Score: 1.0 (>= 0.8)
Infected Target: 192.168.1.14
Infector List:
Egg Source List:
C & C List: 108.59.8.70
Peer Coord. List:
Resource List:
Observed Start: 04/28/2013 01:00:44.872 PDT
Gen. Time: 04/28/2013 01:01:32.707 PDT
   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
        108.59.8.70 (01:01:32.707 PDT)
        event=1:2002033 {tcp} E4[rb] ET TROJAN BOT - potential response, []
        MAC_Src: 00:01:64:FF:CE:EA
        80->40261 (01:01:32.707 PDT)
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
        108.59.8.70 (8) (01:00:44.872 PDT)
        event=1:552123 (8) {tcp} E5[rb] REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner, []
        MAC_Src: 00:01:64:FF:CE:EA
        80->59989 (01:00:44.872 PDT)
        80->60856 (01:00:49.515 PDT)
        80->33106 (01:00:51.954 PDT)
        80->33558 (01:00:54.174 PDT)
        80->36462 (01:01:11.048 PDT)
        80->36987 (01:01:13.703 PDT)
        80->37516 (01:01:16.843 PDT)
        80->38961 (01:01:25.200 PDT)
   ATTACK PREP
   PEER COORDINATION
   Info PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
   DECLARE BOT Local Threat Triggered
   DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1367136044.872 1367136044.873 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.14'

============================== SEPARATOR ================================

Score: 1.0 (>= 0.8)
Infected Target: 192.168.1.14
Infector List:
Egg Source List:
C & C List: 108.59.8.70 (9)
Peer Coord. List:
Resource List:
Observed Start: 04/28/2013 01:00:44.872 PDT
Gen. Time: 04/28/2013 01:05:47.447 PDT
   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
        108.59.8.70 (9) (01:01:32.707 PDT-01:01:32.708 PDT)
        event=1:2002033 (9) {tcp} E4[rb] ET TROJAN BOT - potential response, []
        MAC_Src: 00:01:64:FF:CE:EA
        9: 80->40261 (01:01:32.707 PDT-01:01:32.708 PDT)
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
        108.59.8.70 (12) (01:00:44.872 PDT)
        event=1:552123 (12) {tcp} E5[rb] REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner, []
        MAC_Src: 00:01:64:FF:CE:EA
        80->59989 (01:00:44.872 PDT)
        80->60856 (01:00:49.515 PDT)
        80->33106 (01:00:51.954 PDT)
        80->33558 (01:00:54.174 PDT)
        80->36462 (01:01:11.048 PDT)
        80->36987 (01:01:13.703 PDT)
        80->37516 (01:01:16.843 PDT)
        80->38961 (01:01:25.200 PDT)
        80->42261 (01:01:43.381 PDT)
        80->42909 (01:01:46.882 PDT)
        80->43633 (01:01:50.599 PDT)
        80->44388 (01:01:54.262 PDT)
   ATTACK PREP
   PEER COORDINATION
   Info PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
   DECLARE BOT Local Threat Triggered
   DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1367136044.872 1367136092.709 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.14'

============================== SEPARATOR ================================

Score: 1.0 (>= 0.8)
Infected Target: 192.168.1.14
Infector List:
Egg Source List:
C & C List: 91.121.24.97
Peer Coord. List:
Resource List:
Observed Start: 04/28/2013 18:19:20.630 PDT
Gen. Time: 04/28/2013 18:19:31.917 PDT
   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
        91.121.24.97 (18:19:31.917 PDT)
        event=1:2002033 {tcp} E4[rb] ET TROJAN BOT - potential response, []
        MAC_Src: 00:01:64:FF:CE:EA
        80->43073 (18:19:31.917 PDT)
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
        91.121.24.97 (4) (18:19:20.630 PDT)
        event=1:552123 (4) {tcp} E5[rb] REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner, []
        MAC_Src: 00:01:64:FF:CE:EA
        80->40471 (18:19:20.630 PDT)
        80->40959 (18:19:22.596 PDT)
        80->41389 (18:19:24.487 PDT)
        80->42199 (18:19:27.895 PDT)
   ATTACK PREP
   PEER COORDINATION
   Info PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
   DECLARE BOT Local Threat Triggered
   DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1367198360.630 1367198360.631 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.14'

============================== SEPARATOR ================================

Score: 1.0 (>= 0.8)
Infected Target: 192.168.1.14
Infector List:
Egg Source List:
C & C List: 91.121.24.97 (9)
Peer Coord. List:
Resource List:
Observed Start: 04/28/2013 18:19:20.630 PDT
Gen. Time: 04/28/2013 18:22:31.237 PDT
   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
        91.121.24.97 (9) (18:19:31.917 PDT-18:19:32.064 PDT)
        event=1:2002033 (9) {tcp} E4[rb] ET TROJAN BOT - potential response, []
        MAC_Src: 00:01:64:FF:CE:EA
        9: 80->43073 (18:19:31.917 PDT-18:19:32.064 PDT)
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
        91.121.24.97 (5) (18:19:20.630 PDT)
        event=1:552123 (5) {tcp} E5[rb] REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner, []
        MAC_Src: 00:01:64:FF:CE:EA
        80->40471 (18:19:20.630 PDT)
        80->40959 (18:19:22.596 PDT)
        80->41389 (18:19:24.487 PDT)
        80->42199 (18:19:27.895 PDT)
        80->44449 (18:19:36.923 PDT)
   ATTACK PREP
   PEER COORDINATION
   Info PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
   DECLARE BOT Local Threat Triggered
   DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1367198360.630 1367198372.065 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.14'

============================== SEPARATOR ================================