Score: 0.8 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/23/2013 14:00:08.651 PDT Gen. Time: 04/23/2013 14:00:16.358 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) 204.123.28.55 (14:00:16.358 PDT) event=777:7777005 {tcp} E5[bh] Detected moderate malware port scanning of 11 IPs (7 /24s) (# pkts S/M/O/I=0/10/1/0): 22:10, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (14:00:16.358 PDT) OUTBOUND SCAN 128.10.19.52 (14:00:08.651 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 39276->22 (14:00:08.651 PDT) ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1366750808.651 1366750808.652 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' ============================== SEPARATOR ================================ Score: 1.6 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/23/2013 14:00:08.651 PDT Gen. Time: 04/23/2013 14:10:27.672 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) 204.123.28.55 (14:00:16.358 PDT) event=777:7777005 {tcp} E5[bh] Detected moderate malware port scanning of 11 IPs (7 /24s) (# pkts S/M/O/I=0/10/1/0): 22:10, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (14:00:16.358 PDT) OUTBOUND SCAN 128.208.4.197 (14:01:23.109 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 44922->22 (14:01:23.109 PDT) 152.14.93.140 (14:00:56.185 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 58106->22 (14:00:56.185 PDT) 128.10.19.52 (14:00:08.651 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 39276->22 (14:00:08.651 PDT) 165.91.55.9 (14:02:31.819 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 53192->22 (14:02:31.819 PDT) 131.193.34.38 (14:00:47.566 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 47333->22 (14:00:47.566 PDT) 165.91.55.8 (14:02:21.949 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 51863->22 (14:02:21.949 PDT) 158.130.6.253 (14:02:12.134 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 36037->22 (14:02:12.134 PDT) 128.84.154.44 (14:00:24.342 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 50420->22 (14:00:24.342 PDT) 204.123.28.56 (14:00:16.358 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 41196->22 (14:00:16.358 PDT) 128.42.142.44 (14:01:09.254 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 51499->22 (14:01:09.254 PDT) 192.52.240.213 (14:02:47.749 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 40433->22 (14:02:47.749 PDT) 204.123.28.55 (14:02:40.452 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 56062->22 (14:02:40.452 PDT) 198.133.224.147 (2) (14:00:34.320 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 46857->22 (14:00:34.320 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 46857->22 (14:00:34.320 PDT) 130.127.39.153 (2) (14:01:15.169 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 36831->22 (14:01:15.169 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 36831->22 (14:01:15.169 PDT) 128.208.4.198 (14:01:31.368 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 45057->22 (14:01:31.368 PDT) ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 128.84.154.44 (14:00:34.320 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 21 IPs (14 /24s) (# pkts S/M/O/I=0/20/1/0): 22:20, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (14:00:34.320 PDT) 128.223.8.111 (3) (14:02:10.575 PDT-14:05:12.376 PDT) event=777:7777008 (3) {tcp} E8[bh] Detected intense malware port scanning of 45 IPs (28 /24s) (# pkts S/M/O/I=0/44/1/0): 22:44, [] MAC_Src: 00:01:64:FF:CE:EA 3: 0->0 (14:02:10.575 PDT-14:05:12.376 PDT) tcpslice 1366750808.651 1366751112.377 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/23/2013 14:06:22.146 PDT Gen. Time: 04/23/2013 14:06:22.146 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 128.223.8.111 (14:06:22.146 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 45 IPs (28 /24s) (# pkts S/M/O/I=0/44/1/0): 22:44, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (14:06:22.146 PDT) tcpslice 1366751182.146 1366751182.147 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/23/2013 15:06:41.394 PDT Gen. Time: 04/23/2013 15:10:57.126 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) 204.123.28.56 (15:10:57.126 PDT) event=777:7777005 {tcp} E5[bh] Detected moderate malware port scanning of 10 IPs (10 /24s) (# pkts S/M/O/I=0/10/0/0): 22:10, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (15:10:57.126 PDT) OUTBOUND SCAN 128.111.52.58 (2) (15:10:54.090 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 49633->22 (15:10:56.367 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 49629->22 (15:10:54.090 PDT) 204.8.155.227 (15:10:40.228 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 36640->22 (15:10:40.228 PDT) 128.42.142.45 (15:06:41.394 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 48983->22 (15:06:41.394 PDT) 72.36.112.79 (15:10:06.493 