Score: 1.1 (>= 0.8)
Infected Target: 192.168.1.251
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 01/19/2013 09:49:59.752 PST
Gen. Time: 01/19/2013 09:49:59.919 PST

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
  130.2.65.124 (09:49:59.752 PST)
    event=777:7777005 {tcp} E5[bh] Detected moderate malware port scanning of 10 IPs (10 /24s) (# pkts S/M/O/I=0/10/0/0): 445:10, [] MAC_Src: 00:30:48:30:03:AF
    0->0 (09:49:59.752 PST)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN
  130.166.41.241 (09:49:59.919 PST)
    event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 21 IPs (21 /24s) (# pkts S/M/O/I=0/20/1/0): 445:20, [] MAC_Src: 00:30:48:30:03:AF
    0->0 (09:49:59.919 PST)

tcpslice 1358617799.752 1358617799.753 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.251'

============================== SEPARATOR ================================

Score: 1.9 (>= 0.8)
Infected Target: 192.168.1.251
Infector List: 203.142.24.209
Egg Source List:
C & C List:
Peer Coord. List:
Resource List: 203.142.24.209
Observed Start: 01/19/2013 09:49:59.752 PST
Gen. Time: 01/19/2013 09:53:45.170 PST

INBOUND SCAN
EXPLOIT
  203.142.24.209 (09:50:17.264 PST)
    event=1:22000346 {tcp} E2[rb] ET ATTACK_RESPONSE IRC - Name response on non-std port, [] MAC_Dst: 00:30:48:30:03:AE
    7097<-3305 (09:50:17.264 PST)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
  130.2.65.124 (09:49:59.752 PST)
    event=777:7777005 {tcp} E5[bh] Detected moderate malware port scanning of 10 IPs (10 /24s) (# pkts S/M/O/I=0/10/0/0): 445:10, [] MAC_Src: 00:30:48:30:03:AF
    0->0 (09:49:59.752 PST)
OUTBOUND SCAN
ATTACK PREP
  203.142.24.209 (09:50:17.071 PST)
    event=1:2000352 {tcp} E6[rb] ET ATTACK RESPONSE IRC - dns request on non-std port, [] MAC_Src: 00:30:48:30:03:AF
    7097->3305 (09:50:17.071 PST)
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN
  130.166.41.241 (2) (09:49:59.919 PST)
    event=777:7777008 (2) {tcp} E8[bh] Detected intense malware port scanning of 21 IPs (21 /24s) (# pkts S/M/O/I=0/20/1/0): 445:20, [] MAC_Src: 00:30:48:30:03:AF
    0->0 (09:49:59.919 PST)
    0->0 (09:53:36.257 PST)

tcpslice 1358617799.752 1358617799.753 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.251'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.251
Infector List: 203.142.24.209
Egg Source List:
C & C List:
Peer Coord. List:
Resource List: 203.142.24.209
Observed Start: 01/19/2013 10:33:37.160 PST
Gen. Time: 01/19/2013 10:33:38.300 PST

INBOUND SCAN
EXPLOIT
  203.142.24.209 (10:33:38.300 PST)
    event=1:22000346 {tcp} E2[rb] ET ATTACK_RESPONSE IRC - Name response on non-std port, [] MAC_Dst: 00:30:48:30:03:AE
    7097<-3305 (10:33:38.300 PST)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
  203.142.24.209 (10:33:37.160 PST)
    event=1:2000352 {tcp} E6[rb] ET ATTACK RESPONSE IRC - dns request on non-std port, [] MAC_Src: 00:30:48:30:03:AF
    7097->3305 (10:33:37.160 PST)
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1358620417.160 1358620417.161 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.251'

============================== SEPARATOR ================================

Score: 1.1 (>= 0.8)
Infected Target: 192.168.1.251
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 01/19/2013 13:23:10.921 PST
Gen. Time: 01/19/2013 13:23:11.007 PST

