Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.98
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 04/22/2013 23:57:46.506 PDT
Gen. Time: 04/23/2013 00:01:46.517 PDT
   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION Info
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
   DECLARE BOT Local Threat Triggered
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN
      189.30.241.60 (2) (23:57:46.506 PDT)
         event=777:7777008 (2) {tcp} E8[bh] Detected intense malware port scanning of 87 IPs (85 /24s) (# pkts S/M/O/I=0/85/2/0): 445:85, [] MAC_Src: 00:21:1C:EE:14:00
         0->0 (23:57:46.506 PDT)
         0->0 (00:00:03.253 PDT)
tcpslice 1366700266.506 1366700266.507 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.98
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 04/23/2013 00:01:57.214 PDT
Gen. Time: 04/23/2013 00:01:57.214 PDT
   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION Info
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
   DECLARE BOT Local Threat Triggered
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN
      189.30.241.60 (00:01:57.214 PDT)
         event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 91 IPs (89 /24s) (# pkts S/M/O/I=0/89/2/0): 445:89, [] MAC_Src: 00:21:1C:EE:14:00
         0->0 (00:01:57.214 PDT)
tcpslice 1366700517.214 1366700517.215 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.98
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 04/23/2013 00:01:57.214 PDT
Gen. Time: 04/23/2013 00:05:57.269 PDT
   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION Info
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
   DECLARE BOT Local Threat Triggered
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN
      189.30.241.60 (2) (00:01:57.214 PDT)
         event=777:7777008 (2) {tcp} E8[bh] Detected intense malware port scanning of 91 IPs (89 /24s) (# pkts S/M/O/I=0/89/2/0): 445:89, [] MAC_Src: 00:21:1C:EE:14:00
         0->0 (00:01:57.214 PDT)
         (00:04:35.254 PDT)
tcpslice 1366700517.214 1366700517.215 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.98
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 04/23/2013 00:09:19.352 PDT
Gen. Time: 04/23/2013 00:09:19.352 PDT
   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION Info
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
   DECLARE BOT Local Threat Triggered
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN
      189.30.241.60 (00:09:19.352 PDT)
         event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 98 IPs (96 /24s) (# pkts S/M/O/I=0/96/2/0): 445:96, [] MAC_Src: 00:21:1C:EE:14:00
         0->0 (00:09:19.352 PDT)
tcpslice 1366700959.352 1366700959.353 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.98
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 04/23/2013 00:14:54.259 PDT
Gen. Time: 04/23/2013 00:14:54.259 PDT
   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION Info
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
   DECLARE BOT Local Threat Triggered
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN
      189.30.241.60 (00:14:54.259 PDT)
         event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 102 IPs (100 /24s) (# pkts S/M/O/I=0/100/2/0): 445:100, [] MAC_Src: 00:21:1C:EE:14:00
         0->0 (00:14:54.259 PDT)
tcpslice 1366701294.259 1366701294.260 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.98
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 04/23/2013 00:14:54.259 PDT
Gen. Time: 04/23/2013 00:18:54.337 PDT
   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION Info
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
   DECLARE BOT Local Threat Triggered
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN
      189.30.241.60 (2) (00:14:54.259 PDT)
         event=777:7777008 (2) {tcp} E8[bh] Detected intense malware port scanning of 102 IPs (100 /24s) (# pkts S/M/O/I=0/100/2/0): 445:100, [] MAC_Src: 00:21:1C:EE:14:00
         0->0 (00:14:54.259 PDT)
         (00:17:38.188 PDT)
tcpslice 1366701294.259 1366701294.260 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.98
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 04/23/2013 00:19:17.259 PDT
Gen. Time: 04/23/2013 00:19:17.259 PDT
   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION Info
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
   DECLARE BOT Local Threat Triggered
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN
      189.30.241.60 (00:19:17.259 PDT)
         event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 105 IPs (103 /24s) (# pkts S/M/O/I=0/103/2/0): 445:103, [] MAC_Src: 00:21:1C:EE:14:00
         0->0 (00:19:17.259 PDT)
tcpslice 1366701557.259 1366701557.260 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.98
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 04/23/2013 00:19:17.259 PDT
Gen. Time: 04/23/2013 00:23:17.280 PDT
   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION Info
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
   DECLARE BOT Local Threat Triggered
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN
      189.30.241.60 (2) (00:19:17.259 PDT)
         event=777:7777008 (2) {tcp} E8[bh] Detected intense malware port scanning of 105 IPs (103 /24s) (# pkts S/M/O/I=0/103/2/0): 445:103, [] MAC_Src: 00:21:1C:EE:14:00
         0->0 (00:19:17.259 PDT)
         0->0 (00:21:32.284 PDT)
tcpslice 1366701557.259 1366701557.260 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.98
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 04/23/2013 00:24:02.400 PDT
Gen. Time: 04/23/2013 00:24:02.400 PDT
   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION Info
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
   DECLARE BOT Local Threat Triggered
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN
      189.30.241.60 (00:24:02.400 PDT)
         event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 109 IPs (107 /24s) (# pkts S/M/O/I=0/107/2/0): 445:107, [] MAC_Src: 00:21:1C:EE:14:00
         0->0 (00:24:02.400 PDT)
tcpslice 1366701842.400 1366701842.401 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.98
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 04/23/2013 00:24:02.400 PDT
Gen. Time: 04/23/2013 00:28:02.437 PDT
   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION Info
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
   DECLARE BOT Local Threat Triggered
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN
      189.30.241.60 (2) (00:24:02.400 PDT)
         event=777:7777008 (2) {tcp} E8[bh] Detected intense malware port scanning of 109 IPs (107 /24s) (# pkts S/M/O/I=0/107/2/0): 445:107, [] MAC_Src: 00:21:1C:EE:14:00
         0->0 (00:24:02.400 PDT)
         0->0 (00:25:57.249 PDT)
tcpslice 1366701842.400 1366701842.401 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.98
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 04/23/2013 00:30:56.365 PDT
Gen. Time: 04/23/2013 00:30:56.365 PDT
   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION Info
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
   DECLARE BOT Local Threat Triggered
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN
      189.30.241.60 (00:30:56.365 PDT)
         event=777:7777008 {icmp} E8[bh] Detected intense malware port scanning of 114 IPs (112 /24s) (# pkts S/M/O/I=0/112/2/0): 445:112, [] MAC_Src: 00:21:1C:EE:14:00
         (00:30:56.365 PDT)
tcpslice 1366702256.365 1366702256.366 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.98
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 04/23/2013 00:30:56.365 PDT
Gen. Time: 04/23/2013 00:34:55.684 PDT
   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION Info
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
   DECLARE BOT Local Threat Triggered
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN
      189.30.241.60 (2) (00:30:56.365 PDT)
         event=777:7777008 (2) {icmp} E8[bh] Detected intense malware port scanning of 114 IPs (112 /24s) (# pkts S/M/O/I=0/112/2/0): 445:112, [] MAC_Src: 00:21:1C:EE:14:00
         (00:30:56.365 PDT)
         (00:32:50.383 PDT)
tcpslice 1366702256.365 1366702256.366 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.98
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 04/23/2013 00:35:01.157 PDT
Gen. Time: 04/23/2013 00:35:01.157 PDT
   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION Info
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
   DECLARE BOT Local Threat Triggered
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN
      189.30.241.60 (00:35:01.157 PDT)
         event=777:7777008 {icmp} E8[bh] Detected intense malware port scanning of 119 IPs (117 /24s) (# pkts S/M/O/I=0/117/2/0): 445:117, [] MAC_Src: 00:21:1C:EE:14:00
         (00:35:01.157 PDT)
tcpslice 1366702501.157 1366702501.158 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.98
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 04/23/2013 00:35:01.157 PDT
Gen. Time: 04/23/2013 00:39:01.189 PDT
   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION Info
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
   DECLARE BOT Local Threat Triggered
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN
      189.30.241.60 (2) (00:35:01.157 PDT)
         event=777:7777008 (2) {icmp} E8[bh] Detected intense malware port scanning of 119 IPs (117 /24s) (# pkts S/M/O/I=0/117/2/0): 445:117, [] MAC_Src: 00:21:1C:EE:14:00
         (00:35:01.157 PDT)
         0->0 (00:37:22.281 PDT)
tcpslice 1366702501.157 1366702501.158 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.98
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 04/23/2013 00:40:08.431 PDT
Gen. Time: 04/23/2013 00:40:08.431 PDT
   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION Info
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
   DECLARE BOT Local Threat Triggered
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN
      189.30.241.60 (00:40:08.431 PDT)
         event=777:7777008 {icmp} E8[bh] Detected intense malware port scanning of 124 IPs (122 /24s) (# pkts S/M/O/I=0/122/2/0): 445:122, [] MAC_Src: 00:21:1C:EE:14:00
         (00:40:08.431 PDT)
tcpslice 1366702808.431 1366702808.432 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.98
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 04/23/2013 00:40:08.431 PDT
Gen. Time: 04/23/2013 00:44:08.828 PDT
   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION Info
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
   DECLARE BOT Local Threat Triggered
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN
      189.30.241.60 (2) (00:40:08.431 PDT)
         event=777:7777008 (2) {icmp} E8[bh] Detected intense malware port scanning of 124 IPs (122 /24s) (# pkts S/M/O/I=0/122/2/0): 445:122, [] MAC_Src: 00:21:1C:EE:14:00
         (00:40:08.431 PDT)
         (00:42:53.486 PDT)
tcpslice 1366702808.431 1366702808.432 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.98
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 04/23/2013 00:44:28.422 PDT
Gen. Time: 04/23/2013 00:44:28.422 PDT
   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION Info
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
   DECLARE BOT Local Threat Triggered
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN
      189.30.241.60 (00:44:28.422 PDT)
         event=777:7777008 {icmp} E8[bh] Detected intense malware port scanning of 130 IPs (128 /24s) (# pkts S/M/O/I=0/128/2/0): 445:128, [] MAC_Src: 00:21:1C:EE:14:00
         (00:44:28.422 PDT)
tcpslice 1366703068.422 1366703068.423 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.98
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 04/23/2013 00:50:17.269 PDT
Gen. Time: 04/23/2013 00:50:17.269 PDT
   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION Info
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
   DECLARE BOT Local Threat Triggered
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN
      189.30.241.60 (00:50:17.269 PDT)
         event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 132 IPs (130 /24s) (# pkts S/M/O/I=0/130/2/0): 445:130, [] MAC_Src: 00:21:1C:EE:14:00
         0->0 (00:50:17.269 PDT)
tcpslice 1366703417.269 1366703417.270 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.98
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 04/23/2013 00:50:17.269 PDT
Gen. Time: 04/23/2013 00:54:17.272 PDT
   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION Info
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
   DECLARE BOT Local Threat Triggered
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN
      189.30.241.60 (3) (00:50:17.269 PDT)
         event=777:7777008 (3) {tcp} E8[bh] Detected intense malware port scanning of 132 IPs (130 /24s) (# pkts S/M/O/I=0/130/2/0): 445:130, [] MAC_Src: 00:21:1C:EE:14:00
         0->0 (00:50:17.269 PDT)
         (00:51:49.336 PDT)
         0->0 (00:53:27.849 PDT)
tcpslice 1366703417.269 1366703417.270 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.98
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 04/23/2013 00:58:28.808 PDT
Gen. Time: 04/23/2013 00:58:28.808 PDT
   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION Info
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
   DECLARE BOT Local Threat Triggered
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN
      189.30.241.60 (00:58:28.808 PDT)
         event=777:7777008 {icmp} E8[bh] Detected intense malware port scanning of 137 IPs (135 /24s) (# pkts S/M/O/I=0/135/2/0): 445:135, [] MAC_Src: 00:21:1C:EE:14:00
         (00:58:28.808 PDT)
tcpslice 1366703908.808 1366703908.809 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.98
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 04/23/2013 00:58:28.808 PDT
Gen. Time: 04/23/2013 01:02:29.165 PDT
   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION Info
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
   DECLARE BOT Local Threat Triggered
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN
      189.30.241.60 (2) (00:58:28.808 PDT)
         event=777:7777008 (2) {icmp} E8[bh] Detected intense malware port scanning of 137 IPs (135 /24s) (# pkts S/M/O/I=0/135/2/0): 445:135, [] MAC_Src: 00:21:1C:EE:14:00
         (00:58:28.808 PDT)
         (01:01:27.188 PDT)
tcpslice 1366703908.808 1366703908.809 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.98
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 04/23/2013 01:03:14.298 PDT
Gen. Time: 04/23/2013 01:03:14.298 PDT
   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION Info
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
   DECLARE BOT Local Threat Triggered
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN
      189.30.241.60 (01:03:14.298 PDT)
         event=777:7777008 {icmp} E8[bh] Detected intense malware port scanning of 142 IPs (140 /24s) (# pkts S/M/O/I=0/140/2/0): 445:140, [] MAC_Src: 00:21:1C:EE:14:00
         (01:03:14.298 PDT)
tcpslice 1366704194.298 1366704194.299 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.98
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 04/23/2013 01:03:14.298 PDT
Gen. Time: 04/23/2013 01:07:15.175 PDT
   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION Info
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
   DECLARE BOT Local Threat Triggered
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN
      189.30.241.60 (2) (01:03:14.298 PDT)
         event=777:7777008 (2) {icmp} E8[bh] Detected intense malware port scanning of 142 IPs (140 /24s) (# pkts S/M/O/I=0/140/2/0): 445:140, [] MAC_Src: 00:21:1C:EE:14:00
         (01:03:14.298 PDT)
         (01:04:45.337 PDT)
tcpslice 1366704194.298 1366704194.299 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.98
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 04/23/2013 01:09:52.351 PDT
Gen. Time: 04/23/2013 01:09:52.351 PDT
   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION Info
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
   DECLARE BOT Local Threat Triggered
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN
      189.30.241.60 (01:09:52.351 PDT)
         event=777:7777008 {icmp} E8[bh] Detected intense malware port scanning of 147 IPs (144 /24s) (# pkts S/M/O/I=0/145/2/0): 445:145, [] MAC_Src: 00:21:1C:EE:14:00
         (01:09:52.351 PDT)
tcpslice 1366704592.351 1366704592.352 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.98
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 04/23/2013 01:09:52.351 PDT
Gen. Time: 04/23/2013 01:13:52.432 PDT
   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION Info
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
   DECLARE BOT Local Threat Triggered
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN
      189.30.241.60 (2) (01:09:52.351 PDT)
         event=777:7777008 (2) {icmp} E8[bh] Detected intense malware port scanning of 147 IPs (144 /24s) (# pkts S/M/O/I=0/145/2/0): 445:145, [] MAC_Src: 00:21:1C:EE:14:00
         (01:09:52.351 PDT)
         0->0 (01:11:24.506 PDT)
tcpslice 1366704592.351 1366704592.352 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.98
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 04/23/2013 01:16:48.812 PDT
Gen. Time: 04/23/2013 01:16:48.812 PDT
   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION Info
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
   DECLARE BOT Local Threat Triggered
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN
      189.30.241.60 (01:16:48.812 PDT)
         event=777:7777008 {icmp} E8[bh] Detected intense malware port scanning of 152 IPs (149 /24s) (# pkts S/M/O/I=0/150/2/0): 445:150, [] MAC_Src: 00:21:1C:EE:14:00
         (01:16:48.812 PDT)
tcpslice 1366705008.812 1366705008.813 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.98
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 04/23/2013 01:16:48.812 PDT
Gen. Time: 04/23/2013 01:20:48.889 PDT
   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION Info
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
   DECLARE BOT Local Threat Triggered
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN
      189.30.241.60 (2) (01:16:48.812 PDT)
         event=777:7777008 (2) {icmp} E8[bh] Detected intense malware port scanning of 152 IPs (149 /24s) (# pkts S/M/O/I=0/150/2/0): 445:150, [] MAC_Src: 00:21:1C:EE:14:00
         (01:16:48.812 PDT)
         (01:19:33.317 PDT)
tcpslice 1366705008.812 1366705008.813 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.98
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 04/23/2013 01:26:17.359 PDT
Gen. Time: 04/23/2013 01:26:17.359 PDT
   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION Info
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
   DECLARE BOT Local Threat Triggered
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN
      189.30.241.60 (01:26:17.359 PDT)
         event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 155 IPs (151 /24s) (# pkts S/M/O/I=0/153/2/0): 445:153, [] MAC_Src: 00:21:1C:EE:14:00
         0->0 (01:26:17.359 PDT)
tcpslice 1366705577.359 1366705577.360 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.98
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 04/23/2013 01:31:59.144 PDT
Gen. Time: 04/23/2013 01:31:59.144 PDT
   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION Info
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
   DECLARE BOT Local Threat Triggered
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN
      189.30.241.60 (01:31:59.144 PDT)
         event=777:7777008 {icmp} E8[bh] Detected intense malware port scanning of 159 IPs (155 /24s) (# pkts S/M/O/I=0/157/2/0): 445:157, [] MAC_Src: 00:21:1C:EE:14:00
         (01:31:59.144 PDT)
tcpslice 1366705919.144 1366705919.145 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.98
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 04/23/2013 01:31:59.144 PDT
Gen. Time: 04/23/2013 01:35:59.232 PDT
   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION Info
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
   DECLARE BOT Local Threat Triggered
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN
      189.30.241.60 (2) (01:31:59.144 PDT)
         event=777:7777008 (2) {icmp} E8[bh] Detected intense malware port scanning of 159 IPs (155 /24s) (# pkts S/M/O/I=0/157/2/0): 445:157, [] MAC_Src: 00:21:1C:EE:14:00
         (01:31:59.144 PDT)
         0->0 (01:33:54.444 PDT)
tcpslice 1366705919.144 1366705919.145 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.98
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 04/23/2013 01:36:02.936 PDT
Gen. Time: 04/23/2013 01:36:02.936 PDT
   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION Info
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
   DECLARE BOT Local Threat Triggered
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN
      189.30.241.60 (01:36:02.936 PDT)
         event=777:7777008 {icmp} E8[bh] Detected intense malware port scanning of 166 IPs (161 /24s) (# pkts S/M/O/I=0/164/2/0): 445:164, [] MAC_Src: 00:21:1C:EE:14:00
         (01:36:02.936 PDT)
tcpslice 1366706162.936 1366706162.937 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.98
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 04/23/2013 01:36:02.936 PDT
Gen. Time: 04/23/2013 01:40:03.352 PDT
   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION Info
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
   DECLARE BOT Local Threat Triggered
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN
      189.30.241.60 (2) (01:36:02.936 PDT)
         event=777:7777008 (2) {icmp} E8[bh] Detected intense malware port scanning of 166 IPs (161 /24s) (# pkts S/M/O/I=0/164/2/0): 445:164, [] MAC_Src: 00:21:1C:EE:14:00
         (01:36:02.936 PDT)
         0->0 (01:38:30.207 PDT)
tcpslice 1366706162.936 1366706162.937 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.98
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 04/23/2013 01:40:26.301 PDT
Gen. Time: 04/23/2013 01:40:26.301 PDT
   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION Info
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
   DECLARE BOT Local Threat Triggered
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN
      189.30.241.60 (01:40:26.301 PDT)
         event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 169 IPs (164 /24s) (# pkts S/M/O/I=0/167/2/0): 445:167, [] MAC_Src: 00:21:1C:EE:14:00
         0->0 (01:40:26.301 PDT)
tcpslice 1366706426.301 1366706426.302 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.98
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 04/23/2013 01:40:26.301 PDT
Gen. Time: 04/23/2013 01:44:26.338 PDT
   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION Info
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
   DECLARE BOT Local Threat Triggered
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN
      189.30.241.60 (2) (01:40:26.301 PDT)
         event=777:7777008 (2) {tcp} E8[bh] Detected intense malware port scanning of 169 IPs (164 /24s) (# pkts S/M/O/I=0/167/2/0): 445:167, [] MAC_Src: 00:21:1C:EE:14:00
         0->0 (01:40:26.301 PDT)
         (01:42:39.426 PDT)
tcpslice 1366706426.301 1366706426.302 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.98
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 04/23/2013 01:44:46.208 PDT
Gen. Time: 04/23/2013 01:44:46.208 PDT
   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION Info
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
   DECLARE BOT Local Threat Triggered
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN
      189.30.241.60 (01:44:46.208 PDT)
         event=777:7777008 {icmp} E8[bh] Detected intense malware port scanning of 171 IPs (166 /24s) (# pkts S/M/O/I=0/169/2/0): 445:169, [] MAC_Src: 00:21:1C:EE:14:00
         (01:44:46.208 PDT)
tcpslice 1366706686.208 1366706686.209 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.98
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 04/23/2013 01:44:46.208 PDT
Gen. Time: 04/23/2013 01:48:46.231 PDT
   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION Info
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
   DECLARE BOT Local Threat Triggered
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN
      189.30.241.60 (3) (01:44:46.208 PDT)
         event=777:7777008 (3) {icmp} E8[bh] Detected intense malware port scanning of 171 IPs (166 /24s) (# pkts S/M/O/I=0/169/2/0): 445:169, [] MAC_Src: 00:21:1C:EE:14:00
         (01:44:46.208 PDT)
         (01:46:30.342 PDT)
         0->0 (01:48:03.458 PDT)
tcpslice 1366706686.208 1366706686.209 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.98
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 04/23/2013 01:49:58.226 PDT
Gen. Time: 04/23/2013 01:49:58.226 PDT
   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION Info
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
   DECLARE BOT Local Threat Triggered
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN
      189.30.241.60 (01:49:58.226 PDT)
         event=777:7777008 {icmp} E8[bh] Detected intense malware port scanning of 175 IPs (170 /24s) (# pkts S/M/O/I=0/173/2/0): 445:173, [] MAC_Src: 00:21:1C:EE:14:00
         (01:49:58.226 PDT)
tcpslice 1366706998.226 1366706998.227 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.98
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 04/23/2013 01:49:58.226 PDT
Gen.
