Score: 0.8 (>= 0.8) Infected Target: 192.168.1.46 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 01/09/2013 14:00:09.057 PST Gen. Time: 01/09/2013 14:00:16.520 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) 128.10.19.53 (14:00:16.520 PST) event=777:7777005 {tcp} E5[bh] Detected moderate malware port scanning of 10 IPs (7 /24s) (# pkts S/M/O/I=0/10/0/0): 22:10, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (14:00:16.520 PST) OUTBOUND SCAN 128.10.19.53 (14:00:09.057 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 58077->22 (14:00:09.057 PST) ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1357768809.057 1357768809.058 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.46' ============================== SEPARATOR ================================ Score: 1.6 (>= 0.8) Infected Target: 192.168.1.46 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 01/09/2013 14:00:09.057 PST Gen. Time: 01/09/2013 14:09:29.083 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) 128.10.19.53 (14:00:16.520 PST) event=777:7777005 {tcp} E5[bh] Detected moderate malware port scanning of 10 IPs (7 /24s) (# pkts S/M/O/I=0/10/0/0): 22:10, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (14:00:16.520 PST) OUTBOUND SCAN 128.10.19.53 (14:00:09.057 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 58077->22 (14:00:09.057 PST) 128.10.19.52 (2) (14:02:15.692 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 39684->22 (14:02:15.692 PST) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 39684->22 (14:02:15.692 PST) 158.130.6.254 (14:02:04.641 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 58323->22 (14:02:04.641 PST) 13.7.64.22 (14:01:33.800 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 44814->22 (14:01:33.800 PST) 128.84.154.45 (14:00:25.056 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 37598->22 (14:00:25.056 PST) 128.42.142.45 (14:01:20.086 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 38936->22 (14:01:20.086 PST) 198.133.224.149 (2) (14:00:35.273 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 59362->22 (14:00:35.273 PST) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 59362->22 (14:00:35.273 PST) 128.151.65.101 (14:02:25.986 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 40658->22 (14:02:25.986 PST) 128.112.139.97 (14:00:56.549 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 60546->22 (14:00:56.549 PST) 192.52.240.213 (14:00:16.520 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 44218->22 (14:00:16.520 PST) 204.123.28.55 (14:02:36.941 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 52238->22 (14:02:36.941 PST) 130.127.39.153 (2) (14:01:25.436 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 45012->22 (14:01:25.436 PST) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 45012->22 (14:01:25.436 PST) 152.3.138.6 (14:01:03.458 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 53357->22 (14:01:03.458 PST) 128.208.4.198 (14:01:39.870 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 39714->22 (14:01:39.870 PST) ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 198.133.224.147 (4) (14:00:40.812 PST-14:05:12.259 PST) event=777:7777008 (4) {tcp} E8[bh] Detected intense malware port scanning of 45 IPs (26 /24s) (# pkts S/M/O/I=0/45/0/0): 22:45, [] MAC_Src: 00:01:64:FF:CE:EA 3: 0->0 (14:02:11.057 PST-14:05:12.259 PST) 0->0 (14:00:40.812 PST) tcpslice 1357768809.057 1357769112.260 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.46' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.46 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 01/09/2013 14:06:32.997 PST Gen. Time: 01/09/2013 14:06:32.997 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 198.133.224.147 (14:06:32.997 PST) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 45 IPs (26 /24s) (# pkts S/M/O/I=0/45/0/0): 22:45, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (14:06:32.997 PST) tcpslice 1357769192.997 1357769192.998 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.46' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.46 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 01/09/2013 15:07:15.572 PST Gen. Time: 01/09/2013 15:08:19.154 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) 128.42.142.45 (15:08:19.154 PST) event=777:7777005 {tcp} E5[bh] Detected moderate malware port scanning of 10 IPs (10 /24s) (# pkts S/M/O/I=0/10/0/0): 22:10, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (15:08:19.154 PST) OUTBOUND SCAN 131.179.150.72 (15:07:15.572 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 52407->22 (15:07:15.572 PST) 158.130.6.254 (15:07:42.327 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 58503->22 (15:07:42.327 PST) 128.42.142.45 (15:07:30.943 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 39118->22 (15:07:30.943 PST) 192.52.240.214 (15:07:49.828 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 54219->22 (15:07:49.828 PST) 204.123.28.56 (15:07:33.595 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 50698->22 (15:07:33.595 PST) 204.8.155.227 (15:08:11.785 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 52389->22 (15:08:11.785 PST) 141.212.113.180 (15:08:18.068 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 51523->22 (15:08:18.068 PST) 152.3.138.7 (2) (15:07:57.047 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 56034->22 (15:07:57.047 PST) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 56034->22 (15:07:57.047 PST) 130.127.39.152 (15:08:04.245 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 36432->22 (15:08:04.245 PST) ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1357772835.572 1357772835.573 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.46' ============================== SEPARATOR ================================ Score: 1.6 (>= 0.8) Infected Target: 192.168.1.46 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 01/09/2013 15:07:15.572 PST Gen. Time: 01/09/2013 15:16:35.220 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) 128.42.142.45 (15:08:19.154 PST) event=777:7777005 {tcp} E5[bh] Detected moderate malware port scanning of 10 IPs (10 /24s) (# pkts S/M/O/I=0/10/0/0): 22:10, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (15:08:19.154 PST) OUTBOUND SCAN 128.111.52.58 (2) (15:08:20.836 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 43327->22 (15:08:20.836 PST) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 43327->22 (15:08:20.836 PST) 128.10.19.53 (15:08:28.547 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 58341->22 (15:08:28.547 PST) 131.179.150.72 (15:07:15.572 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 52407->22 (15:07:15.572 PST) 131.179.150.70 (15:08:39.810 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 44060->22 (15:08:39.810 PST) 158.130.6.254 (15:07:42.327 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 58503->22 (15:07:42.327 PST) 128.151.65.102 (15:08:36.553 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 39086->22 (15:08:36.553 PST) 128.42.142.45 (15:07:30.943 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 39118->22 (15:07:30.943 PST) 192.52.240.214 (15:07:49.828 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 54219->22 (15:07:49.828 PST) 204.123.28.56 (15:07:33.595 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 50698->22 (15:07:33.595 PST) 204.8.155.227 (15:08:11.785 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 52389->22 (15:08:11.785 PST) 129.82.12.188 (2) (15:08:45.654 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 60119->22 (15:08:45.654 PST) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 60119->22 (15:08:45.654 PST) 141.212.113.180 (15:08:18.068 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 51523->22 (15:08:18.068 PST) 152.3.138.7 (2) (15:07:57.047 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 56034->22 (15:07:57.047 PST) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 56034->22 (15:07:57.047 PST) 130.127.39.152 (15:08:04.245 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 36432->22 (15:08:04.245 PST) ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 128.223.8.114 (15:12:18.163 PST) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 40 IPs (25 /24s) (# pkts S/M/O/I=0/40/0/0): 22:40, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (15:12:18.163 PST) 128.42.142.45 (2) (15:09:18.369 PST) event=777:7777008 (2) {tcp} E8[bh] Detected intense malware port scanning of 21 IPs (16 /24s) (# pkts S/M/O/I=0/21/0/0): 22:21, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (15:09:18.369 PST) 0->0 (15:10:48.008 PST) tcpslice 1357772835.572 1357772835.573 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.46' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.46 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 01/09/2013 15:28:34.421 PST Gen. Time: 01/09/2013 15:29:32.939 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) 204.8.155.227 (15:29:32.939 PST) event=777:7777005 {tcp} E5[bh] Detected moderate malware port scanning of 10 IPs (10 /24s) (# pkts S/M/O/I=0/10/0/0): 22:10, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (15:29:32.939 PST) OUTBOUND SCAN 131.179.150.72 (15:28:34.421 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 52643->22 (15:28:34.421 PST) 204.8.155.227 (15:29:31.635 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 52627->22 (15:29:31.635 PST) 128.42.142.45 (15:28:49.172 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 39354->22 (15:28:49.172 PST) 152.3.138.7 (15:29:16.642 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 56272->22 (15:29:16.642 PST) 130.127.39.152 (2) (15:29:20.934 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 36668->22 (15:29:20.934 PST) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 36670->22 (15:29:23.967 PST) 204.123.28.56 (15:28:52.419 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 50936->22 (15:28:52.419 PST) 192.52.240.214 (15:29:09.576 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 54457->22 (15:29:09.576 PST) 158.130.6.254 (15:29:02.226 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 58741->22 (15:29:02.226 PST) ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1357774114.421 1357774114.422 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.46' ============================== SEPARATOR ================================ Score: 1.6 (>= 0.8) Infected Target: 192.168.1.46 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 01/09/2013 15:28:34.421 PST Gen. Time: 01/09/2013 15:37:39.092 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) 204.8.155.227 (15:29:32.939 PST) event=777:7777005 {tcp} E5[bh] Detected moderate malware port scanning of 10 IPs (10 /24s) (# pkts S/M/O/I=0/10/0/0): 22:10, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (15:29:32.939 PST) OUTBOUND SCAN 128.111.52.58 (15:29:40.596 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 43565->22 (15:29:40.596 PST) 128.10.19.53 (2) (15:29:44.890 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 58577->22 (15:29:44.890 PST) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 58579->22 (15:29:48.095 PST) 131.179.150.72 (15:28:34.421 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 52643->22 (15:28:34.421 PST) 131.179.150.70 (15:30:00.175 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 44298->22 (15:30:00.175 PST) 158.130.6.254 (15:29:02.226 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 58741->22 (15:29:02.226 PST) 128.151.65.102 (15:29:56.944 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 39324->22 (15:29:56.944 PST) 128.42.142.45 (15:28:49.172 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 39354->22 (15:28:49.172 PST) 192.52.240.214 (15:29:09.576 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 54457->22 (15:29:09.576 PST) 204.123.28.56 (15:28:52.419 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 50936->22 (15:28:52.419 PST) 204.8.155.227 (15:29:31.635 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 52627->22 (15:29:31.635 PST) 129.82.12.188 (15:30:05.412 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 60357->22 (15:30:05.412 PST) 141.212.113.180 (15:29:37.926 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 51761->22 (15:29:37.926 PST) 152.3.138.7 (15:29:16.642 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 56272->22 (15:29:16.642 PST) 152.3.138.6 (15:30:09.469 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 53850->22 (15:30:09.469 PST) 130.127.39.152 (2) (15:29:20.934 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 36668->22 (15:29:20.934 PST) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 36670->22 (15:29:23.967 PST) ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 128.111.52.59 (2) (15:30:30.396 PST) event=777:7777008 (2) {tcp} E8[bh] Detected intense malware port scanning of 21 IPs (16 /24s) (# pkts S/M/O/I=0/21/0/0): 22:21, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (15:30:30.396 PST) 0->0 (15:32:00.044 PST) tcpslice 1357774114.421 1357774114.422 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.46' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.46 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 01/09/2013 15:33:25.032 PST Gen. Time: 01/09/2013 15:33:25.032 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 128.112.139.97 (15:33:25.032 PST) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 46 IPs (27 /24s) (# pkts S/M/O/I=0/46/0/0): 22:46, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (15:33:25.032 PST) tcpslice 1357774405.032 1357774405.033 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.46' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.46 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 01/09/2013 15:49:06.972 PST Gen. Time: 01/09/2013 15:50:33.549 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) 204.8.155.227 (15:50:33.549 PST) event=777:7777005 {tcp} E5[bh] Detected moderate malware port scanning of 10 IPs (10 /24s) (# pkts S/M/O/I=0/10/0/0): 22:10, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (15:50:33.549 PST) OUTBOUND SCAN 131.179.150.72 (15:49:06.972 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 52887->22 (15:49:06.972 PST) 158.130.6.254 (15:49:53.422 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 58983->22 (15:49:53.422 PST) 128.42.142.45 (15:49:21.709 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 39598->22 (15:49:21.709 PST) 192.52.240.214 (15:50:03.320 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 54699->22 (15:50:03.320 PST) 204.123.28.56 (15:49:24.822 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 51178->22 (15:49:24.822 PST) 204.8.155.227 (15:50:25.921 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 52869->22 (15:50:25.921 PST) 141.212.113.180 (15:50:32.512 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 52003->22 (15:50:32.512 