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 52277->22 (15:10:06.493 PDT) 152.3.138.7 (15:09:45.968 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 58549->22 (15:09:45.968 PDT) 204.123.28.56 (15:06:44.638 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 41658->22 (15:06:44.638 PDT) 141.212.113.180 (15:10:48.248 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 34518->22 (15:10:48.248 PDT) 192.52.240.214 (15:09:14.384 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 36204->22 (15:09:14.384 PDT) ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1366754801.394 1366754801.395 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/23/2013 15:06:41.394 PDT Gen. Time: 04/23/2013 15:14:50.389 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) 204.123.28.56 (15:10:57.126 PDT) event=777:7777005 {tcp} E5[bh] Detected moderate malware port scanning of 10 IPs (10 /24s) (# pkts S/M/O/I=0/10/0/0): 22:10, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (15:10:57.126 PDT) OUTBOUND SCAN 128.111.52.58 (2) (15:10:54.090 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 49633->22 (15:10:56.367 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 49629->22 (15:10:54.090 PDT) 72.36.112.79 (15:10:06.493 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 52277->22 (15:10:06.493 PDT) 131.179.150.70 (15:10:57.126 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 43755->22 (15:10:57.126 PDT) 128.42.142.45 (15:06:41.394 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 48983->22 (15:06:41.394 PDT) 192.52.240.214 (15:09:14.384 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 36204->22 (15:09:14.384 PDT) 204.123.28.56 (15:06:44.638 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 41658->22 (15:06:44.638 PDT) 204.8.155.227 (15:10:40.228 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 36640->22 (15:10:40.228 PDT) 129.82.12.188 (15:10:59.388 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 52716->22 (15:10:59.388 PDT) 141.212.113.180 (15:10:48.248 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 34518->22 (15:10:48.248 PDT) 152.3.138.7 (15:09:45.968 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 58549->22 (15:09:45.968 PDT) 141.212.113.179 (2) (15:11:27.174 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 47616->22 (15:11:45.923 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 47612->22 (15:11:27.174 PDT) 152.3.138.6 (15:11:05.581 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 45344->22 (15:11:05.581 PDT) ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1366754801.394 1366754801.395 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/23/2013 15:15:04.996 PDT Gen. Time: 04/23/2013 15:15:17.380 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) 204.123.28.56 (15:15:04.996 PDT) event=777:7777005 {tcp} E5[bh] Detected moderate malware port scanning of 14 IPs (12 /24s) (# pkts S/M/O/I=0/14/0/0): 22:14, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (15:15:04.996 PDT) OUTBOUND SCAN 13.7.64.22 (15:15:17.380 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 59547->22 (15:15:17.380 PDT) ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1366755304.996 1366755304.997 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' ============================== SEPARATOR ================================ Score: 1.6 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/23/2013 15:15:04.996 PDT Gen. Time: 04/23/2013 15:29:21.215 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) 204.123.28.56 (2) (15:15:04.996 PDT) event=777:7777005 (2) {tcp} E5[bh] Detected moderate malware port scanning of 14 IPs (12 /24s) (# pkts S/M/O/I=0/14/0/0): 22:14, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (15:15:04.996 PDT) 0->0 (15:16:52.613 PDT) OUTBOUND SCAN 128.208.4.197 (15:16:16.101 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 45203->22 (15:16:16.101 PDT) 72.36.112.78 (15:19:11.292 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 43205->22 (15:19:11.292 PDT) 13.7.64.22 (15:15:17.380 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 59547->22 (15:15:17.380 PDT) 155.246.12.164 (15:17:48.430 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 51964->22 (15:17:48.430 PDT) 131.193.34.38 (15:19:28.891 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 47832->22 (15:19:28.891 PDT) 165.91.55.8 (15:17:56.165 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 52091->22 (15:17:56.165 PDT) 128.42.142.44 (15:18:56.590 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 51884->22 (15:18:56.590 PDT) 128.84.154.44 (15:18:47.406 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 50980->22 (15:18:47.406 PDT) 13.7.64.20 (15:19:32.473 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 53790->22 (15:19:32.473 PDT) 192.52.240.213 (15:17:03.932 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 