Score: 0.8 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 03/27/2013 14:00:14.634 PDT Gen. Time: 03/27/2013 14:00:22.552 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) 128.10.19.52 (14:00:22.552 PDT) event=777:7777005 {tcp} E5[bh] Detected moderate malware port scanning of 10 IPs (6 /24s) (# pkts S/M/O/I=0/10/0/0): 22:10, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (14:00:22.552 PDT) OUTBOUND SCAN 128.10.19.52 (14:00:14.634 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 38915->22 (14:00:14.634 PDT) ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1364418014.634 1364418014.635 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' ============================== SEPARATOR ================================ Score: 1.6 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 03/27/2013 14:00:14.634 PDT Gen. Time: 03/27/2013 14:09:54.264 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) 128.10.19.52 (14:00:22.552 PDT) event=777:7777005 {tcp} E5[bh] Detected moderate malware port scanning of 10 IPs (6 /24s) (# pkts S/M/O/I=0/10/0/0): 22:10, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (14:00:22.552 PDT) OUTBOUND SCAN 128.111.52.58 (14:01:13.131 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 48796->22 (14:01:13.131 PDT) 128.208.4.197 (14:01:25.884 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 44345->22 (14:01:25.884 PDT) 128.8.126.111 (14:00:32.604 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 35932->22 (14:00:32.604 PDT) 128.10.19.52 (14:00:14.634 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 38915->22 (14:00:14.634 PDT) 134.88.5.251 (2) (14:01:20.171 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 49294->22 (14:01:20.171 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 49294->22 (14:01:20.171 PDT) 155.246.12.164 (14:02:24.002 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 51106->22 (14:02:24.002 PDT) 158.130.6.254 (14:01:34.743 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 39422->22 (14:01:34.743 PDT) 165.91.55.8 (2) (14:02:13.816 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 51223->22 (14:02:13.816 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 51223->22 (14:02:13.816 PDT) 158.130.6.253 (14:01:58.704 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 35397->22 (14:01:58.704 PDT) 204.123.28.56 (14:00:22.552 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 40834->22 (14:00:22.552 PDT) 204.123.28.55 (14:02:35.468 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 55422->22 (14:02:35.468 PDT) 152.3.138.7 (14:01:05.078 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 57731->22 (14:01:05.078 PDT) 141.212.113.179 (2) (14:00:44.587 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 46742->22 (14:00:44.587 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 46742->22 (14:00:44.587 PDT) 128.252.19.18 (14:00:54.743 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 45655->22 (14:00:54.743 PDT) ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 128.10.19.52 (4) (14:00:46.657 PDT-14:05:18.642 PDT) event=777:7777008 (4) {tcp} E8[bh] Detected intense malware port scanning of 43 IPs (28 /24s) (# pkts S/M/O/I=0/43/0/0): 22:43, [] MAC_Src: 00:01:64:FF:CE:EA 3: 0->0 (14:02:16.818 PDT-14:05:18.642 PDT) 0->0 (14:00:46.657 PDT) tcpslice 1364418014.634 1364418318.643 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 03/27/2013 15:06:30.558 PDT Gen. Time: 03/27/2013 15:07:18.775 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) 141.212.113.180 (15:07:18.775 PDT) event=777:7777005 {tcp} E5[bh] Detected moderate malware port scanning of 10 IPs (9 /24s) (# pkts S/M/O/I=0/10/0/0): 22:10, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (15:07:18.775 PDT) OUTBOUND SCAN 128.111.52.58 (15:07:09.221 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 48989->22 (15:07:09.221 PDT) 131.179.150.70 (2) (15:07:11.685 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 43115->22 (15:07:11.685 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 43115->22 (15:07:11.685 PDT) 158.130.6.254 (15:06:30.558 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 39570->22 (15:06:30.558 PDT) 204.85.191.10 (15:07:06.207 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 59880->22 (15:07:06.207 PDT) 192.52.240.214 (15:06:38.013 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 35564->22 (15:06:38.013 PDT) 204.8.155.227 (2) (15:06:53.001 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 35995->22 (15:06:53.001 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 35995->22 (15:06:53.001 PDT) 129.82.12.188 (15:07:17.749 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 52076->22 (15:07:17.749 PDT) 141.212.113.180 (15:06:59.217 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 33873->22 (15:06:59.217 PDT) 152.3.138.7 (15:06:45.034 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 57909->22 (15:06:45.034 PDT) ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1364421990.558 1364421990.559 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' ============================== SEPARATOR ================================ Score: 1.6 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 03/27/2013 15:06:30.558 PDT Gen. Time: 03/27/2013 15:14:56.784 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) 141.212.113.180 (15:07:18.775 PDT) event=777:7777005 {tcp} E5[bh] Detected moderate malware port scanning of 10 IPs (9 /24s) (# pkts S/M/O/I=0/10/0/0): 22:10, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (15:07:18.775 PDT) OUTBOUND SCAN 128.111.52.58 (15:07:09.221 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 48989->22 (15:07:09.221 PDT) 128.208.4.197 (15:07:38.973 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 44558->22 (15:07:38.973 PDT) 131.179.150.70 (2) (15:07:11.685 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 43115->22 (15:07:11.685 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 43115->22 (15:07:11.685 PDT) 13.7.64.22 (2) (15:07:35.459 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 58902->22 (15:07:35.459 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 58902->22 (15:07:35.459 PDT) 158.130.6.254 (15:06:30.558 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 39570->22 (15:06:30.558 PDT) 204.85.191.10 (15:07:06.207 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 59880->22 (15:07:06.207 PDT) 192.52.240.214 (15:06:38.013 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 