Score: 0.8 (>= 0.8) Infected Target: 192.168.1.46 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 01/26/2013 14:00:10.406 PST Gen. Time: 01/26/2013 14:00:16.814 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) 128.10.19.53 (14:00:16.814 PST) event=777:7777005 {tcp} E5[bh] Detected moderate malware port scanning of 10 IPs (7 /24s) (# pkts S/M/O/I=0/10/0/0): 22:10, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (14:00:16.814 PST) OUTBOUND SCAN 128.10.19.53 (14:00:10.406 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 57155->22 (14:00:10.406 PST) ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1359237610.406 1359237610.407 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.46' ============================== SEPARATOR ================================ Score: 1.6 (>= 0.8) Infected Target: 192.168.1.46 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 01/26/2013 14:00:10.406 PST Gen. Time: 01/26/2013 14:09:53.180 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) 128.10.19.53 (14:00:16.814 PST) event=777:7777005 {tcp} E5[bh] Detected moderate malware port scanning of 10 IPs (7 /24s) (# pkts S/M/O/I=0/10/0/0): 22:10, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (14:00:16.814 PST) OUTBOUND SCAN 128.112.139.18 (14:00:58.966 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 47819->22 (14:00:58.966 PST) 128.208.4.197 (14:02:32.519 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 38659->22 (14:02:32.519 PST) 128.10.19.53 (14:00:10.406 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 57155->22 (14:00:10.406 PST) 128.10.19.52 (14:02:50.800 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 51180->22 (14:02:50.800 PST) 131.179.150.70 (2) (14:00:39.239 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 37884->22 (14:00:39.239 PST) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 37884->22 (14:00:39.239 PST) 155.246.12.164 (2) (14:03:01.968 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 32965->22 (14:03:04.433 PST) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 32964->22 (14:03:01.968 PST) 192.52.240.214 (14:00:18.269 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 37791->22 (14:00:18.269 PST) 204.123.28.55 (14:03:14.420 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 37729->22 (14:03:14.420 PST) 204.8.155.226 (14:00:29.722 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 36999->22 (14:00:29.722 PST) 152.3.138.7 (14:01:05.304 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 35198->22 (14:01:05.304 PST) 128.8.126.98 (14:01:14.212 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 55245->22 (14:01:14.212 PST) 128.36.233.153 (14:01:38.998 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 55072->22 (14:01:38.998 PST) 128.208.4.198 (14:02:41.409 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 56046->22 (14:02:41.409 PST) 130.127.39.152 (2) (14:01:21.784 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 58594->22 (14:01:21.784 PST) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 58594->22 (14:01:21.784 PST) ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 141.212.113.179 (14:00:39.239 PST) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 21 IPs (14 /24s) (# pkts S/M/O/I=0/21/0/0): 22:21, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (14:00:39.239 PST) 141.212.113.180 (4) (14:02:29.162 PST-14:07:01.035 PST) event=777:7777008 (4) {tcp} E8[bh] Detected intense malware port scanning of 44 IPs (26 /24s) (# pkts S/M/O/I=0/44/0/0): 22:44, [] MAC_Src: 00:01:64:FF:CE:EA 3: 0->0 (14:03:59.902 PST-14:07:01.035 PST) 0->0 (14:02:29.162 PST) tcpslice 1359237610.406 1359238021.036 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.46' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.46 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 01/26/2013 15:07:56.536 PST Gen. Time: 01/26/2013 15:09:09.440 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) 204.8.155.227 (15:09:09.440 PST) event=777:7777005 {tcp} E5[bh] Detected moderate malware port scanning of 10 IPs (10 /24s) (# pkts S/M/O/I=0/10/0/0): 22:10, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (15:09:09.440 PST) OUTBOUND SCAN 131.179.150.72 (15:07:56.536 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 46936->22 (15:07:56.536 PST) 158.130.6.254 (15:08:28.555 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 57542->22 (15:08:28.555 PST) 128.42.142.45 (15:08:12.470 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 55264->22 (15:08:12.470 PST) 192.52.240.214 (15:08:35.731 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 37996->22 (15:08:35.731 PST) 204.123.28.56 (15:08:15.974 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 55672->22 (15:08:15.974 PST) 204.8.155.227 (15:09:01.808 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 56124->22 (15:09:01.808 PST) 141.212.113.180 (15:09:08.258 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 59854->22 (15:09:08.258 PST) 152.3.138.7 (2) (15:08:43.756 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 35385->22 (15:08:43.756 PST) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 35386->22 (15:08:45.195 PST) 130.127.39.152 (15:08:54.033 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 58778->22 (15:08:54.033 PST) ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1359241676.536 1359241676.537 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.46' ============================== SEPARATOR ================================ Score: 1.6 (>= 0.8) Infected Target: 192.168.1.46 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 01/26/2013 15:07:56.536 PST Gen. Time: 01/26/2013 15:19:01.700 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) 204.8.155.227 (15:09:09.440 PST) event=777:7777005 {tcp} E5[bh] Detected moderate malware port scanning of 10 IPs (10 /24s) (# pkts S/M/O/I=0/10/0/0): 22:10, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (15:09:09.440 PST) OUTBOUND SCAN 128.111.52.58 (2) (15:09:10.879 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 47623->22 (15:09:10.879 PST) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 47624->22 (15:09:11.302 PST) 128.10.19.53 (15:09:19.389 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 57396->22 (15:09:19.389 PST) 131.179.150.72 (15:07:56.536 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 46936->22 (15:07:56.536 PST) 131.179.150.70 (15:09:23.968 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 38115->22 (15:09:23.968 PST) 158.130.6.254 (15:08:28.555 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 57542->22 (15:08:28.555 PST) 128.42.142.45 (15:08:12.470 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 55264->22 (15:08:12.470 PST) 192.52.240.214 (15:08:35.731 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 37996->22 (15:08:35.731 PST) 204.123.28.56 (15:08:15.974 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 55672->22 (15:08:15.974 PST) 204.8.155.227 (15:09:01.808 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 56124->22 (15:09:01.808 PST) 129.82.12.188 (15:09:29.697 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 40810->22 (15:09:29.697 PST) 141.212.113.180 (15:09:08.258 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 59854->22 (15:09:08.258 PST) 152.3.138.7 (2) (15:08:43.756 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 35385->22 (15:08:43.756 PST) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 35386->22 (15:08:45.195 PST) 152.3.138.6 (2) (15:09:35.259 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 54649->22 (15:09:35.259 PST) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 