Score: 1.0 (>= 0.8)
Infected Target: 192.168.1.14
Infector List:
Egg Source List:
C & C List: 184.154.48.82
Peer Coord. List:
Resource List:
Observed Start: 03/27/2013 00:23:53.465 PDT
Gen. Time: 03/27/2013 00:24:19.432 PDT

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
  184.154.48.82 (00:24:19.432 PDT)
    event=1:2002033 {tcp} E4[rb] ET TROJAN BOT - potential response, [] MAC_Src: 00:01:64:FF:CE:EA
    80->38522 (00:24:19.432 PDT)
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
  184.154.48.82 (6) (00:23:53.465 PDT)
    event=1:552123 (6) {tcp} E5[rb] REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner, [] MAC_Src: 00:01:64:FF:CE:EA
    80->41849 (00:23:53.465 PDT)
    80->43822 (00:23:55.423 PDT)
    80->53420 (00:24:05.172 PDT)
    80->55303 (00:24:07.099 PDT)
    80->57142 (00:24:09.054 PDT)
    80->34810 (00:24:15.283 PDT)
ATTACK PREP
PEER COORDINATION
Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1364369033.465 1364369033.466 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.14'

============================== SEPARATOR ================================

Score: 1.0 (>= 0.8)
Infected Target: 192.168.1.14
Infector List:
Egg Source List:
C & C List: 184.154.48.82 (17)
Peer Coord. List:
Resource List:
Observed Start: 03/27/2013 00:23:53.465 PDT
Gen. Time: 03/27/2013 00:29:31.525 PDT

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
  184.154.48.82 (17) (00:24:19.432 PDT-00:24:19.433 PDT)
    event=1:2002033 (17) {tcp} E4[rb] ET TROJAN BOT - potential response, [] MAC_Src: 00:01:64:FF:CE:EA
    17: 80->38522 (00:24:19.432 PDT-00:24:19.433 PDT)
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
  184.154.48.82 (17) (00:23:53.465 PDT)
    event=1:552123 (17) {tcp} E5[rb] REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner, [] MAC_Src: 00:01:64:FF:CE:EA
    80->41849 (00:23:53.465 PDT)
    80->43822 (00:23:55.423 PDT)
    80->53420 (00:24:05.172 PDT)
    80->55303 (00:24:07.099 PDT)
    80->57142 (00:24:09.054 PDT)
    80->34810 (00:24:15.283 PDT)
    80->43969 (00:24:25.164 PDT)
    80->47296 (00:24:28.997 PDT)
    80->49015 (00:24:31.005 PDT)
    80->56913 (00:24:40.740 PDT)
    80->58480 (00:24:42.687 PDT)
    80->59971 (00:24:44.621 PDT)
    80->36553 (00:24:50.856 PDT)
    80->44171 (00:25:00.690 PDT)
    80->47155 (00:25:04.556 PDT)
    80->48692 (00:25:06.543 PDT)
    80->56687 (00:25:16.566 PDT)
ATTACK PREP
PEER COORDINATION
Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1364369033.465 1364369059.434 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.14'

============================== SEPARATOR ================================