35564->22 (15:06:38.013 PDT) 204.8.155.227 (2) (15:06:53.001 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 35995->22 (15:06:53.001 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 35995->22 (15:06:53.001 PDT) 129.82.12.188 (15:07:17.749 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 52076->22 (15:07:17.749 PDT) 141.212.113.180 (15:06:59.217 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 33873->22 (15:06:59.217 PDT) 152.3.138.7 (15:06:45.034 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 57909->22 (15:06:45.034 PDT) 141.212.113.179 (15:07:31.965 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 46972->22 (15:07:31.965 PDT) 128.111.52.59 (15:07:41.492 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 43828->22 (15:07:41.492 PDT) 152.3.138.6 (15:07:24.969 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 44704->22 (15:07:24.969 PDT) ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 141.212.113.179 (15:08:33.124 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 21 IPs (16 /24s) (# pkts S/M/O/I=0/21/0/0): 22:21, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (15:08:33.124 PDT) 131.193.34.38 (15:10:03.338 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 34 IPs (24 /24s) (# pkts S/M/O/I=0/34/0/0): 22:34, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (15:10:03.338 PDT) tcpslice 1364421990.558 1364421990.559 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 03/27/2013 15:10:54.543 PDT Gen. Time: 03/27/2013 15:10:54.543 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 131.193.34.38 (15:10:54.543 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 41 IPs (28 /24s) (# pkts S/M/O/I=0/41/0/0): 22:41, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (15:10:54.543 PDT) tcpslice 1364422254.543 1364422254.544 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 03/27/2013 15:26:00.565 PDT Gen. Time: 03/27/2013 15:26:54.390 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) 204.8.155.227 (15:26:54.390 PDT) event=777:7777005 {tcp} E5[bh] Detected moderate malware port scanning of 10 IPs (10 /24s) (# pkts S/M/O/I=0/10/0/0): 22:10, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (15:26:54.390 PDT) OUTBOUND SCAN 128.111.52.58 (15:26:53.996 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 49214->22 (15:26:53.996 PDT) 158.130.6.254 (15:26:16.179 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 39795->22 (15:26:16.179 PDT) 204.85.191.10 (2) (15:26:51.029 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 60105->22 (15:26:51.029 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 60105->22 (15:26:51.029 PDT) 128.42.142.45 (15:26:00.565 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 48564->22 (15:26:00.565 PDT) 192.52.240.214 (2) (15:26:23.109 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 35789->22 (15:26:23.109 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 35789->22 (15:26:23.109 PDT) 204.123.28.56 (15:26:03.285 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 41239->22 (15:26:03.285 PDT) 204.8.155.227 (15:26:38.024 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 36220->22 (15:26:38.024 PDT) 141.212.113.180 (15:26:44.135 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 34098->22 (15:26:44.135 PDT) 152.3.138.7 (15:26:30.099 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 58134->22 (15:26:30.099 PDT) ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1364423160.565 1364423160.566 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' ============================== SEPARATOR ================================ Score: 1.6 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 03/27/2013 15:26:00.565 PDT Gen. Time: 03/27/2013 15:34:27.903 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) 204.8.155.227 (15:26:54.390 PDT) event=777:7777005 {tcp} E5[bh] Detected moderate malware port scanning of 10 IPs (10 /24s) (# pkts S/M/O/I=0/10/0/0): 22:10, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (15:26:54.390 PDT) OUTBOUND SCAN 128.111.52.58 (15:26:53.996 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 49214->22 (15:26:53.996 PDT) 131.179.150.70 (15:26:56.084 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 43340->22 (15:26:56.084 PDT) 13.7.64.22 (15:27:20.652 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 59127->22 (15:27:20.652 PDT) 158.130.6.254 (15:26:16.179 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 39795->22 (15:26:16.179 PDT) 204.85.191.10 (2) (15:26:51.029 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 60105->22 (15:26:51.029 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 60105->22 (15:26:51.029 PDT) 128.42.142.45 (15:26:00.565 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 48564->22 (15:26:00.565 PDT) 192.52.240.214 (2) (15:26:23.109 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 35789->22 (15:26:23.109 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 35789->22 (15:26:23.109 PDT) 204.123.28.56 (15:26:03.285 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 41239->22 (15:26:03.285 PDT) 204.8.155.227 (15:26:38.024 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 36220->22 (15:26:38.024 PDT) 129.82.12.188 (15:27:02.530 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 52301->22 (15:27:02.530 PDT) 141.212.113.180 (15:26:44.135 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 34098->22 (15:26:44.135 PDT) 152.3.138.7 (15:26:30.099 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 58134->22 (15:26:30.099 PDT) 141.212.113.179 (15:27:17.033 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 47197->22 (15:27:17.033 PDT) 152.3.138.6 (2) (15:27:10.027 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 44929->22 (15:27:10.027 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 44929->22 (15:27:10.027 PDT) ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 204.8.155.227 (15:27:59.495 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 21 IPs (16 /24s) (# pkts S/M/O/I=0/21/0/0): 22:21, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (15:27:59.495 PDT) 128.42.142.44 (15:29:29.446 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 34 IPs (24 /24s) (# pkts S/M/O/I=0/34/0/0): 22:34, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (15:29:29.446 PDT) tcpslice 1364423160.565 1364423160.566 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 03/27/2013 15:30:48.379 PDT Gen. Time: 