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 55661->22 (08:43:05.171 PST)
208.10.82.222 (08:43:05.169 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 41625->22 (08:43:05.169 PST)

ATTACK PREP
PEER COORDINATION
DECLARE BOT

tcpslice 1257180185.041 1257180185.042 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.151'

============================== SEPARATOR ================================

Infected Target: 192.168.1.151
Score: 0.8 (>= 0.8)
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 11/02/2009 08:43:05.041 PST
Gen. Time: 11/02/2009 08:47:05.043 PST

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE

OUTBOUND SCAN (spp)
208.0.65.65 (08:44:33.002 PST) event=777:7777005 {tcp} E5[bh] Detected intense non-malware port scanning of 30 IPs (9 /24s) (# pkts S/M/O/I=0/0/65535/10): 22:65535, 6667:137, 60, 288:2, 291, 62532:2, [] MAC_Src: 00:0E:39:E0:94:00 0->0 (08:44:33.002 PST)
208.0.147.68 (08:46:03.003 PST) event=777:7777005 {tcp} E5[bh] Detected intense non-malware port scanning of 30 IPs (9 /24s) (# pkts S/M/O/I=0/0/65535/10): 22:65535, 6667:141, 60, 288:2, 291, 62532:2, [] MAC_Src: 00:0E:39:E0:94:00 0->0 (08:46:03.003 PST)

OUTBOUND SCAN
208.10.83.65 (08:43:05.171 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 51664->22 (08:43:05.171 PST)
208.10.82.213 (08:43:05.169 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 45241->22 (08:43:05.169 PST)
208.10.85.219 (08:43:05.166 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 53246->22 (08:43:05.166 PST)
208.10.83.48 (08:43:05.171 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 33380->22 (08:43:05.171 PST)
208.1.140.42 (08:43:05.124 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 35731->22 (08:43:05.124 PST)
208.10.83.24 (08:43:05.170 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 60535->22 (08:43:05.170 PST)
208.10.83.15 (08:43:05.170 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 56619->22 (08:43:05.170 PST)
208.10.82.240 (08:43:05.170 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 44977->22 (08:43:05.170 PST)
208.10.83.75 (08:43:05.171 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 40756->22 (08:43:05.171 PST)
208.10.83.59 (08:43:05.171 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 50949->22 (08:43:05.171 PST)
208.10.83.5 (08:43:05.170 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 53352->22 (08:43:05.170 PST)
208.10.82.253 (08:43:05.170 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 37898->22 (08:43:05.170 PST)
208.10.82.207 (08:43:05.168 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 42592->22 (08:43:05.168 PST)
208.5.125.215 (08:43:05.041 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 46838->22 (08:43:05.041 PST)
208.10.82.230 (08:43:05.169 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 48066->22 (08:43:05.169 PST)
208.10.83.35 (08:43:05.171 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 55661->22 (08:43:05.171 PST)
208.10.82.222 (08:43:05.169 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 41625->22 (08:43:05.169 PST)

ATTACK PREP
PEER COORDINATION
DECLARE BOT

tcpslice 1257180185.041 1257180185.042 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.151'

============================== SEPARATOR ================================

Infected Target: 192.168.1.151
Score: 0.8 (>= 0.8)
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 11/02/2009 08:47:05.066 PST
Gen. Time: 11/02/2009 08:47:33.009 PST

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE

OUTBOUND SCAN (spp)
208.7.173.70 (08:47:33.009 PST) event=777:7777005 {tcp} E5[bh] Detected intense non-malware port scanning of 30 IPs (9 /24s) (# pkts S/M/O/I=0/0/65535/10): 22:65535, 6667:143, 60, 288:2, 291, 62532:2, [] MAC_Src: 00:0E:39:E0:94:00 0->0 (08:47:33.009 PST)

OUTBOUND SCAN
208.1.31.103 (08:47:05.259 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 41693->22 (08:47:05.259 PST)
208.2.153.241 (08:47:05.815 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 54563->22 (08:47:05.815 PST)
208.2.87.155 (08:47:06.012 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 60189->22 (08:47:06.012 PST)
208.10.47.249 (08:47:05.662 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 41294->22 (08:47:05.662 PST)
208.11.6.110 (08:47:05.633 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 52220->22 (08:47:05.633 PST)
208.0.30.83 (08:47:05.140 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 43687->22 (08:47:05.140 PST)
208.10.139.233 (08:47:05.585 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 59864->22 (08:47:05.585 PST)
208.0.51.35 (08:47:05.526 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 43422->22 (08:47:05.526 PST)
208.6.238.10 (08:47:05.764 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 41901->22 (08:47:05.764 PST)
208.11.6.85 (08:47:05.310 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 41909->22 (08:47:05.310 PST)
208.1.27.218 (08:47:05.923 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 59007->22 (08:47:05.923 PST)
208.1.140.201 (08:47:05.367 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 53245->22 (08:47:05.367 PST)
208.11.6.99 (08:47:05.380 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 39733->22 (08:47:05.380 PST)
208.0.204.10 (08:47:05.384 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 55644->22 (08:47:05.384 PST)
208.1.19.226 (08:47:05.434 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 39198->22 (08:47:05.434 PST)
208.7.141.241 (08:47:05.066 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 41101->22 (08:47:05.066 PST)
208.11.6.119 (08:47:05.638 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 49342->22 (08:47:05.638 PST)

ATTACK PREP
PEER COORDINATION
DECLARE BOT

tcpslice 1257180425.066 1257180425.067 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.151'

============================== SEPARATOR ================================

Infected Target: 192.168.1.151
Score: 1.6 (>= 0.8)
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 11/02/2009 08:47:05.066 PST
Gen. Time: 11/02/2009 08:51:05.146 PST

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE

OUTBOUND SCAN (spp)
208.0.51.30 (08:50:33.005 PST) event=777:7777005 {tcp} E5[bh] Detected intense non-malware port scanning of 30 IPs (9 /24s) (# pkts S/M/O/I=0/0/65535/10): 22:65535, 6667:149, 60, 288:2, 291, 62532:2, [] MAC_Src: 00:0E:39:E0:94:00 0->0 (08:50:33.005 PST)
208.7.173.70 (08:47:33.009 PST) event=777:7777005 {tcp} E5[bh] Detected intense non-malware port scanning of 30 IPs (9 /24s) (# pkts S/M/O/I=0/0/65535/10): 22:65535, 6667:143, 60, 288:2, 291, 62532:2, [] MAC_Src: 00:0E:39:E0:94:00 0->0 (08:47:33.009 PST)
208.1.90.193 (08:49:03.011 PST) event=777:7777005 {tcp} E5[bh] Detected intense non-malware port scanning of 30 IPs (9 /24s) (# pkts S/M/O/I=0/0/65535/10): 22:65535, 6667:145, 60, 288:2, 291, 62532:2, [] MAC_Src: 00:0E:39:E0:94:00 0->0 (08:49:03.011 PST)

OUTBOUND SCAN
208.1.31.103 (08:47:05.259 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 41693->22 (08:47:05.259 PST)
208.2.153.241 (08:47:05.815 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 54563->22 (08:47:05.815 PST)
208.2.87.155 (08:47:06.012 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 60189->22 (08:47:06.012 PST)
208.10.47.249 (08:47:05.662 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 41294->22 (08:47:05.662 PST)
208.11.6.110 (08:47:05.633 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 52220->22 (08:47:05.633 PST)
208.0.30.83 (08:47:05.140 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 43687->22 (08:47:05.140 PST)
208.10.139.233 (08:47:05.585 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 59864->22 (08:47:05.585 PST)
208.0.51.35 (08:47:05.526 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 43422->22 (08:47:05.526 PST)
208.6.238.10 (08:47:05.764 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 41901->22 (08:47:05.764 PST)
208.11.6.85 (08:47:05.310 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 41909->22 (08:47:05.310 PST)
208.1.27.218 (08:47:05.923 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 59007->22 (08:47:05.923 PST)
208.1.140.201 (08:47:05.367 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 53245->22 (08:47:05.367 PST)
208.11.6.99 (08:47:05.380 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 39733->22 (08:47:05.380 PST)
208.0.204.10 (08:47:05.384 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 55644->22 (08:47:05.384 PST)
208.1.19.226 (08:47:05.434 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 39198->22 (08:47:05.434 PST)
208.7.141.241 (08:47:05.066 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 41101->22 (08:47:05.066 PST)
208.11.6.119 (08:47:05.638 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 49342->22 (08:47:05.638 PST)

ATTACK PREP
PEER COORDINATION

DECLARE BOT
208.11.76.76 (2) (08:48:25.155 PST) event=1:3810003 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:0E:39:E0:94:00 38097->22 (08:48:25.155 PST)
-------------------------
event=1:3810005 {tcp} E8[rb] ET ShadowServer confirmed botnet control server, [] MAC_Src: 00:0E:39:E0:94:00 38097->22 (08:48:25.155 PST)

tcpslice 1257180425.066 1257180425.067 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.151'

============================== SEPARATOR ================================

Infected Target: 192.168.1.151
Score: 0.8 (>= 0.8)
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 11/02/2009 08:51:05.147 PST
Gen. Time: 11/02/2009 08:52:03.041 PST

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE

OUTBOUND SCAN (spp)
208.9.203.129 (08:52:03.041 PST) event=777:7777005 {tcp} E5[bh] Detected intense non-malware port scanning of 30 IPs (9 /24s) (# pkts S/M/O/I=0/0/65535/10): 22:65535, 6667:153, 60, 288:2, 291, 62532:2, [] MAC_Src: 00:0E:39:E0:94:00 0->0 (08:52:03.041 PST)

OUTBOUND SCAN
208.11.204.92 (08:51:05.149 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 55126->22 (08:51:05.149 PST)
208.11.204.130 (08:51:05.153 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 59758->22 (08:51:05.153 PST)
208.11.204.84 (08:51:05.149 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 59253->22 (08:51:05.149 PST)
208.11.207.21 (08:51:05.153 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 58292->22 (08:51:05.153 PST)
208.11.206.169 (08:51:05.149 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 47324->22 (08:51:05.149 PST)
208.11.206.161 (08:51:05.150 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 35647->22 (08:51:05.150 PST)
208.11.204.52 (08:51:05.147 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 41709->22 (08:51:05.147 PST)
208.11.204.75 (08:51:05.148 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 49136->22 (08:51:05.148 PST)
208.11.204.44 (08:51:05.147 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 37317->22 (08:51:05.147 PST)
208.11.204.112 (08:51:05.152 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 58475->22 (08:51:05.152 PST)
208.11.204.104 (08:51:05.151 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 33537->22 (08:51:05.151 PST)
208.11.206.235 (08:51:05.151 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 49241->22 (08:51:05.151 PST)
208.11.204.118 (08:51:05.152 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 58147->22 (08:51:05.152 PST)
208.11.206.250 (08:51:05.152 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 49683->22 (08:51:05.152 PST)
208.11.206.219 (08:51:05.151 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 43545->22 (08:51:05.151 PST)
208.11.204.62 (08:51:05.148 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 59389->22 (08:51:05.148 PST)
208.11.206.186 (08:51:05.149 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 34896->22 (08:51:05.149 PST)

ATTACK PREP
PEER COORDINATION
DECLARE BOT

tcpslice 1257180665.147 1257180665.148 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.151'

============================== SEPARATOR ================================

Infected Target: 192.168.1.151
Score: 0.8 (>= 0.8)
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 11/02/2009 08:51:05.147 PST
Gen. Time: 11/02/2009 08:55:05.147 PST

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE

OUTBOUND SCAN (spp)
208.1.140.50 (08:55:03.001 PST) event=777:7777005 {tcp} E5[bh] Detected intense non-malware port scanning of 30 IPs (8 /24s) (# pkts S/M/O/I=0/0/65535/10): 22:65535, 6667:153, 60, 288:2, 291, 62532:2, [] MAC_Src: 00:0E:39:E0:94:00 0->0 (08:55:03.001 PST)
208.7.173.193 (08:53:33.014 PST) event=777:7777005 {tcp} E5[bh] Detected intense non-malware port scanning of 30 IPs (9 /24s) (# pkts S/M/O/I=0/0/65535/10): 22:65535, 6667:153, 60, 288:2, 291, 62532:2, [] MAC_Src: 00:0E:39:E0:94:00 0->0 (08:53:33.014 PST)
208.9.203.129 (08:52:03.041 PST) event=777:7777005 {tcp} E5[bh] Detected intense non-malware port scanning of 30 IPs (9 /24s) (# pkts S/M/O/I=0/0/65535/10): 22:65535, 6667:153, 60, 288:2, 291, 62532:2, [] MAC_Src: 00:0E:39:E0:94:00 0->0 (08:52:03.041 PST)

OUTBOUND SCAN
208.11.204.92 (08:51:05.149 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 55126->22 (08:51:05.149 PST)
208.11.204.130 (08:51:05.153 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 59758->22 (08:51:05.153 PST)
208.11.204.84 (08:51:05.149 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 59253->22 (08:51:05.149 PST)
208.11.207.21 (08:51:05.153 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 58292->22 (08:51:05.153 PST)
208.11.206.169 (08:51:05.149 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 47324->22 (08:51:05.149 PST)
208.11.206.161 (08:51:05.150 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 35647->22 (08:51:05.150 PST)
208.11.204.52 (08:51:05.147 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 41709->22 (08:51:05.147 PST)
208.11.204.75 (08:51:05.148 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 49136->22 (08:51:05.148 PST)
208.11.204.44 (08:51:05.147 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 37317->22 (08:51:05.147 PST)
208.11.204.112 (08:51:05.152 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 58475->22 (08:51:05.152 PST)
208.11.204.104 (08:51:05.151 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 33537->22 (08:51:05.151 PST)
208.11.206.235 (08:51:05.151 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 49241->22 (08:51:05.151 PST)
208.11.204.118 (08:51:05.152 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 58147->22 (08:51:05.152 PST)
208.11.206.250 (08:51:05.152 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 49683->22 (08:51:05.152 PST)
208.11.206.219 (08:51:05.151 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 43545->22 (08:51:05.151 PST)
208.11.204.62 (08:51:05.148 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 59389->22 (08:51:05.148 PST)
208.11.206.186 (08:51:05.149 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 34896->22 (08:51:05.149 PST)

ATTACK PREP
PEER COORDINATION
DECLARE BOT

tcpslice 1257180665.147 1257180665.148 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.151'

============================== SEPARATOR ================================

Infected Target: 192.168.1.151
Score: 0.8 (>= 0.8)
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 11/02/2009 08:55:05.243 PST
Gen. Time: 11/02/2009 08:56:33.006 PST

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE

OUTBOUND SCAN (spp)
208.9.203.129 (08:56:33.006 PST) event=777:7777005 {tcp} E5[bh] Detected intense non-malware port scanning of 30 IPs (9 /24s) (# pkts S/M/O/I=0/0/65535/10): 22:65535, 6667:157, 60, 288:2, 291, 62532:2, [] MAC_Src: 00:0E:39:E0:94:00 0->0 (08:56:33.006 PST)

OUTBOUND SCAN
208.11.220.159 (08:55:06.210 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 58551->22 (08:55:06.210 PST)
208.1.60.115 (08:55:05.809 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 41101->22 (08:55:05.809 PST)
208.2.153.241 (08:55:05.751 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 49668->22 (08:55:05.751 PST)
208.11.220.58 (08:55:05.717 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 39707->22 (08:55:05.717 PST)
208.11.77.226 (08:55:06.378 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 45488->22 (08:55:06.378 PST)
208.1.140.35 (08:55:05.930 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 58159->22 (08:55:05.930 PST)
208.8.89.33 (08:55:05.413 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 35819->22 (08:55:05.413 PST)
208.1.140.50 (08:55:06.087 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 41446->22 (08:55:06.087 PST)
208.1.140.134 (08:55:05.571 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 58051->22 (08:55:05.571 PST)
208.1.0.154 (08:55:05.489 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 57629->22 (08:55:05.489 PST)
208.1.140.40 (08:55:05.889 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 46008->22 (08:55:05.889 PST)
208.1.140.200 (08:55:06.011 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 56564->22 (08:55:06.011 PST)
208.7.173.70 (08:55:05.674 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 51903->22 (08:55:05.674 PST)
208.1.140.199 (08:55:05.624 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 47958->22 (08:55:05.624 PST)
208.11.220.145 (08:55:05.333 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 40456->22 (08:55:05.333 PST)
208.1.140.45 (08:55:06.273 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 45224->22 (08:55:06.273 PST)
208.1.140.37 (08:55:05.243 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 60337->22 (08:55:05.243 PST)

ATTACK PREP
PEER COORDINATION
DECLARE BOT

tcpslice 1257180905.243 1257180905.244 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.151'

============================== SEPARATOR ================================

Infected Target: 192.168.1.151
Score: 0.8 (>= 0.8)
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 11/02/2009 08:55:05.243 PST
Gen. Time: 11/02/2009 08:59:05.243 PST

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE

OUTBOUND SCAN (spp)
208.1.140.160 (08:58:03.002 PST) event=777:7777005 {tcp} E5[bh] Detected intense non-malware port scanning of 30 IPs (8 /24s) (# pkts S/M/O/I=0/0/65535/10): 22:65535, 6667:157, 60, 288:2, 291, 62532:2, [] MAC_Src: 00:0E:39:E0:94:00 0->0 (08:58:03.002 PST)
208.9.203.129 (08:56:33.006 PST) event=777:7777005 {tcp} E5[bh] Detected intense non-malware port scanning of 30 IPs (9 /24s) (# pkts S/M/O/I=0/0/65535/10): 22:65535, 6667:157, 60, 288:2, 291, 62532:2, [] MAC_Src: 00:0E:39:E0:94:00 0->0 (08:56:33.006 PST)

OUTBOUND SCAN
208.11.220.159 (08:55:06.210 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 58551->22 (08:55:06.210 PST)
208.1.60.115 (08:55:05.809 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 41101->22 (08:55:05.809 PST)
208.2.153.241 (08:55:05.751 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 49668->22 (08:55:05.751 PST)
208.11.220.58 (08:55:05.717 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 39707->22 (08:55:05.717 PST)
208.11.77.226 (08:55:06.378 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 45488->22 (08:55:06.378 PST)
208.1.140.35 (08:55:05.930 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 58159->22 (08:55:05.930 PST)
208.8.89.33 (08:55:05.413 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 35819->22 (08:55:05.413 PST)
208.1.140.50 (08:55:06.087 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 41446->22 (08:55:06.087 PST)
208.1.140.134 (08:55:05.571 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 58051->22 (08:55:05.571 PST)
208.1.0.154 (08:55:05.489 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 57629->22 (08:55:05.489 PST)
208.1.140.40 (08:55:05.889 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 46008->22 (08:55:05.889 PST)
208.1.140.200 (08:55:06.011 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 56564->22 (08:55:06.011 PST)
208.7.173.70 (08:55:05.674 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 51903->22 (08:55:05.674 PST)
208.1.140.199 (08:55:05.624 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 47958->22 (08:55:05.624 PST)
208.11.220.145 (08:55:05.333 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 40456->22 (08:55:05.333 PST)
208.1.140.45 (08:55:06.273 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 45224->22 (08:55:06.273 PST)
208.1.140.37 (08:55:05.243 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 60337->22 (08:55:05.243 PST)

ATTACK PREP
PEER COORDINATION
DECLARE BOT

tcpslice 1257180905.243 1257180905.244 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.151'

============================== SEPARATOR ================================

Infected Target: 192.168.1.151
Score: 0.8 (>= 0.8)
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 11/02/2009 08:59:05.289 PST
Gen. Time: 11/02/2009 08:59:33.003 PST

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE

OUTBOUND SCAN (spp)
208.11.77.221 (08:59:33.003 PST) event=777:7777005 {tcp} E5[bh] Detected intense non-malware port scanning of 30 IPs (9 /24s) (# pkts S/M/O/I=0/0/65535/10): 22:65535, 6667:161, 60, 288:2, 291, 62532:2, [] MAC_Src: 00:0E:39:E0:94:00 0->0 (08:59:33.003 PST)

OUTBOUND SCAN
208.1.140.51 (08:59:05.798 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 53109->22 (08:59:05.798 PST)
208.1.140.181 (08:59:07.079 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 49973->22 (08:59:07.079 PST)
208.1.140.20 (08:59:05.964 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 51443->22 (08:59:05.964 PST)
208.1.0.156 (08:59:06.111 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 38510->22 (08:59:06.111 PST)
208.11.220.157 (08:59:07.190 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 50741->22 (08:59:07.190 PST)
208.2.67.122 (08:59:07.012 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 41052->22 (08:59:07.012 PST)
208.10.62.249 (08:59:05.444 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 39938->22 (08:59:05.444 PST)
208.7.9.151 (08:59:06.570 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 35102->22 (08:59:06.570 PST)
208.11.220.41 (08:59:06.850 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 53378->22
(08:59:06.850 PST) 208.11.220.148 (08:59:05.289 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 48995->22 (08:59:05.289 PST) 208.6.232.34 (08:59:06.516 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 47518->22 (08:59:06.516 PST) 208.6.232.33 (08:59:07.247 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 57876->22 (08:59:07.247 PST) 208.2.210.104 (08:59:06.690 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 41372->22 (08:59:06.690 PST) 208.11.220.230 (08:59:05.889 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 39260->22 (08:59:05.889 PST) 208.1.0.6 (08:59:06.381 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 47140->22 (08:59:06.381 PST) 208.11.77.221 (08:59:05.616 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 51038->22 (08:59:05.616 PST) 208.11.76.162 (08:59:06.273 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 54000->22 (08:59:06.273 PST) ATTACK PREP PEER COORDINATION DECLARE BOT tcpslice 1257181145.289 1257181145.290 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.151' ============================== SEPARATOR ================================ Infected Target: 192.168.1.151 Score: 0.8 (>= 0.8) Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 11/02/2009 08:59:05.289 PST Gen. 
Time: 11/02/2009 09:03:05.311 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) 208.7.132.225 (09:02:33.000 PST) event=777:7777005 {tcp} E5[bh] Detected intense non-malware port scanning of 30 IPs (9 /24s) (# pkts S/M/O/I=0/0/65535/10): 22:65535, 6667:165, 60, 288:2, 291, 62532:2, [] MAC_Src: 00:0E:39:E0:94:00 0->0 (09:02:33.000 PST) 208.11.77.221 (08:59:33.003 PST) event=777:7777005 {tcp} E5[bh] Detected intense non-malware port scanning of 30 IPs (9 /24s) (# pkts S/M/O/I=0/0/65535/10): 22:65535, 6667:161, 60, 288:2, 291, 62532:2, [] MAC_Src: 00:0E:39:E0:94:00 0->0 (08:59:33.003 PST) 208.1.140.51 (09:01:03.003 PST) event=777:7777005 {tcp} E5[bh] Detected intense non-malware port scanning of 30 IPs (8 /24s) (# pkts S/M/O/I=0/0/65535/10): 22:65535, 6667:161, 60, 288:2, 291, 62532:2, [] MAC_Src: 00:0E:39:E0:94:00 0->0 (09:01:03.003 PST) OUTBOUND SCAN 208.1.140.51 (08:59:05.798 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 53109->22 (08:59:05.798 PST) 208.1.140.181 (08:59:07.079 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 49973->22 (08:59:07.079 PST) 208.1.140.20 (08:59:05.964 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 51443->22 (08:59:05.964 PST) 208.1.0.156 (08:59:06.111 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 38510->22 (08:59:06.111 PST) 208.11.220.157 (08:59:07.190 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 50741->22 (08:59:07.190 PST) 208.2.67.122 (08:59:07.012 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 41052->22 (08:59:07.012 PST) 208.10.62.249 (08:59:05.444 PST) 
event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 39938->22 (08:59:05.444 PST) 208.7.9.151 (08:59:06.570 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 35102->22 (08:59:06.570 PST) 208.11.220.41 (08:59:06.850 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 53378->22 (08:59:06.850 PST) 208.11.220.148 (08:59:05.289 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 48995->22 (08:59:05.289 PST) 208.6.232.34 (08:59:06.516 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 47518->22 (08:59:06.516 PST) 208.6.232.33 (08:59:07.247 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 57876->22 (08:59:07.247 PST) 208.2.210.104 (08:59:06.690 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 41372->22 (08:59:06.690 PST) 208.11.220.230 (08:59:05.889 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 39260->22 (08:59:05.889 PST) 208.1.0.6 (08:59:06.381 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 47140->22 (08:59:06.381 PST) 208.11.77.221 (08:59:05.616 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 51038->22 (08:59:05.616 PST) 208.11.76.162 (08:59:06.273 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 54000->22 (08:59:06.273 PST) ATTACK PREP PEER COORDINATION DECLARE BOT tcpslice 1257181145.289 1257181145.290 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.151' ============================== SEPARATOR 
================================ Infected Target: 192.168.1.151 Score: 0.8 (>= 0.8) Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 11/02/2009 09:03:05.477 PST Gen. Time: 11/02/2009 09:04:03.010 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) 208.7.132.225 (09:04:03.010 PST) event=777:7777005 {tcp} E5[bh] Detected intense non-malware port scanning of 30 IPs (9 /24s) (# pkts S/M/O/I=0/0/65535/10): 22:65535, 6667:165, 60, 288:2, 291, 62532:2, [] MAC_Src: 00:0E:39:E0:94:00 0->0 (09:04:03.010 PST) OUTBOUND SCAN 208.11.220.13 (09:03:06.860 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 54405->22 (09:03:06.860 PST) 208.1.140.181 (09:03:06.784 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 47727->22 (09:03:06.784 PST) 208.11.220.149 (09:03:06.589 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 60590->22 (09:03:06.589 PST) 208.1.140.42 (09:03:06.061 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 42631->22 (09:03:06.061 PST) 208.11.220.57 (09:03:05.876 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 58366->22 (09:03:05.876 PST) 208.0.147.68 (09:03:05.965 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 34604->22 (09:03:05.965 PST) 208.4.187.19 (09:03:06.519 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 46645->22 (09:03:06.519 PST) 208.11.220.10 (09:03:06.313 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 47025->22 (09:03:06.313 PST) 
208.1.140.163 (09:03:05.678 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 34303->22 (09:03:05.678 PST) 208.10.54.179 (09:03:06.219 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 56873->22 (09:03:06.219 PST) 208.1.140.201 (09:03:07.350 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 52684->22 (09:03:07.350 PST) 208.0.204.41 (09:03:07.299 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 53038->22 (09:03:07.299 PST) 208.4.181.28 (09:03:05.567 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 60665->22 (09:03:05.567 PST) 208.0.51.24 (09:03:05.788 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 50376->22 (09:03:05.788 PST) 208.7.173.70 (09:03:06.957 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 60429->22 (09:03:06.957 PST) 208.5.100.23 (2) (09:03:05.477 PST) event=1:2001219 (2) {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 60845->22 (09:03:05.477 PST) 60985->22 (09:03:07.133 PST) ATTACK PREP PEER COORDINATION DECLARE BOT tcpslice 1257181385.477 1257181385.478 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.151' ============================== SEPARATOR ================================ Infected Target: 192.168.1.151 Score: 0.8 (>= 0.8) Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 11/02/2009 09:03:05.477 PST Gen. 
Time: 11/02/2009 09:07:05.520 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) 208.11.220.160 (09:07:03.000 PST) event=777:7777005 {tcp} E5[bh] Detected intense non-malware port scanning of 30 IPs (9 /24s) (# pkts S/M/O/I=0/0/65535/10): 22:65535, 6667:169, 60, 288:2, 291, 62532:2, [] MAC_Src: 00:0E:39:E0:94:00 0->0 (09:07:03.000 PST) 208.11.220.156 (09:05:33.002 PST) event=777:7777005 {tcp} E5[bh] Detected intense non-malware port scanning of 30 IPs (9 /24s) (# pkts S/M/O/I=0/0/65535/10): 22:65535, 6667:165, 60, 288:2, 291, 62532:2, [] MAC_Src: 00:0E:39:E0:94:00 0->0 (09:05:33.002 PST) 208.7.132.225 (09:04:03.010 PST) event=777:7777005 {tcp} E5[bh] Detected intense non-malware port scanning of 30 IPs (9 /24s) (# pkts S/M/O/I=0/0/65535/10): 22:65535, 6667:165, 60, 288:2, 291, 62532:2, [] MAC_Src: 00:0E:39:E0:94:00 0->0 (09:04:03.010 PST) OUTBOUND SCAN 208.11.220.13 (09:03:06.860 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 54405->22 (09:03:06.860 PST) 208.1.140.181 (09:03:06.784 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 47727->22 (09:03:06.784 PST) 208.11.220.149 (09:03:06.589 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 60590->22 (09:03:06.589 PST) 208.1.140.42 (09:03:06.061 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 42631->22 (09:03:06.061 PST) 208.11.220.57 (09:03:05.876 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 58366->22 (09:03:05.876 PST) 208.0.147.68 (09:03:05.965 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 34604->22 (09:03:05.965 PST) 208.4.187.19 (09:03:06.519 PST) 
event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 46645->22 (09:03:06.519 PST) 208.11.220.10 (09:03:06.313 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 47025->22 (09:03:06.313 PST) 208.1.140.163 (09:03:05.678 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 34303->22 (09:03:05.678 PST) 208.10.54.179 (09:03:06.219 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 56873->22 (09:03:06.219 PST) 208.1.140.201 (09:03:07.350 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 52684->22 (09:03:07.350 PST) 208.0.204.41 (09:03:07.299 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 53038->22 (09:03:07.299 PST) 208.4.181.28 (09:03:05.567 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 60665->22 (09:03:05.567 PST) 208.0.51.24 (09:03:05.788 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 50376->22 (09:03:05.788 PST) 208.7.173.70 (09:03:06.957 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 60429->22 (09:03:06.957 PST) 208.5.100.23 (2) (09:03:05.477 PST) event=1:2001219 (2) {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 60845->22 (09:03:05.477 PST) 60985->22 (09:03:07.133 PST) ATTACK PREP PEER COORDINATION DECLARE BOT tcpslice 1257181385.477 1257181385.478 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.151' ============================== SEPARATOR ================================ Infected Target: 192.168.1.151 Score: 0.8 (>= 0.8) Infector List: Egg Source List: C & C List: Peer Coord. 
List: Resource List: Observed Start: 11/02/2009 09:07:05.661 PST Gen. Time: 11/02/2009 09:08:33.000 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) 208.10.197.187 (09:08:33.000 PST) event=777:7777005 {tcp} E5[bh] Detected intense non-malware port scanning of 30 IPs (9 /24s) (# pkts S/M/O/I=0/0/65535/10): 22:65535, 6667:173, 60, 288:2, 291, 62532:2, [] MAC_Src: 00:0E:39:E0:94:00 0->0 (09:08:33.000 PST) OUTBOUND SCAN 208.2.153.241 (09:07:06.489 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 60410->22 (09:07:06.489 PST) 208.0.204.251 (09:07:06.631 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 52081->22 (09:07:06.631 PST) 208.1.140.35 (09:07:05.661 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 58540->22 (09:07:05.661 PST) 208.4.187.19 (09:07:05.799 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 37348->22 (09:07:05.799 PST) 208.11.220.41 (09:07:05.973 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 44680->22 (09:07:05.973 PST) 208.1.140.163 (09:07:06.316 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 40400->22 (09:07:06.316 PST) 208.1.216.19 (09:07:05.744 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 36250->22 (09:07:05.744 PST) 208.11.220.231 (09:07:06.407 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 50136->22 (09:07:06.407 PST) 208.2.210.104 (09:07:06.057 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 45715->22 
(09:07:06.057 PST) 208.11.220.146 (09:07:06.513 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 34967->22 (09:07:06.513 PST) 208.5.144.14 (09:07:06.249 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 33492->22 (09:07:06.249 PST) 208.1.104.193 (09:07:06.192 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 52377->22 (09:07:06.192 PST) 208.11.220.15 (09:07:06.552 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 45053->22 (09:07:06.552 PST) 208.2.84.113 (09:07:05.945 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 58092->22 (09:07:05.945 PST) 208.11.220.30 (09:07:06.681 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 38818->22 (09:07:06.681 PST) 208.11.174.145 (09:07:06.437 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 38713->22 (09:07:06.437 PST) 208.11.220.213 (09:07:05.863 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 39225->22 (09:07:05.863 PST) ATTACK PREP PEER COORDINATION DECLARE BOT tcpslice 1257181625.661 1257181625.662 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.151' ============================== SEPARATOR ================================ Infected Target: 192.168.1.151 Score: 0.8 (>= 0.8) Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 11/02/2009 09:07:05.661 PST Gen. 
Time: 11/02/2009 09:11:05.669 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) 208.10.6.132 (09:10:03.001 PST) event=777:7777005 {tcp} E5[bh] Detected intense non-malware port scanning of 30 IPs (9 /24s) (# pkts S/M/O/I=0/0/65535/10): 22:65535, 6667:175, 60, 288:2, 291, 62532:2, [] MAC_Src: 00:0E:39:E0:94:00 0->0 (09:10:03.001 PST) 208.7.173.70 (09:10:28.241 PST) event=777:7777005 {tcp} E5[bh] Detected intense non-malware port scanning of 21 IPs (15 /24s) (# pkts S/M/O/I=0/0/41/0): 22:41, [] MAC_Src: 00:0E:39:E0:94:00 0->0 (09:10:28.241 PST) 208.10.197.187 (09:08:33.000 PST) event=777:7777005 {tcp} E5[bh] Detected intense non-malware port scanning of 30 IPs (9 /24s) (# pkts S/M/O/I=0/0/65535/10): 22:65535, 6667:173, 60, 288:2, 291, 62532:2, [] MAC_Src: 00:0E:39:E0:94:00 0->0 (09:08:33.000 PST) OUTBOUND SCAN 208.2.153.241 (09:07:06.489 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 60410->22 (09:07:06.489 PST) 208.0.204.251 (09:07:06.631 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 52081->22 (09:07:06.631 PST) 208.1.140.35 (09:07:05.661 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 58540->22 (09:07:05.661 PST) 208.4.187.19 (09:07:05.799 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 37348->22 (09:07:05.799 PST) 208.11.220.41 (09:07:05.973 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 44680->22 (09:07:05.973 PST) 208.1.140.163 (09:07:06.316 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 40400->22 (09:07:06.316 PST) 208.1.216.19 (09:07:05.744 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential 
SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 36250->22 (09:07:05.744 PST) 208.11.220.231 (09:07:06.407 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 50136->22 (09:07:06.407 PST) 208.2.210.104 (09:07:06.057 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 45715->22 (09:07:06.057 PST) 208.11.220.146 (09:07:06.513 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 34967->22 (09:07:06.513 PST) 208.5.144.14 (09:07:06.249 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 33492->22 (09:07:06.249 PST) 208.1.104.193 (09:07:06.192 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 52377->22 (09:07:06.192 PST) 208.11.220.15 (09:07:06.552 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 45053->22 (09:07:06.552 PST) 208.2.84.113 (09:07:05.945 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 58092->22 (09:07:05.945 PST) 208.11.220.30 (09:07:06.681 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 38818->22 (09:07:06.681 PST) 208.11.174.145 (09:07:06.437 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 38713->22 (09:07:06.437 PST) 208.11.220.213 (09:07:05.863 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 39225->22 (09:07:05.863 PST) ATTACK PREP PEER COORDINATION DECLARE BOT tcpslice 1257181625.661 1257181625.662 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.151' ============================== SEPARATOR ================================ Infected Target: 192.168.1.151 Score: 
0.8 (>= 0.8) Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 11/02/2009 09:11:05.732 PST Gen. Time: 11/02/2009 09:11:58.006 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) 208.1.0.6 (09:11:58.006 PST) event=777:7777005 {tcp} E5[bh] Detected intense non-malware port scanning of 30 IPs (20 /24s) (# pkts S/M/O/I=0/0/31715/0): 22:31715, [] MAC_Src: 00:0E:39:E0:94:00 0->0 (09:11:58.006 PST) OUTBOUND SCAN 208.11.77.220 (09:11:07.788 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 33649->22 (09:11:07.788 PST) 208.11.220.165 (09:11:05.966 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 33700->22 (09:11:05.966 PST) 208.11.220.95 (09:11:06.570 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 54798->22 (09:11:06.570 PST) 208.11.77.225 (09:11:06.498 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 37063->22 (09:11:06.498 PST) 208.11.220.41 (09:11:05.848 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 44215->22 (09:11:05.848 PST) 208.7.141.145 (09:11:07.434 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 54766->22 (09:11:07.434 PST) 208.11.220.10 (09:11:05.938 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 50094->22 (09:11:05.938 PST) 208.11.220.155 (09:11:06.029 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 37993->22 (09:11:06.029 PST) 208.10.54.179 (09:11:06.127 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] 
MAC_Src: 00:A0:8E:BB:59:15 47687->22 (09:11:06.127 PST) 208.10.6.131 (09:11:06.987 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 35543->22 (09:11:06.987 PST) 208.11.220.231 (09:11:07.585 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 49751->22 (09:11:07.585 PST) 208.1.90.113 (09:11:05.732 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 35274->22 (09:11:05.732 PST) 208.11.220.85 (09:11:06.832 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 60811->22 (09:11:06.832 PST) 208.1.104.193 (09:11:06.719 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 51972->22 (09:11:06.719 PST) 208.11.174.145 (09:11:07.940 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 38338->22 (09:11:07.940 PST) 208.0.51.30 (09:11:07.266 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 56702->22 (09:11:07.266 PST) 208.11.220.121 (09:11:06.263 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 40116->22 (09:11:06.263 PST) ATTACK PREP PEER COORDINATION DECLARE BOT tcpslice 1257181865.732 1257181865.733 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.151' ============================== SEPARATOR ================================ Infected Target: 192.168.1.151 Score: 0.8 (>= 0.8) Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 11/02/2009 09:11:05.732 PST Gen. 
Time: 11/02/2009 09:15:05.743 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) 208.11.191.56 (09:14:58.011 PST) event=777:7777005 {tcp} E5[bh] Detected intense non-malware port scanning of 30 IPs (20 /24s) (# pkts S/M/O/I=0/0/65535/0): 22:65535, [] MAC_Src: 00:0E:39:E0:94:00 0->0 (09:14:58.011 PST) 208.1.0.6 (09:11:58.006 PST) event=777:7777005 {tcp} E5[bh] Detected intense non-malware port scanning of 30 IPs (20 /24s) (# pkts S/M/O/I=0/0/31715/0): 22:31715, [] MAC_Src: 00:0E:39:E0:94:00 0->0 (09:11:58.006 PST) 208.1.23.174 (09:13:28.004 PST) event=777:7777005 {tcp} E5[bh] Detected intense non-malware port scanning of 30 IPs (16 /24s) (# pkts S/M/O/I=0/0/56559/0): 22:56559, [] MAC_Src: 00:0E:39:E0:94:00 0->0 (09:13:28.004 PST) OUTBOUND SCAN 208.11.77.220 (09:11:07.788 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 33649->22 (09:11:07.788 PST) 208.11.220.165 (09:11:05.966 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 33700->22 (09:11:05.966 PST) 208.11.220.95 (09:11:06.570 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 54798->22 (09:11:06.570 PST) 208.11.77.225 (09:11:06.498 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 37063->22 (09:11:06.498 PST) 208.11.220.41 (09:11:05.848 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 44215->22 (09:11:05.848 PST) 208.7.141.145 (09:11:07.434 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 54766->22 (09:11:07.434 PST) 208.11.220.10 (09:11:05.938 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 
50094->22 (09:11:05.938 PST)
208.11.220.155 (09:11:06.029 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 37993->22 (09:11:06.029 PST)
208.10.54.179 (09:11:06.127 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 47687->22 (09:11:06.127 PST)
208.10.6.131 (09:11:06.987 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 35543->22 (09:11:06.987 PST)
208.11.220.231 (09:11:07.585 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 49751->22 (09:11:07.585 PST)
208.1.90.113 (09:11:05.732 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 35274->22 (09:11:05.732 PST)
208.11.220.85 (09:11:06.832 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 60811->22 (09:11:06.832 PST)
208.1.104.193 (09:11:06.719 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 51972->22 (09:11:06.719 PST)
208.11.174.145 (09:11:07.940 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 38338->22 (09:11:07.940 PST)
208.0.51.30 (09:11:07.266 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 56702->22 (09:11:07.266 PST)
208.11.220.121 (09:11:06.263 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 40116->22 (09:11:06.263 PST)
ATTACK PREP
PEER COORDINATION
DECLARE BOT
tcpslice 1257181865.732 1257181865.733 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.151'
============================== SEPARATOR ================================

Infected Target: 192.168.1.151
Score: 0.8 (>= 0.8)
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 11/02/2009 09:15:05.813 PST
Gen. Time: 11/02/2009 09:16:28.002 PST

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
208.8.51.189 (09:16:28.002 PST) event=777:7777005 {tcp} E5[bh] Detected intense non-malware port scanning of 30 IPs (13 /24s) (# pkts S/M/O/I=0/0/65535/0): 22:65535, [] MAC_Src: 00:0E:39:E0:94:00 0->0 (09:16:28.002 PST)
OUTBOUND SCAN
208.9.56.209 (09:15:06.839 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 49751->22 (09:15:06.839 PST)
208.0.52.18 (09:15:07.312 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 50418->22 (09:15:07.312 PST)
208.11.220.212 (09:15:07.233 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 43511->22 (09:15:07.233 PST)
208.11.179.59 (09:15:05.813 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 33852->22 (09:15:05.813 PST)
208.2.87.155 (09:15:07.463 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 43336->22 (09:15:07.463 PST)
208.11.220.12 (09:15:07.554 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 51433->22 (09:15:07.554 PST)
208.4.181.146 (09:15:06.696 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 47186->22 (09:15:06.696 PST)
208.8.51.70 (09:15:07.192 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 50008->22 (09:15:07.192 PST)
208.10.62.249 (09:15:06.104 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 47952->22 (09:15:06.104 PST)
208.9.56.214 (09:15:06.036 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 41457->22 (09:15:06.036 PST)
208.10.54.179 (09:15:06.599 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 34879->22 (09:15:06.599 PST)
208.11.220.9 (09:15:07.404 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 46822->22 (09:15:07.404 PST)
208.0.204.41 (09:15:06.279 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 54680->22 (09:15:06.279 PST)
208.6.232.33 (09:15:06.427 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 38272->22 (09:15:06.427 PST)
208.11.118.121 (09:15:07.058 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 53076->22 (09:15:07.058 PST)
208.11.126.227 (09:15:05.945 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 57687->22 (09:15:05.945 PST)
208.10.54.122 (09:15:06.929 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 51972->22 (09:15:06.929 PST)
ATTACK PREP
PEER COORDINATION
DECLARE BOT
tcpslice 1257182105.813 1257182105.814 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.151'
============================== SEPARATOR ================================

