Score: 1.0 (>= 0.8)
Infected Target: 192.168.1.102
Infector List:
Egg Source List: 199.59.149.232, 199.59.150.41, 199.59.148.87, 199.59.148.20
C & C List: 199.255.189.160
Peer Coord. List:
Resource List:
Observed Start: 01/16/2013 00:53:57.938 PST
Gen. Time: 01/16/2013 16:57:23.348 PST

INBOUND SCAN

EXPLOIT

EXPLOIT MALWARE DNS

EGG DOWNLOAD
199.59.149.232 (5) (00:56:27.514 PST-00:57:52.078 PST)
  event=1:2013036 (5) {tcp} E3[rb] ET TROJAN Java EXE Download by Vulnerable Version - Likely Driveby, [] MAC_Src: 00:21:1C:EE:14:00
  33690<-80 (01:03:03.630 PST)
  2: 53377<-80 (00:56:27.514 PST-00:56:57.516 PST)
  2: 42766<-80 (00:57:22.077 PST-00:57:52.078 PST)
199.59.150.41 (6) (00:58:11.791 PST-01:02:08.847 PST)
  event=1:2013036 (6) {tcp} E3[rb] ET TROJAN Java EXE Download by Vulnerable Version - Likely Driveby, [] MAC_Src: 00:21:1C:EE:14:00
  2: 53988<-80 (00:59:07.341 PST-00:59:37.348 PST)
  2: 34642<-80 (01:01:38.840 PST-01:02:08.847 PST)
  2: 51696<-80 (00:58:11.791 PST-00:58:41.792 PST)
199.59.148.87 (2) (00:53:57.938 PST)
  event=1:2013036 (2) {tcp} E3[rb] ET TROJAN Java EXE Download by Vulnerable Version - Likely Driveby, [] MAC_Src: 00:21:1C:EE:14:00
  35099<-80 (01:00:49.379 PST)
  46431<-80 (00:53:57.938 PST)
199.59.148.20 (4) (00:55:40.735 PST-01:00:24.137 PST)
  event=1:2013036 (4) {tcp} E3[rb] ET TROJAN Java EXE Download by Vulnerable Version - Likely Driveby, [] MAC_Src: 00:21:1C:EE:14:00
  2: 35113<-80 (00:55:40.735 PST-00:56:10.736 PST)
  2: 56728<-80 (00:59:54.134 PST-01:00:24.137 PST)

C and C TRAFFIC
199.255.189.160 (16:57:23.348 PST)
  event=1:2012801 {tcp} E4[rb] ET TROJAN Spoofed MSIE 7 User-Agent Likely Ponmocup, [/filtered_reviews/91tq8ElTgfhg1dJbJoo8NQ/ajax_captcha_post] MAC_Src: 00:21:5A:08:EC:40
  37374->80 (16:57:23.348 PST)

C and C TRAFFIC (RBN)

C and C DNS CHECK-IN

OUTBOUND SKYPE CANDIDATE

OUTBOUND SCAN (spp)

OUTBOUND SCAN

ATTACK PREP

PEER COORDINATION Info

PEER COORDINATION

DECLARE BOT Standard Port

DECLARE BOT Non-standard Port

DECLARE BOT

OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1358326437.938 1358326928.848 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================