03/27/2013 15:30:48.379 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 128.42.142.44 (15:30:48.379 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 43 IPs (28 /24s) (# pkts S/M/O/I=0/43/0/0): 22:43, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (15:30:48.379 PDT) tcpslice 1364423448.379 1364423448.380 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 03/27/2013 15:45:53.812 PDT Gen. Time: 03/27/2013 15:46:47.385 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) 131.179.150.70 (15:46:47.385 PDT) event=777:7777005 {tcp} E5[bh] Detected moderate malware port scanning of 10 IPs (10 /24s) (# pkts S/M/O/I=0/10/0/0): 22:10, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (15:46:47.385 PDT) OUTBOUND SCAN 128.111.52.58 (15:46:46.982 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 49439->22 (15:46:46.982 PDT) 158.130.6.254 (15:46:09.089 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 40020->22 (15:46:09.089 PDT) 204.85.191.10 (2) (15:46:43.996 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 60330->22 (15:46:43.996 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 60330->22 (15:46:43.996 PDT) 128.42.142.45 (15:45:53.812 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 48789->22 (15:45:53.812 PDT) 192.52.240.214 (2) (15:46:16.216 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 36014->22 (15:46:16.216 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 36014->22 (15:46:16.216 PDT) 204.123.28.56 (15:45:56.662 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 41464->22 (15:45:56.662 PDT) 204.8.155.227 (15:46:31.106 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 36445->22 (15:46:31.106 PDT) 141.212.113.180 (15:46:37.317 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 34323->22 (15:46:37.317 PDT) 152.3.138.7 (15:46:23.318 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 58359->22 (15:46:23.318 PDT) ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1364424353.812 1364424353.813 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' ============================== SEPARATOR ================================ Score: 1.6 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 03/27/2013 15:45:53.812 PDT Gen. Time: 03/27/2013 15:54:48.163 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) 131.179.150.70 (15:46:47.385 PDT) event=777:7777005 {tcp} E5[bh] Detected moderate malware port scanning of 10 IPs (10 /24s) (# pkts S/M/O/I=0/10/0/0): 22:10, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (15:46:47.385 PDT) OUTBOUND SCAN 128.111.52.58 (15:46:46.982 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 49439->22 (15:46:46.982 PDT) 131.179.150.70 (15:46:50.237 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 43565->22 (15:46:50.237 PDT) 13.7.64.22 (15:47:13.277 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 59352->22 (15:47:13.277 PDT) 158.130.6.254 (15:46:09.089 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 40020->22 (15:46:09.089 PDT) 204.85.191.10 (2) (15:46:43.996 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 60330->22 (15:46:43.996 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 60330->22 (15:46:43.996 PDT) 128.42.142.45 (15:45:53.812 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 48789->22 (15:45:53.812 PDT) 192.52.240.214 (2) (15:46:16.216 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 36014->22 (15:46:16.216 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 36014->22 (15:46:16.216 PDT) 204.123.28.56 (15:45:56.662 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 41464->22 (15:45:56.662 PDT) 204.8.155.227 (15:46:31.106 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 36445->22 (15:46:31.106 PDT) 129.82.12.188 (15:46:55.747 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 52526->22 (15:46:55.747 PDT) 141.212.113.180 (15:46:37.317 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 34323->22 (15:46:37.317 PDT) 152.3.138.7 (15:46:23.318 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 58359->22 (15:46:23.318 PDT) 141.212.113.179 (15:47:09.824 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 47422->22 (15:47:09.824 PDT) 152.3.138.6 (2) (15:47:03.187 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 45154->22 (15:47:03.187 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 45154->22 (15:47:03.187 PDT) ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 198.133.224.149 (15:49:21.356 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 34 IPs (24 /24s) (# pkts S/M/O/I=0/34/0/0): 22:34, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (15:49:21.356 PDT) 128.208.4.197 (15:47:50.615 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 21 IPs (16 /24s) (# pkts S/M/O/I=0/21/0/0): 22:21, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (15:47:50.615 PDT) tcpslice 1364424353.812 1364424353.813 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 03/27/2013 15:50:34.569 PDT Gen. Time: 03/27/2013 15:50:34.569 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 128.252.19.18 (15:50:34.569 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 43 IPs (28 /24s) (# pkts S/M/O/I=0/43/0/0): 22:43, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (15:50:34.569 PDT) tcpslice 1364424634.569 1364424634.570 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 03/27/2013 16:05:34.567 PDT Gen. Time: 03/27/2013 16:05:40.355 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) 128.42.142.45 (16:05:34.567 PDT) event=777:7777005 {tcp} E5[bh] Detected moderate malware port scanning of 10 IPs (7 /24s) (# pkts S/M/O/I=0/10/0/0): 22:10, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (16:05:34.567 PDT) OUTBOUND SCAN 128.42.142.45 (16:05:40.355 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 49014->22 (16:05:40.355 PDT) ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1364425534.567 1364425534.568 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 03/27/2013 16:05:34.567 PDT Gen. Time: 03/27/2013 16:09:45.131 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) 128.42.142.45 (16:05:34.567 PDT) event=777:7777005 {tcp} E5[bh] Detected moderate malware port scanning of 10 IPs (7 /24s) (# pkts S/M/O/I=0/10/0/0): 22:10, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (16:05:34.567 PDT) 139.78.141.243 (2) (16:07:06.850 PDT) event=777:7777005 (2) {tcp} E5[bh] Detected moderate malware port scanning of 14 IPs (11 /24s) (# pkts S/M/O/I=0/14/0/0): 