Score: 1.0 (>= 0.8)
Infected Target: 192.168.1.14
Infector List:
Egg Source List:
C & C List: 173.31.74.145
Peer Coord. List:
Resource List:
Observed Start: 03/09/2013 06:19:33.829 PST
Gen. Time: 03/09/2013 06:20:13.159 PST
   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
      173.31.74.145 (06:20:13.159 PST)
         event=1:2002033 {tcp} E4[rb] ET TROJAN BOT - potential response, [] MAC_Src: 00:01:64:FF:CE:EA
         80->5485 (06:20:13.159 PST)
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
      173.31.74.145 (4) (06:19:33.829 PST-06:19:38.524 PST)
         event=1:552123 (4) {tcp} E5[rb] REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner, [] MAC_Src: 00:01:64:FF:CE:EA
         80->5485 (06:20:10.419 PST)
         3: 80->8395 (06:19:33.829 PST-06:19:38.524 PST)
   ATTACK PREP
   PEER COORDINATION
   Info PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
   DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1362838773.829 1362838778.525 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.14'

============================== SEPARATOR ================================

Score: 1.0 (>= 0.8)
Infected Target: 192.168.1.14
Infector List:
Egg Source List:
C & C List: 173.31.74.145 (17)
Peer Coord. List:
Resource List:
Observed Start: 03/09/2013 06:19:33.829 PST
Gen. Time: 03/09/2013 06:28:49.399 PST
   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
      173.31.74.145 (17) (06:20:13.159 PST-06:22:28.286 PST)
         event=1:2002033 (17) {tcp} E4[rb] ET TROJAN BOT - potential response, [] MAC_Src: 00:01:64:FF:CE:EA
         6: 80->34014 (06:22:28.081 PST-06:22:28.286 PST)
         80->25326 (06:22:25.693 PST)
         10: 80->5485 (06:20:13.159 PST-06:20:15.690 PST)
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
      173.31.74.145 (19) (06:19:33.829 PST-06:24:43.684 PST)
         event=1:552123 (19) {tcp} E5[rb] REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner, [] MAC_Src: 00:01:64:FF:CE:EA
         4: 80->22677 (06:20:52.976 PST-06:21:08.329 PST)
         80->13279 (06:23:00.748 PST)
         80->32857 (06:23:59.608 PST)
         3: 80->62855 (06:24:37.800 PST-06:24:43.684 PST)
         3: 80->8395 (06:19:33.829 PST-06:19:38.524 PST)
         80->25326 (06:22:23.465 PST)
         2: 80->40123 (06:23:22.238 PST-06:23:25.020 PST)
         3: 80->52591 (06:22:00.139 PST-06:22:07.557 PST)
         80->5485 (06:20:10.419 PST)
   ATTACK PREP
   PEER COORDINATION
   Info PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
   DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1362838773.829 1362839083.685 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.14'

============================== SEPARATOR ================================

Score: 1.0 (>= 0.8)
Infected Target: 192.168.1.14
Infector List:
Egg Source List:
C & C List: 158.255.213.231
Peer Coord. List:
Resource List:
Observed Start: 03/09/2013 22:36:30.960 PST
Gen. Time: 03/09/2013 22:36:48.724 PST
   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
      158.255.213.231 (22:36:48.724 PST)
         event=1:2002033 {tcp} E4[rb] ET TROJAN BOT - potential response, [] MAC_Src: 00:01:64:FF:CE:EA
         80->44338 (22:36:48.724 PST)
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
      158.255.213.231 (4) (22:36:30.960 PST)
         event=1:552123 (4) {tcp} E5[rb] REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner, [] MAC_Src: 00:01:64:FF:CE:EA
         80->42504 (22:36:30.960 PST)
         80->42805 (22:36:34.423 PST)
         80->43163 (22:36:37.770 PST)
         80->43832 (22:36:43.565 PST)
   ATTACK PREP
   PEER COORDINATION
   Info PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
   DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1362897390.960 1362897390.961 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.14'

============================== SEPARATOR ================================

Score: 1.0 (>= 0.8)
Infected Target: 192.168.1.14
Infector List:
Egg Source List:
C & C List: 158.255.213.231 (9)
Peer Coord. List:
Resource List:
Observed Start: 03/09/2013 22:36:30.960 PST
Gen. Time: 03/09/2013 22:40:42.246 PST
   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
      158.255.213.231 (9) (22:36:48.724 PST-22:36:48.763 PST)
         event=1:2002033 (9) {tcp} E4[rb] ET TROJAN BOT - potential response, [] MAC_Src: 00:01:64:FF:CE:EA
         9: 80->44338 (22:36:48.724 PST-22:36:48.763 PST)
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
      158.255.213.231 (5) (22:36:30.960 PST)
         event=1:552123 (5) {tcp} E5[rb] REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner, [] MAC_Src: 00:01:64:FF:CE:EA
         80->42504 (22:36:30.960 PST)
         80->42805 (22:36:34.423 PST)
         80->43163 (22:36:37.770 PST)
         80->43832 (22:36:43.565 PST)
         80->45206 (22:36:57.186 PST)
   ATTACK PREP
   PEER COORDINATION
   Info PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
   DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1362897390.960 1362897408.764 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.14'

============================== SEPARATOR ================================