Score: 1.6 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/27/2013 23:54:47.873 PDT Gen. Time: 04/28/2013 00:02:03.349 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) 128.111.52.58 (23:55:33.781 PDT) event=777:7777005 {tcp} E5[bh] Detected moderate malware port scanning of 10 IPs (10 /24s) (# pkts S/M/O/I=0/10/0/0): 22:10, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (23:55:33.781 PDT) OUTBOUND SCAN 128.111.52.58 (2) (23:55:31.224 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 41219->22 (23:55:31.224 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 41219->22 (23:55:31.224 PDT) 152.14.93.140 (23:55:59.045 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 50087->22 (23:55:59.045 PDT) 131.179.150.70 (23:55:33.400 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 35345->22 (23:55:33.400 PDT) 13.7.64.22 (23:56:02.668 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 51137->22 (23:56:02.668 PDT) 158.130.6.254 (23:55:00.296 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 60038->22 (23:55:00.296 PDT) 128.42.142.45 (23:54:47.873 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 40574->22 (23:54:47.873 PDT) 192.52.240.214 (2) (23:55:07.567 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 56032->22 (23:55:07.567 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 56032->22 (23:55:07.567 PDT) 204.123.28.56 (23:54:50.694 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 33249->22 (23:54:50.694 PDT) 204.8.155.227 (23:55:22.233 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 56463->22 (23:55:22.233 PDT) 129.82.12.188 (23:55:38.574 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 44306->22 (23:55:38.574 PDT) 141.212.113.180 (23:55:28.447 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 54341->22 (23:55:28.447 PDT) 152.3.138.7 (23:55:14.715 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 50144->22 (23:55:14.715 PDT) 141.212.113.179 (2) (23:55:52.393 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 39202->22 (23:55:52.393 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 39202->22 (23:55:52.393 PDT) 152.3.138.6 (23:55:45.773 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 36934->22 (23:55:45.773 PDT) ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 128.111.52.59 (23:56:43.940 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 21 IPs (16 /24s) (# pkts S/M/O/I=0/21/0/0): 22:21, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (23:56:43.940 PDT) 131.193.34.38 (2) (23:58:13.139 PDT) event=777:7777008 (2) {tcp} E8[bh] Detected intense malware port scanning of 34 IPs (23 /24s) (# pkts S/M/O/I=0/34/0/0): 22:34, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (23:58:13.139 PDT) 0->0 (00:01:19.049 PDT) tcpslice 1367132087.873 1367132087.874 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/28/2013 00:02:49.798 PDT Gen. Time: 04/28/2013 00:02:49.798 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 131.193.34.38 (00:02:49.798 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 42 IPs (27 /24s) (# pkts S/M/O/I=0/41/1/0): 22:41, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (00:02:49.798 PDT) tcpslice 1367132569.798 1367132569.799 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/28/2013 00:12:56.650 PDT Gen. Time: 04/28/2013 00:12:56.650 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 131.193.34.38 (00:12:56.650 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 43 IPs (27 /24s) (# pkts S/M/O/I=0/42/1/0): 22:42, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (00:12:56.650 PDT) tcpslice 1367133176.650 1367133176.651 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' ============================== SEPARATOR ================================ Score: 1.3 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/28/2013 00:12:56.650 PDT Gen. Time: 04/28/2013 00:22:46.657 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN 128.111.52.58 (2) (00:14:59.881 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 41434->22 (00:14:59.881 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 41434->22 (00:14:59.881 PDT) 128.208.4.197 (00:15:34.596 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 37003->22 (00:15:34.596 PDT) 152.14.93.140 (2) (00:15:24.989 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 50297->22 (00:15:24.989 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 50297->22 (00:15:24.989 PDT) 13.7.64.22 (00:15:31.593 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 51347->22 (00:15:31.593 PDT) 158.130.6.254 (00:14:26.179 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 60253->22 (00:14:26.179 PDT) 128.42.142.45 (00:14:11.031 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 40789->22 (00:14:11.031 PDT) 192.52.240.214 (2) (00:14:33.467 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 56247->22 (00:14:33.467 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 56247->22 (00:14:33.467 PDT) 204.123.28.56 (00:14:13.947 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 33464->22 (00:14:13.947 PDT) 204.8.155.227 (00:14:50.370 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 56678->22 (00:14:50.370 PDT) 129.82.12.188 (00:15:01.995 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 44516->22 (00:15:01.995 PDT) 141.212.113.180 (00:14:56.948 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 54556->22 (00:14:56.948 PDT) 152.3.138.7 (00:14:42.744 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 50359->22 (00:14:42.744 PDT) 141.212.113.179 (00:15:18.626 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 39412->22 (00:15:18.626 PDT) 152.3.138.6 (00:15:10.621 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 37144->22 (00:15:10.621 PDT) ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 131.193.34.38 (5) (00:12:56.650 PDT-00:19:08.260 PDT) event=777:7777008 (5) {tcp} E8[bh] Detected intense malware port scanning of 43 IPs (27 /24s) (# pkts S/M/O/I=0/42/1/0): 22:42, [] MAC_Src: 00:01:64:FF:CE:EA 5: 0->0 (00:12:56.650 PDT-00:19:08.260 PDT) tcpslice 1367133176.650 1367133548.261 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/28/2013 00:25:48.880 PDT Gen. Time: 04/28/2013 00:25:48.880 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 131.193.34.38 (00:25:48.880 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 43 IPs (27 /24s) (# pkts S/M/O/I=0/42/1/0): 22:42, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (00:25:48.880 PDT) tcpslice 1367133948.880 1367133948.881 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/28/2013 00:25:48.880 PDT Gen. Time: 04/28/2013 00:28:51.004 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 131.193.34.38 (2) (00:25:48.880 PDT) event=777:7777008 (2) {tcp} E8[bh] Detected intense malware port scanning of 43 IPs (27 /24s) (# pkts S/M/O/I=0/42/1/0): 22:42, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (00:25:48.880 PDT) 0->0 (00:28:25.807 PDT) tcpslice 1367133948.880 1367133948.881 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/28/2013 00:33:39.551 PDT Gen. Time: 04/28/2013 00:33:39.551 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 131.193.34.38 (00:33:39.551 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 44 IPs (28 /24s) (# pkts S/M/O/I=0/42/2/0): 22:42, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (00:33:39.551 PDT) tcpslice 1367134419.551 1367134419.552 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' ============================== SEPARATOR ================================ Score: 1.3 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/28/2013 00:33:39.551 PDT Gen. Time: 04/28/2013 00:43:23.034 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN 128.111.52.58 (00:35:40.592 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 41640->22 (00:35:40.592 PDT) 152.14.93.140 (00:36:04.958 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 50508->22 (00:36:04.958 PDT) 131.179.150.70 (00:35:42.819 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 35766->22 (00:35:42.819 PDT) 13.7.64.22 (2) (00:36:11.712 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 51561->22 (00:36:13.555 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 51558->22 (00:36:11.712 PDT) 158.130.6.254 (00:35:03.075 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 60459->22 (00:35:03.075 PDT) 128.42.142.45 (00:33:48.781 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 40999->22 (00:33:48.781 PDT) 192.52.240.214 (00:35:12.358 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 56453->22 (00:35:12.358 PDT) 204.123.28.56 (00:33:51.540 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 33674->22 (00:33:51.540 PDT) 204.8.155.227 (2) (00:35:26.832 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 56887->22 (00:35:31.735 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 56884->22 (00:35:26.832 PDT) 129.82.12.188 (2) (00:35:45.175 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 44730->22 (00:35:48.976 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 44727->22 (00:35:45.175 PDT) 141.212.113.180 (00:35:34.416 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 54762->22 (00:35:34.416 PDT) 152.3.138.7 (00:35:19.431 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 50565->22 (00:35:19.431 PDT) 141.212.113.179 (00:35:58.716 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 39623->22 (00:35:58.716 PDT) 152.3.138.6 (00:35:51.098 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 37355->22 (00:35:51.098 PDT) ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 131.193.34.38 (4) (00:33:39.551 PDT-00:38:10.957 PDT) event=777:7777008 (4) {tcp} E8[bh] Detected intense malware port scanning of 44 IPs (28 /24s) (# pkts S/M/O/I=0/42/2/0): 22:42, [] MAC_Src: 00:01:64:FF:CE:EA 4: 0->0 (00:33:39.551 PDT-00:38:10.957 PDT) tcpslice 1367134419.551 1367134690.958 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/28/2013 00:44:09.244 PDT Gen. Time: 04/28/2013 00:44:09.244 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 131.193.34.38 (00:44:09.244 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 44 IPs (28 /24s) (# pkts S/M/O/I=0/42/2/0): 22:42, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (00:44:09.244 PDT) tcpslice 1367135049.244 1367135049.245 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/28/2013 00:59:33.793 PDT Gen. Time: 04/28/2013 01:00:23.201 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) 131.179.150.70 (01:00:23.201 PDT) event=777:7777005 {tcp} E5[bh] Detected moderate malware port scanning of 10 IPs (10 /24s) (# pkts S/M/O/I=0/10/0/0): 22:10, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (01:00:23.201 PDT) OUTBOUND SCAN 128.111.52.58 (01:00:22.553 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 41856->22 (01:00:22.553 PDT) 204.8.155.227 (01:00:12.941 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 57100->22 (01:00:12.941 PDT) 152.3.138.7 (01:00:05.154 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 50781->22 (01:00:05.154 PDT) 141.212.113.180 (01:00:19.645 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 54978->22 (01:00:19.645 PDT) 192.52.240.214 (00:59:57.670 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 56668->22 (00:59:57.670 PDT) 158.130.6.254 (00:59:33.793 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 60674->22 (00:59:33.793 PDT) ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1367135973.793 1367135973.794 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' ============================== SEPARATOR ================================ Score: 1.6 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/28/2013 00:59:33.793 PDT Gen. Time: 04/28/2013 01:08:27.079 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) 131.179.150.70 (01:00:23.201 PDT) event=777:7777005 {tcp} E5[bh] Detected moderate malware port scanning of 10 IPs (10 /24s) (# pkts S/M/O/I=0/10/0/0): 22:10, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (01:00:23.201 PDT) OUTBOUND SCAN 128.111.52.58 (01:00:22.553 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 41856->22 (01:00:22.553 PDT) 128.208.4.197 (2) (01:00:55.936 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 37425->22 (01:00:55.936 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 37425->22 (01:00:55.936 PDT) 152.14.93.140 (01:00:48.088 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 50719->22 (01:00:48.088 PDT) 13.7.64.22 (01:00:52.561 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 51769->22 (01:00:52.561 PDT) 158.130.6.254 (00:59:33.793 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 60674->22 (00:59:33.793 PDT) 192.52.240.214 (00:59:57.670 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 56668->22 (00:59:57.670 PDT) 204.8.155.227 (01:00:12.941 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 57100->22 (01:00:12.941 PDT) 192.52.240.213 (01:01:04.618 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 32853->22 (01:01:04.618 PDT) 141.212.113.180 (01:00:19.645 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 54978->22 (01:00:19.645 PDT) 129.82.12.188 (01:00:27.109 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 44938->22 (01:00:27.109 PDT) 204.8.155.226 (01:01:12.314 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 49117->22 (01:01:12.314 PDT) 152.3.138.7 (01:00:05.154 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 50781->22 (01:00:05.154 PDT) 141.212.113.179 (01:00:41.199 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 39834->22 (01:00:41.199 PDT) 128.111.52.59 (01:00:58.776 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 36695->22 (01:00:58.776 PDT) 152.3.138.6 (2) (01:00:34.454 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 37566->22 (01:00:34.454 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 37566->22 (01:00:34.454 PDT) ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 13.7.64.22 (01:01:36.118 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 21 IPs (16 /24s) (# pkts S/M/O/I=0/21/0/0): 22:21, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (01:01:36.118 PDT) 198.133.224.147 (01:03:08.287 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 32 IPs (22 /24s) (# pkts S/M/O/I=0/32/0/0): 22:32, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (01:03:08.287 PDT) tcpslice 1367135973.793 1367135973.794 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/28/2013 01:04:11.182 PDT Gen. Time: 04/28/2013 01:04:11.182 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 128.223.8.111 (01:04:11.182 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 41 IPs (26 /24s) (# pkts S/M/O/I=0/41/0/0): 22:41, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (01:04:11.182 PDT) tcpslice 1367136251.182 1367136251.183 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/28/2013 01:19:17.847 PDT Gen. Time: 04/28/2013 01:22:30.391 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) 152.3.138.7 (01:22:30.391 PDT) event=777:7777005 {tcp} E5[bh] Detected moderate malware port scanning of 10 IPs (10 /24s) (# pkts S/M/O/I=0/10/0/0): 22:10, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (01:22:30.391 PDT) OUTBOUND SCAN 128.111.52.58 (01:22:29.497 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 42069->22 (01:22:29.497 PDT) 204.8.155.227 (01:22:19.208 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 57313->22 (01:22:19.208 PDT) 128.42.142.45 (01:19:17.847 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 41425->22 (01:19:17.847 PDT) 152.3.138.7 (01:22:11.723 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 50994->22 (01:22:11.723 PDT) 204.123.28.56 (01:19:20.725 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 34100->22 (01:19:20.725 PDT) 141.212.113.180 (2) (01:22:25.929 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 55192->22 (01:22:27.081 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 55191->22 (01:22:25.929 PDT) 192.52.240.214 (01:22:04.482 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 56882->22 (01:22:04.482 PDT) ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1367137157.847 1367137157.848 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' ============================== SEPARATOR ================================ Score: 1.6 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/28/2013 01:19:17.847 PDT Gen. Time: 04/28/2013 01:29:54.742 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) 152.3.138.7 (01:22:30.391 PDT) event=777:7777005 {tcp} E5[bh] Detected moderate malware port scanning of 10 IPs (10 /24s) (# pkts S/M/O/I=0/10/0/0): 22:10, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (01:22:30.391 PDT) OUTBOUND SCAN 128.111.52.58 (01:22:29.497 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 42069->22 (01:22:29.497 PDT) 128.208.4.197 (01:23:02.165 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 37638->22 (01:23:02.165 PDT) 152.14.93.140 (01:22:53.624 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 50932->22 (01:22:53.624 PDT) 13.7.64.22 (01:22:58.835 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 51982->22 (01:22:58.835 PDT) 128.42.142.45 (01:19:17.847 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 41425->22 (01:19:17.847 PDT) 192.52.240.214 (01:22:04.482 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 56882->22 (01:22:04.482 PDT) 204.123.28.56 (01:19:20.725 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 34100->22 (01:19:20.725 PDT) 204.8.155.227 (01:22:19.208 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 57313->22 (01:22:19.208 PDT) 141.212.113.180 (2) (01:22:25.929 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 55192->22 (01:22:27.081 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 55191->22 (01:22:25.929 PDT) 129.82.12.188 (01:22:32.973 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 45151->22 (01:22:32.973 PDT) 152.3.138.7 (01:22:11.723 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 50994->22 (01:22:11.723 PDT) 141.212.113.179 (2) (01:22:46.805 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 40048->22 (01:22:48.398 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 40047->22 (01:22:46.805 PDT) 128.111.52.59 (2) (01:23:05.303 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 36909->22 (01:23:05.819 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 36908->22 (01:23:05.303 PDT) 152.3.138.6 (01:22:39.634 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 37779->22 (01:22:39.634 PDT) ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 13.7.64.22 (01:23:47.358 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 21 IPs (16 /24s) (# pkts S/M/O/I=0/21/0/0): 22:21, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (01:23:47.358 PDT) 72.36.112.78 (01:25:17.532 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 33 IPs (22 /24s) (# pkts S/M/O/I=0/33/0/0): 22:33, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (01:25:17.532 PDT) tcpslice 1367137157.847 1367137157.848 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/28/2013 01:26:14.353 PDT Gen. Time: 04/28/2013 01:26:14.353 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 72.36.112.78 (01:26:14.353 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 41 IPs (26 /24s) (# pkts S/M/O/I=0/41/0/0): 22:41, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (01:26:14.353 PDT) tcpslice 1367137574.353 1367137574.354 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/28/2013 01:41:20.819 PDT Gen. Time: 04/28/2013 01:42:08.026 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) 128.111.52.58 (01:42:08.026 PDT) event=777:7777005 {tcp} E5[bh] Detected moderate malware port scanning of 10 IPs (10 /24s) (# pkts S/M/O/I=0/10/0/0): 22:10, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (01:42:08.026 PDT) OUTBOUND SCAN 204.8.155.227 (01:42:06.600 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 57523->22 (01:42:06.600 PDT) 128.42.142.45 (01:41:20.819 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 41634->22 (01:41:20.819 PDT) 152.3.138.7 (01:41:58.753 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 51204->22 (01:41:58.753 PDT) 204.123.28.56 (01:41:23.609 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 34309->22 (01:41:23.609 PDT) 192.52.240.214 (2) (01:41:51.305 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 57092->22 (01:41:51.305 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 57092->22 (01:41:51.305 PDT) 158.130.6.254 (01:41:43.366 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 32865->22 (01:41:43.366 PDT) ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1367138480.819 1367138480.820 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' ============================== SEPARATOR ================================ Score: 1.6 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/28/2013 01:41:20.819 PDT Gen. Time: 04/28/2013 01:50:02.975 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) 128.111.52.58 (01:42:08.026 PDT) event=777:7777005 {tcp} E5[bh] Detected moderate malware port scanning of 10 IPs (10 /24s) (# pkts S/M/O/I=0/10/0/0): 22:10, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (01:42:08.026 PDT) OUTBOUND SCAN 128.111.52.58 (2) (01:42:16.262 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 42279->22 (01:42:16.262 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 42279->22 (01:42:16.262 PDT) 128.208.4.197 (01:42:49.424 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 37848->22 (01:42:49.424 PDT) 152.14.93.140 (2) (01:42:41.640 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 51142->22 (01:42:41.640 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 51142->22 (01:42:41.640 PDT) 13.7.64.22 (01:42:45.955 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 52192->22 (01:42:45.955 PDT) 158.130.6.254 (01:41:43.366 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 32865->22 (01:41:43.366 PDT) 128.42.142.45 (01:41:20.819 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 41634->22 (01:41:20.819 PDT) 192.52.240.214 (2) (01:41:51.305 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 57092->22 (01:41:51.305 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 57092->22 (01:41:51.305 PDT) 204.123.28.56 (01:41:23.609 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 34309->22 (01:41:23.609 PDT) 204.8.155.227 (01:42:06.600 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 57523->22 (01:42:06.600 PDT) 129.82.12.188 (01:42:20.595 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 45361->22 (01:42:20.595 PDT) 141.212.113.180 (01:42:13.433 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 55401->22 (01:42:13.433 PDT) 152.3.138.7 (01:41:58.753 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 51204->22 (01:41:58.753 PDT) 141.212.113.179 (01:42:34.816 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 40257->22 (01:42:34.816 PDT) 152.3.138.6 (01:42:27.752 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 37989->22 (01:42:27.752 PDT) ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 128.111.52.58 (2) (01:43:11.156 PDT) event=777:7777008 (2) {tcp} E8[bh] Detected intense malware port scanning of 21 IPs (16 /24s) (# pkts S/M/O/I=0/21/0/0): 22:21, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (01:43:11.156 PDT) 0->0 (01:44:42.413 PDT) tcpslice 1367138480.819 1367138480.820 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/28/2013 01:46:02.108 PDT Gen. Time: 04/28/2013 01:46:02.108 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 128.111.52.58 (01:46:02.108 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 41 IPs (26 /24s) (# pkts S/M/O/I=0/41/0/0): 22:41, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (01:46:02.108 PDT) tcpslice 1367138762.108 1367138762.109 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/28/2013 02:01:08.179 PDT Gen. Time: 04/28/2013 02:01:54.612 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) 128.10.19.52 (02:01:54.612 PDT) event=777:7777005 {tcp} E5[bh] Detected moderate malware port scanning of 10 IPs (9 /24s) (# pkts S/M/O/I=0/10/0/0): 22:10, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (02:01:54.612 PDT) OUTBOUND SCAN 204.8.155.227 (02:01:52.331 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 57743->22 (02:01:52.331 PDT) 128.42.142.45 (02:01:08.179 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 41854->22 (02:01:08.179 PDT) 152.3.138.7 (02:01:44.638 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 51424->22 (02:01:44.638 PDT) 204.123.28.56 (02:01:12.700 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 34529->22 (02:01:12.700 PDT) 192.52.240.214 (2) (02:01:36.997 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 57312->22 (02:01:36.997 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 57312->22 (02:01:36.997 PDT) 158.130.6.254 (02:01:27.673 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 33085->22 (02:01:27.673 PDT) ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1367139668.179 1367139668.180 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' ============================== SEPARATOR ================================ Score: 1.6 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/28/2013 02:01:08.179 PDT Gen. Time: 04/28/2013 02:09:40.944 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) 128.10.19.52 (02:01:54.612 PDT) event=777:7777005 {tcp} E5[bh] Detected moderate malware port scanning of 10 IPs (9 /24s) (# pkts S/M/O/I=0/10/0/0): 22:10, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (02:01:54.612 PDT) OUTBOUND SCAN 128.111.52.58 (2) (02:02:03.006 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 42499->22 (02:02:03.006 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 42499->22 (02:02:03.006 PDT) 128.208.4.197 (02:02:36.015 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 38068->22 (02:02:36.015 PDT) 152.14.93.140 (2) (02:02:28.201 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 51362->22 (02:02:28.201 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 51362->22 (02:02:28.201 PDT) 13.7.64.22 (02:02:32.544 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 52412->22 (02:02:32.544 PDT) 158.130.6.254 (02:01:27.673 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 33085->22 (02:01:27.673 PDT) 128.42.142.45 (02:01:08.179 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 41854->22 (02:01:08.179 PDT) 192.52.240.214 (2) (02:01:36.997 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 57312->22 (02:01:36.997 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 57312->22 (02:01:36.997 PDT) 204.123.28.56 (02:01:12.700 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 34529->22 (02:01:12.700 PDT) 204.8.155.227 (02:01:52.331 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 57743->22 (02:01:52.331 PDT) 129.82.12.188 (02:02:07.414 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 45581->22 (02:02:07.414 PDT) 141.212.113.180 (02:02:00.070 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 55621->22 (02:02:00.070 PDT) 152.3.138.7 (02:01:44.638 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 51424->22 (02:01:44.638 PDT) 141.212.113.179 (02:02:21.634 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 40477->22 (02:02:21.634 PDT) 152.3.138.6 (02:02:14.817 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 38209->22 (02:02:14.817 PDT) ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 128.10.19.52 (3) (02:02:33.668 PDT) event=777:7777008 (3) {tcp} E8[bh] Detected intense malware port scanning of 21 IPs (17 /24s) (# pkts S/M/O/I=0/21/0/0): 22:21, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (02:02:33.668 PDT) 0->0 (02:04:03.209 PDT) 0->0 (02:05:33.982 PDT) tcpslice 1367139668.179 1367139668.180 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/28/2013 02:12:56.722 PDT Gen. Time: 04/28/2013 02:12:56.722 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 128.10.19.52 (02:12:56.722 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 42 IPs (26 /24s) (# pkts S/M/O/I=0/42/0/0): 22:42, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (02:12:56.722 PDT) tcpslice 1367140376.722 1367140376.723 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/28/2013 02:18:54.992 PDT Gen. Time: 04/28/2013 02:18:54.992 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 128.10.19.52 (02:18:54.992 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 42 IPs (26 /24s) (# pkts S/M/O/I=0/42/0/0): 22:42, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (02:18:54.992 PDT) tcpslice 1367140734.992 1367140734.993 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' ============================== SEPARATOR ================================ Score: 1.3 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/28/2013 02:18:54.992 PDT Gen. Time: 04/28/2013 02:28:36.142 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN 128.111.52.58 (2) (02:21:44.013 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 42710->22 (02:21:44.013 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 42710->22 (02:21:44.013 PDT) 152.14.93.140 (02:22:13.545 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 51578->22 (02:22:13.545 PDT) 131.179.150.70 (02:21:46.325 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 36836->22 (02:21:46.325 PDT) 13.7.64.22 (02:22:17.188 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 52628->22 (02:22:17.188 PDT) 158.130.6.254 (02:21:10.320 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 33296->22 (02:21:10.320 PDT) 128.42.142.45 (02:20:55.695 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 42065->22 (02:20:55.695 PDT) 192.52.240.214 (2) (02:21:18.387 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 57523->22 (02:21:18.387 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 57523->22 (02:21:18.387 PDT) 204.123.28.56 (02:20:58.294 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 34740->22 (02:20:58.294 PDT) 204.8.155.227 (02:21:34.412 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 57954->22 (02:21:34.412 PDT) 129.82.12.188 (02:21:52.410 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 45797->22 (02:21:52.410 PDT) 141.212.113.180 (02:21:41.045 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 55832->22 (02:21:41.045 PDT) 152.3.138.7 (02:21:26.836 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 51635->22 (02:21:26.836 PDT) 141.212.113.179 (2) (02:22:06.743 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 40693->22 (02:22:06.743 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 40693->22 (02:22:06.743 PDT) 152.3.138.6 (02:22:00.056 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 38425->22 (02:22:00.056 PDT) ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 128.10.19.52 (5) (02:18:54.992 PDT-02:25:19.974 PDT) event=777:7777008 (5) {tcp} E8[bh] Detected intense malware port scanning of 42 IPs (26 /24s) (# pkts S/M/O/I=0/42/0/0): 22:42, [] MAC_Src: 00:01:64:FF:CE:EA 5: 0->0 (02:18:54.992 PDT-02:25:19.974 PDT) tcpslice 1367140734.992 1367141119.975 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/28/2013 02:29:42.055 PDT Gen. Time: 04/28/2013 02:29:42.055 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 128.10.19.52 (02:29:42.055 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 42 IPs (26 /24s) (# pkts S/M/O/I=0/42/0/0): 22:42, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (02:29:42.055 PDT) tcpslice 1367141382.055 1367141382.056 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/28/2013 02:34:22.869 PDT Gen. Time: 04/28/2013 02:34:22.869 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 128.10.19.52 (02:34:22.869 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 42 IPs (26 /24s) (# pkts S/M/O/I=0/42/0/0): 22:42, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (02:34:22.869 PDT) tcpslice 1367141662.869 1367141662.870 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/28/2013 02:40:32.513 PDT Gen. Time: 04/28/2013 02:40:32.513 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 128.10.19.52 (02:40:32.513 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 42 IPs (26 /24s) (# pkts S/M/O/I=0/42/0/0): 22:42, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (02:40:32.513 PDT) tcpslice 1367142032.513 1367142032.514 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' ============================== SEPARATOR ================================ Score: 1.3 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/28/2013 02:40:32.513 PDT Gen. Time: 04/28/2013 02:49:29.315 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN 128.111.52.58 (2) (02:41:29.151 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 42925->22 (02:41:29.151 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 42925->22 (02:41:29.151 PDT) 128.208.4.197 (02:42:02.649 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 38494->22 (02:42:02.649 PDT) 152.14.93.140 (2) (02:41:54.705 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 51788->22 (02:41:54.705 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 51788->22 (02:41:54.705 PDT) 13.7.64.22 (02:41:59.128 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 52838->22 (02:41:59.128 PDT) 158.130.6.254 (02:40:56.403 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 33511->22 (02:40:56.403 PDT) 128.42.142.45 (02:40:39.501 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 42280->22 (02:40:39.501 PDT) 192.52.240.214 (2) (02:41:04.229 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 57738->22 (02:41:04.229 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 57738->22 (02:41:04.229 PDT) 204.123.28.56 (02:40:42.258 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 34955->22 (02:40:42.258 PDT) 204.8.155.227 (02:41:19.807 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 58169->22 (02:41:19.807 PDT) 129.82.12.188 (02:41:33.509 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 46007->22 (02:41:33.509 PDT) 141.212.113.180 (02:41:26.216 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 56047->22 (02:41:26.216 PDT) 152.3.138.7 (02:41:11.934 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 51850->22 (02:41:11.934 PDT) 141.212.113.179 (02:41:47.946 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 40903->22 (02:41:47.946 PDT) 152.3.138.6 (02:41:40.980 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 38635->22 (02:41:40.980 PDT) ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 128.10.19.52 (4) (02:40:32.513 PDT-02:45:03.639 PDT) event=777:7777008 (4) {tcp} E8[bh] Detected intense malware port scanning of 42 IPs (26 /24s) (# pkts S/M/O/I=0/42/0/0): 22:42, [] MAC_Src: 00:01:64:FF:CE:EA 4: 0->0 (02:40:32.513 PDT-02:45:03.639 PDT) tcpslice 1367142032.513 1367142303.640 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/28/2013 03:00:36.546 PDT Gen. Time: 04/28/2013 03:01:57.545 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) 131.179.150.70 (03:01:57.545 PDT) event=777:7777005 {tcp} E5[bh] Detected moderate malware port scanning of 10 IPs (10 /24s) (# pkts S/M/O/I=0/10/0/0): 22:10, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (03:01:57.545 PDT) OUTBOUND SCAN 128.111.52.58 (2) (03:01:54.493 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 43135->22 (03:01:54.493 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 43136->22 (03:01:54.916 PDT) 131.179.150.70 (03:01:57.088 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 37262->22 (03:01:57.088 PDT) 158.130.6.254 (03:01:21.951 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 33722->22 (03:01:21.951 PDT) 128.42.142.45 (03:00:36.546 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 42491->22 (03:00:36.546 PDT) 192.52.240.214 (03:01:30.209 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 57949->22 (03:01:30.209 PDT) 204.123.28.56 (03:00:39.290 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 35166->22 (03:00:39.290 PDT) 204.8.155.227 (03:01:45.511 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 58380->22 (03:01:45.511 PDT) 141.212.113.180 (03:01:52.036 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 56258->22 (03:01:52.036 PDT) 152.3.138.7 (03:01:37.817 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 52061->22 (03:01:37.817 PDT) ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1367143236.546 1367143236.547 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' ============================== SEPARATOR ================================ Score: 1.6 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/28/2013 03:00:36.546 PDT Gen. Time: 04/28/2013 03:09:46.127 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) 131.179.150.70 (03:01:57.545 PDT) event=777:7777005 {tcp} E5[bh] Detected moderate malware port scanning of 10 IPs (10 /24s) (# pkts S/M/O/I=0/10/0/0): 22:10, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (03:01:57.545 PDT) OUTBOUND SCAN 128.111.52.58 (2) (03:01:54.493 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 43135->22 (03:01:54.493 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 43136->22 (03:01:54.916 PDT) 128.208.4.197 (03:02:32.035 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 38710->22 (03:02:32.035 PDT) 152.14.93.140 (03:02:24.728 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 52004->22 (03:02:24.728 PDT) 131.179.150.70 (03:01:57.088 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 37262->22 (03:01:57.088 PDT) 13.7.64.22 (03:02:28.407 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 53054->22 (03:02:28.407 PDT) 158.130.6.254 (03:01:21.951 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 33722->22 (03:01:21.951 PDT) 128.42.142.45 (03:00:36.546 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 42491->22 (03:00:36.546 PDT) 192.52.240.214 (03:01:30.209 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 57949->22 (03:01:30.209 PDT) 204.123.28.56 (03:00:39.290 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 35166->22 (03:00:39.290 PDT) 204.8.155.227 (03:01:45.511 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 58380->22 (03:01:45.511 PDT) 129.82.12.188 (03:02:02.553 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 46223->22 (03:02:02.553 PDT) 141.212.113.180 (03:01:52.036 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 56258->22 (03:01:52.036 PDT) 152.3.138.7 (03:01:37.817 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 52061->22 (03:01:37.817 PDT) 141.212.113.179 (2) (03:02:16.475 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 41118->22 (03:02:16.475 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 41119->22 (03:02:17.654 PDT) 152.3.138.6 (03:02:10.871 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 38851->22 (03:02:10.871 PDT) ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 152.14.93.140 (3) (03:03:16.871 PDT) event=777:7777008 (3) {tcp} E8[bh] Detected intense malware port scanning of 21 IPs (16 /24s) (# pkts S/M/O/I=0/21/0/0): 22:21, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (03:03:16.871 PDT) 0->0 (03:04:46.809 PDT) 0->0 (03:07:18.980 PDT) tcpslice 1367143236.546 1367143236.547 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/28/2013 03:20:51.071 PDT Gen. Time: 04/28/2013 03:21:50.842 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) 158.130.6.254 (03:21:50.842 PDT) event=777:7777005 {tcp} E5[bh] Detected moderate malware port scanning of 10 IPs (10 /24s) (# pkts S/M/O/I=0/10/0/0): 22:10, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (03:21:50.842 PDT) OUTBOUND SCAN 128.111.52.58 (2) (03:21:47.987 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 43351->22 (03:21:47.987 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 43351->22 (03:21:47.987 PDT) 131.179.150.70 (03:21:50.463 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 37477->22 (03:21:50.463 PDT) 158.130.6.254 (03:21:15.753 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 33937->22 (03:21:15.753 PDT) 128.42.142.45 (03:20:51.071 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 42706->22 (03:20:51.071 PDT) 192.52.240.214 (2) (03:21:23.273 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 58164->22 (03:21:23.273 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 58164->22 (03:21:23.273 PDT) 204.123.28.56 (03:20:53.808 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 35381->22 (03:20:53.808 PDT) 204.8.155.227 (03:21:38.482 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 58595->22 (03:21:38.482 PDT) 141.212.113.180 (03:21:44.892 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 56473->22 (03:21:44.892 PDT) 152.3.138.7 (03:21:30.792 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 52276->22 (03:21:30.792 PDT) ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1367144451.071 1367144451.072 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' ============================== SEPARATOR ================================ Score: 1.6 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/28/2013 03:20:51.071 PDT Gen. Time: 04/28/2013 03:27:51.269 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) 158.130.6.254 (03:21:50.842 PDT) event=777:7777005 {tcp} E5[bh] Detected moderate malware port scanning of 10 IPs (10 /24s) (# pkts S/M/O/I=0/10/0/0): 22:10, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (03:21:50.842 PDT) OUTBOUND SCAN 128.111.52.58 (2) (03:21:47.987 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 43351->22 (03:21:47.987 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 43351->22 (03:21:47.987 PDT) 152.14.93.140 (03:22:21.166 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 52219->22 (03:22:21.166 PDT) 131.179.150.70 (03:21:50.463 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 37477->22 (03:21:50.463 PDT) 13.7.64.22 (03:22:25.016 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 53269->22 (03:22:25.016 PDT) 158.130.6.254 (03:21:15.753 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 33937->22 (03:21:15.753 PDT) 128.42.142.45 (03:20:51.071 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 42706->22 (03:20:51.071 PDT) 192.52.240.214 (2) (03:21:23.273 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 58164->22 (03:21:23.273 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 58164->22 (03:21:23.273 PDT) 204.123.28.56 (03:20:53.808 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 35381->22 (03:20:53.808 PDT) 204.8.155.227 (03:21:38.482 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 58595->22 (03:21:38.482 PDT) 129.82.12.188 (03:21:56.124 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 46438->22 (03:21:56.124 PDT) 141.212.113.180 (03:21:44.892 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 56473->22 (03:21:44.892 PDT) 152.3.138.7 (03:21:30.792 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 52276->22 (03:21:30.792 PDT) 141.212.113.179 (2) (03:22:14.327 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 41334->22 (03:22:14.327 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 41334->22 (03:22:14.327 PDT) 152.3.138.6 (03:22:07.648 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 39066->22 (03:22:07.648 PDT) ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 13.7.64.22 (3) (03:23:12.685 PDT) event=777:7777008 (3) {tcp} E8[bh] Detected intense malware port scanning of 21 IPs (16 /24s) (# pkts S/M/O/I=0/21/0/0): 22:21, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (03:23:12.685 PDT) 0->0 (03:24:43.127 PDT) 0->0 (03:26:34.233 PDT) tcpslice 1367144451.071 1367144451.072 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/28/2013 03:40:44.813 PDT Gen. Time: 04/28/2013 03:41:48.241 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) 139.78.141.243 (03:41:48.241 PDT) event=777:7777005 {tcp} E5[bh] Detected moderate malware port scanning of 10 IPs (10 /24s) (# pkts S/M/O/I=0/10/0/0): 22:10, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (03:41:48.241 PDT) OUTBOUND SCAN 128.111.52.58 (2) (03:41:47.597 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 43566->22 (03:41:47.597 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 43566->22 (03:41:47.597 PDT) 204.8.155.227 (03:41:37.366 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 58810->22 (03:41:37.366 PDT) 128.42.142.45 (03:40:44.813 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 42921->22 (03:40:44.813 PDT) 152.3.138.7 (03:41:29.665 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 52491->22 (03:41:29.665 PDT) 204.123.28.56 (03:40:47.645 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 35596->22 (03:40:47.645 PDT) 141.212.113.180 (03:41:44.149 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 56688->22 (03:41:44.149 PDT) 192.52.240.214 (2) (03:41:20.284 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 58379->22 (03:41:20.284 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 58379->22 (03:41:20.284 PDT) 158.130.6.254 (03:41:12.392 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 34152->22 (03:41:12.392 PDT) ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1367145644.813 1367145644.814 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' ============================== SEPARATOR ================================ Score: 1.6 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/28/2013 03:40:44.813 PDT Gen. Time: 04/28/2013 03:48:45.858 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) 139.78.141.243 (03:41:48.241 PDT) event=777:7777005 {tcp} E5[bh] Detected moderate malware port scanning of 10 IPs (10 /24s) (# pkts S/M/O/I=0/10/0/0): 22:10, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (03:41:48.241 PDT) OUTBOUND SCAN 128.111.52.58 (2) (03:41:47.597 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 43566->22 (03:41:47.597 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 43566->22 (03:41:47.597 PDT) 152.14.93.140 (03:42:17.192 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 52434->22 (03:42:17.192 PDT) 131.179.150.70 (03:41:50.045 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 37692->22 (03:41:50.045 PDT) 13.7.64.22 (03:42:20.772 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 53484->22 (03:42:20.772 PDT) 158.130.6.254 (03:41:12.392 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 34152->22 (03:41:12.392 PDT) 128.42.142.45 (03:40:44.813 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 42921->22 (03:40:44.813 PDT) 192.52.240.214 (2) (03:41:20.284 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 58379->22 (03:41:20.284 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 58379->22 (03:41:20.284 PDT) 204.123.28.56 (03:40:47.645 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 35596->22 (03:40:47.645 PDT) 204.8.155.227 (03:41:37.366 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 58810->22 (03:41:37.366 PDT) 129.82.12.188 (03:41:55.643 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 46653->22 (03:41:55.643 PDT) 141.212.113.180 (03:41:44.149 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 56688->22 (03:41:44.149 PDT) 152.3.138.7 (03:41:29.665 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 52491->22 (03:41:29.665 PDT) 141.212.113.179 (2) (03:42:10.269 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 41549->22 (03:42:10.269 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 41549->22 (03:42:10.269 PDT) 152.3.138.6 (03:42:03.129 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 39281->22 (03:42:03.129 PDT) ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 139.78.141.243 (2) (03:42:42.519 PDT) event=777:7777008 (2) {tcp} E8[bh] Detected intense malware port scanning of 21 IPs (16 /24s) (# pkts S/M/O/I=0/21/0/0): 22:21, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (03:42:42.519 PDT) 0->0 (03:44:14.081 PDT) tcpslice 1367145644.813 1367145644.814 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/28/2013 03:45:33.804 PDT Gen. Time: 04/28/2013 03:45:33.804 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 128.36.233.153 (03:45:33.804 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 41 IPs (26 /24s) (# pkts S/M/O/I=0/41/0/0): 22:41, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (03:45:33.804 PDT) tcpslice 1367145933.804 1367145933.805 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/28/2013 04:00:39.866 PDT Gen. Time: 04/28/2013 04:01:36.929 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) 128.111.52.58 (04:01:36.929 PDT) event=777:7777005 {tcp} E5[bh] Detected moderate malware port scanning of 10 IPs (9 /24s) (# pkts S/M/O/I=0/10/0/0): 22:10, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (04:01:36.929 PDT) OUTBOUND SCAN 204.8.155.227 (04:01:29.397 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 59025->22 (04:01:29.397 PDT) 128.42.142.45 (04:00:39.866 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 43136->22 (04:00:39.866 PDT) 152.3.138.7 (04:01:21.534 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 52706->22 (04:01:21.534 PDT) 204.123.28.56 (04:00:42.847 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 35811->22 (04:00:42.847 PDT) 141.212.113.180 (04:01:35.851 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 56903->22 (04:01:35.851 PDT) 192.52.240.214 (2) (04:01:14.079 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 58594->22 (04:01:14.079 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 58594->22 (04:01:14.079 PDT) 158.130.6.254 (04:01:05.849 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 34367->22 (04:01:05.849 PDT) ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1367146839.866 1367146839.867 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' ============================== SEPARATOR ================================ Score: 1.6 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/28/2013 04:00:39.866 PDT Gen. Time: 04/28/2013 04:07:55.458 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) 128.111.52.58 (04:01:36.929 PDT) event=777:7777005 {tcp} E5[bh] Detected moderate malware port scanning of 10 IPs (9 /24s) (# pkts S/M/O/I=0/10/0/0): 22:10, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (04:01:36.929 PDT) OUTBOUND SCAN 128.111.52.58 (2) (04:01:39.891 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 43781->22 (04:01:39.891 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 43781->22 (04:01:39.891 PDT) 152.14.93.140 (04:02:12.102 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 52649->22 (04:02:12.102 PDT) 131.179.150.70 (04:01:42.149 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 37907->22 (04:01:42.149 PDT) 13.7.64.22 (04:02:15.754 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 53699->22 (04:02:15.754 PDT) 158.130.6.254 (04:01:05.849 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 34367->22 (04:01:05.849 PDT) 128.42.142.45 (04:00:39.866 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 43136->22 (04:00:39.866 PDT) 192.52.240.214 (2) (04:01:14.079 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 58594->22 (04:01:14.079 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 58594->22 (04:01:14.079 PDT) 204.123.28.56 (04:00:42.847 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 35811->22 (04:00:42.847 PDT) 204.8.155.227 (04:01:29.397 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 59025->22 (04:01:29.397 PDT) 129.82.12.188 (04:01:48.176 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 46868->22 (04:01:48.176 PDT) 141.212.113.180 (04:01:35.851 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 56903->22 (04:01:35.851 PDT) 152.3.138.7 (04:01:21.534 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 52706->22 (04:01:21.534 PDT) 141.212.113.179 (2) (04:02:05.297 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 41764->22 (04:02:05.297 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 41764->22 (04:02:05.297 PDT) 152.3.138.6 (04:01:58.010 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 39496->22 (04:01:58.010 PDT) ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 155.246.12.164 (3) (04:02:22.408 PDT) event=777:7777008 (3) {tcp} E8[bh] Detected intense malware port scanning of 21 IPs (16 /24s) (# pkts S/M/O/I=0/21/0/0): 22:21, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (04:02:22.408 PDT) 0->0 (04:03:52.295 PDT) 0->0 (04:05:22.644 PDT) tcpslice 1367146839.866 1367146839.867 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/28/2013 04:11:34.854 PDT Gen. Time: 04/28/2013 04:11:34.854 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 155.246.12.164 (04:11:34.854 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 41 IPs (26 /24s) (# pkts S/M/O/I=0/41/0/0): 