Infected Target: 192.168.1.151
Score: 0.8 (>= 0.8)
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 11/02/2009 09:15:05.813 PST
Gen. Time: 11/02/2009 09:19:05.818 PST

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
208.5.100.23 (09:17:58.000 PST) event=777:7777005 {tcp} E5[bh] Detected intense non-malware port scanning of 30 IPs (20 /24s) (# pkts S/M/O/I=0/0/65535/0): 22:65535, [] MAC_Src: 00:0E:39:E0:94:00 0->0 (09:17:58.000 PST)
208.8.51.189 (09:16:28.002 PST) event=777:7777005 {tcp} E5[bh] Detected intense non-malware port scanning of 30 IPs (13 /24s) (# pkts S/M/O/I=0/0/65535/0): 22:65535, [] MAC_Src: 00:0E:39:E0:94:00 0->0 (09:16:28.002 PST)
OUTBOUND SCAN
208.9.56.209 (09:15:06.839 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 49751->22 (09:15:06.839 PST)
208.0.52.18 (09:15:07.312 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 50418->22 (09:15:07.312 PST)
208.11.220.212 (09:15:07.233 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 43511->22 (09:15:07.233 PST)
208.11.179.59 (09:15:05.813 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 33852->22 (09:15:05.813 PST)
208.2.87.155 (09:15:07.463 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 43336->22 (09:15:07.463 PST)
208.11.220.12 (09:15:07.554 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 51433->22 (09:15:07.554 PST)
208.4.181.146 (09:15:06.696 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 47186->22 (09:15:06.696 PST)
208.8.51.70 (09:15:07.192 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 50008->22 (09:15:07.192 PST)
208.10.62.249 (09:15:06.104 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 47952->22 (09:15:06.104 PST)
208.9.56.214 (09:15:06.036 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 41457->22 (09:15:06.036 PST)
208.10.54.179 (09:15:06.599 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 34879->22 (09:15:06.599 PST)
208.11.220.9 (09:15:07.404 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 46822->22 (09:15:07.404 PST)
208.0.204.41 (09:15:06.279 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 54680->22 (09:15:06.279 PST)
208.6.232.33 (09:15:06.427 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 38272->22 (09:15:06.427 PST)
208.11.118.121 (09:15:07.058 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 53076->22 (09:15:07.058 PST)
208.11.126.227 (09:15:05.945 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 57687->22 (09:15:05.945 PST)
208.10.54.122 (09:15:06.929 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 51972->22 (09:15:06.929 PST)
ATTACK PREP
PEER COORDINATION
DECLARE BOT
tcpslice 1257182105.813 1257182105.814 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.151'
============================== SEPARATOR ================================

Infected Target: 192.168.1.151
Score: 0.8 (>= 0.8)
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 11/02/2009 09:19:05.880 PST
Gen. Time: 11/02/2009 09:19:28.004 PST

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
208.1.0.156 (09:19:28.004 PST) event=777:7777005 {tcp} E5[bh] Detected intense non-malware port scanning of 30 IPs (19 /24s) (# pkts S/M/O/I=0/0/65535/0): 22:65535, 6667:4, [] MAC_Src: 00:0E:39:E0:94:00 0->0 (09:19:28.004 PST)
OUTBOUND SCAN
208.8.61.19 (09:19:07.254 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 38018->22 (09:19:07.254 PST)
208.11.220.212 (09:19:07.005 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 56799->22 (09:19:07.005 PST)
208.10.207.152 (09:19:07.759 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 36609->22 (09:19:07.759 PST)
208.10.62.249 (3) (09:19:05.880 PST) event=1:2001219 (3) {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 50245->22 (09:19:05.880 PST) 50324->22 (09:19:06.804 PST) 50374->22 (09:19:07.657 PST)
208.10.6.133 (09:19:06.380 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 53949->22 (09:19:06.380 PST)
208.11.220.233 (09:19:06.105 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 42642->22 (09:19:06.105 PST)
208.2.204.193 (09:19:07.381 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 55091->22 (09:19:07.381 PST)
208.4.187.19 (2) (09:19:06.186 PST) event=1:2001219 (2) {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 36341->22 (09:19:06.186 PST) 36481->22 (09:19:07.958 PST)
208.11.220.55 (09:19:07.871 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 54945->22 (09:19:07.871 PST)
208.2.210.104 (09:19:06.484 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 41576->22 (09:19:06.484 PST)
208.0.204.40 (09:19:07.181 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 55237->22 (09:19:07.181 PST)
208.11.220.245 (09:19:06.705 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 47266->22 (09:19:06.705 PST)
208.11.220.14 (09:19:06.722 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 35889->22 (09:19:06.722 PST)
208.11.220.244 (09:19:06.556 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 57383->22 (09:19:06.556 PST)
ATTACK PREP
PEER COORDINATION
DECLARE BOT
tcpslice 1257182345.880 1257182345.881 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.151'
============================== SEPARATOR ================================

Infected Target: 192.168.1.151
Score: 0.8 (>= 0.8)
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 11/02/2009 09:19:05.880 PST
Gen. Time: 11/02/2009 09:23:05.925 PST

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
208.1.104.193 (09:20:58.000 PST) event=777:7777005 {tcp} E5[bh] Detected intense non-malware port scanning of 30 IPs (19 /24s) (# pkts S/M/O/I=0/0/65535/0): 22:65535, 6667:8, [] MAC_Src: 00:0E:39:E0:94:00 0->0 (09:20:58.000 PST)
208.1.0.156 (09:19:28.004 PST) event=777:7777005 {tcp} E5[bh] Detected intense non-malware port scanning of 30 IPs (19 /24s) (# pkts S/M/O/I=0/0/65535/0): 22:65535, 6667:4, [] MAC_Src: 00:0E:39:E0:94:00 0->0 (09:19:28.004 PST)
208.11.220.238 (09:22:28.003 PST) event=777:7777005 {tcp} E5[bh] Detected intense non-malware port scanning of 30 IPs (22 /24s) (# pkts S/M/O/I=0/0/65535/0): 22:65535, 6667:10, [] MAC_Src: 00:0E:39:E0:94:00 0->0 (09:22:28.003 PST)
OUTBOUND SCAN
208.8.61.19 (09:19:07.254 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 38018->22 (09:19:07.254 PST)
208.11.220.212 (09:19:07.005 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 56799->22 (09:19:07.005 PST)
208.10.207.152 (09:19:07.759 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 36609->22 (09:19:07.759 PST)
208.10.62.249 (3) (09:19:05.880 PST) event=1:2001219 (3) {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 50245->22 (09:19:05.880 PST) 50324->22 (09:19:06.804 PST) 50374->22 (09:19:07.657 PST)
208.10.6.133 (09:19:06.380 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 53949->22 (09:19:06.380 PST)
208.11.220.233 (09:19:06.105 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 42642->22 (09:19:06.105 PST)
208.2.204.193 (09:19:07.381 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 55091->22 (09:19:07.381 PST)
208.4.187.19 (2) (09:19:06.186 PST) event=1:2001219 (2) {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 36341->22 (09:19:06.186 PST) 36481->22 (09:19:07.958 PST)
208.11.220.55 (09:19:07.871 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 54945->22 (09:19:07.871 PST)
208.2.210.104 (09:19:06.484 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 41576->22 (09:19:06.484 PST)
208.0.204.40 (09:19:07.181 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 55237->22 (09:19:07.181 PST)
208.11.220.245 (09:19:06.705 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 47266->22 (09:19:06.705 PST)
208.11.220.14 (09:19:06.722 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 35889->22 (09:19:06.722 PST)
208.11.220.244 (09:19:06.556 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 57383->22 (09:19:06.556 PST)
ATTACK PREP
PEER COORDINATION
DECLARE BOT
tcpslice 1257182345.880 1257182345.881 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.151'
============================== SEPARATOR ================================

Infected Target: 192.168.1.151
Score: 0.8 (>= 0.8)
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 11/02/2009 09:23:06.143 PST
Gen. Time: 11/02/2009 09:23:58.000 PST

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
208.2.153.241 (09:23:58.000 PST) event=777:7777005 {tcp} E5[bh] Detected intense non-malware port scanning of 30 IPs (22 /24s) (# pkts S/M/O/I=0/0/65535/0): 22:65535, 6667:10, [] MAC_Src: 00:0E:39:E0:94:00 0->0 (09:23:58.000 PST)
OUTBOUND SCAN
208.8.61.19 (09:23:06.348 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 43219->22 (09:23:06.348 PST)
208.11.220.13 (09:23:07.215 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 60984->22 (09:23:07.215 PST)
208.2.153.241 (09:23:07.896 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 55234->22 (09:23:07.896 PST)
208.8.82.1 (09:23:06.505 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 40748->22 (09:23:06.505 PST)
208.1.0.156 (09:23:06.806 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 39101->22 (09:23:06.806 PST)
208.10.62.249 (09:23:07.732 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 54282->22 (09:23:07.732 PST)
208.11.220.180 (09:23:07.448 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 49880->22 (09:23:07.448 PST)
208.11.220.241 (09:23:07.939 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 48479->22 (09:23:07.939 PST)
208.2.204.193 (09:23:07.570 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 40629->22 (09:23:07.570 PST)
208.1.23.9 (09:23:06.143 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 49904->22 (09:23:06.143 PST)
208.11.220.102 (09:23:07.045 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 33141->22 (09:23:07.045 PST)
208.11.220.17 (09:23:08.012 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 55019->22 (09:23:08.012 PST)
208.10.54.179 (09:23:06.965 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 49071->22 (09:23:06.965 PST)
208.11.189.71 (09:23:06.633 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 59332->22 (09:23:06.633 PST)
208.1.216.10 (09:23:08.100 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 56377->22 (09:23:08.100 PST)
208.11.126.227 (09:23:07.353 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 46390->22 (09:23:07.353 PST)
208.11.220.98 (09:23:08.150 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 38928->22 (09:23:08.150 PST)
ATTACK PREP
PEER COORDINATION
DECLARE BOT
tcpslice 1257182586.143 1257182586.144 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.151'
============================== SEPARATOR ================================

Infected Target: 192.168.1.151
Score: 0.8 (>= 0.8)
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 11/02/2009 09:23:06.143 PST
Gen. Time: 11/02/2009 09:27:06.148 PST

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
208.8.89.33 (09:25:28.013 PST) event=777:7777005 {tcp} E5[bh] Detected intense non-malware port scanning of 30 IPs (23 /24s) (# pkts S/M/O/I=0/0/65535/0): 22:65535, 6667:14, [] MAC_Src: 00:0E:39:E0:94:00 0->0 (09:25:28.013 PST)
208.2.153.241 (09:23:58.000 PST) event=777:7777005 {tcp} E5[bh] Detected intense non-malware port scanning of 30 IPs (22 /24s) (# pkts S/M/O/I=0/0/65535/0): 22:65535, 6667:10, [] MAC_Src: 00:0E:39:E0:94:00 0->0 (09:23:58.000 PST)
208.1.90.193 (09:26:58.004 PST) event=777:7777005 {tcp} E5[bh] Detected intense non-malware port scanning of 30 IPs (20 /24s) (# pkts S/M/O/I=0/0/65535/0): 22:65535, 6667:14, [] MAC_Src: 00:0E:39:E0:94:00 0->0 (09:26:58.004 PST)
OUTBOUND SCAN
208.8.61.19 (09:23:06.348 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 43219->22 (09:23:06.348 PST)
208.11.220.13 (09:23:07.215 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 60984->22 (09:23:07.215 PST)
208.2.153.241 (09:23:07.896 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 55234->22 (09:23:07.896 PST)
208.8.82.1 (09:23:06.505 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 40748->22 (09:23:06.505 PST)
208.1.0.156 (09:23:06.806 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 39101->22 (09:23:06.806 PST)
208.10.62.249 (09:23:07.732 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 54282->22 (09:23:07.732 PST)
208.11.220.180 (09:23:07.448 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 49880->22 (09:23:07.448 PST)
208.11.220.241 (09:23:07.939 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 48479->22 (09:23:07.939 PST)
208.2.204.193 (09:23:07.570 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 40629->22 (09:23:07.570 PST)
208.1.23.9 (09:23:06.143 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 49904->22 (09:23:06.143 PST)
208.11.220.102 (09:23:07.045 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 33141->22 (09:23:07.045 PST)
208.11.220.17 (09:23:08.012 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 55019->22 (09:23:08.012 PST)
208.10.54.179 (09:23:06.965 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 49071->22 (09:23:06.965 PST)
208.11.189.71 (09:23:06.633 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 59332->22 (09:23:06.633 PST)
208.1.216.10 (09:23:08.100 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 56377->22 (09:23:08.100 PST)
208.11.126.227 (09:23:07.353 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 46390->22 (09:23:07.353 PST)
208.11.220.98 (09:23:08.150 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 38928->22 (09:23:08.150 PST)
ATTACK PREP
PEER COORDINATION
DECLARE BOT
tcpslice 1257182586.143 1257182586.144 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.151'
============================== SEPARATOR ================================

Infected Target: 192.168.1.151
Score: 0.8 (>= 0.8)
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 11/02/2009 09:27:06.280 PST
Gen. Time: 11/02/2009 09:28:28.019 PST

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
208.1.140.175 (09:28:28.019 PST) event=777:7777005 {tcp} E5[bh] Detected intense non-malware port scanning of 30 IPs (13 /24s) (# pkts S/M/O/I=0/0/65535/0): 22:65535, 6667:18, [] MAC_Src: 00:0E:39:E0:94:00 0->0 (09:28:28.019 PST)
OUTBOUND SCAN
208.1.62.186 (09:27:07.509 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 45007->22 (09:27:07.509 PST)
208.11.220.120 (09:27:06.875 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 56336->22 (09:27:06.875 PST)
208.2.153.241 (09:27:07.172 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 59016->22 (09:27:07.172 PST)
208.0.30.83 (09:27:07.257 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 43272->22 (09:27:07.257 PST)
208.11.77.226 (09:27:08.111 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 52428->22 (09:27:08.111 PST)
208.11.220.57 (09:27:07.345 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 49179->22 (09:27:07.345 PST)
208.11.220.95 (09:27:06.441 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 48066->22 (09:27:06.441 PST)
208.2.204.193 (09:27:07.944 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 57748->22 (09:27:07.944 PST)
208.10.197.187 (09:27:06.280 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 45899->22 (09:27:06.280 PST)
208.11.220.17 (09:27:06.970 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 46955->22 (09:27:06.970 PST)
208.1.27.218 (09:27:07.462 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 50998->22 (09:27:07.462 PST)
208.1.90.113 (09:27:07.686 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 48515->22 (09:27:07.686 PST)
208.1.19.226 (09:27:08.184 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 40107->22 (09:27:08.184 PST)
208.0.51.24 (09:27:06.621 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 49068->22 (09:27:06.621 PST)
208.11.220.100 (09:27:08.324 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 58807->22 (09:27:08.324 PST)
208.11.174.145 (09:27:08.244 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 51868->22 (09:27:08.244 PST)
208.7.129.17 (09:27:06.729 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 48072->22 (09:27:06.729 PST)
ATTACK PREP
PEER COORDINATION
DECLARE BOT
tcpslice 1257182826.280 1257182826.281 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.151'
============================== SEPARATOR ================================

Infected Target: 192.168.1.151
Score: 0.8 (>= 0.8)
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 11/02/2009 09:27:06.280 PST
Gen. Time: 11/02/2009 09:31:06.382 PST

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
208.4.208.5 (09:29:58.005 PST) event=777:7777005 {tcp} E5[bh] Detected intense non-malware port scanning of 30 IPs (23 /24s) (# pkts S/M/O/I=0/0/65535/0): 22:65535, 6667:18, [] MAC_Src: 00:0E:39:E0:94:00 0->0 (09:29:58.005 PST)
208.1.140.175 (09:28:28.019 PST) event=777:7777005 {tcp} E5[bh] Detected intense non-malware port scanning of 30 IPs (13 /24s) (# pkts S/M/O/I=0/0/65535/0): 22:65535, 6667:18, [] MAC_Src: 00:0E:39:E0:94:00 0->0 (09:28:28.019 PST)
OUTBOUND SCAN
208.1.62.186 (09:27:07.509 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 45007->22 (09:27:07.509 PST)
208.11.220.120 (09:27:06.875 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 56336->22 (09:27:06.875 PST)
208.2.153.241 (09:27:07.172 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 59016->22 (09:27:07.172 PST)
208.0.30.83 (09:27:07.257 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 43272->22 (09:27:07.257 PST)
208.11.77.226 (09:27:08.111 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 52428->22 (09:27:08.111 PST)
208.11.220.57 (09:27:07.345 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 49179->22 (09:27:07.345 PST)
208.11.220.95 (09:27:06.441 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 48066->22 (09:27:06.441 PST)
208.2.204.193 (09:27:07.944 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 57748->22 (09:27:07.944 PST)
208.10.197.187 (09:27:06.280 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 45899->22 (09:27:06.280 PST)
208.11.220.17 (09:27:06.970 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 46955->22 (09:27:06.970 PST)
208.1.27.218 (09:27:07.462 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 50998->22 (09:27:07.462 PST)
208.1.90.113 (09:27:07.686 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 48515->22 (09:27:07.686 PST)
208.1.19.226 (09:27:08.184 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 40107->22 (09:27:08.184 PST)
208.0.51.24 (09:27:06.621 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 49068->22 (09:27:06.621 PST)
208.11.220.100 (09:27:08.324 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 58807->22 (09:27:08.324 PST)
208.11.174.145 (09:27:08.244 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 51868->22 (09:27:08.244 PST)
208.7.129.17 (09:27:06.729 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 48072->22 (09:27:06.729 PST)
ATTACK PREP
PEER COORDINATION
DECLARE BOT
tcpslice 1257182826.280 1257182826.281 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.151'
============================== SEPARATOR ================================

Infected Target: 192.168.1.151
Score: 0.8 (>= 0.8)
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 11/02/2009 09:31:06.496 PST
Gen. Time: 11/02/2009 09:31:28.014 PST

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
208.1.140.175 (09:31:28.014 PST) event=777:7777005 {tcp} E5[bh] Detected intense non-malware port scanning of 30 IPs (23 /24s) (# pkts S/M/O/I=0/0/65535/0): 22:65535, 6667:18, [] MAC_Src: 00:0E:39:E0:94:00 0->0 (09:31:28.014 PST)
OUTBOUND SCAN
208.11.220.59 (09:31:08.218 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 33825->22 (09:31:08.218 PST)
208.10.62.249 (2) (09:31:06.929 PST) event=1:2001219 (2) {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 39275->22 (09:31:06.929 PST) 39295->22 (09:31:07.260 PST)
208.11.220.26 (09:31:06.746 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 41727->22 (09:31:06.746 PST)
208.5.55.161 (09:31:07.579 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 35446->22 (09:31:07.579 PST)
208.11.0.34 (09:31:08.619 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 39365->22 (09:31:08.619 PST)
208.2.204.193 (09:31:07.793 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 43629->22 (09:31:07.793 PST)
208.11.146.209 (09:31:06.665 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 41123->22 (09:31:06.665 PST)
208.11.220.101 (09:31:07.929 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 55790->22 (09:31:07.929 PST)
208.6.232.33 (09:31:08.069 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 35537->22 (09:31:08.069 PST)
208.0.51.24 (09:31:06.496 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 34949->22 (09:31:06.496 PST)
208.1.0.6 (09:31:07.721 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 38673->22 (09:31:07.721 PST)
208.10.23.17 (09:31:07.478 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 36889->22 (09:31:07.478 PST)
208.1.39.226 (09:31:07.992 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 41623->22 (09:31:07.992 PST)
208.11.220.214 (09:31:07.058 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 46468->22 (09:31:07.058 PST)
208.11.220.244 (09:31:08.469 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 38660->22 (09:31:08.469 PST)
208.1.140.175 (09:31:06.819 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 51251->22 (09:31:06.819 PST)
ATTACK PREP
PEER COORDINATION
DECLARE BOT
tcpslice 1257183066.496 1257183066.497 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.151'
============================== SEPARATOR ================================

Infected Target: 192.168.1.151
Score: 0.8 (>= 0.8)
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 11/02/2009 09:31:06.496 PST
Gen. Time: 11/02/2009 09:35:06.600 PST

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
208.11.220.247 (09:34:28.004 PST) event=777:7777005 {tcp} E5[bh] Detected intense non-malware port scanning of 30 IPs (14 /24s) (# pkts S/M/O/I=0/0/65535/0): 22:65535, 6667:22, [] MAC_Src: 00:0E:39:E0:94:00 0->0 (09:34:28.004 PST)
208.4.187.231 (09:32:58.003 PST) event=777:7777005 {tcp} E5[bh] Detected intense non-malware port scanning of 30 IPs (13 /24s) (# pkts S/M/O/I=0/0/65535/0): 22:65535, 6667:18, [] MAC_Src: 00:0E:39:E0:94:00 0->0 (09:32:58.003 PST)
208.1.140.175 (09:31:28.014 PST) event=777:7777005 {tcp} E5[bh] Detected intense non-malware port scanning of 30 IPs (23 /24s) (# pkts S/M/O/I=0/0/65535/0): 22:65535, 6667:18, [] MAC_Src: 00:0E:39:E0:94:00 0->0 (09:31:28.014 PST)
OUTBOUND SCAN
208.11.220.59 (09:31:08.218 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 33825->22 (09:31:08.218 PST)
208.10.62.249 (2) (09:31:06.929 PST) event=1:2001219 (2) {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 39275->22 (09:31:06.929 PST) 39295->22 (09:31:07.260 PST)
208.11.220.26 (09:31:06.746 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 41727->22 (09:31:06.746 PST)
208.5.55.161 (09:31:07.579 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 35446->22 (09:31:07.579 PST)
208.11.0.34 (09:31:08.619 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 39365->22 (09:31:08.619 PST)
208.2.204.193 (09:31:07.793 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 43629->22 (09:31:07.793 PST)
208.11.146.209 (09:31:06.665 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 41123->22 (09:31:06.665 PST)
208.11.220.101 (09:31:07.929 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 55790->22 (09:31:07.929 PST)
208.6.232.33 (09:31:08.069 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 35537->22 (09:31:08.069 PST)
208.0.51.24 (09:31:06.496 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 34949->22 (09:31:06.496 PST)
208.1.0.6 (09:31:07.721 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 38673->22 (09:31:07.721 PST)
208.10.23.17 (09:31:07.478 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 36889->22 (09:31:07.478 PST)
208.1.39.226 (09:31:07.992 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 41623->22 (09:31:07.992 PST)
208.11.220.214 (09:31:07.058 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 46468->22 (09:31:07.058 PST)
208.11.220.244 (09:31:08.469 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 38660->22 (09:31:08.469 PST)
208.1.140.175 (09:31:06.819 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 51251->22 (09:31:06.819 PST)
ATTACK PREP
PEER COORDINATION
DECLARE BOT
tcpslice 1257183066.496 1257183066.497 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.151'
============================== SEPARATOR ================================