Time: 04/23/2013 01:53:58.475 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 189.30.241.60 (2) (01:49:58.226 PDT) event=777:7777008 (2) {icmp} E8[bh] Detected intense malware port scanning of 175 IPs (170 /24s) (# pkts S/M/O/I=0/173/2/0): 445:173, [] MAC_Src: 00:21:1C:EE:14:00 (01:49:58.226 PDT) (01:51:42.341 PDT) tcpslice 1366706998.226 1366706998.227 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/23/2013 02:37:19.378 PDT Gen. Time: 04/23/2013 02:37:19.378 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 177.39.185.116 (02:37:19.378 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 21 IPs (21 /24s) (# pkts S/M/O/I=0/21/0/0): 445:21, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (02:37:19.378 PDT) tcpslice 1366709839.378 1366709839.379 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/23/2013 02:37:19.378 PDT Gen. 
Time: 04/23/2013 02:41:19.558 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 177.39.185.116 (2) (02:37:19.378 PDT) event=777:7777008 (2) {tcp} E8[bh] Detected intense malware port scanning of 21 IPs (21 /24s) (# pkts S/M/O/I=0/21/0/0): 445:21, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (02:37:19.378 PDT) 0->0 (02:39:23.427 PDT) tcpslice 1366709839.378 1366709839.379 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/23/2013 02:41:22.332 PDT Gen. Time: 04/23/2013 02:41:22.332 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 177.39.185.116 (02:41:22.332 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 23 IPs (23 /24s) (# pkts S/M/O/I=0/23/0/0): 445:23, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (02:41:22.332 PDT) tcpslice 1366710082.332 1366710082.333 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/23/2013 02:41:22.332 PDT Gen. 
Time: 04/23/2013 02:45:22.438 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 177.39.185.116 (2) (02:41:22.332 PDT) event=777:7777008 (2) {tcp} E8[bh] Detected intense malware port scanning of 23 IPs (23 /24s) (# pkts S/M/O/I=0/23/0/0): 445:23, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (02:41:22.332 PDT) 0->0 (02:44:34.192 PDT) tcpslice 1366710082.332 1366710082.333 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/23/2013 02:47:13.179 PDT Gen. Time: 04/23/2013 02:47:13.179 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 177.39.185.116 (02:47:13.179 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 28 IPs (28 /24s) (# pkts S/M/O/I=0/28/0/0): 445:28, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (02:47:13.179 PDT) tcpslice 1366710433.179 1366710433.180 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/23/2013 02:47:13.179 PDT Gen. 
Time: 04/23/2013 02:51:14.544 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 177.73.216.74 (02:50:16.412 PDT) event=777:7777008 {icmp} E8[bh] Detected intense malware port scanning of 32 IPs (32 /24s) (# pkts S/M/O/I=0/32/0/0): 445:32, [] MAC_Src: 00:21:1C:EE:14:00 (02:50:16.412 PDT) 177.39.185.116 (2) (02:47:13.179 PDT) event=777:7777008 (2) {tcp} E8[bh] Detected intense malware port scanning of 28 IPs (28 /24s) (# pkts S/M/O/I=0/28/0/0): 445:28, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (02:47:13.179 PDT) (02:48:43.174 PDT) tcpslice 1366710433.179 1366710433.180 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/23/2013 02:53:25.114 PDT Gen. 
Time: 04/23/2013 02:53:25.114 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 177.73.216.74 (02:53:25.114 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 33 IPs (33 /24s) (# pkts S/M/O/I=0/33/0/0): 445:33, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (02:53:25.114 PDT) tcpslice 1366710805.114 1366710805.115 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/23/2013 02:53:25.114 PDT Gen. Time: 04/23/2013 02:57:25.181 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 177.73.216.74 (2) (02:53:25.114 PDT) event=777:7777008 (2) {tcp} E8[bh] Detected intense malware port scanning of 33 IPs (33 /24s) (# pkts S/M/O/I=0/33/0/0): 445:33, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (02:53:25.114 PDT) 0->0 (02:55:02.324 PDT) tcpslice 1366710805.114 1366710805.115 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/23/2013 02:57:39.285 PDT Gen. 
Time: 04/23/2013 02:57:39.285 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 177.73.216.74 (02:57:39.285 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 39 IPs (39 /24s) (# pkts S/M/O/I=0/39/0/0): 445:39, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (02:57:39.285 PDT) tcpslice 1366711059.285 1366711059.286 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/23/2013 02:57:39.285 PDT Gen. Time: 04/23/2013 03:01:39.358 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 177.73.216.74 (2) (02:57:39.285 PDT) event=777:7777008 (2) {tcp} E8[bh] Detected intense malware port scanning of 39 IPs (39 /24s) (# pkts S/M/O/I=0/39/0/0): 445:39, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (02:57:39.285 PDT) (03:00:06.233 PDT) tcpslice 1366711059.285 1366711059.286 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/23/2013 03:03:02.374 PDT Gen. 
Time: 04/23/2013 03:03:02.374 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 177.73.216.74 (03:03:02.374 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 44 IPs (44 /24s) (# pkts S/M/O/I=0/44/0/0): 445:44, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (03:03:02.374 PDT) tcpslice 1366711382.374 1366711382.375 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/23/2013 03:03:02.374 PDT Gen. Time: 04/23/2013 03:07:03.372 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 177.73.216.74 (2) (03:03:02.374 PDT) event=777:7777008 (2) {tcp} E8[bh] Detected intense malware port scanning of 44 IPs (44 /24s) (# pkts S/M/O/I=0/44/0/0): 445:44, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (03:03:02.374 PDT) (03:05:19.146 PDT) tcpslice 1366711382.374 1366711382.375 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/23/2013 03:07:23.770 PDT Gen. 
Time: 04/23/2013 03:07:23.770 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 177.73.216.74 (03:07:23.770 PDT) event=777:7777008 {icmp} E8[bh] Detected intense malware port scanning of 51 IPs (51 /24s) (# pkts S/M/O/I=0/51/0/0): 445:51, [] MAC_Src: 00:21:1C:EE:14:00 (03:07:23.770 PDT) tcpslice 1366711643.770 1366711643.771 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/23/2013 03:07:23.770 PDT Gen. Time: 04/23/2013 03:11:24.098 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 177.73.216.74 (2) (03:07:23.770 PDT) event=777:7777008 (2) {icmp} E8[bh] Detected intense malware port scanning of 51 IPs (51 /24s) (# pkts S/M/O/I=0/51/0/0): 445:51, [] MAC_Src: 00:21:1C:EE:14:00 (03:07:23.770 PDT) 0->0 (03:08:54.396 PDT) tcpslice 1366711643.770 1366711643.771 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/23/2013 03:11:37.264 PDT Gen. 
Time: 04/23/2013 03:11:37.264 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 177.73.216.74 (03:11:37.264 PDT) event=777:7777008 {icmp} E8[bh] Detected intense malware port scanning of 55 IPs (55 /24s) (# pkts S/M/O/I=0/55/0/0): 445:55, [] MAC_Src: 00:21:1C:EE:14:00 (03:11:37.264 PDT) tcpslice 1366711897.264 1366711897.265 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/23/2013 03:11:37.264 PDT Gen. Time: 04/23/2013 03:15:37.319 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 177.73.216.74 (2) (03:11:37.264 PDT) event=777:7777008 (2) {icmp} E8[bh] Detected intense malware port scanning of 55 IPs (55 /24s) (# pkts S/M/O/I=0/55/0/0): 445:55, [] MAC_Src: 00:21:1C:EE:14:00 (03:11:37.264 PDT) (03:13:44.074 PDT) tcpslice 1366711897.264 1366711897.265 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/23/2013 03:15:42.336 PDT Gen. 
Time: 04/23/2013 03:15:42.336 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 177.73.216.74 (03:15:42.336 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 58 IPs (58 /24s) (# pkts S/M/O/I=0/58/0/0): 445:58, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (03:15:42.336 PDT) tcpslice 1366712142.336 1366712142.337 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/23/2013 03:15:42.336 PDT Gen. Time: 04/23/2013 03:19:42.395 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 177.73.216.74 (2) (03:15:42.336 PDT) event=777:7777008 (2) {tcp} E8[bh] Detected intense malware port scanning of 58 IPs (58 /24s) (# pkts S/M/O/I=0/58/0/0): 445:58, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (03:15:42.336 PDT) (03:17:18.119 PDT) tcpslice 1366712142.336 1366712142.337 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/23/2013 03:19:43.481 PDT Gen. 
Time: 04/23/2013 03:19:43.481 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 177.73.216.74 (03:19:43.481 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 61 IPs (61 /24s) (# pkts S/M/O/I=0/61/0/0): 445:61, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (03:19:43.481 PDT) tcpslice 1366712383.481 1366712383.482 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/23/2013 03:24:41.313 PDT Gen. Time: 04/23/2013 03:24:41.313 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 177.73.216.74 (03:24:41.313 PDT) event=777:7777008 {icmp} E8[bh] Detected intense malware port scanning of 62 IPs (62 /24s) (# pkts S/M/O/I=0/62/0/0): 445:62, [] MAC_Src: 00:21:1C:EE:14:00 (03:24:41.313 PDT) tcpslice 1366712681.313 1366712681.314 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/23/2013 03:24:41.313 PDT Gen. 
Time: 04/23/2013 03:28:41.393 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 177.73.216.74 (2) (03:24:41.313 PDT) event=777:7777008 (2) {icmp} E8[bh] Detected intense malware port scanning of 62 IPs (62 /24s) (# pkts S/M/O/I=0/62/0/0): 445:62, [] MAC_Src: 00:21:1C:EE:14:00 (03:24:41.313 PDT) (03:27:44.344 PDT) tcpslice 1366712681.313 1366712681.314 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/23/2013 03:30:11.243 PDT Gen. Time: 04/23/2013 03:30:11.243 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 177.73.216.74 (03:30:11.243 PDT) event=777:7777008 {icmp} E8[bh] Detected intense malware port scanning of 67 IPs (67 /24s) (# pkts S/M/O/I=0/67/0/0): 445:67, [] MAC_Src: 00:21:1C:EE:14:00 (03:30:11.243 PDT) tcpslice 1366713011.243 1366713011.244 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/23/2013 03:30:11.243 PDT Gen. 
Time: 04/23/2013 03:34:11.366 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 177.73.216.74 (2) (03:30:11.243 PDT) event=777:7777008 (2) {icmp} E8[bh] Detected intense malware port scanning of 67 IPs (67 /24s) (# pkts S/M/O/I=0/67/0/0): 445:67, [] MAC_Src: 00:21:1C:EE:14:00 (03:30:11.243 PDT) 0->0 (03:32:23.561 PDT) tcpslice 1366713011.243 1366713011.244 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/23/2013 03:35:45.429 PDT Gen. Time: 04/23/2013 03:35:45.429 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 177.73.216.74 (03:35:45.429 PDT) event=777:7777008 {icmp} E8[bh] Detected intense malware port scanning of 72 IPs (72 /24s) (# pkts S/M/O/I=0/72/0/0): 445:72, [] MAC_Src: 00:21:1C:EE:14:00 (03:35:45.429 PDT) tcpslice 1366713345.429 1366713345.430 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/23/2013 03:39:56.294 PDT Gen. 
Time: 04/23/2013 03:39:56.294 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 177.73.216.74 (03:39:56.294 PDT) event=777:7777008 {icmp} E8[bh] Detected intense malware port scanning of 75 IPs (75 /24s) (# pkts S/M/O/I=0/75/0/0): 445:75, [] MAC_Src: 00:21:1C:EE:14:00 (03:39:56.294 PDT) tcpslice 1366713596.294 1366713596.295 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/23/2013 03:39:56.294 PDT Gen. Time: 04/23/2013 03:43:55.601 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 177.73.216.74 (2) (03:39:56.294 PDT) event=777:7777008 (2) {icmp} E8[bh] Detected intense malware port scanning of 75 IPs (75 /24s) (# pkts S/M/O/I=0/75/0/0): 445:75, [] MAC_Src: 00:21:1C:EE:14:00 (03:39:56.294 PDT) (03:42:36.250 PDT) tcpslice 1366713596.294 1366713596.295 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/23/2013 03:47:37.789 PDT Gen. 
Time: 04/23/2013 03:47:37.789 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 177.73.216.74 (03:47:37.789 PDT) event=777:7777008 {icmp} E8[bh] Detected intense malware port scanning of 81 IPs (81 /24s) (# pkts S/M/O/I=0/81/0/0): 445:81, [] MAC_Src: 00:21:1C:EE:14:00 (03:47:37.789 PDT) tcpslice 1366714057.789 1366714057.790 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/23/2013 03:47:37.789 PDT Gen. Time: 04/23/2013 03:51:37.800 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 177.73.216.74 (3) (03:47:37.789 PDT) event=777:7777008 (3) {icmp} E8[bh] Detected intense malware port scanning of 81 IPs (81 /24s) (# pkts S/M/O/I=0/81/0/0): 445:81, [] MAC_Src: 00:21:1C:EE:14:00 (03:47:37.789 PDT) (03:49:35.116 PDT) (03:51:31.582 PDT) tcpslice 1366714057.789 1366714057.790 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/23/2013 03:55:00.973 PDT Gen. 
Time: 04/23/2013 03:55:00.973 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 177.73.216.74 (03:55:00.973 PDT) event=777:7777008 {icmp} E8[bh] Detected intense malware port scanning of 87 IPs (87 /24s) (# pkts S/M/O/I=0/87/0/0): 445:87, [] MAC_Src: 00:21:1C:EE:14:00 (03:55:00.973 PDT) tcpslice 1366714500.973 1366714500.974 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/23/2013 03:55:00.973 PDT Gen. Time: 04/23/2013 03:59:01.209 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 177.73.216.74 (2) (03:55:00.973 PDT) event=777:7777008 (2) {icmp} E8[bh] Detected intense malware port scanning of 87 IPs (87 /24s) (# pkts S/M/O/I=0/87/0/0): 445:87, [] MAC_Src: 00:21:1C:EE:14:00 (03:55:00.973 PDT) 0->0 (03:57:08.845 PDT) tcpslice 1366714500.973 1366714500.974 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/23/2013 04:00:11.198 PDT Gen. 
Time: 04/23/2013 04:00:11.198 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 177.73.216.74 (04:00:11.198 PDT) event=777:7777008 {icmp} E8[bh] Detected intense malware port scanning of 91 IPs (91 /24s) (# pkts S/M/O/I=0/91/0/0): 445:91, [] MAC_Src: 00:21:1C:EE:14:00 (04:00:11.198 PDT) tcpslice 1366714811.198 1366714811.199 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/23/2013 04:00:11.198 PDT Gen. Time: 04/23/2013 04:04:11.890 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 177.73.216.74 (2) (04:00:11.198 PDT) event=777:7777008 (2) {icmp} E8[bh] Detected intense malware port scanning of 91 IPs (91 /24s) (# pkts S/M/O/I=0/91/0/0): 445:91, [] MAC_Src: 00:21:1C:EE:14:00 (04:00:11.198 PDT) (04:02:17.287 PDT) tcpslice 1366714811.198 1366714811.199 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/23/2013 04:05:31.251 PDT Gen. 
Time: 04/23/2013 04:05:31.251 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 177.73.216.74 (04:05:31.251 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 95 IPs (95 /24s) (# pkts S/M/O/I=0/95/0/0): 445:95, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (04:05:31.251 PDT) tcpslice 1366715131.251 1366715131.252 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/23/2013 04:05:31.251 PDT Gen. Time: 04/23/2013 04:09:31.258 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 177.73.216.74 (2) (04:05:31.251 PDT) event=777:7777008 (2) {tcp} E8[bh] Detected intense malware port scanning of 95 IPs (95 /24s) (# pkts S/M/O/I=0/95/0/0): 445:95, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (04:05:31.251 PDT) (04:07:17.169 PDT) tcpslice 1366715131.251 1366715131.252 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/23/2013 04:11:57.460 PDT Gen. 
Time: 04/23/2013 04:11:57.460 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 177.73.216.74 (04:11:57.460 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 101 IPs (101 /24s) (# pkts S/M/O/I=0/101/0/0): 445:101, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (04:11:57.460 PDT) tcpslice 1366715517.460 1366715517.461 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/23/2013 04:11:57.460 PDT Gen. Time: 04/23/2013 04:15:57.591 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 177.73.216.74 (2) (04:11:57.460 PDT) event=777:7777008 (2) {tcp} E8[bh] Detected intense malware port scanning of 101 IPs (101 /24s) (# pkts S/M/O/I=0/101/0/0): 445:101, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (04:11:57.460 PDT) (04:13:40.361 PDT) tcpslice 1366715517.460 1366715517.461 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/23/2013 04:16:36.655 PDT Gen. 
Time: 04/23/2013 04:16:36.655 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 177.73.216.74 (04:16:36.655 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 105 IPs (105 /24s) (# pkts S/M/O/I=0/105/0/0): 445:105, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (04:16:36.655 PDT) tcpslice 1366715796.655 1366715796.656 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/23/2013 04:16:36.655 PDT Gen. Time: 04/23/2013 04:20:36.676 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 177.73.216.74 (2) (04:16:36.655 PDT) event=777:7777008 (2) {tcp} E8[bh] Detected intense malware port scanning of 105 IPs (105 /24s) (# pkts S/M/O/I=0/105/0/0): 445:105, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (04:16:36.655 PDT) (04:18:07.176 PDT) tcpslice 1366715796.655 1366715796.656 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/23/2013 04:20:40.116 PDT Gen. 
Time: 04/23/2013 04:20:40.116 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 177.73.216.74 (04:20:40.116 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 108 IPs (108 /24s) (# pkts S/M/O/I=0/108/0/0): 445:108, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (04:20:40.116 PDT) tcpslice 1366716040.116 1366716040.117 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/23/2013 04:27:10.055 PDT Gen. Time: 04/23/2013 04:27:10.055 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 177.73.216.74 (04:27:10.055 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 110 IPs (110 /24s) (# pkts S/M/O/I=0/110/0/0): 445:110, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (04:27:10.055 PDT) tcpslice 1366716430.055 1366716430.056 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/23/2013 04:31:13.434 PDT Gen. 
Time: 04/23/2013 04:31:13.434 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 177.73.216.74 (04:31:13.434 PDT) event=777:7777008 {icmp} E8[bh] Detected intense malware port scanning of 111 IPs (111 /24s) (# pkts S/M/O/I=0/111/0/0): 445:111, [] MAC_Src: 00:21:1C:EE:14:00 (04:31:13.434 PDT) tcpslice 1366716673.434 1366716673.435 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/23/2013 04:31:13.434 PDT Gen. Time: 04/23/2013 04:35:14.813 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 177.73.216.74 (2) (04:31:13.434 PDT) event=777:7777008 (2) {icmp} E8[bh] Detected intense malware port scanning of 111 IPs (111 /24s) (# pkts S/M/O/I=0/111/0/0): 445:111, [] MAC_Src: 00:21:1C:EE:14:00 (04:31:13.434 PDT) (04:32:47.488 PDT) tcpslice 1366716673.434 1366716673.435 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/23/2013 04:35:24.198 PDT Gen. 
Time: 04/23/2013 04:35:24.198 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 177.73.216.74 (04:35:24.198 PDT) event=777:7777008 {icmp} E8[bh] Detected intense malware port scanning of 115 IPs (115 /24s) (# pkts S/M/O/I=0/115/0/0): 445:115, [] MAC_Src: 00:21:1C:EE:14:00 (04:35:24.198 PDT) tcpslice 1366716924.198 1366716924.199 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/23/2013 04:35:24.198 PDT Gen. Time: 04/23/2013 04:39:25.435 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 177.73.216.74 (3) (04:35:24.198 PDT) event=777:7777008 (3) {icmp} E8[bh] Detected intense malware port scanning of 115 IPs (115 /24s) (# pkts S/M/O/I=0/115/0/0): 445:115, [] MAC_Src: 00:21:1C:EE:14:00 (04:35:24.198 PDT) 0->0 (04:37:16.377 PDT) (04:38:52.437 PDT) tcpslice 1366716924.198 1366716924.199 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/23/2013 04:42:16.334 PDT Gen. 
Time: 04/23/2013 04:42:16.334 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 177.73.216.74 (04:42:16.334 PDT) event=777:7777008 {icmp} E8[bh] Detected intense malware port scanning of 121 IPs (121 /24s) (# pkts S/M/O/I=0/121/0/0): 445:121, [] MAC_Src: 00:21:1C:EE:14:00 (04:42:16.334 PDT) tcpslice 1366717336.334 1366717336.335 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/23/2013 04:42:16.334 PDT Gen. Time: 04/23/2013 04:46:16.334 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 177.73.216.74 (2) (04:42:16.334 PDT) event=777:7777008 (2) {icmp} E8[bh] Detected intense malware port scanning of 121 IPs (121 /24s) (# pkts S/M/O/I=0/121/0/0): 445:121, [] MAC_Src: 00:21:1C:EE:14:00 (04:42:16.334 PDT) (04:44:38.500 PDT) tcpslice 1366717336.334 1366717336.335 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/23/2013 04:48:18.188 PDT Gen. 
Time: 04/23/2013 04:48:18.188 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 177.73.216.74 (04:48:18.188 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 126 IPs (126 /24s) (# pkts S/M/O/I=0/126/0/0): 445:126, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (04:48:18.188 PDT) tcpslice 1366717698.188 1366717698.189 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/23/2013 04:48:18.188 PDT Gen. Time: 04/23/2013 04:52:18.303 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 177.73.216.74 (2) (04:48:18.188 PDT) event=777:7777008 (2) {tcp} E8[bh] Detected intense malware port scanning of 126 IPs (126 /24s) (# pkts S/M/O/I=0/126/0/0): 445:126, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (04:48:18.188 PDT) 0->0 (04:50:43.316 PDT) tcpslice 1366717698.188 1366717698.189 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/23/2013 04:53:17.353 PDT Gen. 
