Score: 0.8 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/04/2013 14:00:09.340 PDT Gen. Time: 04/04/2013 14:00:19.149 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) 128.208.4.198 (14:00:19.149 PDT) event=777:7777005 {tcp} E5[bh] Detected moderate malware port scanning of 10 IPs (6 /24s) (# pkts S/M/O/I=0/10/0/0): 22:10, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (14:00:19.149 PDT) OUTBOUND SCAN 128.10.19.52 (14:00:09.340 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 48862->22 (14:00:09.340 PDT) ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1365109209.340 1365109209.341 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' ============================== SEPARATOR ================================ Score: 1.6 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/04/2013 14:00:09.340 PDT Gen. Time: 04/04/2013 14:09:44.490 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) 128.208.4.198 (14:00:19.149 PDT) event=777:7777005 {tcp} E5[bh] Detected moderate malware port scanning of 10 IPs (6 /24s) (# pkts S/M/O/I=0/10/0/0): 22:10, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (14:00:19.149 PDT) OUTBOUND SCAN 128.8.126.111 (14:00:27.615 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 45879->22 (14:00:27.615 PDT) 128.10.19.52 (3) (14:00:09.340 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 48919->22 (14:01:50.697 PDT) ------------------------- event=1:2003068 (2) {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 48862->22 (14:00:09.340 PDT) 48919->22 (14:01:50.697 PDT) 72.36.112.79 (14:01:08.186 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 33173->22 (14:01:08.186 PDT) 155.246.12.164 (14:02:12.497 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 32825->22 (14:02:12.497 PDT) 165.91.55.9 (14:02:01.068 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 34266->22 (14:02:01.068 PDT) 158.130.6.254 (14:01:39.437 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 49374->22 (14:01:39.437 PDT) 204.123.28.56 (14:00:19.149 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 50781->22 (14:00:19.149 PDT) 13.7.64.20 (14:01:22.644 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 34581->22 (14:01:22.644 PDT) 152.3.138.7 (14:01:00.140 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 39445->22 (14:01:00.140 PDT) 129.63.159.101 (2) (14:01:14.700 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 47284->22 (14:01:14.700 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 47284->22 (14:01:14.700 PDT) 141.212.113.179 (2) (14:00:40.480 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 56689->22 (14:00:40.480 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 56689->22 (14:00:40.480 PDT) 128.252.19.18 (14:00:50.867 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 55602->22 (14:00:50.867 PDT) 128.208.4.198 (14:01:29.322 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 54395->22 (14:01:29.322 PDT) ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 141.212.113.179 (14:00:42.872 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 21 IPs (14 /24s) (# pkts S/M/O/I=0/21/0/0): 22:21, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (14:00:42.872 PDT) 141.212.113.180 (3) (14:02:12.497 PDT-14:05:12.667 PDT) event=777:7777008 (3) {tcp} E8[bh] Detected intense malware port scanning of 46 IPs (29 /24s) (# pkts S/M/O/I=0/46/0/0): 22:46, [] MAC_Src: 00:01:64:FF:CE:EA 3: 0->0 (14:02:12.497 PDT-14:05:12.667 PDT) tcpslice 1365109209.340 1365109512.668 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/04/2013 14:11:37.939 PDT Gen. Time: 04/04/2013 14:11:37.939 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 141.212.113.180 (14:11:37.939 PDT) event=777:7777008 {icmp} E8[bh] Detected intense malware port scanning of 47 IPs (30 /24s) (# pkts S/M/O/I=0/46/1/0): 22:46, [] MAC_Src: 00:01:64:FF:CE:EA (14:11:37.939 PDT) tcpslice 1365109897.939 1365109897.940 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/04/2013 15:06:19.090 PDT Gen. Time: 04/04/2013 15:07:29.360 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) 158.130.6.254 (15:07:29.360 PDT) event=777:7777005 {tcp} E5[bh] Detected moderate malware port scanning of 10 IPs (10 /24s) (# pkts S/M/O/I=0/10/0/0): 22:10, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (15:07:29.360 PDT) OUTBOUND SCAN 72.36.112.79 (15:07:05.257 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 33364->22 (15:07:05.257 PDT) 204.85.191.10 (15:07:27.785 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 41612->22 (15:07:27.785 PDT) 158.130.6.254 (15:06:39.543 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 49530->22 (15:06:39.543 PDT) 128.42.142.45 (15:06:19.090 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 58299->22 (15:06:19.090 PDT) 192.52.240.214 (2) (15:06:46.775 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 45524->22 (15:06:46.775 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 45524->22 (15:06:46.775 PDT) 204.123.28.56 (15:06:21.847 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 50974->22 (15:06:21.847 PDT) 204.8.155.227 (15:07:13.454 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 45960->22 (15:07:13.454 PDT) 141.212.113.180 (2) (15:07:19.798 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 43838->22 (15:07:19.798 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 43838->22 (15:07:19.798 PDT) 152.3.138.7 (15:06:54.579 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 39636->22 (15:06:54.579 PDT) ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1365113179.090 1365113179.091 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' ============================== SEPARATOR ================================ Score: 1.6 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/04/2013 15:06:19.090 PDT Gen. Time: 04/04/2013 15:15:47.141 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) 158.130.6.254 (15:07:29.360 PDT) event=777:7777005 {tcp} E5[bh] Detected moderate malware port scanning of 10 IPs (10 /24s) (# pkts S/M/O/I=0/10/0/0): 22:10, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (15:07:29.360 PDT) OUTBOUND SCAN 128.111.52.58 (15:07:31.245 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 58954->22 (15:07:31.245 PDT) 72.36.112.79 (15:07:05.257 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 33364->22 (15:07:05.257 PDT) 131.179.150.70 (15:07:36.083 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 53079->22 (15:07:36.083 PDT) 204.85.191.10 (15:07:27.785 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 41612->22 (15:07:27.785 PDT) 158.130.6.254 (15:06:39.543 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 49530->22 (15:06:39.543 PDT) 128.42.142.45 (15:06:19.090 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 58299->22 (15:06:19.090 PDT) 192.52.240.214 (2) (15:06:46.775 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 45524->22 (15:06:46.775 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 45524->22 (15:06:46.775 PDT) 204.123.28.56 (15:06:21.847 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 50974->22 (15:06:21.847 PDT) 204.8.155.227 (15:07:13.454 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 45960->22 (15:07:13.454 PDT) 129.82.12.188 (2) (15:07:41.530 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 33807->22 (15:07:41.530 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 33807->22 (15:07:41.530 PDT) 141.212.113.180 (2) (15:07:19.798 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 43838->22 (15:07:19.798 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 43838->22 (15:07:19.798 PDT) 152.3.138.7 (15:06:54.579 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 39636->22 (15:06:54.579 PDT) 141.212.113.179 (15:07:55.925 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 56936->22 (15:07:55.925 PDT) 152.3.138.6 (15:07:48.550 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 54668->22 (15:07:48.550 PDT) ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 152.14.93.140 (3) (15:08:29.240 PDT) event=777:7777008 (3) {tcp} E8[bh] Detected intense malware port scanning of 21 IPs (16 /24s) (# pkts S/M/O/I=0/21/0/0): 22:21, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (15:08:29.240 PDT) 0->0 (15:10:00.156 PDT) 0->0 (15:11:30.262 PDT) tcpslice 1365113179.090 1365113179.091 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/04/2013 15:26:52.601 PDT Gen. Time: 04/04/2013 15:28:35.931 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) 72.36.112.79 (15:28:35.931 PDT) event=777:7777005 {tcp} E5[bh] Detected moderate malware port scanning of 10 IPs (10 /24s) (# pkts S/M/O/I=0/10/0/0): 22:10, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (15:28:35.931 PDT) OUTBOUND SCAN 72.36.112.79 (15:28:06.946 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 33600->22 (15:28:06.946 PDT) 204.85.191.10 (15:28:28.614 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 41848->22 (15:28:28.614 PDT) 158.130.6.254 (15:27:43.779 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 49766->22 (15:27:43.779 PDT) 128.42.142.45 (15:26:52.601 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 58539->22 (15:26:52.601 PDT) 192.52.240.214 (15:27:52.705 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 45760->22 (15:27:52.705 PDT) 204.123.28.56 (15:26:55.482 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 51214->22 (15:26:55.482 PDT) 204.8.155.227 (2) (15:28:15.376 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 46197->22 (15:28:17.034 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 46196->22 (15:28:15.376 PDT) 141.212.113.180 (15:28:22.743 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 44074->22 (15:28:22.743 PDT) 152.3.138.7 (15:27:59.721 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 39872->22 (15:27:59.721 PDT) ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1365114412.601 1365114412.602 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' ============================== SEPARATOR ================================ Score: 1.6 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/04/2013 15:26:52.601 PDT Gen. Time: 04/04/2013 15:36:47.759 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) 72.36.112.79 (15:28:35.931 PDT) event=777:7777005 {tcp} E5[bh] Detected moderate malware port scanning of 10 IPs (10 /24s) (# pkts S/M/O/I=0/10/0/0): 22:10, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (15:28:35.931 PDT) OUTBOUND SCAN 128.111.52.58 (15:28:35.931 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 59190->22 (15:28:35.931 PDT) 152.14.93.140 (15:29:00.459 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 39825->22 (15:29:00.459 PDT) 72.36.112.79 (15:28:06.946 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 33600->22 (15:28:06.946 PDT) 131.179.150.70 (2) (15:28:38.172 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 53317->22 (15:28:38.596 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 53316->22 (15:28:38.172 PDT) 204.85.191.10 (15:28:28.614 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 41848->22 (15:28:28.614 PDT) 158.130.6.254 (15:27:43.779 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 49766->22 (15:27:43.779 PDT) 128.42.142.45 (15:26:52.601 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 58539->22 (15:26:52.601 PDT) 192.52.240.214 (15:27:52.705 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 45760->22 (15:27:52.705 PDT) 204.123.28.56 (15:26:55.482 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 51214->22 (15:26:55.482 PDT) 204.8.155.227 (2) (15:28:15.376 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 46197->22 (15:28:17.034 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 46196->22 (15:28:15.376 PDT) 129.82.12.188 (15:28:40.254 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 34044->22 (15:28:40.254 PDT) 141.212.113.180 (15:28:22.743 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 44074->22 (15:28:22.743 PDT) 152.3.138.7 (15:27:59.721 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 39872->22 (15:27:59.721 PDT) 141.212.113.179 (15:28:53.024 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 57173->22 (15:28:53.024 PDT) 152.3.138.6 (15:28:46.078 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 54905->22 (15:28:46.078 PDT) ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 72.36.112.79 (3) (15:29:30.798 PDT) event=777:7777008 (3) {tcp} E8[bh] Detected intense malware port scanning of 21 IPs (16 /24s) (# pkts S/M/O/I=0/21/0/0): 22:21, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (15:29:30.798 PDT) 0->0 (15:31:00.187 PDT) 0->0 (15:32:30.550 PDT) tcpslice 1365114412.601 1365114412.602 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/04/2013 15:52:01.550 PDT Gen. Time: 04/04/2013 15:52:48.930 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) 204.123.28.56 (15:52:48.930 PDT) event=777:7777005 {tcp} E5[bh] Detected moderate malware port scanning of 10 IPs (10 /24s) (# pkts S/M/O/I=0/10/0/0): 22:10, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (15:52:48.930 PDT) OUTBOUND SCAN 204.85.191.10 (15:52:47.396 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 42088->22 (15:52:47.396 PDT) 204.8.155.227 (15:52:32.663 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 46436->22 (15:52:32.663 PDT) 72.36.112.79 (2) (15:52:25.020 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 33840->22 (15:52:25.020 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 33840->22 (15:52:25.020 PDT) 152.3.138.7 (15:52:16.765 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 40112->22 (15:52:16.765 PDT) 141.212.113.180 (15:52:39.359 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 44314->22 (15:52:39.359 PDT) 192.52.240.214 (15:52:09.007 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 46000->22 (15:52:09.007 PDT) 158.130.6.254 (15:52:01.550 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 50006->22 (15:52:01.550 PDT) ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1365115921.550 1365115921.551 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' ============================== SEPARATOR ================================ Score: 1.6 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/04/2013 15:52:01.550 PDT Gen. Time: 04/04/2013 16:00:36.484 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) 204.123.28.56 (15:52:48.930 PDT) event=777:7777005 {tcp} E5[bh] Detected moderate malware port scanning of 10 IPs (10 /24s) (# pkts S/M/O/I=0/10/0/0): 22:10, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (15:52:48.930 PDT) OUTBOUND SCAN 128.111.52.58 (2) (15:52:50.755 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 59430->22 (15:52:50.755 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 59430->22 (15:52:50.755 PDT) 152.14.93.140 (15:53:19.904 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 40065->22 (15:53:19.904 PDT) 72.36.112.79 (2) (15:52:25.020 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 33840->22 (15:52:25.020 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 33840->22 (15:52:25.020 PDT) 131.179.150.70 (15:52:53.010 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 53556->22 (15:52:53.010 PDT) 13.7.64.22 (15:53:23.472 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 41115->22 (15:53:23.472 PDT) 158.130.6.254 (15:52:01.550 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 50006->22 (15:52:01.550 PDT) 204.85.191.10 (15:52:47.396 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 42088->22 (15:52:47.396 PDT) 192.52.240.214 (15:52:09.007 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 46000->22 (15:52:09.007 PDT) 204.8.155.227 (15:52:32.663 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 46436->22 (15:52:32.663 PDT) 129.82.12.188 (15:52:58.507 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 34284->22 (15:52:58.507 PDT) 141.212.113.180 (15:52:39.359 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 44314->22 (15:52:39.359 PDT) 152.3.138.7 (15:52:16.765 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 40112->22 (15:52:16.765 PDT) 141.212.113.179 (2) (15:53:12.897 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 57413->22 (15:53:12.897 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 57413->22 (15:53:12.897 PDT) 152.3.138.6 (15:53:05.501 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 55145->22 (15:53:05.501 PDT) ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 128.208.4.197 (15:53:44.475 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 21 IPs (16 /24s) (# pkts S/M/O/I=0/21/0/0): 22:21, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (15:53:44.475 PDT) 204.123.28.55 (2) (15:55:14.027 PDT) event=777:7777008 (2) {tcp} E8[bh] Detected intense malware port scanning of 32 IPs (23 /24s) (# pkts S/M/O/I=0/32/0/0): 22:32, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (15:55:14.027 PDT) 0->0 (15:56:44.948 PDT) tcpslice 1365115921.550 1365115921.551 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/04/2013 16:01:44.745 PDT Gen. Time: 04/04/2013 16:01:44.745 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 128.223.8.111 (16:01:44.745 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 46 IPs (29 /24s) (# pkts S/M/O/I=0/46/0/0): 22:46, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (16:01:44.745 PDT) tcpslice 1365116504.745 1365116504.746 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' ============================== SEPARATOR ================================ Score: 1.1 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/04/2013 16:01:44.745 PDT Gen. Time: 04/04/2013 16:05:41.505 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) 131.193.34.38 (16:05:35.757 PDT) event=777:7777005 {tcp} E5[bh] Detected moderate malware port scanning of 10 IPs (8 /24s) (# pkts S/M/O/I=0/10/0/0): 22:10, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (16:05:35.757 PDT) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 128.223.8.111 (2) (16:01:44.745 PDT-16:03:15.939 PDT) event=777:7777008 (2) {tcp} E8[bh] Detected intense malware port scanning of 46 IPs (29 /24s) (# pkts S/M/O/I=0/46/0/0): 22:46, [] MAC_Src: 00:01:64:FF:CE:EA 2: 0->0 (16:01:44.745 PDT-16:03:15.939 PDT) tcpslice 1365116504.745 1365116595.940 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/04/2013 16:12:07.320 PDT Gen. Time: 04/04/2013 16:13:31.364 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) 13.7.64.22 (16:13:31.364 PDT) event=777:7777005 {tcp} E5[bh] Detected moderate malware port scanning of 16 IPs (14 /24s) (# pkts S/M/O/I=0/15/1/0): 22:15, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (16:13:31.364 PDT) OUTBOUND SCAN 128.42.142.45 (16:12:07.320 