Infected Target: 192.168.1.151
Score: 0.8 (>= 0.8)
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 11/02/2009 09:35:07.029 PST Gen.
Time: 11/02/2009 09:35:58.003 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) 208.11.220.97 (09:35:58.003 PST) event=777:7777005 {tcp} E5[bh] Detected intense non-malware port scanning of 30 IPs (18 /24s) (# pkts S/M/O/I=0/0/65535/0): 22:65535, 6667:26, [] MAC_Src: 00:0E:39:E0:94:00 0->0 (09:35:58.003 PST) OUTBOUND SCAN 208.8.61.19 (09:35:08.560 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 50383->22 (09:35:08.560 PST) 208.11.5.6 (09:35:09.588 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 54894->22 (09:35:09.588 PST) 208.11.220.96 (09:35:07.706 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 46529->22 (09:35:07.706 PST) 208.11.220.180 (09:35:07.029 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 49267->22 (09:35:07.029 PST) 208.5.55.161 (09:35:08.754 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 42737->22 (09:35:08.754 PST) 208.11.220.26 (09:35:07.470 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 50386->22 (09:35:07.470 PST) 208.2.204.193 (09:35:10.252 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 43149->22 (09:35:10.252 PST) 208.1.216.212 (09:35:08.185 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 48986->22 (09:35:08.185 PST) 208.11.220.248 (09:35:08.204 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 45589->22 (09:35:08.204 PST) 208.11.220.155 (09:35:11.011 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential 
SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 38798->22 (09:35:11.011 PST) 208.6.232.33 (09:35:09.004 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 42303->22 (09:35:09.004 PST) 208.11.76.163 (09:35:10.620 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 35144->22 (09:35:10.620 PST) 208.11.220.7 (09:35:08.412 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 58142->22 (09:35:08.412 PST) 208.11.220.45 (09:35:09.426 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 58552->22 (09:35:09.426 PST) 208.9.192.177 (09:35:09.984 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 39086->22 (09:35:09.984 PST) 208.11.220.236 (09:35:09.220 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 34014->22 (09:35:09.220 PST) 208.1.140.175 (09:35:07.955 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 47692->22 (09:35:07.955 PST) ATTACK PREP PEER COORDINATION DECLARE BOT tcpslice 1257183307.029 1257183307.030 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.151' ============================== SEPARATOR ================================ Infected Target: 192.168.1.151 Score: 0.8 (>= 0.8) Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 11/02/2009 09:35:07.029 PST Gen. 
Time: 11/02/2009 09:39:07.094 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) 208.6.232.33 (09:38:58.002 PST) event=777:7777005 {tcp} E5[bh] Detected intense non-malware port scanning of 30 IPs (19 /24s) (# pkts S/M/O/I=0/0/65535/0): 22:65535, 6667:30, [] MAC_Src: 00:0E:39:E0:94:00 0->0 (09:38:58.002 PST) 208.11.146.209 (09:37:28.002 PST) event=777:7777005 {tcp} E5[bh] Detected intense non-malware port scanning of 30 IPs (16 /24s) (# pkts S/M/O/I=0/0/65535/0): 22:65535, 6667:26, [] MAC_Src: 00:0E:39:E0:94:00 0->0 (09:37:28.002 PST) 208.11.220.97 (09:35:58.003 PST) event=777:7777005 {tcp} E5[bh] Detected intense non-malware port scanning of 30 IPs (18 /24s) (# pkts S/M/O/I=0/0/65535/0): 22:65535, 6667:26, [] MAC_Src: 00:0E:39:E0:94:00 0->0 (09:35:58.003 PST) OUTBOUND SCAN 208.8.61.19 (09:35:08.560 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 50383->22 (09:35:08.560 PST) 208.11.5.6 (09:35:09.588 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 54894->22 (09:35:09.588 PST) 208.11.220.96 (09:35:07.706 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 46529->22 (09:35:07.706 PST) 208.11.220.180 (09:35:07.029 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 49267->22 (09:35:07.029 PST) 208.5.55.161 (09:35:08.754 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 42737->22 (09:35:08.754 PST) 208.11.220.26 (09:35:07.470 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 50386->22 (09:35:07.470 PST) 208.2.204.193 (09:35:10.252 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 
00:A0:8E:BB:59:15 43149->22 (09:35:10.252 PST) 208.1.216.212 (09:35:08.185 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 48986->22 (09:35:08.185 PST) 208.11.220.248 (09:35:08.204 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 45589->22 (09:35:08.204 PST) 208.11.220.155 (09:35:11.011 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 38798->22 (09:35:11.011 PST) 208.6.232.33 (09:35:09.004 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 42303->22 (09:35:09.004 PST) 208.11.76.163 (09:35:10.620 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 35144->22 (09:35:10.620 PST) 208.11.220.7 (09:35:08.412 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 58142->22 (09:35:08.412 PST) 208.11.220.45 (09:35:09.426 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 58552->22 (09:35:09.426 PST) 208.9.192.177 (09:35:09.984 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 39086->22 (09:35:09.984 PST) 208.11.220.236 (09:35:09.220 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 34014->22 (09:35:09.220 PST) 208.1.140.175 (09:35:07.955 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 47692->22 (09:35:07.955 PST) ATTACK PREP PEER COORDINATION DECLARE BOT tcpslice 1257183307.029 1257183307.030 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.151' ============================== SEPARATOR ================================ Infected Target: 192.168.1.151 Score: 0.8 (>= 0.8) Infector List: Egg Source 
List: C & C List: Peer Coord. List: Resource List: Observed Start: 11/02/2009 09:39:07.301 PST Gen. Time: 11/02/2009 09:40:28.000 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) 208.9.203.129 (09:40:28.000 PST) event=777:7777005 {tcp} E5[bh] Detected intense non-malware port scanning of 30 IPs (17 /24s) (# pkts S/M/O/I=0/0/65535/0): 22:65535, 6667:30, [] MAC_Src: 00:0E:39:E0:94:00 0->0 (09:40:28.000 PST) OUTBOUND SCAN 208.11.220.212 (09:39:09.023 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 47548->22 (09:39:09.023 PST) 208.11.220.242 (09:39:07.625 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 34778->22 (09:39:07.625 PST) 208.10.207.152 (2) (09:39:07.301 PST) event=1:2001219 (2) {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 53160->22 (09:39:07.301 PST) 53260->22 (09:39:09.380 PST) 208.2.86.81 (09:39:08.443 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 46065->22 (09:39:08.443 PST) 208.11.220.96 (09:39:07.552 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 58106->22 (09:39:07.552 PST) 208.11.179.58 (09:39:07.913 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 44145->22 (09:39:07.913 PST) 208.11.220.241 (09:39:10.499 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 55551->22 (09:39:10.499 PST) 208.11.220.101 (09:39:09.162 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 34801->22 (09:39:09.162 PST) 208.1.104.193 (09:39:10.140 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 
secs), [] MAC_Src: 00:0E:39:E0:94:00 57853->22 (09:39:10.140 PST) 208.11.220.31 (09:39:08.244 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 45519->22 (09:39:08.244 PST) 208.10.23.17 (09:39:09.909 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 49103->22 (09:39:09.909 PST) 208.11.174.145 (09:39:10.372 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 48389->22 (09:39:10.372 PST) 208.11.220.7 (09:39:09.544 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 46749->22 (09:39:09.544 PST) 208.11.77.221 (09:39:07.758 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 39062->22 (09:39:07.758 PST) 208.11.220.160 (09:39:08.817 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 43097->22 (09:39:08.817 PST) 208.11.76.162 (09:39:09.705 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 32939->22 (09:39:09.705 PST) ATTACK PREP PEER COORDINATION DECLARE BOT tcpslice 1257183547.301 1257183547.302 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.151' ============================== SEPARATOR ================================ Infected Target: 192.168.1.151 Score: 0.8 (>= 0.8) Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 11/02/2009 09:39:07.301 PST Gen. 
Time: 11/02/2009 09:43:07.343 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) 208.11.220.149 (09:41:58.008 PST) event=777:7777005 {tcp} E5[bh] Detected intense non-malware port scanning of 30 IPs (14 /24s) (# pkts S/M/O/I=0/0/65535/0): 22:65535, 6667:30, [] MAC_Src: 00:0E:39:E0:94:00 0->0 (09:41:58.008 PST) 208.9.203.129 (09:40:28.000 PST) event=777:7777005 {tcp} E5[bh] Detected intense non-malware port scanning of 30 IPs (17 /24s) (# pkts S/M/O/I=0/0/65535/0): 22:65535, 6667:30, [] MAC_Src: 00:0E:39:E0:94:00 0->0 (09:40:28.000 PST) OUTBOUND SCAN 208.11.220.212 (09:39:09.023 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 47548->22 (09:39:09.023 PST) 208.11.220.242 (09:39:07.625 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 34778->22 (09:39:07.625 PST) 208.10.207.152 (2) (09:39:07.301 PST) event=1:2001219 (2) {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 53160->22 (09:39:07.301 PST) 53260->22 (09:39:09.380 PST) 208.2.86.81 (09:39:08.443 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 46065->22 (09:39:08.443 PST) 208.11.220.96 (09:39:07.552 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 58106->22 (09:39:07.552 PST) 208.11.179.58 (09:39:07.913 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 44145->22 (09:39:07.913 PST) 208.11.220.241 (09:39:10.499 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 55551->22 (09:39:10.499 PST) 208.11.220.101 (09:39:09.162 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 
34801->22 (09:39:09.162 PST) 208.1.104.193 (09:39:10.140 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 57853->22 (09:39:10.140 PST) 208.11.220.31 (09:39:08.244 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 45519->22 (09:39:08.244 PST) 208.10.23.17 (09:39:09.909 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 49103->22 (09:39:09.909 PST) 208.11.174.145 (09:39:10.372 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 48389->22 (09:39:10.372 PST) 208.11.220.7 (09:39:09.544 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 46749->22 (09:39:09.544 PST) 208.11.77.221 (09:39:07.758 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 39062->22 (09:39:07.758 PST) 208.11.220.160 (09:39:08.817 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 43097->22 (09:39:08.817 PST) 208.11.76.162 (09:39:09.705 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 32939->22 (09:39:09.705 PST) ATTACK PREP PEER COORDINATION DECLARE BOT tcpslice 1257183547.301 1257183547.302 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.151' ============================== SEPARATOR ================================ Infected Target: 192.168.1.151 Score: 0.8 (>= 0.8) Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 11/02/2009 09:43:07.477 PST Gen. 
Time: 11/02/2009 09:43:28.030 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) 208.11.222.128 (09:43:28.030 PST) event=777:7777005 {tcp} E5[bh] Detected intense non-malware port scanning of 30 IPs (15 /24s) (# pkts S/M/O/I=0/0/65535/0): 22:65535, 6667:34, [] MAC_Src: 00:0E:39:E0:94:00 0->0 (09:43:28.030 PST) OUTBOUND SCAN 208.8.61.19 (09:43:08.879 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 38296->22 (09:43:08.879 PST) 208.11.220.13 (09:43:10.776 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 53689->22 (09:43:10.776 PST) 208.11.220.212 (09:43:08.429 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 33486->22 (09:43:08.429 PST) 208.0.110.141 (09:43:07.820 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 41662->22 (09:43:07.820 PST) 208.11.146.209 (09:43:08.085 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 35349->22 (09:43:08.085 PST) 208.11.220.25 (09:43:10.112 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 45318->22 (09:43:10.112 PST) 208.10.54.179 (09:43:07.953 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 48099->22 (09:43:07.953 PST) 208.0.50.66 (09:43:08.747 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 54639->22 (09:43:08.747 PST) 208.6.232.33 (09:43:07.668 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 36612->22 (09:43:07.668 PST) 208.11.220.169 (09:43:08.544 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential 
SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 52342->22 (09:43:08.544 PST) 208.5.100.23 (09:43:09.507 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 36082->22 (09:43:09.507 PST) 208.11.220.245 (09:43:07.595 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 56900->22 (09:43:07.595 PST) 208.11.220.7 (09:43:09.233 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 60015->22 (09:43:09.233 PST) 208.0.51.30 (09:43:09.088 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 38170->22 (09:43:09.088 PST) 208.11.220.121 (09:43:10.493 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 36911->22 (09:43:10.493 PST) 208.11.220.98 (2) (09:43:07.477 PST) event=1:2001219 (2) {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 59027->22 (09:43:07.477 PST) 59173->22 (09:43:09.865 PST) ATTACK PREP PEER COORDINATION DECLARE BOT tcpslice 1257183787.477 1257183787.478 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.151' ============================== SEPARATOR ================================ Infected Target: 192.168.1.151 Score: 0.8 (>= 0.8) Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 11/02/2009 09:43:07.477 PST Gen. 
Time: 11/02/2009 09:47:07.545 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) 208.11.222.128 (09:43:28.030 PST) event=777:7777005 {tcp} E5[bh] Detected intense non-malware port scanning of 30 IPs (15 /24s) (# pkts S/M/O/I=0/0/65535/0): 22:65535, 6667:34, [] MAC_Src: 00:0E:39:E0:94:00 0->0 (09:43:28.030 PST) 208.11.220.16 (09:46:28.003 PST) event=777:7777005 {tcp} E5[bh] Detected intense non-malware port scanning of 30 IPs (9 /24s) (# pkts S/M/O/I=0/0/65535/14): 22:65535, 6667:36, 5197:2, 20618:2, 2304, 63018:2, 57501, [] MAC_Src: 00:0E:39:E0:94:00 0->0 (09:46:28.003 PST) 208.11.220.249 (09:44:58.004 PST) event=777:7777005 {tcp} E5[bh] Detected intense non-malware port scanning of 30 IPs (12 /24s) (# pkts S/M/O/I=0/0/65535/0): 22:65535, 6667:34, [] MAC_Src: 00:0E:39:E0:94:00 0->0 (09:44:58.004 PST) OUTBOUND SCAN 208.8.61.19 (09:43:08.879 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 38296->22 (09:43:08.879 PST) 208.11.220.13 (09:43:10.776 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 53689->22 (09:43:10.776 PST) 208.11.220.212 (09:43:08.429 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 33486->22 (09:43:08.429 PST) 208.0.110.141 (09:43:07.820 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 41662->22 (09:43:07.820 PST) 208.11.146.209 (09:43:08.085 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 35349->22 (09:43:08.085 PST) 208.11.220.25 (09:43:10.112 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 45318->22 (09:43:10.112 PST) 208.10.54.179 (09:43:07.953 PST) event=1:2001219 {tcp} E5[rb] ET SCAN 
Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 48099->22 (09:43:07.953 PST) 208.0.50.66 (09:43:08.747 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 54639->22 (09:43:08.747 PST) 208.6.232.33 (09:43:07.668 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 36612->22 (09:43:07.668 PST) 208.11.220.169 (09:43:08.544 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 52342->22 (09:43:08.544 PST) 208.5.100.23 (09:43:09.507 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 36082->22 (09:43:09.507 PST) 208.11.220.245 (09:43:07.595 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 56900->22 (09:43:07.595 PST) 208.11.220.7 (09:43:09.233 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 60015->22 (09:43:09.233 PST) 208.0.51.30 (09:43:09.088 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 38170->22 (09:43:09.088 PST) 208.11.220.121 (09:43:10.493 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 36911->22 (09:43:10.493 PST) 208.11.220.98 (2) (09:43:07.477 PST) event=1:2001219 (2) {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 59027->22 (09:43:07.477 PST) 59173->22 (09:43:09.865 PST) ATTACK PREP PEER COORDINATION DECLARE BOT tcpslice 1257183787.477 1257183787.478 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.151' ============================== SEPARATOR ================================ Infected Target: 192.168.1.151 Score: 0.8 (>= 0.8) Infector List: Egg Source List: C & C List: Peer Coord. 
List: Resource List: Observed Start: 11/02/2009 09:47:07.815 PST Gen. Time: 11/02/2009 09:47:58.015 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) 208.4.181.12 (09:47:58.015 PST) event=777:7777005 {tcp} E5[bh] Detected intense non-malware port scanning of 30 IPs (15 /24s) (# pkts S/M/O/I=0/0/65535/14): 22:65535, 6667:36, 5197:2, 20618:2, 2304, 63018:2, 57501, [] MAC_Src: 00:0E:39:E0:94:00 0->0 (09:47:58.015 PST) OUTBOUND SCAN 208.12.182.133 (09:47:08.025 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 36647->22 (09:47:08.025 PST) 208.12.182.185 (09:47:08.026 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 37159->22 (09:47:08.026 PST) 208.12.184.186 (09:47:08.023 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 50369->22 (09:47:08.023 PST) 208.12.184.239 (09:47:08.025 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 50992->22 (09:47:08.025 PST) 208.11.220.232 (09:47:07.815 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 33382->22 (09:47:07.815 PST) 208.12.182.152 (09:47:08.025 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 42150->22 (09:47:08.025 PST) 208.12.184.169 (09:47:08.023 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 34372->22 (09:47:08.023 PST) 208.12.185.20 (09:47:08.026 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 52165->22 (09:47:08.026 PST) 208.12.184.161 (09:47:08.024 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 
00:A0:8E:BB:59:15 55720->22 (09:47:08.024 PST)
    208.12.182.113 (09:47:08.024 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 53291->22 (09:47:08.024 PST)
    208.12.185.50 (09:47:08.027 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 34815->22 (09:47:08.027 PST)
    208.12.182.166 (09:47:08.026 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 35796->22 (09:47:08.026 PST)
    208.12.182.97 (09:47:08.023 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 46976->22 (09:47:08.023 PST)
    208.12.184.152 (09:47:08.022 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 49897->22 (09:47:08.022 PST)
    208.12.185.3 (09:47:08.025 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 60204->22 (09:47:08.025 PST)
    208.12.182.119 (09:47:08.025 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 47449->22 (09:47:08.025 PST)
    208.12.184.197 (09:47:08.024 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 40688->22 (09:47:08.024 PST)
ATTACK PREP
PEER COORDINATION
DECLARE BOT
tcpslice 1257184027.815 1257184027.816 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.151'
============================== SEPARATOR ================================
Infected Target: 192.168.1.151
Score: 0.8 (>= 0.8)
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 11/02/2009 09:47:07.815 PST
Gen. Time: 11/02/2009 09:51:07.848 PST
INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
    208.8.89.33 (09:49:28.012 PST) event=777:7777005 {tcp} E5[bh] Detected intense non-malware port scanning of 30 IPs (14 /24s) (# pkts S/M/O/I=0/0/65535/14): 22:65535, 6667:36, 5197:2, 20618:2, 2304, 63018:2, 57501, [] MAC_Src: 00:0E:39:E0:94:00 0->0 (09:49:28.012 PST)
    208.12.107.133 (09:50:58.000 PST) event=777:7777005 {tcp} E5[bh] Detected intense non-malware port scanning of 30 IPs (15 /24s) (# pkts S/M/O/I=0/0/65535/14): 22:65535, 6667:36, 5197:2, 20618:2, 2304, 63018:2, 57501, [] MAC_Src: 00:0E:39:E0:94:00 0->0 (09:50:58.000 PST)
    208.4.181.12 (09:47:58.015 PST) event=777:7777005 {tcp} E5[bh] Detected intense non-malware port scanning of 30 IPs (15 /24s) (# pkts S/M/O/I=0/0/65535/14): 22:65535, 6667:36, 5197:2, 20618:2, 2304, 63018:2, 57501, [] MAC_Src: 00:0E:39:E0:94:00 0->0 (09:47:58.015 PST)
OUTBOUND SCAN
    208.12.182.133 (09:47:08.025 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 36647->22 (09:47:08.025 PST)
    208.12.182.185 (09:47:08.026 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 37159->22 (09:47:08.026 PST)
    208.12.184.186 (09:47:08.023 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 50369->22 (09:47:08.023 PST)
    208.12.184.239 (09:47:08.025 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 50992->22 (09:47:08.025 PST)
    208.11.220.232 (09:47:07.815 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 33382->22 (09:47:07.815 PST)
    208.12.182.152 (09:47:08.025 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 42150->22 (09:47:08.025 PST)
    208.12.184.169 (09:47:08.023 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 34372->22 (09:47:08.023 PST)
    208.12.185.20 (09:47:08.026 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 52165->22 (09:47:08.026 PST)
    208.12.184.161 (09:47:08.024 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 55720->22 (09:47:08.024 PST)
    208.12.182.113 (09:47:08.024 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 53291->22 (09:47:08.024 PST)
    208.12.185.50 (09:47:08.027 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 34815->22 (09:47:08.027 PST)
    208.12.182.166 (09:47:08.026 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 35796->22 (09:47:08.026 PST)
    208.12.182.97 (09:47:08.023 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 46976->22 (09:47:08.023 PST)
    208.12.184.152 (09:47:08.022 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 49897->22 (09:47:08.022 PST)
    208.12.185.3 (09:47:08.025 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 60204->22 (09:47:08.025 PST)
    208.12.182.119 (09:47:08.025 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 47449->22 (09:47:08.025 PST)
    208.12.184.197 (09:47:08.024 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 40688->22 (09:47:08.024 PST)
ATTACK PREP
PEER COORDINATION
DECLARE BOT
tcpslice 1257184027.815 1257184027.816 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.151'
============================== SEPARATOR ================================
Infected Target: 192.168.1.151
Score: 0.8 (>= 0.8)
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 11/02/2009 09:51:07.887 PST
Gen. Time: 11/02/2009 09:52:28.006 PST
INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
    208.11.220.19 (09:52:28.006 PST) event=777:7777005 {tcp} E5[bh] Detected intense non-malware port scanning of 30 IPs (13 /24s) (# pkts S/M/O/I=0/0/65535/14): 22:65535, 6667:40, 5197:2, 20618:2, 2304, 63018:2, 57501, [] MAC_Src: 00:0E:39:E0:94:00 0->0 (09:52:28.006 PST)
OUTBOUND SCAN
    208.13.104.174 (09:51:08.018 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 37592->22 (09:51:08.018 PST)
    208.13.104.204 (09:51:08.019 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 36733->22 (09:51:08.019 PST)
    208.2.86.81 (09:51:07.887 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 50477->22 (09:51:07.887 PST)
    208.13.105.9 (09:51:08.020 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 47573->22 (09:51:08.020 PST)
    208.13.107.171 (09:51:08.012 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 57672->22 (09:51:08.012 PST)
    208.13.104.164 (09:51:08.018 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 50320->22 (09:51:08.018 PST)
    208.13.104.194 (09:51:08.019 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 60586->22 (09:51:08.019 PST)
    208.13.104.232 (09:51:08.020 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 41386->22 (09:51:08.020 PST)
    208.13.104.224 (09:51:08.020 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 42385->22 (09:51:08.020 PST)
    208.13.105.29 (09:51:08.021 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 37930->22 (09:51:08.021 PST)
    208.13.104.254 (09:51:08.020 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 46565->22 (09:51:08.020 PST)
    208.13.104.154 (09:51:08.018 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 37691->22 (09:51:08.018 PST)
    208.13.107.191 (09:51:08.013 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 50616->22 (09:51:08.013 PST)
    208.13.105.20 (09:51:08.021 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 40865->22 (09:51:08.021 PST)
    208.13.104.184 (09:51:08.019 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 36852->22 (09:51:08.019 PST)
    208.13.104.214 (09:51:08.019 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 57952->22 (09:51:08.019 PST)
    208.13.104.244 (09:51:08.020 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 57840->22 (09:51:08.020 PST)
ATTACK PREP
PEER COORDINATION
DECLARE BOT
tcpslice 1257184267.887 1257184267.888 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.151'
============================== SEPARATOR ================================
Infected Target: 192.168.1.151
Score: 0.8 (>= 0.8)
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 11/02/2009 09:51:07.887 PST
Gen. Time: 11/02/2009 09:55:07.945 PST
INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
    208.11.220.19 (09:52:28.006 PST) event=777:7777005 {tcp} E5[bh] Detected intense non-malware port scanning of 30 IPs (13 /24s) (# pkts S/M/O/I=0/0/65535/14): 22:65535, 6667:40, 5197:2, 20618:2, 2304, 63018:2, 57501, [] MAC_Src: 00:0E:39:E0:94:00 0->0 (09:52:28.006 PST)
    208.0.51.33 (09:53:58.000 PST) event=777:7777005 {tcp} E5[bh] Detected intense non-malware port scanning of 30 IPs (13 /24s) (# pkts S/M/O/I=0/0/65535/14): 22:65535, 6667:44, 5197:2, 20618:2, 2304, 63018:2, 57501, [] MAC_Src: 00:0E:39:E0:94:00 0->0 (09:53:58.000 PST)
OUTBOUND SCAN
    208.13.104.174 (09:51:08.018 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 37592->22 (09:51:08.018 PST)
    208.13.104.204 (09:51:08.019 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 36733->22 (09:51:08.019 PST)
    208.2.86.81 (09:51:07.887 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 50477->22 (09:51:07.887 PST)
    208.13.105.9 (09:51:08.020 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 47573->22 (09:51:08.020 PST)
    208.13.107.171 (09:51:08.012 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 57672->22 (09:51:08.012 PST)
    208.13.104.164 (09:51:08.018 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 50320->22 (09:51:08.018 PST)
    208.13.104.194 (09:51:08.019 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 60586->22 (09:51:08.019 PST)
    208.13.104.232 (09:51:08.020 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 41386->22 (09:51:08.020 PST)
    208.13.104.224 (09:51:08.020 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 42385->22 (09:51:08.020 PST)
    208.13.105.29 (09:51:08.021 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 37930->22 (09:51:08.021 PST)
    208.13.104.254 (09:51:08.020 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 46565->22 (09:51:08.020 PST)
    208.13.104.154 (09:51:08.018 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 37691->22 (09:51:08.018 PST)
    208.13.107.191 (09:51:08.013 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 50616->22 (09:51:08.013 PST)
    208.13.105.20 (09:51:08.021 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 40865->22 (09:51:08.021 PST)
    208.13.104.184 (09:51:08.019 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 36852->22 (09:51:08.019 PST)
    208.13.104.214 (09:51:08.019 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 57952->22 (09:51:08.019 PST)
    208.13.104.244 (09:51:08.020 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 57840->22 (09:51:08.020 PST)
ATTACK PREP
PEER COORDINATION
DECLARE BOT
tcpslice 1257184267.887 1257184267.888 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.151'
============================== SEPARATOR ================================
Infected Target: 192.168.1.151
Score: 0.8 (>= 0.8)
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 11/02/2009 09:55:07.967 PST
Gen. Time: 11/02/2009 09:55:28.013 PST
INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
    208.13.140.104 (09:55:28.013 PST) event=777:7777005 {tcp} E5[bh] Detected intense non-malware port scanning of 30 IPs (15 /24s) (# pkts S/M/O/I=0/0/65535/14): 22:65535, 6667:44, 5197:2, 20618:2, 2304, 63018:2, 57501, [] MAC_Src: 00:0E:39:E0:94:00 0->0 (09:55:28.013 PST)
OUTBOUND SCAN
    208.10.207.152 (09:55:08.320 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 50865->22 (09:55:08.320 PST)
    208.13.96.5 (09:55:09.309 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 38943->22 (09:55:09.309 PST)
    208.11.220.95 (09:55:09.425 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 47753->22 (09:55:09.425 PST)
    208.13.140.133 (09:55:09.240 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 56733->22 (09:55:09.240 PST)
    208.11.220.210 (09:55:09.022 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 34787->22 (09:55:09.022 PST)
    208.13.144.90 (09:55:08.119 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 48066->22 (09:55:08.119 PST)
    208.11.220.232 (09:55:08.513 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 33614->22 (09:55:08.513 PST)
    208.13.144.204 (09:55:09.531 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 52207->22 (09:55:09.531 PST)
    208.13.158.39 (09:55:09.347 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 51997->22 (09:55:09.347 PST)
    208.13.143.176 (09:55:07.967 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 49840->22 (09:55:07.967 PST)
    208.13.106.11 (09:55:08.904 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 55127->22 (09:55:08.904 PST)
    208.11.77.230 (09:55:08.694 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 44945->22 (09:55:08.694 PST)
    208.7.173.70 (09:55:08.809 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 54289->22 (09:55:08.809 PST)
    208.1.216.10 (09:55:09.156 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 37284->22 (09:55:09.156 PST)
    208.11.222.147 (09:55:08.211 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 50141->22 (09:55:08.211 PST)
    208.13.144.56 (09:55:09.387 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 48835->22 (09:55:09.387 PST)
    208.13.144.148 (09:55:09.106 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 39464->22 (09:55:09.106 PST)
ATTACK PREP
PEER COORDINATION
DECLARE BOT
tcpslice 1257184507.967 1257184507.968 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.151'
============================== SEPARATOR ================================
Infected Target: 192.168.1.151
Score: 0.8 (>= 0.8)
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 11/02/2009 09:55:07.967 PST
Gen. Time: 11/02/2009 09:59:07.994 PST
INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
    208.14.130.17 (09:58:28.000 PST) event=777:7777005 {tcp} E5[bh] Detected intense non-malware port scanning of 30 IPs (3 /24s) (# pkts S/M/O/I=0/0/65535/14): 22:65535, 6667:52, 5197:2, 20618:2, 2304, 63018:2, 57501, [] MAC_Src: 00:0E:39:E0:94:00 0->0 (09:58:28.000 PST)
    208.13.130.88 (09:56:58.003 PST) event=777:7777005 {tcp} E5[bh] Detected intense non-malware port scanning of 30 IPs (13 /24s) (# pkts S/M/O/I=0/0/65535/14): 22:65535, 6667:48, 5197:2, 20618:2, 2304, 63018:2, 57501, [] MAC_Src: 00:0E:39:E0:94:00 0->0 (09:56:58.003 PST)
    208.13.140.104 (09:55:28.013 PST) event=777:7777005 {tcp} E5[bh] Detected intense non-malware port scanning of 30 IPs (15 /24s) (# pkts S/M/O/I=0/0/65535/14): 22:65535, 6667:44, 5197:2, 20618:2, 2304, 63018:2, 57501, [] MAC_Src: 00:0E:39:E0:94:00 0->0 (09:55:28.013 PST)
OUTBOUND SCAN
    208.10.207.152 (09:55:08.320 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 50865->22 (09:55:08.320 PST)
    208.13.96.5 (09:55:09.309 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 38943->22 (09:55:09.309 PST)
    208.11.220.95 (09:55:09.425 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 47753->22 (09:55:09.425 PST)
    208.13.140.133 (09:55:09.240 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 56733->22 (09:55:09.240 PST)
    208.11.220.210 (09:55:09.022 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 34787->22 (09:55:09.022 PST)
    208.13.144.90 (09:55:08.119 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 48066->22 (09:55:08.119 PST)
    208.11.220.232 (09:55:08.513 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 33614->22 (09:55:08.513 PST)
    208.13.144.204 (09:55:09.531 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 52207->22 (09:55:09.531 PST)
    208.13.158.39 (09:55:09.347 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 51997->22 (09:55:09.347 PST)
    208.13.143.176 (09:55:07.967 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 49840->22 (09:55:07.967 PST)
    208.13.106.11 (09:55:08.904 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 55127->22 (09:55:08.904 PST)
    208.11.77.230 (09:55:08.694 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 44945->22 (09:55:08.694 PST)
    208.7.173.70 (09:55:08.809 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 54289->22 (09:55:08.809 PST)
    208.1.216.10 (09:55:09.156 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 37284->22 (09:55:09.156 PST)
    208.11.222.147 (09:55:08.211 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 50141->22 (09:55:08.211 PST)
    208.13.144.56 (09:55:09.387 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 48835->22 (09:55:09.387 PST)
    208.13.144.148 (09:55:09.106 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 39464->22 (09:55:09.106 PST)
ATTACK PREP
PEER COORDINATION
DECLARE BOT
tcpslice 1257184507.967 1257184507.968 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.151'
============================== SEPARATOR ================================
Infected Target: 192.168.1.151
Score: 0.8 (>= 0.8)
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 11/02/2009 09:59:07.995 PST
Gen. Time: 11/02/2009 09:59:58.001 PST
INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
    208.13.131.86 (09:59:58.001 PST) event=777:7777005 {tcp} E5[bh] Detected intense non-malware port scanning of 30 IPs (15 /24s) (# pkts S/M/O/I=0/0/65535/14): 22:65535, 6667:56, 5197:2, 20618:2, 2304, 63018:2, 57501, [] MAC_Src: 00:0E:39:E0:94:00 0->0 (09:59:58.001 PST)
OUTBOUND SCAN
    208.14.161.147 (09:59:07.997 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 58129->22 (09:59:07.997 PST)
    208.14.158.156 (09:59:07.997 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 49619->22 (09:59:07.997 PST)
    208.14.161.78 (09:59:07.995 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 60280->22 (09:59:07.995 PST)
    208.14.158.217 (09:59:07.999 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 49680->22 (09:59:07.999 PST)
    208.14.161.169 (09:59:07.999 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 40580->22 (09:59:07.999 PST)
    208.14.158.224 (09:59:07.999 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 50221->22 (09:59:07.999 PST)
    208.14.161.69 (09:59:07.998 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 59494->22 (09:59:07.998 PST)
    208.14.158.238 (09:59:07.999 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 38494->22 (09:59:07.999 PST)
    208.14.158.207 (09:59:07.999 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 49425->22 (09:59:07.999 PST)
    208.14.161.129 (09:59:07.996 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 55609->22 (09:59:07.996 PST)
    208.14.158.144 (09:59:07.997 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 47365->22 (09:59:07.997 PST)
    208.14.161.112 (09:59:07.996 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 42964->22 (09:59:07.996 PST)
    208.14.158.197 (09:59:07.998 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 49301->22 (09:59:07.998 PST)
    208.14.161.96 (09:59:07.995 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 53649->22 (09:59:07.995 PST)
    208.14.158.166 (09:59:07.998 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 43119->22 (09:59:07.998 PST)
    208.14.158.173 (09:59:07.998 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 56829->22 (09:59:07.998 PST)
    208.14.158.188 (09:59:07.998 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 32803->22 (09:59:07.998 PST)
ATTACK PREP
PEER COORDINATION
DECLARE BOT
tcpslice 1257184747.995 1257184747.996 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.151'
============================== SEPARATOR ================================
Infected Target: 192.168.1.151
Score: 1.6 (>= 0.8)
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 11/02/2009 09:59:07.995 PST
Gen. Time: 11/02/2009 10:03:07.995 PST
INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
    208.13.131.86 (09:59:58.001 PST) event=777:7777005 {tcp} E5[bh] Detected intense non-malware port scanning of 30 IPs (15 /24s) (# pkts S/M/O/I=0/0/65535/14): 22:65535, 6667:56, 5197:2, 20618:2, 2304, 63018:2, 57501, [] MAC_Src: 00:0E:39:E0:94:00 0->0 (09:59:58.001 PST)
    208.13.144.35 (10:02:58.000 PST) event=777:7777005 {tcp} E5[bh] Detected intense non-malware port scanning of 30 IPs (16 /24s) (# pkts S/M/O/I=0/0/65535/14): 22:65535, 6667:60, 5197:2, 20618:2, 2304, 12827, 63018:2, 57501, [] MAC_Src: 00:0E:39:E0:94:00 0->0 (10:02:58.000 PST)
    208.15.4.127 (10:01:28.000 PST) event=777:7777005 {tcp} E5[bh] Detected intense non-malware port scanning of 30 IPs (2 /24s) (# pkts S/M/O/I=0/0/65535/14): 22:65535, 6667:56, 5197:2, 20618:2, 2304, 63018:2, 57501, [] MAC_Src: 00:0E:39:E0:94:00 0->0 (10:01:28.000 PST)
OUTBOUND SCAN
    208.14.161.147 (09:59:07.997 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 58129->22 (09:59:07.997 PST)
    208.14.158.156 (09:59:07.997 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 49619->22 (09:59:07.997 PST)
    208.14.161.78 (09:59:07.995 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 60280->22 (09:59:07.995 PST)
    208.14.158.217 (09:59:07.999 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 49680->22 (09:59:07.999 PST)
    208.14.161.169 (09:59:07.999 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 40580->22 (09:59:07.999 PST)
    208.14.158.224 (09:59:07.999 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 50221->22 (09:59:07.999 PST)
    208.14.161.69 (09:59:07.998 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 59494->22 (09:59:07.998 PST)
    208.14.158.238 (09:59:07.999 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 38494->22 (09:59:07.999 PST)
    208.14.158.207 (09:59:07.999 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 49425->22 (09:59:07.999 PST)
    208.14.161.129 (09:59:07.996 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 55609->22 (09:59:07.996 PST)
    208.14.158.144 (09:59:07.997 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 47365->22 (09:59:07.997 PST)
    208.14.161.112 (09:59:07.996 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 42964->22 (09:59:07.996 PST)
    208.14.158.197 (09:59:07.998 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 49301->22 (09:59:07.998 PST)
    208.14.161.96 (09:59:07.995 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 53649->22 (09:59:07.995 PST)
    208.14.158.166 (09:59:07.998 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 43119->22 (09:59:07.998 PST)
    208.14.158.173 (09:59:07.998 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 56829->22 (09:59:07.998 PST)
    208.14.158.188 (09:59:07.998 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 32803->22 (09:59:07.998 PST)
ATTACK PREP
PEER COORDINATION
DECLARE BOT
    208.15.20.72 (10:01:47.998 PST) event=1:3810005 {tcp} E8[rb] ET ShadowServer confirmed botnet control server, [] MAC_Src: 00:0E:39:E0:94:00 39787->22 (10:01:47.998 PST)
tcpslice 1257184747.995 1257184747.996 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.151'
============================== SEPARATOR ================================
Infected Target: 192.168.1.151
Score: 0.8 (>= 0.8)
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 11/02/2009 10:03:07.995 PST
Gen. Time: 11/02/2009 10:04:28.000 PST
INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
    208.15.148.159 (10:04:28.000 PST) event=777:7777005 {tcp} E5[bh] Detected intense non-malware port scanning of 30 IPs (3 /24s) (# pkts S/M/O/I=0/0/65535/14): 22:65535, 6667:64, 5197:2, 20618:2, 2304, 12827, 63018:2, 57501, [] MAC_Src: 00:0E:39:E0:94:00 0->0 (10:04:28.000 PST)
OUTBOUND SCAN
    208.15.85.83 (10:03:08.000 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 58999->22 (10:03:08.000 PST)
    208.15.85.228 (10:03:07.995 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 52099->22 (10:03:07.995 PST)
    208.15.85.128 (10:03:08.001 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 51346->22 (10:03:08.001 PST)
    208.15.85.235 (10:03:07.996 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 49253->22 (10:03:07.996 PST)
    208.15.85.250 (10:03:07.999 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 36566->22 (10:03:07.999 PST)
    208.15.86.9 (10:03:08.002 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 58148->22 (10:03:08.002 PST)
    208.15.85.118 (10:03:08.001 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 58587->22 (10:03:08.001 PST)
    208.15.85.64 (10:03:08.000 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 57350->22 (10:03:08.000 PST)
    208.15.85.102 (10:03:08.000 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 39059->22 (10:03:08.000 PST)
    208.15.85.48 (10:03:07.999 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 39657->22 (10:03:07.999 PST)
    208.15.84.250 (10:03:07.998 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 40436->22 (10:03:07.998 PST)
    208.15.85.247 (10:03:07.999 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 52140->22 (10:03:07.999 PST)
    208.15.84.227 (10:03:07.998 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 49673->22 (10:03:07.998 PST)
    208.15.86.29 (10:03:08.005 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 50887->22 (10:03:08.005 PST)
    208.15.85.138 (10:03:08.001 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 57183->22 (10:03:08.001 PST)
    208.15.84.210 (10:03:07.995 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 51953->22 (10:03:07.995 PST)
    208.15.84.240 (10:03:07.998 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 47882->22 (10:03:07.998 PST)
ATTACK PREP
PEER COORDINATION
DECLARE BOT
tcpslice 1257184987.995 1257184987.996 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.151'
============================== SEPARATOR ================================
Infected Target: 192.168.1.151
Score: 0.8 (>= 0.8)
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 11/02/2009 10:03:07.995 PST
Gen. Time: 11/02/2009 10:07:07.995 PST
INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
    208.12.111.5 (10:05:58.002 PST) event=777:7777005 {tcp} E5[bh] Detected intense non-malware port scanning of 30 IPs (14 /24s) (# pkts S/M/O/I=0/0/65535/14): 22:65535, 6667:68, 5197:2, 20618:2, 2304, 12827, 63018:2, 57501, [] MAC_Src: 00:0E:39:E0:94:00 0->0 (10:05:58.002 PST)
    208.15.148.159 (10:04:28.000 PST) event=777:7777005 {tcp} E5[bh] Detected intense non-malware port scanning of 30 IPs (3 /24s) (# pkts S/M/O/I=0/0/65535/14): 22:65535, 6667:64, 5197:2, 20618:2, 2304, 12827, 63018:2, 57501, [] MAC_Src: 00:0E:39:E0:94:00 0->0 (10:04:28.000 PST)
OUTBOUND SCAN
    208.15.85.83 (10:03:08.000 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 58999->22 (10:03:08.000 PST)
    208.15.85.228 (10:03:07.995 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 52099->22 (10:03:07.995 PST)
    208.15.85.128 (10:03:08.001 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 51346->22 (10:03:08.001 PST)
    208.15.85.235 (10:03:07.996 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 49253->22 (10:03:07.996 PST)
    208.15.85.250 (10:03:07.999 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 36566->22 (10:03:07.999 PST)
    208.15.86.9 (10:03:08.002 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 58148->22 (10:03:08.002 PST)
    208.15.85.118 (10:03:08.001 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 58587->22 (10:03:08.001 PST)
    208.15.85.64 (10:03:08.000 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 57350->22 (10:03:08.000 PST)
    208.15.85.102 (10:03:08.000 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 39059->22 (10:03:08.000 PST)
    208.15.85.48 (10:03:07.999 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 39657->22 (10:03:07.999 PST)
    208.15.84.250 (10:03:07.998 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 40436->22 (10:03:07.998 PST)
    208.15.85.247 (10:03:07.999 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 52140->22 (10:03:07.999 PST)
    208.15.84.227 (10:03:07.998 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 49673->22 (10:03:07.998 PST)
    208.15.86.29 (10:03:08.005 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 50887->22 (10:03:08.005 PST)
    208.15.85.138 (10:03:08.001 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 57183->22 (10:03:08.001 PST)
    208.15.84.210 (10:03:07.995 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 51953->22 (10:03:07.995 PST)
    208.15.84.240 (10:03:07.998 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 47882->22 (10:03:07.998 PST)
ATTACK PREP
PEER COORDINATION
DECLARE BOT
tcpslice 1257184987.995 1257184987.996 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.151'
============================== SEPARATOR ================================
Infected Target: 192.168.1.151
Score: 0.8 (>= 0.8)
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 11/02/2009 10:07:07.995 PST
Gen. Time: 11/02/2009 10:07:28.004 PST
INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
    208.13.144.59 (10:07:28.004 PST) event=777:7777005 {icmp} E5[bh] Detected intense non-malware port scanning of 30 IPs (18 /24s) (# pkts S/M/O/I=0/0/65535/14): 22:65535, 6667:68, 5197:2, 20618:2, 2304, 12827, 63018:2, 57501, [] MAC_Src: 00:0E:39:E0:94:00 (10:07:28.004 PST)
OUTBOUND SCAN
    208.16.12.25 (10:07:07.996 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 59031->22 (10:07:07.996 PST)
    208.16.9.194 (10:07:08.045 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 45926->22 (10:07:08.045 PST)
    208.16.12.85 (10:07:07.997 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 35470->22 (10:07:07.997 PST)
    208.16.9.155 (10:07:08.038 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 51878->22 (10:07:08.038 PST)
    208.16.11.240 (10:07:07.996 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 49954->22 (10:07:07.996 PST)
    208.16.9.215 (10:07:08.049 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 56309->22 (10:07:08.049 PST)
    208.16.12.45 (10:07:07.997 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 34640->22 (10:07:07.997 PST)
    208.16.9.253 (10:07:08.056 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 42365->22 (10:07:08.056 PST)
    208.16.12.105 (10:07:07.998 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 41227->22 (10:07:07.998 PST)
    208.16.9.175 (10:07:08.042 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 57707->22 (10:07:08.042 PST)
    208.16.12.5 (10:07:07.996 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 54430->22 (10:07:07.996 PST)
    208.16.10.18 (10:07:08.060 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 40080->22 (10:07:08.060 PST)
    208.16.9.136 (10:07:08.034 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 33543->22 (10:07:08.034 PST)
    208.16.12.65 (10:07:07.997 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 49781->22 (10:07:07.997 PST)
    208.16.9.234 (10:07:08.053 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 55303->22 (10:07:08.053 PST)
    208.16.12.125 (10:07:07.998 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 51475->22 (10:07:07.998 PST)
    208.16.11.220 (10:07:07.995 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 52922->22 (10:07:07.995 PST)
ATTACK PREP
PEER COORDINATION
DECLARE BOT
tcpslice 1257185227.995 1257185227.996 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.151'
============================== SEPARATOR ================================
Infected Target: 192.168.1.151
Score: 1.2 (>= 0.8)
Infector List:
Egg Source List:
C & C List: 208.16.109.62
Peer Coord. List:
Resource List:
Observed Start: 11/02/2009 10:07:07.995 PST
Gen.
Time: 11/02/2009 10:11:07.996 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) 208.16.109.62 (10:09:07.974 PST) event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:0E:39:E0:94:00 43743->22 (10:09:07.974 PST) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) 208.13.144.59 (3) (10:07:28.004 PST) event=777:7777005 (3) {icmp} E5[bh] Detected intense non-malware port scanning of 30 IPs (18 /24s) (# pkts S/M/O/I=0/0/65535/14): 22:65535, 6667:68, 5197:2, 20618:2, 2304, 12827, 63018:2, 57501, [] MAC_Src: 00:0E:39:E0:94:00 (10:07:28.004 PST) 0->0 (10:08:58.000 PST) 0->0 (10:10:28.000 PST) OUTBOUND SCAN 208.16.12.25 (10:07:07.996 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 59031->22 (10:07:07.996 PST) 208.16.9.194 (10:07:08.045 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 45926->22 (10:07:08.045 PST) 208.16.12.85 (10:07:07.997 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 35470->22 (10:07:07.997 PST) 208.16.9.155 (10:07:08.038 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 51878->22 (10:07:08.038 PST) 208.16.11.240 (10:07:07.996 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 49954->22 (10:07:07.996 PST) 208.16.9.215 (10:07:08.049 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 56309->22 (10:07:08.049 PST) 208.16.12.45 (10:07:07.997 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 34640->22 (10:07:07.997 PST) 208.16.9.253 (10:07:08.056 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 
42365->22 (10:07:08.056 PST) 208.16.12.105 (10:07:07.998 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 41227->22 (10:07:07.998 PST) 208.16.9.175 (10:07:08.042 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 57707->22 (10:07:08.042 PST) 208.16.12.5 (10:07:07.996 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 54430->22 (10:07:07.996 PST) 208.16.10.18 (10:07:08.060 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 40080->22 (10:07:08.060 PST) 208.16.9.136 (10:07:08.034 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 33543->22 (10:07:08.034 PST) 208.16.12.65 (10:07:07.997 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 49781->22 (10:07:07.997 PST) 208.16.9.234 (10:07:08.053 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 55303->22 (10:07:08.053 PST) 208.16.12.125 (10:07:07.998 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 51475->22 (10:07:07.998 PST) 208.16.11.220 (10:07:07.995 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 52922->22 (10:07:07.995 PST) ATTACK PREP PEER COORDINATION DECLARE BOT tcpslice 1257185227.995 1257185227.996 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.151' ============================== SEPARATOR ================================ Infected Target: 192.168.1.151 Score: 0.8 (>= 0.8) Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 11/02/2009 10:11:07.998 PST Gen. 
Time: 11/02/2009 10:11:58.015 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) 208.11.220.58 (10:11:58.015 PST) event=777:7777005 {tcp} E5[bh] Detected intense non-malware port scanning of 30 IPs (17 /24s) (# pkts S/M/O/I=0/0/65535/30): 22:65535, 6667:14, 16697:2, 37051:2, 39366:2, 215, 216, 217, 218, 219, 220, 221, [] MAC_Src: 00:0E:39:E0:94:00 0->0 (10:11:58.015 PST) OUTBOUND SCAN 208.16.205.136 (10:11:08.181 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 53161->22 (10:11:08.181 PST) 208.16.208.58 (10:11:08.020 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 55605->22 (10:11:08.020 PST) 208.14.108.230 (10:11:08.548 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 48277->22 (10:11:08.548 PST) 208.16.208.142 (10:11:08.174 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 39128->22 (10:11:08.174 PST) 208.16.205.128 (10:11:08.161 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 53659->22 (10:11:08.161 PST) 208.14.25.26 (10:11:08.257 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 33553->22 (10:11:08.257 PST) 208.14.222.194 (10:11:08.061 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 33582->22 (10:11:08.061 PST) 208.16.205.118 (10:11:08.078 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 34624->22 (10:11:08.078 PST) 208.1.216.212 (10:11:08.100 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 38392->22 (10:11:08.100 PST) 
208.16.208.39 (10:11:08.005 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 36513->22 (10:11:08.005 PST) 208.16.208.77 (10:11:08.030 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 56612->22 (10:11:08.030 PST) 208.13.140.77 (10:11:08.660 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 53162->22 (10:11:08.660 PST) 208.16.205.123 (10:11:08.127 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 38497->22 (10:11:08.127 PST) 208.16.208.114 (10:11:08.056 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 46749->22 (10:11:08.056 PST) 208.14.136.9 (10:11:08.414 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 43415->22 (10:11:08.414 PST) 208.16.208.97 (10:11:08.042 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 55137->22 (10:11:08.042 PST) 208.16.208.20 (10:11:07.998 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 53442->22 (10:11:07.998 PST) ATTACK PREP PEER COORDINATION DECLARE BOT tcpslice 1257185467.998 1257185467.999 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.151' ============================== SEPARATOR ================================ Infected Target: 192.168.1.151 Score: 0.8 (>= 0.8) Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 11/02/2009 10:11:07.998 PST Gen. 