22:14, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (16:07:06.850 PDT) 0->0 (16:09:37.378 PDT) OUTBOUND SCAN 128.42.142.45 (16:05:40.355 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 49014->22 (16:05:40.355 PDT) 204.123.28.56 (16:05:43.208 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 41689->22 (16:05:43.208 PDT) ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1364425534.567 1364425534.568 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 03/27/2013 16:10:11.601 PDT Gen. Time: 03/27/2013 16:11:08.076 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) 139.78.141.243 (16:11:08.076 PDT) event=777:7777005 {tcp} E5[bh] Detected moderate malware port scanning of 20 IPs (16 /24s) (# pkts S/M/O/I=0/20/0/0): 22:20, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (16:11:08.076 PDT) OUTBOUND SCAN 128.111.52.58 (16:10:50.644 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 49664->22 (16:10:50.644 PDT) 131.179.150.70 (2) (16:10:52.744 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 43790->22 (16:10:52.744 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 43790->22 (16:10:52.744 PDT) 158.130.6.254 (16:10:11.601 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 40245->22 (16:10:11.601 PDT) 204.85.191.10 (16:10:47.608 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 60555->22 (16:10:47.608 PDT) 192.52.240.214 (16:10:18.880 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 36239->22 (16:10:18.880 PDT) 204.8.155.227 (2) (16:10:34.353 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 36670->22 (16:10:34.353 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 36670->22 (16:10:34.353 PDT) 129.82.12.188 (16:10:59.088 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 52751->22 (16:10:59.088 PDT) 141.212.113.180 (16:10:40.884 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 34548->22 (16:10:40.884 PDT) 152.3.138.7 (16:10:26.231 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 58584->22 (16:10:26.231 PDT) 152.3.138.6 (16:11:06.611 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 45379->22 (16:11:06.611 PDT) ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1364425811.601 1364425811.602 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' ============================== SEPARATOR ================================ Score: 1.6 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 03/27/2013 16:10:11.601 PDT Gen. Time: 03/27/2013 16:18:43.268 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) 139.78.141.243 (16:11:08.076 PDT) event=777:7777005 {tcp} E5[bh] Detected moderate malware port scanning of 20 IPs (16 /24s) (# pkts S/M/O/I=0/20/0/0): 22:20, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (16:11:08.076 PDT) OUTBOUND SCAN 128.111.52.58 (16:10:50.644 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 49664->22 (16:10:50.644 PDT) 128.208.4.197 (16:11:21.782 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 45233->22 (16:11:21.782 PDT) 131.179.150.70 (2) (16:10:52.744 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 43790->22 (16:10:52.744 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 43790->22 (16:10:52.744 PDT) 13.7.64.22 (2) (16:11:18.237 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 59577->22 (16:11:18.237 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 59577->22 (16:11:18.237 PDT) 158.130.6.254 (16:10:11.601 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 40245->22 (16:10:11.601 PDT) 204.85.191.10 (16:10:47.608 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 60555->22 (16:10:47.608 PDT) 192.52.240.214 (16:10:18.880 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 36239->22 (16:10:18.880 PDT) 204.8.155.227 (2) (16:10:34.353 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 36670->22 (16:10:34.353 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 36670->22 (16:10:34.353 PDT) 129.82.12.188 (16:10:59.088 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 52751->22 (16:10:59.088 PDT) 141.212.113.180 (16:10:40.884 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 34548->22 (16:10:40.884 PDT) 152.3.138.7 (16:10:26.231 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 58584->22 (16:10:26.231 PDT) 141.212.113.179 (16:11:14.308 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 47647->22 (16:11:14.308 PDT) 128.111.52.59 (16:11:24.452 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 44503->22 (16:11:24.452 PDT) 152.3.138.6 (16:11:06.611 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 45379->22 (16:11:06.611 PDT) ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 128.252.19.19 (3) (16:12:46.061 PDT) event=777:7777008 (3) {tcp} E8[bh] Detected intense malware port scanning of 32 IPs (24 /24s) (# pkts S/M/O/I=0/32/0/0): 22:32, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (16:12:46.061 PDT) 0->0 (16:14:16.737 PDT) 0->0 (16:15:48.642 PDT) 139.78.141.243 (16:11:15.568 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 21 IPs (17 /24s) (# pkts S/M/O/I=0/21/0/0): 22:21, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (16:11:15.568 PDT) tcpslice 1364425811.601 1364425811.602 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 03/27/2013 16:22:02.030 PDT Gen. Time: 03/27/2013 16:22:02.030 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 128.252.19.19 (16:22:02.030 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 43 IPs (28 /24s) (# pkts S/M/O/I=0/43/0/0): 22:43, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (16:22:02.030 PDT) tcpslice 1364426522.030 1364426522.031 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 03/27/2013 16:28:20.840 PDT Gen. Time: 03/27/2013 16:28:20.840 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 128.252.19.19 (16:28:20.840 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 43 IPs (28 /24s) (# pkts S/M/O/I=0/43/0/0): 22:43, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (16:28:20.840 PDT) tcpslice 1364426900.840 1364426900.841 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' ============================== SEPARATOR ================================ Score: 1.3 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 03/27/2013 16:28:20.840 PDT Gen. Time: 03/27/2013 16:39:35.383 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN 128.111.52.58 (16:30:57.468 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 49889->22 (16:30:57.468 PDT) 131.179.150.70 (16:30:59.613 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 