Score: 0.8 (>= 0.8) Infected Target: 192.168.1.46 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 02/25/2013 07:00:08.475 PST Gen. Time: 02/25/2013 07:00:16.566 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) 204.123.28.56 (07:00:16.566 PST) event=777:7777005 {tcp} E5[bh] Detected moderate malware port scanning of 10 IPs (6 /24s) (# pkts S/M/O/I=0/10/0/0): 22:10, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (07:00:16.566 PST) OUTBOUND SCAN 128.10.19.53 (07:00:08.475 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 38183->22 (07:00:08.475 PST) ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1361804408.475 1361804408.476 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.46' ============================== SEPARATOR ================================ Score: 1.6 (>= 0.8) Infected Target: 192.168.1.46 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 02/25/2013 07:00:08.475 PST Gen. Time: 02/25/2013 07:09:06.553 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) 204.123.28.56 (07:00:16.566 PST) event=777:7777005 {tcp} E5[bh] Detected moderate malware port scanning of 10 IPs (6 /24s) (# pkts S/M/O/I=0/10/0/0): 22:10, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (07:00:16.566 PST) OUTBOUND SCAN 128.208.4.197 (2) (07:01:17.648 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 46676->22 (07:01:17.648 PST) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 46676->22 (07:01:17.648 PST) 128.223.8.111 (07:00:53.866 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 57940->22 (07:00:53.866 PST) 128.10.19.53 (07:00:08.475 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 38183->22 (07:00:08.475 PST) 128.10.19.52 (07:01:36.901 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 41638->22 (07:01:36.901 PST) 131.179.150.70 (2) (07:00:39.257 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 54159->22 (07:00:39.257 PST) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 54159->22 (07:00:39.257 PST) 155.246.12.164 (07:01:47.694 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 46454->22 (07:01:47.694 PST) 192.52.240.214 (07:00:16.566 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 56050->22 (07:00:16.566 PST) 128.42.142.44 (07:01:01.713 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 43458->22 (07:01:01.713 PST) 129.82.12.188 (07:02:14.514 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 34431->22 (07:02:14.514 PST) 192.52.240.213 (07:02:04.246 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 37744->22 (07:02:04.246 PST) 204.123.28.55 (2) (07:01:58.182 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 46710->22 (07:01:58.182 PST) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 46710->22 (07:01:58.182 PST) 204.8.155.226 (07:00:29.546 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 37946->22 (07:00:29.546 PST) 130.127.39.153 (07:01:08.084 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 37685->22 (07:01:08.084 PST) 128.208.4.198 (07:01:26.152 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 43823->22 (07:01:26.152 PST) ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 152.3.138.7 (3) (07:02:10.270 PST-07:05:10.111 PST) event=777:7777008 (3) {tcp} E8[bh] Detected intense malware port scanning of 39 IPs (24 /24s) (# pkts S/M/O/I=0/39/0/0): 22:39, [] MAC_Src: 00:01:64:FF:CE:EA 3: 0->0 (07:02:10.270 PST-07:05:10.111 PST) 204.123.28.56 (07:00:39.994 PST) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 21 IPs (14 /24s) (# pkts S/M/O/I=0/21/0/0): 22:21, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (07:00:39.994 PST) tcpslice 1361804408.475 1361804710.112 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.46' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.46 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 02/25/2013 08:05:16.398 PST Gen. Time: 02/25/2013 08:06:17.805 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) 141.212.113.180 (08:06:17.805 PST) event=777:7777005 {tcp} E5[bh] Detected moderate malware port scanning of 10 IPs (10 /24s) (# pkts S/M/O/I=0/10/0/0): 22:10, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (08:06:17.805 PST) OUTBOUND SCAN 128.111.52.58 (08:06:17.330 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 55297->22 (08:06:17.330 PST) 158.130.6.254 (08:05:36.078 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 51681->22 (08:05:36.078 PST) 128.42.142.45 (08:05:16.398 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 33775->22 (08:05:16.398 PST) 192.52.240.214 (2) (08:05:44.157 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 56417->22 (08:05:44.157 PST) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 56417->22 (08:05:44.157 PST) 204.123.28.56 (08:05:18.990 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 41246->22 (08:05:18.990 PST) 204.8.155.227 (08:06:07.553 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 58650->22 (08:06:07.553 PST) 141.212.113.180 (2) (08:06:14.282 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 41271->22 (08:06:14.282 PST) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 41271->22 (08:06:14.282 PST) 152.3.138.7 (08:05:51.244 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 54696->22 (08:05:51.244 PST) 130.127.39.152 (08:05:58.141 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 44673->22 (08:05:58.141 PST) ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1361808316.398 1361808316.399 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.46' ============================== SEPARATOR ================================ Score: 1.6 (>= 0.8) Infected Target: 192.168.1.46 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 02/25/2013 08:05:16.398 PST Gen. Time: 02/25/2013 08:13:48.060 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) 141.212.113.180 (08:06:17.805 PST) event=777:7777005 {tcp} E5[bh] Detected moderate malware port scanning of 10 IPs (10 /24s) (# pkts S/M/O/I=0/10/0/0): 22:10, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (08:06:17.805 PST) OUTBOUND SCAN 128.111.52.58 (08:06:17.330 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 55297->22 (08:06:17.330 PST) 128.10.19.53 (08:06:24.812 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 38586->22 (08:06:24.812 PST) 131.179.150.70 (08:06:27.907 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 54552->22 (08:06:27.907 PST) 158.130.6.254 (08:05:36.078 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 51681->22 (08:05:36.078 PST) 128.42.142.45 (08:05:16.398 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 33775->22 (08:05:16.398 PST) 192.52.240.214 (2) (08:05:44.157 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 56417->22 (08:05:44.157 PST) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 56417->22 (08:05:44.157 PST) 204.123.28.56 (08:05:18.990 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 41246->22 (08:05:18.990 PST) 204.8.155.227 (08:06:07.553 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 58650->22 (08:06:07.553 PST) 129.82.12.188 (2) (08:06:33.357 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 34774->22 (08:06:33.357 PST) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 34774->22 (08:06:33.357 PST) 141.212.113.180 (2) (08:06:14.282 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 41271->22 (08:06:14.282 PST) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 41271->22 (08:06:14.282 PST) 152.3.138.7 (08:05:51.244 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 54696->22 (08:05:51.244 PST) 141.212.113.179 (08:06:47.526 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 41006->22 (08:06:47.526 PST) 152.3.138.6 (08:06:40.467 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 35849->22 (08:06:40.467 PST) 130.127.39.152 (08:05:58.141 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 44673->22 (08:05:58.141 PST) ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 141.212.113.180 (2) (08:07:35.379 PST) event=777:7777008 (2) {tcp} E8[bh] Detected intense malware port scanning of 21 IPs (16 /24s) (# pkts S/M/O/I=0/21/0/0): 22:21, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (08:07:35.379 PST) 0->0 (08:09:05.539 PST) tcpslice 1361808316.398 1361808316.399 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.46' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.46 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 