Score: 1.1 (>= 0.8)
Infected Target: 192.168.1.77
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 02/08/2013 09:14:39.623 PST
Gen. Time: 02/08/2013 09:14:42.843 PST
INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
140.46.248.117 (09:14:39.623 PST) event=777:7777005 {tcp} E5[bh] Detected moderate malware port scanning of 11 IPs (11 /24s) (# pkts S/M/O/I=0/10/1/0): 445:10, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (09:14:39.623 PST)
OUTBOUND SCAN ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN
33.76.219.66 (09:14:42.843 PST) event=777:7777008 {icmp} E8[bh] Detected intense malware port scanning of 21 IPs (21 /24s) (# pkts S/M/O/I=0/20/1/0): 445:20, [] MAC_Src: 00:21:1C:EE:14:00 (09:14:42.843 PST)
tcpslice 1360343679.623 1360343679.624 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.77'
============================== SEPARATOR ================================

Score: 1.1 (>= 0.8)
Infected Target: 192.168.1.77
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 02/08/2013 09:14:39.623 PST
Gen. Time: 02/08/2013 09:18:16.420 PST
INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
140.46.248.117 (09:14:39.623 PST) event=777:7777005 {tcp} E5[bh] Detected moderate malware port scanning of 11 IPs (11 /24s) (# pkts S/M/O/I=0/10/1/0): 445:10, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (09:14:39.623 PST)
OUTBOUND SCAN ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN
217.73.241.115 (09:17:43.638 PST) event=777:7777008 {icmp} E8[bh] Detected intense malware port scanning of 136 IPs (136 /24s) (# pkts S/M/O/I=0/135/1/0): 445:135, [] MAC_Src: 00:21:1C:EE:14:00 (09:17:43.638 PST)
51.114.91.126 (09:16:12.694 PST) event=777:7777008 {icmp} E8[bh] Detected intense malware port scanning of 80 IPs (80 /24s) (# pkts S/M/O/I=0/79/1/0): 445:79, [] MAC_Src: 00:21:1C:EE:14:00 (09:16:12.694 PST)
33.76.219.66 (09:14:42.843 PST) event=777:7777008 {icmp} E8[bh] Detected intense malware port scanning of 21 IPs (21 /24s) (# pkts S/M/O/I=0/20/1/0): 445:20, [] MAC_Src: 00:21:1C:EE:14:00 (09:14:42.843 PST)
tcpslice 1360343679.623 1360343679.624 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.77'
============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.77
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 02/08/2013 09:18:57.631 PST
Gen. Time: 02/08/2013 09:18:57.631 PST
INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN
217.73.241.115 (09:18:57.631 PST) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 201 IPs (201 /24s) (# pkts S/M/O/I=0/200/1/0): 445:200, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (09:18:57.631 PST)
tcpslice 1360343937.631 1360343937.632 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.77'
============================== SEPARATOR ================================

Score: 1.1 (>= 0.8)
Infected Target: 192.168.1.77
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 02/08/2013 09:27:54.857 PST
Gen. Time: 02/08/2013 09:28:02.807 PST
INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
24.104.97.106 (09:27:54.857 PST) event=777:7777005 {icmp} E5[bh] Detected moderate malware port scanning of 10 IPs (10 /24s) (# pkts S/M/O/I=0/10/0/0): 445:10, [] MAC_Src: 00:21:1C:EE:14:00 (09:27:54.857 PST)
OUTBOUND SCAN ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN
219.94.245.64 (09:28:02.807 PST) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 21 IPs (21 /24s) (# pkts S/M/O/I=0/21/0/0): 445:21, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (09:28:02.807 PST)
tcpslice 1360344474.857 1360344474.858 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.77'
============================== SEPARATOR ================================

Score: 1.1 (>= 0.8)
Infected Target: 192.168.1.77
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 02/08/2013 09:27:54.857 PST
Gen. Time: 02/08/2013 09:31:21.051 PST
INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
24.104.97.106 (09:27:54.857 PST) event=777:7777005 {icmp} E5[bh] Detected moderate malware port scanning of 10 IPs (10 /24s) (# pkts S/M/O/I=0/10/0/0): 445:10, [] MAC_Src: 00:21:1C:EE:14:00 (09:27:54.857 PST)
OUTBOUND SCAN ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN
219.94.245.64 (09:28:02.807 PST) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 21 IPs (21 /24s) (# pkts S/M/O/I=0/21/0/0): 445:21, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (09:28:02.807 PST)
130.43.253.114 (09:29:32.587 PST) event=777:7777008 {icmp} E8[bh] Detected intense malware port scanning of 126 IPs (126 /24s) (# pkts S/M/O/I=0/126/0/0): 445:126, [] MAC_Src: 00:21:1C:EE:14:00 (09:29:32.587 PST)
tcpslice 1360344474.857 1360344474.858 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.77'
============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.77
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 02/08/2013 09:30:27.667 PST
Gen. Time: 02/08/2013 09:30:27.667 PST
INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN
130.43.253.114 (09:30:27.667 PST) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 200 IPs (200 /24s) (# pkts S/M/O/I=0/200/0/0): 445:200, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (09:30:27.667 PST)
tcpslice 1360344627.667 1360344627.668 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.77'
============================== SEPARATOR ================================

Score: 1.1 (>= 0.8)
Infected Target: 192.168.1.77
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 02/08/2013 09:40:00.641 PST
Gen. Time: 02/08/2013 09:40:03.591 PST
INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
176.110.138.56 (09:40:00.641 PST) event=777:7777005 {icmp} E5[bh] Detected moderate malware port scanning of 10 IPs (10 /24s) (# pkts S/M/O/I=0/10/0/0): 445:10, [] MAC_Src: 00:21:1C:EE:14:00 (09:40:00.641 PST)
OUTBOUND SCAN ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN
176.110.138.56 (09:40:03.591 PST) event=777:7777008 {icmp} E8[bh] Detected intense malware port scanning of 21 IPs (21 /24s) (# pkts S/M/O/I=0/21/0/0): 445:21, [] MAC_Src: 00:21:1C:EE:14:00 (09:40:03.591 PST)
tcpslice 1360345200.641 1360345200.642 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.77'
============================== SEPARATOR ================================

Score: 1.1 (>= 0.8)
Infected Target: 192.168.1.77
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 02/08/2013 09:40:00.641 PST
Gen. Time: 02/08/2013 09:43:33.270 PST
INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
176.110.138.56 (09:40:00.641 PST) event=777:7777005 {icmp} E5[bh] Detected moderate malware port scanning of 10 IPs (10 /24s) (# pkts S/M/O/I=0/10/0/0): 445:10, [] MAC_Src: 00:21:1C:EE:14:00 (09:40:00.641 PST)
OUTBOUND SCAN ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN
28.73.18.65 (09:41:33.218 PST) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 150 IPs (150 /24s) (# pkts S/M/O/I=0/150/0/0): 445:150, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (09:41:33.218 PST)
176.110.138.56 (09:40:03.591 PST) event=777:7777008 {icmp} E8[bh] Detected intense malware port scanning of 21 IPs (21 /24s) (# pkts S/M/O/I=0/21/0/0): 445:21, [] MAC_Src: 00:21:1C:EE:14:00 (09:40:03.591 PST)
tcpslice 1360345200.641 1360345200.642 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.77'
============================== SEPARATOR ================================

Score: 1.1 (>= 0.8)
Infected Target: 192.168.1.77
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 02/08/2013 09:51:58.666 PST
Gen. Time: 02/08/2013 09:52:07.752 PST
INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
179.34.190.10 (09:51:58.666 PST) event=777:7777005 {icmp} E5[bh] Detected moderate malware port scanning of 10 IPs (10 /24s) (# pkts S/M/O/I=0/10/0/0): 445:10, [] MAC_Src: 00:21:1C:EE:14:00 (09:51:58.666 PST)
OUTBOUND SCAN ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN
209.46.54.43 (09:52:07.752 PST) event=777:7777008 {icmp} E8[bh] Detected intense malware port scanning of 21 IPs (21 /24s) (# pkts S/M/O/I=0/21/0/0): 445:21, [] MAC_Src: 00:21:1C:EE:14:00 (09:52:07.752 PST)
tcpslice 1360345918.666 1360345918.667 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.77'
============================== SEPARATOR ================================

Score: 1.1 (>= 0.8)
Infected Target: 192.168.1.77
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 02/08/2013 09:51:58.666 PST
Gen. Time: 02/08/2013 09:55:47.523 PST
INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
179.34.190.10 (09:51:58.666 PST) event=777:7777005 {icmp} E5[bh] Detected moderate malware port scanning of 10 IPs (10 /24s) (# pkts S/M/O/I=0/10/0/0): 445:10, [] MAC_Src: 00:21:1C:EE:14:00 (09:51:58.666 PST)
OUTBOUND SCAN ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN
209.46.54.43 (09:52:07.752 PST) event=777:7777008 {icmp} E8[bh] Detected intense malware port scanning of 21 IPs (21 /24s) (# pkts S/M/O/I=0/21/0/0): 445:21, [] MAC_Src: 00:21:1C:EE:14:00 (09:52:07.752 PST)
186.3.192.1 (09:53:37.646 PST) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 132 IPs (132 /24s) (# pkts S/M/O/I=0/132/0/0): 445:132, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (09:53:37.646 PST)
tcpslice 1360345918.666 1360345918.667 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.77'
============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.77
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 02/08/2013 09:54:32.598 PST
Gen. Time: 02/08/2013 09:54:32.598 PST
INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN
186.3.192.1 (09:54:32.598 PST) event=777:7777008 {icmp} E8[bh] Detected intense malware port scanning of 200 IPs (200 /24s) (# pkts S/M/O/I=0/200/0/0): 445:200, [] MAC_Src: 00:21:1C:EE:14:00 (09:54:32.598 PST)
tcpslice 1360346072.598 1360346072.599 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.77'
============================== SEPARATOR ================================

Score: 1.1 (>= 0.8)
Infected Target: 192.168.1.77
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 02/08/2013 09:54:32.598 PST
Gen. Time: 02/08/2013 10:04:01.553 PST
INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
188.60.177.111 (10:04:01.553 PST) event=777:7777005 {icmp} E5[bh] Detected moderate malware port scanning of 10 IPs (10 /24s) (# pkts S/M/O/I=0/10/0/0): 445:10, [] MAC_Src: 00:21:1C:EE:14:00 (10:04:01.553 PST)
OUTBOUND SCAN ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN
186.3.192.1 (09:54:32.598 PST) event=777:7777008 {icmp} E8[bh] Detected intense malware port scanning of 200 IPs (200 /24s) (# pkts S/M/O/I=0/200/0/0): 445:200, [] MAC_Src: 00:21:1C:EE:14:00 (09:54:32.598 PST)
tcpslice 1360346072.598 1360346072.599 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.77'
============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.77
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 02/08/2013 10:04:08.769 PST
Gen. Time: 02/08/2013 10:04:08.769 PST
INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN
188.60.177.111 (10:04:08.769 PST) event=777:7777008 {icmp} E8[bh] Detected intense malware port scanning of 21 IPs (21 /24s) (# pkts S/M/O/I=0/21/0/0): 445:21, [] MAC_Src: 00:21:1C:EE:14:00 (10:04:08.769 PST)
tcpslice 1360346648.769 1360346648.770 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.77'
============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.77
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 02/08/2013 10:04:08.769 PST
Gen. Time: 02/08/2013 10:06:43.290 PST
INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN
41.43.35.127 (10:05:38.523 PST) event=777:7777008 {icmp} E8[bh] Detected intense malware port scanning of 145 IPs (145 /24s) (# pkts S/M/O/I=0/145/0/0): 445:145, [] MAC_Src: 00:21:1C:EE:14:00 (10:05:38.523 PST)
188.60.177.111 (10:04:08.769 PST) event=777:7777008 {icmp} E8[bh] Detected intense malware port scanning of 21 IPs (21 /24s) (# pkts S/M/O/I=0/21/0/0): 445:21, [] MAC_Src: 00:21:1C:EE:14:00 (10:04:08.769 PST)
tcpslice 1360346648.769 1360346648.770 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.77'
============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.77
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 02/08/2013 10:13:52.897 PST
Gen. Time: 02/08/2013 10:13:52.897 PST
INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN
33.14.136.123 (10:13:52.897 PST) event=777:7777008 {icmp} E8[bh] Detected intense malware port scanning of 201 IPs (201 /24s) (# pkts S/M/O/I=0/200/1/0): 445:200, [] MAC_Src: 00:21:1C:EE:14:00 (10:13:52.897 PST)
tcpslice 1360347232.897 1360347232.898 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.77'
============================== SEPARATOR ================================

Score: 1.1 (>= 0.8)
Infected Target: 192.168.1.77
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 02/08/2013 10:13:52.897 PST
Gen. Time: 02/08/2013 10:18:01.190 PST
INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
64.57.68.123 (10:16:03.935 PST) event=777:7777005 {tcp} E5[bh] Detected moderate malware port scanning of 10 IPs (10 /24s) (# pkts S/M/O/I=0/10/0/0): 445:10, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (10:16:03.935 PST)
OUTBOUND SCAN ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN
199.14.140.29 (10:17:41.765 PST) event=777:7777008 {icmp} E8[bh] Detected intense malware port scanning of 138 IPs (138 /24s) (# pkts S/M/O/I=0/138/0/0): 445:138, [] MAC_Src: 00:21:1C:EE:14:00 (10:17:41.765 PST)
33.14.136.123 (10:13:52.897 PST) event=777:7777008 {icmp} E8[bh] Detected intense malware port scanning of 201 IPs (201 /24s) (# pkts S/M/O/I=0/200/1/0): 445:200, [] MAC_Src: 00:21:1C:EE:14:00 (10:13:52.897 PST)
64.57.68.123 (10:16:11.688 PST) event=777:7777008 {icmp} E8[bh] Detected intense malware port scanning of 21 IPs (21 /24s) (# pkts S/M/O/I=0/21/0/0): 445:21, [] MAC_Src: 00:21:1C:EE:14:00 (10:16:11.688 PST)
tcpslice 1360347232.897 1360347232.898 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.77'
============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.77
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 02/08/2013 10:18:27.652 PST
Gen. Time: 02/08/2013 10:18:27.652 PST
INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN
62.112.3.29 (10:18:27.652 PST) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 200 IPs (200 /24s) (# pkts S/M/O/I=0/200/0/0): 445:200, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (10:18:27.652 PST)
tcpslice 1360347507.652 1360347507.653 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.77'
============================== SEPARATOR ================================

Score: 1.1 (>= 0.8)
Infected Target: 192.168.1.77
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 02/08/2013 10:18:27.652 PST
Gen. Time: 02/08/2013 10:28:07.870 PST
INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
184.5.122.75 (10:28:07.870 PST) event=777:7777005 {icmp} E5[bh] Detected moderate malware port scanning of 10 IPs (10 /24s) (# pkts S/M/O/I=0/10/0/0): 445:10, [] MAC_Src: 00:21:1C:EE:14:00 (10:28:07.870 PST)
OUTBOUND SCAN ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN
62.112.3.29 (10:18:27.652 PST) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 200 IPs (200 /24s) (# pkts S/M/O/I=0/200/0/0): 445:200, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (10:18:27.652 PST)
tcpslice 1360347507.652 1360347507.653 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.77'
============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.77
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 02/08/2013 10:28:23.592 PST
Gen. Time: 02/08/2013 10:28:23.592 PST
INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN
184.5.122.75 (10:28:23.592 PST) event=777:7777008 {icmp} E8[bh] Detected intense malware port scanning of 21 IPs (21 /24s) (# pkts S/M/O/I=0/21/0/0): 445:21, [] MAC_Src: 00:21:1C:EE:14:00 (10:28:23.592 PST)
tcpslice 1360348103.592 1360348103.593 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.77'
============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.77
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 02/08/2013 10:28:23.592 PST
Gen. Time: 02/08/2013 10:32:24.153 PST
INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN
184.5.122.75 (10:28:23.592 PST) event=777:7777008 {icmp} E8[bh] Detected intense malware port scanning of 21 IPs (21 /24s) (# pkts S/M/O/I=0/21/0/0): 445:21, [] MAC_Src: 00:21:1C:EE:14:00 (10:28:23.592 PST)
134.10.216.34 (10:29:53.715 PST) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 140 IPs (140 /24s) (# pkts S/M/O/I=0/140/0/0): 445:140, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (10:29:53.715 PST)
tcpslice 1360348103.592 1360348103.593 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.77'
============================== SEPARATOR ================================

Score: 1.1 (>= 0.8)
Infected Target: 192.168.1.77
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 02/08/2013 10:40:13.645 PST
Gen. Time: 02/08/2013 10:40:19.661 PST
INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
198.74.103.18 (10:40:13.645 PST) event=777:7777005 {icmp} E5[bh] Detected moderate malware port scanning of 10 IPs (10 /24s) (# pkts S/M/O/I=0/10/0/0): 445:10, [] MAC_Src: 00:21:1C:EE:14:00 (10:40:13.645 PST)
OUTBOUND SCAN ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN
198.74.103.18 (10:40:19.661 PST) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 21 IPs (21 /24s) (# pkts S/M/O/I=0/21/0/0): 445:21, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (10:40:19.661 PST)
tcpslice 1360348813.645 1360348813.646 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.77'
============================== SEPARATOR ================================

Score: 1.1 (>= 0.8)
Infected Target: 192.168.1.77
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 02/08/2013 10:40:13.645 PST
Gen. Time: 02/08/2013 10:43:35.406 PST
INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
198.74.103.18 (10:40:13.645 PST) event=777:7777005 {icmp} E5[bh] Detected moderate malware port scanning of 10 IPs (10 /24s) (# pkts S/M/O/I=0/10/0/0): 445:10, [] MAC_Src: 00:21:1C:EE:14:00 (10:40:13.645 PST)
OUTBOUND SCAN ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN
198.74.103.18 (10:40:19.661 PST) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 21 IPs (21 /24s) (# pkts S/M/O/I=0/21/0/0): 445:21, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (10:40:19.661 PST)
26.1.86.17 (10:41:49.708 PST) event=777:7777008 {icmp} E8[bh] Detected intense malware port scanning of 137 IPs (137 /24s) (# pkts S/M/O/I=0/137/0/0): 445:137, [] MAC_Src: 00:21:1C:EE:14:00 (10:41:49.708 PST)
tcpslice 1360348813.645 1360348813.646 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.77'
============================== SEPARATOR ================================

Score: 1.1 (>= 0.8)
Infected Target: 192.168.1.77
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 02/08/2013 10:51:09.833 PST
Gen. Time: 02/08/2013 10:51:16.680 PST
INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
171.62.198.100 (10:51:09.833 PST) event=777:7777005 {icmp} E5[bh] Detected moderate malware port scanning of 10 IPs (10 /24s) (# pkts S/M/O/I=0/10/0/0): 445:10, [] MAC_Src: 00:21:1C:EE:14:00 (10:51:09.833 PST)
OUTBOUND SCAN ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN
171.62.198.100 (10:51:16.680 PST) event=777:7777008 {icmp} E8[bh] Detected intense malware port scanning of 21 IPs (21 /24s) (# pkts S/M/O/I=0/21/0/0): 445:21, [] MAC_Src: 00:21:1C:EE:14:00 (10:51:16.680 PST)
tcpslice 1360349469.833 1360349469.834 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.77'
============================== SEPARATOR ================================

