Score: 1.1 (>= 0.8)
Infected Target: 192.168.1.98
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 04/22/2013 09:03:22.795 PDT
Gen. Time: 04/22/2013 09:04:13.756 PDT
   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
      201.25.108.57 (09:03:22.795 PDT) event=777:7777005 {icmp} E5[bh] Detected moderate malware port scanning of 20 IPs (20 /24s) (# pkts S/M/O/I=0/20/0/0): 445:20, [] MAC_Src: 00:21:1C:EE:14:00 (09:03:22.795 PDT)
   OUTBOUND SCAN ATTACK PREP
   PEER COORDINATION Info
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
   DECLARE BOT Local Threat Triggered
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN
      201.25.108.57 (09:04:13.756 PDT) event=777:7777008 {icmp} E8[bh] Detected intense malware port scanning of 21 IPs (21 /24s) (# pkts S/M/O/I=0/21/0/0): 445:21, [] MAC_Src: 00:21:1C:EE:14:00 (09:04:13.756 PDT)
tcpslice 1366646602.795 1366646602.796 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98'
============================== SEPARATOR ================================
Score: 1.1 (>= 0.8)
Infected Target: 192.168.1.98
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 04/22/2013 09:03:22.795 PDT
Gen. Time: 04/22/2013 09:07:22.896 PDT
   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
      201.25.108.57 (09:03:22.795 PDT) event=777:7777005 {icmp} E5[bh] Detected moderate malware port scanning of 20 IPs (20 /24s) (# pkts S/M/O/I=0/20/0/0): 445:20, [] MAC_Src: 00:21:1C:EE:14:00 (09:03:22.795 PDT)
   OUTBOUND SCAN ATTACK PREP
   PEER COORDINATION Info
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
   DECLARE BOT Local Threat Triggered
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN
      201.25.108.57 (2) (09:04:13.756 PDT) event=777:7777008 (2) {icmp} E8[bh] Detected intense malware port scanning of 21 IPs (21 /24s) (# pkts S/M/O/I=0/21/0/0): 445:21, [] MAC_Src: 00:21:1C:EE:14:00 (09:04:13.756 PDT) 0->0 (09:06:19.318 PDT)
tcpslice 1366646602.795 1366646602.796 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.98
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 04/22/2013 09:14:53.047 PDT
Gen. Time: 04/22/2013 09:14:53.047 PDT
   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN ATTACK PREP
   PEER COORDINATION Info
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
   DECLARE BOT Local Threat Triggered
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN
      201.25.108.57 (09:14:53.047 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 24 IPs (24 /24s) (# pkts S/M/O/I=0/24/0/0): 445:24, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (09:14:53.047 PDT)
tcpslice 1366647293.047 1366647293.048 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.98
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 04/22/2013 09:14:53.047 PDT
Gen. Time: 04/22/2013 09:18:53.084 PDT
   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN ATTACK PREP
   PEER COORDINATION Info
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
   DECLARE BOT Local Threat Triggered
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN
      201.25.108.57 (2) (09:14:53.047 PDT) event=777:7777008 (2) {tcp} E8[bh] Detected intense malware port scanning of 24 IPs (24 /24s) (# pkts S/M/O/I=0/24/0/0): 445:24, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (09:14:53.047 PDT) 0->0 (09:16:25.826 PDT)
tcpslice 1366647293.047 1366647293.048 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.98
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 04/22/2013 09:19:19.775 PDT
Gen. Time: 04/22/2013 09:19:19.775 PDT
   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN ATTACK PREP
   PEER COORDINATION Info
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
   DECLARE BOT Local Threat Triggered
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN
      201.25.108.57 (09:19:19.775 PDT) event=777:7777008 {icmp} E8[bh] Detected intense malware port scanning of 28 IPs (28 /24s) (# pkts S/M/O/I=0/28/0/0): 445:28, [] MAC_Src: 00:21:1C:EE:14:00 (09:19:19.775 PDT)
tcpslice 1366647559.775 1366647559.776 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.98
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 04/22/2013 09:19:19.775 PDT
Gen. Time: 04/22/2013 09:23:19.805 PDT
   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN ATTACK PREP
   PEER COORDINATION Info
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
   DECLARE BOT Local Threat Triggered
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN
      201.25.108.57 (2) (09:19:19.775 PDT) event=777:7777008 (2) {icmp} E8[bh] Detected intense malware port scanning of 28 IPs (28 /24s) (# pkts S/M/O/I=0/28/0/0): 445:28, [] MAC_Src: 00:21:1C:EE:14:00 (09:19:19.775 PDT) 0->0 (09:21:52.593 PDT)
tcpslice 1366647559.775 1366647559.776 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.98
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 04/22/2013 09:24:31.665 PDT
Gen. Time: 04/22/2013 09:24:31.665 PDT
   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN ATTACK PREP
   PEER COORDINATION Info
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
   DECLARE BOT Local Threat Triggered
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN
      201.25.108.57 (09:24:31.665 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 31 IPs (31 /24s) (# pkts S/M/O/I=0/31/0/0): 445:31, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (09:24:31.665 PDT)
tcpslice 1366647871.665 1366647871.666 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.98
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 04/22/2013 09:24:31.665 PDT
Gen. Time: 04/22/2013 09:28:31.715 PDT
   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN ATTACK PREP
   PEER COORDINATION Info
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
   DECLARE BOT Local Threat Triggered
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN
      201.25.108.57 (2) (09:24:31.665 PDT) event=777:7777008 (2) {tcp} E8[bh] Detected intense malware port scanning of 31 IPs (31 /24s) (# pkts S/M/O/I=0/31/0/0): 445:31, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (09:24:31.665 PDT) (09:26:28.659 PDT)
tcpslice 1366647871.665 1366647871.666 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.98
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 04/22/2013 09:29:59.644 PDT
Gen. Time: 04/22/2013 09:29:59.644 PDT
   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN ATTACK PREP
   PEER COORDINATION Info
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
   DECLARE BOT Local Threat Triggered
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN
      201.25.108.57 (09:29:59.644 PDT) event=777:7777008 {icmp} E8[bh] Detected intense malware port scanning of 35 IPs (35 /24s) (# pkts S/M/O/I=0/35/0/0): 445:35, [] MAC_Src: 00:21:1C:EE:14:00 (09:29:59.644 PDT)
tcpslice 1366648199.644 1366648199.645 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.98
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 04/22/2013 09:29:59.644 PDT
Gen. Time: 04/22/2013 09:33:59.649 PDT
   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN ATTACK PREP
   PEER COORDINATION Info
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
   DECLARE BOT Local Threat Triggered
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN
      201.25.108.57 (2) (09:29:59.644 PDT) event=777:7777008 (2) {icmp} E8[bh] Detected intense malware port scanning of 35 IPs (35 /24s) (# pkts S/M/O/I=0/35/0/0): 445:35, [] MAC_Src: 00:21:1C:EE:14:00 (09:29:59.644 PDT) (09:32:29.463 PDT)
tcpslice 1366648199.644 1366648199.645 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.98
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 04/22/2013 09:38:19.443 PDT
Gen. Time: 04/22/2013 09:38:19.443 PDT
   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN ATTACK PREP
   PEER COORDINATION Info
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
   DECLARE BOT Local Threat Triggered
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN
      201.25.108.57 (09:38:19.443 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 39 IPs (39 /24s) (# pkts S/M/O/I=0/39/0/0): 445:39, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (09:38:19.443 PDT)
tcpslice 1366648699.443 1366648699.444 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.98
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 04/22/2013 09:38:19.443 PDT
Gen. Time: 04/22/2013 09:42:19.511 PDT
   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN ATTACK PREP
   PEER COORDINATION Info
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
   DECLARE BOT Local Threat Triggered
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN
      201.25.108.57 (3) (09:38:19.443 PDT) event=777:7777008 (3) {tcp} E8[bh] Detected intense malware port scanning of 39 IPs (39 /24s) (# pkts S/M/O/I=0/39/0/0): 445:39, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (09:38:19.443 PDT) (09:39:54.906 PDT) (09:42:17.692 PDT)
tcpslice 1366648699.443 1366648699.444 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.98
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 04/22/2013 09:49:27.586 PDT
Gen. Time: 04/22/2013 09:49:27.586 PDT
   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN ATTACK PREP
   PEER COORDINATION Info
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
   DECLARE BOT Local Threat Triggered
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN
      201.25.108.57 (09:49:27.586 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 45 IPs (45 /24s) (# pkts S/M/O/I=0/45/0/0): 445:45, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (09:49:27.586 PDT)
tcpslice 1366649367.586 1366649367.587 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.98
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 04/22/2013 09:49:27.586 PDT
Gen. Time: 04/22/2013 09:53:27.689 PDT
   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN ATTACK PREP
   PEER COORDINATION Info
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
   DECLARE BOT Local Threat Triggered
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN
      201.25.108.57 (2) (09:49:27.586 PDT) event=777:7777008 (2) {tcp} E8[bh] Detected intense malware port scanning of 45 IPs (45 /24s) (# pkts S/M/O/I=0/45/0/0): 445:45, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (09:49:27.586 PDT) 0->0 (09:51:21.496 PDT)
tcpslice 1366649367.586 1366649367.587 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98'
============================== SEPARATOR ================================
Score: 1.1 (>= 0.8)
Infected Target: 192.168.1.98
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 04/22/2013 10:15:52.342 PDT
Gen. Time: 04/22/2013 10:18:24.620 PDT
   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
      189.89.129.52 (10:15:52.342 PDT) event=777:7777005 {tcp} E5[bh] Detected moderate malware port scanning of 18 IPs (18 /24s) (# pkts S/M/O/I=1/17/0/0): 445:17, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (10:15:52.342 PDT)
   OUTBOUND SCAN ATTACK PREP
   PEER COORDINATION Info
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
   DECLARE BOT Local Threat Triggered
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN
      201.62.52.87 (10:18:24.620 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 21 IPs (21 /24s) (# pkts S/M/O/I=1/20/0/0): 445:20, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (10:18:24.620 PDT)
tcpslice 1366650952.342 1366650952.343 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.98
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 04/22/2013 10:20:08.653 PDT
Gen. Time: 04/22/2013 10:20:08.653 PDT
   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN ATTACK PREP
   PEER COORDINATION Info
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
   DECLARE BOT Local Threat Triggered
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN
      177.10.106.113 (10:20:08.653 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 26 IPs (26 /24s) (# pkts S/M/O/I=1/25/0/0): 445:25, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (10:20:08.653 PDT)
tcpslice 1366651208.653 1366651208.654 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.98
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 04/22/2013 10:24:42.705 PDT
Gen. Time: 04/22/2013 10:24:42.705 PDT
   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN ATTACK PREP
   PEER COORDINATION Info
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
   DECLARE BOT Local Threat Triggered
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN
      187.61.75.16 (10:24:42.705 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 28 IPs (28 /24s) (# pkts S/M/O/I=1/27/0/0): 445:27, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (10:24:42.705 PDT)
tcpslice 1366651482.705 1366651482.706 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.98
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 04/22/2013 10:29:15.868 PDT
Gen. Time: 04/22/2013 10:29:15.868 PDT
   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN ATTACK PREP
   PEER COORDINATION Info
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
   DECLARE BOT Local Threat Triggered
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN
      187.61.75.16 (10:29:15.868 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 29 IPs (29 /24s) (# pkts S/M/O/I=1/28/0/0): 445:28, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (10:29:15.868 PDT)
tcpslice 1366651755.868 1366651755.869 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.98
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 04/22/2013 10:29:15.868 PDT
Gen. Time: 04/22/2013 10:33:15.957 PDT
   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN ATTACK PREP
   PEER COORDINATION Info
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
   DECLARE BOT Local Threat Triggered
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN
      187.61.75.16 (3) (10:29:15.868 PDT) event=777:7777008 (3) {tcp} E8[bh] Detected intense malware port scanning of 29 IPs (29 /24s) (# pkts S/M/O/I=1/28/0/0): 445:28, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (10:29:15.868 PDT) (10:30:58.816 PDT) (10:33:07.451 PDT)
tcpslice 1366651755.868 1366651755.869 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.98
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 04/22/2013 10:34:58.894 PDT
Gen. Time: 04/22/2013 10:34:58.894 PDT
   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN ATTACK PREP
   PEER COORDINATION Info
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
   DECLARE BOT Local Threat Triggered
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN
      187.61.75.16 (10:34:58.894 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 34 IPs (34 /24s) (# pkts S/M/O/I=1/33/0/0): 445:33, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (10:34:58.894 PDT)
tcpslice 1366652098.894 1366652098.895 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.98
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 04/22/2013 10:34:58.894 PDT
Gen. Time: 04/22/2013 10:38:58.960 PDT
   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN ATTACK PREP
   PEER COORDINATION Info
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
   DECLARE BOT Local Threat Triggered
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN
      187.61.75.16 (2) (10:34:58.894 PDT) event=777:7777008 (2) {tcp} E8[bh] Detected intense malware port scanning of 34 IPs (34 /24s) (# pkts S/M/O/I=1/33/0/0): 445:33, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (10:34:58.894 PDT) 0->0 (10:37:04.914 PDT)
tcpslice 1366652098.894 1366652098.895 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.98
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 04/22/2013 10:41:09.864 PDT
Gen. Time: 04/22/2013 10:41:09.864 PDT
   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN ATTACK PREP
   PEER COORDINATION Info
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
   DECLARE BOT Local Threat Triggered
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN
      187.61.75.16 (10:41:09.864 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 40 IPs (40 /24s) (# pkts S/M/O/I=1/39/0/0): 445:39, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (10:41:09.864 PDT)
tcpslice 1366652469.864 1366652469.865 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.98
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 04/22/2013 10:41:09.864 PDT
Gen. Time: 04/22/2013 10:45:09.965 PDT
   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN ATTACK PREP
   PEER COORDINATION Info
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
   DECLARE BOT Local Threat Triggered
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN
      187.61.75.16 (2) (10:41:09.864 PDT) event=777:7777008 (2) {tcp} E8[bh] Detected intense malware port scanning of 40 IPs (40 /24s) (# pkts S/M/O/I=1/39/0/0): 445:39, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (10:41:09.864 PDT) 0->0 (10:43:28.008 PDT)
tcpslice 1366652469.864 1366652469.865 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.98
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 04/22/2013 10:47:41.752 PDT
Gen. Time: 04/22/2013 10:47:41.752 PDT
   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN ATTACK PREP
   PEER COORDINATION Info
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
   DECLARE BOT Local Threat Triggered
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN
      187.61.75.16 (10:47:41.752 PDT) event=777:7777008 {icmp} E8[bh] Detected intense malware port scanning of 44 IPs (44 /24s) (# pkts S/M/O/I=1/43/0/0): 445:43, [] MAC_Src: 00:21:1C:EE:14:00 (10:47:41.752 PDT)
tcpslice 1366652861.752 1366652861.753 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.98
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 04/22/2013 10:47:41.752 PDT
Gen. Time: 04/22/2013 10:51:41.856 PDT
   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN ATTACK PREP
   PEER COORDINATION Info
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
   DECLARE BOT Local Threat Triggered
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN
      187.61.75.16 (2) (10:47:41.752 PDT) event=777:7777008 (2) {icmp} E8[bh] Detected intense malware port scanning of 44 IPs (44 /24s) (# pkts S/M/O/I=1/43/0/0): 445:43, [] MAC_Src: 00:21:1C:EE:14:00 (10:47:41.752 PDT) (10:50:32.638 PDT)
tcpslice 1366652861.752 1366652861.753 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.98
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 04/22/2013 10:53:30.891 PDT
Gen. Time: 04/22/2013 10:53:30.891 PDT
   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN ATTACK PREP
   PEER COORDINATION Info
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
   DECLARE BOT Local Threat Triggered
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN
      187.61.75.16 (10:53:30.891 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 47 IPs (47 /24s) (# pkts S/M/O/I=1/46/0/0): 445:46, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (10:53:30.891 PDT)
tcpslice 1366653210.891 1366653210.892 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.98
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 04/22/2013 10:53:30.891 PDT
Gen. Time: 04/22/2013 10:57:31.081 PDT