02/25/2013 08:24:52.701 PST Gen. Time: 02/25/2013 08:25:54.673 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) 128.42.142.45 (08:25:54.673 PST) event=777:7777005 {tcp} E5[bh] Detected moderate malware port scanning of 10 IPs (10 /24s) (# pkts S/M/O/I=0/10/0/0): 22:10, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (08:25:54.673 PST) OUTBOUND SCAN 128.111.52.58 (08:25:54.261 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 55555->22 (08:25:54.261 PST) 158.130.6.254 (08:25:11.112 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 51944->22 (08:25:11.112 PST) 128.42.142.45 (08:24:52.701 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 34037->22 (08:24:52.701 PST) 192.52.240.214 (2) (08:25:21.713 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 56675->22 (08:25:21.713 PST) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 56675->22 (08:25:21.713 PST) 204.123.28.56 (08:24:55.590 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 41508->22 (08:24:55.590 PST) 204.8.155.227 (08:25:43.859 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 58909->22 (08:25:43.859 PST) 141.212.113.180 (2) (08:25:51.365 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 41529->22 (08:25:51.365 PST) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 41529->22 (08:25:51.365 PST) 152.3.138.7 (08:25:28.921 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 54955->22 (08:25:28.921 PST) 130.127.39.152 (08:25:35.770 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 44932->22 (08:25:35.770 PST) ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1361809492.701 1361809492.702 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.46' ============================== SEPARATOR ================================ Score: 1.6 (>= 0.8) Infected Target: 192.168.1.46 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 02/25/2013 08:24:52.701 PST Gen. Time: 02/25/2013 08:33:23.054 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) 128.42.142.45 (08:25:54.673 PST) event=777:7777005 {tcp} E5[bh] Detected moderate malware port scanning of 10 IPs (10 /24s) (# pkts S/M/O/I=0/10/0/0): 22:10, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (08:25:54.673 PST) OUTBOUND SCAN 128.111.52.58 (08:25:54.261 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 55555->22 (08:25:54.261 PST) 128.10.19.53 (08:26:02.181 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 38844->22 (08:26:02.181 PST) 131.179.150.70 (08:26:05.186 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 54810->22 (08:26:05.186 PST) 158.130.6.254 (08:25:11.112 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 51944->22 (08:25:11.112 PST) 128.42.142.45 (08:24:52.701 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 34037->22 (08:24:52.701 PST) 192.52.240.214 (2) (08:25:21.713 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 56675->22 (08:25:21.713 PST) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 56675->22 (08:25:21.713 PST) 204.123.28.56 (08:24:55.590 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 41508->22 (08:24:55.590 PST) 204.8.155.227 (08:25:43.859 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 58909->22 (08:25:43.859 PST) 129.82.12.188 (2) (08:26:11.080 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 35035->22 (08:26:11.080 PST) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 35035->22 (08:26:11.080 PST) 141.212.113.180 (2) (08:25:51.365 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 41529->22 (08:25:51.365 PST) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 41529->22 (08:25:51.365 PST) 152.3.138.7 (08:25:28.921 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 54955->22 (08:25:28.921 PST) 141.212.113.179 (08:26:25.274 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 41266->22 (08:26:25.274 PST) 152.3.138.6 (08:26:18.217 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 36109->22 (08:26:18.217 PST) 130.127.39.152 (08:25:35.770 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 44932->22 (08:25:35.770 PST) ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 198.133.224.149 (08:28:43.601 PST) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 34 IPs (22 /24s) (# pkts S/M/O/I=0/34/0/0): 22:34, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (08:28:43.601 PST) 129.82.12.188 (08:27:13.703 PST) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 21 IPs (16 /24s) (# pkts S/M/O/I=0/21/0/0): 22:21, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (08:27:13.703 PST) tcpslice 1361809492.701 1361809492.702 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.46' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.46 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 02/25/2013 08:44:29.247 PST Gen. Time: 02/25/2013 08:45:43.497 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) 130.127.39.152 (08:45:43.497 PST) event=777:7777005 {tcp} E5[bh] Detected moderate malware port scanning of 10 IPs (10 /24s) (# pkts S/M/O/I=0/10/0/0): 22:10, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (08:45:43.497 PST) OUTBOUND SCAN 128.111.52.58 (08:45:41.676 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 55820->22 (08:45:41.676 PST) 158.130.6.254 (08:44:48.244 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 52207->22 (08:44:48.244 PST) 128.42.142.45 (08:44:29.247 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 34303->22 (08:44:29.247 PST) 192.52.240.214 (2) (08:45:04.235 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 56938->22 (08:45:04.235 PST) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 56938->22 (08:45:04.235 PST) 204.123.28.56 (08:44:32.060 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 41774->22 (08:44:32.060 PST) 204.8.155.227 (08:45:26.015 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 59174->22 (08:45:26.015 PST) 141.212.113.180 (2) (08:45:34.200 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 41794->22 (08:45:34.200 PST) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 41794->22 (08:45:34.200 PST) 152.3.138.7 (08:45:11.627 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 55217->22 (08:45:11.627 PST) 130.127.39.152 (08:45:18.787 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 45194->22 (08:45:18.787 PST) ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1361810669.247 1361810669.248 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.46' ============================== SEPARATOR ================================ Score: 1.6 (>= 0.8) Infected Target: 192.168.1.46 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 02/25/2013 08:44:29.247 PST Gen. Time: 02/25/2013 08:53:55.296 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) 130.127.39.152 (08:45:43.497 PST) event=777:7777005 {tcp} E5[bh] Detected moderate malware port scanning of 10 IPs (10 /24s) (# pkts S/M/O/I=0/10/0/0): 22:10, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (08:45:43.497 PST) OUTBOUND SCAN 128.111.52.58 (08:45:41.676 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 55820->22 (08:45:41.676 PST) 128.10.19.53 (08:45:45.614 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 39109->22 (08:45:45.614 PST) 131.179.150.70 (08:45:54.217 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 55075->22 (08:45:54.217 PST) 158.130.6.254 (08:44:48.244 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 52207->22 (08:44:48.244 PST) 128.42.142.45 (08:44:29.247 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 34303->22 (08:44:29.247 PST) 192.52.240.214 (2) (08:45:04.235 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 56938->22 (08:45:04.235 PST) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 56938->22 (08:45:04.235 PST) 204.123.28.56 (08:44:32.060 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 41774->22 (08:44:32.060 PST) 204.8.155.227 (08:45:26.015 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 59174->22 (08:45:26.015 PST) 129.82.12.188 (2) (08:45:58.007 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 35298->22 (08:45:58.007 PST) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 35298->22 (08:45:58.007 PST) 141.212.113.180 (2) (08:45:34.200 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 41794->22 (08:45:34.200 PST) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 41794->22 (08:45:34.200 PST) 152.3.138.7 (08:45:11.627 