Score: 1.1 (>= 0.8)
Infected Target: 192.168.1.77
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 02/08/2013 10:51:09.833 PST
Gen. Time: 02/08/2013 10:54:39.037 PST
INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
171.62.198.100 (10:51:09.833 PST) event=777:7777005 {icmp} E5[bh] Detected moderate malware port scanning of 10 IPs (10 /24s) (# pkts S/M/O/I=0/10/0/0): 445:10, [] MAC_Src: 00:21:1C:EE:14:00 (10:51:09.833 PST)
OUTBOUND SCAN ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN
71.38.51.50 (10:52:46.478 PST) event=777:7777008 {icmp} E8[bh] Detected intense malware port scanning of 142 IPs (142 /24s) (# pkts S/M/O/I=0/142/0/0): 445:142, [] MAC_Src: 00:21:1C:EE:14:00 (10:52:46.478 PST)
171.62.198.100 (10:51:16.680 PST) event=777:7777008 {icmp} E8[bh] Detected intense malware port scanning of 21 IPs (21 /24s) (# pkts S/M/O/I=0/21/0/0): 445:21, [] MAC_Src: 00:21:1C:EE:14:00 (10:51:16.680 PST)
tcpslice 1360349469.833 1360349469.834 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.77'
============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.77
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 02/08/2013 10:53:34.604 PST
Gen. Time: 02/08/2013 10:53:34.604 PST
INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN
97.119.196.54 (10:53:34.604 PST) event=777:7777008 {icmp} E8[bh] Detected intense malware port scanning of 200 IPs (200 /24s) (# pkts S/M/O/I=0/200/0/0): 445:200, [] MAC_Src: 00:21:1C:EE:14:00 (10:53:34.604 PST)
tcpslice 1360349614.604 1360349614.605 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.77'
============================== SEPARATOR ================================

Score: 1.1 (>= 0.8)
Infected Target: 192.168.1.77
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 02/08/2013 10:53:34.604 PST
Gen. Time: 02/08/2013 11:03:06.706 PST
INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
141.57.221.32 (11:03:06.706 PST) event=777:7777005 {tcp} E5[bh] Detected moderate malware port scanning of 10 IPs (10 /24s) (# pkts S/M/O/I=0/10/0/0): 445:10, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (11:03:06.706 PST)
OUTBOUND SCAN ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN
97.119.196.54 (10:53:34.604 PST) event=777:7777008 {icmp} E8[bh] Detected intense malware port scanning of 200 IPs (200 /24s) (# pkts S/M/O/I=0/200/0/0): 445:200, [] MAC_Src: 00:21:1C:EE:14:00 (10:53:34.604 PST)
tcpslice 1360349614.604 1360349614.605 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.77'
============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.77
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 02/08/2013 11:03:15.608 PST
Gen. Time: 02/08/2013 11:03:15.608 PST
INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN
141.57.221.32 (11:03:15.608 PST) event=777:7777008 {icmp} E8[bh] Detected intense malware port scanning of 21 IPs (21 /24s) (# pkts S/M/O/I=0/21/0/0): 445:21, [] MAC_Src: 00:21:1C:EE:14:00 (11:03:15.608 PST)
tcpslice 1360350195.608 1360350195.609 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.77'
============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.77
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 02/08/2013 11:03:15.608 PST
Gen. Time: 02/08/2013 11:06:14.327 PST
INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN
141.57.221.32 (11:03:15.608 PST) event=777:7777008 {icmp} E8[bh] Detected intense malware port scanning of 21 IPs (21 /24s) (# pkts S/M/O/I=0/21/0/0): 445:21, [] MAC_Src: 00:21:1C:EE:14:00 (11:03:15.608 PST)
135.42.132.66 (11:04:45.706 PST) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 140 IPs (140 /24s) (# pkts S/M/O/I=0/140/0/0): 445:140, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (11:04:45.706 PST)
tcpslice 1360350195.608 1360350195.609 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.77'
============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.77
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 02/08/2013 11:05:36.734 PST
Gen. Time: 02/08/2013 11:05:36.734 PST
INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN
43.116.125.23 (11:05:36.734 PST) event=777:7777008 {icmp} E8[bh] Detected intense malware port scanning of 200 IPs (200 /24s) (# pkts S/M/O/I=0/200/0/0): 445:200, [] MAC_Src: 00:21:1C:EE:14:00 (11:05:36.734 PST)
tcpslice 1360350336.734 1360350336.735 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.77'
============================== SEPARATOR ================================

Score: 1.1 (>= 0.8)
Infected Target: 192.168.1.77
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 02/08/2013 11:15:10.736 PST
Gen. Time: 02/08/2013 11:15:18.619 PST
INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
65.51.155.86 (11:15:10.736 PST) event=777:7777005 {icmp} E5[bh] Detected moderate malware port scanning of 10 IPs (10 /24s) (# pkts S/M/O/I=0/10/0/0): 445:10, [] MAC_Src: 00:21:1C:EE:14:00 (11:15:10.736 PST)
OUTBOUND SCAN ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN
62.24.149.14 (11:15:18.619 PST) event=777:7777008 {icmp} E8[bh] Detected intense malware port scanning of 21 IPs (21 /24s) (# pkts S/M/O/I=0/21/0/0): 445:21, [] MAC_Src: 00:21:1C:EE:14:00 (11:15:18.619 PST)
tcpslice 1360350910.736 1360350910.737 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.77'
============================== SEPARATOR ================================

Score: 1.1 (>= 0.8)
Infected Target: 192.168.1.77
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 02/08/2013 11:15:10.736 PST
Gen. Time: 02/08/2013 11:19:43.816 PST
INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
65.51.155.86 (11:15:10.736 PST) event=777:7777005 {icmp} E5[bh] Detected moderate malware port scanning of 10 IPs (10 /24s) (# pkts S/M/O/I=0/10/0/0): 445:10, [] MAC_Src: 00:21:1C:EE:14:00 (11:15:10.736 PST)
OUTBOUND SCAN ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN
62.24.149.14 (11:15:18.619 PST) event=777:7777008 {icmp} E8[bh] Detected intense malware port scanning of 21 IPs (21 /24s) (# pkts S/M/O/I=0/21/0/0): 445:21, [] MAC_Src: 00:21:1C:EE:14:00 (11:15:18.619 PST)
87.110.205.92 (11:16:48.587 PST) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 132 IPs (132 /24s) (# pkts S/M/O/I=0/132/0/0): 445:132, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (11:16:48.587 PST)
tcpslice 1360350910.736 1360350910.737 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.77'
============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.77
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 02/08/2013 11:17:38.691 PST
Gen.
Time: 02/08/2013 11:17:38.691 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 170.15.34.115 (11:17:38.691 PST) event=777:7777008 {icmp} E8[bh] Detected intense malware port scanning of 200 IPs (200 /24s) (# pkts S/M/O/I=0/200/0/0): 445:200, [] MAC_Src: 00:21:1C:EE:14:00 (11:17:38.691 PST) tcpslice 1360351058.691 1360351058.692 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.77' ============================== SEPARATOR ================================ Score: 1.1 (>= 0.8) Infected Target: 192.168.1.77 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 02/08/2013 11:17:38.691 PST Gen. Time: 02/08/2013 11:27:11.619 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) 61.119.89.97 (11:27:11.619 PST) event=777:7777005 {tcp} E5[bh] Detected moderate malware port scanning of 10 IPs (10 /24s) (# pkts S/M/O/I=0/10/0/0): 445:10, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (11:27:11.619 PST) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 170.15.34.115 (11:17:38.691 PST) event=777:7777008 {icmp} E8[bh] Detected intense malware port scanning of 200 IPs (200 /24s) (# pkts S/M/O/I=0/200/0/0): 445:200, [] MAC_Src: 00:21:1C:EE:14:00 (11:17:38.691 PST) tcpslice 1360351058.691 1360351058.692 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.77' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.77 Infector List: Egg Source List: C & C List: Peer 
Coord. List: Resource List: Observed Start: 02/08/2013 11:27:16.743 PST Gen. Time: 02/08/2013 11:27:16.743 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 61.119.89.97 (11:27:16.743 PST) event=777:7777008 {icmp} E8[bh] Detected intense malware port scanning of 21 IPs (21 /24s) (# pkts S/M/O/I=0/21/0/0): 445:21, [] MAC_Src: 00:21:1C:EE:14:00 (11:27:16.743 PST) tcpslice 1360351636.743 1360351636.744 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.77' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.77 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 02/08/2013 11:27:16.743 PST Gen. 
Time: 02/08/2013 11:30:43.059 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 141.4.203.24 (11:28:46.634 PST) event=777:7777008 {icmp} E8[bh] Detected intense malware port scanning of 155 IPs (155 /24s) (# pkts S/M/O/I=0/155/0/0): 445:155, [] MAC_Src: 00:21:1C:EE:14:00 (11:28:46.634 PST) 61.119.89.97 (11:27:16.743 PST) event=777:7777008 {icmp} E8[bh] Detected intense malware port scanning of 21 IPs (21 /24s) (# pkts S/M/O/I=0/21/0/0): 445:21, [] MAC_Src: 00:21:1C:EE:14:00 (11:27:16.743 PST) tcpslice 1360351636.743 1360351636.744 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.77' ============================== SEPARATOR ================================ Score: 1.1 (>= 0.8) Infected Target: 192.168.1.77 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 02/08/2013 11:39:23.263 PST Gen. 
Time: 02/08/2013 11:39:33.642 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) 48.44.41.15 (11:39:23.263 PST) event=777:7777005 {icmp} E5[bh] Detected moderate malware port scanning of 10 IPs (10 /24s) (# pkts S/M/O/I=0/10/0/0): 445:10, [] MAC_Src: 00:21:1C:EE:14:00 (11:39:23.263 PST) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 81.62.178.37 (11:39:33.642 PST) event=777:7777008 {icmp} E8[bh] Detected intense malware port scanning of 21 IPs (21 /24s) (# pkts S/M/O/I=0/21/0/0): 445:21, [] MAC_Src: 00:21:1C:EE:14:00 (11:39:33.642 PST) tcpslice 1360352363.263 1360352363.264 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.77' ============================== SEPARATOR ================================ Score: 1.1 (>= 0.8) Infected Target: 192.168.1.77 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 02/08/2013 11:39:23.263 PST Gen. 
Time: 02/08/2013 11:42:46.097 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) 48.44.41.15 (11:39:23.263 PST) event=777:7777005 {icmp} E5[bh] Detected moderate malware port scanning of 10 IPs (10 /24s) (# pkts S/M/O/I=0/10/0/0): 445:10, [] MAC_Src: 00:21:1C:EE:14:00 (11:39:23.263 PST) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 81.62.178.37 (11:39:33.642 PST) event=777:7777008 {icmp} E8[bh] Detected intense malware port scanning of 21 IPs (21 /24s) (# pkts S/M/O/I=0/21/0/0): 445:21, [] MAC_Src: 00:21:1C:EE:14:00 (11:39:33.642 PST) 195.83.189.61 (11:41:03.624 PST) event=777:7777008 {icmp} E8[bh] Detected intense malware port scanning of 131 IPs (131 /24s) (# pkts S/M/O/I=0/131/0/0): 445:131, [] MAC_Src: 00:21:1C:EE:14:00 (11:41:03.624 PST) tcpslice 1360352363.263 1360352363.264 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.77' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.77 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 02/08/2013 11:42:10.888 PST Gen. 
Time: 02/08/2013 11:42:10.888 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 195.83.189.61 (11:42:10.888 PST) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 200 IPs (200 /24s) (# pkts S/M/O/I=0/200/0/0): 445:200, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (11:42:10.888 PST) tcpslice 1360352530.888 1360352530.889 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.77' ============================== SEPARATOR ================================ Score: 1.1 (>= 0.8) Infected Target: 192.168.1.77 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 02/08/2013 11:42:10.888 PST Gen. Time: 02/08/2013 11:51:17.741 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) 175.113.194.124 (11:51:17.741 PST) event=777:7777005 {icmp} E5[bh] Detected moderate malware port scanning of 10 IPs (10 /24s) (# pkts S/M/O/I=0/10/0/0): 445:10, [] MAC_Src: 00:21:1C:EE:14:00 (11:51:17.741 PST) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 195.83.189.61 (11:42:10.888 PST) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 200 IPs (200 /24s) (# pkts S/M/O/I=0/200/0/0): 445:200, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (11:42:10.888 PST) tcpslice 1360352530.888 1360352530.889 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.77' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.77 Infector List: Egg Source List: C & C 
List: Peer Coord. List: Resource List: Observed Start: 02/08/2013 11:51:26.721 PST Gen. Time: 02/08/2013 11:51:26.721 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 42.73.179.113 (11:51:26.721 PST) event=777:7777008 {icmp} E8[bh] Detected intense malware port scanning of 21 IPs (21 /24s) (# pkts S/M/O/I=0/21/0/0): 445:21, [] MAC_Src: 00:21:1C:EE:14:00 (11:51:26.721 PST) tcpslice 1360353086.721 1360353086.722 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.77' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.77 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 02/08/2013 11:51:26.721 PST Gen. 
Time: 02/08/2013 11:55:34.687 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 86.5.185.3 (11:52:56.009 PST) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 154 IPs (154 /24s) (# pkts S/M/O/I=0/154/0/0): 445:154, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (11:52:56.009 PST) 42.73.179.113 (11:51:26.721 PST) event=777:7777008 {icmp} E8[bh] Detected intense malware port scanning of 21 IPs (21 /24s) (# pkts S/M/O/I=0/21/0/0): 445:21, [] MAC_Src: 00:21:1C:EE:14:00 (11:51:26.721 PST) tcpslice 1360353086.721 1360353086.722 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.77' ============================== SEPARATOR ================================ Score: 1.1 (>= 0.8) Infected Target: 192.168.1.77 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 02/08/2013 12:03:22.855 PST Gen. 
Time: 02/08/2013 12:03:29.582 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) 25.101.110.44 (12:03:22.855 PST) event=777:7777005 {tcp} E5[bh] Detected moderate malware port scanning of 10 IPs (10 /24s) (# pkts S/M/O/I=0/10/0/0): 445:10, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (12:03:22.855 PST) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 71.54.28.103 (12:03:29.582 PST) event=777:7777008 {icmp} E8[bh] Detected intense malware port scanning of 21 IPs (21 /24s) (# pkts S/M/O/I=0/21/0/0): 445:21, [] MAC_Src: 00:21:1C:EE:14:00 (12:03:29.582 PST) tcpslice 1360353802.855 1360353802.856 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.77' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.77 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 02/08/2013 12:04:59.754 PST Gen. 
Time: 02/08/2013 12:04:59.754 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 104.56.121.65 (12:04:59.754 PST) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 128 IPs (128 /24s) (# pkts S/M/O/I=0/128/0/0): 445:128, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (12:04:59.754 PST) tcpslice 1360353899.754 1360353899.755 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.77' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.77 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 02/08/2013 12:04:59.754 PST Gen. Time: 02/08/2013 12:08:32.440 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 207.58.179.24 (12:06:31.140 PST) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 182 IPs (182 /24s) (# pkts S/M/O/I=0/182/0/0): 445:182, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (12:06:31.140 PST) 104.56.121.65 (12:04:59.754 PST) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 128 IPs (128 /24s) (# pkts S/M/O/I=0/128/0/0): 445:128, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (12:04:59.754 PST) tcpslice 1360353899.754 1360353899.755 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.77' ============================== SEPARATOR ================================ Score: 1.1 (>= 0.8) Infected Target: 192.168.1.77 Infector List: Egg Source List: C & C 
List: Peer Coord. List: Resource List: Observed Start: 02/08/2013 12:15:26.783 PST Gen. Time: 02/08/2013 12:15:38.696 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) 92.36.188.20 (12:15:26.783 PST) event=777:7777005 {icmp} E5[bh] Detected moderate malware port scanning of 10 IPs (10 /24s) (# pkts S/M/O/I=0/10/0/0): 445:10, [] MAC_Src: 00:21:1C:EE:14:00 (12:15:26.783 PST) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 92.36.188.20 (12:15:38.696 PST) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 21 IPs (21 /24s) (# pkts S/M/O/I=0/21/0/0): 445:21, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (12:15:38.696 PST) tcpslice 1360354526.783 1360354526.784 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.77' ============================== SEPARATOR ================================ Score: 1.1 (>= 0.8) Infected Target: 192.168.1.77 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 02/08/2013 12:15:26.783 PST Gen. 
Time: 02/08/2013 12:19:05.615 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) 92.36.188.20 (12:15:26.783 PST) event=777:7777005 {icmp} E5[bh] Detected moderate malware port scanning of 10 IPs (10 /24s) (# pkts S/M/O/I=0/10/0/0): 445:10, [] MAC_Src: 00:21:1C:EE:14:00 (12:15:26.783 PST) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 81.97.27.44 (12:17:08.727 PST) event=777:7777008 {icmp} E8[bh] Detected intense malware port scanning of 149 IPs (149 /24s) (# pkts S/M/O/I=0/149/0/0): 445:149, [] MAC_Src: 00:21:1C:EE:14:00 (12:17:08.727 PST) 92.36.188.20 (12:15:38.696 PST) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 21 IPs (21 /24s) (# pkts S/M/O/I=0/21/0/0): 445:21, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (12:15:38.696 PST) tcpslice 1360354526.783 1360354526.784 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.77' ============================== SEPARATOR ================================ Score: 1.1 (>= 0.8) Infected Target: 192.168.1.77 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 02/08/2013 12:27:32.939 PST Gen. 
Time: 02/08/2013 12:27:42.934 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) 146.60.137.95 (12:27:32.939 PST) event=777:7777005 {icmp} E5[bh] Detected moderate malware port scanning of 10 IPs (10 /24s) (# pkts S/M/O/I=0/10/0/0): 445:10, [] MAC_Src: 00:21:1C:EE:14:00 (12:27:32.939 PST) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 83.110.153.26 (12:27:42.934 PST) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 21 IPs (21 /24s) (# pkts S/M/O/I=0/21/0/0): 445:21, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (12:27:42.934 PST) tcpslice 1360355252.939 1360355252.940 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.77' ============================== SEPARATOR ================================ Score: 1.1 (>= 0.8) Infected Target: 192.168.1.77 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 02/08/2013 12:27:32.939 PST Gen. 
Time: 02/08/2013 12:30:41.867 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) 146.60.137.95 (12:27:32.939 PST) event=777:7777005 {icmp} E5[bh] Detected moderate malware port scanning of 10 IPs (10 /24s) (# pkts S/M/O/I=0/10/0/0): 445:10, [] MAC_Src: 00:21:1C:EE:14:00 (12:27:32.939 PST) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 173.34.71.22 (12:29:13.708 PST) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 108 IPs (108 /24s) (# pkts S/M/O/I=0/107/0/1): 445:107, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (12:29:13.708 PST) 83.110.153.26 (12:27:42.934 PST) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 21 IPs (21 /24s) (# pkts S/M/O/I=0/21/0/0): 445:21, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (12:27:42.934 PST) tcpslice 1360355252.939 1360355252.940 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.77' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.77 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 02/08/2013 12:30:45.541 PST Gen. 
Time: 02/08/2013 12:30:45.541 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 122.17.53.44 (12:30:45.541 PST) event=777:7777008 {icmp} E8[bh] Detected intense malware port scanning of 184 IPs (184 /24s) (# pkts S/M/O/I=0/183/0/1): 445:183, [] MAC_Src: 00:21:1C:EE:14:00 (12:30:45.541 PST) tcpslice 1360355445.541 1360355445.542 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.77' ============================== SEPARATOR ================================ Score: 1.1 (>= 0.8) Infected Target: 192.168.1.77 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 02/08/2013 12:39:33.956 PST Gen. Time: 02/08/2013 12:39:41.733 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) 64.66.24.106 (12:39:33.956 PST) event=777:7777005 {tcp} E5[bh] Detected moderate malware port scanning of 10 IPs (10 /24s) (# pkts S/M/O/I=0/10/0/0): 445:10, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (12:39:33.956 PST) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 64.66.24.106 (12:39:41.733 PST) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 21 IPs (21 /24s) (# pkts S/M/O/I=0/21/0/0): 445:21, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (12:39:41.733 PST) tcpslice 1360355973.956 1360355973.957 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.77' ============================== SEPARATOR ================================ Score: 1.1 (>= 0.8) Infected Target: 192.168.1.77 Infector List: Egg Source List: C & C List: Peer 
Coord. List: Resource List: Observed Start: 02/08/2013 12:39:33.956 PST Gen. Time: 02/08/2013 12:43:16.038 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) 64.66.24.106 (12:39:33.956 PST) event=777:7777005 {tcp} E5[bh] Detected moderate malware port scanning of 10 IPs (10 /24s) (# pkts S/M/O/I=0/10/0/0): 445:10, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (12:39:33.956 PST) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 64.66.24.106 (12:39:41.733 PST) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 21 IPs (21 /24s) (# pkts S/M/O/I=0/21/0/0): 445:21, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (12:39:41.733 PST) 61.120.6.116 (12:41:12.645 PST) event=777:7777008 {icmp} E8[bh] Detected intense malware port scanning of 131 IPs (131 /24s) (# pkts S/M/O/I=0/131/0/0): 445:131, [] MAC_Src: 00:21:1C:EE:14:00 (12:41:12.645 PST) tcpslice 1360355973.956 1360355973.957 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.77' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.77 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 02/08/2013 12:50:12.233 PST Gen. 
Time: 02/08/2013 12:50:12.233 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 61.120.6.116 (12:50:12.233 PST) event=777:7777008 {icmp} E8[bh] Detected intense malware port scanning of 201 IPs (201 /24s) (# pkts S/M/O/I=0/200/1/0): 445:200, [] MAC_Src: 00:21:1C:EE:14:00 (12:50:12.233 PST) tcpslice 1360356612.233 1360356612.234 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.77' ============================== SEPARATOR ================================ Score: 1.1 (>= 0.8) Infected Target: 192.168.1.77 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 02/08/2013 12:51:33.004 PST Gen. Time: 02/08/2013 12:51:41.747 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) 77.43.47.34 (12:51:33.004 PST) event=777:7777005 {icmp} E5[bh] Detected moderate malware port scanning of 10 IPs (10 /24s) (# pkts S/M/O/I=0/10/0/0): 445:10, [] MAC_Src: 00:21:1C:EE:14:00 (12:51:33.004 PST) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 77.43.47.34 (12:51:41.747 PST) event=777:7777008 {icmp} E8[bh] Detected intense malware port scanning of 21 IPs (21 /24s) (# pkts S/M/O/I=0/21/0/0): 445:21, [] MAC_Src: 00:21:1C:EE:14:00 (12:51:41.747 PST) tcpslice 1360356693.004 1360356693.005 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.77' ============================== SEPARATOR ================================ Score: 1.1 (>= 0.8) Infected Target: 192.168.1.77 Infector List: Egg Source List: C & C List: Peer Coord. 
List: Resource List: Observed Start: 02/08/2013 12:51:33.004 PST Gen. Time: 02/08/2013 12:56:14.323 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) 77.43.47.34 (12:51:33.004 PST) event=777:7777005 {icmp} E5[bh] Detected moderate malware port scanning of 10 IPs (10 /24s) (# pkts S/M/O/I=0/10/0/0): 445:10, [] MAC_Src: 00:21:1C:EE:14:00 (12:51:33.004 PST) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 77.43.47.34 (12:51:41.747 PST) event=777:7777008 {icmp} E8[bh] Detected intense malware port scanning of 21 IPs (21 /24s) (# pkts S/M/O/I=0/21/0/0): 445:21, [] MAC_Src: 00:21:1C:EE:14:00 (12:51:41.747 PST) 30.52.182.117 (12:53:11.358 PST) event=777:7777008 {icmp} E8[bh] Detected intense malware port scanning of 175 IPs (175 /24s) (# pkts S/M/O/I=0/175/0/0): 445:175, [] MAC_Src: 00:21:1C:EE:14:00 (12:53:11.358 PST) tcpslice 1360356693.004 1360356693.005 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.77' ============================== SEPARATOR ================================ Score: 1.1 (>= 0.8) Infected Target: 192.168.1.77 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 02/08/2013 12:59:38.672 PST Gen. 
Time: 02/08/2013 12:59:49.594 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) 210.83.228.127 (12:59:38.672 PST) event=777:7777005 {icmp} E5[bh] Detected moderate malware port scanning of 10 IPs (10 /24s) (# pkts S/M/O/I=0/10/0/0): 445:10, [] MAC_Src: 00:21:1C:EE:14:00 (12:59:38.672 PST) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 207.70.180.42 (12:59:49.594 PST) event=777:7777008 {icmp} E8[bh] Detected intense malware port scanning of 21 IPs (21 /24s) (# pkts S/M/O/I=0/21/0/0): 445:21, [] MAC_Src: 00:21:1C:EE:14:00 (12:59:49.594 PST) tcpslice 1360357178.672 1360357178.673 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.77' ============================== SEPARATOR ================================ Score: 1.1 (>= 0.8) Infected Target: 192.168.1.77 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 02/08/2013 12:59:38.672 PST Gen. 
Time: 02/08/2013 13:03:16.779 PST
   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
        99.23.113.30 (13:03:16.779 PST)
          event=777:7777005 {icmp} E5[bh] Detected moderate malware port scanning of 10 IPs (10 /24s) (# pkts S/M/O/I=0/10/0/0): 445:10, [] MAC_Src: 00:21:1C:EE:14:00 (13:03:16.779 PST)
        210.83.228.127 (12:59:38.672 PST)
          event=777:7777005 {icmp} E5[bh] Detected moderate malware port scanning of 10 IPs (10 /24s) (# pkts S/M/O/I=0/10/0/0): 445:10, [] MAC_Src: 00:21:1C:EE:14:00 (12:59:38.672 PST)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION Info
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN
        95.8.253.17 (13:01:19.722 PST)
          event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 142 IPs (142 /24s) (# pkts S/M/O/I=0/142/0/0): 445:142, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (13:01:19.722 PST)
        207.70.180.42 (12:59:49.594 PST)
          event=777:7777008 {icmp} E8[bh] Detected intense malware port scanning of 21 IPs (21 /24s) (# pkts S/M/O/I=0/21/0/0): 445:21, [] MAC_Src: 00:21:1C:EE:14:00 (12:59:49.594 PST)
tcpslice 1360357178.672 1360357178.673 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.77'
============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.77
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 02/08/2013 13:03:22.678 PST
Gen. Time: 02/08/2013 13:03:22.678 PST
   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION Info
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN
        99.23.113.30 (13:03:22.678 PST)
          event=777:7777008 {icmp} E8[bh] Detected intense malware port scanning of 21 IPs (21 /24s) (# pkts S/M/O/I=0/21/0/0): 445:21, [] MAC_Src: 00:21:1C:EE:14:00 (13:03:22.678 PST)
tcpslice 1360357402.678 1360357402.679 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.77'
============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.77
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 02/08/2013 13:03:22.678 PST
Gen. Time: 02/08/2013 13:07:36.523 PST
   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION Info
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN
        119.19.72.76 (13:04:52.767 PST)
          event=777:7777008 {icmp} E8[bh] Detected intense malware port scanning of 141 IPs (141 /24s) (# pkts S/M/O/I=0/141/0/0): 445:141, [] MAC_Src: 00:21:1C:EE:14:00 (13:04:52.767 PST)
        99.23.113.30 (13:03:22.678 PST)
          event=777:7777008 {icmp} E8[bh] Detected intense malware port scanning of 21 IPs (21 /24s) (# pkts S/M/O/I=0/21/0/0): 445:21, [] MAC_Src: 00:21:1C:EE:14:00 (13:03:22.678 PST)
tcpslice 1360357402.678 1360357402.679 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.77'
============================== SEPARATOR ================================