   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN ATTACK PREP
   PEER COORDINATION Info
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
   DECLARE BOT Local Threat Triggered
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN
      187.61.75.16 (2) (10:53:30.891 PDT) event=777:7777008 (2) {tcp} E8[bh] Detected intense malware port scanning of 47 IPs (47 /24s) (# pkts S/M/O/I=1/46/0/0): 445:46, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (10:53:30.891 PDT) 0->0 (10:55:28.927 PDT)
tcpslice 1366653210.891 1366653210.892 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.98
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 04/22/2013 10:58:19.779 PDT
Gen. Time: 04/22/2013 10:58:19.779 PDT
   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN ATTACK PREP
   PEER COORDINATION Info
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
   DECLARE BOT Local Threat Triggered
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN
      187.61.75.16 (10:58:19.779 PDT) event=777:7777008 {icmp} E8[bh] Detected intense malware port scanning of 57 IPs (56 /24s) (# pkts S/M/O/I=1/56/0/0): 445:56, [] MAC_Src: 00:21:1C:EE:14:00 (10:58:19.779 PDT)
tcpslice 1366653499.779 1366653499.780 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.98
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 04/22/2013 10:58:19.779 PDT
Gen. Time: 04/22/2013 11:02:19.786 PDT
   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN ATTACK PREP
   PEER COORDINATION Info
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
   DECLARE BOT Local Threat Triggered
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN
      187.61.75.16 (2) (10:58:19.779 PDT) event=777:7777008 (2) {icmp} E8[bh] Detected intense malware port scanning of 57 IPs (56 /24s) (# pkts S/M/O/I=1/56/0/0): 445:56, [] MAC_Src: 00:21:1C:EE:14:00 (10:58:19.779 PDT) 0->0 (10:59:49.569 PDT)
tcpslice 1366653499.779 1366653499.780 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.98
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 04/22/2013 11:04:05.806 PDT
Gen. Time: 04/22/2013 11:04:05.806 PDT
   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN ATTACK PREP
   PEER COORDINATION Info
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
   DECLARE BOT Local Threat Triggered
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN
      187.61.75.16 (11:04:05.806 PDT) event=777:7777008 {icmp} E8[bh] Detected intense malware port scanning of 61 IPs (60 /24s) (# pkts S/M/O/I=1/60/0/0): 445:60, [] MAC_Src: 00:21:1C:EE:14:00 (11:04:05.806 PDT)
tcpslice 1366653845.806 1366653845.807 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.98
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 04/22/2013 11:04:05.806 PDT
Gen. Time: 04/22/2013 11:08:05.824 PDT
   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN ATTACK PREP
   PEER COORDINATION Info
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
   DECLARE BOT Local Threat Triggered
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN
      187.61.75.16 (2) (11:04:05.806 PDT) event=777:7777008 (2) {icmp} E8[bh] Detected intense malware port scanning of 61 IPs (60 /24s) (# pkts S/M/O/I=1/60/0/0): 445:60, [] MAC_Src: 00:21:1C:EE:14:00 (11:04:05.806 PDT) 0->0 (11:06:19.129 PDT)
tcpslice 1366653845.806 1366653845.807 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.98
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 04/22/2013 11:08:47.783 PDT
Gen. Time: 04/22/2013 11:08:47.783 PDT
   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN ATTACK PREP
   PEER COORDINATION Info
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
   DECLARE BOT Local Threat Triggered
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN
      187.61.75.16 (11:08:47.783 PDT) event=777:7777008 {icmp} E8[bh] Detected intense malware port scanning of 66 IPs (65 /24s) (# pkts S/M/O/I=1/65/0/0): 445:65, [] MAC_Src: 00:21:1C:EE:14:00 (11:08:47.783 PDT)
tcpslice 1366654127.783 1366654127.784 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.98
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 04/22/2013 11:08:47.783 PDT
Gen. Time: 04/22/2013 11:12:47.949 PDT
   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN ATTACK PREP
   PEER COORDINATION Info
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
   DECLARE BOT Local Threat Triggered
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN
      187.61.75.16 (11:08:47.783 PDT) event=777:7777008 {icmp} E8[bh] Detected intense malware port scanning of 66 IPs (65 /24s) (# pkts S/M/O/I=1/65/0/0): 445:65, [] MAC_Src: 00:21:1C:EE:14:00 (11:08:47.783 PDT)
      186.42.104.72 (11:11:58.350 PDT) event=777:7777008 {icmp} E8[bh] Detected intense malware port scanning of 71 IPs (70 /24s) (# pkts S/M/O/I=1/70/0/0): 445:70, [] MAC_Src: 00:21:1C:EE:14:00 (11:11:58.350 PDT)
tcpslice 1366654127.783 1366654127.784 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.98
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 04/22/2013 11:13:58.033 PDT
Gen. Time: 04/22/2013 11:13:58.033 PDT
   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN ATTACK PREP
   PEER COORDINATION Info
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
   DECLARE BOT Local Threat Triggered
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN
      186.42.104.72 (11:13:58.033 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 72 IPs (71 /24s) (# pkts S/M/O/I=1/71/0/0): 445:71, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (11:13:58.033 PDT)
tcpslice 1366654438.033 1366654438.034 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.98
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 04/22/2013 11:13:58.033 PDT
Gen. Time: 04/22/2013 11:17:58.058 PDT
   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN ATTACK PREP
   PEER COORDINATION Info
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
   DECLARE BOT Local Threat Triggered
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN
      186.42.104.72 (3) (11:13:58.033 PDT) event=777:7777008 (3) {tcp} E8[bh] Detected intense malware port scanning of 72 IPs (71 /24s) (# pkts S/M/O/I=1/71/0/0): 445:71, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (11:13:58.033 PDT) (11:15:41.030 PDT) 0->0 (11:17:20.134 PDT)
tcpslice 1366654438.033 1366654438.034 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.98
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 04/22/2013 11:19:12.222 PDT
Gen. Time: 04/22/2013 11:19:12.222 PDT
   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN ATTACK PREP
   PEER COORDINATION Info
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
   DECLARE BOT Local Threat Triggered
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN
      186.42.104.72 (11:19:12.222 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 79 IPs (78 /24s) (# pkts S/M/O/I=1/78/0/0): 445:78, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (11:19:12.222 PDT)
tcpslice 1366654752.222 1366654752.223 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.98
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 04/22/2013 11:24:16.133 PDT
Gen.
Time: 04/22/2013 11:24:16.133 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 186.42.104.72 (11:24:16.133 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 80 IPs (79 /24s) (# pkts S/M/O/I=1/79/0/0): 445:79, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (11:24:16.133 PDT) tcpslice 1366655056.133 1366655056.134 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/22/2013 11:24:16.133 PDT Gen. Time: 04/22/2013 11:28:16.158 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 186.42.104.72 (2) (11:24:16.133 PDT) event=777:7777008 (2) {tcp} E8[bh] Detected intense malware port scanning of 80 IPs (79 /24s) (# pkts S/M/O/I=1/79/0/0): 445:79, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (11:24:16.133 PDT) 0->0 (11:26:35.735 PDT) tcpslice 1366655056.133 1366655056.134 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/22/2013 11:31:48.814 PDT Gen. 
Time: 04/22/2013 11:31:48.814 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 186.42.104.72 (11:31:48.814 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 84 IPs (83 /24s) (# pkts S/M/O/I=1/83/0/0): 445:83, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (11:31:48.814 PDT) tcpslice 1366655508.814 1366655508.815 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/22/2013 11:31:48.814 PDT Gen. Time: 04/22/2013 11:35:49.241 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 186.42.104.72 (2) (11:31:48.814 PDT) event=777:7777008 (2) {tcp} E8[bh] Detected intense malware port scanning of 84 IPs (83 /24s) (# pkts S/M/O/I=1/83/0/0): 445:83, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (11:31:48.814 PDT) (11:34:30.887 PDT) tcpslice 1366655508.814 1366655508.815 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/22/2013 11:36:31.108 PDT Gen. 
Time: 04/22/2013 11:36:31.108 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 186.42.104.72 (11:36:31.108 PDT) event=777:7777008 {icmp} E8[bh] Detected intense malware port scanning of 90 IPs (89 /24s) (# pkts S/M/O/I=1/89/0/0): 445:89, [] MAC_Src: 00:21:1C:EE:14:00 (11:36:31.108 PDT) tcpslice 1366655791.108 1366655791.109 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/22/2013 11:36:31.108 PDT Gen. Time: 04/22/2013 11:40:31.473 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 186.42.104.72 (3) (11:36:31.108 PDT) event=777:7777008 (3) {icmp} E8[bh] Detected intense malware port scanning of 90 IPs (89 /24s) (# pkts S/M/O/I=1/89/0/0): 445:89, [] MAC_Src: 00:21:1C:EE:14:00 (11:36:31.108 PDT) (11:38:26.768 PDT) 0->0 (11:40:09.774 PDT) tcpslice 1366655791.108 1366655791.109 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/22/2013 11:42:23.102 PDT Gen. 
Time: 04/22/2013 11:42:23.102 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 186.42.104.72 (11:42:23.102 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 96 IPs (95 /24s) (# pkts S/M/O/I=1/95/0/0): 445:95, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (11:42:23.102 PDT) tcpslice 1366656143.102 1366656143.103 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/22/2013 11:42:23.102 PDT Gen. Time: 04/22/2013 11:46:23.102 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 186.42.104.72 (3) (11:42:23.102 PDT) event=777:7777008 (3) {tcp} E8[bh] Detected intense malware port scanning of 96 IPs (95 /24s) (# pkts S/M/O/I=1/95/0/0): 445:95, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (11:42:23.102 PDT) 0->0 (11:44:38.030 PDT) 0->0 (11:46:09.943 PDT) tcpslice 1366656143.102 1366656143.103 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/22/2013 11:48:29.435 PDT Gen. 
Time: 04/22/2013 11:48:29.435 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 186.42.104.72 (11:48:29.435 PDT) event=777:7777008 {icmp} E8[bh] Detected intense malware port scanning of 102 IPs (101 /24s) (# pkts S/M/O/I=1/101/0/0): 445:101, [] MAC_Src: 00:21:1C:EE:14:00 (11:48:29.435 PDT) tcpslice 1366656509.435 1366656509.436 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/22/2013 11:48:29.435 PDT Gen. Time: 04/22/2013 11:52:29.449 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 186.42.104.72 (3) (11:48:29.435 PDT) event=777:7777008 (3) {icmp} E8[bh] Detected intense malware port scanning of 102 IPs (101 /24s) (# pkts S/M/O/I=1/101/0/0): 445:101, [] MAC_Src: 00:21:1C:EE:14:00 (11:48:29.435 PDT) (11:50:00.790 PDT) (11:52:04.992 PDT) tcpslice 1366656509.435 1366656509.436 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/22/2013 11:54:40.351 PDT Gen. 
Time: 04/22/2013 11:54:40.351 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 189.11.63.77 (11:54:40.351 PDT) event=777:7777008 {icmp} E8[bh] Detected intense malware port scanning of 108 IPs (107 /24s) (# pkts S/M/O/I=1/107/0/0): 445:107, [] MAC_Src: 00:21:1C:EE:14:00 (11:54:40.351 PDT) tcpslice 1366656880.351 1366656880.352 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/22/2013 11:54:40.351 PDT Gen. Time: 04/22/2013 11:58:40.393 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 187.12.99.106 (11:57:39.946 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 112 IPs (111 /24s) (# pkts S/M/O/I=1/111/0/0): 445:111, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (11:57:39.946 PDT) 189.11.63.77 (11:54:40.351 PDT) event=777:7777008 {icmp} E8[bh] Detected intense malware port scanning of 108 IPs (107 /24s) (# pkts S/M/O/I=1/107/0/0): 445:107, [] MAC_Src: 00:21:1C:EE:14:00 (11:54:40.351 PDT) tcpslice 1366656880.351 1366656880.352 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) 
Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/22/2013 12:00:19.957 PDT Gen. Time: 04/22/2013 12:00:19.957 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 187.12.99.106 (12:00:19.957 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 113 IPs (112 /24s) (# pkts S/M/O/I=1/112/0/0): 445:112, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (12:00:19.957 PDT) tcpslice 1366657219.957 1366657219.958 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 1.1 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/22/2013 12:22:30.775 PDT Gen. 
Time: 04/22/2013 12:26:26.231 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) 187.5.81.29 (3) (12:22:30.775 PDT) event=777:7777005 (3) {tcp} E5[bh] Detected moderate malware port scanning of 16 IPs (16 /24s) (# pkts S/M/O/I=0/16/0/0): 445:16, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (12:22:30.775 PDT) (12:24:40.686 PDT) 0->0 (12:26:19.536 PDT) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 187.5.81.29 (12:26:26.231 PDT) event=777:7777008 {icmp} E8[bh] Detected intense malware port scanning of 21 IPs (21 /24s) (# pkts S/M/O/I=0/21/0/0): 445:21, [] MAC_Src: 00:21:1C:EE:14:00 (12:26:26.231 PDT) tcpslice 1366658550.775 1366658550.776 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/22/2013 12:27:58.632 PDT Gen. 
Time: 04/22/2013 12:27:58.632 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 187.5.81.29 (12:27:58.632 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 22 IPs (22 /24s) (# pkts S/M/O/I=0/22/0/0): 445:22, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (12:27:58.632 PDT) tcpslice 1366658878.632 1366658878.633 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/22/2013 12:27:58.632 PDT Gen. Time: 04/22/2013 12:31:59.710 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 187.5.81.29 (3) (12:27:58.632 PDT) event=777:7777008 (3) {tcp} E8[bh] Detected intense malware port scanning of 22 IPs (22 /24s) (# pkts S/M/O/I=0/22/0/0): 445:22, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (12:27:58.632 PDT) (12:30:06.627 PDT) 0->0 (12:31:43.081 PDT) tcpslice 1366658878.632 1366658878.633 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/22/2013 12:34:29.682 PDT Gen. 
Time: 04/22/2013 12:34:29.682 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 187.5.81.29 (12:34:29.682 PDT) event=777:7777008 {icmp} E8[bh] Detected intense malware port scanning of 25 IPs (25 /24s) (# pkts S/M/O/I=0/25/0/0): 445:25, [] MAC_Src: 00:21:1C:EE:14:00 (12:34:29.682 PDT) tcpslice 1366659269.682 1366659269.683 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/22/2013 12:34:29.682 PDT Gen. Time: 04/22/2013 12:38:29.698 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 187.5.81.29 (2) (12:34:29.682 PDT) event=777:7777008 (2) {icmp} E8[bh] Detected intense malware port scanning of 25 IPs (25 /24s) (# pkts S/M/O/I=0/25/0/0): 445:25, [] MAC_Src: 00:21:1C:EE:14:00 (12:34:29.682 PDT) 0->0 (12:36:06.612 PDT) tcpslice 1366659269.682 1366659269.683 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/22/2013 12:39:35.509 PDT Gen. 
Time: 04/22/2013 12:39:35.509 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 187.5.81.29 (12:39:35.509 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 28 IPs (28 /24s) (# pkts S/M/O/I=0/28/0/0): 445:28, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (12:39:35.509 PDT) tcpslice 1366659575.509 1366659575.510 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/22/2013 12:39:35.509 PDT Gen. Time: 04/22/2013 12:43:35.609 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 187.5.81.29 (2) (12:39:35.509 PDT) event=777:7777008 (2) {tcp} E8[bh] Detected intense malware port scanning of 28 IPs (28 /24s) (# pkts S/M/O/I=0/28/0/0): 445:28, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (12:39:35.509 PDT) (12:42:56.353 PDT) tcpslice 1366659575.509 1366659575.510 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/22/2013 12:46:29.722 PDT Gen. 
Time: 04/22/2013 12:46:29.722 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 187.5.81.29 (12:46:29.722 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 32 IPs (32 /24s) (# pkts S/M/O/I=0/32/0/0): 445:32, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (12:46:29.722 PDT) tcpslice 1366659989.722 1366659989.723 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/22/2013 12:53:22.977 PDT Gen. Time: 04/22/2013 12:53:22.977 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 187.53.180.10 (12:53:22.977 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 35 IPs (35 /24s) (# pkts S/M/O/I=0/35/0/0): 445:35, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (12:53:22.977 PDT) tcpslice 1366660402.977 1366660402.978 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/22/2013 12:53:22.977 PDT Gen. 
Time: 04/22/2013 12:57:23.070 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 187.53.180.10 (2) (12:53:22.977 PDT) event=777:7777008 (2) {tcp} E8[bh] Detected intense malware port scanning of 35 IPs (35 /24s) (# pkts S/M/O/I=0/35/0/0): 445:35, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (12:53:22.977 PDT) (12:55:01.279 PDT) tcpslice 1366660402.977 1366660402.978 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/22/2013 13:01:14.942 PDT Gen. Time: 04/22/2013 13:01:14.942 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 187.53.180.10 (13:01:14.942 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 40 IPs (40 /24s) (# pkts S/M/O/I=0/40/0/0): 445:40, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (13:01:14.942 PDT) tcpslice 1366660874.942 1366660874.943 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/22/2013 13:01:14.942 PDT Gen. 
Time: 04/22/2013 13:05:14.993 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 187.53.180.10 (2) (13:01:14.942 PDT) event=777:7777008 (2) {tcp} E8[bh] Detected intense malware port scanning of 40 IPs (40 /24s) (# pkts S/M/O/I=0/40/0/0): 445:40, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (13:01:14.942 PDT) 0->0 (13:02:59.939 PDT) tcpslice 1366660874.942 1366660874.943 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/22/2013 13:05:31.206 PDT Gen. Time: 04/22/2013 13:05:31.206 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 187.53.180.10 (13:05:31.206 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 42 IPs (42 /24s) (# pkts S/M/O/I=0/42/0/0): 445:42, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (13:05:31.206 PDT) tcpslice 1366661131.206 1366661131.207 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/22/2013 13:05:31.206 PDT Gen. 
Time: 04/22/2013 13:09:31.347 PDT

