Score: 1.0 (>= 0.8)
Infected Target: 192.168.1.14
Infector List:
Egg Source List:
C & C List: 84.223.233.249
Peer Coord. List:
Resource List:
Observed Start: 01/07/2013 01:41:04.878 PST
Gen. Time: 01/07/2013 01:41:28.022 PST

INBOUND SCAN

EXPLOIT

EXPLOIT MALWARE DNS

EGG DOWNLOAD

C and C TRAFFIC
84.223.233.249 (01:41:28.022 PST)
 event=1:2002033 {tcp} E4[rb] ET TROJAN BOT - potential response, [] MAC_Src: 00:01:64:FF:CE:EA
 80->25289 (01:41:28.022 PST)

C and C TRAFFIC (RBN)

C and C DNS CHECK-IN

OUTBOUND SKYPE CANDIDATE

OUTBOUND SCAN (spp)

OUTBOUND SCAN
84.223.233.249 (4) (01:41:04.878 PST)
 event=1:552123 (4) {tcp} E5[rb] REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner, [] MAC_Src: 00:01:64:FF:CE:EA
 80->25155 (01:41:04.878 PST)
 80->25177 (01:41:07.161 PST)
 80->25192 (01:41:09.392 PST)
 80->25227 (01:41:13.707 PST)

ATTACK PREP

PEER COORDINATION Info

PEER COORDINATION

DECLARE BOT Standard Port

DECLARE BOT Non-standard Port

DECLARE BOT

OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1357551664.878 1357551664.879 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.14'

============================== SEPARATOR ================================

Score: 1.0 (>= 0.8)
Infected Target: 192.168.1.14
Infector List:
Egg Source List:
C & C List: 84.223.233.249 (9)
Peer Coord. List:
Resource List:
Observed Start: 01/07/2013 01:41:04.878 PST
Gen. Time: 01/07/2013 01:45:43.787 PST

INBOUND SCAN

EXPLOIT

EXPLOIT MALWARE DNS

EGG DOWNLOAD

C and C TRAFFIC
84.223.233.249 (9) (01:41:28.022 PST-01:41:28.462 PST)
 event=1:2002033 (9) {tcp} E4[rb] ET TROJAN BOT - potential response, [] MAC_Src: 00:01:64:FF:CE:EA
 9: 80->25289 (01:41:28.022 PST-01:41:28.462 PST)

C and C TRAFFIC (RBN)

C and C DNS CHECK-IN

OUTBOUND SKYPE CANDIDATE

OUTBOUND SCAN (spp)

OUTBOUND SCAN
84.223.233.249 (5) (01:41:04.878 PST)
 event=1:552123 (5) {tcp} E5[rb] REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner, [] MAC_Src: 00:01:64:FF:CE:EA
 80->25155 (01:41:04.878 PST)
 80->25177 (01:41:07.161 PST)
 80->25192 (01:41:09.392 PST)
 80->25227 (01:41:13.707 PST)
 80->25370 (01:41:35.031 PST)

ATTACK PREP

PEER COORDINATION Info

PEER COORDINATION

DECLARE BOT Standard Port

DECLARE BOT Non-standard Port

DECLARE BOT

OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1357551664.878 1357551688.463 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.14'

============================== SEPARATOR ================================

Score: 1.0 (>= 0.8)
Infected Target: 192.168.1.14
Infector List:
Egg Source List:
C & C List: 173.236.21.106
Peer Coord. List:
Resource List:
Observed Start: 01/07/2013 06:10:14.492 PST
Gen. Time: 01/07/2013 06:10:25.260 PST

INBOUND SCAN

EXPLOIT

EXPLOIT MALWARE DNS

EGG DOWNLOAD

C and C TRAFFIC
173.236.21.106 (06:10:25.260 PST)
 event=1:2002033 {tcp} E4[rb] ET TROJAN BOT - potential response, [] MAC_Src: 00:01:64:FF:CE:EA
 80->33805 (06:10:25.260 PST)

C and C TRAFFIC (RBN)

C and C DNS CHECK-IN

OUTBOUND SKYPE CANDIDATE

OUTBOUND SCAN (spp)

OUTBOUND SCAN
173.236.21.106 (4) (06:10:14.492 PST)
 event=1:552123 (4) {tcp} E5[rb] REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner, [] MAC_Src: 00:01:64:FF:CE:EA
 80->60597 (06:10:14.492 PST)
 80->60822 (06:10:16.092 PST)
 80->32787 (06:10:17.609 PST)
 80->33394 (06:10:21.994 PST)

ATTACK PREP

PEER COORDINATION Info

PEER COORDINATION

DECLARE BOT Standard Port

DECLARE BOT Non-standard Port

DECLARE BOT

OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1357567814.492 1357567814.493 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.14'

============================== SEPARATOR ================================

Score: 1.0 (>= 0.8)
Infected Target: 192.168.1.14
Infector List:
Egg Source List:
C & C List: 173.236.21.106 (17)
Peer Coord. List:
Resource List:
Observed Start: 01/07/2013 06:10:14.492 PST
Gen. Time: 01/07/2013 06:13:41.151 PST

INBOUND SCAN

EXPLOIT

EXPLOIT MALWARE DNS

EGG DOWNLOAD

C and C TRAFFIC
173.236.21.106 (17) (06:10:25.260 PST-06:10:51.615 PST)
 event=1:2002033 (17) {tcp} E4[rb] ET TROJAN BOT - potential response, [] MAC_Src: 00:01:64:FF:CE:EA
 8: 80->38303 (06:10:51.614 PST-06:10:51.615 PST)
 9: 80->33805 (06:10:25.260 PST-06:10:25.261 PST)

C and C TRAFFIC (RBN)

C and C DNS CHECK-IN

OUTBOUND SKYPE CANDIDATE

OUTBOUND SCAN (spp)

OUTBOUND SCAN
173.236.21.106 (17) (06:10:14.492 PST)
 event=1:552123 (17) {tcp} E5[rb] REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner, [] MAC_Src: 00:01:64:FF:CE:EA
 80->60597 (06:10:14.492 PST)
 80->60822 (06:10:16.092 PST)
 80->32787 (06:10:17.609 PST)
 80->33394 (06:10:21.994 PST)
 80->34384 (06:10:29.467 PST)
 80->34700 (06:10:31.140 PST)
 80->35052 (06:10:32.615 PST)
 80->35422 (06:10:34.053 PST)
 80->36832 (06:10:41.048 PST)
 80->37079 (06:10:42.554 PST)
 80->37294 (06:10:43.988 PST)
 80->37900 (06:10:48.512 PST)
 80->38906 (06:10:55.860 PST)
 80->39117 (06:10:57.477 PST)
 80->39326 (06:10:58.930 PST)
 80->39560 (06:11:00.563 PST)
 80->40492 (06:11:07.582 PST)

ATTACK PREP

PEER COORDINATION Info

PEER COORDINATION

DECLARE BOT Standard Port

DECLARE BOT Non-standard Port

DECLARE BOT

OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1357567814.492 1357567851.616 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.14'

============================== SEPARATOR ================================