Score: 1.1 (>= 0.8)
Infected Target: 192.168.1.77
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 02/08/2013 13:15:21.694 PST
Gen. Time: 02/08/2013 13:15:31.694 PST
   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
        199.48.155.24 (13:15:21.694 PST)
          event=777:7777005 {icmp} E5[bh] Detected moderate malware port scanning of 10 IPs (10 /24s) (# pkts S/M/O/I=0/10/0/0): 445:10, [] MAC_Src: 00:21:1C:EE:14:00 (13:15:21.694 PST)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION Info
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN
        199.48.155.24 (13:15:31.694 PST)
          event=777:7777008 {icmp} E8[bh] Detected intense malware port scanning of 21 IPs (21 /24s) (# pkts S/M/O/I=0/21/0/0): 445:21, [] MAC_Src: 00:21:1C:EE:14:00 (13:15:31.694 PST)
tcpslice 1360358121.694 1360358121.695 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.77'
============================== SEPARATOR ================================

Score: 1.1 (>= 0.8)
Infected Target: 192.168.1.77
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 02/08/2013 13:15:21.694 PST
Gen. Time: 02/08/2013 13:19:55.228 PST
   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
        199.48.155.24 (13:15:21.694 PST)
          event=777:7777005 {icmp} E5[bh] Detected moderate malware port scanning of 10 IPs (10 /24s) (# pkts S/M/O/I=0/10/0/0): 445:10, [] MAC_Src: 00:21:1C:EE:14:00 (13:15:21.694 PST)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION Info
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN
        199.48.155.24 (13:15:31.694 PST)
          event=777:7777008 {icmp} E8[bh] Detected intense malware port scanning of 21 IPs (21 /24s) (# pkts S/M/O/I=0/21/0/0): 445:21, [] MAC_Src: 00:21:1C:EE:14:00 (13:15:31.694 PST)
        85.113.200.97 (13:17:01.695 PST)
          event=777:7777008 {icmp} E8[bh] Detected intense malware port scanning of 132 IPs (132 /24s) (# pkts S/M/O/I=0/132/0/0): 445:132, [] MAC_Src: 00:21:1C:EE:14:00 (13:17:01.695 PST)
tcpslice 1360358121.694 1360358121.695 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.77'
============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.77
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 02/08/2013 13:17:54.870 PST
Gen. Time: 02/08/2013 13:17:54.870 PST
   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION Info
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN
        95.75.96.9 (13:17:54.870 PST)
          event=777:7777008 {icmp} E8[bh] Detected intense malware port scanning of 200 IPs (200 /24s) (# pkts S/M/O/I=0/200/0/0): 445:200, [] MAC_Src: 00:21:1C:EE:14:00 (13:17:54.870 PST)
tcpslice 1360358274.870 1360358274.871 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.77'
============================== SEPARATOR ================================

Score: 1.1 (>= 0.8)
Infected Target: 192.168.1.77
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 02/08/2013 13:27:20.837 PST
Gen. Time: 02/08/2013 13:27:31.906 PST
   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
        208.38.6.70 (13:27:20.837 PST)
          event=777:7777005 {icmp} E5[bh] Detected moderate malware port scanning of 10 IPs (10 /24s) (# pkts S/M/O/I=0/10/0/0): 445:10, [] MAC_Src: 00:21:1C:EE:14:00 (13:27:20.837 PST)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION Info
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN
        208.38.6.70 (13:27:31.906 PST)
          event=777:7777008 {icmp} E8[bh] Detected intense malware port scanning of 21 IPs (21 /24s) (# pkts S/M/O/I=0/21/0/0): 445:21, [] MAC_Src: 00:21:1C:EE:14:00 (13:27:31.906 PST)
tcpslice 1360358840.837 1360358840.838 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.77'
============================== SEPARATOR ================================

Score: 1.1 (>= 0.8)
Infected Target: 192.168.1.77
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 02/08/2013 13:27:20.837 PST
Gen. Time: 02/08/2013 13:31:14.333 PST
   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
        208.38.6.70 (13:27:20.837 PST)
          event=777:7777005 {icmp} E5[bh] Detected moderate malware port scanning of 10 IPs (10 /24s) (# pkts S/M/O/I=0/10/0/0): 445:10, [] MAC_Src: 00:21:1C:EE:14:00 (13:27:20.837 PST)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION Info
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN
        178.83.254.13 (13:29:01.621 PST)
          event=777:7777008 {icmp} E8[bh] Detected intense malware port scanning of 143 IPs (143 /24s) (# pkts S/M/O/I=0/143/0/0): 445:143, [] MAC_Src: 00:21:1C:EE:14:00 (13:29:01.621 PST)
        208.38.6.70 (13:27:31.906 PST)
          event=777:7777008 {icmp} E8[bh] Detected intense malware port scanning of 21 IPs (21 /24s) (# pkts S/M/O/I=0/21/0/0): 445:21, [] MAC_Src: 00:21:1C:EE:14:00 (13:27:31.906 PST)
tcpslice 1360358840.837 1360358840.838 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.77'
============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.77
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 02/08/2013 13:29:52.963 PST
Gen. Time: 02/08/2013 13:29:52.963 PST
   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION Info
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN
        83.94.124.105 (13:29:52.963 PST)
          event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 200 IPs (200 /24s) (# pkts S/M/O/I=0/200/0/0): 445:200, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (13:29:52.963 PST)
tcpslice 1360358992.963 1360358992.964 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.77'
============================== SEPARATOR ================================

Score: 1.1 (>= 0.8)
Infected Target: 192.168.1.77
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 02/08/2013 13:39:20.617 PST
Gen. Time: 02/08/2013 13:39:24.970 PST
   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
        195.30.178.101 (13:39:20.617 PST)
          event=777:7777005 {tcp} E5[bh] Detected moderate malware port scanning of 10 IPs (10 /24s) (# pkts S/M/O/I=0/10/0/0): 445:10, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (13:39:20.617 PST)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION Info
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN
        195.30.178.101 (13:39:24.970 PST)
          event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 21 IPs (21 /24s) (# pkts S/M/O/I=0/21/0/0): 445:21, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (13:39:24.970 PST)
tcpslice 1360359560.617 1360359560.618 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.77'
============================== SEPARATOR ================================

Score: 1.1 (>= 0.8)
Infected Target: 192.168.1.77
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 02/08/2013 13:39:20.617 PST
Gen. Time: 02/08/2013 13:43:26.832 PST
   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
        195.30.178.101 (13:39:20.617 PST)
          event=777:7777005 {tcp} E5[bh] Detected moderate malware port scanning of 10 IPs (10 /24s) (# pkts S/M/O/I=0/10/0/0): 445:10, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (13:39:20.617 PST)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION Info
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN
        195.30.178.101 (13:39:24.970 PST)
          event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 21 IPs (21 /24s) (# pkts S/M/O/I=0/21/0/0): 445:21, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (13:39:24.970 PST)
        131.14.77.112 (13:40:54.752 PST)
          event=777:7777008 {icmp} E8[bh] Detected intense malware port scanning of 140 IPs (140 /24s) (# pkts S/M/O/I=0/140/0/0): 445:140, [] MAC_Src: 00:21:1C:EE:14:00 (13:40:54.752 PST)
tcpslice 1360359560.617 1360359560.618 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.77'
============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.77
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 02/08/2013 13:41:44.905 PST
Gen. Time: 02/08/2013 13:41:44.905 PST
   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION Info
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN
        33.95.229.41 (13:41:44.905 PST)
          event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 200 IPs (200 /24s) (# pkts S/M/O/I=0/200/0/0): 445:200, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (13:41:44.905 PST)
tcpslice 1360359704.905 1360359704.906 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.77'
============================== SEPARATOR ================================

Score: 1.1 (>= 0.8)
Infected Target: 192.168.1.77
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 02/08/2013 13:51:28.806 PST
Gen. Time: 02/08/2013 13:51:35.914 PST
   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
        113.53.71.52 (13:51:28.806 PST)
          event=777:7777005 {icmp} E5[bh] Detected moderate malware port scanning of 10 IPs (10 /24s) (# pkts S/M/O/I=0/10/0/0): 445:10, [] MAC_Src: 00:21:1C:EE:14:00 (13:51:28.806 PST)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION Info
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN
        113.53.71.52 (13:51:35.914 PST)
          event=777:7777008 {icmp} E8[bh] Detected intense malware port scanning of 21 IPs (21 /24s) (# pkts S/M/O/I=0/21/0/0): 445:21, [] MAC_Src: 00:21:1C:EE:14:00 (13:51:35.914 PST)
tcpslice 1360360288.806 1360360288.807 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.77'
============================== SEPARATOR ================================

Score: 1.1 (>= 0.8)
Infected Target: 192.168.1.77
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 02/08/2013 13:51:28.806 PST
Gen. Time: 02/08/2013 13:56:01.727 PST
   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
        113.53.71.52 (13:51:28.806 PST)
          event=777:7777005 {icmp} E5[bh] Detected moderate malware port scanning of 10 IPs (10 /24s) (# pkts S/M/O/I=0/10/0/0): 445:10, [] MAC_Src: 00:21:1C:EE:14:00 (13:51:28.806 PST)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION Info
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN
        51.125.197.106 (13:53:05.035 PST)
          event=777:7777008 {icmp} E8[bh] Detected intense malware port scanning of 155 IPs (154 /24s) (# pkts S/M/O/I=0/155/0/0): 445:155, [] MAC_Src: 00:21:1C:EE:14:00 (13:53:05.035 PST)
        113.53.71.52 (13:51:35.914 PST)
          event=777:7777008 {icmp} E8[bh] Detected intense malware port scanning of 21 IPs (21 /24s) (# pkts S/M/O/I=0/21/0/0): 445:21, [] MAC_Src: 00:21:1C:EE:14:00 (13:51:35.914 PST)
tcpslice 1360360288.806 1360360288.807 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.77'
============================== SEPARATOR ================================

Score: 1.1 (>= 0.8)
Infected Target: 192.168.1.77
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 02/08/2013 14:03:32.919 PST
Gen. Time: 02/08/2013 14:03:45.807 PST
   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
        198.74.47.33 (14:03:32.919 PST)
          event=777:7777005 {icmp} E5[bh] Detected moderate malware port scanning of 10 IPs (10 /24s) (# pkts S/M/O/I=0/10/0/0): 445:10, [] MAC_Src: 00:21:1C:EE:14:00 (14:03:32.919 PST)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION Info
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN
        198.74.47.33 (14:03:45.807 PST)
          event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 21 IPs (21 /24s) (# pkts S/M/O/I=0/21/0/0): 445:21, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (14:03:45.807 PST)
tcpslice 1360361012.919 1360361012.920 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.77'
============================== SEPARATOR ================================

Score: 1.1 (>= 0.8)
Infected Target: 192.168.1.77
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 02/08/2013 14:03:32.919 PST
Gen. Time: 02/08/2013 14:06:15.240 PST
   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
        198.74.47.33 (14:03:32.919 PST)
          event=777:7777005 {icmp} E5[bh] Detected moderate malware port scanning of 10 IPs (10 /24s) (# pkts S/M/O/I=0/10/0/0): 445:10, [] MAC_Src: 00:21:1C:EE:14:00 (14:03:32.919 PST)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION Info
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN
        198.74.47.33 (14:03:45.807 PST)
          event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 21 IPs (21 /24s) (# pkts S/M/O/I=0/21/0/0): 445:21, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (14:03:45.807 PST)
        126.68.76.82 (14:05:15.684 PST)
          event=777:7777008 {icmp} E8[bh] Detected intense malware port scanning of 151 IPs (151 /24s) (# pkts S/M/O/I=0/151/0/0): 445:151, [] MAC_Src: 00:21:1C:EE:14:00 (14:05:15.684 PST)
tcpslice 1360361012.919 1360361012.920 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.77'
============================== SEPARATOR ================================

Score: 1.1 (>= 0.8)
Infected Target: 192.168.1.77
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 02/08/2013 14:15:35.831 PST
Gen. Time: 02/08/2013 14:15:47.659 PST
   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
        52.107.116.10 (14:15:35.831 PST)
          event=777:7777005 {tcp} E5[bh] Detected moderate malware port scanning of 10 IPs (10 /24s) (# pkts S/M/O/I=0/10/0/0): 445:10, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (14:15:35.831 PST)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION Info
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN
        159.86.248.117 (14:15:47.659 PST)
          event=777:7777008 {icmp} E8[bh] Detected intense malware port scanning of 21 IPs (21 /24s) (# pkts S/M/O/I=0/21/0/0): 445:21, [] MAC_Src: 00:21:1C:EE:14:00 (14:15:47.659 PST)
tcpslice 1360361735.831 1360361735.832 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.77'
============================== SEPARATOR ================================

Score: 1.1 (>= 0.8)
Infected Target: 192.168.1.77
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 02/08/2013 14:15:35.831 PST
Gen. Time: 02/08/2013 14:19:51.197 PST
   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
        52.107.116.10 (14:15:35.831 PST)
          event=777:7777005 {tcp} E5[bh] Detected moderate malware port scanning of 10 IPs (10 /24s) (# pkts S/M/O/I=0/10/0/0): 445:10, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (14:15:35.831 PST)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION Info
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN
        185.118.215.68 (14:17:18.664 PST)
          event=777:7777008 {icmp} E8[bh] Detected intense malware port scanning of 144 IPs (144 /24s) (# pkts S/M/O/I=0/144/0/0): 445:144, [] MAC_Src: 00:21:1C:EE:14:00 (14:17:18.664 PST)
        159.86.248.117 (14:15:47.659 PST)
          event=777:7777008 {icmp} E8[bh] Detected intense malware port scanning of 21 IPs (21 /24s) (# pkts S/M/O/I=0/21/0/0): 445:21, [] MAC_Src: 00:21:1C:EE:14:00 (14:15:47.659 PST)
tcpslice 1360361735.831 1360361735.832 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.77'
============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.77
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 02/08/2013 14:18:04.769 PST
Gen. Time: 02/08/2013 14:18:04.769 PST
   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION Info
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN
        134.61.164.103 (14:18:04.769 PST)
          event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 200 IPs (200 /24s) (# pkts S/M/O/I=0/200/0/0): 445:200, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (14:18:04.769 PST)
tcpslice 1360361884.769 1360361884.770 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.77'
============================== SEPARATOR ================================

