Score: 1.3 (>= 0.8)
Infected Target: 192.168.1.234
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 04/26/2013 13:03:10.689 PDT
Gen. Time: 04/26/2013 15:59:01.607 PDT

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
  192.47.243.139 (2) (13:03:23.300 PDT)
    event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:21:1C:EE:14:00
    25341->22 (13:03:23.300 PDT)
    -------------------------
    event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:21:1C:EE:14:00
    25341->22 (13:03:23.300 PDT)
  192.47.243.137 (13:03:22.981 PDT)
    event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA
    25341->22 (13:03:22.981 PDT)
  192.47.243.68 (13:03:11.008 PDT)
    event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:21:1C:EE:14:00
    25341->22 (13:03:11.008 PDT)
  192.47.243.152 (13:03:25.328 PDT)
    event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:21:1C:EE:14:00
    25341->22 (13:03:25.328 PDT)
  192.47.243.129 (2) (13:03:21.561 PDT)
    event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA
    25341->22 (13:03:21.561 PDT)
    -------------------------
    event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA
    25341->22 (13:03:21.561 PDT)
  192.47.243.66 (13:03:10.689 PDT)
    event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA
    25341->22 (13:03:10.689 PDT)
  192.47.243.142 (13:03:23.734 PDT)
    event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA
    25341->22 (13:03:23.734 PDT)
  192.47.243.157 (2) (13:03:27.125 PDT)
    event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:21:1C:EE:14:00
    25341->22 (13:03:27.125 PDT)
    -------------------------
    event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:21:1C:EE:14:00
    25341->22 (13:03:27.125 PDT)
  192.47.243.134 (3) (13:03:22.492 PDT)
    event=1:2001569 {tcp} E5[rb] ET SCAN Behavioral Unusual Port NETBIOS traffic, Potential Scan or Infection (60 in 60 secs), [] MAC_Src: 00:21:1C:EE:14:00
    20->139 (13:03:22.554 PDT)
    -------------------------
    event=1:2002992 {tcp} E5[rb] ET SCAN Rapid POP3 Connections - Possible Brute Force Attack, [] MAC_Src: 00:21:1C:EE:14:00
    20381->110 (13:03:22.512 PDT)
    -------------------------
    event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:21:1C:EE:14:00
    25341->22 (13:03:22.492 PDT)
  192.47.243.71 (13:03:11.478 PDT)
    event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:21:1C:EE:14:00
    25341->22 (13:03:11.478 PDT)
  192.47.243.155 (13:03:25.806 PDT)
    event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA
    25341->22 (13:03:25.806 PDT)
  192.47.243.132 (13:03:22.049 PDT)
    event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA
    25341->22 (13:03:22.049 PDT)
ATTACK PREP
PEER COORDINATION
Info PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN
  192.47.243.5 (15:59:01.607 PDT)
    event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 131 IPs (3 /24s) (# pkts S/M/O/I=319/1461/0/0): 22:128, 139:128, 445:128, 136:64, 2100:64, 3127:64, 3306:64, 4445:64, 5000:64, 10000:64, 27374:64, 137:63, 138:63, 559:63, 1433:63, 2067:63, 5554:63, 9996:63, 1025:62, 6129:59, 4350, 6101, 11768, [] MAC_Src: 00:01:64:FF:CE:EA
    0->0 (15:59:01.607 PDT)

tcpslice 1367006590.689 1367006590.690 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.234'

============================== SEPARATOR ================================

Score: 1.3 (>= 0.8)
Infected Target: 192.168.1.234
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 04/26/2013 17:22:35.993 PDT
Gen. Time: 04/26/2013 17:40:26.480 PDT

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
  192.47.243.193 (17) (17:22:35.993 PDT)
    event=1:2001219 (2) {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:21:1C:EE:14:00
    2991->22 (17:22:47.465 PDT)
    67->22 (17:23:03.671 PDT)
    -------------------------
    event=1:2001569 {tcp} E5[rb] ET SCAN Behavioral Unusual Port NETBIOS traffic, Potential Scan or Infection (60 in 60 secs), [] MAC_Src: 00:21:1C:EE:14:00
    20->139 (17:23:00.818 PDT)
    -------------------------
    event=1:2002911 (2) {tcp} E5[rb] ET SCAN Potential VNC Scan 5900-5920, [] MAC_Src: 00:01:64:FF:CE:EA
    3522->5901 (17:24:27.153 PDT)
    3636->5900 (17:24:31.285 PDT)
    -------------------------
    event=1:2002992 {tcp} E5[rb] ET SCAN Rapid POP3 Connections - Possible Brute Force Attack, [] MAC_Src: 00:21:1C:EE:14:00
    20->110 (17:22:59.367 PDT)
    -------------------------
    event=1:2002994 {tcp} E5[rb] ET SCAN Rapid IMAP Connections - Possible Brute Force Attack, [] MAC_Src: 00:21:1C:EE:14:00
    20->143 (17:22:59.507 PDT)
    -------------------------
    event=1:2003068 (10) {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA
    3333->22 (17:22:35.993 PDT)
    1743->22 (17:22:41.755 PDT)
    2991->22 (17:22:47.464 PDT)
    2991->22 (17:22:47.465 PDT)
    21->22 (17:22:55.912 PDT)
    20->22 (17:22:58.459 PDT)
    53->22 (17:23:01.076 PDT)
    67->22 (17:23:03.671 PDT)
    1034->22 (17:23:08.883 PDT)
    34561->22 (17:23:11.540 PDT)
ATTACK PREP
PEER COORDINATION
Info PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN
  192.47.243.8 (17:40:26.480 PDT)
    event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 131 IPs (3 /24s) (# pkts S/M/O/I=351/2002/0/0): 22:128, 139:128, 445:128, 5000:96, 136:95, 137:95, 138:95, 559:95, 1025:95, 1433:95, 2067:95, 2100:95, 3127:95, 3306:95, 4445:95, 5554:95, 9996:95, 10000:95, 27374:95, 6129:94, 4350, 6101, 11768, [] MAC_Src: 00:01:64:FF:CE:EA
    0->0 (17:40:26.480 PDT)

