Score: 1.0 (>= 0.8)
Infected Target: 192.168.1.85
Infector List:
Egg Source List:
C & C List: 66.249.74.120
Peer Coord. List:
Resource List:
Observed Start: 02/15/2013 16:59:32.276 PST
Gen. Time: 02/15/2013 17:06:41.763 PST

   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
      66.249.74.120 (17:06:41.763 PST)
         event=1:2002033 {tcp} E4[rb] ET TROJAN BOT - potential response, [] MAC_Src: 00:01:64:FF:CE:EA
         80->63474 (17:06:41.763 PST)
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
      66.249.74.120 (14) (16:59:32.276 PST)
         event=1:552123 (14) {tcp} E5[rb] REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner, [] MAC_Src: 00:01:64:FF:CE:EA
         80->40019 (16:59:32.276 PST)
         80->39487 (17:00:36.572 PST)
         80->45115 (17:00:47.324 PST)
         80->57075 (17:01:19.505 PST)
         80->59276 (17:01:30.186 PST)
         80->60759 (17:02:02.394 PST)
         80->58307 (17:02:23.881 PST)
         80->52204 (17:03:28.300 PST)
         80->52818 (17:03:39.046 PST)
         80->41931 (17:03:49.773 PST)
         80->35706 (17:04:11.284 PST)
         80->34101 (17:04:56.916 PST)
         80->46509 (17:05:47.998 PST)
         80->43496 (17:05:58.743 PST)
   ATTACK PREP
   PEER COORDINATION Info
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1360976372.276 1360976372.277 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.85'

============================== SEPARATOR ================================

Score: 1.0 (>= 0.8)
Infected Target: 192.168.1.85
Infector List:
Egg Source List:
C & C List: 66.249.74.120
Peer Coord. List:
Resource List:
Observed Start: 02/15/2013 16:59:32.276 PST
Gen. Time: 02/15/2013 17:11:51.645 PST

   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
      66.249.74.120 (17:06:41.763 PST)
         event=1:2002033 {tcp} E4[rb] ET TROJAN BOT - potential response, [] MAC_Src: 00:01:64:FF:CE:EA
         80->63474 (17:06:41.763 PST)
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
      66.249.74.120 (16) (16:59:32.276 PST)
         event=1:552123 (16) {tcp} E5[rb] REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner, [] MAC_Src: 00:01:64:FF:CE:EA
         80->40019 (16:59:32.276 PST)
         80->39487 (17:00:36.572 PST)
         80->45115 (17:00:47.324 PST)
         80->57075 (17:01:19.505 PST)
         80->59276 (17:01:30.186 PST)
         80->60759 (17:02:02.394 PST)
         80->58307 (17:02:23.881 PST)
         80->52204 (17:03:28.300 PST)
         80->52818 (17:03:39.046 PST)
         80->41931 (17:03:49.773 PST)
         80->35706 (17:04:11.284 PST)
         80->34101 (17:04:56.916 PST)
         80->46509 (17:05:47.998 PST)
         80->43496 (17:05:58.743 PST)
         80->48083 (17:07:03.226 PST)
         80->38452 (17:09:08.737 PST)
   ATTACK PREP
   PEER COORDINATION Info
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1360976372.276 1360976372.277 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.85'

============================== SEPARATOR ================================

Score: 1.0 (>= 0.8)
Infected Target: 192.168.1.85
Infector List:
Egg Source List:
C & C List: 66.249.74.120
Peer Coord. List:
Resource List:
Observed Start: 02/15/2013 17:24:19.759 PST
Gen. Time: 02/15/2013 17:27:24.384 PST

   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
      66.249.74.120 (17:27:24.384 PST)
         event=1:2002033 {tcp} E4[rb] ET TROJAN BOT - potential response, [] MAC_Src: 00:01:64:FF:CE:EA
         80->36091 (17:27:24.384 PST)
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
      66.249.74.120 (2) (17:24:19.759 PST)
         event=1:552123 (2) {tcp} E5[rb] REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner, [] MAC_Src: 00:01:64:FF:CE:EA
         80->34866 (17:24:19.759 PST)
         80->43938 (17:26:11.696 PST)
   ATTACK PREP
   PEER COORDINATION Info
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1360977859.759 1360977859.760 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.85'

============================== SEPARATOR ================================