22:41, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (04:11:34.854 PDT) tcpslice 1367147494.854 1367147494.855 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/28/2013 04:11:34.854 PDT Gen. Time: 04/28/2013 04:14:01.624 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 155.246.12.164 (2) (04:11:34.854 PDT) event=777:7777008 (2) {tcp} E8[bh] Detected intense malware port scanning of 41 IPs (26 /24s) (# pkts S/M/O/I=0/41/0/0): 22:41, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (04:11:34.854 PDT) 0->0 (04:13:09.351 PDT) tcpslice 1367147494.854 1367147494.855 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/28/2013 04:18:55.059 PDT Gen. Time: 04/28/2013 04:18:55.059 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 155.246.12.164 (04:18:55.059 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 42 IPs (26 /24s) (# pkts S/M/O/I=0/42/0/0): 22:42, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (04:18:55.059 PDT) tcpslice 1367147935.059 1367147935.060 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' ============================== SEPARATOR ================================ Score: 1.3 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/28/2013 04:18:55.059 PDT Gen. Time: 04/28/2013 04:28:14.142 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN 128.111.52.58 (2) (04:21:36.909 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 43996->22 (04:21:36.909 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 43996->22 (04:21:36.909 PDT) 152.14.93.140 (04:22:06.822 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 52864->22 (04:22:06.822 PDT) 131.179.150.70 (04:21:39.127 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 38122->22 (04:21:39.127 PDT) 13.7.64.22 (04:22:10.419 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 53914->22 (04:22:10.419 PDT) 158.130.6.254 (04:21:03.727 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 34582->22 (04:21:03.727 PDT) 128.42.142.45 (04:20:38.243 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 43351->22 (04:20:38.243 PDT) 192.52.240.214 (2) (04:21:12.295 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 58809->22 (04:21:12.295 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 58809->22 (04:21:12.295 PDT) 204.123.28.56 (04:20:41.056 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 36026->22 (04:20:41.056 PDT) 204.8.155.227 (04:21:27.541 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 59240->22 (04:21:27.541 PDT) 129.82.12.188 (04:21:44.914 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 47083->22 (04:21:44.914 PDT) 141.212.113.180 (04:21:34.070 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 57118->22 (04:21:34.070 PDT) 152.3.138.7 (04:21:19.886 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 52921->22 (04:21:19.886 PDT) 141.212.113.179 (2) (04:21:59.449 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 41979->22 (04:21:59.449 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 41979->22 (04:21:59.449 PDT) 152.3.138.6 (04:21:52.722 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 39711->22 (04:21:52.722 PDT) ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 155.246.12.164 (5) (04:18:55.059 PDT-04:25:04.045 PDT) event=777:7777008 (5) {tcp} E8[bh] Detected intense malware port scanning of 42 IPs (26 /24s) (# pkts S/M/O/I=0/42/0/0): 22:42, [] MAC_Src: 00:01:64:FF:CE:EA 5: 0->0 (04:18:55.059 PDT-04:25:04.045 PDT) tcpslice 1367147935.059 1367148304.046 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/28/2013 04:29:42.110 PDT Gen. Time: 04/28/2013 04:29:42.110 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 155.246.12.164 (04:29:42.110 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 42 IPs (26 /24s) (# pkts S/M/O/I=0/42/0/0): 22:42, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (04:29:42.110 PDT) tcpslice 1367148582.110 1367148582.111 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/28/2013 04:34:22.941 PDT Gen. Time: 04/28/2013 04:34:22.941 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 155.246.12.164 (04:34:22.941 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 42 IPs (26 /24s) (# pkts S/M/O/I=0/42/0/0): 22:42, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (04:34:22.941 PDT) tcpslice 1367148862.941 1367148862.942 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/28/2013 04:40:33.720 PDT Gen. Time: 04/28/2013 04:40:33.720 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 155.246.12.164 (04:40:33.720 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 42 IPs (26 /24s) (# pkts S/M/O/I=0/42/0/0): 22:42, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (04:40:33.720 PDT) tcpslice 1367149233.720 1367149233.721 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' ============================== SEPARATOR ================================ Score: 1.3 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/28/2013 04:40:33.720 PDT Gen. Time: 04/28/2013 04:49:22.279 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN 128.111.52.58 (2) (04:41:44.641 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 44211->22 (04:41:44.641 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 44211->22 (04:41:44.641 PDT) 152.14.93.140 (04:42:14.361 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 53079->22 (04:42:14.361 PDT) 131.179.150.70 (04:41:46.814 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 38337->22 (04:41:46.814 PDT) 13.7.64.22 (04:42:17.990 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 54129->22 (04:42:17.990 PDT) 158.130.6.254 (04:41:09.476 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 34797->22 (04:41:09.476 PDT) 128.42.142.45 (04:40:39.790 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 43566->22 (04:40:39.790 PDT) 192.52.240.214 (2) (04:41:17.753 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 59024->22 (04:41:17.753 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 59024->22 (04:41:17.753 PDT) 204.123.28.56 (04:40:42.690 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 36241->22 (04:40:42.690 PDT) 204.8.155.227 (04:41:35.211 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 59455->22 (04:41:35.211 PDT) 129.82.12.188 (04:41:52.267 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 47298->22 (04:41:52.267 PDT) 141.212.113.180 (04:41:41.688 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 57333->22 (04:41:41.688 PDT) 152.3.138.7 (04:41:27.417 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 53136->22 (04:41:27.417 PDT) 141.212.113.179 (2) (04:42:07.551 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 42194->22 (04:42:07.551 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 42194->22 (04:42:07.551 PDT) 152.3.138.6 (04:41:59.835 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 39926->22 (04:41:59.835 PDT) ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 155.246.12.164 (4) (04:40:33.720 PDT-04:45:10.261 PDT) event=777:7777008 (4) {tcp} E8[bh] Detected intense malware port scanning of 42 IPs (26 /24s) (# pkts S/M/O/I=0/42/0/0): 22:42, [] MAC_Src: 00:01:64:FF:CE:EA 4: 0->0 (04:40:33.720 PDT-04:45:10.261 PDT) tcpslice 1367149233.720 1367149510.262 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/28/2013 05:00:55.868 PDT Gen. Time: 04/28/2013 05:03:15.004 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) 204.8.155.227 (05:03:15.004 PDT) event=777:7777005 {tcp} E5[bh] Detected moderate malware port scanning of 11 IPs (11 /24s) (# pkts S/M/O/I=0/10/1/0): 22:10, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (05:03:15.004 PDT) OUTBOUND SCAN 128.111.52.58 (05:03:14.484 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 44427->22 (05:03:14.484 PDT) 204.8.155.227 (05:03:05.009 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 59671->22 (05:03:05.009 PDT) 128.42.142.45 (05:00:55.868 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 43782->22 (05:00:55.868 PDT) 152.3.138.7 (05:02:56.884 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 53352->22 (05:02:56.884 PDT) 204.123.28.56 (05:00:59.083 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 36457->22 (05:00:59.083 PDT) 141.212.113.180 (05:03:11.626 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 57549->22 (05:03:11.626 PDT) 192.52.240.214 (05:02:49.439 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 59240->22 (05:02:49.439 PDT) 158.130.6.254 (05:02:34.527 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 35013->22 (05:02:34.527 PDT) ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1367150455.868 1367150455.869 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' ============================== SEPARATOR ================================ Score: 1.6 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/28/2013 05:00:55.868 PDT Gen. Time: 04/28/2013 05:11:10.904 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) 204.8.155.227 (05:03:15.004 PDT) event=777:7777005 {tcp} E5[bh] Detected moderate malware port scanning of 11 IPs (11 /24s) (# pkts S/M/O/I=0/10/1/0): 22:10, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (05:03:15.004 PDT) OUTBOUND SCAN 128.111.52.58 (05:03:14.484 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 44427->22 (05:03:14.484 PDT) 128.208.4.197 (05:03:48.782 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 39996->22 (05:03:48.782 PDT) 152.14.93.140 (05:03:40.992 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 53290->22 (05:03:40.992 PDT) 13.7.64.22 (2) (05:03:44.585 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 54339->22 (05:03:44.585 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 54340->22 (05:03:45.245 PDT) 158.130.6.254 (05:02:34.527 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 35013->22 (05:02:34.527 PDT) 128.42.142.45 (05:00:55.868 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 43782->22 (05:00:55.868 PDT) 192.52.240.214 (05:02:49.439 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 59240->22 (05:02:49.439 PDT) 204.123.28.56 (05:00:59.083 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 36457->22 (05:00:59.083 PDT) 204.8.155.227 (05:03:05.009 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 59671->22 (05:03:05.009 PDT) 129.82.12.188 (2) (05:03:17.571 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 47508->22 (05:03:17.571 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 47509->22 (05:03:19.008 PDT) 141.212.113.180 (05:03:11.626 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 57549->22 (05:03:11.626 PDT) 152.3.138.7 (05:02:56.884 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 53352->22 (05:02:56.884 PDT) 141.212.113.179 (05:03:33.859 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 42405->22 (05:03:33.859 PDT) 128.111.52.59 (05:03:51.581 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 39266->22 (05:03:51.581 PDT) 152.3.138.6 (05:03:26.156 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 40137->22 (05:03:26.156 PDT) ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 204.8.155.227 (2) (05:04:19.845 PDT) event=777:7777008 (2) {tcp} E8[bh] Detected intense malware port scanning of 21 IPs (16 /24s) (# pkts S/M/O/I=0/20/1/0): 22:20, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (05:04:19.845 PDT) 0->0 (05:05:49.292 PDT) tcpslice 1367150455.868 1367150455.869 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/28/2013 05:07:07.205 PDT Gen. Time: 04/28/2013 05:07:07.205 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 204.8.155.227 (05:07:07.205 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 42 IPs (27 /24s) (# pkts S/M/O/I=0/41/1/0): 22:41, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (05:07:07.205 PDT) tcpslice 1367150827.205 1367150827.206 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/28/2013 05:22:13.833 PDT Gen. Time: 04/28/2013 05:25:31.793 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) 141.212.113.180 (05:25:31.793 PDT) event=777:7777005 {tcp} E5[bh] Detected moderate malware port scanning of 10 IPs (10 /24s) (# pkts S/M/O/I=0/10/0/0): 22:10, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (05:25:31.793 PDT) OUTBOUND SCAN 128.111.52.58 (05:25:28.503 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 45548->22 (05:25:28.503 PDT) 204.8.155.227 (05:25:17.984 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 60747->22 (05:25:17.984 PDT) 128.42.142.45 (05:22:13.833 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 44246->22 (05:22:13.833 PDT) 152.3.138.7 (05:25:09.900 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 54388->22 (05:25:09.900 PDT) 131.179.150.70 (05:25:30.770 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 39684->22 (05:25:30.770 PDT) 204.123.28.56 (05:22:16.595 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 36923->22 (05:22:16.595 PDT) 141.212.113.180 (2) (05:25:24.810 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 58655->22 (05:25:24.810 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 58655->22 (05:25:24.810 PDT) 192.52.240.214 (05:25:00.200 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 60236->22 (05:25:00.200 PDT) ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1367151733.833 1367151733.834 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' ============================== SEPARATOR ================================ Score: 1.6 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/28/2013 05:22:13.833 PDT Gen. Time: 04/28/2013 05:31:27.358 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) 141.212.113.180 (05:25:31.793 PDT) event=777:7777005 {tcp} E5[bh] Detected moderate malware port scanning of 10 IPs (10 /24s) (# pkts S/M/O/I=0/10/0/0): 22:10, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (05:25:31.793 PDT) OUTBOUND SCAN 128.111.52.58 (05:25:28.503 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 45548->22 (05:25:28.503 PDT) 128.208.4.197 (2) (05:26:05.129 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 41280->22 (05:26:05.129 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 41280->22 (05:26:05.129 PDT) 152.14.93.140 (05:25:57.255 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 54539->22 (05:25:57.255 PDT) 131.179.150.70 (05:25:30.770 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 39684->22 (05:25:30.770 PDT) 13.7.64.22 (05:26:01.653 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 55609->22 (05:26:01.653 PDT) 128.42.142.45 (05:22:13.833 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 44246->22 (05:22:13.833 PDT) 192.52.240.214 (05:25:00.200 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 60236->22 (05:25:00.200 PDT) 204.123.28.56 (05:22:16.595 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 36923->22 (05:22:16.595 PDT) 204.8.155.227 (05:25:17.984 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 60747->22 (05:25:17.984 PDT) 129.82.12.188 (05:25:36.013 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 48667->22 (05:25:36.013 PDT) 141.212.113.180 (2) (05:25:24.810 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 58655->22 (05:25:24.810 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 58655->22 (05:25:24.810 PDT) 152.3.138.7 (05:25:09.900 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 54388->22 (05:25:09.900 PDT) 141.212.113.179 (05:25:50.299 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 43624->22 (05:25:50.299 PDT) 152.3.138.6 (2) (05:25:43.351 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 41327->22 (05:25:43.351 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 41327->22 (05:25:43.351 PDT) ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 152.14.93.140 (05:26:52.623 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 21 IPs (16 /24s) (# pkts S/M/O/I=0/21/0/0): 22:21, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (05:26:52.623 PDT) 128.42.142.44 (05:28:22.888 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 33 IPs (22 /24s) (# pkts S/M/O/I=0/33/0/0): 22:33, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (05:28:22.888 PDT) tcpslice 1367151733.833 1367151733.834 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/28/2013 05:29:16.570 PDT Gen. Time: 04/28/2013 05:29:16.570 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 128.42.142.44 (05:29:16.570 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 41 IPs (26 /24s) (# pkts S/M/O/I=0/41/0/0): 22:41, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (05:29:16.570 PDT) tcpslice 1367152156.570 1367152156.571 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/28/2013 05:44:22.977 PDT Gen. Time: 04/28/2013 05:45:24.241 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) 141.212.113.180 (05:45:24.241 PDT) event=777:7777005 {tcp} E5[bh] Detected moderate malware port scanning of 10 IPs (10 /24s) (# pkts S/M/O/I=0/10/0/0): 22:10, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (05:45:24.241 PDT) OUTBOUND SCAN 204.8.155.227 (05:45:22.798 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 40042->22 (05:45:22.798 PDT) 128.42.142.45 (05:44:22.977 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 51981->22 (05:44:22.977 PDT) 152.3.138.7 (05:45:14.836 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 33668->22 (05:45:14.836 PDT) 204.123.28.56 (05:44:25.815 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 44676->22 (05:44:25.815 PDT) 192.52.240.214 (2) (05:45:06.199 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 39498->22 (05:45:06.199 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 39498->22 (05:45:06.199 PDT) 158.130.6.254 (05:44:57.766 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 43447->22 (05:44:57.766 PDT) ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1367153062.977 1367153062.978 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' ============================== SEPARATOR ================================ Score: 1.6 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/28/2013 05:44:22.977 PDT Gen. Time: 04/28/2013 05:53:47.505 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) 141.212.113.180 (05:45:24.241 PDT) event=777:7777005 {tcp} E5[bh] Detected moderate malware port scanning of 10 IPs (10 /24s) (# pkts S/M/O/I=0/10/0/0): 22:10, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (05:45:24.241 PDT) OUTBOUND SCAN 128.111.52.58 (2) (05:45:32.429 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 53096->22 (05:45:32.429 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 53096->22 (05:45:32.429 PDT) 128.208.4.197 (05:46:05.752 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 48889->22 (05:46:05.752 PDT) 152.14.93.140 (2) (05:45:57.091 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 33891->22 (05:45:57.091 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 33891->22 (05:45:57.091 PDT) 13.7.64.22 (05:46:02.463 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 34979->22 (05:46:02.463 PDT) 158.130.6.254 (05:44:57.766 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 43447->22 (05:44:57.766 PDT) 128.42.142.45 (05:44:22.977 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 51981->22 (05:44:22.977 PDT) 192.52.240.214 (2) (05:45:06.199 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 39498->22 (05:45:06.199 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 39498->22 (05:45:06.199 PDT) 204.123.28.56 (05:44:25.815 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 44676->22 (05:44:25.815 PDT) 204.8.155.227 (05:45:22.798 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 40042->22 (05:45:22.798 PDT) 129.82.12.188 (05:45:35.946 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 56200->22 (05:45:35.946 PDT) 141.212.113.180 (05:45:29.558 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 37966->22 (05:45:29.558 PDT) 152.3.138.7 (05:45:14.836 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 33668->22 (05:45:14.836 PDT) 141.212.113.179 (05:45:50.080 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 51195->22 (05:45:50.080 PDT) 152.3.138.6 (05:45:42.645 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 48877->22 (05:45:42.645 PDT) ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 128.84.154.44 (2) (05:47:56.732 PDT) event=777:7777008 (2) {tcp} E8[bh] Detected intense malware port scanning of 27 IPs (20 /24s) (# pkts S/M/O/I=0/27/0/0): 22:27, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (05:47:56.732 PDT) 0->0 (05:49:28.209 PDT) 141.212.113.180 (05:46:26.378 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 21 IPs (16 /24s) (# pkts S/M/O/I=0/21/0/0): 22:21, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (05:46:26.378 PDT) tcpslice 1367153062.977 1367153062.978 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/28/2013 06:02:50.045 PDT Gen. Time: 04/28/2013 06:04:56.431 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) 128.84.154.45 (06:02:50.045 PDT) event=777:7777005 {tcp} E5[bh] Detected moderate malware port scanning of 10 IPs (7 /24s) (# pkts S/M/O/I=0/10/0/0): 22:10, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (06:02:50.045 PDT) 131.179.150.70 (06:04:21.152 PDT) event=777:7777005 {tcp} E5[bh] Detected moderate malware port scanning of 16 IPs (11 /24s) (# pkts S/M/O/I=0/16/0/0): 22:16, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (06:04:21.152 PDT) OUTBOUND SCAN 128.42.142.45 (06:04:56.431 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 60400->22 (06:04:56.431 PDT) ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1367154170.045 1367154170.046 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' ============================== SEPARATOR ================================ Score: 1.6 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/28/2013 06:02:50.045 PDT Gen. Time: 04/28/2013 06:13:52.867 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) 128.84.154.45 (06:02:50.045 PDT) event=777:7777005 {tcp} E5[bh] Detected moderate malware port scanning of 10 IPs (7 /24s) (# pkts S/M/O/I=0/10/0/0): 22:10, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (06:02:50.045 PDT) 131.179.150.70 (06:04:21.152 PDT) event=777:7777005 {tcp} E5[bh] Detected moderate malware port scanning of 16 IPs (11 /24s) (# pkts S/M/O/I=0/16/0/0): 22:16, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (06:04:21.152 PDT) OUTBOUND SCAN 128.111.52.58 (2) (06:05:53.695 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 33044->22 (06:05:53.695 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 33044->22 (06:05:53.695 PDT) 152.14.93.140 (06:06:23.740 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 41944->22 (06:06:23.740 PDT) 131.179.150.70 (06:05:55.998 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 55404->22 (06:05:55.998 PDT) 13.7.64.22 (06:06:27.367 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 42995->22 (06:06:27.367 PDT) 158.130.6.254 (06:05:18.035 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 51772->22 (06:05:18.035 PDT) 128.42.142.45 (06:04:56.431 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 60400->22 (06:04:56.431 PDT) 192.52.240.214 (2) (06:05:25.991 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 47818->22 (06:05:25.991 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 47818->22 (06:05:25.991 PDT) 204.123.28.56 (06:04:59.175 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 53094->22 (06:04:59.175 PDT) 204.8.155.227 (06:05:43.625 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 48285->22 (06:05:43.625 PDT) 129.82.12.188 (06:06:01.655 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 36135->22 (06:06:01.655 PDT) 141.212.113.180 (06:05:50.263 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 46166->22 (06:05:50.263 PDT) 152.3.138.7 (06:05:35.522 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 41964->22 (06:05:35.522 PDT) 141.212.113.179 (2) (06:06:16.881 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 59289->22 (06:06:16.881 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 59289->22 (06:06:16.881 PDT) 152.3.138.6 (06:06:09.499 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 57006->22 (06:06:09.499 PDT) ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 131.179.150.70 (5) (06:05:11.923 PDT) event=777:7777008 (5) {tcp} E8[bh] Detected intense malware port scanning of 21 IPs (15 /24s) (# pkts S/M/O/I=0/21/0/0): 22:21, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (06:05:11.923 PDT) 0->0 (06:06:41.487 PDT) 0->0 (06:08:11.682 PDT) 0->0 (06:09:41.672 PDT) 0->0 (06:12:56.856 PDT) tcpslice 1367154170.045 1367154170.046 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/28/2013 06:18:55.114 PDT Gen. Time: 04/28/2013 06:18:55.114 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 131.179.150.70 (06:18:55.114 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 42 IPs (26 /24s) (# pkts S/M/O/I=0/42/0/0): 22:42, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (06:18:55.114 PDT) tcpslice 1367155135.114 1367155135.115 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/28/2013 06:25:07.606 PDT Gen. Time: 04/28/2013 06:25:07.606 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 131.179.150.70 (06:25:07.606 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 42 IPs (26 /24s) (# pkts S/M/O/I=0/42/0/0): 22:42, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (06:25:07.606 PDT) tcpslice 1367155507.606 1367155507.607 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' ============================== SEPARATOR ================================ Score: 1.3 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/28/2013 06:25:07.606 PDT Gen. Time: 04/28/2013 06:34:12.959 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN 128.111.52.58 (2) (06:26:09.863 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 39544->22 (06:26:09.863 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 39544->22 (06:26:09.863 PDT) 128.208.4.197 (06:26:45.178 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 35325->22 (06:26:45.178 PDT) 152.14.93.140 (2) (06:26:37.093 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 48568->22 (06:26:37.093 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 48568->22 (06:26:37.093 PDT) 13.7.64.22 (06:26:41.559 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 49646->22 (06:26:41.559 PDT) 158.130.6.254 (06:25:36.503 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 58149->22 (06:25:36.503 PDT) 128.42.142.45 (06:25:13.540 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 38542->22 (06:25:13.540 PDT) 192.52.240.214 (2) (06:25:44.590 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 54192->22 (06:25:44.590 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 54192->22 (06:25:44.590 PDT) 204.123.28.56 (06:25:16.419 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 59467->22 (06:25:16.419 PDT) 204.8.155.227 (06:26:00.310 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 54725->22 (06:26:00.310 PDT) 129.82.12.188 (06:26:14.761 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 42657->22 (06:26:14.761 PDT) 141.212.113.180 (06:26:06.906 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 52645->22 (06:26:06.906 PDT) 152.3.138.7 (06:25:52.183 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 48354->22 (06:25:52.183 PDT) 141.212.113.179 (06:26:29.751 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 37631->22 (06:26:29.751 PDT) 152.3.138.6 (06:26:22.325 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 35334->22 (06:26:22.325 PDT) ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 131.179.150.70 (4) (06:25:07.606 PDT-06:29:37.319 PDT) event=777:7777008 (4) {tcp} E8[bh] Detected intense malware port scanning of 42 IPs (26 /24s) (# pkts S/M/O/I=0/42/0/0): 22:42, [] MAC_Src: 00:01:64:FF:CE:EA 4: 0->0 (06:25:07.606 PDT-06:29:37.319 PDT) tcpslice 1367155507.606 1367155777.320 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/28/2013 06:34:23.009 PDT Gen. Time: 04/28/2013 06:34:23.009 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 131.179.150.70 (06:34:23.009 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 42 IPs (26 /24s) (# pkts S/M/O/I=0/42/0/0): 22:42, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (06:34:23.009 PDT) tcpslice 1367156063.009 1367156063.010 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/28/2013 06:35:09.031 PDT Gen. Time: 04/28/2013 06:35:09.031 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 131.179.150.70 (06:35:09.031 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 42 IPs (26 /24s) (# pkts S/M/O/I=0/42/0/0): 22:42, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (06:35:09.031 PDT) tcpslice 1367156109.031 1367156109.032 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/28/2013 06:45:05.924 PDT Gen. Time: 04/28/2013 06:46:08.505 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) 129.82.12.188 (06:46:08.505 PDT) event=777:7777005 {tcp} E5[bh] Detected moderate malware port scanning of 10 IPs (10 /24s) (# pkts S/M/O/I=0/10/0/0): 22:10, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (06:46:08.505 PDT) OUTBOUND SCAN 128.111.52.58 (2) (06:46:07.311 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 47501->22 (06:46:07.311 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 47501->22 (06:46:07.311 PDT) 204.8.155.227 (06:45:57.007 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 34446->22 (06:45:57.007 PDT) 128.42.142.45 (06:45:05.924 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 46460->22 (06:45:05.924 PDT) 152.3.138.7 (06:45:48.785 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 56308->22 (06:45:48.785 PDT) 204.123.28.56 (06:45:08.884 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 39155->22 (06:45:08.884 PDT) 141.212.113.180 (06:46:04.363 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 60604->22 (06:46:04.363 PDT) 192.52.240.214 (2) (06:45:41.284 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 33912->22 (06:45:41.284 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 33912->22 (06:45:41.284 PDT) 158.130.6.254 (06:45:32.673 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 37862->22 (06:45:32.673 PDT) ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1367156705.924 1367156705.925 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' ============================== SEPARATOR ================================ Score: 1.6 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/28/2013 06:45:05.924 PDT Gen. Time: 04/28/2013 06:52:59.690 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) 129.82.12.188 (06:46:08.505 PDT) event=777:7777005 {tcp} E5[bh] Detected moderate malware port scanning of 10 IPs (10 /24s) (# pkts S/M/O/I=0/10/0/0): 22:10, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (06:46:08.505 PDT) OUTBOUND SCAN 128.111.52.58 (2) (06:46:07.311 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 47501->22 (06:46:07.311 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 47501->22 (06:46:07.311 PDT) 128.208.4.197 (06:46:42.642 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 43292->22 (06:46:42.642 PDT) 152.14.93.140 (2) (06:46:33.863 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 56529->22 (06:46:33.863 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 56529->22 (06:46:33.863 PDT) 13.7.64.22 (06:46:39.303 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 57615->22 (06:46:39.303 PDT) 158.130.6.254 (06:45:32.673 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 37862->22 (06:45:32.673 PDT) 128.42.142.45 (06:45:05.924 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 46460->22 (06:45:05.924 PDT) 192.52.240.214 (2) (06:45:41.284 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 33912->22 (06:45:41.284 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 33912->22 (06:45:41.284 PDT) 204.123.28.56 (06:45:08.884 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 39155->22 (06:45:08.884 PDT) 204.8.155.227 (06:45:57.007 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 34446->22 (06:45:57.007 PDT) 129.82.12.188 (06:46:11.081 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 50606->22 (06:46:11.081 PDT) 141.212.113.180 (06:46:04.363 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 60604->22 (06:46:04.363 PDT) 152.3.138.7 (06:45:48.785 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 56308->22 (06:45:48.785 PDT) 141.212.113.179 (06:46:26.964 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 45602->22 (06:46:26.964 PDT) 152.3.138.6 (06:46:18.942 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 43284->22 (06:46:18.942 PDT) ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 129.82.12.188 (06:47:36.034 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 21 IPs (16 /24s) (# pkts S/M/O/I=0/21/0/0): 22:21, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (06:47:36.034 PDT) 72.36.112.78 (06:49:06.919 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 32 IPs (22 /24s) (# pkts S/M/O/I=0/32/0/0): 22:32, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (06:49:06.919 PDT) tcpslice 1367156705.924 1367156705.925 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/28/2013 06:55:04.995 PDT Gen. Time: 04/28/2013 06:55:04.995 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 72.36.112.78 (06:55:04.995 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 42 IPs (27 /24s) (# pkts S/M/O/I=0/41/1/0): 22:41, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (06:55:04.995 PDT) tcpslice 1367157304.995 1367157304.996 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/28/2013 07:05:14.800 PDT Gen. Time: 04/28/2013 07:06:12.868 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) 152.3.138.7 (07:06:12.868 PDT) event=777:7777005 {tcp} E5[bh] Detected moderate malware port scanning of 10 IPs (10 /24s) (# pkts S/M/O/I=0/10/0/0): 22:10, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (07:06:12.868 PDT) OUTBOUND SCAN 128.111.52.58 (2) (07:06:12.327 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 55213->22 (07:06:12.327 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 55213->22 (07:06:12.327 PDT) 204.8.155.227 (07:06:02.967 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 42219->22 (07:06:02.967 PDT) 128.42.142.45 (07:05:14.800 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 54453->22 (07:05:14.800 PDT) 152.3.138.7 (07:05:54.946 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 35899->22 (07:05:54.946 PDT) 204.123.28.56 (07:05:17.758 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 47146->22 (07:05:17.758 PDT) 141.212.113.180 (07:06:09.478 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 40101->22 (07:06:09.478 PDT) 192.52.240.214 (2) (07:05:47.352 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 41784->22 (07:05:47.352 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 41784->22 (07:05:47.352 PDT) 158.130.6.254 (07:05:39.612 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 45787->22 (07:05:39.612 PDT) ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1367157914.800 1367157914.801 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' ============================== SEPARATOR ================================ Score: 1.6 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/28/2013 07:05:14.800 PDT Gen. Time: 04/28/2013 07:13:59.284 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) 152.3.138.7 (07:06:12.868 PDT) event=777:7777005 {tcp} E5[bh] Detected moderate malware port scanning of 10 IPs (10 /24s) (# pkts S/M/O/I=0/10/0/0): 22:10, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (07:06:12.868 PDT) OUTBOUND SCAN 128.111.52.58 (2) (07:06:12.327 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 55213->22 (07:06:12.327 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 55213->22 (07:06:12.327 PDT) 128.208.4.197 (07:06:47.490 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 50791->22 (07:06:47.490 PDT) 152.14.93.140 (2) (07:06:39.553 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 35848->22 (07:06:39.553 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 35848->22 (07:06:39.553 PDT) 13.7.64.22 (07:06:43.961 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 36901->22 (07:06:43.961 PDT) 158.130.6.254 (07:05:39.612 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 45787->22 (07:05:39.612 PDT) 128.42.142.45 (07:05:14.800 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 54453->22 (07:05:14.800 PDT) 192.52.240.214 (2) (07:05:47.352 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 41784->22 (07:05:47.352 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 41784->22 (07:05:47.352 PDT) 204.123.28.56 (07:05:17.758 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 47146->22 (07:05:17.758 PDT) 204.8.155.227 (07:06:02.967 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 42219->22 (07:06:02.967 PDT) 129.82.12.188 (07:06:16.898 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 58295->22 (07:06:16.898 PDT) 141.212.113.180 (07:06:09.478 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 40101->22 (07:06:09.478 PDT) 152.3.138.7 (07:05:54.946 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 35899->22 (07:05:54.946 PDT) 141.212.113.179 (07:06:32.101 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 53195->22 (07:06:32.101 PDT) 152.3.138.6 (07:06:24.683 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 50926->22 (07:06:24.683 PDT) ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 152.3.138.7 (07:07:38.440 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 21 IPs (16 /24s) (# pkts S/M/O/I=0/21/0/0): 22:21, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (07:07:38.440 PDT) 128.252.19.19 (07:09:08.937 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 33 IPs (22 /24s) (# pkts S/M/O/I=0/33/0/0): 22:33, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (07:09:08.937 PDT) tcpslice 1367157914.800 1367157914.801 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/28/2013 07:15:34.551 PDT Gen. Time: 04/28/2013 07:15:34.551 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 128.252.19.19 (07:15:34.551 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 41 IPs (26 /24s) (# pkts S/M/O/I=0/41/0/0): 22:41, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (07:15:34.551 PDT) tcpslice 1367158534.551 1367158534.552 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/28/2013 07:25:12.601 PDT Gen. Time: 04/28/2013 07:26:13.936 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) 131.179.150.70 (07:26:13.936 PDT) event=777:7777005 {tcp} E5[bh] Detected moderate malware port scanning of 10 IPs (10 /24s) (# pkts S/M/O/I=0/10/0/0): 22:10, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (07:26:13.936 PDT) OUTBOUND SCAN 128.111.52.58 (2) (07:26:12.858 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 58603->22 (07:26:12.858 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 58603->22 (07:26:12.858 PDT) 204.8.155.227 (07:26:03.481 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 45614->22 (07:26:03.481 PDT) 128.42.142.45 (07:25:12.601 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 57958->22 (07:25:12.601 PDT) 152.3.138.7 (07:25:55.291 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 39295->22 (07:25:55.291 PDT) 204.123.28.56 (07:25:15.523 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 50633->22 (07:25:15.523 PDT) 141.212.113.180 (07:26:09.977 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 43492->22 (07:26:09.977 PDT) 192.52.240.214 (2) (07:25:45.725 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 45183->22 (07:25:45.725 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 45183->22 (07:25:45.725 PDT) 158.130.6.254 (07:25:37.795 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 49189->22 (07:25:37.795 PDT) ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1367159112.601 1367159112.602 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' ============================== SEPARATOR ================================ Score: 1.6 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/28/2013 07:25:12.601 PDT Gen. Time: 04/28/2013 07:34:08.625 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) 131.179.150.70 (07:26:13.936 PDT) event=777:7777005 {tcp} E5[bh] Detected moderate malware port scanning of 10 IPs (10 /24s) (# pkts S/M/O/I=0/10/0/0): 22:10, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (07:26:13.936 PDT) OUTBOUND SCAN 128.111.52.58 (2) (07:26:12.858 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 58603->22 (07:26:12.858 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 58603->22 (07:26:12.858 PDT) 128.208.4.197 (07:26:48.785 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 54172->22 (07:26:48.785 PDT) 152.14.93.140 (2) (07:26:39.852 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 39233->22 (07:26:39.852 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 39233->22 (07:26:39.852 PDT) 13.7.64.22 (07:26:45.430 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 40283->22 (07:26:45.430 PDT) 158.130.6.254 (07:25:37.795 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 49189->22 (07:25:37.795 PDT) 128.42.142.45 (07:25:12.601 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 57958->22 (07:25:12.601 PDT) 192.52.240.214 (2) (07:25:45.725 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 45183->22 (07:25:45.725 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 45183->22 (07:25:45.725 PDT) 204.123.28.56 (07:25:15.523 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 50633->22 (07:25:15.523 PDT) 204.8.155.227 (07:26:03.481 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 45614->22 (07:26:03.481 PDT) 129.82.12.188 (07:26:16.734 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 33452->22 (07:26:16.734 PDT) 141.212.113.180 (07:26:09.977 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 43492->22 (07:26:09.977 PDT) 152.3.138.7 (07:25:55.291 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 39295->22 (07:25:55.291 PDT) 141.212.113.179 (07:26:32.637 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 56581->22 (07:26:32.637 PDT) 152.3.138.6 (07:26:23.634 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 54313->22 (07:26:23.634 PDT) ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 131.179.150.70 (3) (07:27:20.459 PDT) event=777:7777008 (3) {tcp} E8[bh] Detected intense malware port scanning of 21 IPs (16 /24s) (# pkts S/M/O/I=0/20/1/0): 22:20, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (07:27:20.459 PDT) 0->0 (07:28:51.819 PDT) 0->0 (07:32:21.259 PDT) tcpslice 1367159112.601 1367159112.602 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/28/2013 07:45:15.016 PDT Gen. Time: 04/28/2013 07:46:09.195 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) 128.111.52.58 (07:46:09.195 PDT) event=777:7777005 {tcp} E5[bh] Detected moderate malware port scanning of 10 IPs (10 /24s) (# pkts S/M/O/I=0/10/0/0): 22:10, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (07:46:09.195 PDT) OUTBOUND SCAN 128.111.52.58 (2) (07:46:08.743 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 59122->22 (07:46:08.743 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 59122->22 (07:46:08.743 PDT) 204.8.155.227 (07:45:59.290 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 46133->22 (07:45:59.290 PDT) 128.42.142.45 (07:45:15.016 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 58477->22 (07:45:15.016 PDT) 152.3.138.7 (07:45:50.991 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 39814->22 (07:45:50.991 PDT) 204.123.28.56 (07:45:17.771 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 51152->22 (07:45:17.771 PDT) 141.212.113.180 (07:46:05.872 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 44011->22 (07:46:05.872 PDT) 192.52.240.214 (2) (07:45:43.520 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 45702->22 (07:45:43.520 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 45702->22 (07:45:43.520 PDT) 158.130.6.254 (07:45:35.759 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 49708->22 (07:45:35.759 PDT) ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1367160315.016 1367160315.017 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' ============================== SEPARATOR ================================ Score: 1.6 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/28/2013 07:45:15.016 PDT Gen. Time: 04/28/2013 07:53:52.948 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) 128.111.52.58 (07:46:09.195 PDT) event=777:7777005 {tcp} E5[bh] Detected moderate malware port scanning of 10 IPs (10 /24s) (# pkts S/M/O/I=0/10/0/0): 22:10, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (07:46:09.195 PDT) OUTBOUND SCAN 128.111.52.58 (2) (07:46:08.743 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 59122->22 (07:46:08.743 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 59122->22 (07:46:08.743 PDT) 128.208.4.197 (07:46:43.242 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 54691->22 (07:46:43.242 PDT) 152.14.93.140 (2) (07:46:32.903 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 39752->22 (07:46:32.903 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 39752->22 (07:46:32.903 PDT) 13.7.64.22 (07:46:40.115 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 40802->22 (07:46:40.115 PDT) 158.130.6.254 (07:45:35.759 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 49708->22 (07:45:35.759 PDT) 128.42.142.45 (07:45:15.016 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 58477->22 (07:45:15.016 PDT) 192.52.240.214 (2) (07:45:43.520 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 45702->22 (07:45:43.520 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 45702->22 (07:45:43.520 PDT) 204.123.28.56 (07:45:17.771 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 51152->22 (07:45:17.771 PDT) 204.8.155.227 (07:45:59.290 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 46133->22 (07:45:59.290 PDT) 129.82.12.188 (07:46:10.656 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 33971->22 (07:46:10.656 PDT) 141.212.113.180 (07:46:05.872 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 44011->22 (07:46:05.872 PDT) 152.3.138.7 (07:45:50.991 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 39814->22 (07:45:50.991 PDT) 141.212.113.179 (07:46:25.565 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 57100->22 (07:46:25.565 PDT) 152.3.138.6 (07:46:16.890 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 54832->22 (07:46:16.890 PDT) ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 155.246.12.164 (3) (07:47:16.681 PDT) event=777:7777008 (3) {tcp} E8[bh] Detected intense malware port scanning of 21 IPs (16 /24s) (# pkts S/M/O/I=0/21/0/0): 22:21, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (07:47:16.681 PDT) 0->0 (07:48:47.451 PDT) 0->0 (07:51:13.147 PDT) tcpslice 1367160315.016 1367160315.017 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/28/2013 07:56:13.123 PDT Gen. Time: 04/28/2013 07:56:13.123 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 155.246.12.164 (07:56:13.123 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 42 IPs (27 /24s) (# pkts S/M/O/I=0/41/1/0): 22:41, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (07:56:13.123 PDT) tcpslice 1367160973.123 1367160973.124 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/28/2013 08:01:25.521 PDT Gen. Time: 04/28/2013 08:01:25.521 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 155.246.12.164 (08:01:25.521 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 42 IPs (27 /24s) (# pkts S/M/O/I=0/41/1/0): 22:41, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (08:01:25.521 PDT) tcpslice 1367161285.521 1367161285.522 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' ============================== SEPARATOR ================================ Score: 1.3 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/28/2013 08:05:10.992 PDT Gen. Time: 04/28/2013 08:06:03.442 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN 128.42.142.45 (08:05:10.992 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 58687->22 (08:05:10.992 PDT) 152.3.138.7 (08:05:58.700 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 40024->22 (08:05:58.700 PDT) 204.123.28.56 (08:05:13.966 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 51362->22 (08:05:13.966 PDT) 192.52.240.214 (2) (08:05:51.134 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 45912->22 (08:05:51.134 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 45912->22 (08:05:51.134 PDT) 158.130.6.254 (08:05:42.407 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 49918->22 (08:05:42.407 PDT) ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 155.246.12.164 (08:06:03.442 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 42 IPs (27 /24s) (# pkts S/M/O/I=0/41/1/0): 22:41, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (08:06:03.442 PDT) tcpslice 1367161510.992 1367161510.993 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' ============================== SEPARATOR ================================ Score: 1.3 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/28/2013 08:05:10.992 PDT Gen. Time: 04/28/2013 08:14:37.631 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN 128.111.52.58 (2) (08:06:16.421 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 59332->22 (08:06:16.421 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 59332->22 (08:06:16.421 PDT) 128.208.4.197 (08:06:49.928 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 54901->22 (08:06:49.928 PDT) 152.14.93.140 (2) (08:06:39.841 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 39962->22 (08:06:39.841 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 39962->22 (08:06:39.841 PDT) 13.7.64.22 (08:06:46.861 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 41012->22 (08:06:46.861 PDT) 158.130.6.254 (08:05:42.407 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 49918->22 (08:05:42.407 PDT) 128.42.142.45 (08:05:10.992 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 58687->22 (08:05:10.992 PDT) 192.52.240.214 (2) (08:05:51.134 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 45912->22 (08:05:51.134 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 45912->22 (08:05:51.134 PDT) 204.123.28.56 (08:05:13.966 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 51362->22 (08:05:13.966 PDT) 204.8.155.227 (08:06:06.887 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 46343->22 (08:06:06.887 PDT) 129.82.12.188 (08:06:18.291 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 34181->22 (08:06:18.291 PDT) 141.212.113.180 (08:06:13.578 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 44221->22 (08:06:13.578 PDT) 152.3.138.7 (08:05:58.700 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 40024->22 (08:05:58.700 PDT) 141.212.113.179 (08:06:32.574 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 57310->22 (08:06:32.574 PDT) 152.3.138.6 (08:06:24.399 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 55042->22 (08:06:24.399 PDT) ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 155.246.12.164 (4) (08:06:03.442 PDT-08:09:05.017 PDT) event=777:7777008 (4) {tcp} E8[bh] Detected intense malware port scanning of 42 IPs (27 /24s) (# pkts S/M/O/I=0/41/1/0): 22:41, [] MAC_Src: 00:01:64:FF:CE:EA 3: 0->0 (08:06:03.442 PDT-08:09:05.017 PDT) 0->0 (08:12:56.922 PDT) tcpslice 1367161510.992 1367161745.018 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/28/2013 08:18:55.175 PDT Gen. Time: 04/28/2013 08:18:55.175 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 155.246.12.164 (08:18:55.175 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 43 IPs (27 /24s) (# pkts S/M/O/I=0/42/1/0): 22:42, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (08:18:55.175 PDT) tcpslice 1367162335.175 1367162335.176 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/28/2013 08:25:03.372 PDT Gen. Time: 04/28/2013 08:25:03.372 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 155.246.12.164 (08:25:03.372 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 43 IPs (27 /24s) (# pkts S/M/O/I=0/42/1/0): 22:42, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (08:25:03.372 PDT) tcpslice 1367162703.372 1367162703.373 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' ============================== SEPARATOR ================================ Score: 1.3 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/28/2013 08:25:03.372 PDT Gen. Time: 04/28/2013 08:32:31.677 