   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION Info
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
   DECLARE BOT Local Threat Triggered
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN
         187.53.180.10 (2) (13:05:31.206 PDT)
           event=777:7777008 (2) {tcp} E8[bh] Detected intense malware port scanning of 42 IPs (42 /24s) (# pkts S/M/O/I=0/42/0/0): 445:42, [] MAC_Src: 00:21:1C:EE:14:00
         0->0 (13:05:31.206 PDT)
         0->0 (13:08:56.047 PDT)

tcpslice 1366661131.206 1366661131.207 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.98
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 04/22/2013 13:10:35.480 PDT
Gen. Time: 04/22/2013 13:10:35.480 PDT

   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION Info
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
   DECLARE BOT Local Threat Triggered
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN
         187.53.180.10 (13:10:35.480 PDT)
           event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 45 IPs (45 /24s) (# pkts S/M/O/I=0/45/0/0): 445:45, [] MAC_Src: 00:21:1C:EE:14:00
         0->0 (13:10:35.480 PDT)

tcpslice 1366661435.480 1366661435.481 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.98
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 04/22/2013 13:10:35.480 PDT
Gen. Time: 04/22/2013 13:14:36.212 PDT

   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION Info
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
   DECLARE BOT Local Threat Triggered
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN
         187.53.180.10 (2) (13:10:35.480 PDT)
           event=777:7777008 (2) {tcp} E8[bh] Detected intense malware port scanning of 45 IPs (45 /24s) (# pkts S/M/O/I=0/45/0/0): 445:45, [] MAC_Src: 00:21:1C:EE:14:00
         0->0 (13:10:35.480 PDT)
         0->0 (13:13:26.884 PDT)

tcpslice 1366661435.480 1366661435.481 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.98
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 04/22/2013 13:15:49.045 PDT
Gen. Time: 04/22/2013 13:15:49.045 PDT

   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION Info
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
   DECLARE BOT Local Threat Triggered
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN
         187.53.180.10 (13:15:49.045 PDT)
           event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 49 IPs (49 /24s) (# pkts S/M/O/I=0/49/0/0): 445:49, [] MAC_Src: 00:21:1C:EE:14:00
         0->0 (13:15:49.045 PDT)

tcpslice 1366661749.045 1366661749.046 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.98
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 04/22/2013 13:19:58.728 PDT
Gen. Time: 04/22/2013 13:19:58.728 PDT

   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION Info
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
   DECLARE BOT Local Threat Triggered
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN
         187.53.180.10 (13:19:58.728 PDT)
           event=777:7777008 {icmp} E8[bh] Detected intense malware port scanning of 50 IPs (50 /24s) (# pkts S/M/O/I=0/50/0/0): 445:50, [] MAC_Src: 00:21:1C:EE:14:00
         (13:19:58.728 PDT)

tcpslice 1366661998.728 1366661998.729 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.98
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 04/22/2013 13:19:58.728 PDT
Gen. Time: 04/22/2013 13:23:58.907 PDT

   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION Info
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
   DECLARE BOT Local Threat Triggered
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN
         187.53.180.10 (2) (13:19:58.728 PDT)
           event=777:7777008 (2) {icmp} E8[bh] Detected intense malware port scanning of 50 IPs (50 /24s) (# pkts S/M/O/I=0/50/0/0): 445:50, [] MAC_Src: 00:21:1C:EE:14:00
         (13:19:58.728 PDT)
         0->0 (13:21:28.670 PDT)

tcpslice 1366661998.728 1366661998.729 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.98
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 04/22/2013 13:28:47.019 PDT
Gen. Time: 04/22/2013 13:28:47.019 PDT

   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION Info
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
   DECLARE BOT Local Threat Triggered
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN
         187.53.180.10 (13:28:47.019 PDT)
           event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 54 IPs (54 /24s) (# pkts S/M/O/I=0/54/0/0): 445:54, [] MAC_Src: 00:21:1C:EE:14:00
         0->0 (13:28:47.019 PDT)

tcpslice 1366662527.019 1366662527.020 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.98
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 04/22/2013 13:28:47.019 PDT
Gen. Time: 04/22/2013 13:32:47.207 PDT

   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION Info
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
   DECLARE BOT Local Threat Triggered
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN
         187.53.180.10 (2) (13:28:47.019 PDT)
           event=777:7777008 (2) {tcp} E8[bh] Detected intense malware port scanning of 54 IPs (54 /24s) (# pkts S/M/O/I=0/54/0/0): 445:54, [] MAC_Src: 00:21:1C:EE:14:00
         0->0 (13:28:47.019 PDT)
         (13:31:40.160 PDT)

tcpslice 1366662527.019 1366662527.020 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.98
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 04/22/2013 13:37:40.184 PDT
Gen. Time: 04/22/2013 13:37:40.184 PDT

   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION Info
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
   DECLARE BOT Local Threat Triggered
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN
         187.53.180.10 (13:37:40.184 PDT)
           event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 58 IPs (58 /24s) (# pkts S/M/O/I=0/58/0/0): 445:58, [] MAC_Src: 00:21:1C:EE:14:00
         0->0 (13:37:40.184 PDT)

tcpslice 1366663060.184 1366663060.185 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.98
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 04/22/2013 13:37:40.184 PDT
Gen. Time: 04/22/2013 13:41:40.191 PDT

   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION Info
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
   DECLARE BOT Local Threat Triggered
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN
         187.53.180.10 (2) (13:37:40.184 PDT)
           event=777:7777008 (2) {tcp} E8[bh] Detected intense malware port scanning of 58 IPs (58 /24s) (# pkts S/M/O/I=0/58/0/0): 445:58, [] MAC_Src: 00:21:1C:EE:14:00
         0->0 (13:37:40.184 PDT)
         0->0 (13:40:45.125 PDT)

tcpslice 1366663060.184 1366663060.185 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.98
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 04/22/2013 13:43:08.520 PDT
Gen. Time: 04/22/2013 13:43:08.520 PDT

   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION Info
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
   DECLARE BOT Local Threat Triggered
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN
         187.53.180.10 (13:43:08.520 PDT)
           event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 62 IPs (62 /24s) (# pkts S/M/O/I=0/62/0/0): 445:62, [] MAC_Src: 00:21:1C:EE:14:00
         0->0 (13:43:08.520 PDT)

tcpslice 1366663388.520 1366663388.521 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.98
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 04/22/2013 13:43:08.520 PDT
Gen. Time: 04/22/2013 13:47:08.972 PDT

   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION Info
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
   DECLARE BOT Local Threat Triggered
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN
         187.53.180.10 (2) (13:43:08.520 PDT)
           event=777:7777008 (2) {tcp} E8[bh] Detected intense malware port scanning of 62 IPs (62 /24s) (# pkts S/M/O/I=0/62/0/0): 445:62, [] MAC_Src: 00:21:1C:EE:14:00
         0->0 (13:43:08.520 PDT)
         0->0 (13:45:39.290 PDT)

tcpslice 1366663388.520 1366663388.521 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.98
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 04/22/2013 13:50:02.192 PDT
Gen. Time: 04/22/2013 13:50:02.192 PDT

   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION Info
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
   DECLARE BOT Local Threat Triggered
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN
         187.53.180.10 (13:50:02.192 PDT)
           event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 65 IPs (65 /24s) (# pkts S/M/O/I=0/65/0/0): 445:65, [] MAC_Src: 00:21:1C:EE:14:00
         0->0 (13:50:02.192 PDT)

tcpslice 1366663802.192 1366663802.193 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.98
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 04/22/2013 13:50:02.192 PDT
Gen. Time: 04/22/2013 13:54:02.687 PDT

   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION Info
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
   DECLARE BOT Local Threat Triggered
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN
         187.53.180.10 (2) (13:50:02.192 PDT)
           event=777:7777008 (2) {tcp} E8[bh] Detected intense malware port scanning of 65 IPs (65 /24s) (# pkts S/M/O/I=0/65/0/0): 445:65, [] MAC_Src: 00:21:1C:EE:14:00
         0->0 (13:50:02.192 PDT)
         0->0 (13:52:25.539 PDT)

tcpslice 1366663802.192 1366663802.193 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.98
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 04/22/2013 13:54:11.232 PDT
Gen. Time: 04/22/2013 13:54:11.232 PDT

   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION Info
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
   DECLARE BOT Local Threat Triggered
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN
         187.53.180.10 (13:54:11.232 PDT)
           event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 69 IPs (69 /24s) (# pkts S/M/O/I=0/69/0/0): 445:69, [] MAC_Src: 00:21:1C:EE:14:00
         0->0 (13:54:11.232 PDT)

tcpslice 1366664051.232 1366664051.233 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.98
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 04/22/2013 13:54:11.232 PDT
Gen. Time: 04/22/2013 13:58:11.236 PDT

   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION Info
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
   DECLARE BOT Local Threat Triggered
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN
         187.53.180.10 (2) (13:54:11.232 PDT)
           event=777:7777008 (2) {tcp} E8[bh] Detected intense malware port scanning of 69 IPs (69 /24s) (# pkts S/M/O/I=0/69/0/0): 445:69, [] MAC_Src: 00:21:1C:EE:14:00
         0->0 (13:54:11.232 PDT)
         0->0 (13:56:05.662 PDT)

tcpslice 1366664051.232 1366664051.233 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.98
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 04/22/2013 13:59:27.228 PDT
Gen. Time: 04/22/2013 13:59:27.228 PDT

   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION Info
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
   DECLARE BOT Local Threat Triggered
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN
         187.53.180.10 (13:59:27.228 PDT)
           event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 71 IPs (71 /24s) (# pkts S/M/O/I=0/71/0/0): 445:71, [] MAC_Src: 00:21:1C:EE:14:00
         0->0 (13:59:27.228 PDT)

tcpslice 1366664367.228 1366664367.229 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.98
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 04/22/2013 14:05:02.605 PDT
Gen. Time: 04/22/2013 14:05:02.605 PDT

   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION Info
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
   DECLARE BOT Local Threat Triggered
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN
         187.53.180.10 (14:05:02.605 PDT)
           event=777:7777008 {icmp} E8[bh] Detected intense malware port scanning of 73 IPs (73 /24s) (# pkts S/M/O/I=0/73/0/0): 445:73, [] MAC_Src: 00:21:1C:EE:14:00
         (14:05:02.605 PDT)

tcpslice 1366664702.605 1366664702.606 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.98
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 04/22/2013 14:05:02.605 PDT
Gen. Time: 04/22/2013 14:09:02.612 PDT

   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION Info
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
   DECLARE BOT Local Threat Triggered
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN
         187.53.180.10 (3) (14:05:02.605 PDT)
           event=777:7777008 (3) {icmp} E8[bh] Detected intense malware port scanning of 73 IPs (73 /24s) (# pkts S/M/O/I=0/73/0/0): 445:73, [] MAC_Src: 00:21:1C:EE:14:00
         (14:05:02.605 PDT)
         0->0 (14:07:00.227 PDT)
         0->0 (14:08:37.152 PDT)

tcpslice 1366664702.605 1366664702.606 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.98
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 04/22/2013 14:11:59.289 PDT
Gen. Time: 04/22/2013 14:11:59.289 PDT

   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION Info
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
   DECLARE BOT Local Threat Triggered
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN
         187.53.180.10 (14:11:59.289 PDT)
           event=777:7777008 {icmp} E8[bh] Detected intense malware port scanning of 82 IPs (82 /24s) (# pkts S/M/O/I=0/82/0/0): 445:82, [] MAC_Src: 00:21:1C:EE:14:00
         (14:11:59.289 PDT)

tcpslice 1366665119.289 1366665119.290 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.98
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 04/22/2013 14:11:59.289 PDT
Gen. Time: 04/22/2013 14:15:59.345 PDT

   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION Info
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
   DECLARE BOT Local Threat Triggered
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN
         187.53.180.10 (2) (14:11:59.289 PDT)
           event=777:7777008 (2) {icmp} E8[bh] Detected intense malware port scanning of 82 IPs (82 /24s) (# pkts S/M/O/I=0/82/0/0): 445:82, [] MAC_Src: 00:21:1C:EE:14:00
         (14:11:59.289 PDT)
         (14:14:53.491 PDT)

tcpslice 1366665119.289 1366665119.290 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.98
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 04/22/2013 14:16:31.230 PDT
Gen. Time: 04/22/2013 14:16:31.230 PDT

   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION Info
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
   DECLARE BOT Local Threat Triggered
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN
         187.53.180.10 (14:16:31.230 PDT)
           event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 85 IPs (84 /24s) (# pkts S/M/O/I=0/85/0/0): 445:85, [] MAC_Src: 00:21:1C:EE:14:00
         0->0 (14:16:31.230 PDT)

tcpslice 1366665391.230 1366665391.231 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.98
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 04/22/2013 14:16:31.230 PDT
Gen. Time: 04/22/2013 14:20:31.239 PDT

   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION Info
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
   DECLARE BOT Local Threat Triggered
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN
         187.53.180.10 (3) (14:16:31.230 PDT)
           event=777:7777008 (3) {tcp} E8[bh] Detected intense malware port scanning of 85 IPs (84 /24s) (# pkts S/M/O/I=0/85/0/0): 445:85, [] MAC_Src: 00:21:1C:EE:14:00
         0->0 (14:16:31.230 PDT)
         0->0 (14:18:15.572 PDT)
         (14:20:30.188 PDT)

tcpslice 1366665391.230 1366665391.231 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.98
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 04/22/2013 14:24:20.372 PDT
Gen. Time: 04/22/2013 14:24:20.372 PDT

   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION Info
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
   DECLARE BOT Local Threat Triggered
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN
         187.53.180.10 (14:24:20.372 PDT)
           event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 91 IPs (90 /24s) (# pkts S/M/O/I=0/91/0/0): 445:91, [] MAC_Src: 00:21:1C:EE:14:00
         0->0 (14:24:20.372 PDT)

tcpslice 1366665860.372 1366665860.373 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.98
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 04/22/2013 14:24:20.372 PDT
Gen. Time: 04/22/2013 14:28:20.399 PDT

   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION Info
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
   DECLARE BOT Local Threat Triggered
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN
         187.53.180.10 (2) (14:24:20.372 PDT)
           event=777:7777008 (2) {tcp} E8[bh] Detected intense malware port scanning of 91 IPs (90 /24s) (# pkts S/M/O/I=0/91/0/0): 445:91, [] MAC_Src: 00:21:1C:EE:14:00
         0->0 (14:24:20.372 PDT)
         0->0 (14:28:20.227 PDT)

tcpslice 1366665860.372 1366665860.373 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.98
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 04/22/2013 14:31:00.430 PDT
Gen. Time: 04/22/2013 14:31:00.430 PDT

   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION Info
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
   DECLARE BOT Local Threat Triggered
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN
         187.53.180.10 (14:31:00.430 PDT)
           event=777:7777008 {icmp} E8[bh] Detected intense malware port scanning of 94 IPs (93 /24s) (# pkts S/M/O/I=0/94/0/0): 445:94, [] MAC_Src: 00:21:1C:EE:14:00
         (14:31:00.430 PDT)

tcpslice 1366666260.430 1366666260.431 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.98
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 04/22/2013 14:31:00.430 PDT
Gen. Time: 04/22/2013 14:35:00.430 PDT

   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION Info
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
   DECLARE BOT Local Threat Triggered
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN
         187.53.180.10 (2) (14:31:00.430 PDT)
           event=777:7777008 (2) {icmp} E8[bh] Detected intense malware port scanning of 94 IPs (93 /24s) (# pkts S/M/O/I=0/94/0/0): 445:94, [] MAC_Src: 00:21:1C:EE:14:00
         (14:31:00.430 PDT)
         (14:34:33.268 PDT)

tcpslice 1366666260.430 1366666260.431 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.98
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 04/22/2013 14:36:09.441 PDT
Gen. Time: 04/22/2013 14:36:09.441 PDT

   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION Info
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
   DECLARE BOT Local Threat Triggered
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN
         187.53.180.10 (14:36:09.441 PDT)
           event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 100 IPs (99 /24s) (# pkts S/M/O/I=0/100/0/0): 445:100, [] MAC_Src: 00:21:1C:EE:14:00
         0->0 (14:36:09.441 PDT)

tcpslice 1366666569.441 1366666569.442 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.98
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 04/22/2013 14:36:09.441 PDT
Gen. Time: 04/22/2013 14:40:09.616 PDT

   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION Info
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
   DECLARE BOT Local Threat Triggered
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN
         187.53.180.10 (2) (14:36:09.441 PDT)
           event=777:7777008 (2) {tcp} E8[bh] Detected intense malware port scanning of 100 IPs (99 /24s) (# pkts S/M/O/I=0/100/0/0): 445:100, [] MAC_Src: 00:21:1C:EE:14:00
         0->0 (14:36:09.441 PDT)
         0->0 (14:38:14.394 PDT)

tcpslice 1366666569.441 1366666569.442 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.98
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 04/22/2013 14:40:28.424 PDT
Gen. Time: 04/22/2013 14:40:28.424 PDT

   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION Info
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
   DECLARE BOT Local Threat Triggered
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN
         200.6.84.12 (14:40:28.424 PDT)
           event=777:7777008 {icmp} E8[bh] Detected intense malware port scanning of 108 IPs (107 /24s) (# pkts S/M/O/I=0/108/0/0): 445:108, [] MAC_Src: 00:21:1C:EE:14:00
         (14:40:28.424 PDT)

tcpslice 1366666828.424 1366666828.425 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.98
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 04/22/2013 14:40:28.424 PDT
Gen. Time: 04/22/2013 14:44:28.549 PDT

   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION Info
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
   DECLARE BOT Local Threat Triggered
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN
         200.6.84.12 (3) (14:40:28.424 PDT)
           event=777:7777008 (3) {icmp} E8[bh] Detected intense malware port scanning of 108 IPs (107 /24s) (# pkts S/M/O/I=0/108/0/0): 445:108, [] MAC_Src: 00:21:1C:EE:14:00
         (14:40:28.424 PDT)
         0->0 (14:42:20.425 PDT)
         0->0 (14:44:28.549 PDT)

tcpslice 1366666828.424 1366666828.425 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.98
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 04/22/2013 14:46:55.291 PDT
Gen. Time: 04/22/2013 14:46:55.291 PDT

   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION Info
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
   DECLARE BOT Local Threat Triggered
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN
         200.6.84.12 (14:46:55.291 PDT)
           event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 114 IPs (113 /24s) (# pkts S/M/O/I=0/114/0/0): 445:114, [] MAC_Src: 00:21:1C:EE:14:00
         0->0 (14:46:55.291 PDT)

tcpslice 1366667215.291 1366667215.292 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.98
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 04/22/2013 14:46:55.291 PDT
Gen. Time: 04/22/2013 14:50:55.365 PDT

   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION Info
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
   DECLARE BOT Local Threat Triggered
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN
         200.6.84.12 (2) (14:46:55.291 PDT)
           event=777:7777008 (2) {tcp} E8[bh] Detected intense malware port scanning of 114 IPs (113 /24s) (# pkts S/M/O/I=0/114/0/0): 445:114, [] MAC_Src: 00:21:1C:EE:14:00
         0->0 (14:46:55.291 PDT)
         0->0 (14:49:36.510 PDT)

tcpslice 1366667215.291 1366667215.292 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.98
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 04/22/2013 14:51:49.322 PDT
Gen. Time: 04/22/2013 14:51:49.322 PDT

