Score: 1.1 (>= 0.8)
Infected Target: 192.168.1.102
Infector List:
Egg Source List: 199.59.150.9, 199.59.149.232, 199.59.150.41, 199.59.148.87, 199.59.148.20
C & C List: 199.255.189.160 (2), 88.212.196.87 (3)
Peer Coord. List: 68.71.55.18 (3)
Resource List:
Observed Start: 01/08/2013 18:57:29.062 PST
Gen. Time: 01/09/2013 03:12:41.043 PST

INBOUND SCAN

EXPLOIT

EXPLOIT MALWARE DNS

EGG DOWNLOAD
199.59.150.9 (3) (19:00:48.303 PST-19:01:18.305 PST)
 event=1:2013036 (3) {tcp} E3[rb] ET TROJAN Java EXE Download by Vulnerable Version - Likely Driveby, [] MAC_Src: 00:21:1C:EE:14:00
 38128<-80 (19:03:18.339 PST)
 2: 38102<-80 (19:00:48.303 PST-19:01:18.305 PST)
199.59.149.232 (5) (18:59:08.466 PST-19:48:52.263 PST)
 event=1:2013036 (5) {tcp} E3[rb] ET TROJAN Java EXE Download by Vulnerable Version - Likely Driveby, [] MAC_Src: 00:21:1C:EE:14:00
 2: 37403<-80 (19:48:22.261 PST-19:48:52.263 PST)
 55261<-80 (18:59:56.905 PST)
 55676<-80 (19:06:08.608 PST)
 51686<-80 (18:59:08.466 PST)
199.59.150.41 (8) (18:57:29.062 PST-19:05:50.583 PST)
 event=1:2013036 (8) {tcp} E3[rb] ET TROJAN Java EXE Download by Vulnerable Version - Likely Driveby, [] MAC_Src: 00:21:1C:EE:14:00
 44676<-80 (18:57:29.062 PST)
 3: 50334<-80 (19:04:14.685 PST-19:04:59.683 PST)
 2: 45522<-80 (19:05:20.583 PST-19:05:50.583 PST)
 2: 56250<-80 (19:02:30.090 PST-19:03:00.090 PST)
199.59.148.87 (6) (18:58:17.449 PST-19:47:56.023 PST)
 event=1:2013036 (6) {tcp} E3[rb] ET TROJAN Java EXE Download by Vulnerable Version - Likely Driveby, [] MAC_Src: 00:21:1C:EE:14:00
 2: 42023<-80 (19:47:26.021 PST-19:47:56.023 PST)
 35274<-80 (18:58:17.449 PST)
 32997<-80 (19:46:40.411 PST)
 2: 35304<-80 (19:06:57.662 PST-19:07:27.669 PST)
199.59.148.20 (19:49:02.667 PST)
 event=1:2013036 {tcp} E3[rb] ET TROJAN Java EXE Download by Vulnerable Version - Likely Driveby, [] MAC_Src: 00:21:1C:EE:14:00
 47037<-80 (19:49:02.667 PST)

C and C TRAFFIC
199.255.189.160 (2) (19:46:25.323 PST)
 event=1:2012801 (2) {tcp} E4[rb] ET TROJAN Spoofed MSIE 7 User-Agent Likely Ponmocup, [/biz/ishta-music-company-san-francisco?start=0&sort_by=date_desc&rpp=40] MAC_Src: 00:21:5A:08:EC:40
 42155->80 (19:46:25.323 PST)
 42155->80 (19:46:25.364 PST)

C and C TRAFFIC (RBN)
88.212.196.87 (3) (19:37:08.001 PST)
 event=1:3810007 (3) {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:EC:40
 55061->80 (19:37:08.001 PST)
 52031->80 (22:35:42.818 PST)
 32791->80 (01:01:53.490 PST)

C and C DNS CHECK-IN

OUTBOUND SKYPE CANDIDATE

OUTBOUND SCAN (spp)

OUTBOUND SCAN

ATTACK PREP

PEER COORDINATION
Info 68.71.55.18 (3) (19:27:06.991 PST)
 event=1:1100010 (3) {tcp} E7[info] P2P .torrent metafile request, [] MAC_Src: 00:21:5A:08:EC:40
 35119->80 (19:27:06.991 PST)
 58860->80 (22:28:42.725 PST)
 43383->80 (00:55:15.714 PST)

PEER COORDINATION

DECLARE BOT Standard Port

DECLARE BOT Non-standard Port

DECLARE BOT

OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1357700249.062 1357703332.264 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'
============================== SEPARATOR ================================
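The profile above is easier to triage, and the trailing tcpslice command easier to trust, once its pieces are parsed rather than read by eye: each remote host is tagged with its dialog section and phase (E3 egg download, E4 C&C, E7 peer coordination), the per-host hit count is checked against the flow lines beneath it, and the Observed Start timestamp is converted to the epoch value tcpslice expects (1357700249.062 for 01/08/2013 18:57:29.062 PST). The script below is an added example written for this page, not BotHunter code. It assumes the report is stamped PST (UTC-8, no DST in January); the function and pattern names are its own, and the embedded excerpt is constructed from the profile above.

```python
"""Parse a BotHunter infected-host profile and rebuild its pcap-carving command (added example)."""
import re
import shlex
from datetime import datetime, timedelta, timezone

PST = timezone(timedelta(hours=-8))   # assumption: the report is stamped PST, no DST
TS_FMT = "%m/%d/%Y %H:%M:%S.%f"       # "01/08/2013 18:57:29.062"

# Remote host header: "199.59.150.9 (3) (19:00:48.303 PST-19:01:18.305 PST)", optional "Info " prefix
HOST_RE = re.compile(r"^(?:Info )?(\d{1,3}(?:\.\d{1,3}){3})(?: \((\d+)\))? \(")
# Signature line: " event=1:2013036 (3) {tcp} E3[rb] <name>, [<uri>] MAC_Src: <mac>"
EVENT_RE = re.compile(
    r"^\s*event=(\d+:\d+)(?: \((\d+)\))? \{(\w+)\} (E\d)\[\w+\] (.*?), \[(.*?)\] MAC_Src: ([0-9A-Fa-f:]{17})")
# Flow line: " 2: 38102<-80 (...)"; "<-" is toward the victim, "->" outbound, "n: " a repeat count
FLOW_RE = re.compile(r"^\s*(?:(\d+): )?(\d+)(<-|->)(\d+) \(")


def to_epoch(stamp: str, tz: timezone = PST) -> float:
    """Report timestamp -> seconds since the epoch, the unit tcpslice takes."""
    return datetime.strptime(stamp, TS_FMT).replace(tzinfo=tz).timestamp()


def tcpslice_cmd(start: str, end: str, host: str,
                 infile: str = "inputFile.tcpd", outfile: str = "outputFile.tcpd") -> str:
    """Rebuild the carve command BotHunter appends to a profile from its own timestamps."""
    return (f"tcpslice {to_epoch(start):.3f} {to_epoch(end):.3f} {shlex.quote(infile)} "
            f"| tcpdump -r - -w {shlex.quote(outfile)} {shlex.quote('host ' + host)}")


def parse_profile(text: str) -> list[dict]:
    """One record per remote host/signature, tagged with its section and dialog phase (E1..E8)."""
    records, section, host, count = [], None, None, 1
    for line in text.splitlines():
        if not line.strip():
            continue
        if m := HOST_RE.match(line):
            host, count = m.group(1), int(m.group(2) or 1)
        elif (m := EVENT_RE.match(line)) and host:
            records.append({"section": section, "ip": host, "count": count,
                            "sid": m.group(1), "proto": m.group(3), "phase": m.group(4),
                            "signature": m.group(5), "uri": m.group(6),
                            "mac_src": m.group(7), "flows": 0})
        elif (m := FLOW_RE.match(line)) and records:
            records[-1]["flows"] += int(m.group(1) or 1)   # honour the "n: " repeat prefix
        else:
            section, host = line.strip(), None             # anything else is a section header
    return records


def phases_seen(records: list[dict]) -> dict[str, set[str]]:
    """Dialog phases present in the profile and the remote hosts behind each."""
    out: dict[str, set[str]] = {}
    for r in records:
        out.setdefault(r["phase"], set()).add(r["ip"])
    return out


# Constructed excerpt of the profile above: one host per section, flow lines as printed.
SAMPLE = """\
EGG DOWNLOAD
199.59.150.9 (3) (19:00:48.303 PST-19:01:18.305 PST)
 event=1:2013036 (3) {tcp} E3[rb] ET TROJAN Java EXE Download by Vulnerable Version - Likely Driveby, [] MAC_Src: 00:21:1C:EE:14:00
 38128<-80 (19:03:18.339 PST)
 2: 38102<-80 (19:00:48.303 PST-19:01:18.305 PST)

C and C TRAFFIC
199.255.189.160 (2) (19:46:25.323 PST)
 event=1:2012801 (2) {tcp} E4[rb] ET TROJAN Spoofed MSIE 7 User-Agent Likely Ponmocup, [/biz/ishta-music-company-san-francisco?start=0&sort_by=date_desc&rpp=40] MAC_Src: 00:21:5A:08:EC:40
 42155->80 (19:46:25.323 PST)
 42155->80 (19:46:25.364 PST)

C and C TRAFFIC (RBN)
88.212.196.87 (3) (19:37:08.001 PST)
 event=1:3810007 (3) {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:EC:40
 55061->80 (19:37:08.001 PST)
 52031->80 (22:35:42.818 PST)
 32791->80 (01:01:53.490 PST)

PEER COORDINATION
Info 68.71.55.18 (3) (19:27:06.991 PST)
 event=1:1100010 (3) {tcp} E7[info] P2P .torrent metafile request, [] MAC_Src: 00:21:5A:08:EC:40
 35119->80 (19:27:06.991 PST)
 58860->80 (22:28:42.725 PST)
 43383->80 (00:55:15.714 PST)
"""

if __name__ == "__main__":
    recs = parse_profile(SAMPLE)
    for r in recs:
        flag = "" if r["count"] == r["flows"] else "  <-- header count disagrees with flow lines"
        print(f'{r["phase"]} {str(r["section"]):22} {r["ip"]:16} {r["sid"]:10} flows={r["flows"]}{flag}')
    print(phases_seen(recs))
    print(tcpslice_cmd("01/08/2013 18:57:29.062", "01/08/2013 19:48:52.264", "192.168.1.102"))
```

The start bound reproduces the report's 1357700249.062 exactly, so the carved pcap really begins at Observed Start; the end bound is taken from the timestamps as given rather than derived, since the profile does not say how BotHunter picks it. Note that the flows at 22:35 and 01:01 fall outside that window, so anyone carving the C&C traffic for 88.212.196.87 needs a later end time than the one printed.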