Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/25/2013 23:56:51.146 PDT Gen. Time: 04/26/2013 00:00:50.747 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 189.30.80.1 (2) (23:56:51.146 PDT) event=777:7777008 (2) {icmp} E8[bh] Detected intense malware port scanning of 83 IPs (82 /24s) (# pkts S/M/O/I=0/83/0/0): 445:83, [] MAC_Src: 00:21:1C:EE:14:00 (23:56:51.146 PDT) (23:58:49.651 PDT) tcpslice 1366959411.146 1366959411.147 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/26/2013 00:01:58.112 PDT Gen. Time: 04/26/2013 00:01:58.112 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 189.30.80.1 (00:01:58.112 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 85 IPs (84 /24s) (# pkts S/M/O/I=0/85/0/0): 445:85, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (00:01:58.112 PDT) tcpslice 1366959718.112 1366959718.113 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/26/2013 00:01:58.112 PDT Gen. Time: 04/26/2013 00:06:02.681 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 189.30.80.1 (2) (00:01:58.112 PDT) event=777:7777008 (2) {tcp} E8[bh] Detected intense malware port scanning of 85 IPs (84 /24s) (# pkts S/M/O/I=0/85/0/0): 445:85, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (00:01:58.112 PDT) 0->0 (00:04:49.708 PDT) tcpslice 1366959718.112 1366959718.113 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/26/2013 00:07:20.810 PDT Gen. Time: 04/26/2013 00:07:20.810 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 189.30.80.1 (00:07:20.810 PDT) event=777:7777008 {icmp} E8[bh] Detected intense malware port scanning of 90 IPs (89 /24s) (# pkts S/M/O/I=0/90/0/0): 445:90, [] MAC_Src: 00:21:1C:EE:14:00 (00:07:20.810 PDT) tcpslice 1366960040.810 1366960040.811 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/26/2013 00:07:20.810 PDT Gen. Time: 04/26/2013 00:11:20.905 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 189.30.80.1 (2) (00:07:20.810 PDT) event=777:7777008 (2) {icmp} E8[bh] Detected intense malware port scanning of 90 IPs (89 /24s) (# pkts S/M/O/I=0/90/0/0): 445:90, [] MAC_Src: 00:21:1C:EE:14:00 (00:07:20.810 PDT) 0->0 (00:09:47.562 PDT) tcpslice 1366960040.810 1366960040.811 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/26/2013 00:11:27.148 PDT Gen. Time: 04/26/2013 00:11:27.148 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 189.30.80.1 (00:11:27.148 PDT) event=777:7777008 {icmp} E8[bh] Detected intense malware port scanning of 95 IPs (94 /24s) (# pkts S/M/O/I=0/95/0/0): 445:95, [] MAC_Src: 00:21:1C:EE:14:00 (00:11:27.148 PDT) tcpslice 1366960287.148 1366960287.149 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/26/2013 00:11:27.148 PDT Gen. Time: 04/26/2013 00:15:27.243 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 189.30.80.1 (3) (00:11:27.148 PDT) event=777:7777008 (3) {icmp} E8[bh] Detected intense malware port scanning of 95 IPs (94 /24s) (# pkts S/M/O/I=0/95/0/0): 445:95, [] MAC_Src: 00:21:1C:EE:14:00 (00:11:27.148 PDT) (00:13:22.848 PDT) 0->0 (00:15:22.525 PDT) tcpslice 1366960287.148 1366960287.149 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/26/2013 00:17:11.775 PDT Gen. Time: 04/26/2013 00:17:11.775 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 189.30.80.1 (00:17:11.775 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 99 IPs (98 /24s) (# pkts S/M/O/I=0/99/0/0): 445:99, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (00:17:11.775 PDT) tcpslice 1366960631.775 1366960631.776 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/26/2013 00:17:11.775 PDT Gen. Time: 04/26/2013 00:21:12.320 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 189.30.80.1 (2) (00:17:11.775 PDT) event=777:7777008 (2) {tcp} E8[bh] Detected intense malware port scanning of 99 IPs (98 /24s) (# pkts S/M/O/I=0/99/0/0): 445:99, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (00:17:11.775 PDT) 0->0 (00:18:47.927 PDT) tcpslice 1366960631.775 1366960631.776 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/26/2013 00:21:45.690 PDT Gen. Time: 04/26/2013 00:21:45.690 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 189.30.80.1 (00:21:45.690 PDT) event=777:7777008 {icmp} E8[bh] Detected intense malware port scanning of 105 IPs (104 /24s) (# pkts S/M/O/I=0/105/0/0): 445:105, [] MAC_Src: 00:21:1C:EE:14:00 (00:21:45.690 PDT) tcpslice 1366960905.690 1366960905.691 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/26/2013 00:21:45.690 PDT Gen. Time: 04/26/2013 00:25:45.777 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 189.30.80.1 (2) (00:21:45.690 PDT) event=777:7777008 (2) {icmp} E8[bh] Detected intense malware port scanning of 105 IPs (104 /24s) (# pkts S/M/O/I=0/105/0/0): 445:105, [] MAC_Src: 00:21:1C:EE:14:00 (00:21:45.690 PDT) (00:23:16.535 PDT) tcpslice 1366960905.690 1366960905.691 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/26/2013 00:26:13.586 PDT Gen. Time: 04/26/2013 00:26:13.586 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 189.30.80.1 (00:26:13.586 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 109 IPs (108 /24s) (# pkts S/M/O/I=0/109/0/0): 445:109, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (00:26:13.586 PDT) tcpslice 1366961173.586 1366961173.587 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/26/2013 00:30:28.580 PDT Gen. Time: 04/26/2013 00:30:28.580 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 189.30.80.1 (00:30:28.580 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 114 IPs (113 /24s) (# pkts S/M/O/I=0/114/0/0): 445:114, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (00:30:28.580 PDT) tcpslice 1366961428.580 1366961428.581 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/26/2013 00:30:28.580 PDT Gen. Time: 04/26/2013 00:34:29.567 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 189.30.80.1 (2) (00:30:28.580 PDT) event=777:7777008 (2) {tcp} E8[bh] Detected intense malware port scanning of 114 IPs (113 /24s) (# pkts S/M/O/I=0/114/0/0): 445:114, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (00:30:28.580 PDT) (00:32:44.737 PDT) tcpslice 1366961428.580 1366961428.581 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/26/2013 00:35:18.806 PDT Gen. Time: 04/26/2013 00:35:18.806 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 189.30.80.1 (00:35:18.806 PDT) event=777:7777008 {icmp} E8[bh] Detected intense malware port scanning of 122 IPs (121 /24s) (# pkts S/M/O/I=0/122/0/0): 445:122, [] MAC_Src: 00:21:1C:EE:14:00 (00:35:18.806 PDT) tcpslice 1366961718.806 1366961718.807 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/26/2013 00:35:18.806 PDT Gen. Time: 04/26/2013 00:39:18.999 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 189.30.80.1 (2) (00:35:18.806 PDT) event=777:7777008 (2) {icmp} E8[bh] Detected intense malware port scanning of 122 IPs (121 /24s) (# pkts S/M/O/I=0/122/0/0): 445:122, [] MAC_Src: 00:21:1C:EE:14:00 (00:35:18.806 PDT) (00:37:45.728 PDT) tcpslice 1366961718.806 1366961718.807 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/26/2013 00:42:10.972 PDT Gen. Time: 04/26/2013 00:42:10.972 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 189.30.80.1 (00:42:10.972 PDT) event=777:7777008 {icmp} E8[bh] Detected intense malware port scanning of 125 IPs (124 /24s) (# pkts S/M/O/I=0/125/0/0): 445:125, [] MAC_Src: 00:21:1C:EE:14:00 (00:42:10.972 PDT) tcpslice 1366962130.972 1366962130.973 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/26/2013 00:42:10.972 PDT Gen. Time: 04/26/2013 00:46:11.232 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 189.30.80.1 (2) (00:42:10.972 PDT) event=777:7777008 (2) {icmp} E8[bh] Detected intense malware port scanning of 125 IPs (124 /24s) (# pkts S/M/O/I=0/125/0/0): 445:125, [] MAC_Src: 00:21:1C:EE:14:00 (00:42:10.972 PDT) 0->0 (00:45:23.868 PDT) tcpslice 1366962130.972 1366962130.973 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/26/2013 00:48:12.749 PDT Gen. Time: 04/26/2013 00:48:12.749 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 189.30.80.1 (00:48:12.749 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 129 IPs (127 /24s) (# pkts S/M/O/I=0/129/0/0): 445:129, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (00:48:12.749 PDT) tcpslice 1366962492.749 1366962492.750 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/26/2013 00:48:12.749 PDT Gen. Time: 04/26/2013 00:52:13.413 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 189.30.80.1 (2) (00:48:12.749 PDT) event=777:7777008 (2) {tcp} E8[bh] Detected intense malware port scanning of 129 IPs (127 /24s) (# pkts S/M/O/I=0/129/0/0): 445:129, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (00:48:12.749 PDT) (00:50:08.745 PDT) tcpslice 1366962492.749 1366962492.750 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/26/2013 00:52:54.111 PDT Gen. Time: 04/26/2013 00:52:54.111 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 189.30.80.1 (00:52:54.111 PDT) event=777:7777008 {icmp} E8[bh] Detected intense malware port scanning of 133 IPs (131 /24s) (# pkts S/M/O/I=0/133/0/0): 445:133, [] MAC_Src: 00:21:1C:EE:14:00 (00:52:54.111 PDT) tcpslice 1366962774.111 1366962774.112 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/26/2013 00:52:54.111 PDT Gen. Time: 04/26/2013 00:56:53.832 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 189.30.80.1 (3) (00:52:54.111 PDT) event=777:7777008 (3) {icmp} E8[bh] Detected intense malware port scanning of 133 IPs (131 /24s) (# pkts S/M/O/I=0/133/0/0): 445:133, [] MAC_Src: 00:21:1C:EE:14:00 (00:52:54.111 PDT) (00:55:19.538 PDT) (00:56:53.832 PDT) tcpslice 1366962774.111 1366962774.112 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/26/2013 00:59:22.791 PDT Gen. Time: 04/26/2013 00:59:22.791 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 189.30.80.1 (00:59:22.791 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 142 IPs (140 /24s) (# pkts S/M/O/I=0/142/0/0): 445:142, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (00:59:22.791 PDT) tcpslice 1366963162.791 1366963162.792 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/26/2013 00:59:22.791 PDT Gen. Time: 04/26/2013 01:03:23.369 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 189.30.80.1 (3) (00:59:22.791 PDT) event=777:7777008 (3) {tcp} E8[bh] Detected intense malware port scanning of 142 IPs (140 /24s) (# pkts S/M/O/I=0/142/0/0): 445:142, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (00:59:22.791 PDT) 0->0 (01:01:42.131 PDT) 0->0 (01:03:17.854 PDT) tcpslice 1366963162.791 1366963162.792 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/26/2013 01:05:08.915 PDT Gen. Time: 04/26/2013 01:05:08.915 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 189.30.80.1 (01:05:08.915 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 147 IPs (144 /24s) (# pkts S/M/O/I=0/147/0/0): 445:147, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (01:05:08.915 PDT) tcpslice 1366963508.915 1366963508.916 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/26/2013 01:05:08.915 PDT Gen. Time: 04/26/2013 01:09:09.282 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 189.30.80.1 (2) (01:05:08.915 PDT) event=777:7777008 (2) {tcp} E8[bh] Detected intense malware port scanning of 147 IPs (144 /24s) (# pkts S/M/O/I=0/147/0/0): 445:147, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (01:05:08.915 PDT) (01:08:51.480 PDT) tcpslice 1366963508.915 1366963508.916 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/26/2013 01:11:18.307 PDT Gen. Time: 04/26/2013 01:11:18.307 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 189.30.80.1 (01:11:18.307 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 155 IPs (152 /24s) (# pkts S/M/O/I=0/155/0/0): 445:155, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (01:11:18.307 PDT) tcpslice 1366963878.307 1366963878.308 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/26/2013 01:11:18.307 PDT Gen. Time: 04/26/2013 01:15:19.919 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 189.30.80.1 (2) (01:11:18.307 PDT) event=777:7777008 (2) {tcp} E8[bh] Detected intense malware port scanning of 155 IPs (152 /24s) (# pkts S/M/O/I=0/155/0/0): 445:155, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (01:11:18.307 PDT) (01:13:18.843 PDT) tcpslice 1366963878.307 1366963878.308 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/26/2013 01:16:45.473 PDT Gen. Time: 04/26/2013 01:16:45.473 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 189.30.80.1 (01:16:45.473 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 158 IPs (155 /24s) (# pkts S/M/O/I=0/158/0/0): 445:158, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (01:16:45.473 PDT) tcpslice 