   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION Info
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
   DECLARE BOT Local Threat Triggered
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN
         200.6.84.12 (14:51:49.322 PDT)
           event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 117 IPs (116 /24s) (# pkts S/M/O/I=0/117/0/0): 445:117, [] MAC_Src: 00:21:1C:EE:14:00
         0->0 (14:51:49.322 PDT)

tcpslice 1366667509.322 1366667509.323 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.98
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 04/22/2013 14:51:49.322 PDT
Gen. Time: 04/22/2013 14:55:49.857 PDT

   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION Info
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
   DECLARE BOT Local Threat Triggered
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN
         200.6.84.12 (2) (14:51:49.322 PDT)
           event=777:7777008 (2) {tcp} E8[bh] Detected intense malware port scanning of 117 IPs (116 /24s) (# pkts S/M/O/I=0/117/0/0): 445:117, [] MAC_Src: 00:21:1C:EE:14:00
         0->0 (14:51:49.322 PDT)
         0->0 (14:55:03.477 PDT)

tcpslice 1366667509.322 1366667509.323 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.98
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 04/22/2013 14:57:40.324 PDT
Gen. Time: 04/22/2013 14:57:40.324 PDT

   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION Info
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
   DECLARE BOT Local Threat Triggered
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN
         200.6.84.12 (14:57:40.324 PDT)
           event=777:7777008 {icmp} E8[bh] Detected intense malware port scanning of 120 IPs (119 /24s) (# pkts S/M/O/I=0/120/0/0): 445:120, [] MAC_Src: 00:21:1C:EE:14:00
         (14:57:40.324 PDT)

tcpslice 1366667860.324 1366667860.325 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.98
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 04/22/2013 14:57:40.324 PDT
Gen. Time: 04/22/2013 15:01:40.326 PDT

   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION Info
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
   DECLARE BOT Local Threat Triggered
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN
         200.6.84.12 (2) (14:57:40.324 PDT)
           event=777:7777008 (2) {icmp} E8[bh] Detected intense malware port scanning of 120 IPs (119 /24s) (# pkts S/M/O/I=0/120/0/0): 445:120, [] MAC_Src: 00:21:1C:EE:14:00
         (14:57:40.324 PDT)
         0->0 (15:00:52.369 PDT)

tcpslice 1366667860.324 1366667860.325 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.98
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 04/22/2013 15:02:37.524 PDT
Gen. Time: 04/22/2013 15:02:37.524 PDT

   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION Info
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
   DECLARE BOT Local Threat Triggered
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN
         200.6.84.12 (15:02:37.524 PDT)
           event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 123 IPs (122 /24s) (# pkts S/M/O/I=0/123/0/0): 445:123, [] MAC_Src: 00:21:1C:EE:14:00
         0->0 (15:02:37.524 PDT)

tcpslice 1366668157.524 1366668157.525 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.98
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 04/22/2013 15:07:19.317 PDT
Gen. Time: 04/22/2013 15:07:19.317 PDT

   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION Info
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
   DECLARE BOT Local Threat Triggered
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN
         200.6.84.12 (15:07:19.317 PDT)
           event=777:7777008 {icmp} E8[bh] Detected intense malware port scanning of 125 IPs (124 /24s) (# pkts S/M/O/I=0/125/0/0): 445:125, [] MAC_Src: 00:21:1C:EE:14:00
         (15:07:19.317 PDT)

tcpslice 1366668439.317 1366668439.318 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.98
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 04/22/2013 15:07:19.317 PDT
Gen. Time: 04/22/2013 15:11:19.325 PDT

   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION Info
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
   DECLARE BOT Local Threat Triggered
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN
         200.6.84.12 (2) (15:07:19.317 PDT)
           event=777:7777008 (2) {icmp} E8[bh] Detected intense malware port scanning of 125 IPs (124 /24s) (# pkts S/M/O/I=0/125/0/0): 445:125, [] MAC_Src: 00:21:1C:EE:14:00
         (15:07:19.317 PDT)
         0->0 (15:10:57.354 PDT)

tcpslice 1366668439.317 1366668439.318 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.98
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 04/22/2013 15:13:37.338 PDT
Gen. Time: 04/22/2013 15:13:37.338 PDT

   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION Info
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
   DECLARE BOT Local Threat Triggered
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN
         200.6.84.12 (15:13:37.338 PDT)
           event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 129 IPs (128 /24s) (# pkts S/M/O/I=0/129/0/0): 445:129, [] MAC_Src: 00:21:1C:EE:14:00
         0->0 (15:13:37.338 PDT)

tcpslice 1366668817.338 1366668817.339 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.98
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 04/22/2013 15:13:37.338 PDT
Gen. Time: 04/22/2013 15:17:38.629 PDT

   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION Info
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
   DECLARE BOT Local Threat Triggered
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN
         200.6.84.12 (2) (15:13:37.338 PDT)
           event=777:7777008 (2) {tcp} E8[bh] Detected intense malware port scanning of 129 IPs (128 /24s) (# pkts S/M/O/I=0/129/0/0): 445:129, [] MAC_Src: 00:21:1C:EE:14:00
         0->0 (15:13:37.338 PDT)
         (15:15:18.486 PDT)