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN 128.111.52.58 (2) (08:26:10.372 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 59543->22 (08:26:10.372 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 59543->22 (08:26:10.372 PDT) 128.208.4.197 (08:26:46.720 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 55112->22 (08:26:46.720 PDT) 152.14.93.140 (2) (08:26:38.656 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 40173->22 (08:26:38.656 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 40173->22 (08:26:38.656 PDT) 13.7.64.22 (08:26:43.058 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 41223->22 (08:26:43.058 PDT) 158.130.6.254 (08:25:34.268 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 50129->22 (08:25:34.268 PDT) 128.42.142.45 (08:25:09.508 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 58898->22 (08:25:09.508 PDT) 192.52.240.214 (2) (08:25:42.186 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 46123->22 (08:25:42.186 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 46123->22 (08:25:42.186 PDT) 204.123.28.56 (08:25:12.357 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 51573->22 (08:25:12.357 PDT) 204.8.155.227 (08:26:00.654 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 46554->22 (08:26:00.654 PDT) 129.82.12.188 (08:26:15.883 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 34392->22 (08:26:15.883 PDT) 141.212.113.180 (08:26:07.230 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 44432->22 (08:26:07.230 PDT) 152.3.138.7 (08:25:52.608 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 40235->22 (08:25:52.608 PDT) 141.212.113.179 (08:26:31.208 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 57521->22 (08:26:31.208 PDT) 152.3.138.6 (08:26:23.569 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 55253->22 (08:26:23.569 PDT) ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 155.246.12.164 (4) (08:25:03.372 PDT-08:29:34.209 PDT) event=777:7777008 (4) {tcp} E8[bh] Detected intense malware port scanning of 43 IPs (27 /24s) (# pkts S/M/O/I=0/42/1/0): 22:42, [] MAC_Src: 00:01:64:FF:CE:EA 4: 0->0 (08:25:03.372 PDT-08:29:34.209 PDT) tcpslice 1367162703.372 1367162974.210 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/28/2013 08:34:23.075 PDT Gen. Time: 04/28/2013 08:34:23.075 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 155.246.12.164 (08:34:23.075 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 43 IPs (27 /24s) (# pkts S/M/O/I=0/42/1/0): 22:42, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (08:34:23.075 PDT) tcpslice 1367163263.075 1367163263.076 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/28/2013 08:44:59.690 PDT Gen. Time: 04/28/2013 08:44:59.690 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 155.246.12.164 (08:44:59.690 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 43 IPs (27 /24s) (# pkts S/M/O/I=0/42/1/0): 22:42, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (08:44:59.690 PDT) tcpslice 1367163899.690 1367163899.691 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' ============================== SEPARATOR ================================ Score: 1.3 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/28/2013 08:44:59.690 PDT Gen. Time: 04/28/2013 08:54:08.145 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN 128.111.52.58 (2) (08:46:09.554 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 59754->22 (08:46:09.554 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 59754->22 (08:46:09.554 PDT) 128.208.4.197 (08:46:44.129 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 55323->22 (08:46:44.129 PDT) 152.14.93.140 (2) (08:46:36.178 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 40384->22 (08:46:36.178 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 40384->22 (08:46:36.178 PDT) 13.7.64.22 (08:46:40.567 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 41434->22 (08:46:40.567 PDT) 158.130.6.254 (08:45:36.278 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 50340->22 (08:45:36.278 PDT) 128.42.142.45 (08:45:05.662 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 59109->22 (08:45:05.662 PDT) 192.52.240.214 (2) (08:45:44.197 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 46334->22 (08:45:44.197 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 46334->22 (08:45:44.197 PDT) 204.123.28.56 (08:45:08.440 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 51784->22 (08:45:08.440 PDT) 204.8.155.227 (08:45:59.995 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 46765->22 (08:45:59.995 PDT) 129.82.12.188 (08:46:14.122 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 34603->22 (08:46:14.122 PDT) 141.212.113.180 (08:46:06.674 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 44643->22 (08:46:06.674 PDT) 152.3.138.7 (08:45:51.897 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 40446->22 (08:45:51.897 PDT) 141.212.113.179 (08:46:29.051 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 57732->22 (08:46:29.051 PDT) 152.3.138.6 (08:46:21.491 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 55464->22 (08:46:21.491 PDT) ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 155.246.12.164 (4) (08:44:59.690 PDT-08:49:29.846 PDT) event=777:7777008 (4) {tcp} E8[bh] Detected intense malware port scanning of 43 IPs (27 /24s) (# pkts S/M/O/I=0/42/1/0): 22:42, [] MAC_Src: 00:01:64:FF:CE:EA 4: 0->0 (08:44:59.690 PDT-08:49:29.846 PDT) tcpslice 1367163899.690 1367164169.847 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/28/2013 09:05:09.778 PDT Gen. Time: 04/28/2013 09:07:25.065 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) 192.52.240.214 (09:07:25.065 PDT) event=777:7777005 {tcp} E5[bh] Detected moderate malware port scanning of 10 IPs (10 /24s) (# pkts S/M/O/I=0/10/0/0): 22:10, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (09:07:25.065 PDT) OUTBOUND SCAN 128.111.52.58 (09:07:22.375 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 59965->22 (09:07:22.375 PDT) 131.179.150.70 (2) (09:07:24.684 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 54091->22 (09:07:24.684 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 54091->22 (09:07:24.684 PDT) 158.130.6.254 (09:06:37.753 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 50551->22 (09:06:37.753 PDT) 128.42.142.45 (09:05:09.778 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 59320->22 (09:05:09.778 PDT) 192.52.240.214 (09:06:56.667 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 46545->22 (09:06:56.667 PDT) 204.123.28.56 (09:05:12.831 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 51995->22 (09:05:12.831 PDT) 204.8.155.227 (09:07:12.606 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 46976->22 (09:07:12.606 PDT) 141.212.113.180 (09:07:19.419 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 44854->22 (09:07:19.419 PDT) 152.3.138.7 (09:07:04.387 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 40657->22 (09:07:04.387 PDT) ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1367165109.778 1367165109.779 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' ============================== SEPARATOR ================================ Score: 1.6 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/28/2013 09:05:09.778 PDT Gen. Time: 04/28/2013 09:15:15.356 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) 192.52.240.214 (09:07:25.065 PDT) event=777:7777005 {tcp} E5[bh] Detected moderate malware port scanning of 10 IPs (10 /24s) (# pkts S/M/O/I=0/10/0/0): 22:10, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (09:07:25.065 PDT) OUTBOUND SCAN 128.111.52.58 (09:07:22.375 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 59965->22 (09:07:22.375 PDT) 128.208.4.197 (09:08:01.913 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 55539->22 (09:08:01.913 PDT) 152.14.93.140 (2) (09:07:54.389 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 40600->22 (09:07:54.389 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 40600->22 (09:07:54.389 PDT) 131.179.150.70 (2) (09:07:24.684 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 54091->22 (09:07:24.684 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 54091->22 (09:07:24.684 PDT) 13.7.64.22 (09:07:58.206 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 41650->22 (09:07:58.206 PDT) 158.130.6.254 (09:06:37.753 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 50551->22 (09:06:37.753 PDT) 128.42.142.45 (09:05:09.778 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 59320->22 (09:05:09.778 PDT) 192.52.240.214 (09:06:56.667 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 46545->22 (09:06:56.667 PDT) 204.123.28.56 (09:05:12.831 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 51995->22 (09:05:12.831 PDT) 204.8.155.227 (09:07:12.606 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 46976->22 (09:07:12.606 PDT) 129.82.12.188 (09:07:30.221 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 34819->22 (09:07:30.221 PDT) 141.212.113.180 (09:07:19.419 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 44854->22 (09:07:19.419 PDT) 152.3.138.7 (09:07:04.387 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 40657->22 (09:07:04.387 PDT) 141.212.113.179 (09:07:47.093 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 57948->22 (09:07:47.093 PDT) 152.3.138.6 (09:07:39.947 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 55680->22 (09:07:39.947 PDT) ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 192.52.240.214 (09:08:45.556 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 21 IPs (16 /24s) (# pkts S/M/O/I=0/21/0/0): 22:21, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (09:08:45.556 PDT) 204.123.28.55 (2) (09:10:15.464 PDT) event=777:7777008 (2) {tcp} E8[bh] Detected intense malware port scanning of 33 IPs (22 /24s) (# pkts S/M/O/I=0/33/0/0): 22:33, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (09:10:15.464 PDT) 0->0 (09:13:14.344 PDT) tcpslice 1367165109.778 1367165109.779 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/28/2013 09:26:21.143 PDT Gen. Time: 04/28/2013 09:27:15.779 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) 131.179.150.70 (09:27:15.779 PDT) event=777:7777005 {tcp} E5[bh] Detected moderate malware port scanning of 10 IPs (10 /24s) (# pkts S/M/O/I=0/10/0/0): 22:10, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (09:27:15.779 PDT) OUTBOUND SCAN 128.111.52.58 (2) (09:27:15.227 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 60180->22 (09:27:15.227 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 60180->22 (09:27:15.227 PDT) 204.8.155.227 (09:27:05.699 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 47191->22 (09:27:05.699 PDT) 128.42.142.45 (09:26:21.143 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 59535->22 (09:26:21.143 PDT) 152.3.138.7 (09:26:57.685 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 40872->22 (09:26:57.685 PDT) 204.123.28.56 (09:26:24.006 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 52210->22 (09:26:24.006 PDT) 141.212.113.180 (09:27:12.415 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 45069->22 (09:27:12.415 PDT) 192.52.240.214 (2) (09:26:50.080 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 46760->22 (09:26:50.080 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 46760->22 (09:26:50.080 PDT) 158.130.6.254 (09:26:42.280 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 50766->22 (09:26:42.280 PDT) ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1367166381.143 1367166381.144 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' ============================== SEPARATOR ================================ Score: 1.6 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/28/2013 09:26:21.143 PDT Gen. Time: 04/28/2013 09:33:58.364 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) 131.179.150.70 (09:27:15.779 PDT) event=777:7777005 {tcp} E5[bh] Detected moderate malware port scanning of 10 IPs (10 /24s) (# pkts S/M/O/I=0/10/0/0): 22:10, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (09:27:15.779 PDT) OUTBOUND SCAN 128.111.52.58 (2) (09:27:15.227 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 60180->22 (09:27:15.227 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 60180->22 (09:27:15.227 PDT) 128.208.4.197 (09:27:49.442 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 55749->22 (09:27:49.442 PDT) 152.14.93.140 (2) (09:27:41.537 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 40810->22 (09:27:41.537 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 40810->22 (09:27:41.537 PDT) 13.7.64.22 (09:27:45.899 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 41860->22 (09:27:45.899 PDT) 158.130.6.254 (09:26:42.280 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 50766->22 (09:26:42.280 PDT) 128.42.142.45 (09:26:21.143 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 59535->22 (09:26:21.143 PDT) 192.52.240.214 (2) (09:26:50.080 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 46760->22 (09:26:50.080 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 46760->22 (09:26:50.080 PDT) 204.123.28.56 (09:26:24.006 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 52210->22 (09:26:24.006 PDT) 204.8.155.227 (09:27:05.699 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 47191->22 (09:27:05.699 PDT) 129.82.12.188 (09:27:20.111 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 35029->22 (09:27:20.111 PDT) 141.212.113.180 (09:27:12.415 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 45069->22 (09:27:12.415 PDT) 152.3.138.7 (09:26:57.685 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 40872->22 (09:26:57.685 PDT) 141.212.113.179 (09:27:34.547 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 58158->22 (09:27:34.547 PDT) 152.3.138.6 (09:27:27.474 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 55890->22 (09:27:27.474 PDT) ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 131.179.150.70 (09:28:37.025 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 21 IPs (16 /24s) (# pkts S/M/O/I=0/21/0/0): 22:21, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (09:28:37.025 PDT) 131.193.34.38 (09:30:08.135 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 33 IPs (22 /24s) (# pkts S/M/O/I=0/33/0/0): 22:33, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (09:30:08.135 PDT) tcpslice 1367166381.143 1367166381.144 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/28/2013 09:31:10.678 PDT Gen. Time: 04/28/2013 09:31:10.678 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 152.14.93.139 (09:31:10.678 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 41 IPs (26 /24s) (# pkts S/M/O/I=0/41/0/0): 22:41, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (09:31:10.678 PDT) tcpslice 1367166670.678 1367166670.679 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/28/2013 09:46:17.357 PDT Gen. Time: 04/28/2013 09:47:16.624 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) 128.42.142.45 (09:47:16.624 PDT) event=777:7777005 {tcp} E5[bh] Detected moderate malware port scanning of 10 IPs (10 /24s) (# pkts S/M/O/I=0/10/0/0): 22:10, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (09:47:16.624 PDT) OUTBOUND SCAN 128.111.52.58 (2) (09:47:16.234 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 60391->22 (09:47:16.234 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 60391->22 (09:47:16.234 PDT) 204.8.155.227 (09:47:05.814 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 47402->22 (09:47:05.814 PDT) 128.42.142.45 (09:46:17.357 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 59746->22 (09:46:17.357 PDT) 152.3.138.7 (09:46:57.466 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 41083->22 (09:46:57.466 PDT) 204.123.28.56 (09:46:20.160 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 52421->22 (09:46:20.160 PDT) 141.212.113.180 (09:47:12.765 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 45280->22 (09:47:12.765 PDT) 192.52.240.214 (2) (09:46:49.866 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 46971->22 (09:46:49.866 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 46971->22 (09:46:49.866 PDT) 158.130.6.254 (09:46:41.476 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 50977->22 (09:46:41.476 PDT) ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1367167577.357 1367167577.358 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' ============================== SEPARATOR ================================ Score: 1.6 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/28/2013 09:46:17.357 PDT Gen. Time: 04/28/2013 09:54:03.533 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) 128.42.142.45 (09:47:16.624 PDT) event=777:7777005 {tcp} E5[bh] Detected moderate malware port scanning of 10 IPs (10 /24s) (# pkts S/M/O/I=0/10/0/0): 22:10, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (09:47:16.624 PDT) OUTBOUND SCAN 128.111.52.58 (2) (09:47:16.234 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 60391->22 (09:47:16.234 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 60391->22 (09:47:16.234 PDT) 128.208.4.197 (09:47:49.747 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 55960->22 (09:47:49.747 PDT) 152.14.93.140 (2) (09:47:40.976 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 41021->22 (09:47:40.976 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 41021->22 (09:47:40.976 PDT) 13.7.64.22 (09:47:46.353 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 42071->22 (09:47:46.353 PDT) 158.130.6.254 (09:46:41.476 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 50977->22 (09:46:41.476 PDT) 128.42.142.45 (09:46:17.357 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 59746->22 (09:46:17.357 PDT) 192.52.240.214 (2) (09:46:49.866 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 46971->22 (09:46:49.866 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 46971->22 (09:46:49.866 PDT) 204.123.28.56 (09:46:20.160 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 52421->22 (09:46:20.160 PDT) 204.8.155.227 (09:47:05.814 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 47402->22 (09:47:05.814 PDT) 129.82.12.188 (09:47:19.763 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 35240->22 (09:47:19.763 PDT) 141.212.113.180 (09:47:12.765 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 45280->22 (09:47:12.765 PDT) 152.3.138.7 (09:46:57.466 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 41083->22 (09:46:57.466 PDT) 141.212.113.179 (09:47:34.241 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 58369->22 (09:47:34.241 PDT) 152.3.138.6 (09:47:26.628 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 56101->22 (09:47:26.628 PDT) ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 13.7.64.22 (09:48:21.699 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 21 IPs (16 /24s) (# pkts S/M/O/I=0/21/0/0): 22:21, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (09:48:21.699 PDT) 72.36.112.78 (2) (09:49:51.885 PDT) event=777:7777008 (2) {tcp} E8[bh] Detected intense malware port scanning of 32 IPs (22 /24s) (# pkts S/M/O/I=0/32/0/0): 22:32, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (09:49:51.885 PDT) 0->0 (09:51:25.530 PDT) tcpslice 1367167577.357 1367167577.358 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/28/2013 09:57:20.734 PDT Gen. Time: 04/28/2013 09:57:20.734 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 72.36.112.78 (09:57:20.734 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 41 IPs (26 /24s) (# pkts S/M/O/I=0/41/0/0): 22:41, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (09:57:20.734 PDT) tcpslice 1367168240.734 1367168240.735 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/28/2013 10:01:25.594 PDT Gen. Time: 04/28/2013 10:01:25.594 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 72.36.112.78 (10:01:25.594 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 41 IPs (26 /24s) (# pkts S/M/O/I=0/41/0/0): 22:41, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (10:01:25.594 PDT) tcpslice 1367168485.594 1367168485.595 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/28/2013 10:04:33.350 PDT Gen. Time: 04/28/2013 10:04:33.350 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 72.36.112.78 (10:04:33.350 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 41 IPs (26 /24s) (# pkts S/M/O/I=0/41/0/0): 22:41, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (10:04:33.350 PDT) tcpslice 1367168673.350 1367168673.351 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' ============================== SEPARATOR ================================ Score: 1.3 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/28/2013 10:04:33.350 PDT Gen. Time: 04/28/2013 10:14:09.012 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN 128.111.52.58 (2) (10:07:11.470 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 60599->22 (10:07:11.470 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 60599->22 (10:07:11.470 PDT) 128.208.4.197 (10:07:46.272 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 56168->22 (10:07:46.272 PDT) 152.14.93.140 (2) (10:07:36.901 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 41229->22 (10:07:36.901 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 41229->22 (10:07:36.901 PDT) 13.7.64.22 (10:07:42.956 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 42279->22 (10:07:42.956 PDT) 158.130.6.254 (10:06:37.646 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 51185->22 (10:06:37.646 PDT) 128.42.142.45 (10:06:16.875 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 59954->22 (10:06:16.875 PDT) 192.52.240.214 (2) (10:06:45.657 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 47179->22 (10:06:45.657 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 47179->22 (10:06:45.657 PDT) 204.123.28.56 (10:06:19.714 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 52629->22 (10:06:19.714 PDT) 204.8.155.227 (10:07:01.685 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 47610->22 (10:07:01.685 PDT) 129.82.12.188 (10:07:14.308 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 35448->22 (10:07:14.308 PDT) 141.212.113.180 (10:07:08.325 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 45488->22 (10:07:08.325 PDT) 152.3.138.7 (10:06:53.490 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 41291->22 (10:06:53.490 PDT) 141.212.113.179 (10:07:30.092 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 58577->22 (10:07:30.092 PDT) 152.3.138.6 (10:07:20.887 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 56309->22 (10:07:20.887 PDT) ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 72.36.112.78 (5) (10:04:33.350 PDT-10:10:42.351 PDT) event=777:7777008 (5) {tcp} E8[bh] Detected intense malware port scanning of 41 IPs (26 /24s) (# pkts S/M/O/I=0/41/0/0): 22:41, [] MAC_Src: 00:01:64:FF:CE:EA 5: 0->0 (10:04:33.350 PDT-10:10:42.351 PDT) tcpslice 1367168673.350 1367169042.352 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/28/2013 10:15:31.051 PDT Gen. Time: 04/28/2013 10:15:31.051 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 72.36.112.78 (10:15:31.051 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 41 IPs (26 /24s) (# pkts S/M/O/I=0/41/0/0): 22:41, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (10:15:31.051 PDT) tcpslice 1367169331.051 1367169331.052 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/28/2013 10:26:03.109 PDT Gen. Time: 04/28/2013 10:26:03.109 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 72.36.112.78 (10:26:03.109 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 41 IPs (26 /24s) (# pkts S/M/O/I=0/41/0/0): 22:41, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (10:26:03.109 PDT) tcpslice 1367169963.109 1367169963.110 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' ============================== SEPARATOR ================================ Score: 1.3 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/28/2013 10:26:03.109 PDT Gen. Time: 04/28/2013 10:34:30.547 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN 128.111.52.58 (2) (10:27:05.843 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 60809->22 (10:27:05.843 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 60809->22 (10:27:05.843 PDT) 128.208.4.197 (10:27:40.535 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 56378->22 (10:27:40.535 PDT) 152.14.93.140 (2) (10:27:31.731 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 41439->22 (10:27:31.731 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 41439->22 (10:27:31.731 PDT) 13.7.64.22 (10:27:37.103 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 42489->22 (10:27:37.103 PDT) 158.130.6.254 (10:26:33.431 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 51395->22 (10:26:33.431 PDT) 128.42.142.45 (10:26:09.214 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 60164->22 (10:26:09.214 PDT) 192.52.240.214 (2) (10:26:40.898 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 47389->22 (10:26:40.898 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 47389->22 (10:26:40.898 PDT) 204.123.28.56 (10:26:12.027 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 52839->22 (10:26:12.027 PDT) 204.8.155.227 (10:26:56.439 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 47820->22 (10:26:56.439 PDT) 129.82.12.188 (10:27:09.709 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 35658->22 (10:27:09.709 PDT) 141.212.113.180 (10:27:03.018 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 45698->22 (10:27:03.018 PDT) 152.3.138.7 (10:26:48.465 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 41501->22 (10:26:48.465 PDT) 141.212.113.179 (10:27:25.032 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 58787->22 (10:27:25.032 PDT) 152.3.138.6 (10:27:17.533 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 56519->22 (10:27:17.533 PDT) ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 72.36.112.78 (5) (10:26:03.109 PDT-10:34:23.144 PDT) event=777:7777008 (5) {tcp} E8[bh] Detected intense malware port scanning of 41 IPs (26 /24s) (# pkts S/M/O/I=0/41/0/0): 22:41, [] MAC_Src: 00:01:64:FF:CE:EA 5: 0->0 (10:26:03.109 