1366964205.473 1366964205.474 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/26/2013 01:16:45.473 PDT Gen. Time: 04/26/2013 01:20:46.489 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 189.30.80.1 (3) (01:16:45.473 PDT) event=777:7777008 (3) {tcp} E8[bh] Detected intense malware port scanning of 158 IPs (155 /24s) (# pkts S/M/O/I=0/158/0/0): 445:158, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (01:16:45.473 PDT) 0->0 (01:18:33.735 PDT) 0->0 (01:20:03.786 PDT) tcpslice 1366964205.473 1366964205.474 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/26/2013 01:22:58.457 PDT Gen. Time: 04/26/2013 01:22:58.457 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 189.30.80.1 (01:22:58.457 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 167 IPs (164 /24s) (# pkts S/M/O/I=0/167/0/0): 445:167, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (01:22:58.457 PDT) tcpslice 1366964578.457 1366964578.458 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/26/2013 01:22:58.457 PDT Gen. Time: 04/26/2013 01:27:02.008 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 189.30.80.1 (2) (01:22:58.457 PDT) event=777:7777008 (2) {tcp} E8[bh] Detected intense malware port scanning of 167 IPs (164 /24s) (# pkts S/M/O/I=0/167/0/0): 445:167, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (01:22:58.457 PDT) 0->0 (01:25:24.425 PDT) tcpslice 1366964578.457 1366964578.458 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/26/2013 01:28:48.833 PDT Gen. Time: 04/26/2013 01:28:48.833 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 189.30.80.1 (01:28:48.833 PDT) event=777:7777008 {icmp} E8[bh] Detected intense malware port scanning of 170 IPs (167 /24s) (# pkts S/M/O/I=0/170/0/0): 445:170, [] MAC_Src: 00:21:1C:EE:14:00 (01:28:48.833 PDT) tcpslice 1366964928.833 1366964928.834 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/26/2013 01:28:48.833 PDT Gen. Time: 04/26/2013 01:32:46.321 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 189.30.80.1 (3) (01:28:48.833 PDT) event=777:7777008 (3) {icmp} E8[bh] Detected intense malware port scanning of 170 IPs (167 /24s) (# pkts S/M/O/I=0/170/0/0): 445:170, [] MAC_Src: 00:21:1C:EE:14:00 (01:28:48.833 PDT) 0->0 (01:30:18.470 PDT) (01:32:04.895 PDT) tcpslice 1366964928.833 1366964928.834 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/26/2013 01:34:32.699 PDT Gen. Time: 04/26/2013 01:34:32.699 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 189.30.80.1 (01:34:32.699 PDT) event=777:7777008 {icmp} E8[bh] Detected intense malware port scanning of 177 IPs (174 /24s) (# pkts S/M/O/I=0/177/0/0): 445:177, [] MAC_Src: 00:21:1C:EE:14:00 (01:34:32.699 PDT) tcpslice 1366965272.699 1366965272.700 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/26/2013 01:34:32.699 PDT Gen. Time: 04/26/2013 01:38:33.529 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 189.30.80.1 (2) (01:34:32.699 PDT) event=777:7777008 (2) {icmp} E8[bh] Detected intense malware port scanning of 177 IPs (174 /24s) (# pkts S/M/O/I=0/177/0/0): 445:177, [] MAC_Src: 00:21:1C:EE:14:00 (01:34:32.699 PDT) (01:37:19.656 PDT) tcpslice 1366965272.699 1366965272.700 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/26/2013 01:40:38.721 PDT Gen. Time: 04/26/2013 01:40:38.721 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 189.30.80.1 (01:40:38.721 PDT) event=777:7777008 {icmp} E8[bh] Detected intense malware port scanning of 182 IPs (178 /24s) (# pkts S/M/O/I=0/182/0/0): 445:182, [] MAC_Src: 00:21:1C:EE:14:00 (01:40:38.721 PDT) tcpslice 1366965638.721 1366965638.722 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/26/2013 01:40:38.721 PDT Gen. Time: 04/26/2013 01:44:40.246 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 189.30.80.1 (2) (01:40:38.721 PDT) event=777:7777008 (2) {icmp} E8[bh] Detected intense malware port scanning of 182 IPs (178 /24s) (# pkts S/M/O/I=0/182/0/0): 445:182, [] MAC_Src: 00:21:1C:EE:14:00 (01:40:38.721 PDT) 0->0 (01:43:28.550 PDT) tcpslice 1366965638.721 1366965638.722 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/26/2013 01:45:06.376 PDT Gen. Time: 04/26/2013 01:45:06.376 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 189.30.80.1 (01:45:06.376 PDT) event=777:7777008 {icmp} E8[bh] Detected intense malware port scanning of 187 IPs (183 /24s) (# pkts S/M/O/I=0/187/0/0): 445:187, [] MAC_Src: 00:21:1C:EE:14:00 (01:45:06.376 PDT) tcpslice 1366965906.376 1366965906.377 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/26/2013 01:45:06.376 PDT Gen. Time: 04/26/2013 01:49:07.110 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 189.27.104.12 (2) (01:47:10.483 PDT) event=777:7777008 (2) {icmp} E8[bh] Detected intense malware port scanning of 193 IPs (189 /24s) (# pkts S/M/O/I=0/193/0/0): 445:193, [] MAC_Src: 00:21:1C:EE:14:00 (01:47:10.483 PDT) 0->0 (01:48:40.717 PDT) 189.30.80.1 (01:45:06.376 PDT) event=777:7777008 {icmp} E8[bh] Detected intense malware port scanning of 187 IPs (183 /24s) (# pkts S/M/O/I=0/187/0/0): 445:187, [] MAC_Src: 00:21:1C:EE:14:00 (01:45:06.376 PDT) tcpslice 1366965906.376 1366965906.377 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/26/2013 01:50:17.835 PDT Gen. Time: 04/26/2013 01:50:17.835 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 189.27.104.12 (01:50:17.835 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 196 IPs (192 /24s) (# pkts S/M/O/I=0/196/0/0): 445:196, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (01:50:17.835 PDT) tcpslice 1366966217.835 1366966217.836 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/26/2013 01:50:17.835 PDT Gen. Time: 04/26/2013 01:54:18.311 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 189.27.104.12 (2) (01:50:17.835 PDT) event=777:7777008 (2) {tcp} E8[bh] Detected intense malware port scanning of 196 IPs (192 /24s) (# pkts S/M/O/I=0/196/0/0): 445:196, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (01:50:17.835 PDT) (01:52:18.504 PDT) tcpslice 1366966217.835 1366966217.836 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/26/2013 01:53:21.874 PDT Gen. Time: 04/26/2013 01:53:21.874 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 189.27.104.12 (01:53:21.874 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 200 IPs (195 /24s) (# pkts S/M/O/I=0/200/0/0): 445:200, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (01:53:21.874 PDT) tcpslice 1366966401.874 1366966401.875 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/26/2013 02:20:51.842 PDT Gen. Time: 04/26/2013 02:20:51.842 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 177.22.6.105 (02:20:51.842 PDT) event=777:7777008 {icmp} E8[bh] Detected intense malware port scanning of 21 IPs (21 /24s) (# pkts S/M/O/I=0/21/0/0): 445:21, [] MAC_Src: 00:21:1C:EE:14:00 (02:20:51.842 PDT) tcpslice 1366968051.842 1366968051.843 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/26/2013 02:20:51.842 PDT Gen. Time: 04/26/2013 02:24:52.987 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 177.22.6.105 (2) (02:20:51.842 PDT) event=777:7777008 (2) {icmp} E8[bh] Detected intense malware port scanning of 21 IPs (21 /24s) (# pkts S/M/O/I=0/21/0/0): 445:21, [] MAC_Src: 00:21:1C:EE:14:00 (02:20:51.842 PDT) (02:23:19.701 PDT) tcpslice 1366968051.842 1366968051.843 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/26/2013 02:25:21.841 PDT Gen. Time: 04/26/2013 02:25:21.841 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 177.22.6.105 (02:25:21.841 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 27 IPs (27 /24s) (# pkts S/M/O/I=0/27/0/0): 445:27, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (02:25:21.841 PDT) tcpslice 1366968321.841 1366968321.842 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/26/2013 02:25:21.841 PDT Gen. Time: 04/26/2013 02:29:23.697 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 177.22.6.105 (2) (02:25:21.841 PDT) event=777:7777008 (2) {tcp} E8[bh] Detected intense malware port scanning of 27 IPs (27 /24s) (# pkts S/M/O/I=0/27/0/0): 445:27, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (02:25:21.841 PDT) (02:28:45.796 PDT) tcpslice 1366968321.841 1366968321.842 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/26/2013 02:31:27.925 PDT Gen. Time: 04/26/2013 02:31:27.925 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 177.22.6.105 (02:31:27.925 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 31 IPs (31 /24s) (# pkts S/M/O/I=0/31/0/0): 445:31, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (02:31:27.925 PDT) tcpslice 1366968687.925 1366968687.926 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/26/2013 02:31:27.925 PDT Gen. Time: 04/26/2013 02:35:32.553 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 177.22.6.105 (2) (02:31:27.925 PDT) event=777:7777008 (2) {tcp} E8[bh] Detected intense malware port scanning of 31 IPs (31 /24s) (# pkts S/M/O/I=0/31/0/0): 445:31, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (02:31:27.925 PDT) 0->0 (02:33:54.805 PDT) tcpslice 1366968687.925 1366968687.926 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/26/2013 02:37:09.747 PDT Gen. Time: 04/26/2013 02:37:09.747 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 177.22.6.105 (02:37:09.747 PDT) event=777:7777008 {icmp} E8[bh] Detected intense malware port scanning of 34 IPs (34 /24s) (# pkts S/M/O/I=0/34/0/0): 445:34, [] MAC_Src: 00:21:1C:EE:14:00 (02:37:09.747 PDT) tcpslice 1366969029.747 1366969029.748 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/26/2013 02:37:09.747 PDT Gen. Time: 04/26/2013 02:41:09.865 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 177.22.6.105 (3) (02:37:09.747 PDT) event=777:7777008 (3) {icmp} E8[bh] Detected intense malware port scanning of 34 IPs (34 /24s) (# pkts S/M/O/I=0/34/0/0): 445:34, [] MAC_Src: 00:21:1C:EE:14:00 (02:37:09.747 PDT) 0->0 (02:38:56.850 PDT) (02:40:31.534 PDT) tcpslice 1366969029.747 1366969029.748 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/26/2013 02:43:14.639 PDT Gen. Time: 04/26/2013 02:43:14.639 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 177.22.6.105 (02:43:14.639 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 41 IPs (41 /24s) (# pkts S/M/O/I=0/41/0/0): 445:41, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (02:43:14.639 PDT) tcpslice 1366969394.639 1366969394.640 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/26/2013 02:43:14.639 PDT Gen. Time: 04/26/2013 02:47:14.782 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 177.22.6.105 (3) (02:43:14.639 PDT) event=777:7777008 (3) {tcp} E8[bh] Detected intense malware port scanning of 41 IPs (41 /24s) (# pkts S/M/O/I=0/41/0/0): 445:41, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (02:43:14.639 PDT) 0->0 (02:44:50.742 PDT) (02:46:20.841 PDT) tcpslice 1366969394.639 1366969394.640 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/26/2013 02:47:51.427 PDT Gen. Time: 04/26/2013 02:47:51.427 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 177.22.6.105 (02:47:51.427 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 47 IPs (47 /24s) (# pkts S/M/O/I=0/47/0/0): 445:47, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (02:47:51.427 PDT) tcpslice 1366969671.427 1366969671.428 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/26/2013 02:47:51.427 PDT Gen. Time: 04/26/2013 02:51:48.333 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 177.22.6.105 (3) (02:47:51.427 PDT) event=777:7777008 (3) {tcp} E8[bh] Detected intense malware port scanning of 47 IPs (47 /24s) (# pkts S/M/O/I=0/47/0/0): 445:47, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (02:47:51.427 PDT) 0->0 (02:49:42.615 PDT) 0->0 (02:51:13.791 PDT) tcpslice 1366969671.427 1366969671.428 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/26/2013 02:55:28.772 PDT Gen. Time: 04/26/2013 02:55:28.772 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 177.22.6.105 (02:55:28.772 PDT) event=777:7777008 {icmp} E8[bh] Detected intense malware port scanning of 51 IPs (51 /24s) (# pkts S/M/O/I=0/51/0/0): 445:51, [] MAC_Src: 00:21:1C:EE:14:00 (02:55:28.772 PDT) tcpslice 1366970128.772 1366970128.773 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/26/2013 03:00:05.500 PDT Gen. Time: 04/26/2013 03:00:05.500 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 177.22.6.105 (03:00:05.500 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 53 IPs (53 /24s) (# pkts S/M/O/I=0/53/0/0): 445:53, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (03:00:05.500 PDT) tcpslice 1366970405.500 1366970405.501 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/26/2013 03:00:05.500 PDT Gen. Time: 04/26/2013 