Score: 1.1 (>= 0.8)
Infected Target: 192.168.1.77
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 02/08/2013 14:18:04.769 PST
Gen. Time: 02/08/2013 14:27:38.825 PST
   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
        94.127.17.38 (14:27:38.825 PST)
          event=777:7777005 {icmp} E5[bh] Detected moderate malware port scanning of 10 IPs (10 /24s) (# pkts S/M/O/I=0/10/0/0): 445:10, [] MAC_Src: 00:21:1C:EE:14:00 (14:27:38.825 PST)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION Info
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN
        134.61.164.103 (14:18:04.769 PST)
          event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 200 IPs (200 /24s) (# pkts S/M/O/I=0/200/0/0): 445:200, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (14:18:04.769 PST)
tcpslice 1360361884.769 1360361884.770 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.77'
============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.77
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 02/08/2013 14:27:46.728 PST
Gen. Time: 02/08/2013 14:27:46.728 PST
   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION Info
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN
        149.26.55.100 (14:27:46.728 PST)
          event=777:7777008 {icmp} E8[bh] Detected intense malware port scanning of 21 IPs (21 /24s) (# pkts S/M/O/I=0/21/0/0): 445:21, [] MAC_Src: 00:21:1C:EE:14:00 (14:27:46.728 PST)
tcpslice 1360362466.728 1360362466.729 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.77'
============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.77
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 02/08/2013 14:27:46.728 PST
Gen. Time: 02/08/2013 14:31:51.439 PST
   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION Info
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN
        21.20.172.118 (14:29:16.834 PST)
          event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 154 IPs (154 /24s) (# pkts S/M/O/I=0/154/0/0): 445:154, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (14:29:16.834 PST)
        149.26.55.100 (14:27:46.728 PST)
          event=777:7777008 {icmp} E8[bh] Detected intense malware port scanning of 21 IPs (21 /24s) (# pkts S/M/O/I=0/21/0/0): 445:21, [] MAC_Src: 00:21:1C:EE:14:00 (14:27:46.728 PST)
tcpslice 1360362466.728 1360362466.729 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.77'
============================== SEPARATOR ================================

Score: 1.1 (>= 0.8)
Infected Target: 192.168.1.77
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 02/08/2013 14:39:38.711 PST
Gen. Time: 02/08/2013 14:39:43.756 PST
   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
        42.41.76.66 (14:39:38.711 PST)
          event=777:7777005 {tcp} E5[bh] Detected moderate malware port scanning of 10 IPs (10 /24s) (# pkts S/M/O/I=0/10/0/0): 445:10, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (14:39:38.711 PST)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION Info
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN
        88.85.123.89 (14:39:43.756 PST)
          event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 21 IPs (21 /24s) (# pkts S/M/O/I=0/21/0/0): 445:21, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (14:39:43.756 PST)
tcpslice 1360363178.711 1360363178.712 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.77'
============================== SEPARATOR ================================

Score: 1.1 (>= 0.8)
Infected Target: 192.168.1.77
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 02/08/2013 14:39:38.711 PST
Gen. Time: 02/08/2013 14:43:36.532 PST
   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
        42.41.76.66 (14:39:38.711 PST)
          event=777:7777005 {tcp} E5[bh] Detected moderate malware port scanning of 10 IPs (10 /24s) (# pkts S/M/O/I=0/10/0/0): 445:10, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (14:39:38.711 PST)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION Info
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN
        21.20.94.27 (14:41:13.717 PST)
          event=777:7777008 {icmp} E8[bh] Detected intense malware port scanning of 160 IPs (160 /24s) (# pkts S/M/O/I=0/160/0/0): 445:160, [] MAC_Src: 00:21:1C:EE:14:00 (14:41:13.717 PST)
        88.85.123.89 (14:39:43.756 PST)
          event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 21 IPs (21 /24s) (# pkts S/M/O/I=0/21/0/0): 445:21, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (14:39:43.756 PST)
tcpslice 1360363178.711 1360363178.712 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.77'
============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.77
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 02/08/2013 14:48:17.709 PST
Gen. Time: 02/08/2013 14:48:17.709 PST
   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION Info
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN
        21.20.94.27 (14:48:17.709 PST)
          event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 201 IPs (201 /24s) (# pkts S/M/O/I=0/200/1/0): 445:200, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (14:48:17.709 PST)
tcpslice 1360363697.709 1360363697.710 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.77'
============================== SEPARATOR ================================

Score: 1.1 (>= 0.8)
Infected Target: 192.168.1.77
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 02/08/2013 14:51:41.634 PST
Gen. Time: 02/08/2013 14:51:48.942 PST
   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
        107.11.44.84 (14:51:41.634 PST)
          event=777:7777005 {icmp} E5[bh] Detected moderate malware port scanning of 10 IPs (10 /24s) (# pkts S/M/O/I=0/10/0/0): 445:10, [] MAC_Src: 00:21:1C:EE:14:00 (14:51:41.634 PST)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION Info
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN
        107.11.44.84 (14:51:48.942 PST)
          event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 21 IPs (21 /24s) (# pkts S/M/O/I=0/21/0/0): 445:21, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (14:51:48.942 PST)
tcpslice 1360363901.634 1360363901.635 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.77'
============================== SEPARATOR ================================

Score: 1.1 (>= 0.8)
Infected Target: 192.168.1.77
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 02/08/2013 14:51:41.634 PST
Gen. Time: 02/08/2013 14:55:03.129 PST
   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
        107.11.44.84 (14:51:41.634 PST)
          event=777:7777005 {icmp} E5[bh] Detected moderate malware port scanning of 10 IPs (10 /24s) (# pkts S/M/O/I=0/10/0/0): 445:10, [] MAC_Src: 00:21:1C:EE:14:00 (14:51:41.634 PST)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION Info
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN
        95.85.71.35 (14:53:18.730 PST)
          event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 147 IPs (147 /24s) (# pkts S/M/O/I=0/147/0/0): 445:147, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (14:53:18.730 PST)
        107.11.44.84 (14:51:48.942 PST)
          event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 21 IPs (21 /24s) (# pkts S/M/O/I=0/21/0/0): 445:21, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (14:51:48.942 PST)
tcpslice 1360363901.634 1360363901.635 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.77'
============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.77
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 02/08/2013 14:54:05.854 PST
Gen. Time: 02/08/2013 14:54:05.854 PST
   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION Info
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN
        179.92.102.7 (14:54:05.854 PST)
          event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 200 IPs (200 /24s) (# pkts S/M/O/I=0/200/0/0): 445:200, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (14:54:05.854 PST)
tcpslice 1360364045.854 1360364045.855 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.77'
============================== SEPARATOR ================================

Score: 1.1 (>= 0.8)
Infected Target: 192.168.1.77
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 02/08/2013 15:03:42.717 PST
Gen. Time: 02/08/2013 15:03:50.000 PST
   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
        69.80.185.9 (15:03:42.717 PST)
          event=777:7777005 {icmp} E5[bh] Detected moderate malware port scanning of 10 IPs (10 /24s) (# pkts S/M/O/I=0/10/0/0): 445:10, [] MAC_Src: 00:21:1C:EE:14:00 (15:03:42.717 PST)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION Info
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN
        66.83.225.78 (15:03:50.000 PST)
          event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 21 IPs (21 /24s) (# pkts S/M/O/I=0/21/0/0): 445:21, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (15:03:50.000 PST)
tcpslice 1360364622.717 1360364622.718 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.77'
============================== SEPARATOR ================================

Score: 1.1 (>= 0.8)
Infected Target: 192.168.1.77
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 02/08/2013 15:03:42.717 PST
Gen. Time: 02/08/2013 15:07:30.683 PST
   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
        69.80.185.9 (15:03:42.717 PST)
          event=777:7777005 {icmp} E5[bh] Detected moderate malware port scanning of 10 IPs (10 /24s) (# pkts S/M/O/I=0/10/0/0): 445:10, [] MAC_Src: 00:21:1C:EE:14:00 (15:03:42.717 PST)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION Info
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN
        71.97.102.118 (15:05:20.782 PST)
          event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 166 IPs (166 /24s) (# pkts S/M/O/I=0/166/0/0): 445:166, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (15:05:20.782 PST)
        66.83.225.78 (15:03:50.000 PST)
          event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 21 IPs (21 /24s) (# pkts S/M/O/I=0/21/0/0): 445:21, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (15:03:50.000 PST)
tcpslice 1360364622.717 1360364622.718 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.77'
============================== SEPARATOR ================================

Score: 1.1 (>= 0.8)
Infected Target: 192.168.1.77
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 02/08/2013 15:15:44.955 PST
Gen. Time: 02/08/2013 15:15:49.876 PST
   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
        184.48.231.43 (15:15:44.955 PST)
          event=777:7777005 {icmp} E5[bh] Detected moderate malware port scanning of 10 IPs (10 /24s) (# pkts S/M/O/I=0/10/0/0): 445:10, [] MAC_Src: 00:21:1C:EE:14:00 (15:15:44.955 PST)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION Info
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN
        184.48.231.43 (15:15:49.876 PST)
          event=777:7777008 {icmp} E8[bh] Detected intense malware port scanning of 21 IPs (21 /24s) (# pkts S/M/O/I=0/21/0/0): 445:21, [] MAC_Src: 00:21:1C:EE:14:00 (15:15:49.876 PST)
tcpslice 1360365344.955 1360365344.956 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.77'
============================== SEPARATOR ================================

Score: 1.1 (>= 0.8)
Infected Target: 192.168.1.77
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 02/08/2013 15:15:44.955 PST
Gen. Time: 02/08/2013 15:19:45.193 PST
   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
        184.48.231.43 (15:15:44.955 PST)
          event=777:7777005 {icmp} E5[bh] Detected moderate malware port scanning of 10 IPs (10 /24s) (# pkts S/M/O/I=0/10/0/0): 445:10, [] MAC_Src: 00:21:1C:EE:14:00 (15:15:44.955 PST)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION Info
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN
        21.85.56.40 (15:17:19.310 PST)
          event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 154 IPs (154 /24s) (# pkts S/M/O/I=0/154/0/0): 445:154, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (15:17:19.310 PST)
        184.48.231.43 (15:15:49.876 PST)
          event=777:7777008 {icmp} E8[bh] Detected intense malware port scanning of 21 IPs (21 /24s) (# pkts S/M/O/I=0/21/0/0): 445:21, [] MAC_Src: 00:21:1C:EE:14:00 (15:15:49.876 PST)
tcpslice 1360365344.955 1360365344.956 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.77'
============================== SEPARATOR ================================

Score: 1.1 (>= 0.8)
Infected Target: 192.168.1.77
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 02/08/2013 15:27:51.753 PST
Gen. Time: 02/08/2013 15:27:58.612 PST
   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
        169.120.158.62 (15:27:51.753 PST)
          event=777:7777005 {icmp} E5[bh] Detected moderate malware port scanning of 10 IPs (10 /24s) (# pkts S/M/O/I=0/10/0/0): 445:10, [] MAC_Src: 00:21:1C:EE:14:00 (15:27:51.753 PST)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION Info
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN
        149.13.34.58 (15:27:58.612 PST)
          event=777:7777008 {icmp} E8[bh] Detected intense malware port scanning of 21 IPs (21 /24s) (# pkts S/M/O/I=0/21/0/0): 445:21, [] MAC_Src: 00:21:1C:EE:14:00 (15:27:58.612 PST)
tcpslice 1360366071.753 1360366071.754 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.77'
============================== SEPARATOR ================================

