Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.14
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 10/15/2011 09:04:23.837 PDT
Gen. Time: 10/15/2011 09:04:23.837 PDT

INBOUND SCAN

EXPLOIT

EXPLOIT MALWARE DNS

EGG DOWNLOAD

C and C TRAFFIC

C and C TRAFFIC (RBN)

C and C DNS CHECK-IN

OUTBOUND SKYPE CANDIDATE

OUTBOUND SCAN (spp)

OUTBOUND SCAN

ATTACK PREP

PEER COORDINATION

DECLARE BOT
188.173.222.221 (09:04:23.837 PDT)
 event=1:9910023 {tcp} E8[rb] BotHunter Malware propagation attack source, [] MAC_Src: 00:30:48:30:03:AF
 445->4895 (09:04:23.837 PDT)

tcpslice 1318694663.837 1318694663.838 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.14'

============================== SEPARATOR ================================

Score: 1.1 (>= 0.8)
Infected Target: 192.168.1.14
Infector List: 188.173.222.221
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 10/15/2011 09:04:23.837 PDT
Gen. Time: 10/15/2011 09:06:09.984 PDT

INBOUND SCAN

EXPLOIT
188.173.222.221 (4) (09:04:25.097 PDT)
 event=1:22000032 {tcp} E2[rb] ET EXPLOIT LSA exploit, [] MAC_Dst: 00:30:48:30:03:AE
 445<-4895 (09:04:25.097 PDT)
 -------------------------
 event=1:22000033 {tcp} E2[rb] ET NETBIOS MS04011 Lsasrv.dll RPC exploit (WinXP), [] MAC_Dst: 00:30:48:30:03:AE
 445<-4895 (09:04:25.097 PDT)
 -------------------------
 event=1:22514 {tcp} E2[rb] GPL NETBIOS SMB-DS DCERPC LSASS DsRolerUpgradeDownlevelServer exploit attempt, [] MAC_Dst: 00:30:48:30:03:AE
 445<-4895 (09:04:25.097 PDT)
 -------------------------
 event=1:2648 {tcp} E2[rb] GPL SHELLCODE x86 NOOP, [] MAC_Dst: 00:30:48:30:03:AE
 445<-4895 (09:04:25.097 PDT)

EXPLOIT MALWARE DNS

EGG DOWNLOAD

C and C TRAFFIC

C and C TRAFFIC (RBN)

C and C DNS CHECK-IN

OUTBOUND SKYPE CANDIDATE

OUTBOUND SCAN (spp)

OUTBOUND SCAN

ATTACK PREP

PEER COORDINATION

DECLARE BOT
188.173.222.221 (09:04:23.837 PDT)
 event=1:9910023 {tcp} E8[rb] BotHunter Malware propagation attack source, [] MAC_Src: 00:30:48:30:03:AF
 445->4895 (09:04:23.837 PDT)

tcpslice 1318694663.837 1318694663.838 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.14'

============================== SEPARATOR ================================

Score: 1.0 (>= 0.8)
Infected Target: 192.168.1.14
Infector List:
Egg Source List:
C & C List: 66.249.67.182
Peer Coord. List:
Resource List:
Observed Start: 10/15/2011 14:53:02.301 PDT
Gen. Time: 10/15/2011 14:55:19.544 PDT

INBOUND SCAN

EXPLOIT

EXPLOIT MALWARE DNS

EGG DOWNLOAD

C and C TRAFFIC
66.249.67.182 (14:55:19.544 PDT)
 event=1:2002033 {tcp} E4[rb] ET TROJAN BOT - potential response, [] MAC_Src: 00:01:64:FF:CE:EA
 80->64474 (14:55:19.544 PDT)

C and C TRAFFIC (RBN)

C and C DNS CHECK-IN

OUTBOUND SKYPE CANDIDATE

OUTBOUND SCAN (spp)

OUTBOUND SCAN
66.249.67.182 (14:53:02.301 PDT)
 event=1:552123 {tcp} E5[rb] REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner, [] MAC_Src: 00:01:64:FF:CE:EA
 80->57057 (14:53:02.301 PDT)

ATTACK PREP

PEER COORDINATION

DECLARE BOT

tcpslice 1318715582.301 1318715582.302 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.14'

============================== SEPARATOR ================================

Score: 1.0 (>= 0.8)
Infected Target: 192.168.1.14
Infector List:
Egg Source List:
C & C List: 66.249.67.182
Peer Coord. List:
Resource List:
Observed Start: 10/15/2011 15:23:33.080 PDT
Gen. Time: 10/15/2011 15:24:54.237 PDT

INBOUND SCAN

EXPLOIT

EXPLOIT MALWARE DNS

EGG DOWNLOAD

C and C TRAFFIC
66.249.67.182 (15:24:54.237 PDT)
 event=1:2002033 {tcp} E4[rb] ET TROJAN BOT - potential response, [] MAC_Src: 00:01:64:FF:CE:EA
 80->42255 (15:24:54.237 PDT)

C and C TRAFFIC (RBN)

C and C DNS CHECK-IN

OUTBOUND SKYPE CANDIDATE

OUTBOUND SCAN (spp)

OUTBOUND SCAN
66.249.67.182 (15:23:33.080 PDT)
 event=1:552123 {tcp} E5[rb] REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner, [] MAC_Src: 00:01:64:FF:CE:EA
 80->54992 (15:23:33.080 PDT)

ATTACK PREP

PEER COORDINATION

DECLARE BOT

tcpslice 1318717413.080 1318717413.081 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.14'

============================== SEPARATOR ================================

Score: 1.0 (>= 0.8)
Infected Target: 192.168.1.14
Infector List:
Egg Source List:
C & C List: 88.131.106.8
Peer Coord. List:
Resource List:
Observed Start: 10/15/2011 18:05:11.634 PDT
Gen. Time: 10/15/2011 18:06:02.560 PDT

INBOUND SCAN

EXPLOIT

EXPLOIT MALWARE DNS

EGG DOWNLOAD

C and C TRAFFIC
88.131.106.8 (18:05:11.634 PDT)
 event=1:2002033 {tcp} E4[rb] ET TROJAN BOT - potential response, [] MAC_Src: 00:01:64:FF:CE:EA
 80->21996 (18:05:11.634 PDT)

C and C TRAFFIC (RBN)

C and C DNS CHECK-IN

OUTBOUND SKYPE CANDIDATE

OUTBOUND SCAN (spp)

OUTBOUND SCAN
67.195.112.51 (18:06:02.560 PDT)
 event=1:552123 {tcp} E5[rb] REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner, [] MAC_Src: 00:01:64:FF:CE:EA
 80->33865 (18:06:02.560 PDT)

ATTACK PREP

PEER COORDINATION

DECLARE BOT

tcpslice 1318727111.634 1318727111.635 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.14'

============================== SEPARATOR ================================