Score: 1.0 (>= 0.8) Infected Target: 192.168.1.14 Infector List: Egg Source List: C & C List: 173.208.150.250 Peer Coord. List: Resource List: Observed Start: 04/10/2013 01:07:26.352 PDT Gen. Time: 04/10/2013 01:08:10.573 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC 173.208.150.250 (01:08:10.573 PDT) event=1:2002033 {tcp} E4[rb] ET TROJAN BOT - potential response, [] MAC_Src: 00:01:64:FF:CE:EA 80->55586 (01:08:10.573 PDT) C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN 173.208.150.250 (7) (01:07:26.352 PDT) event=1:552123 (7) {tcp} E5[rb] REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner, [] MAC_Src: 00:01:64:FF:CE:EA 80->49535 (01:07:26.352 PDT) 80->50798 (01:07:35.568 PDT) 80->51127 (01:07:38.159 PDT) 80->52840 (01:07:50.397 PDT) 80->53169 (01:07:52.969 PDT) 80->53539 (01:07:55.541 PDT) 80->54981 (01:08:05.898 PDT) ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1365581246.352 1365581246.353 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.14' ============================== SEPARATOR ================================ Score: 1.0 (>= 0.8) Infected Target: 192.168.1.14 Infector List: Egg Source List: C & C List: 173.208.150.250 (17) Peer Coord. List: Resource List: Observed Start: 04/10/2013 01:07:26.352 PDT Gen. Time: 04/10/2013 01:13:10.167 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC 173.208.150.250 (17) (01:08:10.573 PDT-01:08:57.402 PDT) event=1:2002033 (17) {tcp} E4[rb] ET TROJAN BOT - potential response, [] MAC_Src: 00:01:64:FF:CE:EA 9: 80->55586 (01:08:10.573 PDT-01:08:10.682 PDT) 8: 80->33194 (01:08:57.222 PDT-01:08:57.402 PDT) C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN 173.208.150.250 (17) (01:07:26.352 PDT) event=1:552123 (17) {tcp} E5[rb] REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner, [] MAC_Src: 00:01:64:FF:CE:EA 80->49535 (01:07:26.352 PDT) 80->50798 (01:07:35.568 PDT) 80->51127 (01:07:38.159 PDT) 80->52840 (01:07:50.397 PDT) 80->53169 (01:07:52.969 PDT) 80->53539 (01:07:55.541 PDT) 80->54981 (01:08:05.898 PDT) 80->57073 (01:08:21.873 PDT) 80->57320 (01:08:24.182 PDT) 80->58866 (01:08:36.043 PDT) 80->59180 (01:08:38.629 PDT) 80->59517 (01:08:41.207 PDT) 80->60811 (01:08:51.144 PDT) 80->34813 (01:09:09.677 PDT) 80->35128 (01:09:12.203 PDT) 80->36423 (01:09:23.214 PDT) 80->36746 (01:09:25.859 PDT) ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1365581246.352 1365581337.403 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.14' ============================== SEPARATOR ================================