54650->22 (15:09:36.667 PST) 130.127.39.152 (15:08:54.033 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 58778->22 (15:08:54.033 PST) ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 128.10.19.53 (3) (15:10:13.973 PST) event=777:7777008 (3) {tcp} E8[bh] Detected intense malware port scanning of 21 IPs (15 /24s) (# pkts S/M/O/I=0/21/0/0): 22:21, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (15:10:13.973 PST) 0->0 (15:11:49.048 PST) 0->0 (15:13:22.662 PST) tcpslice 1359241676.536 1359241676.537 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.46' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.46 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 01/26/2013 15:14:43.742 PST Gen. Time: 01/26/2013 15:14:43.742 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 128.10.19.53 (15:14:43.742 PST) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 43 IPs (25 /24s) (# pkts S/M/O/I=0/43/0/0): 22:43, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (15:14:43.742 PST) tcpslice 1359242083.742 1359242083.743 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.46' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.46 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 01/26/2013 15:30:26.761 PST Gen. Time: 01/26/2013 15:31:37.973 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) 158.130.6.254 (15:31:37.973 PST) event=777:7777005 {tcp} E5[bh] Detected moderate malware port scanning of 10 IPs (10 /24s) (# pkts S/M/O/I=0/10/0/0): 22:10, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (15:31:37.973 PST) OUTBOUND SCAN 131.179.150.72 (15:30:26.761 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 47163->22 (15:30:26.761 PST) 158.130.6.254 (15:30:57.846 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 57769->22 (15:30:57.846 PST) 128.42.142.45 (15:30:42.049 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 55491->22 (15:30:42.049 PST) 192.52.240.214 (15:31:06.033 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 38224->22 (15:31:06.033 PST) 204.123.28.56 (15:30:44.598 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 55899->22 (15:30:44.598 PST) 204.8.155.227 (15:31:30.473 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 56351->22 (15:31:30.473 PST) 141.212.113.180 (15:31:36.841 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 60081->22 (15:31:36.841 PST) 152.3.138.7 (2) (15:31:13.831 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 35614->22 (15:31:13.831 PST) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 35614->22 (15:31:13.831 PST) 130.127.39.152 (15:31:22.813 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 59005->22 (15:31:22.813 PST) ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1359243026.761 1359243026.762 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.46' ============================== SEPARATOR ================================ Score: 1.6 (>= 0.8) Infected Target: 192.168.1.46 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 01/26/2013 15:30:26.761 PST Gen. Time: 01/26/2013 15:39:53.365 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) 158.130.6.254 (15:31:37.973 PST) event=777:7777005 {tcp} E5[bh] Detected moderate malware port scanning of 10 IPs (10 /24s) (# pkts S/M/O/I=0/10/0/0): 22:10, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (15:31:37.973 PST) OUTBOUND SCAN 128.111.52.58 (2) (15:31:39.702 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 47851->22 (15:31:39.702 PST) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 47851->22 (15:31:39.702 PST) 128.10.19.53 (15:31:52.421 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 57623->22 (15:31:52.421 PST) 131.179.150.72 (15:30:26.761 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 47163->22 (15:30:26.761 PST) 131.179.150.70 (15:31:57.850 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 38342->22 (15:31:57.850 PST) 158.130.6.254 (15:30:57.846 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 57769->22 (15:30:57.846 PST) 128.42.142.45 (15:30:42.049 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 55491->22 (15:30:42.049 PST) 192.52.240.214 (15:31:06.033 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 38224->22 (15:31:06.033 PST) 204.123.28.56 (15:30:44.598 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 55899->22 (15:30:44.598 PST) 204.8.155.227 (15:31:30.473 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 56351->22 (15:31:30.473 PST) 129.82.12.188 (15:32:03.825 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 41037->22 (15:32:03.825 PST) 141.212.113.180 (15:31:36.841 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 60081->22 (15:31:36.841 PST) 152.3.138.7 (2) (15:31:13.831 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 35614->22 (15:31:13.831 PST) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 35614->22 (15:31:13.831 PST) 152.3.138.6 (2) (15:32:11.008 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 54877->22 (15:32:11.008 PST) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 54877->22 (15:32:11.008 PST) 130.127.39.152 (15:31:22.813 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 59005->22 (15:31:22.813 PST) ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 158.130.6.254 (2) (15:32:47.742 PST) event=777:7777008 (2) {tcp} E8[bh] Detected intense malware port scanning of 21 IPs (15 /24s) (# pkts S/M/O/I=0/21/0/0): 22:21, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (15:32:47.742 PST) 0->0 (15:34:17.157 PST) tcpslice 1359243026.761 1359243026.762 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.46' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.46 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 01/26/2013 15:35:40.726 PST Gen. Time: 01/26/2013 15:35:40.726 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 128.8.126.98 (15:35:40.726 PST) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 43 IPs (25 /24s) (# pkts S/M/O/I=0/43/0/0): 22:43, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (15:35:40.726 PST) tcpslice 1359243340.726 1359243340.727 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.46' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.46 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 01/26/2013 15:56:28.287 PST Gen. Time: 01/26/2013 15:57:02.358 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) 131.179.150.72 (15:57:02.358 PST) event=777:7777005 {tcp} E5[bh] Detected moderate malware port scanning of 10 IPs (10 /24s) (# pkts S/M/O/I=0/10/0/0): 22:10, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (15:57:02.358 PST) OUTBOUND SCAN 204.8.155.227 (15:57:00.883 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 56576->22 (15:57:00.883 PST) 152.3.138.7 (15:56:44.206 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 35839->22 (15:56:44.206 PST) 130.127.39.152 (2) (15:56:52.906 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 59230->22 (15:56:52.906 PST) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 59230->22 (15:56:52.906 PST) 192.52.240.214 (15:56:35.864 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 38449->22 (15:56:35.864 PST) 158.130.6.254 (15:56:28.287 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 57995->22 (15:56:28.287 PST) ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1359244588.287 1359244588.288 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.46' ============================== SEPARATOR ================================ Score: 1.6 (>= 0.8) Infected Target: 192.168.1.46 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 01/26/2013 15:56:28.287 PST Gen. Time: 01/26/2013 16:04:23.755 