44015->22 (16:30:59.613 PDT) 13.7.64.22 (16:31:25.053 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 59802->22 (16:31:25.053 PDT) 158.130.6.254 (16:30:18.091 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 40470->22 (16:30:18.091 PDT) 204.85.191.10 (2) (16:30:54.488 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 60780->22 (16:30:54.488 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 60780->22 (16:30:54.488 PDT) 128.42.142.45 (16:29:56.364 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 49239->22 (16:29:56.364 PDT) 192.52.240.214 (2) (16:30:25.652 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 36464->22 (16:30:25.652 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 36464->22 (16:30:25.652 PDT) 204.123.28.56 (16:29:59.129 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 41914->22 (16:29:59.129 PDT) 204.8.155.227 (16:30:40.712 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 36895->22 (16:30:40.712 PDT) 129.82.12.188 (16:31:06.103 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 52976->22 (16:31:06.103 PDT) 141.212.113.180 (16:30:47.524 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 34773->22 (16:30:47.524 PDT) 152.3.138.7 (16:30:32.718 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 58809->22 (16:30:32.718 PDT) 141.212.113.179 (16:31:21.370 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 47872->22 (16:31:21.370 PDT) 152.3.138.6 (2) (16:31:13.892 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 45604->22 (16:31:13.892 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 45604->22 (16:31:13.892 PDT) ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 128.252.19.19 (5) (16:28:20.840 PDT-16:34:21.254 PDT) event=777:7777008 (5) {tcp} E8[bh] Detected intense malware port scanning of 43 IPs (28 /24s) (# pkts S/M/O/I=0/43/0/0): 22:43, [] MAC_Src: 00:01:64:FF:CE:EA 5: 0->0 (16:28:20.840 PDT-16:34:21.254 PDT) tcpslice 1364426900.840 1364427261.255 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 03/27/2013 16:35:40.523 PDT Gen. Time: 03/27/2013 16:35:40.523 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 128.252.19.19 (16:35:40.523 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 43 IPs (28 /24s) (# pkts S/M/O/I=0/43/0/0): 22:43, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (16:35:40.523 PDT) tcpslice 1364427340.523 1364427340.524 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 03/27/2013 16:50:46.753 PDT Gen. Time: 03/27/2013 16:51:40.561 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) 204.123.28.56 (16:51:40.561 PDT) event=777:7777005 {tcp} E5[bh] Detected moderate malware port scanning of 10 IPs (10 /24s) (# pkts S/M/O/I=0/10/0/0): 22:10, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (16:51:40.561 PDT) OUTBOUND SCAN 204.85.191.10 (2) (16:51:39.300 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 32772->22 (16:51:39.300 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 32772->22 (16:51:39.300 PDT) 204.8.155.227 (16:51:25.866 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 37120->22 (16:51:25.866 PDT) 128.42.142.45 (16:50:46.753 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 49464->22 (16:50:46.753 PDT) 152.3.138.7 (16:51:17.874 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 59034->22 (16:51:17.874 PDT) 204.123.28.56 (16:50:49.468 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 42139->22 (16:50:49.468 PDT) 141.212.113.180 (16:51:32.311 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 34998->22 (16:51:32.311 PDT) 192.52.240.214 (2) (16:51:10.676 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 36689->22 (16:51:10.676 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 36689->22 (16:51:10.676 PDT) 158.130.6.254 (16:51:03.219 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 40695->22 (16:51:03.219 PDT) ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1364428246.753 1364428246.754 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' ============================== SEPARATOR ================================ Score: 1.6 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 03/27/2013 16:50:46.753 PDT Gen. Time: 03/27/2013 16:59:41.257 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) 204.123.28.56 (16:51:40.561 PDT) event=777:7777005 {tcp} E5[bh] Detected moderate malware port scanning of 10 IPs (10 /24s) (# pkts S/M/O/I=0/10/0/0): 22:10, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (16:51:40.561 PDT) OUTBOUND SCAN 128.111.52.58 (16:51:42.272 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 50114->22 (16:51:42.272 PDT) 131.179.150.70 (16:51:44.908 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 44240->22 (16:51:44.908 PDT) 13.7.64.22 (16:52:08.866 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 60027->22 (16:52:08.866 PDT) 158.130.6.254 (16:51:03.219 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 40695->22 (16:51:03.219 PDT) 204.85.191.10 (2) (16:51:39.300 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 32772->22 (16:51:39.300 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 32772->22 (16:51:39.300 PDT) 128.42.142.45 (16:50:46.753 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 49464->22 (16:50:46.753 PDT) 192.52.240.214 (2) (16:51:10.676 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 36689->22 (16:51:10.676 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 36689->22 (16:51:10.676 PDT) 204.123.28.56 (16:50:49.468 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 42139->22 (16:50:49.468 PDT) 204.8.155.227 (16:51:25.866 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 37120->22 (16:51:25.866 PDT) 129.82.12.188 (16:51:50.600 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 53201->22 (16:51:50.600 PDT) 141.212.113.180 (16:51:32.311 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 34998->22 (16:51:32.311 PDT) 152.3.138.7 (16:51:17.874 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 59034->22 (16:51:17.874 PDT) 141.212.113.179 (16:52:05.153 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 48097->22 (16:52:05.153 PDT) 152.3.138.6 (2) (16:51:58.130 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 45829->22 (16:51:58.130 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 45829->22 (16:51:58.130 PDT) ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 198.133.224.147 (2) (16:54:00.496 PDT) event=777:7777008 (2) {tcp} E8[bh] Detected intense malware port scanning of 32 