Time: 11/02/2009 10:15:08.000 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) 208.16.129.46 (10:14:58.000 PST) event=777:7777005 {tcp} E5[bh] Detected intense non-malware port scanning of 30 IPs (18 /24s) (# pkts S/M/O/I=0/0/65535/30): 22:65535, 6667:14, 16697:2, 37051:2, 39366:2, 215, 216, 217, 218, 219, 220, 221, [] MAC_Src: 00:0E:39:E0:94:00 0->0 (10:14:58.000 PST) 208.1.63.14 (10:13:28.005 PST) event=777:7777005 {tcp} E5[bh] Detected intense non-malware port scanning of 30 IPs (18 /24s) (# pkts S/M/O/I=0/0/65535/30): 22:65535, 6667:14, 16697:2, 37051:2, 39366:2, 215, 216, 217, 218, 219, 220, 221, [] MAC_Src: 00:0E:39:E0:94:00 0->0 (10:13:28.005 PST) 208.11.220.58 (10:11:58.015 PST) event=777:7777005 {tcp} E5[bh] Detected intense non-malware port scanning of 30 IPs (17 /24s) (# pkts S/M/O/I=0/0/65535/30): 22:65535, 6667:14, 16697:2, 37051:2, 39366:2, 215, 216, 217, 218, 219, 220, 221, [] MAC_Src: 00:0E:39:E0:94:00 0->0 (10:11:58.015 PST) OUTBOUND SCAN 208.16.205.136 (10:11:08.181 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 53161->22 (10:11:08.181 PST) 208.16.208.58 (10:11:08.020 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 55605->22 (10:11:08.020 PST) 208.14.108.230 (10:11:08.548 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 48277->22 (10:11:08.548 PST) 208.16.208.142 (10:11:08.174 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 39128->22 (10:11:08.174 PST) 208.16.205.128 (10:11:08.161 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 53659->22 (10:11:08.161 PST) 208.14.25.26 (10:11:08.257 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan 
(20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 33553->22 (10:11:08.257 PST) 208.14.222.194 (10:11:08.061 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 33582->22 (10:11:08.061 PST) 208.16.205.118 (10:11:08.078 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 34624->22 (10:11:08.078 PST) 208.1.216.212 (10:11:08.100 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 38392->22 (10:11:08.100 PST) 208.16.208.39 (10:11:08.005 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 36513->22 (10:11:08.005 PST) 208.16.208.77 (10:11:08.030 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 56612->22 (10:11:08.030 PST) 208.13.140.77 (10:11:08.660 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 53162->22 (10:11:08.660 PST) 208.16.205.123 (10:11:08.127 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 38497->22 (10:11:08.127 PST) 208.16.208.114 (10:11:08.056 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 46749->22 (10:11:08.056 PST) 208.14.136.9 (10:11:08.414 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 43415->22 (10:11:08.414 PST) 208.16.208.97 (10:11:08.042 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 55137->22 (10:11:08.042 PST) 208.16.208.20 (10:11:07.998 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 53442->22 (10:11:07.998 PST) ATTACK PREP PEER COORDINATION DECLARE BOT tcpslice 1257185467.998 1257185467.999 inputFile.tcpd | tcpdump 
-r - -w outputFile.tcpd 'host 192.168.1.151' ============================== SEPARATOR ================================ Infected Target: 192.168.1.151 Score: 0.8 (>= 0.8) Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 11/02/2009 10:15:08.026 PST Gen. Time: 11/02/2009 10:16:28.000 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) 208.11.220.101 (10:16:28.000 PST) event=777:7777005 {tcp} E5[bh] Detected intense non-malware port scanning of 30 IPs (17 /24s) (# pkts S/M/O/I=0/0/65535/42): 22:65535, 6667:14, 16697:2, 37051:2, 39366:2, 215, 216, 217, 218, 219, 220, 221, [] MAC_Src: 00:0E:39:E0:94:00 0->0 (10:16:28.000 PST) OUTBOUND SCAN 208.16.132.33 (10:15:08.916 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 58310->22 (10:15:08.916 PST) 208.11.220.159 (10:15:08.038 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 49807->22 (10:15:08.038 PST) 208.13.131.86 (10:15:08.329 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 50348->22 (10:15:08.329 PST) 208.16.137.171 (10:15:08.958 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 44847->22 (10:15:08.958 PST) 208.16.132.63 (10:15:08.213 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 47826->22 (10:15:08.213 PST) 208.13.130.88 (10:15:08.574 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 46357->22 (10:15:08.574 PST) 208.0.30.83 (10:15:08.150 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 33410->22 (10:15:08.150 PST) 208.13.130.103 (10:15:08.443 PST) 
event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 34345->22 (10:15:08.443 PST) 208.8.89.33 (10:15:08.813 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 34368->22 (10:15:08.813 PST) 208.15.165.10 (10:15:08.665 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 46240->22 (10:15:08.665 PST) 208.16.137.153 (10:15:08.958 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 39507->22 (10:15:08.958 PST) 208.16.137.137 (10:15:08.954 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 40367->22 (10:15:08.954 PST) 208.16.199.234 (10:15:08.717 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 36737->22 (10:15:08.717 PST) 208.16.137.120 (10:15:08.026 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 59505->22 (10:15:08.026 PST) 208.16.135.141 (10:15:08.958 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 53730->22 (10:15:08.958 PST) 208.11.220.107 (10:15:08.063 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 53535->22 (10:15:08.063 PST) 208.13.150.122 (10:15:08.377 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 53486->22 (10:15:08.377 PST) ATTACK PREP PEER COORDINATION DECLARE BOT tcpslice 1257185708.026 1257185708.027 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.151' ============================== SEPARATOR ================================ Infected Target: 192.168.1.151 Score: 0.8 (>= 0.8) Infector List: Egg Source List: C & C List: Peer Coord. 
List: Resource List: Observed Start: 11/02/2009 10:15:08.026 PST Gen. Time: 11/02/2009 10:19:08.027 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) 208.11.220.101 (10:16:28.000 PST) event=777:7777005 {tcp} E5[bh] Detected intense non-malware port scanning of 30 IPs (17 /24s) (# pkts S/M/O/I=0/0/65535/42): 22:65535, 6667:14, 16697:2, 37051:2, 39366:2, 215, 216, 217, 218, 219, 220, 221, [] MAC_Src: 00:0E:39:E0:94:00 0->0 (10:16:28.000 PST) 208.13.129.83 (10:17:58.001 PST) event=777:7777005 {tcp} E5[bh] Detected intense non-malware port scanning of 30 IPs (18 /24s) (# pkts S/M/O/I=0/0/65535/46): 22:65535, 6667:14, 16697:2, 37051:2, 39366:2, 215, 216, 217, 218, 219, 220, 221, [] MAC_Src: 00:0E:39:E0:94:00 0->0 (10:17:58.001 PST) OUTBOUND SCAN 208.16.132.33 (10:15:08.916 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 58310->22 (10:15:08.916 PST) 208.11.220.159 (10:15:08.038 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 49807->22 (10:15:08.038 PST) 208.13.131.86 (10:15:08.329 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 50348->22 (10:15:08.329 PST) 208.16.137.171 (10:15:08.958 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 44847->22 (10:15:08.958 PST) 208.16.132.63 (10:15:08.213 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 47826->22 (10:15:08.213 PST) 208.13.130.88 (10:15:08.574 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 46357->22 (10:15:08.574 PST) 208.0.30.83 (10:15:08.150 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 33410->22 
(10:15:08.150 PST) 208.13.130.103 (10:15:08.443 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 34345->22 (10:15:08.443 PST) 208.8.89.33 (10:15:08.813 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 34368->22 (10:15:08.813 PST) 208.15.165.10 (10:15:08.665 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 46240->22 (10:15:08.665 PST) 208.16.137.153 (10:15:08.958 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 39507->22 (10:15:08.958 PST) 208.16.137.137 (10:15:08.954 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 40367->22 (10:15:08.954 PST) 208.16.199.234 (10:15:08.717 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 36737->22 (10:15:08.717 PST) 208.16.137.120 (10:15:08.026 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 59505->22 (10:15:08.026 PST) 208.16.135.141 (10:15:08.958 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 53730->22 (10:15:08.958 PST) 208.11.220.107 (10:15:08.063 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 53535->22 (10:15:08.063 PST) 208.13.150.122 (10:15:08.377 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 53486->22 (10:15:08.377 PST) ATTACK PREP PEER COORDINATION DECLARE BOT tcpslice 1257185708.026 1257185708.027 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.151' ============================== SEPARATOR ================================ Infected Target: 192.168.1.151 Score: 0.8 (>= 0.8) Infector List: Egg Source List: C & C List: Peer 
Coord. List: Resource List: Observed Start: 11/02/2009 10:19:08.030 PST Gen. Time: 11/02/2009 10:19:28.000 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) 208.17.82.24 (10:19:28.000 PST) event=777:7777005 {tcp} E5[bh] Detected intense non-malware port scanning of 30 IPs (18 /24s) (# pkts S/M/O/I=0/0/65535/46): 22:65535, 6667:14, 16697:2, 37051:2, 39366:2, 215, 216, 217, 218, 219, 220, 221, [] MAC_Src: 00:0E:39:E0:94:00 0->0 (10:19:28.000 PST) OUTBOUND SCAN 208.17.66.38 (10:19:08.111 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 59779->22 (10:19:08.111 PST) 208.16.132.63 (10:19:08.159 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 36914->22 (10:19:08.159 PST) 208.17.65.224 (10:19:08.057 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 52152->22 (10:19:08.057 PST) 208.17.65.62 (10:19:08.054 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 39741->22 (10:19:08.054 PST) 208.13.78.242 (10:19:08.071 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 40150->22 (10:19:08.071 PST) 208.17.64.202 (10:19:08.033 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 39652->22 (10:19:08.033 PST) 208.17.64.240 (10:19:08.040 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 50797->22 (10:19:08.040 PST) 208.17.65.22 (10:19:08.046 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 36828->22 (10:19:08.046 PST) 208.17.66.56 (10:19:08.125 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] 
MAC_Src: 00:0E:39:E0:94:00 50108->22 (10:19:08.125 PST) 208.1.19.226 (10:19:08.118 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 50045->22 (10:19:08.118 PST) 208.17.65.243 (10:19:08.061 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 44336->22 (10:19:08.061 PST) 208.17.64.184 (10:19:08.030 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 58233->22 (10:19:08.030 PST) 208.17.64.222 (10:19:08.037 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 54499->22 (10:19:08.037 PST) 208.17.66.62 (10:19:08.132 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 49702->22 (10:19:08.132 PST) 208.17.65.42 (10:19:08.050 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 46951->22 (10:19:08.050 PST) 208.17.66.31 (10:19:08.088 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 42635->22 (10:19:08.088 PST) 208.17.65.3 (10:19:08.043 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 44610->22 (10:19:08.043 PST) ATTACK PREP PEER COORDINATION DECLARE BOT tcpslice 1257185948.030 1257185948.031 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.151' ============================== SEPARATOR ================================ Infected Target: 192.168.1.151 Score: 0.8 (>= 0.8) Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 11/02/2009 10:19:08.030 PST Gen. 
Time: 11/02/2009 10:23:08.100 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) 208.17.158.159 (10:20:58.001 PST) event=777:7777005 {tcp} E5[bh] Detected intense non-malware port scanning of 30 IPs (18 /24s) (# pkts S/M/O/I=0/0/65535/46): 22:65535, 6667:14, 16697:2, 37051:2, 39366:2, 215, 216, 217, 218, 219, 220, 221, [] MAC_Src: 00:0E:39:E0:94:00 0->0 (10:20:58.001 PST) 208.17.82.24 (10:19:28.000 PST) event=777:7777005 {tcp} E5[bh] Detected intense non-malware port scanning of 30 IPs (18 /24s) (# pkts S/M/O/I=0/0/65535/46): 22:65535, 6667:14, 16697:2, 37051:2, 39366:2, 215, 216, 217, 218, 219, 220, 221, [] MAC_Src: 00:0E:39:E0:94:00 0->0 (10:19:28.000 PST) 208.17.234.87 (10:22:28.000 PST) event=777:7777005 {tcp} E5[bh] Detected intense non-malware port scanning of 30 IPs (18 /24s) (# pkts S/M/O/I=0/0/65535/46): 22:65535, 6667:14, 16697:2, 37051:2, 39366:2, 215, 216, 217, 218, 219, 220, 221, [] MAC_Src: 00:0E:39:E0:94:00 0->0 (10:22:28.000 PST) OUTBOUND SCAN 208.17.66.38 (10:19:08.111 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 59779->22 (10:19:08.111 PST) 208.16.132.63 (10:19:08.159 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 36914->22 (10:19:08.159 PST) 208.17.65.224 (10:19:08.057 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 52152->22 (10:19:08.057 PST) 208.17.65.62 (10:19:08.054 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 39741->22 (10:19:08.054 PST) 208.13.78.242 (10:19:08.071 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 40150->22 (10:19:08.071 PST) 208.17.64.202 (10:19:08.033 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan 
(20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 39652->22 (10:19:08.033 PST) 208.17.64.240 (10:19:08.040 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 50797->22 (10:19:08.040 PST) 208.17.65.22 (10:19:08.046 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 36828->22 (10:19:08.046 PST) 208.17.66.56 (10:19:08.125 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 50108->22 (10:19:08.125 PST) 208.1.19.226 (10:19:08.118 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 50045->22 (10:19:08.118 PST) 208.17.65.243 (10:19:08.061 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 44336->22 (10:19:08.061 PST) 208.17.64.184 (10:19:08.030 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 58233->22 (10:19:08.030 PST) 208.17.64.222 (10:19:08.037 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 54499->22 (10:19:08.037 PST) 208.17.66.62 (10:19:08.132 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 49702->22 (10:19:08.132 PST) 208.17.65.42 (10:19:08.050 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 46951->22 (10:19:08.050 PST) 208.17.66.31 (10:19:08.088 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 42635->22 (10:19:08.088 PST) 208.17.65.3 (10:19:08.043 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 44610->22 (10:19:08.043 PST) ATTACK PREP PEER COORDINATION DECLARE BOT tcpslice 1257185948.030 1257185948.031 inputFile.tcpd | tcpdump -r - -w 
outputFile.tcpd 'host 192.168.1.151' ============================== SEPARATOR ================================ Infected Target: 192.168.1.151 Score: 0.8 (>= 0.8) Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 11/02/2009 10:23:08.151 PST Gen. Time: 11/02/2009 10:23:58.000 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) 208.4.181.29 (10:23:58.000 PST) event=777:7777005 {tcp} E5[bh] Detected intense non-malware port scanning of 30 IPs (17 /24s) (# pkts S/M/O/I=0/0/65535/46): 22:65535, 6667:14, 16697:2, 37051:2, 39366:2, 215, 216, 217, 218, 219, 220, 221, [] MAC_Src: 00:0E:39:E0:94:00 0->0 (10:23:58.000 PST) OUTBOUND SCAN 208.13.140.13 (10:23:08.425 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 45169->22 (10:23:08.425 PST) 208.13.106.15 (10:23:08.929 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 53819->22 (10:23:08.929 PST) 208.16.23.229 (10:23:08.989 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 56733->22 (10:23:08.989 PST) 208.17.25.244 (10:23:09.120 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 37728->22 (10:23:09.120 PST) 208.16.230.167 (10:23:08.785 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 46193->22 (10:23:08.785 PST) 208.16.225.28 (10:23:08.668 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 59657->22 (10:23:08.668 PST) 208.17.94.174 (10:23:08.357 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 50683->22 (10:23:08.357 PST) 208.16.90.241 (10:23:08.548 PST) event=1:2001219 {tcp} 
E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 54657->22 (10:23:08.548 PST) 208.13.144.121 (10:23:09.173 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 49382->22 (10:23:09.173 PST) 208.17.180.138 (10:23:08.861 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 41466->22 (10:23:08.861 PST) 208.13.130.9 (10:23:08.725 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 42764->22 (10:23:08.725 PST) 208.13.144.59 (10:23:08.227 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 33895->22 (10:23:08.227 PST) 208.0.51.24 (10:23:08.151 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 50123->22 (10:23:08.151 PST) 208.13.130.145 (10:23:08.268 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 55994->22 (10:23:08.268 PST) 208.16.230.178 (10:23:08.603 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 43281->22 (10:23:08.603 PST) 208.13.144.124 (10:23:09.039 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 36165->22 (10:23:09.039 PST) 208.1.140.175 (10:23:08.506 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 40773->22 (10:23:08.506 PST) ATTACK PREP PEER COORDINATION DECLARE BOT tcpslice 1257186188.151 1257186188.152 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.151' ============================== SEPARATOR ================================ Infected Target: 192.168.1.151 Score: 0.8 (>= 0.8) Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 11/02/2009 10:23:08.151 PST Gen. 
Time: 11/02/2009 10:27:08.167 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) 208.18.109.43 (10:25:28.000 PST) event=777:7777005 {tcp} E5[bh] Detected intense non-malware port scanning of 30 IPs (18 /24s) (# pkts S/M/O/I=0/0/65535/46): 22:65535, 6667:14, 16697:2, 37051:2, 39366:2, 215, 216, 217, 218, 219, 220, 221, [] MAC_Src: 00:0E:39:E0:94:00 0->0 (10:25:28.000 PST) 208.17.91.3 (10:26:58.002 PST) event=777:7777005 {tcp} E5[bh] Detected intense non-malware port scanning of 30 IPs (18 /24s) (# pkts S/M/O/I=0/0/65535/46): 22:65535, 6667:14, 16697:2, 37051:2, 39366:2, 215, 216, 217, 218, 219, 220, 221, [] MAC_Src: 00:0E:39:E0:94:00 0->0 (10:26:58.002 PST) 208.4.181.29 (10:23:58.000 PST) event=777:7777005 {tcp} E5[bh] Detected intense non-malware port scanning of 30 IPs (17 /24s) (# pkts S/M/O/I=0/0/65535/46): 22:65535, 6667:14, 16697:2, 37051:2, 39366:2, 215, 216, 217, 218, 219, 220, 221, [] MAC_Src: 00:0E:39:E0:94:00 0->0 (10:23:58.000 PST) OUTBOUND SCAN 208.13.140.13 (10:23:08.425 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 45169->22 (10:23:08.425 PST) 208.13.106.15 (10:23:08.929 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 53819->22 (10:23:08.929 PST) 208.16.23.229 (10:23:08.989 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 56733->22 (10:23:08.989 PST) 208.17.25.244 (10:23:09.120 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 37728->22 (10:23:09.120 PST) 208.16.230.167 (10:23:08.785 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 46193->22 (10:23:08.785 PST) 208.16.225.28 (10:23:08.668 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan 
(20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 59657->22 (10:23:08.668 PST) 208.17.94.174 (10:23:08.357 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 50683->22 (10:23:08.357 PST) 208.16.90.241 (10:23:08.548 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 54657->22 (10:23:08.548 PST) 208.13.144.121 (10:23:09.173 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 49382->22 (10:23:09.173 PST) 208.17.180.138 (10:23:08.861 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 41466->22 (10:23:08.861 PST) 208.13.130.9 (10:23:08.725 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 42764->22 (10:23:08.725 PST) 208.13.144.59 (10:23:08.227 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 33895->22 (10:23:08.227 PST) 208.0.51.24 (10:23:08.151 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 50123->22 (10:23:08.151 PST) 208.13.130.145 (10:23:08.268 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 55994->22 (10:23:08.268 PST) 208.16.230.178 (10:23:08.603 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 43281->22 (10:23:08.603 PST) 208.13.144.124 (10:23:09.039 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 36165->22 (10:23:09.039 PST) 208.1.140.175 (10:23:08.506 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 40773->22 (10:23:08.506 PST) ATTACK PREP PEER COORDINATION DECLARE BOT tcpslice 1257186188.151 1257186188.152 inputFile.tcpd | tcpdump 
-r - -w outputFile.tcpd 'host 192.168.1.151' ============================== SEPARATOR ================================ Infected Target: 192.168.1.151 Score: 0.8 (>= 0.8) Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 11/02/2009 10:27:08.203 PST Gen. Time: 11/02/2009 10:28:28.000 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) 208.18.254.227 (10:28:28.000 PST) event=777:7777005 {tcp} E5[bh] Detected intense non-malware port scanning of 30 IPs (18 /24s) (# pkts S/M/O/I=0/0/65535/46): 22:65535, 6667:14, 16697:2, 37051:2, 39366:2, 215, 216, 217, 218, 219, 220, 221, [] MAC_Src: 00:0E:39:E0:94:00 0->0 (10:28:28.000 PST) OUTBOUND SCAN 208.16.163.93 (10:27:09.282 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 56691->22 (10:27:09.282 PST) 208.17.91.1 (10:27:08.690 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 51766->22 (10:27:08.690 PST) 208.16.145.47 (10:27:08.412 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 52058->22 (10:27:08.412 PST) 208.13.144.123 (10:27:08.630 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 37090->22 (10:27:08.630 PST) 208.16.23.229 (10:27:08.561 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 50835->22 (10:27:08.561 PST) 208.16.206.17 (10:27:08.816 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 35767->22 (10:27:08.816 PST) 208.13.144.53 (10:27:09.227 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 58969->22 (10:27:09.227 PST) 208.17.80.200 (10:27:08.900 PST) event=1:2001219 
{tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 38233->22 (10:27:08.900 PST) 208.16.208.116 (10:27:09.078 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 41826->22 (10:27:09.078 PST) 208.17.77.184 (10:27:08.203 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 59320->22 (10:27:08.203 PST) 208.15.228.2 (10:27:08.505 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 38588->22 (10:27:08.505 PST) 208.13.130.145 (10:27:08.734 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 52848->22 (10:27:08.734 PST) 208.17.69.153 (10:27:09.024 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 35059->22 (10:27:09.024 PST) 208.7.129.17 (10:27:08.952 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 52486->22 (10:27:08.952 PST) 208.13.106.9 (10:27:08.336 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 46202->22 (10:27:08.336 PST) 208.18.191.23 (10:27:08.925 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 42429->22 (10:27:08.925 PST) 208.15.24.6 (10:27:09.152 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 41114->22 (10:27:09.152 PST) ATTACK PREP PEER COORDINATION DECLARE BOT tcpslice 1257186428.203 1257186428.204 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.151' ============================== SEPARATOR ================================ Infected Target: 192.168.1.151 Score: 0.8 (>= 0.8) Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 11/02/2009 10:27:08.203 PST Gen. 
Time: 11/02/2009 10:31:08.235 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) 208.18.254.227 (10:28:28.000 PST) event=777:7777005 {tcp} E5[bh] Detected intense non-malware port scanning of 30 IPs (18 /24s) (# pkts S/M/O/I=0/0/65535/46): 22:65535, 6667:14, 16697:2, 37051:2, 39366:2, 215, 216, 217, 218, 219, 220, 221, [] MAC_Src: 00:0E:39:E0:94:00 0->0 (10:28:28.000 PST) 208.19.61.12 (10:29:58.000 PST) event=777:7777005 {tcp} E5[bh] Detected intense non-malware port scanning of 30 IPs (18 /24s) (# pkts S/M/O/I=0/0/65535/46): 22:65535, 6667:14, 16697:2, 37051:2, 39366:2, 215, 216, 217, 218, 219, 220, 221, [] MAC_Src: 00:0E:39:E0:94:00 0->0 (10:29:58.000 PST) OUTBOUND SCAN 208.16.163.93 (10:27:09.282 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 56691->22 (10:27:09.282 PST) 208.17.91.1 (10:27:08.690 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 51766->22 (10:27:08.690 PST) 208.16.145.47 (10:27:08.412 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 52058->22 (10:27:08.412 PST) 208.13.144.123 (10:27:08.630 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 37090->22 (10:27:08.630 PST) 208.16.23.229 (10:27:08.561 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 50835->22 (10:27:08.561 PST) 208.16.206.17 (10:27:08.816 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 35767->22 (10:27:08.816 PST) 208.13.144.53 (10:27:09.227 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 58969->22 (10:27:09.227 PST) 208.17.80.200 (10:27:08.900 PST) event=1:2001219 
{tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 38233->22 (10:27:08.900 PST) 208.16.208.116 (10:27:09.078 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 41826->22 (10:27:09.078 PST) 208.17.77.184 (10:27:08.203 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 59320->22 (10:27:08.203 PST) 208.15.228.2 (10:27:08.505 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 38588->22 (10:27:08.505 PST) 208.13.130.145 (10:27:08.734 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 52848->22 (10:27:08.734 PST) 208.17.69.153 (10:27:09.024 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 35059->22 (10:27:09.024 PST) 208.7.129.17 (10:27:08.952 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 52486->22 (10:27:08.952 PST) 208.13.106.9 (10:27:08.336 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 46202->22 (10:27:08.336 PST) 208.18.191.23 (10:27:08.925 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 42429->22 (10:27:08.925 PST) 208.15.24.6 (10:27:09.152 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 41114->22 (10:27:09.152 PST) ATTACK PREP PEER COORDINATION DECLARE BOT tcpslice 1257186428.203 1257186428.204 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.151' ============================== SEPARATOR ================================ Infected Target: 192.168.1.151 Score: 0.8 (>= 0.8) Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 11/02/2009 10:31:08.319 PST Gen. 
Time: 11/02/2009 10:31:28.000 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) 208.19.132.117 (10:31:28.000 PST) event=777:7777005 {tcp} E5[bh] Detected intense non-malware port scanning of 30 IPs (18 /24s) (# pkts S/M/O/I=0/0/65535/46): 22:65535, 6667:14, 16697:2, 37051:2, 39366:2, 215, 216, 217, 218, 219, 220, 221, [] MAC_Src: 00:0E:39:E0:94:00 0->0 (10:31:28.000 PST) OUTBOUND SCAN 208.19.119.21 (10:31:08.916 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 44745->22 (10:31:08.916 PST) 208.19.117.72 (10:31:08.917 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 55976->22 (10:31:08.917 PST) 208.19.119.58 (10:31:08.917 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 43697->22 (10:31:08.917 PST) 208.19.117.102 (10:31:08.917 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 36387->22 (10:31:08.917 PST) 208.16.72.218 (10:31:08.562 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 56298->22 (10:31:08.562 PST) 208.17.78.98 (10:31:08.319 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 45328->22 (10:31:08.319 PST) 208.19.119.41 (10:31:08.917 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 34924->22 (10:31:08.917 PST) 208.12.102.170 (10:31:08.649 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 51247->22 (10:31:08.649 PST) 208.17.74.48 (10:31:08.736 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 56085->22 (10:31:08.736 PST) 208.19.117.92 
(10:31:08.917 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 40380->22 (10:31:08.917 PST) 208.17.88.97 (10:31:08.469 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 39860->22 (10:31:08.469 PST) 208.19.119.77 (10:31:08.918 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 54462->22 (10:31:08.918 PST) 208.19.117.60 (10:31:08.916 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 45759->22 (10:31:08.916 PST) 208.13.144.125 (10:31:08.384 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 37771->22 (10:31:08.384 PST) 208.12.111.10 (10:31:08.854 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 49120->22 (10:31:08.854 PST) 208.19.117.82 (10:31:08.917 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 32956->22 (10:31:08.917 PST) 208.16.141.14 (10:31:08.789 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 34501->22 (10:31:08.789 PST) ATTACK PREP PEER COORDINATION DECLARE BOT tcpslice 1257186668.319 1257186668.320 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.151' ============================== SEPARATOR ================================ Infected Target: 192.168.1.151 Score: 0.8 (>= 0.8) Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 11/02/2009 10:31:08.319 PST Gen. 
Time: 11/02/2009 10:35:08.331 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) 208.19.132.117 (10:31:28.000 PST) event=777:7777005 {tcp} E5[bh] Detected intense non-malware port scanning of 30 IPs (18 /24s) (# pkts S/M/O/I=0/0/65535/46): 22:65535, 6667:14, 16697:2, 37051:2, 39366:2, 215, 216, 217, 218, 219, 220, 221, [] MAC_Src: 00:0E:39:E0:94:00 0->0 (10:31:28.000 PST) 208.16.230.241 (10:34:28.009 PST) event=777:7777005 {tcp} E5[bh] Detected intense non-malware port scanning of 30 IPs (18 /24s) (# pkts S/M/O/I=0/0/65535/46): 22:65535, 6667:14, 16697:2, 37051:2, 39366:2, 215, 216, 217, 218, 219, 220, 221, [] MAC_Src: 00:0E:39:E0:94:00 0->0 (10:34:28.009 PST) 208.13.72.242 (10:32:58.005 PST) event=777:7777005 {tcp} E5[bh] Detected intense non-malware port scanning of 30 IPs (17 /24s) (# pkts S/M/O/I=0/0/65535/46): 22:65535, 6667:14, 16697:2, 37051:2, 39366:2, 215, 216, 217, 218, 219, 220, 221, [] MAC_Src: 00:0E:39:E0:94:00 0->0 (10:32:58.005 PST) OUTBOUND SCAN 208.19.119.21 (10:31:08.916 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 44745->22 (10:31:08.916 PST) 208.19.117.72 (10:31:08.917 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 55976->22 (10:31:08.917 PST) 208.19.119.58 (10:31:08.917 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 43697->22 (10:31:08.917 PST) 208.19.117.102 (10:31:08.917 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 36387->22 (10:31:08.917 PST) 208.16.72.218 (10:31:08.562 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 56298->22 (10:31:08.562 PST) 208.17.78.98 (10:31:08.319 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH 
Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 45328->22 (10:31:08.319 PST) 208.19.119.41 (10:31:08.917 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 34924->22 (10:31:08.917 PST) 208.12.102.170 (10:31:08.649 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 51247->22 (10:31:08.649 PST) 208.17.74.48 (10:31:08.736 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 56085->22 (10:31:08.736 PST) 208.19.117.92 (10:31:08.917 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 40380->22 (10:31:08.917 PST) 208.17.88.97 (10:31:08.469 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 39860->22 (10:31:08.469 PST) 208.19.119.77 (10:31:08.918 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 54462->22 (10:31:08.918 PST) 208.19.117.60 (10:31:08.916 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 45759->22 (10:31:08.916 PST) 208.13.144.125 (10:31:08.384 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 37771->22 (10:31:08.384 PST) 208.12.111.10 (10:31:08.854 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 49120->22 (10:31:08.854 PST) 208.19.117.82 (10:31:08.917 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 32956->22 (10:31:08.917 PST) 208.16.141.14 (10:31:08.789 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 34501->22 (10:31:08.789 PST) ATTACK PREP PEER COORDINATION DECLARE BOT tcpslice 1257186668.319 1257186668.320 inputFile.tcpd | 
tcpdump -r - -w outputFile.tcpd 'host 192.168.1.151' ============================== SEPARATOR ================================ Infected Target: 192.168.1.151 Score: 0.8 (>= 0.8) Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 11/02/2009 10:35:08.366 PST Gen. Time: 11/02/2009 10:35:58.000 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) 208.20.69.10 (10:35:58.000 PST) event=777:7777005 {tcp} E5[bh] Detected intense non-malware port scanning of 30 IPs (18 /24s) (# pkts S/M/O/I=0/0/65535/46): 22:65535, 6667:14, 16697:2, 37051:2, 39366:2, 215, 216, 217, 218, 219, 220, 221, [] MAC_Src: 00:0E:39:E0:94:00 0->0 (10:35:58.000 PST) OUTBOUND SCAN 208.20.28.240 (10:35:08.909 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 60088->22 (10:35:08.909 PST) 208.19.38.12 (10:35:08.656 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 58082->22 (10:35:08.656 PST) 208.19.38.19 (10:35:08.619 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 42216->22 (10:35:08.619 PST) 208.16.129.118 (10:35:08.563 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 53903->22 (10:35:08.563 PST) 208.19.38.11 (10:35:08.516 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 36771->22 (10:35:08.516 PST) 208.20.28.254 (10:35:08.910 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 43330->22 (10:35:08.910 PST) 208.17.87.81 (10:35:08.366 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 45785->22 (10:35:08.366 PST) 208.19.38.25 (10:35:08.546 PST) 
event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 59165->22 (10:35:08.546 PST) 208.16.158.6 (10:35:08.469 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 50230->22 (10:35:08.469 PST) 208.17.80.200 (2) (10:35:08.434 PST) event=1:2001219 (2) {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 34573->22 (10:35:08.434 PST) 34674->22 (10:35:08.856 PST) 208.16.208.116 (10:35:08.722 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 49393->22 (10:35:08.722 PST) 208.16.205.2 (10:35:08.896 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 39209->22 (10:35:08.896 PST) 208.20.28.220 (10:35:08.905 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 42937->22 (10:35:08.905 PST) 208.20.28.212 (10:35:08.907 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 42489->22 (10:35:08.907 PST) 208.19.38.6 (10:35:08.795 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 56098->22 (10:35:08.795 PST) 208.19.38.28 (10:35:08.828 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 37444->22 (10:35:08.828 PST) ATTACK PREP PEER COORDINATION DECLARE BOT tcpslice 1257186908.366 1257186908.367 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.151' ============================== SEPARATOR ================================ Infected Target: 192.168.1.151 Score: 0.8 (>= 0.8) Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 11/02/2009 10:35:08.366 PST Gen. 
Time: 11/02/2009 10:39:08.375 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) 208.20.69.10 (10:35:58.000 PST) event=777:7777005 {tcp} E5[bh] Detected intense non-malware port scanning of 30 IPs (18 /24s) (# pkts S/M/O/I=0/0/65535/46): 22:65535, 6667:14, 16697:2, 37051:2, 39366:2, 215, 216, 217, 218, 219, 220, 221, [] MAC_Src: 00:0E:39:E0:94:00 0->0 (10:35:58.000 PST) 208.13.144.53 (10:38:58.002 PST) event=777:7777005 {tcp} E5[bh] Detected intense non-malware port scanning of 30 IPs (17 /24s) (# pkts S/M/O/I=0/0/65535/46): 22:65535, 6667:14, 16697:2, 37051:2, 39366:2, 215, 216, 217, 218, 219, 220, 221, [] MAC_Src: 00:0E:39:E0:94:00 0->0 (10:38:58.002 PST) 208.19.38.27 (10:37:28.000 PST) event=777:7777005 {tcp} E5[bh] Detected intense non-malware port scanning of 30 IPs (18 /24s) (# pkts S/M/O/I=0/0/65535/46): 22:65535, 6667:14, 16697:2, 37051:2, 39366:2, 215, 216, 217, 218, 219, 220, 221, [] MAC_Src: 00:0E:39:E0:94:00 0->0 (10:37:28.000 PST) OUTBOUND SCAN 208.20.28.240 (10:35:08.909 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 60088->22 (10:35:08.909 PST) 208.19.38.12 (10:35:08.656 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 58082->22 (10:35:08.656 PST) 208.19.38.19 (10:35:08.619 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 42216->22 (10:35:08.619 PST) 208.16.129.118 (10:35:08.563 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 53903->22 (10:35:08.563 PST) 208.19.38.11 (10:35:08.516 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 36771->22 (10:35:08.516 PST) 208.20.28.254 (10:35:08.910 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 
in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 43330->22 (10:35:08.910 PST) 208.17.87.81 (10:35:08.366 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 45785->22 (10:35:08.366 PST) 208.19.38.25 (10:35:08.546 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 59165->22 (10:35:08.546 PST) 208.16.158.6 (10:35:08.469 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 50230->22 (10:35:08.469 PST) 208.17.80.200 (2) (10:35:08.434 PST) event=1:2001219 (2) {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 34573->22 (10:35:08.434 PST) 34674->22 (10:35:08.856 PST) 208.16.208.116 (10:35:08.722 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 49393->22 (10:35:08.722 PST) 208.16.205.2 (10:35:08.896 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 39209->22 (10:35:08.896 PST) 208.20.28.220 (10:35:08.905 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 42937->22 (10:35:08.905 PST) 208.20.28.212 (10:35:08.907 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 42489->22 (10:35:08.907 PST) 208.19.38.6 (10:35:08.795 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 56098->22 (10:35:08.795 PST) 208.19.38.28 (10:35:08.828 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 37444->22 (10:35:08.828 PST) ATTACK PREP PEER COORDINATION DECLARE BOT tcpslice 1257186908.366 1257186908.367 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.151' ============================== SEPARATOR ================================ Infected Target: 
192.168.1.151 Score: 0.8 (>= 0.8) Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 11/02/2009 10:39:08.473 PST Gen. Time: 11/02/2009 10:40:28.004 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) 208.1.90.193 (10:40:28.004 PST) event=777:7777005 {tcp} E5[bh] Detected intense non-malware port scanning of 30 IPs (18 /24s) (# pkts S/M/O/I=0/0/65535/46): 22:65535, 6667:14, 16697:2, 37051:2, 39366:2, 215, 216, 217, 218, 219, 220, 221, [] MAC_Src: 00:0E:39:E0:94:00 0->0 (10:40:28.004 PST) OUTBOUND SCAN 208.20.221.159 (10:39:08.897 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 54957->22 (10:39:08.897 PST) 208.19.38.96 (10:39:08.637 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 51754->22 (10:39:08.637 PST) 208.16.163.93 (10:39:08.506 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 47222->22 (10:39:08.506 PST) 208.13.140.104 (10:39:08.862 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 45961->22 (10:39:08.862 PST) 208.19.38.10 (10:39:08.591 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 60334->22 (10:39:08.591 PST) 208.20.219.86 (10:39:08.899 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 35651->22 (10:39:08.899 PST) 208.16.225.27 (10:39:08.763 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 32997->22 (10:39:08.763 PST) 208.20.219.54 (10:39:08.898 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 51674->22 (10:39:08.898 PST) 208.19.38.100 
(10:39:08.552 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 43178->22 (10:39:08.552 PST) 208.13.131.227 (10:39:08.693 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 54332->22 (10:39:08.693 PST) 208.20.219.76 (10:39:08.899 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 38342->22 (10:39:08.899 PST) 208.20.221.169 (10:39:08.898 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 58048->22 (10:39:08.898 PST) 208.20.219.37 (10:39:08.898 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 54441->22 (10:39:08.898 PST) 208.20.219.67 (10:39:08.898 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 43228->22 (10:39:08.898 PST) 208.20.219.44 (10:39:08.898 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 40732->22 (10:39:08.898 PST) 208.15.6.206 (10:39:08.800 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 49890->22 (10:39:08.800 PST) 208.19.102.250 (10:39:08.473 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 42076->22 (10:39:08.473 PST) ATTACK PREP PEER COORDINATION DECLARE BOT tcpslice 1257187148.473 1257187148.474 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.151' ============================== SEPARATOR ================================ Infected Target: 192.168.1.151 Score: 0.8 (>= 0.8) Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 11/02/2009 10:39:08.473 PST Gen. 
Time: 11/02/2009 10:43:08.516 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) 208.17.119.131 (10:41:58.002 PST) event=777:7777005 {tcp} E5[bh] Detected intense non-malware port scanning of 30 IPs (18 /24s) (# pkts S/M/O/I=0/0/65535/46): 22:65535, 6667:14, 16697:2, 37051:2, 39366:2, 215, 216, 217, 218, 219, 220, 221, [] MAC_Src: 00:0E:39:E0:94:00 0->0 (10:41:58.002 PST) 208.1.90.193 (10:40:28.004 PST) event=777:7777005 {tcp} E5[bh] Detected intense non-malware port scanning of 30 IPs (18 /24s) (# pkts S/M/O/I=0/0/65535/46): 22:65535, 6667:14, 16697:2, 37051:2, 39366:2, 215, 216, 217, 218, 219, 220, 221, [] MAC_Src: 00:0E:39:E0:94:00 0->0 (10:40:28.004 PST) OUTBOUND SCAN 208.20.221.159 (10:39:08.897 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 54957->22 (10:39:08.897 PST) 208.19.38.96 (10:39:08.637 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 51754->22 (10:39:08.637 PST) 208.16.163.93 (10:39:08.506 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 47222->22 (10:39:08.506 PST) 208.13.140.104 (10:39:08.862 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 45961->22 (10:39:08.862 PST) 208.19.38.10 (10:39:08.591 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 60334->22 (10:39:08.591 PST) 208.20.219.86 (10:39:08.899 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 35651->22 (10:39:08.899 PST) 208.16.225.27 (10:39:08.763 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 32997->22 (10:39:08.763 PST) 208.20.219.54 (10:39:08.898 PST) event=1:2001219 
{tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 51674->22 (10:39:08.898 PST) 208.19.38.100 (10:39:08.552 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 43178->22 (10:39:08.552 PST) 208.13.131.227 (10:39:08.693 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 54332->22 (10:39:08.693 PST) 208.20.219.76 (10:39:08.899 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 38342->22 (10:39:08.899 PST) 208.20.221.169 (10:39:08.898 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 58048->22 (10:39:08.898 PST) 208.20.219.37 (10:39:08.898 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 54441->22 (10:39:08.898 PST) 208.20.219.67 (10:39:08.898 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 43228->22 (10:39:08.898 PST) 208.20.219.44 (10:39:08.898 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 40732->22 (10:39:08.898 PST) 208.15.6.206 (10:39:08.800 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 49890->22 (10:39:08.800 PST) 208.19.102.250 (10:39:08.473 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 42076->22 (10:39:08.473 PST) ATTACK PREP PEER COORDINATION DECLARE BOT tcpslice 1257187148.473 1257187148.474 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.151' ============================== SEPARATOR ================================ Infected Target: 192.168.1.151 Score: 0.8 (>= 0.8) Infector List: Egg Source List: C & C List: Peer Coord. 
List: Resource List: Observed Start: 11/02/2009 10:43:08.590 PST Gen. Time: 11/02/2009 10:43:28.000 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) 208.21.127.112 (10:43:28.000 PST) event=777:7777005 {tcp} E5[bh] Detected intense non-malware port scanning of 30 IPs (18 /24s) (# pkts S/M/O/I=0/0/65535/46): 22:65535, 6667:14, 16697:2, 37051:2, 39366:2, 215, 216, 217, 218, 219, 220, 221, [] MAC_Src: 00:0E:39:E0:94:00 0->0 (10:43:28.000 PST) OUTBOUND SCAN 208.20.225.109 (10:43:09.052 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 43293->22 (10:43:09.052 PST) 208.17.180.133 (10:43:08.637 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 32803->22 (10:43:08.637 PST) 208.17.69.182 (10:43:09.369 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 35345->22 (10:43:09.369 PST) 208.16.23.229 (10:43:09.175 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 37856->22 (10:43:09.175 PST) 208.16.230.167 (10:43:09.224 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 56308->22 (10:43:09.224 PST) 208.19.38.87 (10:43:08.711 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 49656->22 (10:43:08.711 PST) 208.16.145.46 (10:43:08.910 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 43030->22 (10:43:08.910 PST) 208.19.38.10 (10:43:09.328 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 60147->22 (10:43:09.328 PST) 208.19.38.17 (10:43:08.800 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] 
MAC_Src: 00:A0:8E:BB:59:15 60303->22 (10:43:08.800 PST) 208.16.72.218 (10:43:08.881 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 58589->22 (10:43:08.881 PST) 208.16.164.3 (10:43:09.485 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 39553->22 (10:43:09.485 PST) 208.19.38.9 (10:43:09.216 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 59213->22 (10:43:09.216 PST) 208.16.225.27 (10:43:08.590 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 36738->22 (10:43:08.590 PST) 208.20.254.134 (10:43:08.983 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 51583->22 (10:43:08.983 PST) 208.13.72.244 (10:43:09.300 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 51434->22 (10:43:09.300 PST) 208.20.21.218 (10:43:09.094 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 47233->22 (10:43:09.094 PST) 208.20.0.225 (10:43:09.444 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 39721->22 (10:43:09.444 PST) ATTACK PREP PEER COORDINATION DECLARE BOT tcpslice 1257187388.590 1257187388.591 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.151' ============================== SEPARATOR ================================ Infected Target: 192.168.1.151 Score: 0.8 (>= 0.8) Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 11/02/2009 10:43:08.590 PST Gen. 
Time: 11/02/2009 10:47:08.605 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) 208.20.225.245 (10:46:28.002 PST) event=777:7777005 {tcp} E5[bh] Detected intense non-malware port scanning of 30 IPs (18 /24s) (# pkts S/M/O/I=0/0/65535/46): 22:65535, 6667:14, 16697:2, 37051:2, 39366:2, 215, 216, 217, 218, 219, 220, 221, [] MAC_Src: 00:0E:39:E0:94:00 0->0 (10:46:28.002 PST) 208.21.127.112 (10:43:28.000 PST) event=777:7777005 {tcp} E5[bh] Detected intense non-malware port scanning of 30 IPs (18 /24s) (# pkts S/M/O/I=0/0/65535/46): 22:65535, 6667:14, 16697:2, 37051:2, 39366:2, 215, 216, 217, 218, 219, 220, 221, [] MAC_Src: 00:0E:39:E0:94:00 0->0 (10:43:28.000 PST) 208.20.21.218 (10:44:58.001 PST) event=777:7777005 {tcp} E5[bh] Detected intense non-malware port scanning of 30 IPs (18 /24s) (# pkts S/M/O/I=0/0/65535/46): 22:65535, 6667:14, 16697:2, 37051:2, 39366:2, 215, 216, 217, 218, 219, 220, 221, [] MAC_Src: 00:0E:39:E0:94:00 0->0 (10:44:58.001 PST) OUTBOUND SCAN 208.20.225.109 (10:43:09.052 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 43293->22 (10:43:09.052 PST) 208.17.180.133 (10:43:08.637 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 32803->22 (10:43:08.637 PST) 208.17.69.182 (10:43:09.369 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 35345->22 (10:43:09.369 PST) 208.16.23.229 (10:43:09.175 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 37856->22 (10:43:09.175 PST) 208.16.230.167 (10:43:09.224 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 56308->22 (10:43:09.224 PST) 208.19.38.87 (10:43:08.711 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH 
Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 49656->22 (10:43:08.711 PST) 208.16.145.46 (10:43:08.910 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 43030->22 (10:43:08.910 PST) 208.19.38.10 (10:43:09.328 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 60147->22 (10:43:09.328 PST) 208.19.38.17 (10:43:08.800 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 60303->22 (10:43:08.800 PST) 208.16.72.218 (10:43:08.881 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 58589->22 (10:43:08.881 PST) 208.16.164.3 (10:43:09.485 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 39553->22 (10:43:09.485 PST) 208.19.38.9 (10:43:09.216 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 59213->22 (10:43:09.216 PST) 208.16.225.27 (10:43:08.590 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 36738->22 (10:43:08.590 PST) 208.20.254.134 (10:43:08.983 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 51583->22 (10:43:08.983 PST) 208.13.72.244 (10:43:09.300 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 51434->22 (10:43:09.300 PST) 208.20.21.218 (10:43:09.094 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 47233->22 (10:43:09.094 PST) 208.20.0.225 (10:43:09.444 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 39721->22 (10:43:09.444 PST) ATTACK PREP PEER COORDINATION DECLARE BOT tcpslice 1257187388.590 1257187388.591 inputFile.tcpd | tcpdump -r 
- -w outputFile.tcpd 'host 192.168.1.151' ============================== SEPARATOR ================================ Infected Target: 192.168.1.151 Score: 0.8 (>= 0.8) Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 11/02/2009 10:47:08.648 PST Gen. Time: 11/02/2009 10:47:58.001 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) 208.19.38.90 (10:47:58.001 PST) event=777:7777005 {tcp} E5[bh] Detected intense non-malware port scanning of 30 IPs (18 /24s) (# pkts S/M/O/I=0/0/65535/46): 22:65535, 6667:14, 16697:2, 37051:2, 39366:2, 215, 216, 217, 218, 219, 220, 221, [] MAC_Src: 00:0E:39:E0:94:00 0->0 (10:47:58.001 PST) OUTBOUND SCAN 208.22.35.147 (10:47:08.877 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 59873->22 (10:47:08.877 PST) 208.19.38.4 (10:47:08.827 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 39672->22 (10:47:08.827 PST) 208.19.38.27 (10:47:08.814 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 55065->22 (10:47:08.814 PST) 208.16.129.118 (10:47:08.905 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 50448->22 (10:47:08.905 PST) 208.20.225.200 (10:47:09.100 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 48226->22 (10:47:09.100 PST) 208.21.28.137 (10:47:08.944 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 60488->22 (10:47:08.944 PST) 208.22.35.168 (10:47:08.878 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 60621->22 (10:47:08.878 PST) 208.22.35.175 (10:47:08.878 PST) event=1:2001219 {tcp} 
E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 33781->22 (10:47:08.878 PST) 208.21.22.131 (10:47:08.849 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 39259->22 (10:47:08.849 PST) 208.19.65.142 (10:47:09.142 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 39365->22 (10:47:09.142 PST) 208.22.35.181 (10:47:08.989 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 37890->22 (10:47:08.989 PST) 208.22.35.158 (10:47:08.878 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 56623->22 (10:47:08.878 PST) 208.20.225.196 (10:47:08.694 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 35936->22 (10:47:08.694 PST) 208.22.35.134 (10:47:08.875 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 46676->22 (10:47:08.875 PST) 208.22.35.141 (10:47:08.876 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 39625->22 (10:47:08.876 PST) 208.19.65.162 (10:47:08.648 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 33569->22 (10:47:08.648 PST) 208.22.35.117 (10:47:08.792 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 55215->22 (10:47:08.792 PST) ATTACK PREP PEER COORDINATION DECLARE BOT tcpslice 1257187628.648 1257187628.649 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.151' ============================== SEPARATOR ================================ Infected Target: 192.168.1.151 Score: 0.8 (>= 0.8) Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 11/02/2009 10:47:08.648 PST Gen. 
Time: 11/02/2009 10:51:08.696 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) 208.16.23.225 (10:49:28.004 PST) event=777:7777005 {tcp} E5[bh] Detected intense non-malware port scanning of 30 IPs (18 /24s) (# pkts S/M/O/I=0/0/65535/46): 22:65535, 6667:14, 16697:2, 37051:2, 39366:2, 215, 216, 217, 218, 219, 220, 221, [] MAC_Src: 00:0E:39:E0:94:00 0->0 (10:49:28.004 PST) 208.19.38.90 (10:47:58.001 PST) event=777:7777005 {tcp} E5[bh] Detected intense non-malware port scanning of 30 IPs (18 /24s) (# pkts S/M/O/I=0/0/65535/46): 22:65535, 6667:14, 16697:2, 37051:2, 39366:2, 215, 216, 217, 218, 219, 220, 221, [] MAC_Src: 00:0E:39:E0:94:00 0->0 (10:47:58.001 PST) 208.15.32.51 (10:50:58.000 PST) event=777:7777005 {tcp} E5[bh] Detected intense non-malware port scanning of 30 IPs (18 /24s) (# pkts S/M/O/I=0/0/65535/46): 22:65535, 6667:14, 16697:2, 37051:2, 39366:2, 215, 216, 217, 218, 219, 220, 221, [] MAC_Src: 00:0E:39:E0:94:00 0->0 (10:50:58.000 PST) OUTBOUND SCAN 208.22.35.147 (10:47:08.877 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 59873->22 (10:47:08.877 PST) 208.19.38.4 (10:47:08.827 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 39672->22 (10:47:08.827 PST) 208.19.38.27 (10:47:08.814 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 55065->22 (10:47:08.814 PST) 208.16.129.118 (10:47:08.905 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 50448->22 (10:47:08.905 PST) 208.20.225.200 (10:47:09.100 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 48226->22 (10:47:09.100 PST) 208.21.28.137 (10:47:08.944 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 