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 55217->22 (08:45:11.627 PST) 141.212.113.179 (08:46:15.318 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 41529->22 (08:46:15.318 PST) 152.3.138.6 (08:46:07.014 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 36372->22 (08:46:07.014 PST) 130.127.39.152 (08:45:18.787 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 45194->22 (08:45:18.787 PST) ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 130.127.39.152 (08:47:13.423 PST) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 21 IPs (16 /24s) (# pkts S/M/O/I=0/21/0/0): 22:21, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (08:47:13.423 PST) 204.123.28.55 (08:48:44.184 PST) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 32 IPs (21 /24s) (# pkts S/M/O/I=0/32/0/0): 22:32, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (08:48:44.184 PST) tcpslice 1361810669.247 1361810669.248 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.46' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.46 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 02/25/2013 08:49:52.055 PST Gen. Time: 02/25/2013 08:49:52.055 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 204.123.28.55 (08:49:52.055 PST) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 39 IPs (24 /24s) (# pkts S/M/O/I=0/39/0/0): 22:39, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (08:49:52.055 PST) tcpslice 1361810992.055 1361810992.056 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.46' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.46 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 02/25/2013 09:03:17.891 PST Gen. Time: 02/25/2013 09:04:57.867 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) 192.52.240.213 (2) (09:03:17.891 PST) event=777:7777005 (2) {tcp} E5[bh] Detected moderate malware port scanning of 10 IPs (8 /24s) (# pkts S/M/O/I=0/10/0/0): 22:10, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (09:03:17.891 PST) 0->0 (09:04:52.045 PST) OUTBOUND SCAN 128.42.142.45 (09:04:57.867 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 34561->22 (09:04:57.867 PST) ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1361811797.891 1361811797.892 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.46' ============================== SEPARATOR ================================ Score: 1.6 (>= 0.8) Infected Target: 192.168.1.46 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 02/25/2013 09:03:17.891 PST Gen. Time: 02/25/2013 09:14:38.141 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) 192.52.240.213 (2) (09:03:17.891 PST) event=777:7777005 (2) {tcp} E5[bh] Detected moderate malware port scanning of 10 IPs (8 /24s) (# pkts S/M/O/I=0/10/0/0): 22:10, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (09:03:17.891 PST) 0->0 (09:04:52.045 PST) OUTBOUND SCAN 128.111.52.58 (09:06:07.274 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 56080->22 (09:06:07.274 PST) 128.10.19.53 (09:06:18.242 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 39369->22 (09:06:18.242 PST) 131.179.150.70 (09:06:22.117 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 55335->22 (09:06:22.117 PST) 158.130.6.254 (09:05:22.805 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 52468->22 (09:05:22.805 PST) 128.42.142.45 (09:04:57.867 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 34561->22 (09:04:57.867 PST) 192.52.240.214 (2) (09:05:30.665 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 57200->22 (09:05:30.665 PST) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 57200->22 (09:05:30.665 PST) 204.123.28.56 (09:05:00.614 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 42032->22 (09:05:00.614 PST) 204.8.155.227 (09:05:53.184 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 59434->22 (09:05:53.184 PST) 129.82.12.188 (2) (09:06:30.458 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 35557->22 (09:06:30.458 PST) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 35557->22 (09:06:30.458 PST) 141.212.113.180 (2) (09:06:03.714 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 42054->22 (09:06:03.714 PST) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 42054->22 (09:06:03.714 PST) 152.3.138.7 (09:05:37.836 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 55479->22 (09:05:37.836 PST) 141.212.113.179 (09:06:49.089 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 41789->22 (09:06:49.089 PST) 152.3.138.6 (09:06:38.330 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 36631->22 (09:06:38.330 PST) 130.127.39.152 (09:05:45.271 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 45456->22 (09:05:45.271 PST) ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 192.52.240.213 (6) (09:05:06.539 PST-09:13:33.167 PST) event=777:7777008 (6) {tcp} E8[bh] Detected intense malware port scanning of 39 IPs (24 /24s) (# pkts S/M/O/I=0/39/0/0): 22:39, [] MAC_Src: 00:01:64:FF:CE:EA 2: 0->0 (09:11:35.407 PST-09:13:33.167 PST) 0->0 (09:08:06.283 PST) 0->0 (09:09:36.844 PST) 0->0 (09:05:06.539 PST) 0->0 (09:06:36.880 PST) tcpslice 1361811797.891 1361812413.168 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.46' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.46 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 02/25/2013 09:15:21.199 PST Gen. Time: 02/25/2013 09:15:21.199 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 192.52.240.213 (09:15:21.199 PST) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 39 IPs (24 /24s) (# pkts S/M/O/I=0/39/0/0): 22:39, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (09:15:21.199 PST) tcpslice 1361812521.199 1361812521.200 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.46' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.46 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 02/25/2013 09:19:48.722 PST Gen. Time: 02/25/2013 09:19:48.722 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 192.52.240.213 (09:19:48.722 PST) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 39 IPs (24 /24s) (# pkts S/M/O/I=0/39/0/0): 22:39, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (09:19:48.722 PST) tcpslice 1361812788.722 1361812788.723 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.46' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.46 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 02/25/2013 14:00:15.051 PST Gen. Time: 02/25/2013 14:00:21.759 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) 128.10.19.53 (14:00:21.759 PST) event=777:7777005 {tcp} E5[bh] Detected moderate malware port scanning of 10 IPs (6 /24s) (# pkts S/M/O/I=0/10/0/0): 22:10, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (14:00:21.759 PST) OUTBOUND SCAN 128.10.19.53 (14:00:15.051 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 50925->22 (14:00:15.051 PST) ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1361829615.051 1361829615.052 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.46' ============================== SEPARATOR ================================ Score: 1.6 (>= 0.8) Infected Target: 192.168.1.46 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 02/25/2013 14:00:15.051 PST Gen. Time: 02/25/2013 14:08:46.766 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) 128.10.19.53 (14:00:21.759 PST) event=777:7777005 {tcp} E5[bh] Detected moderate malware port scanning of 10 IPs (6 /24s) (# pkts S/M/O/I=0/10/0/0): 22:10, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (14:00:21.759 PST) OUTBOUND SCAN 128.208.4.197 (2) (14:01:04.900 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 49322->22 (14:01:04.900 PST) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 49322->22 (14:01:04.900 PST) 128.223.8.111 (14:00:46.717 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 47504->22 (14:00:46.717 PST) 128.10.19.53 (14:00:15.051 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 50925->22 (14:00:15.051 PST) 128.10.19.52 (14:01:22.723 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 55626->22 (14:01:22.723 PST) 131.179.150.70 (2) (14:00:39.348 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 38119->22 (14:00:39.348 PST) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 38119->22 (14:00:39.348 PST) 155.246.12.164 (14:01:33.160 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 55650->22 (14:01:33.160 PST) 192.52.240.214 (14:00:21.759 