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
  130.147.16.197 (13:23:10.921 PST)
    event=777:7777005 {tcp} E5[bh] Detected moderate malware port scanning of 10 IPs (10 /24s) (# pkts S/M/O/I=0/10/0/0): 445:10, [] MAC_Src: 00:30:48:30:03:AF
    0->0 (13:23:10.921 PST)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN
  130.87.202.7 (13:23:11.007 PST)
    event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 21 IPs (21 /24s) (# pkts S/M/O/I=0/21/0/0): 445:21, [] MAC_Src: 00:30:48:30:03:AF
    0->0 (13:23:11.007 PST)

tcpslice 1358630590.921 1358630590.922 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.251'

============================== SEPARATOR ================================

Score: 1.1 (>= 0.8)
Infected Target: 192.168.1.251
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 01/19/2013 18:34:38.416 PST
Gen. Time: 01/19/2013 18:34:38.532 PST

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
  130.189.131.88 (18:34:38.416 PST)
    event=777:7777005 {tcp} E5[bh] Detected moderate malware port scanning of 10 IPs (10 /24s) (# pkts S/M/O/I=0/10/0/0): 445:10, [] MAC_Src: 00:30:48:30:03:AF
    0->0 (18:34:38.416 PST)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN
  130.122.246.235 (18:34:38.532 PST)
    event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 21 IPs (21 /24s) (# pkts S/M/O/I=0/21/0/0): 445:21, [] MAC_Src: 00:30:48:30:03:AF
    0->0 (18:34:38.532 PST)

tcpslice 1358649278.416 1358649278.417 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.251'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.251
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 01/19/2013 18:40:00.570 PST
Gen. Time: 01/19/2013 18:40:00.570 PST

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN
  130.122.246.235 (18:40:00.570 PST)
    event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 26 IPs (26 /24s) (# pkts S/M/O/I=0/26/0/0): 445:25, 135, [] MAC_Src: 00:30:48:30:03:AF
    0->0 (18:40:00.570 PST)

tcpslice 1358649600.570 1358649600.571 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.251'

============================== SEPARATOR ================================

Score: 1.1 (>= 0.8)
Infected Target: 192.168.1.251
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 01/19/2013 20:09:25.878 PST
Gen. Time: 01/19/2013 20:09:26.226 PST

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
  130.246.214.152 (20:09:25.878 PST)
    event=777:7777005 {tcp} E5[bh] Detected moderate malware port scanning of 10 IPs (10 /24s) (# pkts S/M/O/I=0/10/0/0): 445:10, [] MAC_Src: 00:30:48:30:03:AF
    0->0 (20:09:25.878 PST)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN
  130.246.214.152 (20:09:26.226 PST)
    event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 21 IPs (21 /24s) (# pkts S/M/O/I=0/21/0/0): 445:21, [] MAC_Src: 00:30:48:30:03:AF
    0->0 (20:09:26.226 PST)

tcpslice 1358654965.878 1358654965.879 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.251'

============================== SEPARATOR ================================

Score: 1.1 (>= 0.8)
Infected Target: 192.168.1.251
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 01/19/2013 20:19:31.340 PST
Gen. Time: 01/19/2013 20:19:31.423 PST

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
  130.105.100.181 (20:19:31.340 PST)
    event=777:7777005 {tcp} E5[bh] Detected moderate malware port scanning of 10 IPs (10 /24s) (# pkts S/M/O/I=0/10/0/0): 445:10, [] MAC_Src: 00:30:48:30:03:AF
    0->0 (20:19:31.340 PST)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN
  130.187.31.35 (20:19:31.423 PST)
    event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 21 IPs (21 /24s) (# pkts S/M/O/I=0/21/0/0): 445:21, [] MAC_Src: 00:30:48:30:03:AF
    0->0 (20:19:31.423 PST)

tcpslice 1358655571.340 1358655571.341 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.251'

============================== SEPARATOR ================================