PST) 152.3.138.7 (15:50:10.958 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 56514->22 (15:50:10.958 PST) 130.127.39.152 (2) (15:50:18.344 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 36912->22 (15:50:18.344 PST) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 36912->22 (15:50:18.344 PST) ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1357775346.972 1357775346.973 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.46' ============================== SEPARATOR ================================ Score: 1.6 (>= 0.8) Infected Target: 192.168.1.46 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 01/09/2013 15:49:06.972 PST Gen. Time: 01/09/2013 15:58:34.685 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) 204.8.155.227 (15:50:33.549 PST) event=777:7777005 {tcp} E5[bh] Detected moderate malware port scanning of 10 IPs (10 /24s) (# pkts S/M/O/I=0/10/0/0): 22:10, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (15:50:33.549 PST) OUTBOUND SCAN 128.111.52.58 (15:50:35.179 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 43807->22 (15:50:35.179 PST) 128.10.19.53 (2) (15:50:42.534 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 58821->22 (15:50:42.534 PST) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 58821->22 (15:50:42.534 PST) 131.179.150.72 (15:49:06.972 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 52887->22 (15:49:06.972 PST) 131.179.150.70 (15:50:54.356 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 44540->22 (15:50:54.356 PST) 158.130.6.254 (15:49:53.422 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 58983->22 (15:49:53.422 PST) 128.151.65.102 (15:50:50.939 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 39566->22 (15:50:50.939 PST) 128.42.142.45 (15:49:21.709 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 39598->22 (15:49:21.709 PST) 192.52.240.214 (15:50:03.320 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 54699->22 (15:50:03.320 PST) 204.123.28.56 (15:49:24.822 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 51178->22 (15:49:24.822 PST) 204.8.155.227 (15:50:25.921 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 52869->22 (15:50:25.921 PST) 129.82.12.188 (15:50:59.360 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 60599->22 (15:50:59.360 PST) 141.212.113.180 (15:50:32.512 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 52003->22 (15:50:32.512 PST) 152.3.138.7 (15:50:10.958 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 56514->22 (15:50:10.958 PST) 152.3.138.6 (15:51:06.276 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 54094->22 (15:51:06.276 PST) 130.127.39.152 (2) (15:50:18.344 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 36912->22 (15:50:18.344 PST) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 36912->22 (15:50:18.344 PST) ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 128.18.220.50 (15:54:45.145 PST) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 46 IPs (27 /24s) (# pkts S/M/O/I=0/46/0/0): 22:46, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (15:54:45.145 PST) 13.7.64.22 (2) (15:51:30.728 PST) event=777:7777008 (2) {tcp} E8[bh] Detected intense malware port scanning of 21 IPs (16 /24s) (# pkts S/M/O/I=0/21/0/0): 22:21, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (15:51:30.728 PST) 0->0 (15:53:00.808 PST) tcpslice 1357775346.972 1357775346.973 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.46' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.46 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 01/09/2013 15:58:35.723 PST Gen. Time: 01/09/2013 15:58:35.723 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 128.18.220.50 (15:58:35.723 PST) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 46 IPs (27 /24s) (# pkts S/M/O/I=0/46/0/0): 22:46, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (15:58:35.723 PST) tcpslice 1357775915.723 1357775915.724 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.46' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.46 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 01/09/2013 16:03:45.400 PST Gen. Time: 01/09/2013 16:03:45.400 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 128.18.220.50 (16:03:45.400 PST) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 46 IPs (27 /24s) (# pkts S/M/O/I=0/46/0/0): 22:46, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (16:03:45.400 PST) tcpslice 1357776225.400 1357776225.401 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.46' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.46 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 01/09/2013 16:06:45.568 PST Gen. Time: 01/09/2013 16:06:45.568 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 128.18.220.50 (16:06:45.568 PST) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 46 IPs (27 /24s) (# pkts S/M/O/I=0/46/0/0): 22:46, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (16:06:45.568 PST) tcpslice 