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 57329->22 (14:00:21.759 PST) 128.42.142.44 (14:00:53.402 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 42785->22 (14:00:53.402 PST) 129.82.12.188 (14:02:00.663 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 57032->22 (14:02:00.663 PST) 192.52.240.213 (14:01:50.209 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 41218->22 (14:01:50.209 PST) 204.123.28.55 (2) (14:01:44.356 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 52216->22 (14:01:44.356 PST) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 52216->22 (14:01:44.356 PST) 204.8.155.226 (14:00:31.556 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 53930->22 (14:00:31.556 PST) 130.127.39.153 (14:00:58.634 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 35165->22 (14:00:58.634 PST) 128.208.4.198 (14:01:13.287 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 43546->22 (14:01:13.287 PST) ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 128.10.19.53 (14:00:39.911 PST) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 21 IPs (14 /24s) (# pkts S/M/O/I=0/21/0/0): 22:21, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (14:00:39.911 PST) 13.7.64.22 (2) (14:02:11.511 PST-14:03:41.405 PST) event=777:7777008 (2) {tcp} E8[bh] Detected intense malware port scanning of 39 IPs (24 /24s) (# pkts S/M/O/I=0/39/0/0): 22:39, [] MAC_Src: 00:01:64:FF:CE:EA 2: 0->0 (14:02:11.511 PST-14:03:41.405 PST) tcpslice 1361829615.051 1361829821.406 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.46' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.46 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 02/25/2013 14:04:49.830 PST Gen. Time: 02/25/2013 14:04:49.830 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 13.7.64.22 (14:04:49.830 PST) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 39 IPs (24 /24s) (# pkts S/M/O/I=0/39/0/0): 22:39, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (14:04:49.830 PST) tcpslice 1361829889.830 1361829889.831 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.46' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.46 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 02/25/2013 15:04:56.538 PST Gen. Time: 02/25/2013 15:05:49.138 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) 141.212.113.180 (15:05:49.138 PST) event=777:7777005 {tcp} E5[bh] Detected moderate malware port scanning of 10 IPs (10 /24s) (# pkts S/M/O/I=0/10/0/0): 22:10, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (15:05:49.138 PST) OUTBOUND SCAN 128.111.52.58 (15:05:48.755 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 49720->22 (15:05:48.755 PST) 158.130.6.254 (15:05:09.395 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 35209->22 (15:05:09.395 PST) 128.42.142.45 (15:04:56.538 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 33831->22 (15:04:56.538 PST) 192.52.240.214 (2) (15:05:17.659 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 57515->22 (15:05:17.659 PST) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 57515->22 (15:05:17.659 PST) 204.123.28.56 (15:04:59.201 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 51090->22 (15:04:59.201 PST) 204.8.155.227 (15:05:39.777 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 50646->22 (15:05:39.777 PST) 141.212.113.180 (2) (15:05:46.016 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 47060->22 (15:05:46.016 PST) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 47060->22 (15:05:46.016 PST) 152.3.138.7 (15:05:24.749 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 41501->22 (15:05:24.749 PST) 130.127.39.152 (15:05:32.099 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 59706->22 (15:05:32.099 PST) ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1361833496.538 1361833496.539 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.46' ============================== SEPARATOR ================================ Score: 1.6 (>= 0.8) Infected Target: 192.168.1.46 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 02/25/2013 15:04:56.538 PST Gen. Time: 02/25/2013 15:13:14.126 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) 141.212.113.180 (15:05:49.138 PST) event=777:7777005 {tcp} E5[bh] Detected moderate malware port scanning of 10 IPs (10 /24s) (# pkts S/M/O/I=0/10/0/0): 22:10, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (15:05:49.138 PST) OUTBOUND SCAN 128.111.52.58 (15:05:48.755 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 49720->22 (15:05:48.755 PST) 128.10.19.53 (15:05:55.130 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 51146->22 (15:05:55.130 PST) 131.179.150.70 (15:05:58.227 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 38330->22 (15:05:58.227 PST) 158.130.6.254 (15:05:09.395 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 35209->22 (15:05:09.395 PST) 128.42.142.45 (15:04:56.538 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 33831->22 (15:04:56.538 PST) 192.52.240.214 (2) (15:05:17.659 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 57515->22 (15:05:17.659 PST) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 57515->22 (15:05:17.659 PST) 204.123.28.56 (15:04:59.201 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 51090->22 (15:04:59.201 PST) 204.8.155.227 (15:05:39.777 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 50646->22 (15:05:39.777 PST) 129.82.12.188 (2) (15:06:03.779 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 57196->22 (15:06:03.779 PST) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 57196->22 (15:06:03.779 PST) 141.212.113.180 (2) (15:05:46.016 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 47060->22 (15:05:46.016 PST) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 47060->22 (15:05:46.016 PST) 152.3.138.7 (15:05:24.749 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 41501->22 (15:05:24.749 PST) 141.212.113.179 (15:06:17.731 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 42664->22 (15:06:17.731 PST) 152.3.138.6 (15:06:10.744 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 46014->22 (15:06:10.744 PST) 130.127.39.152 (15:05:32.099 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 59706->22 (15:05:32.099 PST) ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 128.84.154.44 (2) (15:06:59.449 PST) event=777:7777008 (2) {tcp} E8[bh] Detected intense malware port scanning of 21 IPs (16 /24s) (# pkts S/M/O/I=0/21/0/0): 22:21, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (15:06:59.449 PST) 0->0 (15:08:29.100 PST) tcpslice 1361833496.538 1361833496.539 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.46' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.46 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 02/25/2013 15:24:16.428 PST Gen. Time: 02/25/2013 15:25:07.527 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) 152.3.138.7 (15:25:07.527 PST) event=777:7777005 {tcp} E5[bh] Detected moderate malware port scanning of 10 IPs (10 /24s) (# pkts S/M/O/I=0/10/0/0): 22:10, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (15:25:07.527 PST) OUTBOUND SCAN 128.111.52.58 (15:25:07.040 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 49927->22 (15:25:07.040 PST) 158.130.6.254 (15:24:28.480 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 35416->22 (15:24:28.480 PST) 128.42.142.45 (15:24:16.428 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 34038->22 (15:24:16.428 PST) 192.52.240.214 (2) (15:24:35.636 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 57722->22 (15:24:35.636 PST) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 57722->22 (15:24:35.636 PST) 204.123.28.56 (15:24:19.040 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 51297->22 (15:24:19.040 PST) 204.8.155.227 (15:24:57.586 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 50853->22 (15:24:57.586 PST) 141.212.113.180 (2) (15:25:04.053 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 47267->22 (15:25:04.053 PST) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 47267->22 (15:25:04.053 PST) 152.3.138.7 (15:24:43.020 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 41708->22 (15:24:43.020 PST) 130.127.39.152 (15:24:49.879 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 59913->22 (15:24:49.879 PST) ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1361834656.428 