Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.71
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 07/17/2012 08:53:26.151 PDT
Gen. Time: 07/17/2012 08:53:26.151 PDT
   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
        67.215.242.139 (08:53:26.151 PDT)
          event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA
          52833->6881 (08:53:26.151 PDT)
   DECLARE BOT
tcpslice 1342540406.151 1342540406.152 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.71'
============================== SEPARATOR ================================
Score: 1.3 (>= 0.8)
Infected Target: 192.168.1.71
Infector List:
Egg Source List: 64.131.89.22
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 07/17/2012 08:53:26.151 PDT
Gen. Time: 07/17/2012 08:59:02.586 PDT
   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
        64.131.89.22 (3) (08:56:30.463 PDT)
          event=1:2009295 (3) {tcp} E3[rb] ET USER_AGENTS Suspicious Mozilla User-Agent - Likely Fake (Mozilla/5.0), [/pdfm7/check_purchase_permission?product=os.win] MAC_Src: 00:01:64:FF:CE:EA
          50236->80 (08:56:30.463 PDT)
          50237->80 (08:56:30.760 PDT)
          50238->80 (08:56:30.808 PDT)
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
        67.215.242.139 (08:53:26.151 PDT)
          event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA
          52833->6881 (08:53:26.151 PDT)
   DECLARE BOT
tcpslice 1342540406.151 1342540406.152 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.71'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.71
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 07/17/2012 09:09:45.684 PDT
Gen. Time: 07/17/2012 09:09:45.684 PDT
   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
        67.215.242.139 (09:09:45.684 PDT)
          event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA
          52833->6881 (09:09:45.684 PDT)
   DECLARE BOT
tcpslice 1342541385.684 1342541385.685 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.71'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.71
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 07/17/2012 09:26:09.641 PDT
Gen. Time: 07/17/2012 09:26:09.641 PDT
   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
        67.215.242.139 (09:26:09.641 PDT)
          event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA
          52833->6881 (09:26:09.641 PDT)
   DECLARE BOT
tcpslice 1342542369.641 1342542369.642 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.71'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.71
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 07/17/2012 10:11:45.531 PDT
Gen. Time: 07/17/2012 10:11:45.531 PDT
   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
        67.215.242.139 (10:11:45.531 PDT)
          event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA
          52833->6881 (10:11:45.531 PDT)
   DECLARE BOT
tcpslice 1342545105.531 1342545105.532 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.71'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.71
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 07/17/2012 11:28:29.333 PDT
Gen. Time: 07/17/2012 11:28:29.333 PDT
   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
        67.215.242.139 (11:28:29.333 PDT)
          event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA
          52833->6881 (11:28:29.333 PDT)
   DECLARE BOT
tcpslice 1342549709.333 1342549709.334 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.71'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.71
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 07/17/2012 11:43:33.293 PDT
Gen. Time: 07/17/2012 11:43:33.293 PDT
   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
        67.215.242.139 (11:43:33.293 PDT)
          event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA
          52833->6881 (11:43:33.293 PDT)
   DECLARE BOT
tcpslice 1342550613.293 1342550613.294 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.71'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.71
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 07/17/2012 12:13:49.232 PDT
Gen. Time: 07/17/2012 12:13:49.232 PDT
   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
        67.215.242.139 (12:13:49.232 PDT)
          event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA
          52833->6881 (12:13:49.232 PDT)
   DECLARE BOT
tcpslice 1342552429.232 1342552429.233 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.71'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.71
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 07/17/2012 13:16:13.065 PDT
Gen. Time: 07/17/2012 13:16:13.065 PDT
   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
        67.215.242.139 (13:16:13.065 PDT)
          event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA
          52833->6881 (13:16:13.065 PDT)
   DECLARE BOT
tcpslice 1342556173.065 1342556173.066 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.71'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.71
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 07/17/2012 13:29:53.034 PDT
Gen. Time: 07/17/2012 13:29:53.034 PDT
   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
        67.215.242.139 (13:29:53.034 PDT)
          event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA
          52833->6881 (13:29:53.034 PDT)
   DECLARE BOT
tcpslice 1342556993.034 1342556993.035 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.71'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.71
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 07/17/2012 14:13:56.622 PDT
Gen. Time: 07/17/2012 14:13:56.622 PDT
   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
        67.215.242.139 (14:13:56.622 PDT)
          event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA
          52833->6881 (14:13:56.622 PDT)
   DECLARE BOT
tcpslice 1342559636.622 1342559636.623 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.71'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.71
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 07/17/2012 14:30:04.589 PDT
Gen. Time: 07/17/2012 14:30:04.589 PDT
   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
        67.215.242.139 (14:30:04.589 PDT)
          event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA
          52833->6881 (14:30:04.589 PDT)
   DECLARE BOT
tcpslice 1342560604.589 1342560604.590 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.71'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.71
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 07/17/2012 14:46:16.548 PDT
Gen. Time: 07/17/2012 14:46:16.548 PDT
   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
        67.215.242.139 (14:46:16.548 PDT)
          event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA
          52833->6881 (14:46:16.548 PDT)
   DECLARE BOT
tcpslice 1342561576.548 1342561576.549 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.71'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.71
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 07/17/2012 15:33:44.535 PDT
Gen. Time: 07/17/2012 15:33:44.535 PDT
   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
        67.215.242.139 (15:33:44.535 PDT)
          event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA
          52833->6881 (15:33:44.535 PDT)
   DECLARE BOT
tcpslice 1342564424.535 1342564424.536 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.71'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.71
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 07/17/2012 15:49:00.509 PDT
Gen. Time: 07/17/2012 15:49:00.509 PDT
   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
        67.215.242.139 (15:49:00.509 PDT)
          event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA
          52833->6881 (15:49:00.509 PDT)
   DECLARE BOT
tcpslice 1342565340.509 1342565340.510 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.71'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.71
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 07/17/2012 16:19:12.418 PDT
Gen. Time: 07/17/2012 16:19:12.418 PDT
   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
        67.215.242.139 (16:19:12.418 PDT)
          event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA
          52833->6881 (16:19:12.418 PDT)
   DECLARE BOT
tcpslice 1342567152.418 1342567152.419 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.71'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.71
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 07/17/2012 18:27:51.630 PDT
Gen. Time: 07/17/2012 18:27:51.630 PDT
   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
        67.215.242.139 (18:27:51.630 PDT)
          event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:01:64:FF:CE:EA
          52833->6881 (18:27:51.630 PDT)
   DECLARE BOT
tcpslice 1342574871.630 1342574871.631 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.71'
============================== SEPARATOR ================================