Score: 1.0 (>= 0.8)
Infected Target: 192.168.1.100
Infector List:
Egg Source List: 199.59.150.9, 199.59.149.232, 199.59.150.41, 199.59.148.87, 199.59.148.20
C & C List: 199.255.189.160
Peer Coord. List:
Resource List:
Observed Start: 01/16/2013 00:54:14.192 PST
Gen. Time: 01/16/2013 09:27:03.618 PST

INBOUND SCAN

EXPLOIT

EXPLOIT MALWARE DNS

EGG DOWNLOAD
199.59.150.9 (3) (00:54:14.192 PST-00:54:59.197 PST)
event=1:2013036 (3) {tcp} E3[rb] ET TROJAN Java EXE Download by Vulnerable Version - Likely Driveby, [] MAC_Src: 00:21:1C:EE:14:00
3: 32853<-80 (00:54:14.192 PST-00:54:59.197 PST)
199.59.149.232 (00:55:39.898 PST)
event=1:2013036 {tcp} E3[rb] ET TROJAN Java EXE Download by Vulnerable Version - Likely Driveby, [] MAC_Src: 00:21:1C:EE:14:00
57399<-80 (00:55:39.898 PST)
199.59.150.41 (6) (00:56:26.810 PST-01:03:32.857 PST)
event=1:2013036 (6) {tcp} E3[rb] ET TROJAN Java EXE Download by Vulnerable Version - Likely Driveby, [] MAC_Src: 00:21:1C:EE:14:00
2: 45509<-80 (00:56:26.810 PST-00:56:56.810 PST)
2: 37616<-80 (01:03:02.857 PST-01:03:32.857 PST)
47546<-80 (00:57:21.287 PST)
53098<-80 (01:00:48.519 PST)
199.59.148.87 (4) (00:58:11.016 PST-01:00:23.375 PST)
event=1:2013036 (4) {tcp} E3[rb] ET TROJAN Java EXE Download by Vulnerable Version - Likely Driveby, [] MAC_Src: 00:21:1C:EE:14:00
2: 36082<-80 (00:59:53.369 PST-01:00:23.375 PST)
34009<-80 (00:58:11.016 PST)
33572<-80 (01:03:59.266 PST)
199.59.148.20 (3) (00:59:06.525 PST-00:59:36.527 PST)
event=1:2013036 (3) {tcp} E3[rb] ET TROJAN Java EXE Download by Vulnerable Version - Likely Driveby, [] MAC_Src: 00:21:1C:EE:14:00
2: 45295<-80 (00:59:06.525 PST-00:59:36.527 PST)
42080<-80 (01:01:38.042 PST)

C and C TRAFFIC
199.255.189.160 (09:27:03.618 PST)
event=1:2012801 {tcp} E4[rb] ET TROJAN Spoofed MSIE 7 User-Agent Likely Ponmocup, [/filtered_reviews/Rg5oDRbHbZrmJ_qq7V8KEg?fsid=4gQ4QbEyDzI1Lg10M5zPVw&filtered_start=0] MAC_Src: 00:21:5A:08:BB:0C
54107->80 (09:27:03.618 PST)

C and C TRAFFIC (RBN)

C and C DNS CHECK-IN

OUTBOUND SKYPE CANDIDATE

OUTBOUND SCAN (spp)

OUTBOUND SCAN

ATTACK PREP

PEER COORDINATION Info

PEER COORDINATION

DECLARE BOT Standard Port

DECLARE BOT Non-standard Port

DECLARE BOT

OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1358326454.192 1358327012.858 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100'
============================== SEPARATOR ================================