in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 60488->22 (10:47:08.944 PST) 208.22.35.168 (10:47:08.878 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 60621->22 (10:47:08.878 PST) 208.22.35.175 (10:47:08.878 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 33781->22 (10:47:08.878 PST) 208.21.22.131 (10:47:08.849 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 39259->22 (10:47:08.849 PST) 208.19.65.142 (10:47:09.142 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 39365->22 (10:47:09.142 PST) 208.22.35.181 (10:47:08.989 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 37890->22 (10:47:08.989 PST) 208.22.35.158 (10:47:08.878 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 56623->22 (10:47:08.878 PST) 208.20.225.196 (10:47:08.694 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 35936->22 (10:47:08.694 PST) 208.22.35.134 (10:47:08.875 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 46676->22 (10:47:08.875 PST) 208.22.35.141 (10:47:08.876 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 39625->22 (10:47:08.876 PST) 208.19.65.162 (10:47:08.648 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 33569->22 (10:47:08.648 PST) 208.22.35.117 (10:47:08.792 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 55215->22 (10:47:08.792 PST) ATTACK PREP PEER COORDINATION DECLARE BOT tcpslice 1257187628.648 1257187628.649 inputFile.tcpd | tcpdump -r - 
-w outputFile.tcpd 'host 192.168.1.151' ============================== SEPARATOR ================================ Infected Target: 192.168.1.151 Score: 0.8 (>= 0.8) Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 11/02/2009 10:51:08.753 PST Gen. Time: 11/02/2009 10:52:28.002 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) 208.17.94.205 (10:52:28.002 PST) event=777:7777005 {tcp} E5[bh] Detected intense non-malware port scanning of 30 IPs (18 /24s) (# pkts S/M/O/I=0/0/65535/46): 22:65535, 6667:14, 16697:2, 37051:2, 39366:2, 215, 216, 217, 218, 219, 220, 221, [] MAC_Src: 00:0E:39:E0:94:00 0->0 (10:52:28.002 PST) OUTBOUND SCAN 208.19.38.88 (10:51:08.998 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 58711->22 (10:51:08.998 PST) 208.22.225.211 (10:51:08.869 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 41293->22 (10:51:08.869 PST) 208.22.225.164 (10:51:08.867 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 36613->22 (10:51:08.867 PST) 208.22.225.171 (10:51:08.868 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 39174->22 (10:51:08.868 PST) 208.19.38.30 (10:51:09.109 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 52428->22 (10:51:09.109 PST) 208.4.181.12 (2) (10:51:08.936 PST) event=1:2001219 (2) {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 59060->22 (10:51:08.936 PST) 59060->22 (10:51:08.943 PST) 208.19.38.99 (10:51:08.890 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 44477->22 (10:51:08.890 PST) 208.22.225.201 
(10:51:08.869 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 41738->22 (10:51:08.869 PST) 208.22.225.155 (10:51:08.865 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 43664->22 (10:51:08.865 PST) 208.19.38.22 (10:51:08.805 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 34194->22 (10:51:08.805 PST) 208.20.225.188 (10:51:08.753 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 37096->22 (10:51:08.753 PST) 208.17.94.78 (10:51:09.049 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 41847->22 (10:51:09.049 PST) 208.20.225.187 (10:51:08.957 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 39501->22 (10:51:08.957 PST) 208.22.225.184 (10:51:08.868 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 35133->22 (10:51:08.868 PST) 208.17.69.221 (10:51:09.163 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 32943->22 (10:51:09.163 PST) 208.22.225.191 (10:51:08.868 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 53182->22 (10:51:08.868 PST) ATTACK PREP PEER COORDINATION DECLARE BOT tcpslice 1257187868.753 1257187868.754 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.151' ============================== SEPARATOR ================================ Infected Target: 192.168.1.151 Score: 0.8 (>= 0.8) Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 11/02/2009 10:51:08.753 PST Gen. 
Time: 11/02/2009 10:55:08.787 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) 208.17.94.205 (10:52:28.002 PST) event=777:7777005 {tcp} E5[bh] Detected intense non-malware port scanning of 30 IPs (18 /24s) (# pkts S/M/O/I=0/0/65535/46): 22:65535, 6667:14, 16697:2, 37051:2, 39366:2, 215, 216, 217, 218, 219, 220, 221, [] MAC_Src: 00:0E:39:E0:94:00 0->0 (10:52:28.002 PST) 208.13.140.13 (10:53:58.006 PST) event=777:7777005 {tcp} E5[bh] Detected intense non-malware port scanning of 30 IPs (18 /24s) (# pkts S/M/O/I=0/0/65535/46): 22:65535, 6667:14, 16697:2, 37051:2, 39366:2, 215, 216, 217, 218, 219, 220, 221, [] MAC_Src: 00:0E:39:E0:94:00 0->0 (10:53:58.006 PST) OUTBOUND SCAN 208.19.38.88 (10:51:08.998 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 58711->22 (10:51:08.998 PST) 208.22.225.211 (10:51:08.869 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 41293->22 (10:51:08.869 PST) 208.22.225.164 (10:51:08.867 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 36613->22 (10:51:08.867 PST) 208.22.225.171 (10:51:08.868 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 39174->22 (10:51:08.868 PST) 208.19.38.30 (10:51:09.109 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 52428->22 (10:51:09.109 PST) 208.4.181.12 (2) (10:51:08.936 PST) event=1:2001219 (2) {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 59060->22 (10:51:08.936 PST) 59060->22 (10:51:08.943 PST) 208.19.38.99 (10:51:08.890 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 44477->22 (10:51:08.890 PST) 208.22.225.201 
(10:51:08.869 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 41738->22 (10:51:08.869 PST) 208.22.225.155 (10:51:08.865 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 43664->22 (10:51:08.865 PST) 208.19.38.22 (10:51:08.805 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 34194->22 (10:51:08.805 PST) 208.20.225.188 (10:51:08.753 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 37096->22 (10:51:08.753 PST) 208.17.94.78 (10:51:09.049 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 41847->22 (10:51:09.049 PST) 208.20.225.187 (10:51:08.957 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 39501->22 (10:51:08.957 PST) 208.22.225.184 (10:51:08.868 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 35133->22 (10:51:08.868 PST) 208.17.69.221 (10:51:09.163 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 32943->22 (10:51:09.163 PST) 208.22.225.191 (10:51:08.868 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 53182->22 (10:51:08.868 PST) ATTACK PREP PEER COORDINATION DECLARE BOT tcpslice 1257187868.753 1257187868.754 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.151' ============================== SEPARATOR ================================ Infected Target: 192.168.1.151 Score: 0.8 (>= 0.8) Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 11/02/2009 10:55:08.815 PST Gen. 
Time: 11/02/2009 10:55:28.001 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) 208.1.140.175 (10:55:28.001 PST) event=777:7777005 {tcp} E5[bh] Detected intense non-malware port scanning of 30 IPs (18 /24s) (# pkts S/M/O/I=0/0/65535/46): 22:65535, 6667:14, 16697:2, 37051:2, 39366:2, 215, 216, 217, 218, 219, 220, 221, [] MAC_Src: 00:0E:39:E0:94:00 0->0 (10:55:28.001 PST) OUTBOUND SCAN 208.22.87.29 (10:55:09.224 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 34382->22 (10:55:09.224 PST) 208.22.87.21 (10:55:09.273 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 33815->22 (10:55:09.273 PST) 208.22.87.89 (10:55:08.987 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 37299->22 (10:55:08.987 PST) 208.22.87.20 (10:55:09.071 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 37931->22 (10:55:09.071 PST) 208.19.38.17 (10:55:09.175 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 35289->22 (10:55:09.175 PST) 208.19.38.86 (10:55:09.100 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 57351->22 (10:55:09.100 PST) 208.20.254.134 (10:55:08.897 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 53608->22 (10:55:08.897 PST) 208.16.208.116 (10:55:08.964 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 52363->22 (10:55:08.964 PST) 208.18.132.226 (10:55:08.857 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 60496->22 (10:55:08.857 PST) 208.20.225.197 
(10:55:08.936 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 46063->22 (10:55:08.936 PST) 208.16.230.179 (10:55:09.125 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 35227->22 (10:55:09.125 PST) 208.19.38.22 (10:55:09.195 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 55108->22 (10:55:09.195 PST) 208.17.71.56 (10:55:09.136 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 44564->22 (10:55:09.136 PST) 208.22.87.39 (10:55:09.248 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 36782->22 (10:55:09.248 PST) 208.19.38.98 (10:55:09.087 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 32796->22 (10:55:09.087 PST) 208.17.91.3 (10:55:08.815 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 59463->22 (10:55:08.815 PST) 208.20.1.200 (10:55:09.019 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 59328->22 (10:55:09.019 PST) ATTACK PREP PEER COORDINATION DECLARE BOT tcpslice 1257188108.815 1257188108.816 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.151' ============================== SEPARATOR ================================ Infected Target: 192.168.1.151 Score: 0.8 (>= 0.8) Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 11/02/2009 10:55:08.815 PST Gen. 
Time: 11/02/2009 10:59:08.820 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) 208.21.22.131 (10:56:58.002 PST) event=777:7777005 {tcp} E5[bh] Detected intense non-malware port scanning of 30 IPs (18 /24s) (# pkts S/M/O/I=0/0/65535/46): 22:65535, 6667:14, 16697:2, 37051:2, 39366:2, 215, 216, 217, 218, 219, 220, 221, [] MAC_Src: 00:0E:39:E0:94:00 0->0 (10:56:58.002 PST) 208.11.127.195 (10:58:28.000 PST) event=777:7777005 {tcp} E5[bh] Detected intense non-malware port scanning of 30 IPs (18 /24s) (# pkts S/M/O/I=0/0/65535/46): 22:65535, 6667:14, 16697:2, 37051:2, 39366:2, 215, 216, 217, 218, 219, 220, 221, [] MAC_Src: 00:0E:39:E0:94:00 0->0 (10:58:28.000 PST) 208.1.140.175 (10:55:28.001 PST) event=777:7777005 {tcp} E5[bh] Detected intense non-malware port scanning of 30 IPs (18 /24s) (# pkts S/M/O/I=0/0/65535/46): 22:65535, 6667:14, 16697:2, 37051:2, 39366:2, 215, 216, 217, 218, 219, 220, 221, [] MAC_Src: 00:0E:39:E0:94:00 0->0 (10:55:28.001 PST) OUTBOUND SCAN 208.22.87.29 (10:55:09.224 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 34382->22 (10:55:09.224 PST) 208.22.87.21 (10:55:09.273 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 33815->22 (10:55:09.273 PST) 208.22.87.89 (10:55:08.987 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 37299->22 (10:55:08.987 PST) 208.22.87.20 (10:55:09.071 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 37931->22 (10:55:09.071 PST) 208.19.38.17 (10:55:09.175 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 35289->22 (10:55:09.175 PST) 208.19.38.86 (10:55:09.100 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 
in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 57351->22 (10:55:09.100 PST) 208.20.254.134 (10:55:08.897 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 53608->22 (10:55:08.897 PST) 208.16.208.116 (10:55:08.964 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 52363->22 (10:55:08.964 PST) 208.18.132.226 (10:55:08.857 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 60496->22 (10:55:08.857 PST) 208.20.225.197 (10:55:08.936 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 46063->22 (10:55:08.936 PST) 208.16.230.179 (10:55:09.125 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 35227->22 (10:55:09.125 PST) 208.19.38.22 (10:55:09.195 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 55108->22 (10:55:09.195 PST) 208.17.71.56 (10:55:09.136 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 44564->22 (10:55:09.136 PST) 208.22.87.39 (10:55:09.248 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 36782->22 (10:55:09.248 PST) 208.19.38.98 (10:55:09.087 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 32796->22 (10:55:09.087 PST) 208.17.91.3 (10:55:08.815 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 59463->22 (10:55:08.815 PST) 208.20.1.200 (10:55:09.019 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 59328->22 (10:55:09.019 PST) ATTACK PREP PEER COORDINATION DECLARE BOT tcpslice 1257188108.815 1257188108.816 inputFile.tcpd | tcpdump -r - -w 
outputFile.tcpd 'host 192.168.1.151' ============================== SEPARATOR ================================ Infected Target: 192.168.1.151 Score: 0.8 (>= 0.8) Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 11/02/2009 10:59:08.964 PST Gen. Time: 11/02/2009 10:59:58.002 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) 208.22.87.60 (10:59:58.002 PST) event=777:7777005 {tcp} E5[bh] Detected intense non-malware port scanning of 30 IPs (18 /24s) (# pkts S/M/O/I=0/0/65535/46): 22:65535, 6667:14, 16697:2, 37051:2, 39366:2, 215, 216, 217, 218, 219, 220, 221, [] MAC_Src: 00:0E:39:E0:94:00 0->0 (10:59:58.002 PST) OUTBOUND SCAN 208.13.144.200 (10:59:08.964 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 54362->22 (10:59:08.964 PST) 208.13.144.54 (10:59:10.010 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 51461->22 (10:59:10.010 PST) 208.13.130.88 (10:59:09.228 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 43238->22 (10:59:09.228 PST) 208.22.87.59 (10:59:09.539 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 37202->22 (10:59:09.539 PST) 208.13.144.129 (10:59:09.449 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 34625->22 (10:59:09.449 PST) 208.19.38.86 (10:59:09.173 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 59305->22 (10:59:09.173 PST) 208.21.28.105 (10:59:10.107 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 42558->22 (10:59:10.107 PST) 208.15.38.129 (10:59:10.051 PST) event=1:2001219 {tcp} 
E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 48092->22 (10:59:10.051 PST) 208.19.38.85 (10:59:09.343 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 36017->22 (10:59:09.343 PST) 208.16.230.179 (10:59:09.607 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 58097->22 (10:59:09.607 PST) 208.17.71.56 (10:59:09.703 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 36218->22 (10:59:09.703 PST) 208.18.132.140 (10:59:09.059 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 35978->22 (10:59:09.059 PST) 208.21.170.236 (10:59:09.389 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 42960->22 (10:59:09.389 PST) 208.20.160.190 (10:59:09.756 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 34559->22 (10:59:09.756 PST) 208.22.87.15 (10:59:09.108 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 57634->22 (10:59:09.108 PST) 208.17.69.221 (2) (10:59:09.504 PST) event=1:2001219 (2) {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 42147->22 (10:59:09.504 PST) 42625->22 (10:59:09.893 PST) ATTACK PREP PEER COORDINATION DECLARE BOT tcpslice 1257188348.964 1257188348.965 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.151' ============================== SEPARATOR ================================ Infected Target: 192.168.1.151 Score: 0.8 (>= 0.8) Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 11/02/2009 10:59:08.964 PST Gen. 
Time: 11/02/2009 11:03:09.000 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) 208.19.65.142 (11:02:58.003 PST) event=777:7777005 {tcp} E5[bh] Detected intense non-malware port scanning of 30 IPs (18 /24s) (# pkts S/M/O/I=0/0/65535/46): 22:65535, 6667:14, 16697:2, 37051:2, 39366:2, 215, 216, 217, 218, 219, 220, 221, [] MAC_Src: 00:0E:39:E0:94:00 0->0 (11:02:58.003 PST) 208.22.87.60 (10:59:58.002 PST) event=777:7777005 {tcp} E5[bh] Detected intense non-malware port scanning of 30 IPs (18 /24s) (# pkts S/M/O/I=0/0/65535/46): 22:65535, 6667:14, 16697:2, 37051:2, 39366:2, 215, 216, 217, 218, 219, 220, 221, [] MAC_Src: 00:0E:39:E0:94:00 0->0 (10:59:58.002 PST) 208.13.144.70 (11:01:28.003 PST) event=777:7777005 {tcp} E5[bh] Detected intense non-malware port scanning of 30 IPs (17 /24s) (# pkts S/M/O/I=0/0/65535/46): 22:65535, 6667:14, 16697:2, 37051:2, 39366:2, 215, 216, 217, 218, 219, 220, 221, [] MAC_Src: 00:0E:39:E0:94:00 0->0 (11:01:28.003 PST) OUTBOUND SCAN 208.13.144.200 (10:59:08.964 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 54362->22 (10:59:08.964 PST) 208.13.144.54 (10:59:10.010 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 51461->22 (10:59:10.010 PST) 208.13.130.88 (10:59:09.228 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 43238->22 (10:59:09.228 PST) 208.22.87.59 (10:59:09.539 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 37202->22 (10:59:09.539 PST) 208.13.144.129 (10:59:09.449 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 34625->22 (10:59:09.449 PST) 208.19.38.86 (10:59:09.173 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan 
(20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 59305->22 (10:59:09.173 PST) 208.21.28.105 (10:59:10.107 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 42558->22 (10:59:10.107 PST) 208.15.38.129 (10:59:10.051 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 48092->22 (10:59:10.051 PST) 208.19.38.85 (10:59:09.343 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 36017->22 (10:59:09.343 PST) 208.16.230.179 (10:59:09.607 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 58097->22 (10:59:09.607 PST) 208.17.71.56 (10:59:09.703 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 36218->22 (10:59:09.703 PST) 208.18.132.140 (10:59:09.059 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 35978->22 (10:59:09.059 PST) 208.21.170.236 (10:59:09.389 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 42960->22 (10:59:09.389 PST) 208.20.160.190 (10:59:09.756 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 34559->22 (10:59:09.756 PST) 208.22.87.15 (10:59:09.108 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 57634->22 (10:59:09.108 PST) 208.17.69.221 (2) (10:59:09.504 PST) event=1:2001219 (2) {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 42147->22 (10:59:09.504 PST) 42625->22 (10:59:09.893 PST) ATTACK PREP PEER COORDINATION DECLARE BOT tcpslice 1257188348.964 1257188348.965 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.151' ============================== SEPARATOR ================================ Infected 
Target: 192.168.1.151 Score: 0.8 (>= 0.8) Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 11/02/2009 11:03:09.057 PST Gen. Time: 11/02/2009 11:04:28.001 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) 208.19.38.9 (11:04:28.001 PST) event=777:7777005 {tcp} E5[bh] Detected intense non-malware port scanning of 30 IPs (18 /24s) (# pkts S/M/O/I=0/0/65535/46): 22:65535, 6667:14, 16697:2, 37051:2, 39366:2, 215, 216, 217, 218, 219, 220, 221, [] MAC_Src: 00:0E:39:E0:94:00 0->0 (11:04:28.001 PST) OUTBOUND SCAN 208.20.225.109 (11:03:09.077 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 52687->22 (11:03:09.077 PST) 208.19.38.27 (11:03:09.559 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 38706->22 (11:03:09.559 PST) 208.20.225.185 (11:03:09.655 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 60328->22 (11:03:09.655 PST) 208.22.87.44 (11:03:09.747 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 59277->22 (11:03:09.747 PST) 208.22.87.36 (11:03:09.099 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 48582->22 (11:03:09.099 PST) 208.22.87.82 (11:03:09.267 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 36897->22 (11:03:09.267 PST) 208.19.38.94 (11:03:09.240 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 60801->22 (11:03:09.240 PST) 208.22.87.19 (11:03:09.057 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 53165->22 (11:03:09.057 PST) 208.15.38.129 
(11:03:09.393 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 46600->22 (11:03:09.393 PST) 208.22.87.57 (11:03:09.223 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 53303->22 (11:03:09.223 PST) 208.19.38.85 (11:03:09.305 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 34134->22 (11:03:09.305 PST) 208.19.65.142 (11:03:09.139 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 59070->22 (11:03:09.139 PST) 208.17.91.250 (11:03:09.634 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 57228->22 (11:03:09.634 PST) 208.5.144.14 (11:03:09.705 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 55740->22 (11:03:09.705 PST) 208.19.38.22 (11:03:09.367 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 38584->22 (11:03:09.367 PST) 208.22.58.65 (11:03:09.520 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 56555->22 (11:03:09.520 PST) 208.16.141.14 (11:03:09.433 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 49754->22 (11:03:09.433 PST) ATTACK PREP PEER COORDINATION DECLARE BOT tcpslice 1257188589.057 1257188589.058 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.151' ============================== SEPARATOR ================================ Infected Target: 192.168.1.151 Score: 0.8 (>= 0.8) Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 11/02/2009 11:03:09.057 PST Gen. 
Time: 11/02/2009 11:07:09.073 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) 208.19.38.87 (11:05:58.002 PST) event=777:7777005 {tcp} E5[bh] Detected intense non-malware port scanning of 30 IPs (18 /24s) (# pkts S/M/O/I=0/0/65535/46): 22:65535, 6667:14, 16697:2, 37051:2, 39366:2, 215, 216, 217, 218, 219, 220, 221, [] MAC_Src: 00:0E:39:E0:94:00 0->0 (11:05:58.002 PST) 208.19.38.9 (11:04:28.001 PST) event=777:7777005 {tcp} E5[bh] Detected intense non-malware port scanning of 30 IPs (18 /24s) (# pkts S/M/O/I=0/0/65535/46): 22:65535, 6667:14, 16697:2, 37051:2, 39366:2, 215, 216, 217, 218, 219, 220, 221, [] MAC_Src: 00:0E:39:E0:94:00 0->0 (11:04:28.001 PST) OUTBOUND SCAN 208.20.225.109 (11:03:09.077 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 52687->22 (11:03:09.077 PST) 208.19.38.27 (11:03:09.559 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 38706->22 (11:03:09.559 PST) 208.20.225.185 (11:03:09.655 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 60328->22 (11:03:09.655 PST) 208.22.87.44 (11:03:09.747 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 59277->22 (11:03:09.747 PST) 208.22.87.36 (11:03:09.099 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 48582->22 (11:03:09.099 PST) 208.22.87.82 (11:03:09.267 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 36897->22 (11:03:09.267 PST) 208.19.38.94 (11:03:09.240 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 60801->22 (11:03:09.240 PST) 208.22.87.19 (11:03:09.057 PST) event=1:2001219 {tcp} 
E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 53165->22 (11:03:09.057 PST) 208.15.38.129 (11:03:09.393 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 46600->22 (11:03:09.393 PST) 208.22.87.57 (11:03:09.223 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 53303->22 (11:03:09.223 PST) 208.19.38.85 (11:03:09.305 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 34134->22 (11:03:09.305 PST) 208.19.65.142 (11:03:09.139 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 59070->22 (11:03:09.139 PST) 208.17.91.250 (11:03:09.634 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 57228->22 (11:03:09.634 PST) 208.5.144.14 (11:03:09.705 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 55740->22 (11:03:09.705 PST) 208.19.38.22 (11:03:09.367 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 38584->22 (11:03:09.367 PST) 208.22.58.65 (11:03:09.520 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 56555->22 (11:03:09.520 PST) 208.16.141.14 (11:03:09.433 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 49754->22 (11:03:09.433 PST) ATTACK PREP PEER COORDINATION DECLARE BOT tcpslice 1257188589.057 1257188589.058 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.151' ============================== SEPARATOR ================================ Infected Target: 192.168.1.151 Score: 0.8 (>= 0.8) Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 11/02/2009 11:07:09.120 PST Gen. 
Time: 11/02/2009 11:07:28.000 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) 208.17.25.244 (11:07:28.000 PST) event=777:7777005 {tcp} E5[bh] Detected intense non-malware port scanning of 30 IPs (18 /24s) (# pkts S/M/O/I=0/0/65535/46): 22:65535, 6667:14, 16697:2, 37051:2, 39366:2, 215, 216, 217, 218, 219, 220, 221, [] MAC_Src: 00:0E:39:E0:94:00 0->0 (11:07:28.000 PST) OUTBOUND SCAN 208.20.225.109 (11:07:09.904 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 57598->22 (11:07:09.904 PST) 208.21.28.100 (11:07:09.960 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 32790->22 (11:07:09.960 PST) 208.22.87.75 (11:07:09.780 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 33420->22 (11:07:09.780 PST) 208.19.38.11 (11:07:10.010 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 49882->22 (11:07:10.010 PST) 208.22.87.59 (11:07:09.752 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 51535->22 (11:07:09.752 PST) 208.17.25.244 (11:07:09.157 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 40146->22 (11:07:09.157 PST) 208.17.78.123 (11:07:09.415 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 53484->22 (11:07:09.415 PST) 208.19.38.10 (11:07:09.929 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 37224->22 (11:07:09.929 PST) 208.16.164.3 (11:07:09.369 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 57184->22 (11:07:09.369 PST) 208.19.38.16 
(11:07:09.120 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 54754->22 (11:07:09.120 PST) 208.22.87.87 (11:07:09.567 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 52961->22 (11:07:09.567 PST) 208.20.6.209 (11:07:09.226 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 33915->22 (11:07:09.226 PST) 208.1.104.193 (11:07:09.871 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 57568->22 (11:07:09.871 PST) 208.21.28.149 (11:07:09.492 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 55211->22 (11:07:09.492 PST) 208.14.108.217 (11:07:09.641 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 53770->22 (11:07:09.641 PST) 208.19.38.83 (11:07:09.282 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 47670->22 (11:07:09.282 PST) 208.22.87.23 (11:07:09.721 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 33475->22 (11:07:09.721 PST) ATTACK PREP PEER COORDINATION DECLARE BOT tcpslice 1257188829.120 1257188829.121 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.151' ============================== SEPARATOR ================================ Infected Target: 192.168.1.151 Score: 0.8 (>= 0.8) Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 11/02/2009 11:07:09.120 PST Gen. 
Time: 11/02/2009 11:11:09.128 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) 208.19.65.162 (11:10:28.000 PST) event=777:7777005 {tcp} E5[bh] Detected intense non-malware port scanning of 30 IPs (18 /24s) (# pkts S/M/O/I=0/0/65535/46): 22:65535, 6667:14, 16697:2, 37051:2, 39366:2, 215, 216, 217, 218, 219, 220, 221, [] MAC_Src: 00:0E:39:E0:94:00 0->0 (11:10:28.000 PST) 208.20.225.101 (11:08:58.000 PST) event=777:7777005 {tcp} E5[bh] Detected intense non-malware port scanning of 30 IPs (18 /24s) (# pkts S/M/O/I=0/0/65535/46): 22:65535, 6667:14, 16697:2, 37051:2, 39366:2, 215, 216, 217, 218, 219, 220, 221, [] MAC_Src: 00:0E:39:E0:94:00 0->0 (11:08:58.000 PST) 208.17.25.244 (11:07:28.000 PST) event=777:7777005 {tcp} E5[bh] Detected intense non-malware port scanning of 30 IPs (18 /24s) (# pkts S/M/O/I=0/0/65535/46): 22:65535, 6667:14, 16697:2, 37051:2, 39366:2, 215, 216, 217, 218, 219, 220, 221, [] MAC_Src: 00:0E:39:E0:94:00 0->0 (11:07:28.000 PST) OUTBOUND SCAN 208.20.225.109 (11:07:09.904 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 57598->22 (11:07:09.904 PST) 208.21.28.100 (11:07:09.960 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 32790->22 (11:07:09.960 PST) 208.22.87.75 (11:07:09.780 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 33420->22 (11:07:09.780 PST) 208.19.38.11 (11:07:10.010 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 49882->22 (11:07:10.010 PST) 208.22.87.59 (11:07:09.752 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 51535->22 (11:07:09.752 PST) 208.17.25.244 (11:07:09.157 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan 
(20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 40146->22 (11:07:09.157 PST) 208.17.78.123 (11:07:09.415 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 53484->22 (11:07:09.415 PST) 208.19.38.10 (11:07:09.929 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 37224->22 (11:07:09.929 PST) 208.16.164.3 (11:07:09.369 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 57184->22 (11:07:09.369 PST) 208.19.38.16 (11:07:09.120 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 54754->22 (11:07:09.120 PST) 208.22.87.87 (11:07:09.567 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 52961->22 (11:07:09.567 PST) 208.20.6.209 (11:07:09.226 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 33915->22 (11:07:09.226 PST) 208.1.104.193 (11:07:09.871 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 57568->22 (11:07:09.871 PST) 208.21.28.149 (11:07:09.492 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 55211->22 (11:07:09.492 PST) 208.14.108.217 (11:07:09.641 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 53770->22 (11:07:09.641 PST) 208.19.38.83 (11:07:09.282 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 47670->22 (11:07:09.282 PST) 208.22.87.23 (11:07:09.721 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 33475->22 (11:07:09.721 PST) ATTACK PREP PEER COORDINATION DECLARE BOT tcpslice 1257188829.120 1257188829.121 inputFile.tcpd | tcpdump -r - -w 
outputFile.tcpd 'host 192.168.1.151' ============================== SEPARATOR ================================ Infected Target: 192.168.1.151 Score: 0.8 (>= 0.8) Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 11/02/2009 11:11:09.160 PST Gen. Time: 11/02/2009 11:11:58.000 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) 208.16.145.47 (11:11:58.000 PST) event=777:7777005 {tcp} E5[bh] Detected intense non-malware port scanning of 30 IPs (18 /24s) (# pkts S/M/O/I=0/0/65535/46): 22:65535, 6667:14, 16697:2, 37051:2, 39366:2, 215, 216, 217, 218, 219, 220, 221, [] MAC_Src: 00:0E:39:E0:94:00 0->0 (11:11:58.000 PST) OUTBOUND SCAN 208.16.132.10 (11:11:09.366 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 51764->22 (11:11:09.366 PST) 208.16.129.118 (11:11:09.391 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 36393->22 (11:11:09.391 PST) 208.22.87.44 (11:11:09.564 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 35337->22 (11:11:09.564 PST) 208.16.206.17 (11:11:09.531 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 42884->22 (11:11:09.531 PST) 208.19.38.34 (11:11:09.160 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 51519->22 (11:11:09.160 PST) 208.22.87.51 (11:11:09.378 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 55286->22 (11:11:09.378 PST) 208.16.225.28 (11:11:09.273 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 45903->22 (11:11:09.273 PST) 208.19.38.10 (11:11:09.231 PST) event=1:2001219 {tcp} 
E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 39922->22 (11:11:09.231 PST) 208.22.87.20 (11:11:09.195 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 49322->22 (11:11:09.195 PST) 208.21.22.9 (11:11:09.457 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 54352->22 (11:11:09.457 PST) 208.20.225.167 (11:11:09.296 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 41174->22 (11:11:09.296 PST) 208.19.38.23 (11:11:09.207 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 39951->22 (11:11:09.207 PST) 208.22.87.40 (11:11:09.324 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 50061->22 (11:11:09.324 PST) 208.13.144.57 (11:11:09.479 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 45655->22 (11:11:09.479 PST) 208.19.65.163 (11:11:09.340 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 36709->22 (11:11:09.340 PST) 208.19.38.83 (11:11:09.285 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 50498->22 (11:11:09.285 PST) 208.19.190.170 (11:11:09.418 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 48401->22 (11:11:09.418 PST) ATTACK PREP PEER COORDINATION DECLARE BOT tcpslice 1257189069.160 1257189069.161 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.151' ============================== SEPARATOR ================================ Infected Target: 192.168.1.151 Score: 0.8 (>= 0.8) Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 11/02/2009 11:11:09.160 PST Gen. 
Time: 11/02/2009 11:15:09.173 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) 208.15.165.10 (11:14:58.001 PST) event=777:7777005 {tcp} E5[bh] Detected intense non-malware port scanning of 30 IPs (18 /24s) (# pkts S/M/O/I=0/0/65535/46): 22:65535, 6667:14, 16697:2, 37051:2, 39366:2, 215, 216, 217, 218, 219, 220, 221, [] MAC_Src: 00:0E:39:E0:94:00 0->0 (11:14:58.001 PST) 208.16.208.116 (11:13:28.000 PST) event=777:7777005 {tcp} E5[bh] Detected intense non-malware port scanning of 30 IPs (18 /24s) (# pkts S/M/O/I=0/0/65535/46): 22:65535, 6667:14, 16697:2, 37051:2, 39366:2, 215, 216, 217, 218, 219, 220, 221, [] MAC_Src: 00:0E:39:E0:94:00 0->0 (11:13:28.000 PST) 208.16.145.47 (11:11:58.000 PST) event=777:7777005 {tcp} E5[bh] Detected intense non-malware port scanning of 30 IPs (18 /24s) (# pkts S/M/O/I=0/0/65535/46): 22:65535, 6667:14, 16697:2, 37051:2, 39366:2, 215, 216, 217, 218, 219, 220, 221, [] MAC_Src: 00:0E:39:E0:94:00 0->0 (11:11:58.000 PST) OUTBOUND SCAN 208.16.132.10 (11:11:09.366 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 51764->22 (11:11:09.366 PST) 208.16.129.118 (11:11:09.391 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 36393->22 (11:11:09.391 PST) 208.22.87.44 (11:11:09.564 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 35337->22 (11:11:09.564 PST) 208.16.206.17 (11:11:09.531 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 42884->22 (11:11:09.531 PST) 208.19.38.34 (11:11:09.160 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 51519->22 (11:11:09.160 PST) 208.22.87.51 (11:11:09.378 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan 
(20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 55286->22 (11:11:09.378 PST)
  208.16.225.28 (11:11:09.273 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 45903->22 (11:11:09.273 PST)
  208.19.38.10 (11:11:09.231 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 39922->22 (11:11:09.231 PST)
  208.22.87.20 (11:11:09.195 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 49322->22 (11:11:09.195 PST)
  208.21.22.9 (11:11:09.457 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 54352->22 (11:11:09.457 PST)
  208.20.225.167 (11:11:09.296 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 41174->22 (11:11:09.296 PST)
  208.19.38.23 (11:11:09.207 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 39951->22 (11:11:09.207 PST)
  208.22.87.40 (11:11:09.324 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 50061->22 (11:11:09.324 PST)
  208.13.144.57 (11:11:09.479 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 45655->22 (11:11:09.479 PST)
  208.19.65.163 (11:11:09.340 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 36709->22 (11:11:09.340 PST)
  208.19.38.83 (11:11:09.285 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 50498->22 (11:11:09.285 PST)
  208.19.190.170 (11:11:09.418 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 48401->22 (11:11:09.418 PST)
ATTACK PREP
PEER COORDINATION
DECLARE BOT
tcpslice 1257189069.160 1257189069.161 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.151'
============================== SEPARATOR ================================
Infected Target: 192.168.1.151
Score: 0.8 (>= 0.8)
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 11/02/2009 11:15:09.195 PST
Gen. Time: 11/02/2009 11:16:28.000 PST
INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
  208.17.76.17 (11:16:28.000 PST) event=777:7777005 {tcp} E5[bh] Detected intense non-malware port scanning of 30 IPs (18 /24s) (# pkts S/M/O/I=0/0/65535/46): 22:65535, 6667:14, 16697:2, 37051:2, 39366:2, 215, 216, 217, 218, 219, 220, 221, [] MAC_Src: 00:0E:39:E0:94:00 0->0 (11:16:28.000 PST)
OUTBOUND SCAN
  208.14.108.253 (11:15:09.195 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 50859->22 (11:15:09.195 PST)
  208.16.129.118 (11:15:09.385 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 57260->22 (11:15:09.385 PST)
  208.21.15.161 (11:15:09.459 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 41671->22 (11:15:09.459 PST)
  208.15.165.10 (11:15:09.696 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 43780->22 (11:15:09.696 PST)
  208.22.87.50 (11:15:09.669 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 41982->22 (11:15:09.669 PST)
  208.21.22.131 (11:15:09.219 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 46154->22 (11:15:09.219 PST)
  208.22.87.11 (11:15:09.542 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 46484->22 (11:15:09.542 PST)
  208.19.38.8 (11:15:09.314 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 44548->22 (11:15:09.314 PST)
  208.22.87.10 (11:15:09.743 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 34276->22 (11:15:09.743 PST)
  208.19.69.129 (11:15:09.247 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 44336->22 (11:15:09.247 PST)
  208.20.62.225 (11:15:09.722 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 58608->22 (11:15:09.722 PST)
  208.19.38.98 (11:15:09.347 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 52729->22 (11:15:09.347 PST)
  208.7.129.17 (11:15:09.494 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 59948->22 (11:15:09.494 PST)
  208.20.225.248 (11:15:09.288 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 51721->22 (11:15:09.288 PST)
  208.4.181.41 (11:15:09.443 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 42190->22 (11:15:09.443 PST)
  208.22.87.15 (11:15:09.634 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 37695->22 (11:15:09.634 PST)
  208.13.130.82 (11:15:09.577 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 40189->22 (11:15:09.577 PST)
ATTACK PREP
PEER COORDINATION
DECLARE BOT
tcpslice 1257189309.195 1257189309.196 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.151'
============================== SEPARATOR ================================
Infected Target: 192.168.1.151
Score: 0.8 (>= 0.8)
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 11/02/2009 11:15:09.195 PST
Gen. Time: 11/02/2009 11:19:09.218 PST
INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
  208.17.76.17 (11:16:28.000 PST) event=777:7777005 {tcp} E5[bh] Detected intense non-malware port scanning of 30 IPs (18 /24s) (# pkts S/M/O/I=0/0/65535/46): 22:65535, 6667:14, 16697:2, 37051:2, 39366:2, 215, 216, 217, 218, 219, 220, 221, [] MAC_Src: 00:0E:39:E0:94:00 0->0 (11:16:28.000 PST)
  208.22.87.25 (11:17:58.000 PST) event=777:7777005 {tcp} E5[bh] Detected intense non-malware port scanning of 30 IPs (18 /24s) (# pkts S/M/O/I=0/0/65535/46): 22:65535, 6667:14, 16697:2, 37051:2, 39366:2, 215, 216, 217, 218, 219, 220, 221, [] MAC_Src: 00:0E:39:E0:94:00 0->0 (11:17:58.000 PST)
OUTBOUND SCAN
  208.14.108.253 (11:15:09.195 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 50859->22 (11:15:09.195 PST)
  208.16.129.118 (11:15:09.385 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 57260->22 (11:15:09.385 PST)
  208.21.15.161 (11:15:09.459 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 41671->22 (11:15:09.459 PST)
  208.15.165.10 (11:15:09.696 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 43780->22 (11:15:09.696 PST)
  208.22.87.50 (11:15:09.669 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 41982->22 (11:15:09.669 PST)
  208.21.22.131 (11:15:09.219 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 46154->22 (11:15:09.219 PST)
  208.22.87.11 (11:15:09.542 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 46484->22 (11:15:09.542 PST)
  208.19.38.8 (11:15:09.314 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 44548->22 (11:15:09.314 PST)
  208.22.87.10 (11:15:09.743 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 34276->22 (11:15:09.743 PST)
  208.19.69.129 (11:15:09.247 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 44336->22 (11:15:09.247 PST)
  208.20.62.225 (11:15:09.722 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 58608->22 (11:15:09.722 PST)
  208.19.38.98 (11:15:09.347 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 52729->22 (11:15:09.347 PST)
  208.7.129.17 (11:15:09.494 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 59948->22 (11:15:09.494 PST)
  208.20.225.248 (11:15:09.288 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 51721->22 (11:15:09.288 PST)
  208.4.181.41 (11:15:09.443 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 42190->22 (11:15:09.443 PST)
  208.22.87.15 (11:15:09.634 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 37695->22 (11:15:09.634 PST)
  208.13.130.82 (11:15:09.577 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 40189->22 (11:15:09.577 PST)
ATTACK PREP
PEER COORDINATION
DECLARE BOT
tcpslice 1257189309.195 1257189309.196 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.151'
============================== SEPARATOR ================================
Infected Target: 192.168.1.151
Score: 0.8 (>= 0.8)
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 11/02/2009 11:19:09.274 PST
Gen. Time: 11/02/2009 11:19:28.001 PST
INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
  208.18.143.49 (11:19:28.001 PST) event=777:7777005 {tcp} E5[bh] Detected intense non-malware port scanning of 30 IPs (18 /24s) (# pkts S/M/O/I=0/0/65535/46): 22:65535, 6667:14, 16697:2, 37051:2, 39366:2, 215, 216, 217, 218, 219, 220, 221, [] MAC_Src: 00:0E:39:E0:94:00 0->0 (11:19:28.001 PST)
OUTBOUND SCAN
  208.22.87.22 (11:19:09.576 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 47383->22 (11:19:09.576 PST)
  208.20.0.193 (11:19:09.946 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 52276->22 (11:19:09.946 PST)
  208.22.87.98 (11:19:09.358 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 34841->22 (11:19:09.358 PST)
  208.19.38.34 (11:19:09.975 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 35566->22 (11:19:09.975 PST)
  208.22.87.44 (11:19:09.709 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 44550->22 (11:19:09.709 PST)
  208.16.206.17 (11:19:09.542 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 60794->22 (11:19:09.542 PST)
  208.16.145.46 (11:19:09.886 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 54009->22 (11:19:09.886 PST)
  208.22.87.74 (11:19:09.393 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 45109->22 (11:19:09.393 PST)
  208.19.38.93 (11:19:09.811 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 49720->22 (11:19:09.811 PST)
  208.4.181.29 (11:19:09.656 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 47264->22 (11:19:09.656 PST)
  208.22.87.26 (11:19:09.775 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 42996->22 (11:19:09.775 PST)
  208.16.230.241 (11:19:09.756 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 38887->22 (11:19:09.756 PST)
  208.22.87.94 (11:19:09.274 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 56031->22 (11:19:09.274 PST)
  208.22.87.101 (11:19:09.411 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 44588->22 (11:19:09.411 PST)
  208.22.87.62 (11:19:09.623 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 44569->22 (11:19:09.623 PST)
  208.19.38.90 (11:19:09.858 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 56514->22 (11:19:09.858 PST)
  208.20.1.215 (11:19:09.321 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 60904->22 (11:19:09.321 PST)
ATTACK PREP
PEER COORDINATION
DECLARE BOT
tcpslice 1257189549.274 1257189549.275 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.151'
============================== SEPARATOR ================================
Infected Target: 192.168.1.151
Score: 0.8 (>= 0.8)
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 11/02/2009 11:19:09.274 PST
Gen. Time: 11/02/2009 11:23:09.317 PST
INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
  208.18.143.49 (11:19:28.001 PST) event=777:7777005 {tcp} E5[bh] Detected intense non-malware port scanning of 30 IPs (18 /24s) (# pkts S/M/O/I=0/0/65535/46): 22:65535, 6667:14, 16697:2, 37051:2, 39366:2, 215, 216, 217, 218, 219, 220, 221, [] MAC_Src: 00:0E:39:E0:94:00 0->0 (11:19:28.001 PST)
  208.19.102.250 (11:22:28.000 PST) event=777:7777005 {tcp} E5[bh] Detected intense non-malware port scanning of 30 IPs (18 /24s) (# pkts S/M/O/I=0/0/65535/46): 22:65535, 6667:14, 16697:2, 37051:2, 39366:2, 215, 216, 217, 218, 219, 220, 221, [] MAC_Src: 00:0E:39:E0:94:00 0->0 (11:22:28.000 PST)
  208.17.188.16 (11:20:58.002 PST) event=777:7777005 {tcp} E5[bh] Detected intense non-malware port scanning of 30 IPs (18 /24s) (# pkts S/M/O/I=0/0/65535/46): 22:65535, 6667:14, 16697:2, 37051:2, 39366:2, 215, 216, 217, 218, 219, 220, 221, [] MAC_Src: 00:0E:39:E0:94:00 0->0 (11:20:58.002 PST)
OUTBOUND SCAN
  208.22.87.22 (11:19:09.576 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 47383->22 (11:19:09.576 PST)
  208.20.0.193 (11:19:09.946 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 52276->22 (11:19:09.946 PST)
  208.22.87.98 (11:19:09.358 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 34841->22 (11:19:09.358 PST)
  208.19.38.34 (11:19:09.975 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 35566->22 (11:19:09.975 PST)
  208.22.87.44 (11:19:09.709 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 44550->22 (11:19:09.709 PST)
  208.16.206.17 (11:19:09.542 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 60794->22 (11:19:09.542 PST)
  208.16.145.46 (11:19:09.886 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 54009->22 (11:19:09.886 PST)
  208.22.87.74 (11:19:09.393 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 45109->22 (11:19:09.393 PST)
  208.19.38.93 (11:19:09.811 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 49720->22 (11:19:09.811 PST)
  208.4.181.29 (11:19:09.656 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 47264->22 (11:19:09.656 PST)
  208.22.87.26 (11:19:09.775 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 42996->22 (11:19:09.775 PST)
  208.16.230.241 (11:19:09.756 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 38887->22 (11:19:09.756 PST)
  208.22.87.94 (11:19:09.274 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 56031->22 (11:19:09.274 PST)
  208.22.87.101 (11:19:09.411 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 44588->22 (11:19:09.411 PST)
  208.22.87.62 (11:19:09.623 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 44569->22 (11:19:09.623 PST)
  208.19.38.90 (11:19:09.858 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 56514->22 (11:19:09.858 PST)
  208.20.1.215 (11:19:09.321 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 60904->22 (11:19:09.321 PST)
ATTACK PREP
PEER COORDINATION
DECLARE BOT
tcpslice 1257189549.274 1257189549.275 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.151'
============================== SEPARATOR ================================
Infected Target: 192.168.1.151
Score: 0.8 (>= 0.8)
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 11/02/2009 11:23:09.370 PST
Gen. Time: 11/02/2009 11:23:58.002 PST
INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
  208.20.1.215 (11:23:58.002 PST) event=777:7777005 {tcp} E5[bh] Detected intense non-malware port scanning of 30 IPs (18 /24s) (# pkts S/M/O/I=0/0/65535/46): 22:65535, 6667:14, 16697:2, 37051:2, 39366:2, 215, 216, 217, 218, 219, 220, 221, [] MAC_Src: 00:0E:39:E0:94:00 0->0 (11:23:58.002 PST)
OUTBOUND SCAN
  208.15.232.225 (11:23:09.936 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 33707->22 (11:23:09.936 PST)
  208.22.87.6 (11:23:09.663 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 39289->22 (11:23:09.663 PST)
  208.21.99.2 (11:23:09.423 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 41094->22 (11:23:09.423 PST)
  208.20.166.32 (11:23:09.570 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 40471->22 (11:23:09.570 PST)
  208.22.87.36 (11:23:09.776 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 51316->22 (11:23:09.776 PST)
  208.19.38.26 (11:23:09.754 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 56682->22 (11:23:09.754 PST)
  208.16.208.25 (11:23:09.885 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 39120->22 (11:23:09.885 PST)
  208.19.38.32 (11:23:09.785 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 54230->22 (11:23:09.785 PST)
  208.19.38.93 (11:23:09.703 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 35151->22 (11:23:09.703 PST)
  208.16.230.65 (11:23:09.455 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 42858->22 (11:23:09.455 PST)
  208.17.69.2 (11:23:09.676 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 45845->22 (11:23:09.676 PST)
  208.22.87.56 (11:23:09.836 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 35206->22 (11:23:09.836 PST)
  208.21.46.11 (11:23:09.532 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 45907->22 (11:23:09.532 PST)
  208.16.199.33 (11:23:09.637 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 49506->22 (11:23:09.637 PST)
  208.22.87.100 (11:23:09.370 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 47319->22 (11:23:09.370 PST)
  208.20.65.130 (11:23:09.491 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 47833->22 (11:23:09.491 PST)
  208.17.69.221 (11:23:09.614 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 33264->22 (11:23:09.614 PST)
ATTACK PREP
PEER COORDINATION
DECLARE BOT
tcpslice 1257189789.370 1257189789.371 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.151'
============================== SEPARATOR ================================
Infected Target: 192.168.1.151
Score: 0.8 (>= 0.8)
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 11/02/2009 11:23:09.370 PST
Gen. Time: 11/02/2009 11:27:09.435 PST
INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
  208.20.1.215 (11:23:58.002 PST) event=777:7777005 {tcp} E5[bh] Detected intense non-malware port scanning of 30 IPs (18 /24s) (# pkts S/M/O/I=0/0/65535/46): 22:65535, 6667:14, 16697:2, 37051:2, 39366:2, 215, 216, 217, 218, 219, 220, 221, [] MAC_Src: 00:0E:39:E0:94:00 0->0 (11:23:58.002 PST)
  208.16.184.254 (11:25:28.016 PST) event=777:7777005 {tcp} E5[bh] Detected intense non-malware port scanning of 30 IPs (18 /24s) (# pkts S/M/O/I=0/0/65535/46): 22:65535, 6667:14, 16697:2, 37051:2, 39366:2, 215, 216, 217, 218, 219, 220, 221, [] MAC_Src: 00:0E:39:E0:94:00 0->0 (11:25:28.016 PST)
  208.17.183.57 (11:26:58.016 PST) event=777:7777005 {tcp} E5[bh] Detected intense non-malware port scanning of 30 IPs (18 /24s) (# pkts S/M/O/I=0/0/65535/46): 22:65535, 6667:14, 16697:2, 37051:2, 39366:2, 215, 216, 217, 218, 219, 220, 221, [] MAC_Src: 00:0E:39:E0:94:00 0->0 (11:26:58.016 PST)
OUTBOUND SCAN
  208.15.232.225 (11:23:09.936 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 33707->22 (11:23:09.936 PST)
  208.22.87.6 (11:23:09.663 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 39289->22 (11:23:09.663 PST)
  208.21.99.2 (11:23:09.423 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 41094->22 (11:23:09.423 PST)
  208.20.166.32 (11:23:09.570 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 40471->22 (11:23:09.570 PST)
  208.22.87.36 (11:23:09.776 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 51316->22 (11:23:09.776 PST)
  208.19.38.26 (11:23:09.754 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 56682->22 (11:23:09.754 PST)
  208.16.208.25 (11:23:09.885 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 39120->22 (11:23:09.885 PST)
  208.19.38.32 (11:23:09.785 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 54230->22 (11:23:09.785 PST)
  208.19.38.93 (11:23:09.703 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 35151->22 (11:23:09.703 PST)
  208.16.230.65 (11:23:09.455 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 42858->22 (11:23:09.455 PST)
  208.17.69.2 (11:23:09.676 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 45845->22 (11:23:09.676 PST)
  208.22.87.56 (11:23:09.836 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 35206->22 (11:23:09.836 PST)
  208.21.46.11 (11:23:09.532 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 45907->22 (11:23:09.532 PST)
  208.16.199.33 (11:23:09.637 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 49506->22 (11:23:09.637 PST)
  208.22.87.100 (11:23:09.370 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 47319->22 (11:23:09.370 PST)
  208.20.65.130 (11:23:09.491 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 47833->22 (11:23:09.491 PST)
  208.17.69.221 (11:23:09.614 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 33264->22 (11:23:09.614 PST)
ATTACK PREP
PEER COORDINATION
DECLARE BOT
tcpslice 1257189789.370 1257189789.371 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.151'
============================== SEPARATOR ================================
Infected Target: 192.168.1.151
Score: 0.8 (>= 0.8)
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 11/02/2009 11:27:09.546 PST
Gen. Time: 11/02/2009 11:28:28.009 PST
INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
  208.21.224.249 (11:28:28.009 PST) event=777:7777005 {tcp} E5[bh] Detected intense non-malware port scanning of 30 IPs (18 /24s) (# pkts S/M/O/I=0/0/65535/46): 22:65535, 6667:14, 16697:2, 37051:2, 39366:2, 215, 216, 217, 218, 219, 220, 221, [] MAC_Src: 00:0E:39:E0:94:00 0->0 (11:28:28.009 PST)