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) 131.179.150.72 (15:57:02.358 PST) event=777:7777005 {tcp} E5[bh] Detected moderate malware port scanning of 10 IPs (10 /24s) (# pkts S/M/O/I=0/10/0/0): 22:10, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (15:57:02.358 PST) OUTBOUND SCAN 128.111.52.58 (15:57:10.642 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 48076->22 (15:57:10.642 PST) 128.208.4.197 (15:57:52.354 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 39340->22 (15:57:52.354 PST) 128.10.19.53 (2) (15:57:18.540 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 57848->22 (15:57:18.540 PST) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 57848->22 (15:57:18.540 PST) 131.179.150.70 (15:57:23.452 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 38567->22 (15:57:23.452 PST) 13.7.64.22 (15:57:47.401 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 50880->22 (15:57:47.401 PST) 158.130.6.254 (15:56:28.287 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 57995->22 (15:56:28.287 PST) 192.52.240.214 (15:56:35.864 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 38449->22 (15:56:35.864 PST) 204.8.155.227 (15:57:00.883 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 56576->22 (15:57:00.883 PST) 129.82.12.188 (15:57:29.201 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 41262->22 (15:57:29.201 PST) 141.212.113.180 (15:57:07.637 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 60306->22 (15:57:07.637 PST) 152.3.138.7 (15:56:44.206 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 35839->22 (15:56:44.206 PST) 141.212.113.179 (2) (15:57:43.423 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 34570->22 (15:57:43.423 PST) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 34570->22 (15:57:43.423 PST) 152.3.138.6 (15:57:36.733 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 55102->22 (15:57:36.733 PST) 130.127.39.152 (2) (15:56:52.906 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 59230->22 (15:56:52.906 PST) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 59230->22 (15:56:52.906 PST) ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 131.179.150.70 (5) (15:58:02.761 PST-16:04:12.692 PST) event=777:7777008 (5) {tcp} E8[bh] Detected intense malware port scanning of 44 IPs (26 /24s) (# pkts S/M/O/I=0/44/0/0): 22:44, [] MAC_Src: 00:01:64:FF:CE:EA 3: 0->0 (16:01:03.293 PST-16:04:12.692 PST) 0->0 (15:59:33.205 PST) 0->0 (15:58:02.761 PST) tcpslice 1359244588.287 1359245052.693 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.46' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.46 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 01/26/2013 16:05:45.186 PST Gen. Time: 01/26/2013 16:05:45.186 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 131.179.150.70 (16:05:45.186 PST) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 44 IPs (26 /24s) (# pkts S/M/O/I=0/44/0/0): 22:44, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (16:05:45.186 PST) tcpslice 1359245145.186 1359245145.187 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.46' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.46 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 01/26/2013 16:09:21.250 PST Gen. Time: 01/26/2013 16:09:21.250 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 131.179.150.70 (16:09:21.250 PST) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 44 IPs (26 /24s) (# pkts S/M/O/I=0/44/0/0): 22:44, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (16:09:21.250 PST) tcpslice 1359245361.250 1359245361.251 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.46' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.46 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 01/26/2013 16:14:22.306 PST Gen. Time: 01/26/2013 16:14:22.306 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 131.179.150.70 (16:14:22.306 PST) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 44 IPs (26 /24s) (# pkts S/M/O/I=0/44/0/0): 22:44, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (16:14:22.306 PST) tcpslice 1359245662.306 1359245662.307 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.46' ============================== SEPARATOR ================================ Score: 1.3 (>= 0.8) Infected Target: 192.168.1.46 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 01/26/2013 16:14:22.306 PST Gen. Time: 01/26/2013 16:26:00.315 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN 128.111.52.58 (16:19:14.250 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 48300->22 (16:19:14.250 PST) 128.10.19.53 (16:19:18.020 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 58072->22 (16:19:18.020 PST) 131.179.150.72 (16:16:49.933 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 47616->22 (16:16:49.933 PST) 131.179.150.70 (2) (16:19:25.215 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 38790->22 (16:19:25.215 PST) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 38791->22 (16:19:26.069 PST) 158.130.6.254 (16:18:07.933 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 58220->22 (16:18:07.933 PST) 128.42.142.45 (16:17:05.409 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 55944->22 (16:17:05.409 PST) 192.52.240.214 (16:18:35.976 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 38673->22 (16:18:35.976 PST) 204.123.28.56 (16:17:07.988 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 56352->22 (16:17:07.988 PST) 204.8.155.227 (2) (16:18:59.242 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 56799->22 (16:18:59.242 PST) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 56800->22 (16:19:01.010 PST) 129.82.12.188 (16:19:30.302 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 41486->22 (16:19:30.302 PST) 141.212.113.180 (16:19:08.513 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 60530->22 (16:19:08.513 PST) 152.3.138.7 (16:18:44.477 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 36063->22 (16:18:44.477 PST) 141.212.113.179 (16:19:44.168 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 34794->22 (16:19:44.168 PST) 152.3.138.6 (16:19:36.789 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 55326->22 (16:19:36.789 PST) 130.127.39.152 (16:18:52.180 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 59454->22 (16:18:52.180 PST) ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 131.179.150.70 (7) (16:14:22.306 PST-16:24:00.391 PST) event=777:7777008 (7) {tcp} E8[bh] Detected intense malware port scanning of 44 IPs (26 /24s) (# pkts S/M/O/I=0/44/0/0): 22:44, [] MAC_Src: 00:01:64:FF:CE:EA 7: 0->0 (16:14:22.306 PST-16:24:00.391 PST) tcpslice 1359245662.306 1359246240.392 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.46' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.46 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 01/26/2013 16:39:04.956 PST Gen. Time: 01/26/2013 16:40:16.962 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) 204.8.155.227 (16:40:16.962 PST) event=777:7777005 {tcp} E5[bh] Detected moderate malware port scanning of 10 IPs (10 /24s) (# pkts S/M/O/I=0/10/0/0): 22:10, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (16:40:16.962 PST) OUTBOUND SCAN 131.179.150.72 (16:39:04.956 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 47843->22 (16:39:04.956 PST) 204.8.155.227 (16:40:15.488 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 57030->22 (16:40:15.488 PST) 128.42.142.45 (16:39:20.888 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 56171->22 (16:39:20.888 PST) 152.3.138.7 (2) (16:39:58.856 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 36293->22 (16:39:58.856 