Score: 1.1 (>= 0.8)
Infected Target: 192.168.1.77
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 02/08/2013 15:27:51.753 PST
Gen.
Time: 02/08/2013 15:31:14.333 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) 169.120.158.62 (15:27:51.753 PST) event=777:7777005 {icmp} E5[bh] Detected moderate malware port scanning of 10 IPs (10 /24s) (# pkts S/M/O/I=0/10/0/0): 445:10, [] MAC_Src: 00:21:1C:EE:14:00 (15:27:51.753 PST) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 149.13.34.58 (15:27:58.612 PST) event=777:7777008 {icmp} E8[bh] Detected intense malware port scanning of 21 IPs (21 /24s) (# pkts S/M/O/I=0/21/0/0): 445:21, [] MAC_Src: 00:21:1C:EE:14:00 (15:27:58.612 PST) 90.106.122.106 (15:29:28.956 PST) event=777:7777008 {icmp} E8[bh] Detected intense malware port scanning of 141 IPs (141 /24s) (# pkts S/M/O/I=0/141/0/0): 445:141, [] MAC_Src: 00:21:1C:EE:14:00 (15:29:28.956 PST) tcpslice 1360366071.753 1360366071.754 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.77' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.77 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 02/08/2013 15:30:14.664 PST Gen. 
Time: 02/08/2013 15:30:14.664 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 90.106.122.106 (15:30:14.664 PST) event=777:7777008 {icmp} E8[bh] Detected intense malware port scanning of 200 IPs (200 /24s) (# pkts S/M/O/I=0/200/0/0): 445:200, [] MAC_Src: 00:21:1C:EE:14:00 (15:30:14.664 PST) tcpslice 1360366214.664 1360366214.665 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.77' ============================== SEPARATOR ================================ Score: 1.1 (>= 0.8) Infected Target: 192.168.1.77 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 02/08/2013 15:39:54.779 PST Gen. Time: 02/08/2013 15:40:00.602 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) 191.56.47.83 (15:39:54.779 PST) event=777:7777005 {icmp} E5[bh] Detected moderate malware port scanning of 10 IPs (10 /24s) (# pkts S/M/O/I=0/10/0/0): 445:10, [] MAC_Src: 00:21:1C:EE:14:00 (15:39:54.779 PST) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 191.56.47.83 (15:40:00.602 PST) event=777:7777008 {icmp} E8[bh] Detected intense malware port scanning of 21 IPs (21 /24s) (# pkts S/M/O/I=0/21/0/0): 445:21, [] MAC_Src: 00:21:1C:EE:14:00 (15:40:00.602 PST) tcpslice 1360366794.779 1360366794.780 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.77' ============================== SEPARATOR ================================ Score: 1.1 (>= 0.8) Infected Target: 192.168.1.77 Infector List: Egg Source List: C & C List: Peer Coord. 
List: Resource List: Observed Start: 02/08/2013 15:39:54.779 PST Gen. Time: 02/08/2013 15:42:56.823 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) 191.56.47.83 (15:39:54.779 PST) event=777:7777005 {icmp} E5[bh] Detected moderate malware port scanning of 10 IPs (10 /24s) (# pkts S/M/O/I=0/10/0/0): 445:10, [] MAC_Src: 00:21:1C:EE:14:00 (15:39:54.779 PST) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 191.56.47.83 (15:40:00.602 PST) event=777:7777008 {icmp} E8[bh] Detected intense malware port scanning of 21 IPs (21 /24s) (# pkts S/M/O/I=0/21/0/0): 445:21, [] MAC_Src: 00:21:1C:EE:14:00 (15:40:00.602 PST) 125.27.91.71 (15:41:30.135 PST) event=777:7777008 {icmp} E8[bh] Detected intense malware port scanning of 161 IPs (161 /24s) (# pkts S/M/O/I=0/161/0/0): 445:161, [] MAC_Src: 00:21:1C:EE:14:00 (15:41:30.135 PST) tcpslice 1360366794.779 1360366794.780 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.77' ============================== SEPARATOR ================================ Score: 1.1 (>= 0.8) Infected Target: 192.168.1.77 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 02/08/2013 15:54:50.920 PST Gen. 
Time: 02/08/2013 15:54:56.707 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) 118.95.87.1 (15:54:50.920 PST) event=777:7777005 {icmp} E5[bh] Detected moderate malware port scanning of 10 IPs (10 /24s) (# pkts S/M/O/I=0/10/0/0): 445:10, [] MAC_Src: 00:21:1C:EE:14:00 (15:54:50.920 PST) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 118.95.87.1 (15:54:56.707 PST) event=777:7777008 {icmp} E8[bh] Detected intense malware port scanning of 21 IPs (21 /24s) (# pkts S/M/O/I=0/21/0/0): 445:21, [] MAC_Src: 00:21:1C:EE:14:00 (15:54:56.707 PST) tcpslice 1360367690.920 1360367690.921 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.77' ============================== SEPARATOR ================================ Score: 1.1 (>= 0.8) Infected Target: 192.168.1.77 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 02/08/2013 15:54:50.920 PST Gen. 
Time: 02/08/2013 15:57:27.301 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) 118.95.87.1 (15:54:50.920 PST) event=777:7777005 {icmp} E5[bh] Detected moderate malware port scanning of 10 IPs (10 /24s) (# pkts S/M/O/I=0/10/0/0): 445:10, [] MAC_Src: 00:21:1C:EE:14:00 (15:54:50.920 PST) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 62.24.181.111 (15:56:26.076 PST) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 172 IPs (172 /24s) (# pkts S/M/O/I=0/172/0/0): 445:172, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (15:56:26.076 PST) 118.95.87.1 (15:54:56.707 PST) event=777:7777008 {icmp} E8[bh] Detected intense malware port scanning of 21 IPs (21 /24s) (# pkts S/M/O/I=0/21/0/0): 445:21, [] MAC_Src: 00:21:1C:EE:14:00 (15:54:56.707 PST) tcpslice 1360367690.920 1360367690.921 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.77' ============================== SEPARATOR ================================ Score: 1.1 (>= 0.8) Infected Target: 192.168.1.77 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 02/08/2013 16:06:54.722 PST Gen. 
Time: 02/08/2013 16:07:02.706 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) 164.122.236.53 (16:06:54.722 PST) event=777:7777005 {icmp} E5[bh] Detected moderate malware port scanning of 10 IPs (10 /24s) (# pkts S/M/O/I=0/10/0/0): 445:10, [] MAC_Src: 00:21:1C:EE:14:00 (16:06:54.722 PST) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 164.98.70.117 (16:07:02.706 PST) event=777:7777008 {icmp} E8[bh] Detected intense malware port scanning of 21 IPs (21 /24s) (# pkts S/M/O/I=0/21/0/0): 445:21, [] MAC_Src: 00:21:1C:EE:14:00 (16:07:02.706 PST) tcpslice 1360368414.722 1360368414.723 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.77' ============================== SEPARATOR ================================ Score: 1.1 (>= 0.8) Infected Target: 192.168.1.77 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 02/08/2013 16:06:54.722 PST Gen. 
Time: 02/08/2013 16:10:31.231 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) 164.122.236.53 (16:06:54.722 PST) event=777:7777005 {icmp} E5[bh] Detected moderate malware port scanning of 10 IPs (10 /24s) (# pkts S/M/O/I=0/10/0/0): 445:10, [] MAC_Src: 00:21:1C:EE:14:00 (16:06:54.722 PST) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 164.98.70.117 (16:07:02.706 PST) event=777:7777008 {icmp} E8[bh] Detected intense malware port scanning of 21 IPs (21 /24s) (# pkts S/M/O/I=0/21/0/0): 445:21, [] MAC_Src: 00:21:1C:EE:14:00 (16:07:02.706 PST) 19.32.23.68 (16:08:32.003 PST) event=777:7777008 {icmp} E8[bh] Detected intense malware port scanning of 140 IPs (140 /24s) (# pkts S/M/O/I=0/140/0/0): 445:140, [] MAC_Src: 00:21:1C:EE:14:00 (16:08:32.003 PST) tcpslice 1360368414.722 1360368414.723 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.77' ============================== SEPARATOR ================================ Score: 1.1 (>= 0.8) Infected Target: 192.168.1.77 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 02/08/2013 16:18:57.038 PST Gen. 
Time: 02/08/2013 16:19:00.873 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) 50.95.50.108 (16:18:57.038 PST) event=777:7777005 {icmp} E5[bh] Detected moderate malware port scanning of 10 IPs (10 /24s) (# pkts S/M/O/I=0/10/0/0): 445:10, [] MAC_Src: 00:21:1C:EE:14:00 (16:18:57.038 PST) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 148.126.14.85 (16:19:00.873 PST) event=777:7777008 {icmp} E8[bh] Detected intense malware port scanning of 21 IPs (21 /24s) (# pkts S/M/O/I=0/21/0/0): 445:21, [] MAC_Src: 00:21:1C:EE:14:00 (16:19:00.873 PST) tcpslice 1360369137.038 1360369137.039 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.77' ============================== SEPARATOR ================================ Score: 1.1 (>= 0.8) Infected Target: 192.168.1.77 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 02/08/2013 16:18:57.038 PST Gen. 
Time: 02/08/2013 16:22:02.667 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) 50.95.50.108 (16:18:57.038 PST) event=777:7777005 {icmp} E5[bh] Detected moderate malware port scanning of 10 IPs (10 /24s) (# pkts S/M/O/I=0/10/0/0): 445:10, [] MAC_Src: 00:21:1C:EE:14:00 (16:18:57.038 PST) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 212.11.213.74 (16:20:30.847 PST) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 156 IPs (156 /24s) (# pkts S/M/O/I=0/156/0/0): 445:156, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (16:20:30.847 PST) 148.126.14.85 (16:19:00.873 PST) event=777:7777008 {icmp} E8[bh] Detected intense malware port scanning of 21 IPs (21 /24s) (# pkts S/M/O/I=0/21/0/0): 445:21, [] MAC_Src: 00:21:1C:EE:14:00 (16:19:00.873 PST) tcpslice 1360369137.038 1360369137.039 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.77' ============================== SEPARATOR ================================ Score: 1.1 (>= 0.8) Infected Target: 192.168.1.77 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 02/08/2013 16:30:59.858 PST Gen. 
Time: 02/08/2013 16:31:09.874 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) 43.88.27.62 (16:30:59.858 PST) event=777:7777005 {tcp} E5[bh] Detected moderate malware port scanning of 10 IPs (10 /24s) (# pkts S/M/O/I=0/10/0/0): 445:10, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (16:30:59.858 PST) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 43.88.27.62 (16:31:09.874 PST) event=777:7777008 {icmp} E8[bh] Detected intense malware port scanning of 21 IPs (21 /24s) (# pkts S/M/O/I=0/21/0/0): 445:21, [] MAC_Src: 00:21:1C:EE:14:00 (16:31:09.874 PST) tcpslice 1360369859.858 1360369859.859 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.77' ============================== SEPARATOR ================================ Score: 1.1 (>= 0.8) Infected Target: 192.168.1.77 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 02/08/2013 16:30:59.858 PST Gen. 
Time: 02/08/2013 16:35:02.407 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) 43.88.27.62 (16:30:59.858 PST) event=777:7777005 {tcp} E5[bh] Detected moderate malware port scanning of 10 IPs (10 /24s) (# pkts S/M/O/I=0/10/0/0): 445:10, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (16:30:59.858 PST) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 43.88.27.62 (16:31:09.874 PST) event=777:7777008 {icmp} E8[bh] Detected intense malware port scanning of 21 IPs (21 /24s) (# pkts S/M/O/I=0/21/0/0): 445:21, [] MAC_Src: 00:21:1C:EE:14:00 (16:31:09.874 PST) 68.109.209.94 (16:32:39.796 PST) event=777:7777008 {icmp} E8[bh] Detected intense malware port scanning of 147 IPs (147 /24s) (# pkts S/M/O/I=0/147/0/0): 445:147, [] MAC_Src: 00:21:1C:EE:14:00 (16:32:39.796 PST) tcpslice 1360369859.858 1360369859.859 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.77' ============================== SEPARATOR ================================ Score: 1.1 (>= 0.8) Infected Target: 192.168.1.77 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 02/08/2013 16:43:04.987 PST Gen. 
Time: 02/08/2013 16:43:14.722 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) 69.70.202.100 (16:43:04.987 PST) event=777:7777005 {icmp} E5[bh] Detected moderate malware port scanning of 10 IPs (10 /24s) (# pkts S/M/O/I=0/10/0/0): 445:10, [] MAC_Src: 00:21:1C:EE:14:00 (16:43:04.987 PST) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 69.70.202.100 (16:43:14.722 PST) event=777:7777008 {icmp} E8[bh] Detected intense malware port scanning of 21 IPs (21 /24s) (# pkts S/M/O/I=0/21/0/0): 445:21, [] MAC_Src: 00:21:1C:EE:14:00 (16:43:14.722 PST) tcpslice 1360370584.987 1360370584.988 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.77' ============================== SEPARATOR ================================ Score: 1.1 (>= 0.8) Infected Target: 192.168.1.77 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 02/08/2013 16:43:04.987 PST Gen. 
Time: 02/08/2013 16:44:52.828 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) 69.70.202.100 (16:43:04.987 PST) event=777:7777005 {icmp} E5[bh] Detected moderate malware port scanning of 10 IPs (10 /24s) (# pkts S/M/O/I=0/10/0/0): 445:10, [] MAC_Src: 00:21:1C:EE:14:00 (16:43:04.987 PST) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 69.70.202.100 (16:43:14.722 PST) event=777:7777008 {icmp} E8[bh] Detected intense malware port scanning of 21 IPs (21 /24s) (# pkts S/M/O/I=0/21/0/0): 445:21, [] MAC_Src: 00:21:1C:EE:14:00 (16:43:14.722 PST) 56.65.244.27 (16:44:44.133 PST) event=777:7777008 {icmp} E8[bh] Detected intense malware port scanning of 174 IPs (174 /24s) (# pkts S/M/O/I=0/174/0/0): 445:174, [] MAC_Src: 00:21:1C:EE:14:00 (16:44:44.133 PST) tcpslice 1360370584.987 1360370584.988 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.77' ============================== SEPARATOR ================================ Score: 1.1 (>= 0.8) Infected Target: 192.168.1.77 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 02/08/2013 16:55:06.025 PST Gen. 
Time: 02/08/2013 16:55:11.946 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) 83.103.192.8 (16:55:06.025 PST) event=777:7777005 {tcp} E5[bh] Detected moderate malware port scanning of 10 IPs (10 /24s) (# pkts S/M/O/I=0/10/0/0): 445:10, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (16:55:06.025 PST) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 83.103.192.8 (16:55:11.946 PST) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 21 IPs (21 /24s) (# pkts S/M/O/I=0/21/0/0): 445:21, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (16:55:11.946 PST) tcpslice 1360371306.025 1360371306.026 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.77' ============================== SEPARATOR ================================ Score: 1.1 (>= 0.8) Infected Target: 192.168.1.77 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 02/08/2013 16:55:06.025 PST Gen. 
Time: 02/08/2013 16:59:13.069 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) 83.103.192.8 (16:55:06.025 PST) event=777:7777005 {tcp} E5[bh] Detected moderate malware port scanning of 10 IPs (10 /24s) (# pkts S/M/O/I=0/10/0/0): 445:10, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (16:55:06.025 PST) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 192.90.45.30 (16:59:13.069 PST) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 202 IPs (202 /24s) (# pkts S/M/O/I=0/200/2/0): 445:200, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (16:59:13.069 PST) 206.41.155.91 (16:56:41.820 PST) event=777:7777008 {icmp} E8[bh] Detected intense malware port scanning of 163 IPs (163 /24s) (# pkts S/M/O/I=0/163/0/0): 445:163, [] MAC_Src: 00:21:1C:EE:14:00 (16:56:41.820 PST) 83.103.192.8 (16:55:11.946 PST) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 21 IPs (21 /24s) (# pkts S/M/O/I=0/21/0/0): 445:21, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (16:55:11.946 PST) tcpslice 1360371306.025 1360371306.026 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.77' ============================== SEPARATOR ================================ Score: 1.1 (>= 0.8) Infected Target: 192.168.1.77 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 02/08/2013 17:07:09.850 PST Gen. 
Time: 02/08/2013 17:07:18.827 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) 107.13.22.86 (17:07:09.850 PST) event=777:7777005 {icmp} E5[bh] Detected moderate malware port scanning of 10 IPs (10 /24s) (# pkts S/M/O/I=0/10/0/0): 445:10, [] MAC_Src: 00:21:1C:EE:14:00 (17:07:09.850 PST) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 103.119.21.88 (17:07:18.827 PST) event=777:7777008 {icmp} E8[bh] Detected intense malware port scanning of 21 IPs (21 /24s) (# pkts S/M/O/I=0/21/0/0): 445:21, [] MAC_Src: 00:21:1C:EE:14:00 (17:07:18.827 PST) tcpslice 1360372029.850 1360372029.851 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.77' ============================== SEPARATOR ================================ Score: 1.1 (>= 0.8) Infected Target: 192.168.1.77 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 02/08/2013 17:07:09.850 PST Gen. 
Time: 02/08/2013 17:10:00.060 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) 107.13.22.86 (17:07:09.850 PST) event=777:7777005 {icmp} E5[bh] Detected moderate malware port scanning of 10 IPs (10 /24s) (# pkts S/M/O/I=0/10/0/0): 445:10, [] MAC_Src: 00:21:1C:EE:14:00 (17:07:09.850 PST) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 103.119.21.88 (17:07:18.827 PST) event=777:7777008 {icmp} E8[bh] Detected intense malware port scanning of 21 IPs (21 /24s) (# pkts S/M/O/I=0/21/0/0): 445:21, [] MAC_Src: 00:21:1C:EE:14:00 (17:07:18.827 PST) 156.55.40.79 (17:08:48.867 PST) event=777:7777008 {icmp} E8[bh] Detected intense malware port scanning of 148 IPs (148 /24s) (# pkts S/M/O/I=0/148/0/0): 445:148, [] MAC_Src: 00:21:1C:EE:14:00 (17:08:48.867 PST) tcpslice 1360372029.850 1360372029.851 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.77' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.77 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 02/08/2013 17:09:34.018 PST Gen. 
Time: 02/08/2013 17:09:34.018 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 156.55.40.79 (17:09:34.018 PST) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 200 IPs (200 /24s) (# pkts S/M/O/I=0/200/0/0): 445:200, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (17:09:34.018 PST) tcpslice 1360372174.018 1360372174.019 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.77' ============================== SEPARATOR ================================ Score: 1.1 (>= 0.8) Infected Target: 192.168.1.77 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 02/08/2013 17:19:09.796 PST Gen. Time: 02/08/2013 17:19:15.846 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) 97.117.243.58 (17:19:09.796 PST) event=777:7777005 {icmp} E5[bh] Detected moderate malware port scanning of 10 IPs (10 /24s) (# pkts S/M/O/I=0/10/0/0): 445:10, [] MAC_Src: 00:21:1C:EE:14:00 (17:19:09.796 PST) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 94.60.192.42 (17:19:15.846 PST) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 21 IPs (21 /24s) (# pkts S/M/O/I=0/21/0/0): 445:21, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (17:19:15.846 PST) tcpslice 1360372749.796 1360372749.797 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.77' ============================== SEPARATOR ================================ Score: 1.1 (>= 0.8) Infected Target: 192.168.1.77 Infector List: Egg Source List: C & C List: Peer 
Coord. List: Resource List: Observed Start: 02/08/2013 17:19:09.796 PST Gen. Time: 02/08/2013 17:22:17.751 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) 97.117.243.58 (17:19:09.796 PST) event=777:7777005 {icmp} E5[bh] Detected moderate malware port scanning of 10 IPs (10 /24s) (# pkts S/M/O/I=0/10/0/0): 445:10, [] MAC_Src: 00:21:1C:EE:14:00 (17:19:09.796 PST) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 25.80.207.16 (17:20:45.798 PST) event=777:7777008 {icmp} E8[bh] Detected intense malware port scanning of 145 IPs (145 /24s) (# pkts S/M/O/I=0/145/0/0): 445:145, [] MAC_Src: 00:21:1C:EE:14:00 (17:20:45.798 PST) 94.60.192.42 (17:19:15.846 PST) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 21 IPs (21 /24s) (# pkts S/M/O/I=0/21/0/0): 445:21, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (17:19:15.846 PST) tcpslice 1360372749.796 1360372749.797 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.77' ============================== SEPARATOR ================================ Score: 1.1 (>= 0.8) Infected Target: 192.168.1.77 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 02/08/2013 17:31:17.913 PST Gen. 
Time: 02/08/2013 17:31:25.845 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) 86.30.58.61 (17:31:17.913 PST) event=777:7777005 {icmp} E5[bh] Detected moderate malware port scanning of 10 IPs (10 /24s) (# pkts S/M/O/I=0/10/0/0): 445:10, [] MAC_Src: 00:21:1C:EE:14:00 (17:31:17.913 PST) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 62.25.190.88 (17:31:25.845 PST) event=777:7777008 {icmp} E8[bh] Detected intense malware port scanning of 21 IPs (21 /24s) (# pkts S/M/O/I=0/21/0/0): 445:21, [] MAC_Src: 00:21:1C:EE:14:00 (17:31:25.845 PST) tcpslice 1360373477.913 1360373477.914 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.77' ============================== SEPARATOR ================================ Score: 1.1 (>= 0.8) Infected Target: 192.168.1.77 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 02/08/2013 17:31:17.913 PST Gen. 
Time: 02/08/2013 17:34:20.337 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) 86.30.58.61 (17:31:17.913 PST) event=777:7777005 {icmp} E5[bh] Detected moderate malware port scanning of 10 IPs (10 /24s) (# pkts S/M/O/I=0/10/0/0): 445:10, [] MAC_Src: 00:21:1C:EE:14:00 (17:31:17.913 PST) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 39.110.115.70 (17:32:55.851 PST) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 155 IPs (155 /24s) (# pkts S/M/O/I=0/155/0/0): 445:155, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (17:32:55.851 PST) 62.25.190.88 (17:31:25.845 PST) event=777:7777008 {icmp} E8[bh] Detected intense malware port scanning of 21 IPs (21 /24s) (# pkts S/M/O/I=0/21/0/0): 445:21, [] MAC_Src: 00:21:1C:EE:14:00 (17:31:25.845 PST) tcpslice 1360373477.913 1360373477.914 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.77' ============================== SEPARATOR ================================ Score: 1.1 (>= 0.8) Infected Target: 192.168.1.77 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 02/08/2013 17:43:20.809 PST Gen. 
Time: 02/08/2013 17:43:27.966 PST
INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
  142.18.71.30 (17:43:20.809 PST) event=777:7777005 {icmp} E5[bh] Detected moderate malware port scanning of 10 IPs (10 /24s) (# pkts S/M/O/I=0/10/0/0): 445:10, [] MAC_Src: 00:21:1C:EE:14:00 (17:43:20.809 PST)
OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN
  142.18.71.30 (17:43:27.966 PST) event=777:7777008 {icmp} E8[bh] Detected intense malware port scanning of 21 IPs (21 /24s) (# pkts S/M/O/I=0/21/0/0): 445:21, [] MAC_Src: 00:21:1C:EE:14:00 (17:43:27.966 PST)
tcpslice 1360374200.809 1360374200.810 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.77'
============================== SEPARATOR ================================
Score: 1.1 (>= 0.8)
Infected Target: 192.168.1.77
Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List:
Observed Start: 02/08/2013 17:43:20.809 PST
Gen. Time: 02/08/2013 17:46:14.325 PST
INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
  142.18.71.30 (17:43:20.809 PST) event=777:7777005 {icmp} E5[bh] Detected moderate malware port scanning of 10 IPs (10 /24s) (# pkts S/M/O/I=0/10/0/0): 445:10, [] MAC_Src: 00:21:1C:EE:14:00 (17:43:20.809 PST)
OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN
  72.26.149.113 (17:44:57.775 PST) event=777:7777008 {icmp} E8[bh] Detected intense malware port scanning of 178 IPs (178 /24s) (# pkts S/M/O/I=0/178/0/0): 445:178, [] MAC_Src: 00:21:1C:EE:14:00 (17:44:57.775 PST)
  142.18.71.30 (17:43:27.966 PST) event=777:7777008 {icmp} E8[bh] Detected intense malware port scanning of 21 IPs (21 /24s) (# pkts S/M/O/I=0/21/0/0): 445:21, [] MAC_Src: 00:21:1C:EE:14:00 (17:43:27.966 PST)
tcpslice 1360374200.809 1360374200.810 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.77'
============================== SEPARATOR ================================
Score: 1.1 (>= 0.8)
Infected Target: 192.168.1.77
Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List:
Observed Start: 02/08/2013 17:55:19.782 PST
Gen. Time: 02/08/2013 17:55:25.119 PST
INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
  54.77.169.126 (17:55:19.782 PST) event=777:7777005 {icmp} E5[bh] Detected moderate malware port scanning of 10 IPs (10 /24s) (# pkts S/M/O/I=0/10/0/0): 445:10, [] MAC_Src: 00:21:1C:EE:14:00 (17:55:19.782 PST)
OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN
  213.41.223.111 (17:55:25.119 PST) event=777:7777008 {icmp} E8[bh] Detected intense malware port scanning of 21 IPs (21 /24s) (# pkts S/M/O/I=0/21/0/0): 445:21, [] MAC_Src: 00:21:1C:EE:14:00 (17:55:25.119 PST)