1361834656.429 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.46' ============================== SEPARATOR ================================ Score: 1.6 (>= 0.8) Infected Target: 192.168.1.46 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 02/25/2013 15:24:16.428 PST Gen. Time: 02/25/2013 15:32:34.490 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) 152.3.138.7 (15:25:07.527 PST) event=777:7777005 {tcp} E5[bh] Detected moderate malware port scanning of 10 IPs (10 /24s) (# pkts S/M/O/I=0/10/0/0): 22:10, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (15:25:07.527 PST) OUTBOUND SCAN 128.111.52.58 (15:25:07.040 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 49927->22 (15:25:07.040 PST) 128.10.19.53 (15:25:13.553 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 51353->22 (15:25:13.553 PST) 131.179.150.70 (15:25:16.684 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 38537->22 (15:25:16.684 PST) 158.130.6.254 (15:24:28.480 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 35416->22 (15:24:28.480 PST) 128.42.142.45 (15:24:16.428 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 34038->22 (15:24:16.428 PST) 192.52.240.214 (2) (15:24:35.636 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 57722->22 (15:24:35.636 PST) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 57722->22 (15:24:35.636 PST) 204.123.28.56 (15:24:19.040 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 51297->22 (15:24:19.040 PST) 204.8.155.227 (15:24:57.586 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 50853->22 (15:24:57.586 PST) 129.82.12.188 (2) (15:25:23.636 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 57403->22 (15:25:23.636 PST) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 57403->22 (15:25:23.636 PST) 141.212.113.180 (2) (15:25:04.053 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 47267->22 (15:25:04.053 PST) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 47267->22 (15:25:04.053 PST) 152.3.138.7 (15:24:43.020 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 41708->22 (15:24:43.020 PST) 141.212.113.179 (15:25:39.936 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 42871->22 (15:25:39.936 PST) 152.3.138.6 (15:25:32.971 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 46221->22 (15:25:32.971 PST) 130.127.39.152 (15:24:49.879 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 59913->22 (15:24:49.879 PST) ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 152.3.138.7 (2) (15:26:27.996 PST) event=777:7777008 (2) {tcp} E8[bh] Detected intense malware port scanning of 21 IPs (16 /24s) (# pkts S/M/O/I=0/21/0/0): 22:21, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (15:26:27.996 PST) 0->0 (15:27:57.014 PST) tcpslice 1361834656.428 1361834656.429 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.46' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.46 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 02/25/2013 15:43:41.104 PST Gen. Time: 02/25/2013 15:44:32.239 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) 128.42.142.45 (15:44:32.239 PST) event=777:7777005 {tcp} E5[bh] Detected moderate malware port scanning of 10 IPs (10 /24s) (# pkts S/M/O/I=0/10/0/0): 22:10, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (15:44:32.239 PST) OUTBOUND SCAN 128.111.52.58 (15:44:31.809 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 50137->22 (15:44:31.809 PST) 158.130.6.254 (15:43:53.589 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 35626->22 (15:43:53.589 PST) 128.42.142.45 (15:43:41.104 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 34247->22 (15:43:41.104 PST) 192.52.240.214 (2) (15:44:00.811 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 57932->22 (15:44:00.811 PST) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 57932->22 (15:44:00.811 PST) 204.123.28.56 (15:43:43.751 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 51506->22 (15:43:43.751 PST) 204.8.155.227 (15:44:22.767 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 51063->22 (15:44:22.767 PST) 141.212.113.180 (2) (15:44:29.002 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 47477->22 (15:44:29.002 PST) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 47477->22 (15:44:29.002 PST) 152.3.138.7 (15:44:08.005 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 41918->22 (15:44:08.005 PST) 130.127.39.152 (15:44:15.153 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 60123->22 (15:44:15.153 PST) ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1361835821.104 1361835821.105 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.46' ============================== SEPARATOR ================================ Score: 1.6 (>= 0.8) Infected Target: 192.168.1.46 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 02/25/2013 15:43:41.104 PST Gen. Time: 02/25/2013 15:51:55.977 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) 128.42.142.45 (15:44:32.239 PST) event=777:7777005 {tcp} E5[bh] Detected moderate malware port scanning of 10 IPs (10 /24s) (# pkts S/M/O/I=0/10/0/0): 22:10, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (15:44:32.239 PST) OUTBOUND SCAN 128.111.52.58 (15:44:31.809 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 50137->22 (15:44:31.809 PST) 128.10.19.53 (15:44:38.895 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 51563->22 (15:44:38.895 PST) 131.179.150.70 (15:44:41.953 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 38747->22 (15:44:41.953 PST) 158.130.6.254 (15:43:53.589 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 35626->22 (15:43:53.589 PST) 128.42.142.45 (15:43:41.104 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 34247->22 (15:43:41.104 PST) 192.52.240.214 (2) (15:44:00.811 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 57932->22 (15:44:00.811 PST) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 57932->22 (15:44:00.811 PST) 204.123.28.56 (15:43:43.751 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 51506->22 (15:43:43.751 PST) 204.8.155.227 (15:44:22.767 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 51063->22 (15:44:22.767 PST) 129.82.12.188 (2) (15:44:47.149 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 57613->22 (15:44:47.149 PST) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 57613->22 (15:44:47.149 PST) 141.212.113.180 (2) (15:44:29.002 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 47477->22 (15:44:29.002 PST) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 47477->22 (15:44:29.002 PST) 152.3.138.7 (15:44:08.005 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 41918->22 (15:44:08.005 PST) 141.212.113.179 (15:45:01.355 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 43081->22 (15:45:01.355 PST) 152.3.138.6 (15:44:54.152 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 46431->22 (15:44:54.152 PST) 130.127.39.152 (15:44:15.153 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 60123->22 (15:44:15.153 PST) ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 198.133.224.149 (15:47:18.110 PST) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 34 IPs (22 /24s) (# pkts S/M/O/I=0/34/0/0): 22:34, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (15:47:18.110 PST) 129.82.12.188 (15:45:48.776 PST) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 21 IPs (16 /24s) (# pkts S/M/O/I=0/21/0/0): 22:21, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (15:45:48.776 PST) tcpslice 1361835821.104 1361835821.105 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.46' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.46 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 02/25/2013 16:02:23.620 PST Gen. Time: 02/25/2013 16:03:02.369 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) 128.8.126.111 (16:02:23.620 PST) event=777:7777005 {tcp} E5[bh] Detected moderate malware port scanning of 11 IPs (9 /24s) (# pkts S/M/O/I=0/10/1/0): 22:10, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (16:02:23.620 PST) OUTBOUND SCAN 128.42.142.45 (16:03:02.369 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 34453->22 (16:03:02.369 PST) ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1361836943.620 1361836943.621 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.46' ============================== SEPARATOR ================================ Score: 1.6 (>= 0.8) Infected Target: 192.168.1.46 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 02/25/2013 16:02:23.620 PST Gen. Time: 02/25/2013 16:11:22.613 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) 128.8.126.111 (16:02:23.620 PST) event=777:7777005 {tcp} E5[bh] Detected moderate malware port scanning of 11 IPs (9 /24s) (# pkts S/M/O/I=0/10/1/0): 22:10, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (16:02:23.620 PST) OUTBOUND SCAN 128.111.52.58 (16:03:54.750 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 50342->22 (16:03:54.750 PST) 128.10.19.53 (16:04:02.906 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 51768->22 (16:04:02.906 PST) 131.179.150.70 (16:04:06.062 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 38952->22 (16:04:06.062 PST) 158.130.6.254 (16:03:15.665 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 35831->22 (16:03:15.665 PST) 128.42.142.45 (16:03:02.369 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 34453->22 (16:03:02.369 PST) 192.52.240.214 (2) (16:03:23.161 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 58137->22 (16:03:23.161 PST) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 58137->22 (16:03:23.161 PST) 204.123.28.56 (16:03:04.933 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 51712->22 (16:03:04.933 PST) 204.8.155.227 (16:03:45.237 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 51268->22 (16:03:45.237 PST) 129.82.12.188 (2) (16:04:11.243 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 57818->22 (16:04:11.243 PST) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 57818->22 (16:04:11.243 PST) 141.212.113.180 (2) (16:03:51.871 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 47682->22 (16:03:51.871 PST) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 47682->22 (16:03:51.871 PST) 152.3.138.7 (16:03:30.227 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 42123->22 (16:03:30.227 PST) 141.212.113.179 (16:04:25.717 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 43286->22 (16:04:25.717 PST) 152.3.138.6 (16:04:18.312 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 46636->22 (16:04:18.312 PST) 130.127.39.152 (16:03:37.241 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 60328->22 (16:03:37.241 PST) ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 128.42.142.45 (5) (16:03:32.069 PST-16:10:58.049 PST) event=777:7777008 (5) {tcp} E8[bh] Detected intense malware port scanning of 39 IPs (25 /24s) (# pkts S/M/O/I=0/38/1/0): 22:38, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (16:06:32.365 PST) 0->0 (16:05:02.156 PST) 0->0 (16:03:32.069 PST) 2: 0->0 (16:08:27.521 PST-16:10:58.049 PST) tcpslice 1361836943.620 1361837458.050 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.46' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.46 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 02/25/2013 16:13:28.577 PST Gen. Time: 02/25/2013 16:13:28.577 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 128.42.142.45 (16:13:28.577 PST) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 40 IPs (25 /24s) (# pkts S/M/O/I=0/39/1/0): 22:39, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (16:13:28.577 PST) tcpslice 1361837608.577 1361837608.578 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.46' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.46 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 02/25/2013 16:20:26.593 PST Gen. Time: 02/25/2013 16:20:26.593 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 128.42.142.45 (16:20:26.593 PST) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 40 IPs (25 /24s) (# pkts S/M/O/I=0/39/1/0): 22:39, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (16:20:26.593 PST) tcpslice 1361838026.593 1361838026.594 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.46' ============================== SEPARATOR ================================ Score: 1.3 (>= 0.8) Infected Target: 192.168.1.46 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 02/25/2013 16:20:26.593 PST Gen. Time: 02/25/2013 16:31:06.148 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN 128.111.52.58 (16:23:29.760 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 50549->22 (16:23:29.760 PST) 128.10.19.53 (16:23:36.955 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 51975->22 (16:23:36.955 PST) 131.179.150.70 (16:23:40.275 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 39159->22 (16:23:40.275 PST) 158.130.6.254 (16:22:49.549 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 36038->22 (16:22:49.549 PST) 128.42.142.45 (16:22:29.374 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 34660->22 (16:22:29.374 PST) 192.52.240.214 (2) (16:22:57.630 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 58344->22 (16:22:57.630 PST) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 58344->22 (16:22:57.630 PST) 204.123.28.56 (16:22:31.996 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 51919->22 (16:22:31.996 PST) 204.8.155.227 (16:23:19.918 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 51475->22 (16:23:19.918 PST) 129.82.12.188 (2) (16:23:45.971 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 58025->22 (16:23:45.971 PST) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 58025->22 (16:23:45.971 PST) 141.212.113.180 (2) (16:23:26.503 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 47889->22 (16:23:26.503 PST) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 47889->22 (16:23:26.503 PST) 152.3.138.7 (16:23:04.897 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 42330->22 (16:23:04.897 PST) 141.212.113.179 (16:24:00.349 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 43493->22 (16:24:00.349 PST) 152.3.138.6 (16:23:53.276 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 46843->22 (16:23:53.276 PST) 130.127.39.152 (16:23:12.006 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 60535->22 (16:23:12.006 PST) ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 128.42.142.45 (5) (16:20:26.593 PST-16:26:54.570 PST) event=777:7777008 (5) {tcp} E8[bh] Detected intense malware port scanning of 40 IPs (25 /24s) (# pkts S/M/O/I=0/39/1/0): 22:39, [] MAC_Src: 00:21:1C:EE:14:00 5: 0->0 (16:20:26.593 PST-16:26:54.570 PST) tcpslice 1361838026.593 1361838414.571 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.46' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.46 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 02/25/2013 16:36:17.255 PST Gen. Time: 02/25/2013 16:36:17.255 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 128.42.142.45 (16:36:17.255 PST) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 40 IPs (25 /24s) (# pkts S/M/O/I=0/39/1/0): 22:39, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (16:36:17.255 PST) tcpslice 1361838977.255 1361838977.256 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.46' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.46 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 02/25/2013 16:42:06.925 PST Gen. Time: 02/25/2013 16:42:06.925 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 128.42.142.45 (16:42:06.925 PST) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 40 IPs (25 /24s) (# pkts S/M/O/I=0/39/1/0): 22:39, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (16:42:06.925 PST) tcpslice 1361839326.925 1361839326.926 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.46' ============================== SEPARATOR ================================ Score: 1.3 (>= 0.8) Infected Target: 192.168.1.46 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 02/25/2013 16:42:06.925 PST Gen. Time: 02/25/2013 16:50:50.534 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN 128.111.52.58 (16:43:06.839 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 50759->22 (16:43:06.839 PST) 128.10.19.53 (16:43:13.630 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 52185->22 (16:43:13.630 PST) 131.179.150.70 (16:43:16.799 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 39369->22 (16:43:16.799 PST) 158.130.6.254 (16:42:28.033 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 36248->22 (16:42:28.033 PST) 128.42.142.45 (16:42:12.956 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 34870->22 (16:42:12.956 PST) 192.52.240.214 (2) (16:42:35.218 