Score: 1.0 (>= 0.8)
Infected Target: 192.168.1.85
Infector List:
Egg Source List:
C & C List: 66.249.74.230
Peer Coord. List:
Resource List:
Observed Start: 04/22/2013 09:04:08.728 PDT
Gen. Time: 04/22/2013 09:04:58.540 PDT

INBOUND SCAN

EXPLOIT

EXPLOIT MALWARE DNS

EGG DOWNLOAD

C and C TRAFFIC
66.249.74.230 (09:04:58.540 PDT)
  event=1:2002033 {tcp} E4[rb] ET TROJAN BOT - potential response, [] MAC_Src: 00:01:64:FF:CE:EA
  80->49776 (09:04:58.540 PDT)

C and C TRAFFIC (RBN)

C and C DNS CHECK-IN

OUTBOUND SKYPE CANDIDATE

OUTBOUND SCAN (spp)

OUTBOUND SCAN
66.249.74.230 (5) (09:04:08.728 PDT)
  event=1:552123 (5) {tcp} E5[rb] REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner, [] MAC_Src: 00:01:64:FF:CE:EA
  80->50734 (09:04:08.728 PDT)
  80->33869 (09:04:17.017 PDT)
  80->55088 (09:04:25.286 PDT)
  80->44279 (09:04:33.591 PDT)
  80->37262 (09:04:50.174 PDT)

ATTACK PREP

PEER COORDINATION Info

PEER COORDINATION

DECLARE BOT Standard Port

DECLARE BOT Non-standard Port

DECLARE BOT Local Threat Triggered

DECLARE BOT

OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1366646648.728 1366646648.729 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.85'

============================== SEPARATOR ================================

Score: 1.0 (>= 0.8)
Infected Target: 192.168.1.85
Infector List:
Egg Source List:
C & C List: 66.249.74.230 (2)
Peer Coord. List:
Resource List:
Observed Start: 04/22/2013 09:04:08.728 PDT
Gen. Time: 04/22/2013 09:21:28.367 PDT

INBOUND SCAN

EXPLOIT

EXPLOIT MALWARE DNS

EGG DOWNLOAD

C and C TRAFFIC
66.249.74.230 (2) (09:04:58.540 PDT)
  event=1:2002033 (2) {tcp} E4[rb] ET TROJAN BOT - potential response, [] MAC_Src: 00:01:64:FF:CE:EA
  2: 80->49776 (09:04:58.540 PDT-09:04:58.540 PDT)

C and C TRAFFIC (RBN)

C and C DNS CHECK-IN

OUTBOUND SKYPE CANDIDATE

OUTBOUND SCAN (spp)

OUTBOUND SCAN
66.249.74.230 (17) (09:04:08.728 PDT)
  event=1:552123 (17) {tcp} E5[rb] REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner, [] MAC_Src: 00:01:64:FF:CE:EA
  80->50734 (09:04:08.728 PDT)
  80->33869 (09:04:17.017 PDT)
  80->55088 (09:04:25.286 PDT)
  80->44279 (09:04:33.591 PDT)
  80->37262 (09:04:50.174 PDT)
  80->65164 (09:05:15.054 PDT)
  80->48592 (09:07:19.438 PDT)
  80->64451 (09:07:36.015 PDT)
  80->55340 (09:07:44.305 PDT)
  80->56725 (09:07:52.593 PDT)
  80->60963 (09:09:23.804 PDT)
  80->39228 (09:10:30.133 PDT)
  80->40578 (09:11:11.597 PDT)
  80->37609 (09:11:19.861 PDT)
  80->42182 (09:11:53.070 PDT)
  80->44934 (09:14:00.970 PDT)
  80->59749 (09:16:30.212 PDT)

ATTACK PREP

PEER COORDINATION Info

PEER COORDINATION

DECLARE BOT Standard Port

DECLARE BOT Non-standard Port

DECLARE BOT Local Threat Triggered

DECLARE BOT

OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1366646648.728 1366646698.541 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.85'

============================== SEPARATOR ================================

Score: 1.0 (>= 0.8)
Infected Target: 192.168.1.85
Infector List:
Egg Source List:
C & C List: 66.249.74.230
Peer Coord. List:
Resource List:
Observed Start: 04/22/2013 14:53:59.477 PDT
Gen. Time: 04/22/2013 14:59:33.958 PDT

INBOUND SCAN

EXPLOIT

EXPLOIT MALWARE DNS

EGG DOWNLOAD

C and C TRAFFIC
66.249.74.230 (14:59:33.958 PDT)
  event=1:2002033 {tcp} E4[rb] ET TROJAN BOT - potential response, [] MAC_Src: 00:01:64:FF:CE:EA
  80->55540 (14:59:33.958 PDT)

C and C TRAFFIC (RBN)

C and C DNS CHECK-IN

OUTBOUND SKYPE CANDIDATE

OUTBOUND SCAN (spp)

OUTBOUND SCAN
66.249.74.230 (3) (14:53:59.477 PDT)
  event=1:552123 (3) {tcp} E5[rb] REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner, [] MAC_Src: 00:01:64:FF:CE:EA
  80->53337 (14:53:59.477 PDT)
  80->34402 (14:57:28.188 PDT)
  80->47631 (14:57:49.509 PDT)

ATTACK PREP

PEER COORDINATION Info

PEER COORDINATION

DECLARE BOT Standard Port

DECLARE BOT Non-standard Port

DECLARE BOT Local Threat Triggered

DECLARE BOT

OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1366667639.477 1366667639.478 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.85'

============================== SEPARATOR ================================

Score: 1.0 (>= 0.8)
Infected Target: 192.168.1.85
Infector List:
Egg Source List:
C & C List: 66.249.74.230
Peer Coord. List:
Resource List:
Observed Start: 04/22/2013 14:53:59.477 PDT
Gen. Time: 04/22/2013 15:12:40.495 PDT

INBOUND SCAN

EXPLOIT

EXPLOIT MALWARE DNS

EGG DOWNLOAD

C and C TRAFFIC
66.249.74.230 (14:59:33.958 PDT)
  event=1:2002033 {tcp} E4[rb] ET TROJAN BOT - potential response, [] MAC_Src: 00:01:64:FF:CE:EA
  80->55540 (14:59:33.958 PDT)

C and C TRAFFIC (RBN)

C and C DNS CHECK-IN

OUTBOUND SKYPE CANDIDATE

OUTBOUND SCAN (spp)

OUTBOUND SCAN
66.249.74.230 (8) (14:53:59.477 PDT)
  event=1:552123 (8) {tcp} E5[rb] REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner, [] MAC_Src: 00:01:64:FF:CE:EA
  80->53337 (14:53:59.477 PDT)
  80->34402 (14:57:28.188 PDT)
  80->47631 (14:57:49.509 PDT)
  80->56768 (15:01:36.090 PDT)
  80->58408 (15:02:07.675 PDT)
  80->40300 (15:03:24.750 PDT)
  80->45616 (15:06:44.496 PDT)
  80->44972 (15:08:40.362 PDT)

ATTACK PREP

PEER COORDINATION Info

PEER COORDINATION

DECLARE BOT Standard Port

DECLARE BOT Non-standard Port

DECLARE BOT Local Threat Triggered

DECLARE BOT

OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1366667639.477 1366667639.478 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.85'

============================== SEPARATOR ================================