PST) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 36293->22 (16:39:58.856 PST) 130.127.39.152 (16:40:07.359 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 59684->22 (16:40:07.359 PST) 204.123.28.56 (16:39:23.420 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 56579->22 (16:39:23.420 PST) 192.52.240.214 (16:39:51.316 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 38903->22 (16:39:51.316 PST) 158.130.6.254 (16:39:43.873 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 58449->22 (16:39:43.873 PST) ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1359247144.956 1359247144.957 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.46' ============================== SEPARATOR ================================ Score: 1.6 (>= 0.8) Infected Target: 192.168.1.46 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 01/26/2013 16:39:04.956 PST Gen. Time: 01/26/2013 16:48:34.662 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) 204.8.155.227 (16:40:16.962 PST) event=777:7777005 {tcp} E5[bh] Detected moderate malware port scanning of 10 IPs (10 /24s) (# pkts S/M/O/I=0/10/0/0): 22:10, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (16:40:16.962 PST) OUTBOUND SCAN 128.111.52.58 (2) (16:40:25.522 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 48530->22 (16:40:25.522 PST) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 48530->22 (16:40:25.522 PST) 128.10.19.53 (16:40:33.755 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 58302->22 (16:40:33.755 PST) 131.179.150.72 (16:39:04.956 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 47843->22 (16:39:04.956 PST) 131.179.150.70 (16:40:38.244 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 39021->22 (16:40:38.244 PST) 158.130.6.254 (16:39:43.873 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 58449->22 (16:39:43.873 PST) 128.42.142.45 (16:39:20.888 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 56171->22 (16:39:20.888 PST) 192.52.240.214 (16:39:51.316 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 38903->22 (16:39:51.316 PST) 204.123.28.56 (16:39:23.420 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 56579->22 (16:39:23.420 PST) 204.8.155.227 (16:40:15.488 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 57030->22 (16:40:15.488 PST) 129.82.12.188 (16:40:44.264 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 41716->22 (16:40:44.264 PST) 141.212.113.180 (16:40:22.529 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 60760->22 (16:40:22.529 PST) 152.3.138.7 (2) (16:39:58.856 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 36293->22 (16:39:58.856 PST) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 36293->22 (16:39:58.856 PST) 152.3.138.6 (2) (16:40:51.644 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 55556->22 (16:40:51.644 PST) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 55556->22 (16:40:51.644 PST) 130.127.39.152 (16:40:07.359 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 59684->22 (16:40:07.359 PST) ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 128.112.139.97 (16:44:22.573 PST) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 42 IPs (26 /24s) (# pkts S/M/O/I=1/41/0/0): 22:41, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (16:44:22.573 PST) 128.111.52.59 (2) (16:41:20.427 PST) event=777:7777008 (2) {tcp} E8[bh] Detected intense malware port scanning of 21 IPs (16 /24s) (# pkts S/M/O/I=1/20/0/0): 22:20, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (16:41:20.427 PST) 0->0 (16:42:51.180 PST) tcpslice 1359247144.956 1359247144.957 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.46' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.46 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 01/26/2013 17:00:21.420 PST Gen. Time: 01/26/2013 17:02:53.580 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) 192.52.240.214 (17:02:53.580 PST) event=777:7777005 {tcp} E5[bh] Detected moderate malware port scanning of 10 IPs (9 /24s) (# pkts S/M/O/I=0/10/0/0): 22:10, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (17:02:53.580 PST) OUTBOUND SCAN 131.179.150.72 (17:00:21.420 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 48068->22 (17:00:21.420 PST) 128.42.142.45 (17:00:36.935 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 56396->22 (17:00:36.935 PST) 152.3.138.7 (17:01:44.440 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 36517->22 (17:01:44.440 PST) 130.127.39.152 (2) (17:02:02.157 PST) event=1:2003068 (2) {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 59906->22 (17:02:02.157 PST) 59909->22 (17:02:45.925 PST) 204.123.28.56 (17:00:39.465 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 56804->22 (17:00:39.465 PST) 192.52.240.214 (17:01:32.808 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 39128->22 (17:01:32.808 PST) 158.130.6.254 (17:00:55.043 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 58674->22 (17:00:55.043 PST) ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1359248421.420 1359248421.421 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.46' ============================== SEPARATOR ================================ Score: 1.6 (>= 0.8) Infected Target: 192.168.1.46 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 01/26/2013 17:00:21.420 PST Gen. Time: 01/26/2013 17:12:11.435 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) 192.52.240.214 (2) (17:02:53.580 PST) event=777:7777005 (2) {tcp} E5[bh] Detected moderate malware port scanning of 10 IPs (9 /24s) (# pkts S/M/O/I=0/10/0/0): 22:10, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (17:02:53.580 PST) 0->0 (17:04:23.456 PST) OUTBOUND SCAN 128.111.52.58 (17:03:10.070 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 48755->22 (17:03:10.070 PST) 128.10.19.53 (2) (17:03:22.041 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 58525->22 (17:03:22.041 PST) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 58527->22 (17:03:42.173 PST) 131.179.150.72 (17:00:21.420 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 48068->22 (17:00:21.420 PST) 131.179.150.70 (17:03:50.639 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 39246->22 (17:03:50.639 PST) 158.130.6.254 (17:00:55.043 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 58674->22 (17:00:55.043 PST) 128.42.142.45 (17:00:36.935 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 56396->22 (17:00:36.935 PST) 192.52.240.214 (17:01:32.808 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 39128->22 (17:01:32.808 PST) 204.123.28.56 (17:00:39.465 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 56804->22 (17:00:39.465 PST) 204.8.155.227 (17:03:00.154 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 57255->22 (17:03:00.154 PST) 129.82.12.188 (17:03:57.264 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 41941->22 (17:03:57.264 PST) 141.212.113.180 (17:03:06.900 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 60985->22 (17:03:06.900 PST) 152.3.138.7 (17:01:44.440 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 36517->22 (17:01:44.440 PST) 141.212.113.179 (17:04:09.834 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 35247->22 (17:04:09.834 PST) 152.3.138.6 (17:04:05.521 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 55781->22 (17:04:05.521 PST) 130.127.39.152 (2) (17:02:02.157 PST) event=1:2003068 (2) {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 59906->22 (17:02:02.157 PST) 59909->22 (17:02:45.925 PST) ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 192.52.240.214 (2) (17:04:25.772 PST) event=777:7777008 (2) {tcp} E8[bh] Detected intense malware port scanning