tcpslice 1367022155.993 1367022155.994 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.234'

============================== SEPARATOR ================================

Score: 1.3 (>= 0.8)
Infected Target: 192.168.1.234
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 04/26/2013 18:28:06.276 PDT
Gen. Time: 04/26/2013 19:13:26.235 PDT

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
  192.47.243.252 (17) (18:28:06.276 PDT)
    event=1:2001219 (2) {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:21:1C:EE:14:00
    3680->22 (18:28:17.801 PDT)
    67->22 (18:28:33.855 PDT)
    -------------------------
    event=1:2001569 {tcp} E5[rb] ET SCAN Behavioral Unusual Port NETBIOS traffic, Potential Scan or Infection (60 in 60 secs), [] MAC_Src: 00:21:1C:EE:14:00
    20->139 (18:28:31.059 PDT)
    -------------------------
    event=1:2002910 {tcp} E5[rb] ET SCAN Potential VNC Scan 5800-5820, [] MAC_Src: 00:01:64:FF:CE:EA
    62324->5801 (18:30:36.900 PDT)
    -------------------------
    event=1:2002911 {tcp} E5[rb] ET SCAN Potential VNC Scan 5900-5920, [] MAC_Src: 00:01:64:FF:CE:EA
    62984->5902 (18:30:59.665 PDT)
    -------------------------
    event=1:2002992 {tcp} E5[rb] ET SCAN Rapid POP3 Connections - Possible Brute Force Attack, [] MAC_Src: 00:21:1C:EE:14:00
    20->110 (18:28:29.664 PDT)
    -------------------------
    event=1:2002994 {tcp} E5[rb] ET SCAN Rapid IMAP Connections - Possible Brute Force Attack, [] MAC_Src: 00:21:1C:EE:14:00
    20->143 (18:28:29.803 PDT)
    -------------------------
    event=1:2003068 (10) {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA
    2733->22 (18:28:06.276 PDT)
    2445->22 (18:28:12.068 PDT)
    3680->22 (18:28:17.800 PDT)
    3680->22 (18:28:17.801 PDT)
    21->22 (18:28:26.088 PDT)
    20->22 (18:28:28.683 PDT)
    53->22 (18:28:31.309 PDT)
    67->22 (18:28:33.855 PDT)
    1034->22 (18:28:39.018 PDT)
    34561->22 (18:28:41.605 PDT)
ATTACK PREP
PEER COORDINATION
Info PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN
  192.47.243.136 (19:13:26.235 PDT)
    event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 132 IPs (4 /24s) (# pkts S/M/O/I=383/2542/0/0): 22:128, 136:128, 137:128, 139:128, 445:128, 2100:128, 5000:128, 559:127, 1433:127, 2067:127, 3127:127, 3306:127, 4445:127, 5554:127, 9996:127, 138:126, 1025:126, 10000:126, 27374:126, 6129:123, 4350, 6101, 11768, [] MAC_Src: 00:01:64:FF:CE:EA
    0->0 (19:13:26.235 PDT)

tcpslice 1367026086.276 1367026086.277 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.234'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.234
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 04/26/2013 19:13:48.952 PDT
Gen. Time: 04/26/2013 19:13:48.952 PDT

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
Info PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN
  192.47.243.136 (19:13:48.952 PDT)
    event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 132 IPs (4 /24s) (# pkts S/M/O/I=384/2563/2529/0): 22:128, 136:128, 137:128, 138:128, 139:128, 445:128, 559:128, 1025:128, 1433:128, 2067:128, 2100:128, 3127:128, 3306:128, 4445:128, 5000:128, 5554:128, 6129:128, 9996:128, 10000:128, 27374:128, 4350, 6101, 11768, [] MAC_Src: 00:01:64:FF:CE:EA
    0->0 (19:13:48.952 PDT)

tcpslice 1367028828.952 1367028828.953 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.234'

============================== SEPARATOR ================================