OUTBOUND SCAN
  208.22.40.25 (11:27:11.070 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 55264->22 (11:27:11.070 PST)
  208.20.225.16 (11:27:11.459 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 34589->22 (11:27:11.459 PST)
  208.15.165.10 (11:27:10.926 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 40943->22 (11:27:10.926 PST)
  208.19.38.33 (11:27:09.546 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 33153->22 (11:27:09.546 PST)
  208.16.230.166 (11:27:10.142 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 36533->22 (11:27:10.142 PST)
  208.19.38.86 (11:27:10.488 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 49765->22 (11:27:10.488 PST)
  208.19.38.32 (11:27:11.235 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 41136->22 (11:27:11.235 PST)
  208.22.87.80 (11:27:09.616 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 37343->22 (11:27:09.616 PST)
  208.20.73.17 (11:27:10.857 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 46342->22 (11:27:10.857 PST)
  208.22.87.95 (11:27:09.968 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 51178->22 (11:27:09.968 PST)
  208.19.38.31 (11:27:11.330 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 57678->22 (11:27:11.330 PST)
  208.21.241.193 (11:27:09.831 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 58742->22 (11:27:09.831 PST)
  208.13.130.144 (11:27:11.393 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 55358->22 (11:27:11.393 PST)
  208.13.144.125 (11:27:10.696 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 53228->22 (11:27:10.696 PST)
  208.4.181.41 (11:27:10.233 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 48548->22 (11:27:10.233 PST)
  208.19.70.162 (11:27:09.746 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 54485->22 (11:27:09.746 PST)
  208.22.87.53 (11:27:10.368 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 38304->22 (11:27:10.368 PST)
ATTACK PREP
PEER COORDINATION
DECLARE BOT
tcpslice 1257190029.546 1257190029.547 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.151'
============================== SEPARATOR ================================
Infected Target: 192.168.1.151
Score: 0.8 (>= 0.8)
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 11/02/2009 11:27:09.546 PST
Gen. Time: 11/02/2009 11:31:09.576 PST
INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
  208.16.230.166 (11:29:58.000 PST) event=777:7777005 {tcp} E5[bh] Detected intense non-malware port scanning of 30 IPs (18 /24s) (# pkts S/M/O/I=0/0/65535/46): 22:65535, 6667:14, 16697:2, 37051:2, 39366:2, 215, 216, 217, 218, 219, 220, 221, [] MAC_Src: 00:0E:39:E0:94:00 0->0 (11:29:58.000 PST)
  208.21.224.249 (11:28:28.009 PST) event=777:7777005 {tcp} E5[bh] Detected intense non-malware port scanning of 30 IPs (18 /24s) (# pkts S/M/O/I=0/0/65535/46): 22:65535, 6667:14, 16697:2, 37051:2, 39366:2, 215, 216, 217, 218, 219, 220, 221, [] MAC_Src: 00:0E:39:E0:94:00 0->0 (11:28:28.009 PST)
OUTBOUND SCAN
  208.22.40.25 (11:27:11.070 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 55264->22 (11:27:11.070 PST)
  208.20.225.16 (11:27:11.459 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 34589->22 (11:27:11.459 PST)
  208.15.165.10 (11:27:10.926 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 40943->22 (11:27:10.926 PST)
  208.19.38.33 (11:27:09.546 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 33153->22 (11:27:09.546 PST)
  208.16.230.166 (11:27:10.142 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 36533->22 (11:27:10.142 PST)
  208.19.38.86 (11:27:10.488 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 49765->22 (11:27:10.488 PST)
  208.19.38.32 (11:27:11.235 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 41136->22 (11:27:11.235 PST)
  208.22.87.80 (11:27:09.616 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 37343->22 (11:27:09.616 PST)
  208.20.73.17 (11:27:10.857 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 46342->22 (11:27:10.857 PST)
  208.22.87.95 (11:27:09.968 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 51178->22 (11:27:09.968 PST)
  208.19.38.31 (11:27:11.330 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 57678->22 (11:27:11.330 PST)
  208.21.241.193 (11:27:09.831 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 58742->22 (11:27:09.831 PST)
  208.13.130.144 (11:27:11.393 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 55358->22 (11:27:11.393 PST)
  208.13.144.125 (11:27:10.696 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 53228->22 (11:27:10.696 PST)
  208.4.181.41 (11:27:10.233 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 48548->22 (11:27:10.233 PST)
  208.19.70.162 (11:27:09.746 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 54485->22 (11:27:09.746 PST)
  208.22.87.53 (11:27:10.368 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 38304->22 (11:27:10.368 PST)
ATTACK PREP
PEER COORDINATION
DECLARE BOT
tcpslice 1257190029.546 1257190029.547 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.151'
============================== SEPARATOR ================================
Infected Target: 192.168.1.151
Score: 0.8 (>= 0.8)
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 11/02/2009 11:31:09.661 PST
Gen. Time: 11/02/2009 11:31:28.004 PST
INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
  208.22.87.4 (11:31:28.004 PST) event=777:7777005 {tcp} E5[bh] Detected intense non-malware port scanning of 30 IPs (18 /24s) (# pkts S/M/O/I=0/0/65535/46): 22:65535, 6667:14, 16697:2, 37051:2, 39366:2, 215, 216, 217, 218, 219, 220, 221, [] MAC_Src: 00:0E:39:E0:94:00 0->0 (11:31:28.004 PST)
OUTBOUND SCAN
  208.19.38.81 (11:31:10.626 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 51272->22 (11:31:10.626 PST)
  208.16.225.99 (11:31:09.712 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 43034->22 (11:31:09.712 PST)
  208.16.145.47 (11:31:10.450 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 58596->22 (11:31:10.450 PST)
  208.17.188.16 (11:31:10.687 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 33678->22 (11:31:10.687 PST)
  208.19.38.34 (11:31:09.893 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 43613->22 (11:31:09.893 PST)
  208.17.94.198 (11:31:10.066 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 39231->22 (11:31:10.066 PST)
  208.22.87.97 (11:31:09.753 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 44283->22 (11:31:09.753 PST)
  208.20.225.15 (11:31:09.824 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 48345->22 (11:31:09.824 PST)
  208.22.87.50 (11:31:10.309 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 52801->22 (11:31:10.309 PST)
  208.22.87.73 (11:31:10.158 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 46644->22 (11:31:10.158 PST)
  208.19.202.30 (11:31:09.995 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 36129->22 (11:31:09.995 PST)
  208.22.87.10 (11:31:10.490 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 42447->22 (11:31:10.490 PST)
  208.20.225.189 (11:31:10.026 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 48114->22 (11:31:10.026 PST)
  208.22.87.94 (11:31:10.231 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 55511->22 (11:31:10.231 PST)
  208.21.46.11 (11:31:09.661 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 36720->22 (11:31:09.661 PST)
  208.19.190.170 (11:31:10.342 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 57183->22 (11:31:10.342 PST)
  208.20.166.41 (11:31:10.535 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 49676->22 (11:31:10.535 PST)
ATTACK PREP
PEER COORDINATION
DECLARE BOT
tcpslice 1257190269.661 1257190269.662 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.151'
============================== SEPARATOR ================================
Infected Target: 192.168.1.151
Score: 0.8 (>= 0.8)
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 11/02/2009 11:31:09.661 PST
Gen. Time: 11/02/2009 11:35:09.673 PST
INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
  208.20.225.169 (11:32:58.000 PST) event=777:7777005 {tcp} E5[bh] Detected intense non-malware port scanning of 30 IPs (18 /24s) (# pkts S/M/O/I=0/0/65535/46): 22:65535, 6667:14, 16697:2, 37051:2, 39366:2, 215, 216, 217, 218, 219, 220, 221, [] MAC_Src: 00:0E:39:E0:94:00 0->0 (11:32:58.000 PST)
  208.22.87.4 (11:31:28.004 PST) event=777:7777005 {tcp} E5[bh] Detected intense non-malware port scanning of 30 IPs (18 /24s) (# pkts S/M/O/I=0/0/65535/46): 22:65535, 6667:14, 16697:2, 37051:2, 39366:2, 215, 216, 217, 218, 219, 220, 221, [] MAC_Src: 00:0E:39:E0:94:00 0->0 (11:31:28.004 PST)
  208.22.87.36 (11:34:28.000 PST) event=777:7777005 {tcp} E5[bh] Detected intense non-malware port scanning of 30 IPs (18 /24s) (# pkts S/M/O/I=0/0/65535/46): 22:65535, 6667:14, 16697:2, 37051:2, 39366:2, 215, 216, 217, 218, 219, 220, 221, [] MAC_Src: 00:0E:39:E0:94:00 0->0 (11:34:28.000 PST)
OUTBOUND SCAN
  208.19.38.81 (11:31:10.626 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 51272->22 (11:31:10.626 PST)
  208.16.225.99 (11:31:09.712 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 43034->22 (11:31:09.712 PST)
  208.16.145.47 (11:31:10.450 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 58596->22 (11:31:10.450 PST)
  208.17.188.16 (11:31:10.687 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 33678->22 (11:31:10.687 PST)
  208.19.38.34 (11:31:09.893 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 43613->22 (11:31:09.893 PST)
  208.17.94.198 (11:31:10.066 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20
in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 39231->22 (11:31:10.066 PST) 208.22.87.97 (11:31:09.753 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 44283->22 (11:31:09.753 PST) 208.20.225.15 (11:31:09.824 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 48345->22 (11:31:09.824 PST) 208.22.87.50 (11:31:10.309 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 52801->22 (11:31:10.309 PST) 208.22.87.73 (11:31:10.158 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 46644->22 (11:31:10.158 PST) 208.19.202.30 (11:31:09.995 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 36129->22 (11:31:09.995 PST) 208.22.87.10 (11:31:10.490 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 42447->22 (11:31:10.490 PST) 208.20.225.189 (11:31:10.026 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 48114->22 (11:31:10.026 PST) 208.22.87.94 (11:31:10.231 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 55511->22 (11:31:10.231 PST) 208.21.46.11 (11:31:09.661 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 36720->22 (11:31:09.661 PST) 208.19.190.170 (11:31:10.342 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 57183->22 (11:31:10.342 PST) 208.20.166.41 (11:31:10.535 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 49676->22 (11:31:10.535 PST) ATTACK PREP PEER COORDINATION DECLARE BOT tcpslice 1257190269.661 1257190269.662 inputFile.tcpd | tcpdump -r - -w 
outputFile.tcpd 'host 192.168.1.151' ============================== SEPARATOR ================================ Infected Target: 192.168.1.151 Score: 0.8 (>= 0.8) Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 11/02/2009 11:35:09.707 PST Gen. Time: 11/02/2009 11:35:58.000 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) 208.22.87.42 (11:35:58.000 PST) event=777:7777005 {tcp} E5[bh] Detected intense non-malware port scanning of 30 IPs (18 /24s) (# pkts S/M/O/I=0/0/65535/46): 22:65535, 6667:14, 16697:2, 37051:2, 39366:2, 215, 216, 217, 218, 219, 220, 221, [] MAC_Src: 00:0E:39:E0:94:00 0->0 (11:35:58.000 PST) OUTBOUND SCAN 208.21.28.154 (11:35:10.064 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 36279->22 (11:35:10.064 PST) 208.22.87.67 (11:35:09.871 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 36152->22 (11:35:09.871 PST) 208.17.25.244 (11:35:10.107 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 57211->22 (11:35:10.107 PST) 208.16.145.46 (11:35:09.777 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 52557->22 (11:35:09.777 PST) 208.17.69.211 (11:35:09.971 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 36620->22 (11:35:09.971 PST) 208.16.230.166 (11:35:09.898 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 41511->22 (11:35:09.898 PST) 208.22.87.58 (11:35:09.741 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 39084->22 (11:35:09.741 PST) 208.22.87.81 (11:35:09.748 PST) event=1:2001219 {tcp} 
E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 43061->22 (11:35:09.748 PST) 208.20.254.73 (11:35:10.196 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 45449->22 (11:35:10.196 PST) 208.22.87.34 (11:35:10.121 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 38081->22 (11:35:10.121 PST) 208.22.87.95 (11:35:10.189 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 56051->22 (11:35:10.189 PST) 208.22.87.18 (11:35:09.829 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 47211->22 (11:35:09.829 PST) 208.20.225.165 (11:35:10.038 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 58135->22 (11:35:10.038 PST) 208.17.76.17 (11:35:10.160 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 60507->22 (11:35:10.160 PST) 208.19.38.28 (11:35:09.931 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 37444->22 (11:35:09.931 PST) 208.16.90.213 (11:35:10.112 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 33893->22 (11:35:10.112 PST) 208.16.210.244 (11:35:09.707 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 56696->22 (11:35:09.707 PST) ATTACK PREP PEER COORDINATION DECLARE BOT tcpslice 1257190509.707 1257190509.708 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.151' ============================== SEPARATOR ================================ Infected Target: 192.168.1.151 Score: 0.8 (>= 0.8) Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 11/02/2009 11:35:09.707 PST Gen. 
Time: 11/02/2009 11:39:09.736 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) 208.22.87.42 (11:35:58.000 PST) event=777:7777005 {tcp} E5[bh] Detected intense non-malware port scanning of 30 IPs (18 /24s) (# pkts S/M/O/I=0/0/65535/46): 22:65535, 6667:14, 16697:2, 37051:2, 39366:2, 215, 216, 217, 218, 219, 220, 221, [] MAC_Src: 00:0E:39:E0:94:00 0->0 (11:35:58.000 PST) 208.16.72.210 (11:37:28.001 PST) event=777:7777005 {tcp} E5[bh] Detected intense non-malware port scanning of 30 IPs (18 /24s) (# pkts S/M/O/I=0/0/65535/46): 22:65535, 6667:14, 16697:2, 37051:2, 39366:2, 215, 216, 217, 218, 219, 220, 221, [] MAC_Src: 00:0E:39:E0:94:00 0->0 (11:37:28.001 PST) 208.22.87.84 (11:38:58.001 PST) event=777:7777005 {tcp} E5[bh] Detected intense non-malware port scanning of 30 IPs (18 /24s) (# pkts S/M/O/I=0/0/65535/46): 22:65535, 6667:14, 16697:2, 37051:2, 39366:2, 215, 216, 217, 218, 219, 220, 221, [] MAC_Src: 00:0E:39:E0:94:00 0->0 (11:38:58.001 PST) OUTBOUND SCAN 208.21.28.154 (11:35:10.064 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 36279->22 (11:35:10.064 PST) 208.22.87.67 (11:35:09.871 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 36152->22 (11:35:09.871 PST) 208.17.25.244 (11:35:10.107 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 57211->22 (11:35:10.107 PST) 208.16.145.46 (11:35:09.777 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 52557->22 (11:35:09.777 PST) 208.17.69.211 (11:35:09.971 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 36620->22 (11:35:09.971 PST) 208.16.230.166 (11:35:09.898 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan 
(20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 41511->22 (11:35:09.898 PST) 208.22.87.58 (11:35:09.741 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 39084->22 (11:35:09.741 PST) 208.22.87.81 (11:35:09.748 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 43061->22 (11:35:09.748 PST) 208.20.254.73 (11:35:10.196 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 45449->22 (11:35:10.196 PST) 208.22.87.34 (11:35:10.121 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 38081->22 (11:35:10.121 PST) 208.22.87.95 (11:35:10.189 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 56051->22 (11:35:10.189 PST) 208.22.87.18 (11:35:09.829 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 47211->22 (11:35:09.829 PST) 208.20.225.165 (11:35:10.038 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 58135->22 (11:35:10.038 PST) 208.17.76.17 (11:35:10.160 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 60507->22 (11:35:10.160 PST) 208.19.38.28 (11:35:09.931 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 37444->22 (11:35:09.931 PST) 208.16.90.213 (11:35:10.112 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 33893->22 (11:35:10.112 PST) 208.16.210.244 (11:35:09.707 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 56696->22 (11:35:09.707 PST) ATTACK PREP PEER COORDINATION DECLARE BOT tcpslice 1257190509.707 1257190509.708 inputFile.tcpd | tcpdump -r - -w 
outputFile.tcpd 'host 192.168.1.151' ============================== SEPARATOR ================================ Infected Target: 192.168.1.151 Score: 0.8 (>= 0.8) Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 11/02/2009 11:39:09.798 PST Gen. Time: 11/02/2009 11:40:28.000 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) 208.13.144.57 (11:40:28.000 PST) event=777:7777005 {tcp} E5[bh] Detected intense non-malware port scanning of 30 IPs (17 /24s) (# pkts S/M/O/I=0/0/65535/46): 22:65535, 6667:14, 16697:2, 37051:2, 39366:2, 215, 216, 217, 218, 219, 220, 221, [] MAC_Src: 00:0E:39:E0:94:00 0->0 (11:40:28.000 PST) OUTBOUND SCAN 208.19.38.35 (11:39:10.036 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 33404->22 (11:39:10.036 PST) 208.22.87.83 (11:39:09.808 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 37913->22 (11:39:09.808 PST) 208.20.225.185 (11:39:10.222 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 60645->22 (11:39:10.222 PST) 208.8.89.33 (11:39:09.798 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 53343->22 (11:39:09.798 PST) 208.0.9.84 (11:39:10.547 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 55412->22 (11:39:10.547 PST) 208.22.87.27 (11:39:10.150 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 57972->22 (11:39:10.150 PST) 208.20.254.73 (11:39:09.838 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 41070->22 (11:39:09.838 PST) 208.22.87.50 (11:39:09.853 PST) event=1:2001219 {tcp} E5[rb] ET 
SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 43763->22 (11:39:09.853 PST) 208.16.199.234 (11:39:10.336 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 55191->22 (11:39:10.336 PST) 208.22.87.10 (11:39:09.985 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 40022->22 (11:39:09.985 PST) 208.20.65.17 (11:39:09.916 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 45628->22 (11:39:09.916 PST) 208.20.225.181 (11:39:09.946 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 37228->22 (11:39:09.946 PST) 208.22.87.78 (11:39:10.254 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 59528->22 (11:39:10.254 PST) 208.21.170.236 (11:39:10.530 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 37985->22 (11:39:10.530 PST) 208.16.230.193 (11:39:10.473 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 41954->22 (11:39:10.473 PST) 208.20.225.103 (11:39:10.091 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 42899->22 (11:39:10.091 PST) 208.16.210.244 (11:39:10.421 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 47015->22 (11:39:10.421 PST) ATTACK PREP PEER COORDINATION DECLARE BOT tcpslice 1257190749.798 1257190749.799 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.151' ============================== SEPARATOR ================================ Infected Target: 192.168.1.151 Score: 0.8 (>= 0.8) Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 11/02/2009 11:39:09.798 PST Gen. 
Time: 11/02/2009 11:43:09.845 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) 208.13.130.82 (11:41:58.001 PST) event=777:7777005 {tcp} E5[bh] Detected intense non-malware port scanning of 30 IPs (17 /24s) (# pkts S/M/O/I=0/0/65535/46): 22:65535, 6667:14, 16697:2, 37051:2, 39366:2, 215, 216, 217, 218, 219, 220, 221, [] MAC_Src: 00:0E:39:E0:94:00 0->0 (11:41:58.001 PST) 208.13.144.57 (11:40:28.000 PST) event=777:7777005 {tcp} E5[bh] Detected intense non-malware port scanning of 30 IPs (17 /24s) (# pkts S/M/O/I=0/0/65535/46): 22:65535, 6667:14, 16697:2, 37051:2, 39366:2, 215, 216, 217, 218, 219, 220, 221, [] MAC_Src: 00:0E:39:E0:94:00 0->0 (11:40:28.000 PST) OUTBOUND SCAN 208.19.38.35 (11:39:10.036 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 33404->22 (11:39:10.036 PST) 208.22.87.83 (11:39:09.808 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 37913->22 (11:39:09.808 PST) 208.20.225.185 (11:39:10.222 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 60645->22 (11:39:10.222 PST) 208.8.89.33 (11:39:09.798 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 53343->22 (11:39:09.798 PST) 208.0.9.84 (11:39:10.547 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 55412->22 (11:39:10.547 PST) 208.22.87.27 (11:39:10.150 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 57972->22 (11:39:10.150 PST) 208.20.254.73 (11:39:09.838 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 41070->22 (11:39:09.838 PST) 208.22.87.50 (11:39:09.853 PST) event=1:2001219 {tcp} 
E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 43763->22 (11:39:09.853 PST) 208.16.199.234 (11:39:10.336 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 55191->22 (11:39:10.336 PST) 208.22.87.10 (11:39:09.985 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 40022->22 (11:39:09.985 PST) 208.20.65.17 (11:39:09.916 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 45628->22 (11:39:09.916 PST) 208.20.225.181 (11:39:09.946 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 37228->22 (11:39:09.946 PST) 208.22.87.78 (11:39:10.254 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 59528->22 (11:39:10.254 PST) 208.21.170.236 (11:39:10.530 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 37985->22 (11:39:10.530 PST) 208.16.230.193 (11:39:10.473 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 41954->22 (11:39:10.473 PST) 208.20.225.103 (11:39:10.091 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 42899->22 (11:39:10.091 PST) 208.16.210.244 (11:39:10.421 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 47015->22 (11:39:10.421 PST) ATTACK PREP PEER COORDINATION DECLARE BOT tcpslice 1257190749.798 1257190749.799 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.151' ============================== SEPARATOR ================================ Infected Target: 192.168.1.151 Score: 0.8 (>= 0.8) Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 11/02/2009 11:43:09.866 PST Gen. 
Time: 11/02/2009 11:43:28.003 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) 208.20.1.200 (11:43:28.003 PST) event=777:7777005 {tcp} E5[bh] Detected intense non-malware port scanning of 30 IPs (18 /24s) (# pkts S/M/O/I=0/0/65535/46): 22:65535, 6667:14, 16697:2, 37051:2, 39366:2, 215, 216, 217, 218, 219, 220, 221, [] MAC_Src: 00:0E:39:E0:94:00 0->0 (11:43:28.003 PST) OUTBOUND SCAN 208.22.87.75 (11:43:10.182 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 60516->22 (11:43:10.182 PST) 208.22.87.82 (11:43:10.289 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 34886->22 (11:43:10.289 PST) 208.16.230.166 (11:43:09.896 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 47050->22 (11:43:09.896 PST) 208.22.87.88 (11:43:10.319 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 53423->22 (11:43:10.319 PST) 208.22.87.34 (11:43:10.225 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 52285->22 (11:43:10.225 PST) 208.12.107.133 (11:43:10.045 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 36253->22 (11:43:10.045 PST) 208.19.38.85 (11:43:10.378 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 49025->22 (11:43:10.378 PST) 208.21.200.2 (11:43:09.866 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 37729->22 (11:43:09.866 PST) 208.19.38.15 (11:43:10.344 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 45792->22 (11:43:10.344 PST) 208.22.87.40 
(11:43:09.993 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 42734->22 (11:43:09.993 PST) 208.21.174.194 (11:43:10.112 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 42976->22 (11:43:10.112 PST) 208.22.87.32 (11:43:09.964 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 49431->22 (11:43:09.964 PST) 208.22.87.100 (11:43:10.212 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 55092->22 (11:43:10.212 PST) 208.21.28.148 (11:43:10.088 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 38532->22 (11:43:10.088 PST) 208.22.87.92 (11:43:10.428 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 50621->22 (11:43:10.428 PST) 208.22.87.38 (11:43:10.249 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 34484->22 (11:43:10.249 PST) 208.17.83.3 (11:43:09.929 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 52152->22 (11:43:09.929 PST) ATTACK PREP PEER COORDINATION DECLARE BOT tcpslice 1257190989.866 1257190989.867 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.151' ============================== SEPARATOR ================================ Infected Target: 192.168.1.151 Score: 0.8 (>= 0.8) Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 11/02/2009 11:43:09.866 PST Gen. 
Time: 11/02/2009 11:47:09.868 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) 208.20.1.200 (11:43:28.003 PST) event=777:7777005 {tcp} E5[bh] Detected intense non-malware port scanning of 30 IPs (18 /24s) (# pkts S/M/O/I=0/0/65535/46): 22:65535, 6667:14, 16697:2, 37051:2, 39366:2, 215, 216, 217, 218, 219, 220, 221, [] MAC_Src: 00:0E:39:E0:94:00 0->0 (11:43:28.003 PST) 208.16.230.179 (11:44:58.002 PST) event=777:7777005 {tcp} E5[bh] Detected intense non-malware port scanning of 30 IPs (18 /24s) (# pkts S/M/O/I=0/0/65535/46): 22:65535, 6667:14, 16697:2, 37051:2, 39366:2, 215, 216, 217, 218, 219, 220, 221, [] MAC_Src: 00:0E:39:E0:94:00 0->0 (11:44:58.002 PST) 208.20.209.58 (11:46:28.000 PST) event=777:7777005 {tcp} E5[bh] Detected intense non-malware port scanning of 30 IPs (18 /24s) (# pkts S/M/O/I=0/0/65535/46): 22:65535, 6667:14, 16697:2, 37051:2, 39366:2, 215, 216, 217, 218, 219, 220, 221, [] MAC_Src: 00:0E:39:E0:94:00 0->0 (11:46:28.000 PST) OUTBOUND SCAN 208.22.87.75 (11:43:10.182 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 60516->22 (11:43:10.182 PST) 208.22.87.82 (11:43:10.289 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 34886->22 (11:43:10.289 PST) 208.16.230.166 (11:43:09.896 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 47050->22 (11:43:09.896 PST) 208.22.87.88 (11:43:10.319 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 53423->22 (11:43:10.319 PST) 208.22.87.34 (11:43:10.225 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 52285->22 (11:43:10.225 PST) 208.12.107.133 (11:43:10.045 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan 
(20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 36253->22 (11:43:10.045 PST) 208.19.38.85 (11:43:10.378 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 49025->22 (11:43:10.378 PST) 208.21.200.2 (11:43:09.866 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 37729->22 (11:43:09.866 PST) 208.19.38.15 (11:43:10.344 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 45792->22 (11:43:10.344 PST) 208.22.87.40 (11:43:09.993 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 42734->22 (11:43:09.993 PST) 208.21.174.194 (11:43:10.112 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 42976->22 (11:43:10.112 PST) 208.22.87.32 (11:43:09.964 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 49431->22 (11:43:09.964 PST) 208.22.87.100 (11:43:10.212 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 55092->22 (11:43:10.212 PST) 208.21.28.148 (11:43:10.088 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 38532->22 (11:43:10.088 PST) 208.22.87.92 (11:43:10.428 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 50621->22 (11:43:10.428 PST) 208.22.87.38 (11:43:10.249 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 34484->22 (11:43:10.249 PST) 208.17.83.3 (11:43:09.929 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 52152->22 (11:43:09.929 PST) ATTACK PREP PEER COORDINATION DECLARE BOT tcpslice 1257190989.866 1257190989.867 inputFile.tcpd | tcpdump -r - -w 
outputFile.tcpd 'host 192.168.1.151'
============================== SEPARATOR ================================
Infected Target: 192.168.1.151
Score: 0.8 (>= 0.8)
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 11/02/2009 11:47:09.909 PST
Gen. Time: 11/02/2009 11:47:58.001 PST
INBOUND SCAN
EXPLOIT
EXPLOIT
MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
 208.22.87.72 (11:47:58.001 PST)
  event=777:7777005 {tcp} E5[bh] Detected intense non-malware port scanning of 30 IPs (18 /24s) (# pkts S/M/O/I=0/0/65535/46): 22:65535, 6667:14, 16697:2, 37051:2, 39366:2, 215, 216, 217, 218, 219, 220, 221, [] MAC_Src: 00:0E:39:E0:94:00 0->0 (11:47:58.001 PST)
OUTBOUND SCAN
 208.21.28.100 (11:47:10.571 PST)
  event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 54826->22 (11:47:10.571 PST)
 208.21.99.2 (11:47:10.403 PST)
  event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 53073->22 (11:47:10.403 PST)
 208.19.38.34 (11:47:10.296 PST)
  event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 50038->22 (11:47:10.296 PST)
 208.22.87.67 (11:47:10.216 PST)
  event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 45191->22 (11:47:10.216 PST)
 208.22.87.58 (11:47:10.462 PST)
  event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 46834->22 (11:47:10.462 PST)
 208.22.87.12 (11:47:10.156 PST)
  event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 55455->22 (11:47:10.156 PST)
 208.21.28.98 (11:47:10.525 PST)
  event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 51423->22 (11:47:10.525 PST)
 208.22.87.18 (11:47:09.929 PST)
  event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 49195->22 (11:47:09.929 PST)
 208.19.38.31 (11:47:10.073 PST)
  event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 58058->22 (11:47:10.073 PST)
 208.22.87.25 (11:47:10.344 PST)
  event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 45691->22 (11:47:10.344 PST)
 208.19.21.20 (11:47:10.202 PST)
  event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 55015->22 (11:47:10.202 PST)
 208.17.183.65 (11:47:10.005 PST)
  event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 45597->22 (11:47:10.005 PST)
 208.16.230.193 (11:47:10.130 PST)
  event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 57886->22 (11:47:10.130 PST)
 208.20.225.103 (11:47:10.110 PST)
  event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 56577->22 (11:47:10.110 PST)
 208.20.160.190 (11:47:10.261 PST)
  event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 39371->22 (11:47:10.261 PST)
 208.22.87.92 (11:47:10.038 PST)
  event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 51661->22 (11:47:10.038 PST)
 208.22.87.23 (11:47:09.909 PST)
  event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 41465->22 (11:47:09.909 PST)
ATTACK PREP
PEER COORDINATION
DECLARE BOT
tcpslice 1257191229.909 1257191229.910 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.151'
============================== SEPARATOR ================================
Infected Target: 192.168.1.151
Score: 0.8 (>= 0.8)
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 11/02/2009 11:47:09.909 PST
Gen. Time: 11/02/2009 11:51:10.146 PST
INBOUND SCAN
EXPLOIT
EXPLOIT
MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
 208.20.73.17 (11:51:08.374 PST)
  event=777:7777005 {tcp} E5[bh] Detected intense non-malware port scanning of 30 IPs (18 /24s) (# pkts S/M/O/I=0/0/65535/46): 22:65535, 6667:14, 16697:2, 37051:2, 39366:2, 215, 216, 217, 218, 219, 220, 221, [] MAC_Src: 00:0E:39:E0:94:00 0->0 (11:51:08.374 PST)
 208.19.94.1 (11:49:28.000 PST)
  event=777:7777005 {tcp} E5[bh] Detected intense non-malware port scanning of 30 IPs (18 /24s) (# pkts S/M/O/I=0/0/65535/46): 22:65535, 6667:14, 16697:2, 37051:2, 39366:2, 215, 216, 217, 218, 219, 220, 221, [] MAC_Src: 00:0E:39:E0:94:00 0->0 (11:49:28.000 PST)
 208.22.87.72 (11:47:58.001 PST)
  event=777:7777005 {tcp} E5[bh] Detected intense non-malware port scanning of 30 IPs (18 /24s) (# pkts S/M/O/I=0/0/65535/46): 22:65535, 6667:14, 16697:2, 37051:2, 39366:2, 215, 216, 217, 218, 219, 220, 221, [] MAC_Src: 00:0E:39:E0:94:00 0->0 (11:47:58.001 PST)
OUTBOUND SCAN
 208.21.28.100 (11:47:10.571 PST)
  event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 54826->22 (11:47:10.571 PST)
 208.21.99.2 (11:47:10.403 PST)
  event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 53073->22 (11:47:10.403 PST)
 208.19.38.34 (11:47:10.296 PST)
  event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 50038->22 (11:47:10.296 PST)
 208.22.87.67 (11:47:10.216 PST)
  event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 45191->22 (11:47:10.216 PST)
 208.22.87.58 (11:47:10.462 PST)
  event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 46834->22 (11:47:10.462 PST)
 208.22.87.12 (11:47:10.156 PST)
  event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 55455->22 (11:47:10.156 PST)
 208.21.28.98 (11:47:10.525 PST)
  event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 51423->22 (11:47:10.525 PST)
 208.22.87.18 (11:47:09.929 PST)
  event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 49195->22 (11:47:09.929 PST)
 208.19.38.31 (11:47:10.073 PST)
  event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 58058->22 (11:47:10.073 PST)
 208.22.87.25 (11:47:10.344 PST)
  event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 45691->22 (11:47:10.344 PST)
 208.19.21.20 (11:47:10.202 PST)
  event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 55015->22 (11:47:10.202 PST)
 208.17.183.65 (11:47:10.005 PST)
  event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 45597->22 (11:47:10.005 PST)
 208.16.230.193 (11:47:10.130 PST)
  event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 57886->22 (11:47:10.130 PST)
 208.20.225.103 (11:47:10.110 PST)
  event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 56577->22 (11:47:10.110 PST)
 208.20.160.190 (11:47:10.261 PST)
  event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 39371->22 (11:47:10.261 PST)
 208.22.87.92 (11:47:10.038 PST)
  event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 51661->22 (11:47:10.038 PST)
 208.22.87.23 (11:47:09.909 PST)
  event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 41465->22 (11:47:09.909 PST)
ATTACK PREP
PEER COORDINATION
DECLARE BOT
tcpslice 1257191229.909 1257191229.910 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.151'
============================== SEPARATOR ================================
Infected Target: 192.168.1.151
Score: 0.8 (>= 0.8)
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 11/02/2009 11:52:59.964 PST
Gen. Time: 11/02/2009 11:56:35.706 PST
INBOUND SCAN
EXPLOIT
EXPLOIT
MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
 208.83.20.130 (11:56:27.324 PST)
  event=777:7777005 {tcp} E5[bh] Detected intense non-malware port scanning of 30 IPs (18 /24s) (# pkts S/M/O/I=0/0/65535/46): 22:65535, 6667:14, 16697:2, 37051:2, 39366:2, 215, 216, 217, 218, 219, 220, 221, [] MAC_Src: 00:0E:39:E0:94:00 0->0 (11:56:27.324 PST)
 208.20.1.215 (11:52:59.964 PST)
  event=777:7777005 {tcp} E5[bh] Detected intense non-malware port scanning of 30 IPs (18 /24s) (# pkts S/M/O/I=0/0/65535/46): 22:65535, 6667:14, 16697:2, 37051:2, 39366:2, 215, 216, 217, 218, 219, 220, 221, [] MAC_Src: 00:0E:39:E0:94:00 0->0 (11:52:59.964 PST)
 208.21.28.108 (11:54:40.902 PST)
  event=777:7777005 {tcp} E5[bh] Detected intense non-malware port scanning of 30 IPs (18 /24s) (# pkts S/M/O/I=0/0/65535/46): 22:65535, 6667:14, 16697:2, 37051:2, 39366:2, 215, 216, 217, 218, 219, 220, 221, [] MAC_Src: 00:0E:39:E0:94:00 0->0 (11:54:40.902 PST)
OUTBOUND SCAN
 208.24.34.141 (11:56:35.706 PST)
  event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 40274->22 (11:56:35.706 PST)
ATTACK PREP
PEER COORDINATION
DECLARE BOT
tcpslice 1257191579.964 1257191579.965 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.151'
============================== SEPARATOR ================================
Infected Target: 192.168.1.151
Score: 0.8 (>= 0.8)
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 11/02/2009 11:52:59.964 PST
Gen. Time: 11/02/2009 11:57:00.710 PST
INBOUND SCAN
EXPLOIT
EXPLOIT
MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
 208.83.20.130 (11:56:27.324 PST)
  event=777:7777005 {tcp} E5[bh] Detected intense non-malware port scanning of 30 IPs (18 /24s) (# pkts S/M/O/I=0/0/65535/46): 22:65535, 6667:14, 16697:2, 37051:2, 39366:2, 215, 216, 217, 218, 219, 220, 221, [] MAC_Src: 00:0E:39:E0:94:00 0->0 (11:56:27.324 PST)
 208.20.1.215 (11:52:59.964 PST)
  event=777:7777005 {tcp} E5[bh] Detected intense non-malware port scanning of 30 IPs (18 /24s) (# pkts S/M/O/I=0/0/65535/46): 22:65535, 6667:14, 16697:2, 37051:2, 39366:2, 215, 216, 217, 218, 219, 220, 221, [] MAC_Src: 00:0E:39:E0:94:00 0->0 (11:52:59.964 PST)
 208.21.28.108 (11:54:40.902 PST)
  event=777:7777005 {tcp} E5[bh] Detected intense non-malware port scanning of 30 IPs (18 /24s) (# pkts S/M/O/I=0/0/65535/46): 22:65535, 6667:14, 16697:2, 37051:2, 39366:2, 215, 216, 217, 218, 219, 220, 221, [] MAC_Src: 00:0E:39:E0:94:00 0->0 (11:54:40.902 PST)
OUTBOUND SCAN
 208.24.32.8 (11:56:35.715 PST)
  event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 38452->22 (11:56:35.715 PST)
 208.24.32.46 (11:56:35.715 PST)
  event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 47889->22 (11:56:35.715 PST)
 208.24.31.140 (11:56:35.712 PST)
  event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 57991->22 (11:56:35.712 PST)
 208.24.31.155 (11:56:35.713 PST)
  event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 48517->22 (11:56:35.713 PST)
 208.24.32.98 (11:56:35.717 PST)
  event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 59862->22 (11:56:35.717 PST)
 208.24.31.124 (11:56:35.715 PST)
  event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 45495->22 (11:56:35.715 PST)
 208.24.31.193 (11:56:35.713 PST)
  event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 60050->22 (11:56:35.713 PST)
 208.24.31.231 (11:56:35.714 PST)
  event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 51168->22 (11:56:35.714 PST)
 208.24.31.154 (11:56:35.720 PST)
  event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 59295->22 (11:56:35.720 PST)
 208.24.32.27 (11:56:35.715 PST)
  event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 60688->22 (11:56:35.715 PST)
 208.24.31.129 (11:56:35.716 PST)
  event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 42691->22 (11:56:35.716 PST)
 208.24.31.174 (11:56:35.713 PST)
  event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 36226->22 (11:56:35.713 PST)
 208.24.32.117 (11:56:35.717 PST)
  event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 36188->22 (11:56:35.717 PST)
 208.24.31.120 (11:56:35.712 PST)
  event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 55806->22 (11:56:35.712 PST)
 208.24.31.212 (11:56:35.714 PST)
  event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 50905->22 (11:56:35.714 PST)
 208.24.34.141 (11:56:35.706 PST)
  event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 40274->22 (11:56:35.706 PST)
 208.24.32.85 (11:56:35.716 PST)
  event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 35434->22 (11:56:35.716 PST)
ATTACK PREP
PEER COORDINATION
DECLARE BOT
tcpslice 1257191579.964 1257191579.965 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.151'
============================== SEPARATOR ================================
Infected Target: 192.168.1.151
Score: 0.8 (>= 0.8)
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 11/02/2009 11:57:00.710 PST
Gen. Time: 11/02/2009 11:57:58.704 PST
INBOUND SCAN
EXPLOIT
EXPLOIT
MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
 208.24.97.86 (11:57:58.704 PST)
  event=777:7777005 {tcp} E5[bh] Detected intense non-malware port scanning of 30 IPs (18 /24s) (# pkts S/M/O/I=0/0/65535/46): 22:65535, 6667:14, 16697:2, 37051:2, 39366:2, 215, 216, 217, 218, 219, 220, 221, [] MAC_Src: 00:0E:39:E0:94:00 0->0 (11:57:58.704 PST)
OUTBOUND SCAN
 208.24.54.149 (11:57:00.722 PST)
  event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 40266->22 (11:57:00.722 PST)
 208.24.54.41 (11:57:00.719 PST)
  event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 57970->22 (11:57:00.719 PST)
 208.24.53.166 (11:57:00.719 PST)
  event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 45384->22 (11:57:00.719 PST)
 208.24.53.219 (11:57:00.712 PST)
  event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 60240->22 (11:57:00.712 PST)
 208.24.53.165 (11:57:00.711 PST)
  event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 57767->22 (11:57:00.711 PST)
 208.24.54.77 (11:57:00.720 PST)
  event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 43908->22 (11:57:00.720 PST)
 208.24.54.23 (11:57:00.719 PST)
  event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 39925->22 (11:57:00.719 PST)
 208.24.54.0 (11:57:00.712 PST)
  event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 60897->22 (11:57:00.712 PST)
 208.24.54.130 (11:57:00.721 PST)
  event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 55653->22 (11:57:00.721 PST)
 208.24.53.201 (11:57:00.711 PST)
  event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 42612->22 (11:57:00.711 PST)
 208.24.53.147 (11:57:00.710 PST)
  event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 48172->22 (11:57:00.710 PST)
 208.24.53.177 (11:57:00.721 PST)
  event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 33144->22 (11:57:00.721 PST)
 208.24.54.59 (11:57:00.720 PST)
  event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 58919->22 (11:57:00.720 PST)
 208.24.53.146 (11:57:00.715 PST)
  event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 33048->22 (11:57:00.715 PST)
 208.24.54.112 (11:57:00.721 PST)
  event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 32890->22 (11:57:00.721 PST)
 208.24.53.237 (11:57:00.712 PST)
  event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 56847->22 (11:57:00.712 PST)
 208.24.53.183 (11:57:00.711 PST)
  event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 36223->22 (11:57:00.711 PST)
ATTACK PREP
PEER COORDINATION
DECLARE BOT
tcpslice 1257191820.710 1257191820.711 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.151'
============================== SEPARATOR ================================
Infected Target: 192.168.1.151
Score: 0.8 (>= 0.8)
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 11/02/2009 11:57:00.710 PST
Gen. Time: 11/02/2009 12:01:00.712 PST
INBOUND SCAN
EXPLOIT
EXPLOIT
MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
 208.24.243.189 (12:00:58.698 PST)
  event=777:7777005 {tcp} E5[bh] Detected intense non-malware port scanning of 30 IPs (18 /24s) (# pkts S/M/O/I=0/0/65535/46): 22:65535, 6667:14, 16697:2, 37051:2, 39366:2, 215, 216, 217, 218, 219, 220, 221, [] MAC_Src: 00:0E:39:E0:94:00 0->0 (12:00:58.698 PST)
 208.24.170.151 (11:59:28.701 PST)
  event=777:7777005 {tcp} E5[bh] Detected intense non-malware port scanning of 30 IPs (18 /24s) (# pkts S/M/O/I=0/0/65535/46): 22:65535, 6667:14, 16697:2, 37051:2, 39366:2, 215, 216, 217, 218, 219, 220, 221, [] MAC_Src: 00:0E:39:E0:94:00 0->0 (11:59:28.701 PST)
 208.24.97.86 (11:57:58.704 PST)
  event=777:7777005 {tcp} E5[bh] Detected intense non-malware port scanning of 30 IPs (18 /24s) (# pkts S/M/O/I=0/0/65535/46): 22:65535, 6667:14, 16697:2, 37051:2, 39366:2, 215, 216, 217, 218, 219, 220, 221, [] MAC_Src: 00:0E:39:E0:94:00 0->0 (11:57:58.704 PST)
OUTBOUND SCAN
 208.24.54.149 (11:57:00.722 PST)
  event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 40266->22 (11:57:00.722 PST)
 208.24.54.41 (11:57:00.719 PST)
  event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 57970->22 (11:57:00.719 PST)
 208.24.53.166 (11:57:00.719 PST)
  event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 45384->22 (11:57:00.719 PST)
 208.24.53.219 (11:57:00.712 PST)
  event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 60240->22 (11:57:00.712 PST)
 208.24.53.165 (11:57:00.711 PST)
  event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 57767->22 (11:57:00.711 PST)
 208.24.54.77 (11:57:00.720 PST)
  event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 43908->22 (11:57:00.720 PST)
 208.24.54.23 (11:57:00.719 PST)
  event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 39925->22 (11:57:00.719 PST)
 208.24.54.0 (11:57:00.712 PST)
  event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 60897->22 (11:57:00.712 PST)
 208.24.54.130 (11:57:00.721 PST)
  event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 55653->22 (11:57:00.721 PST)
 208.24.53.201 (11:57:00.711 PST)
  event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 42612->22 (11:57:00.711 PST)
 208.24.53.147 (11:57:00.710 PST)
  event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 48172->22 (11:57:00.710 PST)
 208.24.53.177 (11:57:00.721 PST)
  event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 33144->22 (11:57:00.721 PST)
 208.24.54.59 (11:57:00.720 PST)
  event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 58919->22 (11:57:00.720 PST)
 208.24.53.146 (11:57:00.715 PST)
  event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 33048->22 (11:57:00.715 PST)
 208.24.54.112 (11:57:00.721 PST)
  event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 32890->22 (11:57:00.721 PST)
 208.24.53.237 (11:57:00.712 PST)
  event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 56847->22 (11:57:00.712 PST)
 208.24.53.183 (11:57:00.711 PST)
  event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 36223->22 (11:57:00.711 PST)
ATTACK PREP
PEER COORDINATION
DECLARE BOT
tcpslice 1257191820.710 1257191820.711 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.151'
============================== SEPARATOR ================================
Infected Target: 192.168.1.151
Score: 0.8 (>= 0.8)
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 11/02/2009 12:01:00.715 PST
Gen. Time: 11/02/2009 12:02:28.069 PST
INBOUND SCAN
EXPLOIT
EXPLOIT
MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
 208.24.226.76 (12:02:28.069 PST)
  event=777:7777005 {tcp} E5[bh] Detected intense non-malware port scanning of 30 IPs (18 /24s) (# pkts S/M/O/I=0/0/65535/46): 22:65535, 6667:14, 16697:2, 37051:2, 39366:2, 215, 216, 217, 218, 219, 220, 221, [] MAC_Src: 00:0E:39:E0:94:00 0->0 (12:02:28.069 PST)
OUTBOUND SCAN
 208.24.243.249 (12:01:01.700 PST)
  event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 60751->22 (12:01:01.700 PST)
 208.24.246.10 (12:01:00.730 PST)
  event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 45059->22 (12:01:00.730 PST)
 208.24.246.70 (12:01:00.741 PST)
  event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 46300->22 (12:01:00.741 PST)
 208.24.243.209 (12:01:01.699 PST)
  event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 56096->22 (12:01:01.699 PST)
 208.24.243.239 (12:01:01.699 PST)
  event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 37904->22 (12:01:01.699 PST)
 208.24.245.225 (12:01:00.723 PST)
  event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 37977->22 (12:01:00.723 PST)
 208.24.246.30 (12:01:00.733 PST)
  event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 54295->22 (12:01:00.733 PST)
 208.24.243.191 (12:01:01.698 PST)
  event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 59408->22 (12:01:01.698 PST)
 208.24.246.90 (12:01:00.745 PST)
  event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 43322->22 (12:01:00.745 PST)
 208.24.245.185 (12:01:00.715 PST)
  event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 39504->22 (12:01:00.715 PST)
 208.24.243.229 (12:01:01.699 PST)
  event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 42750->22 (12:01:01.699 PST)
 208.24.245.245 (12:01:00.726 PST)
  event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 46998->22 (12:01:00.726 PST)
 208.24.243.197 (12:01:01.698 PST)
  event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 56824->22 (12:01:01.698 PST)
 208.24.246.50 (12:01:00.737 PST)
  event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 51152->22 (12:01:00.737 PST)
 208.24.243.219 (12:01:01.699 PST)
  event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 48087->22 (12:01:01.699 PST)
 208.24.246.110 (12:01:00.749 PST)
  event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 42472->22 (12:01:00.749 PST)
 208.24.245.205 (12:01:00.719 PST)
  event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 60792->22 (12:01:00.719 PST)
ATTACK PREP
PEER COORDINATION
DECLARE BOT
tcpslice 1257192060.715 1257192060.716 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.151'
============================== SEPARATOR ================================
Infected Target: 192.168.1.151
Score: 0.8 (>= 0.8)
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 11/02/2009 12:05:01.688 PST
Gen. Time: 11/02/2009 12:05:28.269 PST
INBOUND SCAN
EXPLOIT
EXPLOIT
MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
 208.24.218.99 (12:05:28.269 PST)
  event=777:7777005 {tcp} E5[bh] Detected intense non-malware port scanning of 30 IPs (18 /24s) (# pkts S/M/O/I=0/0/65535/46): 22:65535, 6667:14, 16697:2, 37051:2, 39366:2, 215, 216, 217, 218, 219, 220, 221, [] MAC_Src: 00:0E:39:E0:94:00 0->0 (12:05:28.269 PST)
OUTBOUND SCAN
 208.25.171.203 (12:05:01.690 PST)
  event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 37956->22 (12:05:01.690 PST)
 208.25.169.1 (12:05:01.689 PST)
  event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 55541->22 (12:05:01.689 PST)
 208.25.169.85 (12:05:01.692 PST)
  event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 45881->22 (12:05:01.692 PST)
 208.25.169.16 (12:05:01.691 PST)
  event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 51824->22 (12:05:01.691 PST)
 208.25.171.240 (12:05:01.690 PST)
  event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 35480->22 (12:05:01.690 PST)
 208.25.169.92 (12:05:01.692 PST)
  event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 56320->22 (12:05:01.692 PST)
 208.25.169.38 (12:05:01.691 PST)
  event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 41688->22 (12:05:01.691 PST)
 208.25.169.53 (12:05:01.692 PST)
  event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 33664->22 (12:05:01.692 PST)
 208.25.169.45 (12:05:01.691 PST)
  event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 48390->22 (12:05:01.691 PST)
 208.25.169.75 (12:05:01.692 PST)
  event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 45722->22 (12:05:01.692 PST)
 208.25.171.222 (12:05:01.690 PST)
  event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 46836->22 (12:05:01.690 PST)
 208.25.168.246 (12:05:01.689 PST)
  event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 43619->22 (12:05:01.689 PST)
 208.25.169.28 (12:05:01.691 PST)
  event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 37285->22 (12:05:01.691 PST)
 208.25.168.238 (12:05:01.689 PST)
  event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 52366->22 (12:05:01.689 PST)
 208.25.169.66 (12:05:01.692 PST)
  event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 45438->22 (12:05:01.692 PST)
 208.25.168.229 (12:05:01.688 PST)
  event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 54969->22 (12:05:01.688 PST)
 208.25.168.220 (12:05:01.688 PST)
  event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 43577->22 (12:05:01.688 PST)
ATTACK PREP
PEER COORDINATION
DECLARE BOT
tcpslice 1257192301.688 1257192301.689 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.151'
============================== SEPARATOR ================================
Infected Target: 192.168.1.151
Score: 0.8 (>= 0.8)
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 11/02/2009 12:05:01.688 PST
Gen. Time: 11/02/2009 12:09:01.688 PST
INBOUND SCAN
EXPLOIT
EXPLOIT
MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
 208.24.226.76 (12:08:28.002 PST)
  event=777:7777005 {tcp} E5[bh] Detected intense non-malware port scanning of 30 IPs (18 /24s) (# pkts S/M/O/I=0/0/65535/46): 22:65535, 6667:14, 16697:2, 37051:2, 39366:2, 215, 216, 217, 218, 219, 220, 221, [] MAC_Src: 00:0E:39:E0:94:00 0->0 (12:08:28.002 PST)
 208.24.218.99 (12:05:28.269 PST)
  event=777:7777005 {tcp} E5[bh] Detected intense non-malware port scanning of 30 IPs (18 /24s) (# pkts S/M/O/I=0/0/65535/46): 22:65535, 6667:14, 16697:2, 37051:2, 39366:2, 215, 216, 217, 218, 219, 220, 221, [] MAC_Src: 00:0E:39:E0:94:00 0->0 (12:05:28.269 PST)
 208.25.198.65 (12:06:58.082 PST)
  event=777:7777005 {tcp} E5[bh] Detected intense non-malware port scanning of 30 IPs (18 /24s) (# pkts S/M/O/I=0/0/65535/46): 22:65535, 6667:14, 16697:2, 37051:2, 39366:2, 215, 216, 217, 218, 219, 220, 221, [] MAC_Src: 00:0E:39:E0:94:00 0->0 (12:06:58.082 PST)
OUTBOUND SCAN
 208.25.171.203 (12:05:01.690 PST)
  event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 37956->22 (12:05:01.690 PST)
 208.25.169.1 (12:05:01.689 PST)
  event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 55541->22 (12:05:01.689 PST)
 208.25.169.85 (12:05:01.692 PST)
  event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 45881->22 (12:05:01.692 PST)
 208.25.169.16 (12:05:01.691 PST)
  event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 51824->22 (12:05:01.691 PST)
 208.25.171.240 (12:05:01.690 PST)
  event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 35480->22 (12:05:01.690 PST)
 208.25.169.92 (12:05:01.692 PST)
  event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 56320->22 (12:05:01.692 PST)
 208.25.169.38 (12:05:01.691 PST)
  event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 41688->22 (12:05:01.691 PST)
 208.25.169.53 (12:05:01.692 PST)
  event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 33664->22 (12:05:01.692 PST)