of 21 IPs (15 /24s) (# pkts S/M/O/I=0/21/0/0): 22:21, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (17:04:25.772 PST) 0->0 (17:06:03.607 PST) 204.123.28.55 (17:07:33.173 PST) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 36 IPs (23 /24s) (# pkts S/M/O/I=0/36/0/0): 22:36, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (17:07:33.173 PST) tcpslice 1359248421.420 1359248421.421 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.46' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.46 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 01/26/2013 17:13:28.485 PST Gen. Time: 01/26/2013 17:13:28.485 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 128.223.8.111 (17:13:28.485 PST) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 43 IPs (25 /24s) (# pkts S/M/O/I=0/43/0/0): 22:43, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (17:13:28.485 PST) tcpslice 1359249208.485 1359249208.486 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.46' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.46 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 01/26/2013 20:00:10.598 PST Gen. Time: 01/26/2013 20:00:15.759 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) 128.208.4.198 (20:00:15.759 PST) event=777:7777005 {tcp} E5[bh] Detected moderate malware port scanning of 10 IPs (7 /24s) (# pkts S/M/O/I=0/10/0/0): 22:10, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (20:00:15.759 PST) OUTBOUND SCAN 128.10.19.53 (20:00:10.598 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 58723->22 (20:00:10.598 PST) ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1359259210.598 1359259210.599 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.46' ============================== SEPARATOR ================================ Score: 1.6 (>= 0.8) Infected Target: 192.168.1.46 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 01/26/2013 20:00:10.598 PST Gen. Time: 01/26/2013 20:10:03.483 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) 128.208.4.198 (20:00:15.759 PST) event=777:7777005 {tcp} E5[bh] Detected moderate malware port scanning of 10 IPs (7 /24s) (# pkts S/M/O/I=0/10/0/0): 22:10, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (20:00:15.759 PST) OUTBOUND SCAN 128.112.139.18 (20:00:51.431 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 49387->22 (20:00:51.431 PST) 128.208.4.197 (20:01:20.062 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 40227->22 (20:01:20.062 PST) 128.10.19.53 (20:00:10.598 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 58723->22 (20:00:10.598 PST) 128.10.19.52 (20:01:40.634 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 52748->22 (20:01:40.634 PST) 131.179.150.70 (2) (20:00:33.742 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 39452->22 (20:00:33.742 PST) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 39452->22 (20:00:33.742 PST) 155.246.12.164 (2) (20:01:51.837 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 34532->22 (20:01:51.837 PST) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 34532->22 (20:01:51.837 PST) 158.130.6.254 (20:01:28.963 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 58952->22 (20:01:28.963 PST) 192.52.240.214 (20:00:17.503 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 39359->22 (20:00:17.503 PST) 204.123.28.56 (20:02:00.704 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 57107->22 (20:02:00.704 PST) 192.52.240.213 (20:02:09.078 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 48146->22 (20:02:09.078 PST) 204.8.155.226 (20:00:26.687 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 38567->22 (20:00:26.687 PST) 152.3.138.7 (20:00:58.929 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 36766->22 (20:00:58.929 PST) 128.8.126.98 (20:01:05.940 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 56813->22 (20:01:05.940 PST) 130.127.39.152 (2) (20:01:11.829 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 60162->22 (20:01:11.829 PST) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 60162->22 (20:01:11.829 PST) ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 128.112.139.18 (3) (20:02:04.123 PST-20:05:13.804 PST) event=777:7777008 (3) {tcp} E8[bh] Detected intense malware port scanning of 44 IPs (26 /24s) (# pkts S/M/O/I=0/44/0/0): 22:44, [] MAC_Src: 00:01:64:FF:CE:EA 3: 0->0 (20:02:04.123 PST-20:05:13.804 PST) 192.52.240.214 (20:00:33.742 PST) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 21 IPs (14 /24s) (# pkts S/M/O/I=0/21/0/0): 22:21, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (20:00:33.742 PST) tcpslice 1359259210.598 1359259513.805 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.46' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.46 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 01/26/2013 20:06:01.578 PST Gen. Time: 01/26/2013 20:06:01.578 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 128.112.139.18 (20:06:01.578 PST) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 44 IPs (26 /24s) (# pkts S/M/O/I=0/44/0/0): 22:44, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (20:06:01.578 PST) tcpslice 1359259561.578 1359259561.579 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.46' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.46 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 01/26/2013 21:06:45.803 PST Gen. Time: 01/26/2013 21:10:55.974 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) 158.130.6.254 (21:10:55.974 PST) event=777:7777005 {tcp} E5[bh] Detected moderate malware port scanning of 10 IPs (10 /24s) (# pkts S/M/O/I=0/10/0/0): 22:10, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (21:10:55.974 PST) OUTBOUND SCAN 131.179.150.72 (21:06:45.803 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 48503->22 (21:06:45.803 PST) 158.130.6.254 (2) (21:08:27.583 PST) event=1:2003068 (2) {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 59107->22 (21:08:27.583 PST) 59109->22 (21:09:45.902 PST) 128.42.142.45 (21:07:01.224 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 56831->22 (21:07:01.224 PST) 192.52.240.214 (21:10:23.619 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 39563->22 (21:10:23.619 PST) 204.123.28.56 (21:07:03.492 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 57239->22 (21:07:03.492 PST) 204.8.155.227 (21:10:48.196 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 57690->22 (21:10:48.196 PST) 141.212.113.180 (21:10:54.721 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 33187->22 (21:10:54.721 PST) 152.3.138.7 (21:10:31.998 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 36953->22 (21:10:31.998 PST) 130.127.39.152 (21:10:40.562 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 60344->22 (21:10:40.562 PST) ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1359263205.803 1359263205.804 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.46' ============================== SEPARATOR ================================ Score: 1.6 (>= 0.8) Infected Target: 192.168.1.46 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 01/26/2013 21:06:45.803 PST Gen. Time: 01/26/2013 21:17:56.294 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) 158.130.6.254 (21:10:55.974 PST) event=777:7777005 {tcp} E5[bh] Detected moderate malware port scanning of 10 IPs (10 /24s) (# pkts S/M/O/I=0/10/0/0): 22:10, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (21:10:55.974 PST) OUTBOUND SCAN 128.111.52.58 (21:10:57.628 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 49190->22 (21:10:57.628 PST) 128.10.19.53 (21:11:06.125 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 