03:04:07.255 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 177.22.6.105 (3) (03:00:05.500 PDT) event=777:7777008 (3) {tcp} E8[bh] Detected intense malware port scanning of 53 IPs (53 /24s) (# pkts S/M/O/I=0/53/0/0): 445:53, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (03:00:05.500 PDT) 0->0 (03:01:39.068 PDT) 0->0 (03:04:03.821 PDT) tcpslice 1366970405.500 1366970405.501 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/26/2013 03:06:27.544 PDT Gen. Time: 04/26/2013 03:06:27.544 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 177.22.6.105 (03:06:27.544 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 59 IPs (59 /24s) (# pkts S/M/O/I=0/59/0/0): 445:59, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (03:06:27.544 PDT) tcpslice 1366970787.544 1366970787.545 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/26/2013 03:06:27.544 PDT Gen. Time: 04/26/2013 03:10:29.279 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 177.22.6.105 (3) (03:06:27.544 PDT) event=777:7777008 (3) {tcp} E8[bh] Detected intense malware port scanning of 59 IPs (59 /24s) (# pkts S/M/O/I=0/59/0/0): 445:59, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (03:06:27.544 PDT) 0->0 (03:08:32.849 PDT) (03:10:20.081 PDT) tcpslice 1366970787.544 1366970787.545 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/26/2013 03:12:12.693 PDT Gen. Time: 04/26/2013 03:12:12.693 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 177.22.6.105 (03:12:12.693 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 64 IPs (64 /24s) (# pkts S/M/O/I=0/64/0/0): 445:64, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (03:12:12.693 PDT) tcpslice 1366971132.693 1366971132.694 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/26/2013 03:12:12.693 PDT Gen. Time: 04/26/2013 03:16:14.294 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 177.22.6.105 (2) (03:12:12.693 PDT) event=777:7777008 (2) {tcp} E8[bh] Detected intense malware port scanning of 64 IPs (64 /24s) (# pkts S/M/O/I=0/64/0/0): 445:64, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (03:12:12.693 PDT) 0->0 (03:14:53.784 PDT) tcpslice 1366971132.693 1366971132.694 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/26/2013 03:19:29.679 PDT Gen. Time: 04/26/2013 03:19:29.679 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 177.22.6.105 (03:19:29.679 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 69 IPs (69 /24s) (# pkts S/M/O/I=0/69/0/0): 445:69, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (03:19:29.679 PDT) tcpslice 1366971569.679 1366971569.680 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/26/2013 03:19:29.679 PDT Gen. Time: 04/26/2013 03:23:31.146 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 177.22.6.105 (2) (03:19:29.679 PDT) event=777:7777008 (2) {tcp} E8[bh] Detected intense malware port scanning of 69 IPs (69 /24s) (# pkts S/M/O/I=0/69/0/0): 445:69, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (03:19:29.679 PDT) (03:21:38.837 PDT) tcpslice 1366971569.679 1366971569.680 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/26/2013 03:24:35.429 PDT Gen. Time: 04/26/2013 03:24:35.429 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 177.22.6.105 (03:24:35.429 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 71 IPs (71 /24s) (# pkts S/M/O/I=0/71/0/0): 445:71, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (03:24:35.429 PDT) tcpslice 1366971875.429 1366971875.430 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/26/2013 03:24:35.429 PDT Gen. Time: 04/26/2013 03:28:35.825 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 177.22.6.105 (2) (03:24:35.429 PDT) event=777:7777008 (2) {tcp} E8[bh] Detected intense malware port scanning of 71 IPs (71 /24s) (# pkts S/M/O/I=0/71/0/0): 445:71, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (03:24:35.429 PDT) 0->0 (03:27:18.103 PDT) tcpslice 1366971875.429 1366971875.430 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/26/2013 03:29:19.124 PDT Gen. Time: 04/26/2013 03:29:19.124 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 177.22.6.105 (03:29:19.124 PDT) event=777:7777008 {icmp} E8[bh] Detected intense malware port scanning of 78 IPs (78 /24s) (# pkts S/M/O/I=0/78/0/0): 445:78, [] MAC_Src: 00:21:1C:EE:14:00 (03:29:19.124 PDT) tcpslice 1366972159.124 1366972159.125 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/26/2013 03:29:19.124 PDT Gen. Time: 04/26/2013 03:33:19.971 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 177.22.6.105 (2) (03:29:19.124 PDT) event=777:7777008 (2) {icmp} E8[bh] Detected intense malware port scanning of 78 IPs (78 /24s) (# pkts S/M/O/I=0/78/0/0): 445:78, [] MAC_Src: 00:21:1C:EE:14:00 (03:29:19.124 PDT) 0->0 (03:31:54.801 PDT) tcpslice 1366972159.124 1366972159.125 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/26/2013 03:33:52.946 PDT Gen. Time: 04/26/2013 03:33:52.946 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 177.22.6.105 (03:33:52.946 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 82 IPs (82 /24s) (# pkts S/M/O/I=0/82/0/0): 445:82, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (03:33:52.946 PDT) tcpslice 1366972432.946 1366972432.947 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/26/2013 03:33:52.946 PDT Gen. Time: 04/26/2013 03:37:50.073 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 177.22.6.105 (2) (03:33:52.946 PDT) event=777:7777008 (2) {tcp} E8[bh] Detected intense malware port scanning of 82 IPs (82 /24s) (# pkts S/M/O/I=0/82/0/0): 445:82, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (03:33:52.946 PDT) 0->0 (03:36:21.435 PDT) tcpslice 1366972432.946 1366972432.947 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/26/2013 03:38:04.516 PDT Gen. Time: 04/26/2013 03:38:04.516 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 177.22.6.105 (03:38:04.516 PDT) event=777:7777008 {icmp} E8[bh] Detected intense malware port scanning of 86 IPs (86 /24s) (# pkts S/M/O/I=0/86/0/0): 445:86, [] MAC_Src: 00:21:1C:EE:14:00 (03:38:04.516 PDT) tcpslice 1366972684.516 1366972684.517 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 1.1 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/26/2013 04:04:48.651 PDT Gen. Time: 04/26/2013 04:07:46.092 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) 177.86.51.48 (04:04:48.651 PDT) event=777:7777005 {tcp} E5[bh] Detected moderate malware port scanning of 18 IPs (18 /24s) (# pkts S/M/O/I=0/18/0/0): 445:18, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (04:04:48.651 PDT) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 177.86.51.48 (04:07:46.092 PDT) event=777:7777008 {icmp} E8[bh] Detected intense malware port scanning of 21 IPs (21 /24s) (# pkts S/M/O/I=0/21/0/0): 445:21, [] MAC_Src: 00:21:1C:EE:14:00 (04:07:46.092 PDT) tcpslice 1366974288.651 1366974288.652 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/26/2013 04:09:24.282 PDT Gen. Time: 04/26/2013 04:09:24.282 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 177.86.51.48 (04:09:24.282 PDT) event=777:7777008 {icmp} E8[bh] Detected intense malware port scanning of 22 IPs (22 /24s) (# pkts S/M/O/I=0/22/0/0): 445:22, [] MAC_Src: 00:21:1C:EE:14:00 (04:09:24.282 PDT) tcpslice 1366974564.282 1366974564.283 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/26/2013 04:09:24.282 PDT Gen. Time: 04/26/2013 04:13:24.855 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 190.52.198.69 (04:11:02.576 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 27 IPs (27 /24s) (# pkts S/M/O/I=0/27/0/0): 445:27, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (04:11:02.576 PDT) 177.86.51.48 (04:09:24.282 PDT) event=777:7777008 {icmp} E8[bh] Detected intense malware port scanning of 22 IPs (22 /24s) (# pkts S/M/O/I=0/22/0/0): 445:22, [] MAC_Src: 00:21:1C:EE:14:00 (04:09:24.282 PDT) tcpslice 1366974564.282 1366974564.283 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/26/2013 04:14:51.764 PDT Gen. Time: 04/26/2013 04:14:51.764 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 190.52.198.69 (04:14:51.764 PDT) event=777:7777008 {icmp} E8[bh] Detected intense malware port scanning of 30 IPs (30 /24s) (# pkts S/M/O/I=0/30/0/0): 445:30, [] MAC_Src: 00:21:1C:EE:14:00 (04:14:51.764 PDT) tcpslice 1366974891.764 1366974891.765 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/26/2013 04:14:51.764 PDT Gen. Time: 04/26/2013 04:18:52.135 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 190.52.198.69 (2) (04:14:51.764 PDT) event=777:7777008 (2) {icmp} E8[bh] Detected intense malware port scanning of 30 IPs (30 /24s) (# pkts S/M/O/I=0/30/0/0): 445:30, [] MAC_Src: 00:21:1C:EE:14:00 (04:14:51.764 PDT) (04:16:52.770 PDT) tcpslice 1366974891.764 1366974891.765 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/26/2013 04:19:00.877 PDT Gen. Time: 04/26/2013 04:19:00.877 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 190.52.198.69 (04:19:00.877 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 35 IPs (35 /24s) (# pkts S/M/O/I=0/35/0/0): 445:35, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (04:19:00.877 PDT) tcpslice 1366975140.877 1366975140.878 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/26/2013 05:28:07.885 PDT Gen. Time: 04/26/2013 05:28:07.885 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 190.6.182.32 (05:28:07.885 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 21 IPs (21 /24s) (# pkts S/M/O/I=0/21/0/0): 445:21, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (05:28:07.885 PDT) tcpslice 1366979287.885 1366979287.886 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/26/2013 05:28:07.885 PDT Gen. Time: 04/26/2013 05:32:08.142 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 190.6.182.32 (2) (05:28:07.885 PDT) event=777:7777008 (2) {tcp} E8[bh] Detected intense malware port scanning of 21 IPs (21 /24s) (# pkts S/M/O/I=0/21/0/0): 445:21, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (05:28:07.885 PDT) 0->0 (05:30:36.363 PDT) tcpslice 1366979287.885 1366979287.886 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/26/2013 05:33:13.505 PDT Gen. Time: 04/26/2013 05:33:13.505 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 190.6.182.32 (05:33:13.505 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 24 IPs (24 /24s) (# pkts S/M/O/I=0/24/0/0): 445:24, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (05:33:13.505 PDT) tcpslice 1366979593.505 1366979593.506 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/26/2013 05:33:13.505 PDT Gen. Time: 04/26/2013 05:37:15.350 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 190.6.182.32 (3) (05:33:13.505 PDT) event=777:7777008 (3) {tcp} E8[bh] Detected intense malware port scanning of 24 IPs (24 /24s) (# pkts S/M/O/I=0/24/0/0): 445:24, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (05:33:13.505 PDT) (05:34:47.809 PDT) (05:37:07.257 PDT) tcpslice 1366979593.505 1366979593.506 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/26/2013 05:39:39.812 PDT Gen. Time: 04/26/2013 05:39:39.812 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 190.6.182.32 (05:39:39.812 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 31 IPs (31 /24s) (# pkts S/M/O/I=0/31/0/0): 445:31, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (05:39:39.812 PDT) tcpslice 1366979979.812 1366979979.813 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/26/2013 05:39:39.812 PDT Gen. Time: 04/26/2013 05:43:40.493 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 190.6.182.32 (3) (05:39:39.812 PDT) event=777:7777008 (3) {tcp} E8[bh] Detected intense malware port scanning of 31 IPs (31 /24s) (# pkts S/M/O/I=0/31/0/0): 445:31, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (05:39:39.812 PDT) (05:41:44.927 PDT) 0->0 (05:43:14.406 PDT) tcpslice 1366979979.812 1366979979.813 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/26/2013 05:45:30.939 PDT Gen. Time: 04/26/2013 05:45:30.939 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 190.29.160.76 (05:45:30.939 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 41 IPs (41 /24s) (# pkts S/M/O/I=0/41/0/0): 445:41, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (05:45:30.939 PDT) tcpslice 1366980330.939 1366980330.940 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 1.1 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/26/2013 06:15:14.889 PDT Gen. Time: 04/26/2013 06:16:59.340 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) 201.67.104.52 (2) (06:15:14.889 PDT) event=777:7777005 (2) {tcp} E5[bh] Detected moderate malware port scanning of 16 IPs (16 /24s) (# pkts S/M/O/I=0/16/0/0): 