Score: 1.0 (>= 0.8)
Infected Target: 192.168.1.100
Infector List:
Egg Source List: 199.59.149.232, 199.59.150.9, 199.59.150.41, 199.59.148.87, 199.59.148.20
C & C List: 216.239.36.25, 199.255.189.60
Peer Coord. List:
Resource List:
Observed Start: 01/13/2013 01:36:31.228 PST
Gen. Time: 01/14/2013 06:37:08.079 PST

INBOUND SCAN

EXPLOIT

EXPLOIT

MALWARE DNS

EGG DOWNLOAD
  199.59.149.232 (01:38:44.886 PST)
    event=1:2013036 {tcp} E3[rb] ET TROJAN Java EXE Download by Vulnerable Version - Likely Driveby, [] MAC_Src: 00:21:1C:EE:14:00
    56517<-80 (01:38:44.886 PST)
  199.59.150.9 (6) (01:39:37.879 PST-01:40:49.368 PST)
    event=1:2013036 (6) {tcp} E3[rb] ET TROJAN Java EXE Download by Vulnerable Version - Likely Driveby, [] MAC_Src: 00:21:1C:EE:14:00
    35146<-80 (01:39:37.879 PST)
    46322<-80 (01:42:57.257 PST)
    2: 58775<-80 (01:40:19.364 PST-01:40:49.368 PST)
    43978<-80 (11:39:30.676 PST)
    39037<-80 (11:41:15.096 PST)
  199.59.150.41 (7) (01:38:06.300 PST-01:44:56.459 PST)
    event=1:2013036 (7) {tcp} E3[rb] ET TROJAN Java EXE Download by Vulnerable Version - Likely Driveby, [] MAC_Src: 00:21:1C:EE:14:00
    46228<-80 (01:43:31.708 PST)
    2: 43530<-80 (01:44:26.453 PST-01:44:56.459 PST)
    2: 34955<-80 (01:38:06.300 PST-01:38:36.306 PST)
    38733<-80 (11:38:29.354 PST)
    60024<-80 (11:40:24.858 PST)
  199.59.148.87 (4) (01:36:31.228 PST-01:37:44.307 PST)
    event=1:2013036 (4) {tcp} E3[rb] ET TROJAN Java EXE Download by Vulnerable Version - Likely Driveby, [] MAC_Src: 00:21:1C:EE:14:00
    48471<-80 (01:36:31.228 PST)
    49911<-80 (01:36:35.210 PST)
    2: 32968<-80 (01:37:14.305 PST-01:37:44.307 PST)
  199.59.148.20 (4) (01:41:10.792 PST-01:41:40.793 PST)
    event=1:2013036 (4) {tcp} E3[rb] ET TROJAN Java EXE Download by Vulnerable Version - Likely Driveby, [] MAC_Src: 00:21:1C:EE:14:00
    2: 56622<-80 (01:41:10.792 PST-01:41:40.793 PST)
    56269<-80 (01:41:49.898 PST)
    51722<-80 (11:38:38.774 PST)

C and C TRAFFIC
  216.239.36.25 (23:28:40.211 PST)
    event=1:2007962 {tcp} E4[rb] ET TROJAN Vipdataend C&C Traffic Checkin, [] MAC_Src: 00:21:5A:08:BB:0C
    37876->3306 (23:28:40.211 PST)
  199.255.189.60 (11:38:06.673 PST)
    event=1:2012801 {tcp} E4[rb] ET TROJAN Spoofed MSIE 7 User-Agent Likely Ponmocup, [/filtered_reviews/500-club-san-francisco?fsid=gGkuEn5pzPfh3DmypRmMnA&filtered_start=10] MAC_Src: 00:21:5A:08:BB:0C
    52260->80 (11:38:06.673 PST)

C and C TRAFFIC (RBN)

C and C DNS CHECK-IN

OUTBOUND SKYPE CANDIDATE

OUTBOUND SCAN (spp)

OUTBOUND SCAN

ATTACK PREP

PEER COORDINATION Info

PEER COORDINATION

DECLARE BOT Standard Port

DECLARE BOT Non-standard Port

DECLARE BOT

OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1358069791.228 1358070296.460 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100'

============================== SEPARATOR ================================