IPs (23 /24s) (# pkts S/M/O/I=0/32/0/0): 22:32, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (16:54:00.496 PDT) 0->0 (16:55:30.163 PDT) 204.123.28.56 (16:52:30.058 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 21 IPs (15 /24s) (# pkts S/M/O/I=0/21/0/0): 22:21, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (16:52:30.058 PDT) tcpslice 1364428246.753 1364428246.754 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 03/27/2013 17:10:49.842 PDT Gen. Time: 03/27/2013 17:14:07.167 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) 204.8.155.227 (17:14:07.167 PDT) event=777:7777005 {tcp} E5[bh] Detected moderate malware port scanning of 10 IPs (9 /24s) (# pkts S/M/O/I=0/10/0/0): 22:10, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (17:14:07.167 PDT) OUTBOUND SCAN 204.8.155.227 (17:13:57.697 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 37344->22 (17:13:57.697 PDT) 128.42.142.45 (17:10:49.842 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 49689->22 (17:10:49.842 PDT) 152.3.138.7 (17:13:49.720 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 59258->22 (17:13:49.720 PDT) 204.123.28.56 (17:10:52.795 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 42364->22 (17:10:52.795 PDT) 141.212.113.180 (2) (17:14:04.914 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 35222->22 (17:14:04.914 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 35222->22 (17:14:04.914 PDT) 192.52.240.214 (17:13:40.236 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 36913->22 (17:13:40.236 PDT) 158.130.6.254 (17:12:42.247 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 40919->22 (17:12:42.247 PDT) ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1364429449.842 1364429449.843 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' ============================== SEPARATOR ================================ Score: 1.6 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 03/27/2013 17:10:49.842 PDT Gen. Time: 03/27/2013 17:22:43.703 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) 204.8.155.227 (17:14:07.167 PDT) event=777:7777005 {tcp} E5[bh] Detected moderate malware port scanning of 10 IPs (9 /24s) (# pkts S/M/O/I=0/10/0/0): 22:10, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (17:14:07.167 PDT) OUTBOUND SCAN 128.111.52.58 (17:14:16.237 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 50338->22 (17:14:16.237 PDT) 128.208.4.197 (17:14:47.241 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 45907->22 (17:14:47.241 PDT) 131.179.150.70 (17:14:18.793 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 44464->22 (17:14:18.793 PDT) 13.7.64.22 (17:14:43.855 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 60251->22 (17:14:43.855 PDT) 158.130.6.254 (17:12:42.247 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 40919->22 (17:12:42.247 PDT) 204.85.191.10 (17:14:12.109 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 32996->22 (17:14:12.109 PDT) 128.42.142.45 (17:10:49.842 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 49689->22 (17:10:49.842 PDT) 192.52.240.214 (17:13:40.236 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 36913->22 (17:13:40.236 PDT) 204.123.28.56 (17:10:52.795 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 42364->22 (17:10:52.795 PDT) 204.8.155.227 (17:13:57.697 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 37344->22 (17:13:57.697 PDT) 129.82.12.188 (2) (17:14:24.746 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 53425->22 (17:14:24.746 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 53425->22 (17:14:24.746 PDT) 141.212.113.180 (2) (17:14:04.914 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 35222->22 (17:14:04.914 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 35222->22 (17:14:04.914 PDT) 152.3.138.7 (17:13:49.720 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 59258->22 (17:13:49.720 PDT) 141.212.113.179 (17:14:39.476 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 48321->22 (17:14:39.476 PDT) 152.3.138.6 (17:14:32.284 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 46053->22 (17:14:32.284 PDT) ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 204.8.155.227 (3) (17:15:15.419 PDT) event=777:7777008 (3) {tcp} E8[bh] Detected intense malware port scanning of 21 IPs (16 /24s) (# pkts S/M/O/I=0/21/0/0): 22:21, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (17:15:15.419 PDT) 0->0 (17:16:46.340 PDT) 0->0 (17:18:17.721 PDT) tcpslice 1364429449.842 1364429449.843 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 03/27/2013 17:33:54.989 PDT Gen. Time: 03/27/2013 17:34:54.054 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) 141.212.113.180 (17:34:54.054 PDT) event=777:7777005 {tcp} E5[bh] Detected moderate malware port scanning of 10 IPs (10 /24s) (# pkts S/M/O/I=0/10/0/0): 22:10, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (17:34:54.054 PDT) OUTBOUND SCAN 128.111.52.58 (17:34:53.656 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 50564->22 (17:34:53.656 PDT) 158.130.6.254 (17:34:14.205 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 41145->22 (17:34:14.205 PDT) 204.85.191.10 (2) (17:34:50.599 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 33222->22 (17:34:50.599 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 33222->22 (17:34:50.599 PDT) 128.42.142.45 (17:33:54.989 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 49914->22 (17:33:54.989 PDT) 192.52.240.214 (2) (17:34:22.011 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 37139->22 (17:34:22.011 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 37139->22 (17:34:22.011 PDT) 204.123.28.56 (17:33:57.784 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 42589->22 (17:33:57.784 PDT) 204.8.155.227 (17:34:37.272 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 37570->22 (17:34:37.272 PDT) 141.212.113.180 (17:34:43.694 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 35448->22 (17:34:43.694 PDT) 152.3.138.7 (17:34:29.194 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 59484->22 (17:34:29.194 PDT) ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1364430834.989 1364430834.990 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' ============================== SEPARATOR ================================ Score: 1.6 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 03/27/2013 17:33:54.989 PDT Gen. Time: 03/27/2013 17:43:22.830 