40631->22 (15:17:03.932 PDT) 204.123.28.55 (15:19:23.510 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 56310->22 (15:19:23.510 PDT) 128.252.19.19 (2) (15:19:20.561 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 34492->22 (15:19:20.561 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 34492->22 (15:19:20.561 PDT) 204.8.155.226 (15:17:18.062 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 56895->22 (15:17:18.062 PDT) 198.133.224.147 (2) (15:19:53.939 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 47425->22 (15:19:53.939 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 47425->22 (15:19:53.939 PDT) 128.111.52.59 (15:16:28.994 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 44473->22 (15:16:28.994 PDT) ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 198.133.224.149 (3) (15:21:34.545 PDT) event=777:7777008 (3) {tcp} E8[bh] Detected intense malware port scanning of 33 IPs (22 /24s) (# pkts S/M/O/I=0/33/0/0): 22:33, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (15:21:34.545 PDT) 0->0 (15:23:04.657 PDT) 0->0 (15:25:03.973 PDT) 198.133.224.147 (15:20:00.813 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 29 IPs (20 /24s) (# pkts S/M/O/I=0/29/0/0): 22:29, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (15:20:00.813 PDT) 204.123.28.56 (15:18:30.261 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 21 IPs (16 /24s) (# pkts S/M/O/I=0/21/0/0): 22:21, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (15:18:30.261 PDT) tcpslice 1366755304.996 1366755304.997 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/23/2013 15:40:53.330 PDT Gen. Time: 04/23/2013 15:43:44.660 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) 204.8.155.227 (15:43:44.660 PDT) event=777:7777005 {tcp} E5[bh] Detected moderate malware port scanning of 10 IPs (10 /24s) (# pkts S/M/O/I=0/10/0/0): 22:10, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (15:43:44.660 PDT) OUTBOUND SCAN 128.111.52.58 (15:43:44.229 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 49859->22 (15:43:44.229 PDT) 72.36.112.79 (15:42:32.599 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 52507->22 (15:42:32.599 PDT) 158.130.6.254 (15:41:28.548 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 40440->22 (15:41:28.548 PDT) 128.42.142.45 (15:40:53.330 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 49209->22 (15:40:53.330 PDT) 192.52.240.214 (15:41:39.287 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 36434->22 (15:41:39.287 PDT) 204.123.28.56 (15:41:12.739 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 41884->22 (15:41:12.739 PDT) 204.8.155.227 (15:42:59.756 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 36870->22 (15:42:59.756 PDT) 141.212.113.180 (15:43:26.460 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 34748->22 (15:43:26.460 PDT) 152.3.138.7 (15:42:01.326 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 58779->22 (15:42:01.326 PDT) ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1366756853.330 1366756853.331 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' ============================== SEPARATOR ================================ Score: 1.6 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/23/2013 15:40:53.330 PDT Gen. Time: 04/23/2013 15:58:51.849 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) 204.8.155.227 (3) (15:43:44.660 PDT) event=777:7777005 (3) {tcp} E5[bh] Detected moderate malware port scanning of 10 IPs (10 /24s) (# pkts S/M/O/I=0/10/0/0): 22:10, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (15:43:44.660 PDT) 0->0 (15:45:17.191 PDT) 0->0 (15:46:58.633 PDT) OUTBOUND SCAN 128.111.52.58 (15:43:44.229 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 49859->22 (15:43:44.229 PDT) 128.208.4.197 (15:45:48.221 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 45433->22 (15:45:48.221 PDT) 152.14.93.140 (15:45:21.444 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 58727->22 (15:45:21.444 PDT) 72.36.112.79 (15:42:32.599 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 52507->22 (15:42:32.599 PDT) 131.179.150.70 (2) (15:43:46.367 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 43985->22 (15:43:46.367 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 43985->22 (15:43:46.367 PDT) 13.7.64.22 (15:45:44.734 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 59777->22 (15:45:44.734 PDT) 158.130.6.254 (15:41:28.548 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 40440->22 (15:41:28.548 PDT) 128.42.142.45 (15:40:53.330 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 49209->22 (15:40:53.330 PDT) 192.52.240.214 (15:41:39.287 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 36434->22 (15:41:39.287 PDT) 204.123.28.56 (15:41:12.739 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 41884->22 (15:41:12.739 PDT) 204.8.155.227 (15:42:59.756 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 36870->22 (15:42:59.756 PDT) 129.82.12.188 (15:43:52.494 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 52946->22 (15:43:52.494 PDT) 141.212.113.180 (15:43:26.460 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 34748->22 (15:43:26.460 PDT) 152.3.138.7 (15:42:01.326 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 58779->22 (15:42:01.326 PDT) 141.212.113.179 (15:44:34.559 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 47842->22 (15:44:34.559 PDT) 152.3.138.6 (15:44:18.686 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 45574->22 (15:44:18.686 PDT) ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 204.8.155.227 (5) (15:47:23.515 PDT-15:51:54.970 PDT) event=777:7777008 (5) {tcp} E8[bh] Detected intense malware port scanning of 38 IPs (25 /24s) (# pkts S/M/O/I=0/38/0/0): 22:38, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (15:53:28.715 PDT) 0->0 (15:48:54.263 PDT) 2: 0->0 (15:50:24.325 PDT-15:51:54.970 PDT) 0->0 (15:47:23.515 PDT) tcpslice 1366756853.330 1366757514.971 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/23/2013 16:10:02.729 PDT Gen. Time: 04/23/2013 16:10:09.058 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) 128.84.154.44 (16:10:02.729 PDT) event=777:7777005 {tcp} E5[bh] Detected moderate malware port scanning of 18 IPs (13 /24s) (# pkts S/M/O/I=0/18/0/0): 22:18, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (16:10:02.729 PDT) OUTBOUND SCAN 128.42.142.45 (16:10:09.058 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 49439->22 (16:10:09.058 PDT) ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1366758602.729 1366758602.730 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' ============================== SEPARATOR ================================ Score: 1.6 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/23/2013 16:10:02.729 PDT Gen. Time: 04/23/2013 16:23:13.516 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) 128.84.154.44 (16:10:02.729 PDT) event=777:7777005 {tcp} E5[bh] Detected moderate malware port scanning of 18 IPs (13 /24s) (# pkts S/M/O/I=0/18/0/0): 22:18, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (16:10:02.729 PDT) OUTBOUND SCAN 128.111.52.58 (16:13:05.136 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 50089->22 (16:13:05.136 PDT) 128.208.4.197 (16:14:12.499 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 45663->22 (16:14:12.499 PDT) 152.14.93.140 (16:13:43.593 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 58957->22 (16:13:43.593 PDT) 72.36.112.79 (16:12:43.233 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 52737->22 (16:12:43.233 PDT) 131.179.150.70 (16:13:07.606 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 44215->22 (16:13:07.606 PDT) 13.7.64.22 (16:13:56.710 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 60007->22 (16:13:56.710 PDT) 158.130.6.254 (16:11:00.910 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 40670->22 (16:11:00.910 PDT) 128.42.142.45 (16:10:09.058 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 49439->22 (16:10:09.058 PDT) 192.52.240.214 (16:11:08.363 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 36664->22 (16:11:08.363 PDT) 204.123.28.56 (16:10:12.070 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 42114->22 (16:10:12.070 PDT) 204.8.155.227 (16:12:53.460 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 37100->22 (16:12:53.460 PDT) 129.82.12.188 (16:13:12.877 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 53176->22 (16:13:12.877 PDT) 141.212.113.180 (16:13:01.836 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 34978->22 (16:13:01.836 PDT) 152.3.138.7 (16:12:03.061 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 59009->22 (16:12:03.061 PDT) 141.212.113.179 (2) (16:13:21.493 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 48068->22 (16:13:21.493 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 48072->22 (16:13:26.863 PDT) 152.3.138.6 (16:13:20.062 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 45804->22 (16:13:20.062 PDT) ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 128.84.154.44 (6) (16:11:02.316 PDT-16:12:33.199 PDT) event=777:7777008 (6) {tcp} E8[bh] Detected intense malware port scanning of 27 IPs (19 /24s) (# pkts S/M/O/I=0/27/0/0): 22:27, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (16:14:06.297 PDT) 0->0 (16:17:23.769 PDT) 0->0 (16:19:01.140 PDT) 0->0 (16:15:37.256 PDT) 2: 0->0 (16:11:02.316 PDT-16:12:33.199 PDT) tcpslice 1366758602.729 1366758753.200 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/23/2013 16:26:13.519 PDT Gen. Time: 04/23/2013 16:26:13.519 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 128.84.154.44 (16:26:13.519 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 