445:16, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (06:15:14.889 PDT) (06:16:55.117 PDT) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 201.67.104.52 (06:16:59.340 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 21 IPs (21 /24s) (# pkts S/M/O/I=0/21/0/0): 445:21, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (06:16:59.340 PDT) tcpslice 1366982114.889 1366982114.890 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/26/2013 06:19:57.459 PDT Gen. Time: 04/26/2013 06:19:57.459 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 201.67.104.52 (06:19:57.459 PDT) event=777:7777008 {icmp} E8[bh] Detected intense malware port scanning of 22 IPs (22 /24s) (# pkts S/M/O/I=0/22/0/0): 445:22, [] MAC_Src: 00:21:1C:EE:14:00 (06:19:57.459 PDT) tcpslice 1366982397.459 1366982397.460 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/26/2013 06:19:57.459 PDT Gen. Time: 04/26/2013 06:23:57.471 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 201.67.104.52 (2) (06:19:57.459 PDT) event=777:7777008 (2) {icmp} E8[bh] Detected intense malware port scanning of 22 IPs (22 /24s) (# pkts S/M/O/I=0/22/0/0): 445:22, [] MAC_Src: 00:21:1C:EE:14:00 (06:19:57.459 PDT) (06:22:15.773 PDT) tcpslice 1366982397.459 1366982397.460 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/26/2013 06:24:11.760 PDT Gen. Time: 04/26/2013 06:24:11.760 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 201.67.104.52 (06:24:11.760 PDT) event=777:7777008 {icmp} E8[bh] Detected intense malware port scanning of 24 IPs (24 /24s) (# pkts S/M/O/I=0/24/0/0): 445:24, [] MAC_Src: 00:21:1C:EE:14:00 (06:24:11.760 PDT) tcpslice 1366982651.760 1366982651.761 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/26/2013 06:24:11.760 PDT Gen. Time: 04/26/2013 06:28:13.399 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 201.67.104.52 (06:24:11.760 PDT) event=777:7777008 {icmp} E8[bh] Detected intense malware port scanning of 24 IPs (24 /24s) (# pkts S/M/O/I=0/24/0/0): 445:24, [] MAC_Src: 00:21:1C:EE:14:00 (06:24:11.760 PDT) 187.110.215.18 (2) (06:25:56.680 PDT) event=777:7777008 (2) {icmp} E8[bh] Detected intense malware port scanning of 25 IPs (25 /24s) (# pkts S/M/O/I=0/25/0/0): 445:25, [] MAC_Src: 00:21:1C:EE:14:00 (06:25:56.680 PDT) 0->0 (06:27:38.530 PDT) tcpslice 1366982651.760 1366982651.761 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/26/2013 06:29:53.535 PDT Gen. Time: 04/26/2013 06:29:53.535 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 187.110.215.18 (06:29:53.535 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 31 IPs (31 /24s) (# pkts S/M/O/I=0/31/0/0): 445:31, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (06:29:53.535 PDT) tcpslice 1366982993.535 1366982993.536 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/26/2013 06:29:53.535 PDT Gen. Time: 04/26/2013 06:33:52.482 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 187.110.215.18 (2) (06:29:53.535 PDT) event=777:7777008 (2) {tcp} E8[bh] Detected intense malware port scanning of 31 IPs (31 /24s) (# pkts S/M/O/I=0/31/0/0): 445:31, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (06:29:53.535 PDT) 0->0 (06:31:32.529 PDT) tcpslice 1366982993.535 1366982993.536 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/26/2013 06:34:50.766 PDT Gen. Time: 04/26/2013 06:34:50.766 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 187.110.215.18 (06:34:50.766 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 38 IPs (38 /24s) (# pkts S/M/O/I=0/38/0/0): 445:38, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (06:34:50.766 PDT) tcpslice 1366983290.766 1366983290.767 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/26/2013 06:38:52.186 PDT Gen. Time: 04/26/2013 06:38:52.186 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 64.120.252.114 (06:38:52.186 PDT) event=777:7777008 {icmp} E8[bh] Detected intense malware port scanning of 41 IPs (41 /24s) (# pkts S/M/O/I=0/40/1/0): 445:40, [] MAC_Src: 00:21:1C:EE:14:00 (06:38:52.186 PDT) tcpslice 1366983532.186 1366983532.187 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/26/2013 06:38:52.186 PDT Gen. Time: 04/26/2013 06:42:52.373 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 64.120.252.114 (2) (06:38:52.186 PDT) event=777:7777008 (2) {icmp} E8[bh] Detected intense malware port scanning of 41 IPs (41 /24s) (# pkts S/M/O/I=0/40/1/0): 445:40, [] MAC_Src: 00:21:1C:EE:14:00 (06:38:52.186 PDT) 0->0 (06:42:29.736 PDT) tcpslice 1366983532.186 1366983532.187 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/26/2013 06:44:21.768 PDT Gen. Time: 04/26/2013 06:44:21.768 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 64.120.252.114 (06:44:21.768 PDT) event=777:7777008 {icmp} E8[bh] Detected intense malware port scanning of 45 IPs (45 /24s) (# pkts S/M/O/I=0/44/1/0): 445:44, [] MAC_Src: 00:21:1C:EE:14:00 (06:44:21.768 PDT) tcpslice 1366983861.768 1366983861.769 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/26/2013 06:48:34.475 PDT Gen. Time: 04/26/2013 06:48:34.475 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 64.120.252.114 (06:48:34.475 PDT) event=777:7777008 {icmp} E8[bh] Detected intense malware port scanning of 46 IPs (46 /24s) (# pkts S/M/O/I=0/45/1/0): 445:45, [] MAC_Src: 00:21:1C:EE:14:00 (06:48:34.475 PDT) tcpslice 1366984114.475 1366984114.476 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/26/2013 06:48:34.475 PDT Gen. Time: 04/26/2013 06:52:37.102 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 186.46.147.37 (06:52:13.833 PDT) event=777:7777008 {icmp} E8[bh] Detected intense malware port scanning of 51 IPs (51 /24s) (# pkts S/M/O/I=0/50/1/0): 445:50, [] MAC_Src: 00:21:1C:EE:14:00 (06:52:13.833 PDT) 64.120.252.114 (06:48:34.475 PDT) event=777:7777008 {icmp} E8[bh] Detected intense malware port scanning of 46 IPs (46 /24s) (# pkts S/M/O/I=0/45/1/0): 445:45, [] MAC_Src: 00:21:1C:EE:14:00 (06:48:34.475 PDT) tcpslice 1366984114.475 1366984114.476 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/26/2013 06:56:49.637 PDT Gen. Time: 04/26/2013 06:56:49.637 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 186.46.147.37 (06:56:49.637 PDT) event=777:7777008 {icmp} E8[bh] Detected intense malware port scanning of 53 IPs (53 /24s) (# pkts S/M/O/I=0/52/1/0): 445:52, [] MAC_Src: 00:21:1C:EE:14:00 (06:56:49.637 PDT) tcpslice 1366984609.637 1366984609.638 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/26/2013 06:56:49.637 PDT Gen. Time: 04/26/2013 07:00:35.807 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 186.46.147.37 (2) (06:56:49.637 PDT) event=777:7777008 (2) {icmp} E8[bh] Detected intense malware port scanning of 53 IPs (53 /24s) (# pkts S/M/O/I=0/52/1/0): 445:52, [] MAC_Src: 00:21:1C:EE:14:00 (06:56:49.637 PDT) (06:58:30.534 PDT) tcpslice 1366984609.637 1366984609.638 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/26/2013 07:01:06.727 PDT Gen. Time: 04/26/2013 07:01:06.727 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 186.46.147.37 (07:01:06.727 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 56 IPs (56 /24s) (# pkts S/M/O/I=0/55/1/0): 445:55, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (07:01:06.727 PDT) tcpslice 1366984866.727 1366984866.728 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/26/2013 07:01:06.727 PDT Gen. Time: 04/26/2013 07:05:07.774 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 186.46.147.37 (2) (07:01:06.727 PDT) event=777:7777008 (2) {tcp} E8[bh] Detected intense malware port scanning of 56 IPs (56 /24s) (# pkts S/M/O/I=0/55/1/0): 445:55, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (07:01:06.727 PDT) 0->0 (07:03:33.607 PDT) tcpslice 1366984866.727 1366984866.728 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/26/2013 07:06:50.688 PDT Gen. Time: 04/26/2013 07:06:50.688 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 186.46.147.37 (07:06:50.688 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 64 IPs (64 /24s) (# pkts S/M/O/I=0/63/1/0): 445:63, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (07:06:50.688 PDT) tcpslice 1366985210.688 1366985210.689 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/26/2013 07:06:50.688 PDT Gen. Time: 04/26/2013 07:10:45.079 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 186.46.147.37 (2) (07:06:50.688 PDT) event=777:7777008 (2) {tcp} E8[bh] Detected intense malware port scanning of 64 IPs (64 /24s) (# pkts S/M/O/I=0/63/1/0): 445:63, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (07:06:50.688 PDT) 0->0 (07:09:37.995 PDT) tcpslice 1366985210.688 1366985210.689 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/26/2013 07:11:44.765 PDT Gen. Time: 04/26/2013 07:11:44.765 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 186.46.147.37 (07:11:44.765 PDT) event=777:7777008 {icmp} E8[bh] Detected intense malware port scanning of 74 IPs (74 /24s) (# pkts S/M/O/I=0/72/2/0): 445:72, [] MAC_Src: 00:21:1C:EE:14:00 (07:11:44.765 PDT) tcpslice 1366985504.765 1366985504.766 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/26/2013 07:11:44.765 PDT Gen. Time: 04/26/2013 07:15:29.658 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 186.46.147.37 (2) (07:11:44.765 PDT) event=777:7777008 (2) {icmp} E8[bh] Detected intense malware port scanning of 74 IPs (74 /24s) (# pkts S/M/O/I=0/72/2/0): 445:72, [] MAC_Src: 00:21:1C:EE:14:00 (07:11:44.765 PDT) 0->0 (07:14:57.746 PDT) tcpslice 1366985504.765 1366985504.766 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/26/2013 07:16:28.351 PDT Gen. Time: 04/26/2013 07:16:28.351 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 186.46.147.37 (07:16:28.351 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 80 IPs (80 /24s) (# pkts S/M/O/I=0/78/2/0): 445:78, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (07:16:28.351 PDT) tcpslice 1366985788.351 1366985788.352 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/26/2013 07:16:28.351 PDT Gen. Time: 04/26/2013 07:20:31.528 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 186.46.147.37 (2) (07:16:28.351 PDT) event=777:7777008 (2) {tcp} E8[bh] Detected intense malware port scanning of 80 IPs (80 /24s) (# pkts S/M/O/I=0/78/2/0): 445:78, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (07:16:28.351 PDT) (07:18:24.449 PDT) tcpslice 1366985788.351 1366985788.352 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/26/2013 07:21:42.813 PDT Gen. Time: 04/26/2013 07:21:42.813 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 186.46.147.37 (07:21:42.813 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 86 IPs (86 /24s) (# pkts S/M/O/I=0/84/2/0): 445:84, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (07:21:42.813 PDT) tcpslice 1366986102.813 1366986102.814 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/26/2013 07:21:42.813 PDT Gen. Time: 04/26/2013 07:25:40.586 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 186.46.147.37 (3) (07:21:42.813 PDT) event=777:7777008 (3) {tcp} E8[bh] Detected intense malware port scanning of 86 IPs (86 /24s) (# pkts S/M/O/I=0/84/2/0): 445:84, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (07:21:42.813 PDT) (07:23:12.507 PDT) 0->0 (07:25:40.586 PDT) tcpslice 1366986102.813 1366986102.814 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/26/2013 07:27:14.847 PDT Gen. Time: 04/26/2013 07:27:14.847 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 186.46.147.37 (07:27:14.847 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 94 IPs (94 /24s) (# pkts S/M/O/I=0/92/2/0): 445:92, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (07:27:14.847 PDT) tcpslice 1366986434.847 1366986434.848 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/26/2013 07:27:14.847 PDT Gen. Time: 04/26/2013 07:31:16.431 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 186.46.147.37 (2) (07:27:14.847 PDT) event=777:7777008 (2) {tcp} E8[bh] Detected intense malware port scanning of 94 IPs (94 /24s) (# pkts S/M/O/I=0/92/2/0): 445:92, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (07:27:14.847 PDT) (07:29:50.549 PDT) tcpslice 1366986434.847 1366986434.848 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/26/2013 07:33:22.367 PDT Gen. Time: 04/26/2013 07:33:22.367 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 186.46.147.37 (07:33:22.367 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 99 IPs (99 /24s) (# pkts S/M/O/I=0/97/2/0): 445:97, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (07:33:22.367 PDT) tcpslice 1366986802.367 1366986802.368 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/26/2013 07:33:22.367 PDT Gen. Time: 04/26/2013 07:37:22.582 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 