Time: 04/23/2013 04:53:17.353 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 177.73.216.74 (04:53:17.353 PDT) event=777:7777008 {icmp} E8[bh] Detected intense malware port scanning of 130 IPs (130 /24s) (# pkts S/M/O/I=0/130/0/0): 445:130, [] MAC_Src: 00:21:1C:EE:14:00 (04:53:17.353 PDT) tcpslice 1366717997.353 1366717997.354 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/23/2013 04:53:17.353 PDT Gen. Time: 04/23/2013 04:57:17.356 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 177.73.216.74 (2) (04:53:17.353 PDT) event=777:7777008 (2) {icmp} E8[bh] Detected intense malware port scanning of 130 IPs (130 /24s) (# pkts S/M/O/I=0/130/0/0): 445:130, [] MAC_Src: 00:21:1C:EE:14:00 (04:53:17.353 PDT) 0->0 (04:55:00.783 PDT) tcpslice 1366717997.353 1366717997.354 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/23/2013 04:57:37.208 PDT Gen. 
Time: 04/23/2013 04:57:37.208 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 177.73.216.74 (04:57:37.208 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 132 IPs (132 /24s) (# pkts S/M/O/I=0/132/0/0): 445:132, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (04:57:37.208 PDT) tcpslice 1366718257.208 1366718257.209 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/23/2013 04:57:37.208 PDT Gen. Time: 04/23/2013 05:01:37.218 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 177.73.216.74 (2) (04:57:37.208 PDT) event=777:7777008 (2) {tcp} E8[bh] Detected intense malware port scanning of 132 IPs (132 /24s) (# pkts S/M/O/I=0/132/0/0): 445:132, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (04:57:37.208 PDT) (05:00:39.343 PDT) tcpslice 1366718257.208 1366718257.209 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/23/2013 05:05:49.403 PDT Gen. 
Time: 04/23/2013 05:05:49.403 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 177.73.216.74 (05:05:49.403 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 135 IPs (135 /24s) (# pkts S/M/O/I=0/135/0/0): 445:135, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (05:05:49.403 PDT) tcpslice 1366718749.403 1366718749.404 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/23/2013 05:05:49.403 PDT Gen. Time: 04/23/2013 05:09:49.426 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 177.73.216.74 (2) (05:05:49.403 PDT) event=777:7777008 (2) {tcp} E8[bh] Detected intense malware port scanning of 135 IPs (135 /24s) (# pkts S/M/O/I=0/135/0/0): 445:135, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (05:05:49.403 PDT) (05:09:08.248 PDT) tcpslice 1366718749.403 1366718749.404 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/23/2013 05:10:42.316 PDT Gen. 
Time: 04/23/2013 05:10:42.316 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 177.73.216.74 (05:10:42.316 PDT) event=777:7777008 {icmp} E8[bh] Detected intense malware port scanning of 138 IPs (138 /24s) (# pkts S/M/O/I=0/138/0/0): 445:138, [] MAC_Src: 00:21:1C:EE:14:00 (05:10:42.316 PDT) tcpslice 1366719042.316 1366719042.317 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/23/2013 05:10:42.316 PDT Gen. Time: 04/23/2013 05:14:42.331 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 177.73.216.74 (2) (05:10:42.316 PDT) event=777:7777008 (2) {icmp} E8[bh] Detected intense malware port scanning of 138 IPs (138 /24s) (# pkts S/M/O/I=0/138/0/0): 445:138, [] MAC_Src: 00:21:1C:EE:14:00 (05:10:42.316 PDT) 0->0 (05:12:45.282 PDT) tcpslice 1366719042.316 1366719042.317 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/23/2013 05:15:35.751 PDT Gen. 
Time: 04/23/2013 05:15:35.751 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 177.73.216.74 (05:15:35.751 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 143 IPs (143 /24s) (# pkts S/M/O/I=0/143/0/0): 445:143, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (05:15:35.751 PDT) tcpslice 1366719335.751 1366719335.752 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/23/2013 05:15:35.751 PDT Gen. Time: 04/23/2013 05:19:35.826 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 177.73.216.74 (3) (05:15:35.751 PDT) event=777:7777008 (3) {tcp} E8[bh] Detected intense malware port scanning of 143 IPs (143 /24s) (# pkts S/M/O/I=0/143/0/0): 445:143, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (05:15:35.751 PDT) (05:17:24.221 PDT) (05:19:14.226 PDT) tcpslice 1366719335.751 1366719335.752 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/23/2013 05:26:42.211 PDT Gen. 
Time: 04/23/2013 05:26:42.211 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 177.73.216.74 (05:26:42.211 PDT) event=777:7777008 {icmp} E8[bh] Detected intense malware port scanning of 149 IPs (149 /24s) (# pkts S/M/O/I=0/149/0/0): 445:149, [] MAC_Src: 00:21:1C:EE:14:00 (05:26:42.211 PDT) tcpslice 1366720002.211 1366720002.212 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/23/2013 05:26:42.211 PDT Gen. Time: 04/23/2013 05:30:42.338 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 177.73.216.74 (2) (05:26:42.211 PDT) event=777:7777008 (2) {icmp} E8[bh] Detected intense malware port scanning of 149 IPs (149 /24s) (# pkts S/M/O/I=0/149/0/0): 445:149, [] MAC_Src: 00:21:1C:EE:14:00 (05:26:42.211 PDT) (05:29:49.385 PDT) tcpslice 1366720002.211 1366720002.212 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/23/2013 05:32:48.319 PDT Gen. 
Time: 04/23/2013 05:32:48.319 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 177.73.216.74 (05:32:48.319 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 152 IPs (152 /24s) (# pkts S/M/O/I=0/151/1/0): 445:151, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (05:32:48.319 PDT) tcpslice 1366720368.319 1366720368.320 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/23/2013 05:37:12.192 PDT Gen. Time: 04/23/2013 05:37:12.192 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 177.73.216.74 (05:37:12.192 PDT) event=777:7777008 {icmp} E8[bh] Detected intense malware port scanning of 156 IPs (156 /24s) (# pkts S/M/O/I=0/155/1/0): 445:155, [] MAC_Src: 00:21:1C:EE:14:00 (05:37:12.192 PDT) tcpslice 1366720632.192 1366720632.193 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/23/2013 05:37:12.192 PDT Gen. 
Time: 04/23/2013 05:41:12.366 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 177.73.216.74 (2) (05:37:12.192 PDT) event=777:7777008 (2) {icmp} E8[bh] Detected intense malware port scanning of 156 IPs (156 /24s) (# pkts S/M/O/I=0/155/1/0): 445:155, [] MAC_Src: 00:21:1C:EE:14:00 (05:37:12.192 PDT) 0->0 (05:39:20.347 PDT) tcpslice 1366720632.192 1366720632.193 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/23/2013 05:41:33.536 PDT Gen. Time: 04/23/2013 05:41:33.536 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 177.73.216.74 (05:41:33.536 PDT) event=777:7777008 {icmp} E8[bh] Detected intense malware port scanning of 160 IPs (159 /24s) (# pkts S/M/O/I=0/159/1/0): 445:159, [] MAC_Src: 00:21:1C:EE:14:00 (05:41:33.536 PDT) tcpslice 1366720893.536 1366720893.537 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/23/2013 05:41:33.536 PDT Gen. 
Time: 04/23/2013 05:45:33.811 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 177.73.216.74 (2) (05:41:33.536 PDT) event=777:7777008 (2) {icmp} E8[bh] Detected intense malware port scanning of 160 IPs (159 /24s) (# pkts S/M/O/I=0/159/1/0): 445:159, [] MAC_Src: 00:21:1C:EE:14:00 (05:41:33.536 PDT) 0->0 (05:44:29.575 PDT) tcpslice 1366720893.536 1366720893.537 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/23/2013 05:50:12.188 PDT Gen. Time: 04/23/2013 05:50:12.188 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 177.73.216.74 (05:50:12.188 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 167 IPs (166 /24s) (# pkts S/M/O/I=0/166/1/0): 445:166, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (05:50:12.188 PDT) tcpslice 1366721412.188 1366721412.189 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/23/2013 05:50:12.188 PDT Gen. 
Time: 04/23/2013 05:54:12.716 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 177.73.216.74 (2) (05:50:12.188 PDT) event=777:7777008 (2) {tcp} E8[bh] Detected intense malware port scanning of 167 IPs (166 /24s) (# pkts S/M/O/I=0/166/1/0): 445:166, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (05:50:12.188 PDT) (05:52:00.345 PDT) tcpslice 1366721412.188 1366721412.189 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/23/2013 05:55:04.156 PDT Gen. Time: 04/23/2013 05:55:04.156 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 177.73.216.74 (05:55:04.156 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 172 IPs (171 /24s) (# pkts S/M/O/I=0/171/1/0): 445:171, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (05:55:04.156 PDT) tcpslice 1366721704.156 1366721704.157 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/23/2013 06:00:17.310 PDT Gen. 
Time: 04/23/2013 06:00:17.310 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 177.73.216.74 (06:00:17.310 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 173 IPs (172 /24s) (# pkts S/M/O/I=0/172/1/0): 445:172, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (06:00:17.310 PDT) tcpslice 1366722017.310 1366722017.311 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/23/2013 06:00:17.310 PDT Gen. Time: 04/23/2013 06:04:17.359 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 177.73.216.74 (3) (06:00:17.310 PDT) event=777:7777008 (3) {tcp} E8[bh] Detected intense malware port scanning of 173 IPs (172 /24s) (# pkts S/M/O/I=0/172/1/0): 445:172, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (06:00:17.310 PDT) (06:02:08.270 PDT) (06:04:05.234 PDT) tcpslice 1366722017.310 1366722017.311 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/23/2013 06:08:36.179 PDT Gen. 
Time: 04/23/2013 06:08:36.179 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 177.73.216.74 (06:08:36.179 PDT) event=777:7777008 {icmp} E8[bh] Detected intense malware port scanning of 178 IPs (177 /24s) (# pkts S/M/O/I=0/177/1/0): 445:177, [] MAC_Src: 00:21:1C:EE:14:00 (06:08:36.179 PDT) tcpslice 1366722516.179 1366722516.180 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/23/2013 06:08:36.179 PDT Gen. Time: 04/23/2013 06:12:36.907 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 177.73.216.74 (3) (06:08:36.179 PDT) event=777:7777008 (3) {icmp} E8[bh] Detected intense malware port scanning of 178 IPs (177 /24s) (# pkts S/M/O/I=0/177/1/0): 445:177, [] MAC_Src: 00:21:1C:EE:14:00 (06:08:36.179 PDT) 0->0 (06:10:36.229 PDT) (06:12:06.431 PDT) tcpslice 1366722516.179 1366722516.180 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/23/2013 06:13:51.362 PDT Gen. 
Time: 04/23/2013 06:13:51.362 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 177.73.216.74 (06:13:51.362 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 182 IPs (181 /24s) (# pkts S/M/O/I=0/181/1/0): 445:181, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (06:13:51.362 PDT) tcpslice 1366722831.362 1366722831.363 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/23/2013 06:13:51.362 PDT Gen. Time: 04/23/2013 06:17:52.503 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 177.73.216.74 (3) (06:13:51.362 PDT) event=777:7777008 (3) {tcp} E8[bh] Detected intense malware port scanning of 182 IPs (181 /24s) (# pkts S/M/O/I=0/181/1/0): 445:181, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (06:13:51.362 PDT) 0->0 (06:15:43.255 PDT) 0->0 (06:17:15.233 PDT) tcpslice 1366722831.362 1366722831.363 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/23/2013 06:18:52.193 PDT Gen. 
Time: 04/23/2013 06:18:52.193 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 177.73.216.74 (06:18:52.193 PDT) event=777:7777008 {icmp} E8[bh] Detected intense malware port scanning of 192 IPs (191 /24s) (# pkts S/M/O/I=0/191/1/0): 445:191, [] MAC_Src: 00:21:1C:EE:14:00 (06:18:52.193 PDT) tcpslice 1366723132.193 1366723132.194 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/23/2013 06:18:52.193 PDT Gen. Time: 04/23/2013 06:22:52.235 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 177.73.216.74 (2) (06:18:52.193 PDT) event=777:7777008 (2) {icmp} E8[bh] Detected intense malware port scanning of 192 IPs (191 /24s) (# pkts S/M/O/I=0/191/1/0): 445:191, [] MAC_Src: 00:21:1C:EE:14:00 (06:18:52.193 PDT) (06:21:36.207 PDT) tcpslice 1366723132.193 1366723132.194 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/23/2013 06:23:47.435 PDT Gen. 
Time: 04/23/2013 06:23:47.435 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 177.73.216.74 (06:23:47.435 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 195 IPs (194 /24s) (# pkts S/M/O/I=0/194/1/0): 445:194, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (06:23:47.435 PDT) tcpslice 1366723427.435 1366723427.436 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/23/2013 06:29:30.213 PDT Gen. Time: 04/23/2013 06:29:30.213 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 177.73.216.74 (06:29:30.213 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 196 IPs (195 /24s) (# pkts S/M/O/I=0/195/1/0): 445:195, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (06:29:30.213 PDT) tcpslice 1366723770.213 1366723770.214 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/23/2013 06:29:30.213 PDT Gen. 
Time: 04/23/2013 06:33:30.496 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 177.73.216.74 (2) (06:29:30.213 PDT) event=777:7777008 (2) {tcp} E8[bh] Detected intense malware port scanning of 196 IPs (195 /24s) (# pkts S/M/O/I=0/195/1/0): 445:195, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (06:29:30.213 PDT) 0->0 (06:33:23.158 PDT) tcpslice 1366723770.213 1366723770.214 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/23/2013 06:36:11.288 PDT Gen. Time: 04/23/2013 06:36:11.288 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 177.73.216.74 (06:36:11.288 PDT) event=777:7777008 {icmp} E8[bh] Detected intense malware port scanning of 198 IPs (197 /24s) (# pkts S/M/O/I=0/197/1/0): 445:197, [] MAC_Src: 00:21:1C:EE:14:00 (06:36:11.288 PDT) tcpslice 1366724171.288 1366724171.289 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/23/2013 06:36:11.288 PDT Gen. 
Time: 04/23/2013 06:40:11.372 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 177.73.216.74 (2) (06:36:11.288 PDT) event=777:7777008 (2) {icmp} E8[bh] Detected intense malware port scanning of 198 IPs (197 /24s) (# pkts S/M/O/I=0/197/1/0): 445:197, [] MAC_Src: 00:21:1C:EE:14:00 (06:36:11.288 PDT) 0->0 (06:38:40.237 PDT) tcpslice 1366724171.288 1366724171.289 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/23/2013 07:13:07.273 PDT Gen. Time: 04/23/2013 07:13:07.273 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 201.49.117.6 (07:13:07.273 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 21 IPs (21 /24s) (# pkts S/M/O/I=0/20/0/1): 445:20, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (07:13:07.273 PDT) tcpslice 1366726387.273 1366726387.274 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/23/2013 07:46:05.299 PDT Gen. 
Time: 04/23/2013 07:46:05.299 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 177.67.59.35 (07:46:05.299 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 21 IPs (21 /24s) (# pkts S/M/O/I=0/21/0/0): 445:21, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (07:46:05.299 PDT) tcpslice 1366728365.299 1366728365.300 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/23/2013 07:46:05.299 PDT Gen. Time: 04/23/2013 07:50:05.305 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 177.67.59.35 (2) (07:46:05.299 PDT) event=777:7777008 (2) {tcp} E8[bh] Detected intense malware port scanning of 21 IPs (21 /24s) (# pkts S/M/O/I=0/21/0/0): 445:21, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (07:46:05.299 PDT) (07:48:32.305 PDT) tcpslice 1366728365.299 1366728365.300 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/23/2013 07:50:26.085 PDT Gen. 
Time: 04/23/2013 07:50:26.085 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 186.42.53.81 (07:50:26.085 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 24 IPs (24 /24s) (# pkts S/M/O/I=0/24/0/0): 445:24, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (07:50:26.085 PDT) tcpslice 1366728626.085 1366728626.086 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/23/2013 07:50:26.085 PDT Gen. Time: 04/23/2013 07:54:27.400 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 186.42.53.81 (3) (07:50:26.085 PDT) event=777:7777008 (3) {tcp} E8[bh] Detected intense malware port scanning of 24 IPs (24 /24s) (# pkts S/M/O/I=0/24/0/0): 445:24, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (07:50:26.085 PDT) (07:51:57.043 PDT) 0->0 (07:53:31.158 PDT) tcpslice 1366728626.085 1366728626.086 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/23/2013 07:55:49.217 PDT Gen. 
Time: 04/23/2013 07:55:49.217 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 186.42.53.81 (07:55:49.217 PDT) event=777:7777008 {icmp} E8[bh] Detected intense malware port scanning of 30 IPs (30 /24s) (# pkts S/M/O/I=0/30/0/0): 445:30, [] MAC_Src: 00:21:1C:EE:14:00 (07:55:49.217 PDT) tcpslice 1366728949.217 1366728949.218 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/23/2013 07:55:49.217 PDT Gen. Time: 04/23/2013 07:59:49.223 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 186.42.53.81 (2) (07:55:49.217 PDT) event=777:7777008 (2) {icmp} E8[bh] Detected intense malware port scanning of 30 IPs (30 /24s) (# pkts S/M/O/I=0/30/0/0): 445:30, [] MAC_Src: 00:21:1C:EE:14:00 (07:55:49.217 PDT) 0->0 (07:57:56.368 PDT) tcpslice 1366728949.217 1366728949.218 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/23/2013 08:02:56.301 PDT Gen. 
Time: 04/23/2013 08:02:56.301 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 186.42.53.81 (08:02:56.301 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 34 IPs (34 /24s) (# pkts S/M/O/I=0/34/0/0): 445:34, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (08:02:56.301 PDT) tcpslice 1366729376.301 1366729376.302 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/23/2013 08:02:56.301 PDT Gen. Time: 04/23/2013 08:06:56.080 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 186.42.53.81 (2) (08:02:56.301 PDT) event=777:7777008 (2) {tcp} E8[bh] Detected intense malware port scanning of 34 IPs (34 /24s) (# pkts S/M/O/I=0/34/0/0): 445:34, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (08:02:56.301 PDT) 0->0 (08:05:14.223 PDT) tcpslice 1366729376.301 1366729376.302 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/23/2013 08:07:07.301 PDT Gen. 
Time: 04/23/2013 08:07:07.301 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 186.42.53.81 (08:07:07.301 PDT) event=777:7777008 {icmp} E8[bh] Detected intense malware port scanning of 38 IPs (38 /24s) (# pkts S/M/O/I=0/38/0/0): 445:38, [] MAC_Src: 00:21:1C:EE:14:00 (08:07:07.301 PDT) tcpslice 1366729627.301 1366729627.302 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/23/2013 08:07:07.301 PDT Gen. Time: 04/23/2013 08:11:07.305 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 186.42.53.81 (2) (08:07:07.301 PDT) event=777:7777008 (2) {icmp} E8[bh] Detected intense malware port scanning of 38 IPs (38 /24s) (# pkts S/M/O/I=0/38/0/0): 445:38, [] MAC_Src: 00:21:1C:EE:14:00 (08:07:07.301 PDT) (08:09:29.295 PDT) tcpslice 1366729627.301 1366729627.302 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/23/2013 08:11:59.441 PDT Gen. 
Time: 04/23/2013 08:11:59.441 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 186.42.53.81 (08:11:59.441 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 41 IPs (41 /24s) (# pkts S/M/O/I=0/41/0/0): 445:41, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (08:11:59.441 PDT) tcpslice 1366729919.441 1366729919.442 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/23/2013 08:11:59.441 PDT Gen. Time: 04/23/2013 08:15:59.474 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 186.42.53.81 (08:11:59.441 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 41 IPs (41 /24s) (# pkts S/M/O/I=0/41/0/0): 445:41, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (08:11:59.441 PDT) 189.11.194.96 (08:14:14.709 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 43 IPs (43 /24s) (# pkts S/M/O/I=0/43/0/0): 445:43, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (08:14:14.709 PDT) tcpslice 1366729919.441 1366729919.442 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected 
Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/23/2013 08:16:12.098 PDT Gen. Time: 04/23/2013 08:16:12.098 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 189.11.194.96 (08:16:12.098 PDT) event=777:7777008 {icmp} E8[bh] Detected intense malware port scanning of 44 IPs (44 /24s) (# pkts S/M/O/I=0/44/0/0): 445:44, [] MAC_Src: 00:21:1C:EE:14:00 (08:16:12.098 PDT) tcpslice 1366730172.098 1366730172.099 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/23/2013 08:16:12.098 PDT Gen. 
Time: 04/23/2013 08:20:12.136 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 189.11.194.96 (2) (08:16:12.098 PDT) event=777:7777008 (2) {icmp} E8[bh] Detected intense malware port scanning of 44 IPs (44 /24s) (# pkts S/M/O/I=0/44/0/0): 445:44, [] MAC_Src: 00:21:1C:EE:14:00 (08:16:12.098 PDT) 0->0 (08:18:24.067 PDT) tcpslice 1366730172.098 1366730172.099 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/23/2013 08:20:55.278 PDT Gen. Time: 04/23/2013 08:20:55.278 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 189.11.194.96 (08:20:55.278 PDT) event=777:7777008 {icmp} E8[bh] Detected intense malware port scanning of 49 IPs (49 /24s) (# pkts S/M/O/I=0/49/0/0): 445:49, [] MAC_Src: 00:21:1C:EE:14:00 (08:20:55.278 PDT) tcpslice 1366730455.278 1366730455.279 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/23/2013 08:20:55.278 PDT Gen. 
Time: 04/23/2013 08:24:55.297 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 189.11.194.96 (3) (08:20:55.278 PDT) event=777:7777008 (3) {icmp} E8[bh] Detected intense malware port scanning of 49 IPs (49 /24s) (# pkts S/M/O/I=0/49/0/0): 445:49, [] MAC_Src: 00:21:1C:EE:14:00 (08:20:55.278 PDT) 0->0 (08:22:52.398 PDT) 0->0 (08:24:36.143 PDT) tcpslice 1366730455.278 1366730455.279 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/23/2013 08:28:01.922 PDT Gen. Time: 04/23/2013 08:28:01.922 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 189.11.194.96 (08:28:01.922 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 55 IPs (55 /24s) (# pkts S/M/O/I=0/55/0/0): 445:55, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (08:28:01.922 PDT) tcpslice 1366730881.922 1366730881.923 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/23/2013 08:28:01.922 PDT Gen. 
