Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.77
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 01/27/2013 10:58:08.815 PST
Gen. Time: 01/27/2013 10:58:08.815 PST

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN 190.90.29.124 (10:58:08.815 PST)
   event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 21 IPs (21 /24s) (# pkts S/M/O/I=0/21/0/0): 445:21, [] MAC_Src: 00:21:1C:EE:14:00
   0->0 (10:58:08.815 PST)

tcpslice 1359313088.815 1359313088.816 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.77'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.77
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 01/27/2013 10:58:08.815 PST
Gen. Time: 01/27/2013 11:01:48.962 PST

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN 190.90.29.124 (10:58:08.815 PST)
   event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 21 IPs (21 /24s) (# pkts S/M/O/I=0/21/0/0): 445:21, [] MAC_Src: 00:21:1C:EE:14:00
   0->0 (10:58:08.815 PST)
OUTBOUND INTENSE MALWARE PORT SCAN 200.117.116.46 (10:59:45.920 PST)
   event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 22 IPs (22 /24s) (# pkts S/M/O/I=0/22/0/0): 445:22, [] MAC_Src: 00:21:1C:EE:14:00
   0->0 (10:59:45.920 PST)

tcpslice 1359313088.815 1359313088.816 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.77'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.77
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 01/27/2013 11:07:09.885 PST
Gen. Time: 01/27/2013 11:07:09.885 PST

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN 200.117.116.46 (11:07:09.885 PST)
   event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 23 IPs (23 /24s) (# pkts S/M/O/I=0/23/0/0): 445:23, [] MAC_Src: 00:21:1C:EE:14:00
   0->0 (11:07:09.885 PST)

tcpslice 1359313629.885 1359313629.886 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.77'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.77
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 01/27/2013 11:07:09.885 PST
Gen. Time: 01/27/2013 11:10:56.195 PST

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN 200.117.116.46 (2) (11:07:09.885 PST)
   event=777:7777008 (2) {tcp} E8[bh] Detected intense malware port scanning of 23 IPs (23 /24s) (# pkts S/M/O/I=0/23/0/0): 445:23, [] MAC_Src: 00:21:1C:EE:14:00
   0->0 (11:07:09.885 PST)
   0->0 (11:10:23.747 PST)

tcpslice 1359313629.885 1359313629.886 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.77'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.77
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 01/27/2013 11:14:38.956 PST
Gen. Time: 01/27/2013 11:14:38.956 PST

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN 200.117.116.46 (11:14:38.956 PST)
   event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 26 IPs (26 /24s) (# pkts S/M/O/I=0/26/0/0): 445:26, [] MAC_Src: 00:21:1C:EE:14:00
   0->0 (11:14:38.956 PST)

tcpslice 1359314078.956 1359314078.957 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.77'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.77
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 01/27/2013 11:19:49.796 PST
Gen. Time: 01/27/2013 11:19:49.796 PST

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN 200.117.116.46 (11:19:49.796 PST)
   event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 27 IPs (27 /24s) (# pkts S/M/O/I=0/27/0/0): 445:27, [] MAC_Src: 00:21:1C:EE:14:00
   0->0 (11:19:49.796 PST)

tcpslice 1359314389.796 1359314389.797 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.77'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.77
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 01/27/2013 11:24:00.844 PST
Gen. Time: 01/27/2013 11:24:00.844 PST

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN 200.117.116.46 (11:24:00.844 PST)
   event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 28 IPs (28 /24s) (# pkts S/M/O/I=0/28/0/0): 445:28, [] MAC_Src: 00:21:1C:EE:14:00
   0->0 (11:24:00.844 PST)

tcpslice 1359314640.844 1359314640.845 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.77'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.77
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 01/27/2013 11:31:33.955 PST
Gen. Time: 01/27/2013 11:31:33.955 PST

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN 200.117.116.46 (11:31:33.955 PST)
   event=777:7777008 {icmp} E8[bh] Detected intense malware port scanning of 29 IPs (29 /24s) (# pkts S/M/O/I=0/29/0/0): 445:29, [] MAC_Src: 00:21:1C:EE:14:00
   (11:31:33.955 PST)

tcpslice 1359315093.955 1359315093.956 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.77'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.77
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 01/27/2013 11:31:33.955 PST
Gen. Time: 01/27/2013 11:35:38.025 PST

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN 200.117.116.46 (3) (11:31:33.955 PST)
   event=777:7777008 (3) {icmp} E8[bh] Detected intense malware port scanning of 29 IPs (29 /24s) (# pkts S/M/O/I=0/29/0/0): 445:29, [] MAC_Src: 00:21:1C:EE:14:00
   (11:31:33.955 PST)
   0->0 (11:33:22.977 PST)
   0->0 (11:35:29.786 PST)

tcpslice 1359315093.955 1359315093.956 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.77'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.77
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 01/27/2013 11:41:54.032 PST
Gen. Time: 01/27/2013 11:41:54.032 PST

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN 200.117.116.46 (11:41:54.032 PST)
   event=777:7777008 {icmp} E8[bh] Detected intense malware port scanning of 32 IPs (32 /24s) (# pkts S/M/O/I=0/32/0/0): 445:32, [] MAC_Src: 00:21:1C:EE:14:00
   (11:41:54.032 PST)

tcpslice 1359315714.032 1359315714.033 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.77'

============================== SEPARATOR ================================