186.46.147.37 (2) (07:33:22.367 PDT) event=777:7777008 (2) {tcp} E8[bh] Detected intense malware port scanning of 99 IPs (99 /24s) (# pkts S/M/O/I=0/97/2/0): 445:97, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (07:33:22.367 PDT) 0->0 (07:35:40.799 PDT) tcpslice 1366986802.367 1366986802.368 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/26/2013 07:39:47.852 PDT Gen. Time: 04/26/2013 07:39:47.852 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 186.46.147.37 (07:39:47.852 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 105 IPs (105 /24s) (# pkts S/M/O/I=0/103/2/0): 445:103, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (07:39:47.852 PDT) tcpslice 1366987187.852 1366987187.853 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/26/2013 07:39:47.852 PDT Gen. Time: 04/26/2013 07:43:48.102 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 186.46.147.37 (2) (07:39:47.852 PDT) event=777:7777008 (2) {tcp} E8[bh] Detected intense malware port scanning of 105 IPs (105 /24s) (# pkts S/M/O/I=0/103/2/0): 445:103, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (07:39:47.852 PDT) 0->0 (07:41:56.724 PDT) tcpslice 1366987187.852 1366987187.853 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/26/2013 07:44:28.750 PDT Gen. Time: 04/26/2013 07:44:28.750 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 186.46.147.37 (07:44:28.750 PDT) event=777:7777008 {icmp} E8[bh] Detected intense malware port scanning of 114 IPs (114 /24s) (# pkts S/M/O/I=0/112/2/0): 445:112, [] MAC_Src: 00:21:1C:EE:14:00 (07:44:28.750 PDT) tcpslice 1366987468.750 1366987468.751 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/26/2013 07:44:28.750 PDT Gen. Time: 04/26/2013 07:48:29.113 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 186.46.147.37 (2) (07:44:28.750 PDT) event=777:7777008 (2) {icmp} E8[bh] Detected intense malware port scanning of 114 IPs (114 /24s) (# pkts S/M/O/I=0/112/2/0): 445:112, [] MAC_Src: 00:21:1C:EE:14:00 (07:44:28.750 PDT) (07:47:37.496 PDT) tcpslice 1366987468.750 1366987468.751 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/26/2013 07:50:09.914 PDT Gen. Time: 04/26/2013 07:50:09.914 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 186.46.147.37 (07:50:09.914 PDT) event=777:7777008 {icmp} E8[bh] Detected intense malware port scanning of 119 IPs (119 /24s) (# pkts S/M/O/I=0/117/2/0): 445:117, [] MAC_Src: 00:21:1C:EE:14:00 (07:50:09.914 PDT) tcpslice 1366987809.914 1366987809.915 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/26/2013 07:50:09.914 PDT Gen. Time: 04/26/2013 07:54:11.127 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 186.46.147.37 (2) (07:50:09.914 PDT) event=777:7777008 (2) {icmp} E8[bh] Detected intense malware port scanning of 119 IPs (119 /24s) (# pkts S/M/O/I=0/117/2/0): 445:117, [] MAC_Src: 00:21:1C:EE:14:00 (07:50:09.914 PDT) 0->0 (07:54:02.552 PDT) tcpslice 1366987809.914 1366987809.915 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/26/2013 07:55:47.575 PDT Gen. Time: 04/26/2013 07:55:47.575 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 186.46.147.37 (07:55:47.575 PDT) event=777:7777008 {icmp} E8[bh] Detected intense malware port scanning of 122 IPs (122 /24s) (# pkts S/M/O/I=0/120/2/0): 445:120, [] MAC_Src: 00:21:1C:EE:14:00 (07:55:47.575 PDT) tcpslice 1366988147.575 1366988147.576 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/26/2013 07:55:47.575 PDT Gen. Time: 04/26/2013 07:59:47.352 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 186.46.147.37 (2) (07:55:47.575 PDT) event=777:7777008 (2) {icmp} E8[bh] Detected intense malware port scanning of 122 IPs (122 /24s) (# pkts S/M/O/I=0/120/2/0): 445:120, [] MAC_Src: 00:21:1C:EE:14:00 (07:55:47.575 PDT) 0->0 (07:58:27.134 PDT) tcpslice 1366988147.575 1366988147.576 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/26/2013 08:05:56.836 PDT Gen. Time: 04/26/2013 08:05:56.836 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 186.46.147.37 (08:05:56.836 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 127 IPs (127 /24s) (# pkts S/M/O/I=0/125/2/0): 445:125, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (08:05:56.836 PDT) tcpslice 1366988756.836 1366988756.837 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/26/2013 08:07:25.926 PDT Gen. Time: 04/26/2013 08:07:25.926 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 186.46.147.37 (08:07:25.926 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 128 IPs (128 /24s) (# pkts S/M/O/I=0/126/2/0): 445:126, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (08:07:25.926 PDT) tcpslice 1366988845.926 1366988845.927 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 1.1 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/26/2013 08:37:15.032 PDT Gen. Time: 04/26/2013 08:38:30.246 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) 201.2.36.26 (08:37:15.032 PDT) event=777:7777005 {tcp} E5[bh] Detected moderate malware port scanning of 20 IPs (20 /24s) (# pkts S/M/O/I=0/20/0/0): 445:20, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (08:37:15.032 PDT) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 201.2.36.26 (08:38:30.246 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 21 IPs (21 /24s) (# pkts S/M/O/I=0/21/0/0): 445:21, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (08:38:30.246 PDT) tcpslice 1366990635.032 1366990635.033 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 1.1 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/26/2013 08:37:15.032 PDT Gen. Time: 04/26/2013 08:41:15.168 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) 201.2.36.26 (08:37:15.032 PDT) event=777:7777005 {tcp} E5[bh] Detected moderate malware port scanning of 20 IPs (20 /24s) (# pkts S/M/O/I=0/20/0/0): 445:20, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (08:37:15.032 PDT) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 201.2.36.26 (2) (08:38:30.246 PDT) event=777:7777008 (2) {tcp} E8[bh] Detected intense malware port scanning of 21 IPs (21 /24s) (# pkts S/M/O/I=0/21/0/0): 445:21, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (08:38:30.246 PDT) 0->0 (08:40:07.475 PDT) tcpslice 1366990635.032 1366990635.033 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/26/2013 08:41:55.682 PDT Gen. Time: 04/26/2013 08:41:55.682 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 201.2.36.26 (08:41:55.682 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 27 IPs (27 /24s) (# pkts S/M/O/I=0/27/0/0): 445:27, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (08:41:55.682 PDT) tcpslice 1366990915.682 1366990915.683 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/26/2013 08:46:26.800 PDT Gen. Time: 04/26/2013 08:46:26.800 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 201.2.36.26 (08:46:26.800 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 28 IPs (28 /24s) (# pkts S/M/O/I=0/28/0/0): 445:28, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (08:46:26.800 PDT) tcpslice 1366991186.800 1366991186.801 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/26/2013 08:46:26.800 PDT Gen. Time: 04/26/2013 08:50:29.197 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 201.2.36.26 (2) (08:46:26.800 PDT) event=777:7777008 (2) {tcp} E8[bh] Detected intense malware port scanning of 28 IPs (28 /24s) (# pkts S/M/O/I=0/28/0/0): 445:28, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (08:46:26.800 PDT) (08:48:00.266 PDT) tcpslice 1366991186.800 1366991186.801 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/26/2013 08:52:05.094 PDT Gen. Time: 04/26/2013 08:52:05.094 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 201.2.36.26 (08:52:05.094 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 32 IPs (32 /24s) (# pkts S/M/O/I=0/32/0/0): 445:32, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (08:52:05.094 PDT) tcpslice 1366991525.094 1366991525.095 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/26/2013 08:52:05.094 PDT Gen. Time: 04/26/2013 08:56:05.771 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 201.2.36.26 (3) (08:52:05.094 PDT) event=777:7777008 (3) {tcp} E8[bh] Detected intense malware port scanning of 32 IPs (32 /24s) (# pkts S/M/O/I=0/32/0/0): 445:32, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (08:52:05.094 PDT) 0->0 (08:53:46.017 PDT) (08:56:04.535 PDT) tcpslice 1366991525.094 1366991525.095 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/26/2013 08:59:38.048 PDT Gen. Time: 04/26/2013 08:59:38.048 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 201.2.36.26 (08:59:38.048 PDT) event=777:7777008 {icmp} E8[bh] Detected intense malware port scanning of 38 IPs (38 /24s) (# pkts S/M/O/I=0/38/0/0): 445:38, [] MAC_Src: 00:21:1C:EE:14:00 (08:59:38.048 PDT) tcpslice 1366991978.048 1366991978.049 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/26/2013 08:59:38.048 PDT Gen. Time: 04/26/2013 09:03:40.922 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 201.2.36.26 (2) (08:59:38.048 PDT) event=777:7777008 (2) {icmp} E8[bh] Detected intense malware port scanning of 38 IPs (38 /24s) (# pkts S/M/O/I=0/38/0/0): 445:38, [] MAC_Src: 00:21:1C:EE:14:00 (08:59:38.048 PDT) 0->0 (09:02:18.846 PDT) tcpslice 1366991978.048 1366991978.049 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/26/2013 09:04:02.923 PDT Gen. Time: 04/26/2013 09:04:02.923 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 201.2.36.26 (09:04:02.923 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 42 IPs (42 /24s) (# pkts S/M/O/I=0/42/0/0): 445:42, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (09:04:02.923 PDT) tcpslice 1366992242.923 1366992242.924 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/26/2013 09:04:02.923 PDT Gen. Time: 04/26/2013 09:08:04.709 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 201.2.36.26 (2) (09:04:02.923 PDT) event=777:7777008 (2) {tcp} E8[bh] Detected intense malware port scanning of 42 IPs (42 /24s) (# pkts S/M/O/I=0/42/0/0): 445:42, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (09:04:02.923 PDT) (09:06:41.951 PDT) tcpslice 1366992242.923 1366992242.924 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/26/2013 09:09:28.722 PDT Gen. Time: 04/26/2013 09:09:28.722 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 201.2.36.26 (09:09:28.722 PDT) event=777:7777008 {icmp} E8[bh] Detected intense malware port scanning of 48 IPs (48 /24s) (# pkts S/M/O/I=0/48/0/0): 445:48, [] MAC_Src: 00:21:1C:EE:14:00 (09:09:28.722 PDT) tcpslice 1366992568.722 1366992568.723 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/26/2013 09:09:28.722 PDT Gen. Time: 04/26/2013 09:13:28.892 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 201.2.36.26 (2) (09:09:28.722 PDT) event=777:7777008 (2) {icmp} E8[bh] Detected intense malware port scanning of 48 IPs (48 /24s) (# pkts S/M/O/I=0/48/0/0): 445:48, [] MAC_Src: 00:21:1C:EE:14:00 (09:09:28.722 PDT) 0->0 (09:12:40.612 PDT) tcpslice 1366992568.722 1366992568.723 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/26/2013 09:15:03.560 PDT Gen. Time: 04/26/2013 09:15:03.560 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 201.2.36.26 (09:15:03.560 PDT) event=777:7777008 {icmp} E8[bh] Detected intense malware port scanning of 53 IPs (53 /24s) (# pkts S/M/O/I=0/53/0/0): 445:53, [] MAC_Src: 00:21:1C:EE:14:00 (09:15:03.560 PDT) tcpslice 1366992903.560 1366992903.561 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/26/2013 09:15:03.560 PDT Gen. Time: 04/26/2013 09:19:05.098 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 201.2.36.26 (2) (09:15:03.560 PDT) event=777:7777008 (2) {icmp} E8[bh] Detected intense malware port scanning of 53 IPs (53 /24s) (# pkts S/M/O/I=0/53/0/0): 445:53, [] MAC_Src: 00:21:1C:EE:14:00 (09:15:03.560 PDT) 0->0 (09:17:01.857 PDT) tcpslice 1366992903.560 1366992903.561 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/26/2013 09:20:55.022 PDT Gen. Time: 04/26/2013 09:20:55.022 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 201.2.36.26 (09:20:55.022 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 59 IPs (59 /24s) (# pkts S/M/O/I=0/59/0/0): 445:59, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (09:20:55.022 PDT) tcpslice 1366993255.022 1366993255.023 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/26/2013 09:20:55.022 PDT Gen. Time: 04/26/2013 09:24:52.736 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 201.2.36.26 (2) (09:20:55.022 PDT) event=777:7777008 (2) {tcp} E8[bh] Detected intense malware port scanning of 59 IPs (59 /24s) (# pkts S/M/O/I=0/59/0/0): 445:59, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (09:20:55.022 