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 59015->22 (16:12:07.320 PDT) 204.123.28.56 (16:12:10.236 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 51690->22 (16:12:10.236 PDT) ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1365117127.320 1365117127.321 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/04/2013 16:16:01.892 PDT Gen. Time: 04/04/2013 16:17:53.546 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) 13.7.64.22 (2) (16:16:01.892 PDT-16:17:51.076 PDT) event=777:7777005 (2) {tcp} E5[bh] Detected moderate malware port scanning of 16 IPs (14 /24s) (# pkts S/M/O/I=0/15/1/0): 22:15, [] MAC_Src: 00:01:64:FF:CE:EA 2: 0->0 (16:16:01.892 PDT-16:17:51.076 PDT) OUTBOUND SCAN 158.130.6.254 (16:17:53.546 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 50242->22 (16:17:53.546 PDT) ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1365117361.892 1365117471.077 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' ============================== SEPARATOR ================================ Score: 1.6 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/04/2013 16:16:01.892 PDT Gen. Time: 04/04/2013 16:26:53.905 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) 13.7.64.22 (2) (16:16:01.892 PDT-16:17:51.076 PDT) event=777:7777005 (2) {tcp} E5[bh] Detected moderate malware port scanning of 16 IPs (14 /24s) (# pkts S/M/O/I=0/15/1/0): 22:15, [] MAC_Src: 00:01:64:FF:CE:EA 2: 0->0 (16:16:01.892 PDT-16:17:51.076 PDT) OUTBOUND SCAN 128.111.52.58 (16:18:40.991 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 59666->22 (16:18:40.991 PDT) 152.14.93.140 (2) (16:19:07.605 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 40299->22 (16:19:07.605 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 40301->22 (16:19:10.372 PDT) 72.36.112.79 (16:18:15.904 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 34076->22 (16:18:15.904 PDT) 131.179.150.70 (2) (16:18:42.355 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 53790->22 (16:18:42.355 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 53792->22 (16:18:43.251 PDT) 13.7.64.22 (16:19:14.046 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 41351->22 (16:19:14.046 PDT) 158.130.6.254 (16:17:53.546 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 50242->22 (16:17:53.546 PDT) 204.85.191.10 (16:18:37.480 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 42324->22 (16:18:37.480 PDT) 192.52.240.214 (16:18:00.546 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 46236->22 (16:18:00.546 PDT) 204.8.155.227 (2) (16:18:20.986 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 46670->22 (16:18:20.986 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 46672->22 (16:18:24.116 PDT) 129.82.12.188 (16:18:49.336 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 34520->22 (16:18:49.336 PDT) 141.212.113.180 (16:18:30.416 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 44550->22 (16:18:30.416 PDT) 152.3.138.7 (16:18:07.497 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 40348->22 (16:18:07.497 PDT) 141.212.113.179 (16:19:03.396 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 57649->22 (16:19:03.396 PDT) 152.3.138.6 (16:18:56.330 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 55381->22 (16:18:56.330 PDT) ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 13.7.64.22 (3) (16:18:31.461 PDT) event=777:7777008 (3) {tcp} E8[bh] Detected intense malware port scanning of 21 IPs (19 /24s) (# pkts S/M/O/I=0/20/1/0): 22:20, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (16:18:31.461 PDT) 0->0 (16:20:01.388 PDT) 0->0 (16:21:31.726 PDT) tcpslice 1365117361.892 1365117471.077 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/04/2013 16:22:59.325 PDT Gen. Time: 04/04/2013 16:22:59.325 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 13.7.64.22 (16:22:59.325 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 47 IPs (30 /24s) (# pkts S/M/O/I=0/46/1/0): 22:46, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (16:22:59.325 PDT) tcpslice 1365117779.325 1365117779.326 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/04/2013 16:38:05.247 PDT Gen. Time: 04/04/2013 16:40:31.963 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) 192.52.240.214 (16:40:31.963 PDT) event=777:7777005 {tcp} E5[bh] Detected moderate malware port scanning of 11 IPs (10 /24s) (# pkts S/M/O/I=0/10/1/0): 22:10, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (16:40:31.963 PDT) OUTBOUND SCAN 204.8.155.227 (16:40:24.501 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 46912->22 (16:40:24.501 PDT) 128.42.142.45 (16:38:05.247 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 59251->22 (16:38:05.247 PDT) 72.36.112.79 (2) (16:40:16.569 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 34316->22 (16:40:16.569 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 34316->22 (16:40:16.569 PDT) 152.3.138.7 (16:40:03.051 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 40588->22 (16:40:03.051 PDT) 204.123.28.56 (16:38:08.311 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 51926->22 (16:38:08.311 PDT) 141.212.113.180 (16:40:30.912 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 44790->22 (16:40:30.912 PDT) 192.52.240.214 (16:39:53.955 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 46476->22 (16:39:53.955 PDT) 158.130.6.254 (16:39:46.735 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 50482->22 (16:39:46.735 PDT) ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1365118685.247 1365118685.248 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' ============================== SEPARATOR ================================ Score: 1.6 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/04/2013 16:38:05.247 PDT Gen. Time: 04/04/2013 16:48:50.468 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) 192.52.240.214 (16:40:31.963 PDT) event=777:7777005 {tcp} E5[bh] Detected moderate malware port scanning of 11 IPs (10 /24s) (# pkts S/M/O/I=0/10/1/0): 22:10, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (16:40:31.963 PDT) OUTBOUND SCAN 128.111.52.58 (2) (16:40:41.971 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 59906->22 (16:40:41.971 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 