tcpslice 1360374919.782 1360374919.783 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.77'
============================== SEPARATOR ================================
Score: 1.1 (>= 0.8)
Infected Target: 192.168.1.77
Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List:
Observed Start: 02/08/2013 17:55:19.782 PST
Gen. Time: 02/08/2013 18:00:00.209 PST
INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
  54.77.169.126 (17:55:19.782 PST) event=777:7777005 {icmp} E5[bh] Detected moderate malware port scanning of 10 IPs (10 /24s) (# pkts S/M/O/I=0/10/0/0): 445:10, [] MAC_Src: 00:21:1C:EE:14:00 (17:55:19.782 PST)
OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN
  213.41.223.111 (17:55:25.119 PST) event=777:7777008 {icmp} E8[bh] Detected intense malware port scanning of 21 IPs (21 /24s) (# pkts S/M/O/I=0/21/0/0): 445:21, [] MAC_Src: 00:21:1C:EE:14:00 (17:55:25.119 PST)
  80.76.26.102 (17:56:55.784 PST) event=777:7777008 {icmp} E8[bh] Detected intense malware port scanning of 138 IPs (138 /24s) (# pkts S/M/O/I=0/138/0/0): 445:138, [] MAC_Src: 00:21:1C:EE:14:00 (17:56:55.784 PST)
tcpslice 1360374919.782 1360374919.783 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.77'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.77
Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List:
Observed Start: 02/08/2013 17:57:45.117 PST
Gen. Time: 02/08/2013 17:57:45.117 PST
INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN
  80.76.26.102 (17:57:45.117 PST) event=777:7777008 {icmp} E8[bh] Detected intense malware port scanning of 200 IPs (200 /24s) (# pkts S/M/O/I=0/200/0/0): 445:200, [] MAC_Src: 00:21:1C:EE:14:00 (17:57:45.117 PST)
tcpslice 1360375065.117 1360375065.118 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.77'
============================== SEPARATOR ================================
Score: 1.1 (>= 0.8)
Infected Target: 192.168.1.77
Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List:
Observed Start: 02/08/2013 17:57:45.117 PST
Gen. Time: 02/08/2013 18:07:24.028 PST
INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
  207.8.118.36 (18:07:24.028 PST) event=777:7777005 {tcp} E5[bh] Detected moderate malware port scanning of 10 IPs (10 /24s) (# pkts S/M/O/I=0/10/0/0): 445:10, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (18:07:24.028 PST)
OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN
  80.76.26.102 (17:57:45.117 PST) event=777:7777008 {icmp} E8[bh] Detected intense malware port scanning of 200 IPs (200 /24s) (# pkts S/M/O/I=0/200/0/0): 445:200, [] MAC_Src: 00:21:1C:EE:14:00 (17:57:45.117 PST)
tcpslice 1360375065.117 1360375065.118 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.77'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.77
Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List:
Observed Start: 02/08/2013 18:07:35.798 PST
Gen. Time: 02/08/2013 18:07:35.798 PST
INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN
  207.8.118.36 (18:07:35.798 PST) event=777:7777008 {icmp} E8[bh] Detected intense malware port scanning of 21 IPs (21 /24s) (# pkts S/M/O/I=0/21/0/0): 445:21, [] MAC_Src: 00:21:1C:EE:14:00 (18:07:35.798 PST)
tcpslice 1360375655.798 1360375655.799 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.77'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.77
Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List:
Observed Start: 02/08/2013 18:07:35.798 PST
Gen. Time: 02/08/2013 18:11:14.344 PST
INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN
  51.4.174.31 (18:09:05.102 PST) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 147 IPs (147 /24s) (# pkts S/M/O/I=0/147/0/0): 445:147, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (18:09:05.102 PST)
  207.8.118.36 (18:07:35.798 PST) event=777:7777008 {icmp} E8[bh] Detected intense malware port scanning of 21 IPs (21 /24s) (# pkts S/M/O/I=0/21/0/0): 445:21, [] MAC_Src: 00:21:1C:EE:14:00 (18:07:35.798 PST)
tcpslice 1360375655.798 1360375655.799 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.77'
============================== SEPARATOR ================================
Score: 1.1 (>= 0.8)
Infected Target: 192.168.1.77
Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List:
Observed Start: 02/08/2013 18:19:28.797 PST
Gen. Time: 02/08/2013 18:19:37.027 PST
INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
  98.89.7.70 (18:19:28.797 PST) event=777:7777005 {tcp} E5[bh] Detected moderate malware port scanning of 10 IPs (10 /24s) (# pkts S/M/O/I=0/10/0/0): 445:10, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (18:19:28.797 PST)
OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN
  98.89.7.70 (18:19:37.027 PST) event=777:7777008 {icmp} E8[bh] Detected intense malware port scanning of 21 IPs (21 /24s) (# pkts S/M/O/I=0/21/0/0): 445:21, [] MAC_Src: 00:21:1C:EE:14:00 (18:19:37.027 PST)
tcpslice 1360376368.797 1360376368.798 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.77'
============================== SEPARATOR ================================
Score: 1.1 (>= 0.8)
Infected Target: 192.168.1.77
Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List:
Observed Start: 02/08/2013 18:19:28.797 PST
Gen. Time: 02/08/2013 18:23:19.303 PST
INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
  98.89.7.70 (18:19:28.797 PST) event=777:7777005 {tcp} E5[bh] Detected moderate malware port scanning of 10 IPs (10 /24s) (# pkts S/M/O/I=0/10/0/0): 445:10, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (18:19:28.797 PST)
OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN
  98.89.7.70 (18:19:37.027 PST) event=777:7777008 {icmp} E8[bh] Detected intense malware port scanning of 21 IPs (21 /24s) (# pkts S/M/O/I=0/21/0/0): 445:21, [] MAC_Src: 00:21:1C:EE:14:00 (18:19:37.027 PST)
  173.89.215.57 (18:21:07.706 PST) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 160 IPs (160 /24s) (# pkts S/M/O/I=0/160/0/0): 445:160, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (18:21:07.706 PST)
tcpslice 1360376368.797 1360376368.798 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.77'
============================== SEPARATOR ================================
Score: 1.1 (>= 0.8)
Infected Target: 192.168.1.77
Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List:
Observed Start: 02/08/2013 18:31:28.859 PST
Gen. Time: 02/08/2013 18:31:36.954 PST
INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
  147.62.201.5 (18:31:28.859 PST) event=777:7777005 {icmp} E5[bh] Detected moderate malware port scanning of 10 IPs (10 /24s) (# pkts S/M/O/I=0/10/0/0): 445:10, [] MAC_Src: 00:21:1C:EE:14:00 (18:31:28.859 PST)
OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN
  147.62.201.5 (18:31:36.954 PST) event=777:7777008 {icmp} E8[bh] Detected intense malware port scanning of 21 IPs (21 /24s) (# pkts S/M/O/I=0/21/0/0): 445:21, [] MAC_Src: 00:21:1C:EE:14:00 (18:31:36.954 PST)
tcpslice 1360377088.859 1360377088.860 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.77'
============================== SEPARATOR ================================
Score: 1.1 (>= 0.8)
Infected Target: 192.168.1.77
Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List:
Observed Start: 02/08/2013 18:31:28.859 PST
Gen. Time: 02/08/2013 18:35:12.575 PST
INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
  147.62.201.5 (18:31:28.859 PST) event=777:7777005 {icmp} E5[bh] Detected moderate malware port scanning of 10 IPs (10 /24s) (# pkts S/M/O/I=0/10/0/0): 445:10, [] MAC_Src: 00:21:1C:EE:14:00 (18:31:28.859 PST)
OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN
  99.97.73.79 (18:33:06.594 PST) event=777:7777008 {icmp} E8[bh] Detected intense malware port scanning of 160 IPs (160 /24s) (# pkts S/M/O/I=0/160/0/0): 445:160, [] MAC_Src: 00:21:1C:EE:14:00 (18:33:06.594 PST)
  147.62.201.5 (18:31:36.954 PST) event=777:7777008 {icmp} E8[bh] Detected intense malware port scanning of 21 IPs (21 /24s) (# pkts S/M/O/I=0/21/0/0): 445:21, [] MAC_Src: 00:21:1C:EE:14:00 (18:31:36.954 PST)
tcpslice 1360377088.859 1360377088.860 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.77'
============================== SEPARATOR ================================
Score: 1.1 (>= 0.8)
Infected Target: 192.168.1.77
Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List:
Observed Start: 02/08/2013 18:43:36.949 PST
Gen. Time: 02/08/2013 18:43:46.947 PST
INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
  85.7.251.122 (18:43:36.949 PST) event=777:7777005 {tcp} E5[bh] Detected moderate malware port scanning of 10 IPs (10 /24s) (# pkts S/M/O/I=0/10/0/0): 445:10, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (18:43:36.949 PST)
OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN
  85.7.251.122 (18:43:46.947 PST) event=777:7777008 {icmp} E8[bh] Detected intense malware port scanning of 21 IPs (21 /24s) (# pkts S/M/O/I=0/21/0/0): 445:21, [] MAC_Src: 00:21:1C:EE:14:00 (18:43:46.947 PST)
tcpslice 1360377816.949 1360377816.950 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.77'
============================== SEPARATOR ================================
Score: 1.1 (>= 0.8)
Infected Target: 192.168.1.77
Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List:
Observed Start: 02/08/2013 18:43:36.949 PST
Gen. Time: 02/08/2013 18:46:14.390 PST
INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
  85.7.251.122 (18:43:36.949 PST) event=777:7777005 {tcp} E5[bh] Detected moderate malware port scanning of 10 IPs (10 /24s) (# pkts S/M/O/I=0/10/0/0): 445:10, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (18:43:36.949 PST)
OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN
  178.60.245.127 (18:45:16.006 PST) event=777:7777008 {icmp} E8[bh] Detected intense malware port scanning of 177 IPs (177 /24s) (# pkts S/M/O/I=0/177/0/0): 445:177, [] MAC_Src: 00:21:1C:EE:14:00 (18:45:16.006 PST)
  85.7.251.122 (18:43:46.947 PST) event=777:7777008 {icmp} E8[bh] Detected intense malware port scanning of 21 IPs (21 /24s) (# pkts S/M/O/I=0/21/0/0): 445:21, [] MAC_Src: 00:21:1C:EE:14:00 (18:43:46.947 PST)
tcpslice 1360377816.949 1360377816.950 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.77'
============================== SEPARATOR ================================
Score: 1.1 (>= 0.8)
Infected Target: 192.168.1.77
Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List:
Observed Start: 02/08/2013 18:55:38.809 PST
Gen. Time: 02/08/2013 18:55:46.784 PST
INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
  174.66.102.35 (18:55:38.809 PST) event=777:7777005 {tcp} E5[bh] Detected moderate malware port scanning of 10 IPs (10 /24s) (# pkts S/M/O/I=0/10/0/0): 445:10, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (18:55:38.809 PST)
OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN
  174.66.102.35 (18:55:46.784 PST) event=777:7777008 {icmp} E8[bh] Detected intense malware port scanning of 21 IPs (21 /24s) (# pkts S/M/O/I=0/21/0/0): 445:21, [] MAC_Src: 00:21:1C:EE:14:00 (18:55:46.784 PST)
tcpslice 1360378538.809 1360378538.810 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.77'
============================== SEPARATOR ================================
Score: 1.1 (>= 0.8)
Infected Target: 192.168.1.77
Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List:
Observed Start: 02/08/2013 18:55:38.809 PST
Gen. Time: 02/08/2013 18:59:05.155 PST
INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
  174.66.102.35 (18:55:38.809 PST) event=777:7777005 {tcp} E5[bh] Detected moderate malware port scanning of 10 IPs (10 /24s) (# pkts S/M/O/I=0/10/0/0): 445:10, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (18:55:38.809 PST)
OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN
  205.48.102.45 (18:57:16.056 PST) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 142 IPs (142 /24s) (# pkts S/M/O/I=0/142/0/0): 445:142, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (18:57:16.056 PST)
  174.66.102.35 (18:55:46.784 PST) event=777:7777008 {icmp} E8[bh] Detected intense malware port scanning of 21 IPs (21 /24s) (# pkts S/M/O/I=0/21/0/0): 445:21, [] MAC_Src: 00:21:1C:EE:14:00 (18:55:46.784 PST)
tcpslice 1360378538.809 1360378538.810 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.77'
============================== SEPARATOR ================================
Score: 1.1 (>= 0.8)
Infected Target: 192.168.1.77
Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List:
Observed Start: 02/08/2013 19:07:40.001 PST
Gen. Time: 02/08/2013 19:07:50.741 PST
INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
  74.84.25.127 (19:07:40.001 PST) event=777:7777005 {tcp} E5[bh] Detected moderate malware port scanning of 10 IPs (10 /24s) (# pkts S/M/O/I=0/10/0/0): 445:10, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (19:07:40.001 PST)
OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN
  196.29.221.108 (19:07:50.741 PST) event=777:7777008 {icmp} E8[bh] Detected intense malware port scanning of 21 IPs (21 /24s) (# pkts S/M/O/I=0/21/0/0): 445:21, [] MAC_Src: 00:21:1C:EE:14:00 (19:07:50.741 PST)
tcpslice 1360379260.001 1360379260.002 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.77'
============================== SEPARATOR ================================
Score: 1.1 (>= 0.8)
Infected Target: 192.168.1.77
Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List:
Observed Start: 02/08/2013 19:07:40.001 PST
Gen. Time: 02/08/2013 19:10:27.192 PST
INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
  74.84.25.127 (19:07:40.001 PST) event=777:7777005 {tcp} E5[bh] Detected moderate malware port scanning of 10 IPs (10 /24s) (# pkts S/M/O/I=0/10/0/0): 445:10, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (19:07:40.001 PST)
OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN
  196.29.221.108 (19:07:50.741 PST) event=777:7777008 {icmp} E8[bh] Detected intense malware port scanning of 21 IPs (21 /24s) (# pkts S/M/O/I=0/21/0/0): 445:21, [] MAC_Src: 00:21:1C:EE:14:00 (19:07:50.741 PST)
  144.69.122.5 (19:09:20.901 PST) event=777:7777008 {icmp} E8[bh] Detected intense malware port scanning of 149 IPs (149 /24s) (# pkts S/M/O/I=0/149/0/0): 445:149, [] MAC_Src: 00:21:1C:EE:14:00 (19:09:20.901 PST)
tcpslice 1360379260.001 1360379260.002 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.77'
============================== SEPARATOR ================================
Score: 1.1 (>= 0.8)
Infected Target: 192.168.1.77
Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List:
Observed Start: 02/08/2013 19:19:44.927 PST
Gen. Time: 02/08/2013 19:19:53.825 PST
INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
  163.66.169.122 (19:19:44.927 PST) event=777:7777005 {icmp} E5[bh] Detected moderate malware port scanning of 10 IPs (10 /24s) (# pkts S/M/O/I=0/10/0/0): 445:10, [] MAC_Src: 00:21:1C:EE:14:00 (19:19:44.927 PST)
OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN
  163.66.169.122 (19:19:53.825 PST) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 21 IPs (21 /24s) (# pkts S/M/O/I=0/21/0/0): 445:21, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (19:19:53.825 PST)
tcpslice 1360379984.927 1360379984.928 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.77'
============================== SEPARATOR ================================
Score: 1.1 (>= 0.8)
Infected Target: 192.168.1.77
Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List:
Observed Start: 02/08/2013 19:19:44.927 PST
Gen. Time: 02/08/2013 19:23:08.012 PST
INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
  163.66.169.122 (19:19:44.927 PST) event=777:7777005 {icmp} E5[bh] Detected moderate malware port scanning of 10 IPs (10 /24s) (# pkts S/M/O/I=0/10/0/0): 445:10, [] MAC_Src: 00:21:1C:EE:14:00 (19:19:44.927 PST)
OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN
  163.66.169.122 (19:19:53.825 PST) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 21 IPs (21 /24s) (# pkts S/M/O/I=0/21/0/0): 445:21, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (19:19:53.825 PST)
  103.127.74.114 (19:21:23.005 PST) event=777:7777008 {icmp} E8[bh] Detected intense malware port scanning of 163 IPs (163 /24s) (# pkts S/M/O/I=0/163/0/0): 445:163, [] MAC_Src: 00:21:1C:EE:14:00 (19:21:23.005 PST)
tcpslice 1360379984.927 1360379984.928 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.77'
============================== SEPARATOR ================================
Score: 1.1 (>= 0.8)
Infected Target: 192.168.1.77
Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List:
Observed Start: 02/08/2013 19:31:44.049 PST
Gen. Time: 02/08/2013 19:31:49.995 PST
INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
  110.67.75.113 (19:31:44.049 PST) event=777:7777005 {icmp} E5[bh] Detected moderate malware port scanning of 10 IPs (10 /24s) (# pkts S/M/O/I=0/10/0/0): 445:10, [] MAC_Src: 00:21:1C:EE:14:00 (19:31:44.049 PST)
OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN
  174.116.184.48 (19:31:49.995 PST) event=777:7777008 {icmp} E8[bh] Detected intense malware port scanning of 21 IPs (21 /24s) (# pkts S/M/O/I=0/21/0/0): 445:21, [] MAC_Src: 00:21:1C:EE:14:00 (19:31:49.995 PST)
tcpslice 1360380704.049 1360380704.050 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.77'
============================== SEPARATOR ================================
Score: 1.1 (>= 0.8)
Infected Target: 192.168.1.77
Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List:
Observed Start: 02/08/2013 19:31:44.049 PST
Gen. Time: 02/08/2013 19:36:14.336 PST
INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
  110.67.75.113 (19:31:44.049 PST) event=777:7777005 {icmp} E5[bh] Detected moderate malware port scanning of 10 IPs (10 /24s) (# pkts S/M/O/I=0/10/0/0): 445:10, [] MAC_Src: 00:21:1C:EE:14:00 (19:31:44.049 PST)
OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN
  174.116.184.48 (19:31:49.995 PST) event=777:7777008 {icmp} E8[bh] Detected intense malware port scanning of 21 IPs (21 /24s) (# pkts S/M/O/I=0/21/0/0): 445:21, [] MAC_Src: 00:21:1C:EE:14:00 (19:31:49.995 PST)
  64.44.220.92 (19:33:19.880 PST) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 147 IPs (147 /24s) (# pkts S/M/O/I=0/147/0/0): 445:147, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (19:33:19.880 PST)
tcpslice 1360380704.049 1360380704.050 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.77'
============================== SEPARATOR ================================
Score: 1.1 (>= 0.8)
Infected Target: 192.168.1.77
Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List:
Observed Start: 02/08/2013 19:43:47.890 PST
Gen. Time: 02/08/2013 19:43:54.936 PST
INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
  109.105.159.101 (19:43:47.890 PST) event=777:7777005 {icmp} E5[bh] Detected moderate malware port scanning of 10 IPs (10 /24s) (# pkts S/M/O/I=0/10/0/0): 445:10, [] MAC_Src: 00:21:1C:EE:14:00 (19:43:47.890 PST)
OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN
  109.105.159.101 (19:43:54.936 PST) event=777:7777008 {icmp} E8[bh] Detected intense malware port scanning of 21 IPs (21 /24s) (# pkts S/M/O/I=0/21/0/0): 445:21, [] MAC_Src: 00:21:1C:EE:14:00 (19:43:54.936 PST)
tcpslice 1360381427.890 1360381427.891 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.77'
============================== SEPARATOR ================================
Score: 1.1 (>= 0.8)
Infected Target: 192.168.1.77
Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List:
Observed Start: 02/08/2013 19:43:47.890 PST
Gen. Time: 02/08/2013 19:46:10.815 PST
INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
  109.105.159.101 (19:43:47.890 PST) event=777:7777005 {icmp} E5[bh] Detected moderate malware port scanning of 10 IPs (10 /24s) (# pkts S/M/O/I=0/10/0/0): 445:10, [] MAC_Src: 00:21:1C:EE:14:00 (19:43:47.890 PST)
OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN
  76.57.12.17 (19:45:24.855 PST) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 164 IPs (164 /24s) (# pkts S/M/O/I=0/164/0/0): 445:164, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (19:45:24.855 PST)
  109.105.159.101 (19:43:54.936 PST) event=777:7777008 {icmp} E8[bh] Detected intense malware port scanning of 21 IPs (21 /24s) (# pkts S/M/O/I=0/21/0/0): 445:21, [] MAC_Src: 00:21:1C:EE:14:00 (19:43:54.936 PST)
tcpslice 1360381427.890 1360381427.891 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.77'
============================== SEPARATOR ================================
Score: 1.1 (>= 0.8)
Infected Target: 192.168.1.77
Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List:
Observed Start: 02/08/2013 19:55:52.020 PST
Gen. Time: 02/08/2013 19:55:56.988 PST
INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
  19.19.6.112 (19:55:52.020 PST) event=777:7777005 {icmp} E5[bh] Detected moderate malware port scanning of 10 IPs (10 /24s) (# pkts S/M/O/I=0/10/0/0): 445:10, [] MAC_Src: 00:21:1C:EE:14:00 (19:55:52.020 PST)
OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN
  19.19.6.112 (19:55:56.988 PST) event=777:7777008 {icmp} E8[bh] Detected intense malware port scanning of 21 IPs (21 /24s) (# pkts S/M/O/I=0/21/0/0): 445:21, [] MAC_Src: 00:21:1C:EE:14:00 (19:55:56.988 PST)
tcpslice 1360382152.020 1360382152.021 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.77'
============================== SEPARATOR ================================
Score: 1.1 (>= 0.8)
Infected Target: 192.168.1.77
Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List:
Observed Start: 02/08/2013 19:55:52.020 PST
Gen. Time: 02/08/2013 19:58:54.290 PST
INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
  19.19.6.112 (19:55:52.020 PST) event=777:7777005 {icmp} E5[bh] Detected moderate malware port scanning of 10 IPs (10 /24s) (# pkts S/M/O/I=0/10/0/0): 445:10, [] MAC_Src: 00:21:1C:EE:14:00 (19:55:52.020 PST)
OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN
  84.49.88.102 (19:57:26.101 PST) event=777:7777008 {icmp} E8[bh] Detected intense malware port scanning of 175 IPs (175 /24s) (# pkts S/M/O/I=0/175/0/0): 445:175, [] MAC_Src: 00:21:1C:EE:14:00 (19:57:26.101 PST)
  19.19.6.112 (19:55:56.988 PST) event=777:7777008 {icmp} E8[bh] Detected intense malware port scanning of 21 IPs (21 /24s) (# pkts S/M/O/I=0/21/0/0): 445:21, [] MAC_Src: 00:21:1C:EE:14:00 (19:55:56.988 PST)
tcpslice 1360382152.020 1360382152.021 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.77'
============================== SEPARATOR ================================
Score: 1.1 (>= 0.8)
Infected Target: 192.168.1.77
Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List:
Observed Start: 02/08/2013 20:03:53.788 PST
Gen. Time: 02/08/2013 20:04:01.910 PST
INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
  199.78.219.7 (20:03:53.788 PST) event=777:7777005 {icmp} E5[bh] Detected moderate malware port scanning of 10 IPs (10 /24s) (# pkts S/M/O/I=0/10/0/0): 445:10, [] MAC_Src: 00:21:1C:EE:14:00 (20:03:53.788 PST)
OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN
  199.78.219.7 (20:04:01.910 PST) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 21 IPs (21 /24s) (# pkts S/M/O/I=0/21/0/0): 445:21, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (20:04:01.910 PST)
tcpslice 1360382633.788 1360382633.789 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.77'
============================== SEPARATOR ================================
Score: 1.1 (>= 0.8)
Infected Target: 192.168.1.77
Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List:
Observed Start: 02/08/2013 20:03:53.788 PST
Gen. Time: 02/08/2013 20:06:54.216 PST
INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
  199.78.219.7 (20:03:53.788 PST) event=777:7777005 {icmp} E5[bh] Detected moderate malware port scanning of 10 IPs (10 /24s) (# pkts S/M/O/I=0/10/0/0): 445:10, [] MAC_Src: 00:21:1C:EE:14:00 (20:03:53.788 PST)
OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN
  199.78.219.7 (20:04:01.910 PST) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 21 IPs (21 /24s) (# pkts S/M/O/I=0/21/0/0): 445:21, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (20:04:01.910 PST)
  77.28.56.113 (20:05:31.094 PST) event=777:7777008 {icmp} E8[bh] Detected intense malware port scanning of 176 IPs (176 /24s) (# pkts S/M/O/I=0/176/0/0): 445:176, [] MAC_Src: 00:21:1C:EE:14:00 (20:05:31.094 PST)
tcpslice 1360382633.788 1360382633.789 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.77'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.77
Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List:
Observed Start: 02/08/2013 20:11:21.181 PST
Gen. Time: 02/08/2013 20:11:21.181 PST
INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN
  77.28.56.113 (20:11:21.181 PST) event=777:7777008 {icmp} E8[bh] Detected intense malware port scanning of 201 IPs (201 /24s) (# pkts S/M/O/I=0/200/0/1): 445:200, [] MAC_Src: 00:21:1C:EE:14:00 (20:11:21.181 PST)