1357776405.568 1357776405.569 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.46' ============================== SEPARATOR ================================ Score: 1.3 (>= 0.8) Infected Target: 192.168.1.46 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 01/09/2013 16:06:45.568 PST Gen. Time: 01/09/2013 16:17:59.850 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN 128.111.52.58 (16:11:12.439 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 44048->22 (16:11:12.439 PST) 128.10.19.53 (2) (16:11:16.686 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 59060->22 (16:11:16.686 PST) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 59062->22 (16:11:20.419 PST) 131.179.150.72 (16:10:05.895 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 53128->22 (16:10:05.895 PST) 131.179.150.70 (16:11:34.685 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 44781->22 (16:11:34.685 PST) 158.130.6.254 (16:10:33.098 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 59224->22 (16:10:33.098 PST) 128.151.65.102 (16:11:31.015 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 39807->22 (16:11:31.015 PST) 128.42.142.45 (16:10:20.972 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 39839->22 (16:10:20.972 PST) 192.52.240.214 (16:10:40.197 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 54940->22 (16:10:40.197 PST) 204.123.28.56 (16:10:23.336 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 51419->22 (16:10:23.336 PST) 204.8.155.227 (16:11:03.130 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 53110->22 (16:11:03.130 PST) 129.82.12.188 (16:11:39.861 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 60840->22 (16:11:39.861 PST) 141.212.113.180 (16:11:09.597 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 52244->22 (16:11:09.597 PST) 152.3.138.7 (16:10:47.365 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 56755->22 (16:10:47.365 PST) 152.3.138.6 (16:11:43.962 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 54333->22 (16:11:43.962 PST) 130.127.39.152 (2) (16:10:52.106 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 37151->22 (16:10:52.106 PST) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 37153->22 (16:10:55.076 PST) ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 128.18.220.50 (8) (16:06:45.568 PST-16:17:57.598 PST) event=777:7777008 (8) {tcp} E8[bh] Detected intense malware port scanning of 46 IPs (27 /24s) (# pkts S/M/O/I=0/46/0/0): 22:46, [] MAC_Src: 00:01:64:FF:CE:EA 8: 0->0 (16:06:45.568 PST-16:17:57.598 PST) tcpslice 1357776405.568 1357777077.599 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.46' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.46 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 01/09/2013 16:20:28.126 PST Gen. Time: 01/09/2013 16:20:28.126 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 128.18.220.50 (16:20:28.126 PST) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 46 IPs (27 /24s) (# pkts S/M/O/I=0/46/0/0): 22:46, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (16:20:28.126 PST) tcpslice 1357777228.126 1357777228.127 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.46' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.46 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 01/09/2013 16:24:13.918 PST Gen. Time: 01/09/2013 16:24:13.918 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 128.18.220.50 (16:24:13.918 PST) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 46 IPs (27 /24s) (# pkts S/M/O/I=0/46/0/0): 22:46, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (16:24:13.918 PST) tcpslice 1357777453.918 1357777453.919 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.46' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.46 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 01/09/2013 16:30:26.296 PST Gen. Time: 01/09/2013 16:30:26.296 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 128.18.220.50 (16:30:26.296 PST) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 46 IPs (27 /24s) (# pkts S/M/O/I=0/46/0/0): 22:46, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (16:30:26.296 PST) tcpslice 1357777826.296 1357777826.297 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.46' ============================== SEPARATOR ================================ Score: 1.3 (>= 0.8) Infected Target: 192.168.1.46 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 01/09/2013 16:30:26.296 PST Gen. Time: 01/09/2013 16:39:13.489 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN 128.111.52.58 (16:32:16.137 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 44289->22 (16:32:16.137 PST) 128.10.19.53 (2) (16:32:20.040 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 59301->22 (16:32:20.040 PST) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 59303->22 (16:32:23.636 PST) 131.179.150.72 (16:31:08.743 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 53369->22 (16:31:08.743 PST) 131.179.150.70 (16:32:35.710 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 45022->22 (16:32:35.710 PST) 158.130.6.254 (16:31:36.035 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 59465->22 (16:31:36.035 PST) 128.151.65.102 (16:32:32.230 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 40048->22 (16:32:32.230 PST) 128.42.142.45 (16:31:23.566 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 40080->22 (16:31:23.566 PST) 192.52.240.214 (16:31:43.079 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 55181->22 (16:31:43.079 PST) 204.123.28.56 (16:31:26.918 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 51660->22 (16:31:26.918 PST) 204.8.155.227 (16:32:06.724 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 53351->22 (16:32:06.724 PST) 129.82.12.188 (16:32:41.219 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 32848->22 (16:32:41.219 PST) 141.212.113.180 (16:32:13.390 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 52485->22 (16:32:13.390 PST) 152.3.138.7 (16:31:50.353 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 56996->22 (16:31:50.353 PST) 152.3.138.6 (16:32:45.169 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 54574->22 (16:32:45.169 PST) 130.127.39.152 (2) (16:31:55.230 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 37392->22 (16:31:55.230 PST) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 37394->22 (16:31:58.978 PST) ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 128.18.220.50 (5) (16:30:26.296 PST-16:39:13.489 PST) event=777:7777008 (5) {tcp} E8[bh] Detected intense malware port scanning of 46 IPs (27 /24s) (# pkts S/M/O/I=0/46/0/0): 22:46, [] MAC_Src: 00:01:64:FF:CE:EA 5: 0->0 (16:30:26.296 PST-16:39:13.489 PST) tcpslice 1357777826.296 1357778353.490 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.46' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.46 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 01/09/2013 16:40:57.205 PST Gen. Time: 01/09/2013 16:40:57.205 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 128.18.220.50 (16:40:57.205 PST) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 46 IPs (27 /24s) (# pkts S/M/O/I=0/46/0/0): 22:46, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (16:40:57.205 PST) tcpslice 1357778457.205 1357778457.206 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.46' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.46 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 01/09/2013 16:44:27.737 PST Gen. Time: 01/09/2013 16:44:27.737 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 128.18.220.50 (16:44:27.737 PST) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 46 IPs (27 /24s) (# pkts S/M/O/I=0/46/0/0): 22:46, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (16:44:27.737 PST) tcpslice 1357778667.737 1357778667.738 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.46' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.46 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 01/09/2013 16:49:23.550 PST Gen. Time: 01/09/2013 16:49:23.550 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 128.18.220.50 (16:49:23.550 PST) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 46 IPs (27 /24s) (# pkts S/M/O/I=0/46/0/0): 22:46, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (16:49:23.550 PST) tcpslice 1357778963.550 1357778963.551 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.46' ============================== SEPARATOR ================================ Score: 1.3 (>= 0.8) Infected Target: 192.168.1.46 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 01/09/2013 16:49:23.550 PST Gen. Time: 01/09/2013 17:00:14.193 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN 128.111.52.58 (16:53:00.902 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 44529->22 (16:53:00.902 PST) 128.10.19.53 (2) (16:53:04.907 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 59541->22 (16:53:04.907 PST) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 59543->22 (16:53:08.463 PST) 131.179.150.72 (16:51:50.794 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 53609->22 (16:51:50.794 PST) 131.179.150.70 (16:53:20.547 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 45262->22 (16:53:20.547 PST) 158.130.6.254 (16:52:21.380 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 59705->22 (16:52:21.380 PST) 128.151.65.102 (16:53:17.059 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 40288->22 (16:53:17.059 PST) 128.42.142.45 (16:52:05.609 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 40320->22 (16:52:05.609 PST) 192.52.240.214 (16:52:28.604 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 55421->22 (16:52:28.604 PST) 204.123.28.56 (16:52:08.687 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 51900->22 (16:52:08.687 PST) 204.8.155.227 (16:52:51.477 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 53591->22 (16:52:51.477 PST) 129.82.12.188 (16:53:26.468 