PDT) 0->0 (09:22:56.229 PDT) tcpslice 1366993255.022 1366993255.023 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/26/2013 09:26:05.132 PDT Gen. Time: 04/26/2013 09:26:05.132 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 201.2.36.26 (09:26:05.132 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 65 IPs (65 /24s) (# pkts S/M/O/I=0/65/0/0): 445:65, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (09:26:05.132 PDT) tcpslice 1366993565.132 1366993565.133 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/26/2013 09:26:05.132 PDT Gen. Time: 04/26/2013 09:30:05.256 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 201.2.36.26 (2) (09:26:05.132 PDT) event=777:7777008 (2) {tcp} E8[bh] Detected intense malware port scanning of 65 IPs (65 /24s) (# pkts S/M/O/I=0/65/0/0): 445:65, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (09:26:05.132 PDT) (09:28:43.613 PDT) tcpslice 1366993565.132 1366993565.133 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/26/2013 09:31:35.976 PDT Gen. Time: 04/26/2013 09:31:35.976 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 201.2.36.26 (09:31:35.976 PDT) event=777:7777008 {icmp} E8[bh] Detected intense malware port scanning of 68 IPs (68 /24s) (# pkts S/M/O/I=0/68/0/0): 445:68, [] MAC_Src: 00:21:1C:EE:14:00 (09:31:35.976 PDT) tcpslice 1366993895.976 1366993895.977 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/26/2013 09:31:35.976 PDT Gen. Time: 04/26/2013 09:35:36.678 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 201.2.36.26 (2) (09:31:35.976 PDT) event=777:7777008 (2) {icmp} E8[bh] Detected intense malware port scanning of 68 IPs (68 /24s) (# pkts S/M/O/I=0/68/0/0): 445:68, [] MAC_Src: 00:21:1C:EE:14:00 (09:31:35.976 PDT) 0->0 (09:33:24.168 PDT) tcpslice 1366993895.976 1366993895.977 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/26/2013 09:35:39.789 PDT Gen. Time: 04/26/2013 09:35:39.789 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 201.2.36.26 (09:35:39.789 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 71 IPs (71 /24s) (# pkts S/M/O/I=0/71/0/0): 445:71, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (09:35:39.789 PDT) tcpslice 1366994139.789 1366994139.790 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/26/2013 09:35:39.789 PDT Gen. Time: 04/26/2013 09:39:40.645 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 201.2.36.26 (2) (09:35:39.789 PDT) event=777:7777008 (2) {tcp} E8[bh] Detected intense malware port scanning of 71 IPs (71 /24s) (# pkts S/M/O/I=0/71/0/0): 445:71, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (09:35:39.789 PDT) 0->0 (09:38:41.699 PDT) tcpslice 1366994139.789 1366994139.790 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/26/2013 09:43:07.263 PDT Gen. Time: 04/26/2013 09:43:07.263 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 201.2.36.26 (09:43:07.263 PDT) event=777:7777008 {icmp} E8[bh] Detected intense malware port scanning of 75 IPs (75 /24s) (# pkts S/M/O/I=0/75/0/0): 445:75, [] MAC_Src: 00:21:1C:EE:14:00 (09:43:07.263 PDT) tcpslice 1366994587.263 1366994587.264 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/26/2013 09:43:07.263 PDT Gen. Time: 04/26/2013 09:47:07.331 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 201.2.36.26 (2) (09:43:07.263 PDT) event=777:7777008 (2) {icmp} E8[bh] Detected intense malware port scanning of 75 IPs (75 /24s) (# pkts S/M/O/I=0/75/0/0): 445:75, [] MAC_Src: 00:21:1C:EE:14:00 (09:43:07.263 PDT) 0->0 (09:46:18.036 PDT) tcpslice 1366994587.263 1366994587.264 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 1.1 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/26/2013 10:26:43.411 PDT Gen. Time: 04/26/2013 10:28:18.404 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) 187.87.178.14 (10:26:43.411 PDT) event=777:7777005 {tcp} E5[bh] Detected moderate malware port scanning of 20 IPs (20 /24s) (# pkts S/M/O/I=0/20/0/0): 445:20, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (10:26:43.411 PDT) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 187.87.178.14 (10:28:18.404 PDT) event=777:7777008 {icmp} E8[bh] Detected intense malware port scanning of 21 IPs (21 /24s) (# pkts S/M/O/I=0/21/0/0): 445:21, [] MAC_Src: 00:21:1C:EE:14:00 (10:28:18.404 PDT) tcpslice 1366997203.411 1366997203.412 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 1.1 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/26/2013 10:26:43.411 PDT Gen. Time: 04/26/2013 10:30:45.616 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) 187.87.178.14 (10:26:43.411 PDT) event=777:7777005 {tcp} E5[bh] Detected moderate malware port scanning of 20 IPs (20 /24s) (# pkts S/M/O/I=0/20/0/0): 445:20, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (10:26:43.411 PDT) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 187.87.178.14 (2) (10:28:18.404 PDT) event=777:7777008 (2) {icmp} E8[bh] Detected intense malware port scanning of 21 IPs (21 /24s) (# pkts S/M/O/I=0/21/0/0): 445:21, [] MAC_Src: 00:21:1C:EE:14:00 (10:28:18.404 PDT) 0->0 (10:30:06.629 PDT) tcpslice 1366997203.411 1366997203.412 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/26/2013 10:33:23.513 PDT Gen. Time: 04/26/2013 10:33:23.513 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 187.87.178.14 (10:33:23.513 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 26 IPs (26 /24s) (# pkts S/M/O/I=0/26/0/0): 445:26, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (10:33:23.513 PDT) tcpslice 1366997603.513 1366997603.514 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/26/2013 10:33:23.513 PDT Gen. Time: 04/26/2013 10:37:23.664 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 187.87.178.14 (2) (10:33:23.513 PDT) event=777:7777008 (2) {tcp} E8[bh] Detected intense malware port scanning of 26 IPs (26 /24s) (# pkts S/M/O/I=0/26/0/0): 445:26, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (10:33:23.513 PDT) 0->0 (10:36:20.225 PDT) tcpslice 1366997603.513 1366997603.514 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/26/2013 10:39:38.676 PDT Gen. Time: 04/26/2013 10:39:38.676 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 187.87.178.14 (10:39:38.676 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 29 IPs (29 /24s) (# pkts S/M/O/I=0/29/0/0): 445:29, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (10:39:38.676 PDT) tcpslice 1366997978.676 1366997978.677 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/26/2013 10:39:38.676 PDT Gen. Time: 04/26/2013 10:43:38.063 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 187.87.178.14 (2) (10:39:38.676 PDT) event=777:7777008 (2) {tcp} E8[bh] Detected intense malware port scanning of 29 IPs (29 /24s) (# pkts S/M/O/I=0/29/0/0): 445:29, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (10:39:38.676 PDT) (10:42:54.625 PDT) tcpslice 1366997978.676 1366997978.677 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/26/2013 10:44:58.436 PDT Gen. Time: 04/26/2013 10:44:58.436 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 187.53.142.22 (10:44:58.436 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 34 IPs (34 /24s) (# pkts S/M/O/I=0/34/0/0): 445:34, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (10:44:58.436 PDT) tcpslice 1366998298.436 1366998298.437 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/26/2013 10:44:58.436 PDT Gen. Time: 04/26/2013 10:48:59.056 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 187.53.142.22 (2) (10:44:58.436 PDT) event=777:7777008 (2) {tcp} E8[bh] Detected intense malware port scanning of 34 IPs (34 /24s) (# pkts S/M/O/I=0/34/0/0): 445:34, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (10:44:58.436 PDT) 0->0 (10:47:08.632 PDT) tcpslice 1366998298.436 1366998298.437 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/26/2013 10:49:56.184 PDT Gen. Time: 04/26/2013 10:49:56.184 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 187.53.142.22 (10:49:56.184 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 38 IPs (38 /24s) (# pkts S/M/O/I=0/38/0/0): 445:38, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (10:49:56.184 PDT) tcpslice 1366998596.184 1366998596.185 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/26/2013 10:49:56.184 PDT Gen. Time: 04/26/2013 10:53:33.875 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 187.53.142.22 (2) (10:49:56.184 PDT) event=777:7777008 (2) {tcp} E8[bh] Detected intense malware port scanning of 38 IPs (38 /24s) (# pkts S/M/O/I=0/38/0/0): 445:38, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (10:49:56.184 PDT) (10:52:48.611 PDT) tcpslice 1366998596.184 1366998596.185 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/26/2013 10:55:28.680 PDT Gen. Time: 04/26/2013 10:55:28.680 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 187.53.142.22 (10:55:28.680 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 42 IPs (42 /24s) (# pkts S/M/O/I=0/42/0/0): 445:42, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (10:55:28.680 PDT) tcpslice 1366998928.680 1366998928.681 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/26/2013 10:55:28.680 PDT Gen. Time: 04/26/2013 10:59:29.274 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 187.53.142.22 (2) (10:55:28.680 PDT) event=777:7777008 (2) {tcp} E8[bh] Detected intense malware port scanning of 42 IPs (42 /24s) (# pkts S/M/O/I=0/42/0/0): 445:42, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (10:55:28.680 PDT) 0->0 (10:58:50.609 PDT) tcpslice 1366998928.680 1366998928.681 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/26/2013 11:01:52.650 PDT Gen. Time: 04/26/2013 11:01:52.650 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 187.53.142.22 (11:01:52.650 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 46 IPs (46 /24s) (# pkts S/M/O/I=0/46/0/0): 445:46, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (11:01:52.650 PDT) tcpslice 1366999312.650 1366999312.651 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/26/2013 11:01:52.650 PDT Gen. Time: 04/26/2013 11:05:52.849 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 187.53.142.22 (3) (11:01:52.650 PDT) event=777:7777008 (3) {tcp} E8[bh] Detected intense malware port scanning of 46 IPs (46 /24s) (# pkts S/M/O/I=0/46/0/0): 445:46, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (11:01:52.650 PDT) 0->0 (11:03:33.312 PDT) 0->0 (11:05:15.045 PDT) tcpslice 1366999312.650 1366999312.651 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/26/2013 11:09:00.160 PDT Gen. Time: 04/26/2013 11:09:00.160 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 187.53.142.22 (11:09:00.160 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 55 IPs (55 /24s) (# pkts S/M/O/I=0/55/0/0): 445:55, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (11:09:00.160 PDT) tcpslice 1366999740.160 1366999740.161 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/26/2013 11:09:00.160 PDT Gen. Time: 04/26/2013 11:13:00.431 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 187.53.142.22 (2) (11:09:00.160 PDT) event=777:7777008 (2) {tcp} E8[bh] Detected intense malware port scanning of 55 IPs (55 /24s) (# pkts S/M/O/I=0/55/0/0): 445:55, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (11:09:00.160 PDT) (11:12:36.634 PDT) tcpslice 1366999740.160 1366999740.161 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/26/2013 11:14:19.112 PDT Gen. Time: 04/26/2013 11:14:19.112 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 187.53.142.22 (11:14:19.112 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 60 IPs (60 /24s) (# pkts S/M/O/I=0/60/0/0): 445:60, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (11:14:19.112 PDT) tcpslice 1367000059.112 1367000059.113 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/26/2013 11:14:19.112 PDT Gen. Time: 04/26/2013 11:18:20.303 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 187.53.142.22 (2) (11:14:19.112 PDT) event=777:7777008 (2) {tcp} E8[bh] Detected intense malware port scanning of 60 IPs (60 /24s) (# pkts S/M/O/I=0/60/0/0): 445:60, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (11:14:19.112 PDT) 0->0 (11:16:44.736 PDT) tcpslice 1367000059.112 1367000059.113 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/26/2013 11:18:33.611 PDT Gen. Time: 04/26/2013 11:18:33.611 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 187.53.142.22 (11:18:33.611 PDT) event=777:7777008 {icmp} E8[bh] Detected intense malware port scanning of 63 IPs (63 /24s) (# pkts S/M/O/I=0/63/0/0): 445:63, [] MAC_Src: 00:21:1C:EE:14:00 (11:18:33.611 PDT) tcpslice 1367000313.611 1367000313.612 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/26/2013 