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) 141.212.113.180 (17:34:54.054 PDT) event=777:7777005 {tcp} E5[bh] Detected moderate malware port scanning of 10 IPs (10 /24s) (# pkts S/M/O/I=0/10/0/0): 22:10, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (17:34:54.054 PDT) OUTBOUND SCAN 128.111.52.58 (17:34:53.656 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 50564->22 (17:34:53.656 PDT) 131.179.150.70 (17:34:55.871 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 44690->22 (17:34:55.871 PDT) 13.7.64.22 (17:35:20.733 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 60477->22 (17:35:20.733 PDT) 158.130.6.254 (17:34:14.205 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 41145->22 (17:34:14.205 PDT) 204.85.191.10 (2) (17:34:50.599 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 33222->22 (17:34:50.599 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 33222->22 (17:34:50.599 PDT) 128.42.142.45 (17:33:54.989 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 49914->22 (17:33:54.989 PDT) 192.52.240.214 (2) (17:34:22.011 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 37139->22 (17:34:22.011 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 37139->22 (17:34:22.011 PDT) 204.123.28.56 (17:33:57.784 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 42589->22 (17:33:57.784 PDT) 204.8.155.227 (17:34:37.272 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 37570->22 (17:34:37.272 PDT) 129.82.12.188 (17:35:02.092 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 53651->22 (17:35:02.092 PDT) 141.212.113.180 (17:34:43.694 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 35448->22 (17:34:43.694 PDT) 152.3.138.7 (17:34:29.194 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 59484->22 (17:34:29.194 PDT) 141.212.113.179 (17:35:17.038 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 48547->22 (17:35:17.038 PDT) 152.3.138.6 (2) (17:35:09.999 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 46279->22 (17:35:09.999 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 46279->22 (17:35:09.999 PDT) ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 128.42.142.44 (3) (17:37:32.692 PDT) event=777:7777008 (3) {tcp} E8[bh] Detected intense malware port scanning of 31 IPs (23 /24s) (# pkts S/M/O/I=0/31/0/0): 22:31, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (17:37:32.692 PDT) 0->0 (17:39:02.014 PDT) 0->0 (17:40:40.304 PDT) 141.212.113.180 (17:36:01.541 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 21 IPs (16 /24s) (# pkts S/M/O/I=0/21/0/0): 22:21, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (17:36:01.541 PDT) tcpslice 1364430834.989 1364430834.990 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 03/27/2013 17:54:29.327 PDT Gen. Time: 03/27/2013 17:55:28.172 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) 204.123.28.56 (17:55:28.172 PDT) event=777:7777005 {tcp} E5[bh] Detected moderate malware port scanning of 10 IPs (10 /24s) (# pkts S/M/O/I=0/10/0/0): 22:10, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (17:55:28.172 PDT) OUTBOUND SCAN 128.111.52.58 (17:55:27.786 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 50789->22 (17:55:27.786 PDT) 158.130.6.254 (17:54:47.960 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 41370->22 (17:54:47.960 PDT) 204.85.191.10 (2) (17:55:24.735 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 33447->22 (17:55:24.735 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 33447->22 (17:55:24.735 PDT) 128.42.142.45 (17:54:29.327 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 50139->22 (17:54:29.327 PDT) 192.52.240.214 (2) (17:54:55.263 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 37364->22 (17:54:55.263 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 37364->22 (17:54:55.263 PDT) 204.123.28.56 (17:54:32.235 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 42814->22 (17:54:32.235 PDT) 204.8.155.227 (17:55:10.471 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 37795->22 (17:55:10.471 PDT) 141.212.113.180 (17:55:16.974 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 35673->22 (17:55:16.974 PDT) 152.3.138.7 (17:55:02.543 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 59709->22 (17:55:02.543 PDT) ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1364432069.327 1364432069.328 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' ============================== SEPARATOR ================================ Score: 1.6 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 03/27/2013 17:54:29.327 PDT Gen. Time: 03/27/2013 18:03:20.919 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) 204.123.28.56 (17:55:28.172 PDT) event=777:7777005 {tcp} E5[bh] Detected moderate malware port scanning of 10 IPs (10 /24s) (# pkts S/M/O/I=0/10/0/0): 22:10, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (17:55:28.172 PDT) OUTBOUND SCAN 128.111.52.58 (17:55:27.786 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 50789->22 (17:55:27.786 PDT) 131.179.150.70 (17:55:30.972 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 44915->22 (17:55:30.972 PDT) 13.7.64.22 (17:55:55.847 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 60702->22 (17:55:55.847 PDT) 158.130.6.254 (17:54:47.960 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 41370->22 (17:54:47.960 PDT) 204.85.191.10 (2) (17:55:24.735 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 33447->22 (17:55:24.735 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 33447->22 (17:55:24.735 PDT) 128.42.142.45 (17:54:29.327 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 50139->22 (17:54:29.327 PDT) 192.52.240.214 (2) (17:54:55.263 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 37364->22 (17:54:55.263 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 37364->22 (17:54:55.263 PDT) 204.123.28.56 (17:54:32.235 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 42814->22 (17:54:32.235 PDT) 204.8.155.227 (17:55:10.471 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 37795->22 (17:55:10.471 PDT) 129.82.12.188 (17:55:37.278 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 53876->22 (17:55:37.278 PDT) 141.212.113.180 (17:55:16.974 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 35673->22 (17:55:16.974 PDT) 152.3.138.7 (17:55:02.543 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 59709->22 (17:55:02.543 PDT) 141.212.113.179 (17:55:52.149 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 