 208.25.169.45 (12:05:01.691 PST)
  event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 48390->22 (12:05:01.691 PST)
 208.25.169.75 (12:05:01.692 PST)
  event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 45722->22 (12:05:01.692 PST)
 208.25.171.222 (12:05:01.690 PST)
  event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 46836->22 (12:05:01.690 PST)
 208.25.168.246 (12:05:01.689 PST)
  event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 43619->22 (12:05:01.689 PST)
 208.25.169.28 (12:05:01.691 PST)
  event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 37285->22 (12:05:01.691 PST)
 208.25.168.238 (12:05:01.689 PST)
  event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 52366->22 (12:05:01.689 PST)
 208.25.169.66 (12:05:01.692 PST)
  event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 45438->22 (12:05:01.692 PST)
 208.25.168.229 (12:05:01.688 PST)
  event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 54969->22 (12:05:01.688 PST)
 208.25.168.220 (12:05:01.688 PST)
  event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 43577->22 (12:05:01.688 PST)
ATTACK PREP
PEER COORDINATION
DECLARE BOT
tcpslice 1257192301.688 1257192301.689 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.151'
============================== SEPARATOR ================================
Infected Target: 192.168.1.151
Score: 0.8 (>= 0.8)
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 11/02/2009 12:09:01.688 PST
Gen. Time: 11/02/2009 12:09:58.000 PST
INBOUND SCAN
EXPLOIT
EXPLOIT
MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
 208.25.178.5 (12:09:58.000 PST)
  event=777:7777005 {tcp} E5[bh] Detected intense non-malware port scanning of 30 IPs (18 /24s) (# pkts S/M/O/I=0/0/65535/46): 22:65535, 6667:14, 16697:2, 37051:2, 39366:2, 215, 216, 217, 218, 219, 220, 221, [] MAC_Src: 00:0E:39:E0:94:00 0->0 (12:09:58.000 PST)
OUTBOUND SCAN
 208.26.98.114 (12:09:01.690 PST)
  event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 36886->22 (12:09:01.690 PST)
 208.26.99.57 (12:09:01.694 PST)
  event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 48436->22 (12:09:01.694 PST)
 208.26.98.60 (12:09:01.689 PST)
  event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 41079->22 (12:09:01.689 PST)
 208.26.99.3 (12:09:01.693 PST)
  event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 45139->22 (12:09:01.693 PST)
 208.26.98.204 (12:09:01.691 PST)
  event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 45626->22 (12:09:01.691 PST)
 208.26.98.150 (12:09:01.690 PST)
  event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 51141->22 (12:09:01.690 PST)
 208.26.98.96 (12:09:01.689 PST)
  event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 45235->22 (12:09:01.689 PST)
 208.26.99.39 (12:09:01.693 PST)
  event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 56548->22 (12:09:01.693 PST)
 208.26.98.42 (12:09:01.688 PST)
  event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 55638->22 (12:09:01.688 PST)
 208.26.98.240 (12:09:01.692 PST)
  event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 38472->22 (12:09:01.692 PST)
 208.26.98.186 (12:09:01.691 PST)
  event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 48652->22 (12:09:01.691 PST)
 208.26.98.132 (12:09:01.690 PST)
  event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 36846->22 (12:09:01.690 PST)
 208.26.98.78 (12:09:01.689 PST)
  event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 38037->22 (12:09:01.689 PST)
 208.26.99.21 (12:09:01.693 PST)
  event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 35960->22 (12:09:01.693 PST)
 208.26.98.24 (12:09:01.688 PST)
  event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 50842->22 (12:09:01.688 PST)
 208.26.98.222 (12:09:01.692 PST)
  event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 52145->22 (12:09:01.692 PST)
 208.26.98.168 (12:09:01.691 PST)
  event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 35469->22 (12:09:01.691 PST)
ATTACK PREP
PEER COORDINATION
DECLARE BOT
tcpslice 1257192541.688 1257192541.689 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.151'
============================== SEPARATOR ================================
Infected Target: 192.168.1.151
Score: 0.8 (>= 0.8)
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 11/02/2009 12:09:01.688 PST
Gen. Time: 11/02/2009 12:13:01.838 PST
INBOUND SCAN
EXPLOIT
EXPLOIT
MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
 208.24.117.10 (12:12:58.003 PST)
  event=777:7777005 {tcp} E5[bh] Detected intense non-malware port scanning of 30 IPs (18 /24s) (# pkts S/M/O/I=0/0/65535/46): 22:65535, 6667:14, 16697:2, 37051:2, 39366:2, 215, 216, 217, 218, 219, 220, 221, [] MAC_Src: 00:0E:39:E0:94:00 0->0 (12:12:58.003 PST)
 208.25.12.250 (12:11:28.027 PST)
  event=777:7777005 {tcp} E5[bh] Detected intense non-malware port scanning of 30 IPs (18 /24s) (# pkts S/M/O/I=0/0/65535/46): 22:65535, 6667:14, 16697:2, 37051:2, 39366:2, 215, 216, 217, 218, 219, 220, 221, [] MAC_Src: 00:0E:39:E0:94:00 0->0 (12:11:28.027 PST)
 208.25.178.5 (12:09:58.000 PST)
  event=777:7777005 {tcp} E5[bh] Detected intense non-malware port scanning of 30 IPs (18 /24s) (# pkts S/M/O/I=0/0/65535/46): 22:65535, 6667:14, 16697:2, 37051:2, 39366:2, 215, 216, 217, 218, 219, 220, 221, [] MAC_Src: 00:0E:39:E0:94:00 0->0 (12:09:58.000 PST)
OUTBOUND SCAN
 208.26.98.114 (12:09:01.690 PST)
  event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 36886->22 (12:09:01.690 PST)
 208.26.99.57 (12:09:01.694 PST)
  event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 48436->22 (12:09:01.694 PST)
 208.26.98.60 (12:09:01.689 PST)
  event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 41079->22 (12:09:01.689 PST)
 208.26.99.3 (12:09:01.693 PST)
  event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 45139->22 (12:09:01.693 PST)
 208.26.98.204 (12:09:01.691 PST)
  event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 45626->22 (12:09:01.691 PST)
 208.26.98.150 (12:09:01.690 PST)
  event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 51141->22 (12:09:01.690 PST)
 208.26.98.96 (12:09:01.689 PST)
  event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 45235->22 (12:09:01.689 PST)
 208.26.99.39 (12:09:01.693 PST)
  event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 56548->22 (12:09:01.693 PST)
 208.26.98.42 (12:09:01.688 PST)
  event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 55638->22 (12:09:01.688 PST)
 208.26.98.240 (12:09:01.692 PST)
  event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 38472->22 (12:09:01.692 PST)
 208.26.98.186 (12:09:01.691 PST)
  event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 48652->22 (12:09:01.691 PST)
 208.26.98.132 (12:09:01.690 PST)
  event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 36846->22 (12:09:01.690 PST)
 208.26.98.78 (12:09:01.689 PST)
  event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 38037->22 (12:09:01.689 PST)
 208.26.99.21 (12:09:01.693 PST)
  event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 35960->22 (12:09:01.693 PST)
 208.26.98.24 (12:09:01.688 PST)
  event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 50842->22 (12:09:01.688 PST)
 208.26.98.222 (12:09:01.692 PST)
  event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 52145->22 (12:09:01.692 PST)
 208.26.98.168 (12:09:01.691 PST)
  event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 35469->22 (12:09:01.691 PST)
ATTACK PREP
PEER COORDINATION
DECLARE BOT
tcpslice 1257192541.688 1257192541.689 inputFile.tcpd | tcpdump -r - -w
outputFile.tcpd 'host 192.168.1.151' ============================== SEPARATOR ================================ Infected Target: 192.168.1.151 Score: 0.8 (>= 0.8) Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 11/02/2009 12:13:02.106 PST Gen. Time: 11/02/2009 12:14:28.010 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) 208.26.192.253 (12:14:28.010 PST) event=777:7777005 {tcp} E5[bh] Detected intense non-malware port scanning of 30 IPs (18 /24s) (# pkts S/M/O/I=0/0/65535/46): 22:65535, 6667:14, 16697:2, 37051:2, 39366:2, 215, 216, 217, 218, 219, 220, 221, [] MAC_Src: 00:0E:39:E0:94:00 0->0 (12:14:28.010 PST) OUTBOUND SCAN 208.27.20.24 (12:13:02.672 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 50626->22 (12:13:02.672 PST) 208.27.22.254 (12:13:02.671 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 36607->22 (12:13:02.671 PST) 208.27.19.240 (12:13:02.671 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 41264->22 (12:13:02.671 PST) 208.27.20.14 (12:13:02.672 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 59975->22 (12:13:02.672 PST) 208.27.20.52 (12:13:02.673 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 57572->22 (12:13:02.673 PST) 208.27.22.184 (12:13:02.670 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 58140->22 (12:13:02.670 PST) 208.27.19.246 (12:13:02.672 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 32955->22 (12:13:02.672 PST) 208.27.22.221 (12:13:02.671 PST) event=1:2001219 {tcp} 
E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 54338->22 (12:13:02.671 PST) 208.27.20.35 (12:13:02.672 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 34095->22 (12:13:02.672 PST) 208.26.65.238 (12:13:02.106 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 47011->22 (12:13:02.106 PST) 208.27.22.235 (12:13:02.671 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 53814->22 (12:13:02.671 PST) 208.26.157.253 (12:13:02.556 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 38828->22 (12:13:02.556 PST) 208.27.22.166 (12:13:02.670 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 47914->22 (12:13:02.670 PST) 208.27.20.41 (12:13:02.672 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 39918->22 (12:13:02.672 PST) 208.27.22.165 (12:13:02.670 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 36966->22 (12:13:02.670 PST) 208.27.20.2 (12:13:02.672 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 39664->22 (12:13:02.672 PST) 208.25.178.6 (12:13:02.401 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 54518->22 (12:13:02.401 PST) ATTACK PREP PEER COORDINATION DECLARE BOT tcpslice 1257192782.106 1257192782.107 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.151' ============================== SEPARATOR ================================ Infected Target: 192.168.1.151 Score: 0.8 (>= 0.8) Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 11/02/2009 12:13:02.106 PST Gen. 
Time: 11/02/2009 12:17:02.340 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) 208.25.241.16 (12:15:58.005 PST) event=777:7777005 {tcp} E5[bh] Detected intense non-malware port scanning of 30 IPs (18 /24s) (# pkts S/M/O/I=0/0/65535/46): 22:65535, 6667:14, 16697:2, 37051:2, 39366:2, 215, 216, 217, 218, 219, 220, 221, [] MAC_Src: 00:0E:39:E0:94:00 0->0 (12:15:58.005 PST) 208.26.192.253 (12:14:28.010 PST) event=777:7777005 {tcp} E5[bh] Detected intense non-malware port scanning of 30 IPs (18 /24s) (# pkts S/M/O/I=0/0/65535/46): 22:65535, 6667:14, 16697:2, 37051:2, 39366:2, 215, 216, 217, 218, 219, 220, 221, [] MAC_Src: 00:0E:39:E0:94:00 0->0 (12:14:28.010 PST) OUTBOUND SCAN 208.27.20.24 (12:13:02.672 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 50626->22 (12:13:02.672 PST) 208.27.22.254 (12:13:02.671 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 36607->22 (12:13:02.671 PST) 208.27.19.240 (12:13:02.671 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 41264->22 (12:13:02.671 PST) 208.27.20.14 (12:13:02.672 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 59975->22 (12:13:02.672 PST) 208.27.20.52 (12:13:02.673 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 57572->22 (12:13:02.673 PST) 208.27.22.184 (12:13:02.670 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 58140->22 (12:13:02.670 PST) 208.27.19.246 (12:13:02.672 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 32955->22 (12:13:02.672 PST) 208.27.22.221 (12:13:02.671 PST) event=1:2001219 {tcp} 
E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 54338->22 (12:13:02.671 PST) 208.27.20.35 (12:13:02.672 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 34095->22 (12:13:02.672 PST) 208.26.65.238 (12:13:02.106 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 47011->22 (12:13:02.106 PST) 208.27.22.235 (12:13:02.671 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 53814->22 (12:13:02.671 PST) 208.26.157.253 (12:13:02.556 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 38828->22 (12:13:02.556 PST) 208.27.22.166 (12:13:02.670 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 47914->22 (12:13:02.670 PST) 208.27.20.41 (12:13:02.672 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 39918->22 (12:13:02.672 PST) 208.27.22.165 (12:13:02.670 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 36966->22 (12:13:02.670 PST) 208.27.20.2 (12:13:02.672 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 39664->22 (12:13:02.672 PST) 208.25.178.6 (12:13:02.401 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 54518->22 (12:13:02.401 PST) ATTACK PREP PEER COORDINATION DECLARE BOT tcpslice 1257192782.106 1257192782.107 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.151' ============================== SEPARATOR ================================ Infected Target: 192.168.1.151 Score: 0.8 (>= 0.8) Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 11/02/2009 12:17:02.624 PST Gen. 
Time: 11/02/2009 12:17:28.036 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) 208.25.178.246 (12:17:28.036 PST) event=777:7777005 {tcp} E5[bh] Detected intense non-malware port scanning of 30 IPs (18 /24s) (# pkts S/M/O/I=0/0/65535/46): 22:65535, 6667:14, 16697:2, 37051:2, 39366:2, 215, 216, 217, 218, 219, 220, 221, [] MAC_Src: 00:0E:39:E0:94:00 0->0 (12:17:28.036 PST) OUTBOUND SCAN 208.27.216.26 (12:17:02.664 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 55468->22 (12:17:02.664 PST) 208.27.218.158 (12:17:02.662 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 52667->22 (12:17:02.662 PST) 208.27.218.119 (12:17:02.659 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 42109->22 (12:17:02.659 PST) 208.27.215.227 (12:17:02.662 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 43456->22 (12:17:02.662 PST) 208.27.218.95 (12:17:02.663 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 50907->22 (12:17:02.663 PST) 208.27.218.102 (12:17:02.659 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 55453->22 (12:17:02.659 PST) 208.27.218.140 (12:17:02.661 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 55602->22 (12:17:02.661 PST) 208.27.215.210 (12:17:02.661 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 60460->22 (12:17:02.661 PST) 208.27.216.15 (12:17:02.664 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 37473->22 (12:17:02.664 PST) 
208.27.218.85 (12:17:02.658 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 36163->22 (12:17:02.658 PST) 208.27.218.100 (12:17:02.664 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 38282->22 (12:17:02.664 PST) 208.27.218.161 (12:17:02.662 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 53732->22 (12:17:02.662 PST) 208.27.218.176 (12:17:02.663 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 59507->22 (12:17:02.663 PST) 208.27.218.84 (12:17:02.661 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 37783->22 (12:17:02.661 PST) 208.27.215.246 (12:17:02.663 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 57968->22 (12:17:02.663 PST) 208.27.215.253 (12:17:02.663 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 53902->22 (12:17:02.663 PST) 208.26.113.169 (12:17:02.624 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 43459->22 (12:17:02.624 PST) ATTACK PREP PEER COORDINATION DECLARE BOT tcpslice 1257193022.624 1257193022.625 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.151' ============================== SEPARATOR ================================ Infected Target: 192.168.1.151 Score: 1.6 (>= 0.8) Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 11/02/2009 12:17:02.624 PST Gen. 
Time: 11/02/2009 12:21:02.647 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) 208.25.178.246 (12:17:28.036 PST) event=777:7777005 {tcp} E5[bh] Detected intense non-malware port scanning of 30 IPs (18 /24s) (# pkts S/M/O/I=0/0/65535/46): 22:65535, 6667:14, 16697:2, 37051:2, 39366:2, 215, 216, 217, 218, 219, 220, 221, [] MAC_Src: 00:0E:39:E0:94:00 0->0 (12:17:28.036 PST) 208.26.113.164 (12:18:58.013 PST) event=777:7777005 {tcp} E5[bh] Detected intense non-malware port scanning of 30 IPs (18 /24s) (# pkts S/M/O/I=0/0/65535/46): 22:65535, 6667:14, 16697:2, 37051:2, 39366:2, 215, 216, 217, 218, 219, 220, 221, [] MAC_Src: 00:0E:39:E0:94:00 0->0 (12:18:58.013 PST) 208.25.6.200 (12:20:28.016 PST) event=777:7777005 {tcp} E5[bh] Detected intense non-malware port scanning of 30 IPs (18 /24s) (# pkts S/M/O/I=0/0/65535/46): 22:65535, 6667:14, 16697:2, 37051:2, 39366:2, 215, 216, 217, 218, 219, 220, 221, [] MAC_Src: 00:0E:39:E0:94:00 0->0 (12:20:28.016 PST) OUTBOUND SCAN 208.27.216.26 (12:17:02.664 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 55468->22 (12:17:02.664 PST) 208.27.218.158 (12:17:02.662 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 52667->22 (12:17:02.662 PST) 208.27.218.119 (12:17:02.659 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 42109->22 (12:17:02.659 PST) 208.27.215.227 (12:17:02.662 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 43456->22 (12:17:02.662 PST) 208.27.218.95 (12:17:02.663 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 50907->22 (12:17:02.663 PST) 208.27.218.102 (12:17:02.659 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH 
Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 55453->22 (12:17:02.659 PST) 208.27.218.140 (12:17:02.661 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 55602->22 (12:17:02.661 PST) 208.27.215.210 (12:17:02.661 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 60460->22 (12:17:02.661 PST) 208.27.216.15 (12:17:02.664 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 37473->22 (12:17:02.664 PST) 208.27.218.85 (12:17:02.658 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 36163->22 (12:17:02.658 PST) 208.27.218.100 (12:17:02.664 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 38282->22 (12:17:02.664 PST) 208.27.218.161 (12:17:02.662 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 53732->22 (12:17:02.662 PST) 208.27.218.176 (12:17:02.663 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 59507->22 (12:17:02.663 PST) 208.27.218.84 (12:17:02.661 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 37783->22 (12:17:02.661 PST) 208.27.215.246 (12:17:02.663 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 57968->22 (12:17:02.663 PST) 208.27.215.253 (12:17:02.663 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 53902->22 (12:17:02.663 PST) 208.26.113.169 (12:17:02.624 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 43459->22 (12:17:02.624 PST) ATTACK PREP PEER COORDINATION DECLARE BOT 208.28.98.208 (12:20:08.664 PST) event=1:3810005 
{tcp} E8[rb] ET ShadowServer confirmed botnet control server, [] MAC_Src: 00:0E:39:E0:94:00 47634->22 (12:20:08.664 PST) tcpslice 1257193022.624 1257193022.625 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.151' ============================== SEPARATOR ================================ Infected Target: 192.168.1.151 Score: 0.8 (>= 0.8) Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 11/02/2009 12:21:02.648 PST Gen. Time: 11/02/2009 12:21:58.008 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) 208.25.247.120 (12:21:58.008 PST) event=777:7777005 {tcp} E5[bh] Detected intense non-malware port scanning of 30 IPs (18 /24s) (# pkts S/M/O/I=0/0/65535/46): 22:65535, 6667:14, 16697:2, 37051:2, 39366:2, 215, 216, 217, 218, 219, 220, 221, [] MAC_Src: 00:0E:39:E0:94:00 0->0 (12:21:58.008 PST) OUTBOUND SCAN 208.28.138.68 (12:21:02.648 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 34046->22 (12:21:02.648 PST) 208.28.138.106 (12:21:02.650 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 48452->22 (12:21:02.650 PST) 208.28.138.159 (12:21:02.651 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 45798->22 (12:21:02.651 PST) 208.28.141.81 (12:21:02.650 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 60062->22 (12:21:02.650 PST) 208.28.138.128 (12:21:02.650 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 39683->22 (12:21:02.650 PST) 208.28.138.188 (12:21:02.653 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 35057->22 (12:21:02.653 PST) 208.28.141.64 
(12:21:02.650 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 33556->22 (12:21:02.650 PST) 208.28.138.96 (12:21:02.649 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 39949->22 (12:21:02.649 PST) 208.28.138.149 (12:21:02.651 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 36949->22 (12:21:02.651 PST) 208.28.138.140 (12:21:02.650 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 35319->22 (12:21:02.650 PST) 208.28.138.86 (12:21:02.649 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 38442->22 (12:21:02.649 PST) 208.28.141.92 (12:21:02.652 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 38616->22 (12:21:02.652 PST) 208.28.138.78 (12:21:02.648 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 43368->22 (12:21:02.648 PST) 208.28.141.84 (12:21:02.651 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 40938->22 (12:21:02.651 PST) 208.28.138.116 (12:21:02.650 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 47433->22 (12:21:02.650 PST) 208.28.141.45 (12:21:02.649 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 37991->22 (12:21:02.649 PST) 208.28.138.176 (12:21:02.651 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 44721->22 (12:21:02.651 PST) ATTACK PREP PEER COORDINATION DECLARE BOT tcpslice 1257193262.648 1257193262.649 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.151' ============================== SEPARATOR 
================================ Infected Target: 192.168.1.151 Score: 0.8 (>= 0.8) Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 11/02/2009 12:21:02.648 PST Gen. Time: 11/02/2009 12:25:02.655 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) 208.25.178.5 (12:23:28.000 PST) event=777:7777005 {tcp} E5[bh] Detected intense non-malware port scanning of 30 IPs (18 /24s) (# pkts S/M/O/I=0/0/65535/46): 22:65535, 6667:14, 16697:2, 37051:2, 39366:2, 215, 216, 217, 218, 219, 220, 221, [] MAC_Src: 00:0E:39:E0:94:00 0->0 (12:23:28.000 PST) 208.25.247.120 (12:21:58.008 PST) event=777:7777005 {tcp} E5[bh] Detected intense non-malware port scanning of 30 IPs (18 /24s) (# pkts S/M/O/I=0/0/65535/46): 22:65535, 6667:14, 16697:2, 37051:2, 39366:2, 215, 216, 217, 218, 219, 220, 221, [] MAC_Src: 00:0E:39:E0:94:00 0->0 (12:21:58.008 PST) 208.27.113.173 (12:24:58.000 PST) event=777:7777005 {tcp} E5[bh] Detected intense non-malware port scanning of 30 IPs (18 /24s) (# pkts S/M/O/I=0/0/65535/46): 22:65535, 6667:14, 16697:2, 37051:2, 39366:2, 215, 216, 217, 218, 219, 220, 221, [] MAC_Src: 00:0E:39:E0:94:00 0->0 (12:24:58.000 PST) OUTBOUND SCAN 208.28.138.68 (12:21:02.648 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 34046->22 (12:21:02.648 PST) 208.28.138.106 (12:21:02.650 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 48452->22 (12:21:02.650 PST) 208.28.138.159 (12:21:02.651 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 45798->22 (12:21:02.651 PST) 208.28.141.81 (12:21:02.650 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 60062->22 (12:21:02.650 PST) 208.28.138.128 (12:21:02.650 PST) 
event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 39683->22 (12:21:02.650 PST) 208.28.138.188 (12:21:02.653 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 35057->22 (12:21:02.653 PST) 208.28.141.64 (12:21:02.650 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 33556->22 (12:21:02.650 PST) 208.28.138.96 (12:21:02.649 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 39949->22 (12:21:02.649 PST) 208.28.138.149 (12:21:02.651 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 36949->22 (12:21:02.651 PST) 208.28.138.140 (12:21:02.650 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 35319->22 (12:21:02.650 PST) 208.28.138.86 (12:21:02.649 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 38442->22 (12:21:02.649 PST) 208.28.141.92 (12:21:02.652 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 38616->22 (12:21:02.652 PST) 208.28.138.78 (12:21:02.648 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 43368->22 (12:21:02.648 PST) 208.28.141.84 (12:21:02.651 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 40938->22 (12:21:02.651 PST) 208.28.138.116 (12:21:02.650 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 47433->22 (12:21:02.650 PST) 208.28.141.45 (12:21:02.649 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 37991->22 (12:21:02.649 PST) 208.28.138.176 (12:21:02.651 PST) 
event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 44721->22 (12:21:02.651 PST) ATTACK PREP PEER COORDINATION DECLARE BOT tcpslice 1257193262.648 1257193262.649 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.151' ============================== SEPARATOR ================================ Infected Target: 192.168.1.151 Score: 0.8 (>= 0.8) Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 11/02/2009 12:25:02.744 PST Gen. Time: 11/02/2009 12:26:28.000 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) 208.27.69.13 (12:26:28.000 PST) event=777:7777005 {tcp} E5[bh] Detected intense non-malware port scanning of 30 IPs (18 /24s) (# pkts S/M/O/I=0/0/65535/46): 22:65535, 6667:14, 16697:2, 37051:2, 39366:2, 215, 216, 217, 218, 219, 220, 221, [] MAC_Src: 00:0E:39:E0:94:00 0->0 (12:26:28.000 PST) OUTBOUND SCAN 208.28.184.22 (12:25:02.962 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 60271->22 (12:25:02.962 PST) 208.29.56.136 (12:25:03.639 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 35400->22 (12:25:03.639 PST) 208.28.184.44 (12:25:03.458 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 54997->22 (12:25:03.458 PST) 208.29.56.196 (12:25:03.642 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 41207->22 (12:25:03.642 PST) 208.28.202.203 (12:25:02.810 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 60091->22 (12:25:02.810 PST) 208.28.69.249 (12:25:03.633 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 
54036->22 (12:25:03.633 PST) 208.29.53.165 (12:25:03.643 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 43512->22 (12:25:03.643 PST) 208.29.56.179 (12:25:03.641 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 55414->22 (12:25:03.641 PST) 208.29.53.172 (12:25:03.643 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 36632->22 (12:25:03.643 PST) 208.29.56.140 (12:25:03.637 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 41117->22 (12:25:03.637 PST) 208.28.184.217 (12:25:02.864 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 44842->22 (12:25:02.864 PST) 208.28.184.201 (12:25:03.380 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 47382->22 (12:25:03.380 PST) 208.28.64.254 (2) (12:25:03.105 PST) event=1:2001219 (2) {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 52475->22 (12:25:03.105 PST) 52495->22 (12:25:03.291 PST) 208.27.35.204 (12:25:02.744 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 48791->22 (12:25:02.744 PST) 208.29.56.161 (12:25:03.641 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 36870->22 (12:25:03.641 PST) 208.28.184.38 (12:25:03.171 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 37101->22 (12:25:03.171 PST) ATTACK PREP PEER COORDINATION DECLARE BOT tcpslice 1257193502.744 1257193502.745 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.151' ============================== SEPARATOR ================================ Infected Target: 192.168.1.151 Score: 0.8 (>= 0.8) 
Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 11/02/2009 12:25:02.744 PST Gen. Time: 11/02/2009 12:29:02.806 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) 208.27.69.13 (12:26:28.000 PST) event=777:7777005 {tcp} E5[bh] Detected intense non-malware port scanning of 30 IPs (18 /24s) (# pkts S/M/O/I=0/0/65535/46): 22:65535, 6667:14, 16697:2, 37051:2, 39366:2, 215, 216, 217, 218, 219, 220, 221, [] MAC_Src: 00:0E:39:E0:94:00 0->0 (12:26:28.000 PST) 208.26.195.69 (12:27:58.004 PST) event=777:7777005 {tcp} E5[bh] Detected intense non-malware port scanning of 30 IPs (18 /24s) (# pkts S/M/O/I=0/0/65535/46): 22:65535, 6667:14, 16697:2, 37051:2, 39366:2, 215, 216, 217, 218, 219, 220, 221, [] MAC_Src: 00:0E:39:E0:94:00 0->0 (12:27:58.004 PST) OUTBOUND SCAN 208.28.184.22 (12:25:02.962 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 60271->22 (12:25:02.962 PST) 208.29.56.136 (12:25:03.639 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 35400->22 (12:25:03.639 PST) 208.28.184.44 (12:25:03.458 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 54997->22 (12:25:03.458 PST) 208.29.56.196 (12:25:03.642 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 41207->22 (12:25:03.642 PST) 208.28.202.203 (12:25:02.810 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 60091->22 (12:25:02.810 PST) 208.28.69.249 (12:25:03.633 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 54036->22 (12:25:03.633 PST) 208.29.53.165 (12:25:03.643 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan 
(20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 43512->22 (12:25:03.643 PST) 208.29.56.179 (12:25:03.641 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 55414->22 (12:25:03.641 PST) 208.29.53.172 (12:25:03.643 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 36632->22 (12:25:03.643 PST) 208.29.56.140 (12:25:03.637 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 41117->22 (12:25:03.637 PST) 208.28.184.217 (12:25:02.864 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 44842->22 (12:25:02.864 PST) 208.28.184.201 (12:25:03.380 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 47382->22 (12:25:03.380 PST) 208.28.64.254 (2) (12:25:03.105 PST) event=1:2001219 (2) {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 52475->22 (12:25:03.105 PST) 52495->22 (12:25:03.291 PST) 208.27.35.204 (12:25:02.744 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 48791->22 (12:25:02.744 PST) 208.29.56.161 (12:25:03.641 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 36870->22 (12:25:03.641 PST) 208.28.184.38 (12:25:03.171 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 37101->22 (12:25:03.171 PST) ATTACK PREP PEER COORDINATION DECLARE BOT tcpslice 1257193502.744 1257193502.745 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.151' ============================== SEPARATOR ================================ Infected Target: 192.168.1.151 Score: 0.8 (>= 0.8) Infector List: Egg Source List: C & C List: Peer Coord. 
List: Resource List: Observed Start: 11/02/2009 12:29:02.878 PST Gen. Time: 11/02/2009 12:29:28.012 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) 208.28.128.203 (12:29:28.012 PST) event=777:7777005 {tcp} E5[bh] Detected intense non-malware port scanning of 30 IPs (18 /24s) (# pkts S/M/O/I=0/0/65535/46): 22:65535, 6667:14, 16697:2, 37051:2, 39366:2, 215, 216, 217, 218, 219, 220, 221, [] MAC_Src: 00:0E:39:E0:94:00 0->0 (12:29:28.012 PST) OUTBOUND SCAN 208.28.69.252 (12:29:03.009 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 60928->22 (12:29:03.009 PST) 208.29.249.100 (12:29:03.631 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 46423->22 (12:29:03.631 PST) 208.28.184.28 (12:29:03.073 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 48556->22 (12:29:03.073 PST) 208.26.65.35 (12:29:02.936 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 47081->22 (12:29:02.936 PST) 208.28.154.156 (12:29:03.357 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 52731->22 (12:29:03.357 PST) 208.27.113.172 (12:29:03.586 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 33281->22 (12:29:03.586 PST) 208.25.178.79 (12:29:03.317 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 57941->22 (12:29:03.317 PST) 208.29.249.51 (12:29:03.629 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 41779->22 (12:29:03.629 PST) 208.29.249.66 (12:29:03.632 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), 
[] MAC_Src: 00:A0:8E:BB:59:15 54595->22 (12:29:03.632 PST) 208.28.0.178 (12:29:03.476 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 52169->22 (12:29:03.476 PST) 208.28.184.63 (12:29:02.878 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 53664->22 (12:29:02.878 PST) 208.27.127.166 (12:29:03.241 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 52258->22 (12:29:03.241 PST) 208.29.249.50 (12:29:03.629 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 46303->22 (12:29:03.629 PST) 208.26.113.163 (12:29:03.185 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 56236->22 (12:29:03.185 PST) 208.27.113.161 (12:29:03.527 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 52959->22 (12:29:03.527 PST) 208.29.249.56 (12:29:03.630 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 60193->22 (12:29:03.630 PST) 208.26.113.8 (12:29:03.154 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 54432->22 (12:29:03.154 PST) ATTACK PREP PEER COORDINATION DECLARE BOT tcpslice 1257193742.878 1257193742.879 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.151' ============================== SEPARATOR ================================ Infected Target: 192.168.1.151 Score: 0.8 (>= 0.8) Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 11/02/2009 12:29:02.878 PST Gen. 
Time: 11/02/2009 12:33:02.953 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) 208.29.146.245 (12:30:58.001 PST) event=777:7777005 {tcp} E5[bh] Detected intense non-malware port scanning of 30 IPs (18 /24s) (# pkts S/M/O/I=0/0/65535/46): 22:65535, 6667:14, 16697:2, 37051:2, 39366:2, 215, 216, 217, 218, 219, 220, 221, [] MAC_Src: 00:0E:39:E0:94:00 0->0 (12:30:58.001 PST) 208.29.144.253 (12:32:28.010 PST) event=777:7777005 {tcp} E5[bh] Detected intense non-malware port scanning of 30 IPs (18 /24s) (# pkts S/M/O/I=0/0/65535/46): 22:65535, 6667:14, 16697:2, 37051:2, 39366:2, 215, 216, 217, 218, 219, 220, 221, [] MAC_Src: 00:0E:39:E0:94:00 0->0 (12:32:28.010 PST) 208.28.128.203 (12:29:28.012 PST) event=777:7777005 {tcp} E5[bh] Detected intense non-malware port scanning of 30 IPs (18 /24s) (# pkts S/M/O/I=0/0/65535/46): 22:65535, 6667:14, 16697:2, 37051:2, 39366:2, 215, 216, 217, 218, 219, 220, 221, [] MAC_Src: 00:0E:39:E0:94:00 0->0 (12:29:28.012 PST) OUTBOUND SCAN 208.28.69.252 (12:29:03.009 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 60928->22 (12:29:03.009 PST) 208.29.249.100 (12:29:03.631 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 46423->22 (12:29:03.631 PST) 208.28.184.28 (12:29:03.073 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 48556->22 (12:29:03.073 PST) 208.26.65.35 (12:29:02.936 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 47081->22 (12:29:02.936 PST) 208.28.154.156 (12:29:03.357 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 52731->22 (12:29:03.357 PST) 208.27.113.172 (12:29:03.586 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH 
Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 33281->22 (12:29:03.586 PST) 208.25.178.79 (12:29:03.317 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 57941->22 (12:29:03.317 PST) 208.29.249.51 (12:29:03.629 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 41779->22 (12:29:03.629 PST) 208.29.249.66 (12:29:03.632 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 54595->22 (12:29:03.632 PST) 208.28.0.178 (12:29:03.476 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 52169->22 (12:29:03.476 PST) 208.28.184.63 (12:29:02.878 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 53664->22 (12:29:02.878 PST) 208.27.127.166 (12:29:03.241 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 52258->22 (12:29:03.241 PST) 208.29.249.50 (12:29:03.629 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 46303->22 (12:29:03.629 PST) 208.26.113.163 (12:29:03.185 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 56236->22 (12:29:03.185 PST) 208.27.113.161 (12:29:03.527 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 52959->22 (12:29:03.527 PST) 208.29.249.56 (12:29:03.630 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 60193->22 (12:29:03.630 PST) 208.26.113.8 (12:29:03.154 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 54432->22 (12:29:03.154 PST) ATTACK PREP PEER COORDINATION DECLARE BOT tcpslice 1257193742.878 1257193742.879 inputFile.tcpd | 
tcpdump -r - -w outputFile.tcpd 'host 192.168.1.151' ============================== SEPARATOR ================================ Infected Target: 192.168.1.151 Score: 0.8 (>= 0.8) Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 11/02/2009 12:33:03.010 PST Gen. Time: 11/02/2009 12:33:58.001 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) 208.29.195.15 (12:33:58.001 PST) event=777:7777005 {tcp} E5[bh] Detected intense non-malware port scanning of 30 IPs (18 /24s) (# pkts S/M/O/I=0/0/65535/46): 22:65535, 6667:14, 16697:2, 37051:2, 39366:2, 215, 216, 217, 218, 219, 220, 221, [] MAC_Src: 00:0E:39:E0:94:00 0->0 (12:33:58.001 PST) OUTBOUND SCAN 208.26.113.161 (12:33:03.487 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 58820->22 (12:33:03.487 PST) 208.29.194.29 (12:33:03.082 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 37300->22 (12:33:03.082 PST) 208.28.69.252 (12:33:03.191 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 36603->22 (12:33:03.191 PST) 208.27.117.154 (12:33:03.457 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 35443->22 (12:33:03.457 PST) 208.30.166.41 (12:33:03.619 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 58918->22 (12:33:03.619 PST) 208.30.166.56 (12:33:03.620 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 36805->22 (12:33:03.620 PST) 208.30.163.34 (12:33:03.626 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 32946->22 (12:33:03.626 PST) 208.30.163.56 (12:33:03.626 PST) 
event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 43629->22 (12:33:03.626 PST) 208.30.166.62 (12:33:03.622 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 48835->22 (12:33:03.622 PST) 208.27.119.69 (12:33:03.308 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 59487->22 (12:33:03.308 PST) 208.30.163.47 (12:33:03.626 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 37514->22 (12:33:03.626 PST) 208.29.201.126 (12:33:03.153 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 56495->22 (12:33:03.153 PST) 208.28.41.216 (12:33:03.251 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 48602->22 (12:33:03.251 PST) 208.29.200.82 (12:33:03.010 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 39027->22 (12:33:03.010 PST) 208.27.113.161 (12:33:03.597 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 36733->22 (12:33:03.597 PST) 208.28.88.12 (12:33:03.565 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 49789->22 (12:33:03.565 PST) 208.29.168.223 (12:33:03.382 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 52924->22 (12:33:03.382 PST) ATTACK PREP PEER COORDINATION DECLARE BOT tcpslice 1257193983.010 1257193983.011 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.151' ============================== SEPARATOR ================================ Infected Target: 192.168.1.151 Score: 0.8 (>= 0.8) Infector List: Egg Source List: C & C List: Peer Coord. 
List: Resource List: Observed Start: 11/02/2009 12:33:03.010 PST Gen. Time: 11/02/2009 12:37:03.028 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) 208.28.202.203 (12:35:28.001 PST) event=777:7777005 {tcp} E5[bh] Detected intense non-malware port scanning of 30 IPs (18 /24s) (# pkts S/M/O/I=0/0/65535/46): 22:65535, 6667:14, 16697:2, 37051:2, 39366:2, 215, 216, 217, 218, 219, 220, 221, [] MAC_Src: 00:0E:39:E0:94:00 0->0 (12:35:28.001 PST) 208.29.201.126 (12:36:58.001 PST) event=777:7777005 {tcp} E5[bh] Detected intense non-malware port scanning of 30 IPs (18 /24s) (# pkts S/M/O/I=0/0/65535/46): 22:65535, 6667:14, 16697:2, 37051:2, 39366:2, 215, 216, 217, 218, 219, 220, 221, [] MAC_Src: 00:0E:39:E0:94:00 0->0 (12:36:58.001 PST) 208.29.195.15 (12:33:58.001 PST) event=777:7777005 {tcp} E5[bh] Detected intense non-malware port scanning of 30 IPs (18 /24s) (# pkts S/M/O/I=0/0/65535/46): 22:65535, 6667:14, 16697:2, 37051:2, 39366:2, 215, 216, 217, 218, 219, 220, 221, [] MAC_Src: 00:0E:39:E0:94:00 0->0 (12:33:58.001 PST) OUTBOUND SCAN 208.26.113.161 (12:33:03.487 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 58820->22 (12:33:03.487 PST) 208.29.194.29 (12:33:03.082 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 37300->22 (12:33:03.082 PST) 208.28.69.252 (12:33:03.191 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 36603->22 (12:33:03.191 PST) 208.27.117.154 (12:33:03.457 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 35443->22 (12:33:03.457 PST) 208.30.166.41 (12:33:03.619 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 58918->22 (12:33:03.619 PST) 208.30.166.56 
(12:33:03.620 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 36805->22 (12:33:03.620 PST) 208.30.163.34 (12:33:03.626 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 32946->22 (12:33:03.626 PST) 208.30.163.56 (12:33:03.626 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 43629->22 (12:33:03.626 PST) 208.30.166.62 (12:33:03.622 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 48835->22 (12:33:03.622 PST) 208.27.119.69 (12:33:03.308 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 59487->22 (12:33:03.308 PST) 208.30.163.47 (12:33:03.626 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 37514->22 (12:33:03.626 PST) 208.29.201.126 (12:33:03.153 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 56495->22 (12:33:03.153 PST) 208.28.41.216 (12:33:03.251 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 48602->22 (12:33:03.251 PST) 208.29.200.82 (12:33:03.010 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 39027->22 (12:33:03.010 PST) 208.27.113.161 (12:33:03.597 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 36733->22 (12:33:03.597 PST) 208.28.88.12 (12:33:03.565 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 49789->22 (12:33:03.565 PST) 208.29.168.223 (12:33:03.382 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 52924->22 (12:33:03.382 PST) ATTACK PREP PEER COORDINATION 
DECLARE BOT tcpslice 1257193983.010 1257193983.011 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.151' ============================== SEPARATOR ================================ Infected Target: 192.168.1.151 Score: 0.8 (>= 0.8) Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 11/02/2009 12:37:03.050 PST Gen. Time: 11/02/2009 12:38:28.001 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) 208.28.184.201 (12:38:28.001 PST) event=777:7777005 {tcp} E5[bh] Detected intense non-malware port scanning of 30 IPs (18 /24s) (# pkts S/M/O/I=0/0/65535/46): 22:65535, 6667:14, 16697:2, 37051:2, 39366:2, 215, 216, 217, 218, 219, 220, 221, [] MAC_Src: 00:0E:39:E0:94:00 0->0 (12:38:28.001 PST) OUTBOUND SCAN 208.28.34.12 (12:37:03.581 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 46919->22 (12:37:03.581 PST) 208.31.90.254 (12:37:03.070 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 48975->22 (12:37:03.070 PST) 208.29.194.13 (12:37:03.501 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 46778->22 (12:37:03.501 PST) 208.29.187.248 (12:37:03.050 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 53189->22 (12:37:03.050 PST) 208.31.91.12 (12:37:03.205 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 51549->22 (12:37:03.205 PST) 208.27.113.158 (12:37:03.285 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 36920->22 (12:37:03.285 PST) 208.31.91.4 (12:37:03.133 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 
59261->22 (12:37:03.133 PST) 208.29.238.2 (12:37:03.235 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 39548->22 (12:37:03.235 PST) 208.28.69.249 (12:37:03.208 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 43078->22 (12:37:03.208 PST) 208.28.69.248 (12:37:03.548 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 47530->22 (12:37:03.548 PST) 208.29.168.195 (12:37:03.421 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 59791->22 (12:37:03.421 PST) 208.31.91.32 (12:37:03.613 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 48717->22 (12:37:03.613 PST) 208.31.91.24 (12:37:03.249 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 60534->22 (12:37:03.249 PST) 208.30.80.173 (12:37:03.374 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 47005->22 (12:37:03.374 PST) 208.29.168.231 (12:37:03.454 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 44630->22 (12:37:03.454 PST) 208.29.194.160 (12:37:03.342 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 48251->22 (12:37:03.342 PST) 208.29.16.165 (12:37:03.155 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 44696->22 (12:37:03.155 PST) ATTACK PREP PEER COORDINATION DECLARE BOT tcpslice 1257194223.050 1257194223.051 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.151' ============================== SEPARATOR ================================ Infected Target: 192.168.1.151 Score: 0.8 (>= 0.8) Infector List: Egg Source List: C & C List: 
Peer Coord. List: Resource List: Observed Start: 11/02/2009 12:37:03.050 PST Gen. Time: 11/02/2009 12:41:03.058 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) 208.28.184.48 (12:39:58.000 PST) event=777:7777005 {tcp} E5[bh] Detected intense non-malware port scanning of 30 IPs (18 /24s) (# pkts S/M/O/I=0/0/65535/46): 22:65535, 6667:14, 16697:2, 37051:2, 39366:2, 215, 216, 217, 218, 219, 220, 221, [] MAC_Src: 00:0E:39:E0:94:00 0->0 (12:39:58.000 PST) 208.28.184.201 (12:38:28.001 PST) event=777:7777005 {tcp} E5[bh] Detected intense non-malware port scanning of 30 IPs (18 /24s) (# pkts S/M/O/I=0/0/65535/46): 22:65535, 6667:14, 16697:2, 37051:2, 39366:2, 215, 216, 217, 218, 219, 220, 221, [] MAC_Src: 00:0E:39:E0:94:00 0->0 (12:38:28.001 PST) OUTBOUND SCAN 208.28.34.12 (12:37:03.581 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 46919->22 (12:37:03.581 PST) 208.31.90.254 (12:37:03.070 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 48975->22 (12:37:03.070 PST) 208.29.194.13 (12:37:03.501 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 46778->22 (12:37:03.501 PST) 208.29.187.248 (12:37:03.050 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 53189->22 (12:37:03.050 PST) 208.31.91.12 (12:37:03.205 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 51549->22 (12:37:03.205 PST) 208.27.113.158 (12:37:03.285 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 36920->22 (12:37:03.285 PST) 208.31.91.4 (12:37:03.133 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 
59261->22 (12:37:03.133 PST) 208.29.238.2 (12:37:03.235 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 39548->22 (12:37:03.235 PST) 208.28.69.249 (12:37:03.208 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 43078->22 (12:37:03.208 PST) 208.28.69.248 (12:37:03.548 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 47530->22 (12:37:03.548 PST) 208.29.168.195 (12:37:03.421 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 59791->22 (12:37:03.421 PST) 208.31.91.32 (12:37:03.613 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 48717->22 (12:37:03.613 PST) 208.31.91.24 (12:37:03.249 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 60534->22 (12:37:03.249 PST) 208.30.80.173 (12:37:03.374 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 47005->22 (12:37:03.374 PST) 208.29.168.231 (12:37:03.454 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 44630->22 (12:37:03.454 PST) 208.29.194.160 (12:37:03.342 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 48251->22 (12:37:03.342 PST) 208.29.16.165 (12:37:03.155 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 44696->22 (12:37:03.155 PST) ATTACK PREP PEER COORDINATION DECLARE BOT tcpslice 1257194223.050 1257194223.051 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.151' ============================== SEPARATOR ================================ Infected Target: 192.168.1.151 Score: 0.8 (>= 0.8) Infector List: Egg Source List: C & C List: 
Peer Coord. List: Resource List: Observed Start: 11/02/2009 12:41:03.095 PST Gen. Time: 11/02/2009 12:41:28.000 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) 208.29.195.17 (12:41:28.000 PST) event=777:7777005 {tcp} E5[bh] Detected intense non-malware port scanning of 30 IPs (18 /24s) (# pkts S/M/O/I=0/0/65535/46): 22:65535, 6667:14, 16697:2, 37051:2, 39366:2, 215, 216, 217, 218, 219, 220, 221, [] MAC_Src: 00:0E:39:E0:94:00 0->0 (12:41:28.000 PST) OUTBOUND SCAN 208.29.217.98 (12:41:03.095 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 59726->22 (12:41:03.095 PST) 208.29.194.21 (12:41:03.123 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 37511->22 (12:41:03.123 PST) 208.28.184.6 (12:41:03.337 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 43610->22 (12:41:03.337 PST) 208.25.247.120 (12:41:03.163 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 45842->22 (12:41:03.163 PST) 208.28.202.204 (12:41:03.534 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 35908->22 (12:41:03.534 PST) 208.31.35.64 (12:41:03.426 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 57914->22 (12:41:03.426 PST) 208.32.16.219 (12:41:03.602 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 59231->22 (12:41:03.602 PST) 208.27.35.207 (12:41:03.561 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 55498->22 (12:41:03.561 PST) 208.26.20.253 (12:41:03.603 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 
secs), [] MAC_Src: 00:0E:39:E0:94:00 59293->22 (12:41:03.603 PST) 208.32.17.1 (12:41:03.603 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 43560->22 (12:41:03.603 PST) 208.31.142.26 (12:41:03.302 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 36320->22 (12:41:03.302 PST) 208.27.69.34 (12:41:03.405 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 46533->22 (12:41:03.405 PST) 208.30.80.173 (12:41:03.243 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 52010->22 (12:41:03.243 PST) 208.29.194.23 (12:41:03.474 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 35867->22 (12:41:03.474 PST) 208.32.16.238 (12:41:03.603 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 32936->22 (12:41:03.603 PST) 208.28.184.15 (12:41:03.196 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 33688->22 (12:41:03.196 PST) 208.27.113.137 (12:41:03.507 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 45878->22 (12:41:03.507 PST) ATTACK PREP PEER COORDINATION DECLARE BOT tcpslice 1257194463.095 1257194463.096 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.151' ============================== SEPARATOR ================================ Infected Target: 192.168.1.151 Score: 0.8 (>= 0.8) Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 11/02/2009 12:41:03.095 PST Gen. 
Time: 11/02/2009 12:45:03.115 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) 208.29.195.17 (12:41:28.000 PST) event=777:7777005 {tcp} E5[bh] Detected intense non-malware port scanning of 30 IPs (18 /24s) (# pkts S/M/O/I=0/0/65535/46): 22:65535, 6667:14, 16697:2, 37051:2, 39366:2, 215, 216, 217, 218, 219, 220, 221, [] MAC_Src: 00:0E:39:E0:94:00 0->0 (12:41:28.000 PST) 208.30.40.98 (12:44:28.000 PST) event=777:7777005 {tcp} E5[bh] Detected intense non-malware port scanning of 30 IPs (18 /24s) (# pkts S/M/O/I=0/0/65535/46): 22:65535, 6667:14, 16697:2, 37051:2, 39366:2, 215, 216, 217, 218, 219, 220, 221, [] MAC_Src: 00:0E:39:E0:94:00 0->0 (12:44:28.000 PST) 208.29.194.14 (12:42:58.010 PST) event=777:7777005 {tcp} E5[bh] Detected intense non-malware port scanning of 30 IPs (18 /24s) (# pkts S/M/O/I=0/0/65535/46): 22:65535, 6667:14, 16697:2, 37051:2, 39366:2, 215, 216, 217, 218, 219, 220, 221, [] MAC_Src: 00:0E:39:E0:94:00 0->0 (12:42:58.010 PST) OUTBOUND SCAN 208.29.217.98 (12:41:03.095 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 59726->22 (12:41:03.095 PST) 208.29.194.21 (12:41:03.123 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 37511->22 (12:41:03.123 PST) 208.28.184.6 (12:41:03.337 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 43610->22 (12:41:03.337 PST) 208.25.247.120 (12:41:03.163 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 45842->22 (12:41:03.163 PST) 208.28.202.204 (12:41:03.534 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 35908->22 (12:41:03.534 PST) 208.31.35.64 (12:41:03.426 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan 
(20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 57914->22 (12:41:03.426 PST)
208.32.16.219 (12:41:03.602 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 59231->22 (12:41:03.602 PST)
208.27.35.207 (12:41:03.561 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 55498->22 (12:41:03.561 PST)
208.26.20.253 (12:41:03.603 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 59293->22 (12:41:03.603 PST)
208.32.17.1 (12:41:03.603 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 43560->22 (12:41:03.603 PST)
208.31.142.26 (12:41:03.302 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 36320->22 (12:41:03.302 PST)
208.27.69.34 (12:41:03.405 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 46533->22 (12:41:03.405 PST)
208.30.80.173 (12:41:03.243 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 52010->22 (12:41:03.243 PST)
208.29.194.23 (12:41:03.474 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 35867->22 (12:41:03.474 PST)
208.32.16.238 (12:41:03.603 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 32936->22 (12:41:03.603 PST)
208.28.184.15 (12:41:03.196 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 33688->22 (12:41:03.196 PST)
208.27.113.137 (12:41:03.507 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 45878->22 (12:41:03.507 PST)
ATTACK PREP
PEER COORDINATION
DECLARE BOT