PDT-10:34:23.144 PDT) tcpslice 1367169963.109 1367170463.145 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/28/2013 10:37:12.812 PDT Gen. Time: 04/28/2013 10:37:12.812 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 72.36.112.78 (10:37:12.812 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 41 IPs (26 /24s) (# pkts S/M/O/I=0/41/0/0): 22:41, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (10:37:12.812 PDT) tcpslice 1367170632.812 1367170632.813 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/28/2013 10:45:51.301 PDT Gen. Time: 04/28/2013 10:45:51.301 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 72.36.112.78 (10:45:51.301 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 41 IPs (26 /24s) (# pkts S/M/O/I=0/41/0/0): 22:41, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (10:45:51.301 PDT) tcpslice 1367171151.301 1367171151.302 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' ============================== SEPARATOR ================================ Score: 1.3 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/28/2013 10:45:51.301 PDT Gen. Time: 04/28/2013 10:54:14.633 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN 128.111.52.58 (2) (10:47:02.001 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 32785->22 (10:47:02.001 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 32785->22 (10:47:02.001 PDT) 152.14.93.140 (10:47:31.531 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 41653->22 (10:47:31.531 PDT) 131.179.150.70 (10:47:04.334 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 55144->22 (10:47:04.334 PDT) 13.7.64.22 (10:47:35.235 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 42703->22 (10:47:35.235 PDT) 158.130.6.254 (10:46:27.372 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 51604->22 (10:46:27.372 PDT) 128.42.142.45 (10:45:57.519 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 60373->22 (10:45:57.519 PDT) 192.52.240.214 (2) (10:46:35.247 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 47598->22 (10:46:35.247 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 47598->22 (10:46:35.247 PDT) 204.123.28.56 (10:46:00.656 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 53048->22 (10:46:00.656 PDT) 204.8.155.227 (10:46:52.147 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 48029->22 (10:46:52.147 PDT) 129.82.12.188 (10:47:09.549 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 35872->22 (10:47:09.549 PDT) 141.212.113.180 (10:46:59.017 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 45907->22 (10:46:59.017 PDT) 152.3.138.7 (10:46:43.920 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 41710->22 (10:46:43.920 PDT) 141.212.113.179 (2) (10:47:24.344 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 59001->22 (10:47:24.344 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 59001->22 (10:47:24.344 PDT) 152.3.138.6 (10:47:17.318 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 56733->22 (10:47:17.318 PDT) ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 72.36.112.78 (4) (10:45:51.301 PDT-10:50:27.318 PDT) event=777:7777008 (4) {tcp} E8[bh] Detected intense malware port scanning of 41 IPs (26 /24s) (# pkts S/M/O/I=0/41/0/0): 22:41, [] MAC_Src: 00:01:64:FF:CE:EA 4: 0->0 (10:45:51.301 PDT-10:50:27.318 PDT) tcpslice 1367171151.301 1367171427.319 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/28/2013 11:06:09.600 PDT Gen. Time: 04/28/2013 11:07:49.302 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) 152.3.138.7 (11:07:49.302 PDT) event=777:7777005 {tcp} E5[bh] Detected moderate malware port scanning of 10 IPs (9 /24s) (# pkts S/M/O/I=0/10/0/0): 22:10, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (11:07:49.302 PDT) OUTBOUND SCAN 204.8.155.227 (2) (11:07:48.056 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 48240->22 (11:07:48.056 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 48240->22 (11:07:48.056 PDT) 128.42.142.45 (11:06:09.600 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 60584->22 (11:06:09.600 PDT) 152.3.138.7 (11:07:40.125 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 41921->22 (11:07:40.125 PDT) 204.123.28.56 (11:06:12.465 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 53259->22 (11:06:12.465 PDT) 192.52.240.214 (11:07:32.290 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 47809->22 (11:07:32.290 PDT) 158.130.6.254 (11:07:24.623 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 51815->22 (11:07:24.623 PDT) ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1367172369.600 1367172369.601 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' ============================== SEPARATOR ================================ Score: 1.6 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/28/2013 11:06:09.600 PDT Gen. Time: 04/28/2013 11:15:05.320 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) 152.3.138.7 (11:07:49.302 PDT) event=777:7777005 {tcp} E5[bh] Detected moderate malware port scanning of 10 IPs (9 /24s) (# pkts S/M/O/I=0/10/0/0): 22:10, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (11:07:49.302 PDT) OUTBOUND SCAN 128.111.52.58 (11:07:57.601 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 32996->22 (11:07:57.601 PDT) 152.14.93.140 (11:08:27.968 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 41864->22 (11:08:27.968 PDT) 131.179.150.70 (11:07:59.933 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 55355->22 (11:07:59.933 PDT) 13.7.64.22 (2) (11:08:31.733 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 42914->22 (11:08:31.733 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 42914->22 (11:08:31.733 PDT) 158.130.6.254 (11:07:24.623 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 51815->22 (11:07:24.623 PDT) 128.42.142.45 (11:06:09.600 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 60584->22 (11:06:09.600 PDT) 192.52.240.214 (11:07:32.290 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 47809->22 (11:07:32.290 PDT) 204.123.28.56 (11:06:12.465 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 53259->22 (11:06:12.465 PDT) 204.8.155.227 (2) (11:07:48.056 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 48240->22 (11:07:48.056 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 48240->22 (11:07:48.056 PDT) 129.82.12.188 (2) (11:08:05.643 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 36083->22 (11:08:05.643 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 36083->22 (11:08:05.643 PDT) 141.212.113.180 (11:07:54.649 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 46118->22 (11:07:54.649 PDT) 152.3.138.7 (11:07:40.125 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 41921->22 (11:07:40.125 PDT) 141.212.113.179 (11:08:20.632 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 59212->22 (11:08:20.632 PDT) 152.3.138.6 (11:08:13.701 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 56944->22 (11:08:13.701 PDT) ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 152.14.93.140 (2) (11:08:55.960 PDT) event=777:7777008 (2) {tcp} E8[bh] Detected intense malware port scanning of 21 IPs (15 /24s) (# pkts S/M/O/I=0/21/0/0): 22:21, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (11:08:55.960 PDT) 0->0 (11:10:25.474 PDT) 152.14.93.139 (11:13:14.175 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 41 IPs (26 /24s) (# pkts S/M/O/I=0/41/0/0): 22:41, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (11:13:14.175 PDT) tcpslice 1367172369.600 1367172369.601 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/28/2013 11:27:00.695 PDT Gen. Time: 04/28/2013 11:28:01.330 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) 204.8.155.227 (11:28:01.330 PDT) event=777:7777005 {tcp} E5[bh] Detected moderate malware port scanning of 10 IPs (10 /24s) (# pkts S/M/O/I=0/10/0/0): 22:10, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (11:28:01.330 PDT) OUTBOUND SCAN 128.111.52.58 (2) (11:27:59.442 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 33212->22 (11:27:59.442 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 33212->22 (11:27:59.442 PDT) 204.8.155.227 (11:27:49.965 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 48456->22 (11:27:49.965 PDT) 128.42.142.45 (11:27:00.695 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 60800->22 (11:27:00.695 PDT) 152.3.138.7 (11:27:41.915 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 42137->22 (11:27:41.915 PDT) 204.123.28.56 (11:27:03.622 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 53475->22 (11:27:03.622 PDT) 141.212.113.180 (11:27:56.605 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 46334->22 (11:27:56.605 PDT) 192.52.240.214 (2) (11:27:33.382 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 48025->22 (11:27:33.382 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 48025->22 (11:27:33.382 PDT) 158.130.6.254 (11:27:25.687 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 52031->22 (11:27:25.687 PDT) ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1367173620.695 1367173620.696 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' ============================== SEPARATOR ================================ Score: 1.6 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/28/2013 11:27:00.695 PDT Gen. Time: 04/28/2013 11:33:15.302 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) 204.8.155.227 (11:28:01.330 PDT) event=777:7777005 {tcp} E5[bh] Detected moderate malware port scanning of 10 IPs (10 /24s) (# pkts S/M/O/I=0/10/0/0): 22:10, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (11:28:01.330 PDT) OUTBOUND SCAN 128.111.52.58 (2) (11:27:59.442 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 33212->22 (11:27:59.442 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 33212->22 (11:27:59.442 PDT) 128.208.4.197 (11:28:32.333 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 57014->22 (11:28:32.333 PDT) 152.14.93.140 (2) (11:28:22.270 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 42075->22 (11:28:22.270 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 42075->22 (11:28:22.270 PDT) 13.7.64.22 (11:28:29.307 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 43125->22 (11:28:29.307 PDT) 158.130.6.254 (11:27:25.687 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 52031->22 (11:27:25.687 PDT) 128.42.142.45 (11:27:00.695 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 60800->22 (11:27:00.695 PDT) 192.52.240.214 (2) (11:27:33.382 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 48025->22 (11:27:33.382 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 48025->22 (11:27:33.382 PDT) 204.123.28.56 (11:27:03.622 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 53475->22 (11:27:03.622 PDT) 204.8.155.227 (11:27:49.965 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 48456->22 (11:27:49.965 PDT) 129.82.12.188 (11:28:01.330 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 36294->22 (11:28:01.330 PDT) 141.212.113.180 (11:27:56.605 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 46334->22 (11:27:56.605 PDT) 152.3.138.7 (11:27:41.915 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 42137->22 (11:27:41.915 PDT) 141.212.113.179 (11:28:15.802 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 59423->22 (11:28:15.802 PDT) 152.3.138.6 (11:28:07.795 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 57155->22 (11:28:07.795 PDT) ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 165.91.55.8 (11:29:20.734 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 21 IPs (16 /24s) (# pkts S/M/O/I=0/21/0/0): 22:21, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (11:29:20.734 PDT) 131.193.34.38 (11:30:51.147 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 32 IPs (22 /24s) (# pkts S/M/O/I=0/32/0/0): 22:32, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (11:30:51.147 PDT) tcpslice 1367173620.695 1367173620.696 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/28/2013 11:36:53.668 PDT Gen. Time: 04/28/2013 11:36:53.668 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 128.223.8.111 (11:36:53.668 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 41 IPs (26 /24s) (# pkts S/M/O/I=0/41/0/0): 22:41, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (11:36:53.668 PDT) tcpslice 1367174213.668 1367174213.669 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/28/2013 11:39:56.079 PDT Gen. Time: 04/28/2013 11:39:56.079 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 128.223.8.111 (11:39:56.079 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 41 IPs (26 /24s) (# pkts S/M/O/I=0/41/0/0): 22:41, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (11:39:56.079 PDT) tcpslice 1367174396.079 1367174396.080 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/28/2013 11:47:00.504 PDT Gen. Time: 04/28/2013 11:47:00.504 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 128.223.8.111 (11:47:00.504 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 41 IPs (26 /24s) (# pkts S/M/O/I=0/41/0/0): 22:41, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (11:47:00.504 PDT) tcpslice 1367174820.504 1367174820.505 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' ============================== SEPARATOR ================================ Score: 1.3 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/28/2013 11:47:00.504 PDT Gen. Time: 04/28/2013 11:56:09.695 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN 128.111.52.58 (2) (11:48:13.485 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 33426->22 (11:48:13.485 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 33426->22 (11:48:13.485 PDT) 128.208.4.197 (11:48:48.466 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 57228->22 (11:48:48.466 PDT) 152.14.93.140 (2) (11:48:40.545 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 42289->22 (11:48:40.545 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 42289->22 (11:48:40.545 PDT) 13.7.64.22 (11:48:44.923 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 43339->22 (11:48:44.923 PDT) 158.130.6.254 (11:47:38.190 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 52245->22 (11:47:38.190 PDT) 128.42.142.45 (11:47:06.757 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 32781->22 (11:47:06.757 PDT) 192.52.240.214 (2) (11:47:45.940 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 48239->22 (11:47:45.940 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 48239->22 (11:47:45.940 PDT) 204.123.28.56 (11:47:09.761 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 53689->22 (11:47:09.761 PDT) 204.8.155.227 (11:48:03.708 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 48670->22 (11:48:03.708 PDT) 129.82.12.188 (11:48:18.227 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 36508->22 (11:48:18.227 PDT) 141.212.113.180 (11:48:10.586 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 46548->22 (11:48:10.586 PDT) 152.3.138.7 (11:47:55.629 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 42351->22 (11:47:55.629 PDT) 141.212.113.179 (11:48:33.151 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 59637->22 (11:48:33.151 PDT) 152.3.138.6 (11:48:25.807 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 57369->22 (11:48:25.807 PDT) ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 128.223.8.111 (4) (11:47:00.504 PDT-11:51:31.349 PDT) event=777:7777008 (4) {tcp} E8[bh] Detected intense malware port scanning of 41 IPs (26 /24s) (# pkts S/M/O/I=0/41/0/0): 22:41, [] MAC_Src: 00:01:64:FF:CE:EA 4: 0->0 (11:47:00.504 PDT-11:51:31.349 PDT) tcpslice 1367174820.504 1367175091.350 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/28/2013 12:04:21.331 PDT Gen. Time: 04/28/2013 12:07:16.443 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) 128.252.19.18 (2) (12:04:21.331 PDT) event=777:7777005 (2) {tcp} E5[bh] Detected moderate malware port scanning of 10 IPs (9 /24s) (# pkts S/M/O/I=0/10/0/0): 22:10, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (12:04:21.331 PDT) 0->0 (12:06:06.438 PDT) OUTBOUND SCAN 128.42.142.45 (12:07:16.443 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 33006->22 (12:07:16.443 PDT) ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1367175861.331 1367175861.332 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' ============================== SEPARATOR ================================ Score: 1.6 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/28/2013 12:04:21.331 PDT Gen. Time: 04/28/2013 12:14:52.912 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) 128.252.19.18 (3) (12:04:21.331 PDT) event=777:7777005 (3) {tcp} E5[bh] Detected moderate malware port scanning of 10 IPs (9 /24s) (# pkts S/M/O/I=0/10/0/0): 22:10, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (12:04:21.331 PDT) 0->0 (12:06:06.438 PDT) 0->0 (12:07:38.001 PDT) OUTBOUND SCAN 128.111.52.58 (2) (12:08:18.460 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 33651->22 (12:08:18.460 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 33651->22 (12:08:18.460 PDT) 128.208.4.197 (12:08:51.853 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 57453->22 (12:08:51.853 PDT) 152.14.93.140 (2) (12:08:41.441 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 42514->22 (12:08:41.441 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 42514->22 (12:08:41.441 PDT) 13.7.64.22 (12:08:48.688 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 43564->22 (12:08:48.688 PDT) 158.130.6.254 (12:07:44.229 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 52470->22 (12:07:44.229 PDT) 128.42.142.45 (12:07:16.443 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 33006->22 (12:07:16.443 PDT) 192.52.240.214 (2) (12:07:52.016 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 48464->22 (12:07:52.016 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 48464->22 (12:07:52.016 PDT) 204.123.28.56 (12:07:19.370 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 53914->22 (12:07:19.370 PDT) 204.8.155.227 (12:08:08.541 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 48895->22 (12:08:08.541 PDT) 129.82.12.188 (12:08:20.450 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 36733->22 (12:08:20.450 PDT) 141.212.113.180 (12:08:15.272 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 46773->22 (12:08:15.272 PDT) 152.3.138.7 (12:08:00.592 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 42576->22 (12:08:00.592 PDT) 141.212.113.179 (12:08:34.656 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 59862->22 (12:08:34.656 PDT) 152.3.138.6 (12:08:26.583 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 57594->22 (12:08:26.583 PDT) ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 152.14.93.140 (3) (12:08:41.441 PDT) event=777:7777008 (3) {tcp} E8[bh] Detected intense malware port scanning of 21 IPs (17 /24s) (# pkts S/M/O/I=0/21/0/0): 22:21, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (12:08:41.441 PDT) 0->0 (12:10:11.957 PDT) 0->0 (12:11:42.136 PDT) tcpslice 1367175861.331 1367175861.332 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/28/2013 12:18:55.290 PDT Gen. Time: 04/28/2013 12:18:55.290 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 152.14.93.140 (12:18:55.290 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 43 IPs (27 /24s) (# pkts S/M/O/I=0/42/1/0): 22:42, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (12:18:55.290 PDT) tcpslice 1367176735.290 1367176735.291 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/28/2013 12:27:13.588 PDT Gen. Time: 04/28/2013 12:27:13.588 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 152.14.93.140 (12:27:13.588 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 43 IPs (27 /24s) (# pkts S/M/O/I=0/42/1/0): 22:42, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (12:27:13.588 PDT) tcpslice 1367177233.588 1367177233.589 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' ============================== SEPARATOR ================================ Score: 1.3 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/28/2013 12:27:13.588 PDT Gen. Time: 04/28/2013 12:37:56.550 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN 128.111.52.58 (12:29:27.286 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 36319->22 (12:29:27.286 PDT) 128.208.4.197 (2) (12:30:05.054 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 60400->22 (12:30:07.760 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 60379->22 (12:30:05.054 PDT) 152.14.93.140 (12:29:52.645 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 45345->22 (12:29:52.645 PDT) 13.7.64.22 (12:30:01.831 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 46468->22 (12:30:01.831 PDT) 158.130.6.254 (12:28:41.585 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 54825->22 (12:28:41.585 PDT) 128.42.142.45 (12:27:19.902 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 34820->22 (12:27:19.902 PDT) 192.52.240.214 (12:29:01.274 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 50956->22 (12:29:01.274 PDT) 204.123.28.56 (12:27:22.804 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 55749->22 (12:27:22.804 PDT) 204.8.155.227 (12:29:17.512 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 51496->22 (12:29:17.512 PDT) 129.82.12.188 (12:29:29.207 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 39412->22 (12:29:29.207 PDT) 141.212.113.180 (2) (12:29:21.574 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 49400->22 (12:29:21.574 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 49419->22 (12:29:24.225 PDT) 152.3.138.7 (12:29:09.198 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 45127->22 (12:29:09.198 PDT) 141.212.113.179 (12:29:45.916 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 34417->22 (12:29:45.916 PDT) 152.3.138.6 (2) (12:29:37.832 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 60367->22 (12:29:43.156 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 60331->22 (12:29:37.832 PDT) ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 152.14.93.140 (7) (12:27:13.588 PDT-12:37:12.868 PDT) event=777:7777008 (7) {tcp} E8[bh] Detected intense malware port scanning of 43 IPs (27 /24s) (# pkts S/M/O/I=0/42/1/0): 22:42, [] MAC_Src: 00:01:64:FF:CE:EA 7: 0->0 (12:27:13.588 PDT-12:37:12.868 PDT) tcpslice 1367177233.588 1367177832.869 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/28/2013 12:48:35.850 PDT Gen. Time: 04/28/2013 12:49:44.438 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) 141.212.113.180 (12:49:44.438 PDT) event=777:7777005 {tcp} E5[bh] Detected moderate malware port scanning of 10 IPs (10 /24s) (# pkts S/M/O/I=0/10/0/0): 22:10, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (12:49:44.438 PDT) OUTBOUND SCAN 128.111.52.58 (2) (12:49:41.680 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 44535->22 (12:49:41.680 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 44535->22 (12:49:41.680 PDT) 131.179.150.70 (12:49:44.028 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 38676->22 (12:49:44.028 PDT) 158.130.6.254 (12:49:08.189 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 34894->22 (12:49:08.189 PDT) 128.42.142.45 (12:48:35.850 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 43453->22 (12:48:35.850 PDT) 192.52.240.214 (2) (12:49:16.175 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 59175->22 (12:49:16.175 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 59175->22 (12:49:16.175 PDT) 204.123.28.56 (12:48:38.513 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 36144->22 (12:48:38.513 PDT) 204.8.155.227 (12:49:32.023 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 59714->22 (12:49:32.023 PDT) 141.212.113.180 (12:49:38.767 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 57636->22 (12:49:38.767 PDT) 152.3.138.7 (12:49:23.849 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 53338->22 (12:49:23.849 PDT) ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1367178515.850 1367178515.851 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' ============================== SEPARATOR ================================ Score: 1.6 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/28/2013 12:48:35.850 PDT Gen. Time: 04/28/2013 12:57:11.364 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) 141.212.113.180 (12:49:44.438 PDT) event=777:7777005 {tcp} E5[bh] Detected moderate malware port scanning of 10 IPs (10 /24s) (# pkts S/M/O/I=0/10/0/0): 22:10, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (12:49:44.438 PDT) OUTBOUND SCAN 128.111.52.58 (2) (12:49:41.680 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 44535->22 (12:49:41.680 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 44535->22 (12:49:41.680 PDT) 152.14.93.140 (12:50:11.360 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 53595->22 (12:50:11.360 PDT) 131.179.150.70 (12:49:44.028 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 38676->22 (12:49:44.028 PDT) 13.7.64.22 (12:50:14.906 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 54673->22 (12:50:14.906 PDT) 158.130.6.254 (12:49:08.189 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 34894->22 (12:49:08.189 PDT) 128.42.142.45 (12:48:35.850 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 43453->22 (12:48:35.850 PDT) 192.52.240.214 (2) (12:49:16.175 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 59175->22 (12:49:16.175 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 59175->22 (12:49:16.175 PDT) 204.123.28.56 (12:48:38.513 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 36144->22 (12:48:38.513 PDT) 204.8.155.227 (12:49:32.023 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 59714->22 (12:49:32.023 PDT) 129.82.12.188 (12:49:49.669 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 47675->22 (12:49:49.669 PDT) 141.212.113.180 (12:49:38.767 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 57636->22 (12:49:38.767 PDT) 152.3.138.7 (12:49:23.849 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 53338->22 (12:49:23.849 PDT) 141.212.113.179 (2) (12:50:04.206 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 42661->22 (12:50:04.206 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 42661->22 (12:50:04.206 