48772->22 (17:55:52.149 PDT) 152.3.138.6 (2) (17:55:44.930 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 46504->22 (17:55:44.930 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 46504->22 (17:55:44.930 PDT) ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 204.123.28.56 (3) (17:56:34.700 PDT) event=777:7777008 (3) {tcp} E8[bh] Detected intense malware port scanning of 21 IPs (16 /24s) (# pkts S/M/O/I=0/21/0/0): 22:21, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (17:56:34.700 PDT) 0->0 (17:58:04.459 PDT) 0->0 (18:02:05.525 PDT) tcpslice 1364432069.327 1364432069.328 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 03/27/2013 18:03:38.608 PDT Gen. Time: 03/27/2013 18:03:38.608 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 204.123.28.56 (18:03:38.608 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 43 IPs (28 /24s) (# pkts S/M/O/I=0/43/0/0): 22:43, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (18:03:38.608 PDT) tcpslice 1364432618.608 1364432618.609 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 03/27/2013 18:04:55.013 PDT Gen. Time: 03/27/2013 18:04:55.013 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 204.123.28.56 (18:04:55.013 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 43 IPs (28 /24s) (# pkts S/M/O/I=0/43/0/0): 22:43, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (18:04:55.013 PDT) tcpslice 1364432695.013 1364432695.014 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 03/27/2013 18:14:24.313 PDT Gen. Time: 03/27/2013 18:15:25.935 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) 204.123.28.56 (18:15:25.935 PDT) event=777:7777005 {tcp} E5[bh] Detected moderate malware port scanning of 10 IPs (10 /24s) (# pkts S/M/O/I=0/10/0/0): 22:10, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (18:15:25.935 PDT) OUTBOUND SCAN 204.85.191.10 (2) (18:15:24.227 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 33672->22 (18:15:24.227 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 33672->22 (18:15:24.227 PDT) 204.8.155.227 (18:15:09.306 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 38020->22 (18:15:09.306 PDT) 128.42.142.45 (18:14:24.313 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 50364->22 (18:14:24.313 PDT) 152.3.138.7 (18:15:00.863 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 59934->22 (18:15:00.863 PDT) 204.123.28.56 (18:14:27.300 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 43039->22 (18:14:27.300 PDT) 141.212.113.180 (18:15:16.633 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 35898->22 (18:15:16.633 PDT) 192.52.240.214 (2) (18:14:53.335 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 37589->22 (18:14:53.335 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 37589->22 (18:14:53.335 PDT) 158.130.6.254 (18:14:44.983 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 41595->22 (18:14:44.983 PDT) ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1364433264.313 1364433264.314 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' ============================== SEPARATOR ================================ Score: 1.6 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 03/27/2013 18:14:24.313 PDT Gen. Time: 03/27/2013 18:24:29.482 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) 204.123.28.56 (18:15:25.935 PDT) event=777:7777005 {tcp} E5[bh] Detected moderate malware port scanning of 10 IPs (10 /24s) (# pkts S/M/O/I=0/10/0/0): 22:10, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (18:15:25.935 PDT) OUTBOUND SCAN 128.111.52.58 (18:15:28.743 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 51014->22 (18:15:28.743 PDT) 131.179.150.70 (18:15:31.698 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 45140->22 (18:15:31.698 PDT) 13.7.64.22 (18:15:58.307 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 60927->22 (18:15:58.307 PDT) 158.130.6.254 (18:14:44.983 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 41595->22 (18:14:44.983 PDT) 204.85.191.10 (2) (18:15:24.227 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 33672->22 (18:15:24.227 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 33672->22 (18:15:24.227 PDT) 128.42.142.45 (18:14:24.313 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 50364->22 (18:14:24.313 PDT) 192.52.240.214 (2) (18:14:53.335 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 37589->22 (18:14:53.335 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 37589->22 (18:14:53.335 PDT) 204.123.28.56 (18:14:27.300 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 43039->22 (18:14:27.300 PDT) 204.8.155.227 (18:15:09.306 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 38020->22 (18:15:09.306 PDT) 129.82.12.188 (18:15:38.711 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 54101->22 (18:15:38.711 PDT) 141.212.113.180 (18:15:16.633 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 35898->22 (18:15:16.633 PDT) 152.3.138.7 (18:15:00.863 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 59934->22 (18:15:00.863 PDT) 141.212.113.179 (18:15:54.198 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 48997->22 (18:15:54.198 PDT) 152.3.138.6 (2) (18:15:46.731 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 46729->22 (18:15:46.731 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 46729->22 (18:15:46.731 PDT) ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 129.63.159.101 (2) (18:18:15.037 PDT) event=777:7777008 (2) {tcp} E8[bh] Detected intense malware port scanning of 32 IPs (23 /24s) (# pkts S/M/O/I=0/32/0/0): 22:32, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (18:18:15.037 PDT) 0->0 (18:19:45.530 PDT) 204.123.28.56 (18:16:43.789 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 21 IPs (16 /24s) (# pkts S/M/O/I=0/21/0/0): 22:21, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (18:16:43.789 PDT) tcpslice 1364433264.313 1364433264.314 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 03/27/2013 18:20:30.378 PDT Gen. Time: 03/27/2013 18:20:30.378 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 129.63.159.101 (18:20:30.378 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 43 IPs (28 /24s) (# pkts S/M/O/I=0/43/0/0): 22:43, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (18:20:30.378 PDT) tcpslice 1364433630.378 1364433630.379 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' ============================== SEPARATOR ================================