Score: 1.0 (>= 0.8)
Infected Target: 192.168.1.102
Infector List:
Egg Source List: 199.59.150.9, 199.59.150.41, 199.59.148.87, 199.59.148.20
C & C List: 199.255.189.160
Peer Coord. List:
Resource List:
Observed Start: 01/14/2013 10:09:49.031 PST
Gen. Time: 01/14/2013 13:21:34.733 PST

INBOUND SCAN

EXPLOIT

EXPLOIT MALWARE DNS

EGG DOWNLOAD
    199.59.150.9 (4) (10:09:49.031 PST-10:15:31.147 PST)
        event=1:2013036 (4) {tcp} E3[rb] ET TROJAN Java EXE Download by Vulnerable Version - Likely Driveby, [] MAC_Src: 00:21:1C:EE:14:00
        51220<-80 (10:09:49.031 PST)
        51519<-80 (10:11:23.029 PST)
        2: 54671<-80 (10:15:01.143 PST-10:15:31.147 PST)
    199.59.150.41 (4) (10:10:41.120 PST-10:11:11.121 PST)
        event=1:2013036 (4) {tcp} E3[rb] ET TROJAN Java EXE Download by Vulnerable Version - Likely Driveby, [] MAC_Src: 00:21:1C:EE:14:00
        2: 58268<-80 (10:10:41.120 PST-10:11:11.121 PST)
        48152<-80 (10:18:01.684 PST)
        57765<-80 (10:13:23.481 PST)
    199.59.148.87 (7) (10:12:30.868 PST-10:17:40.371 PST)
        event=1:2013036 (7) {tcp} E3[rb] ET TROJAN Java EXE Download by Vulnerable Version - Likely Driveby, [] MAC_Src: 00:21:1C:EE:14:00
        2: 34094<-80 (10:16:31.521 PST-10:17:01.529 PST)
        2: 33537<-80 (10:17:10.373 PST-10:17:40.371 PST)
        2: 52661<-80 (10:14:05.707 PST-10:14:35.707 PST)
        57477<-80 (10:12:30.868 PST)
    199.59.148.20 (2) (10:15:40.158 PST-10:16:10.148 PST)
        event=1:2013036 (2) {tcp} E3[rb] ET TROJAN Java EXE Download by Vulnerable Version - Likely Driveby, [] MAC_Src: 00:21:1C:EE:14:00
        2: 54557<-80 (10:15:40.158 PST-10:16:10.148 PST)

C and C TRAFFIC
    199.255.189.160 (13:21:34.733 PST)
        event=1:2012801 {tcp} E4[rb] ET TROJAN Spoofed MSIE 7 User-Agent Likely Ponmocup, [/filtered_reviews/best-cab-san-francisco?fsid=nvBk1EULThN0CwZYQ-S0iA&filtered_start=10] MAC_Src: 00:21:5A:08:EC:40
        34999->80 (13:21:34.733 PST)

C and C TRAFFIC (RBN)

C and C DNS CHECK-IN

OUTBOUND SKYPE CANDIDATE

OUTBOUND SCAN (spp)

OUTBOUND SCAN

ATTACK PREP

PEER COORDINATION Info

PEER COORDINATION

DECLARE BOT Standard Port

DECLARE BOT Non-standard Port

DECLARE BOT

OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1358186989.031 1358187460.372 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'