44 IPs (27 /24s) (# pkts S/M/O/I=0/44/0/0): 22:44, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (16:26:13.519 PDT) tcpslice 1366759573.519 1366759573.520 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/23/2013 16:32:48.562 PDT Gen. Time: 04/23/2013 16:32:48.562 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 128.84.154.44 (16:32:48.562 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 44 IPs (27 /24s) (# pkts S/M/O/I=0/44/0/0): 22:44, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (16:32:48.562 PDT) tcpslice 1366759968.562 1366759968.563 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/23/2013 16:35:13.714 PDT Gen. Time: 04/23/2013 16:35:13.714 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 128.84.154.44 (16:35:13.714 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 44 IPs (27 /24s) (# pkts S/M/O/I=0/44/0/0): 22:44, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (16:35:13.714 PDT) tcpslice 1366760113.714 1366760113.715 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' ============================== SEPARATOR ================================ Score: 1.3 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/23/2013 16:35:13.714 PDT Gen. Time: 04/23/2013 16:40:59.002 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN 128.111.52.58 (16:37:37.007 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 50319->22 (16:37:37.007 PDT) 72.36.112.79 (16:37:14.182 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 52967->22 (16:37:14.182 PDT) 131.179.150.70 (16:37:39.117 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 44445->22 (16:37:39.117 PDT) 158.130.6.254 (16:36:01.013 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 40900->22 (16:36:01.013 PDT) 128.42.142.45 (16:35:27.903 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 49669->22 (16:35:27.903 PDT) 192.52.240.214 (16:36:44.659 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 36894->22 (16:36:44.659 PDT) 204.123.28.56 (16:35:45.336 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 42344->22 (16:35:45.336 PDT) 204.8.155.227 (16:37:27.948 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 37330->22 (16:37:27.948 PDT) 129.82.12.188 (2) (16:37:42.467 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 53404->22 (16:37:42.467 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 53406->22 (16:37:44.913 PDT) 141.212.113.180 (16:37:34.042 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 35208->22 (16:37:34.042 PDT) 152.3.138.7 (16:36:55.423 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 59239->22 (16:36:55.423 PDT) 141.212.113.179 (16:38:05.275 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 48302->22 (16:38:05.275 PDT) 152.3.138.6 (16:37:54.025 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 46034->22 (16:37:54.025 PDT) ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 128.84.154.44 (3) (16:35:13.714 PDT-16:39:04.817 PDT) event=777:7777008 (3) {tcp} E8[bh] Detected intense malware port scanning of 44 IPs (27 /24s) (# pkts S/M/O/I=0/44/0/0): 22:44, [] MAC_Src: 00:01:64:FF:CE:EA 3: 0->0 (16:35:13.714 PDT-16:39:04.817 PDT) tcpslice 1366760113.714 1366760344.818 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/23/2013 16:41:22.684 PDT Gen. Time: 04/23/2013 16:41:22.684 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 128.84.154.44 (16:41:22.684 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 44 IPs (27 /24s) (# pkts S/M/O/I=0/44/0/0): 22:44, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (16:41:22.684 PDT) tcpslice 1366760482.684 1366760482.685 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' ============================== SEPARATOR ================================ Score: 1.3 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/23/2013 16:41:22.684 PDT Gen. Time: 04/23/2013 16:55:30.654 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN 128.208.4.197 (16:42:14.412 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 45891->22 (16:42:14.412 PDT) 128.10.19.52 (16:46:54.405 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 40578->22 (16:46:54.405 PDT) 72.36.112.78 (16:46:18.088 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 43893->22 (16:46:18.088 PDT) 13.7.64.22 (16:41:44.445 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 60235->22 (16:41:44.445 PDT) 155.246.12.164 (16:43:42.800 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 52652->22 (16:43:42.800 PDT) 131.193.34.38 (2) (16:46:29.734 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 48516->22 (16:46:29.734 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 48520->22 (16:46:34.895 PDT) 165.91.55.8 (16:43:58.731 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 52779->22 (16:43:58.731 PDT) 128.42.142.44 (16:46:00.641 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 