59906->22 (16:40:41.971 PDT) 72.36.112.79 (2) (16:40:16.569 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 34316->22 (16:40:16.569 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 34316->22 (16:40:16.569 PDT) 131.179.150.70 (16:40:44.238 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 54032->22 (16:40:44.238 PDT) 204.85.191.10 (16:40:38.811 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 42564->22 (16:40:38.811 PDT) 158.130.6.254 (16:39:46.735 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 50482->22 (16:39:46.735 PDT) 128.42.142.45 (16:38:05.247 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 59251->22 (16:38:05.247 PDT) 192.52.240.214 (16:39:53.955 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 46476->22 (16:39:53.955 PDT) 204.123.28.56 (16:38:08.311 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 51926->22 (16:38:08.311 PDT) 204.8.155.227 (16:40:24.501 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 46912->22 (16:40:24.501 PDT) 129.82.12.188 (16:40:49.710 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 34760->22 (16:40:49.710 PDT) 141.212.113.180 (16:40:30.912 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 44790->22 (16:40:30.912 PDT) 152.3.138.7 (16:40:03.051 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 40588->22 (16:40:03.051 PDT) 141.212.113.179 (2) (16:41:03.964 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 57889->22 (16:41:03.964 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 57889->22 (16:41:03.964 PDT) 152.3.138.6 (16:40:56.594 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 55621->22 (16:40:56.594 PDT) ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 129.63.159.101 (2) (16:44:22.541 PDT) event=777:7777008 (2) {tcp} E8[bh] Detected intense malware port scanning of 43 IPs (29 /24s) (# pkts S/M/O/I=0/42/1/0): 22:42, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (16:44:22.541 PDT) 0->0 (16:48:00.949 PDT) 128.111.52.59 (2) (16:41:21.301 PDT) event=777:7777008 (2) {tcp} E8[bh] Detected intense malware port scanning of 21 IPs (16 /24s) (# pkts S/M/O/I=0/20/1/0): 22:20, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (16:41:21.301 PDT) 0->0 (16:42:52.159 PDT) tcpslice 1365118685.247 1365118685.248 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/04/2013 16:49:35.191 PDT Gen. Time: 04/04/2013 16:49:35.191 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 129.63.159.101 (16:49:35.191 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 47 IPs (30 /24s) (# pkts S/M/O/I=0/46/1/0): 22:46, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (16:49:35.191 PDT) tcpslice 1365119375.191 1365119375.192 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/04/2013 16:59:55.784 PDT Gen. Time: 04/04/2013 17:00:53.302 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) 204.8.155.227 (17:00:53.302 PDT) event=777:7777005 {tcp} E5[bh] Detected moderate malware port scanning of 10 IPs (10 /24s) (# pkts S/M/O/I=0/10/0/0): 22:10, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (17:00:53.302 PDT) OUTBOUND SCAN 72.36.112.79 (17:00:30.805 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 34556->22 (17:00:30.805 PDT) 204.85.191.10 (17:00:51.912 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 42804->22 (17:00:51.912 PDT) 158.130.6.254 (17:00:07.990 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 50722->22 (17:00:07.990 PDT) 128.42.142.45 (16:59:55.784 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 59491->22 (16:59:55.784 PDT) 192.52.240.214 (2) (17:00:14.913 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 46716->22 (17:00:14.913 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 46716->22 (17:00:14.913 PDT) 204.123.28.56 (16:59:58.605 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 52166->22 (16:59:58.605 PDT) 204.8.155.227 (17:00:38.475 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 47152->22 (17:00:38.475 PDT) 141.212.113.180 (2) (17:00:44.807 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 45030->22 (17:00:44.807 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 45030->22 (17:00:44.807 PDT) 152.3.138.7 (17:00:22.106 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 40828->22 (17:00:22.106 PDT) ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1365119995.784 1365119995.785 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' ============================== SEPARATOR ================================ Score: 1.6 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/04/2013 16:59:55.784 PDT Gen. Time: 04/04/2013 17:09:28.558 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) 204.8.155.227 (17:00:53.302 PDT) event=777:7777005 {tcp} E5[bh] Detected moderate malware port scanning of 10 IPs (10 /24s) (# pkts S/M/O/I=0/10/0/0): 22:10, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (17:00:53.302 PDT) OUTBOUND SCAN 128.111.52.58 (17:00:55.101 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 60146->22 (17:00:55.101 PDT) 72.36.112.79 (17:00:30.805 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 34556->22 (17:00:30.805 PDT) 131.179.150.70 (17:00:57.284 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 54272->22 (17:00:57.284 PDT) 204.85.191.10 (17:00:51.912 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 42804->22 (17:00:51.912 PDT) 158.130.6.254 (17:00:07.990 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 50722->22 (17:00:07.990 PDT) 128.42.142.45 (16:59:55.784 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 59491->22 (16:59:55.784 PDT) 192.52.240.214 (2) (17:00:14.913 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 46716->22 (17:00:14.913 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 46716->22 (17:00:14.913 PDT) 204.123.28.56 (16:59:58.605 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 52166->22 (16:59:58.605 PDT) 204.8.155.227 (17:00:38.475 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 47152->22 (17:00:38.475 PDT) 129.82.12.188 (2) (17:01:02.737 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 35000->22 (17:01:02.737 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 35000->22 (17:01:02.737 PDT) 141.212.113.180 (2) (17:00:44.807 