Score: 1.1 (>= 0.8)
Infected Target: 192.168.1.154
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 01/10/2013 00:54:08.461 PST
Gen. Time: 01/10/2013 00:54:08.590 PST
   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
        130.153.144.100 (00:54:08.461 PST)
        event=777:7777005 {tcp} E5[bh] Detected moderate malware port scanning of 10 IPs (10 /24s) (# pkts S/M/O/I=0/10/0/0): 445:10, [] MAC_Src: 00:30:48:30:03:AF
        0->0 (00:54:08.461 PST)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION Info
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN
        130.153.144.100 (00:54:08.590 PST)
        event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 21 IPs (21 /24s) (# pkts S/M/O/I=0/21/0/0): 445:21, [] MAC_Src: 00:30:48:30:03:AF
        0->0 (00:54:08.590 PST)

tcpslice 1357808048.461 1357808048.462 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.154'
============================== SEPARATOR ================================
Score: 1.1 (>= 0.8)
Infected Target: 192.168.1.154
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 01/10/2013 03:54:35.069 PST
Gen. Time: 01/10/2013 03:54:35.293 PST
   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
        130.80.56.181 (03:54:35.069 PST)
        event=777:7777005 {tcp} E5[bh] Detected moderate malware port scanning of 10 IPs (10 /24s) (# pkts S/M/O/I=0/10/0/0): 445:10, [] MAC_Src: 00:30:48:30:03:AF
        0->0 (03:54:35.069 PST)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION Info
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN
        130.80.56.181 (03:54:35.293 PST)
        event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 21 IPs (21 /24s) (# pkts S/M/O/I=0/21/0/0): 445:21, [] MAC_Src: 00:30:48:30:03:AF
        0->0 (03:54:35.293 PST)

tcpslice 1357818875.069 1357818875.070 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.154'
============================== SEPARATOR ================================
Score: 1.1 (>= 0.8)
Infected Target: 192.168.1.154
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 01/10/2013 05:59:22.376 PST
Gen. Time: 01/10/2013 05:59:22.507 PST
   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
        130.28.117.0 (05:59:22.376 PST)
        event=777:7777005 {tcp} E5[bh] Detected moderate malware port scanning of 10 IPs (10 /24s) (# pkts S/M/O/I=0/10/0/0): 135:10, [] MAC_Src: 00:30:48:30:03:AF
        0->0 (05:59:22.376 PST)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION Info
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN
        130.141.25.161 (05:59:22.507 PST)
        event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 21 IPs (21 /24s) (# pkts S/M/O/I=0/21/0/0): 135:21, [] MAC_Src: 00:30:48:30:03:AF
        0->0 (05:59:22.507 PST)

tcpslice 1357826362.376 1357826362.377 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.154'
============================== SEPARATOR ================================
Score: 1.1 (>= 0.8)
Infected Target: 192.168.1.154
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 01/10/2013 06:24:32.903 PST
Gen. Time: 01/10/2013 06:24:33.044 PST
   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
        130.195.185.53 (06:24:32.903 PST)
        event=777:7777005 {tcp} E5[bh] Detected moderate malware port scanning of 10 IPs (10 /24s) (# pkts S/M/O/I=0/10/0/0): 445:10, [] MAC_Src: 00:30:48:30:03:AF
        0->0 (06:24:32.903 PST)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION Info
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN
        130.134.66.105 (06:24:33.044 PST)
        event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 21 IPs (21 /24s) (# pkts S/M/O/I=0/21/0/0): 445:21, [] MAC_Src: 00:30:48:30:03:AF
        0->0 (06:24:33.044 PST)

tcpslice 1357827872.903 1357827872.904 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.154'
============================== SEPARATOR ================================
Score: 1.1 (>= 0.8)
Infected Target: 192.168.1.154
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 01/10/2013 11:09:46.811 PST
Gen. Time: 01/10/2013 11:09:47.073 PST
   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
        130.21.98.23 (11:09:46.811 PST)
        event=777:7777005 {tcp} E5[bh] Detected moderate malware port scanning of 10 IPs (10 /24s) (# pkts S/M/O/I=0/10/0/0): 445:10, [] MAC_Src: 00:30:48:30:03:AF
        0->0 (11:09:46.811 PST)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION Info
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN
        130.69.179.109 (11:09:47.073 PST)
        event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 21 IPs (21 /24s) (# pkts S/M/O/I=0/21/0/0): 445:21, [] MAC_Src: 00:30:48:30:03:AF
        0->0 (11:09:47.073 PST)

tcpslice 1357844986.811 1357844986.812 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.154'
============================== SEPARATOR ================================
Score: 1.4 (>= 0.8)
Infected Target: 192.168.1.154
Infector List: 81.183.117.228
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 01/10/2013 11:09:46.811 PST
Gen. Time: 01/10/2013 11:13:35.658 PST
   INBOUND SCAN
   EXPLOIT
        81.183.117.228 (14) (11:09:48.081 PST-11:09:48.374 PST)
        event=1:22000032 {tcp} E2[rb] ET EXPLOIT LSA exploit, [] MAC_Dst: 00:30:48:30:03:AE
        445<-39321 (11:09:48.393 PST)
        -------------------------
        event=1:22000046 {tcp} E2[rb] ET NETBIOS MS04011 Lsasrv.dll RPC exploit (Win2k), [] MAC_Dst: 00:30:48:30:03:AE
        445<-39321 (11:09:48.393 PST)
        -------------------------
        event=1:22314 (5) {tcp} E2[rb] GPL SHELLCODE x86 0x90 NOOP unicode, [] MAC_Dst: 00:30:48:30:03:AE
        5: 445<-39321 (11:09:48.081 PST-11:09:48.374 PST)
        -------------------------
        event=1:22514 (2) {tcp} E2[rb] GPL NETBIOS SMB-DS DCERPC LSASS DsRolerUpgradeDownlevelServer exploit attempt, [] MAC_Dst: 00:30:48:30:03:AE
        2: 445<-39321 (11:09:48.081 PST-11:09:48.352 PST)
        -------------------------
        event=1:2653 (5) {tcp} E2[rb] GPL SHELLCODE x86 0x90 unicode NOOP, [] MAC_Dst: 00:30:48:30:03:AE
        5: 445<-39321 (11:09:48.081 PST-11:09:48.374 PST)
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
        130.21.98.23 (11:09:46.811 PST)
        event=777:7777005 {tcp} E5[bh] Detected moderate malware port scanning of 10 IPs (10 /24s) (# pkts S/M/O/I=0/10/0/0): 445:10, [] MAC_Src: 00:30:48:30:03:AF
        0->0 (11:09:46.811 PST)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION Info
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN
        130.69.179.109 (11:09:47.073 PST)
        event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 21 IPs (21 /24s) (# pkts S/M/O/I=0/21/0/0): 445:21, [] MAC_Src: 00:30:48:30:03:AF
        0->0 (11:09:47.073 PST)

tcpslice 1357844986.811 1357844988.375 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.154'
============================== SEPARATOR ================================
Score: 1.1 (>= 0.8)
Infected Target: 192.168.1.154
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 01/10/2013 17:30:34.850 PST
Gen. Time: 01/10/2013 17:30:35.115 PST
   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
        130.222.168.124 (17:30:34.850 PST)
        event=777:7777005 {tcp} E5[bh] Detected moderate malware port scanning of 10 IPs (10 /24s) (# pkts S/M/O/I=0/10/0/0): 445:10, [] MAC_Src: 00:30:48:30:03:AF
        0->0 (17:30:34.850 PST)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION Info
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN
        130.169.78.206 (17:30:35.115 PST)
        event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 21 IPs (21 /24s) (# pkts S/M/O/I=0/21/0/0): 445:21, [] MAC_Src: 00:30:48:30:03:AF
        0->0 (17:30:35.115 PST)

tcpslice 1357867834.850 1357867834.851 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.154'
============================== SEPARATOR ================================
Score: 1.1 (>= 0.8)
Infected Target: 192.168.1.154
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 01/10/2013 20:15:32.027 PST
Gen. Time: 01/10/2013 20:15:32.172 PST
   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
        130.159.47.238 (20:15:32.027 PST)
        event=777:7777005 {tcp} E5[bh] Detected moderate malware port scanning of 10 IPs (10 /24s) (# pkts S/M/O/I=0/10/0/0): 135:10, [] MAC_Src: 00:30:48:30:03:AF
        0->0 (20:15:32.027 PST)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION Info
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN
        130.181.112.170 (20:15:32.172 PST)
        event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 21 IPs (21 /24s) (# pkts S/M/O/I=0/21/0/0): 135:21, [] MAC_Src: 00:30:48:30:03:AF
        0->0 (20:15:32.172 PST)

tcpslice 1357877732.027 1357877732.028 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.154'
============================== SEPARATOR ================================
Score: 1.1 (>= 0.8)
Infected Target: 192.168.1.154
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 01/10/2013 20:35:19.644 PST
Gen. Time: 01/10/2013 20:35:19.827 PST
   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
        130.193.134.31 (20:35:19.644 PST)
        event=777:7777005 {tcp} E5[bh] Detected moderate malware port scanning of 10 IPs (10 /24s) (# pkts S/M/O/I=0/10/0/0): 135:10, [] MAC_Src: 00:30:48:30:03:AF
        0->0 (20:35:19.644 PST)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION Info
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN
        130.233.158.153 (20:35:19.827 PST)
        event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 21 IPs (21 /24s) (# pkts S/M/O/I=0/21/0/0): 135:21, [] MAC_Src: 00:30:48:30:03:AF
        0->0 (20:35:19.827 PST)

tcpslice 1357878919.644 1357878919.645 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.154'
============================== SEPARATOR ================================
Score: 1.1 (>= 0.8)
Infected Target: 192.168.1.154
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 01/10/2013 21:55:26.797 PST
Gen. Time: 01/10/2013 21:55:27.031 PST
   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
        130.134.164.203 (21:55:26.797 PST)
        event=777:7777005 {tcp} E5[bh] Detected moderate malware port scanning of 10 IPs (10 /24s) (# pkts S/M/O/I=0/10/0/0): 135:10, [] MAC_Src: 00:30:48:30:03:AF
        0->0 (21:55:26.797 PST)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION Info
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN
        130.243.41.116 (21:55:27.031 PST)
        event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 21 IPs (21 /24s) (# pkts S/M/O/I=0/21/0/0): 135:21, [] MAC_Src: 00:30:48:30:03:AF
        0->0 (21:55:27.031 PST)

tcpslice 1357883726.797 1357883726.798 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.154'
============================== SEPARATOR ================================
Score: 1.1 (>= 0.8)
Infected Target: 192.168.1.154
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 01/10/2013 22:26:01.063 PST
Gen. Time: 01/10/2013 22:26:01.371 PST
   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
        130.180.39.57 (22:26:01.063 PST)
        event=777:7777005 {tcp} E5[bh] Detected moderate malware port scanning of 10 IPs (10 /24s) (# pkts S/M/O/I=0/10/0/0): 135:10, [] MAC_Src: 00:30:48:30:03:AF
        0->0 (22:26:01.063 PST)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION Info
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN
        130.180.39.57 (22:26:01.371 PST)
        event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 21 IPs (21 /24s) (# pkts S/M/O/I=0/21/0/0): 135:21, [] MAC_Src: 00:30:48:30:03:AF
        0->0 (22:26:01.371 PST)

tcpslice 1357885561.063 1357885561.064 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.154'
============================== SEPARATOR ================================
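The profiles above are raw BotHunter infection reports for one host. To triage a day of them without reading each by hand, the Python below (an added example, not BotHunter's own code) parses the profile layout into records, pulls out the infector, the Snort/ET signature IDs, the scanned ports, and the scan source IPs and MACs, and checks whether the suggested tcpslice window actually covers every timestamped piece of evidence in the profile. The two profiles embedded in SAMPLE are constructed from the values on this page; the timezone (PST as a fixed UTC-8 offset), the same-day assumption for evidence stamps, and the one-second padding are assumptions of the example.

```python
"""Parse BotHunter infection profiles and sanity-check their tcpslice windows.

Added example, not BotHunter code.  SAMPLE is CONSTRUCTED from the fields on
this page (one scan-only profile, one profile with an inbound LSASS exploit).
"""
import re
from datetime import datetime, timedelta, timezone

PST = timezone(timedelta(hours=-8))  # assumption: stamps are PST, no DST handling

SAMPLE = """\
Score: 1.1 (>= 0.8)
Infected Target: 192.168.1.154
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 01/10/2013 00:54:08.461 PST
Gen. Time: 01/10/2013 00:54:08.590 PST
   OUTBOUND SCAN (spp)
        130.153.144.100 (00:54:08.461 PST)
        event=777:7777005 {tcp} E5[bh] Detected moderate malware port scanning of 10 IPs (10 /24s) (# pkts S/M/O/I=0/10/0/0): 445:10, [] MAC_Src: 00:30:48:30:03:AF
        0->0 (00:54:08.461 PST)
   OUTBOUND INTENSE MALWARE PORT SCAN
        130.153.144.100 (00:54:08.590 PST)
        event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 21 IPs (21 /24s) (# pkts S/M/O/I=0/21/0/0): 445:21, [] MAC_Src: 00:30:48:30:03:AF
        0->0 (00:54:08.590 PST)

tcpslice 1357808048.461 1357808048.462 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.154'
============================== SEPARATOR ================================
Score: 1.4 (>= 0.8)
Infected Target: 192.168.1.154
Infector List: 81.183.117.228
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 01/10/2013 11:09:46.811 PST
Gen. Time: 01/10/2013 11:13:35.658 PST
   EXPLOIT
        81.183.117.228 (14) (11:09:48.081 PST-11:09:48.374 PST)
        event=1:22000032 {tcp} E2[rb] ET EXPLOIT LSA exploit, [] MAC_Dst: 00:30:48:30:03:AE
        445<-39321 (11:09:48.393 PST)
        -------------------------
        event=1:22514 (2) {tcp} E2[rb] GPL NETBIOS SMB-DS DCERPC LSASS DsRolerUpgradeDownlevelServer exploit attempt, [] MAC_Dst: 00:30:48:30:03:AE
        2: 445<-39321 (11:09:48.081 PST-11:09:48.352 PST)
   OUTBOUND SCAN (spp)
        130.21.98.23 (11:09:46.811 PST)
        event=777:7777005 {tcp} E5[bh] Detected moderate malware port scanning of 10 IPs (10 /24s) (# pkts S/M/O/I=0/10/0/0): 445:10, [] MAC_Src: 00:30:48:30:03:AF
        0->0 (11:09:46.811 PST)
   OUTBOUND INTENSE MALWARE PORT SCAN
        130.69.179.109 (11:09:47.073 PST)
        event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 21 IPs (21 /24s) (# pkts S/M/O/I=0/21/0/0): 445:21, [] MAC_Src: 00:30:48:30:03:AF
        0->0 (11:09:47.073 PST)

tcpslice 1357844986.811 1357844988.375 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.154'
============================== SEPARATOR ================================
"""

HEADER_RE = re.compile(r"^(Score|Infected Target|Infector List|Egg Source List|C & C List|"
                       r"Peer Coord\. List|Resource List|Observed Start|Gen\. Time):[ \t]*(.*)$", re.M)
# event=<gid:sid> [(count)] {proto} E<phase>[tag] <message>, [] MAC_Src|MAC_Dst: <mac>
EVENT_RE = re.compile(r"event=(?P<sid>\d+:\d+)(?: \((?P<count>\d+)\))? \{(?P<proto>\w+)\} "
                      r"(?P<phase>E\d)\[\w+\] (?P<msg>.*?), \[\] MAC_(?:Src|Dst): (?P<mac>[0-9A-F:]{17})")
SCAN_PORT_RE = re.compile(r"\): (\d+):(\d+),")            # "...0/10/0/0): 445:10," -> port 445, 10 pkts
SCAN_SRC_RE = re.compile(r"^\s+(\d+\.\d+\.\d+\.\d+) \([^)]*\)\n\s+event=777:", re.M)  # IP line before a scan event
STAMP_RE = re.compile(r"(\d\d:\d\d:\d\d\.\d{3}) PST\)")    # closing stamp of each "(... PST)" evidence line
TCPSLICE_RE = re.compile(r"^tcpslice (\d+\.\d+) (\d+\.\d+)", re.M)


def parse_stamp(s):
    """'01/10/2013 00:54:08.461 PST' -> epoch seconds (PST assumed UTC-8)."""
    return datetime.strptime(s[:-4], "%m/%d/%Y %H:%M:%S.%f").replace(tzinfo=PST).timestamp()


def parse_profiles(text):
    profiles = []
    for chunk in re.split(r"^=+ SEPARATOR =+[ \t]*$", text, flags=re.M):
        if "Score:" not in chunk:
            continue
        p = {k: v.strip() for k, v in HEADER_RE.findall(chunk)}
        p["score"] = float(p["Score"].split()[0])
        p["events"] = [m.groupdict() for m in EVENT_RE.finditer(chunk)]
        p["scan_ports"] = sorted({int(port) for port, _ in SCAN_PORT_RE.findall(chunk)})
        p["scan_sources"] = sorted(set(SCAN_SRC_RE.findall(chunk)))
        day = p["Observed Start"][:10]                     # assumption: evidence stamps share the start date
        p["last_evidence"] = max(parse_stamp(day + " " + t + " PST") for t in STAMP_RE.findall(chunk))
        m = TCPSLICE_RE.search(chunk)
        p["window"] = (float(m.group(1)), float(m.group(2))) if m else None
        profiles.append(p)
    return profiles


def window_starts_at_observed_start(p):
    """Clock/timezone sanity check: tcpslice start should equal Observed Start."""
    return abs(parse_stamp(p["Observed Start"]) - p["window"][0]) < 0.001


def window_covers_evidence(p):
    """Does the suggested tcpslice window reach the latest evidence stamp?"""
    return p["last_evidence"] <= p["window"][1]


def widened_tcpslice(p, pad=1.0, pcap="inputFile.tcpd"):
    """Carve command that covers every listed event plus `pad` seconds either side."""
    start = p["window"][0] - pad
    end = max(p["window"][1], p["last_evidence"]) + pad
    return "tcpslice %.3f %.3f %s | tcpdump -r - -w outputFile.tcpd 'host %s'" % (
        start, end, pcap, p["Infected Target"])


def triage(profiles):
    scan_events = [e for p in profiles for e in p["events"] if e["phase"] in ("E5", "E8")]
    return {
        "targets": sorted({p["Infected Target"] for p in profiles}),
        "infectors": sorted({p["Infector List"] for p in profiles if p["Infector List"]}),
        "exploit_sids": sorted({e["sid"] for p in profiles for e in p["events"] if e["phase"] == "E2"}),
        "scanned_ports": sorted({port for p in profiles for port in p["scan_ports"]}),
        "scan_source_ips": sorted({ip for p in profiles for ip in p["scan_sources"]}),
        "scan_source_macs": sorted({e["mac"] for e in scan_events}),
        "max_score": max(p["score"] for p in profiles),
    }


if __name__ == "__main__":
    profs = parse_profiles(SAMPLE)
    for p in profs:
        print(p["Observed Start"], "covers evidence:", window_covers_evidence(p))
        print("  ", widened_tcpslice(p))
    print(triage(profs))
```

Two things the checks surface on this page's data. First, the suggested tcpslice windows are one millisecond wide for the scan-only profiles and, in the 1.4-score profile, end at 1357844988.375 (11:09:48.375 PST) while the LSA exploit events are stamped 11:09:48.393 PST, so carving with the printed command as-is drops evidence; widen it before extracting the pcap. Second, the outbound scan sources are many different 130.0.0.0/8 addresses but every scan event carries the same MAC_Src, which is worth confirming at the switch before treating those addresses as distinct internal hosts.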