Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.98
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 04/23/2013 23:56:18.151 PDT
Gen. Time: 04/24/2013 00:00:19.060 PDT
INBOUND SCAN | EXPLOIT | EXPLOIT MALWARE DNS | EGG DOWNLOAD | C and C TRAFFIC | C and C TRAFFIC (RBN) | C and C DNS CHECK-IN | OUTBOUND SKYPE CANDIDATE | OUTBOUND SCAN (spp) | OUTBOUND SCAN | ATTACK PREP | PEER COORDINATION Info | PEER COORDINATION | DECLARE BOT Standard Port | DECLARE BOT Non-standard Port | DECLARE BOT Local Threat Triggered | DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN
  189.48.136.41 (3) (23:56:18.151 PDT)
    event=777:7777008 (3) {tcp} E8[bh] Detected intense malware port scanning of 69 IPs (68 /24s) (# pkts S/M/O/I=0/69/0/0): 445:69, [] MAC_Src: 00:21:1C:EE:14:00
    0->0 (23:56:18.151 PDT) (23:58:03.807 PDT) 0->0 (23:59:36.655 PDT)
tcpslice 1366786578.151 1366786578.152 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.98
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 04/24/2013 00:05:42.880 PDT
Gen. Time: 04/24/2013 00:05:42.880 PDT
INBOUND SCAN | EXPLOIT | EXPLOIT MALWARE DNS | EGG DOWNLOAD | C and C TRAFFIC | C and C TRAFFIC (RBN) | C and C DNS CHECK-IN | OUTBOUND SKYPE CANDIDATE | OUTBOUND SCAN (spp) | OUTBOUND SCAN | ATTACK PREP | PEER COORDINATION Info | PEER COORDINATION | DECLARE BOT Standard Port | DECLARE BOT Non-standard Port | DECLARE BOT Local Threat Triggered | DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN
  189.48.136.41 (00:05:42.880 PDT)
    event=777:7777008 {icmp} E8[bh] Detected intense malware port scanning of 73 IPs (72 /24s) (# pkts S/M/O/I=0/73/0/0): 445:73, [] MAC_Src: 00:21:1C:EE:14:00
    (00:05:42.880 PDT)
tcpslice 1366787142.880 1366787142.881 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.98
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 04/24/2013 00:05:42.880 PDT
Gen. Time: 04/24/2013 00:08:40.287 PDT
INBOUND SCAN | EXPLOIT | EXPLOIT MALWARE DNS | EGG DOWNLOAD | C and C TRAFFIC | C and C TRAFFIC (RBN) | C and C DNS CHECK-IN | OUTBOUND SKYPE CANDIDATE | OUTBOUND SCAN (spp) | OUTBOUND SCAN | ATTACK PREP | PEER COORDINATION Info | PEER COORDINATION | DECLARE BOT Standard Port | DECLARE BOT Non-standard Port | DECLARE BOT Local Threat Triggered | DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN
  189.48.136.41 (2) (00:05:42.880 PDT)
    event=777:7777008 (2) {icmp} E8[bh] Detected intense malware port scanning of 73 IPs (72 /24s) (# pkts S/M/O/I=0/73/0/0): 445:73, [] MAC_Src: 00:21:1C:EE:14:00
    (00:05:42.880 PDT) (00:07:24.835 PDT)
tcpslice 1366787142.880 1366787142.881 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.98
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 04/24/2013 00:09:09.603 PDT
Gen. Time: 04/24/2013 00:09:09.603 PDT
INBOUND SCAN | EXPLOIT | EXPLOIT MALWARE DNS | EGG DOWNLOAD | C and C TRAFFIC | C and C TRAFFIC (RBN) | C and C DNS CHECK-IN | OUTBOUND SKYPE CANDIDATE | OUTBOUND SCAN (spp) | OUTBOUND SCAN | ATTACK PREP | PEER COORDINATION Info | PEER COORDINATION | DECLARE BOT Standard Port | DECLARE BOT Non-standard Port | DECLARE BOT Local Threat Triggered | DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN
  189.48.136.41 (00:09:09.603 PDT)
    event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 78 IPs (77 /24s) (# pkts S/M/O/I=0/78/0/0): 445:78, [] MAC_Src: 00:21:1C:EE:14:00
    0->0 (00:09:09.603 PDT)
tcpslice 1366787349.603 1366787349.604 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.98
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 04/24/2013 00:14:56.854 PDT
Gen. Time: 04/24/2013 00:14:56.854 PDT
INBOUND SCAN | EXPLOIT | EXPLOIT MALWARE DNS | EGG DOWNLOAD | C and C TRAFFIC | C and C TRAFFIC (RBN) | C and C DNS CHECK-IN | OUTBOUND SKYPE CANDIDATE | OUTBOUND SCAN (spp) | OUTBOUND SCAN | ATTACK PREP | PEER COORDINATION Info | PEER COORDINATION | DECLARE BOT Standard Port | DECLARE BOT Non-standard Port | DECLARE BOT Local Threat Triggered | DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN
  189.48.136.41 (00:14:56.854 PDT)
    event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 79 IPs (78 /24s) (# pkts S/M/O/I=0/79/0/0): 445:79, [] MAC_Src: 00:21:1C:EE:14:00
    0->0 (00:14:56.854 PDT)
tcpslice 1366787696.854 1366787696.855 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.98
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 04/24/2013 00:14:56.854 PDT
Gen. Time: 04/24/2013 00:18:22.106 PDT
INBOUND SCAN | EXPLOIT | EXPLOIT MALWARE DNS | EGG DOWNLOAD | C and C TRAFFIC | C and C TRAFFIC (RBN) | C and C DNS CHECK-IN | OUTBOUND SKYPE CANDIDATE | OUTBOUND SCAN (spp) | OUTBOUND SCAN | ATTACK PREP | PEER COORDINATION Info | PEER COORDINATION | DECLARE BOT Standard Port | DECLARE BOT Non-standard Port | DECLARE BOT Local Threat Triggered | DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN
  189.48.136.41 (2) (00:14:56.854 PDT)
    event=777:7777008 (2) {tcp} E8[bh] Detected intense malware port scanning of 79 IPs (78 /24s) (# pkts S/M/O/I=0/79/0/0): 445:79, [] MAC_Src: 00:21:1C:EE:14:00
    0->0 (00:14:56.854 PDT) (00:17:10.834 PDT)
tcpslice 1366787696.854 1366787696.855 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.98
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 04/24/2013 00:18:56.092 PDT
Gen. Time: 04/24/2013 00:18:56.092 PDT
INBOUND SCAN | EXPLOIT | EXPLOIT MALWARE DNS | EGG DOWNLOAD | C and C TRAFFIC | C and C TRAFFIC (RBN) | C and C DNS CHECK-IN | OUTBOUND SKYPE CANDIDATE | OUTBOUND SCAN (spp) | OUTBOUND SCAN | ATTACK PREP | PEER COORDINATION Info | PEER COORDINATION | DECLARE BOT Standard Port | DECLARE BOT Non-standard Port | DECLARE BOT Local Threat Triggered | DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN
  189.48.136.41 (00:18:56.092 PDT)
    event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 84 IPs (83 /24s) (# pkts S/M/O/I=0/84/0/0): 445:84, [] MAC_Src: 00:21:1C:EE:14:00
    0->0 (00:18:56.092 PDT)
tcpslice 1366787936.092 1366787936.093 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.98
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 04/24/2013 00:23:32.528 PDT
Gen. Time: 04/24/2013 00:23:32.528 PDT
INBOUND SCAN | EXPLOIT | EXPLOIT MALWARE DNS | EGG DOWNLOAD | C and C TRAFFIC | C and C TRAFFIC (RBN) | C and C DNS CHECK-IN | OUTBOUND SKYPE CANDIDATE | OUTBOUND SCAN (spp) | OUTBOUND SCAN | ATTACK PREP | PEER COORDINATION Info | PEER COORDINATION | DECLARE BOT Standard Port | DECLARE BOT Non-standard Port | DECLARE BOT Local Threat Triggered | DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN
  189.48.136.41 (00:23:32.528 PDT)
    event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 89 IPs (88 /24s) (# pkts S/M/O/I=0/89/0/0): 445:89, [] MAC_Src: 00:21:1C:EE:14:00
    0->0 (00:23:32.528 PDT)
tcpslice 1366788212.528 1366788212.529 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.98
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 04/24/2013 00:23:32.528 PDT
Gen. Time: 04/24/2013 00:27:02.478 PDT
INBOUND SCAN | EXPLOIT | EXPLOIT MALWARE DNS | EGG DOWNLOAD | C and C TRAFFIC | C and C TRAFFIC (RBN) | C and C DNS CHECK-IN | OUTBOUND SKYPE CANDIDATE | OUTBOUND SCAN (spp) | OUTBOUND SCAN | ATTACK PREP | PEER COORDINATION Info | PEER COORDINATION | DECLARE BOT Standard Port | DECLARE BOT Non-standard Port | DECLARE BOT Local Threat Triggered | DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN
  189.48.136.41 (2) (00:23:32.528 PDT)
    event=777:7777008 (2) {tcp} E8[bh] Detected intense malware port scanning of 89 IPs (88 /24s) (# pkts S/M/O/I=0/89/0/0): 445:89, [] MAC_Src: 00:21:1C:EE:14:00
    0->0 (00:23:32.528 PDT) (00:25:43.575 PDT)
tcpslice 1366788212.528 1366788212.529 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.98
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 04/24/2013 00:27:15.858 PDT
Gen. Time: 04/24/2013 00:27:15.858 PDT
INBOUND SCAN | EXPLOIT | EXPLOIT MALWARE DNS | EGG DOWNLOAD | C and C TRAFFIC | C and C TRAFFIC (RBN) | C and C DNS CHECK-IN | OUTBOUND SKYPE CANDIDATE | OUTBOUND SCAN (spp) | OUTBOUND SCAN | ATTACK PREP | PEER COORDINATION Info | PEER COORDINATION | DECLARE BOT Standard Port | DECLARE BOT Non-standard Port | DECLARE BOT Local Threat Triggered | DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN
  189.48.136.41 (00:27:15.858 PDT)
    event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 91 IPs (90 /24s) (# pkts S/M/O/I=0/91/0/0): 445:91, [] MAC_Src: 00:21:1C:EE:14:00
    0->0 (00:27:15.858 PDT)
tcpslice 1366788435.858 1366788435.859 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.98
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 04/24/2013 00:27:15.858 PDT
Gen. Time: 04/24/2013 00:30:49.656 PDT
INBOUND SCAN | EXPLOIT | EXPLOIT MALWARE DNS | EGG DOWNLOAD | C and C TRAFFIC | C and C TRAFFIC (RBN) | C and C DNS CHECK-IN | OUTBOUND SKYPE CANDIDATE | OUTBOUND SCAN (spp) | OUTBOUND SCAN | ATTACK PREP | PEER COORDINATION Info | PEER COORDINATION | DECLARE BOT Standard Port | DECLARE BOT Non-standard Port | DECLARE BOT Local Threat Triggered | DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN
  189.48.136.41 (2) (00:27:15.858 PDT)
    event=777:7777008 (2) {tcp} E8[bh] Detected intense malware port scanning of 91 IPs (90 /24s) (# pkts S/M/O/I=0/91/0/0): 445:91, [] MAC_Src: 00:21:1C:EE:14:00
    0->0 (00:27:15.858 PDT) 0->0 (00:30:11.904 PDT)
tcpslice 1366788435.858 1366788435.859 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.98
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 04/24/2013 00:31:42.892 PDT
Gen. Time: 04/24/2013 00:31:42.892 PDT
INBOUND SCAN | EXPLOIT | EXPLOIT MALWARE DNS | EGG DOWNLOAD | C and C TRAFFIC | C and C TRAFFIC (RBN) | C and C DNS CHECK-IN | OUTBOUND SKYPE CANDIDATE | OUTBOUND SCAN (spp) | OUTBOUND SCAN | ATTACK PREP | PEER COORDINATION Info | PEER COORDINATION | DECLARE BOT Standard Port | DECLARE BOT Non-standard Port | DECLARE BOT Local Threat Triggered | DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN
  177.44.215.106 (00:31:42.892 PDT)
    event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 98 IPs (97 /24s) (# pkts S/M/O/I=0/98/0/0): 445:98, [] MAC_Src: 00:21:1C:EE:14:00
    0->0 (00:31:42.892 PDT)
tcpslice 1366788702.892 1366788702.893 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.98
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 04/24/2013 00:31:42.892 PDT
Gen. Time: 04/24/2013 00:35:30.692 PDT
INBOUND SCAN | EXPLOIT | EXPLOIT MALWARE DNS | EGG DOWNLOAD | C and C TRAFFIC | C and C TRAFFIC (RBN) | C and C DNS CHECK-IN | OUTBOUND SKYPE CANDIDATE | OUTBOUND SCAN (spp) | OUTBOUND SCAN | ATTACK PREP | PEER COORDINATION Info | PEER COORDINATION | DECLARE BOT Standard Port | DECLARE BOT Non-standard Port | DECLARE BOT Local Threat Triggered | DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN
  177.44.215.106 (2) (00:31:42.892 PDT)
    event=777:7777008 (2) {tcp} E8[bh] Detected intense malware port scanning of 98 IPs (97 /24s) (# pkts S/M/O/I=0/98/0/0): 445:98, [] MAC_Src: 00:21:1C:EE:14:00
    0->0 (00:31:42.892 PDT) 0->0 (00:33:39.819 PDT)
tcpslice 1366788702.892 1366788702.893 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.98
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 04/24/2013 00:35:35.648 PDT
Gen. Time: 04/24/2013 00:35:35.648 PDT
INBOUND SCAN | EXPLOIT | EXPLOIT MALWARE DNS | EGG DOWNLOAD | C and C TRAFFIC | C and C TRAFFIC (RBN) | C and C DNS CHECK-IN | OUTBOUND SKYPE CANDIDATE | OUTBOUND SCAN (spp) | OUTBOUND SCAN | ATTACK PREP | PEER COORDINATION Info | PEER COORDINATION | DECLARE BOT Standard Port | DECLARE BOT Non-standard Port | DECLARE BOT Local Threat Triggered | DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN
  177.44.215.106 (00:35:35.648 PDT)
    event=777:7777008 {icmp} E8[bh] Detected intense malware port scanning of 103 IPs (102 /24s) (# pkts S/M/O/I=0/103/0/0): 445:103, [] MAC_Src: 00:21:1C:EE:14:00
    (00:35:35.648 PDT)
tcpslice 1366788935.648 1366788935.649 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.98
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 04/24/2013 00:35:35.648 PDT
Gen. Time: 04/24/2013 00:38:09.321 PDT
INBOUND SCAN | EXPLOIT | EXPLOIT MALWARE DNS | EGG DOWNLOAD | C and C TRAFFIC | C and C TRAFFIC (RBN) | C and C DNS CHECK-IN | OUTBOUND SKYPE CANDIDATE | OUTBOUND SCAN (spp) | OUTBOUND SCAN | ATTACK PREP | PEER COORDINATION Info | PEER COORDINATION | DECLARE BOT Standard Port | DECLARE BOT Non-standard Port | DECLARE BOT Local Threat Triggered | DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN
  177.44.161.32 (00:37:16.877 PDT)
    event=777:7777008 {icmp} E8[bh] Detected intense malware port scanning of 106 IPs (105 /24s) (# pkts S/M/O/I=0/106/0/0): 445:106, [] MAC_Src: 00:21:1C:EE:14:00
    (00:37:16.877 PDT)
  177.44.215.106 (00:35:35.648 PDT)
    event=777:7777008 {icmp} E8[bh] Detected intense malware port scanning of 103 IPs (102 /24s) (# pkts S/M/O/I=0/103/0/0): 445:103, [] MAC_Src: 00:21:1C:EE:14:00
    (00:35:35.648 PDT)
tcpslice 1366788935.648 1366788935.649 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.98
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 04/24/2013 00:39:16.076 PDT
Gen. Time: 04/24/2013 00:39:16.076 PDT
INBOUND SCAN | EXPLOIT | EXPLOIT MALWARE DNS | EGG DOWNLOAD | C and C TRAFFIC | C and C TRAFFIC (RBN) | C and C DNS CHECK-IN | OUTBOUND SKYPE CANDIDATE | OUTBOUND SCAN (spp) | OUTBOUND SCAN | ATTACK PREP | PEER COORDINATION Info | PEER COORDINATION | DECLARE BOT Standard Port | DECLARE BOT Non-standard Port | DECLARE BOT Local Threat Triggered | DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN
  177.44.161.32 (00:39:16.076 PDT)
    event=777:7777008 {icmp} E8[bh] Detected intense malware port scanning of 108 IPs (107 /24s) (# pkts S/M/O/I=0/108/0/0): 445:108, [] MAC_Src: 00:21:1C:EE:14:00
    (00:39:16.076 PDT)
tcpslice 1366789156.076 1366789156.077 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.98
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 04/24/2013 00:39:16.076 PDT
Gen. Time: 04/24/2013 00:43:20.274 PDT
INBOUND SCAN | EXPLOIT | EXPLOIT MALWARE DNS | EGG DOWNLOAD | C and C TRAFFIC | C and C TRAFFIC (RBN) | C and C DNS CHECK-IN | OUTBOUND SKYPE CANDIDATE | OUTBOUND SCAN (spp) | OUTBOUND SCAN | ATTACK PREP | PEER COORDINATION Info | PEER COORDINATION | DECLARE BOT Standard Port | DECLARE BOT Non-standard Port | DECLARE BOT Local Threat Triggered | DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN
  177.44.161.32 (3) (00:39:16.076 PDT)
    event=777:7777008 (3) {icmp} E8[bh] Detected intense malware port scanning of 108 IPs (107 /24s) (# pkts S/M/O/I=0/108/0/0): 445:108, [] MAC_Src: 00:21:1C:EE:14:00
    (00:39:16.076 PDT) (00:41:10.591 PDT) (00:42:54.262 PDT)
tcpslice 1366789156.076 1366789156.077 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.98
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 04/24/2013 00:45:04.603 PDT
Gen. Time: 04/24/2013 00:45:04.603 PDT
INBOUND SCAN | EXPLOIT | EXPLOIT MALWARE DNS | EGG DOWNLOAD | C and C TRAFFIC | C and C TRAFFIC (RBN) | C and C DNS CHECK-IN | OUTBOUND SKYPE CANDIDATE | OUTBOUND SCAN (spp) | OUTBOUND SCAN | ATTACK PREP | PEER COORDINATION Info | PEER COORDINATION | DECLARE BOT Standard Port | DECLARE BOT Non-standard Port | DECLARE BOT Local Threat Triggered | DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN
  177.44.161.32 (00:45:04.603 PDT)
    event=777:7777008 {icmp} E8[bh] Detected intense malware port scanning of 117 IPs (116 /24s) (# pkts S/M/O/I=0/117/0/0): 445:117, [] MAC_Src: 00:21:1C:EE:14:00
    (00:45:04.603 PDT)
tcpslice 1366789504.603 1366789504.604 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.98
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 04/24/2013 00:45:04.603 PDT
Gen. Time: 04/24/2013 00:48:52.615 PDT
INBOUND SCAN | EXPLOIT | EXPLOIT MALWARE DNS | EGG DOWNLOAD | C and C TRAFFIC | C and C TRAFFIC (RBN) | C and C DNS CHECK-IN | OUTBOUND SKYPE CANDIDATE | OUTBOUND SCAN (spp) | OUTBOUND SCAN | ATTACK PREP | PEER COORDINATION Info | PEER COORDINATION | DECLARE BOT Standard Port | DECLARE BOT Non-standard Port | DECLARE BOT Local Threat Triggered | DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN
  177.44.161.32 (2) (00:45:04.603 PDT)
    event=777:7777008 (2) {icmp} E8[bh] Detected intense malware port scanning of 117 IPs (116 /24s) (# pkts S/M/O/I=0/117/0/0): 445:117, [] MAC_Src: 00:21:1C:EE:14:00
    (00:45:04.603 PDT) 0->0 (00:47:04.696 PDT)
tcpslice 1366789504.603 1366789504.604 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.98
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 04/24/2013 00:49:38.793 PDT
Gen. Time: 04/24/2013 00:49:38.793 PDT
INBOUND SCAN | EXPLOIT | EXPLOIT MALWARE DNS | EGG DOWNLOAD | C and C TRAFFIC | C and C TRAFFIC (RBN) | C and C DNS CHECK-IN | OUTBOUND SKYPE CANDIDATE | OUTBOUND SCAN (spp) | OUTBOUND SCAN | ATTACK PREP | PEER COORDINATION Info | PEER COORDINATION | DECLARE BOT Standard Port | DECLARE BOT Non-standard Port | DECLARE BOT Local Threat Triggered | DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN
  177.44.161.32 (00:49:38.793 PDT)
    event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 123 IPs (122 /24s) (# pkts S/M/O/I=0/123/0/0): 445:123, [] MAC_Src: 00:21:1C:EE:14:00
    0->0 (00:49:38.793 PDT)
tcpslice 1366789778.793 1366789778.794 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.98
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 04/24/2013 00:49:38.793 PDT
Gen. Time: 04/24/2013 00:52:27.196 PDT
INBOUND SCAN | EXPLOIT | EXPLOIT MALWARE DNS | EGG DOWNLOAD | C and C TRAFFIC | C and C TRAFFIC (RBN) | C and C DNS CHECK-IN | OUTBOUND SKYPE CANDIDATE | OUTBOUND SCAN (spp) | OUTBOUND SCAN | ATTACK PREP | PEER COORDINATION Info | PEER COORDINATION | DECLARE BOT Standard Port | DECLARE BOT Non-standard Port | DECLARE BOT Local Threat Triggered | DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN
  177.44.161.32 (2) (00:49:38.793 PDT)
    event=777:7777008 (2) {tcp} E8[bh] Detected intense malware port scanning of 123 IPs (122 /24s) (# pkts S/M/O/I=0/123/0/0): 445:123, [] MAC_Src: 00:21:1C:EE:14:00
    0->0 (00:49:38.793 PDT) (00:52:27.196 PDT)
tcpslice 1366789778.793 1366789778.794 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.98
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 04/24/2013 00:54:44.459 PDT
Gen. Time: 04/24/2013 00:54:44.459 PDT
INBOUND SCAN | EXPLOIT | EXPLOIT MALWARE DNS | EGG DOWNLOAD | C and C TRAFFIC | C and C TRAFFIC (RBN) | C and C DNS CHECK-IN | OUTBOUND SKYPE CANDIDATE | OUTBOUND SCAN (spp) | OUTBOUND SCAN | ATTACK PREP | PEER COORDINATION Info | PEER COORDINATION | DECLARE BOT Standard Port | DECLARE BOT Non-standard Port | DECLARE BOT Local Threat Triggered | DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN
  177.44.161.32 (00:54:44.459 PDT)
    event=777:7777008 {icmp} E8[bh] Detected intense malware port scanning of 127 IPs (126 /24s) (# pkts S/M/O/I=0/127/0/0): 445:127, [] MAC_Src: 00:21:1C:EE:14:00
    (00:54:44.459 PDT)
tcpslice 1366790084.459 1366790084.460 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.98
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 04/24/2013 00:54:44.459 PDT
Gen. Time: 04/24/2013 00:58:00.241 PDT
INBOUND SCAN | EXPLOIT | EXPLOIT MALWARE DNS | EGG DOWNLOAD | C and C TRAFFIC | C and C TRAFFIC (RBN) | C and C DNS CHECK-IN | OUTBOUND SKYPE CANDIDATE | OUTBOUND SCAN (spp) | OUTBOUND SCAN | ATTACK PREP | PEER COORDINATION Info | PEER COORDINATION | DECLARE BOT Standard Port | DECLARE BOT Non-standard Port | DECLARE BOT Local Threat Triggered | DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN
  177.44.161.32 (2) (00:54:44.459 PDT)
    event=777:7777008 (2) {icmp} E8[bh] Detected intense malware port scanning of 127 IPs (126 /24s) (# pkts S/M/O/I=0/127/0/0): 445:127, [] MAC_Src: 00:21:1C:EE:14:00
    (00:54:44.459 PDT) 0->0 (00:56:33.056 PDT)
tcpslice 1366790084.459 1366790084.460 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.98
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 04/24/2013 00:58:13.217 PDT
Gen. Time: 04/24/2013 00:58:13.217 PDT
INBOUND SCAN | EXPLOIT | EXPLOIT MALWARE DNS | EGG DOWNLOAD | C and C TRAFFIC | C and C TRAFFIC (RBN) | C and C DNS CHECK-IN | OUTBOUND SKYPE CANDIDATE | OUTBOUND SCAN (spp) | OUTBOUND SCAN | ATTACK PREP | PEER COORDINATION Info | PEER COORDINATION | DECLARE BOT Standard Port | DECLARE BOT Non-standard Port | DECLARE BOT Local Threat Triggered | DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN
  177.44.161.32 (00:58:13.217 PDT)
    event=777:7777008 {icmp} E8[bh] Detected intense malware port scanning of 133 IPs (132 /24s) (# pkts S/M/O/I=0/133/0/0): 445:133, [] MAC_Src: 00:21:1C:EE:14:00
    (00:58:13.217 PDT)
tcpslice 1366790293.217 1366790293.218 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.98
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 04/24/2013 00:58:13.217 PDT
Gen. Time: 04/24/2013 01:02:55.192 PDT
INBOUND SCAN | EXPLOIT | EXPLOIT MALWARE DNS | EGG DOWNLOAD | C and C TRAFFIC | C and C TRAFFIC (RBN) | C and C DNS CHECK-IN | OUTBOUND SKYPE CANDIDATE | OUTBOUND SCAN (spp) | OUTBOUND SCAN | ATTACK PREP | PEER COORDINATION Info | PEER COORDINATION | DECLARE BOT Standard Port | DECLARE BOT Non-standard Port | DECLARE BOT Local Threat Triggered | DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN
  177.44.161.32 (3) (00:58:13.217 PDT)
    event=777:7777008 (3) {icmp} E8[bh] Detected intense malware port scanning of 133 IPs (132 /24s) (# pkts S/M/O/I=0/133/0/0): 445:133, [] MAC_Src: 00:21:1C:EE:14:00
    (00:58:13.217 PDT) 0->0 (01:00:14.011 PDT) 0->0 (01:02:55.192 PDT)
tcpslice 1366790293.217 1366790293.218 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.98
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 04/24/2013 01:04:30.644 PDT
Gen. Time: 04/24/2013 01:04:30.644 PDT
INBOUND SCAN | EXPLOIT | EXPLOIT MALWARE DNS | EGG DOWNLOAD | C and C TRAFFIC | C and C TRAFFIC (RBN) | C and C DNS CHECK-IN | OUTBOUND SKYPE CANDIDATE | OUTBOUND SCAN (spp) | OUTBOUND SCAN | ATTACK PREP | PEER COORDINATION Info | PEER COORDINATION | DECLARE BOT Standard Port | DECLARE BOT Non-standard Port | DECLARE BOT Local Threat Triggered | DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN
  177.44.161.32 (01:04:30.644 PDT)
    event=777:7777008 {icmp} E8[bh] Detected intense malware port scanning of 140 IPs (138 /24s) (# pkts S/M/O/I=0/140/0/0): 445:140, [] MAC_Src: 00:21:1C:EE:14:00
    (01:04:30.644 PDT)
tcpslice 1366790670.644 1366790670.645 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.98
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 04/24/2013 01:09:03.639 PDT
Gen. Time: 04/24/2013 01:09:03.639 PDT
INBOUND SCAN | EXPLOIT | EXPLOIT MALWARE DNS | EGG DOWNLOAD | C and C TRAFFIC | C and C TRAFFIC (RBN) | C and C DNS CHECK-IN | OUTBOUND SKYPE CANDIDATE | OUTBOUND SCAN (spp) | OUTBOUND SCAN | ATTACK PREP | PEER COORDINATION Info | PEER COORDINATION | DECLARE BOT Standard Port | DECLARE BOT Non-standard Port | DECLARE BOT Local Threat Triggered | DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN
  177.44.161.32 (01:09:03.639 PDT)
    event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 142 IPs (140 /24s) (# pkts S/M/O/I=0/142/0/0): 445:142, [] MAC_Src: 00:21:1C:EE:14:00
    0->0 (01:09:03.639 PDT)
tcpslice 1366790943.639 1366790943.640 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.98
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 04/24/2013 01:09:03.639 PDT
Gen. Time: 04/24/2013 01:12:31.851 PDT
INBOUND SCAN | EXPLOIT | EXPLOIT MALWARE DNS | EGG DOWNLOAD | C and C TRAFFIC | C and C TRAFFIC (RBN) | C and C DNS CHECK-IN | OUTBOUND SKYPE CANDIDATE | OUTBOUND SCAN (spp) | OUTBOUND SCAN | ATTACK PREP | PEER COORDINATION Info | PEER COORDINATION | DECLARE BOT Standard Port | DECLARE BOT Non-standard Port | DECLARE BOT Local Threat Triggered | DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN
  177.44.161.32 (3) (01:09:03.639 PDT)
    event=777:7777008 (3) {tcp} E8[bh] Detected intense malware port scanning of 142 IPs (140 /24s) (# pkts S/M/O/I=0/142/0/0): 445:142, [] MAC_Src: 00:21:1C:EE:14:00
    0->0 (01:09:03.639 PDT) 0->0 (01:10:33.698 PDT) (01:12:31.851 PDT)
tcpslice 1366790943.639 1366790943.640 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.98
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 04/24/2013 01:14:14.623 PDT
Gen. Time: 04/24/2013 01:14:14.623 PDT
INBOUND SCAN | EXPLOIT | EXPLOIT MALWARE DNS | EGG DOWNLOAD | C and C TRAFFIC | C and C TRAFFIC (RBN) | C and C DNS CHECK-IN | OUTBOUND SKYPE CANDIDATE | OUTBOUND SCAN (spp) | OUTBOUND SCAN | ATTACK PREP | PEER COORDINATION Info | PEER COORDINATION | DECLARE BOT Standard Port | DECLARE BOT Non-standard Port | DECLARE BOT Local Threat Triggered | DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN
  177.44.161.32 (01:14:14.623 PDT)
    event=777:7777008 {icmp} E8[bh] Detected intense malware port scanning of 148 IPs (146 /24s) (# pkts S/M/O/I=0/148/0/0): 445:148, [] MAC_Src: 00:21:1C:EE:14:00
    (01:14:14.623 PDT)
tcpslice 1366791254.623 1366791254.624 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.98
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 04/24/2013 01:21:33.578 PDT
Gen. Time: 04/24/2013 01:21:33.578 PDT
INBOUND SCAN | EXPLOIT | EXPLOIT MALWARE DNS | EGG DOWNLOAD | C and C TRAFFIC | C and C TRAFFIC (RBN) | C and C DNS CHECK-IN | OUTBOUND SKYPE CANDIDATE | OUTBOUND SCAN (spp) | OUTBOUND SCAN | ATTACK PREP | PEER COORDINATION Info | PEER COORDINATION | DECLARE BOT Standard Port | DECLARE BOT Non-standard Port | DECLARE BOT Local Threat Triggered | DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN
  177.44.161.32 (01:21:33.578 PDT)
    event=777:7777008 {icmp} E8[bh] Detected intense malware port scanning of 149 IPs (147 /24s) (# pkts S/M/O/I=0/149/0/0): 445:149, [] MAC_Src: 00:21:1C:EE:14:00
    (01:21:33.578 PDT)
tcpslice 1366791693.578 1366791693.579 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.98
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 04/24/2013 01:21:33.578 PDT
Gen. Time: 04/24/2013 01:25:52.736 PDT
INBOUND SCAN | EXPLOIT | EXPLOIT MALWARE DNS | EGG DOWNLOAD | C and C TRAFFIC | C and C TRAFFIC (RBN) | C and C DNS CHECK-IN | OUTBOUND SKYPE CANDIDATE | OUTBOUND SCAN (spp) | OUTBOUND SCAN | ATTACK PREP | PEER COORDINATION Info | PEER COORDINATION | DECLARE BOT Standard Port | DECLARE BOT Non-standard Port | DECLARE BOT Local Threat Triggered | DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN
  177.44.161.32 (3) (01:21:33.578 PDT)
    event=777:7777008 (3) {icmp} E8[bh] Detected intense malware port scanning of 149 IPs (147 /24s) (# pkts S/M/O/I=0/149/0/0): 445:149, [] MAC_Src: 00:21:1C:EE:14:00
    (01:21:33.578 PDT) (01:23:04.082 PDT) (01:25:52.736 PDT)
tcpslice 1366791693.578 1366791693.579 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.98
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 04/24/2013 01:28:46.904 PDT
Gen. Time: 04/24/2013 01:28:46.904 PDT
INBOUND SCAN | EXPLOIT | EXPLOIT MALWARE DNS | EGG DOWNLOAD | C and C TRAFFIC | C and C TRAFFIC (RBN) | C and C DNS CHECK-IN | OUTBOUND SKYPE CANDIDATE | OUTBOUND SCAN (spp) | OUTBOUND SCAN | ATTACK PREP | PEER COORDINATION Info | PEER COORDINATION | DECLARE BOT Standard Port | DECLARE BOT Non-standard Port | DECLARE BOT Local Threat Triggered | DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN
  177.44.161.32 (01:28:46.904 PDT)
    event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 158 IPs (155 /24s) (# pkts S/M/O/I=0/158/0/0): 445:158, [] MAC_Src: 00:21:1C:EE:14:00
    0->0 (01:28:46.904 PDT)
tcpslice 1366792126.904 1366792126.905 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.98
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 04/24/2013 01:28:46.904 PDT
Gen. Time: 04/24/2013 01:32:51.340 PDT
INBOUND SCAN | EXPLOIT | EXPLOIT MALWARE DNS | EGG DOWNLOAD | C and C TRAFFIC | C and C TRAFFIC (RBN) | C and C DNS CHECK-IN | OUTBOUND SKYPE CANDIDATE | OUTBOUND SCAN (spp) | OUTBOUND SCAN | ATTACK PREP | PEER COORDINATION Info | PEER COORDINATION | DECLARE BOT Standard Port | DECLARE BOT Non-standard Port | DECLARE BOT Local Threat Triggered | DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN
  177.44.161.32 (2) (01:28:46.904 PDT)
    event=777:7777008 (2) {tcp} E8[bh] Detected intense malware port scanning of 158 IPs (155 /24s) (# pkts S/M/O/I=0/158/0/0): 445:158, [] MAC_Src: 00:21:1C:EE:14:00
    0->0 (01:28:46.904 PDT) (01:31:17.635 PDT)
tcpslice 1366792126.904 1366792126.905 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.98
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 04/24/2013 01:33:33.413 PDT
Gen. Time: 04/24/2013 01:33:33.413 PDT
INBOUND SCAN | EXPLOIT | EXPLOIT MALWARE DNS | EGG DOWNLOAD | C and C TRAFFIC | C and C TRAFFIC (RBN) | C and C DNS CHECK-IN | OUTBOUND SKYPE CANDIDATE | OUTBOUND SCAN (spp) | OUTBOUND SCAN | ATTACK PREP | PEER COORDINATION Info | PEER COORDINATION | DECLARE BOT Standard Port | DECLARE BOT Non-standard Port | DECLARE BOT Local Threat Triggered | DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN
  177.44.161.32 (01:33:33.413 PDT)
    event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 161 IPs (158 /24s) (# pkts S/M/O/I=0/161/0/0): 445:161, [] MAC_Src: 00:21:1C:EE:14:00
    0->0 (01:33:33.413 PDT)
tcpslice 1366792413.413 1366792413.414 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.98
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 04/24/2013 01:33:33.413 PDT
Gen. Time: 04/24/2013 01:37:44.683 PDT
INBOUND SCAN | EXPLOIT | EXPLOIT MALWARE DNS | EGG DOWNLOAD | C and C TRAFFIC | C and C TRAFFIC (RBN) | C and C DNS CHECK-IN | OUTBOUND SKYPE CANDIDATE | OUTBOUND SCAN (spp) | OUTBOUND SCAN | ATTACK PREP | PEER COORDINATION Info | PEER COORDINATION | DECLARE BOT Standard Port | DECLARE BOT Non-standard Port | DECLARE BOT Local Threat Triggered | DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN
  177.44.161.32 (2) (01:33:33.413 PDT)
    event=777:7777008 (2) {tcp} E8[bh] Detected intense malware port scanning of 161 IPs (158 /24s) (# pkts S/M/O/I=0/161/0/0): 445:161, [] MAC_Src: 00:21:1C:EE:14:00
    0->0 (01:33:33.413 PDT) (01:35:42.592 PDT)
tcpslice 1366792413.413 1366792413.414 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.98
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 04/24/2013 01:38:30.029 PDT
Gen. Time: 04/24/2013 01:38:30.029 PDT
INBOUND SCAN | EXPLOIT | EXPLOIT MALWARE DNS | EGG DOWNLOAD | C and C TRAFFIC | C and C TRAFFIC (RBN) | C and C DNS CHECK-IN | OUTBOUND SKYPE CANDIDATE | OUTBOUND SCAN (spp) | OUTBOUND SCAN | ATTACK PREP | PEER COORDINATION Info | PEER COORDINATION | DECLARE BOT Standard Port | DECLARE BOT Non-standard Port | DECLARE BOT Local Threat Triggered | DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN
  177.44.161.32 (01:38:30.029 PDT)
    event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 165 IPs (162 /24s) (# pkts S/M/O/I=0/165/0/0): 445:165, [] MAC_Src: 00:21:1C:EE:14:00
    0->0 (01:38:30.029 PDT)
tcpslice 1366792710.029 1366792710.030 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.98
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 04/24/2013 01:38:30.029 PDT
Gen. Time: 04/24/2013 01:41:39.919 PDT
INBOUND SCAN | EXPLOIT | EXPLOIT MALWARE DNS | EGG DOWNLOAD | C and C TRAFFIC | C and C TRAFFIC (RBN) | C and C DNS CHECK-IN | OUTBOUND SKYPE CANDIDATE | OUTBOUND SCAN (spp) | OUTBOUND SCAN | ATTACK PREP | PEER COORDINATION Info | PEER COORDINATION | DECLARE BOT Standard Port | DECLARE BOT Non-standard Port | DECLARE BOT Local Threat Triggered | DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN
  177.44.161.32 (2) (01:38:30.029 PDT)
    event=777:7777008 (2) {tcp} E8[bh] Detected intense malware port scanning of 165 IPs (162 /24s) (# pkts S/M/O/I=0/165/0/0): 445:165, [] MAC_Src: 00:21:1C:EE:14:00
    0->0 (01:38:30.029 PDT) (01:40:23.487 PDT)
tcpslice 1366792710.029 1366792710.030 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.98
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 04/24/2013 01:42:24.492 PDT
Gen. Time: 04/24/2013 01:42:24.492 PDT
INBOUND SCAN | EXPLOIT | EXPLOIT MALWARE DNS | EGG DOWNLOAD | C and C TRAFFIC | C and C TRAFFIC (RBN) | C and C DNS CHECK-IN | OUTBOUND SKYPE CANDIDATE | OUTBOUND SCAN (spp) | OUTBOUND SCAN | ATTACK PREP | PEER COORDINATION Info | PEER COORDINATION | DECLARE BOT Standard Port | DECLARE BOT Non-standard Port | DECLARE BOT Local Threat Triggered | DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN
  177.44.161.32 (01:42:24.492 PDT)
    event=777:7777008 {icmp} E8[bh] Detected intense malware port scanning of 169 IPs (166 /24s) (# pkts S/M/O/I=0/169/0/0): 445:169, [] MAC_Src: 00:21:1C:EE:14:00
    (01:42:24.492 PDT)
tcpslice 1366792944.492 1366792944.493 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.98
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 04/24/2013 01:42:24.492 PDT
Gen.
Time: 04/24/2013 01:46:47.932 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 177.44.161.32 (2) (01:42:24.492 PDT) event=777:7777008 (2) {icmp} E8[bh] Detected intense malware port scanning of 169 IPs (166 /24s) (# pkts S/M/O/I=0/169/0/0): 445:169, [] MAC_Src: 00:21:1C:EE:14:00 (01:42:24.492 PDT) 0->0 (01:44:34.573 PDT) tcpslice 1366792944.492 1366792944.493 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/24/2013 01:47:08.495 PDT Gen. Time: 04/24/2013 01:47:08.495 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 177.44.161.32 (01:47:08.495 PDT) event=777:7777008 {icmp} E8[bh] Detected intense malware port scanning of 172 IPs (169 /24s) (# pkts S/M/O/I=0/172/0/0): 445:172, [] MAC_Src: 00:21:1C:EE:14:00 (01:47:08.495 PDT) tcpslice 1366793228.495 1366793228.496 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/24/2013 01:47:08.495 PDT Gen. 
Time: 04/24/2013 01:51:34.517 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 177.44.161.32 (2) (01:47:08.495 PDT) event=777:7777008 (2) {icmp} E8[bh] Detected intense malware port scanning of 172 IPs (169 /24s) (# pkts S/M/O/I=0/172/0/0): 445:172, [] MAC_Src: 00:21:1C:EE:14:00 (01:47:08.495 PDT) (01:50:13.356 PDT) tcpslice 1366793228.495 1366793228.496 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/24/2013 01:52:44.636 PDT Gen. Time: 04/24/2013 01:52:44.636 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 177.44.161.32 (01:52:44.636 PDT) event=777:7777008 {icmp} E8[bh] Detected intense malware port scanning of 176 IPs (173 /24s) (# pkts S/M/O/I=0/176/0/0): 445:176, [] MAC_Src: 00:21:1C:EE:14:00 (01:52:44.636 PDT) tcpslice 1366793564.636 1366793564.637 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/24/2013 01:58:09.743 PDT Gen. 
Time: 04/24/2013 01:58:09.743 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 177.44.161.32 (01:58:09.743 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 177 IPs (174 /24s) (# pkts S/M/O/I=0/177/0/0): 445:177, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (01:58:09.743 PDT) tcpslice 1366793889.743 1366793889.744 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/24/2013 02:03:06.040 PDT Gen. Time: 04/24/2013 02:03:06.040 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 177.44.161.32 (02:03:06.040 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 181 IPs (178 /24s) (# pkts S/M/O/I=0/181/0/0): 445:181, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (02:03:06.040 PDT) tcpslice 1366794186.040 1366794186.041 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/24/2013 02:07:06.831 PDT Gen. 
Time: 04/24/2013 02:07:06.831 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 177.44.161.32 (02:07:06.831 PDT) event=777:7777008 {icmp} E8[bh] Detected intense malware port scanning of 183 IPs (180 /24s) (# pkts S/M/O/I=0/183/0/0): 445:183, [] MAC_Src: 00:21:1C:EE:14:00 (02:07:06.831 PDT) tcpslice 1366794426.831 1366794426.832 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/24/2013 02:07:06.831 PDT Gen. Time: 04/24/2013 02:09:46.609 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 177.44.161.32 (2) (02:07:06.831 PDT) event=777:7777008 (2) {icmp} E8[bh] Detected intense malware port scanning of 183 IPs (180 /24s) (# pkts S/M/O/I=0/183/0/0): 445:183, [] MAC_Src: 00:21:1C:EE:14:00 (02:07:06.831 PDT) (02:09:46.609 PDT) tcpslice 1366794426.831 1366794426.832 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/24/2013 02:12:49.417 PDT Gen. 
Time: 04/24/2013 02:12:49.417 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 177.44.161.32 (02:12:49.417 PDT) event=777:7777008 {icmp} E8[bh] Detected intense malware port scanning of 189 IPs (186 /24s) (# pkts S/M/O/I=0/189/0/0): 445:189, [] MAC_Src: 00:21:1C:EE:14:00 (02:12:49.417 PDT) tcpslice 1366794769.417 1366794769.418 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/24/2013 02:12:49.417 PDT Gen. Time: 04/24/2013 02:16:18.254 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 177.44.161.32 (2) (02:12:49.417 PDT) event=777:7777008 (2) {icmp} E8[bh] Detected intense malware port scanning of 189 IPs (186 /24s) (# pkts S/M/O/I=0/189/0/0): 445:189, [] MAC_Src: 00:21:1C:EE:14:00 (02:12:49.417 PDT) 0->0 (02:16:10.499 PDT) tcpslice 1366794769.417 1366794769.418 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/24/2013 02:20:47.417 PDT Gen. 
Time: 04/24/2013 02:20:47.417 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 177.44.161.32 (02:20:47.417 PDT) event=777:7777008 {icmp} E8[bh] Detected intense malware port scanning of 195 IPs (192 /24s) (# pkts S/M/O/I=0/195/0/0): 445:195, [] MAC_Src: 00:21:1C:EE:14:00 (02:20:47.417 PDT) tcpslice 1366795247.417 1366795247.418 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/24/2013 02:24:12.697 PDT Gen. Time: 04/24/2013 02:24:12.697 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 177.44.161.32 (02:24:12.697 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 198 IPs (195 /24s) (# pkts S/M/O/I=0/198/0/0): 445:198, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (02:24:12.697 PDT) tcpslice 1366795452.697 1366795452.698 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/24/2013 02:24:12.697 PDT Gen. 
Time: 04/24/2013 02:27:52.624 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 177.44.161.32 (2) (02:24:12.697 PDT) event=777:7777008 (2) {tcp} E8[bh] Detected intense malware port scanning of 198 IPs (195 /24s) (# pkts S/M/O/I=0/198/0/0): 445:198, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (02:24:12.697 PDT) (02:26:38.821 PDT) tcpslice 1366795452.697 1366795452.698 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/24/2013 02:27:58.058 PDT Gen. Time: 04/24/2013 02:27:58.058 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 177.44.161.32 (02:27:58.058 PDT) event=777:7777008 {icmp} E8[bh] Detected intense malware port scanning of 200 IPs (197 /24s) (# pkts S/M/O/I=0/200/0/0): 445:200, [] MAC_Src: 00:21:1C:EE:14:00 (02:27:58.058 PDT) tcpslice 1366795678.058 1366795678.059 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 1.1 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/24/2013 03:13:14.410 PDT Gen. 
Time: 04/24/2013 03:14:37.386 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) 187.115.13.58 (03:13:14.410 PDT) event=777:7777005 {tcp} E5[bh] Detected moderate malware port scanning of 19 IPs (19 /24s) (# pkts S/M/O/I=0/19/0/0): 445:19, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (03:13:14.410 PDT) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 187.115.13.58 (03:14:37.386 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 21 IPs (21 /24s) (# pkts S/M/O/I=0/21/0/0): 445:21, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (03:14:37.386 PDT) tcpslice 1366798394.410 1366798394.411 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 1.1 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/24/2013 03:13:14.410 PDT Gen. 
Time: 04/24/2013 03:17:19.214 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) 187.115.13.58 (03:13:14.410 PDT) event=777:7777005 {tcp} E5[bh] Detected moderate malware port scanning of 19 IPs (19 /24s) (# pkts S/M/O/I=0/19/0/0): 445:19, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (03:13:14.410 PDT) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 187.115.13.58 (2) (03:14:37.386 PDT) event=777:7777008 (2) {tcp} E8[bh] Detected intense malware port scanning of 21 IPs (21 /24s) (# pkts S/M/O/I=0/21/0/0): 445:21, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (03:14:37.386 PDT) (03:16:58.995 PDT) tcpslice 1366798394.410 1366798394.411 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/24/2013 03:19:35.417 PDT Gen. 
Time: 04/24/2013 03:19:35.417 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 187.115.13.58 (03:19:35.417 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 23 IPs (23 /24s) (# pkts S/M/O/I=0/23/0/0): 445:23, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (03:19:35.417 PDT) tcpslice 1366798775.417 1366798775.418 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/24/2013 03:25:25.776 PDT Gen. Time: 04/24/2013 03:25:25.776 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 187.115.13.58 (03:25:25.776 PDT) event=777:7777008 {icmp} E8[bh] Detected intense malware port scanning of 25 IPs (25 /24s) (# pkts S/M/O/I=0/25/0/0): 445:25, [] MAC_Src: 00:21:1C:EE:14:00 (03:25:25.776 PDT) tcpslice 1366799125.776 1366799125.777 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/24/2013 03:25:25.776 PDT Gen. 
Time: 04/24/2013 03:29:10.336 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 187.115.13.58 (2) (03:25:25.776 PDT) event=777:7777008 (2) {icmp} E8[bh] Detected intense malware port scanning of 25 IPs (25 /24s) (# pkts S/M/O/I=0/25/0/0): 445:25, [] MAC_Src: 00:21:1C:EE:14:00 (03:25:25.776 PDT) (03:29:10.336 PDT) tcpslice 1366799125.776 1366799125.777 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/24/2013 03:30:58.690 PDT Gen. Time: 04/24/2013 03:30:58.690 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 187.115.13.58 (03:30:58.690 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 30 IPs (30 /24s) (# pkts S/M/O/I=0/30/0/0): 445:30, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (03:30:58.690 PDT) tcpslice 1366799458.690 1366799458.691 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/24/2013 03:30:58.690 PDT Gen. 
Time: 04/24/2013 03:34:59.740 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 187.115.13.58 (2) (03:30:58.690 PDT) event=777:7777008 (2) {tcp} E8[bh] Detected intense malware port scanning of 30 IPs (30 /24s) (# pkts S/M/O/I=0/30/0/0): 445:30, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (03:30:58.690 PDT) (03:33:08.376 PDT) tcpslice 1366799458.690 1366799458.691 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/24/2013 03:37:49.770 PDT Gen. Time: 04/24/2013 03:37:49.770 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 187.115.13.58 (03:37:49.770 PDT) event=777:7777008 {icmp} E8[bh] Detected intense malware port scanning of 34 IPs (34 /24s) (# pkts S/M/O/I=0/34/0/0): 445:34, [] MAC_Src: 00:21:1C:EE:14:00 (03:37:49.770 PDT) tcpslice 1366799869.770 1366799869.771 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/24/2013 03:42:00.458 PDT Gen. 
Time: 04/24/2013 03:42:00.458 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 187.115.13.58 (03:42:00.458 PDT) event=777:7777008 {icmp} E8[bh] Detected intense malware port scanning of 36 IPs (36 /24s) (# pkts S/M/O/I=0/36/0/0): 445:36, [] MAC_Src: 00:21:1C:EE:14:00 (03:42:00.458 PDT) tcpslice 1366800120.458 1366800120.459 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/24/2013 03:42:00.458 PDT Gen. Time: 04/24/2013 03:46:03.654 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 187.115.13.58 (2) (03:42:00.458 PDT) event=777:7777008 (2) {icmp} E8[bh] Detected intense malware port scanning of 36 IPs (36 /24s) (# pkts S/M/O/I=0/36/0/0): 445:36, [] MAC_Src: 00:21:1C:EE:14:00 (03:42:00.458 PDT) 0->0 (03:44:38.692 PDT) tcpslice 1366800120.458 1366800120.459 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/24/2013 03:46:29.276 PDT Gen. 
Time: 04/24/2013 03:46:29.276 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 187.115.13.58 (03:46:29.276 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 42 IPs (42 /24s) (# pkts S/M/O/I=0/42/0/0): 445:42, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (03:46:29.276 PDT) tcpslice 1366800389.276 1366800389.277 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/24/2013 03:50:18.378 PDT Gen. Time: 04/24/2013 03:50:18.378 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 187.12.30.17 (03:50:18.378 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 47 IPs (47 /24s) (# pkts S/M/O/I=0/47/0/0): 445:47, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (03:50:18.378 PDT) tcpslice 1366800618.378 1366800618.379 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/24/2013 03:50:18.378 PDT Gen. 
Time: 04/24/2013 03:54:42.619 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 187.12.30.17 (2) (03:50:18.378 PDT) event=777:7777008 (2) {tcp} E8[bh] Detected intense malware port scanning of 47 IPs (47 /24s) (# pkts S/M/O/I=0/47/0/0): 445:47, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (03:50:18.378 PDT) (03:52:54.609 PDT) tcpslice 1366800618.378 1366800618.379 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/24/2013 03:54:49.744 PDT Gen. Time: 04/24/2013 03:54:49.744 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 187.12.30.17 (03:54:49.744 PDT) event=777:7777008 {icmp} E8[bh] Detected intense malware port scanning of 50 IPs (50 /24s) (# pkts S/M/O/I=0/50/0/0): 445:50, [] MAC_Src: 00:21:1C:EE:14:00 (03:54:49.744 PDT) tcpslice 1366800889.744 1366800889.745 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/24/2013 03:54:49.744 PDT Gen. 
Time: 04/24/2013 03:57:25.067 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 187.12.30.17 (2) (03:54:49.744 PDT) event=777:7777008 (2) {icmp} E8[bh] Detected intense malware port scanning of 50 IPs (50 /24s) (# pkts S/M/O/I=0/50/0/0): 445:50, [] MAC_Src: 00:21:1C:EE:14:00 (03:54:49.744 PDT) (03:56:48.772 PDT) tcpslice 1366800889.744 1366800889.745 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/24/2013 03:58:27.525 PDT Gen. Time: 04/24/2013 03:58:27.525 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 187.12.30.17 (03:58:27.525 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 56 IPs (56 /24s) (# pkts S/M/O/I=0/56/0/0): 445:56, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (03:58:27.525 PDT) tcpslice 1366801107.525 1366801107.526 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/24/2013 03:58:27.525 PDT Gen. 
Time: 04/24/2013 04:01:53.708 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 187.12.30.17 (2) (03:58:27.525 PDT) event=777:7777008 (2) {tcp} E8[bh] Detected intense malware port scanning of 56 IPs (56 /24s) (# pkts S/M/O/I=0/56/0/0): 445:56, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (03:58:27.525 PDT) 0->0 (04:00:53.602 PDT) tcpslice 1366801107.525 1366801107.526 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/24/2013 04:02:25.775 PDT Gen. Time: 04/24/2013 04:02:25.775 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 187.12.30.17 (04:02:25.775 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 59 IPs (59 /24s) (# pkts S/M/O/I=0/59/0/0): 445:59, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (04:02:25.775 PDT) tcpslice 1366801345.775 1366801345.776 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/24/2013 04:06:04.676 PDT Gen. 
Time: 04/24/2013 04:06:04.676 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 187.12.30.17 (04:06:04.676 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 62 IPs (62 /24s) (# pkts S/M/O/I=0/62/0/0): 445:62, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (04:06:04.676 PDT) tcpslice 1366801564.676 1366801564.677 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/24/2013 04:10:32.383 PDT Gen. Time: 04/24/2013 04:10:32.383 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 187.12.30.17 (04:10:32.383 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 63 IPs (63 /24s) (# pkts S/M/O/I=0/63/0/0): 445:63, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (04:10:32.383 PDT) tcpslice 1366801832.383 1366801832.384 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/24/2013 04:12:55.019 PDT Gen. 
Time: 04/24/2013 04:12:55.019 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 187.12.30.17 (04:12:55.019 PDT) event=777:7777008 {icmp} E8[bh] Detected intense malware port scanning of 65 IPs (65 /24s) (# pkts S/M/O/I=0/65/0/0): 445:65, [] MAC_Src: 00:21:1C:EE:14:00 (04:12:55.019 PDT) tcpslice 1366801975.019 1366801975.020 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/24/2013 04:16:30.920 PDT Gen. Time: 04/24/2013 04:16:30.920 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 187.12.30.17 (04:16:30.920 PDT) event=777:7777008 {icmp} E8[bh] Detected intense malware port scanning of 67 IPs (67 /24s) (# pkts S/M/O/I=0/67/0/0): 445:67, [] MAC_Src: 00:21:1C:EE:14:00 (04:16:30.920 PDT) tcpslice 1366802190.920 1366802190.921 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/24/2013 04:16:30.920 PDT Gen. 
Time: 04/24/2013 04:20:52.517 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 187.12.30.17 (2) (04:16:30.920 PDT) event=777:7777008 (2) {icmp} E8[bh] Detected intense malware port scanning of 67 IPs (67 /24s) (# pkts S/M/O/I=0/67/0/0): 445:67, [] MAC_Src: 00:21:1C:EE:14:00 (04:16:30.920 PDT) 0->0 (04:19:30.416 PDT) tcpslice 1366802190.920 1366802190.921 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/24/2013 04:22:30.005 PDT Gen. Time: 04/24/2013 04:22:30.005 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 187.12.30.17 (04:22:30.005 PDT) event=777:7777008 {icmp} E8[bh] Detected intense malware port scanning of 69 IPs (69 /24s) (# pkts S/M/O/I=0/69/0/0): 445:69, [] MAC_Src: 00:21:1C:EE:14:00 (04:22:30.005 PDT) tcpslice 1366802550.005 1366802550.006 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/24/2013 04:26:12.495 PDT Gen. 
Time: 04/24/2013 04:26:12.495 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 187.12.30.17 (04:26:12.495 PDT) event=777:7777008 {icmp} E8[bh] Detected intense malware port scanning of 74 IPs (74 /24s) (# pkts S/M/O/I=0/74/0/0): 445:74, [] MAC_Src: 00:21:1C:EE:14:00 (04:26:12.495 PDT) tcpslice 1366802772.495 1366802772.496 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/24/2013 04:26:12.495 PDT Gen. Time: 04/24/2013 04:30:16.401 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 187.12.30.17 (2) (04:26:12.495 PDT) event=777:7777008 (2) {icmp} E8[bh] Detected intense malware port scanning of 74 IPs (74 /24s) (# pkts S/M/O/I=0/74/0/0): 445:74, [] MAC_Src: 00:21:1C:EE:14:00 (04:26:12.495 PDT) (04:30:16.401 PDT) tcpslice 1366802772.495 1366802772.496 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/24/2013 04:33:14.636 PDT Gen. 
Time: 04/24/2013 04:33:14.636 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 187.12.30.17 (04:33:14.636 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 78 IPs (78 /24s) (# pkts S/M/O/I=0/78/0/0): 445:78, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (04:33:14.636 PDT) tcpslice 1366803194.636 1366803194.637 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/24/2013 04:33:14.636 PDT Gen. Time: 04/24/2013 04:37:20.006 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 187.12.30.17 (2) (04:33:14.636 PDT) event=777:7777008 (2) {tcp} E8[bh] Detected intense malware port scanning of 78 IPs (78 /24s) (# pkts S/M/O/I=0/78/0/0): 445:78, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (04:33:14.636 PDT) (04:35:14.646 PDT) tcpslice 1366803194.636 1366803194.637 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 1.1 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/24/2013 05:11:25.666 PDT Gen. 
Time: 04/24/2013 05:13:20.986 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) 200.102.0.34 (2) (05:11:25.666 PDT) event=777:7777005 (2) {tcp} E5[bh] Detected moderate malware port scanning of 19 IPs (19 /24s) (# pkts S/M/O/I=0/18/1/0): 445:18, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (05:11:25.666 PDT) 0->0 (05:13:19.462 PDT) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 200.102.0.34 (05:13:20.986 PDT) event=777:7777008 {icmp} E8[bh] Detected intense malware port scanning of 21 IPs (21 /24s) (# pkts S/M/O/I=0/20/1/0): 445:20, [] MAC_Src: 00:21:1C:EE:14:00 (05:13:20.986 PDT) tcpslice 1366805485.666 1366805485.667 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/24/2013 05:17:39.690 PDT Gen. 
Time: 04/24/2013 05:17:39.690 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 200.102.0.34 (05:17:39.690 PDT) event=777:7777008 {icmp} E8[bh] Detected intense malware port scanning of 24 IPs (24 /24s) (# pkts S/M/O/I=0/23/1/0): 445:23, [] MAC_Src: 00:21:1C:EE:14:00 (05:17:39.690 PDT) tcpslice 1366805859.690 1366805859.691 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/24/2013 05:17:39.690 PDT Gen. Time: 04/24/2013 05:21:44.015 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 200.102.0.34 (2) (05:17:39.690 PDT) event=777:7777008 (2) {icmp} E8[bh] Detected intense malware port scanning of 24 IPs (24 /24s) (# pkts S/M/O/I=0/23/1/0): 445:23, [] MAC_Src: 00:21:1C:EE:14:00 (05:17:39.690 PDT) (05:21:39.424 PDT) tcpslice 1366805859.690 1366805859.691 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/24/2013 05:23:24.819 PDT Gen. 
Time: 04/24/2013 05:23:24.819 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 200.102.0.34 (05:23:24.819 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 29 IPs (29 /24s) (# pkts S/M/O/I=0/28/1/0): 445:28, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (05:23:24.819 PDT) tcpslice 1366806204.819 1366806204.820 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/24/2013 05:23:24.819 PDT Gen. Time: 04/24/2013 05:27:25.237 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 200.102.0.34 (2) (05:23:24.819 PDT) event=777:7777008 (2) {tcp} E8[bh] Detected intense malware port scanning of 29 IPs (29 /24s) (# pkts S/M/O/I=0/28/1/0): 445:28, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (05:23:24.819 PDT) 0->0 (05:25:23.810 PDT) tcpslice 1366806204.819 1366806204.820 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/24/2013 05:29:01.755 PDT Gen. 
Time: 04/24/2013 05:29:01.755 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 187.63.160.49 (05:29:01.755 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 32 IPs (32 /24s) (# pkts S/M/O/I=0/31/1/0): 445:31, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (05:29:01.755 PDT) tcpslice 1366806541.755 1366806541.756 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/24/2013 05:29:01.755 PDT Gen. Time: 04/24/2013 05:33:02.947 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 187.63.160.49 (3) (05:29:01.755 PDT) event=777:7777008 (3) {tcp} E8[bh] Detected intense malware port scanning of 32 IPs (32 /24s) (# pkts S/M/O/I=0/31/1/0): 445:31, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (05:29:01.755 PDT) 0->0 (05:30:35.851 PDT) 0->0 (05:32:13.567 PDT) tcpslice 1366806541.755 1366806541.756 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/24/2013 05:34:19.137 PDT Gen. 
Time: 04/24/2013 05:34:19.137 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 187.63.160.49 (05:34:19.137 PDT) event=777:7777008 {icmp} E8[bh] Detected intense malware port scanning of 38 IPs (38 /24s) (# pkts S/M/O/I=0/37/1/0): 445:37, [] MAC_Src: 00:21:1C:EE:14:00 (05:34:19.137 PDT) tcpslice 1366806859.137 1366806859.138 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/24/2013 05:34:19.137 PDT Gen. Time: 04/24/2013 05:38:25.414 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 187.4.152.85 (05:38:04.724 PDT) event=777:7777008 {icmp} E8[bh] Detected intense malware port scanning of 44 IPs (44 /24s) (# pkts S/M/O/I=0/43/1/0): 445:43, [] MAC_Src: 00:21:1C:EE:14:00 (05:38:04.724 PDT) 187.63.160.49 (2) (05:34:19.137 PDT) event=777:7777008 (2) {icmp} E8[bh] Detected intense malware port scanning of 38 IPs (38 /24s) (# pkts S/M/O/I=0/37/1/0): 445:37, [] MAC_Src: 00:21:1C:EE:14:00 (05:34:19.137 PDT) (05:36:04.599 PDT) tcpslice 1366806859.137 1366806859.138 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 
0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/24/2013 05:41:38.443 PDT Gen. Time: 04/24/2013 05:41:38.443 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 187.4.152.85 (05:41:38.443 PDT) event=777:7777008 {icmp} E8[bh] Detected intense malware port scanning of 45 IPs (45 /24s) (# pkts S/M/O/I=0/44/1/0): 445:44, [] MAC_Src: 00:21:1C:EE:14:00 (05:41:38.443 PDT) tcpslice 1366807298.443 1366807298.444 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/24/2013 05:41:38.443 PDT Gen. 
Time: 04/24/2013 05:45:37.134 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 187.4.152.85 (2) (05:41:38.443 PDT) event=777:7777008 (2) {icmp} E8[bh] Detected intense malware port scanning of 45 IPs (45 /24s) (# pkts S/M/O/I=0/44/1/0): 445:44, [] MAC_Src: 00:21:1C:EE:14:00 (05:41:38.443 PDT) 0->0 (05:45:04.982 PDT) tcpslice 1366807298.443 1366807298.444 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/24/2013 05:49:39.005 PDT Gen. Time: 04/24/2013 05:49:39.005 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 189.73.136.98 (05:49:39.005 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 115 IPs (115 /24s) (# pkts S/M/O/I=0/114/1/0): 445:114, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (05:49:39.005 PDT) tcpslice 1366807779.005 1366807779.006 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/24/2013 05:49:39.005 PDT Gen. 
Time: 04/24/2013 05:53:39.564 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 189.73.136.98 (2) (05:49:39.005 PDT) event=777:7777008 (2) {tcp} E8[bh] Detected intense malware port scanning of 115 IPs (115 /24s) (# pkts S/M/O/I=0/114/1/0): 445:114, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (05:49:39.005 PDT) (05:51:44.723 PDT) tcpslice 1366807779.005 1366807779.006 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/24/2013 05:54:21.763 PDT Gen. Time: 04/24/2013 05:54:21.763 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 189.73.136.98 (05:54:21.763 PDT) event=777:7777008 {icmp} E8[bh] Detected intense malware port scanning of 119 IPs (119 /24s) (# pkts S/M/O/I=0/118/1/0): 445:118, [] MAC_Src: 00:21:1C:EE:14:00 (05:54:21.763 PDT) tcpslice 1366808061.763 1366808061.764 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/24/2013 05:54:21.763 PDT Gen. 
Time: 04/24/2013 05:58:21.892 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 189.73.136.98 (2) (05:54:21.763 PDT) event=777:7777008 (2) {icmp} E8[bh] Detected intense malware port scanning of 119 IPs (119 /24s) (# pkts S/M/O/I=0/118/1/0): 445:118, [] MAC_Src: 00:21:1C:EE:14:00 (05:54:21.763 PDT) 0->0 (05:56:31.581 PDT) tcpslice 1366808061.763 1366808061.764 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/24/2013 05:58:46.632 PDT Gen. Time: 04/24/2013 05:58:46.632 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 189.73.136.98 (05:58:46.632 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 125 IPs (125 /24s) (# pkts S/M/O/I=0/124/1/0): 445:124, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (05:58:46.632 PDT) tcpslice 1366808326.632 1366808326.633 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/24/2013 06:03:58.136 PDT Gen. 
Time: 04/24/2013 06:03:58.136 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 189.73.136.98 (06:03:58.136 PDT) event=777:7777008 {icmp} E8[bh] Detected intense malware port scanning of 127 IPs (127 /24s) (# pkts S/M/O/I=0/126/1/0): 445:126, [] MAC_Src: 00:21:1C:EE:14:00 (06:03:58.136 PDT) tcpslice 1366808638.136 1366808638.137 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/24/2013 06:03:58.136 PDT Gen. Time: 04/24/2013 06:07:59.515 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 189.73.136.98 (2) (06:03:58.136 PDT) event=777:7777008 (2) {icmp} E8[bh] Detected intense malware port scanning of 127 IPs (127 /24s) (# pkts S/M/O/I=0/126/1/0): 445:126, [] MAC_Src: 00:21:1C:EE:14:00 (06:03:58.136 PDT) (06:06:09.572 PDT) tcpslice 1366808638.136 1366808638.137 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/24/2013 06:08:32.628 PDT Gen. 
Time: 04/24/2013 06:08:32.628 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 189.73.136.98 (06:08:32.628 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 133 IPs (133 /24s) (# pkts S/M/O/I=0/132/1/0): 445:132, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (06:08:32.628 PDT) tcpslice 1366808912.628 1366808912.629 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/24/2013 06:08:32.628 PDT Gen. Time: 04/24/2013 06:12:34.544 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 189.73.136.98 (3) (06:08:32.628 PDT) event=777:7777008 (3) {tcp} E8[bh] Detected intense malware port scanning of 133 IPs (133 /24s) (# pkts S/M/O/I=0/132/1/0): 445:132, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (06:08:32.628 PDT) (06:10:17.390 PDT) 0->0 (06:12:22.871 PDT) tcpslice 1366808912.628 1366808912.629 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/24/2013 06:15:07.524 PDT Gen. 
Time: 04/24/2013 06:15:07.524 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 189.73.136.98 (06:15:07.524 PDT) event=777:7777008 {icmp} E8[bh] Detected intense malware port scanning of 142 IPs (141 /24s) (# pkts S/M/O/I=0/141/1/0): 445:141, [] MAC_Src: 00:21:1C:EE:14:00 (06:15:07.524 PDT) tcpslice 1366809307.524 1366809307.525 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/24/2013 06:19:51.351 PDT Gen. Time: 04/24/2013 06:19:51.351 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 189.73.136.98 (06:19:51.351 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 143 IPs (142 /24s) (# pkts S/M/O/I=0/142/1/0): 445:142, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (06:19:51.351 PDT) tcpslice 1366809591.351 1366809591.352 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/24/2013 06:19:51.351 PDT Gen. 
Time: 04/24/2013 06:23:39.972 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 189.73.136.98 (2) (06:19:51.351 PDT) event=777:7777008 (2) {tcp} E8[bh] Detected intense malware port scanning of 143 IPs (142 /24s) (# pkts S/M/O/I=0/142/1/0): 445:142, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (06:19:51.351 PDT) (06:22:14.781 PDT) tcpslice 1366809591.351 1366809591.352 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/24/2013 06:24:59.385 PDT Gen. Time: 04/24/2013 06:24:59.385 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 189.73.136.98 (06:24:59.385 PDT) event=777:7777008 {icmp} E8[bh] Detected intense malware port scanning of 146 IPs (145 /24s) (# pkts S/M/O/I=0/145/1/0): 445:145, [] MAC_Src: 00:21:1C:EE:14:00 (06:24:59.385 PDT) tcpslice 1366809899.385 1366809899.386 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/24/2013 06:24:59.385 PDT Gen. 
Time: 04/24/2013 06:29:00.012 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 189.73.136.98 (2) (06:24:59.385 PDT) event=777:7777008 (2) {icmp} E8[bh] Detected intense malware port scanning of 146 IPs (145 /24s) (# pkts S/M/O/I=0/145/1/0): 445:145, [] MAC_Src: 00:21:1C:EE:14:00 (06:24:59.385 PDT) (06:27:50.808 PDT) tcpslice 1366809899.385 1366809899.386 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/24/2013 06:30:39.389 PDT Gen. Time: 04/24/2013 06:30:39.389 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 189.73.136.98 (06:30:39.389 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 150 IPs (149 /24s) (# pkts S/M/O/I=0/149/1/0): 445:149, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (06:30:39.389 PDT) tcpslice 1366810239.389 1366810239.390 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/24/2013 06:30:39.389 PDT Gen. 
Time: 04/24/2013 06:34:18.521 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 189.73.136.98 (2) (06:30:39.389 PDT) event=777:7777008 (2) {tcp} E8[bh] Detected intense malware port scanning of 150 IPs (149 /24s) (# pkts S/M/O/I=0/149/1/0): 445:149, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (06:30:39.389 PDT) 0->0 (06:32:52.604 PDT) tcpslice 1366810239.389 1366810239.390 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/24/2013 06:37:27.869 PDT Gen. Time: 04/24/2013 06:37:27.869 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 189.73.136.98 (06:37:27.869 PDT) event=777:7777008 {icmp} E8[bh] Detected intense malware port scanning of 155 IPs (154 /24s) (# pkts S/M/O/I=0/154/1/0): 445:154, [] MAC_Src: 00:21:1C:EE:14:00 (06:37:27.869 PDT) tcpslice 1366810647.869 1366810647.870 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/24/2013 06:37:27.869 PDT Gen. 
Time: 04/24/2013 06:41:29.325 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 189.73.52.46 (06:41:16.714 PDT) event=777:7777008 {icmp} E8[bh] Detected intense malware port scanning of 160 IPs (159 /24s) (# pkts S/M/O/I=0/159/1/0): 445:159, [] MAC_Src: 00:21:1C:EE:14:00 (06:41:16.714 PDT) 189.73.136.98 (2) (06:37:27.869 PDT) event=777:7777008 (2) {icmp} E8[bh] Detected intense malware port scanning of 155 IPs (154 /24s) (# pkts S/M/O/I=0/154/1/0): 445:154, [] MAC_Src: 00:21:1C:EE:14:00 (06:37:27.869 PDT) 0->0 (06:39:42.966 PDT) tcpslice 1366810647.869 1366810647.870 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/24/2013 06:43:17.130 PDT Gen. 
Time: 04/24/2013 06:43:17.130 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 189.73.52.46 (06:43:17.130 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 162 IPs (161 /24s) (# pkts S/M/O/I=0/161/1/0): 445:161, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (06:43:17.130 PDT) tcpslice 1366810997.130 1366810997.131 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/24/2013 06:43:17.130 PDT Gen. Time: 04/24/2013 06:47:17.518 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 189.73.52.46 (3) (06:43:17.130 PDT) event=777:7777008 (3) {tcp} E8[bh] Detected intense malware port scanning of 162 IPs (161 /24s) (# pkts S/M/O/I=0/161/1/0): 445:161, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (06:43:17.130 PDT) (06:44:51.076 PDT) 0->0 (06:46:22.321 PDT) tcpslice 1366810997.130 1366810997.131 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/24/2013 06:48:16.056 PDT Gen. 
Time: 04/24/2013 06:48:16.056 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 189.73.52.46 (06:48:16.056 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 168 IPs (167 /24s) (# pkts S/M/O/I=0/167/1/0): 445:167, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (06:48:16.056 PDT) tcpslice 1366811296.056 1366811296.057 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/24/2013 06:48:16.056 PDT Gen. Time: 04/24/2013 06:52:16.882 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 189.73.52.46 (2) (06:48:16.056 PDT) event=777:7777008 (2) {tcp} E8[bh] Detected intense malware port scanning of 168 IPs (167 /24s) (# pkts S/M/O/I=0/167/1/0): 445:167, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (06:48:16.056 PDT) (06:50:34.482 PDT) tcpslice 1366811296.056 1366811296.057 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/24/2013 06:55:08.139 PDT Gen. 
Time: 04/24/2013 06:55:08.139 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 189.73.52.46 (06:55:08.139 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 172 IPs (171 /24s) (# pkts S/M/O/I=0/171/1/0): 445:171, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (06:55:08.139 PDT) tcpslice 1366811708.139 1366811708.140 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/24/2013 06:55:08.139 PDT Gen. Time: 04/24/2013 06:59:08.272 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 189.73.52.46 (2) (06:55:08.139 PDT) event=777:7777008 (2) {tcp} E8[bh] Detected intense malware port scanning of 172 IPs (171 /24s) (# pkts S/M/O/I=0/171/1/0): 445:171, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (06:55:08.139 PDT) 0->0 (06:56:56.133 PDT) tcpslice 1366811708.139 1366811708.140 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/24/2013 07:01:19.799 PDT Gen. 
Time: 04/24/2013 07:01:19.799 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 189.73.52.46 (07:01:19.799 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 175 IPs (173 /24s) (# pkts S/M/O/I=0/174/1/0): 445:174, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (07:01:19.799 PDT) tcpslice 1366812079.799 1366812079.800 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 1.1 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/24/2013 07:37:16.170 PDT Gen. Time: 04/24/2013 07:39:09.047 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) 187.62.145.109 (07:37:16.170 PDT) event=777:7777005 {tcp} E5[bh] Detected moderate malware port scanning of 19 IPs (19 /24s) (# pkts S/M/O/I=0/19/0/0): 445:19, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (07:37:16.170 PDT) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 187.62.145.109 (07:39:09.047 PDT) event=777:7777008 {icmp} E8[bh] Detected intense malware port scanning of 21 IPs (21 /24s) (# pkts S/M/O/I=0/21/0/0): 445:21, [] MAC_Src: 00:21:1C:EE:14:00 (07:39:09.047 PDT) tcpslice 1366814236.170 1366814236.171 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) 
Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/24/2013 07:43:00.998 PDT Gen. Time: 04/24/2013 07:43:00.998 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 201.4.40.77 (07:43:00.998 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 25 IPs (25 /24s) (# pkts S/M/O/I=0/25/0/0): 445:25, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (07:43:00.998 PDT) tcpslice 1366814580.998 1366814580.999 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/24/2013 07:43:00.998 PDT Gen. 
Time: 04/24/2013 07:47:01.183 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 201.4.40.77 (3) (07:43:00.998 PDT) event=777:7777008 (3) {tcp} E8[bh] Detected intense malware port scanning of 25 IPs (25 /24s) (# pkts S/M/O/I=0/25/0/0): 445:25, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (07:43:00.998 PDT) 0->0 (07:44:30.567 PDT) (07:46:44.074 PDT) tcpslice 1366814580.998 1366814580.999 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/24/2013 07:48:34.720 PDT Gen. Time: 04/24/2013 07:48:34.720 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 201.4.40.77 (07:48:34.720 PDT) event=777:7777008 {icmp} E8[bh] Detected intense malware port scanning of 32 IPs (32 /24s) (# pkts S/M/O/I=0/32/0/0): 445:32, [] MAC_Src: 00:21:1C:EE:14:00 (07:48:34.720 PDT) tcpslice 1366814914.720 1366814914.721 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/24/2013 07:48:34.720 PDT Gen. 
Time: 04/24/2013 07:52:35.121 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 201.4.40.77 (3) (07:48:34.720 PDT) event=777:7777008 (3) {icmp} E8[bh] Detected intense malware port scanning of 32 IPs (32 /24s) (# pkts S/M/O/I=0/32/0/0): 445:32, [] MAC_Src: 00:21:1C:EE:14:00 (07:48:34.720 PDT) (07:50:30.051 PDT) 0->0 (07:52:11.521 PDT) tcpslice 1366814914.720 1366814914.721 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/24/2013 07:54:56.048 PDT Gen. Time: 04/24/2013 07:54:56.048 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 201.4.40.77 (07:54:56.048 PDT) event=777:7777008 {icmp} E8[bh] Detected intense malware port scanning of 37 IPs (37 /24s) (# pkts S/M/O/I=0/37/0/0): 445:37, [] MAC_Src: 00:21:1C:EE:14:00 (07:54:56.048 PDT) tcpslice 1366815296.048 1366815296.049 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/24/2013 07:54:56.048 PDT Gen. 
Time: 04/24/2013 07:58:39.310 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 201.4.40.77 (2) (07:54:56.048 PDT) event=777:7777008 (2) {icmp} E8[bh] Detected intense malware port scanning of 37 IPs (37 /24s) (# pkts S/M/O/I=0/37/0/0): 445:37, [] MAC_Src: 00:21:1C:EE:14:00 (07:54:56.048 PDT) 0->0 (07:56:47.076 PDT) tcpslice 1366815296.048 1366815296.049 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/24/2013 07:59:49.926 PDT Gen. Time: 04/24/2013 07:59:49.926 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 201.4.40.77 (07:59:49.926 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 40 IPs (40 /24s) (# pkts S/M/O/I=0/40/0/0): 445:40, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (07:59:49.926 PDT) tcpslice 1366815589.926 1366815589.927 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/24/2013 07:59:49.926 PDT Gen. 
Time: 04/24/2013 08:03:45.637 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 201.4.40.77 (2) (07:59:49.926 PDT) event=777:7777008 (2) {tcp} E8[bh] Detected intense malware port scanning of 40 IPs (40 /24s) (# pkts S/M/O/I=0/40/0/0): 445:40, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (07:59:49.926 PDT) 0->0 (08:01:53.175 PDT) tcpslice 1366815589.926 1366815589.927 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/24/2013 08:05:16.111 PDT Gen. Time: 04/24/2013 08:05:16.111 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 201.4.40.77 (08:05:16.111 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 44 IPs (44 /24s) (# pkts S/M/O/I=0/44/0/0): 445:44, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (08:05:16.111 PDT) tcpslice 1366815916.111 1366815916.112 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/24/2013 08:05:16.111 PDT Gen. 
Time: 04/24/2013 08:09:16.197 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 201.4.40.77 (2) (08:05:16.111 PDT) event=777:7777008 (2) {tcp} E8[bh] Detected intense malware port scanning of 44 IPs (44 /24s) (# pkts S/M/O/I=0/44/0/0): 445:44, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (08:05:16.111 PDT) (08:07:15.077 PDT) tcpslice 1366815916.111 1366815916.112 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/24/2013 08:09:33.470 PDT Gen. Time: 04/24/2013 08:09:33.470 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 201.4.40.77 (08:09:33.470 PDT) event=777:7777008 {icmp} E8[bh] Detected intense malware port scanning of 48 IPs (48 /24s) (# pkts S/M/O/I=0/48/0/0): 445:48, [] MAC_Src: 00:21:1C:EE:14:00 (08:09:33.470 PDT) tcpslice 1366816173.470 1366816173.471 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/24/2013 08:09:33.470 PDT Gen. 
Time: 04/24/2013 08:13:33.981 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 201.4.40.77 (2) (08:09:33.470 PDT) event=777:7777008 (2) {icmp} E8[bh] Detected intense malware port scanning of 48 IPs (48 /24s) (# pkts S/M/O/I=0/48/0/0): 445:48, [] MAC_Src: 00:21:1C:EE:14:00 (08:09:33.470 PDT) (08:11:40.756 PDT) tcpslice 1366816173.470 1366816173.471 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/24/2013 08:15:23.716 PDT Gen. Time: 04/24/2013 08:15:23.716 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 201.4.40.77 (08:15:23.716 PDT) event=777:7777008 {icmp} E8[bh] Detected intense malware port scanning of 52 IPs (52 /24s) (# pkts S/M/O/I=0/52/0/0): 445:52, [] MAC_Src: 00:21:1C:EE:14:00 (08:15:23.716 PDT) tcpslice 1366816523.716 1366816523.717 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/24/2013 08:15:23.716 PDT Gen. 
Time: 04/24/2013 08:19:24.371 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 201.4.40.77 (2) (08:15:23.716 PDT) event=777:7777008 (2) {icmp} E8[bh] Detected intense malware port scanning of 52 IPs (52 /24s) (# pkts S/M/O/I=0/52/0/0): 445:52, [] MAC_Src: 00:21:1C:EE:14:00 (08:15:23.716 PDT) 0->0 (08:18:58.747 PDT) tcpslice 1366816523.716 1366816523.717 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/24/2013 08:21:05.449 PDT Gen. Time: 04/24/2013 08:21:05.449 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 201.4.40.77 (08:21:05.449 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 57 IPs (57 /24s) (# pkts S/M/O/I=0/57/0/0): 445:57, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (08:21:05.449 PDT) tcpslice 1366816865.449 1366816865.450 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/24/2013 08:21:05.449 PDT Gen. 
Time: 04/24/2013 08:25:05.470 PDT
   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION Info
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
   DECLARE BOT Local Threat Triggered
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN
      201.4.40.77 (2) (08:21:05.449 PDT)
        event=777:7777008 (2) {tcp} E8[bh] Detected intense malware port scanning of 57 IPs (57 /24s) (# pkts S/M/O/I=0/57/0/0): 445:57, [] MAC_Src: 00:21:1C:EE:14:00
        0->0 (08:21:05.449 PDT) (08:23:01.624 PDT)

tcpslice 1366816865.449 1366816865.450 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.98
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 04/24/2013 08:25:13.947 PDT
Gen. Time: 04/24/2013 08:25:13.947 PDT
   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION Info
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
   DECLARE BOT Local Threat Triggered
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN
      201.4.40.77 (08:25:13.947 PDT)
        event=777:7777008 {icmp} E8[bh] Detected intense malware port scanning of 62 IPs (62 /24s) (# pkts S/M/O/I=0/61/1/0): 445:61, [] MAC_Src: 00:21:1C:EE:14:00
        (08:25:13.947 PDT)

tcpslice 1366817113.947 1366817113.948 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.98
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 04/24/2013 08:30:37.748 PDT
Gen. Time: 04/24/2013 08:30:37.748 PDT
   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION Info
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
   DECLARE BOT Local Threat Triggered
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN
      201.4.40.77 (08:30:37.748 PDT)
        event=777:7777008 {icmp} E8[bh] Detected intense malware port scanning of 65 IPs (65 /24s) (# pkts S/M/O/I=0/64/1/0): 445:64, [] MAC_Src: 00:21:1C:EE:14:00
        (08:30:37.748 PDT)

tcpslice 1366817437.748 1366817437.749 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.98
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 04/24/2013 08:30:37.748 PDT
Gen. Time: 04/24/2013 08:34:40.706 PDT
   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION Info
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
   DECLARE BOT Local Threat Triggered
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN
      201.4.40.77 (2) (08:30:37.748 PDT)
        event=777:7777008 (2) {icmp} E8[bh] Detected intense malware port scanning of 65 IPs (65 /24s) (# pkts S/M/O/I=0/64/1/0): 445:64, [] MAC_Src: 00:21:1C:EE:14:00
        (08:30:37.748 PDT) 0->0 (08:32:12.717 PDT)

tcpslice 1366817437.748 1366817437.749 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.98
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 04/24/2013 08:35:28.776 PDT
Gen. Time: 04/24/2013 08:35:28.776 PDT
   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION Info
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
   DECLARE BOT Local Threat Triggered
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN
      201.4.40.77 (08:35:28.776 PDT)
        event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 68 IPs (68 /24s) (# pkts S/M/O/I=0/67/1/0): 445:67, [] MAC_Src: 00:21:1C:EE:14:00
        0->0 (08:35:28.776 PDT)

tcpslice 1366817728.776 1366817728.777 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.98
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 04/24/2013 08:35:28.776 PDT
Gen. Time: 04/24/2013 08:39:29.489 PDT
   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION Info
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
   DECLARE BOT Local Threat Triggered
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN
      201.4.40.77 (2) (08:35:28.776 PDT)
        event=777:7777008 (2) {tcp} E8[bh] Detected intense malware port scanning of 68 IPs (68 /24s) (# pkts S/M/O/I=0/67/1/0): 445:67, [] MAC_Src: 00:21:1C:EE:14:00
        0->0 (08:35:28.776 PDT) (08:37:43.302 PDT)

tcpslice 1366817728.776 1366817728.777 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.98
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 04/24/2013 08:40:12.681 PDT
Gen. Time: 04/24/2013 08:40:12.681 PDT
   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION Info
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
   DECLARE BOT Local Threat Triggered
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN
      201.4.40.77 (08:40:12.681 PDT)
        event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 75 IPs (75 /24s) (# pkts S/M/O/I=0/74/1/0): 445:74, [] MAC_Src: 00:21:1C:EE:14:00
        0->0 (08:40:12.681 PDT)

tcpslice 1366818012.681 1366818012.682 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.98
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 04/24/2013 08:40:12.681 PDT
Gen. Time: 04/24/2013 08:44:16.639 PDT
   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION Info
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
   DECLARE BOT Local Threat Triggered
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN
      201.4.40.77 (2) (08:40:12.681 PDT)
        event=777:7777008 (2) {tcp} E8[bh] Detected intense malware port scanning of 75 IPs (75 /24s) (# pkts S/M/O/I=0/74/1/0): 445:74, [] MAC_Src: 00:21:1C:EE:14:00
        0->0 (08:40:12.681 PDT) 0->0 (08:42:35.741 PDT)

tcpslice 1366818012.681 1366818012.682 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.98
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 04/24/2013 08:44:25.625 PDT
Gen. Time: 04/24/2013 08:44:25.625 PDT
   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION Info
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
   DECLARE BOT Local Threat Triggered
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN
      201.4.40.77 (08:44:25.625 PDT)
        event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 79 IPs (79 /24s) (# pkts S/M/O/I=0/78/1/0): 445:78, [] MAC_Src: 00:21:1C:EE:14:00
        0->0 (08:44:25.625 PDT)

tcpslice 1366818265.625 1366818265.626 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.98
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 04/24/2013 08:44:25.625 PDT
Gen. Time: 04/24/2013 08:48:27.118 PDT
   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION Info
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
   DECLARE BOT Local Threat Triggered
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN
      201.4.40.77 (3) (08:44:25.625 PDT)
        event=777:7777008 (3) {tcp} E8[bh] Detected intense malware port scanning of 79 IPs (79 /24s) (# pkts S/M/O/I=0/78/1/0): 445:78, [] MAC_Src: 00:21:1C:EE:14:00
        0->0 (08:44:25.625 PDT) (08:45:56.751 PDT) 0->0 (08:47:28.819 PDT)

tcpslice 1366818265.625 1366818265.626 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.98
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 04/24/2013 08:50:03.792 PDT
Gen. Time: 04/24/2013 08:50:03.792 PDT
   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION Info
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
   DECLARE BOT Local Threat Triggered
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN
      201.4.40.77 (08:50:03.792 PDT)
        event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 86 IPs (86 /24s) (# pkts S/M/O/I=0/85/1/0): 445:85, [] MAC_Src: 00:21:1C:EE:14:00
        0->0 (08:50:03.792 PDT)

tcpslice 1366818603.792 1366818603.793 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.98
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 04/24/2013 08:54:42.316 PDT
Gen. Time: 04/24/2013 08:54:42.316 PDT
   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION Info
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
   DECLARE BOT Local Threat Triggered
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN
      201.4.40.77 (08:54:42.316 PDT)
        event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 87 IPs (87 /24s) (# pkts S/M/O/I=0/86/1/0): 445:86, [] MAC_Src: 00:21:1C:EE:14:00
        0->0 (08:54:42.316 PDT)

tcpslice 1366818882.316 1366818882.317 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.98
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 04/24/2013 08:54:42.316 PDT
Gen. Time: 04/24/2013 08:58:31.264 PDT
   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION Info
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
   DECLARE BOT Local Threat Triggered
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN
      201.4.40.77 (2) (08:54:42.316 PDT)
        event=777:7777008 (2) {tcp} E8[bh] Detected intense malware port scanning of 87 IPs (87 /24s) (# pkts S/M/O/I=0/86/1/0): 445:86, [] MAC_Src: 00:21:1C:EE:14:00
        0->0 (08:54:42.316 PDT) (08:56:56.721 PDT)

tcpslice 1366818882.316 1366818882.317 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.98
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 04/24/2013 09:01:58.737 PDT
Gen. Time: 04/24/2013 09:01:58.737 PDT
   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION Info
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
   DECLARE BOT Local Threat Triggered
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN
      201.4.40.77 (09:01:58.737 PDT)
        event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 93 IPs (93 /24s) (# pkts S/M/O/I=0/92/1/0): 445:92, [] MAC_Src: 00:21:1C:EE:14:00
        0->0 (09:01:58.737 PDT)

tcpslice 1366819318.737 1366819318.738 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.98
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 04/24/2013 09:07:58.830 PDT
Gen. Time: 04/24/2013 09:07:58.830 PDT
   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION Info
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
   DECLARE BOT Local Threat Triggered
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN
      177.86.182.61 (09:07:58.830 PDT)
        event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 97 IPs (97 /24s) (# pkts S/M/O/I=0/96/1/0): 445:96, [] MAC_Src: 00:21:1C:EE:14:00
        0->0 (09:07:58.830 PDT)

tcpslice 1366819678.830 1366819678.831 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.98
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 04/24/2013 09:07:58.830 PDT
Gen. Time: 04/24/2013 09:12:01.791 PDT
   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION Info
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
   DECLARE BOT Local Threat Triggered
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN
      177.86.182.61 (3) (09:07:58.830 PDT)
        event=777:7777008 (3) {tcp} E8[bh] Detected intense malware port scanning of 97 IPs (97 /24s) (# pkts S/M/O/I=0/96/1/0): 445:96, [] MAC_Src: 00:21:1C:EE:14:00
        0->0 (09:07:58.830 PDT) (09:09:37.382 PDT) 0->0 (09:11:50.620 PDT)

tcpslice 1366819678.830 1366819678.831 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.98
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 04/24/2013 09:16:02.915 PDT
Gen. Time: 04/24/2013 09:16:02.915 PDT
   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION Info
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
   DECLARE BOT Local Threat Triggered
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN
      177.86.182.61 (09:16:02.915 PDT)
        event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 106 IPs (106 /24s) (# pkts S/M/O/I=0/105/1/0): 445:105, [] MAC_Src: 00:21:1C:EE:14:00
        0->0 (09:16:02.915 PDT)

tcpslice 1366820162.915 1366820162.916 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.98
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 04/24/2013 09:16:02.915 PDT
Gen. Time: 04/24/2013 09:20:03.795 PDT
   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION Info
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
   DECLARE BOT Local Threat Triggered
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN
      177.86.182.61 (3) (09:16:02.915 PDT)
        event=777:7777008 (3) {tcp} E8[bh] Detected intense malware port scanning of 106 IPs (106 /24s) (# pkts S/M/O/I=0/105/1/0): 445:105, [] MAC_Src: 00:21:1C:EE:14:00
        0->0 (09:16:02.915 PDT) (09:18:10.712 PDT) (09:20:00.928 PDT)

tcpslice 1366820162.915 1366820162.916 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.98
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 04/24/2013 09:23:03.238 PDT
Gen. Time: 04/24/2013 09:23:03.238 PDT
   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION Info
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
   DECLARE BOT Local Threat Triggered
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN
      177.86.182.61 (09:23:03.238 PDT)
        event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 111 IPs (111 /24s) (# pkts S/M/O/I=0/110/1/0): 445:110, [] MAC_Src: 00:21:1C:EE:14:00
        0->0 (09:23:03.238 PDT)

tcpslice 1366820583.238 1366820583.239 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.98
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 04/24/2013 09:23:03.238 PDT
Gen. Time: 04/24/2013 09:27:08.336 PDT
   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION Info
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
   DECLARE BOT Local Threat Triggered
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN
      177.86.182.61 (3) (09:23:03.238 PDT)
        event=777:7777008 (3) {tcp} E8[bh] Detected intense malware port scanning of 111 IPs (111 /24s) (# pkts S/M/O/I=0/110/1/0): 445:110, [] MAC_Src: 00:21:1C:EE:14:00
        0->0 (09:23:03.238 PDT) 0->0 (09:24:35.778 PDT) 0->0 (09:26:23.239 PDT)

tcpslice 1366820583.238 1366820583.239 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.98
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 04/24/2013 09:28:42.323 PDT
Gen. Time: 04/24/2013 09:28:42.323 PDT
   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION Info
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
   DECLARE BOT Local Threat Triggered
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN
      177.86.182.61 (09:28:42.323 PDT)
        event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 120 IPs (120 /24s) (# pkts S/M/O/I=0/119/1/0): 445:119, [] MAC_Src: 00:21:1C:EE:14:00
        0->0 (09:28:42.323 PDT)

tcpslice 1366820922.323 1366820922.324 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.98
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 04/24/2013 09:28:42.323 PDT
Gen. Time: 04/24/2013 09:32:38.090 PDT
   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION Info
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
   DECLARE BOT Local Threat Triggered
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN
      177.86.182.61 (2) (09:28:42.323 PDT)
        event=777:7777008 (2) {tcp} E8[bh] Detected intense malware port scanning of 120 IPs (120 /24s) (# pkts S/M/O/I=0/119/1/0): 445:119, [] MAC_Src: 00:21:1C:EE:14:00
        0->0 (09:28:42.323 PDT) 0->0 (09:30:39.318 PDT)

tcpslice 1366820922.323 1366820922.324 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.98
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 04/24/2013 09:32:47.749 PDT
Gen. Time: 04/24/2013 09:32:47.749 PDT
   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION Info
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
   DECLARE BOT Local Threat Triggered
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN
      177.86.182.61 (09:32:47.749 PDT)
        event=777:7777008 {icmp} E8[bh] Detected intense malware port scanning of 123 IPs (123 /24s) (# pkts S/M/O/I=0/122/1/0): 445:122, [] MAC_Src: 00:21:1C:EE:14:00
        (09:32:47.749 PDT)

tcpslice 1366821167.749 1366821167.750 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.98
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 04/24/2013 09:32:47.749 PDT
Gen. Time: 04/24/2013 09:36:44.113 PDT
   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION Info
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
   DECLARE BOT Local Threat Triggered
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN
      177.86.182.61 (2) (09:32:47.749 PDT)
        event=777:7777008 (2) {icmp} E8[bh] Detected intense malware port scanning of 123 IPs (123 /24s) (# pkts S/M/O/I=0/122/1/0): 445:122, [] MAC_Src: 00:21:1C:EE:14:00
        (09:32:47.749 PDT) 0->0 (09:34:33.358 PDT)

tcpslice 1366821167.749 1366821167.750 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.98
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 04/24/2013 09:37:18.810 PDT
Gen. Time: 04/24/2013 09:37:18.810 PDT
   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION Info
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
   DECLARE BOT Local Threat Triggered
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN
      177.86.182.61 (09:37:18.810 PDT)
        event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 132 IPs (130 /24s) (# pkts S/M/O/I=0/131/1/0): 445:131, [] MAC_Src: 00:21:1C:EE:14:00
        0->0 (09:37:18.810 PDT)

tcpslice 1366821438.810 1366821438.811 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.98
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 04/24/2013 09:37:18.810 PDT
Gen. Time: 04/24/2013 09:41:19.101 PDT
   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION Info
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
   DECLARE BOT Local Threat Triggered
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN
      177.86.182.61 (2) (09:37:18.810 PDT)
        event=777:7777008 (2) {tcp} E8[bh] Detected intense malware port scanning of 132 IPs (130 /24s) (# pkts S/M/O/I=0/131/1/0): 445:131, [] MAC_Src: 00:21:1C:EE:14:00
        0->0 (09:37:18.810 PDT) 0->0 (09:39:45.690 PDT)

tcpslice 1366821438.810 1366821438.811 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.98
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 04/24/2013 09:41:29.317 PDT
Gen. Time: 04/24/2013 09:41:29.317 PDT
   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION Info
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
   DECLARE BOT Local Threat Triggered
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN
      177.86.182.61 (09:41:29.317 PDT)
        event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 138 IPs (136 /24s) (# pkts S/M/O/I=0/137/1/0): 445:137, [] MAC_Src: 00:21:1C:EE:14:00
        0->0 (09:41:29.317 PDT)

tcpslice 1366821689.317 1366821689.318 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.98
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 04/24/2013 09:41:29.317 PDT
Gen. Time: 04/24/2013 09:45:32.277 PDT
   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION Info
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
   DECLARE BOT Local Threat Triggered
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN
      177.86.182.61 (2) (09:41:29.317 PDT)
        event=777:7777008 (2) {tcp} E8[bh] Detected intense malware port scanning of 138 IPs (136 /24s) (# pkts S/M/O/I=0/137/1/0): 445:137, [] MAC_Src: 00:21:1C:EE:14:00
        0->0 (09:41:29.317 PDT) 0->0 (09:43:09.392 PDT)

tcpslice 1366821689.317 1366821689.318 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.98
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 04/24/2013 09:45:58.474 PDT
Gen. Time: 04/24/2013 09:45:58.474 PDT
   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION Info
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
   DECLARE BOT Local Threat Triggered
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN
      177.86.182.61 (09:45:58.474 PDT)
        event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 141 IPs (139 /24s) (# pkts S/M/O/I=0/140/1/0): 445:140, [] MAC_Src: 00:21:1C:EE:14:00
        0->0 (09:45:58.474 PDT)

tcpslice 1366821958.474 1366821958.475 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.98
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 04/24/2013 09:51:03.695 PDT
Gen. Time: 04/24/2013 09:51:03.695 PDT
   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION Info
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
   DECLARE BOT Local Threat Triggered
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN
      177.86.182.61 (09:51:03.695 PDT)
        event=777:7777008 {icmp} E8[bh] Detected intense malware port scanning of 142 IPs (140 /24s) (# pkts S/M/O/I=0/141/1/0): 445:141, [] MAC_Src: 00:21:1C:EE:14:00
        (09:51:03.695 PDT)

tcpslice 1366822263.695 1366822263.696 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.98
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 04/24/2013 09:51:03.695 PDT
Gen. Time: 04/24/2013 09:55:03.836 PDT
   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION Info
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
   DECLARE BOT Local Threat Triggered
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN
      177.86.182.61 (2) (09:51:03.695 PDT)
        event=777:7777008 (2) {icmp} E8[bh] Detected intense malware port scanning of 142 IPs (140 /24s) (# pkts S/M/O/I=0/141/1/0): 445:141, [] MAC_Src: 00:21:1C:EE:14:00
        (09:51:03.695 PDT) 0->0 (09:55:03.836 PDT)

tcpslice 1366822263.695 1366822263.696 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.98
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 04/24/2013 09:56:38.802 PDT
Gen. Time: 04/24/2013 09:56:38.802 PDT
   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION Info
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
   DECLARE BOT Local Threat Triggered
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN
      177.86.182.61 (09:56:38.802 PDT)
        event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 148 IPs (146 /24s) (# pkts S/M/O/I=0/147/1/0): 445:147, [] MAC_Src: 00:21:1C:EE:14:00
        0->0 (09:56:38.802 PDT)

tcpslice 1366822598.802 1366822598.803 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.98
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 04/24/2013 09:56:38.802 PDT
Gen. Time: 04/24/2013 10:00:38.670 PDT
   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION Info
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
   DECLARE BOT Local Threat Triggered
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN
      177.86.182.61 (3) (09:56:38.802 PDT)
        event=777:7777008 (3) {tcp} E8[bh] Detected intense malware port scanning of 148 IPs (146 /24s) (# pkts S/M/O/I=0/147/1/0): 445:147, [] MAC_Src: 00:21:1C:EE:14:00
        0->0 (09:56:38.802 PDT) (09:58:44.667 PDT) (10:00:33.863 PDT)

tcpslice 1366822598.802 1366822598.803 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.98
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 04/24/2013 10:02:27.965 PDT
Gen. Time: 04/24/2013 10:02:27.965 PDT
   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION Info
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
   DECLARE BOT Local Threat Triggered
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN
      177.86.182.61 (10:02:27.965 PDT)
        event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 153 IPs (151 /24s) (# pkts S/M/O/I=0/152/1/0): 445:152, [] MAC_Src: 00:21:1C:EE:14:00
        0->0 (10:02:27.965 PDT)

tcpslice 1366822947.965 1366822947.966 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.98
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 04/24/2013 10:02:27.965 PDT
Gen. Time: 04/24/2013 10:06:30.506 PDT
   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION Info
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
   DECLARE BOT Local Threat Triggered
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN
      177.86.182.61 (2) (10:02:27.965 PDT)
        event=777:7777008 (2) {tcp} E8[bh] Detected intense malware port scanning of 153 IPs (151 /24s) (# pkts S/M/O/I=0/152/1/0): 445:152, [] MAC_Src: 00:21:1C:EE:14:00
        0->0 (10:02:27.965 PDT) 0->0 (10:04:40.131 PDT)

tcpslice 1366822947.965 1366822947.966 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.98
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 04/24/2013 10:34:41.610 PDT
Gen. Time: 04/24/2013 10:34:41.610 PDT
   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION Info
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
   DECLARE BOT Local Threat Triggered
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN
      187.95.64.59 (10:34:41.610 PDT)
        event=777:7777008 {icmp} E8[bh] Detected intense malware port scanning of 21 IPs (21 /24s) (# pkts S/M/O/I=0/21/0/0): 445:21, [] MAC_Src: 00:21:1C:EE:14:00
        (10:34:41.610 PDT)

tcpslice 1366824881.610 1366824881.611 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.98
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 04/24/2013 10:39:35.950 PDT
Gen. Time: 04/24/2013 10:39:35.950 PDT
   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION Info
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
   DECLARE BOT Local Threat Triggered
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN
      187.95.64.59 (10:39:35.950 PDT)
        event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 23 IPs (23 /24s) (# pkts S/M/O/I=0/23/0/0): 445:23, [] MAC_Src: 00:21:1C:EE:14:00
        0->0 (10:39:35.950 PDT)

tcpslice 1366825175.950 1366825175.951 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.98
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 04/24/2013 10:39:35.950 PDT
Gen. Time: 04/24/2013 10:43:39.712 PDT
   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION Info
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
   DECLARE BOT Local Threat Triggered
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN
      177.36.158.91 (2) (10:41:41.314 PDT)
        event=777:7777008 (2) {icmp} E8[bh] Detected intense malware port scanning of 25 IPs (25 /24s) (# pkts S/M/O/I=0/25/0/0): 445:25, [] MAC_Src: 00:21:1C:EE:14:00
        (10:41:41.314 PDT) 0->0 (10:43:39.712 PDT)
      187.95.64.59 (10:39:35.950 PDT)
        event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 23 IPs (23 /24s) (# pkts S/M/O/I=0/23/0/0): 445:23, [] MAC_Src: 00:21:1C:EE:14:00
        0->0 (10:39:35.950 PDT)

tcpslice 1366825175.950 1366825175.951 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98'
============================== SEPARATOR ================================
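The records above are raw BotHunter profile output with no explanation attached, so what follows is an added example, written for this page and not BotHunter's own code or the page author's: a parser that turns such records into structured fields, summarises which peer addresses the scan alerts name, and rebuilds the page's tcpslice | tcpdump carve command over the full Observed Start to Gen. Time window instead of the one-millisecond slice BotHunter prints. The field layout is inferred from the records on this page; the timezone table, the function and class names, and the handling of alerts other than the port-scan message are assumptions. The embedded sample is two records copied from the dump above (empty list fields and empty stage headings omitted).

```python
# Added example for this page, not BotHunter's own code: the field layout is
# inferred from the records above; TZ_OFFSETS and all names here are assumptions.
import re
from collections import namedtuple
from datetime import datetime, timedelta, timezone

TZ_OFFSETS = {"PDT": -7, "PST": -8, "EDT": -4, "EST": -5, "UTC": 0}  # assumed table
_EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)
_STAMP = r"\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}\.\d{3} [A-Z]{3,4}"
_IP = r"\d{1,3}(?:\.\d{1,3}){3}"
SEPARATOR_RE = re.compile(r"=+ SEPARATOR =+")
HEADER_RE = re.compile(r"Score:\s*(?P<score>[\d.]+)\s*\(>=\s*(?P<threshold>[\d.]+)\)"
                       r"\s*Infected Target:\s*(?P<target>" + _IP + ")")
OBSERVED_RE = re.compile(r"Observed Start:\s*(" + _STAMP + ")")
GEN_RE = re.compile(r"Gen\.\s*Time:\s*(" + _STAMP + ")")
# One alert under a stage heading: peer, optional "(N)" hit count, first-seen
# clock, sid, protocol, stage tag (E8 here), message text, then the source MAC.
EVENT_RE = re.compile(
    r"(?P<peer>" + _IP + r")(?:\s*\((?P<hits>\d+)\))?\s*\(\d{2}:\d{2}:\d{2}\.\d{3} [A-Z]{3,4}\)"
    r"\s*event=(?P<sid>\d+:\d+)(?:\s*\(\d+\))?\s*\{(?P<proto>[a-z]+)\}\s*E\d\[[a-z]+\]"
    r"\s*(?P<msg>.*?)\s*MAC_Src:\s*(?P<mac>(?:[0-9A-F]{2}:){5}[0-9A-F]{2})", re.S)
# Body of the port-scan detector message (sid 777:7777008 in the dump above).
SCAN_RE = re.compile(r"scanning of (?P<ips>\d+) IPs \((?P<nets>\d+) /24s\) \(# pkts S/M/O/I="
                     r"(?P<s>\d+)/(?P<m>\d+)/(?P<o>\d+)/(?P<i>\d+)\): (?P<ports>[^\[]*)")

# pkts_smoi = (S, M, O, I) counters as printed; ports = {dst_port: packet_count}
ScanEvent = namedtuple("ScanEvent", "peer hits sid proto mac_src ips_scanned "
                                    "nets_scanned pkts_smoi ports")
Profile = namedtuple("Profile", "score threshold target observed_start gen_time events")

def to_epoch(stamp):
    """'04/24/2013 08:30:37.748 PDT' -> '1366817437.748' (integer maths, no float rounding)."""
    clock, zone = stamp.rsplit(" ", 1)
    aware = datetime.strptime(clock, "%m/%d/%Y %H:%M:%S.%f").replace(
        tzinfo=timezone(timedelta(hours=TZ_OFFSETS[zone])))
    us = (aware - _EPOCH) // timedelta(microseconds=1)
    return f"{us // 1_000_000}.{us % 1_000_000 // 1000:03d}"

def _event(m):
    scan = SCAN_RE.search(m["msg"])
    if scan is None:  # some other BotHunter alert: refuse rather than mis-parse it
        raise ValueError(f"not a port-scan alert: {m['msg']!r}")
    return ScanEvent(
        peer=m["peer"], hits=int(m["hits"] or 1), sid=m["sid"], proto=m["proto"],
        mac_src=m["mac"], ips_scanned=int(scan["ips"]), nets_scanned=int(scan["nets"]),
        pkts_smoi=tuple(int(scan[k]) for k in "smoi"),
        ports={int(p): int(n) for p, n in re.findall(r"(\d+):(\d+)", scan["ports"])})

def parse_profiles(text):
    """Split on the SEPARATOR rule; each chunk with a Score header is one profile."""
    out = []
    for chunk in SEPARATOR_RE.split(text):
        head = HEADER_RE.search(chunk)
        if head is None:
            continue  # cut-off record or trailing whitespace: skip, do not guess
        out.append(Profile(float(head["score"]), float(head["threshold"]), head["target"],
                           OBSERVED_RE.search(chunk)[1], GEN_RE.search(chunk)[1],
                           [_event(m) for m in EVENT_RE.finditer(chunk)]))
    return out

def carve_command(p, infile="inputFile.tcpd", outfile="outputFile.tcpd"):
    """The page's tcpslice | tcpdump pipeline over the whole Observed Start .. Gen. Time window."""
    return (f"tcpslice {to_epoch(p.observed_start)} {to_epoch(p.gen_time)} {infile}"
            f" | tcpdump -r - -w {outfile} 'host {p.target}'")

def summarize(profiles):
    """Per peer address, the largest IP count any scan alert reported."""
    worst = {}
    for p in profiles:
        for e in p.events:
            worst[e.peer] = max(worst.get(e.peer, 0), e.ips_scanned)
    return worst

# Constructed sample: two records copied from the dump above, one field per line
# as BotHunter prints them (empty list fields and stage headings left out).
SAMPLE = """\
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.98
Observed Start: 04/24/2013 08:30:37.748 PDT
Gen. Time: 04/24/2013 08:34:40.706 PDT
   OUTBOUND INTENSE MALWARE PORT SCAN
      201.4.40.77 (2) (08:30:37.748 PDT)
        event=777:7777008 (2) {icmp} E8[bh] Detected intense malware port scanning of 65 IPs (65 /24s) (# pkts S/M/O/I=0/64/1/0): 445:64, [] MAC_Src: 00:21:1C:EE:14:00
        (08:30:37.748 PDT) 0->0 (08:32:12.717 PDT)
tcpslice 1366817437.748 1366817437.749 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.98
Observed Start: 04/24/2013 10:39:35.950 PDT
Gen. Time: 04/24/2013 10:43:39.712 PDT
   OUTBOUND INTENSE MALWARE PORT SCAN
      177.36.158.91 (2) (10:41:41.314 PDT)
        event=777:7777008 (2) {icmp} E8[bh] Detected intense malware port scanning of 25 IPs (25 /24s) (# pkts S/M/O/I=0/25/0/0): 445:25, [] MAC_Src: 00:21:1C:EE:14:00
        (10:41:41.314 PDT) 0->0 (10:43:39.712 PDT)
      187.95.64.59 (10:39:35.950 PDT)
        event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 23 IPs (23 /24s) (# pkts S/M/O/I=0/23/0/0): 445:23, [] MAC_Src: 00:21:1C:EE:14:00
        0->0 (10:39:35.950 PDT)
tcpslice 1366825175.950 1366825175.951 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98'
============================== SEPARATOR ================================
"""
```

Feed a saved dump to `parse_profiles(open(path).read())`; because every separator in the patterns is `\s*`, the same code accepts both BotHunter's one-field-per-line layout and the flattened form extraction produced on this page. Two points matter when using it: the tcpslice window BotHunter prints is one millisecond wide and brackets only the triggering packet, which is why `carve_command` widens it to the profile's observation window; and `SCAN_RE` understands only the port-scan message, so a different alert under the same heading raises a `ValueError` instead of being silently mis-parsed.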
Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/24/2013 10:47:31.560 PDT Gen. Time: 04/24/2013 10:47:31.560 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 177.36.158.91 (10:47:31.560 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 29 IPs (29 /24s) (# pkts S/M/O/I=0/29/0/0): 445:29, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (10:47:31.560 PDT) tcpslice 1366825651.560 1366825651.561 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/24/2013 10:47:31.560 PDT Gen. 
Time: 04/24/2013 10:51:25.262 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 177.36.158.91 (2) (10:47:31.560 PDT) event=777:7777008 (2) {tcp} E8[bh] Detected intense malware port scanning of 29 IPs (29 /24s) (# pkts S/M/O/I=0/29/0/0): 445:29, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (10:47:31.560 PDT) 0->0 (10:50:27.406 PDT) tcpslice 1366825651.560 1366825651.561 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/24/2013 10:52:40.981 PDT Gen. Time: 04/24/2013 10:52:40.981 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 177.36.158.91 (10:52:40.981 PDT) event=777:7777008 {icmp} E8[bh] Detected intense malware port scanning of 32 IPs (32 /24s) (# pkts S/M/O/I=0/32/0/0): 445:32, [] MAC_Src: 00:21:1C:EE:14:00 (10:52:40.981 PDT) tcpslice 1366825960.981 1366825960.982 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/24/2013 10:52:40.981 PDT Gen. 
Time: 04/24/2013 10:56:42.007 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 177.36.158.91 (2) (10:52:40.981 PDT) event=777:7777008 (2) {icmp} E8[bh] Detected intense malware port scanning of 32 IPs (32 /24s) (# pkts S/M/O/I=0/32/0/0): 445:32, [] MAC_Src: 00:21:1C:EE:14:00 (10:52:40.981 PDT) 0->0 (10:54:53.966 PDT) tcpslice 1366825960.981 1366825960.982 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/24/2013 10:58:21.620 PDT Gen. Time: 04/24/2013 10:58:21.620 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 189.1.217.46 (10:58:21.620 PDT) event=777:7777008 {icmp} E8[bh] Detected intense malware port scanning of 36 IPs (36 /24s) (# pkts S/M/O/I=0/36/0/0): 445:36, [] MAC_Src: 00:21:1C:EE:14:00 (10:58:21.620 PDT) tcpslice 1366826301.620 1366826301.621 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/24/2013 10:58:21.620 PDT Gen. 
Time: 04/24/2013 11:02:22.671 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 177.4.184.76 (11:02:05.150 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 43 IPs (43 /24s) (# pkts S/M/O/I=0/43/0/0): 445:43, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (11:02:05.150 PDT) 189.1.217.46 (2) (10:58:21.620 PDT) event=777:7777008 (2) {icmp} E8[bh] Detected intense malware port scanning of 36 IPs (36 /24s) (# pkts S/M/O/I=0/36/0/0): 445:36, [] MAC_Src: 00:21:1C:EE:14:00 (10:58:21.620 PDT) (11:00:22.081 PDT) tcpslice 1366826301.620 1366826301.621 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/24/2013 11:03:46.070 PDT Gen. 
Time: 04/24/2013 11:03:46.070 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 177.4.184.76 (11:03:46.070 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 46 IPs (46 /24s) (# pkts S/M/O/I=0/45/1/0): 445:45, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (11:03:46.070 PDT) tcpslice 1366826626.070 1366826626.071 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/24/2013 11:26:21.140 PDT Gen. Time: 04/24/2013 11:26:21.140 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 189.73.90.19 (11:26:21.140 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 21 IPs (21 /24s) (# pkts S/M/O/I=0/21/0/0): 445:21, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (11:26:21.140 PDT) tcpslice 1366827981.140 1366827981.141 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/24/2013 11:34:07.144 PDT Gen. 
Time: 04/24/2013 11:34:07.144 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 189.73.90.19 (11:34:07.144 PDT) event=777:7777008 {icmp} E8[bh] Detected intense malware port scanning of 24 IPs (24 /24s) (# pkts S/M/O/I=0/24/0/0): 445:24, [] MAC_Src: 00:21:1C:EE:14:00 (11:34:07.144 PDT) tcpslice 1366828447.144 1366828447.145 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/24/2013 11:34:07.144 PDT Gen. Time: 04/24/2013 11:37:14.180 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 189.73.90.19 (11:34:07.144 PDT) event=777:7777008 {icmp} E8[bh] Detected intense malware port scanning of 24 IPs (24 /24s) (# pkts S/M/O/I=0/24/0/0): 445:24, [] MAC_Src: 00:21:1C:EE:14:00 (11:34:07.144 PDT) 177.12.149.102 (11:35:49.060 PDT) event=777:7777008 {icmp} E8[bh] Detected intense malware port scanning of 28 IPs (27 /24s) (# pkts S/M/O/I=0/28/0/0): 445:28, [] MAC_Src: 00:21:1C:EE:14:00 (11:35:49.060 PDT) tcpslice 1366828447.144 1366828447.145 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 
192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/24/2013 11:42:04.097 PDT Gen. Time: 04/24/2013 11:42:04.097 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 177.12.149.102 (11:42:04.097 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 30 IPs (29 /24s) (# pkts S/M/O/I=0/30/0/0): 445:30, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (11:42:04.097 PDT) tcpslice 1366828924.097 1366828924.098 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/24/2013 11:42:04.097 PDT Gen. 
Time: 04/24/2013 11:46:28.973 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 177.12.149.102 (3) (11:42:04.097 PDT) event=777:7777008 (3) {tcp} E8[bh] Detected intense malware port scanning of 30 IPs (29 /24s) (# pkts S/M/O/I=0/30/0/0): 445:30, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (11:42:04.097 PDT) (11:44:00.125 PDT) 0->0 (11:46:28.973 PDT) tcpslice 1366828924.097 1366828924.098 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/24/2013 11:48:07.066 PDT Gen. Time: 04/24/2013 11:48:07.066 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 177.12.149.102 (11:48:07.066 PDT) event=777:7777008 {icmp} E8[bh] Detected intense malware port scanning of 34 IPs (33 /24s) (# pkts S/M/O/I=0/34/0/0): 445:34, [] MAC_Src: 00:21:1C:EE:14:00 (11:48:07.066 PDT) tcpslice 1366829287.066 1366829287.067 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/24/2013 11:48:07.066 PDT Gen. 
Time: 04/24/2013 11:52:56.172 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 177.12.149.102 (3) (11:48:07.066 PDT) event=777:7777008 (3) {icmp} E8[bh] Detected intense malware port scanning of 34 IPs (33 /24s) (# pkts S/M/O/I=0/34/0/0): 445:34, [] MAC_Src: 00:21:1C:EE:14:00 (11:48:07.066 PDT) (11:50:32.061 PDT) (11:52:02.546 PDT) tcpslice 1366829287.066 1366829287.067 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/24/2013 11:54:07.809 PDT Gen. Time: 04/24/2013 11:54:07.809 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 177.12.149.102 (11:54:07.809 PDT) event=777:7777008 {icmp} E8[bh] Detected intense malware port scanning of 41 IPs (40 /24s) (# pkts S/M/O/I=0/41/0/0): 445:41, [] MAC_Src: 00:21:1C:EE:14:00 (11:54:07.809 PDT) tcpslice 1366829647.809 1366829647.810 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/24/2013 11:54:07.809 PDT Gen. 
Time: 04/24/2013 11:58:09.348 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 177.12.149.102 (2) (11:54:07.809 PDT) event=777:7777008 (2) {icmp} E8[bh] Detected intense malware port scanning of 41 IPs (40 /24s) (# pkts S/M/O/I=0/41/0/0): 445:41, [] MAC_Src: 00:21:1C:EE:14:00 (11:54:07.809 PDT) (11:55:43.891 PDT) tcpslice 1366829647.809 1366829647.810 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/24/2013 11:59:23.955 PDT Gen. Time: 04/24/2013 11:59:23.955 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 177.12.149.102 (11:59:23.955 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 48 IPs (47 /24s) (# pkts S/M/O/I=0/48/0/0): 445:48, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (11:59:23.955 PDT) tcpslice 1366829963.955 1366829963.956 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/24/2013 12:06:37.505 PDT Gen. 
Time: 04/24/2013 12:06:37.505 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 177.12.149.102 (12:06:37.505 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 51 IPs (50 /24s) (# pkts S/M/O/I=0/51/0/0): 445:51, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (12:06:37.505 PDT) tcpslice 1366830397.505 1366830397.506 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/24/2013 12:10:56.088 PDT Gen. Time: 04/24/2013 12:10:56.088 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 177.12.149.102 (12:10:56.088 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 54 IPs (53 /24s) (# pkts S/M/O/I=0/54/0/0): 445:54, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (12:10:56.088 PDT) tcpslice 1366830656.088 1366830656.089 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/24/2013 12:10:56.088 PDT Gen. 
Time: 04/24/2013 12:14:35.752 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 177.12.149.102 (2) (12:10:56.088 PDT) event=777:7777008 (2) {tcp} E8[bh] Detected intense malware port scanning of 54 IPs (53 /24s) (# pkts S/M/O/I=0/54/0/0): 445:54, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (12:10:56.088 PDT) 0->0 (12:12:35.106 PDT) tcpslice 1366830656.088 1366830656.089 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/24/2013 12:16:23.078 PDT Gen. Time: 04/24/2013 12:16:23.078 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 177.12.149.102 (12:16:23.078 PDT) event=777:7777008 {icmp} E8[bh] Detected intense malware port scanning of 59 IPs (58 /24s) (# pkts S/M/O/I=0/59/0/0): 445:59, [] MAC_Src: 00:21:1C:EE:14:00 (12:16:23.078 PDT) tcpslice 1366830983.078 1366830983.079 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/24/2013 12:16:23.078 PDT Gen. 
Time: 04/24/2013 12:20:29.431 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 177.12.149.102 (2) (12:16:23.078 PDT) event=777:7777008 (2) {icmp} E8[bh] Detected intense malware port scanning of 59 IPs (58 /24s) (# pkts S/M/O/I=0/59/0/0): 445:59, [] MAC_Src: 00:21:1C:EE:14:00 (12:16:23.078 PDT) 0->0 (12:18:14.042 PDT) tcpslice 1366830983.078 1366830983.079 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/24/2013 12:23:07.071 PDT Gen. Time: 04/24/2013 12:23:07.071 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 177.12.149.102 (12:23:07.071 PDT) event=777:7777008 {icmp} E8[bh] Detected intense malware port scanning of 64 IPs (63 /24s) (# pkts S/M/O/I=0/64/0/0): 445:64, [] MAC_Src: 00:21:1C:EE:14:00 (12:23:07.071 PDT) tcpslice 1366831387.071 1366831387.072 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/24/2013 12:23:07.071 PDT Gen. 
Time: 04/24/2013 12:27:08.980 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 177.12.149.102 (2) (12:23:07.071 PDT) event=777:7777008 (2) {icmp} E8[bh] Detected intense malware port scanning of 64 IPs (63 /24s) (# pkts S/M/O/I=0/64/0/0): 445:64, [] MAC_Src: 00:21:1C:EE:14:00 (12:23:07.071 PDT) 0->0 (12:26:40.970 PDT) tcpslice 1366831387.071 1366831387.072 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/24/2013 12:29:12.136 PDT Gen. Time: 04/24/2013 12:29:12.136 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 177.12.149.102 (12:29:12.136 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 70 IPs (69 /24s) (# pkts S/M/O/I=0/70/0/0): 445:70, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (12:29:12.136 PDT) tcpslice 1366831752.136 1366831752.137 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/24/2013 12:29:12.136 PDT Gen. 
Time: 04/24/2013 12:33:12.472 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 177.12.149.102 (3) (12:29:12.136 PDT) event=777:7777008 (3) {tcp} E8[bh] Detected intense malware port scanning of 70 IPs (69 /24s) (# pkts S/M/O/I=0/70/0/0): 445:70, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (12:29:12.136 PDT) 0->0 (12:31:40.929 PDT) (12:33:10.515 PDT) tcpslice 1366831752.136 1366831752.137 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/24/2013 12:35:34.909 PDT Gen. Time: 04/24/2013 12:35:34.909 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 177.12.149.102 (12:35:34.909 PDT) event=777:7777008 {icmp} E8[bh] Detected intense malware port scanning of 75 IPs (74 /24s) (# pkts S/M/O/I=0/75/0/0): 445:75, [] MAC_Src: 00:21:1C:EE:14:00 (12:35:34.909 PDT) tcpslice 1366832134.909 1366832134.910 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/24/2013 12:35:34.909 PDT Gen. 
Time: 04/24/2013 12:39:35.853 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 177.12.149.102 (2) (12:35:34.909 PDT) event=777:7777008 (2) {icmp} E8[bh] Detected intense malware port scanning of 75 IPs (74 /24s) (# pkts S/M/O/I=0/75/0/0): 445:75, [] MAC_Src: 00:21:1C:EE:14:00 (12:35:34.909 PDT) (12:39:16.653 PDT) tcpslice 1366832134.909 1366832134.910 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/24/2013 12:41:09.644 PDT Gen. Time: 04/24/2013 12:41:09.644 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 177.12.149.102 (12:41:09.644 PDT) event=777:7777008 {icmp} E8[bh] Detected intense malware port scanning of 79 IPs (78 /24s) (# pkts S/M/O/I=0/79/0/0): 445:79, [] MAC_Src: 00:21:1C:EE:14:00 (12:41:09.644 PDT) tcpslice 1366832469.644 1366832469.645 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/24/2013 12:41:09.644 PDT Gen. 
Time: 04/24/2013 12:45:11.735 PDT
   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION Info
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
   DECLARE BOT Local Threat Triggered
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN
      177.12.149.102 (2) (12:41:09.644 PDT)
         event=777:7777008 (2) {icmp} E8[bh] Detected intense malware port scanning of 79 IPs (78 /24s) (# pkts S/M/O/I=0/79/0/0): 445:79, [] MAC_Src: 00:21:1C:EE:14:00
         (12:41:09.644 PDT) (12:44:02.876 PDT)

tcpslice 1366832469.644 1366832469.645 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.98
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 04/24/2013 12:45:46.169 PDT
Gen. Time: 04/24/2013 12:45:46.169 PDT
   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION Info
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
   DECLARE BOT Local Threat Triggered
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN
      177.12.149.102 (12:45:46.169 PDT)
         event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 85 IPs (84 /24s) (# pkts S/M/O/I=0/85/0/0): 445:85, [] MAC_Src: 00:21:1C:EE:14:00
         0->0 (12:45:46.169 PDT)

tcpslice 1366832746.169 1366832746.170 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.98
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 04/24/2013 12:51:24.104 PDT
Gen. Time: 04/24/2013 12:51:24.104 PDT
   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION Info
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
   DECLARE BOT Local Threat Triggered
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN
      177.12.149.102 (12:51:24.104 PDT)
         event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 87 IPs (86 /24s) (# pkts S/M/O/I=0/87/0/0): 445:87, [] MAC_Src: 00:21:1C:EE:14:00
         0->0 (12:51:24.104 PDT)

tcpslice 1366833084.104 1366833084.105 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.98
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 04/24/2013 12:56:09.017 PDT
Gen. Time: 04/24/2013 12:56:09.017 PDT
   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION Info
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
   DECLARE BOT Local Threat Triggered
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN
      177.12.149.102 (12:56:09.017 PDT)
         event=777:7777008 {icmp} E8[bh] Detected intense malware port scanning of 89 IPs (88 /24s) (# pkts S/M/O/I=0/89/0/0): 445:89, [] MAC_Src: 00:21:1C:EE:14:00
         (12:56:09.017 PDT)

tcpslice 1366833369.017 1366833369.018 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.98
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 04/24/2013 12:56:09.017 PDT
Gen. Time: 04/24/2013 13:00:09.741 PDT
   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION Info
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
   DECLARE BOT Local Threat Triggered
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN
      177.12.149.102 (2) (12:56:09.017 PDT)
         event=777:7777008 (2) {icmp} E8[bh] Detected intense malware port scanning of 89 IPs (88 /24s) (# pkts S/M/O/I=0/89/0/0): 445:89, [] MAC_Src: 00:21:1C:EE:14:00
         (12:56:09.017 PDT) (12:58:57.678 PDT)

tcpslice 1366833369.017 1366833369.018 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.98
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 04/24/2013 13:03:35.051 PDT
Gen. Time: 04/24/2013 13:03:35.051 PDT
   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION Info
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
   DECLARE BOT Local Threat Triggered
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN
      187.6.144.27 (13:03:35.051 PDT)
         event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 94 IPs (93 /24s) (# pkts S/M/O/I=0/94/0/0): 445:94, [] MAC_Src: 00:21:1C:EE:14:00
         0->0 (13:03:35.051 PDT)

tcpslice 1366833815.051 1366833815.052 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.98
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 04/24/2013 13:08:05.703 PDT
Gen. Time: 04/24/2013 13:08:05.703 PDT
   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION Info
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
   DECLARE BOT Local Threat Triggered
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN
      187.6.144.27 (13:08:05.703 PDT)
         event=777:7777008 {icmp} E8[bh] Detected intense malware port scanning of 96 IPs (95 /24s) (# pkts S/M/O/I=0/96/0/0): 445:96, [] MAC_Src: 00:21:1C:EE:14:00
         (13:08:05.703 PDT)

tcpslice 1366834085.703 1366834085.704 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98'
============================== SEPARATOR ================================
Score: 1.1 (>= 0.8)
Infected Target: 192.168.1.98
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 04/24/2013 13:25:59.029 PDT
Gen. Time: 04/24/2013 13:28:06.740 PDT
   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
      187.95.57.49 (2) (13:25:59.029 PDT)
         event=777:7777005 (2) {tcp} E5[bh] Detected moderate malware port scanning of 17 IPs (17 /24s) (# pkts S/M/O/I=0/17/0/0): 445:17, [] MAC_Src: 00:21:1C:EE:14:00
         0->0 (13:25:59.029 PDT) 0->0 (13:27:36.116 PDT)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION Info
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
   DECLARE BOT Local Threat Triggered
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN
      187.95.57.49 (13:28:06.740 PDT)
         event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 21 IPs (21 /24s) (# pkts S/M/O/I=0/21/0/0): 445:21, [] MAC_Src: 00:21:1C:EE:14:00
         0->0 (13:28:06.740 PDT)

tcpslice 1366835159.029 1366835159.030 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98'
============================== SEPARATOR ================================
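The records above share one fixed layout, and the one thing an analyst usually wants from a dump like this is a quick way to pull the fields out and check that the supplied tcpslice window really does start at Observed Start before spending time carving the pcap. The following parser is an added example for this page, not BotHunter's own code. It reads the "Score: ... SEPARATOR" profile layout used by these records whether a record sits on separate lines or has been flattened onto one (the "Gen. Time" split is absorbed), converts the Observed Start local timestamp to epoch milliseconds and compares it with the tcpslice arguments, and summarises the E8 port-scan alerts per remote address. SAMPLE is a constructed excerpt modelled on two of the page's records (the empty dialog-phase labels are left out); the PDT/PST offsets are an assumption, since BotHunter prints only the zone name; every regex and function name here is this example's own.

```python
"""Parse BotHunter infection profiles and cross-check the tcpslice window.

Added example for this page, not BotHunter's own code.  Reads the
"Score: ... SEPARATOR" record layout used above, laid out on separate lines
or flattened onto one.  SAMPLE is a constructed excerpt modelled on two of
the page's records (empty phase labels left out).  TZ_HOURS is an assumption.
"""
import calendar
import re
from datetime import datetime, timedelta, timezone

SAMPLE = """\
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.98
Observed Start: 04/24/2013 12:41:09.644 PDT
Gen. Time: 04/24/2013 12:45:11.735 PDT
   OUTBOUND INTENSE MALWARE PORT SCAN
      177.12.149.102 (2) (12:41:09.644 PDT)
         event=777:7777008 (2) {icmp} E8[bh] Detected intense malware port scanning of 79 IPs (78 /24s) (# pkts S/M/O/I=0/79/0/0): 445:79, [] MAC_Src: 00:21:1C:EE:14:00
tcpslice 1366832469.644 1366832469.645 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98'
============================== SEPARATOR ================================
Score: 1.1 (>= 0.8)
Infected Target: 192.168.1.98
Observed Start: 04/24/2013 13:25:59.029 PDT
Gen. Time: 04/24/2013 13:28:06.740 PDT
   OUTBOUND SCAN (spp)
      187.95.57.49 (2) (13:25:59.029 PDT)
         event=777:7777005 (2) {tcp} E5[bh] Detected moderate malware port scanning of 17 IPs (17 /24s) (# pkts S/M/O/I=0/17/0/0): 445:17, [] MAC_Src: 00:21:1C:EE:14:00
   OUTBOUND INTENSE MALWARE PORT SCAN
      187.95.57.49 (13:28:06.740 PDT)
         event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 21 IPs (21 /24s) (# pkts S/M/O/I=0/21/0/0): 445:21, [] MAC_Src: 00:21:1C:EE:14:00
tcpslice 1366835159.029 1366835159.030 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98'
============================== SEPARATOR ================================
"""

TZ_HOURS = {"PDT": -7, "PST": -8}  # assumption: BotHunter prints US Pacific zone names

RE_SCORE = re.compile(r"Score: (\d+\.\d+) \(>= (\d+\.\d+)\)")
RE_TARGET = re.compile(r"Infected Target: (\d+(?:\.\d+){3})")
RE_START = re.compile(r"Observed Start: (\d\d/\d\d/\d{4} \d\d:\d\d:\d\d\.\d{3}) ([A-Z]{3,4})")
RE_GEN = re.compile(r"Gen\.\s+Time: (\d\d/\d\d/\d{4} \d\d:\d\d:\d\d\.\d{3}) ([A-Z]{3,4})")
RE_EVENT = re.compile(  # one "<peer> [(n)] (<time> TZ) event=..." alert line
    r"(?P<peer>\d+(?:\.\d+){3})(?: \(\d+\))? \((?P<time>\d\d:\d\d:\d\d\.\d{3}) [A-Z]{3,4}\)\s+"
    r"event=(?P<sid>\d+:\d+)(?: \(\d+\))? \{(?P<proto>\w+)\} (?P<stage>E\d)\[bh\] "
    r"Detected (?P<level>\w+) malware port scanning of (?P<ips>\d+) IPs \((?P<nets>\d+) /24s\) "
    r"\(# pkts S/M/O/I=(?P<s>\d+)/(?P<m>\d+)/(?P<o>\d+)/(?P<i>\d+)\): (?P<port>\d+):(?P<port_pkts>\d+)"
)
RE_SLICE = re.compile(r"tcpslice (?P<start>\d+\.\d+) (?P<end>\d+\.\d+) (?P<pcap>\S+)")


def parse_profiles(text):
    """Split on SEPARATOR lines and pull the fields out of each record."""
    profiles = []
    for chunk in re.split(r"=+ SEPARATOR =+", text):
        score = RE_SCORE.search(chunk)
        if not score:
            continue  # whitespace after the last separator
        sl = RE_SLICE.search(chunk)
        profiles.append({
            "score": float(score.group(1)),
            "threshold": float(score.group(2)),
            "target": RE_TARGET.search(chunk).group(1),
            "observed_start": RE_START.search(chunk).groups(),  # (stamp, zone)
            "gen_time": RE_GEN.search(chunk).groups(),
            "events": [e.groupdict() for e in RE_EVENT.finditer(chunk)],
            "tcpslice": sl.groupdict() if sl else None,
        })
    return profiles


def local_stamp_to_ms(stamp, zone):
    """'04/24/2013 12:41:09.644', 'PDT' -> integer epoch milliseconds."""
    dt = datetime.strptime(stamp, "%m/%d/%Y %H:%M:%S.%f")
    dt = dt.replace(tzinfo=timezone(timedelta(hours=TZ_HOURS[zone])))
    return calendar.timegm(dt.utctimetuple()) * 1000 + dt.microsecond // 1000


def epoch_str_to_ms(text):
    """'1366832469.644' -> 1366832469644 without going through float."""
    whole, _, frac = text.partition(".")
    return int(whole) * 1000 + int((frac + "000")[:3])


def tcpslice_window_matches_start(profile):
    """True when the tcpslice window opens at Observed Start and spans 1 ms."""
    sl = profile["tcpslice"]
    if sl is None:
        return False
    start, end = epoch_str_to_ms(sl["start"]), epoch_str_to_ms(sl["end"])
    return start == local_stamp_to_ms(*profile["observed_start"]) and end - start == 1


def scan_summary(profiles):
    """Per remote address: largest victim count and protocols behind E8 alerts."""
    out = {}
    for p in profiles:
        for e in p["events"]:
            if e["stage"] != "E8":
                continue
            rec = out.setdefault(e["peer"], {"max_ips": 0, "port": e["port"], "protos": set()})
            rec["max_ips"] = max(rec["max_ips"], int(e["ips"]))
            rec["protos"].add(e["proto"])
    return out
```

To run it over the dump itself, pass the whole file's text to parse_profiles; a record for which tcpslice_window_matches_start returns False, or whose "tcpslice" is None, is worth a second look, because the 1 ms carve command is only useful if it lands on the packet that raised the alert.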
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.98
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 04/24/2013 13:30:33.743 PDT
Gen. Time: 04/24/2013 13:30:33.743 PDT
   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION Info
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
   DECLARE BOT Local Threat Triggered
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN
      187.95.57.49 (13:30:33.743 PDT)
         event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 24 IPs (24 /24s) (# pkts S/M/O/I=0/24/0/0): 445:24, [] MAC_Src: 00:21:1C:EE:14:00
         0->0 (13:30:33.743 PDT)

tcpslice 1366835433.743 1366835433.744 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.98
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 04/24/2013 13:30:33.743 PDT
Gen. Time: 04/24/2013 13:34:32.292 PDT
   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION Info
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
   DECLARE BOT Local Threat Triggered
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN
      187.95.57.49 (2) (13:30:33.743 PDT)
         event=777:7777008 (2) {tcp} E8[bh] Detected intense malware port scanning of 24 IPs (24 /24s) (# pkts S/M/O/I=0/24/0/0): 445:24, [] MAC_Src: 00:21:1C:EE:14:00
         0->0 (13:30:33.743 PDT) (13:32:26.881 PDT)

tcpslice 1366835433.743 1366835433.744 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.98
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 04/24/2013 13:37:44.833 PDT
Gen. Time: 04/24/2013 13:37:44.833 PDT
   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION Info
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
   DECLARE BOT Local Threat Triggered
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN
      187.95.57.49 (13:37:44.833 PDT)
         event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 30 IPs (30 /24s) (# pkts S/M/O/I=0/29/1/0): 445:29, [] MAC_Src: 00:21:1C:EE:14:00
         0->0 (13:37:44.833 PDT)

tcpslice 1366835864.833 1366835864.834 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.98
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 04/24/2013 13:37:44.833 PDT
Gen. Time: 04/24/2013 13:41:44.914 PDT
   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION Info
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
   DECLARE BOT Local Threat Triggered
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN
      187.95.57.49 (3) (13:37:44.833 PDT)
         event=777:7777008 (3) {tcp} E8[bh] Detected intense malware port scanning of 30 IPs (30 /24s) (# pkts S/M/O/I=0/29/1/0): 445:29, [] MAC_Src: 00:21:1C:EE:14:00
         0->0 (13:37:44.833 PDT) (13:39:45.040 PDT) (13:41:21.586 PDT)

tcpslice 1366835864.833 1366835864.834 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.98
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 04/24/2013 13:43:42.803 PDT
Gen. Time: 04/24/2013 13:43:42.803 PDT
   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION Info
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
   DECLARE BOT Local Threat Triggered
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN
      187.95.57.49 (13:43:42.803 PDT)
         event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 39 IPs (39 /24s) (# pkts S/M/O/I=0/38/1/0): 445:38, [] MAC_Src: 00:21:1C:EE:14:00
         0->0 (13:43:42.803 PDT)

tcpslice 1366836222.803 1366836222.804 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.98
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 04/24/2013 13:48:36.259 PDT
Gen. Time: 04/24/2013 13:48:36.259 PDT
   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION Info
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
   DECLARE BOT Local Threat Triggered
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN
      187.95.57.49 (13:48:36.259 PDT)
         event=777:7777008 {icmp} E8[bh] Detected intense malware port scanning of 40 IPs (40 /24s) (# pkts S/M/O/I=0/39/1/0): 445:39, [] MAC_Src: 00:21:1C:EE:14:00
         (13:48:36.259 PDT)

tcpslice 1366836516.259 1366836516.260 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.98
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 04/24/2013 13:48:36.259 PDT
Gen. Time: 04/24/2013 13:52:37.286 PDT
   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION Info
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
   DECLARE BOT Local Threat Triggered
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN
      187.95.57.49 (2) (13:48:36.259 PDT)
         event=777:7777008 (2) {icmp} E8[bh] Detected intense malware port scanning of 40 IPs (40 /24s) (# pkts S/M/O/I=0/39/1/0): 445:39, [] MAC_Src: 00:21:1C:EE:14:00
         (13:48:36.259 PDT) 0->0 (13:51:13.711 PDT)

tcpslice 1366836516.259 1366836516.260 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.98
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 04/24/2013 13:54:51.557 PDT
Gen. Time: 04/24/2013 13:54:51.557 PDT
   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION Info
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
   DECLARE BOT Local Threat Triggered
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN
      187.95.57.49 (13:54:51.557 PDT)
         event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 44 IPs (44 /24s) (# pkts S/M/O/I=0/43/1/0): 445:43, [] MAC_Src: 00:21:1C:EE:14:00
         0->0 (13:54:51.557 PDT)

tcpslice 1366836891.557 1366836891.558 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.98
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 04/24/2013 13:54:51.557 PDT
Gen. Time: 04/24/2013 13:58:47.074 PDT
   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION Info
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
   DECLARE BOT Local Threat Triggered
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN
      187.95.57.49 (2) (13:54:51.557 PDT)
         event=777:7777008 (2) {tcp} E8[bh] Detected intense malware port scanning of 44 IPs (44 /24s) (# pkts S/M/O/I=0/43/1/0): 445:43, [] MAC_Src: 00:21:1C:EE:14:00
         0->0 (13:54:51.557 PDT) 0->0 (13:58:31.054 PDT)

tcpslice 1366836891.557 1366836891.558 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.98
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 04/24/2013 14:03:08.127 PDT
Gen. Time: 04/24/2013 14:03:08.127 PDT
   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION Info
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
   DECLARE BOT Local Threat Triggered
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN
      187.95.57.49 (14:03:08.127 PDT)
         event=777:7777008 {icmp} E8[bh] Detected intense malware port scanning of 48 IPs (47 /24s) (# pkts S/M/O/I=0/47/1/0): 445:47, [] MAC_Src: 00:21:1C:EE:14:00
         (14:03:08.127 PDT)

tcpslice 1366837388.127 1366837388.128 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.98
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 04/24/2013 14:03:08.127 PDT
Gen. Time: 04/24/2013 14:07:15.192 PDT
   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION Info
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
   DECLARE BOT Local Threat Triggered
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN
      177.125.28.28 (14:05:31.056 PDT)
         event=777:7777008 {icmp} E8[bh] Detected intense malware port scanning of 51 IPs (50 /24s) (# pkts S/M/O/I=0/50/1/0): 445:50, [] MAC_Src: 00:21:1C:EE:14:00
         (14:05:31.056 PDT)
      187.95.57.49 (14:03:08.127 PDT)
         event=777:7777008 {icmp} E8[bh] Detected intense malware port scanning of 48 IPs (47 /24s) (# pkts S/M/O/I=0/47/1/0): 445:47, [] MAC_Src: 00:21:1C:EE:14:00
         (14:03:08.127 PDT)

tcpslice 1366837388.127 1366837388.128 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.98
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 04/24/2013 14:08:31.050 PDT
Gen. Time: 04/24/2013 14:08:31.050 PDT
   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION Info
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
   DECLARE BOT Local Threat Triggered
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN
      177.125.28.28 (14:08:31.050 PDT)
         event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 52 IPs (51 /24s) (# pkts S/M/O/I=0/51/1/0): 445:51, [] MAC_Src: 00:21:1C:EE:14:00
         0->0 (14:08:31.050 PDT)

tcpslice 1366837711.050 1366837711.051 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.98
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 04/24/2013 14:08:31.050 PDT
Gen. Time: 04/24/2013 14:12:33.619 PDT
   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION Info
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
   DECLARE BOT Local Threat Triggered
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN
      177.125.28.28 (2) (14:08:31.050 PDT)
         event=777:7777008 (2) {tcp} E8[bh] Detected intense malware port scanning of 52 IPs (51 /24s) (# pkts S/M/O/I=0/51/1/0): 445:51, [] MAC_Src: 00:21:1C:EE:14:00
         0->0 (14:08:31.050 PDT) 0->0 (14:10:57.058 PDT)

tcpslice 1366837711.050 1366837711.051 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.98
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 04/24/2013 14:14:29.096 PDT
Gen. Time: 04/24/2013 14:14:29.096 PDT
   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION Info
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
   DECLARE BOT Local Threat Triggered
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN
      177.125.28.28 (14:14:29.096 PDT)
         event=777:7777008 {icmp} E8[bh] Detected intense malware port scanning of 58 IPs (57 /24s) (# pkts S/M/O/I=0/57/1/0): 445:57, [] MAC_Src: 00:21:1C:EE:14:00
         (14:14:29.096 PDT)

tcpslice 1366838069.096 1366838069.097 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.98
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 04/24/2013 14:14:29.096 PDT
Gen. Time: 04/24/2013 14:18:32.876 PDT
   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION Info
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
   DECLARE BOT Local Threat Triggered
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN
      177.125.28.28 (2) (14:14:29.096 PDT)
         event=777:7777008 (2) {icmp} E8[bh] Detected intense malware port scanning of 58 IPs (57 /24s) (# pkts S/M/O/I=0/57/1/0): 445:57, [] MAC_Src: 00:21:1C:EE:14:00
         (14:14:29.096 PDT) 0->0 (14:16:04.312 PDT)
      177.55.34.10 (14:17:52.190 PDT)
         event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 64 IPs (63 /24s) (# pkts S/M/O/I=0/63/1/0): 445:63, [] MAC_Src: 00:21:1C:EE:14:00
         0->0 (14:17:52.190 PDT)

tcpslice 1366838069.096 1366838069.097 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.98
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 04/24/2013 14:20:18.260 PDT
Gen. Time: 04/24/2013 14:20:18.260 PDT
   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION Info
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
   DECLARE BOT Local Threat Triggered
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN
      177.55.34.10 (14:20:18.260 PDT)
         event=777:7777008 {icmp} E8[bh] Detected intense malware port scanning of 65 IPs (64 /24s) (# pkts S/M/O/I=0/64/1/0): 445:64, [] MAC_Src: 00:21:1C:EE:14:00
         (14:20:18.260 PDT)

tcpslice 1366838418.260 1366838418.261 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.98
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 04/24/2013 14:24:31.404 PDT
Gen. Time: 04/24/2013 14:24:31.404 PDT
   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION Info
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
   DECLARE BOT Local Threat Triggered
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN
      177.55.34.10 (14:24:31.404 PDT)
         event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 68 IPs (67 /24s) (# pkts S/M/O/I=0/67/1/0): 445:67, [] MAC_Src: 00:21:1C:EE:14:00
         0->0 (14:24:31.404 PDT)

tcpslice 1366838671.404 1366838671.405 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.98
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 04/24/2013 14:24:31.404 PDT
Gen. Time: 04/24/2013 14:28:31.416 PDT
   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION Info
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
   DECLARE BOT Local Threat Triggered
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN
      177.55.34.10 (2) (14:24:31.404 PDT)
         event=777:7777008 (2) {tcp} E8[bh] Detected intense malware port scanning of 68 IPs (67 /24s) (# pkts S/M/O/I=0/67/1/0): 445:67, [] MAC_Src: 00:21:1C:EE:14:00
         0->0 (14:24:31.404 PDT) 0->0 (14:27:20.955 PDT)

tcpslice 1366838671.404 1366838671.405 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.98
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 04/24/2013 14:29:24.209 PDT
Gen. Time: 04/24/2013 14:29:24.209 PDT
   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION Info
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
   DECLARE BOT Local Threat Triggered
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN
      177.55.34.10 (14:29:24.209 PDT)
         event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 72 IPs (71 /24s) (# pkts S/M/O/I=0/71/1/0): 445:71, [] MAC_Src: 00:21:1C:EE:14:00
         0->0 (14:29:24.209 PDT)

tcpslice 1366838964.209 1366838964.210 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.98
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 04/24/2013 14:29:24.209 PDT
Gen. Time: 04/24/2013 14:33:24.215 PDT
   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION Info
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
   DECLARE BOT Local Threat Triggered
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN
      177.55.34.10 (2) (14:29:24.209 PDT)
         event=777:7777008 (2) {tcp} E8[bh] Detected intense malware port scanning of 72 IPs (71 /24s) (# pkts S/M/O/I=0/71/1/0): 445:71, [] MAC_Src: 00:21:1C:EE:14:00
         0->0 (14:29:24.209 PDT) (14:31:23.073 PDT)

tcpslice 1366838964.209 1366838964.210 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.98
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 04/24/2013 14:34:00.164 PDT
Gen. Time: 04/24/2013 14:34:00.164 PDT
   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION Info
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
   DECLARE BOT Local Threat Triggered
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN
      177.55.34.10 (14:34:00.164 PDT)
         event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 74 IPs (73 /24s) (# pkts S/M/O/I=0/73/1/0): 445:73, [] MAC_Src: 00:21:1C:EE:14:00
         0->0 (14:34:00.164 PDT)

tcpslice 1366839240.164 1366839240.165 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.98
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 04/24/2013 14:34:00.164 PDT
Gen. Time: 04/24/2013 14:38:04.492 PDT
   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION Info
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
   DECLARE BOT Local Threat Triggered
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN
      177.55.34.10 (2) (14:34:00.164 PDT)
         event=777:7777008 (2) {tcp} E8[bh] Detected intense malware port scanning of 74 IPs (73 /24s) (# pkts S/M/O/I=0/73/1/0): 445:73, [] MAC_Src: 00:21:1C:EE:14:00
         0->0 (14:34:00.164 PDT) (14:36:56.748 PDT)

tcpslice 1366839240.164 1366839240.165 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.98
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 04/24/2013 14:39:47.801 PDT
Gen. Time: 04/24/2013 14:39:47.801 PDT
   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION Info
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
   DECLARE BOT Local Threat Triggered
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN
      177.55.34.10 (14:39:47.801 PDT)
         event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 78 IPs (77 /24s) (# pkts S/M/O/I=0/77/1/0): 445:77, [] MAC_Src: 00:21:1C:EE:14:00
         0->0 (14:39:47.801 PDT)

tcpslice 1366839587.801 1366839587.802 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.98
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 04/24/2013 14:39:47.801 PDT
Gen. Time: 04/24/2013 14:43:35.203 PDT
   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION Info
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
   DECLARE BOT Local Threat Triggered
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN
      177.55.34.10 (3) (14:39:47.801 PDT)
         event=777:7777008 (3) {tcp} E8[bh] Detected intense malware port scanning of 78 IPs (77 /24s) (# pkts S/M/O/I=0/77/1/0): 445:77, [] MAC_Src: 00:21:1C:EE:14:00
         0->0 (14:39:47.801 PDT) 0->0 (14:41:18.158 PDT) 0->0 (14:43:13.597 PDT)

tcpslice 1366839587.801 1366839587.802 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.98
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 04/24/2013 14:46:33.749 PDT
Gen. Time: 04/24/2013 14:46:33.749 PDT
   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION Info
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
   DECLARE BOT Local Threat Triggered
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN
      177.55.34.10 (14:46:33.749 PDT)
         event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 85 IPs (84 /24s) (# pkts S/M/O/I=0/84/1/0): 445:84, [] MAC_Src: 00:21:1C:EE:14:00
         0->0 (14:46:33.749 PDT)

tcpslice 1366839993.749 1366839993.750 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.98
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 04/24/2013 14:46:33.749 PDT
Gen. Time: 04/24/2013 14:50:34.939 PDT
   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION Info
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
   DECLARE BOT Local Threat Triggered
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN
      177.55.34.10 (2) (14:46:33.749 PDT)
         event=777:7777008 (2) {tcp} E8[bh] Detected intense malware port scanning of 85 IPs (84 /24s) (# pkts S/M/O/I=0/84/1/0): 445:84, [] MAC_Src: 00:21:1C:EE:14:00
         0->0 (14:46:33.749 PDT) (14:48:49.853 PDT)

tcpslice 1366839993.749 1366839993.750 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.98
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 04/24/2013 14:51:23.580 PDT
Gen. Time: 04/24/2013 14:51:23.580 PDT
   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION Info
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
   DECLARE BOT Local Threat Triggered
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN
      177.55.34.10 (14:51:23.580 PDT)
         event=777:7777008 {icmp} E8[bh] Detected intense malware port scanning of 90 IPs (89 /24s) (# pkts S/M/O/I=0/89/1/0): 445:89, [] MAC_Src: 00:21:1C:EE:14:00
         (14:51:23.580 PDT)

tcpslice 1366840283.580 1366840283.581 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.98
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 04/24/2013 14:51:23.580 PDT
Gen. Time: 04/24/2013 14:55:27.567 PDT
   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION Info
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
   DECLARE BOT Local Threat Triggered
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN
      186.46.83.110 (14:54:00.554 PDT)
         event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 93 IPs (92 /24s) (# pkts S/M/O/I=0/92/1/0): 445:92, [] MAC_Src: 00:21:1C:EE:14:00
         0->0 (14:54:00.554 PDT)
      177.55.34.10 (14:51:23.580 PDT)
         event=777:7777008 {icmp} E8[bh] Detected intense malware port scanning of 90 IPs (89 /24s) (# pkts S/M/O/I=0/89/1/0): 445:89, [] MAC_Src: 00:21:1C:EE:14:00
         (14:51:23.580 PDT)

tcpslice 1366840283.580 1366840283.581 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.98
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 04/24/2013 14:56:25.603 PDT
Gen. Time: 04/24/2013 14:56:25.603 PDT
   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION Info
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
   DECLARE BOT Local Threat Triggered
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN
      186.46.83.110 (14:56:25.603 PDT)
         event=777:7777008 {icmp} E8[bh] Detected intense malware port scanning of 97 IPs (96 /24s) (# pkts S/M/O/I=0/96/1/0): 445:96, [] MAC_Src: 00:21:1C:EE:14:00
         (14:56:25.603 PDT)

tcpslice 1366840585.603 1366840585.604 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.98
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 04/24/2013 14:56:25.603 PDT
Gen. Time: 04/24/2013 15:00:25.966 PDT
   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION Info
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
   DECLARE BOT Local Threat Triggered
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN
      186.46.83.110 (2) (14:56:25.603 PDT)
         event=777:7777008 (2) {icmp} E8[bh] Detected intense malware port scanning of 97 IPs (96 /24s) (# pkts S/M/O/I=0/96/1/0): 445:96, [] MAC_Src: 00:21:1C:EE:14:00
         (14:56:25.603 PDT) (14:59:45.603 PDT)

tcpslice 1366840585.603 1366840585.604 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.98
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 04/24/2013 15:01:35.175 PDT
Gen. Time: 04/24/2013 15:01:35.175 PDT
   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION Info
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
   DECLARE BOT Local Threat Triggered
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN
      186.46.83.110 (15:01:35.175 PDT)
         event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 99 IPs (98 /24s) (# pkts S/M/O/I=0/98/1/0): 445:98, [] MAC_Src: 00:21:1C:EE:14:00
         0->0 (15:01:35.175 PDT)

tcpslice 1366840895.175 1366840895.176 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.98
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 04/24/2013 15:01:35.175 PDT
Gen. Time: 04/24/2013 15:05:35.441 PDT
   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION Info
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
   DECLARE BOT Local Threat Triggered
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN
      186.46.83.110 (3) (15:01:35.175 PDT)
         event=777:7777008 (3) {tcp} E8[bh] Detected intense malware port scanning of 99 IPs (98 /24s) (# pkts S/M/O/I=0/98/1/0): 445:98, [] MAC_Src: 00:21:1C:EE:14:00
         0->0 (15:01:35.175 PDT) 0->0 (15:03:09.570 PDT) 0->0 (15:05:15.468 PDT)

tcpslice 1366840895.175 1366840895.176 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.98
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 04/24/2013 15:09:28.269 PDT
Gen. 
Time: 04/24/2013 15:09:28.269 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 186.46.83.110 (15:09:28.269 PDT) event=777:7777008 {icmp} E8[bh] Detected intense malware port scanning of 104 IPs (103 /24s) (# pkts S/M/O/I=0/103/1/0): 445:103, [] MAC_Src: 00:21:1C:EE:14:00 (15:09:28.269 PDT) tcpslice 1366841368.269 1366841368.270 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/24/2013 15:09:28.269 PDT Gen. Time: 04/24/2013 15:13:30.004 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 186.46.83.110 (2) (15:09:28.269 PDT) event=777:7777008 (2) {icmp} E8[bh] Detected intense malware port scanning of 104 IPs (103 /24s) (# pkts S/M/O/I=0/103/1/0): 445:103, [] MAC_Src: 00:21:1C:EE:14:00 (15:09:28.269 PDT) 0->0 (15:12:46.540 PDT) tcpslice 1366841368.269 1366841368.270 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/24/2013 15:15:35.593 PDT Gen. 
Time: 04/24/2013 15:15:35.593 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 186.46.83.110 (15:15:35.593 PDT) event=777:7777008 {icmp} E8[bh] Detected intense malware port scanning of 108 IPs (107 /24s) (# pkts S/M/O/I=0/107/1/0): 445:107, [] MAC_Src: 00:21:1C:EE:14:00 (15:15:35.593 PDT) tcpslice 1366841735.593 1366841735.594 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/24/2013 15:15:35.593 PDT Gen. Time: 04/24/2013 15:19:36.650 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 186.46.83.110 (2) (15:15:35.593 PDT) event=777:7777008 (2) {icmp} E8[bh] Detected intense malware port scanning of 108 IPs (107 /24s) (# pkts S/M/O/I=0/107/1/0): 445:107, [] MAC_Src: 00:21:1C:EE:14:00 (15:15:35.593 PDT) 0->0 (15:17:51.438 PDT) tcpslice 1366841735.593 1366841735.594 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/24/2013 15:19:40.626 PDT Gen. 
Time: 04/24/2013 15:19:40.626 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 186.46.83.110 (15:19:40.626 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 114 IPs (113 /24s) (# pkts S/M/O/I=0/113/1/0): 445:113, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (15:19:40.626 PDT) tcpslice 1366841980.626 1366841980.627 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/24/2013 15:19:40.626 PDT Gen. Time: 04/24/2013 15:23:42.048 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 186.46.83.110 (2) (15:19:40.626 PDT) event=777:7777008 (2) {tcp} E8[bh] Detected intense malware port scanning of 114 IPs (113 /24s) (# pkts S/M/O/I=0/113/1/0): 445:113, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (15:19:40.626 PDT) 0->0 (15:21:32.865 PDT) tcpslice 1366841980.626 1366841980.627 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================