tcpslice 1366668817.338 1366668817.339 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.98
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 04/22/2013 15:18:06.326 PDT
Gen.
Time: 04/22/2013 15:18:06.326 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 200.6.84.12 (15:18:06.326 PDT) event=777:7777008 {icmp} E8[bh] Detected intense malware port scanning of 132 IPs (131 /24s) (# pkts S/M/O/I=0/132/0/0): 445:132, [] MAC_Src: 00:21:1C:EE:14:00 (15:18:06.326 PDT) tcpslice 1366669086.326 1366669086.327 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/22/2013 15:18:06.326 PDT Gen. Time: 04/22/2013 15:22:06.358 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 200.6.84.12 (2) (15:18:06.326 PDT) event=777:7777008 (2) {icmp} E8[bh] Detected intense malware port scanning of 132 IPs (131 /24s) (# pkts S/M/O/I=0/132/0/0): 445:132, [] MAC_Src: 00:21:1C:EE:14:00 (15:18:06.326 PDT) 0->0 (15:21:19.363 PDT) tcpslice 1366669086.326 1366669086.327 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/22/2013 15:24:07.382 PDT Gen. 
Time: 04/22/2013 15:24:07.382 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 200.6.84.12 (15:24:07.382 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 136 IPs (135 /24s) (# pkts S/M/O/I=0/136/0/0): 445:136, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (15:24:07.382 PDT) tcpslice 1366669447.382 1366669447.383 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/22/2013 15:24:07.382 PDT Gen. Time: 04/22/2013 15:28:09.471 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 200.6.84.12 (2) (15:24:07.382 PDT) event=777:7777008 (2) {tcp} E8[bh] Detected intense malware port scanning of 136 IPs (135 /24s) (# pkts S/M/O/I=0/136/0/0): 445:136, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (15:24:07.382 PDT) (15:25:40.415 PDT) tcpslice 1366669447.382 1366669447.383 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/22/2013 15:29:19.369 PDT Gen. 
Time: 04/22/2013 15:29:19.369 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 200.6.84.12 (15:29:19.369 PDT) event=777:7777008 {icmp} E8[bh] Detected intense malware port scanning of 142 IPs (141 /24s) (# pkts S/M/O/I=0/142/0/0): 445:142, [] MAC_Src: 00:21:1C:EE:14:00 (15:29:19.369 PDT) tcpslice 1366669759.369 1366669759.370 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/22/2013 15:29:19.369 PDT Gen. Time: 04/22/2013 15:33:20.149 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 200.6.84.12 (2) (15:29:19.369 PDT) event=777:7777008 (2) {icmp} E8[bh] Detected intense malware port scanning of 142 IPs (141 /24s) (# pkts S/M/O/I=0/142/0/0): 445:142, [] MAC_Src: 00:21:1C:EE:14:00 (15:29:19.369 PDT) 0->0 (15:30:55.439 PDT) tcpslice 1366669759.369 1366669759.370 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/22/2013 15:33:30.537 PDT Gen. 
Time: 04/22/2013 15:33:30.537 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 200.6.84.12 (15:33:30.537 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 144 IPs (143 /24s) (# pkts S/M/O/I=0/144/0/0): 445:144, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (15:33:30.537 PDT) tcpslice 1366670010.537 1366670010.538 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/22/2013 15:33:30.537 PDT Gen. Time: 04/22/2013 15:37:30.756 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 200.6.84.12 (2) (15:33:30.537 PDT) event=777:7777008 (2) {tcp} E8[bh] Detected intense malware port scanning of 144 IPs (143 /24s) (# pkts S/M/O/I=0/144/0/0): 445:144, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (15:33:30.537 PDT) (15:36:43.515 PDT) tcpslice 1366670010.537 1366670010.538 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/22/2013 15:40:12.747 PDT Gen. 
Time: 04/22/2013 15:40:12.747 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 200.6.84.12 (15:40:12.747 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 147 IPs (146 /24s) (# pkts S/M/O/I=0/147/0/0): 445:147, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (15:40:12.747 PDT) tcpslice 1366670412.747 1366670412.748 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/22/2013 15:40:12.747 PDT Gen. Time: 04/22/2013 15:44:12.759 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 200.6.84.12 (2) (15:40:12.747 PDT) event=777:7777008 (2) {tcp} E8[bh] Detected intense malware port scanning of 147 IPs (146 /24s) (# pkts S/M/O/I=0/147/0/0): 445:147, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (15:40:12.747 PDT) 0->0 (15:41:44.305 PDT) tcpslice 1366670412.747 1366670412.748 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/22/2013 15:46:33.442 PDT Gen. 
Time: 04/22/2013 15:46:33.442 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 200.6.84.12 (15:46:33.442 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 152 IPs (151 /24s) (# pkts S/M/O/I=0/152/0/0): 445:152, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (15:46:33.442 PDT) tcpslice 1366670793.442 1366670793.443 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/22/2013 15:46:33.442 PDT Gen. Time: 04/22/2013 15:50:33.914 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 200.6.84.12 (2) (15:46:33.442 PDT) event=777:7777008 (2) {tcp} E8[bh] Detected intense malware port scanning of 152 IPs (151 /24s) (# pkts S/M/O/I=0/152/0/0): 445:152, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (15:46:33.442 PDT) (15:48:03.369 PDT) tcpslice 1366670793.442 1366670793.443 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/22/2013 15:54:03.356 PDT Gen. 
Time: 04/22/2013 15:54:03.356 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 200.6.84.12 (15:54:03.356 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 155 IPs (154 /24s) (# pkts S/M/O/I=0/155/0/0): 445:155, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (15:54:03.356 PDT) tcpslice 1366671243.356 1366671243.357 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/22/2013 15:54:03.356 PDT Gen. Time: 04/22/2013 15:58:03.465 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 200.6.84.12 (2) (15:54:03.356 PDT) event=777:7777008 (2) {tcp} E8[bh] Detected intense malware port scanning of 155 IPs (154 /24s) (# pkts S/M/O/I=0/155/0/0): 445:155, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (15:54:03.356 PDT) (15:57:45.337 PDT) tcpslice 1366671243.356 1366671243.357 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/22/2013 16:00:30.539 PDT Gen. 
Time: 04/22/2013 16:00:30.539 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 200.6.84.12 (16:00:30.539 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 160 IPs (159 /24s) (# pkts S/M/O/I=0/160/0/0): 445:160, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (16:00:30.539 PDT) tcpslice 1366671630.539 1366671630.540 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/22/2013 16:00:30.539 PDT Gen. Time: 04/22/2013 16:04:30.543 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 200.6.84.12 (2) (16:00:30.539 PDT) event=777:7777008 (2) {tcp} E8[bh] Detected intense malware port scanning of 160 IPs (159 /24s) (# pkts S/M/O/I=0/160/0/0): 445:160, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (16:00:30.539 PDT) 0->0 (16:02:40.557 PDT) tcpslice 1366671630.539 1366671630.540 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/22/2013 16:04:56.885 PDT Gen. 
Time: 04/22/2013 16:04:56.885 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 200.6.84.12 (16:04:56.885 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 164 IPs (163 /24s) (# pkts S/M/O/I=0/164/0/0): 445:164, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (16:04:56.885 PDT) tcpslice 1366671896.885 1366671896.886 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/22/2013 16:04:56.885 PDT Gen. Time: 04/22/2013 16:08:55.297 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 200.6.84.12 (2) (16:04:56.885 PDT) event=777:7777008 (2) {tcp} E8[bh] Detected intense malware port scanning of 164 IPs (163 /24s) (# pkts S/M/O/I=0/164/0/0): 445:164, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (16:04:56.885 PDT) 0->0 (16:06:33.336 PDT) tcpslice 1366671896.885 1366671896.886 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/22/2013 16:09:56.588 PDT Gen. 
Time: 04/22/2013 16:09:56.588 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 200.6.84.12 (16:09:56.588 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 166 IPs (165 /24s) (# pkts S/M/O/I=0/166/0/0): 445:166, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (16:09:56.588 PDT) tcpslice 1366672196.588 1366672196.589 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/22/2013 16:09:56.588 PDT Gen. Time: 04/22/2013 16:13:55.447 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 200.6.84.12 (2) (16:09:56.588 PDT) event=777:7777008 (2) {tcp} E8[bh] Detected intense malware port scanning of 166 IPs (165 /24s) (# pkts S/M/O/I=0/166/0/0): 445:166, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (16:09:56.588 PDT) (16:13:41.374 PDT) tcpslice 1366672196.588 1366672196.589 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/22/2013 16:15:11.435 PDT Gen. 
Time: 04/22/2013 16:15:11.435 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 200.6.84.12 (16:15:11.435 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 174 IPs (173 /24s) (# pkts S/M/O/I=0/174/0/0): 445:174, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (16:15:11.435 PDT) tcpslice 1366672511.435 1366672511.436 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/22/2013 16:15:11.435 PDT Gen. Time: 04/22/2013 16:19:13.341 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 200.6.84.12 (2) (16:15:11.435 PDT) event=777:7777008 (2) {tcp} E8[bh] Detected intense malware port scanning of 174 IPs (173 /24s) (# pkts S/M/O/I=0/174/0/0): 445:174, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (16:15:11.435 PDT) 0->0 (16:17:31.460 PDT) tcpslice 1366672511.435 1366672511.436 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/22/2013 16:19:39.303 PDT Gen. 
Time: 04/22/2013 16:19:39.303 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 200.6.84.12 (16:19:39.303 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 179 IPs (178 /24s) (# pkts S/M/O/I=0/179/0/0): 445:179, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (16:19:39.303 PDT) tcpslice 1366672779.303 1366672779.304 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/22/2013 16:19:39.303 PDT Gen. Time: 04/22/2013 16:23:39.889 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 200.6.84.12 (2) (16:19:39.303 PDT) event=777:7777008 (2) {tcp} E8[bh] Detected intense malware port scanning of 179 IPs (178 /24s) (# pkts S/M/O/I=0/179/0/0): 445:179, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (16:19:39.303 PDT) 0->0 (16:23:05.262 PDT) tcpslice 1366672779.303 1366672779.304 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/22/2013 16:25:47.433 PDT Gen. 
Time: 04/22/2013 16:25:47.433 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 200.6.84.12 (16:25:47.433 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 184 IPs (183 /24s) (# pkts S/M/O/I=0/184/0/0): 445:184, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (16:25:47.433 PDT) tcpslice 1366673147.433 1366673147.434 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/22/2013 16:29:52.588 PDT Gen. Time: 04/22/2013 16:29:52.588 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 200.6.84.12 (16:29:52.588 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 186 IPs (185 /24s) (# pkts S/M/O/I=0/186/0/0): 445:186, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (16:29:52.588 PDT) tcpslice 1366673392.588 1366673392.589 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/22/2013 16:29:52.588 PDT Gen. 
Time: 04/22/2013 16:33:52.741 PDT
   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION Info
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
   DECLARE BOT Local Threat Triggered
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN
     200.6.84.12 (2) (16:29:52.588 PDT)
       event=777:7777008 (2) {tcp} E8[bh] Detected intense malware port scanning of 186 IPs (185 /24s) (# pkts S/M/O/I=0/186/0/0): 445:186, [] MAC_Src: 00:21:1C:EE:14:00
       0->0 (16:29:52.588 PDT) (16:31:48.377 PDT)
tcpslice 1366673392.588 1366673392.589 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.98
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 04/22/2013 16:33:54.581 PDT
Gen. Time: 04/22/2013 16:33:54.581 PDT
   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION Info
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
   DECLARE BOT Local Threat Triggered
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN
     200.6.84.12 (16:33:54.581 PDT)
       event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 190 IPs (189 /24s) (# pkts S/M/O/I=0/190/0/0): 445:190, [] MAC_Src: 00:21:1C:EE:14:00
       0->0 (16:33:54.581 PDT)
tcpslice 1366673634.581 1366673634.582 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.98
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 04/22/2013 16:41:18.345 PDT
Gen. Time: 04/22/2013 16:41:18.345 PDT
   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION Info
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
   DECLARE BOT Local Threat Triggered
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN
     200.6.84.12 (16:41:18.345 PDT)
       event=777:7777008 {icmp} E8[bh] Detected intense malware port scanning of 192 IPs (191 /24s) (# pkts S/M/O/I=0/192/0/0): 445:192, [] MAC_Src: 00:21:1C:EE:14:00
       (16:41:18.345 PDT)
tcpslice 1366674078.345 1366674078.346 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98'
============================== SEPARATOR ================================
Score: 1.1 (>= 0.8)
Infected Target: 192.168.1.98
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 04/22/2013 17:17:11.359 PDT
Gen. Time: 04/22/2013 17:21:11.186 PDT
   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
     177.84.221.101 (17:17:11.359 PDT)
       event=777:7777005 {icmp} E5[bh] Detected moderate malware port scanning of 20 IPs (20 /24s) (# pkts S/M/O/I=0/19/1/0): 445:19, [] MAC_Src: 00:21:1C:EE:14:00
       (17:17:11.359 PDT)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION Info
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
   DECLARE BOT Local Threat Triggered
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN
     177.84.221.101 (17:21:11.186 PDT)
       event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 21 IPs (21 /24s) (# pkts S/M/O/I=0/20/1/0): 445:20, [] MAC_Src: 00:21:1C:EE:14:00
       0->0 (17:21:11.186 PDT)
tcpslice 1366676231.359 1366676231.360 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.98
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 04/22/2013 17:24:27.451 PDT
Gen. Time: 04/22/2013 17:24:27.451 PDT
   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION Info
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
   DECLARE BOT Local Threat Triggered
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN
     177.84.221.101 (17:24:27.451 PDT)
       event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 24 IPs (24 /24s) (# pkts S/M/O/I=0/23/1/0): 445:23, [] MAC_Src: 00:21:1C:EE:14:00
       0->0 (17:24:27.451 PDT)
tcpslice 1366676667.451 1366676667.452 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.98
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 04/22/2013 17:24:27.451 PDT
Gen. Time: 04/22/2013 17:28:27.613 PDT
   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION Info
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
   DECLARE BOT Local Threat Triggered
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN
     177.84.221.101 (2) (17:24:27.451 PDT)
       event=777:7777008 (2) {tcp} E8[bh] Detected intense malware port scanning of 24 IPs (24 /24s) (# pkts S/M/O/I=0/23/1/0): 445:23, [] MAC_Src: 00:21:1C:EE:14:00
       0->0 (17:24:27.451 PDT) (17:28:06.294 PDT)
tcpslice 1366676667.451 1366676667.452 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.98
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 04/22/2013 17:33:42.364 PDT
Gen. Time: 04/22/2013 17:33:42.364 PDT
   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION Info
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
   DECLARE BOT Local Threat Triggered
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN
     177.84.221.101 (17:33:42.364 PDT)
       event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 29 IPs (29 /24s) (# pkts S/M/O/I=0/28/1/0): 445:28, [] MAC_Src: 00:21:1C:EE:14:00
       0->0 (17:33:42.364 PDT)
tcpslice 1366677222.364 1366677222.365 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.98
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 04/22/2013 17:39:00.709 PDT
Gen. Time: 04/22/2013 17:39:00.709 PDT
   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION Info
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
   DECLARE BOT Local Threat Triggered
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN
     177.84.221.101 (17:39:00.709 PDT)
       event=777:7777008 {icmp} E8[bh] Detected intense malware port scanning of 32 IPs (32 /24s) (# pkts S/M/O/I=0/31/1/0): 445:31, [] MAC_Src: 00:21:1C:EE:14:00
       (17:39:00.709 PDT)
tcpslice 1366677540.709 1366677540.710 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.98
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 04/22/2013 17:39:00.709 PDT
Gen. Time: 04/22/2013 17:43:00.756 PDT
   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION Info
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
   DECLARE BOT Local Threat Triggered
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN
     177.84.221.101 (2) (17:39:00.709 PDT)
       event=777:7777008 (2) {icmp} E8[bh] Detected intense malware port scanning of 32 IPs (32 /24s) (# pkts S/M/O/I=0/31/1/0): 445:31, [] MAC_Src: 00:21:1C:EE:14:00
       (17:39:00.709 PDT) 0->0 (17:42:08.345 PDT)
tcpslice 1366677540.709 1366677540.710 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.98
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 04/22/2013 17:45:36.899 PDT
Gen. Time: 04/22/2013 17:45:36.899 PDT
   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION Info
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
   DECLARE BOT Local Threat Triggered
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN
     177.84.221.101 (17:45:36.899 PDT)
       event=777:7777008 {icmp} E8[bh] Detected intense malware port scanning of 38 IPs (38 /24s) (# pkts S/M/O/I=0/36/2/0): 445:36, [] MAC_Src: 00:21:1C:EE:14:00
       (17:45:36.899 PDT)
tcpslice 1366677936.899 1366677936.900 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.98
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 04/22/2013 17:51:09.712 PDT
Gen. Time: 04/22/2013 17:51:09.712 PDT
   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION Info
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
   DECLARE BOT Local Threat Triggered
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN
     177.84.221.101 (17:51:09.712 PDT)
       event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 39 IPs (39 /24s) (# pkts S/M/O/I=0/37/2/0): 445:37, [] MAC_Src: 00:21:1C:EE:14:00
       0->0 (17:51:09.712 PDT)
tcpslice 1366678269.712 1366678269.713 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.98
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 04/22/2013 17:51:09.712 PDT
Gen. Time: 04/22/2013 17:55:09.977 PDT
   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION Info
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
   DECLARE BOT Local Threat Triggered
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN
     177.84.221.101 (2) (17:51:09.712 PDT)