Time: 04/23/2013 08:32:01.950 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 189.11.194.96 (3) (08:28:01.922 PDT) event=777:7777008 (3) {tcp} E8[bh] Detected intense malware port scanning of 55 IPs (55 /24s) (# pkts S/M/O/I=0/55/0/0): 445:55, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (08:28:01.922 PDT) 0->0 (08:29:48.335 PDT) (08:31:38.708 PDT) tcpslice 1366730881.922 1366730881.923 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/23/2013 08:33:19.177 PDT Gen. Time: 04/23/2013 08:33:19.177 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 189.11.194.96 (08:33:19.177 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 59 IPs (59 /24s) (# pkts S/M/O/I=0/59/0/0): 445:59, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (08:33:19.177 PDT) tcpslice 1366731199.177 1366731199.178 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/23/2013 08:40:21.787 PDT Gen. 
Time: 04/23/2013 08:40:21.787 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 189.11.194.96 (08:40:21.787 PDT) event=777:7777008 {icmp} E8[bh] Detected intense malware port scanning of 60 IPs (60 /24s) (# pkts S/M/O/I=0/60/0/0): 445:60, [] MAC_Src: 00:21:1C:EE:14:00 (08:40:21.787 PDT) tcpslice 1366731621.787 1366731621.788 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/23/2013 08:40:21.787 PDT Gen. Time: 04/23/2013 08:44:21.856 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 189.11.194.96 (2) (08:40:21.787 PDT) event=777:7777008 (2) {icmp} E8[bh] Detected intense malware port scanning of 60 IPs (60 /24s) (# pkts S/M/O/I=0/60/0/0): 445:60, [] MAC_Src: 00:21:1C:EE:14:00 (08:40:21.787 PDT) (08:43:00.208 PDT) tcpslice 1366731621.787 1366731621.788 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/23/2013 08:46:16.763 PDT Gen. 
Time: 04/23/2013 08:46:16.763 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 189.11.194.96 (08:46:16.763 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 62 IPs (62 /24s) (# pkts S/M/O/I=0/62/0/0): 445:62, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (08:46:16.763 PDT) tcpslice 1366731976.763 1366731976.764 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/23/2013 08:46:16.763 PDT Gen. Time: 04/23/2013 08:50:17.120 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 189.11.194.96 (2) (08:46:16.763 PDT) event=777:7777008 (2) {tcp} E8[bh] Detected intense malware port scanning of 62 IPs (62 /24s) (# pkts S/M/O/I=0/62/0/0): 445:62, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (08:46:16.763 PDT) 0->0 (08:48:35.283 PDT) tcpslice 1366731976.763 1366731976.764 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/23/2013 08:55:16.664 PDT Gen. 
Time: 04/23/2013 08:55:16.664 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 189.11.194.96 (08:55:16.664 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 66 IPs (66 /24s) (# pkts S/M/O/I=0/66/0/0): 445:66, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (08:55:16.664 PDT) tcpslice 1366732516.664 1366732516.665 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/23/2013 08:55:16.664 PDT Gen. Time: 04/23/2013 08:57:56.986 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 189.11.194.96 (2) (08:55:16.664 PDT) event=777:7777008 (2) {tcp} E8[bh] Detected intense malware port scanning of 66 IPs (66 /24s) (# pkts S/M/O/I=0/66/0/0): 445:66, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (08:55:16.664 PDT) 0->0 (08:57:37.306 PDT) tcpslice 1366732516.664 1366732516.665 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/23/2013 09:03:04.424 PDT Gen. 
Time: 04/23/2013 09:03:04.424 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 189.11.194.96 (09:03:04.424 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 71 IPs (71 /24s) (# pkts S/M/O/I=0/69/2/0): 445:69, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (09:03:04.424 PDT) tcpslice 1366732984.424 1366732984.425 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/23/2013 09:08:52.674 PDT Gen. Time: 04/23/2013 09:08:52.674 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 189.11.194.96 (09:08:52.674 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 72 IPs (72 /24s) (# pkts S/M/O/I=0/70/2/0): 445:70, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (09:08:52.674 PDT) tcpslice 1366733332.674 1366733332.675 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/23/2013 09:12:20.354 PDT Gen. 
Time: 04/23/2013 09:12:20.354 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 189.11.194.96 (09:12:20.354 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 74 IPs (74 /24s) (# pkts S/M/O/I=0/72/2/0): 445:72, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (09:12:20.354 PDT) tcpslice 1366733540.354 1366733540.355 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/23/2013 09:12:20.354 PDT Gen. Time: 04/23/2013 09:16:09.717 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 189.11.194.96 (3) (09:12:20.354 PDT) event=777:7777008 (3) {tcp} E8[bh] Detected intense malware port scanning of 74 IPs (74 /24s) (# pkts S/M/O/I=0/72/2/0): 445:72, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (09:12:20.354 PDT) 0->0 (09:14:23.861 PDT) (09:16:09.717 PDT) tcpslice 1366733540.354 1366733540.355 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/23/2013 09:21:00.942 PDT Gen. 
Time: 04/23/2013 09:21:00.942 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 189.11.194.96 (09:21:00.942 PDT) event=777:7777008 {icmp} E8[bh] Detected intense malware port scanning of 78 IPs (78 /24s) (# pkts S/M/O/I=0/76/2/0): 445:76, [] MAC_Src: 00:21:1C:EE:14:00 (09:21:00.942 PDT) tcpslice 1366734060.942 1366734060.943 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/23/2013 09:21:00.942 PDT Gen. Time: 04/23/2013 09:25:54.614 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 189.11.194.96 (2) (09:21:00.942 PDT) event=777:7777008 (2) {icmp} E8[bh] Detected intense malware port scanning of 78 IPs (78 /24s) (# pkts S/M/O/I=0/76/2/0): 445:76, [] MAC_Src: 00:21:1C:EE:14:00 (09:21:00.942 PDT) 0->0 (09:22:57.190 PDT) tcpslice 1366734060.942 1366734060.943 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/23/2013 09:29:49.248 PDT Gen. 
Time: 04/23/2013 09:29:49.248 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 189.11.194.96 (09:29:49.248 PDT) event=777:7777008 {icmp} E8[bh] Detected intense malware port scanning of 80 IPs (80 /24s) (# pkts S/M/O/I=0/78/2/0): 445:78, [] MAC_Src: 00:21:1C:EE:14:00 (09:29:49.248 PDT) tcpslice 1366734589.248 1366734589.249 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/23/2013 09:29:49.248 PDT Gen. Time: 04/23/2013 09:33:09.232 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 189.11.194.96 (2) (09:29:49.248 PDT) event=777:7777008 (2) {icmp} E8[bh] Detected intense malware port scanning of 80 IPs (80 /24s) (# pkts S/M/O/I=0/78/2/0): 445:78, [] MAC_Src: 00:21:1C:EE:14:00 (09:29:49.248 PDT) 0->0 (09:31:36.283 PDT) tcpslice 1366734589.248 1366734589.249 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/23/2013 09:34:13.686 PDT Gen. 
Time: 04/23/2013 09:34:13.686 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 189.11.194.96 (09:34:13.686 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 83 IPs (83 /24s) (# pkts S/M/O/I=0/81/2/0): 445:81, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (09:34:13.686 PDT) tcpslice 1366734853.686 1366734853.687 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/23/2013 09:34:13.686 PDT Gen. Time: 04/23/2013 09:38:15.633 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 189.11.194.96 (09:34:13.686 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 83 IPs (83 /24s) (# pkts S/M/O/I=0/81/2/0): 445:81, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (09:34:13.686 PDT) 189.50.157.38 (09:36:40.239 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 85 IPs (85 /24s) (# pkts S/M/O/I=0/83/2/0): 445:83, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (09:36:40.239 PDT) tcpslice 1366734853.686 1366734853.687 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 1.1 (>= 0.8) Infected 
Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/23/2013 10:29:35.732 PDT Gen. Time: 04/23/2013 10:31:20.681 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) 201.66.249.83 (10:29:35.732 PDT) event=777:7777005 {icmp} E5[bh] Detected moderate malware port scanning of 20 IPs (20 /24s) (# pkts S/M/O/I=0/19/1/0): 445:19, [] MAC_Src: 00:21:1C:EE:14:00 (10:29:35.732 PDT) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 201.66.249.83 (10:31:20.681 PDT) event=777:7777008 {icmp} E8[bh] Detected intense malware port scanning of 21 IPs (21 /24s) (# pkts S/M/O/I=0/20/1/0): 445:20, [] MAC_Src: 00:21:1C:EE:14:00 (10:31:20.681 PDT) tcpslice 1366738175.732 1366738175.733 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 1.1 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/23/2013 10:29:35.732 PDT Gen. 
Time: 04/23/2013 10:33:32.681 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) 201.66.249.83 (10:29:35.732 PDT) event=777:7777005 {icmp} E5[bh] Detected moderate malware port scanning of 20 IPs (20 /24s) (# pkts S/M/O/I=0/19/1/0): 445:19, [] MAC_Src: 00:21:1C:EE:14:00 (10:29:35.732 PDT) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 201.66.249.83 (2) (10:31:20.681 PDT) event=777:7777008 (2) {icmp} E8[bh] Detected intense malware port scanning of 21 IPs (21 /24s) (# pkts S/M/O/I=0/20/1/0): 445:20, [] MAC_Src: 00:21:1C:EE:14:00 (10:31:20.681 PDT) 0->0 (10:33:29.596 PDT) tcpslice 1366738175.732 1366738175.733 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/23/2013 10:40:54.781 PDT Gen. 
Time: 04/23/2013 10:40:54.781 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 201.66.249.83 (10:40:54.781 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 25 IPs (25 /24s) (# pkts S/M/O/I=0/24/1/0): 445:24, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (10:40:54.781 PDT) tcpslice 1366738854.781 1366738854.782 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/23/2013 10:40:54.781 PDT Gen. Time: 04/23/2013 10:44:19.620 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 187.84.147.101 (10:43:04.675 PDT) event=777:7777008 {icmp} E8[bh] Detected intense malware port scanning of 26 IPs (26 /24s) (# pkts S/M/O/I=0/25/1/0): 445:25, [] MAC_Src: 00:21:1C:EE:14:00 (10:43:04.675 PDT) 201.66.249.83 (10:40:54.781 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 25 IPs (25 /24s) (# pkts S/M/O/I=0/24/1/0): 445:24, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (10:40:54.781 PDT) tcpslice 1366738854.781 1366738854.782 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected 
Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/23/2013 10:45:09.737 PDT Gen. Time: 04/23/2013 10:45:09.737 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 187.84.147.101 (10:45:09.737 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 31 IPs (31 /24s) (# pkts S/M/O/I=0/30/1/0): 445:30, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (10:45:09.737 PDT) tcpslice 1366739109.737 1366739109.738 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/23/2013 10:45:09.737 PDT Gen. 
Time: 04/23/2013 10:49:32.384 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 187.84.147.101 (2) (10:45:09.737 PDT) event=777:7777008 (2) {tcp} E8[bh] Detected intense malware port scanning of 31 IPs (31 /24s) (# pkts S/M/O/I=0/30/1/0): 445:30, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (10:45:09.737 PDT) (10:47:11.667 PDT) tcpslice 1366739109.737 1366739109.738 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/23/2013 10:50:49.773 PDT Gen. Time: 04/23/2013 10:50:49.773 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 187.84.147.101 (10:50:49.773 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 34 IPs (34 /24s) (# pkts S/M/O/I=0/33/1/0): 445:33, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (10:50:49.773 PDT) tcpslice 1366739449.773 1366739449.774 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/23/2013 10:50:49.773 PDT Gen. 
Time: 04/23/2013 10:53:55.198 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 201.88.81.54 (10:52:47.674 PDT) event=777:7777008 {icmp} E8[bh] Detected intense malware port scanning of 36 IPs (36 /24s) (# pkts S/M/O/I=0/35/1/0): 445:35, [] MAC_Src: 00:21:1C:EE:14:00 (10:52:47.674 PDT) 187.84.147.101 (10:50:49.773 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 34 IPs (34 /24s) (# pkts S/M/O/I=0/33/1/0): 445:33, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (10:50:49.773 PDT) tcpslice 1366739449.773 1366739449.774 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/23/2013 10:54:49.669 PDT Gen. 
Time: 04/23/2013 10:54:49.669 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 201.88.81.54 (10:54:49.669 PDT) event=777:7777008 {icmp} E8[bh] Detected intense malware port scanning of 38 IPs (38 /24s) (# pkts S/M/O/I=0/37/1/0): 445:37, [] MAC_Src: 00:21:1C:EE:14:00 (10:54:49.669 PDT) tcpslice 1366739689.669 1366739689.670 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/23/2013 10:58:44.752 PDT Gen. Time: 04/23/2013 10:58:44.752 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 201.88.81.54 (10:58:44.752 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 40 IPs (40 /24s) (# pkts S/M/O/I=0/39/1/0): 445:39, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (10:58:44.752 PDT) tcpslice 1366739924.752 1366739924.753 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/23/2013 10:58:44.752 PDT Gen. 
Time: 04/23/2013 11:02:12.383 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 201.88.81.54 (2) (10:58:44.752 PDT) event=777:7777008 (2) {tcp} E8[bh] Detected intense malware port scanning of 40 IPs (40 /24s) (# pkts S/M/O/I=0/39/1/0): 445:39, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (10:58:44.752 PDT) 0->0 (11:00:59.706 PDT) tcpslice 1366739924.752 1366739924.753 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/23/2013 11:02:53.355 PDT Gen. Time: 04/23/2013 11:02:53.355 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 201.88.81.54 (11:02:53.355 PDT) event=777:7777008 {icmp} E8[bh] Detected intense malware port scanning of 43 IPs (43 /24s) (# pkts S/M/O/I=0/42/1/0): 445:42, [] MAC_Src: 00:21:1C:EE:14:00 (11:02:53.355 PDT) tcpslice 1366740173.355 1366740173.356 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/23/2013 11:02:53.355 PDT Gen. 
Time: 04/23/2013 11:06:37.920 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 201.88.81.54 (2) (11:02:53.355 PDT) event=777:7777008 (2) {icmp} E8[bh] Detected intense malware port scanning of 43 IPs (43 /24s) (# pkts S/M/O/I=0/42/1/0): 445:42, [] MAC_Src: 00:21:1C:EE:14:00 (11:02:53.355 PDT) 0->0 (11:04:55.793 PDT) tcpslice 1366740173.355 1366740173.356 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/23/2013 11:06:38.665 PDT Gen. Time: 04/23/2013 11:06:38.665 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 201.88.81.54 (11:06:38.665 PDT) event=777:7777008 {icmp} E8[bh] Detected intense malware port scanning of 51 IPs (51 /24s) (# pkts S/M/O/I=0/50/1/0): 445:50, [] MAC_Src: 00:21:1C:EE:14:00 (11:06:38.665 PDT) tcpslice 1366740398.665 1366740398.666 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/23/2013 11:06:38.665 PDT Gen. 
Time: 04/23/2013 11:10:31.297 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 201.88.81.54 (2) (11:06:38.665 PDT) event=777:7777008 (2) {icmp} E8[bh] Detected intense malware port scanning of 51 IPs (51 /24s) (# pkts S/M/O/I=0/50/1/0): 445:50, [] MAC_Src: 00:21:1C:EE:14:00 (11:06:38.665 PDT) (11:09:28.656 PDT) tcpslice 1366740398.665 1366740398.666 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/23/2013 11:12:36.842 PDT Gen. Time: 04/23/2013 11:12:36.842 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 201.88.81.54 (11:12:36.842 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 58 IPs (57 /24s) (# pkts S/M/O/I=0/57/1/0): 445:57, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (11:12:36.842 PDT) tcpslice 1366740756.842 1366740756.843 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/23/2013 11:12:36.842 PDT Gen. 
Time: 04/23/2013 11:14:52.213 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 201.88.81.54 (2) (11:12:36.842 PDT) event=777:7777008 (2) {tcp} E8[bh] Detected intense malware port scanning of 58 IPs (57 /24s) (# pkts S/M/O/I=0/57/1/0): 445:57, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (11:12:36.842 PDT) 0->0 (11:14:30.408 PDT) tcpslice 1366740756.842 1366740756.843 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/23/2013 11:17:39.735 PDT Gen. Time: 04/23/2013 11:17:39.735 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 201.88.81.54 (11:17:39.735 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 64 IPs (63 /24s) (# pkts S/M/O/I=0/63/1/0): 445:63, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (11:17:39.735 PDT) tcpslice 1366741059.735 1366741059.736 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/23/2013 11:17:39.735 PDT Gen. 
Time: 04/23/2013 11:21:05.392 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 201.88.81.54 (2) (11:17:39.735 PDT) event=777:7777008 (2) {tcp} E8[bh] Detected intense malware port scanning of 64 IPs (63 /24s) (# pkts S/M/O/I=0/63/1/0): 445:63, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (11:17:39.735 PDT) 0->0 (11:19:50.800 PDT) tcpslice 1366741059.735 1366741059.736 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/23/2013 11:22:39.564 PDT Gen. Time: 04/23/2013 11:22:39.564 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 201.88.81.54 (11:22:39.564 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 70 IPs (69 /24s) (# pkts S/M/O/I=0/69/1/0): 445:69, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (11:22:39.564 PDT) tcpslice 1366741359.564 1366741359.565 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/23/2013 11:22:39.564 PDT Gen. 
Time: 04/23/2013 11:25:37.129 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 201.88.81.54 (2) (11:22:39.564 PDT) event=777:7777008 (2) {tcp} E8[bh] Detected intense malware port scanning of 70 IPs (69 /24s) (# pkts S/M/O/I=0/69/1/0): 445:69, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (11:22:39.564 PDT) (11:24:38.685 PDT) tcpslice 1366741359.564 1366741359.565 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/23/2013 11:26:27.634 PDT Gen. Time: 04/23/2013 11:26:27.634 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 201.88.81.54 (11:26:27.634 PDT) event=777:7777008 {icmp} E8[bh] Detected intense malware port scanning of 74 IPs (73 /24s) (# pkts S/M/O/I=0/73/1/0): 445:73, [] MAC_Src: 00:21:1C:EE:14:00 (11:26:27.634 PDT) tcpslice 1366741587.634 1366741587.635 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/23/2013 11:26:27.634 PDT Gen. 
Time: 04/23/2013 11:30:09.678 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 201.88.81.54 (3) (11:26:27.634 PDT) event=777:7777008 (3) {icmp} E8[bh] Detected intense malware port scanning of 74 IPs (73 /24s) (# pkts S/M/O/I=0/73/1/0): 445:73, [] MAC_Src: 00:21:1C:EE:14:00 (11:26:27.634 PDT) 0->0 (11:28:14.587 PDT) (11:30:09.678 PDT) tcpslice 1366741587.634 1366741587.635 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/23/2013 11:33:27.713 PDT Gen. Time: 04/23/2013 11:33:27.713 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 201.88.81.54 (11:33:27.713 PDT) event=777:7777008 {icmp} E8[bh] Detected intense malware port scanning of 78 IPs (77 /24s) (# pkts S/M/O/I=0/77/1/0): 445:77, [] MAC_Src: 00:21:1C:EE:14:00 (11:33:27.713 PDT) tcpslice 1366742007.713 1366742007.714 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/23/2013 11:33:27.713 PDT Gen. 
Time: 04/23/2013 11:37:37.386 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 201.88.81.54 (2) (11:33:27.713 PDT) event=777:7777008 (2) {icmp} E8[bh] Detected intense malware port scanning of 78 IPs (77 /24s) (# pkts S/M/O/I=0/77/1/0): 445:77, [] MAC_Src: 00:21:1C:EE:14:00 (11:33:27.713 PDT) (11:35:32.734 PDT) tcpslice 1366742007.713 1366742007.714 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/23/2013 11:39:34.482 PDT Gen. Time: 04/23/2013 11:39:34.482 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 201.88.81.54 (11:39:34.482 PDT) event=777:7777008 {icmp} E8[bh] Detected intense malware port scanning of 86 IPs (85 /24s) (# pkts S/M/O/I=0/85/1/0): 445:85, [] MAC_Src: 00:21:1C:EE:14:00 (11:39:34.482 PDT) tcpslice 1366742374.482 1366742374.483 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 1.1 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/23/2013 12:10:45.767 PDT Gen. 
Time: 04/23/2013 12:12:44.663 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) 189.76.68.116 (2) (12:10:45.767 PDT) event=777:7777005 (2) {tcp} E5[bh] Detected moderate malware port scanning of 18 IPs (18 /24s) (# pkts S/M/O/I=0/18/0/0): 445:18, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (12:10:45.767 PDT) 0->0 (12:12:17.727 PDT) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 201.7.229.98 (12:12:44.663 PDT) event=777:7777008 {icmp} E8[bh] Detected intense malware port scanning of 21 IPs (21 /24s) (# pkts S/M/O/I=0/21/0/0): 445:21, [] MAC_Src: 00:21:1C:EE:14:00 (12:12:44.663 PDT) tcpslice 1366744245.767 1366744245.768 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/23/2013 12:14:41.820 PDT Gen. 
Time: 04/23/2013 12:14:41.820 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 201.7.229.98 (12:14:41.820 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 23 IPs (23 /24s) (# pkts S/M/O/I=0/23/0/0): 445:23, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (12:14:41.820 PDT) tcpslice 1366744481.820 1366744481.821 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/23/2013 12:14:41.820 PDT Gen. Time: 04/23/2013 12:18:12.157 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 201.7.229.98 (2) (12:14:41.820 PDT) event=777:7777008 (2) {tcp} E8[bh] Detected intense malware port scanning of 23 IPs (23 /24s) (# pkts S/M/O/I=0/23/0/0): 445:23, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (12:14:41.820 PDT) 0->0 (12:16:49.590 PDT) tcpslice 1366744481.820 1366744481.821 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/23/2013 12:19:18.658 PDT Gen. 