tcpslice 1360383081.181 1360383081.182 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.77'
============================== SEPARATOR ================================
Score: 1.1 (>= 0.8)
Infected Target: 192.168.1.77
Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List:
Observed Start: 02/08/2013 20:11:21.181 PST
Gen. Time: 02/08/2013 20:15:53.864 PST
INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
  194.91.213.98 (20:15:53.864 PST) event=777:7777005 {tcp} E5[bh] Detected moderate malware port scanning of 10 IPs (10 /24s) (# pkts S/M/O/I=0/10/0/0): 445:10, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (20:15:53.864 PST)
OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN
  77.28.56.113 (20:11:21.181 PST) event=777:7777008 {icmp} E8[bh] Detected intense malware port scanning of 201 IPs (201 /24s) (# pkts S/M/O/I=0/200/0/1): 445:200, [] MAC_Src: 00:21:1C:EE:14:00 (20:11:21.181 PST)
tcpslice 1360383081.181 1360383081.182 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.77'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.77
Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List:
Observed Start: 02/08/2013 20:16:02.098 PST
Gen. Time: 02/08/2013 20:16:02.098 PST
INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN
  194.91.213.98 (20:16:02.098 PST) event=777:7777008 {icmp} E8[bh] Detected intense malware port scanning of 21 IPs (21 /24s) (# pkts S/M/O/I=0/21/0/0): 445:21, [] MAC_Src: 00:21:1C:EE:14:00 (20:16:02.098 PST)
tcpslice 1360383362.098 1360383362.099 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.77'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.77
Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List:
Observed Start: 02/08/2013 20:16:02.098 PST
Gen. Time: 02/08/2013 20:19:31.108 PST
INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN
  194.91.213.98 (20:16:02.098 PST) event=777:7777008 {icmp} E8[bh] Detected intense malware port scanning of 21 IPs (21 /24s) (# pkts S/M/O/I=0/21/0/0): 445:21, [] MAC_Src: 00:21:1C:EE:14:00 (20:16:02.098 PST)
  113.35.241.13 (20:17:32.026 PST) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 178 IPs (178 /24s) (# pkts S/M/O/I=0/178/0/0): 445:178, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (20:17:32.026 PST)
tcpslice 1360383362.098 1360383362.099 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.77'
============================== SEPARATOR ================================
Score: 1.1 (>= 0.8)
Infected Target: 192.168.1.77
Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List:
Observed Start: 02/08/2013 20:23:57.985 PST Gen.
Time: 02/08/2013 20:24:02.869 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) 211.5.166.48 (20:23:57.985 PST) event=777:7777005 {icmp} E5[bh] Detected moderate malware port scanning of 10 IPs (10 /24s) (# pkts S/M/O/I=0/10/0/0): 445:10, [] MAC_Src: 00:21:1C:EE:14:00 (20:23:57.985 PST) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 139.126.219.62 (20:24:02.869 PST) event=777:7777008 {icmp} E8[bh] Detected intense malware port scanning of 21 IPs (21 /24s) (# pkts S/M/O/I=0/21/0/0): 445:21, [] MAC_Src: 00:21:1C:EE:14:00 (20:24:02.869 PST) tcpslice 1360383837.985 1360383837.986 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.77' ============================== SEPARATOR ================================ Score: 1.1 (>= 0.8) Infected Target: 192.168.1.77 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 02/08/2013 20:23:57.985 PST Gen. 
Time: 02/08/2013 20:28:07.407 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) 211.5.166.48 (20:23:57.985 PST) event=777:7777005 {icmp} E5[bh] Detected moderate malware port scanning of 10 IPs (10 /24s) (# pkts S/M/O/I=0/10/0/0): 445:10, [] MAC_Src: 00:21:1C:EE:14:00 (20:23:57.985 PST) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 48.16.31.85 (20:25:33.001 PST) event=777:7777008 {icmp} E8[bh] Detected intense malware port scanning of 173 IPs (173 /24s) (# pkts S/M/O/I=0/173/0/0): 445:173, [] MAC_Src: 00:21:1C:EE:14:00 (20:25:33.001 PST) 139.126.219.62 (20:24:02.869 PST) event=777:7777008 {icmp} E8[bh] Detected intense malware port scanning of 21 IPs (21 /24s) (# pkts S/M/O/I=0/21/0/0): 445:21, [] MAC_Src: 00:21:1C:EE:14:00 (20:24:02.869 PST) tcpslice 1360383837.985 1360383837.986 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.77' ============================== SEPARATOR ================================ Score: 1.1 (>= 0.8) Infected Target: 192.168.1.77 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 02/08/2013 20:32:01.850 PST Gen. 
Time: 02/08/2013 20:32:09.066 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) 148.12.148.4 (20:32:01.850 PST) event=777:7777005 {icmp} E5[bh] Detected moderate malware port scanning of 10 IPs (10 /24s) (# pkts S/M/O/I=0/10/0/0): 445:10, [] MAC_Src: 00:21:1C:EE:14:00 (20:32:01.850 PST) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 86.13.30.48 (20:32:09.066 PST) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 21 IPs (21 /24s) (# pkts S/M/O/I=0/21/0/0): 445:21, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (20:32:09.066 PST) tcpslice 1360384321.850 1360384321.851 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.77' ============================== SEPARATOR ================================ Score: 1.1 (>= 0.8) Infected Target: 192.168.1.77 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 02/08/2013 20:32:01.850 PST Gen. 
Time: 02/08/2013 20:36:12.236 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) 148.12.148.4 (20:32:01.850 PST) event=777:7777005 {icmp} E5[bh] Detected moderate malware port scanning of 10 IPs (10 /24s) (# pkts S/M/O/I=0/10/0/0): 445:10, [] MAC_Src: 00:21:1C:EE:14:00 (20:32:01.850 PST) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 83.56.201.45 (20:33:39.007 PST) event=777:7777008 {icmp} E8[bh] Detected intense malware port scanning of 157 IPs (157 /24s) (# pkts S/M/O/I=0/157/0/0): 445:157, [] MAC_Src: 00:21:1C:EE:14:00 (20:33:39.007 PST) 86.13.30.48 (20:32:09.066 PST) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 21 IPs (21 /24s) (# pkts S/M/O/I=0/21/0/0): 445:21, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (20:32:09.066 PST) tcpslice 1360384321.850 1360384321.851 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.77' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.77 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 02/08/2013 20:40:08.050 PST Gen. 
Time: 02/08/2013 20:40:08.050 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 104.111.97.83 (20:40:08.050 PST) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 201 IPs (201 /24s) (# pkts S/M/O/I=0/200/1/0): 445:200, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (20:40:08.050 PST) tcpslice 1360384808.050 1360384808.051 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.77' ============================== SEPARATOR ================================ Score: 1.1 (>= 0.8) Infected Target: 192.168.1.77 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 02/08/2013 20:40:08.050 PST Gen. Time: 02/08/2013 20:44:03.086 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) 42.58.32.74 (20:44:03.086 PST) event=777:7777005 {icmp} E5[bh] Detected moderate malware port scanning of 10 IPs (10 /24s) (# pkts S/M/O/I=0/10/0/0): 445:10, [] MAC_Src: 00:21:1C:EE:14:00 (20:44:03.086 PST) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 104.111.97.83 (20:40:08.050 PST) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 201 IPs (201 /24s) (# pkts S/M/O/I=0/200/1/0): 445:200, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (20:40:08.050 PST) tcpslice 1360384808.050 1360384808.051 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.77' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.77 Infector List: Egg Source List: C & C List: 
Peer Coord. List: Resource List: Observed Start: 02/08/2013 20:44:11.911 PST Gen. Time: 02/08/2013 20:44:11.911 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 190.12.207.51 (20:44:11.911 PST) event=777:7777008 {icmp} E8[bh] Detected intense malware port scanning of 21 IPs (21 /24s) (# pkts S/M/O/I=0/21/0/0): 445:21, [] MAC_Src: 00:21:1C:EE:14:00 (20:44:11.911 PST) tcpslice 1360385051.911 1360385051.912 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.77' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.77 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 02/08/2013 20:45:41.002 PST Gen. Time: 02/08/2013 20:45:41.002 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 188.92.190.40 (20:45:41.002 PST) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 183 IPs (183 /24s) (# pkts S/M/O/I=0/183/0/0): 445:183, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (20:45:41.002 PST) tcpslice 1360385141.002 1360385141.003 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.77' ============================== SEPARATOR ================================ Score: 1.1 (>= 0.8) Infected Target: 192.168.1.77 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 02/08/2013 20:52:05.977 PST Gen. 
Time: 02/08/2013 20:52:13.887 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) 178.6.77.59 (20:52:05.977 PST) event=777:7777005 {icmp} E5[bh] Detected moderate malware port scanning of 10 IPs (10 /24s) (# pkts S/M/O/I=0/10/0/0): 445:10, [] MAC_Src: 00:21:1C:EE:14:00 (20:52:05.977 PST) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 164.101.25.87 (20:52:13.887 PST) event=777:7777008 {icmp} E8[bh] Detected intense malware port scanning of 21 IPs (21 /24s) (# pkts S/M/O/I=0/21/0/0): 445:21, [] MAC_Src: 00:21:1C:EE:14:00 (20:52:13.887 PST) tcpslice 1360385525.977 1360385525.978 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.77' ============================== SEPARATOR ================================ Score: 1.1 (>= 0.8) Infected Target: 192.168.1.77 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 02/08/2013 20:52:05.977 PST Gen. 
Time: 02/08/2013 20:56:14.341 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) 178.6.77.59 (20:52:05.977 PST) event=777:7777005 {icmp} E5[bh] Detected moderate malware port scanning of 10 IPs (10 /24s) (# pkts S/M/O/I=0/10/0/0): 445:10, [] MAC_Src: 00:21:1C:EE:14:00 (20:52:05.977 PST) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 124.60.173.77 (20:53:43.174 PST) event=777:7777008 {icmp} E8[bh] Detected intense malware port scanning of 156 IPs (156 /24s) (# pkts S/M/O/I=0/156/0/0): 445:156, [] MAC_Src: 00:21:1C:EE:14:00 (20:53:43.174 PST) 164.101.25.87 (20:52:13.887 PST) event=777:7777008 {icmp} E8[bh] Detected intense malware port scanning of 21 IPs (21 /24s) (# pkts S/M/O/I=0/21/0/0): 445:21, [] MAC_Src: 00:21:1C:EE:14:00 (20:52:13.887 PST) tcpslice 1360385525.977 1360385525.978 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.77' ============================== SEPARATOR ================================ Score: 1.1 (>= 0.8) Infected Target: 192.168.1.77 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 02/08/2013 21:04:08.821 PST Gen. 
Time: 02/08/2013 21:04:15.953 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) 222.39.69.87 (21:04:08.821 PST) event=777:7777005 {icmp} E5[bh] Detected moderate malware port scanning of 10 IPs (10 /24s) (# pkts S/M/O/I=0/10/0/0): 445:10, [] MAC_Src: 00:21:1C:EE:14:00 (21:04:08.821 PST) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 222.39.69.87 (21:04:15.953 PST) event=777:7777008 {icmp} E8[bh] Detected intense malware port scanning of 21 IPs (21 /24s) (# pkts S/M/O/I=0/21/0/0): 445:21, [] MAC_Src: 00:21:1C:EE:14:00 (21:04:15.953 PST) tcpslice 1360386248.821 1360386248.822 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.77' ============================== SEPARATOR ================================ Score: 1.1 (>= 0.8) Infected Target: 192.168.1.77 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 02/08/2013 21:04:08.821 PST Gen. 
Time: 02/08/2013 21:06:57.515 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) 222.39.69.87 (21:04:08.821 PST) event=777:7777005 {icmp} E5[bh] Detected moderate malware port scanning of 10 IPs (10 /24s) (# pkts S/M/O/I=0/10/0/0): 445:10, [] MAC_Src: 00:21:1C:EE:14:00 (21:04:08.821 PST) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 222.39.69.87 (21:04:15.953 PST) event=777:7777008 {icmp} E8[bh] Detected intense malware port scanning of 21 IPs (21 /24s) (# pkts S/M/O/I=0/21/0/0): 445:21, [] MAC_Src: 00:21:1C:EE:14:00 (21:04:15.953 PST) 25.110.8.115 (21:05:45.097 PST) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 177 IPs (177 /24s) (# pkts S/M/O/I=0/177/0/0): 445:177, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (21:05:45.097 PST) tcpslice 1360386248.821 1360386248.822 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.77' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.77 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 02/08/2013 21:08:50.716 PST Gen. 
Time: 02/08/2013 21:08:50.716 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 19.91.145.89 (21:08:50.716 PST) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 201 IPs (201 /24s) (# pkts S/M/O/I=1/200/0/0): 445:200, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (21:08:50.716 PST) tcpslice 1360386530.716 1360386530.717 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.77' ============================== SEPARATOR ================================ Score: 1.1 (>= 0.8) Infected Target: 192.168.1.77 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 02/08/2013 21:08:50.716 PST Gen. Time: 02/08/2013 21:12:16.036 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) 184.81.240.69 (21:12:09.950 PST) event=777:7777005 {tcp} E5[bh] Detected moderate malware port scanning of 10 IPs (10 /24s) (# pkts S/M/O/I=0/10/0/0): 445:10, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (21:12:09.950 PST) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 54.102.216.44 (21:12:16.036 PST) event=777:7777008 {icmp} E8[bh] Detected intense malware port scanning of 21 IPs (21 /24s) (# pkts S/M/O/I=0/21/0/0): 445:21, [] MAC_Src: 00:21:1C:EE:14:00 (21:12:16.036 PST) 19.91.145.89 (21:08:50.716 PST) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 201 IPs (201 /24s) (# pkts S/M/O/I=1/200/0/0): 445:200, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (21:08:50.716 PST) tcpslice 1360386530.716 1360386530.717 inputFile.tcpd | tcpdump -r 
- -w outputFile.tcpd 'host 192.168.1.77' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.77 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 02/08/2013 21:13:46.825 PST Gen. Time: 02/08/2013 21:13:46.825 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 106.52.203.15 (21:13:46.825 PST) event=777:7777008 {icmp} E8[bh] Detected intense malware port scanning of 182 IPs (182 /24s) (# pkts S/M/O/I=0/182/0/0): 445:182, [] MAC_Src: 00:21:1C:EE:14:00 (21:13:46.825 PST) tcpslice 1360386826.825 1360386826.826 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.77' ============================== SEPARATOR ================================ Score: 1.1 (>= 0.8) Infected Target: 192.168.1.77 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 02/08/2013 21:20:10.006 PST Gen. 
Time: 02/08/2013 21:20:18.169 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) 172.94.71.33 (21:20:10.006 PST) event=777:7777005 {icmp} E5[bh] Detected moderate malware port scanning of 10 IPs (10 /24s) (# pkts S/M/O/I=0/10/0/0): 445:10, [] MAC_Src: 00:21:1C:EE:14:00 (21:20:10.006 PST) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 29.109.115.37 (21:20:18.169 PST) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 21 IPs (21 /24s) (# pkts S/M/O/I=0/21/0/0): 445:21, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (21:20:18.169 PST) tcpslice 1360387210.006 1360387210.007 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.77' ============================== SEPARATOR ================================ Score: 1.1 (>= 0.8) Infected Target: 192.168.1.77 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 02/08/2013 21:20:10.006 PST Gen. 
Time: 02/08/2013 21:24:08.131 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) 172.94.71.33 (21:20:10.006 PST) event=777:7777005 {icmp} E5[bh] Detected moderate malware port scanning of 10 IPs (10 /24s) (# pkts S/M/O/I=0/10/0/0): 445:10, [] MAC_Src: 00:21:1C:EE:14:00 (21:20:10.006 PST) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 192.13.2.93 (21:21:48.898 PST) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 165 IPs (165 /24s) (# pkts S/M/O/I=0/165/0/0): 445:165, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (21:21:48.898 PST) 29.109.115.37 (21:20:18.169 PST) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 21 IPs (21 /24s) (# pkts S/M/O/I=0/21/0/0): 445:21, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (21:20:18.169 PST) tcpslice 1360387210.006 1360387210.007 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.77' ============================== SEPARATOR ================================ Score: 1.1 (>= 0.8) Infected Target: 192.168.1.77 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 02/08/2013 21:32:15.902 PST Gen. 
Time: 02/08/2013 21:32:22.249 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) 27.97.176.77 (21:32:15.902 PST) event=777:7777005 {icmp} E5[bh] Detected moderate malware port scanning of 10 IPs (10 /24s) (# pkts S/M/O/I=0/10/0/0): 445:10, [] MAC_Src: 00:21:1C:EE:14:00 (21:32:15.902 PST) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 118.9.238.55 (21:32:22.249 PST) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 21 IPs (21 /24s) (# pkts S/M/O/I=0/21/0/0): 445:21, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (21:32:22.249 PST) tcpslice 1360387935.902 1360387935.903 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.77' ============================== SEPARATOR ================================ Score: 1.1 (>= 0.8) Infected Target: 192.168.1.77 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 02/08/2013 21:32:15.902 PST Gen. 
Time: 02/08/2013 21:36:14.348 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) 27.97.176.77 (21:32:15.902 PST) event=777:7777005 {icmp} E5[bh] Detected moderate malware port scanning of 10 IPs (10 /24s) (# pkts S/M/O/I=0/10/0/0): 445:10, [] MAC_Src: 00:21:1C:EE:14:00 (21:32:15.902 PST) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 118.9.238.55 (21:32:22.249 PST) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 21 IPs (21 /24s) (# pkts S/M/O/I=0/21/0/0): 445:21, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (21:32:22.249 PST) 108.95.147.107 (21:33:52.839 PST) event=777:7777008 {icmp} E8[bh] Detected intense malware port scanning of 176 IPs (176 /24s) (# pkts S/M/O/I=0/176/0/0): 445:176, [] MAC_Src: 00:21:1C:EE:14:00 (21:33:52.839 PST) tcpslice 1360387935.902 1360387935.903 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.77' ============================== SEPARATOR ================================ Score: 1.1 (>= 0.8) Infected Target: 192.168.1.77 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 02/08/2013 21:40:17.929 PST Gen. 
Time: 02/08/2013 21:40:21.843 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) 52.36.56.104 (21:40:17.929 PST) event=777:7777005 {icmp} E5[bh] Detected moderate malware port scanning of 10 IPs (10 /24s) (# pkts S/M/O/I=0/10/0/0): 445:10, [] MAC_Src: 00:21:1C:EE:14:00 (21:40:17.929 PST) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 199.34.93.22 (21:40:21.843 PST) event=777:7777008 {icmp} E8[bh] Detected intense malware port scanning of 21 IPs (21 /24s) (# pkts S/M/O/I=0/21/0/0): 445:21, [] MAC_Src: 00:21:1C:EE:14:00 (21:40:21.843 PST) tcpslice 1360388417.929 1360388417.930 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.77' ============================== SEPARATOR ================================ Score: 1.1 (>= 0.8) Infected Target: 192.168.1.77 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 02/08/2013 21:40:17.929 PST Gen. 
Time: 02/08/2013 21:42:15.367 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) 52.36.56.104 (21:40:17.929 PST) event=777:7777005 {icmp} E5[bh] Detected moderate malware port scanning of 10 IPs (10 /24s) (# pkts S/M/O/I=0/10/0/0): 445:10, [] MAC_Src: 00:21:1C:EE:14:00 (21:40:17.929 PST) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 188.1.93.110 (21:41:51.844 PST) event=777:7777008 {icmp} E8[bh] Detected intense malware port scanning of 167 IPs (167 /24s) (# pkts S/M/O/I=0/167/0/0): 445:167, [] MAC_Src: 00:21:1C:EE:14:00 (21:41:51.844 PST) 199.34.93.22 (21:40:21.843 PST) event=777:7777008 {icmp} E8[bh] Detected intense malware port scanning of 21 IPs (21 /24s) (# pkts S/M/O/I=0/21/0/0): 445:21, [] MAC_Src: 00:21:1C:EE:14:00 (21:40:21.843 PST) tcpslice 1360388417.929 1360388417.930 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.77' ============================== SEPARATOR ================================ Score: 1.1 (>= 0.8) Infected Target: 192.168.1.77 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 02/08/2013 21:48:18.846 PST Gen. 
Time: 02/08/2013 21:48:24.088 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) 21.58.111.117 (21:48:18.846 PST) event=777:7777005 {icmp} E5[bh] Detected moderate malware port scanning of 10 IPs (10 /24s) (# pkts S/M/O/I=0/10/0/0): 445:10, [] MAC_Src: 00:21:1C:EE:14:00 (21:48:18.846 PST) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 202.72.63.5 (21:48:24.088 PST) event=777:7777008 {icmp} E8[bh] Detected intense malware port scanning of 21 IPs (21 /24s) (# pkts S/M/O/I=0/21/0/0): 445:21, [] MAC_Src: 00:21:1C:EE:14:00 (21:48:24.088 PST) tcpslice 1360388898.846 1360388898.847 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.77' ============================== SEPARATOR ================================ Score: 1.1 (>= 0.8) Infected Target: 192.168.1.77 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 02/08/2013 21:48:18.846 PST Gen. 
Time: 02/08/2013 21:51:14.351 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) 21.58.111.117 (21:48:18.846 PST) event=777:7777005 {icmp} E5[bh] Detected moderate malware port scanning of 10 IPs (10 /24s) (# pkts S/M/O/I=0/10/0/0): 445:10, [] MAC_Src: 00:21:1C:EE:14:00 (21:48:18.846 PST) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 20.92.156.117 (21:49:55.009 PST) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 192 IPs (192 /24s) (# pkts S/M/O/I=0/192/0/0): 445:192, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (21:49:55.009 PST) 202.72.63.5 (21:48:24.088 PST) event=777:7777008 {icmp} E8[bh] Detected intense malware port scanning of 21 IPs (21 /24s) (# pkts S/M/O/I=0/21/0/0): 445:21, [] MAC_Src: 00:21:1C:EE:14:00 (21:48:24.088 PST) tcpslice 1360388898.846 1360388898.847 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.77' ============================== SEPARATOR ================================ Score: 1.1 (>= 0.8) Infected Target: 192.168.1.77 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 02/08/2013 21:56:22.006 PST Gen. 
Time: 02/08/2013 21:56:30.014 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) 102.7.252.80 (21:56:22.006 PST) event=777:7777005 {icmp} E5[bh] Detected moderate malware port scanning of 10 IPs (10 /24s) (# pkts S/M/O/I=0/10/0/0): 445:10, [] MAC_Src: 00:21:1C:EE:14:00 (21:56:22.006 PST) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 89.120.95.105 (21:56:30.014 PST) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 21 IPs (21 /24s) (# pkts S/M/O/I=0/21/0/0): 445:21, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (21:56:30.014 PST) tcpslice 1360389382.006 1360389382.007 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.77' ============================== SEPARATOR ================================ Score: 1.1 (>= 0.8) Infected Target: 192.168.1.77 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 02/08/2013 21:56:22.006 PST Gen. 
Time: 02/08/2013 22:01:14.348 PST
   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
        102.7.252.80 (21:56:22.006 PST)
          event=777:7777005 {icmp} E5[bh] Detected moderate malware port scanning of 10 IPs (10 /24s) (# pkts S/M/O/I=0/10/0/0): 445:10, [] MAC_Src: 00:21:1C:EE:14:00 (21:56:22.006 PST)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION Info
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN
        89.120.95.105 (21:56:30.014 PST)
          event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 21 IPs (21 /24s) (# pkts S/M/O/I=0/21/0/0): 445:21, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (21:56:30.014 PST)
        56.18.254.76 (21:58:00.084 PST)
          event=777:7777008 {icmp} E8[bh] Detected intense malware port scanning of 195 IPs (195 /24s) (# pkts S/M/O/I=0/195/0/0): 445:195, [] MAC_Src: 00:21:1C:EE:14:00 (21:58:00.084 PST)