       event=777:7777008 (2) {tcp} E8[bh] Detected intense malware port scanning of 39 IPs (39 /24s) (# pkts S/M/O/I=0/37/2/0): 445:37, [] MAC_Src: 00:21:1C:EE:14:00
       0->0 (17:51:09.712 PDT) 0->0 (17:53:49.206 PDT)
tcpslice 1366678269.712 1366678269.713 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.98
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 04/22/2013 17:55:32.515 PDT
Gen. Time: 04/22/2013 17:55:32.515 PDT
   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION Info
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
   DECLARE BOT Local Threat Triggered
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN
     177.84.221.101 (17:55:32.515 PDT)
       event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 42 IPs (42 /24s) (# pkts S/M/O/I=0/40/2/0): 445:40, [] MAC_Src: 00:21:1C:EE:14:00
       0->0 (17:55:32.515 PDT)
tcpslice 1366678532.515 1366678532.516 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.98
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 04/22/2013 17:55:32.515 PDT
Gen. Time: 04/22/2013 17:59:32.576 PDT
   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION Info
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
   DECLARE BOT Local Threat Triggered
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN
     177.36.176.91 (17:59:02.447 PDT)
       event=777:7777008 {icmp} E8[bh] Detected intense malware port scanning of 46 IPs (46 /24s) (# pkts S/M/O/I=0/44/2/0): 445:44, [] MAC_Src: 00:21:1C:EE:14:00
       (17:59:02.447 PDT)
     177.84.221.101 (2) (17:55:32.515 PDT)
       event=777:7777008 (2) {tcp} E8[bh] Detected intense malware port scanning of 42 IPs (42 /24s) (# pkts S/M/O/I=0/40/2/0): 445:40, [] MAC_Src: 00:21:1C:EE:14:00
       0->0 (17:55:32.515 PDT) 0->0 (17:57:30.317 PDT)
tcpslice 1366678532.515 1366678532.516 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.98
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 04/22/2013 18:01:26.510 PDT
Gen. Time: 04/22/2013 18:01:26.510 PDT
   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION Info
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
   DECLARE BOT Local Threat Triggered
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN
     177.36.176.91 (18:01:26.510 PDT)
       event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 48 IPs (48 /24s) (# pkts S/M/O/I=0/46/2/0): 445:46, [] MAC_Src: 00:21:1C:EE:14:00
       0->0 (18:01:26.510 PDT)
tcpslice 1366678886.510 1366678886.511 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.98
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 04/22/2013 18:01:26.510 PDT
Gen. Time: 04/22/2013 18:05:26.526 PDT
   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION Info
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
   DECLARE BOT Local Threat Triggered
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN
     177.36.176.91 (2) (18:01:26.510 PDT)
       event=777:7777008 (2) {tcp} E8[bh] Detected intense malware port scanning of 48 IPs (48 /24s) (# pkts S/M/O/I=0/46/2/0): 445:46, [] MAC_Src: 00:21:1C:EE:14:00
       0->0 (18:01:26.510 PDT) (18:03:02.251 PDT)
tcpslice 1366678886.510 1366678886.511 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98'
============================== SEPARATOR ================================
Score: 1.1 (>= 0.8)
Infected Target: 192.168.1.98
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 04/22/2013 18:31:11.225 PDT
Gen. Time: 04/22/2013 18:31:22.402 PDT
   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
     189.76.156.45 (18:31:11.225 PDT)
       event=777:7777005 {tcp} E5[bh] Detected moderate malware port scanning of 20 IPs (20 /24s) (# pkts S/M/O/I=0/19/1/0): 445:19, [] MAC_Src: 00:21:1C:EE:14:00
       0->0 (18:31:11.225 PDT)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION Info
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
   DECLARE BOT Local Threat Triggered
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN
     189.76.156.45 (18:31:22.402 PDT)
       event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 21 IPs (21 /24s) (# pkts S/M/O/I=0/20/1/0): 445:20, [] MAC_Src: 00:21:1C:EE:14:00
       0->0 (18:31:22.402 PDT)
tcpslice 1366680671.225 1366680671.226 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98'
============================== SEPARATOR ================================
Score: 1.1 (>= 0.8)
Infected Target: 192.168.1.98
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 04/22/2013 18:31:11.225 PDT
Gen. Time: 04/22/2013 18:35:11.408 PDT
   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
     189.76.156.45 (18:31:11.225 PDT)
       event=777:7777005 {tcp} E5[bh] Detected moderate malware port scanning of 20 IPs (20 /24s) (# pkts S/M/O/I=0/19/1/0): 445:19, [] MAC_Src: 00:21:1C:EE:14:00
       0->0 (18:31:11.225 PDT)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION Info
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
   DECLARE BOT Local Threat Triggered
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN
     189.76.156.45 (3) (18:31:22.402 PDT)
       event=777:7777008 (3) {tcp} E8[bh] Detected intense malware port scanning of 21 IPs (21 /24s) (# pkts S/M/O/I=0/20/1/0): 445:20, [] MAC_Src: 00:21:1C:EE:14:00
       0->0 (18:31:22.402 PDT) 0->0 (18:33:19.456 PDT) (18:35:00.323 PDT)
tcpslice 1366680671.225 1366680671.226 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.98
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 04/22/2013 18:36:56.479 PDT
Gen. Time: 04/22/2013 18:36:56.479 PDT
   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION Info
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
   DECLARE BOT Local Threat Triggered
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN
     189.76.156.45 (18:36:56.479 PDT)
       event=777:7777008 {icmp} E8[bh] Detected intense malware port scanning of 27 IPs (27 /24s) (# pkts S/M/O/I=0/26/1/0): 445:26, [] MAC_Src: 00:21:1C:EE:14:00
       (18:36:56.479 PDT)
tcpslice 1366681016.479 1366681016.480 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.98
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 04/22/2013 18:36:56.479 PDT
Gen. Time: 04/22/2013 18:40:56.635 PDT
   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION Info
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
   DECLARE BOT Local Threat Triggered
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN
     189.76.156.45 (2) (18:36:56.479 PDT)
       event=777:7777008 (2) {icmp} E8[bh] Detected intense malware port scanning of 27 IPs (27 /24s) (# pkts S/M/O/I=0/26/1/0): 445:26, [] MAC_Src: 00:21:1C:EE:14:00
       (18:36:56.479 PDT) (18:39:25.545 PDT)
tcpslice 1366681016.479 1366681016.480 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.98
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 04/22/2013 18:41:29.222 PDT
Gen. Time: 04/22/2013 18:41:29.222 PDT
   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION Info
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
   DECLARE BOT Local Threat Triggered
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN
     189.76.156.45 (18:41:29.222 PDT)
       event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 31 IPs (30 /24s) (# pkts S/M/O/I=0/30/1/0): 445:30, [] MAC_Src: 00:21:1C:EE:14:00
       0->0 (18:41:29.222 PDT)
tcpslice 1366681289.222 1366681289.223 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.98
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 04/22/2013 18:41:29.222 PDT
Gen. Time: 04/22/2013 18:45:29.417 PDT
   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION Info
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
   DECLARE BOT Local Threat Triggered
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN
     189.76.156.45 (2) (18:41:29.222 PDT)
       event=777:7777008 (2) {tcp} E8[bh] Detected intense malware port scanning of 31 IPs (30 /24s) (# pkts S/M/O/I=0/30/1/0): 445:30, [] MAC_Src: 00:21:1C:EE:14:00
       0->0 (18:41:29.222 PDT) (18:43:31.378 PDT)
tcpslice 1366681289.222 1366681289.223 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.98
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 04/22/2013 18:45:53.338 PDT
Gen. Time: 04/22/2013 18:45:53.338 PDT
   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION Info
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
   DECLARE BOT Local Threat Triggered
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN
     189.76.156.45 (18:45:53.338 PDT)
       event=777:7777008 {icmp} E8[bh] Detected intense malware port scanning of 36 IPs (34 /24s) (# pkts S/M/O/I=0/35/1/0): 445:35, [] MAC_Src: 00:21:1C:EE:14:00
       (18:45:53.338 PDT)
tcpslice 1366681553.338 1366681553.339 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.98
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 04/22/2013 18:45:53.338 PDT
Gen. Time: 04/22/2013 18:49:53.411 PDT
   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION Info
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
   DECLARE BOT Local Threat Triggered
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN
     189.76.156.45 (2) (18:45:53.338 PDT)
       event=777:7777008 (2) {icmp} E8[bh] Detected intense malware port scanning of 36 IPs (34 /24s) (# pkts S/M/O/I=0/35/1/0): 445:35, [] MAC_Src: 00:21:1C:EE:14:00
       (18:45:53.338 PDT) 0->0 (18:47:23.475 PDT)
tcpslice 1366681553.338 1366681553.339 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.98
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 04/22/2013 18:51:58.331 PDT
Gen. Time: 04/22/2013 18:51:58.331 PDT
   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION Info
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
   DECLARE BOT Local Threat Triggered
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN
     189.76.156.45 (18:51:58.331 PDT)
       event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 39 IPs (37 /24s) (# pkts S/M/O/I=0/38/1/0): 445:38, [] MAC_Src: 00:21:1C:EE:14:00
       0->0 (18:51:58.331 PDT)
tcpslice 1366681918.331 1366681918.332 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.98
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 04/22/2013 18:51:58.331 PDT
Gen. Time: 04/22/2013 18:55:58.831 PDT
   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION Info
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
   DECLARE BOT Local Threat Triggered
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN
     189.76.156.45 (2) (18:51:58.331 PDT)
       event=777:7777008 (2) {tcp} E8[bh] Detected intense malware port scanning of 39 IPs (37 /24s) (# pkts S/M/O/I=0/38/1/0): 445:38, [] MAC_Src: 00:21:1C:EE:14:00
       0->0 (18:51:58.331 PDT) (18:54:41.453 PDT)
tcpslice 1366681918.331 1366681918.332 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.98
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 04/22/2013 18:57:02.340 PDT
Gen. Time: 04/22/2013 18:57:02.340 PDT
   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION Info
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
   DECLARE BOT Local Threat Triggered
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN
     189.76.156.45 (18:57:02.340 PDT)
       event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 44 IPs (42 /24s) (# pkts S/M/O/I=0/43/1/0): 445:43, [] MAC_Src: 00:21:1C:EE:14:00
       0->0 (18:57:02.340 PDT)
tcpslice 1366682222.340 1366682222.341 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.98
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 04/22/2013 18:57:02.340 PDT
Gen. Time: 04/22/2013 19:01:02.367 PDT
   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION Info
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
   DECLARE BOT Local Threat Triggered
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN
     189.11.134.126 (18:59:59.169 PDT)
       event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 47 IPs (45 /24s) (# pkts S/M/O/I=0/46/1/0): 445:46, [] MAC_Src: 00:21:1C:EE:14:00
       0->0 (18:59:59.169 PDT)
     189.76.156.45 (18:57:02.340 PDT)
       event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 44 IPs (42 /24s) (# pkts S/M/O/I=0/43/1/0): 445:43, [] MAC_Src: 00:21:1C:EE:14:00
       0->0 (18:57:02.340 PDT)
tcpslice 1366682222.340 1366682222.341 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.98
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 04/22/2013 19:07:04.322 PDT
Gen. Time: 04/22/2013 19:07:04.322 PDT
   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION Info
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
   DECLARE BOT Local Threat Triggered
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN
     189.11.134.126 (19:07:04.322 PDT)
       event=777:7777008 {icmp} E8[bh] Detected intense malware port scanning of 49 IPs (47 /24s) (# pkts S/M/O/I=0/48/1/0): 445:48, [] MAC_Src: 00:21:1C:EE:14:00
       (19:07:04.322 PDT)
tcpslice 1366682824.322 1366682824.323 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.98
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 04/22/2013 19:07:04.322 PDT
Gen. Time: 04/22/2013 19:11:05.479 PDT
   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION Info
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
   DECLARE BOT Local Threat Triggered
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN
     189.11.134.126 (2) (19:07:04.322 PDT)
       event=777:7777008 (2) {icmp} E8[bh] Detected intense malware port scanning of 49 IPs (47 /24s) (# pkts S/M/O/I=0/48/1/0): 445:48, [] MAC_Src: 00:21:1C:EE:14:00
       (19:07:04.322 PDT) 0->0 (19:10:11.301 PDT)
tcpslice 1366682824.322 1366682824.323 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.98
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 04/22/2013 19:16:33.397 PDT
Gen. Time: 04/22/2013 19:16:33.397 PDT
   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION Info
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
   DECLARE BOT Local Threat Triggered
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN
     189.11.134.126 (19:16:33.397 PDT)
       event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 53 IPs (51 /24s) (# pkts S/M/O/I=0/52/1/0): 445:52, [] MAC_Src: 00:21:1C:EE:14:00
       0->0 (19:16:33.397 PDT)
tcpslice 1366683393.397 1366683393.398 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.98
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 04/22/2013 19:16:33.397 PDT
Gen. Time: 04/22/2013 19:20:33.451 PDT
   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION Info
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
   DECLARE BOT Local Threat Triggered
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN
     189.11.134.126 (2) (19:16:33.397 PDT)
       event=777:7777008 (2) {tcp} E8[bh] Detected intense malware port scanning of 53 IPs (51 /24s) (# pkts S/M/O/I=0/52/1/0): 445:52, [] MAC_Src: 00:21:1C:EE:14:00
       0->0 (19:16:33.397 PDT) 0->0 (19:19:56.476 PDT)
tcpslice 1366683393.397 1366683393.398 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.98
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 04/22/2013 19:21:54.230 PDT
Gen. Time: 04/22/2013 19:21:54.230 PDT
   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION Info
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
   DECLARE BOT Local Threat Triggered
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN
     189.11.134.126 (19:21:54.230 PDT)
       event=777:7777008 {icmp} E8[bh] Detected intense malware port scanning of 56 IPs (54 /24s) (# pkts S/M/O/I=0/55/1/0): 445:55, [] MAC_Src: 00:21:1C:EE:14:00
       (19:21:54.230 PDT)
tcpslice 1366683714.230 1366683714.231 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.98
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 04/22/2013 19:21:54.230 PDT
Gen. Time: 04/22/2013 19:25:53.651 PDT
   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION Info
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
   DECLARE BOT Local Threat Triggered
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN
     189.11.134.126 (2) (19:21:54.230 PDT)
       event=777:7777008 (2) {icmp} E8[bh] Detected intense malware port scanning of 56 IPs (54 /24s) (# pkts S/M/O/I=0/55/1/0): 445:55, [] MAC_Src: 00:21:1C:EE:14:00
       (19:21:54.230 PDT) (19:25:45.378 PDT)
tcpslice 1366683714.230 1366683714.231 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.98
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 04/22/2013 19:28:16.548 PDT
Gen. Time: 04/22/2013 19:28:16.548 PDT
   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION Info
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
   DECLARE BOT Local Threat Triggered
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN
     189.11.134.126 (19:28:16.548 PDT)
       event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 60 IPs (58 /24s) (# pkts S/M/O/I=0/59/1/0): 445:59, [] MAC_Src: 00:21:1C:EE:14:00
       0->0 (19:28:16.548 PDT)
tcpslice 1366684096.548 1366684096.549 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.98
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 04/22/2013 19:28:16.548 PDT
Gen. Time: 04/22/2013 19:32:16.568 PDT
   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION Info
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
   DECLARE BOT Local Threat Triggered
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN
     189.11.134.126 (2) (19:28:16.548 PDT)
       event=777:7777008 (2) {tcp} E8[bh] Detected intense malware port scanning of 60 IPs (58 /24s) (# pkts S/M/O/I=0/59/1/0): 445:59, [] MAC_Src: 00:21:1C:EE:14:00
       0->0 (19:28:16.548 PDT) 0->0 (19:30:06.447 PDT)
tcpslice 1366684096.548 1366684096.549 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.98
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 04/22/2013 19:33:10.571 PDT
Gen. Time: 04/22/2013 19:33:10.571 PDT
   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION Info
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
   DECLARE BOT Local Threat Triggered
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN
     189.11.134.126 (19:33:10.571 PDT)
       event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 64 IPs (62 /24s) (# pkts S/M/O/I=0/63/1/0): 445:63, [] MAC_Src: 00:21:1C:EE:14:00
       0->0 (19:33:10.571 PDT)
tcpslice 1366684390.571 1366684390.572 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.98
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 04/22/2013 19:37:30.947 PDT
Gen. Time: 04/22/2013 19:37:30.947 PDT
   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION Info
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
   DECLARE BOT Local Threat Triggered
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN
     189.11.134.126 (19:37:30.947 PDT)
       event=777:7777008 {icmp} E8[bh] Detected intense malware port scanning of 66 IPs (64 /24s) (# pkts S/M/O/I=0/65/1/0): 445:65, [] MAC_Src: 00:21:1C:EE:14:00
       (19:37:30.947 PDT)
tcpslice 1366684650.947 1366684650.948 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.98
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 04/22/2013 19:37:30.947 PDT
Gen. Time: 04/22/2013 19:41:31.353 PDT
   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION Info
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
   DECLARE BOT Local Threat Triggered
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN
     189.11.134.126 (2) (19:37:30.947 PDT)
       event=777:7777008 (2) {icmp} E8[bh] Detected intense malware port scanning of 66 IPs (64 /24s) (# pkts S/M/O/I=0/65/1/0): 445:65, [] MAC_Src: 00:21:1C:EE:14:00
       (19:37:30.947 PDT) 0->0 (19:39:05.331 PDT)
     187.76.76.73 (19:40:45.379 PDT)
       event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 73 IPs (71 /24s) (# pkts S/M/O/I=0/72/1/0): 445:72, [] MAC_Src: 00:21:1C:EE:14:00