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 33088->22 (16:53:26.468 PST) 141.212.113.180 (16:52:58.044 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 52725->22 (16:52:58.044 PST) 152.3.138.7 (16:52:35.827 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 57236->22 (16:52:35.827 PST) 152.3.138.6 (16:53:30.499 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 54814->22 (16:53:30.499 PST) 130.127.39.152 (2) (16:52:40.292 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 37632->22 (16:52:40.292 PST) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 37634->22 (16:52:43.598 PST) ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 128.18.220.50 (5) (16:49:23.550 PST-16:55:38.502 PST) event=777:7777008 (5) {tcp} E8[bh] Detected intense malware port scanning of 46 IPs (27 /24s) (# pkts S/M/O/I=0/46/0/0): 22:46, [] MAC_Src: 00:01:64:FF:CE:EA 5: 0->0 (16:49:23.550 PST-16:55:38.502 PST) tcpslice 1357778963.550 1357779338.503 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.46' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.46 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 01/09/2013 17:05:44.441 PST Gen. Time: 01/09/2013 17:05:44.441 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 128.18.220.50 (17:05:44.441 PST) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 46 IPs (27 /24s) (# pkts S/M/O/I=0/46/0/0): 22:46, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (17:05:44.441 PST) tcpslice 1357779944.441 1357779944.442 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.46' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.46 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 01/09/2013 17:09:08.584 PST Gen. Time: 01/09/2013 17:09:08.584 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 128.18.220.50 (17:09:08.584 PST) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 46 IPs (27 /24s) (# pkts S/M/O/I=0/46/0/0): 22:46, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (17:09:08.584 PST) tcpslice 1357780148.584 1357780148.585 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.46' ============================== SEPARATOR ================================ Score: 1.3 (>= 0.8) Infected Target: 192.168.1.46 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 01/09/2013 17:09:08.584 PST Gen. Time: 01/09/2013 17:22:01.011 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN 128.111.52.58 (17:13:52.095 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 44769->22 (17:13:52.095 PST) 128.10.19.53 (2) (17:13:57.928 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 59782->22 (17:13:57.928 PST) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 59783->22 (17:13:59.629 PST) 131.179.150.72 (17:12:38.839 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 53849->22 (17:12:38.839 PST) 131.179.150.70 (17:14:11.752 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 45502->22 (17:14:11.752 PST) 158.130.6.254 (17:13:12.761 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 59945->22 (17:13:12.761 PST) 128.151.65.102 (17:14:08.308 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 40528->22 (17:14:08.308 PST) 128.42.142.45 (17:12:53.887 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 40560->22 (17:12:53.887 PST) 192.52.240.214 (17:13:19.952 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 55661->22 (17:13:19.952 PST) 204.123.28.56 (17:12:56.215 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 52140->22 (17:12:56.215 PST) 204.8.155.227 (17:13:42.884 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 53831->22 (17:13:42.884 PST) 129.82.12.188 (17:14:17.350 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 33328->22 (17:14:17.350 PST) 141.212.113.180 (17:13:49.357 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 52965->22 (17:13:49.357 PST) 152.3.138.7 (17:13:27.259 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 57476->22 (17:13:27.259 PST) 152.3.138.6 (17:14:23.093 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 55055->22 (17:14:23.093 PST) 130.127.39.152 (2) (17:13:33.474 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 37873->22 (17:13:33.474 PST) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 37874->22 (17:13:34.913 PST) ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 128.18.220.50 (5) (17:09:08.584 PST-17:16:27.732 PST) event=777:7777008 (5) {tcp} E8[bh] Detected intense malware port scanning of 46 IPs (27 /24s) (# pkts S/M/O/I=0/46/0/0): 22:46, [] MAC_Src: 00:01:64:FF:CE:EA 5: 0->0 (17:09:08.584 PST-17:16:27.732 PST) tcpslice 1357780148.584 1357780587.733 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.46' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.46 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 01/09/2013 17:26:23.862 PST Gen. Time: 01/09/2013 17:26:23.862 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 128.18.220.50 (17:26:23.862 PST) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 47 IPs (28 /24s) (# pkts S/M/O/I=0/46/0/1): 