Time: 04/23/2013 12:19:18.658 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 201.7.229.98 (12:19:18.658 PDT) event=777:7777008 {icmp} E8[bh] Detected intense malware port scanning of 29 IPs (29 /24s) (# pkts S/M/O/I=0/29/0/0): 445:29, [] MAC_Src: 00:21:1C:EE:14:00 (12:19:18.658 PDT) tcpslice 1366744758.658 1366744758.659 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/23/2013 12:19:18.658 PDT Gen. Time: 04/23/2013 12:23:05.223 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 201.7.229.98 (2) (12:19:18.658 PDT) event=777:7777008 (2) {icmp} E8[bh] Detected intense malware port scanning of 29 IPs (29 /24s) (# pkts S/M/O/I=0/29/0/0): 445:29, [] MAC_Src: 00:21:1C:EE:14:00 (12:19:18.658 PDT) 0->0 (12:21:30.835 PDT) tcpslice 1366744758.658 1366744758.659 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 1.1 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/23/2013 12:55:55.667 PDT Gen. 
Time: 04/23/2013 12:56:01.332 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) 189.85.66.114 (12:55:55.667 PDT) event=777:7777005 {icmp} E5[bh] Detected moderate malware port scanning of 20 IPs (20 /24s) (# pkts S/M/O/I=0/20/0/0): 445:20, [] MAC_Src: 00:21:1C:EE:14:00 (12:55:55.667 PDT) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 189.85.66.114 (12:56:01.332 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 21 IPs (21 /24s) (# pkts S/M/O/I=0/21/0/0): 445:21, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (12:56:01.332 PDT) tcpslice 1366746955.667 1366746955.668 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 1.1 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/23/2013 12:55:55.667 PDT Gen. 
Time: 04/23/2013 12:58:09.272 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) 189.85.66.114 (12:55:55.667 PDT) event=777:7777005 {icmp} E5[bh] Detected moderate malware port scanning of 20 IPs (20 /24s) (# pkts S/M/O/I=0/20/0/0): 445:20, [] MAC_Src: 00:21:1C:EE:14:00 (12:55:55.667 PDT) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 189.85.66.114 (2) (12:56:01.332 PDT) event=777:7777008 (2) {tcp} E8[bh] Detected intense malware port scanning of 21 IPs (21 /24s) (# pkts S/M/O/I=0/21/0/0): 445:21, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (12:56:01.332 PDT) 0->0 (12:58:05.834 PDT) tcpslice 1366746955.667 1366746955.668 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/23/2013 13:00:53.785 PDT Gen. 
Time: 04/23/2013 13:00:53.785 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 189.85.66.114 (13:00:53.785 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 26 IPs (26 /24s) (# pkts S/M/O/I=0/26/0/0): 445:26, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (13:00:53.785 PDT) tcpslice 1366747253.785 1366747253.786 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/23/2013 13:03:50.655 PDT Gen. Time: 04/23/2013 13:03:50.655 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 189.85.66.114 (13:03:50.655 PDT) event=777:7777008 {icmp} E8[bh] Detected intense malware port scanning of 28 IPs (28 /24s) (# pkts S/M/O/I=0/28/0/0): 445:28, [] MAC_Src: 00:21:1C:EE:14:00 (13:03:50.655 PDT) tcpslice 1366747430.655 1366747430.656 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/23/2013 13:03:50.655 PDT Gen. 
Time: 04/23/2013 13:06:46.594 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 189.85.66.114 (2) (13:03:50.655 PDT) event=777:7777008 (2) {icmp} E8[bh] Detected intense malware port scanning of 28 IPs (28 /24s) (# pkts S/M/O/I=0/28/0/0): 445:28, [] MAC_Src: 00:21:1C:EE:14:00 (13:03:50.655 PDT) (13:05:27.501 PDT) tcpslice 1366747430.655 1366747430.656 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/23/2013 13:08:26.711 PDT Gen. Time: 04/23/2013 13:08:26.711 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 189.85.66.114 (13:08:26.711 PDT) event=777:7777008 {icmp} E8[bh] Detected intense malware port scanning of 36 IPs (36 /24s) (# pkts S/M/O/I=0/36/0/0): 445:36, [] MAC_Src: 00:21:1C:EE:14:00 (13:08:26.711 PDT) tcpslice 1366747706.711 1366747706.712 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/23/2013 13:08:26.711 PDT Gen. 
Time: 04/23/2013 13:12:14.475 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 189.85.66.114 (2) (13:08:26.711 PDT) event=777:7777008 (2) {icmp} E8[bh] Detected intense malware port scanning of 36 IPs (36 /24s) (# pkts S/M/O/I=0/36/0/0): 445:36, [] MAC_Src: 00:21:1C:EE:14:00 (13:08:26.711 PDT) (13:11:42.662 PDT) tcpslice 1366747706.711 1366747706.712 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/23/2013 13:17:58.810 PDT Gen. Time: 04/23/2013 13:17:58.810 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 187.12.178.24 (13:17:58.810 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 38 IPs (38 /24s) (# pkts S/M/O/I=0/38/0/0): 445:38, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (13:17:58.810 PDT) tcpslice 1366748278.810 1366748278.811 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/23/2013 13:17:58.810 PDT Gen. 
Time: 04/23/2013 13:22:30.666 PDT
INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN 187.12.178.24 (2) (13:17:58.810 PDT)
event=777:7777008 (2) {tcp} E8[bh] Detected intense malware port scanning of 38 IPs (38 /24s) (# pkts S/M/O/I=0/38/0/0): 445:38, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (13:17:58.810 PDT) (13:22:30.666 PDT)
tcpslice 1366748278.810 1366748278.811 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.98
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 04/23/2013 13:26:15.632 PDT
Gen. Time: 04/23/2013 13:26:15.632 PDT
INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN 187.12.178.24 (13:26:15.632 PDT)
event=777:7777008 {icmp} E8[bh] Detected intense malware port scanning of 44 IPs (44 /24s) (# pkts S/M/O/I=0/44/0/0): 445:44, [] MAC_Src: 00:21:1C:EE:14:00 (13:26:15.632 PDT)
tcpslice 1366748775.632 1366748775.633 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.98
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 04/23/2013 13:26:15.632 PDT
Gen. Time: 04/23/2013 13:29:48.695 PDT
INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN 187.12.178.24 (2) (13:26:15.632 PDT)
event=777:7777008 (2) {icmp} E8[bh] Detected intense malware port scanning of 44 IPs (44 /24s) (# pkts S/M/O/I=0/44/0/0): 445:44, [] MAC_Src: 00:21:1C:EE:14:00 (13:26:15.632 PDT) (13:28:14.562 PDT)
tcpslice 1366748775.632 1366748775.633 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.98
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 04/23/2013 13:30:00.635 PDT
Gen. Time: 04/23/2013 13:30:00.635 PDT
INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN 187.12.178.24 (13:30:00.635 PDT)
event=777:7777008 {icmp} E8[bh] Detected intense malware port scanning of 49 IPs (49 /24s) (# pkts S/M/O/I=0/49/0/0): 445:49, [] MAC_Src: 00:21:1C:EE:14:00 (13:30:00.635 PDT)
tcpslice 1366749000.635 1366749000.636 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.98
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 04/23/2013 13:34:44.781 PDT
Gen. Time: 04/23/2013 13:34:44.781 PDT
INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN 187.12.178.24 (13:34:44.781 PDT)
event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 50 IPs (50 /24s) (# pkts S/M/O/I=0/50/0/0): 445:50, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (13:34:44.781 PDT)
tcpslice 1366749284.781 1366749284.782 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.98
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 04/23/2013 13:38:20.650 PDT
Gen. Time: 04/23/2013 13:38:20.650 PDT
INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN 187.12.178.24 (13:38:20.650 PDT)
event=777:7777008 {icmp} E8[bh] Detected intense malware port scanning of 54 IPs (54 /24s) (# pkts S/M/O/I=0/54/0/0): 445:54, [] MAC_Src: 00:21:1C:EE:14:00 (13:38:20.650 PDT)
tcpslice 1366749500.650 1366749500.651 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.98
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 04/23/2013 13:38:20.650 PDT
Gen. Time: 04/23/2013 13:42:49.596 PDT
INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN 187.12.178.24 (3) (13:38:20.650 PDT)
event=777:7777008 (3) {icmp} E8[bh] Detected intense malware port scanning of 54 IPs (54 /24s) (# pkts S/M/O/I=0/54/0/0): 445:54, [] MAC_Src: 00:21:1C:EE:14:00 (13:38:20.650 PDT) 0->0 (13:39:50.557 PDT) 0->0 (13:41:35.599 PDT)
tcpslice 1366749500.650 1366749500.651 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.98
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 04/23/2013 13:47:25.777 PDT
Gen. Time: 04/23/2013 13:47:25.777 PDT
INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN 187.12.178.24 (13:47:25.777 PDT)
event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 57 IPs (57 /24s) (# pkts S/M/O/I=0/57/0/0): 445:57, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (13:47:25.777 PDT)
tcpslice 1366750045.777 1366750045.778 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.98
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 04/23/2013 13:47:25.777 PDT
Gen. Time: 04/23/2013 13:51:34.692 PDT
INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN 187.12.178.24 (2) (13:47:25.777 PDT)
event=777:7777008 (2) {tcp} E8[bh] Detected intense malware port scanning of 57 IPs (57 /24s) (# pkts S/M/O/I=0/57/0/0): 445:57, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (13:47:25.777 PDT) (13:50:06.333 PDT)
tcpslice 1366750045.777 1366750045.778 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.98
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 04/23/2013 13:52:31.303 PDT
Gen. Time: 04/23/2013 13:52:31.303 PDT
INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN 187.12.178.24 (13:52:31.303 PDT)
event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 61 IPs (61 /24s) (# pkts S/M/O/I=0/61/0/0): 445:61, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (13:52:31.303 PDT)
tcpslice 1366750351.303 1366750351.304 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.98
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 04/23/2013 13:52:31.303 PDT
Gen. Time: 04/23/2013 13:56:44.740 PDT
INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN 187.12.178.24 (2) (13:52:31.303 PDT)
event=777:7777008 (2) {tcp} E8[bh] Detected intense malware port scanning of 61 IPs (61 /24s) (# pkts S/M/O/I=0/61/0/0): 445:61, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (13:52:31.303 PDT) 0->0 (13:55:06.850 PDT)
tcpslice 1366750351.303 1366750351.304 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.98
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 04/23/2013 13:57:35.650 PDT
Gen. Time: 04/23/2013 13:57:35.650 PDT
INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN 187.12.178.24 (13:57:35.650 PDT)
event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 64 IPs (63 /24s) (# pkts S/M/O/I=0/64/0/0): 445:64, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (13:57:35.650 PDT)
tcpslice 1366750655.650 1366750655.651 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.98
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 04/23/2013 13:57:35.650 PDT
Gen. Time: 04/23/2013 14:01:09.254 PDT
INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN 187.12.178.24 (2) (13:57:35.650 PDT)
event=777:7777008 (2) {tcp} E8[bh] Detected intense malware port scanning of 64 IPs (63 /24s) (# pkts S/M/O/I=0/64/0/0): 445:64, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (13:57:35.650 PDT) (13:59:23.281 PDT)
tcpslice 1366750655.650 1366750655.651 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.98
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 04/23/2013 14:01:47.163 PDT
Gen. Time: 04/23/2013 14:01:47.163 PDT
INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN 187.12.178.24 (14:01:47.163 PDT)
event=777:7777008 {icmp} E8[bh] Detected intense malware port scanning of 68 IPs (67 /24s) (# pkts S/M/O/I=0/68/0/0): 445:68, [] MAC_Src: 00:21:1C:EE:14:00 (14:01:47.163 PDT)
tcpslice 1366750907.163 1366750907.164 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.98
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 04/23/2013 14:01:47.163 PDT
Gen. Time: 04/23/2013 14:04:46.387 PDT
INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN 187.12.178.24 (2) (14:01:47.163 PDT)
event=777:7777008 (2) {icmp} E8[bh] Detected intense malware port scanning of 68 IPs (67 /24s) (# pkts S/M/O/I=0/68/0/0): 445:68, [] MAC_Src: 00:21:1C:EE:14:00 (14:01:47.163 PDT) 0->0 (14:04:22.690 PDT)
tcpslice 1366750907.163 1366750907.164 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.98
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 04/23/2013 14:07:51.719 PDT
Gen. Time: 04/23/2013 14:07:51.719 PDT
INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN 187.87.14.73 (14:07:51.719 PDT)
event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 73 IPs (72 /24s) (# pkts S/M/O/I=0/73/0/0): 445:73, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (14:07:51.719 PDT)
tcpslice 1366751271.719 1366751271.720 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.98
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 04/23/2013 14:07:51.719 PDT
Gen. Time: 04/23/2013 14:10:27.672 PDT
INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN 187.87.14.73 (2) (14:07:51.719 PDT)
event=777:7777008 (2) {tcp} E8[bh] Detected intense malware port scanning of 73 IPs (72 /24s) (# pkts S/M/O/I=0/73/0/0): 445:73, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (14:07:51.719 PDT) (14:10:27.672 PDT)
tcpslice 1366751271.719 1366751271.720 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.98
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 04/23/2013 14:12:10.642 PDT
Gen. Time: 04/23/2013 14:12:10.642 PDT
INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN 187.87.14.73 (14:12:10.642 PDT)
event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 77 IPs (76 /24s) (# pkts S/M/O/I=0/77/0/0): 445:77, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (14:12:10.642 PDT)
tcpslice 1366751530.642 1366751530.643 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.98
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 04/23/2013 14:12:10.642 PDT
Gen. Time: 04/23/2013 14:16:51.276 PDT
INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN 187.87.14.73 (2) (14:12:10.642 PDT)
event=777:7777008 (2) {tcp} E8[bh] Detected intense malware port scanning of 77 IPs (76 /24s) (# pkts S/M/O/I=0/77/0/0): 445:77, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (14:12:10.642 PDT) 0->0 (14:15:09.751 PDT)
tcpslice 1366751530.642 1366751530.643 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.98
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 04/23/2013 14:17:30.652 PDT
Gen. Time: 04/23/2013 14:17:30.652 PDT
INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN 187.87.14.73 (14:17:30.652 PDT)
event=777:7777008 {icmp} E8[bh] Detected intense malware port scanning of 83 IPs (81 /24s) (# pkts S/M/O/I=0/83/0/0): 445:83, [] MAC_Src: 00:21:1C:EE:14:00 (14:17:30.652 PDT)
tcpslice 1366751850.652 1366751850.653 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.98
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 04/23/2013 14:17:30.652 PDT
Gen. Time: 04/23/2013 14:20:54.730 PDT
INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN 187.87.14.73 (2) (14:17:30.652 PDT)
event=777:7777008 (2) {icmp} E8[bh] Detected intense malware port scanning of 83 IPs (81 /24s) (# pkts S/M/O/I=0/83/0/0): 445:83, [] MAC_Src: 00:21:1C:EE:14:00 (14:17:30.652 PDT) 0->0 (14:19:24.624 PDT)
tcpslice 1366751850.652 1366751850.653 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.98
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 04/23/2013 14:22:04.668 PDT
Gen. Time: 04/23/2013 14:22:04.668 PDT
INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN 187.87.14.73 (14:22:04.668 PDT)
event=777:7777008 {icmp} E8[bh] Detected intense malware port scanning of 88 IPs (86 /24s) (# pkts S/M/O/I=0/88/0/0): 445:88, [] MAC_Src: 00:21:1C:EE:14:00 (14:22:04.668 PDT)
tcpslice 1366752124.668 1366752124.669 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.98
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 04/23/2013 14:26:48.564 PDT
Gen. Time: 04/23/2013 14:26:48.564 PDT
INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN 187.87.14.73 (14:26:48.564 PDT)
event=777:7777008 {icmp} E8[bh] Detected intense malware port scanning of 89 IPs (87 /24s) (# pkts S/M/O/I=0/89/0/0): 445:89, [] MAC_Src: 00:21:1C:EE:14:00 (14:26:48.564 PDT)
tcpslice 1366752408.564 1366752408.565 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.98
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 04/23/2013 14:26:48.564 PDT
Gen. Time: 04/23/2013 14:29:51.223 PDT
INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN 187.87.14.73 (2) (14:26:48.564 PDT)
event=777:7777008 (2) {icmp} E8[bh] Detected intense malware port scanning of 89 IPs (87 /24s) (# pkts S/M/O/I=0/89/0/0): 445:89, [] MAC_Src: 00:21:1C:EE:14:00 (14:26:48.564 PDT) 0->0 (14:28:55.597 PDT)
tcpslice 1366752408.564 1366752408.565 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.98
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 04/23/2013 14:30:46.908 PDT
Gen. Time: 04/23/2013 14:30:46.908 PDT
INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN 187.87.14.73 (14:30:46.908 PDT)
event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 97 IPs (95 /24s) (# pkts S/M/O/I=0/97/0/0): 445:97, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (14:30:46.908 PDT)
tcpslice 1366752646.908 1366752646.909 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.98
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 04/23/2013 14:30:46.908 PDT
Gen. Time: 04/23/2013 14:34:44.310 PDT
INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN 187.87.14.73 (2) (14:30:46.908 PDT)
event=777:7777008 (2) {tcp} E8[bh] Detected intense malware port scanning of 97 IPs (95 /24s) (# pkts S/M/O/I=0/97/0/0): 445:97, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (14:30:46.908 PDT) 0->0 (14:33:09.712 PDT)
tcpslice 1366752646.908 1366752646.909 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.98
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 04/23/2013 14:35:16.254 PDT
Gen. Time: 04/23/2013 14:35:16.254 PDT
INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN 187.87.14.73 (14:35:16.254 PDT)
event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 104 IPs (102 /24s) (# pkts S/M/O/I=0/104/0/0): 445:104, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (14:35:16.254 PDT)
tcpslice 1366752916.254 1366752916.255 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.98
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 04/23/2013 14:35:16.254 PDT
Gen. Time: 04/23/2013 14:39:43.959 PDT
INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN 187.87.14.73 (2) (14:35:16.254 PDT)
event=777:7777008 (2) {tcp} E8[bh] Detected intense malware port scanning of 104 IPs (102 /24s) (# pkts S/M/O/I=0/104/0/0): 445:104, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (14:35:16.254 PDT) 0->0 (14:38:26.080 PDT)
tcpslice 1366752916.254 1366752916.255 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.98
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 04/23/2013 14:40:05.991 PDT
Gen. Time: 04/23/2013 14:40:05.991 PDT
INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN 187.87.14.73 (14:40:05.991 PDT)
event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 109 IPs (107 /24s) (# pkts S/M/O/I=0/109/0/0): 445:109, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (14:40:05.991 PDT)
tcpslice 1366753205.991 1366753205.992 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.98
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 04/23/2013 14:40:05.991 PDT
Gen. Time: 04/23/2013 14:42:49.455 PDT
INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN 187.87.14.73 (2) (14:40:05.991 PDT)
event=777:7777008 (2) {tcp} E8[bh] Detected intense malware port scanning of 109 IPs (107 /24s) (# pkts S/M/O/I=0/109/0/0): 445:109, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (14:40:05.991 PDT) 0->0 (14:42:06.870 PDT)
tcpslice 1366753205.991 1366753205.992 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.98
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 04/23/2013 14:44:00.225 PDT
Gen. Time: 04/23/2013 14:44:00.225 PDT
INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN 187.87.14.73 (14:44:00.225 PDT)
event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 112 IPs (110 /24s) (# pkts S/M/O/I=0/112/0/0): 445:112, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (14:44:00.225 PDT)
tcpslice 1366753440.225 1366753440.226 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.98
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 04/23/2013 14:49:28.009 PDT
Gen. Time: 04/23/2013 14:49:28.009 PDT
INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN 187.87.14.73 (14:49:28.009 PDT)
event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 113 IPs (111 /24s) (# pkts S/M/O/I=0/113/0/0): 445:113, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (14:49:28.009 PDT)
tcpslice 1366753768.009 1366753768.010 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.98
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 04/23/2013 14:49:28.009 PDT
Gen. Time: 04/23/2013 14:53:22.233 PDT
INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN 187.87.14.73 (2) (14:49:28.009 PDT)
event=777:7777008 (2) {tcp} E8[bh] Detected intense malware port scanning of 113 IPs (111 /24s) (# pkts S/M/O/I=0/113/0/0): 445:113, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (14:49:28.009 PDT) (14:51:39.287 PDT)
tcpslice 1366753768.009 1366753768.010 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.98
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 04/23/2013 14:53:49.770 PDT
Gen. Time: 04/23/2013 14:53:49.770 PDT
INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN 187.87.14.73 (14:53:49.770 PDT)
event=777:7777008 {icmp} E8[bh] Detected intense malware port scanning of 118 IPs (116 /24s) (# pkts S/M/O/I=0/118/0/0): 445:118, [] MAC_Src: 00:21:1C:EE:14:00 (14:53:49.770 PDT)
tcpslice 1366754029.770 1366754029.771 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.98
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 04/23/2013 14:53:49.770 PDT
Gen. Time: 04/23/2013 14:56:54.835 PDT
INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN 187.87.14.73 (2) (14:53:49.770 PDT)
event=777:7777008 (2) {icmp} E8[bh] Detected intense malware port scanning of 118 IPs (116 /24s) (# pkts S/M/O/I=0/118/0/0): 445:118, [] MAC_Src: 00:21:1C:EE:14:00 (14:53:49.770 PDT) (14:56:00.351 PDT)
tcpslice 1366754029.770 1366754029.771 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.98
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 04/23/2013 14:58:14.867 PDT
Gen. Time: 04/23/2013 14:58:14.867 PDT
INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN 187.87.14.73 (14:58:14.867 PDT)
event=777:7777008 {icmp} E8[bh] Detected intense malware port scanning of 121 IPs (119 /24s) (# pkts S/M/O/I=0/121/0/0): 445:121, [] MAC_Src: 00:21:1C:EE:14:00 (14:58:14.867 PDT)
tcpslice 1366754294.867 1366754294.868 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.98
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 04/23/2013 14:58:14.867 PDT
Gen. Time: 04/23/2013 15:01:28.596 PDT
INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN 187.87.14.73 (2) (14:58:14.867 PDT)
event=777:7777008 (2) {icmp} E8[bh] Detected intense malware port scanning of 121 IPs (119 /24s) (# pkts S/M/O/I=0/121/0/0): 445:121, [] MAC_Src: 00:21:1C:EE:14:00 (14:58:14.867 PDT) (14:59:49.011 PDT)
tcpslice 1366754294.867 1366754294.868 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.98
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 04/23/2013 15:01:28.894 PDT
Gen. Time: 04/23/2013 15:01:28.894 PDT
INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN 187.87.14.73 (15:01:28.894 PDT)
event=777:7777008 {icmp} E8[bh] Detected intense malware port scanning of 124 IPs (122 /24s) (# pkts S/M/O/I=0/124/0/0): 445:124, [] MAC_Src: 00:21:1C:EE:14:00 (15:01:28.894 PDT)
tcpslice 1366754488.894 1366754488.895 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.98
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 04/23/2013 15:03:49.896 PDT
Gen. Time: 04/23/2013 15:03:49.896 PDT
INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN 187.87.14.73 (15:03:49.896 PDT)
event=777:7777008 {icmp} E8[bh] Detected intense malware port scanning of 128 IPs (126 /24s) (# pkts S/M/O/I=0/128/0/0): 445:128, [] MAC_Src: 00:21:1C:EE:14:00 (15:03:49.896 PDT)
tcpslice 1366754629.896 1366754629.897 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.98
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 04/23/2013 15:03:49.896 PDT
Gen. Time: 04/23/2013 15:06:01.921 PDT
INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN 187.87.14.73 (2) (15:03:49.896 PDT)
event=777:7777008 (2) {icmp} E8[bh] Detected intense malware port scanning of 128 IPs (126 /24s) (# pkts S/M/O/I=0/128/0/0): 445:128, [] MAC_Src: 00:21:1C:EE:14:00 (15:03:49.896 PDT) (15:06:01.921 PDT)
tcpslice 1366754629.896 1366754629.897 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.98
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 04/23/2013 15:12:00.890 PDT
Gen. Time: 04/23/2013 15:12:00.890 PDT
INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN 187.87.14.73 (15:12:00.890 PDT)
event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 130 IPs (128 /24s) (# pkts S/M/O/I=0/130/0/0): 445:130, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (15:12:00.890 PDT)
tcpslice 1366755120.890 1366755120.891 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.98
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 04/23/2013 15:12:00.890 PDT
Gen. Time: 04/23/2013 15:14:50.389 PDT
INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN 187.87.14.73 (2) (15:12:00.890 PDT)
event=777:7777008 (2) {tcp} E8[bh] Detected intense malware port scanning of 130 IPs (128 /24s) (# pkts S/M/O/I=0/130/0/0): 445:130, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (15:12:00.890 PDT) 0->0 (15:13:46.047 PDT)
tcpslice 1366755120.890 1366755120.891 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.98
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 04/23/2013 15:17:18.886 PDT
Gen.
