Score: 1.0 (>= 0.8)
Infected Target: 192.168.1.14
Infector List:
Egg Source List:
C & C List: 173.242.125.191
Peer Coord. List:
Resource List:
Observed Start: 02/24/2013 21:31:52.460 PST
Gen. Time: 02/24/2013 21:32:13.805 PST

   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
     173.242.125.191 (21:32:13.805 PST)
       event=1:2002033 {tcp} E4[rb] ET TROJAN BOT - potential response, [] MAC_Src: 00:01:64:FF:CE:EA
       80->49059 (21:32:13.805 PST)
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
     173.242.125.191 (6) (21:31:52.460 PST)
       event=1:552123 (6) {tcp} E5[rb] REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner, [] MAC_Src: 00:01:64:FF:CE:EA
       80->45392 (21:31:52.460 PST)
       80->45723 (21:31:53.941 PST)
       80->47222 (21:32:01.778 PST)
       80->47467 (21:32:03.403 PST)
       80->47724 (21:32:05.187 PST)
       80->48539 (21:32:10.294 PST)
   ATTACK PREP
   PEER COORDINATION
   Info PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1361770312.460 1361770312.461 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.14'

============================== SEPARATOR ================================

Score: 1.0 (>= 0.8)
Infected Target: 192.168.1.14
Infector List:
Egg Source List:
C & C List: 173.242.125.191 (9)
Peer Coord. List:
Resource List:
Observed Start: 02/24/2013 21:31:52.460 PST
Gen. Time: 02/24/2013 21:36:32.080 PST

   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
     173.242.125.191 (9) (21:32:13.805 PST-21:32:13.806 PST)
       event=1:2002033 (9) {tcp} E4[rb] ET TROJAN BOT - potential response, [] MAC_Src: 00:01:64:FF:CE:EA
       9: 80->49059 (21:32:13.805 PST-21:32:13.806 PST)
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
     173.242.125.191 (10) (21:31:52.460 PST)
       event=1:552123 (10) {tcp} E5[rb] REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner, [] MAC_Src: 00:01:64:FF:CE:EA
       80->45392 (21:31:52.460 PST)
       80->45723 (21:31:53.941 PST)
       80->47222 (21:32:01.778 PST)
       80->47467 (21:32:03.403 PST)
       80->47724 (21:32:05.187 PST)
       80->48539 (21:32:10.294 PST)
       80->49758 (21:32:19.097 PST)
       80->50362 (21:32:22.676 PST)
       80->50672 (21:32:24.320 PST)
       80->51803 (21:32:31.848 PST)
   ATTACK PREP
   PEER COORDINATION
   Info PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1361770312.460 1361770333.807 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.14'

============================== SEPARATOR ================================

Score: 1.0 (>= 0.8)
Infected Target: 192.168.1.14
Infector List:
Egg Source List:
C & C List: 173.242.125.191
Peer Coord. List:
Resource List:
Observed Start: 02/24/2013 21:39:04.891 PST
Gen. Time: 02/24/2013 21:39:37.008 PST

   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
     173.242.125.191 (21:39:37.008 PST)
       event=1:2002033 {tcp} E4[rb] ET TROJAN BOT - potential response, [] MAC_Src: 00:01:64:FF:CE:EA
       80->36863 (21:39:37.008 PST)
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
     173.242.125.191 (3) (21:39:04.891 PST)
       event=1:552123 (3) {tcp} E5[rb] REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner, [] MAC_Src: 00:01:64:FF:CE:EA
       80->58931 (21:39:04.891 PST)
       80->59250 (21:39:06.639 PST)
       80->35244 (21:39:28.613 PST)
   ATTACK PREP
   PEER COORDINATION
   Info PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1361770744.891 1361770744.892 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.14'

============================== SEPARATOR ================================

Score: 1.0 (>= 0.8)
Infected Target: 192.168.1.14
Infector List:
Egg Source List:
C & C List: 173.242.125.191 (17)
Peer Coord. List:
Resource List:
Observed Start: 02/24/2013 21:39:04.891 PST
Gen. Time: 02/24/2013 21:44:46.559 PST

   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
     173.242.125.191 (17) (21:39:37.008 PST-21:40:46.109 PST)
       event=1:2002033 (17) {tcp} E4[rb] ET TROJAN BOT - potential response, [] MAC_Src: 00:01:64:FF:CE:EA
       9: 80->36863 (21:39:37.008 PST-21:39:37.009 PST)
       8: 80->51135 (21:40:46.108 PST-21:40:46.109 PST)
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
     173.242.125.191 (10) (21:39:04.891 PST)
       event=1:552123 (10) {tcp} E5[rb] REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner, [] MAC_Src: 00:01:64:FF:CE:EA
       80->58931 (21:39:04.891 PST)
       80->59250 (21:39:06.639 PST)
       80->35244 (21:39:28.613 PST)
       80->40341 (21:39:55.989 PST)
       80->41542 (21:40:01.922 PST)
       80->41899 (21:40:03.780 PST)
       80->46983 (21:40:27.949 PST)
       80->47586 (21:40:30.564 PST)
       80->47970 (21:40:32.425 PST)
       80->49817 (21:40:40.209 PST)
   ATTACK PREP
   PEER COORDINATION
   Info PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1361770744.891 1361770846.110 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.14'

============================== SEPARATOR ================================
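The profiles above are easier to pivot on once they are parsed rather than read. The following parser is an added example written for this page; it is not BotHunter's own code and not part of the original dump. It assumes the one-field-per-line profile layout shown above, that the "PST" stamps are fixed UTC-8, and that a profile's flows do not cross midnight. The embedded sample is the fourth profile from the page with the empty section labels (INBOUND SCAN, EXPLOIT, EGG DOWNLOAD, ...) left out to keep it short. It extracts the header, each evidence class (E4 and E5) with its per-flow hit counts, and checks that the tcpslice start argument is the Observed Start time in epoch form.

```python
import re
from datetime import datetime, timedelta, timezone

# Assumption: BotHunter printed "PST" with no offset; treated here as fixed UTC-8.
PST = timezone(timedelta(hours=-8), "PST")

# Constructed sample: the fourth profile from the page, with the empty section
# labels (INBOUND SCAN, EXPLOIT, EGG DOWNLOAD, ...) left out to keep it short.
SAMPLE = """\
Score: 1.0 (>= 0.8)
Infected Target: 192.168.1.14
Infector List:
Egg Source List:
C & C List: 173.242.125.191 (17)
Peer Coord. List:
Resource List:
Observed Start: 02/24/2013 21:39:04.891 PST
Gen. Time: 02/24/2013 21:44:46.559 PST
   C and C TRAFFIC
     173.242.125.191 (17) (21:39:37.008 PST-21:40:46.109 PST)
       event=1:2002033 (17) {tcp} E4[rb] ET TROJAN BOT - potential response, [] MAC_Src: 00:01:64:FF:CE:EA
       9: 80->36863 (21:39:37.008 PST-21:39:37.009 PST)
       8: 80->51135 (21:40:46.108 PST-21:40:46.109 PST)
   OUTBOUND SCAN
     173.242.125.191 (10) (21:39:04.891 PST)
       event=1:552123 (10) {tcp} E5[rb] REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner, [] MAC_Src: 00:01:64:FF:CE:EA
       80->58931 (21:39:04.891 PST)
       80->59250 (21:39:06.639 PST)
       80->35244 (21:39:28.613 PST)
       80->40341 (21:39:55.989 PST)
       80->41542 (21:40:01.922 PST)
       80->41899 (21:40:03.780 PST)
       80->46983 (21:40:27.949 PST)
       80->47586 (21:40:30.564 PST)
       80->47970 (21:40:32.425 PST)
       80->49817 (21:40:40.209 PST)
tcpslice 1361770744.891 1361770846.110 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.14'
"""

HEADER_RE = re.compile(r"^(Score|Infected Target|Infector List|Egg Source List|C & C List|"
                       r"Peer Coord\. List|Resource List|Observed Start|Gen\. Time):\s*(.*)$")
EVENT_RE = re.compile(r"event=(?P<sid>\d+:\d+)(?: \((?P<count>\d+)\))? \{(?P<proto>\w+)\} "
                      r"(?P<evidence>E\d)\[\w+\] (?P<desc>.*?), \[\] MAC_Src: (?P<mac>\S+)")
# Flow lines: optional "n: " hit count, "sport->dport", first (and optional last) time.
FLOW_RE = re.compile(r"^(?:(?P<n>\d+): )?(?P<sport>\d+)->(?P<dport>\d+) "
                     r"\((?P<first>[\d:.]+) PST(?:-(?P<last>[\d:.]+) PST)?\)$")
TCPSLICE_RE = re.compile(r"^tcpslice (?P<start>\d+\.\d+) (?P<end>\d+\.\d+) ")
IP_RE = re.compile(r"(\d+\.\d+\.\d+\.\d+)(?: \((\d+)\))?")

def parse_stamp(stamp):
    """'02/24/2013 21:39:04.891 PST' -> aware datetime (zone assumed UTC-8)."""
    return datetime.strptime(stamp[:-4], "%m/%d/%Y %H:%M:%S.%f").replace(tzinfo=PST)

def parse_profile(text):
    """Return header fields, evidence events with their flows, and the tcpslice window."""
    header, events, tcpslice, cur = {}, [], None, None
    for line in (l.strip() for l in text.splitlines()):
        if m := HEADER_RE.match(line):
            header[m.group(1)] = m.group(2).strip()
        elif m := EVENT_RE.search(line):
            cur = m.groupdict()
            cur["count"] = int(cur["count"] or 1)   # no "(n)" means a single hit
            cur["flows"] = []
            events.append(cur)
        elif (m := FLOW_RE.match(line)) and cur is not None:
            f = m.groupdict()
            cur["flows"].append({"n": int(f["n"] or 1), "sport": int(f["sport"]),
                                 "dport": int(f["dport"]), "first": f["first"],
                                 "last": f["last"] or f["first"]})
        elif m := TCPSLICE_RE.match(line):
            tcpslice = (m.group("start"), m.group("end"))
    return {"score": float(header["Score"].split()[0]),
            "target": header["Infected Target"],
            "cc": [(ip, int(n or 1)) for ip, n in IP_RE.findall(header["C & C List"])],
            "observed_start": parse_stamp(header["Observed Start"]),
            "gen_time": parse_stamp(header["Gen. Time"]),
            "events": events, "tcpslice": tcpslice}

def epoch(dt):
    """Epoch seconds with millisecond precision, the form tcpslice takes."""
    return f"{dt.timestamp():.3f}"

def flow_time(prof, hhmmss):
    """Attach the profile's date to a time-only flow stamp (assumes no midnight rollover)."""
    t = datetime.strptime(hhmmss, "%H:%M:%S.%f").time()
    return datetime.combine(prof["observed_start"].date(), t, PST)

def tcpslice_start_matches(prof):
    """The tcpslice start argument should be Observed Start in epoch form."""
    return prof["tcpslice"][0] == epoch(prof["observed_start"])

def evidence_summary(prof):
    """Per evidence class (E4 = C&C, E5 = outbound scan): sid, declared hit count,
    per-flow hit total, remote-side and target-side ports, and last-seen epoch."""
    out = {}
    for ev in prof["events"]:
        out[ev["evidence"]] = {
            "sid": ev["sid"], "count": ev["count"],
            "flow_hits": sum(f["n"] for f in ev["flows"]),
            "remote_ports": sorted({f["sport"] for f in ev["flows"]}),
            "target_ports": sorted(f["dport"] for f in ev["flows"]),
            "last_seen": epoch(max(flow_time(prof, f["last"]) for f in ev["flows"]))}
    return out
```

Running `evidence_summary(parse_profile(SAMPLE))` shows that both evidence classes consist entirely of flows from port 80 on 173.242.125.191 to ephemeral ports on 192.168.1.14, which is what the signature names already say: the E4 hit is a "potential response" and the E5 hits are ATTACK-RESPONSES banners, so the alerted packets are the remote host's replies to connections the target opened, not packets the target sent. The per-flow prefixes on the C&C lines (9 and 8) add up to the declared count of 17, and `tcpslice_start_matches` confirms that 1361770744.891 is exactly 02/24/2013 21:39:04.891 PST, so the profile's own carve command can be regenerated from the header rather than copied by hand.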