22:46, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (17:26:23.862 PST) tcpslice 1357781183.862 1357781183.863 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.46' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.46 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 01/09/2013 17:33:35.267 PST Gen. Time: 01/09/2013 17:34:40.733 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) 204.123.28.56 (17:34:40.733 PST) event=777:7777005 {tcp} E5[bh] Detected moderate malware port scanning of 10 IPs (10 /24s) (# pkts S/M/O/I=0/10/0/0): 22:10, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (17:34:40.733 PST) OUTBOUND SCAN 131.179.150.72 (17:33:35.267 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 54087->22 (17:33:35.267 PST) 158.130.6.254 (17:34:02.541 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 60183->22 (17:34:02.541 PST) 128.42.142.45 (17:33:50.239 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 40798->22 (17:33:50.239 PST) 192.52.240.214 (17:34:09.841 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 55899->22 (17:34:09.841 PST) 204.123.28.56 (17:33:52.570 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 52378->22 (17:33:52.570 PST) 204.8.155.227 (17:34:32.942 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 54069->22 (17:34:32.942 PST) 141.212.113.180 (17:34:39.564 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 53203->22 (17:34:39.564 PST) 152.3.138.7 (17:34:17.199 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 57714->22 (17:34:17.199 PST) 130.127.39.152 (2) (17:34:25.055 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 38112->22 (17:34:25.055 PST) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 38112->22 (17:34:25.055 PST) ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1357781615.267 1357781615.268 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.46' ============================== SEPARATOR ================================ Score: 1.6 (>= 0.8) Infected Target: 192.168.1.46 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 01/09/2013 17:33:35.267 PST Gen. Time: 01/09/2013 17:41:05.586 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) 204.123.28.56 (17:34:40.733 PST) event=777:7777005 {tcp} E5[bh] Detected moderate malware port scanning of 10 IPs (10 /24s) (# pkts S/M/O/I=0/10/0/0): 22:10, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (17:34:40.733 PST) OUTBOUND SCAN 128.111.52.58 (17:34:42.457 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 45007->22 (17:34:42.457 PST) 128.10.19.53 (2) (17:34:50.387 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 60021->22 (17:34:50.387 PST) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 60021->22 (17:34:50.387 PST) 131.179.150.72 (17:33:35.267 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 54087->22 (17:33:35.267 PST) 131.179.150.70 (17:35:02.874 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 45740->22 (17:35:02.874 PST) 158.130.6.254 (17:34:02.541 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 60183->22 (17:34:02.541 PST) 128.151.65.102 (17:34:59.357 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 40766->22 (17:34:59.357 PST) 128.42.142.45 (17:33:50.239 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 40798->22 (17:33:50.239 PST) 192.52.240.214 (17:34:09.841 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 55899->22 (17:34:09.841 PST) 204.123.28.56 (17:33:52.570 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 52378->22 (17:33:52.570 PST) 204.8.155.227 (17:34:32.942 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 54069->22 (17:34:32.942 PST) 129.82.12.188 (17:35:08.074 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 33566->22 (17:35:08.074 PST) 141.212.113.180 (17:34:39.564 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 53203->22 (17:34:39.564 PST) 152.3.138.7 (17:34:17.199 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 57714->22 (17:34:17.199 PST) 152.3.138.6 (17:35:15.313 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 55294->22 (17:35:15.313 PST) 130.127.39.152 (2) (17:34:25.055 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 38112->22 (17:34:25.055 PST) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 38112->22 (17:34:25.055 PST) ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 198.133.224.147 (2) (17:37:11.850 PST) event=777:7777008 (2) {tcp} E8[bh] Detected intense malware port scanning of 32 IPs (22 /24s) (# pkts S/M/O/I=0/32/0/0): 22:32, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (17:37:11.850 PST) 0->0 (17:38:42.288 PST) 204.123.28.56 (17:35:40.706 PST) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 21 IPs (16 /24s) (# pkts S/M/O/I=0/21/0/0): 22:21, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (17:35:40.706 PST) tcpslice 1357781615.267 1357781615.268 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.46' ============================== SEPARATOR ================================