Time: 04/23/2013 15:17:18.886 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 187.87.14.73 (15:17:18.886 PDT) event=777:7777008 {icmp} E8[bh] Detected intense malware port scanning of 133 IPs (131 /24s) (# pkts S/M/O/I=0/133/0/0): 445:133, [] MAC_Src: 00:21:1C:EE:14:00 (15:17:18.886 PDT) tcpslice 1366755438.886 1366755438.887 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/23/2013 15:17:18.886 PDT Gen. Time: 04/23/2013 15:20:55.330 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 187.87.14.73 (2) (15:17:18.886 PDT) event=777:7777008 (2) {icmp} E8[bh] Detected intense malware port scanning of 133 IPs (131 /24s) (# pkts S/M/O/I=0/133/0/0): 445:133, [] MAC_Src: 00:21:1C:EE:14:00 (15:17:18.886 PDT) (15:19:28.813 PDT) tcpslice 1366755438.886 1366755438.887 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/23/2013 15:22:46.369 PDT Gen. 
Time: 04/23/2013 15:22:46.369 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 187.87.14.73 (15:22:46.369 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 138 IPs (136 /24s) (# pkts S/M/O/I=0/138/0/0): 445:138, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (15:22:46.369 PDT) tcpslice 1366755766.369 1366755766.370 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/23/2013 15:22:46.369 PDT Gen. Time: 04/23/2013 15:26:32.362 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 187.87.14.73 (3) (15:22:46.369 PDT) event=777:7777008 (3) {tcp} E8[bh] Detected intense malware port scanning of 138 IPs (136 /24s) (# pkts S/M/O/I=0/138/0/0): 445:138, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (15:22:46.369 PDT) 0->0 (15:24:48.005 PDT) (15:26:19.929 PDT) tcpslice 1366755766.369 1366755766.370 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/23/2013 15:28:17.014 PDT Gen. 
Time: 04/23/2013 15:28:17.014 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 187.87.14.73 (15:28:17.014 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 145 IPs (143 /24s) (# pkts S/M/O/I=0/145/0/0): 445:145, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (15:28:17.014 PDT) tcpslice 1366756097.014 1366756097.015 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/23/2013 15:28:17.014 PDT Gen. Time: 04/23/2013 15:32:41.810 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 187.87.14.73 (3) (15:28:17.014 PDT) event=777:7777008 (3) {tcp} E8[bh] Detected intense malware port scanning of 145 IPs (143 /24s) (# pkts S/M/O/I=0/145/0/0): 445:145, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (15:28:17.014 PDT) (15:29:49.352 PDT) 0->0 (15:32:41.810 PDT) tcpslice 1366756097.014 1366756097.015 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/23/2013 15:34:13.068 PDT Gen. 
Time: 04/23/2013 15:34:13.068 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 187.87.14.73 (15:34:13.068 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 155 IPs (152 /24s) (# pkts S/M/O/I=0/155/0/0): 445:155, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (15:34:13.068 PDT) tcpslice 1366756453.068 1366756453.069 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/23/2013 15:38:52.214 PDT Gen. Time: 04/23/2013 15:38:52.214 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 187.87.14.73 (15:38:52.214 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 157 IPs (154 /24s) (# pkts S/M/O/I=0/157/0/0): 445:157, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (15:38:52.214 PDT) tcpslice 1366756732.214 1366756732.215 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/23/2013 15:40:33.402 PDT Gen. 
Time: 04/23/2013 15:40:33.402 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 187.87.14.73 (15:40:33.402 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 159 IPs (156 /24s) (# pkts S/M/O/I=0/159/0/0): 445:159, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (15:40:33.402 PDT) tcpslice 1366756833.402 1366756833.403 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/23/2013 15:40:33.402 PDT Gen. Time: 04/23/2013 15:44:34.559 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 187.87.14.73 (2) (15:40:33.402 PDT) event=777:7777008 (2) {tcp} E8[bh] Detected intense malware port scanning of 159 IPs (156 /24s) (# pkts S/M/O/I=0/159/0/0): 445:159, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (15:40:33.402 PDT) 0->0 (15:43:52.428 PDT) tcpslice 1366756833.402 1366756833.403 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/23/2013 15:46:44.912 PDT Gen. 
Time: 04/23/2013 15:46:44.912 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 187.87.14.73 (15:46:44.912 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 165 IPs (162 /24s) (# pkts S/M/O/I=0/165/0/0): 445:165, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (15:46:44.912 PDT) tcpslice 1366757204.912 1366757204.913 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/23/2013 15:46:44.912 PDT Gen. Time: 04/23/2013 15:50:39.937 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 187.87.14.73 (2) (15:46:44.912 PDT) event=777:7777008 (2) {tcp} E8[bh] Detected intense malware port scanning of 165 IPs (162 /24s) (# pkts S/M/O/I=0/165/0/0): 445:165, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (15:46:44.912 PDT) (15:48:20.551 PDT) tcpslice 1366757204.912 1366757204.913 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/23/2013 15:51:05.354 PDT Gen. 
Time: 04/23/2013 15:51:05.354 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 187.87.14.73 (15:51:05.354 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 168 IPs (165 /24s) (# pkts S/M/O/I=0/168/0/0): 445:168, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (15:51:05.354 PDT) tcpslice 1366757465.354 1366757465.355 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/23/2013 15:51:05.354 PDT Gen. Time: 04/23/2013 15:55:19.107 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 187.87.14.73 (2) (15:51:05.354 PDT) event=777:7777008 (2) {tcp} E8[bh] Detected intense malware port scanning of 168 IPs (165 /24s) (# pkts S/M/O/I=0/168/0/0): 445:168, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (15:51:05.354 PDT) 0->0 (15:53:18.574 PDT) tcpslice 1366757465.354 1366757465.355 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/23/2013 15:56:13.700 PDT Gen. 
Time: 04/23/2013 15:56:13.700 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 187.87.14.73 (15:56:13.700 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 174 IPs (171 /24s) (# pkts S/M/O/I=0/174/0/0): 445:174, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (15:56:13.700 PDT) tcpslice 1366757773.700 1366757773.701 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 1.1 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/23/2013 16:18:31.884 PDT Gen. Time: 04/23/2013 16:20:46.065 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) 177.98.229.116 (2) (16:18:31.884 PDT) event=777:7777005 (2) {icmp} E5[bh] Detected moderate malware port scanning of 19 IPs (19 /24s) (# pkts S/M/O/I=0/19/0/0): 445:19, [] MAC_Src: 00:21:1C:EE:14:00 (16:18:31.884 PDT) 0->0 (16:20:36.937 PDT) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 177.98.229.116 (16:20:46.065 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 21 IPs (21 /24s) (# pkts S/M/O/I=0/21/0/0): 445:21, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (16:20:46.065 PDT) tcpslice 1366759111.884 1366759111.885 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR 
================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/23/2013 16:23:13.516 PDT Gen. Time: 04/23/2013 16:23:13.516 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 177.98.229.116 (16:23:13.516 PDT) event=777:7777008 {icmp} E8[bh] Detected intense malware port scanning of 22 IPs (22 /24s) (# pkts S/M/O/I=0/22/0/0): 445:22, [] MAC_Src: 00:21:1C:EE:14:00 (16:23:13.516 PDT) tcpslice 1366759393.516 1366759393.517 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/23/2013 16:28:33.102 PDT Gen. 
Time: 04/23/2013 16:28:33.102 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 177.98.229.116 (16:28:33.102 PDT) event=777:7777008 {icmp} E8[bh] Detected intense malware port scanning of 24 IPs (24 /24s) (# pkts S/M/O/I=0/24/0/0): 445:24, [] MAC_Src: 00:21:1C:EE:14:00 (16:28:33.102 PDT) tcpslice 1366759713.102 1366759713.103 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/23/2013 16:32:45.289 PDT Gen. Time: 04/23/2013 16:32:45.289 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 177.98.229.116 (16:32:45.289 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 27 IPs (27 /24s) (# pkts S/M/O/I=0/27/0/0): 445:27, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (16:32:45.289 PDT) tcpslice 1366759965.289 1366759965.290 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/23/2013 16:37:41.819 PDT Gen. 
Time: 04/23/2013 16:37:41.819 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 177.98.229.116 (16:37:41.819 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 28 IPs (28 /24s) (# pkts S/M/O/I=0/28/0/0): 445:28, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (16:37:41.819 PDT) tcpslice 1366760261.819 1366760261.820 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/23/2013 16:37:41.819 PDT Gen. Time: 04/23/2013 16:40:59.002 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 177.98.229.116 (2) (16:37:41.819 PDT) event=777:7777008 (2) {tcp} E8[bh] Detected intense malware port scanning of 28 IPs (28 /24s) (# pkts S/M/O/I=0/28/0/0): 445:28, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (16:37:41.819 PDT) 0->0 (16:40:23.544 PDT) tcpslice 1366760261.819 1366760261.820 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/23/2013 16:45:19.599 PDT Gen. 
Time: 04/23/2013 16:45:19.599 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 177.98.229.116 (16:45:19.599 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 32 IPs (32 /24s) (# pkts S/M/O/I=0/32/0/0): 445:32, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (16:45:19.599 PDT) tcpslice 1366760719.599 1366760719.600 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/23/2013 16:45:19.599 PDT Gen. Time: 04/23/2013 16:49:24.430 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 177.98.229.116 (2) (16:45:19.599 PDT) event=777:7777008 (2) {tcp} E8[bh] Detected intense malware port scanning of 32 IPs (32 /24s) (# pkts S/M/O/I=0/32/0/0): 445:32, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (16:45:19.599 PDT) 0->0 (16:46:51.114 PDT) tcpslice 1366760719.599 1366760719.600 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/23/2013 16:49:36.189 PDT Gen. 
Time: 04/23/2013 16:49:36.189 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 177.98.229.116 (16:49:36.189 PDT) event=777:7777008 {icmp} E8[bh] Detected intense malware port scanning of 35 IPs (35 /24s) (# pkts S/M/O/I=0/35/0/0): 445:35, [] MAC_Src: 00:21:1C:EE:14:00 (16:49:36.189 PDT) tcpslice 1366760976.189 1366760976.190 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/23/2013 16:49:36.189 PDT Gen. Time: 04/23/2013 16:51:32.961 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 177.98.229.116 (2) (16:49:36.189 PDT) event=777:7777008 (2) {icmp} E8[bh] Detected intense malware port scanning of 35 IPs (35 /24s) (# pkts S/M/O/I=0/35/0/0): 445:35, [] MAC_Src: 00:21:1C:EE:14:00 (16:49:36.189 PDT) 0->0 (16:51:22.062 PDT) tcpslice 1366760976.189 1366760976.190 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/23/2013 16:56:24.598 PDT Gen. 
Time: 04/23/2013 16:56:24.598 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 177.98.229.116 (16:56:24.598 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 39 IPs (39 /24s) (# pkts S/M/O/I=0/39/0/0): 445:39, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (16:56:24.598 PDT) tcpslice 1366761384.598 1366761384.599 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/23/2013 16:56:24.598 PDT Gen. Time: 04/23/2013 17:00:38.327 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 177.98.229.116 (2) (16:56:24.598 PDT) event=777:7777008 (2) {tcp} E8[bh] Detected intense malware port scanning of 39 IPs (39 /24s) (# pkts S/M/O/I=0/39/0/0): 445:39, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (16:56:24.598 PDT) (16:59:13.160 PDT) tcpslice 1366761384.598 1366761384.599 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/23/2013 17:01:09.194 PDT Gen. 
Time: 04/23/2013 17:01:09.194 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 177.98.229.116 (17:01:09.194 PDT) event=777:7777008 {icmp} E8[bh] Detected intense malware port scanning of 44 IPs (44 /24s) (# pkts S/M/O/I=0/44/0/0): 445:44, [] MAC_Src: 00:21:1C:EE:14:00 (17:01:09.194 PDT) tcpslice 1366761669.194 1366761669.195 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/23/2013 17:01:09.194 PDT Gen. Time: 04/23/2013 17:05:13.230 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 177.98.229.116 (2) (17:01:09.194 PDT) event=777:7777008 (2) {icmp} E8[bh] Detected intense malware port scanning of 44 IPs (44 /24s) (# pkts S/M/O/I=0/44/0/0): 445:44, [] MAC_Src: 00:21:1C:EE:14:00 (17:01:09.194 PDT) (17:03:39.756 PDT) tcpslice 1366761669.194 1366761669.195 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/23/2013 17:08:21.769 PDT Gen. 
Time: 04/23/2013 17:08:21.769 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 177.98.229.116 (17:08:21.769 PDT) event=777:7777008 {icmp} E8[bh] Detected intense malware port scanning of 47 IPs (47 /24s) (# pkts S/M/O/I=0/47/0/0): 445:47, [] MAC_Src: 00:21:1C:EE:14:00 (17:08:21.769 PDT) tcpslice 1366762101.769 1366762101.770 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/23/2013 17:08:21.769 PDT Gen. Time: 04/23/2013 17:11:24.179 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 177.98.229.116 (2) (17:08:21.769 PDT) event=777:7777008 (2) {icmp} E8[bh] Detected intense malware port scanning of 47 IPs (47 /24s) (# pkts S/M/O/I=0/47/0/0): 445:47, [] MAC_Src: 00:21:1C:EE:14:00 (17:08:21.769 PDT) 0->0 (17:10:34.026 PDT) tcpslice 1366762101.769 1366762101.770 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/23/2013 17:12:54.947 PDT Gen. 
Time: 04/23/2013 17:12:54.947 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 177.98.229.116 (17:12:54.947 PDT) event=777:7777008 {icmp} E8[bh] Detected intense malware port scanning of 52 IPs (52 /24s) (# pkts S/M/O/I=0/52/0/0): 445:52, [] MAC_Src: 00:21:1C:EE:14:00 (17:12:54.947 PDT) tcpslice 1366762374.947 1366762374.948 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/23/2013 17:17:00.642 PDT Gen. Time: 04/23/2013 17:17:00.642 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 177.98.229.116 (17:17:00.642 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 55 IPs (55 /24s) (# pkts S/M/O/I=0/55/0/0): 445:55, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (17:17:00.642 PDT) tcpslice 1366762620.642 1366762620.643 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/23/2013 17:17:00.642 PDT Gen. 
Time: 04/23/2013 17:19:54.390 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 177.98.229.116 (2) (17:17:00.642 PDT) event=777:7777008 (2) {tcp} E8[bh] Detected intense malware port scanning of 55 IPs (55 /24s) (# pkts S/M/O/I=0/55/0/0): 445:55, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (17:17:00.642 PDT) 0->0 (17:18:59.727 PDT) tcpslice 1366762620.642 1366762620.643 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/23/2013 17:23:29.797 PDT Gen. Time: 04/23/2013 17:23:29.797 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 177.98.229.116 (17:23:29.797 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 59 IPs (59 /24s) (# pkts S/M/O/I=0/59/0/0): 445:59, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (17:23:29.797 PDT) tcpslice 1366763009.797 1366763009.798 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/23/2013 17:23:29.797 PDT Gen. 
Time: 04/23/2013 17:25:59.037 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 177.98.229.116 (2) (17:23:29.797 PDT) event=777:7777008 (2) {tcp} E8[bh] Detected intense malware port scanning of 59 IPs (59 /24s) (# pkts S/M/O/I=0/59/0/0): 445:59, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (17:23:29.797 PDT) (17:25:59.037 PDT) tcpslice 1366763009.797 1366763009.798 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/23/2013 17:27:50.105 PDT Gen. Time: 04/23/2013 17:27:50.105 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 177.98.229.116 (17:27:50.105 PDT) event=777:7777008 {icmp} E8[bh] Detected intense malware port scanning of 63 IPs (63 /24s) (# pkts S/M/O/I=0/63/0/0): 445:63, [] MAC_Src: 00:21:1C:EE:14:00 (17:27:50.105 PDT) tcpslice 1366763270.105 1366763270.106 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/23/2013 17:27:50.105 PDT Gen. 
Time: 04/23/2013 17:31:51.252 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 177.98.229.116 (2) (17:27:50.105 PDT) event=777:7777008 (2) {icmp} E8[bh] Detected intense malware port scanning of 63 IPs (63 /24s) (# pkts S/M/O/I=0/63/0/0): 445:63, [] MAC_Src: 00:21:1C:EE:14:00 (17:27:50.105 PDT) (17:29:43.071 PDT) tcpslice 1366763270.105 1366763270.106 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/23/2013 17:31:52.570 PDT Gen. Time: 04/23/2013 17:31:52.570 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 177.98.229.116 (17:31:52.570 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 67 IPs (67 /24s) (# pkts S/M/O/I=0/67/0/0): 445:67, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (17:31:52.570 PDT) tcpslice 1366763512.570 1366763512.571 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/23/2013 17:34:19.786 PDT Gen. 
Time: 04/23/2013 17:34:19.786 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 177.98.229.116 (17:34:19.786 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 70 IPs (70 /24s) (# pkts S/M/O/I=0/70/0/0): 445:70, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (17:34:19.786 PDT) tcpslice 1366763659.786 1366763659.787 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/23/2013 17:34:19.786 PDT Gen. Time: 04/23/2013 17:38:35.985 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 177.98.229.116 (2) (17:34:19.786 PDT) event=777:7777008 (2) {tcp} E8[bh] Detected intense malware port scanning of 70 IPs (70 /24s) (# pkts S/M/O/I=0/70/0/0): 445:70, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (17:34:19.786 PDT) (17:36:24.193 PDT) tcpslice 1366763659.786 1366763659.787 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/23/2013 17:39:20.433 PDT Gen. 
Time: 04/23/2013 17:39:20.433 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 177.98.229.116 (17:39:20.433 PDT) event=777:7777008 {icmp} E8[bh] Detected intense malware port scanning of 74 IPs (74 /24s) (# pkts S/M/O/I=0/74/0/0): 445:74, [] MAC_Src: 00:21:1C:EE:14:00 (17:39:20.433 PDT) tcpslice 1366763960.433 1366763960.434 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/23/2013 17:39:20.433 PDT Gen. Time: 04/23/2013 17:42:04.257 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 177.98.229.116 (2) (17:39:20.433 PDT) event=777:7777008 (2) {icmp} E8[bh] Detected intense malware port scanning of 74 IPs (74 /24s) (# pkts S/M/O/I=0/74/0/0): 445:74, [] MAC_Src: 00:21:1C:EE:14:00 (17:39:20.433 PDT) 0->0 (17:40:52.120 PDT) tcpslice 1366763960.433 1366763960.434 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/23/2013 17:43:29.016 PDT Gen. 