tcpslice 1257194463.095 1257194463.096 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.151'

============================== SEPARATOR ================================

Infected Target: 192.168.1.151
Score: 0.8 (>= 0.8)
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 11/02/2009 12:45:03.183 PST
Gen. Time: 11/02/2009 12:45:58.012 PST

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
208.28.184.161 (12:45:58.012 PST) event=777:7777005 {tcp} E5[bh] Detected intense non-malware port scanning of 30 IPs (18 /24s) (# pkts S/M/O/I=0/0/65535/46): 22:65535, 6667:14, 16697:2, 37051:2, 39366:2, 215, 216, 217, 218, 219, 220, 221, [] MAC_Src: 00:0E:39:E0:94:00 0->0 (12:45:58.012 PST)
OUTBOUND SCAN
208.29.195.18 (12:45:03.490 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 42078->22 (12:45:03.490 PST)
208.27.35.2 (12:45:03.356 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 49851->22 (12:45:03.356 PST)
208.32.208.12 (12:45:03.592 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 41712->22 (12:45:03.592 PST)
208.32.206.248 (12:45:03.590 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 58133->22 (12:45:03.590 PST)
208.30.50.97 (12:45:03.415 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 60485->22 (12:45:03.415 PST)
208.29.144.253 (12:45:03.384 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 33293->22 (12:45:03.384 PST)
208.25.179.53 (12:45:03.183 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 50332->22 (12:45:03.183 PST)
208.32.206.238 (12:45:03.590 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 58681->22 (12:45:03.590 PST)
208.29.194.25 (12:45:03.286 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 49073->22 (12:45:03.286 PST)
208.28.41.25 (12:45:03.535 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 56563->22 (12:45:03.535 PST)
208.28.41.216 (12:45:03.441 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 42259->22 (12:45:03.441 PST)
208.32.207.249 (12:45:03.592 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 45394->22 (12:45:03.592 PST)
208.30.48.146 (12:45:03.575 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 51871->22 (12:45:03.575 PST)
208.30.172.4 (12:45:03.277 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 34368->22 (12:45:03.277 PST)
208.27.119.66 (12:45:03.314 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 60085->22 (12:45:03.314 PST)
208.32.207.232 (12:45:03.591 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 33262->22 (12:45:03.591 PST)
208.29.16.165 (12:45:03.235 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 40376->22 (12:45:03.235 PST)
ATTACK PREP
PEER COORDINATION
DECLARE BOT

tcpslice 1257194703.183 1257194703.184 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.151'

============================== SEPARATOR ================================

Infected Target: 192.168.1.151
Score: 0.8 (>= 0.8)
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 11/02/2009 12:45:03.183 PST
Gen. Time: 11/02/2009 12:49:03.267 PST

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
208.28.184.161 (12:45:58.012 PST) event=777:7777005 {tcp} E5[bh] Detected intense non-malware port scanning of 30 IPs (18 /24s) (# pkts S/M/O/I=0/0/65535/46): 22:65535, 6667:14, 16697:2, 37051:2, 39366:2, 215, 216, 217, 218, 219, 220, 221, [] MAC_Src: 00:0E:39:E0:94:00 0->0 (12:45:58.012 PST)
208.27.69.203 (12:47:28.001 PST) event=777:7777005 {tcp} E5[bh] Detected intense non-malware port scanning of 30 IPs (18 /24s) (# pkts S/M/O/I=0/0/65535/46): 22:65535, 6667:14, 16697:2, 37051:2, 39366:2, 215, 216, 217, 218, 219, 220, 221, [] MAC_Src: 00:0E:39:E0:94:00 0->0 (12:47:28.001 PST)
208.26.113.163 (12:48:58.001 PST) event=777:7777005 {tcp} E5[bh] Detected intense non-malware port scanning of 30 IPs (18 /24s) (# pkts S/M/O/I=0/0/65535/46): 22:65535, 6667:14, 16697:2, 37051:2, 39366:2, 215, 216, 217, 218, 219, 220, 221, [] MAC_Src: 00:0E:39:E0:94:00 0->0 (12:48:58.001 PST)
OUTBOUND SCAN
208.29.195.18 (12:45:03.490 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 42078->22 (12:45:03.490 PST)
208.27.35.2 (12:45:03.356 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 49851->22 (12:45:03.356 PST)
208.32.208.12 (12:45:03.592 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 41712->22 (12:45:03.592 PST)
208.32.206.248 (12:45:03.590 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 58133->22 (12:45:03.590 PST)
208.30.50.97 (12:45:03.415 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 60485->22 (12:45:03.415 PST)
208.29.144.253 (12:45:03.384 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 33293->22 (12:45:03.384 PST)
208.25.179.53 (12:45:03.183 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 50332->22 (12:45:03.183 PST)
208.32.206.238 (12:45:03.590 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 58681->22 (12:45:03.590 PST)
208.29.194.25 (12:45:03.286 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 49073->22 (12:45:03.286 PST)
208.28.41.25 (12:45:03.535 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 56563->22 (12:45:03.535 PST)
208.28.41.216 (12:45:03.441 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 42259->22 (12:45:03.441 PST)
208.32.207.249 (12:45:03.592 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 45394->22 (12:45:03.592 PST)
208.30.48.146 (12:45:03.575 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 51871->22 (12:45:03.575 PST)
208.30.172.4 (12:45:03.277 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 34368->22 (12:45:03.277 PST)
208.27.119.66 (12:45:03.314 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 60085->22 (12:45:03.314 PST)
208.32.207.232 (12:45:03.591 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 33262->22 (12:45:03.591 PST)
208.29.16.165 (12:45:03.235 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 40376->22 (12:45:03.235 PST)
ATTACK PREP
PEER COORDINATION
DECLARE BOT

tcpslice 1257194703.183 1257194703.184 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.151'

============================== SEPARATOR ================================

Infected Target: 192.168.1.151
Score: 0.8 (>= 0.8)
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 11/02/2009 12:49:03.425 PST
Gen. Time: 11/02/2009 12:50:28.005 PST

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
208.29.194.24 (12:50:28.005 PST) event=777:7777005 {tcp} E5[bh] Detected intense non-malware port scanning of 30 IPs (18 /24s) (# pkts S/M/O/I=0/0/65535/46): 22:65535, 6667:14, 16697:2, 37051:2, 39366:2, 215, 216, 217, 218, 219, 220, 221, [] MAC_Src: 00:0E:39:E0:94:00 0->0 (12:50:28.005 PST)
OUTBOUND SCAN
208.33.134.35 (12:49:03.584 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 55859->22 (12:49:03.584 PST)
208.29.194.21 (12:49:04.129 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 39635->22 (12:49:04.129 PST)
208.27.35.2 (12:49:03.727 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 48074->22 (12:49:03.727 PST)
208.27.117.154 (12:49:03.887 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 58053->22 (12:49:03.887 PST)
208.33.134.26 (12:49:03.582 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 47132->22 (12:49:03.582 PST)
208.24.226.76 (12:49:04.098 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 40761->22 (12:49:04.098 PST)
208.33.131.19 (12:49:03.581 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 53146->22 (12:49:03.581 PST)
208.29.194.26 (12:49:04.125 PST) event=1:2006546 {tcp} E5[rb] ET SCAN LibSSH Based Frequent SSH Connections Likely BruteForce Attack (20 in 60 secs)!, [] MAC_Src: 00:0E:39:E0:94:00 50506->22 (12:49:04.125 PST)
208.28.184.203 (12:49:03.425 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 55833->22 (12:49:03.425 PST)
208.28.202.202 (12:49:03.944 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 55614->22 (12:49:03.944 PST)
208.27.69.196 (12:49:03.834 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 33525->22 (12:49:03.834 PST)
208.29.146.245 (12:49:03.975 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 45887->22 (12:49:03.975 PST)
208.27.69.34 (12:49:03.588 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 34824->22 (12:49:03.588 PST)
208.31.36.89 (12:49:03.501 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 57603->22 (12:49:03.501 PST)
208.28.38.178 (12:49:03.706 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 58253->22 (12:49:03.706 PST)
208.33.134.29 (12:49:03.585 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 60438->22 (12:49:03.585 PST)
208.32.14.137 (12:49:04.043 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 36527->22 (12:49:04.043 PST)
ATTACK PREP
PEER COORDINATION
DECLARE BOT

tcpslice 1257194943.425 1257194943.426 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.151'

============================== SEPARATOR ================================

Infected Target: 192.168.1.151
Score: 0.8 (>= 0.8)
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 11/02/2009 12:49:03.425 PST
Gen. Time: 11/02/2009 12:53:05.853 PST

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
208.29.194.24 (12:50:28.005 PST) event=777:7777005 {tcp} E5[bh] Detected intense non-malware port scanning of 30 IPs (18 /24s) (# pkts S/M/O/I=0/0/65535/46): 22:65535, 6667:14, 16697:2, 37051:2, 39366:2, 215, 216, 217, 218, 219, 220, 221, [] MAC_Src: 00:0E:39:E0:94:00 0->0 (12:50:28.005 PST)
208.32.173.146 (12:52:36.565 PST) event=777:7777005 {tcp} E5[bh] Detected intense non-malware port scanning of 30 IPs (18 /24s) (# pkts S/M/O/I=0/0/65535/46): 22:65535, 6667:14, 16697:2, 37051:2, 39366:2, 215, 216, 217, 218, 219, 220, 221, [] MAC_Src: 00:0E:39:E0:94:00 0->0 (12:52:36.565 PST)
OUTBOUND SCAN
208.33.134.35 (12:49:03.584 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 55859->22 (12:49:03.584 PST)
208.29.194.21 (12:49:04.129 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 39635->22 (12:49:04.129 PST)
208.27.35.2 (12:49:03.727 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 48074->22 (12:49:03.727 PST)
208.27.117.154 (12:49:03.887 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 58053->22 (12:49:03.887 PST)
208.33.134.26 (12:49:03.582 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 47132->22 (12:49:03.582 PST)
208.24.226.76 (12:49:04.098 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 40761->22 (12:49:04.098 PST)
208.33.131.19 (12:49:03.581 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 53146->22 (12:49:03.581 PST)
208.29.194.26 (12:49:04.125 PST) event=1:2006546 {tcp} E5[rb] ET SCAN LibSSH Based Frequent SSH Connections Likely BruteForce Attack (20 in 60 secs)!, [] MAC_Src: 00:0E:39:E0:94:00 50506->22 (12:49:04.125 PST)
208.28.184.203 (12:49:03.425 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 55833->22 (12:49:03.425 PST)
208.28.202.202 (12:49:03.944 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 55614->22 (12:49:03.944 PST)
208.27.69.196 (12:49:03.834 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 33525->22 (12:49:03.834 PST)
208.29.146.245 (12:49:03.975 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 45887->22 (12:49:03.975 PST)
208.27.69.34 (12:49:03.588 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 34824->22 (12:49:03.588 PST)
208.31.36.89 (12:49:03.501 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 57603->22 (12:49:03.501 PST)
208.28.38.178 (12:49:03.706 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 58253->22 (12:49:03.706 PST)
208.33.134.29 (12:49:03.585 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:A0:8E:BB:59:15 60438->22 (12:49:03.585 PST)
208.32.14.137 (12:49:04.043 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:0E:39:E0:94:00 36527->22 (12:49:04.043 PST)
ATTACK PREP
PEER COORDINATION
DECLARE BOT

tcpslice 1257194943.425 1257194943.426 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.151'

============================== SEPARATOR ================================