52572->22 (16:46:00.641 PDT) 128.84.154.44 (16:45:40.635 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 51668->22 (16:45:40.635 PDT) 13.7.64.20 (16:46:39.352 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 54478->22 (16:46:39.352 PDT) 192.52.240.213 (16:42:42.775 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 41319->22 (16:42:42.775 PDT) 204.123.28.55 (16:46:29.256 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 56998->22 (16:46:29.256 PDT) 128.252.19.19 (16:46:26.313 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 35180->22 (16:46:26.313 PDT) 204.8.155.226 (16:43:08.554 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 57583->22 (16:43:08.554 PDT) 198.133.224.147 (16:46:47.242 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 48113->22 (16:46:47.242 PDT) 128.111.52.59 (16:42:17.190 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 45161->22 (16:42:17.190 PDT) ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 128.84.154.44 (7) (16:41:22.684 PDT-16:51:10.540 PDT) event=777:7777008 (7) {tcp} E8[bh] Detected intense malware port scanning of 44 IPs (27 /24s) (# pkts S/M/O/I=0/44/0/0): 22:44, [] MAC_Src: 00:01:64:FF:CE:EA 7: 0->0 (16:41:22.684 PDT-16:51:10.540 PDT) tcpslice 1366760482.684 1366761070.541 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/23/2013 16:52:07.823 PDT Gen. Time: 04/23/2013 16:52:07.823 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 128.84.154.44 (16:52:07.823 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 44 IPs (27 /24s) (# pkts S/M/O/I=0/44/0/0): 22:44, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (16:52:07.823 PDT) tcpslice 1366761127.823 1366761127.824 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/23/2013 17:07:14.517 PDT Gen. Time: 04/23/2013 17:08:08.743 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) 72.36.112.79 (17:08:08.743 PDT) event=777:7777005 {tcp} E5[bh] Detected moderate malware port scanning of 10 IPs (10 /24s) (# pkts S/M/O/I=0/10/0/0): 22:10, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (17:08:08.743 PDT) OUTBOUND SCAN 204.8.155.227 (17:08:01.573 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 37558->22 (17:08:01.573 PDT) 128.42.142.45 (17:07:14.517 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 49897->22 (17:07:14.517 PDT) 72.36.112.79 (17:07:54.119 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 53195->22 (17:07:54.119 PDT) 152.3.138.7 (17:07:46.670 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 59467->22 (17:07:46.670 PDT) 204.123.28.56 (17:07:18.405 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 42572->22 (17:07:18.405 PDT) 141.212.113.180 (2) (17:08:07.718 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 35436->22 (17:08:07.718 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 35436->22 (17:08:07.718 PDT) 192.52.240.214 (2) (17:07:39.548 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 37122->22 (17:07:39.548 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 37122->22 (17:07:39.548 PDT) 158.130.6.254 (17:07:32.219 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 41128->22 (17:07:32.219 PDT) ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1366762034.517 1366762034.518 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' ============================== SEPARATOR ================================ Score: 1.6 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/23/2013 17:07:14.517 PDT Gen. Time: 04/23/2013 17:15:56.012 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) 72.36.112.79 (17:08:08.743 PDT) event=777:7777005 {tcp} E5[bh] Detected moderate malware port scanning of 10 IPs (10 /24s) (# pkts S/M/O/I=0/10/0/0): 22:10, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (17:08:08.743 PDT) OUTBOUND SCAN 128.111.52.58 (17:08:10.499 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 50547->22 (17:08:10.499 PDT) 152.14.93.140 (17:08:38.949 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 59415->22 (17:08:38.949 PDT) 72.36.112.79 (17:07:54.119 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 53195->22 (17:07:54.119 PDT) 131.179.150.70 (17:08:12.827 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 44673->22 (17:08:12.827 PDT) 158.130.6.254 (17:07:32.219 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 41128->22 (17:07:32.219 PDT) 128.42.142.45 (17:07:14.517 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 49897->22 (17:07:14.517 PDT) 192.52.240.214 (2) (17:07:39.548 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 37122->22 (17:07:39.548 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 37122->22 (17:07:39.548 PDT) 204.123.28.56 (17:07:18.405 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 42572->22 (17:07:18.405 PDT) 204.8.155.227 (17:08:01.573 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 