Score: 1.0 (>= 0.8)
Infected Target: 192.168.1.14
Infector List:
Egg Source List:
C & C List: 69.64.34.49
Peer Coord. List:
Resource List:
Observed Start: 01/04/2013 00:22:18.448 PST
Gen. Time: 01/04/2013 00:24:47.199 PST
    INBOUND SCAN
    EXPLOIT
    EXPLOIT MALWARE DNS
    EGG DOWNLOAD
    C and C TRAFFIC
        69.64.34.49 (00:24:47.199 PST)
            event=1:2002033 {tcp} E4[rb] ET TROJAN BOT - potential response, [] MAC_Src: 00:01:64:FF:CE:EA
            80->57857 (00:24:47.199 PST)
    C and C TRAFFIC (RBN)
    C and C DNS CHECK-IN
    OUTBOUND SKYPE CANDIDATE
    OUTBOUND SCAN (spp)
    OUTBOUND SCAN
        69.64.34.49 (10) (00:22:18.448 PST-00:24:43.162 PST)
            event=1:552123 (10) {tcp} E5[rb] REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner, [] MAC_Src: 00:01:64:FF:CE:EA
            3: 80->57093 (00:22:59.432 PST-00:23:07.530 PST)
            5: 80->57857 (00:23:43.923 PST-00:24:43.162 PST)
            2: 80->51452 (00:22:18.448 PST-00:22:32.927 PST)
    ATTACK PREP
    PEER COORDINATION
    Info PEER COORDINATION
    DECLARE BOT Standard Port
    DECLARE BOT Non-standard Port
    DECLARE BOT
    OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1357287738.448 1357287883.163 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.14'

============================== SEPARATOR ================================

Score: 1.0 (>= 0.8)
Infected Target: 192.168.1.14
Infector List:
Egg Source List:
C & C List: 173.236.21.106
Peer Coord. List:
Resource List:
Observed Start: 01/04/2013 00:38:18.743 PST
Gen. Time: 01/04/2013 00:38:49.743 PST
    INBOUND SCAN
    EXPLOIT
    EXPLOIT MALWARE DNS
    EGG DOWNLOAD
    C and C TRAFFIC
        173.236.21.106 (00:38:49.743 PST)
            event=1:2002033 {tcp} E4[rb] ET TROJAN BOT - potential response, [] MAC_Src: 00:01:64:FF:CE:EA
            80->54999 (00:38:49.743 PST)
    C and C TRAFFIC (RBN)
    C and C DNS CHECK-IN
    OUTBOUND SKYPE CANDIDATE
    OUTBOUND SCAN (spp)
    OUTBOUND SCAN
        173.236.21.106 (7) (00:38:18.743 PST)
            event=1:552123 (7) {tcp} E5[rb] REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner, [] MAC_Src: 00:01:64:FF:CE:EA
            80->44459 (00:38:18.743 PST)
            80->46388 (00:38:24.432 PST)
            80->47063 (00:38:26.372 PST)
            80->50337 (00:38:35.871 PST)
            80->50996 (00:38:37.770 PST)
            80->51650 (00:38:39.651 PST)
            80->53673 (00:38:45.781 PST)
    ATTACK PREP
    PEER COORDINATION
    Info PEER COORDINATION
    DECLARE BOT Standard Port
    DECLARE BOT Non-standard Port
    DECLARE BOT
    OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1357288698.743 1357288698.744 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.14'

============================== SEPARATOR ================================

Score: 1.0 (>= 0.8)
Infected Target: 192.168.1.14
Infector List:
Egg Source List:
C & C List: 173.236.21.106 (17)
Peer Coord. List:
Resource List:
Observed Start: 01/04/2013 00:38:18.743 PST
Gen. Time: 01/04/2013 00:43:16.724 PST
    INBOUND SCAN
    EXPLOIT
    EXPLOIT MALWARE DNS
    EGG DOWNLOAD
    C and C TRAFFIC
        173.236.21.106 (17) (00:38:49.743 PST-00:39:25.045 PST)
            event=1:2002033 (17) {tcp} E4[rb] ET TROJAN BOT - potential response, [] MAC_Src: 00:01:64:FF:CE:EA
            8: 80->38631 (00:39:25.044 PST-00:39:25.045 PST)
            9: 80->54999 (00:38:49.743 PST-00:38:49.744 PST)
    C and C TRAFFIC (RBN)
    C and C DNS CHECK-IN
    OUTBOUND SKYPE CANDIDATE
    OUTBOUND SCAN (spp)
    OUTBOUND SCAN
        173.236.21.106 (17) (00:38:18.743 PST)
            event=1:552123 (17) {tcp} E5[rb] REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner, [] MAC_Src: 00:01:64:FF:CE:EA
            80->44459 (00:38:18.743 PST)
            80->46388 (00:38:24.432 PST)
            80->47063 (00:38:26.372 PST)
            80->50337 (00:38:35.871 PST)
            80->50996 (00:38:37.770 PST)
            80->51650 (00:38:39.651 PST)
            80->53673 (00:38:45.781 PST)
            80->58144 (00:38:59.094 PST)
            80->58754 (00:39:00.993 PST)
            80->33659 (00:39:10.475 PST)
            80->34346 (00:39:12.414 PST)
            80->35011 (00:39:14.454 PST)
            80->37346 (00:39:21.037 PST)
            80->41979 (00:39:34.426 PST)
            80->42594 (00:39:36.289 PST)
            80->45781 (00:39:45.843 PST)
            80->46411 (00:39:47.748 PST)
    ATTACK PREP
    PEER COORDINATION
    Info PEER COORDINATION
    DECLARE BOT Standard Port
    DECLARE BOT Non-standard Port
    DECLARE BOT
    OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1357288698.743 1357288765.046 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.14'

============================== SEPARATOR ================================
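The profiles above are BotHunter bot-profile dumps: a header block (score, infected target, C & C list, observed start, generation time), per-phase evidence lines carrying the Snort generator:signature id, the BotHunter dialog tag (E4 for C and C TRAFFIC, E5 for OUTBOUND SCAN), the flow ports with PST time-of-day stamps, and a ready-made tcpslice/tcpdump command for carving the host's packets out of a capture. One thing worth checking before running that command: the printed window does not always cover the evidence the profile lists. In the first profile the window ends at 1357287883.163 (00:24:43.163 PST) but the C and C TRAFFIC alert fires at 00:24:47.199 PST; in the third it ends at 00:39:25.046 PST while OUTBOUND SCAN entries continue to 00:39:47.748 PST. Carving with the command as printed drops those packets. The following added example (written for this page, not BotHunter's own code) parses a profile into a triage record, converts the PST timestamps to epoch seconds the way the tcpslice arguments expect, flags evidence timestamps that fall outside the printed window, and re-issues the command over Observed Start to Gen. Time. The sample profile is constructed from the first profile on the page with the empty phase labels trimmed; the only other assumptions are that PST is UTC-8 (true for 2013-01-04, which is standard time) and that the field layout is as printed.

```python
"""Parse a BotHunter bot-profile dump into a triage record and check the tcpslice
carving window it prints. Added example, not BotHunter's own code. Assumes the
layout shown on the page: unindented "Key: value" header lines, indented
"event=<gid>:<sid> [(count)] {proto} E<n>[..] <msg>, [] MAC_Src: <mac>" lines,
"[<count>:] <sport>-><dport> (<HH:MM:SS.mmm> PST[-<HH:MM:SS.mmm> PST])" flow lines,
and a trailing "tcpslice <start> <end> ..." command line."""
import re
from datetime import datetime, timedelta, timezone

PST = timezone(timedelta(hours=-8))  # 2013-01-04 is standard time: UTC-8, no DST

# Constructed sample: the page's first profile with the empty phase labels trimmed.
SAMPLE_PROFILE = """\
Score: 1.0 (>= 0.8)
Infected Target: 192.168.1.14
C & C List: 69.64.34.49
Observed Start: 01/04/2013 00:22:18.448 PST
Gen. Time: 01/04/2013 00:24:47.199 PST
    C and C TRAFFIC
        69.64.34.49 (00:24:47.199 PST)
            event=1:2002033 {tcp} E4[rb] ET TROJAN BOT - potential response, [] MAC_Src: 00:01:64:FF:CE:EA
            80->57857 (00:24:47.199 PST)
    OUTBOUND SCAN
        69.64.34.49 (10) (00:22:18.448 PST-00:24:43.162 PST)
            event=1:552123 (10) {tcp} E5[rb] REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner, [] MAC_Src: 00:01:64:FF:CE:EA
            3: 80->57093 (00:22:59.432 PST-00:23:07.530 PST)
            5: 80->57857 (00:23:43.923 PST-00:24:43.162 PST)
            2: 80->51452 (00:22:18.448 PST-00:22:32.927 PST)
tcpslice 1357287738.448 1357287883.163 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.14'
"""

HEADER_RE = re.compile(r"^([A-Za-z&. ]+?):\s*(.*)$")
EVENT_RE = re.compile(r"event=(\d+):(\d+)(?:\s+\((\d+)\))?\s+\{(\w+)\}\s+(E\d)\[\w+\]\s+"
                      r"(.*?),\s*\[\]\s*MAC_Src:\s*([0-9A-Fa-f:]+)")
FLOW_RE = re.compile(r"(?:(\d+):\s*)?(\d+)->(\d+)\s+\((\d\d:\d\d:\d\d\.\d{3}) PST"
                     r"(?:-(\d\d:\d\d:\d\d\.\d{3}) PST)?\)")
TCPSLICE_RE = re.compile(r"^tcpslice\s+(\d+\.\d+)\s+(\d+\.\d+)\s")

def parse_pst(date_str, time_str):
    """'01/04/2013', '00:22:18.448' -> timezone-aware datetime in PST."""
    return datetime.strptime(f"{date_str} {time_str}", "%m/%d/%Y %H:%M:%S.%f").replace(tzinfo=PST)

def pst_to_epoch(date_str, time_str):
    return round(parse_pst(date_str, time_str).timestamp(), 3)

def epoch_to_pst(epoch):
    """Render a tcpslice epoch argument the way the profile prints timestamps."""
    ms = round(epoch * 1000)  # integer milliseconds, so no float drift in the output
    dt = datetime.fromtimestamp(ms // 1000, PST) + timedelta(milliseconds=ms % 1000)
    return f"{dt:%m/%d/%Y %H:%M:%S}.{dt.microsecond // 1000:03d} PST"

def parse_profile(text):
    profile = {"header": {}, "events": [], "tcpslice": None}
    current = None  # the event= line that the following flow lines belong to
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := TCPSLICE_RE.match(line):
            profile["tcpslice"] = (float(m.group(1)), float(m.group(2)))
        elif raw == line:  # unindented: a header line (other unindented text is ignored)
            if m := HEADER_RE.match(line):
                profile["header"][m.group(1)] = m.group(2)
        elif m := EVENT_RE.search(line):
            current = {"sid": int(m.group(2)), "count": int(m.group(3) or 1), "proto": m.group(4),
                       "phase": m.group(5), "msg": m.group(6), "mac_src": m.group(7), "flows": []}
            profile["events"].append(current)
        elif (m := FLOW_RE.search(line)) and current is not None:
            current["flows"].append({"count": int(m.group(1) or 1), "sport": int(m.group(2)),
                                     "dport": int(m.group(3)), "first": m.group(4),
                                     "last": m.group(5) or m.group(4)})
    return profile

def cc_list(profile):
    """IPs from the 'C & C List' header; BotHunter may append a hit count such as '(17)'."""
    return re.findall(r"\d+\.\d+\.\d+\.\d+", profile["header"].get("C & C List", ""))

def evidence_epochs(profile):
    """(sid, time-of-day, epoch) for every flow timestamp. Evidence lines carry only a
    time of day, so the date comes from Observed Start; a time earlier than the start
    time is taken to be the next day (a profile that spans midnight)."""
    date_str, start_tod, _ = profile["header"]["Observed Start"].split()
    start = parse_pst(date_str, start_tod)
    out = []
    for ev in profile["events"]:
        for fl in ev["flows"]:
            for tod in sorted({fl["first"], fl["last"]}):
                dt = parse_pst(date_str, tod)
                if dt < start:
                    dt += timedelta(days=1)
                out.append((ev["sid"], tod, round(dt.timestamp(), 3)))
    return out

def evidence_outside_window(profile):
    """Flow timestamps the profile's own tcpslice window would not carve."""
    start, end = profile["tcpslice"]
    return [(sid, tod) for sid, tod, ep in evidence_epochs(profile) if not start <= ep <= end]

def full_window(profile):
    """Observed Start .. Gen. Time as epoch seconds: the widest window the profile supports."""
    d1, t1, _ = profile["header"]["Observed Start"].split()
    d2, t2, _ = profile["header"]["Gen. Time"].split()
    return pst_to_epoch(d1, t1), pst_to_epoch(d2, t2)

def tcpslice_command(profile, pcap_in="inputFile.tcpd", pcap_out="outputFile.tcpd"):
    """Re-issue the carving command over the full window so no listed evidence is lost."""
    start, end = full_window(profile)
    return (f"tcpslice {start:.3f} {end:.3f} {pcap_in} | "
            f"tcpdump -r - -w {pcap_out} 'host {profile['header']['Infected Target']}'")

if __name__ == "__main__":
    prof = parse_profile(SAMPLE_PROFILE)
    print("target:", prof["header"]["Infected Target"], "C&C:", cc_list(prof))
    print("printed window:", [epoch_to_pst(t) for t in prof["tcpslice"]])
    print("evidence outside it:", evidence_outside_window(prof))
    print(tcpslice_command(prof))
```

Run against the sample, `evidence_outside_window` reports the sid 2002033 C and C response at 00:24:47.199 PST as outside the printed window, and `tcpslice_command` rebuilds the command with the end moved to Gen. Time (1357287887.199). The same functions apply to the second and third profiles once their text is pasted in; `cc_list` strips the "(17)" hit count that the third profile appends to the C & C List value.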