       0->0 (19:40:45.379 PDT)
tcpslice 1366684650.947 1366684650.948 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.98
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 04/22/2013 19:45:09.245 PDT
Gen. Time: 04/22/2013 19:45:09.245 PDT
   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION Info
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
   DECLARE BOT Local Threat Triggered
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN
     187.76.76.73 (19:45:09.245 PDT)
       event=777:7777008 {icmp} E8[bh] Detected intense malware port scanning of 74 IPs (72 /24s) (# pkts S/M/O/I=0/73/1/0): 445:73, [] MAC_Src: 00:21:1C:EE:14:00
       (19:45:09.245 PDT)
tcpslice 1366685109.245 1366685109.246 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.98
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 04/22/2013 19:45:09.245 PDT
Gen.
Time: 04/22/2013 19:49:09.998 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 187.76.76.73 (3) (19:45:09.245 PDT) event=777:7777008 (3) {icmp} E8[bh] Detected intense malware port scanning of 74 IPs (72 /24s) (# pkts S/M/O/I=0/73/1/0): 445:73, [] MAC_Src: 00:21:1C:EE:14:00 (19:45:09.245 PDT) 0->0 (19:46:50.244 PDT) (19:48:35.352 PDT) tcpslice 1366685109.245 1366685109.246 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/22/2013 19:51:48.476 PDT Gen. Time: 04/22/2013 19:51:48.476 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 187.76.76.73 (19:51:48.476 PDT) event=777:7777008 {icmp} E8[bh] Detected intense malware port scanning of 80 IPs (78 /24s) (# pkts S/M/O/I=0/79/1/0): 445:79, [] MAC_Src: 00:21:1C:EE:14:00 (19:51:48.476 PDT) tcpslice 1366685508.476 1366685508.477 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/22/2013 19:51:48.476 PDT Gen. 
Time: 04/22/2013 19:55:49.515 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 187.76.76.73 (2) (19:51:48.476 PDT) event=777:7777008 (2) {icmp} E8[bh] Detected intense malware port scanning of 80 IPs (78 /24s) (# pkts S/M/O/I=0/79/1/0): 445:79, [] MAC_Src: 00:21:1C:EE:14:00 (19:51:48.476 PDT) 0->0 (19:53:28.182 PDT) tcpslice 1366685508.476 1366685508.477 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/22/2013 19:56:11.252 PDT Gen. Time: 04/22/2013 19:56:11.252 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 187.76.76.73 (19:56:11.252 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 87 IPs (84 /24s) (# pkts S/M/O/I=0/86/1/0): 445:86, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (19:56:11.252 PDT) tcpslice 1366685771.252 1366685771.253 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/22/2013 19:56:11.252 PDT Gen. 
Time: 04/22/2013 20:00:11.347 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 177.6.67.10 (2) (19:57:59.419 PDT) event=777:7777008 (2) {tcp} E8[bh] Detected intense malware port scanning of 90 IPs (87 /24s) (# pkts S/M/O/I=0/89/1/0): 445:89, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (19:57:59.419 PDT) 0->0 (20:00:07.373 PDT) 187.76.76.73 (19:56:11.252 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 87 IPs (84 /24s) (# pkts S/M/O/I=0/86/1/0): 445:86, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (19:56:11.252 PDT) tcpslice 1366685771.252 1366685771.253 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/22/2013 20:04:10.449 PDT Gen. 
Time: 04/22/2013 20:04:10.449 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 177.6.67.10 (20:04:10.449 PDT) event=777:7777008 {icmp} E8[bh] Detected intense malware port scanning of 97 IPs (94 /24s) (# pkts S/M/O/I=0/96/1/0): 445:96, [] MAC_Src: 00:21:1C:EE:14:00 (20:04:10.449 PDT) tcpslice 1366686250.449 1366686250.450 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/22/2013 20:04:10.449 PDT Gen. Time: 04/22/2013 20:08:11.741 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 177.6.67.10 (2) (20:04:10.449 PDT) event=777:7777008 (2) {icmp} E8[bh] Detected intense malware port scanning of 97 IPs (94 /24s) (# pkts S/M/O/I=0/96/1/0): 445:96, [] MAC_Src: 00:21:1C:EE:14:00 (20:04:10.449 PDT) (20:05:41.447 PDT) tcpslice 1366686250.449 1366686250.450 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/22/2013 20:10:39.309 PDT Gen. 
Time: 04/22/2013 20:10:39.309 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 177.6.67.10 (20:10:39.309 PDT) event=777:7777008 {icmp} E8[bh] Detected intense malware port scanning of 102 IPs (99 /24s) (# pkts S/M/O/I=0/100/1/1): 445:100, [] MAC_Src: 00:21:1C:EE:14:00 (20:10:39.309 PDT) tcpslice 1366686639.309 1366686639.310 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/22/2013 20:10:39.309 PDT Gen. Time: 04/22/2013 20:14:39.322 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 177.6.67.10 (2) (20:10:39.309 PDT) event=777:7777008 (2) {icmp} E8[bh] Detected intense malware port scanning of 102 IPs (99 /24s) (# pkts S/M/O/I=0/100/1/1): 445:100, [] MAC_Src: 00:21:1C:EE:14:00 (20:10:39.309 PDT) 0->0 (20:13:19.779 PDT) tcpslice 1366686639.309 1366686639.310 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/22/2013 20:14:49.286 PDT Gen. 
Time: 04/22/2013 20:14:49.286 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 177.6.67.10 (20:14:49.286 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 107 IPs (104 /24s) (# pkts S/M/O/I=0/105/1/1): 445:105, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (20:14:49.286 PDT) tcpslice 1366686889.286 1366686889.287 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/22/2013 20:14:49.286 PDT Gen. Time: 04/22/2013 20:18:49.296 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 177.6.67.10 (3) (20:14:49.286 PDT) event=777:7777008 (3) {tcp} E8[bh] Detected intense malware port scanning of 107 IPs (104 /24s) (# pkts S/M/O/I=0/105/1/1): 445:105, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (20:14:49.286 PDT) (20:16:29.471 PDT) 0->0 (20:18:41.487 PDT) tcpslice 1366686889.286 1366686889.287 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/22/2013 20:20:33.367 PDT Gen. 
Time: 04/22/2013 20:20:33.367 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 177.6.67.10 (20:20:33.367 PDT) event=777:7777008 {icmp} E8[bh] Detected intense malware port scanning of 112 IPs (109 /24s) (# pkts S/M/O/I=0/110/1/1): 445:110, [] MAC_Src: 00:21:1C:EE:14:00 (20:20:33.367 PDT) tcpslice 1366687233.367 1366687233.368 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/22/2013 20:20:33.367 PDT Gen. Time: 04/22/2013 20:24:34.075 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 177.6.67.10 (2) (20:20:33.367 PDT) event=777:7777008 (2) {icmp} E8[bh] Detected intense malware port scanning of 112 IPs (109 /24s) (# pkts S/M/O/I=0/110/1/1): 445:110, [] MAC_Src: 00:21:1C:EE:14:00 (20:20:33.367 PDT) (20:23:34.340 PDT) tcpslice 1366687233.367 1366687233.368 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/22/2013 20:25:54.209 PDT Gen. 
Time: 04/22/2013 20:25:54.209 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 177.6.67.10 (20:25:54.209 PDT) event=777:7777008 {icmp} E8[bh] Detected intense malware port scanning of 118 IPs (115 /24s) (# pkts S/M/O/I=0/116/1/1): 445:116, [] MAC_Src: 00:21:1C:EE:14:00 (20:25:54.209 PDT) tcpslice 1366687554.209 1366687554.210 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/22/2013 20:25:54.209 PDT Gen. Time: 04/22/2013 20:29:55.623 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 177.6.67.10 (2) (20:25:54.209 PDT) event=777:7777008 (2) {icmp} E8[bh] Detected intense malware port scanning of 118 IPs (115 /24s) (# pkts S/M/O/I=0/116/1/1): 445:116, [] MAC_Src: 00:21:1C:EE:14:00 (20:25:54.209 PDT) (20:28:52.324 PDT) tcpslice 1366687554.209 1366687554.210 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/22/2013 20:32:32.982 PDT Gen. 
Time: 04/22/2013 20:32:32.982 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 177.6.67.10 (20:32:32.982 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 123 IPs (120 /24s) (# pkts S/M/O/I=0/120/2/1): 445:120, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (20:32:32.982 PDT) tcpslice 1366687952.982 1366687952.983 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/22/2013 20:32:32.982 PDT Gen. Time: 04/22/2013 20:36:34.094 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 177.6.67.10 (2) (20:32:32.982 PDT) event=777:7777008 (2) {tcp} E8[bh] Detected intense malware port scanning of 123 IPs (120 /24s) (# pkts S/M/O/I=0/120/2/1): 445:120, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (20:32:32.982 PDT) 0->0 (20:36:23.295 PDT) tcpslice 1366687952.982 1366687952.983 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/22/2013 20:41:14.268 PDT Gen. 
Time: 04/22/2013 20:41:14.268 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 177.6.67.10 (20:41:14.268 PDT) event=777:7777008 {icmp} E8[bh] Detected intense malware port scanning of 125 IPs (122 /24s) (# pkts S/M/O/I=0/122/2/1): 445:122, [] MAC_Src: 00:21:1C:EE:14:00 (20:41:14.268 PDT) tcpslice 1366688474.268 1366688474.269 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/22/2013 20:41:14.268 PDT Gen. Time: 04/22/2013 20:45:14.316 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 177.6.67.10 (2) (20:41:14.268 PDT) event=777:7777008 (2) {icmp} E8[bh] Detected intense malware port scanning of 125 IPs (122 /24s) (# pkts S/M/O/I=0/122/2/1): 445:122, [] MAC_Src: 00:21:1C:EE:14:00 (20:41:14.268 PDT) (20:43:24.060 PDT) tcpslice 1366688474.268 1366688474.269 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/22/2013 20:46:09.137 PDT Gen. 
Time: 04/22/2013 20:46:09.137 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 177.6.67.10 (20:46:09.137 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 128 IPs (125 /24s) (# pkts S/M/O/I=0/125/2/1): 445:125, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (20:46:09.137 PDT) tcpslice 1366688769.137 1366688769.138 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/22/2013 20:46:09.137 PDT Gen. Time: 04/22/2013 20:50:09.203 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 177.6.67.10 (2) (20:46:09.137 PDT) event=777:7777008 (2) {tcp} E8[bh] Detected intense malware port scanning of 128 IPs (125 /24s) (# pkts S/M/O/I=0/125/2/1): 445:125, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (20:46:09.137 PDT) 0->0 (20:49:56.454 PDT) tcpslice 1366688769.137 1366688769.138 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/22/2013 20:52:05.424 PDT Gen. 
Time: 04/22/2013 20:52:05.424 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 177.6.67.10 (20:52:05.424 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 134 IPs (131 /24s) (# pkts S/M/O/I=0/131/2/1): 445:131, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (20:52:05.424 PDT) tcpslice 1366689125.424 1366689125.425 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/22/2013 20:52:05.424 PDT Gen. Time: 04/22/2013 20:56:05.436 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 177.6.67.10 (2) (20:52:05.424 PDT) event=777:7777008 (2) {tcp} E8[bh] Detected intense malware port scanning of 134 IPs (131 /24s) (# pkts S/M/O/I=0/131/2/1): 445:131, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (20:52:05.424 PDT) 0->0 (20:54:33.287 PDT) tcpslice 1366689125.424 1366689125.425 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/22/2013 20:58:39.276 PDT Gen. 
Time: 04/22/2013 20:58:39.276 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 177.6.67.10 (20:58:39.276 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 139 IPs (135 /24s) (# pkts S/M/O/I=0/136/2/1): 445:136, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (20:58:39.276 PDT) tcpslice 1366689519.276 1366689519.277 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/22/2013 20:58:39.276 PDT Gen. Time: 04/22/2013 21:02:39.384 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 177.6.67.10 (2) (20:58:39.276 PDT) event=777:7777008 (2) {tcp} E8[bh] Detected intense malware port scanning of 139 IPs (135 /24s) (# pkts S/M/O/I=0/136/2/1): 445:136, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (20:58:39.276 PDT) (21:00:10.411 PDT) tcpslice 1366689519.276 1366689519.277 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/22/2013 21:02:44.331 PDT Gen. 
Time: 04/22/2013 21:02:44.331 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 177.6.67.10 (21:02:44.331 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 144 IPs (140 /24s) (# pkts S/M/O/I=0/141/2/1): 445:141, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (21:02:44.331 PDT) tcpslice 1366689764.331 1366689764.332 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/22/2013 21:02:44.331 PDT Gen. Time: 04/22/2013 21:06:44.650 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 177.6.67.10 (2) (21:02:44.331 PDT) event=777:7777008 (2) {tcp} E8[bh] Detected intense malware port scanning of 144 IPs (140 /24s) (# pkts S/M/O/I=0/141/2/1): 445:141, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (21:02:44.331 PDT) 0->0 (21:05:18.382 PDT) tcpslice 1366689764.331 1366689764.332 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/22/2013 21:07:02.250 PDT Gen. 
Time: 04/22/2013 21:07:02.250 PDT
  INBOUND SCAN
  EXPLOIT
  EXPLOIT MALWARE DNS
  EGG DOWNLOAD
  C and C TRAFFIC
  C and C TRAFFIC (RBN)
  C and C DNS CHECK-IN
  OUTBOUND SKYPE CANDIDATE
  OUTBOUND SCAN (spp)
  OUTBOUND SCAN
  ATTACK PREP
  PEER COORDINATION Info
  PEER COORDINATION
  DECLARE BOT Standard Port
  DECLARE BOT Non-standard Port
  DECLARE BOT Local Threat Triggered
  DECLARE BOT
  OUTBOUND INTENSE MALWARE PORT SCAN
    177.6.67.10 (21:07:02.250 PDT)
      event=777:7777008 {icmp} E8[bh] Detected intense malware port scanning of 146 IPs (142 /24s) (# pkts S/M/O/I=0/143/2/1): 445:143, [] MAC_Src: 00:21:1C:EE:14:00 (21:07:02.250 PDT)
tcpslice 1366690022.250 1366690022.251 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.98
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 04/22/2013 21:07:02.250 PDT
Gen. Time: 04/22/2013 21:11:02.312 PDT
  INBOUND SCAN
  EXPLOIT
  EXPLOIT MALWARE DNS
  EGG DOWNLOAD
  C and C TRAFFIC
  C and C TRAFFIC (RBN)
  C and C DNS CHECK-IN
  OUTBOUND SKYPE CANDIDATE
  OUTBOUND SCAN (spp)
  OUTBOUND SCAN
  ATTACK PREP
  PEER COORDINATION Info
  PEER COORDINATION
  DECLARE BOT Standard Port
  DECLARE BOT Non-standard Port
  DECLARE BOT Local Threat Triggered
  DECLARE BOT
  OUTBOUND INTENSE MALWARE PORT SCAN
    177.6.67.10 (2) (21:07:02.250 PDT)
      event=777:7777008 (2) {icmp} E8[bh] Detected intense malware port scanning of 146 IPs (142 /24s) (# pkts S/M/O/I=0/143/2/1): 445:143, [] MAC_Src: 00:21:1C:EE:14:00 (21:07:02.250 PDT) (21:08:47.406 PDT)
tcpslice 1366690022.250 1366690022.251 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.98
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 04/22/2013 21:12:31.085 PDT
Gen. Time: 04/22/2013 21:12:31.085 PDT
  INBOUND SCAN
  EXPLOIT
  EXPLOIT MALWARE DNS
  EGG DOWNLOAD
  C and C TRAFFIC
  C and C TRAFFIC (RBN)
  C and C DNS CHECK-IN
  OUTBOUND SKYPE CANDIDATE
  OUTBOUND SCAN (spp)
  OUTBOUND SCAN
  ATTACK PREP
  PEER COORDINATION Info
  PEER COORDINATION
  DECLARE BOT Standard Port
  DECLARE BOT Non-standard Port
  DECLARE BOT Local Threat Triggered
  DECLARE BOT
  OUTBOUND INTENSE MALWARE PORT SCAN
    177.6.67.10 (21:12:31.085 PDT)
      event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 150 IPs (146 /24s) (# pkts S/M/O/I=0/147/2/1): 445:147, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (21:12:31.085 PDT)
tcpslice 1366690351.085 1366690351.086 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.98
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 04/22/2013 21:16:43.297 PDT
Gen. Time: 04/22/2013 21:16:43.297 PDT
  INBOUND SCAN
  EXPLOIT
  EXPLOIT MALWARE DNS
  EGG DOWNLOAD
  C and C TRAFFIC
  C and C TRAFFIC (RBN)
  C and C DNS CHECK-IN
  OUTBOUND SKYPE CANDIDATE
  OUTBOUND SCAN (spp)
  OUTBOUND SCAN
  ATTACK PREP
  PEER COORDINATION Info
  PEER COORDINATION
  DECLARE BOT Standard Port
  DECLARE BOT Non-standard Port
  DECLARE BOT Local Threat Triggered
  DECLARE BOT
  OUTBOUND INTENSE MALWARE PORT SCAN
    177.6.67.10 (21:16:43.297 PDT)
      event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 152 IPs (148 /24s) (# pkts S/M/O/I=0/149/2/1): 445:149, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (21:16:43.297 PDT)
tcpslice 1366690603.297 1366690603.298 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.98
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 04/22/2013 21:16:43.297 PDT
Gen. Time: 04/22/2013 21:20:44.513 PDT
  INBOUND SCAN
  EXPLOIT
  EXPLOIT MALWARE DNS
  EGG DOWNLOAD
  C and C TRAFFIC
  C and C TRAFFIC (RBN)
  C and C DNS CHECK-IN
  OUTBOUND SKYPE CANDIDATE
  OUTBOUND SCAN (spp)
  OUTBOUND SCAN
  ATTACK PREP
  PEER COORDINATION Info
  PEER COORDINATION
  DECLARE BOT Standard Port
  DECLARE BOT Non-standard Port
  DECLARE BOT Local Threat Triggered
  DECLARE BOT
  OUTBOUND INTENSE MALWARE PORT SCAN
    177.6.67.10 (2) (21:16:43.297 PDT)
      event=777:7777008 (2) {tcp} E8[bh] Detected intense malware port scanning of 152 IPs (148 /24s) (# pkts S/M/O/I=0/149/2/1): 445:149, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (21:16:43.297 PDT) (21:18:34.277 PDT)
tcpslice 1366690603.297 1366690603.298 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.98
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 04/22/2013 21:21:19.946 PDT
Gen. Time: 04/22/2013 21:21:19.946 PDT
  INBOUND SCAN
  EXPLOIT
  EXPLOIT MALWARE DNS
  EGG DOWNLOAD
  C and C TRAFFIC
  C and C TRAFFIC (RBN)
  C and C DNS CHECK-IN
  OUTBOUND SKYPE CANDIDATE
  OUTBOUND SCAN (spp)
  OUTBOUND SCAN
  ATTACK PREP
  PEER COORDINATION Info
  PEER COORDINATION
  DECLARE BOT Standard Port
  DECLARE BOT Non-standard Port
  DECLARE BOT Local Threat Triggered
  DECLARE BOT
  OUTBOUND INTENSE MALWARE PORT SCAN
    177.6.67.10 (21:21:19.946 PDT)
      event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 158 IPs (154 /24s) (# pkts S/M/O/I=1/154/2/1): 445:154, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (21:21:19.946 PDT)
tcpslice 1366690879.946 1366690879.947 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.98
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 04/22/2013 21:21:19.946 PDT
Gen. Time: 04/22/2013 21:25:20.536 PDT
  INBOUND SCAN
  EXPLOIT
  EXPLOIT MALWARE DNS
  EGG DOWNLOAD
  C and C TRAFFIC
  C and C TRAFFIC (RBN)
  C and C DNS CHECK-IN
  OUTBOUND SKYPE CANDIDATE
  OUTBOUND SCAN (spp)
  OUTBOUND SCAN
  ATTACK PREP
  PEER COORDINATION Info
  PEER COORDINATION
  DECLARE BOT Standard Port
  DECLARE BOT Non-standard Port
  DECLARE BOT Local Threat Triggered
  DECLARE BOT
  OUTBOUND INTENSE MALWARE PORT SCAN
    177.6.67.10 (3) (21:21:19.946 PDT)
      event=777:7777008 (3) {tcp} E8[bh] Detected intense malware port scanning of 158 IPs (154 /24s) (# pkts S/M/O/I=1/154/2/1): 445:154, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (21:21:19.946 PDT) 0->0 (21:23:24.180 PDT) (21:25:11.368 PDT)
tcpslice 1366690879.946 1366690879.947 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.98
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 04/22/2013 21:28:10.413 PDT
Gen. Time: 04/22/2013 21:28:10.413 PDT
  INBOUND SCAN
  EXPLOIT
  EXPLOIT MALWARE DNS
  EGG DOWNLOAD
  C and C TRAFFIC
  C and C TRAFFIC (RBN)
  C and C DNS CHECK-IN
  OUTBOUND SKYPE CANDIDATE
  OUTBOUND SCAN (spp)
  OUTBOUND SCAN
  ATTACK PREP
  PEER COORDINATION Info
  PEER COORDINATION
  DECLARE BOT Standard Port
  DECLARE BOT Non-standard Port
  DECLARE BOT Local Threat Triggered
  DECLARE BOT
  OUTBOUND INTENSE MALWARE PORT SCAN
    177.6.67.10 (21:28:10.413 PDT)
      event=777:7777008 {icmp} E8[bh] Detected intense malware port scanning of 165 IPs (161 /24s) (# pkts S/M/O/I=1/161/2/1): 445:161, [] MAC_Src: 00:21:1C:EE:14:00 (21:28:10.413 PDT)