37558->22 (17:08:01.573 PDT) 129.82.12.188 (17:08:18.243 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 53634->22 (17:08:18.243 PDT) 141.212.113.180 (2) (17:08:07.718 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 35436->22 (17:08:07.718 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 35436->22 (17:08:07.718 PDT) 152.3.138.7 (17:07:46.670 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 59467->22 (17:07:46.670 PDT) 141.212.113.179 (17:08:32.238 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 48530->22 (17:08:32.238 PDT) 152.3.138.6 (2) (17:08:25.499 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 46262->22 (17:08:25.499 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 46262->22 (17:08:25.499 PDT) ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 13.7.64.22 (17:09:17.893 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 21 IPs (16 /24s) (# pkts S/M/O/I=0/21/0/0): 22:21, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (17:09:17.893 PDT) 72.36.112.78 (17:10:47.514 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 33 IPs (22 /24s) (# pkts S/M/O/I=0/33/0/0): 22:33, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (17:10:47.514 PDT) tcpslice 1366762034.517 1366762034.518 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/23/2013 17:12:16.965 PDT Gen. Time: 04/23/2013 17:12:16.965 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 72.36.112.78 (17:12:16.965 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 44 IPs (27 /24s) (# pkts S/M/O/I=0/44/0/0): 22:44, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (17:12:16.965 PDT) tcpslice 1366762336.965 1366762336.966 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/23/2013 17:27:23.277 PDT Gen. Time: 04/23/2013 17:28:23.070 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) 192.52.240.214 (17:28:23.070 PDT) event=777:7777005 {tcp} E5[bh] Detected moderate malware port scanning of 10 IPs (10 /24s) (# pkts S/M/O/I=0/10/0/0): 22:10, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (17:28:23.070 PDT) OUTBOUND SCAN 128.111.52.58 (17:28:22.681 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 50777->22 (17:28:22.681 PDT) 72.36.112.79 (17:28:06.319 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 53425->22 (17:28:06.319 PDT) 158.130.6.254 (17:27:38.892 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 41358->22 (17:27:38.892 PDT) 128.42.142.45 (17:27:23.277 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 50127->22 (17:27:23.277 PDT) 192.52.240.214 (2) (17:27:46.314 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 37352->22 (17:27:46.314 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 37352->22 (17:27:46.314 PDT) 204.123.28.56 (17:27:26.237 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 42802->22 (17:27:26.237 PDT) 204.8.155.227 (17:28:13.722 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 37788->22 (17:28:13.722 PDT) 141.212.113.180 (2) (17:28:19.894 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 35666->22 (17:28:19.894 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 35666->22 (17:28:19.894 PDT) 152.3.138.7 (17:27:53.892 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 59697->22 (17:27:53.892 PDT) ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1366763243.277 1366763243.278 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' ============================== SEPARATOR ================================ Score: 1.6 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/23/2013 17:27:23.277 PDT Gen. Time: 04/23/2013 17:35:57.012 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) 192.52.240.214 (17:28:23.070 PDT) event=777:7777005 {tcp} E5[bh] Detected moderate malware port scanning of 10 IPs (10 /24s) (# pkts S/M/O/I=0/10/0/0): 22:10, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (17:28:23.070 PDT) OUTBOUND SCAN 128.111.52.58 (17:28:22.681 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 50777->22 (17:28:22.681 PDT) 152.14.93.140 (17:28:50.722 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 59645->22 (17:28:50.722 PDT) 72.36.112.79 (17:28:06.319 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 53425->22 (17:28:06.319 PDT) 131.179.150.70 (17:28:24.878 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 44903->22 (17:28:24.878 PDT) 158.130.6.254 (17:27:38.892 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 41358->22 (17:27:38.892 PDT) 128.42.142.45 (17:27:23.277 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 50127->22 (17:27:23.277 PDT) 192.52.240.214 (2) (17:27:46.314 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 37352->22 (17:27:46.314 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 37352->22 (17:27:46.314 PDT) 204.123.28.56 (17:27:26.237 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 42802->22 (17:27:26.237 