Score: 1.0 (>= 0.8)
Infected Target: 192.168.1.85
Infector List:
Egg Source List:
C & C List: 66.249.74.120
Peer Coord. List:
Resource List:
Observed Start: 02/25/2013 02:12:35.853 PST
Gen. Time: 02/25/2013 02:22:42.309 PST

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
 66.249.74.120 (02:22:42.309 PST)
  event=1:2002033 {tcp} E4[rb] ET TROJAN BOT - potential response, []
  MAC_Src: 00:01:64:FF:CE:EA
  80->35596 (02:22:42.309 PST)
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
 66.249.74.120 (8) (02:12:35.853 PST)
  event=1:552123 (8) {tcp} E5[rb] REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner, []
  MAC_Src: 00:01:64:FF:CE:EA
  80->62819 (02:12:35.853 PST)
  80->36500 (02:16:16.112 PST)
  80->59802 (02:17:11.318 PST)
  80->47030 (02:18:34.051 PST)
  80->65316 (02:19:57.191 PST)
  80->44449 (02:20:24.382 PST)
  80->47210 (02:21:19.428 PST)
  80->42010 (02:22:14.713 PST)
ATTACK PREP
PEER COORDINATION
Info PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1361787155.853 1361787155.854 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.85'

============================== SEPARATOR ================================

Score: 1.0 (>= 0.8)
Infected Target: 192.168.1.85
Infector List:
Egg Source List:
C & C List: 66.249.74.120
Peer Coord. List:
Resource List:
Observed Start: 02/25/2013 02:12:35.853 PST
Gen. Time: 02/25/2013 02:31:45.994 PST

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
 66.249.74.120 (02:22:42.309 PST)
  event=1:2002033 {tcp} E4[rb] ET TROJAN BOT - potential response, []
  MAC_Src: 00:01:64:FF:CE:EA
  80->35596 (02:22:42.309 PST)
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
 66.249.74.120 (11) (02:12:35.853 PST)
  event=1:552123 (11) {tcp} E5[rb] REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner, []
  MAC_Src: 00:01:64:FF:CE:EA
  80->62819 (02:12:35.853 PST)
  80->36500 (02:16:16.112 PST)
  80->59802 (02:17:11.318 PST)
  80->47030 (02:18:34.051 PST)
  80->65316 (02:19:57.191 PST)
  80->44449 (02:20:24.382 PST)
  80->47210 (02:21:19.428 PST)
  80->42010 (02:22:14.713 PST)
  80->64634 (02:25:55.417 PST)
  80->53048 (02:27:17.025 PST)
  80->52012 (02:27:44.652 PST)
ATTACK PREP
PEER COORDINATION
Info PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1361787155.853 1361787155.854 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.85'

============================== SEPARATOR ================================

Score: 1.0 (>= 0.8)
Infected Target: 192.168.1.85
Infector List:
Egg Source List:
C & C List: 66.249.74.120
Peer Coord. List:
Resource List:
Observed Start: 02/25/2013 05:31:52.562 PST
Gen. Time: 02/25/2013 05:44:39.827 PST

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
 66.249.74.120 (05:44:39.827 PST)
  event=1:2002033 {tcp} E4[rb] ET TROJAN BOT - potential response, []
  MAC_Src: 00:01:64:FF:CE:EA
  80->63123 (05:44:39.827 PST)
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
 173.199.116.203 (05:39:37.709 PST)
  event=1:552123 {tcp} E5[rb] REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner, []
  MAC_Src: 00:01:64:FF:CE:EA
  80->40693 (05:39:37.709 PST)
 66.249.74.120 (11) (05:31:52.562 PST)
  event=1:552123 (11) {tcp} E5[rb] REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner, []
  MAC_Src: 00:01:64:FF:CE:EA
  80->53996 (05:31:52.562 PST)
  80->62796 (05:33:42.047 PST)
  80->55327 (05:34:11.586 PST)
  80->52029 (05:35:00.320 PST)
  80->64625 (05:35:31.654 PST)
  80->58695 (05:36:03.038 PST)
  80->63612 (05:37:05.922 PST)
  80->51659 (05:37:37.485 PST)
  80->42515 (05:39:39.041 PST)
  80->43915 (05:40:06.067 PST)
  80->54656 (05:41:34.687 PST)
 208.115.111.66 (05:39:42.201 PST)
  event=1:552123 {tcp} E5[rb] REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner, []
  MAC_Src: 00:01:64:FF:CE:EA
  80->55251 (05:39:42.201 PST)
ATTACK PREP
PEER COORDINATION
Info PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1361799112.562 1361799112.563 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.85'

============================== SEPARATOR ================================

Score: 1.0 (>= 0.8)
Infected Target: 192.168.1.85
Infector List:
Egg Source List:
C & C List: 66.249.74.120
Peer Coord. List:
Resource List:
Observed Start: 02/25/2013 05:31:52.562 PST
Gen. Time: 02/25/2013 05:51:29.645 PST

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
 66.249.74.120 (05:44:39.827 PST)
  event=1:2002033 {tcp} E4[rb] ET TROJAN BOT - potential response, []
  MAC_Src: 00:01:64:FF:CE:EA
  80->63123 (05:44:39.827 PST)
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
 173.199.116.203 (05:39:37.709 PST)
  event=1:552123 {tcp} E5[rb] REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner, []
  MAC_Src: 00:01:64:FF:CE:EA
  80->40693 (05:39:37.709 PST)
 66.249.74.120 (12) (05:31:52.562 PST)
  event=1:552123 (12) {tcp} E5[rb] REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner, []
  MAC_Src: 00:01:64:FF:CE:EA
  80->53996 (05:31:52.562 PST)
  80->62796 (05:33:42.047 PST)
  80->55327 (05:34:11.586 PST)
  80->52029 (05:35:00.320 PST)
  80->64625 (05:35:31.654 PST)
  80->58695 (05:36:03.038 PST)
  80->63612 (05:37:05.922 PST)
  80->51659 (05:37:37.485 PST)
  80->42515 (05:39:39.041 PST)
  80->43915 (05:40:06.067 PST)
  80->54656 (05:41:34.687 PST)
  80->63953 (05:47:29.145 PST)
 208.115.111.66 (05:39:42.201 PST)
  event=1:552123 {tcp} E5[rb] REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner, []
  MAC_Src: 00:01:64:FF:CE:EA
  80->55251 (05:39:42.201 PST)
ATTACK PREP
PEER COORDINATION
Info PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1361799112.562 1361799112.563 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.85'

============================== SEPARATOR ================================

Score: 1.0 (>= 0.8)
Infected Target: 192.168.1.85
Infector List:
Egg Source List:
C & C List: 66.249.74.120
Peer Coord. List:
Resource List:
Observed Start: 02/25/2013 10:07:08.388 PST
Gen. Time: 02/25/2013 10:16:53.847 PST

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
 66.249.74.120 (10:16:53.847 PST)
  event=1:2002033 {tcp} E4[rb] ET TROJAN BOT - potential response, []
  MAC_Src: 00:01:64:FF:CE:EA
  80->43576 (10:16:53.847 PST)
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
 66.249.74.120 (8) (10:07:08.388 PST)
  event=1:552123 (8) {tcp} E5[rb] REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner, []
  MAC_Src: 00:01:64:FF:CE:EA
  80->65080 (10:07:08.388 PST)
  80->57589 (10:08:07.473 PST)
  80->48944 (10:09:06.611 PST)
  80->38608 (10:11:04.839 PST)
  80->37853 (10:12:03.994 PST)
  80->44792 (10:13:03.117 PST)
  80->48674 (10:13:32.750 PST)
  80->49253 (10:15:01.315 PST)
ATTACK PREP
PEER COORDINATION
Info PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1361815628.388 1361815628.389 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.85'

============================== SEPARATOR ================================

Score: 1.0 (>= 0.8)
Infected Target: 192.168.1.85
Infector List:
Egg Source List:
C & C List: 66.249.74.120
Peer Coord. List:
Resource List:
Observed Start: 02/25/2013 10:07:08.388 PST
Gen. Time: 02/25/2013 10:21:00.201 PST

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
 66.249.74.120 (10:16:53.847 PST)
  event=1:2002033 {tcp} E4[rb] ET TROJAN BOT - potential response, []
  MAC_Src: 00:01:64:FF:CE:EA
  80->43576 (10:16:53.847 PST)
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
 66.249.74.120 (9) (10:07:08.388 PST)
  event=1:552123 (9) {tcp} E5[rb] REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner, []
  MAC_Src: 00:01:64:FF:CE:EA
  80->65080 (10:07:08.388 PST)
  80->57589 (10:08:07.473 PST)
  80->48944 (10:09:06.611 PST)
  80->38608 (10:11:04.839 PST)
  80->37853 (10:12:03.994 PST)
  80->44792 (10:13:03.117 PST)
  80->48674 (10:13:32.750 PST)
  80->49253 (10:15:01.315 PST)
  80->60687 (10:16:59.629 PST)
ATTACK PREP
PEER COORDINATION
Info PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1361815628.388 1361815628.389 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.85'

============================== SEPARATOR ================================
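The six profiles above are three infection dialogs for 192.168.1.85, each emitted twice as BotHunter regenerated it with more scan flows. Every flow listed runs from port 80 of the remote host to an ephemeral port on the target, and both signature names ("potential response", "ATTACK-RESPONSES") say they match reply content, so the carved pcap is what confirms or refutes the DECLARE BOT verdict. The tcpslice command printed in each profile covers only the first millisecond after Observed Start (start to start + 0.001), which carves the first packet and nothing else. The parser below is an added example, not BotHunter code: it reads a profile in the layout shown above (unindented section names, peer entries indented one space, event/MAC/port lines indented two spaces), converts the PST stamps to epoch seconds (the PST/PDT offsets are an assumption of this example), and rebuilds the tcpslice pipeline so the window spans Observed Start through Gen. Time. The embedded sample is the first profile on this page, trimmed to the sections that carry events.

```python
"""Parse a BotHunter infection profile and widen its pcap-carving window.

Added example, not part of BotHunter. Assumes the profile layout shown on this
page and that the printed zone abbreviation is PST (UTC-08:00) or PDT (UTC-07:00).
"""
import re
from datetime import datetime, timedelta, timezone

# Sample input: the first profile on this page, trimmed to sections with events.
SAMPLE = """\
Score: 1.0 (>= 0.8)
Infected Target: 192.168.1.85
Infector List:
Egg Source List:
C & C List: 66.249.74.120
Peer Coord. List:
Resource List:
Observed Start: 02/25/2013 02:12:35.853 PST
Gen. Time: 02/25/2013 02:22:42.309 PST

INBOUND SCAN
EXPLOIT
C and C TRAFFIC
 66.249.74.120 (02:22:42.309 PST)
  event=1:2002033 {tcp} E4[rb] ET TROJAN BOT - potential response, []
  MAC_Src: 00:01:64:FF:CE:EA
  80->35596 (02:22:42.309 PST)
OUTBOUND SCAN
 66.249.74.120 (8) (02:12:35.853 PST)
  event=1:552123 (8) {tcp} E5[rb] REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner, []
  MAC_Src: 00:01:64:FF:CE:EA
  80->62819 (02:12:35.853 PST)
  80->36500 (02:16:16.112 PST)
  80->59802 (02:17:11.318 PST)
  80->47030 (02:18:34.051 PST)
  80->65316 (02:19:57.191 PST)
  80->44449 (02:20:24.382 PST)
  80->47210 (02:21:19.428 PST)
  80->42010 (02:22:14.713 PST)
DECLARE BOT

tcpslice 1361787155.853 1361787155.854 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.85'
"""

# Assumed zone mapping; BotHunter prints the sensor's local zone abbreviation.
ZONES = {"PST": timezone(timedelta(hours=-8)), "PDT": timezone(timedelta(hours=-7))}

PEER_RE = re.compile(r"^ (\d{1,3}(?:\.\d{1,3}){3})(?: \((\d+)\))? \(([^)]+)\)$")
EVENT_RE = re.compile(r"^  event=(\d+:\d+)(?: \((\d+)\))? \{(\w+)\} (\S+) (.*?), \[\]$")
PORT_RE = re.compile(r"^  (\d+)->(\d+) \(([^)]+)\)$")
MAC_RE = re.compile(r"^  MAC_Src: ([0-9A-Fa-f:]{17})$")


def to_epoch(stamp):
    """'02/25/2013 02:12:35.853 PST' -> POSIX seconds (millisecond precision)."""
    date, clock, zone = stamp.split()
    naive = datetime.strptime(f"{date} {clock}", "%m/%d/%Y %H:%M:%S.%f")
    return naive.replace(tzinfo=ZONES[zone]).timestamp()


def parse_profile(text):
    """Return {'header': {key: value}, 'sections': {name: [peer, ...]}}."""
    header, sections = {}, {}
    lines = text.splitlines()
    i = 0
    while i < len(lines) and lines[i].strip():      # "Key: value" header block
        key, _, value = lines[i].partition(":")
        header[key.strip()] = value.strip()
        i += 1
    current = peer = None
    for line in lines[i:]:
        if not line.strip() or line.startswith(("tcpslice", "=")):
            continue
        if not line.startswith(" "):                # dialog section heading
            current = line.strip()
            sections[current] = []
            continue
        m = PEER_RE.match(line)
        if m:
            peer = {"ip": m.group(1), "count": int(m.group(2) or 1),
                    "first_seen": m.group(3), "flows": []}
            sections[current].append(peer)
            continue
        m = EVENT_RE.match(line)
        if m:
            peer["sid"], peer["proto"], peer["msg"] = m.group(1), m.group(3), m.group(5)
            continue
        m = MAC_RE.match(line)
        if m:
            peer["mac_src"] = m.group(1)
            continue
        m = PORT_RE.match(line)
        if m:   # (src_port, dst_port, time); src 80 means the remote side replied
            peer["flows"].append((int(m.group(1)), int(m.group(2)), m.group(3)))
    return {"header": header, "sections": sections}


def tcpslice_command(profile, infile="inputFile.tcpd", outfile="outputFile.tcpd"):
    """Carve [Observed Start, Gen. Time] instead of the report's 1 ms window."""
    h = profile["header"]
    start, end = to_epoch(h["Observed Start"]), to_epoch(h["Gen. Time"])
    return (f"tcpslice {start:.3f} {end:.3f} {infile} | "
            f"tcpdump -r - -w {outfile} 'host {h['Infected Target']}'")


def scan_flows(profile, section="OUTBOUND SCAN"):
    """Flatten every (peer_ip, src_port, dst_port, time) in one section."""
    return [(p["ip"], s, d, t) for p in profile["sections"].get(section, [])
            for s, d, t in p["flows"]]


if __name__ == "__main__":
    prof = parse_profile(SAMPLE)
    print(tcpslice_command(prof))
    for row in scan_flows(prof):
        print(row)
```

Run it against a saved profile by replacing SAMPLE with the file contents; the widened command for the first profile is `tcpslice 1361787155.853 1361787762.309 ...`, which is the same start the report printed (Observed Start in epoch seconds) with Gen. Time as the end.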