tcpslice 1366691290.413 1366691290.414 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.98
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 04/22/2013 21:28:10.413 PDT
Gen. Time: 04/22/2013 21:32:10.434 PDT
  INBOUND SCAN
  EXPLOIT
  EXPLOIT MALWARE DNS
  EGG DOWNLOAD
  C and C TRAFFIC
  C and C TRAFFIC (RBN)
  C and C DNS CHECK-IN
  OUTBOUND SKYPE CANDIDATE
  OUTBOUND SCAN (spp)
  OUTBOUND SCAN
  ATTACK PREP
  PEER COORDINATION Info
  PEER COORDINATION
  DECLARE BOT Standard Port
  DECLARE BOT Non-standard Port
  DECLARE BOT Local Threat Triggered
  DECLARE BOT
  OUTBOUND INTENSE MALWARE PORT SCAN
    177.6.67.10 (2) (21:28:10.413 PDT)
      event=777:7777008 (2) {icmp} E8[bh] Detected intense malware port scanning of 165 IPs (161 /24s) (# pkts S/M/O/I=1/161/2/1): 445:161, [] MAC_Src: 00:21:1C:EE:14:00 (21:28:10.413 PDT) (21:30:50.900 PDT)
tcpslice 1366691290.413 1366691290.414 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.98
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 04/22/2013 21:33:45.429 PDT
Gen. Time: 04/22/2013 21:33:45.429 PDT
  INBOUND SCAN
  EXPLOIT
  EXPLOIT MALWARE DNS
  EGG DOWNLOAD
  C and C TRAFFIC
  C and C TRAFFIC (RBN)
  C and C DNS CHECK-IN
  OUTBOUND SKYPE CANDIDATE
  OUTBOUND SCAN (spp)
  OUTBOUND SCAN
  ATTACK PREP
  PEER COORDINATION Info
  PEER COORDINATION
  DECLARE BOT Standard Port
  DECLARE BOT Non-standard Port
  DECLARE BOT Local Threat Triggered
  DECLARE BOT
  OUTBOUND INTENSE MALWARE PORT SCAN
    177.6.67.10 (21:33:45.429 PDT)
      event=777:7777008 {icmp} E8[bh] Detected intense malware port scanning of 169 IPs (165 /24s) (# pkts S/M/O/I=1/165/2/1): 445:165, [] MAC_Src: 00:21:1C:EE:14:00 (21:33:45.429 PDT)
tcpslice 1366691625.429 1366691625.430 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.98
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 04/22/2013 21:38:41.607 PDT
Gen. Time: 04/22/2013 21:38:41.607 PDT
  INBOUND SCAN
  EXPLOIT
  EXPLOIT MALWARE DNS
  EGG DOWNLOAD
  C and C TRAFFIC
  C and C TRAFFIC (RBN)
  C and C DNS CHECK-IN
  OUTBOUND SKYPE CANDIDATE
  OUTBOUND SCAN (spp)
  OUTBOUND SCAN
  ATTACK PREP
  PEER COORDINATION Info
  PEER COORDINATION
  DECLARE BOT Standard Port
  DECLARE BOT Non-standard Port
  DECLARE BOT Local Threat Triggered
  DECLARE BOT
  OUTBOUND INTENSE MALWARE PORT SCAN
    177.6.67.10 (21:38:41.607 PDT)
      event=777:7777008 {icmp} E8[bh] Detected intense malware port scanning of 170 IPs (166 /24s) (# pkts S/M/O/I=1/165/3/1): 445:165, [] MAC_Src: 00:21:1C:EE:14:00 (21:38:41.607 PDT)
tcpslice 1366691921.607 1366691921.608 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.98
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 04/22/2013 21:45:29.252 PDT
Gen. Time: 04/22/2013 21:45:29.252 PDT
  INBOUND SCAN
  EXPLOIT
  EXPLOIT MALWARE DNS
  EGG DOWNLOAD
  C and C TRAFFIC
  C and C TRAFFIC (RBN)
  C and C DNS CHECK-IN
  OUTBOUND SKYPE CANDIDATE
  OUTBOUND SCAN (spp)
  OUTBOUND SCAN
  ATTACK PREP
  PEER COORDINATION Info
  PEER COORDINATION
  DECLARE BOT Standard Port
  DECLARE BOT Non-standard Port
  DECLARE BOT Local Threat Triggered
  DECLARE BOT
  OUTBOUND INTENSE MALWARE PORT SCAN
    177.6.67.10 (21:45:29.252 PDT)
      event=777:7777008 {icmp} E8[bh] Detected intense malware port scanning of 175 IPs (171 /24s) (# pkts S/M/O/I=1/170/3/1): 445:170, [] MAC_Src: 00:21:1C:EE:14:00 (21:45:29.252 PDT)
tcpslice 1366692329.252 1366692329.253 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.98
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 04/22/2013 21:45:29.252 PDT
Gen. Time: 04/22/2013 21:49:29.429 PDT
  INBOUND SCAN
  EXPLOIT
  EXPLOIT MALWARE DNS
  EGG DOWNLOAD
  C and C TRAFFIC
  C and C TRAFFIC (RBN)
  C and C DNS CHECK-IN
  OUTBOUND SKYPE CANDIDATE
  OUTBOUND SCAN (spp)
  OUTBOUND SCAN
  ATTACK PREP
  PEER COORDINATION Info
  PEER COORDINATION
  DECLARE BOT Standard Port
  DECLARE BOT Non-standard Port
  DECLARE BOT Local Threat Triggered
  DECLARE BOT
  OUTBOUND INTENSE MALWARE PORT SCAN
    177.6.67.10 (3) (21:45:29.252 PDT)
      event=777:7777008 (3) {icmp} E8[bh] Detected intense malware port scanning of 175 IPs (171 /24s) (# pkts S/M/O/I=1/170/3/1): 445:170, [] MAC_Src: 00:21:1C:EE:14:00 (21:45:29.252 PDT) 0->0 (21:47:10.247 PDT) (21:48:40.205 PDT)
tcpslice 1366692329.252 1366692329.253 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.98
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 04/22/2013 21:51:02.423 PDT
Gen. Time: 04/22/2013 21:51:02.423 PDT
  INBOUND SCAN
  EXPLOIT
  EXPLOIT MALWARE DNS
  EGG DOWNLOAD
  C and C TRAFFIC
  C and C TRAFFIC (RBN)
  C and C DNS CHECK-IN
  OUTBOUND SKYPE CANDIDATE
  OUTBOUND SCAN (spp)
  OUTBOUND SCAN
  ATTACK PREP
  PEER COORDINATION Info
  PEER COORDINATION
  DECLARE BOT Standard Port
  DECLARE BOT Non-standard Port
  DECLARE BOT Local Threat Triggered
  DECLARE BOT
  OUTBOUND INTENSE MALWARE PORT SCAN
    177.6.67.10 (21:51:02.423 PDT)
      event=777:7777008 {icmp} E8[bh] Detected intense malware port scanning of 180 IPs (176 /24s) (# pkts S/M/O/I=1/175/3/1): 445:175, [] MAC_Src: 00:21:1C:EE:14:00 (21:51:02.423 PDT)
tcpslice 1366692662.423 1366692662.424 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.98
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 04/22/2013 21:51:02.423 PDT
Gen. Time: 04/22/2013 21:55:02.430 PDT
  INBOUND SCAN
  EXPLOIT
  EXPLOIT MALWARE DNS
  EGG DOWNLOAD
  C and C TRAFFIC
  C and C TRAFFIC (RBN)
  C and C DNS CHECK-IN
  OUTBOUND SKYPE CANDIDATE
  OUTBOUND SCAN (spp)
  OUTBOUND SCAN
  ATTACK PREP
  PEER COORDINATION Info
  PEER COORDINATION
  DECLARE BOT Standard Port
  DECLARE BOT Non-standard Port
  DECLARE BOT Local Threat Triggered
  DECLARE BOT
  OUTBOUND INTENSE MALWARE PORT SCAN
    177.6.67.10 (2) (21:51:02.423 PDT)
      event=777:7777008 (2) {icmp} E8[bh] Detected intense malware port scanning of 180 IPs (176 /24s) (# pkts S/M/O/I=1/175/3/1): 445:175, [] MAC_Src: 00:21:1C:EE:14:00 (21:51:02.423 PDT) (21:52:49.229 PDT)
tcpslice 1366692662.423 1366692662.424 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.98
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 04/22/2013 21:56:44.302 PDT
Gen. Time: 04/22/2013 21:56:44.302 PDT
  INBOUND SCAN
  EXPLOIT
  EXPLOIT MALWARE DNS
  EGG DOWNLOAD
  C and C TRAFFIC
  C and C TRAFFIC (RBN)
  C and C DNS CHECK-IN
  OUTBOUND SKYPE CANDIDATE
  OUTBOUND SCAN (spp)
  OUTBOUND SCAN
  ATTACK PREP
  PEER COORDINATION Info
  PEER COORDINATION
  DECLARE BOT Standard Port
  DECLARE BOT Non-standard Port
  DECLARE BOT Local Threat Triggered
  DECLARE BOT
  OUTBOUND INTENSE MALWARE PORT SCAN
    177.6.67.10 (21:56:44.302 PDT)
      event=777:7777008 {icmp} E8[bh] Detected intense malware port scanning of 184 IPs (180 /24s) (# pkts S/M/O/I=1/179/3/1): 445:179, [] MAC_Src: 00:21:1C:EE:14:00 (21:56:44.302 PDT)
tcpslice 1366693004.302 1366693004.303 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.98
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 04/22/2013 21:56:44.302 PDT
Gen. Time: 04/22/2013 22:00:46.324 PDT
  INBOUND SCAN
  EXPLOIT
  EXPLOIT MALWARE DNS
  EGG DOWNLOAD
  C and C TRAFFIC
  C and C TRAFFIC (RBN)
  C and C DNS CHECK-IN
  OUTBOUND SKYPE CANDIDATE
  OUTBOUND SCAN (spp)
  OUTBOUND SCAN
  ATTACK PREP
  PEER COORDINATION Info
  PEER COORDINATION
  DECLARE BOT Standard Port
  DECLARE BOT Non-standard Port
  DECLARE BOT Local Threat Triggered
  DECLARE BOT
  OUTBOUND INTENSE MALWARE PORT SCAN
    177.6.67.10 (2) (21:56:44.302 PDT)
      event=777:7777008 (2) {icmp} E8[bh] Detected intense malware port scanning of 184 IPs (180 /24s) (# pkts S/M/O/I=1/179/3/1): 445:179, [] MAC_Src: 00:21:1C:EE:14:00 (21:56:44.302 PDT) 0->0 (21:59:37.171 PDT)
tcpslice 1366693004.302 1366693004.303 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.98
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 04/22/2013 22:01:40.305 PDT
Gen. Time: 04/22/2013 22:01:40.305 PDT
  INBOUND SCAN
  EXPLOIT
  EXPLOIT MALWARE DNS
  EGG DOWNLOAD
  C and C TRAFFIC
  C and C TRAFFIC (RBN)
  C and C DNS CHECK-IN
  OUTBOUND SKYPE CANDIDATE
  OUTBOUND SCAN (spp)
  OUTBOUND SCAN
  ATTACK PREP
  PEER COORDINATION Info
  PEER COORDINATION
  DECLARE BOT Standard Port
  DECLARE BOT Non-standard Port
  DECLARE BOT Local Threat Triggered
  DECLARE BOT
  OUTBOUND INTENSE MALWARE PORT SCAN
    177.6.67.10 (22:01:40.305 PDT)
      event=777:7777008 {icmp} E8[bh] Detected intense malware port scanning of 188 IPs (184 /24s) (# pkts S/M/O/I=1/183/3/1): 445:183, [] MAC_Src: 00:21:1C:EE:14:00 (22:01:40.305 PDT)
tcpslice 1366693300.305 1366693300.306 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.98
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 04/22/2013 22:07:15.308 PDT
Gen. Time: 04/22/2013 22:07:15.308 PDT
  INBOUND SCAN
  EXPLOIT
  EXPLOIT MALWARE DNS
  EGG DOWNLOAD
  C and C TRAFFIC
  C and C TRAFFIC (RBN)
  C and C DNS CHECK-IN
  OUTBOUND SKYPE CANDIDATE
  OUTBOUND SCAN (spp)
  OUTBOUND SCAN
  ATTACK PREP
  PEER COORDINATION Info
  PEER COORDINATION
  DECLARE BOT Standard Port
  DECLARE BOT Non-standard Port
  DECLARE BOT Local Threat Triggered
  DECLARE BOT
  OUTBOUND INTENSE MALWARE PORT SCAN
    177.6.67.10 (22:07:15.308 PDT)
      event=777:7777008 {icmp} E8[bh] Detected intense malware port scanning of 189 IPs (185 /24s) (# pkts S/M/O/I=1/184/3/1): 445:184, [] MAC_Src: 00:21:1C:EE:14:00 (22:07:15.308 PDT)
tcpslice 1366693635.308 1366693635.309 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.98
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 04/22/2013 22:07:15.308 PDT
Gen. Time: 04/22/2013 22:11:15.347 PDT
  INBOUND SCAN
  EXPLOIT
  EXPLOIT MALWARE DNS
  EGG DOWNLOAD
  C and C TRAFFIC
  C and C TRAFFIC (RBN)
  C and C DNS CHECK-IN
  OUTBOUND SKYPE CANDIDATE
  OUTBOUND SCAN (spp)
  OUTBOUND SCAN
  ATTACK PREP
  PEER COORDINATION Info
  PEER COORDINATION
  DECLARE BOT Standard Port
  DECLARE BOT Non-standard Port
  DECLARE BOT Local Threat Triggered
  DECLARE BOT
  OUTBOUND INTENSE MALWARE PORT SCAN
    177.6.67.10 (3) (22:07:15.308 PDT)
      event=777:7777008 (3) {icmp} E8[bh] Detected intense malware port scanning of 189 IPs (185 /24s) (# pkts S/M/O/I=1/184/3/1): 445:184, [] MAC_Src: 00:21:1C:EE:14:00 (22:07:15.308 PDT) 0->0 (22:09:03.270 PDT) 0->0 (22:11:14.410 PDT)
tcpslice 1366693635.308 1366693635.309 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.98
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 04/22/2013 22:13:24.134 PDT
Gen. Time: 04/22/2013 22:13:24.134 PDT
  INBOUND SCAN
  EXPLOIT
  EXPLOIT MALWARE DNS
  EGG DOWNLOAD
  C and C TRAFFIC
  C and C TRAFFIC (RBN)
  C and C DNS CHECK-IN
  OUTBOUND SKYPE CANDIDATE
  OUTBOUND SCAN (spp)
  OUTBOUND SCAN
  ATTACK PREP
  PEER COORDINATION Info
  PEER COORDINATION
  DECLARE BOT Standard Port
  DECLARE BOT Non-standard Port
  DECLARE BOT Local Threat Triggered
  DECLARE BOT
  OUTBOUND INTENSE MALWARE PORT SCAN
    177.6.67.10 (22:13:24.134 PDT)
      event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 201 IPs (197 /24s) (# pkts S/M/O/I=1/195/4/1): 445:195, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (22:13:24.134 PDT)
tcpslice 1366694004.134 1366694004.135 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.98
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 04/22/2013 22:13:24.134 PDT
Gen. Time: 04/22/2013 22:17:24.138 PDT
  INBOUND SCAN
  EXPLOIT
  EXPLOIT MALWARE DNS
  EGG DOWNLOAD
  C and C TRAFFIC
  C and C TRAFFIC (RBN)
  C and C DNS CHECK-IN
  OUTBOUND SKYPE CANDIDATE
  OUTBOUND SCAN (spp)
  OUTBOUND SCAN
  ATTACK PREP
  PEER COORDINATION Info
  PEER COORDINATION
  DECLARE BOT Standard Port
  DECLARE BOT Non-standard Port
  DECLARE BOT Local Threat Triggered
  DECLARE BOT
  OUTBOUND INTENSE MALWARE PORT SCAN
    177.6.67.10 (2) (22:13:24.134 PDT)
      event=777:7777008 (2) {tcp} E8[bh] Detected intense malware port scanning of 201 IPs (197 /24s) (# pkts S/M/O/I=1/195/4/1): 445:195, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (22:13:24.134 PDT) 0->0 (22:15:08.258 PDT)
tcpslice 1366694004.134 1366694004.135 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.98
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 04/22/2013 22:17:44.374 PDT
Gen. Time: 04/22/2013 22:17:44.374 PDT
  INBOUND SCAN
  EXPLOIT
  EXPLOIT MALWARE DNS
  EGG DOWNLOAD
  C and C TRAFFIC
  C and C TRAFFIC (RBN)
  C and C DNS CHECK-IN
  OUTBOUND SKYPE CANDIDATE
  OUTBOUND SCAN (spp)
  OUTBOUND SCAN
  ATTACK PREP
  PEER COORDINATION Info
  PEER COORDINATION
  DECLARE BOT Standard Port
  DECLARE BOT Non-standard Port
  DECLARE BOT Local Threat Triggered
  DECLARE BOT
  OUTBOUND INTENSE MALWARE PORT SCAN
    177.6.67.10 (22:17:44.374 PDT)
      event=777:7777008 {icmp} E8[bh] Detected intense malware port scanning of 204 IPs (200 /24s) (# pkts S/M/O/I=1/198/4/1): 445:198, [] MAC_Src: 00:21:1C:EE:14:00 (22:17:44.374 PDT)
tcpslice 1366694264.374 1366694264.375 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.98
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 04/22/2013 22:17:44.374 PDT
Gen. Time: 04/22/2013 22:21:45.122 PDT
  INBOUND SCAN
  EXPLOIT
  EXPLOIT MALWARE DNS
  EGG DOWNLOAD
  C and C TRAFFIC
  C and C TRAFFIC (RBN)
  C and C DNS CHECK-IN
  OUTBOUND SKYPE CANDIDATE
  OUTBOUND SCAN (spp)
  OUTBOUND SCAN
  ATTACK PREP
  PEER COORDINATION Info
  PEER COORDINATION
  DECLARE BOT Standard Port
  DECLARE BOT Non-standard Port
  DECLARE BOT Local Threat Triggered
  DECLARE BOT
  OUTBOUND INTENSE MALWARE PORT SCAN
    177.6.67.10 (2) (22:17:44.374 PDT)
      event=777:7777008 (2) {icmp} E8[bh] Detected intense malware port scanning of 204 IPs (200 /24s) (# pkts S/M/O/I=1/198/4/1): 445:198, [] MAC_Src: 00:21:1C:EE:14:00 (22:17:44.374 PDT) 0->0 (22:20:05.464 PDT)
tcpslice 1366694264.374 1366694264.375 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.98
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 04/22/2013 22:20:58.841 PDT
Gen. Time: 04/22/2013 22:20:58.841 PDT
  INBOUND SCAN
  EXPLOIT
  EXPLOIT MALWARE DNS
  EGG DOWNLOAD
  C and C TRAFFIC
  C and C TRAFFIC (RBN)
  C and C DNS CHECK-IN
  OUTBOUND SKYPE CANDIDATE
  OUTBOUND SCAN (spp)
  OUTBOUND SCAN
  ATTACK PREP
  PEER COORDINATION Info
  PEER COORDINATION
  DECLARE BOT Standard Port
  DECLARE BOT Non-standard Port
  DECLARE BOT Local Threat Triggered
  DECLARE BOT
  OUTBOUND INTENSE MALWARE PORT SCAN
    177.6.67.10 (22:20:58.841 PDT)
      event=777:7777008 {icmp} E8[bh] Detected intense malware port scanning of 206 IPs (202 /24s) (# pkts S/M/O/I=1/200/4/1): 445:200, [] MAC_Src: 00:21:1C:EE:14:00 (22:20:58.841 PDT)
tcpslice 1366694458.841 1366694458.842 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98'
============================== SEPARATOR ================================
Score: 1.1 (>= 0.8)
Infected Target: 192.168.1.98
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 04/22/2013 22:47:54.261 PDT
Gen. Time: 04/22/2013 22:48:28.254 PDT
  INBOUND SCAN
  EXPLOIT
  EXPLOIT MALWARE DNS
  EGG DOWNLOAD
  C and C TRAFFIC
  C and C TRAFFIC (RBN)
  C and C DNS CHECK-IN
  OUTBOUND SKYPE CANDIDATE
  OUTBOUND SCAN (spp)
    177.72.108.52 (22:47:54.261 PDT)
      event=777:7777005 {icmp} E5[bh] Detected moderate malware port scanning of 19 IPs (19 /24s) (# pkts S/M/O/I=0/18/1/0): 445:18, [] MAC_Src: 00:21:1C:EE:14:00 (22:47:54.261 PDT)
  OUTBOUND SCAN
  ATTACK PREP
  PEER COORDINATION Info
  PEER COORDINATION
  DECLARE BOT Standard Port
  DECLARE BOT Non-standard Port
  DECLARE BOT Local Threat Triggered
  DECLARE BOT
  OUTBOUND INTENSE MALWARE PORT SCAN
    177.72.108.52 (22:48:28.254 PDT)
      event=777:7777008 {icmp} E8[bh] Detected intense malware port scanning of 21 IPs (21 /24s) (# pkts S/M/O/I=0/20/1/0): 445:20, [] MAC_Src: 00:21:1C:EE:14:00 (22:48:28.254 PDT)
tcpslice 1366696074.261 1366696074.262 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98'
============================== SEPARATOR ================================
Score: 1.1 (>= 0.8)
Infected Target: 192.168.1.98
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 04/22/2013 22:47:54.261 PDT
Gen. Time: 04/22/2013 22:51:54.278 PDT
  INBOUND SCAN
  EXPLOIT
  EXPLOIT MALWARE DNS
  EGG DOWNLOAD
  C and C TRAFFIC
  C and C TRAFFIC (RBN)
  C and C DNS CHECK-IN
  OUTBOUND SKYPE CANDIDATE
  OUTBOUND SCAN (spp)
    177.72.108.52 (22:47:54.261 PDT)
      event=777:7777005 {icmp} E5[bh] Detected moderate malware port scanning of 19 IPs (19 /24s) (# pkts S/M/O/I=0/18/1/0): 445:18, [] MAC_Src: 00:21:1C:EE:14:00 (22:47:54.261 PDT)
  OUTBOUND SCAN
  ATTACK PREP
  PEER COORDINATION Info
  PEER COORDINATION
  DECLARE BOT Standard Port
  DECLARE BOT Non-standard Port
  DECLARE BOT Local Threat Triggered
  DECLARE BOT
  OUTBOUND INTENSE MALWARE PORT SCAN
    177.72.108.52 (2) (22:48:28.254 PDT)
      event=777:7777008 (2) {icmp} E8[bh] Detected intense malware port scanning of 21 IPs (21 /24s) (# pkts S/M/O/I=0/20/1/0): 445:20, [] MAC_Src: 00:21:1C:EE:14:00 (22:48:28.254 PDT) (22:51:08.359 PDT)
tcpslice 1366696074.261 1366696074.262 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.98
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 04/22/2013 22:52:51.416 PDT
Gen. Time: 04/22/2013 22:52:51.416 PDT
  INBOUND SCAN
  EXPLOIT
  EXPLOIT MALWARE DNS
  EGG DOWNLOAD
  C and C TRAFFIC
  C and C TRAFFIC (RBN)
  C and C DNS CHECK-IN
  OUTBOUND SKYPE CANDIDATE
  OUTBOUND SCAN (spp)
  OUTBOUND SCAN
  ATTACK PREP
  PEER COORDINATION Info
  PEER COORDINATION
  DECLARE BOT Standard Port
  DECLARE BOT Non-standard Port
  DECLARE BOT Local Threat Triggered
  DECLARE BOT
  OUTBOUND INTENSE MALWARE PORT SCAN
    177.72.108.52 (22:52:51.416 PDT)
      event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 23 IPs (23 /24s) (# pkts S/M/O/I=0/22/1/0): 445:22, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (22:52:51.416 PDT)
tcpslice 1366696371.416 1366696371.417 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.98
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 04/22/2013 22:52:51.416 PDT
Gen. Time: 04/22/2013 22:56:52.127 PDT
  INBOUND SCAN
  EXPLOIT
  EXPLOIT MALWARE DNS
  EGG DOWNLOAD
  C and C TRAFFIC
  C and C TRAFFIC (RBN)
  C and C DNS CHECK-IN
  OUTBOUND SKYPE CANDIDATE
  OUTBOUND SCAN (spp)
  OUTBOUND SCAN
  ATTACK PREP
  PEER COORDINATION Info
  PEER COORDINATION
  DECLARE BOT Standard Port
  DECLARE BOT Non-standard Port
  DECLARE BOT Local Threat Triggered
  DECLARE BOT
  OUTBOUND INTENSE MALWARE PORT SCAN
    177.72.108.52 (2) (22:52:51.416 PDT)
      event=777:7777008 (2) {tcp} E8[bh] Detected intense malware port scanning of 23 IPs (23 /24s) (# pkts S/M/O/I=0/22/1/0): 445:22, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (22:52:51.416 PDT) (22:56:18.345 PDT)
tcpslice 1366696371.416 1366696371.417 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.98
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 04/22/2013 22:58:03.729 PDT
Gen. Time: 04/22/2013 22:58:03.729 PDT
  INBOUND SCAN
  EXPLOIT
  EXPLOIT MALWARE DNS
  EGG DOWNLOAD
  C and C TRAFFIC
  C and C TRAFFIC (RBN)
  C and C DNS CHECK-IN
  OUTBOUND SKYPE CANDIDATE
  OUTBOUND SCAN (spp)
  OUTBOUND SCAN
  ATTACK PREP
  PEER COORDINATION Info
  PEER COORDINATION
  DECLARE BOT Standard Port
  DECLARE BOT Non-standard Port
  DECLARE BOT Local Threat Triggered
  DECLARE BOT
  OUTBOUND INTENSE MALWARE PORT SCAN
    177.72.108.52 (22:58:03.729 PDT)
      event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 26 IPs (25 /24s) (# pkts S/M/O/I=0/24/2/0): 445:24, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (22:58:03.729 PDT)
tcpslice 1366696683.729 1366696683.730 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98'
============================== SEPARATOR ================================