11:18:33.611 PDT Gen. Time: 04/26/2013 11:22:35.621 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 187.53.142.22 (3) (11:18:33.611 PDT) event=777:7777008 (3) {icmp} E8[bh] Detected intense malware port scanning of 63 IPs (63 /24s) (# pkts S/M/O/I=0/63/0/0): 445:63, [] MAC_Src: 00:21:1C:EE:14:00 (11:18:33.611 PDT) 0->0 (11:20:08.448 PDT) 0->0 (11:22:04.598 PDT) tcpslice 1367000313.611 1367000313.612 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/26/2013 11:23:49.035 PDT Gen. Time: 04/26/2013 11:23:49.035 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 187.53.142.22 (11:23:49.035 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 68 IPs (68 /24s) (# pkts S/M/O/I=0/68/0/0): 445:68, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (11:23:49.035 PDT) tcpslice 1367000629.035 1367000629.036 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/26/2013 11:25:53.827 PDT Gen. Time: 04/26/2013 11:25:53.827 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 187.53.142.22 (11:25:53.827 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 71 IPs (71 /24s) (# pkts S/M/O/I=0/71/0/0): 445:71, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (11:25:53.827 PDT) tcpslice 1367000753.827 1367000753.828 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/26/2013 11:25:53.827 PDT Gen. Time: 04/26/2013 11:29:38.826 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 187.53.142.22 (2) (11:25:53.827 PDT) event=777:7777008 (2) {tcp} E8[bh] Detected intense malware port scanning of 71 IPs (71 /24s) (# pkts S/M/O/I=0/71/0/0): 445:71, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (11:25:53.827 PDT) (11:28:03.142 PDT) tcpslice 1367000753.827 1367000753.828 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 1.1 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/26/2013 11:48:10.107 PDT Gen. Time: 04/26/2013 11:50:13.859 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) 190.67.123.69 (11:48:10.107 PDT) event=777:7777005 {tcp} E5[bh] Detected moderate malware port scanning of 18 IPs (18 /24s) (# pkts S/M/O/I=0/18/0/0): 445:18, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (11:48:10.107 PDT) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 190.67.123.69 (11:50:13.859 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 21 IPs (21 /24s) (# pkts S/M/O/I=0/21/0/0): 445:21, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (11:50:13.859 PDT) tcpslice 1367002090.107 1367002090.108 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 1.1 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/26/2013 11:48:10.107 PDT Gen. Time: 04/26/2013 11:52:26.097 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) 190.67.123.69 (11:48:10.107 PDT) event=777:7777005 {tcp} E5[bh] Detected moderate malware port scanning of 18 IPs (18 /24s) (# pkts S/M/O/I=0/18/0/0): 445:18, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (11:48:10.107 PDT) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 190.67.123.69 (2) (11:50:13.859 PDT) event=777:7777008 (2) {tcp} E8[bh] Detected intense malware port scanning of 21 IPs (21 /24s) (# pkts S/M/O/I=0/21/0/0): 445:21, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (11:50:13.859 PDT) (11:52:26.097 PDT) tcpslice 1367002090.107 1367002090.108 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/26/2013 11:54:36.936 PDT Gen. Time: 04/26/2013 11:54:36.936 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 190.67.123.69 (11:54:36.936 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 26 IPs (26 /24s) (# pkts S/M/O/I=0/26/0/0): 445:26, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (11:54:36.936 PDT) tcpslice 1367002476.936 1367002476.937 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/26/2013 11:54:36.936 PDT Gen. Time: 04/26/2013 11:58:17.386 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 190.67.123.69 (2) (11:54:36.936 PDT) event=777:7777008 (2) {tcp} E8[bh] Detected intense malware port scanning of 26 IPs (26 /24s) (# pkts S/M/O/I=0/26/0/0): 445:26, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (11:54:36.936 PDT) 0->0 (11:56:24.574 PDT) tcpslice 1367002476.936 1367002476.937 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/26/2013 11:58:58.067 PDT Gen. Time: 04/26/2013 11:58:58.067 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 190.67.123.69 (11:58:58.067 PDT) event=777:7777008 {icmp} E8[bh] Detected intense malware port scanning of 29 IPs (29 /24s) (# pkts S/M/O/I=0/29/0/0): 445:29, [] MAC_Src: 00:21:1C:EE:14:00 (11:58:58.067 PDT) tcpslice 1367002738.067 1367002738.068 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/26/2013 11:58:58.067 PDT Gen. Time: 04/26/2013 12:02:58.541 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 190.67.123.69 (2) (11:58:58.067 PDT) event=777:7777008 (2) {icmp} E8[bh] Detected intense malware port scanning of 29 IPs (29 /24s) (# pkts S/M/O/I=0/29/0/0): 445:29, [] MAC_Src: 00:21:1C:EE:14:00 (11:58:58.067 PDT) 0->0 (12:01:48.962 PDT) tcpslice 1367002738.067 1367002738.068 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/26/2013 12:04:05.471 PDT Gen. Time: 04/26/2013 12:04:05.471 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 190.67.123.69 (12:04:05.471 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 32 IPs (32 /24s) (# pkts S/M/O/I=0/32/0/0): 445:32, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (12:04:05.471 PDT) tcpslice 1367003045.471 1367003045.472 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/26/2013 12:04:05.471 PDT Gen. Time: 04/26/2013 12:08:07.133 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 190.67.123.69 (3) (12:04:05.471 PDT) event=777:7777008 (3) {tcp} E8[bh] Detected intense malware port scanning of 32 IPs (32 /24s) (# pkts S/M/O/I=0/32/0/0): 445:32, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (12:04:05.471 PDT) 0->0 (12:05:49.650 PDT) 0->0 (12:07:29.640 PDT) tcpslice 1367003045.471 1367003045.472 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/26/2013 12:09:34.615 PDT Gen. Time: 04/26/2013 12:09:34.615 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 190.67.123.69 (12:09:34.615 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 37 IPs (37 /24s) (# pkts S/M/O/I=0/37/0/0): 445:37, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (12:09:34.615 PDT) tcpslice 1367003374.615 1367003374.616 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/26/2013 12:09:34.615 PDT Gen. Time: 04/26/2013 12:13:36.096 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 190.67.123.69 (12:09:34.615 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 37 IPs (37 /24s) (# pkts S/M/O/I=0/37/0/0): 445:37, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (12:09:34.615 PDT) 187.49.238.36 (12:12:39.098 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 41 IPs (41 /24s) (# pkts S/M/O/I=0/41/0/0): 445:41, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (12:12:39.098 PDT) tcpslice 1367003374.615 1367003374.616 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/26/2013 12:18:35.600 PDT Gen. Time: 04/26/2013 12:18:35.600 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 187.49.238.36 (12:18:35.600 PDT) event=777:7777008 {icmp} E8[bh] Detected intense malware port scanning of 43 IPs (43 /24s) (# pkts S/M/O/I=0/43/0/0): 445:43, [] MAC_Src: 00:21:1C:EE:14:00 (12:18:35.600 PDT) tcpslice 1367003915.600 1367003915.601 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/26/2013 12:18:35.600 PDT Gen. Time: 04/26/2013 12:22:37.626 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 187.49.238.36 (2) (12:18:35.600 PDT) event=777:7777008 (2) {icmp} E8[bh] Detected intense malware port scanning of 43 IPs (43 /24s) (# pkts S/M/O/I=0/43/0/0): 445:43, [] MAC_Src: 00:21:1C:EE:14:00 (12:18:35.600 PDT) (12:20:41.358 PDT) tcpslice 1367003915.600 1367003915.601 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/26/2013 12:23:45.532 PDT Gen. Time: 04/26/2013 12:23:45.532 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 187.49.238.36 (12:23:45.532 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 50 IPs (50 /24s) (# pkts S/M/O/I=0/50/0/0): 445:50, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (12:23:45.532 PDT) tcpslice 1367004225.532 1367004225.533 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/26/2013 12:23:45.532 PDT Gen. Time: 04/26/2013 12:27:45.709 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 187.49.238.36 (2) (12:23:45.532 PDT) event=777:7777008 (2) {tcp} E8[bh] Detected intense malware port scanning of 50 IPs (50 /24s) (# pkts S/M/O/I=0/50/0/0): 445:50, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (12:23:45.532 PDT) (12:26:19.530 PDT) tcpslice 1367004225.532 1367004225.533 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/26/2013 12:28:24.178 PDT Gen. Time: 04/26/2013 12:28:24.178 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 187.49.238.36 (12:28:24.178 PDT) event=777:7777008 {icmp} E8[bh] Detected intense malware port scanning of 57 IPs (57 /24s) (# pkts S/M/O/I=0/57/0/0): 445:57, [] MAC_Src: 00:21:1C:EE:14:00 (12:28:24.178 PDT) tcpslice 1367004504.178 1367004504.179 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/26/2013 12:28:24.178 PDT Gen. Time: 04/26/2013 12:32:26.617 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 187.49.238.36 (2) (12:28:24.178 PDT) event=777:7777008 (2) {icmp} E8[bh] Detected intense malware port scanning of 57 IPs (57 /24s) (# pkts S/M/O/I=0/57/0/0): 445:57, [] MAC_Src: 00:21:1C:EE:14:00 (12:28:24.178 PDT) (12:32:14.533 PDT) tcpslice 1367004504.178 1367004504.179 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/26/2013 12:34:33.541 PDT Gen. Time: 04/26/2013 12:34:33.541 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 187.49.238.36 (12:34:33.541 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 62 IPs (62 /24s) (# pkts S/M/O/I=0/62/0/0): 445:62, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (12:34:33.541 PDT) tcpslice 1367004873.541 1367004873.542 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/26/2013 12:34:33.541 PDT Gen. Time: 04/26/2013 12:38:35.963 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 187.49.238.36 (3) (12:34:33.541 PDT) event=777:7777008 (3) {tcp} E8[bh] Detected intense malware port scanning of 62 IPs (62 /24s) (# pkts S/M/O/I=0/62/0/0): 445:62, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (12:34:33.541 PDT) (12:36:40.578 PDT) (12:38:18.190 PDT) tcpslice 1367004873.541 1367004873.542 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/26/2013 12:39:49.596 PDT Gen. Time: 04/26/2013 12:39:49.596 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 187.49.238.36 (12:39:49.596 PDT) event=777:7777008 {icmp} E8[bh] Detected intense malware port scanning of 74 IPs (74 /24s) (# pkts S/M/O/I=0/74/0/0): 445:74, [] MAC_Src: 00:21:1C:EE:14:00 (12:39:49.596 PDT) tcpslice 1367005189.596 1367005189.597 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/26/2013 12:39:49.596 PDT Gen. Time: 04/26/2013 12:43:50.045 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 187.49.238.36 (2) (12:39:49.596 PDT) event=777:7777008 (2) {icmp} E8[bh] Detected intense malware port scanning of 74 IPs (74 /24s) (# pkts S/M/O/I=0/74/0/0): 445:74, [] MAC_Src: 00:21:1C:EE:14:00 (12:39:49.596 PDT) (12:42:02.772 PDT) tcpslice 1367005189.596 1367005189.597 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/26/2013 12:43:50.554 PDT Gen. Time: 04/26/2013 12:43:50.554 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 187.49.238.36 (12:43:50.554 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 79 IPs (78 /24s) (# pkts S/M/O/I=0/79/0/0): 445:79, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (12:43:50.554 PDT) tcpslice 1367005430.554 1367005430.555 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/26/2013 12:43:50.554 PDT Gen. Time: 04/26/2013 12:47:30.827 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 187.49.238.36 (2) (12:43:50.554 PDT) event=777:7777008 (2) {tcp} E8[bh] Detected intense malware port scanning of 79 IPs (78 /24s) (# pkts S/M/O/I=0/79/0/0): 445:79, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (12:43:50.554 PDT) (12:47:22.591 PDT) tcpslice 1367005430.554 1367005430.555 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/26/2013 12:48:59.565 PDT Gen. Time: 04/26/2013 12:48:59.565 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 187.49.238.36 (12:48:59.565 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 82 IPs (81 /24s) (# pkts S/M/O/I=0/82/0/0): 445:82, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (12:48:59.565 PDT) tcpslice 1367005739.565 1367005739.566 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/26/2013 