PDT) 152.3.138.6 (12:49:57.529 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 40349->22 (12:49:57.529 PDT) ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 141.212.113.179 (2) (12:51:04.655 PDT) event=777:7777008 (2) {tcp} E8[bh] Detected intense malware port scanning of 21 IPs (16 /24s) (# pkts S/M/O/I=0/21/0/0): 22:21, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (12:51:04.655 PDT) 0->0 (12:52:35.100 PDT) tcpslice 1367178515.850 1367178515.851 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/28/2013 12:53:43.846 PDT Gen. Time: 04/28/2013 12:53:43.846 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 141.212.113.179 (12:53:43.846 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 41 IPs (26 /24s) (# pkts S/M/O/I=0/41/0/0): 22:41, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (12:53:43.846 PDT) tcpslice 1367178823.846 1367178823.847 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/28/2013 13:08:50.300 PDT Gen. Time: 04/28/2013 13:10:03.885 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) 128.111.52.58 (13:10:03.885 PDT) event=777:7777005 {tcp} E5[bh] Detected moderate malware port scanning of 10 IPs (10 /24s) (# pkts S/M/O/I=0/10/0/0): 22:10, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (13:10:03.885 PDT) OUTBOUND SCAN 128.111.52.58 (2) (13:10:00.802 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 51959->22 (13:10:00.802 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 51959->22 (13:10:00.802 PDT) 131.179.150.70 (13:10:03.405 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 46099->22 (13:10:03.405 PDT) 158.130.6.254 (13:09:26.891 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 42341->22 (13:09:26.891 PDT) 128.42.142.45 (13:08:50.300 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 50891->22 (13:08:50.300 PDT) 192.52.240.214 (2) (13:09:34.651 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 38383->22 (13:09:34.651 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 38383->22 (13:09:34.651 PDT) 204.123.28.56 (13:08:53.240 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 43587->22 (13:08:53.240 PDT) 204.8.155.227 (13:09:50.807 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 38908->22 (13:09:50.807 PDT) 141.212.113.180 (13:09:57.614 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 36830->22 (13:09:57.614 PDT) 152.3.138.7 (13:09:42.528 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 60777->22 (13:09:42.528 PDT) ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1367179730.300 1367179730.301 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' ============================== SEPARATOR ================================ Score: 1.6 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/28/2013 13:08:50.300 PDT Gen. Time: 04/28/2013 13:17:59.581 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) 128.111.52.58 (13:10:03.885 PDT) event=777:7777005 {tcp} E5[bh] Detected moderate malware port scanning of 10 IPs (10 /24s) (# pkts S/M/O/I=0/10/0/0): 22:10, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (13:10:03.885 PDT) OUTBOUND SCAN 128.111.52.58 (2) (13:10:00.802 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 51959->22 (13:10:00.802 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 51959->22 (13:10:00.802 PDT) 152.14.93.140 (13:10:33.000 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 32783->22 (13:10:33.000 PDT) 131.179.150.70 (13:10:03.405 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 46099->22 (13:10:03.405 PDT) 13.7.64.22 (13:10:36.660 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 33861->22 (13:10:36.660 PDT) 158.130.6.254 (13:09:26.891 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 42341->22 (13:09:26.891 PDT) 128.42.142.45 (13:08:50.300 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 50891->22 (13:08:50.300 PDT) 192.52.240.214 (2) (13:09:34.651 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 38383->22 (13:09:34.651 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 38383->22 (13:09:34.651 PDT) 204.123.28.56 (13:08:53.240 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 43587->22 (13:08:53.240 PDT) 204.8.155.227 (13:09:50.807 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 38908->22 (13:09:50.807 PDT) 129.82.12.188 (13:10:09.135 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 55091->22 (13:10:09.135 PDT) 141.212.113.180 (13:09:57.614 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 36830->22 (13:09:57.614 PDT) 152.3.138.7 (13:09:42.528 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 60777->22 (13:09:42.528 PDT) 141.212.113.179 (2) (13:10:26.034 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 50088->22 (13:10:26.034 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 50088->22 (13:10:26.034 PDT) 152.3.138.6 (13:10:19.116 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 47775->22 (13:10:19.116 PDT) ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 128.208.4.197 (2) (13:11:29.869 PDT) event=777:7777008 (2) {tcp} E8[bh] Detected intense malware port scanning of 21 IPs (16 /24s) (# pkts S/M/O/I=0/21/0/0): 22:21, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (13:11:29.869 PDT) 0->0 (13:13:00.071 PDT) tcpslice 1367179730.300 1367179730.301 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/28/2013 13:14:01.173 PDT Gen. Time: 04/28/2013 13:14:01.173 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 128.208.4.198 (13:14:01.173 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 41 IPs (26 /24s) (# pkts S/M/O/I=0/41/0/0): 22:41, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (13:14:01.173 PDT) tcpslice 1367180041.173 1367180041.174 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/28/2013 13:29:07.221 PDT Gen. Time: 04/28/2013 13:30:07.661 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) 128.111.52.58 (13:30:07.661 PDT) event=777:7777005 {tcp} E5[bh] Detected moderate malware port scanning of 10 IPs (10 /24s) (# pkts S/M/O/I=0/10/0/0): 22:10, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (13:30:07.661 PDT) OUTBOUND SCAN 128.111.52.58 (2) (13:30:06.889 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 58605->22 (13:30:06.889 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 58605->22 (13:30:06.889 PDT) 204.8.155.227 (13:29:56.806 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 45553->22 (13:29:56.806 PDT) 128.42.142.45 (13:29:07.221 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 57599->22 (13:29:07.221 PDT) 152.3.138.7 (13:29:48.542 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 39183->22 (13:29:48.542 PDT) 204.123.28.56 (13:29:09.899 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 50291->22 (13:29:09.899 PDT) 141.212.113.180 (13:30:03.544 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 43472->22 (13:30:03.544 PDT) 192.52.240.214 (2) (13:29:40.797 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 45025->22 (13:29:40.797 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 45025->22 (13:29:40.797 PDT) 158.130.6.254 (13:29:32.928 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 48985->22 (13:29:32.928 PDT) ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1367180947.221 1367180947.222 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' ============================== SEPARATOR ================================ Score: 1.6 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/28/2013 13:29:07.221 PDT Gen. Time: 04/28/2013 13:38:00.818 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) 128.111.52.58 (13:30:07.661 PDT) event=777:7777005 {tcp} E5[bh] Detected moderate malware port scanning of 10 IPs (10 /24s) (# pkts S/M/O/I=0/10/0/0): 22:10, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (13:30:07.661 PDT) OUTBOUND SCAN 128.111.52.58 (2) (13:30:06.889 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 58605->22 (13:30:06.889 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 58605->22 (13:30:06.889 PDT) 128.208.4.197 (13:30:44.087 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 54400->22 (13:30:44.087 PDT) 152.14.93.140 (2) (13:30:35.955 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 39406->22 (13:30:35.955 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 39406->22 (13:30:35.955 PDT) 13.7.64.22 (13:30:40.511 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 40488->22 (13:30:40.511 PDT) 158.130.6.254 (13:29:32.928 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 48985->22 (13:29:32.928 PDT) 128.42.142.45 (13:29:07.221 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 57599->22 (13:29:07.221 PDT) 192.52.240.214 (2) (13:29:40.797 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 45025->22 (13:29:40.797 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 45025->22 (13:29:40.797 PDT) 204.123.28.56 (13:29:09.899 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 50291->22 (13:29:09.899 PDT) 204.8.155.227 (13:29:56.806 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 45553->22 (13:29:56.806 PDT) 129.82.12.188 (13:30:12.068 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 33482->22 (13:30:12.068 PDT) 141.212.113.180 (13:30:03.544 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 43472->22 (13:30:03.544 PDT) 152.3.138.7 (13:29:48.542 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 39183->22 (13:29:48.542 PDT) 141.212.113.179 (13:30:28.908 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 56709->22 (13:30:28.908 PDT) 152.3.138.6 (13:30:21.368 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 54396->22 (13:30:21.368 PDT) ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 128.111.52.58 (3) (13:31:31.314 PDT) event=777:7777008 (3) {tcp} E8[bh] Detected intense malware port scanning of 21 IPs (16 /24s) (# pkts S/M/O/I=0/21/0/0): 22:21, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (13:31:31.314 PDT) 0->0 (13:33:01.629 PDT) 0->0 (13:36:43.871 PDT) tcpslice 1367180947.221 1367180947.222 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/28/2013 13:49:07.831 PDT Gen. Time: 04/28/2013 13:50:09.867 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) 141.212.113.180 (13:50:09.867 PDT) event=777:7777005 {tcp} E5[bh] Detected moderate malware port scanning of 10 IPs (10 /24s) (# pkts S/M/O/I=0/10/0/0): 22:10, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (13:50:09.867 PDT) OUTBOUND SCAN 128.111.52.58 (2) (13:50:09.269 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 37951->22 (13:50:09.269 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 37951->22 (13:50:09.269 PDT) 204.8.155.227 (13:49:59.115 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 53128->22 (13:49:59.115 PDT) 128.42.142.45 (13:49:07.831 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 36924->22 (13:49:07.831 PDT) 152.3.138.7 (13:49:50.852 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 46759->22 (13:49:50.852 PDT) 204.123.28.56 (13:49:10.624 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 57850->22 (13:49:10.624 PDT) 141.212.113.180 (13:50:05.885 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 51051->22 (13:50:05.885 PDT) 192.52.240.214 (2) (13:49:42.914 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 52598->22 (13:49:42.914 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 52598->22 (13:49:42.914 PDT) 158.130.6.254 (13:49:35.100 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 56557->22 (13:49:35.100 PDT) ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1367182147.831 1367182147.832 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' ============================== SEPARATOR ================================ Score: 1.6 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/28/2013 13:49:07.831 PDT Gen. Time: 04/28/2013 13:57:50.519 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) 141.212.113.180 (13:50:09.867 PDT) event=777:7777005 {tcp} E5[bh] Detected moderate malware port scanning of 10 IPs (10 /24s) (# pkts S/M/O/I=0/10/0/0): 22:10, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (13:50:09.867 PDT) OUTBOUND SCAN 128.111.52.58 (2) (13:50:09.269 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 37951->22 (13:50:09.269 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 37951->22 (13:50:09.269 PDT) 128.208.4.197 (13:50:44.201 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 33734->22 (13:50:44.201 PDT) 152.14.93.140 (2) (13:50:36.068 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 46977->22 (13:50:36.068 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 46977->22 (13:50:36.068 PDT) 13.7.64.22 (13:50:40.582 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 48056->22 (13:50:40.582 PDT) 158.130.6.254 (13:49:35.100 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 56557->22 (13:49:35.100 PDT) 128.42.142.45 (13:49:07.831 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 36924->22 (13:49:07.831 PDT) 192.52.240.214 (2) (13:49:42.914 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 52598->22 (13:49:42.914 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 52598->22 (13:49:42.914 PDT) 204.123.28.56 (13:49:10.624 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 57850->22 (13:49:10.624 PDT) 204.8.155.227 (13:49:59.115 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 53128->22 (13:49:59.115 PDT) 129.82.12.188 (13:50:14.050 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 41061->22 (13:50:14.050 PDT) 141.212.113.180 (13:50:05.885 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 51051->22 (13:50:05.885 PDT) 152.3.138.7 (13:49:50.852 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 46759->22 (13:49:50.852 PDT) 141.212.113.179 (13:50:29.018 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 36049->22 (13:50:29.018 PDT) 152.3.138.6 (13:50:21.739 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 33734->22 (13:50:21.739 PDT) ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 152.14.93.140 (13:51:30.524 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 21 IPs (16 /24s) (# pkts S/M/O/I=0/21/0/0): 22:21, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (13:51:30.524 PDT) 128.42.142.44 (2) (13:53:00.367 PDT) event=777:7777008 (2) {tcp} E8[bh] Detected intense malware port scanning of 30 IPs (21 /24s) (# pkts S/M/O/I=0/30/0/0): 22:30, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (13:53:00.367 PDT) 0->0 (13:54:30.662 PDT) tcpslice 1367182147.831 1367182147.832 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/28/2013 14:00:31.977 PDT Gen. Time: 04/28/2013 14:00:31.977 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 128.42.142.44 (14:00:31.977 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 42 IPs (26 /24s) (# pkts S/M/O/I=0/42/0/0): 22:42, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (14:00:31.977 PDT) tcpslice 1367182831.977 1367182831.978 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/28/2013 14:04:21.391 PDT Gen. Time: 04/28/2013 14:04:21.391 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 128.42.142.44 (14:04:21.391 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 42 IPs (26 /24s) (# pkts S/M/O/I=0/42/0/0): 22:42, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (14:04:21.391 PDT) tcpslice 1367183061.391 1367183061.392 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' ============================== SEPARATOR ================================ Score: 1.3 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/28/2013 14:09:45.597 PDT Gen. Time: 04/28/2013 14:11:14.652 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN 128.42.142.45 (14:09:45.597 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 44199->22 (14:09:45.597 PDT) 204.123.28.56 (14:09:49.159 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 36897->22 (14:09:49.159 PDT) ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 128.42.142.44 (14:11:14.652 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 42 IPs (26 /24s) (# pkts S/M/O/I=0/42/0/0): 22:42, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (14:11:14.652 PDT) tcpslice 1367183385.597 1367183385.598 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' ============================== SEPARATOR ================================ Score: 1.3 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/28/2013 14:09:45.597 PDT Gen. Time: 04/28/2013 14:19:57.069 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN 128.111.52.58 (14:11:57.988 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 45630->22 (14:11:57.988 PDT) 152.14.93.140 (14:12:29.240 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 54676->22 (14:12:29.240 PDT) 131.179.150.70 (14:12:00.420 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 39770->22 (14:12:00.420 PDT) 13.7.64.22 (2) (14:12:33.121 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 55748->22 (14:12:33.121 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 55748->22 (14:12:33.121 PDT) 158.130.6.254 (14:11:23.386 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 36013->22 (14:11:23.386 PDT) 128.42.142.45 (14:09:45.597 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 44199->22 (14:09:45.597 PDT) 192.52.240.214 (14:11:31.968 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 60289->22 (14:11:31.968 PDT) 204.123.28.56 (14:09:49.159 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 36897->22 (14:09:49.159 PDT) 204.8.155.227 (2) (14:11:47.852 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 60812->22 (14:11:47.852 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 60812->22 (14:11:47.852 PDT) 129.82.12.188 (2) (14:12:07.055 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 48771->22 (14:12:07.055 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 48771->22 (14:12:07.055 PDT) 141.212.113.180 (14:11:55.003 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 58733->22 (14:11:55.003 PDT) 152.3.138.7 (14:11:39.759 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 54446->22 (14:11:39.759 PDT) 141.212.113.179 (14:12:22.017 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 43747->22 (14:12:22.017 PDT) 152.3.138.6 (14:12:14.924 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 41440->22 (14:12:14.924 PDT) ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 128.42.142.44 (5) (14:11:14.652 PDT-14:18:55.356 PDT) event=777:7777008 (5) {tcp} E8[bh] Detected intense malware port scanning of 42 IPs (26 /24s) (# pkts S/M/O/I=0/42/0/0): 22:42, [] MAC_Src: 00:01:64:FF:CE:EA 5: 0->0 (14:11:14.652 PDT-14:18:55.356 PDT) tcpslice 1367183385.597 1367183935.357 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/28/2013 14:20:27.364 PDT Gen. Time: 04/28/2013 14:20:27.364 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 128.42.142.44 (14:20:27.364 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 42 IPs (26 /24s) (# pkts S/M/O/I=0/42/0/0): 22:42, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (14:20:27.364 PDT) tcpslice 1367184027.364 1367184027.365 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/28/2013 14:27:16.243 PDT Gen. Time: 04/28/2013 14:27:16.243 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 128.42.142.44 (14:27:16.243 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 43 IPs (27 /24s) (# pkts S/M/O/I=0/42/1/0): 22:42, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (14:27:16.243 PDT) tcpslice 1367184436.243 1367184436.244 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' ============================== SEPARATOR ================================ Score: 1.6 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/28/2013 14:27:16.243 PDT Gen. Time: 04/28/2013 14:39:03.171 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) 141.212.113.180 (14:32:24.648 PDT) event=777:7777005 {tcp} E5[bh] Detected moderate malware port scanning of 10 IPs (10 /24s) (# pkts S/M/O/I=0/10/0/0): 22:10, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (14:32:24.648 PDT) OUTBOUND SCAN 128.111.52.58 (2) (14:32:24.182 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 47183->22 (14:32:24.182 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 47183->22 (14:32:24.182 PDT) 128.208.4.197 (14:33:00.225 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 42752->22 (14:33:00.225 PDT) 152.14.93.140 (2) (14:32:52.206 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 56046->22 (14:32:52.206 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 56046->22 (14:32:52.206 PDT) 13.7.64.22 (14:32:56.552 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 57096->22 (14:32:56.552 PDT) 158.130.6.254 (14:31:46.140 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 37769->22 (14:31:46.140 PDT) 128.42.142.45 (14:31:18.754 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 46538->22 (14:31:18.754 PDT) 192.52.240.214 (2) (14:31:54.598 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 33763->22 (14:31:54.598 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 33763->22 (14:31:54.598 PDT) 204.123.28.56 (14:31:21.549 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 39213->22 (14:31:21.549 PDT) 204.8.155.227 (14:32:13.746 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 34194->22 (14:32:13.746 PDT) 129.82.12.188 (14:32:29.186 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 50265->22 (14:32:29.186 PDT) 141.212.113.180 (14:32:20.944 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 60305->22 (14:32:20.944 PDT) 152.3.138.7 (14:32:05.336 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 56108->22 (14:32:05.336 PDT) 141.212.113.179 (14:32:45.110 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 45161->22 (14:32:45.110 PDT) 152.3.138.6 (14:32:38.049 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 42893->22 (14:32:38.049 PDT) ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 155.246.12.164 (2) (14:33:45.444 PDT) event=777:7777008 (2) {tcp} E8[bh] Detected intense malware port scanning of 21 IPs (16 /24s) (# pkts S/M/O/I=0/21/0/0): 22:21, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (14:33:45.444 PDT) 0->0 (14:35:15.246 PDT) 128.42.142.44 (14:27:16.243 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 43 IPs (27 /24s) (# pkts S/M/O/I=0/42/1/0): 22:42, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (14:27:16.243 PDT) tcpslice 1367184436.243 1367184436.244 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/28/2013 14:41:53.865 PDT Gen. Time: 04/28/2013 14:41:53.865 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 155.246.12.164 (14:41:53.865 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 41 IPs (26 /24s) (# pkts S/M/O/I=0/41/0/0): 22:41, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (14:41:53.865 PDT) tcpslice 1367185313.865 1367185313.866 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/28/2013 14:45:55.381 PDT Gen. Time: 04/28/2013 14:45:55.381 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 155.246.12.164 (14:45:55.381 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 41 IPs (26 /24s) (# pkts S/M/O/I=0/41/0/0): 22:41, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (14:45:55.381 PDT) tcpslice 1367185555.381 1367185555.382 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/28/2013 14:51:28.450 PDT Gen. Time: 04/28/2013 14:51:28.450 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 155.246.12.164 (14:51:28.450 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 41 IPs (26 /24s) (# pkts S/M/O/I=0/41/0/0): 22:41, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (14:51:28.450 PDT) tcpslice 1367185888.450 1367185888.451 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' ============================== SEPARATOR ================================ Score: 1.3 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/28/2013 14:51:28.450 PDT Gen. Time: 04/28/2013 15:02:16.103 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN 128.111.52.58 (14:54:05.904 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 47689->22 (14:54:05.904 PDT) 128.208.4.197 (2) (14:54:40.892 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 43258->22 (14:54:40.892 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 43258->22 (14:54:40.892 PDT) 152.14.93.140 (14:54:31.898 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 56552->22 (14:54:31.898 PDT) 13.7.64.22 (14:54:37.389 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 57602->22 (14:54:37.389 PDT) 158.130.6.254 (14:53:32.257 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 38275->22 (14:53:32.257 PDT) 128.42.142.45 (14:51:34.671 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 47044->22 (14:51:34.671 PDT) 192.52.240.214 (14:53:39.996 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 34269->22 (14:53:39.996 PDT) 204.123.28.56 (14:51:37.457 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 39719->22 (14:51:37.457 PDT) 204.8.155.227 (2) (14:53:55.965 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 34700->22 (14:53:55.965 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 34700->22 (14:53:55.965 PDT) 129.82.12.188 (14:54:09.778 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 50771->22 (14:54:09.778 PDT) 141.212.113.180 (14:54:02.920 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 60811->22 (14:54:02.920 PDT) 152.3.138.7 (14:53:47.842 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 56614->22 (14:53:47.842 PDT) 141.212.113.179 (14:54:24.710 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 45667->22 (14:54:24.710 PDT) 152.3.138.6 (2) (14:54:16.787 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 43399->22 (14:54:16.787 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 43399->22 (14:54:16.787 PDT) ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 155.246.12.164 (5) (14:51:28.450 PDT-14:57:53.459 PDT) event=777:7777008 (5) {tcp} E8[bh] Detected intense malware port scanning of 41 IPs (26 /24s) (# pkts S/M/O/I=0/41/0/0): 22:41, [] MAC_Src: 00:01:64:FF:CE:EA 5: 0->0 (14:51:28.450 PDT-14:57:53.459 PDT) tcpslice 1367185888.450 1367186273.460 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/28/2013 15:13:16.072 PDT Gen. Time: 04/28/2013 15:15:38.923 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) 152.3.138.7 (15:15:38.923 PDT) event=777:7777005 {tcp} E5[bh] Detected