58962->22 (21:11:06.125 PST) 131.179.150.72 (21:06:45.803 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 48503->22 (21:06:45.803 PST) 131.179.150.70 (2) (21:11:08.474 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 39678->22 (21:11:08.474 PST) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 39681->22 (21:11:10.451 PST) 158.130.6.254 (2) (21:08:27.583 PST) event=1:2003068 (2) {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 59107->22 (21:08:27.583 PST) 59109->22 (21:09:45.902 PST) 128.42.142.45 (21:07:01.224 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 56831->22 (21:07:01.224 PST) 192.52.240.214 (21:10:23.619 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 39563->22 (21:10:23.619 PST) 204.123.28.56 (21:07:03.492 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 57239->22 (21:07:03.492 PST) 204.8.155.227 (21:10:48.196 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 57690->22 (21:10:48.196 PST) 129.82.12.188 (21:11:16.646 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 42376->22 (21:11:16.646 PST) 141.212.113.180 (21:10:54.721 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 33187->22 (21:10:54.721 PST) 152.3.138.7 (21:10:31.998 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 36953->22 (21:10:31.998 PST) 141.212.113.179 (21:11:34.217 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 35684->22 (21:11:34.217 PST) 152.3.138.6 (21:11:27.706 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 56216->22 (21:11:27.706 PST) 130.127.39.152 (21:10:40.562 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 60344->22 (21:10:40.562 PST) ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 128.208.4.197 (21:12:07.559 PST) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 21 IPs (15 /24s) (# pkts S/M/O/I=0/21/0/0): 22:21, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (21:12:07.559 PST) 131.193.34.38 (21:13:37.586 PST) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 33 IPs (21 /24s) (# pkts S/M/O/I=0/33/0/0): 22:33, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (21:13:37.586 PST) tcpslice 1359263205.803 1359263205.804 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.46' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.46 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 01/26/2013 21:21:57.426 PST Gen. Time: 01/26/2013 21:21:57.426 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 131.193.34.38 (21:21:57.426 PST) event=777:7777008 {icmp} E8[bh] Detected intense malware port scanning of 44 IPs (26 /24s) (# pkts S/M/O/I=0/43/1/0): 22:43, [] MAC_Src: 00:01:64:FF:CE:EA (21:21:57.426 PST) tcpslice 1359264117.426 1359264117.427 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.46' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.46 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 01/26/2013 21:30:42.313 PST Gen. Time: 01/26/2013 21:31:54.361 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) 204.123.28.56 (21:31:54.361 PST) event=777:7777005 {tcp} E5[bh] Detected moderate malware port scanning of 10 IPs (10 /24s) (# pkts S/M/O/I=0/10/0/0): 22:10, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (21:31:54.361 PST) OUTBOUND SCAN 131.179.150.72 (21:30:42.313 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 48729->22 (21:30:42.313 PST) 158.130.6.254 (21:31:16.080 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 59335->22 (21:31:16.080 PST) 128.42.142.45 (21:30:57.443 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 57057->22 (21:30:57.443 PST) 192.52.240.214 (21:31:23.847 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 39789->22 (21:31:23.847 PST) 204.123.28.56 (21:30:59.791 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 57465->22 (21:30:59.791 PST) 204.8.155.227 (21:31:47.025 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 57916->22 (21:31:47.025 PST) 141.212.113.180 (21:31:53.301 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 33413->22 (21:31:53.301 PST) 152.3.138.7 (21:31:31.055 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 37179->22 (21:31:31.055 PST) 130.127.39.152 (2) (21:31:34.215 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 60567->22 (21:31:34.215 PST) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 60570->22 (21:31:39.225 PST) ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1359264642.313 1359264642.314 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.46' ============================== SEPARATOR ================================ Score: 1.6 (>= 0.8) Infected Target: 192.168.1.46 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 01/26/2013 21:30:42.313 PST Gen. Time: 01/26/2013 21:39:32.352 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) 204.123.28.56 (21:31:54.361 PST) event=777:7777005 {tcp} E5[bh] Detected moderate malware port scanning of 10 IPs (10 /24s) (# pkts S/M/O/I=0/10/0/0): 22:10, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (21:31:54.361 PST) OUTBOUND SCAN 128.111.52.58 (21:31:56.020 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 49416->22 (21:31:56.020 PST) 128.10.19.53 (2) (21:31:58.335 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 59185->22 (21:31:58.335 PST) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 59188->22 (21:32:03.686 PST) 131.179.150.72 (21:30:42.313 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 48729->22 (21:30:42.313 PST) 131.179.150.70 (21:32:07.943 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 39907->22 (21:32:07.943 PST) 158.130.6.254 (21:31:16.080 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 59335->22 (21:31:16.080 PST) 128.42.142.45 (21:30:57.443 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 57057->22 (21:30:57.443 PST) 192.52.240.214 (21:31:23.847 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 39789->22 (21:31:23.847 PST) 204.123.28.56 (21:30:59.791 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 57465->22 (21:30:59.791 PST) 204.8.155.227 (21:31:47.025 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 57916->22 (21:31:47.025 PST) 129.82.12.188 (21:32:13.657 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 42602->22 (21:32:13.657 PST) 141.212.113.180 (21:31:53.301 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 33413->22 (21:31:53.301 PST) 152.3.138.7 (21:31:31.055 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 37179->22 (21:31:31.055 PST) 141.212.113.179 (21:32:23.241 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 35907->22 (21:32:23.241 PST) 152.3.138.6 (21:32:20.679 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 56442->22 (21:32:20.679 PST) 130.127.39.152 (2) (21:31:34.215 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 60567->22 (21:31:34.215 PST) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 60570->22 (21:31:39.225 PST) ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 155.246.12.164 (2) (21:32:58.372 PST) event=777:7777008 (2) {tcp} E8[bh] Detected intense malware port scanning of 21 IPs (15 /24s) (# pkts S/M/O/I=0/21/0/0): 22:21, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (21:32:58.372 PST) 0->0 (21:34:29.610 PST) 128.223.8.111 (21:35:59.234 PST) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 43 IPs (25 /24s) (# pkts S/M/O/I=0/43/0/0): 22:43, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (21:35:59.234 PST) tcpslice 1359264642.313 1359264642.314 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.46' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.46 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 01/26/2013 21:51:44.694 PST Gen. Time: 01/26/2013 21:53:08.268 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) 