Score: 1.0 (>= 0.8)
Infected Target: 192.168.1.85
Infector List:
Egg Source List:
C & C List: 66.249.74.120
Peer Coord. List:
Resource List:
Observed Start: 02/23/2013 07:27:27.398 PST
Gen. Time: 02/23/2013 07:36:15.315 PST

   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
      66.249.74.120 (07:36:15.315 PST)
         event=1:2002033 {tcp} E4[rb] ET TROJAN BOT - potential response, [] MAC_Src: 00:01:64:FF:CE:EA
         80->49481 (07:36:15.315 PST)
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
      208.115.113.83 (07:31:27.040 PST)
         event=1:552123 {tcp} E5[rb] REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner, [] MAC_Src: 00:01:64:FF:CE:EA
         80->37506 (07:31:27.040 PST)
      66.249.74.120 (5) (07:29:57.179 PST)
         event=1:552123 (5) {tcp} E5[rb] REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner, [] MAC_Src: 00:01:64:FF:CE:EA
         80->53648 (07:29:57.179 PST)
         80->49125 (07:31:02.862 PST)
         80->49688 (07:32:57.570 PST)
         80->54315 (07:34:10.224 PST)
         80->49481 (07:36:15.004 PST)
      173.199.114.83 (2) (07:27:27.398 PST)
         event=1:552123 (2) {tcp} E5[rb] REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner, [] MAC_Src: 00:01:64:FF:CE:EA
         80->37815 (07:27:27.398 PST)
         80->45051 (07:28:48.961 PST)
   ATTACK PREP
   PEER COORDINATION
   Info PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1361633247.398 1361633247.399 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.85'

============================== SEPARATOR ================================

Score: 1.0 (>= 0.8)
Infected Target: 192.168.1.85
Infector List:
Egg Source List:
C & C List: 66.249.74.120 (2)
Peer Coord. List:
Resource List:
Observed Start: 02/23/2013 07:27:27.398 PST
Gen. Time: 02/23/2013 07:42:44.943 PST

   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
      66.249.74.120 (2) (07:36:15.315 PST)
         event=1:2002033 (2) {tcp} E4[rb] ET TROJAN BOT - potential response, [] MAC_Src: 00:01:64:FF:CE:EA
         2: 80->49481 (07:36:15.315 PST-07:36:15.315 PST)
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
      208.115.113.83 (07:31:27.040 PST)
         event=1:552123 {tcp} E5[rb] REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner, [] MAC_Src: 00:01:64:FF:CE:EA
         80->37506 (07:31:27.040 PST)
      66.249.74.120 (6) (07:29:57.179 PST)
         event=1:552123 (6) {tcp} E5[rb] REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner, [] MAC_Src: 00:01:64:FF:CE:EA
         80->53648 (07:29:57.179 PST)
         80->49125 (07:31:02.862 PST)
         80->49688 (07:32:57.570 PST)
         80->54315 (07:34:10.224 PST)
         80->49481 (07:36:15.004 PST)
         80->44566 (07:38:44.784 PST)
      173.199.114.83 (2) (07:27:27.398 PST)
         event=1:552123 (2) {tcp} E5[rb] REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner, [] MAC_Src: 00:01:64:FF:CE:EA
         80->37815 (07:27:27.398 PST)
         80->45051 (07:28:48.961 PST)
   ATTACK PREP
   PEER COORDINATION
   Info PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1361633247.398 1361633775.316 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.85'

============================== SEPARATOR ================================

Score: 1.0 (>= 0.8)
Infected Target: 192.168.1.85
Infector List:
Egg Source List:
C & C List: 66.249.74.120
Peer Coord. List:
Resource List:
Observed Start: 02/23/2013 09:12:14.844 PST
Gen. Time: 02/23/2013 09:27:27.144 PST

   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
      66.249.74.120 (09:27:27.144 PST)
         event=1:2002033 {tcp} E4[rb] ET TROJAN BOT - potential response, [] MAC_Src: 00:01:64:FF:CE:EA
         80->44946 (09:27:27.144 PST)
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
      66.249.74.120 (8) (09:16:06.210 PST)
         event=1:552123 (8) {tcp} E5[rb] REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner, [] MAC_Src: 00:01:64:FF:CE:EA
         80->36479 (09:16:06.210 PST)
         80->39850 (09:18:35.980 PST)
         80->52972 (09:22:20.662 PST)
         80->60405 (09:22:32.271 PST)
         80->63849 (09:24:00.498 PST)
         80->42962 (09:24:37.364 PST)
         80->61950 (09:27:21.651 PST)
         80->44946 (09:27:26.780 PST)
      173.199.114.83 (2) (09:12:14.844 PST)
         event=1:552123 (2) {tcp} E5[rb] REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner, [] MAC_Src: 00:01:64:FF:CE:EA
         80->34808 (09:12:14.844 PST)
         80->58235 (09:19:26.952 PST)
      208.115.111.66 (09:16:43.014 PST)
         event=1:552123 {tcp} E5[rb] REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner, [] MAC_Src: 00:01:64:FF:CE:EA
         80->40293 (09:16:43.014 PST)
   ATTACK PREP
   PEER COORDINATION
   Info PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1361639534.844 1361639534.845 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.85'

============================== SEPARATOR ================================

Score: 1.0 (>= 0.8)
Infected Target: 192.168.1.85
Infector List:
Egg Source List:
C & C List: 66.249.74.120 (2)
Peer Coord. List:
Resource List:
Observed Start: 02/23/2013 09:12:14.844 PST
Gen. Time: 02/23/2013 09:36:44.753 PST

   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
      66.249.74.120 (2) (09:27:27.144 PST-09:27:27.145 PST)
         event=1:2002033 (2) {tcp} E4[rb] ET TROJAN BOT - potential response, [] MAC_Src: 00:01:64:FF:CE:EA
         2: 80->44946 (09:27:27.144 PST-09:27:27.145 PST)
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
      66.249.74.120 (10) (09:16:06.210 PST)
         event=1:552123 (10) {tcp} E5[rb] REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner, [] MAC_Src: 00:01:64:FF:CE:EA
         80->36479 (09:16:06.210 PST)
         80->39850 (09:18:35.980 PST)
         80->52972 (09:22:20.662 PST)
         80->60405 (09:22:32.271 PST)
         80->63849 (09:24:00.498 PST)
         80->42962 (09:24:37.364 PST)
         80->61950 (09:27:21.651 PST)
         80->44946 (09:27:26.780 PST)
         80->37624 (09:30:39.921 PST)
         80->51637 (09:31:29.859 PST)
      173.199.114.83 (3) (09:12:14.844 PST)
         event=1:552123 (3) {tcp} E5[rb] REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner, [] MAC_Src: 00:01:64:FF:CE:EA
         80->34808 (09:12:14.844 PST)
         80->58235 (09:19:26.952 PST)
         80->55244 (09:32:44.571 PST)
      208.115.111.66 (09:16:43.014 PST)
         event=1:552123 {tcp} E5[rb] REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner, [] MAC_Src: 00:01:64:FF:CE:EA
         80->40293 (09:16:43.014 PST)
   ATTACK PREP
   PEER COORDINATION
   Info PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1361639534.844 1361640447.146 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.85'

============================== SEPARATOR ================================