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 45030->22 (17:00:44.807 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 45030->22 (17:00:44.807 PDT) 152.3.138.7 (17:00:22.106 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 40828->22 (17:00:22.106 PDT) 141.212.113.179 (17:01:19.426 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 58129->22 (17:01:19.426 PDT) 152.3.138.6 (17:01:11.801 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 55861->22 (17:01:11.801 PDT) ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 204.8.155.227 (17:01:51.695 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 21 IPs (16 /24s) (# pkts S/M/O/I=0/21/0/0): 22:21, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (17:01:51.695 PDT) 213.180.150.14 (17:04:52.325 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 42 IPs (28 /24s) (# pkts S/M/O/I=0/41/1/0): 22:41, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (17:04:52.325 PDT) 165.91.55.8 (17:03:22.680 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 30 IPs (21 /24s) (# pkts S/M/O/I=0/30/0/0): 22:30, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (17:03:22.680 PDT) tcpslice 1365119995.784 1365119995.785 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/04/2013 17:20:33.374 PDT Gen. Time: 04/04/2013 17:21:37.279 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) 128.208.4.198 (17:21:37.279 PDT) event=777:7777005 {tcp} E5[bh] Detected moderate malware port scanning of 10 IPs (10 /24s) (# pkts S/M/O/I=0/10/0/0): 22:10, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (17:21:37.279 PDT) OUTBOUND SCAN 204.8.155.227 (17:21:29.515 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 47392->22 (17:21:29.515 PDT) 128.42.142.45 (17:20:33.374 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 59731->22 (17:20:33.374 PDT) 72.36.112.79 (17:21:21.577 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 34796->22 (17:21:21.577 PDT) 152.3.138.7 (17:21:08.027 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 41068->22 (17:21:08.027 PDT) 204.123.28.56 (17:20:36.417 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 52406->22 (17:20:36.417 PDT) 141.212.113.180 (2) (17:21:36.102 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 45270->22 (17:21:36.102 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 45270->22 (17:21:36.102 PDT) 192.52.240.214 (2) (17:21:00.442 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 46956->22 (17:21:00.442 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 46956->22 (17:21:00.442 PDT) 158.130.6.254 (17:20:53.088 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 50962->22 (17:20:53.088 PDT) ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1365121233.374 1365121233.375 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' ============================== SEPARATOR ================================ Score: 1.6 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/04/2013 17:20:33.374 PDT Gen. Time: 04/04/2013 17:29:59.257 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) 128.208.4.198 (17:21:37.279 PDT) event=777:7777005 {tcp} E5[bh] Detected moderate malware port scanning of 10 IPs (10 /24s) (# pkts S/M/O/I=0/10/0/0): 22:10, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (17:21:37.279 PDT) OUTBOUND SCAN 128.111.52.58 (17:21:47.344 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 60386->22 (17:21:47.344 PDT) 72.36.112.79 (17:21:21.577 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 34796->22 (17:21:21.577 PDT) 131.179.150.70 (17:21:49.512 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 54512->22 (17:21:49.512 PDT) 204.85.191.10 (17:21:43.849 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 43044->22 (17:21:43.849 PDT) 158.130.6.254 (17:20:53.088 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 50962->22 (17:20:53.088 PDT) 128.42.142.45 (17:20:33.374 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 59731->22 (17:20:33.374 PDT) 192.52.240.214 (2) (17:21:00.442 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 46956->22 (17:21:00.442 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 46956->22 (17:21:00.442 PDT) 204.123.28.56 (17:20:36.417 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 52406->22 (17:20:36.417 PDT) 204.8.155.227 (17:21:29.515 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 47392->22 (17:21:29.515 PDT) 129.82.12.188 (2) (17:21:55.723 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 35240->22 (17:21:55.723 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 35240->22 (17:21:55.723 PDT) 141.212.113.180 (2) (17:21:36.102 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 45270->22 (17:21:36.102 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 45270->22 (17:21:36.102 PDT) 152.3.138.7 (17:21:08.027 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 41068->22 (17:21:08.027 PDT) 141.212.113.179 (17:22:10.050 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 58369->22 (17:22:10.050 PDT) 152.3.138.6 (17:22:02.724 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 56101->22 (17:22:02.724 PDT) ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 128.208.4.198 (4) (17:22:34.113 PDT) event=777:7777008 (4) {tcp} E8[bh] Detected intense malware port scanning of 21 IPs (15 /24s) (# pkts S/M/O/I=0/21/0/0): 22:21, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (17:22:34.113 PDT) 0->0 (17:24:05.357 PDT) 0->0 (17:25:36.751 PDT) 0->0 (17:27:14.136 PDT) tcpslice 1365121233.374 1365121233.375 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/04/2013 17:30:00.797 PDT Gen. Time: 04/04/2013 17:30:00.797 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 128.208.4.198 (17:30:00.797 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 46 IPs (29 /24s) (# pkts S/M/O/I=0/46/0/0): 22:46, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (17:30:00.797 PDT) tcpslice 1365121800.797 1365121800.798 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/04/2013 17:41:08.371 PDT Gen. Time: 04/04/2013 17:41:49.615 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) 158.130.6.254 (17:41:49.615 PDT) event=777:7777005 {tcp} E5[bh] Detected moderate malware port scanning of 10 IPs (9 /24s) (# pkts S/M/O/I=0/10/0/0): 