tcpslice 1360389382.006 1360389382.007 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.77'

============================== SEPARATOR ================================

Score: 1.1 (>= 0.8)
Infected Target: 192.168.1.77
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 02/08/2013 22:04:20.837 PST
Gen. Time: 02/08/2013 22:04:27.255 PST
   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
        36.110.175.86 (22:04:20.837 PST)
          event=777:7777005 {icmp} E5[bh] Detected moderate malware port scanning of 10 IPs (10 /24s) (# pkts S/M/O/I=0/10/0/0): 445:10, [] MAC_Src: 00:21:1C:EE:14:00 (22:04:20.837 PST)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION Info
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN
        22.112.8.53 (22:04:27.255 PST)
          event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 21 IPs (21 /24s) (# pkts S/M/O/I=0/21/0/0): 445:21, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (22:04:27.255 PST)

tcpslice 1360389860.837 1360389860.838 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.77'

============================== SEPARATOR ================================

Score: 1.1 (>= 0.8)
Infected Target: 192.168.1.77
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 02/08/2013 22:04:20.837 PST
Gen. Time: 02/08/2013 22:07:33.440 PST
   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
        36.110.175.86 (22:04:20.837 PST)
          event=777:7777005 {icmp} E5[bh] Detected moderate malware port scanning of 10 IPs (10 /24s) (# pkts S/M/O/I=0/10/0/0): 445:10, [] MAC_Src: 00:21:1C:EE:14:00 (22:04:20.837 PST)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION Info
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN
        22.112.8.53 (22:04:27.255 PST)
          event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 21 IPs (21 /24s) (# pkts S/M/O/I=0/21/0/0): 445:21, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (22:04:27.255 PST)
        79.10.97.20 (22:05:57.076 PST)
          event=777:7777008 {icmp} E8[bh] Detected intense malware port scanning of 172 IPs (172 /24s) (# pkts S/M/O/I=0/172/0/0): 445:172, [] MAC_Src: 00:21:1C:EE:14:00 (22:05:57.076 PST)

tcpslice 1360389860.837 1360389860.838 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.77'

============================== SEPARATOR ================================

Score: 1.1 (>= 0.8)
Infected Target: 192.168.1.77
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 02/08/2013 22:12:23.860 PST
Gen. Time: 02/08/2013 22:12:29.872 PST
   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
        63.126.120.12 (22:12:23.860 PST)
          event=777:7777005 {icmp} E5[bh] Detected moderate malware port scanning of 10 IPs (10 /24s) (# pkts S/M/O/I=0/10/0/0): 445:10, [] MAC_Src: 00:21:1C:EE:14:00 (22:12:23.860 PST)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION Info
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN
        63.126.120.12 (22:12:29.872 PST)
          event=777:7777008 {icmp} E8[bh] Detected intense malware port scanning of 21 IPs (21 /24s) (# pkts S/M/O/I=0/21/0/0): 445:21, [] MAC_Src: 00:21:1C:EE:14:00 (22:12:29.872 PST)

tcpslice 1360390343.860 1360390343.861 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.77'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.77
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 02/08/2013 22:13:54.075 PST
Gen. Time: 02/08/2013 22:13:54.075 PST
   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION Info
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN
        72.68.163.118 (22:13:54.075 PST)
          event=777:7777008 {icmp} E8[bh] Detected intense malware port scanning of 200 IPs (200 /24s) (# pkts S/M/O/I=0/200/0/0): 445:200, [] MAC_Src: 00:21:1C:EE:14:00 (22:13:54.075 PST)

tcpslice 1360390434.075 1360390434.076 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.77'

============================== SEPARATOR ================================

Score: 1.1 (>= 0.8)
Infected Target: 192.168.1.77
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 02/08/2013 22:13:54.075 PST
Gen. Time: 02/08/2013 22:20:25.859 PST
   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
        76.55.72.67 (22:20:25.859 PST)
          event=777:7777005 {icmp} E5[bh] Detected moderate malware port scanning of 10 IPs (10 /24s) (# pkts S/M/O/I=0/10/0/0): 445:10, [] MAC_Src: 00:21:1C:EE:14:00 (22:20:25.859 PST)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION Info
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN
        72.68.163.118 (22:13:54.075 PST)
          event=777:7777008 {icmp} E8[bh] Detected intense malware port scanning of 200 IPs (200 /24s) (# pkts S/M/O/I=0/200/0/0): 445:200, [] MAC_Src: 00:21:1C:EE:14:00 (22:13:54.075 PST)

tcpslice 1360390434.075 1360390434.076 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.77'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.77
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 02/08/2013 22:20:35.814 PST
Gen. Time: 02/08/2013 22:20:35.814 PST
   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION Info
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN
        76.55.72.67 (22:20:35.814 PST)
          event=777:7777008 {icmp} E8[bh] Detected intense malware port scanning of 21 IPs (21 /24s) (# pkts S/M/O/I=0/21/0/0): 445:21, [] MAC_Src: 00:21:1C:EE:14:00 (22:20:35.814 PST)

tcpslice 1360390835.814 1360390835.815 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.77'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.77
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 02/08/2013 22:20:35.814 PST
Gen. Time: 02/08/2013 22:25:03.333 PST
   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION Info
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN
        76.55.72.67 (22:20:35.814 PST)
          event=777:7777008 {icmp} E8[bh] Detected intense malware port scanning of 21 IPs (21 /24s) (# pkts S/M/O/I=0/21/0/0): 445:21, [] MAC_Src: 00:21:1C:EE:14:00 (22:20:35.814 PST)
        158.104.30.24 (22:22:05.047 PST)
          event=777:7777008 {icmp} E8[bh] Detected intense malware port scanning of 184 IPs (184 /24s) (# pkts S/M/O/I=0/184/0/0): 445:184, [] MAC_Src: 00:21:1C:EE:14:00 (22:22:05.047 PST)

tcpslice 1360390835.814 1360390835.815 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.77'

============================== SEPARATOR ================================

Score: 1.1 (>= 0.8)
Infected Target: 192.168.1.77
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 02/08/2013 22:28:27.973 PST
Gen. Time: 02/08/2013 22:28:36.894 PST
   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
        193.30.140.1 (22:28:27.973 PST)
          event=777:7777005 {icmp} E5[bh] Detected moderate malware port scanning of 10 IPs (10 /24s) (# pkts S/M/O/I=0/10/0/0): 445:10, [] MAC_Src: 00:21:1C:EE:14:00 (22:28:27.973 PST)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION Info
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN
        193.30.140.1 (22:28:36.894 PST)
          event=777:7777008 {icmp} E8[bh] Detected intense malware port scanning of 21 IPs (21 /24s) (# pkts S/M/O/I=0/21/0/0): 445:21, [] MAC_Src: 00:21:1C:EE:14:00 (22:28:36.894 PST)

tcpslice 1360391307.973 1360391307.974 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.77'

============================== SEPARATOR ================================

Score: 1.1 (>= 0.8)
Infected Target: 192.168.1.77
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 02/08/2013 22:28:27.973 PST
Gen. Time: 02/08/2013 22:32:34.521 PST
   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
        193.30.140.1 (22:28:27.973 PST)
          event=777:7777005 {icmp} E5[bh] Detected moderate malware port scanning of 10 IPs (10 /24s) (# pkts S/M/O/I=0/10/0/0): 445:10, [] MAC_Src: 00:21:1C:EE:14:00 (22:28:27.973 PST)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION Info
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN
        193.30.140.1 (22:28:36.894 PST)
          event=777:7777008 {icmp} E8[bh] Detected intense malware port scanning of 21 IPs (21 /24s) (# pkts S/M/O/I=0/21/0/0): 445:21, [] MAC_Src: 00:21:1C:EE:14:00 (22:28:36.894 PST)
        85.5.83.101 (22:30:06.895 PST)
          event=777:7777008 {icmp} E8[bh] Detected intense malware port scanning of 195 IPs (195 /24s) (# pkts S/M/O/I=0/195/0/0): 445:195, [] MAC_Src: 00:21:1C:EE:14:00 (22:30:06.895 PST)

tcpslice 1360391307.973 1360391307.974 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.77'

============================== SEPARATOR ================================

Score: 1.1 (>= 0.8)
Infected Target: 192.168.1.77
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 02/08/2013 22:36:28.982 PST
Gen. Time: 02/08/2013 22:36:33.023 PST
   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
        56.46.178.72 (22:36:28.982 PST)
          event=777:7777005 {icmp} E5[bh] Detected moderate malware port scanning of 10 IPs (10 /24s) (# pkts S/M/O/I=0/10/0/0): 445:10, [] MAC_Src: 00:21:1C:EE:14:00 (22:36:28.982 PST)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION Info
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN
        56.46.178.72 (22:36:33.023 PST)
          event=777:7777008 {icmp} E8[bh] Detected intense malware port scanning of 21 IPs (21 /24s) (# pkts S/M/O/I=0/21/0/0): 445:21, [] MAC_Src: 00:21:1C:EE:14:00 (22:36:33.023 PST)

tcpslice 1360391788.982 1360391788.983 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.77'

============================== SEPARATOR ================================

Score: 1.1 (>= 0.8)
Infected Target: 192.168.1.77
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 02/08/2013 22:36:28.982 PST
Gen. Time: 02/08/2013 22:40:13.885 PST
   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
        56.46.178.72 (22:36:28.982 PST)
          event=777:7777005 {icmp} E5[bh] Detected moderate malware port scanning of 10 IPs (10 /24s) (# pkts S/M/O/I=0/10/0/0): 445:10, [] MAC_Src: 00:21:1C:EE:14:00 (22:36:28.982 PST)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION Info
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN
        56.46.178.72 (22:36:33.023 PST)
          event=777:7777008 {icmp} E8[bh] Detected intense malware port scanning of 21 IPs (21 /24s) (# pkts S/M/O/I=0/21/0/0): 445:21, [] MAC_Src: 00:21:1C:EE:14:00 (22:36:33.023 PST)
        157.53.211.14 (22:38:03.129 PST)
          event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 191 IPs (191 /24s) (# pkts S/M/O/I=0/191/0/0): 445:191, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (22:38:03.129 PST)

tcpslice 1360391788.982 1360391788.983 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.77'

============================== SEPARATOR ================================

Score: 1.1 (>= 0.8)
Infected Target: 192.168.1.77
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 02/08/2013 22:44:33.006 PST
Gen. Time: 02/08/2013 22:44:35.917 PST
   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
        108.117.51.21 (22:44:33.006 PST)
          event=777:7777005 {icmp} E5[bh] Detected moderate malware port scanning of 10 IPs (10 /24s) (# pkts S/M/O/I=0/10/0/0): 445:10, [] MAC_Src: 00:21:1C:EE:14:00 (22:44:33.006 PST)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION Info
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN
        34.61.3.3 (22:44:35.917 PST)
          event=777:7777008 {icmp} E8[bh] Detected intense malware port scanning of 21 IPs (21 /24s) (# pkts S/M/O/I=0/21/0/0): 445:21, [] MAC_Src: 00:21:1C:EE:14:00 (22:44:35.917 PST)

tcpslice 1360392273.006 1360392273.007 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.77'

============================== SEPARATOR ================================

Score: 1.1 (>= 0.8)
Infected Target: 192.168.1.77
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 02/08/2013 22:44:33.006 PST
Gen. Time: 02/08/2013 22:48:35.507 PST
   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
        108.117.51.21 (22:44:33.006 PST)
          event=777:7777005 {icmp} E5[bh] Detected moderate malware port scanning of 10 IPs (10 /24s) (# pkts S/M/O/I=0/10/0/0): 445:10, [] MAC_Src: 00:21:1C:EE:14:00 (22:44:33.006 PST)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION Info
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN
        158.64.172.14 (22:46:05.010 PST)
          event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 177 IPs (177 /24s) (# pkts S/M/O/I=0/177/0/0): 445:177, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (22:46:05.010 PST)
        34.61.3.3 (22:44:35.917 PST)
          event=777:7777008 {icmp} E8[bh] Detected intense malware port scanning of 21 IPs (21 /24s) (# pkts S/M/O/I=0/21/0/0): 445:21, [] MAC_Src: 00:21:1C:EE:14:00 (22:44:35.917 PST)

tcpslice 1360392273.006 1360392273.007 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.77'

============================== SEPARATOR ================================

Score: 1.1 (>= 0.8)
Infected Target: 192.168.1.77
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 02/08/2013 22:52:34.061 PST
Gen. Time: 02/08/2013 22:52:39.950 PST
   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
        101.9.13.29 (22:52:34.061 PST)
          event=777:7777005 {icmp} E5[bh] Detected moderate malware port scanning of 10 IPs (10 /24s) (# pkts S/M/O/I=0/10/0/0): 445:10, [] MAC_Src: 00:21:1C:EE:14:00 (22:52:34.061 PST)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION Info
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN
        101.9.13.29 (22:52:39.950 PST)
          event=777:7777008 {icmp} E8[bh] Detected intense malware port scanning of 21 IPs (21 /24s) (# pkts S/M/O/I=0/21/0/0): 445:21, [] MAC_Src: 00:21:1C:EE:14:00 (22:52:39.950 PST)

tcpslice 1360392754.061 1360392754.062 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.77'

============================== SEPARATOR ================================

Score: 1.1 (>= 0.8)
Infected Target: 192.168.1.77
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 02/08/2013 22:52:34.061 PST
Gen. Time: 02/08/2013 22:56:14.361 PST
   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
        101.9.13.29 (22:52:34.061 PST)
          event=777:7777005 {icmp} E5[bh] Detected moderate malware port scanning of 10 IPs (10 /24s) (# pkts S/M/O/I=0/10/0/0): 445:10, [] MAC_Src: 00:21:1C:EE:14:00 (22:52:34.061 PST)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION Info
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN
        52.64.100.71 (22:54:09.097 PST)
          event=777:7777008 {icmp} E8[bh] Detected intense malware port scanning of 195 IPs (195 /24s) (# pkts S/M/O/I=0/195/0/0): 445:195, [] MAC_Src: 00:21:1C:EE:14:00 (22:54:09.097 PST)
        101.9.13.29 (22:52:39.950 PST)
          event=777:7777008 {icmp} E8[bh] Detected intense malware port scanning of 21 IPs (21 /24s) (# pkts S/M/O/I=0/21/0/0): 445:21, [] MAC_Src: 00:21:1C:EE:14:00 (22:52:39.950 PST)

tcpslice 1360392754.061 1360392754.062 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.77'

============================== SEPARATOR ================================