PDT) 204.8.155.227 (17:28:13.722 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 37788->22 (17:28:13.722 PDT) 129.82.12.188 (17:28:30.432 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 53864->22 (17:28:30.432 PDT) 141.212.113.180 (2) (17:28:19.894 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 35666->22 (17:28:19.894 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 35666->22 (17:28:19.894 PDT) 152.3.138.7 (17:27:53.892 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 59697->22 (17:27:53.892 PDT) 141.212.113.179 (17:28:44.032 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 48760->22 (17:28:44.032 PDT) 152.3.138.6 (2) (17:28:37.652 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 46492->22 (17:28:37.652 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 46492->22 (17:28:37.652 PDT) ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 128.42.142.44 (2) (17:30:47.829 PDT) event=777:7777008 (2) {tcp} E8[bh] Detected intense malware port scanning of 32 IPs (23 /24s) (# pkts S/M/O/I=0/31/1/0): 22:31, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (17:30:47.829 PDT) 0->0 (17:32:18.644 PDT) 192.52.240.214 (17:29:16.372 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 21 IPs (16 /24s) (# pkts S/M/O/I=0/20/1/0): 22:20, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (17:29:16.372 PDT) tcpslice 1366763243.277 1366763243.278 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/23/2013 17:39:49.806 PDT Gen. Time: 04/23/2013 17:39:49.806 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 128.42.142.44 (17:39:49.806 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 45 IPs (28 /24s) (# pkts S/M/O/I=0/44/1/0): 22:44, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (17:39:49.806 PDT) tcpslice 1366763989.806 1366763989.807 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/23/2013 17:47:31.037 PDT Gen. Time: 04/23/2013 17:47:31.037 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 128.42.142.44 (17:47:31.037 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 45 IPs (28 /24s) (# pkts S/M/O/I=0/44/1/0): 22:44, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (17:47:31.037 PDT) tcpslice 1366764451.037 1366764451.038 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' ============================== SEPARATOR ================================ Score: 1.3 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/23/2013 17:47:31.037 PDT Gen. Time: 04/23/2013 17:57:31.862 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN 128.111.52.58 (17:50:15.857 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 51007->22 (17:50:15.857 PDT) 152.14.93.140 (17:50:45.291 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 59875->22 (17:50:45.291 PDT) 72.36.112.79 (17:49:57.288 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 53655->22 (17:49:57.288 PDT) 131.179.150.70 (17:50:18.365 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 45133->22 (17:50:18.365 PDT) 13.7.64.22 (17:50:49.003 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 60925->22 (17:50:49.003 PDT) 158.130.6.254 (17:49:14.097 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 41588->22 (17:49:14.097 PDT) 128.42.142.45 (17:47:36.751 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 50357->22 (17:47:36.751 PDT) 192.52.240.214 (17:49:41.905 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 37582->22 (17:49:41.905 PDT) 204.123.28.56 (17:47:39.663 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 43032->22 (17:47:39.663 PDT) 204.8.155.227 (2) (17:50:05.126 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 38018->22 (17:50:05.126 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 38018->22 (17:50:05.126 PDT) 129.82.12.188 (2) (17:50:23.904 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 54094->22 (17:50:23.904 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 54094->22 (17:50:23.904 PDT) 141.212.113.180 (17:50:11.882 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 35896->22 (17:50:11.882 PDT) 152.3.138.7 (17:49:49.263 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 59927->22 (17:49:49.263 PDT) 141.212.113.179 (17:50:37.925 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 48990->22 (17:50:37.925 PDT) 152.3.138.6 (17:50:31.395 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 46722->22 (17:50:31.395 PDT) ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 128.42.142.44 (5) (17:47:31.037 PDT-17:53:45.747 PDT) event=777:7777008 (5) {tcp} E8[bh] Detected intense malware port scanning of 45 IPs (28 /24s) (# pkts S/M/O/I=0/44/1/0): 22:44, [] MAC_Src: 00:01:64:FF:CE:EA 5: 0->0 (17:47:31.037 PDT-17:53:45.747 PDT) tcpslice 1366764451.037 1366764825.748 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' ============================== SEPARATOR ================================