22:10, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (17:41:49.615 PDT) OUTBOUND SCAN 128.42.142.45 (17:41:08.371 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 59971->22 (17:41:08.371 PDT) 72.36.112.79 (17:41:47.999 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 35036->22 (17:41:47.999 PDT) 152.3.138.7 (17:41:39.050 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 41308->22 (17:41:39.050 PDT) 204.123.28.56 (17:41:11.148 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 52646->22 (17:41:11.148 PDT) 192.52.240.214 (2) (17:41:31.442 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 47196->22 (17:41:31.442 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 47196->22 (17:41:31.442 PDT) 158.130.6.254 (17:41:24.087 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 51202->22 (17:41:24.087 PDT) ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1365122468.371 1365122468.372 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' ============================== SEPARATOR ================================ Score: 1.6 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/04/2013 17:41:08.371 PDT Gen. Time: 04/04/2013 17:50:37.721 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) 158.130.6.254 (17:41:49.615 PDT) event=777:7777005 {tcp} E5[bh] Detected moderate malware port scanning of 10 IPs (9 /24s) (# pkts S/M/O/I=0/10/0/0): 22:10, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (17:41:49.615 PDT) OUTBOUND SCAN 128.111.52.58 (17:42:13.932 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 60626->22 (17:42:13.932 PDT) 72.36.112.79 (17:41:47.999 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 35036->22 (17:41:47.999 PDT) 131.179.150.70 (17:42:16.146 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 54752->22 (17:42:16.146 PDT) 204.85.191.10 (17:42:10.306 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 43284->22 (17:42:10.306 PDT) 158.130.6.254 (17:41:24.087 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 51202->22 (17:41:24.087 PDT) 128.42.142.45 (17:41:08.371 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 59971->22 (17:41:08.371 PDT) 192.52.240.214 (2) (17:41:31.442 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 47196->22 (17:41:31.442 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 47196->22 (17:41:31.442 PDT) 204.123.28.56 (17:41:11.148 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 52646->22 (17:41:11.148 PDT) 204.8.155.227 (17:41:55.861 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 47632->22 (17:41:55.861 PDT) 129.82.12.188 (2) (17:42:21.927 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 35480->22 (17:42:21.927 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 35480->22 (17:42:21.927 PDT) 141.212.113.180 (2) (17:42:02.333 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 45510->22 (17:42:02.333 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 45510->22 (17:42:02.333 PDT) 152.3.138.7 (17:41:39.050 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 41308->22 (17:41:39.050 PDT) 141.212.113.179 (17:42:36.831 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 58609->22 (17:42:36.831 PDT) 152.3.138.6 (17:42:29.169 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 56341->22 (17:42:29.169 PDT) ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 141.212.113.180 (3) (17:43:01.676 PDT) event=777:7777008 (3) {tcp} E8[bh] Detected intense malware port scanning of 21 IPs (16 /24s) (# pkts S/M/O/I=0/21/0/0): 22:21, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (17:43:01.676 PDT) 0->0 (17:44:32.217 PDT) 0->0 (17:46:02.429 PDT) tcpslice 1365122468.371 1365122468.372 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/04/2013 17:46:53.276 PDT Gen. Time: 04/04/2013 17:46:53.276 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 141.212.113.180 (17:46:53.276 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 46 IPs (29 /24s) (# pkts S/M/O/I=0/46/0/0): 22:46, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (17:46:53.276 PDT) tcpslice 1365122813.276 1365122813.277 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/04/2013 18:01:59.482 PDT Gen. Time: 04/04/2013 18:02:35.420 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) 72.36.112.79 (18:02:35.420 PDT) event=777:7777005 {tcp} E5[bh] Detected moderate malware port scanning of 10 IPs (9 /24s) (# pkts S/M/O/I=0/10/0/0): 22:10, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (18:02:35.420 PDT) OUTBOUND SCAN 128.42.142.45 (18:01:59.482 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 60211->22 (18:01:59.482 PDT) 152.3.138.7 (18:02:33.840 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 41548->22 (18:02:33.840 PDT) 204.123.28.56 (18:02:02.144 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 52886->22 (18:02:02.144 PDT) 192.52.240.214 (2) (18:02:23.339 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 47436->22 (18:02:23.339 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 47436->22 (18:02:23.339 PDT) 158.130.6.254 (18:02:15.843 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 51442->22 (18:02:15.843 PDT) ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1365123719.482 1365123719.483 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' ============================== SEPARATOR ================================ Score: 1.6 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/04/2013 18:01:59.482 PDT Gen. Time: 04/04/2013 18:11:47.322 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) 72.36.112.79 (18:02:35.420 PDT) event=777:7777005 {tcp} E5[bh] Detected moderate malware port scanning of 10 IPs (9 /24s) (# pkts S/M/O/I=0/10/0/0): 22:10, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (18:02:35.420 PDT) OUTBOUND SCAN 128.111.52.58 (18:03:09.162 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 60866->22 (18:03:09.162 PDT) 72.36.112.79 (18:02:42.936 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 35276->22 (18:02:42.936 PDT) 131.179.150.70 (18:03:11.324 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 54992->22 (18:03:11.324 PDT) 204.85.191.10 (18:03:05.920 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 43524->22 (18:03:05.920 PDT) 158.130.6.254 (18:02:15.843 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 51442->22 (18:02:15.843 PDT) 128.42.142.45 (18:01:59.482 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 60211->22 (18:01:59.482 PDT) 192.52.240.214 (2) (18:02:23.339 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 47436->22 (18:02:23.339 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 47436->22 (18:02:23.339 PDT) 204.123.28.56 (18:02:02.144 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 52886->22 (18:02:02.144 PDT) 204.8.155.227 (18:02:50.763 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 47872->22 (18:02:50.763 PDT) 129.82.12.188 (2) (18:03:16.727 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 35720->22 (18:03:16.727 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 35720->22 (18:03:16.727 PDT) 141.212.113.180 (2) (18:02:57.418 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 45750->22 (18:02:57.418 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 45750->22 (18:02:57.418 PDT) 152.3.138.7 (18:02:33.840 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 41548->22 (18:02:33.840 PDT) 141.212.113.179 (18:03:31.429 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 58849->22 (18:03:31.429 PDT) 152.3.138.6 (18:03:23.691 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 56581->22 (18:03:23.691 PDT) ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 204.85.191.10 (3) (18:03:39.960 PDT) event=777:7777008 (3) {tcp} E8[bh] Detected intense malware port scanning of 21 IPs (18 /24s) (# pkts S/M/O/I=0/21/0/0): 22:21, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (18:03:39.960 PDT) 0->0 (18:05:10.840 PDT) 0->0 (18:06:40.073 PDT) tcpslice 1365123719.482 1365123719.483 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/04/2013 18:07:46.762 PDT Gen. Time: 04/04/2013 18:07:46.762 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 204.85.191.10 (18:07:46.762 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 46 IPs (29 /24s) (# pkts S/M/O/I=0/46/0/0): 22:46, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (18:07:46.762 PDT) tcpslice 1365124066.762 1365124066.763 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/04/2013 18:22:52.798 PDT Gen. Time: 04/04/2013 18:24:14.916 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) 141.212.113.179 (18:24:14.916 PDT) event=777:7777005 {tcp} E5[bh] Detected moderate malware port scanning of 10 IPs (7 /24s) (# pkts S/M/O/I=0/10/0/0): 22:10, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (18:24:14.916 PDT) OUTBOUND SCAN 72.36.112.79 (2) (18:23:27.808 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 35506->22 (18:23:27.808 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 35506->22 (18:23:27.808 PDT) 72.36.112.78 (18:24:13.240 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 54602->22 (18:24:13.240 PDT) 158.130.6.254 (18:23:18.465 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 51682->22 (18:23:18.465 PDT) 128.42.142.45 (18:22:52.798 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 60451->22 (18:22:52.798 PDT) 165.91.55.8 (18:23:54.951 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 35260->22 (18:23:54.951 PDT) 204.123.28.56 (18:22:55.868 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 53126->22 (18:22:55.868 PDT) 128.42.142.44 (2) (18:24:05.072 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 35048->22 (18:24:05.072 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 35048->22 (18:24:05.072 PDT) 141.212.113.180 (18:23:34.406 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 45975->22 (18:23:34.406 PDT) 141.212.113.179 (18:23:42.074 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 59049->22 (18:23:42.074 PDT) ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1365124972.798 1365124972.799 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/04/2013 18:22:52.798 PDT Gen. Time: 04/04/2013 18:29:33.423 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) 141.212.113.179 (18:24:14.916 PDT) event=777:7777005 {tcp} E5[bh] Detected moderate malware port scanning of 10 IPs (7 /24s) (# pkts S/M/O/I=0/10/0/0): 22:10, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (18:24:14.916 PDT) OUTBOUND SCAN 128.10.19.52 (18:24:45.122 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 51282->22 (18:24:45.122 PDT) 72.36.112.79 (2) (18:23:27.808 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 35506->22 (18:23:27.808 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 35506->22 (18:23:27.808 PDT) 72.36.112.78 (18:24:13.240 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 54602->22 (18:24:13.240 PDT) 158.130.6.254 (18:23:18.465 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 51682->22 (18:23:18.465 PDT) 128.42.142.45 (18:22:52.798 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 60451->22 (18:22:52.798 PDT) 131.193.34.38 (2) (18:24:31.306 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 59229->22 (18:24:31.306 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 59229->22 (18:24:31.306 PDT) 165.91.55.8 (18:23:54.951 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 35260->22 (18:23:54.951 PDT) 204.123.28.56 (18:22:55.868 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 53126->22 (18:22:55.868 PDT) 128.42.142.44 (2) (18:24:05.072 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 35048->22 (18:24:05.072 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 35048->22 (18:24:05.072 PDT) 141.212.113.180 (18:23:34.406 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 45975->22 (18:23:34.406 PDT) 204.123.28.55 (18:24:24.337 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 39474->22 (18:24:24.337 PDT) 128.252.19.19 (18:24:21.466 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 45889->22 (18:24:21.466 PDT) 198.133.224.147 (18:24:38.493 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 58817->22 (18:24:38.493 PDT) 141.212.113.179 (18:23:42.074 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 59049->22 (18:23:42.074 PDT) ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1365124972.798 1365124972.799 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' ============================== SEPARATOR ================================