204.123.28.56 (21:53:08.268 PST) event=777:7777005 {tcp} E5[bh] Detected moderate malware port scanning of 10 IPs (10 /24s) (# pkts S/M/O/I=0/10/0/0): 22:10, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (21:53:08.268 PST) OUTBOUND SCAN 131.179.150.72 (21:51:44.694 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 48955->22 (21:51:44.694 PST) 158.130.6.254 (21:52:26.130 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 59561->22 (21:52:26.130 PST) 128.42.142.45 (21:52:00.565 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 57283->22 (21:52:00.565 PST) 192.52.240.214 (21:52:34.564 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 40015->22 (21:52:34.564 PST) 204.123.28.56 (21:52:03.338 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 57691->22 (21:52:03.338 PST) 204.8.155.227 (21:52:59.789 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 58142->22 (21:52:59.789 PST) 141.212.113.180 (21:53:06.970 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 33639->22 (21:53:06.970 PST) 152.3.138.7 (2) (21:52:42.488 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 37405->22 (21:52:42.488 PST) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 37405->22 (21:52:42.488 PST) 130.127.39.152 (21:52:51.384 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 60796->22 (21:52:51.384 PST) ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1359265904.694 1359265904.695 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.46' ============================== SEPARATOR ================================ Score: 1.6 (>= 0.8) Infected Target: 192.168.1.46 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 01/26/2013 21:51:44.694 PST Gen. Time: 01/26/2013 22:01:37.825 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) 204.123.28.56 (21:53:08.268 PST) event=777:7777005 {tcp} E5[bh] Detected moderate malware port scanning of 10 IPs (10 /24s) (# pkts S/M/O/I=0/10/0/0): 22:10, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (21:53:08.268 PST) OUTBOUND SCAN 128.111.52.58 (2) (21:53:10.444 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 49642->22 (21:53:10.444 PST) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 49642->22 (21:53:10.444 PST) 128.10.19.53 (21:53:18.649 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 59414->22 (21:53:18.649 PST) 131.179.150.72 (21:51:44.694 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 48955->22 (21:51:44.694 PST) 131.179.150.70 (21:53:23.425 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 40133->22 (21:53:23.425 PST) 158.130.6.254 (21:52:26.130 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 59561->22 (21:52:26.130 PST) 128.42.142.45 (21:52:00.565 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 57283->22 (21:52:00.565 PST) 192.52.240.214 (21:52:34.564 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 40015->22 (21:52:34.564 PST) 204.123.28.56 (21:52:03.338 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 57691->22 (21:52:03.338 PST) 204.8.155.227 (21:52:59.789 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 58142->22 (21:52:59.789 PST) 129.82.12.188 (21:53:29.948 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 42828->22 (21:53:29.948 PST) 141.212.113.180 (21:53:06.970 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 33639->22 (21:53:06.970 PST) 152.3.138.7 (2) (21:52:42.488 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 37405->22 (21:52:42.488 PST) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 37405->22 (21:52:42.488 PST) 152.3.138.6 (2) (21:53:39.093 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 56668->22 (21:53:39.093 PST) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 56668->22 (21:53:39.093 PST) 130.127.39.152 (21:52:51.384 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 60796->22 (21:52:51.384 PST) ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 204.123.28.56 (21:54:10.686 PST) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 21 IPs (16 /24s) (# pkts S/M/O/I=0/21/0/0): 22:21, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (21:54:10.686 PST) 204.123.28.55 (3) (21:55:40.083 PST) event=777:7777008 (3) {tcp} E8[bh] Detected intense malware port scanning of 31 IPs (21 /24s) (# pkts S/M/O/I=0/31/0/0): 22:31, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (21:55:40.083 PST) 0->0 (21:57:11.809 PST) 0->0 (22:01:20.602 PST) tcpslice 1359265904.694 1359265904.695 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.46' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.46 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 01/26/2013 22:02:53.218 PST Gen. Time: 01/26/2013 22:02:53.218 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 204.123.28.55 (22:02:53.218 PST) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 44 IPs (26 /24s) (# pkts S/M/O/I=0/44/0/0): 22:44, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (22:02:53.218 PST) tcpslice 1359266573.218 1359266573.219 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.46' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.46 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 01/26/2013 22:08:09.823 PST Gen. Time: 01/26/2013 22:08:09.823 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 204.123.28.55 (22:08:09.823 PST) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 44 IPs (26 /24s) (# pkts S/M/O/I=0/44/0/0): 22:44, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (22:08:09.823 PST) tcpslice 1359266889.823 1359266889.824 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.46' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.46 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 01/26/2013 22:11:55.617 PST Gen. Time: 01/26/2013 22:11:55.617 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 204.123.28.55 (22:11:55.617 PST) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 44 IPs (26 /24s) (# pkts S/M/O/I=0/44/0/0): 22:44, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (22:11:55.617 PST) tcpslice 1359267115.617 1359267115.618 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.46' ============================== SEPARATOR ================================ Score: 1.3 (>= 0.8) Infected Target: 192.168.1.46 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 01/26/2013 22:11:55.617 PST Gen. Time: 01/26/2013 22:23:07.478 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN 128.111.52.58 (2) (22:14:45.545 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 49868->22 (22:14:45.545 PST) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 49868->22 (22:14:45.545 PST) 128.10.19.53 (22:14:54.082 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 59640->22 (22:14:54.082 PST) 131.179.150.72 (22:13:19.355 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 49181->22 (22:13:19.355 PST) 131.179.150.70 (22:14:59.513 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 40359->22 (22:14:59.513 PST) 158.130.6.254 (22:13:57.993 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 59787->22 (22:13:57.993 PST) 128.42.142.45 (22:13:35.813 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 57509->22 (22:13:35.813 PST) 192.52.240.214 (22:14:06.223 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 40241->22 (22:14:06.223 PST) 204.123.28.56 (22:13:38.730 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 57917->22 (22:13:38.730 PST) 204.8.155.227 (22:14:34.257 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 58368->22 (22:14:34.257 PST) 129.82.12.188 (22:15:06.447 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 43054->22 (22:15:06.447 PST) 141.212.113.180 (22:14:41.944 