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 58554->22 (16:42:35.218 PST) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 58554->22 (16:42:35.218 PST) 204.123.28.56 (16:42:16.521 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 52129->22 (16:42:16.521 PST) 204.8.155.227 (16:42:57.323 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 51685->22 (16:42:57.323 PST) 129.82.12.188 (2) (16:43:22.212 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 58235->22 (16:43:22.212 PST) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 58235->22 (16:43:22.212 PST) 141.212.113.180 (2) (16:43:03.909 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 48099->22 (16:43:03.909 PST) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 48099->22 (16:43:03.909 PST) 152.3.138.7 (16:42:42.393 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 42540->22 (16:42:42.393 PST) 141.212.113.179 (16:43:36.698 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 43703->22 (16:43:36.698 PST) 152.3.138.6 (16:43:29.453 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 47053->22 (16:43:29.453 PST) 130.127.39.152 (16:42:49.518 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 60745->22 (16:42:49.518 PST) ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 128.42.142.45 (4) (16:42:06.925 PST-16:46:38.382 PST) event=777:7777008 (4) {tcp} E8[bh] Detected intense malware port scanning of 40 IPs (25 /24s) (# pkts S/M/O/I=0/39/1/0): 22:39, [] MAC_Src: 00:21:1C:EE:14:00 4: 0->0 (16:42:06.925 PST-16:46:38.382 PST) tcpslice 1361839326.925 1361839598.383 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.46' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.46 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 02/25/2013 16:50:55.507 PST Gen. Time: 02/25/2013 16:50:55.507 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 128.42.142.45 (16:50:55.507 PST) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 40 IPs (25 /24s) (# pkts S/M/O/I=0/39/1/0): 22:39, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (16:50:55.507 PST) tcpslice 1361839855.507 1361839855.508 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.46' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.46 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 02/25/2013 17:01:58.046 PST Gen. Time: 02/25/2013 17:02:56.719 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) 204.8.155.227 (17:02:56.719 PST) event=777:7777005 {tcp} E5[bh] Detected moderate malware port scanning of 10 IPs (10 /24s) (# pkts S/M/O/I=0/10/0/0): 22:10, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (17:02:56.719 PST) OUTBOUND SCAN 128.111.52.58 (17:02:56.335 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 50964->22 (17:02:56.335 PST) 158.130.6.254 (17:02:15.384 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 36453->22 (17:02:15.384 PST) 128.42.142.45 (17:01:58.046 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 35075->22 (17:01:58.046 PST) 192.52.240.214 (2) (17:02:23.011 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 58759->22 (17:02:23.011 PST) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 58759->22 (17:02:23.011 PST) 204.123.28.56 (17:02:00.710 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 52334->22 (17:02:00.710 PST) 204.8.155.227 (17:02:47.212 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 51890->22 (17:02:47.212 PST) 141.212.113.180 (2) (17:02:53.546 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 48304->22 (17:02:53.546 PST) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 48304->22 (17:02:53.546 PST) 152.3.138.7 (17:02:32.269 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 42745->22 (17:02:32.269 PST) 130.127.39.152 (17:02:39.367 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 60950->22 (17:02:39.367 PST) ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1361840518.046 1361840518.047 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.46' ============================== SEPARATOR ================================ Score: 1.6 (>= 0.8) Infected Target: 192.168.1.46 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 02/25/2013 17:01:58.046 PST Gen. Time: 02/25/2013 17:10:34.830 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) 204.8.155.227 (17:02:56.719 PST) event=777:7777005 {tcp} E5[bh] Detected moderate malware port scanning of 10 IPs (10 /24s) (# pkts S/M/O/I=0/10/0/0): 22:10, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (17:02:56.719 PST) OUTBOUND SCAN 128.111.52.58 (17:02:56.335 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 50964->22 (17:02:56.335 PST) 128.10.19.53 (17:03:03.145 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 52390->22 (17:03:03.145 PST) 131.179.150.70 (17:03:06.538 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 39574->22 (17:03:06.538 PST) 158.130.6.254 (17:02:15.384 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 36453->22 (17:02:15.384 PST) 128.42.142.45 (17:01:58.046 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 35075->22 (17:01:58.046 PST) 192.52.240.214 (2) (17:02:23.011 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 58759->22 (17:02:23.011 PST) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 58759->22 (17:02:23.011 PST) 204.123.28.56 (17:02:00.710 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 52334->22 (17:02:00.710 PST) 204.8.155.227 (17:02:47.212 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 51890->22 (17:02:47.212 PST) 129.82.12.188 (2) (17:03:11.920 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 58440->22 (17:03:11.920 PST) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 58440->22 (17:03:11.920 PST) 141.212.113.180 (2) (17:02:53.546 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 48304->22 (17:02:53.546 PST) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 48304->22 (17:02:53.546 PST) 152.3.138.7 (17:02:32.269 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 42745->22 (17:02:32.269 PST) 141.212.113.179 (17:03:26.167 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 43908->22 (17:03:26.167 PST) 152.3.138.6 (17:03:19.097 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 47258->22 (17:03:19.097 PST) 130.127.39.152 (17:02:39.367 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 60950->22 (17:02:39.367 PST) ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 198.133.224.149 (17:08:17.277 PST) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 40 IPs (25 /24s) (# pkts S/M/O/I=0/40/0/0): 22:40, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (17:08:17.277 PST) 204.8.155.227 (2) (17:03:56.621 PST) event=777:7777008 (2) {tcp} E8[bh] Detected intense malware port scanning of 21 IPs (16 /24s) (# pkts S/M/O/I=0/21/0/0): 22:21, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (17:03:56.621 PST) 0->0 (17:05:27.899 PST) tcpslice 1361840518.046 1361840518.047 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.46' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.46 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 02/25/2013 17:21:43.421 PST Gen. Time: 02/25/2013 17:22:38.974 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) 130.127.39.152 (17:22:38.974 PST) event=777:7777005 {tcp} E5[bh] Detected moderate malware port scanning of 11 IPs (11 /24s) (# pkts S/M/O/I=0/10/0/1): 22:10, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (17:22:38.974 PST) OUTBOUND SCAN 204.8.155.227 (17:22:31.323 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 52098->22 (17:22:31.323 PST) 128.42.142.45 (17:21:43.421 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 35283->22 (17:21:43.421 PST) 152.3.138.7 (17:22:16.173 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 42953->22 (17:22:16.173 PST) 130.127.39.152 (17:22:23.294 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 32925->22 (17:22:23.294 PST) 204.123.28.56 (17:21:45.991 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 52542->22 (17:21:45.991 PST) 141.212.113.180 (2) (17:22:37.821 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 48512->22 (17:22:37.821 PST) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 48512->22 (17:22:37.821 PST) 192.52.240.214 (2) (17:22:08.904 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 58967->22 (17:22:08.904 PST) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 58967->22 (17:22:08.904 PST) 158.130.6.254 (17:22:00.370 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 36661->22 (17:22:00.370 PST) ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1361841703.421 1361841703.422 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.46' ============================== SEPARATOR ================================ Score: 1.6 (>= 0.8) Infected Target: 192.168.1.46 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 02/25/2013 17:21:43.421 PST Gen. Time: 02/25/2013 17:28:37.709 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) 130.127.39.152 (17:22:38.974 PST) event=777:7777005 {tcp} E5[bh] Detected moderate malware port scanning of 11 IPs (11 /24s) (# pkts S/M/O/I=0/10/0/1): 22:10, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (17:22:38.974 PST) OUTBOUND SCAN 128.111.52.58 (17:22:40.930 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 51172->22 (17:22:40.930 PST) 128.10.19.53 (17:22:48.110 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 52598->22 (17:22:48.110 PST) 131.179.150.70 (17:22:51.375 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 39782->22 (17:22:51.375 PST) 158.130.6.254 (17:22:00.370 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 36661->22 (17:22:00.370 PST) 128.42.142.45 (17:21:43.421 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 35283->22 (17:21:43.421 PST) 192.52.240.214 (2) (17:22:08.904 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 58967->22 (17:22:08.904 PST) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 58967->22 (17:22:08.904 PST) 204.123.28.56 (17:21:45.991 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 52542->22 (17:21:45.991 PST) 204.8.155.227 (17:22:31.323 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 52098->22 (17:22:31.323 PST) 129.82.12.188 (2) (17:22:56.870 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 58648->22 (17:22:56.870 PST) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 58648->22 (17:22:56.870 PST) 141.212.113.180 (2) (17:22:37.821 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 48512->22 (17:22:37.821 PST) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 48512->22 (17:22:37.821 PST) 152.3.138.7 (17:22:16.173 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 42953->22 (17:22:16.173 PST) 141.212.113.179 (17:23:12.710 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 44116->22 (17:23:12.710 PST) 152.3.138.6 (17:23:05.438 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 47466->22 (17:23:05.438 PST) 130.127.39.152 (17:22:23.294 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 32925->22 (17:22:23.294 PST) ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 130.127.39.152 (2) (17:23:33.002 PST) event=777:7777008 (2) {tcp} E8[bh] Detected intense malware port scanning of 21 IPs (17 /24s) (# pkts S/M/O/I=0/20/0/1): 22:20, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (17:23:33.002 PST) 0->0 (17:25:03.965 PST) tcpslice 1361841703.421 1361841703.422 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.46' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.46 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 02/25/2013 17:26:14.987 PST Gen. Time: 02/25/2013 17:26:14.987 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 130.127.39.152 (17:26:14.987 PST) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 40 IPs (25 /24s) (# pkts S/M/O/I=0/39/0/1): 22:39, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (17:26:14.987 PST) tcpslice 1361841974.987 1361841974.988 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.46' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.46 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 02/25/2013 17:41:21.461 PST Gen. Time: 02/25/2013 17:42:26.389 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) 204.8.155.227 (17:42:26.389 PST) event=777:7777005 {tcp} E5[bh] Detected moderate malware port scanning of 10 IPs (9 /24s) (# pkts S/M/O/I=0/10/0/0): 22:10, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (17:42:26.389 PST) OUTBOUND SCAN 128.10.19.53 (2) (17:42:17.286 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 52797->22 (17:42:17.286 PST) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 52797->22 (17:42:17.286 PST) 158.130.6.254 (17:41:38.093 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 36870->22 (17:41:38.093 PST) 128.42.142.45 (17:41:21.461 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 35492->22 (17:41:21.461 PST) 192.52.240.214 (2) (17:41:46.379 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 59176->22 (17:41:46.379 PST) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 59176->22 (17:41:46.379 PST) 204.123.28.56 (17:41:24.340 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 52751->22 (17:41:24.340 PST) 204.8.155.227 (17:42:09.534 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 52307->22 (17:42:09.534 PST) 152.3.138.7 (17:41:53.866 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 43162->22 (17:41:53.866 PST) 152.3.138.6 (17:42:24.921 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 47655->22 (17:42:24.921 PST) 130.127.39.152 (17:42:01.164 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 33134->22 (17:42:01.164 PST) ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1361842881.461 1361842881.462 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.46' ============================== SEPARATOR ================================ Score: 1.6 (>= 0.8) Infected Target: 192.168.1.46 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 02/25/2013 17:41:21.461 PST Gen. Time: 02/25/2013 17:48:05.978 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) 128.252.19.18 (17:43:56.846 PST) event=777:7777005 {tcp} E5[bh] Detected moderate malware port scanning of 19 IPs (13 /24s) (# pkts S/M/O/I=0/19/0/0): 22:19, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (17:43:56.846 PST) 204.8.155.227 (17:42:26.389 PST) event=777:7777005 {tcp} E5[bh] Detected moderate malware port scanning of 10 IPs (9 /24s) (# pkts S/M/O/I=0/10/0/0): 22:10, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (17:42:26.389 PST) OUTBOUND SCAN 128.10.19.53 (2) (17:42:17.286 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 52797->22 (17:42:17.286 PST) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 52797->22 (17:42:17.286 PST) 155.246.12.164 (2) (17:42:47.603 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 57490->22 (17:42:47.603 PST) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 57490->22 (17:42:47.603 PST) 13.7.64.22 (17:42:29.586 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 34758->22 (17:42:29.586 PST) 158.130.6.254 (17:41:38.093 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 36870->22 (17:41:38.093 PST) 128.42.142.45 (17:41:21.461 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 35492->22 (17:41:21.461 PST) 192.52.240.214 (2) (17:41:46.379 PST) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 59176->22 (17:41:46.379 PST) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 59176->22 (17:41:46.379 PST) 128.42.142.44 (17:43:17.154 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 44665->22 (17:43:17.154 PST) 128.84.154.44 (17:43:10.582 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 40011->22 (17:43:10.582 PST) 204.123.28.56 (17:41:24.340 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 52751->22 (17:41:24.340 PST) 204.8.155.227 (17:42:09.534 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 52307->22 (17:42:09.534 PST) 192.52.240.213 (17:42:37.552 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 43043->22 (17:42:37.552 PST) 152.3.138.7 (17:41:53.866 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 43162->22 (17:41:53.866 PST) 152.3.138.6 (17:42:24.921 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 47655->22 (17:42:24.921 PST) 130.127.39.152 (17:42:01.164 PST) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 33134->22 (17:42:01.164 PST) ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 128.252.19.18 (17:44:04.823 PST) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 21 IPs (14 /24s) (# pkts S/M/O/I=0/21/0/0): 22:21, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (17:44:04.823 PST) tcpslice 1361842881.461 1361842881.462 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.46' ============================== SEPARATOR ================================