12:48:59.565 PDT Gen. Time: 04/26/2013 12:52:59.923 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 187.49.238.36 (3) (12:48:59.565 PDT) event=777:7777008 (3) {tcp} E8[bh] Detected intense malware port scanning of 82 IPs (81 /24s) (# pkts S/M/O/I=0/82/0/0): 445:82, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (12:48:59.565 PDT) 0->0 (12:50:29.516 PDT) 0->0 (12:52:09.667 PDT) tcpslice 1367005739.565 1367005739.566 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/26/2013 12:56:38.640 PDT Gen. Time: 04/26/2013 12:56:38.640 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 187.49.238.36 (12:56:38.640 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 87 IPs (86 /24s) (# pkts S/M/O/I=0/87/0/0): 445:87, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (12:56:38.640 PDT) tcpslice 1367006198.640 1367006198.641 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/26/2013 12:56:38.640 PDT Gen. Time: 04/26/2013 13:00:15.065 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 187.49.238.36 (2) (12:56:38.640 PDT) event=777:7777008 (2) {tcp} E8[bh] Detected intense malware port scanning of 87 IPs (86 /24s) (# pkts S/M/O/I=0/87/0/0): 445:87, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (12:56:38.640 PDT) 0->0 (12:59:12.629 PDT) tcpslice 1367006198.640 1367006198.641 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/26/2013 13:04:16.602 PDT Gen. Time: 04/26/2013 13:04:16.602 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 201.66.30.80 (13:04:16.602 PDT) event=777:7777008 {icmp} E8[bh] Detected intense malware port scanning of 98 IPs (97 /24s) (# pkts S/M/O/I=0/98/0/0): 445:98, [] MAC_Src: 00:21:1C:EE:14:00 (13:04:16.602 PDT) tcpslice 1367006656.602 1367006656.603 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/26/2013 13:04:16.602 PDT Gen. Time: 04/26/2013 13:08:17.961 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 201.66.30.80 (2) (13:04:16.602 PDT) event=777:7777008 (2) {icmp} E8[bh] Detected intense malware port scanning of 98 IPs (97 /24s) (# pkts S/M/O/I=0/98/0/0): 445:98, [] MAC_Src: 00:21:1C:EE:14:00 (13:04:16.602 PDT) 0->0 (13:06:41.164 PDT) tcpslice 1367006656.602 1367006656.603 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/26/2013 13:08:35.575 PDT Gen. Time: 04/26/2013 13:08:35.575 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 201.66.30.80 (13:08:35.575 PDT) event=777:7777008 {icmp} E8[bh] Detected intense malware port scanning of 103 IPs (102 /24s) (# pkts S/M/O/I=0/103/0/0): 445:103, [] MAC_Src: 00:21:1C:EE:14:00 (13:08:35.575 PDT) tcpslice 1367006915.575 1367006915.576 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/26/2013 13:08:35.575 PDT Gen. Time: 04/26/2013 13:12:37.598 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 201.66.30.80 (3) (13:08:35.575 PDT) event=777:7777008 (3) {icmp} E8[bh] Detected intense malware port scanning of 103 IPs (102 /24s) (# pkts S/M/O/I=0/103/0/0): 445:103, [] MAC_Src: 00:21:1C:EE:14:00 (13:08:35.575 PDT) (13:10:13.507 PDT) 0->0 (13:11:51.077 PDT) tcpslice 1367006915.575 1367006915.576 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/26/2013 13:14:37.661 PDT Gen. Time: 04/26/2013 13:14:37.661 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 201.66.30.80 (13:14:37.661 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 113 IPs (112 /24s) (# pkts S/M/O/I=0/113/0/0): 445:113, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (13:14:37.661 PDT) tcpslice 1367007277.661 1367007277.662 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/26/2013 13:14:37.661 PDT Gen. Time: 04/26/2013 13:18:38.455 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 201.66.30.80 (3) (13:14:37.661 PDT) event=777:7777008 (3) {tcp} E8[bh] Detected intense malware port scanning of 113 IPs (112 /24s) (# pkts S/M/O/I=0/113/0/0): 445:113, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (13:14:37.661 PDT) 0->0 (13:16:08.141 PDT) 0->0 (13:17:58.477 PDT) tcpslice 1367007277.661 1367007277.662 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/26/2013 13:21:45.480 PDT Gen. Time: 04/26/2013 13:21:45.480 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 201.66.30.80 (13:21:45.480 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 122 IPs (121 /24s) (# pkts S/M/O/I=0/122/0/0): 445:122, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (13:21:45.480 PDT) tcpslice 1367007705.480 1367007705.481 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/26/2013 13:21:45.480 PDT Gen. Time: 04/26/2013 13:25:46.540 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 201.66.30.80 (3) (13:21:45.480 PDT) event=777:7777008 (3) {tcp} E8[bh] Detected intense malware port scanning of 122 IPs (121 /24s) (# pkts S/M/O/I=0/122/0/0): 445:122, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (13:21:45.480 PDT) 0->0 (13:23:40.443 PDT) 0->0 (13:25:17.519 PDT) tcpslice 1367007705.480 1367007705.481 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/26/2013 13:28:06.485 PDT Gen. Time: 04/26/2013 13:28:06.485 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 201.66.30.80 (13:28:06.485 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 128 IPs (127 /24s) (# pkts S/M/O/I=0/128/0/0): 445:128, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (13:28:06.485 PDT) tcpslice 1367008086.485 1367008086.486 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/26/2013 13:28:06.485 PDT Gen. Time: 04/26/2013 13:32:07.666 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 201.66.30.80 (2) (13:28:06.485 PDT) event=777:7777008 (2) {tcp} E8[bh] Detected intense malware port scanning of 128 IPs (127 /24s) (# pkts S/M/O/I=0/128/0/0): 445:128, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (13:28:06.485 PDT) 0->0 (13:30:47.853 PDT) tcpslice 1367008086.485 1367008086.486 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/26/2013 13:32:42.522 PDT Gen. Time: 04/26/2013 13:32:42.522 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 201.66.30.80 (13:32:42.522 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 130 IPs (129 /24s) (# pkts S/M/O/I=0/130/0/0): 445:130, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (13:32:42.522 PDT) tcpslice 1367008362.522 1367008362.523 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/26/2013 13:32:42.522 PDT Gen. Time: 04/26/2013 13:36:43.302 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 201.66.30.80 (3) (13:32:42.522 PDT) event=777:7777008 (3) {tcp} E8[bh] Detected intense malware port scanning of 130 IPs (129 /24s) (# pkts S/M/O/I=0/130/0/0): 445:130, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (13:32:42.522 PDT) 0->0 (13:34:15.012 PDT) 0->0 (13:36:02.461 PDT) tcpslice 1367008362.522 1367008362.523 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/26/2013 13:38:04.010 PDT Gen. Time: 04/26/2013 13:38:04.010 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 201.66.30.80 (13:38:04.010 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 138 IPs (136 /24s) (# pkts S/M/O/I=0/138/0/0): 445:138, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (13:38:04.010 PDT) tcpslice 1367008684.010 1367008684.011 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/26/2013 15:56:10.915 PDT Gen. Time: 04/26/2013 15:56:10.915 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 190.9.189.106 (15:56:10.915 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 21 IPs (21 /24s) (# pkts S/M/O/I=0/21/0/0): 445:21, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (15:56:10.915 PDT) tcpslice 1367016970.915 1367016970.916 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/26/2013 16:03:45.807 PDT Gen. Time: 04/26/2013 16:03:45.807 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 190.9.189.106 (16:03:45.807 PDT) event=777:7777008 {icmp} E8[bh] Detected intense malware port scanning of 24 IPs (24 /24s) (# pkts S/M/O/I=0/24/0/0): 445:24, [] MAC_Src: 00:21:1C:EE:14:00 (16:03:45.807 PDT) tcpslice 1367017425.807 1367017425.808 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/26/2013 16:09:13.349 PDT Gen. Time: 04/26/2013 16:09:13.349 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 190.9.189.106 (16:09:13.349 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 27 IPs (27 /24s) (# pkts S/M/O/I=0/27/0/0): 445:27, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (16:09:13.349 PDT) tcpslice 1367017753.349 1367017753.350 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/26/2013 16:09:13.349 PDT Gen. Time: 04/26/2013 16:13:13.422 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 190.9.189.106 (2) (16:09:13.349 PDT) event=777:7777008 (2) {tcp} E8[bh] Detected intense malware port scanning of 27 IPs (27 /24s) (# pkts S/M/O/I=0/27/0/0): 445:27, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (16:09:13.349 PDT) 0->0 (16:11:02.894 PDT) tcpslice 1367017753.349 1367017753.350 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/26/2013 16:15:17.882 PDT Gen. Time: 04/26/2013 16:15:17.882 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 190.9.189.106 (16:15:17.882 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 30 IPs (30 /24s) (# pkts S/M/O/I=0/30/0/0): 445:30, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (16:15:17.882 PDT) tcpslice 1367018117.882 1367018117.883 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/26/2013 16:15:17.882 PDT Gen. Time: 04/26/2013 16:19:18.063 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 190.9.189.106 (2) (16:15:17.882 PDT) event=777:7777008 (2) {tcp} E8[bh] Detected intense malware port scanning of 30 IPs (30 /24s) (# pkts S/M/O/I=0/30/0/0): 445:30, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (16:15:17.882 PDT) 0->0 (16:18:31.196 PDT) tcpslice 1367018117.882 1367018117.883 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/26/2013 18:22:28.987 PDT Gen. Time: 04/26/2013 18:22:28.987 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 190.109.182.57 (18:22:28.987 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 21 IPs (20 /24s) (# pkts S/M/O/I=0/21/0/0): 445:21, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (18:22:28.987 PDT) tcpslice 1367025748.987 1367025748.988 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 1.1 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/26/2013 19:06:41.131 PDT Gen. Time: 04/26/2013 19:07:08.500 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) 186.0.84.3 (19:06:41.131 PDT) event=777:7777005 {tcp} E5[bh] Detected moderate malware port scanning of 19 IPs (19 /24s) (# pkts S/M/O/I=0/19/0/0): 445:19, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (19:06:41.131 PDT) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 186.42.145.57 (19:07:08.500 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 21 IPs (21 /24s) (# pkts S/M/O/I=0/21/0/0): 445:21, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (19:07:08.500 PDT) tcpslice 1367028401.131 1367028401.132 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 1.1 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/26/2013 19:06:41.131 PDT Gen. Time: 04/26/2013 19:10:41.264 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) 186.0.84.3 (19:06:41.131 PDT) event=777:7777005 {tcp} E5[bh] Detected moderate malware port scanning of 19 IPs (19 /24s) (# pkts S/M/O/I=0/19/0/0): 445:19, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (19:06:41.131 PDT) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 186.42.145.57 (3) (19:07:08.500 PDT) event=777:7777008 (3) {tcp} E8[bh] Detected intense malware port scanning of 21 IPs (21 /24s) (# pkts S/M/O/I=0/21/0/0): 445:21, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (19:07:08.500 PDT) 0->0 (19:08:45.190 PDT) 0->0 (19:10:15.928 PDT) tcpslice 1367028401.131 1367028401.132 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/26/2013 19:11:51.156 PDT Gen. Time: 04/26/2013 19:11:51.156 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 186.42.145.57 (19:11:51.156 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 25 IPs (25 /24s) (# pkts S/M/O/I=0/25/0/0): 445:25, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (19:11:51.156 PDT) tcpslice 1367028711.156 1367028711.157 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/26/2013 19:11:51.156 PDT Gen. Time: 04/26/2013 19:15:51.555 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 186.42.145.57 (2) (19:11:51.156 PDT) event=777:7777008 (2) {tcp} E8[bh] Detected intense malware port scanning of 25 IPs (25 /24s) (# pkts S/M/O/I=0/25/0/0): 445:25, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (19:11:51.156 PDT) (19:15:19.000 PDT) tcpslice 1367028711.156 1367028711.157 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================