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 33865->22 (22:14:41.944 PST) 152.3.138.7 (2) (22:14:14.321 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 37631->22 (22:14:14.321 PST) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 37631->22 (22:14:14.321 PST) 152.3.138.6 (2) (22:15:14.728 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 56894->22 (22:15:14.728 PST) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 56894->22 (22:15:14.728 PST) 130.127.39.152 (22:14:25.748 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 32789->22 (22:14:25.748 PST) ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 204.123.28.55 (5) (22:11:55.617 PST-22:18:07.415 PST) event=777:7777008 (5) {tcp} E8[bh] Detected intense malware port scanning of 44 IPs (26 /24s) (# pkts S/M/O/I=0/44/0/0): 22:44, [] MAC_Src: 00:01:64:FF:CE:EA 5: 0->0 (22:11:55.617 PST-22:18:07.415 PST) tcpslice 1359267115.617 1359267487.416 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.46' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.46 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 01/26/2013 22:19:35.042 PST Gen. Time: 01/26/2013 22:19:35.042 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 204.123.28.55 (22:19:35.042 PST) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 44 IPs (26 /24s) (# pkts S/M/O/I=0/44/0/0): 22:44, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (22:19:35.042 PST) tcpslice 1359267575.042 1359267575.043 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.46' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.46 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 01/26/2013 22:35:19.121 PST Gen. Time: 01/26/2013 22:36:13.880 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) 204.123.28.56 (22:36:13.880 PST) event=777:7777005 {tcp} E5[bh] Detected moderate malware port scanning of 10 IPs (9 /24s) (# pkts S/M/O/I=0/10/0/0): 22:10, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (22:36:13.880 PST) OUTBOUND SCAN 131.179.150.72 (22:35:19.121 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 49407->22 (22:35:19.121 PST) 128.42.142.45 (22:35:35.659 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 57735->22 (22:35:35.659 PST) 152.3.138.7 (2) (22:36:10.816 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 37856->22 (22:36:10.816 PST) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 37857->22 (22:36:12.406 PST) 204.123.28.56 (22:35:38.481 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 58143->22 (22:35:38.481 PST) 192.52.240.214 (22:36:04.269 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 40467->22 (22:36:04.269 PST) 158.130.6.254 (22:35:55.545 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 60013->22 (22:35:55.545 PST) ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1359268519.121 1359268519.122 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.46' ============================== SEPARATOR ================================ Score: 1.6 (>= 0.8) Infected Target: 192.168.1.46 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 01/26/2013 22:35:19.121 PST Gen. Time: 01/26/2013 22:44:55.877 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) 204.123.28.56 (22:36:13.880 PST) event=777:7777005 {tcp} E5[bh] Detected moderate malware port scanning of 10 IPs (9 /24s) (# pkts S/M/O/I=0/10/0/0): 22:10, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (22:36:13.880 PST) OUTBOUND SCAN 128.111.52.58 (2) (22:36:45.700 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 50093->22 (22:36:45.700 PST) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 50094->22 (22:36:46.236 PST) 128.10.19.53 (22:36:54.669 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 59866->22 (22:36:54.669 PST) 131.179.150.72 (22:35:19.121 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 49407->22 (22:35:19.121 PST) 131.179.150.70 (22:37:02.134 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 40585->22 (22:37:02.134 PST) 158.130.6.254 (22:35:55.545 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 60013->22 (22:35:55.545 PST) 128.42.142.45 (22:35:35.659 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 57735->22 (22:35:35.659 PST) 192.52.240.214 (22:36:04.269 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 40467->22 (22:36:04.269 PST) 204.123.28.56 (22:35:38.481 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 58143->22 (22:35:38.481 PST) 204.8.155.227 (22:36:34.533 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 58594->22 (22:36:34.533 PST) 129.82.12.188 (22:37:08.135 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 43280->22 (22:37:08.135 PST) 141.212.113.180 (22:36:42.820 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 34091->22 (22:36:42.820 PST) 152.3.138.7 (2) (22:36:10.816 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 37856->22 (22:36:10.816 PST) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 37857->22 (22:36:12.406 PST) 152.3.138.6 (2) (22:37:16.831 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 57119->22 (22:37:16.831 PST) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 57120->22 (22:37:18.390 PST) 130.127.39.152 (22:36:23.240 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 33015->22 (22:36:23.240 PST) ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 204.8.155.227 (2) (22:37:39.819 PST) event=777:7777008 (2) {tcp} E8[bh] Detected intense malware port scanning of 21 IPs (15 /24s) (# pkts S/M/O/I=0/21/0/0): 22:21, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (22:37:39.819 PST) 0->0 (22:39:10.295 PST) 128.8.126.98 (22:40:41.612 PST) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 40 IPs (25 /24s) (# pkts S/M/O/I=0/40/0/0): 22:40, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (22:40:41.612 PST) tcpslice 1359268519.121 1359268519.122 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.46' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.46 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 01/26/2013 22:56:54.886 PST Gen. Time: 01/26/2013 22:58:15.714 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) 158.130.6.254 (22:58:15.714 PST) event=777:7777005 {tcp} E5[bh] Detected moderate malware port scanning of 10 IPs (10 /24s) (# pkts S/M/O/I=0/10/0/0): 22:10, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (22:58:15.714 PST) OUTBOUND SCAN 131.179.150.72 (22:56:54.886 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 49632->22 (22:56:54.886 PST) 158.130.6.254 (22:57:33.217 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 60238->22 (22:57:33.217 PST) 128.42.142.45 (22:57:10.807 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 57960->22 (22:57:10.807 PST) 192.52.240.214 (22:57:41.355 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 40692->22 (22:57:41.355 PST) 204.123.28.56 (22:57:13.666 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 58368->22 (22:57:13.666 PST) 204.8.155.227 (22:58:07.288 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 58819->22 (22:58:07.288 PST) 141.212.113.180 (22:58:14.566 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 34316->22 (22:58:14.566 PST) 152.3.138.7 (2) (22:57:49.334 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 38082->22 (22:57:49.334 PST) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 38082->22 (22:57:49.334 PST) 130.127.39.152 (22:57:58.627 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 33240->22 (22:57:58.627 PST) ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1359269814.886 1359269814.887 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.46' ============================== SEPARATOR ================================