Time: 04/23/2013 17:43:29.016 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 187.45.173.123 (17:43:29.016 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 83 IPs (83 /24s) (# pkts S/M/O/I=0/83/0/0): 445:83, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (17:43:29.016 PDT) tcpslice 1366764209.016 1366764209.017 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/23/2013 17:43:29.016 PDT Gen. Time: 04/23/2013 17:46:50.812 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 187.45.173.123 (2) (17:43:29.016 PDT) event=777:7777008 (2) {tcp} E8[bh] Detected intense malware port scanning of 83 IPs (83 /24s) (# pkts S/M/O/I=0/83/0/0): 445:83, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (17:43:29.016 PDT) 0->0 (17:45:20.988 PDT) tcpslice 1366764209.016 1366764209.017 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/23/2013 17:46:56.773 PDT Gen. 
Time: 04/23/2013 17:46:56.773 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 187.45.173.123 (17:46:56.773 PDT) event=777:7777008 {icmp} E8[bh] Detected intense malware port scanning of 86 IPs (86 /24s) (# pkts S/M/O/I=0/86/0/0): 445:86, [] MAC_Src: 00:21:1C:EE:14:00 (17:46:56.773 PDT) tcpslice 1366764416.773 1366764416.774 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/23/2013 17:46:56.773 PDT Gen. Time: 04/23/2013 17:50:39.785 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 187.45.173.123 (2) (17:46:56.773 PDT) event=777:7777008 (2) {icmp} E8[bh] Detected intense malware port scanning of 86 IPs (86 /24s) (# pkts S/M/O/I=0/86/0/0): 445:86, [] MAC_Src: 00:21:1C:EE:14:00 (17:46:56.773 PDT) 0->0 (17:49:30.780 PDT) tcpslice 1366764416.773 1366764416.774 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/23/2013 17:51:29.119 PDT Gen. 
Time: 04/23/2013 17:51:29.119 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 187.45.173.123 (17:51:29.119 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 93 IPs (93 /24s) (# pkts S/M/O/I=0/93/0/0): 445:93, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (17:51:29.119 PDT) tcpslice 1366764689.119 1366764689.120 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/23/2013 17:54:19.029 PDT Gen. Time: 04/23/2013 17:54:19.029 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 187.45.173.123 (17:54:19.029 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 96 IPs (96 /24s) (# pkts S/M/O/I=0/96/0/0): 445:96, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (17:54:19.029 PDT) tcpslice 1366764859.029 1366764859.030 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/23/2013 17:54:19.029 PDT Gen. 
Time: 04/23/2013 17:57:31.862 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 187.45.173.123 (2) (17:54:19.029 PDT) event=777:7777008 (2) {tcp} E8[bh] Detected intense malware port scanning of 96 IPs (96 /24s) (# pkts S/M/O/I=0/96/0/0): 445:96, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (17:54:19.029 PDT) 0->0 (17:56:20.964 PDT) tcpslice 1366764859.029 1366764859.030 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/23/2013 17:57:53.804 PDT Gen. Time: 04/23/2013 17:57:53.804 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 187.45.173.123 (17:57:53.804 PDT) event=777:7777008 {icmp} E8[bh] Detected intense malware port scanning of 100 IPs (100 /24s) (# pkts S/M/O/I=0/100/0/0): 445:100, [] MAC_Src: 00:21:1C:EE:14:00 (17:57:53.804 PDT) tcpslice 1366765073.804 1366765073.805 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/23/2013 17:57:53.804 PDT Gen. 
Time: 04/23/2013 18:01:52.392 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 187.45.173.123 (2) (17:57:53.804 PDT) event=777:7777008 (2) {icmp} E8[bh] Detected intense malware port scanning of 100 IPs (100 /24s) (# pkts S/M/O/I=0/100/0/0): 445:100, [] MAC_Src: 00:21:1C:EE:14:00 (17:57:53.804 PDT) 0->0 (18:00:58.418 PDT) tcpslice 1366765073.804 1366765073.805 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/23/2013 18:03:39.806 PDT Gen. Time: 04/23/2013 18:03:39.806 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 187.45.173.123 (18:03:39.806 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 106 IPs (106 /24s) (# pkts S/M/O/I=0/106/0/0): 445:106, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (18:03:39.806 PDT) tcpslice 1366765419.806 1366765419.807 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/23/2013 18:08:19.161 PDT Gen. 
Time: 04/23/2013 18:08:19.161 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 187.45.173.123 (18:08:19.161 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 108 IPs (108 /24s) (# pkts S/M/O/I=0/108/0/0): 445:108, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (18:08:19.161 PDT) tcpslice 1366765699.161 1366765699.162 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/23/2013 18:08:19.161 PDT Gen. Time: 04/23/2013 18:11:10.123 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 187.45.173.123 (2) (18:08:19.161 PDT) event=777:7777008 (2) {tcp} E8[bh] Detected intense malware port scanning of 108 IPs (108 /24s) (# pkts S/M/O/I=0/108/0/0): 445:108, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (18:08:19.161 PDT) 0->0 (18:09:51.404 PDT) tcpslice 1366765699.161 1366765699.162 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/23/2013 18:11:54.027 PDT Gen. 
Time: 04/23/2013 18:11:54.027 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 187.45.173.123 (18:11:54.027 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 110 IPs (110 /24s) (# pkts S/M/O/I=0/110/0/0): 445:110, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (18:11:54.027 PDT) tcpslice 1366765914.027 1366765914.028 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/23/2013 18:11:54.027 PDT Gen. Time: 04/23/2013 18:15:35.127 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 187.45.173.123 (3) (18:11:54.027 PDT) event=777:7777008 (3) {tcp} E8[bh] Detected intense malware port scanning of 110 IPs (110 /24s) (# pkts S/M/O/I=0/110/0/0): 445:110, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (18:11:54.027 PDT) (18:13:33.122 PDT) (18:15:35.127 PDT) tcpslice 1366765914.027 1366765914.028 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/23/2013 18:19:28.388 PDT Gen. 
Time: 04/23/2013 18:19:28.388 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 187.45.173.123 (18:19:28.388 PDT) event=777:7777008 {icmp} E8[bh] Detected intense malware port scanning of 115 IPs (115 /24s) (# pkts S/M/O/I=0/115/0/0): 445:115, [] MAC_Src: 00:21:1C:EE:14:00 (18:19:28.388 PDT) tcpslice 1366766368.388 1366766368.389 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/23/2013 18:19:28.388 PDT Gen. Time: 04/23/2013 18:23:28.357 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 187.45.173.123 (2) (18:19:28.388 PDT) event=777:7777008 (2) {icmp} E8[bh] Detected intense malware port scanning of 115 IPs (115 /24s) (# pkts S/M/O/I=0/115/0/0): 445:115, [] MAC_Src: 00:21:1C:EE:14:00 (18:19:28.388 PDT) 0->0 (18:21:34.013 PDT) tcpslice 1366766368.388 1366766368.389 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/23/2013 18:23:28.665 PDT Gen. 
Time: 04/23/2013 18:23:28.665 PDT
INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN
  187.45.173.123 (18:23:28.665 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 123 IPs (123 /24s) (# pkts S/M/O/I=0/123/0/0): 445:123, [] MAC_Src: 00:21:1C:EE:14:00
  0->0 (18:23:28.665 PDT)
tcpslice 1366766608.665 1366766608.666 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.98
Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List:
Observed Start: 04/23/2013 18:23:28.665 PDT
Gen. Time: 04/23/2013 18:26:37.225 PDT
INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN
  187.45.173.123 (2) (18:23:28.665 PDT) event=777:7777008 (2) {tcp} E8[bh] Detected intense malware port scanning of 123 IPs (123 /24s) (# pkts S/M/O/I=0/123/0/0): 445:123, [] MAC_Src: 00:21:1C:EE:14:00
  0->0 (18:23:28.665 PDT) (18:26:37.225 PDT)
tcpslice 1366766608.665 1366766608.666 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.98
Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List:
Observed Start: 04/23/2013 18:28:07.133 PDT
Gen. Time: 04/23/2013 18:28:07.133 PDT
INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN
  187.45.173.123 (18:28:07.133 PDT) event=777:7777008 {icmp} E8[bh] Detected intense malware port scanning of 128 IPs (128 /24s) (# pkts S/M/O/I=0/128/0/0): 445:128, [] MAC_Src: 00:21:1C:EE:14:00
  (18:28:07.133 PDT)
tcpslice 1366766887.133 1366766887.134 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.98
Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List:
Observed Start: 04/23/2013 18:28:07.133 PDT
Gen. Time: 04/23/2013 18:31:47.327 PDT
INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN
  187.45.173.123 (2) (18:28:07.133 PDT) event=777:7777008 (2) {icmp} E8[bh] Detected intense malware port scanning of 128 IPs (128 /24s) (# pkts S/M/O/I=0/128/0/0): 445:128, [] MAC_Src: 00:21:1C:EE:14:00
  (18:28:07.133 PDT) (18:29:37.814 PDT)
tcpslice 1366766887.133 1366766887.134 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.98
Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List:
Observed Start: 04/23/2013 18:34:24.089 PDT
Gen. Time: 04/23/2013 18:34:24.089 PDT
INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN
  187.45.173.123 (18:34:24.089 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 131 IPs (131 /24s) (# pkts S/M/O/I=0/131/0/0): 445:131, [] MAC_Src: 00:21:1C:EE:14:00
  0->0 (18:34:24.089 PDT)
tcpslice 1366767264.089 1366767264.090 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.98
Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List:
Observed Start: 04/23/2013 18:34:24.089 PDT
Gen. Time: 04/23/2013 18:36:50.328 PDT
INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN
  187.45.173.123 (2) (18:34:24.089 PDT) event=777:7777008 (2) {tcp} E8[bh] Detected intense malware port scanning of 131 IPs (131 /24s) (# pkts S/M/O/I=0/131/0/0): 445:131, [] MAC_Src: 00:21:1C:EE:14:00
  0->0 (18:34:24.089 PDT) (18:35:59.677 PDT)
tcpslice 1366767264.089 1366767264.090 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.98
Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List:
Observed Start: 04/23/2013 18:37:39.762 PDT
Gen. Time: 04/23/2013 18:37:39.762 PDT
INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN
  187.45.173.123 (18:37:39.762 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 135 IPs (135 /24s) (# pkts S/M/O/I=0/135/0/0): 445:135, [] MAC_Src: 00:21:1C:EE:14:00
  0->0 (18:37:39.762 PDT)
tcpslice 1366767459.762 1366767459.763 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.98
Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List:
Observed Start: 04/23/2013 18:37:39.762 PDT
Gen. Time: 04/23/2013 18:40:52.968 PDT
INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN
  187.45.173.123 (2) (18:37:39.762 PDT) event=777:7777008 (2) {tcp} E8[bh] Detected intense malware port scanning of 135 IPs (135 /24s) (# pkts S/M/O/I=0/135/0/0): 445:135, [] MAC_Src: 00:21:1C:EE:14:00
  0->0 (18:37:39.762 PDT) (18:39:38.818 PDT)
tcpslice 1366767459.762 1366767459.763 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.98
Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List:
Observed Start: 04/23/2013 18:46:19.757 PDT
Gen. Time: 04/23/2013 18:46:19.757 PDT
INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN
  187.45.173.123 (18:46:19.757 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 137 IPs (137 /24s) (# pkts S/M/O/I=0/137/0/0): 445:137, [] MAC_Src: 00:21:1C:EE:14:00
  0->0 (18:46:19.757 PDT)
tcpslice 1366767979.757 1366767979.758 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.98
Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List:
Observed Start: 04/23/2013 18:46:19.757 PDT
Gen. Time: 04/23/2013 18:50:37.621 PDT
INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN
  187.45.173.123 (2) (18:46:19.757 PDT) event=777:7777008 (2) {tcp} E8[bh] Detected intense malware port scanning of 137 IPs (137 /24s) (# pkts S/M/O/I=0/137/0/0): 445:137, [] MAC_Src: 00:21:1C:EE:14:00
  0->0 (18:46:19.757 PDT) 0->0 (18:48:55.676 PDT)
tcpslice 1366767979.757 1366767979.758 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.98
Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List:
Observed Start: 04/23/2013 18:51:45.713 PDT
Gen. Time: 04/23/2013 18:51:45.713 PDT
INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN
  187.45.173.123 (18:51:45.713 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 139 IPs (139 /24s) (# pkts S/M/O/I=0/139/0/0): 445:139, [] MAC_Src: 00:21:1C:EE:14:00
  0->0 (18:51:45.713 PDT)
tcpslice 1366768305.713 1366768305.714 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.98
Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List:
Observed Start: 04/23/2013 18:51:45.713 PDT
Gen. Time: 04/23/2013 18:55:26.720 PDT
INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN
  187.45.173.123 (2) (18:51:45.713 PDT) event=777:7777008 (2) {tcp} E8[bh] Detected intense malware port scanning of 139 IPs (139 /24s) (# pkts S/M/O/I=0/139/0/0): 445:139, [] MAC_Src: 00:21:1C:EE:14:00
  0->0 (18:51:45.713 PDT) (18:53:57.735 PDT)
tcpslice 1366768305.713 1366768305.714 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.98
Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List:
Observed Start: 04/23/2013 18:57:08.270 PDT
Gen. Time: 04/23/2013 18:57:08.270 PDT
INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN
  187.45.173.123 (18:57:08.270 PDT) event=777:7777008 {icmp} E8[bh] Detected intense malware port scanning of 144 IPs (144 /24s) (# pkts S/M/O/I=0/144/0/0): 445:144, [] MAC_Src: 00:21:1C:EE:14:00
  (18:57:08.270 PDT)
tcpslice 1366768628.270 1366768628.271 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.98
Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List:
Observed Start: 04/23/2013 19:04:09.731 PDT
Gen. Time: 04/23/2013 19:04:09.731 PDT
INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN
  177.73.83.59 (19:04:09.731 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 147 IPs (147 /24s) (# pkts S/M/O/I=0/147/0/0): 445:147, [] MAC_Src: 00:21:1C:EE:14:00
  0->0 (19:04:09.731 PDT)
tcpslice 1366769049.731 1366769049.732 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.98
Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List:
Observed Start: 04/23/2013 19:08:15.941 PDT
Gen. Time: 04/23/2013 19:08:15.941 PDT
INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN
  177.73.83.59 (19:08:15.941 PDT) event=777:7777008 {icmp} E8[bh] Detected intense malware port scanning of 148 IPs (148 /24s) (# pkts S/M/O/I=0/148/0/0): 445:148, [] MAC_Src: 00:21:1C:EE:14:00
  (19:08:15.941 PDT)
tcpslice 1366769295.941 1366769295.942 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.98
Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List:
Observed Start: 04/23/2013 19:08:15.941 PDT
Gen. Time: 04/23/2013 19:11:18.792 PDT
INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN
  177.73.83.59 (2) (19:08:15.941 PDT) event=777:7777008 (2) {icmp} E8[bh] Detected intense malware port scanning of 148 IPs (148 /24s) (# pkts S/M/O/I=0/148/0/0): 445:148, [] MAC_Src: 00:21:1C:EE:14:00
  (19:08:15.941 PDT) (19:10:17.644 PDT)
tcpslice 1366769295.941 1366769295.942 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.98
Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List:
Observed Start: 04/23/2013 19:13:10.036 PDT
Gen. Time: 04/23/2013 19:13:10.036 PDT
INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN
  177.0.231.120 (19:13:10.036 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 152 IPs (152 /24s) (# pkts S/M/O/I=0/152/0/0): 445:152, [] MAC_Src: 00:21:1C:EE:14:00
  0->0 (19:13:10.036 PDT)
tcpslice 1366769590.036 1366769590.037 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.98
Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List:
Observed Start: 04/23/2013 19:17:58.582 PDT
Gen. Time: 04/23/2013 19:17:58.582 PDT
INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN
  177.0.231.120 (19:17:58.582 PDT) event=777:7777008 {icmp} E8[bh] Detected intense malware port scanning of 154 IPs (154 /24s) (# pkts S/M/O/I=0/154/0/0): 445:154, [] MAC_Src: 00:21:1C:EE:14:00
  (19:17:58.582 PDT)
tcpslice 1366769878.582 1366769878.583 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.98
Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List:
Observed Start: 04/23/2013 19:17:58.582 PDT
Gen. Time: 04/23/2013 19:22:04.994 PDT
INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN
  177.0.231.120 (3) (19:17:58.582 PDT) event=777:7777008 (3) {icmp} E8[bh] Detected intense malware port scanning of 154 IPs (154 /24s) (# pkts S/M/O/I=0/154/0/0): 445:154, [] MAC_Src: 00:21:1C:EE:14:00
  (19:17:58.582 PDT) 0->0 (19:19:28.641 PDT) (19:21:38.759 PDT)
tcpslice 1366769878.582 1366769878.583 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.98
Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List:
Observed Start: 04/23/2013 19:23:27.902 PDT
Gen. Time: 04/23/2013 19:23:27.902 PDT
INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN
  177.0.231.120 (19:23:27.902 PDT) event=777:7777008 {icmp} E8[bh] Detected intense malware port scanning of 159 IPs (159 /24s) (# pkts S/M/O/I=0/159/0/0): 445:159, [] MAC_Src: 00:21:1C:EE:14:00
  (19:23:27.902 PDT)
tcpslice 1366770207.902 1366770207.903 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.98
Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List:
Observed Start: 04/23/2013 19:27:09.667 PDT
Gen. Time: 04/23/2013 19:27:09.667 PDT
INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN
  177.0.231.120 (19:27:09.667 PDT) event=777:7777008 {icmp} E8[bh] Detected intense malware port scanning of 161 IPs (161 /24s) (# pkts S/M/O/I=0/161/0/0): 445:161, [] MAC_Src: 00:21:1C:EE:14:00
  (19:27:09.667 PDT)
tcpslice 1366770429.667 1366770429.668 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.98
Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List:
Observed Start: 04/23/2013 19:27:09.667 PDT
Gen. Time: 04/23/2013 19:31:24.213 PDT
INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN
  177.0.231.120 (3) (19:27:09.667 PDT) event=777:7777008 (3) {icmp} E8[bh] Detected intense malware port scanning of 161 IPs (161 /24s) (# pkts S/M/O/I=0/161/0/0): 445:161, [] MAC_Src: 00:21:1C:EE:14:00
  (19:27:09.667 PDT) 0->0 (19:28:47.252 PDT) (19:31:24.213 PDT)
tcpslice 1366770429.667 1366770429.668 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.98
Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List:
Observed Start: 04/23/2013 19:34:02.981 PDT
Gen. Time: 04/23/2013 19:34:02.981 PDT
INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN
  187.95.70.114 (19:34:02.981 PDT) event=777:7777008 {icmp} E8[bh] Detected intense malware port scanning of 166 IPs (164 /24s) (# pkts S/M/O/I=0/166/0/0): 445:166, [] MAC_Src: 00:21:1C:EE:14:00
  (19:34:02.981 PDT)
tcpslice 1366770842.981 1366770842.982 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.98
Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List:
Observed Start: 04/23/2013 19:34:02.981 PDT
Gen. Time: 04/23/2013 19:37:52.057 PDT
INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN
  187.95.70.114 (2) (19:34:02.981 PDT) event=777:7777008 (2) {icmp} E8[bh] Detected intense malware port scanning of 166 IPs (164 /24s) (# pkts S/M/O/I=0/166/0/0): 445:166, [] MAC_Src: 00:21:1C:EE:14:00
  (19:34:02.981 PDT) 0->0 (19:36:35.755 PDT)
tcpslice 1366770842.981 1366770842.982 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.98
Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List:
Observed Start: 04/23/2013 19:38:24.995 PDT
Gen. Time: 04/23/2013 19:38:24.995 PDT
INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN
  187.95.70.114 (19:38:24.995 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 168 IPs (166 /24s) (# pkts S/M/O/I=0/168/0/0): 445:168, [] MAC_Src: 00:21:1C:EE:14:00
  0->0 (19:38:24.995 PDT)
tcpslice 1366771104.995 1366771104.996 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.98
Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List:
Observed Start: 04/23/2013 19:38:24.995 PDT
Gen. Time: 04/23/2013 19:42:27.426 PDT
INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN
  187.95.70.114 (3) (19:38:24.995 PDT) event=777:7777008 (3) {tcp} E8[bh] Detected intense malware port scanning of 168 IPs (166 /24s) (# pkts S/M/O/I=0/168/0/0): 445:168, [] MAC_Src: 00:21:1C:EE:14:00
  0->0 (19:38:24.995 PDT) (19:40:08.617 PDT) 0->0 (19:41:59.667 PDT)
tcpslice 1366771104.995 1366771104.996 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.98
Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List:
Observed Start: 04/23/2013 19:46:30.158 PDT
Gen. Time: 04/23/2013 19:46:30.158 PDT
INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN
  187.95.70.114 (19:46:30.158 PDT) event=777:7777008 {icmp} E8[bh] Detected intense malware port scanning of 175 IPs (173 /24s) (# pkts S/M/O/I=0/175/0/0): 445:175, [] MAC_Src: 00:21:1C:EE:14:00
  (19:46:30.158 PDT)
tcpslice 1366771590.158 1366771590.159 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.98
Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List:
Observed Start: 04/23/2013 19:46:30.158 PDT
Gen. Time: 04/23/2013 19:50:13.371 PDT
INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN
  187.95.70.114 (2) (19:46:30.158 PDT) event=777:7777008 (2) {icmp} E8[bh] Detected intense malware port scanning of 175 IPs (173 /24s) (# pkts S/M/O/I=0/175/0/0): 445:175, [] MAC_Src: 00:21:1C:EE:14:00
  (19:46:30.158 PDT) (19:48:19.346 PDT)
tcpslice 1366771590.158 1366771590.159 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.98
Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List:
Observed Start: 04/23/2013 19:50:19.237 PDT
Gen. Time: 04/23/2013 19:50:19.237 PDT
INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN
  187.95.70.114 (19:50:19.237 PDT) event=777:7777008 {icmp} E8[bh] Detected intense malware port scanning of 179 IPs (177 /24s) (# pkts S/M/O/I=0/179/0/0): 445:179, [] MAC_Src: 00:21:1C:EE:14:00
  (19:50:19.237 PDT)
tcpslice 1366771819.237 1366771819.238 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.98
Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List:
Observed Start: 04/23/2013 19:54:37.156 PDT
Gen. Time: 04/23/2013 19:54:37.156 PDT
INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN
  187.95.70.114 (19:54:37.156 PDT) event=777:7777008 {icmp} E8[bh] Detected intense malware port scanning of 182 IPs (180 /24s) (# pkts S/M/O/I=0/182/0/0): 445:182, [] MAC_Src: 00:21:1C:EE:14:00
  (19:54:37.156 PDT)
tcpslice 1366772077.156 1366772077.157 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.98
Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List:
Observed Start: 04/23/2013 20:00:57.081 PDT
Gen. Time: 04/23/2013 20:00:57.081 PDT
INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN
  187.95.70.114 (20:00:57.081 PDT) event=777:7777008 {icmp} E8[bh] Detected intense malware port scanning of 183 IPs (181 /24s) (# pkts S/M/O/I=0/183/0/0): 445:183, [] MAC_Src: 00:21:1C:EE:14:00
  (20:00:57.081 PDT)
tcpslice 1366772457.081 1366772457.082 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.98
Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List:
Observed Start: 04/23/2013 20:00:57.081 PDT
Gen. Time: 04/23/2013 20:05:17.005 PDT
INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN
  187.95.70.114 (20:00:57.081 PDT) event=777:7777008 {icmp} E8[bh] Detected intense malware port scanning of 183 IPs (181 /24s) (# pkts S/M/O/I=0/183/0/0): 445:183, [] MAC_Src: 00:21:1C:EE:14:00
  (20:00:57.081 PDT)
  187.49.160.90 (20:04:39.678 PDT) event=777:7777008 {icmp} E8[bh] Detected intense malware port scanning of 186 IPs (184 /24s) (# pkts S/M/O/I=0/186/0/0): 445:186, [] MAC_Src: 00:21:1C:EE:14:00
  (20:04:39.678 PDT)
tcpslice 1366772457.081 1366772457.082 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.98
Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List:
Observed Start: 04/23/2013 20:07:17.993 PDT
Gen. Time: 04/23/2013 20:07:17.993 PDT
INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN
  187.49.160.90 (20:07:17.993 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 188 IPs (185 /24s) (# pkts S/M/O/I=0/188/0/0): 445:188, [] MAC_Src: 00:21:1C:EE:14:00
  0->0 (20:07:17.993 PDT)
tcpslice 1366772837.993 1366772837.994 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.98
Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List:
Observed Start: 04/23/2013 20:07:17.993 PDT
Gen. Time: 04/23/2013 20:10:34.929 PDT
INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN
  187.49.160.90 (3) (20:07:17.993 PDT) event=777:7777008 (3) {tcp} E8[bh] Detected intense malware port scanning of 188 IPs (185 /24s) (# pkts S/M/O/I=0/188/0/0): 445:188, [] MAC_Src: 00:21:1C:EE:14:00
  0->0 (20:07:17.993 PDT) (20:08:57.690 PDT) 0->0 (20:10:34.929 PDT)
tcpslice 1366772837.993 1366772837.994 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.98
Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List:
Observed Start: 04/23/2013 20:12:36.533 PDT
Gen. Time: 04/23/2013 20:12:36.533 PDT
INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN
  187.49.160.90 (20:12:36.533 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 195 IPs (192 /24s) (# pkts S/M/O/I=0/195/0/0): 445:195, [] MAC_Src: 00:21:1C:EE:14:00
  0->0 (20:12:36.533 PDT)
tcpslice 1366773156.533 1366773156.534 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.98
Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List:
Observed Start: 04/23/2013 20:12:36.533 PDT
Gen. Time: 04/23/2013 20:16:04.570 PDT
INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN
  187.49.160.90 (2) (20:12:36.533 PDT) event=777:7777008 (2) {tcp} E8[bh] Detected intense malware port scanning of 195 IPs (192 /24s) (# pkts S/M/O/I=0/195/0/0): 445:195, [] MAC_Src: 00:21:1C:EE:14:00
  0->0 (20:12:36.533 PDT) (20:14:08.598 PDT)
tcpslice 1366773156.533 1366773156.534 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.98
Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List:
Observed Start: 04/23/2013 20:17:33.402 PDT
Gen. Time: 04/23/2013 20:17:33.402 PDT
INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN
  187.49.160.90 (20:17:33.402 PDT) event=777:7777008 {icmp} E8[bh] Detected intense malware port scanning of 199 IPs (196 /24s) (# pkts S/M/O/I=0/199/0/0): 445:199, [] MAC_Src: 00:21:1C:EE:14:00
  (20:17:33.402 PDT)
tcpslice 1366773453.402 1366773453.403 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98'
============================== SEPARATOR ================================
Score: 1.1 (>= 0.8)
Infected Target: 192.168.1.98
Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List:
Observed Start: 04/23/2013 20:52:35.944 PDT
Gen. Time: 04/23/2013 20:54:40.609 PDT
INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
  187.52.164.16 (20:52:35.944 PDT) event=777:7777005 {tcp} E5[bh] Detected moderate malware port scanning of 17 IPs (17 /24s) (# pkts S/M/O/I=0/17/0/0): 445:17, [] MAC_Src: 00:21:1C:EE:14:00
  0->0 (20:52:35.944 PDT)
  177.54.105.107 (20:54:23.603 PDT) event=777:7777005 {icmp} E5[bh] Detected moderate malware port scanning of 20 IPs (20 /24s) (# pkts S/M/O/I=0/20/0/0): 445:20, [] MAC_Src: 00:21:1C:EE:14:00
  (20:54:23.603 PDT)
OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN
  177.54.105.107 (20:54:40.609 PDT) event=777:7777008 {icmp} E8[bh] Detected intense malware port scanning of 21 IPs (21 /24s) (# pkts S/M/O/I=0/21/0/0): 445:21, [] MAC_Src: 00:21:1C:EE:14:00
  (20:54:40.609 PDT)
tcpslice 1366775555.944 1366775555.945 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.98
Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List:
Observed Start: 04/23/2013 20:57:16.707 PDT
Gen. Time: 04/23/2013 20:57:16.707 PDT
INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN
  177.54.105.107 (20:57:16.707 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 22 IPs (22 /24s) (# pkts S/M/O/I=0/22/0/0): 445:22, [] MAC_Src: 00:21:1C:EE:14:00
  0->0 (20:57:16.707 PDT)
tcpslice 1366775836.707 1366775836.708 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.98
Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List:
Observed Start: 04/23/2013 20:57:16.707 PDT
Gen. Time: 04/23/2013 21:00:44.521 PDT
INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN
  177.54.105.107 (2) (20:57:16.707 PDT) event=777:7777008 (2) {tcp} E8[bh] Detected intense malware port scanning of 22 IPs (22 /24s) (# pkts S/M/O/I=0/22/0/0): 445:22, [] MAC_Src: 00:21:1C:EE:14:00
  0->0 (20:57:16.707 PDT) (21:00:15.746 PDT)
tcpslice 1366775836.707 1366775836.708 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.98
Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List:
Observed Start: 04/23/2013 21:02:56.074 PDT Gen.
Time: 04/23/2013 21:02:56.074 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 177.54.105.107 (21:02:56.074 PDT) event=777:7777008 {icmp} E8[bh] Detected intense malware port scanning of 26 IPs (26 /24s) (# pkts S/M/O/I=0/26/0/0): 445:26, [] MAC_Src: 00:21:1C:EE:14:00 (21:02:56.074 PDT) tcpslice 1366776176.074 1366776176.075 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/23/2013 21:02:56.074 PDT Gen. Time: 04/23/2013 21:06:30.034 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 177.54.105.107 (2) (21:02:56.074 PDT) event=777:7777008 (2) {icmp} E8[bh] Detected intense malware port scanning of 26 IPs (26 /24s) (# pkts S/M/O/I=0/26/0/0): 445:26, [] MAC_Src: 00:21:1C:EE:14:00 (21:02:56.074 PDT) (21:04:39.591 PDT) tcpslice 1366776176.074 1366776176.075 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/23/2013 21:06:50.876 PDT Gen. 
Time: 04/23/2013 21:06:50.876 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 177.54.105.107 (21:06:50.876 PDT) event=777:7777008 {icmp} E8[bh] Detected intense malware port scanning of 29 IPs (29 /24s) (# pkts S/M/O/I=0/29/0/0): 445:29, [] MAC_Src: 00:21:1C:EE:14:00 (21:06:50.876 PDT) tcpslice 1366776410.876 1366776410.877 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/23/2013 21:06:50.876 PDT Gen. Time: 04/23/2013 21:10:40.717 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 177.54.105.107 (3) (21:06:50.876 PDT) event=777:7777008 (3) {icmp} E8[bh] Detected intense malware port scanning of 29 IPs (29 /24s) (# pkts S/M/O/I=0/29/0/0): 445:29, [] MAC_Src: 00:21:1C:EE:14:00 (21:06:50.876 PDT) (21:08:59.861 PDT) 0->0 (21:10:40.717 PDT) tcpslice 1366776410.876 1366776410.877 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/23/2013 21:12:41.335 PDT Gen. 
Time: 04/23/2013 21:12:41.335 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 177.54.105.107 (21:12:41.335 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 33 IPs (33 /24s) (# pkts S/M/O/I=0/33/0/0): 445:33, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (21:12:41.335 PDT) tcpslice 1366776761.335 1366776761.336 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/23/2013 21:12:41.335 PDT Gen. Time: 04/23/2013 21:16:07.031 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 177.54.105.107 (2) (21:12:41.335 PDT) event=777:7777008 (2) {tcp} E8[bh] Detected intense malware port scanning of 33 IPs (33 /24s) (# pkts S/M/O/I=0/33/0/0): 445:33, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (21:12:41.335 PDT) 0->0 (21:15:04.073 PDT) tcpslice 1366776761.335 1366776761.336 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/23/2013 21:17:09.671 PDT Gen. 
Time: 04/23/2013 21:17:09.671 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 177.54.105.107 (21:17:09.671 PDT) event=777:7777008 {icmp} E8[bh] Detected intense malware port scanning of 38 IPs (38 /24s) (# pkts S/M/O/I=0/38/0/0): 445:38, [] MAC_Src: 00:21:1C:EE:14:00 (21:17:09.671 PDT) tcpslice 1366777029.671 1366777029.672 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/23/2013 21:17:09.671 PDT Gen. Time: 04/23/2013 21:20:23.246 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 177.54.105.107 (2) (21:17:09.671 PDT) event=777:7777008 (2) {icmp} E8[bh] Detected intense malware port scanning of 38 IPs (38 /24s) (# pkts S/M/O/I=0/38/0/0): 445:38, [] MAC_Src: 00:21:1C:EE:14:00 (21:17:09.671 PDT) 0->0 (21:19:11.276 PDT) tcpslice 1366777029.671 1366777029.672 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/23/2013 21:21:16.060 PDT Gen. 
Time: 04/23/2013 21:21:16.060 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 201.33.20.5 (21:21:16.060 PDT) event=777:7777008 {icmp} E8[bh] Detected intense malware port scanning of 41 IPs (41 /24s) (# pkts S/M/O/I=0/41/0/0): 445:41, [] MAC_Src: 00:21:1C:EE:14:00 (21:21:16.060 PDT) tcpslice 1366777276.060 1366777276.061 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/23/2013 21:25:09.320 PDT Gen. Time: 04/23/2013 21:25:09.320 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 201.33.20.5 (21:25:09.320 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 43 IPs (43 /24s) (# pkts S/M/O/I=0/42/1/0): 445:42, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (21:25:09.320 PDT) tcpslice 1366777509.320 1366777509.321 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/23/2013 21:25:09.320 PDT Gen. 
Time: 04/23/2013 21:29:43.517 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 201.33.20.5 (2) (21:25:09.320 PDT) event=777:7777008 (2) {tcp} E8[bh] Detected intense malware port scanning of 43 IPs (43 /24s) (# pkts S/M/O/I=0/42/1/0): 445:42, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (21:25:09.320 PDT) (21:28:18.428 PDT) tcpslice 1366777509.320 1366777509.321 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/23/2013 21:31:20.646 PDT Gen. Time: 04/23/2013 21:31:20.646 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 201.33.20.5 (21:31:20.646 PDT) event=777:7777008 {icmp} E8[bh] Detected intense malware port scanning of 45 IPs (45 /24s) (# pkts S/M/O/I=0/44/1/0): 445:44, [] MAC_Src: 00:21:1C:EE:14:00 (21:31:20.646 PDT) tcpslice 1366777880.646 1366777880.647 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/23/2013 21:31:20.646 PDT Gen. 
Time: 04/23/2013 21:35:38.419 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 201.33.20.5 (2) (21:31:20.646 PDT) event=777:7777008 (2) {icmp} E8[bh] Detected intense malware port scanning of 45 IPs (45 /24s) (# pkts S/M/O/I=0/44/1/0): 445:44, [] MAC_Src: 00:21:1C:EE:14:00 (21:31:20.646 PDT) 0->0 (21:33:10.638 PDT) tcpslice 1366777880.646 1366777880.647 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/23/2013 21:36:38.885 PDT Gen. Time: 04/23/2013 21:36:38.885 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 201.33.20.5 (21:36:38.885 PDT) event=777:7777008 {icmp} E8[bh] Detected intense malware port scanning of 47 IPs (47 /24s) (# pkts S/M/O/I=0/46/1/0): 445:46, [] MAC_Src: 00:21:1C:EE:14:00 (21:36:38.885 PDT) tcpslice 1366778198.885 1366778198.886 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/23/2013 21:36:38.885 PDT Gen. 
Time: 04/23/2013 21:40:13.570 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 201.33.20.5 (2) (21:36:38.885 PDT) event=777:7777008 (2) {icmp} E8[bh] Detected intense malware port scanning of 47 IPs (47 /24s) (# pkts S/M/O/I=0/46/1/0): 445:46, [] MAC_Src: 00:21:1C:EE:14:00 (21:36:38.885 PDT) 0->0 (21:39:01.714 PDT) tcpslice 1366778198.885 1366778198.886 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/23/2013 21:41:13.257 PDT Gen. Time: 04/23/2013 21:41:13.257 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 201.33.20.5 (21:41:13.257 PDT) event=777:7777008 {icmp} E8[bh] Detected intense malware port scanning of 51 IPs (51 /24s) (# pkts S/M/O/I=0/50/1/0): 445:50, [] MAC_Src: 00:21:1C:EE:14:00 (21:41:13.257 PDT) tcpslice 1366778473.257 1366778473.258 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/23/2013 21:41:13.257 PDT Gen. 
Time: 04/23/2013 21:44:14.746 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 201.33.20.5 (2) (21:41:13.257 PDT) event=777:7777008 (2) {icmp} E8[bh] Detected intense malware port scanning of 51 IPs (51 /24s) (# pkts S/M/O/I=0/50/1/0): 445:50, [] MAC_Src: 00:21:1C:EE:14:00 (21:41:13.257 PDT) 0->0 (21:42:59.454 PDT) tcpslice 1366778473.257 1366778473.258 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/23/2013 21:44:54.931 PDT Gen. Time: 04/23/2013 21:44:54.931 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 201.33.20.5 (21:44:54.931 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 53 IPs (53 /24s) (# pkts S/M/O/I=0/52/1/0): 445:52, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (21:44:54.931 PDT) tcpslice 1366778694.931 1366778694.932 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/23/2013 21:44:54.931 PDT Gen. 
Time: 04/23/2013 21:48:17.765 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 201.33.20.5 (2) (21:44:54.931 PDT) event=777:7777008 (2) {tcp} E8[bh] Detected intense malware port scanning of 53 IPs (53 /24s) (# pkts S/M/O/I=0/52/1/0): 445:52, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (21:44:54.931 PDT) 0->0 (21:46:55.313 PDT) tcpslice 1366778694.931 1366778694.932 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/23/2013 21:49:06.652 PDT Gen. Time: 04/23/2013 21:49:06.652 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 201.33.20.5 (21:49:06.652 PDT) event=777:7777008 {icmp} E8[bh] Detected intense malware port scanning of 57 IPs (57 /24s) (# pkts S/M/O/I=0/56/1/0): 445:56, [] MAC_Src: 00:21:1C:EE:14:00 (21:49:06.652 PDT) tcpslice 1366778946.652 1366778946.653 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/23/2013 21:49:06.652 PDT Gen. 
Time: 04/23/2013 21:53:15.718 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 201.33.20.5 (3) (21:49:06.652 PDT) event=777:7777008 (3) {icmp} E8[bh] Detected intense malware port scanning of 57 IPs (57 /24s) (# pkts S/M/O/I=0/56/1/0): 445:56, [] MAC_Src: 00:21:1C:EE:14:00 (21:49:06.652 PDT) (21:50:44.705 PDT) 0->0 (21:52:16.478 PDT) tcpslice 1366778946.652 1366778946.653 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/23/2013 21:54:16.627 PDT Gen. Time: 04/23/2013 21:54:16.627 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 201.33.20.5 (21:54:16.627 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 67 IPs (67 /24s) (# pkts S/M/O/I=0/66/1/0): 445:66, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (21:54:16.627 PDT) tcpslice 1366779256.627 1366779256.628 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/23/2013 21:54:16.627 PDT Gen. 
Time: 04/23/2013 21:58:35.512 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 201.33.20.5 (2) (21:54:16.627 PDT) event=777:7777008 (2) {tcp} E8[bh] Detected intense malware port scanning of 67 IPs (67 /24s) (# pkts S/M/O/I=0/66/1/0): 445:66, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (21:54:16.627 PDT) (21:56:21.666 PDT) tcpslice 1366779256.627 1366779256.628 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/23/2013 21:59:03.076 PDT Gen. Time: 04/23/2013 21:59:03.076 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 201.33.20.5 (21:59:03.076 PDT) event=777:7777008 {icmp} E8[bh] Detected intense malware port scanning of 73 IPs (73 /24s) (# pkts S/M/O/I=0/72/1/0): 445:72, [] MAC_Src: 00:21:1C:EE:14:00 (21:59:03.076 PDT) tcpslice 1366779543.076 1366779543.077 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/23/2013 21:59:03.076 PDT Gen. 
Time: 04/23/2013 22:03:15.757 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 201.33.20.5 (2) (21:59:03.076 PDT) event=777:7777008 (2) {icmp} E8[bh] Detected intense malware port scanning of 73 IPs (73 /24s) (# pkts S/M/O/I=0/72/1/0): 445:72, [] MAC_Src: 00:21:1C:EE:14:00 (21:59:03.076 PDT) 0->0 (22:02:16.739 PDT) tcpslice 1366779543.076 1366779543.077 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/23/2013 22:04:27.532 PDT Gen. Time: 04/23/2013 22:04:27.532 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 201.33.20.5 (22:04:27.532 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 75 IPs (75 /24s) (# pkts S/M/O/I=0/74/1/0): 445:74, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (22:04:27.532 PDT) tcpslice 1366779867.532 1366779867.533 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/23/2013 22:04:27.532 PDT Gen. 
Time: 04/23/2013 22:08:28.054 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 201.33.20.5 (3) (22:04:27.532 PDT) event=777:7777008 (3) {tcp} E8[bh] Detected intense malware port scanning of 75 IPs (75 /24s) (# pkts S/M/O/I=0/74/1/0): 445:74, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (22:04:27.532 PDT) (22:06:33.715 PDT) (22:08:08.297 PDT) tcpslice 1366779867.532 1366779867.533 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/23/2013 22:09:56.269 PDT Gen. Time: 04/23/2013 22:09:56.269 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 201.33.20.5 (22:09:56.269 PDT) event=777:7777008 {icmp} E8[bh] Detected intense malware port scanning of 80 IPs (80 /24s) (# pkts S/M/O/I=0/79/1/0): 445:79, [] MAC_Src: 00:21:1C:EE:14:00 (22:09:56.269 PDT) tcpslice 1366780196.269 1366780196.270 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/23/2013 22:13:51.054 PDT Gen. 
Time: 04/23/2013 22:13:51.054 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 201.33.20.5 (22:13:51.054 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 81 IPs (81 /24s) (# pkts S/M/O/I=0/80/1/0): 445:80, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (22:13:51.054 PDT) tcpslice 1366780431.054 1366780431.055 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/23/2013 22:13:51.054 PDT Gen. Time: 04/23/2013 22:17:55.712 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 201.33.20.5 (3) (22:13:51.054 PDT) event=777:7777008 (3) {tcp} E8[bh] Detected intense malware port scanning of 81 IPs (81 /24s) (# pkts S/M/O/I=0/80/1/0): 445:80, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (22:13:51.054 PDT) (22:15:29.685 PDT) (22:17:55.712 PDT) tcpslice 1366780431.054 1366780431.055 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/23/2013 22:19:27.623 PDT Gen. 
Time: 04/23/2013 22:19:27.623 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 201.33.20.5 (22:19:27.623 PDT) event=777:7777008 {icmp} E8[bh] Detected intense malware port scanning of 89 IPs (89 /24s) (# pkts S/M/O/I=0/88/1/0): 445:88, [] MAC_Src: 00:21:1C:EE:14:00 (22:19:27.623 PDT) tcpslice 1366780767.623 1366780767.624 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/23/2013 22:23:33.682 PDT Gen. Time: 04/23/2013 22:23:33.682 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 201.33.20.5 (22:23:33.682 PDT) event=777:7777008 {icmp} E8[bh] Detected intense malware port scanning of 91 IPs (91 /24s) (# pkts S/M/O/I=0/90/1/0): 445:90, [] MAC_Src: 00:21:1C:EE:14:00 (22:23:33.682 PDT) tcpslice 1366781013.682 1366781013.683 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================