moderate malware port scanning of 10 IPs (10 /24s) (# pkts S/M/O/I=0/10/0/0): 22:10, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (15:15:38.923 PDT) OUTBOUND SCAN 128.111.52.58 (15:15:38.051 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 47896->22 (15:15:38.051 PDT) 204.8.155.227 (2) (15:15:25.653 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 34908->22 (15:15:25.653 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 34908->22 (15:15:25.653 PDT) 128.42.142.45 (15:13:16.072 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 47252->22 (15:13:16.072 PDT) 152.3.138.7 (15:15:17.736 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 56822->22 (15:15:17.736 PDT) 204.123.28.56 (15:13:18.980 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 39927->22 (15:13:18.980 PDT) 141.212.113.180 (15:15:32.425 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 32786->22 (15:15:32.425 PDT) 192.52.240.214 (15:15:07.773 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 34477->22 (15:15:07.773 PDT) 158.130.6.254 (15:14:59.760 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 38483->22 (15:14:59.760 PDT) ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1367187196.072 1367187196.073 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' ============================== SEPARATOR ================================ Score: 1.6 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/28/2013 15:13:16.072 PDT Gen. Time: 04/28/2013 15:23:42.690 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) 152.3.138.7 (15:15:38.923 PDT) event=777:7777005 {tcp} E5[bh] Detected moderate malware port scanning of 10 IPs (10 /24s) (# pkts S/M/O/I=0/10/0/0): 22:10, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (15:15:38.923 PDT) OUTBOUND SCAN 128.111.52.58 (15:15:38.051 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 47896->22 (15:15:38.051 PDT) 152.14.93.140 (15:16:07.652 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 56764->22 (15:16:07.652 PDT) 131.179.150.70 (15:15:40.485 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 42022->22 (15:15:40.485 PDT) 13.7.64.22 (2) (15:16:12.109 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 57814->22 (15:16:12.109 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 57814->22 (15:16:12.109 PDT) 158.130.6.254 (15:14:59.760 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 38483->22 (15:14:59.760 PDT) 128.42.142.45 (15:13:16.072 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 47252->22 (15:13:16.072 PDT) 192.52.240.214 (15:15:07.773 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 34477->22 (15:15:07.773 PDT) 204.123.28.56 (15:13:18.980 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 39927->22 (15:13:18.980 PDT) 204.8.155.227 (2) (15:15:25.653 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 34908->22 (15:15:25.653 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 34908->22 (15:15:25.653 PDT) 129.82.12.188 (2) (15:15:45.726 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 50983->22 (15:15:45.726 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 50983->22 (15:15:45.726 PDT) 141.212.113.180 (15:15:32.425 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 32786->22 (15:15:32.425 PDT) 152.3.138.7 (15:15:17.736 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 56822->22 (15:15:17.736 PDT) 141.212.113.179 (15:16:00.630 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 45879->22 (15:16:00.630 PDT) 152.3.138.6 (15:15:53.357 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 43611->22 (15:15:53.357 PDT) ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 128.36.233.153 (2) (15:20:10.480 PDT-15:23:16.257 PDT) event=777:7777008 (2) {tcp} E8[bh] Detected intense malware port scanning of 41 IPs (26 /24s) (# pkts S/M/O/I=0/41/0/0): 22:41, [] MAC_Src: 00:01:64:FF:CE:EA 2: 0->0 (15:20:10.480 PDT-15:23:16.257 PDT) 152.3.138.7 (15:16:48.103 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 21 IPs (16 /24s) (# pkts S/M/O/I=0/21/0/0): 22:21, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (15:16:48.103 PDT) 128.42.142.44 (15:18:19.352 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 31 IPs (22 /24s) (# pkts S/M/O/I=0/31/0/0): 22:31, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (15:18:19.352 PDT) tcpslice 1367187196.072 1367187796.258 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/28/2013 15:34:42.425 PDT Gen. Time: 04/28/2013 15:35:50.290 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) 204.123.28.56 (15:35:50.290 PDT) event=777:7777005 {tcp} E5[bh] Detected moderate malware port scanning of 10 IPs (10 /24s) (# pkts S/M/O/I=0/10/0/0): 22:10, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (15:35:50.290 PDT) OUTBOUND SCAN 128.111.52.58 (2) (15:35:47.354 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 48112->22 (15:35:47.354 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 48112->22 (15:35:47.354 PDT) 131.179.150.70 (15:35:49.849 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 42238->22 (15:35:49.849 PDT) 158.130.6.254 (15:35:13.379 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 38698->22 (15:35:13.379 PDT) 128.42.142.45 (15:34:42.425 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 47467->22 (15:34:42.425 PDT) 192.52.240.214 (2) (15:35:21.365 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 34692->22 (15:35:21.365 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 34692->22 (15:35:21.365 PDT) 204.123.28.56 (15:34:45.344 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 40142->22 (15:34:45.344 PDT) 204.8.155.227 (15:35:37.265 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 35123->22 (15:35:37.265 PDT) 141.212.113.180 (15:35:44.119 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 33001->22 (15:35:44.119 PDT) 152.3.138.7 (15:35:29.134 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 57037->22 (15:35:29.134 PDT) ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1367188482.425 1367188482.426 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' ============================== SEPARATOR ================================ Score: 1.6 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/28/2013 15:34:42.425 PDT Gen. Time: 04/28/2013 15:42:48.412 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) 204.123.28.56 (15:35:50.290 PDT) event=777:7777005 {tcp} E5[bh] Detected moderate malware port scanning of 10 IPs (10 /24s) (# pkts S/M/O/I=0/10/0/0): 22:10, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (15:35:50.290 PDT) OUTBOUND SCAN 128.111.52.58 (2) (15:35:47.354 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 48112->22 (15:35:47.354 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 48112->22 (15:35:47.354 PDT) 152.14.93.140 (15:36:17.957 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 56980->22 (15:36:17.957 PDT) 131.179.150.70 (15:35:49.849 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 42238->22 (15:35:49.849 PDT) 13.7.64.22 (15:36:21.727 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 58030->22 (15:36:21.727 PDT) 158.130.6.254 (15:35:13.379 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 38698->22 (15:35:13.379 PDT) 128.42.142.45 (15:34:42.425 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 47467->22 (15:34:42.425 PDT) 192.52.240.214 (2) (15:35:21.365 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 34692->22 (15:35:21.365 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 34692->22 (15:35:21.365 PDT) 204.123.28.56 (15:34:45.344 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 40142->22 (15:34:45.344 PDT) 204.8.155.227 (15:35:37.265 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 35123->22 (15:35:37.265 PDT) 129.82.12.188 (15:35:55.614 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 51199->22 (15:35:55.614 PDT) 141.212.113.180 (15:35:44.119 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 33001->22 (15:35:44.119 PDT) 152.3.138.7 (15:35:29.134 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 57037->22 (15:35:29.134 PDT) 141.212.113.179 (2) (15:36:10.692 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 46095->22 (15:36:10.692 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 46095->22 (15:36:10.692 PDT) 152.3.138.6 (15:36:03.387 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 43827->22 (15:36:03.387 PDT) ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 130.127.39.153 (15:38:45.554 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 31 IPs (22 /24s) (# pkts S/M/O/I=0/31/0/0): 22:31, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (15:38:45.554 PDT) 13.7.64.22 (15:37:15.672 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 21 IPs (16 /24s) (# pkts S/M/O/I=0/21/0/0): 22:21, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (15:37:15.672 PDT) tcpslice 1367188482.425 1367188482.426 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/28/2013 15:40:05.141 PDT Gen. Time: 04/28/2013 15:40:05.141 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 130.127.39.153 (15:40:05.141 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 41 IPs (26 /24s) (# pkts S/M/O/I=0/41/0/0): 22:41, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (15:40:05.141 PDT) tcpslice 1367188805.141 1367188805.142 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/28/2013 15:55:11.516 PDT Gen. Time: 04/28/2013 15:57:32.240 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) 128.111.52.58 (15:57:32.240 PDT) event=777:7777005 {tcp} E5[bh] Detected moderate malware port scanning of 10 IPs (10 /24s) (# pkts S/M/O/I=0/10/0/0): 22:10, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (15:57:32.240 PDT) OUTBOUND SCAN 128.111.52.58 (15:57:30.238 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 48325->22 (15:57:30.238 PDT) 131.179.150.70 (15:57:30.634 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 42447->22 (15:57:30.634 PDT) 158.130.6.254 (15:56:45.738 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 38910->22 (15:56:45.738 PDT) 128.42.142.45 (15:55:11.516 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 47679->22 (15:55:11.516 PDT) 192.52.240.214 (15:57:04.805 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 34904->22 (15:57:04.805 PDT) 204.123.28.56 (15:55:14.360 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 40354->22 (15:55:14.360 PDT) 204.8.155.227 (15:57:20.591 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 35336->22 (15:57:20.591 PDT) 141.212.113.180 (15:57:27.335 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 33214->22 (15:57:27.335 PDT) 152.3.138.7 (15:57:12.544 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 57249->22 (15:57:12.544 PDT) ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1367189711.516 1367189711.517 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' ============================== SEPARATOR ================================ Score: 1.6 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/28/2013 15:55:11.516 PDT Gen. Time: 04/28/2013 16:04:53.218 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) 128.111.52.58 (15:57:32.240 PDT) event=777:7777005 {tcp} E5[bh] Detected moderate malware port scanning of 10 IPs (10 /24s) (# pkts S/M/O/I=0/10/0/0): 22:10, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (15:57:32.240 PDT) OUTBOUND SCAN 128.111.52.58 (15:57:30.238 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 48325->22 (15:57:30.238 PDT) 128.208.4.197 (15:58:04.444 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 43894->22 (15:58:04.444 PDT) 152.14.93.140 (2) (15:57:54.050 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 57189->22 (15:57:55.776 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 57188->22 (15:57:54.050 PDT) 131.179.150.70 (15:57:30.634 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 42447->22 (15:57:30.634 PDT) 13.7.64.22 (15:58:01.257 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 58238->22 (15:58:01.257 PDT) 158.130.6.254 (15:56:45.738 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 38910->22 (15:56:45.738 PDT) 128.42.142.45 (15:55:11.516 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 47679->22 (15:55:11.516 PDT) 192.52.240.214 (15:57:04.805 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 34904->22 (15:57:04.805 PDT) 204.123.28.56 (15:55:14.360 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 40354->22 (15:55:14.360 PDT) 204.8.155.227 (15:57:20.591 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 35336->22 (15:57:20.591 PDT) 129.82.12.188 (15:57:32.240 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 51407->22 (15:57:32.240 PDT) 141.212.113.180 (15:57:27.335 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 33214->22 (15:57:27.335 PDT) 152.3.138.7 (15:57:12.544 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 57249->22 (15:57:12.544 PDT) 141.212.113.179 (15:57:47.303 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 46303->22 (15:57:47.303 PDT) 128.111.52.59 (15:58:08.235 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 43164->22 (15:58:08.235 PDT) 152.3.138.6 (15:57:38.838 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 44035->22 (15:57:38.838 PDT) ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 128.84.154.44 (4) (15:58:52.784 PDT-16:04:33.570 PDT) event=777:7777008 (4) {tcp} E8[bh] Detected intense malware port scanning of 41 IPs (26 /24s) (# pkts S/M/O/I=0/41/0/0): 22:41, [] MAC_Src: 00:01:64:FF:CE:EA 2: 0->0 (16:02:55.823 PDT-16:04:33.570 PDT) 0->0 (16:00:22.569 PDT) 0->0 (15:58:52.784 PDT) tcpslice 1367189711.516 1367190273.571 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/28/2013 16:06:24.355 PDT Gen. Time: 04/28/2013 16:06:24.355 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 128.84.154.44 (16:06:24.355 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 41 IPs (26 /24s) (# pkts S/M/O/I=0/41/0/0): 22:41, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (16:06:24.355 PDT) tcpslice 1367190384.355 1367190384.356 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/28/2013 16:11:53.471 PDT Gen. Time: 04/28/2013 16:11:53.471 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 128.84.154.44 (16:11:53.471 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 41 IPs (26 /24s) (# pkts S/M/O/I=0/41/0/0): 22:41, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (16:11:53.471 PDT) tcpslice 1367190713.471 1367190713.472 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/28/2013 16:16:33.458 PDT Gen. Time: 04/28/2013 16:16:33.458 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 128.84.154.44 (16:16:33.458 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 41 IPs (26 /24s) (# pkts S/M/O/I=0/41/0/0): 22:41, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (16:16:33.458 PDT) tcpslice 1367190993.458 1367190993.459 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' ============================== SEPARATOR ================================ Score: 1.3 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/28/2013 16:16:33.458 PDT Gen. Time: 04/28/2013 16:25:31.188 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN 128.111.52.58 (16:18:41.375 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 48537->22 (16:18:41.375 PDT) 128.208.4.197 (2) (16:19:16.315 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 44106->22 (16:19:16.315 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 44106->22 (16:19:16.315 PDT) 152.14.93.140 (16:19:06.726 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 57400->22 (16:19:06.726 PDT) 13.7.64.22 (16:19:12.996 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 58450->22 (16:19:12.996 PDT) 158.130.6.254 (16:18:06.680 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 39123->22 (16:18:06.680 PDT) 128.42.142.45 (16:16:39.804 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 47892->22 (16:16:39.804 PDT) 192.52.240.214 (16:18:14.809 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 35117->22 (16:18:14.809 PDT) 204.123.28.56 (16:16:42.637 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 40567->22 (16:16:42.637 PDT) 204.8.155.227 (2) (16:18:31.395 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 35548->22 (16:18:31.395 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 35548->22 (16:18:31.395 PDT) 129.82.12.188 (16:18:44.788 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 51619->22 (16:18:44.788 PDT) 141.212.113.180 (16:18:38.314 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 33426->22 (16:18:38.314 PDT) 152.3.138.7 (16:18:22.756 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 57462->22 (16:18:22.756 PDT) 141.212.113.179 (16:18:59.564 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 46515->22 (16:18:59.564 PDT) 152.3.138.6 (2) (16:18:51.703 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 44247->22 (16:18:51.703 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 44247->22 (16:18:51.703 PDT) ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 128.84.154.44 (6) (16:16:33.458 PDT-16:22:36.300 PDT) event=777:7777008 (6) {tcp} E8[bh] Detected intense malware port scanning of 41 IPs (26 /24s) (# pkts S/M/O/I=0/41/0/0): 22:41, [] MAC_Src: 00:01:64:FF:CE:EA 5: 0->0 (16:16:33.458 PDT-16:22:36.300 PDT) (16:24:41.173 PDT) tcpslice 1367190993.458 1367191356.301 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/28/2013 16:37:53.389 PDT Gen. Time: 04/28/2013 16:38:51.800 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) 192.52.240.214 (16:38:51.800 PDT) event=777:7777005 {tcp} E5[bh] Detected moderate malware port scanning of 10 IPs (10 /24s) (# pkts S/M/O/I=0/10/0/0): 22:10, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (16:38:51.800 PDT) OUTBOUND SCAN 128.111.52.58 (2) (16:38:50.387 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 48749->22 (16:38:50.387 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 48749->22 (16:38:50.387 PDT) 204.8.155.227 (16:38:40.822 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 35760->22 (16:38:40.822 PDT) 128.42.142.45 (16:37:53.389 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 48104->22 (16:37:53.389 PDT) 152.3.138.7 (16:38:32.470 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 57674->22 (16:38:32.470 PDT) 204.123.28.56 (16:37:56.182 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 40779->22 (16:37:56.182 PDT) 141.212.113.180 (16:38:47.509 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 33638->22 (16:38:47.509 PDT) 192.52.240.214 (2) (16:38:24.535 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 35329->22 (16:38:24.535 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 35329->22 (16:38:24.535 PDT) 158.130.6.254 (16:38:16.588 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 39335->22 (16:38:16.588 PDT) ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1367192273.389 1367192273.390 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' ============================== SEPARATOR ================================ Score: 1.6 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/28/2013 16:37:53.389 PDT Gen. Time: 04/28/2013 16:47:18.708 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) 192.52.240.214 (16:38:51.800 PDT) event=777:7777005 {tcp} E5[bh] Detected moderate malware port scanning of 10 IPs (10 /24s) (# pkts S/M/O/I=0/10/0/0): 22:10, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (16:38:51.800 PDT) OUTBOUND SCAN 128.111.52.58 (2) (16:38:50.387 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 48749->22 (16:38:50.387 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 48749->22 (16:38:50.387 PDT) 128.208.4.197 (16:39:27.165 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 44318->22 (16:39:27.165 PDT) 152.14.93.140 (2) (16:39:17.710 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 57612->22 (16:39:17.710 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 57612->22 (16:39:17.710 PDT) 13.7.64.22 (16:39:23.787 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 58662->22 (16:39:23.787 PDT) 158.130.6.254 (16:38:16.588 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 39335->22 (16:38:16.588 PDT) 128.42.142.45 (16:37:53.389 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 48104->22 (16:37:53.389 PDT) 192.52.240.214 (2) (16:38:24.535 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 35329->22 (16:38:24.535 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 35329->22 (16:38:24.535 PDT) 204.123.28.56 (16:37:56.182 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 40779->22 (16:37:56.182 PDT) 204.8.155.227 (16:38:40.822 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 35760->22 (16:38:40.822 PDT) 129.82.12.188 (16:38:53.322 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 51831->22 (16:38:53.322 PDT) 141.212.113.180 (16:38:47.509 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 33638->22 (16:38:47.509 PDT) 152.3.138.7 (16:38:32.470 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 57674->22 (16:38:32.470 PDT) 141.212.113.179 (16:39:10.807 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 46727->22 (16:39:10.807 PDT) 152.3.138.6 (16:39:02.999 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 44459->22 (16:39:02.999 PDT) ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 192.52.240.214 (2) (16:40:17.294 PDT) event=777:7777008 (2) {tcp} E8[bh] Detected intense malware port scanning of 21 IPs (16 /24s) (# pkts S/M/O/I=0/21/0/0): 22:21, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (16:40:17.294 PDT) 0->0 (16:41:48.557 PDT) tcpslice 1367192273.389 1367192273.390 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/28/2013 16:49:05.906 PDT Gen. Time: 04/28/2013 16:49:05.906 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 192.52.240.214 (16:49:05.906 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 41 IPs (26 /24s) (# pkts S/M/O/I=0/41/0/0): 22:41, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (16:49:05.906 PDT) tcpslice 1367192945.906 1367192945.907 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/28/2013 16:58:10.843 PDT Gen. Time: 04/28/2013 16:59:09.432 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) 128.111.52.58 (16:59:09.432 PDT) event=777:7777005 {tcp} E5[bh] Detected moderate malware port scanning of 10 IPs (10 /24s) (# pkts S/M/O/I=0/10/0/0): 22:10, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (16:59:09.432 PDT) OUTBOUND SCAN 128.111.52.58 (2) (16:59:08.990 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 48959->22 (16:59:08.990 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 48959->22 (16:59:08.990 PDT) 204.8.155.227 (16:58:58.640 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 35970->22 (16:58:58.640 PDT) 128.42.142.45 (16:58:10.843 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 48314->22 (16:58:10.843 PDT) 152.3.138.7 (16:58:50.402 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 57884->22 (16:58:50.402 PDT) 204.123.28.56 (16:58:13.709 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 40989->22 (16:58:13.709 PDT) 141.212.113.180 (16:59:05.666 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 33848->22 (16:59:05.666 PDT) 192.52.240.214 (2) (16:58:42.271 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 35539->22 (16:58:42.271 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 35539->22 (16:58:42.271 PDT) 158.130.6.254 (16:58:34.380 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 39545->22 (16:58:34.380 PDT) ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1367193490.843 1367193490.844 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' ============================== SEPARATOR ================================ Score: 1.6 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/28/2013 16:58:10.843 PDT Gen. Time: 04/28/2013 17:07:21.653 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) 128.111.52.58 (16:59:09.432 PDT) event=777:7777005 {tcp} E5[bh] Detected moderate malware port scanning of 10 IPs (10 /24s) (# pkts S/M/O/I=0/10/0/0): 22:10, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (16:59:09.432 PDT) OUTBOUND SCAN 128.111.52.58 (2) (16:59:08.990 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 48959->22 (16:59:08.990 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 48959->22 (16:59:08.990 PDT) 152.14.93.140 (16:59:39.869 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 57827->22 (16:59:39.869 PDT) 131.179.150.70 (16:59:11.493 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 43085->22 (16:59:11.493 PDT) 13.7.64.22 (16:59:43.612 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 58877->22 (16:59:43.612 PDT) 158.130.6.254 (16:58:34.380 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 39545->22 (16:58:34.380 PDT) 128.42.142.45 (16:58:10.843 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 48314->22 (16:58:10.843 PDT) 192.52.240.214 (2) (16:58:42.271 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 35539->22 (16:58:42.271 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 35539->22 (16:58:42.271 PDT) 204.123.28.56 (16:58:13.709 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 40989->22 (16:58:13.709 PDT) 204.8.155.227 (16:58:58.640 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 35970->22 (16:58:58.640 PDT) 129.82.12.188 (16:59:17.005 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 52046->22 (16:59:17.005 PDT) 141.212.113.180 (16:59:05.666 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 33848->22 (16:59:05.666 PDT) 152.3.138.7 (16:58:50.402 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 57884->22 (16:58:50.402 PDT) 141.212.113.179 (2) (16:59:32.664 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 46942->22 (16:59:32.664 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 46942->22 (16:59:32.664 PDT) 152.3.138.6 (16:59:25.030 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 44674->22 (16:59:25.030 PDT) ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 128.208.4.197 (3) (17:00:18.136 PDT) event=777:7777008 (3) {tcp} E8[bh] Detected intense malware port scanning of 21 IPs (16 /24s) (# pkts S/M/O/I=0/21/0/0): 22:21, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (17:00:18.136 PDT) 0->0 (17:01:48.632 PDT) 0->0 (17:06:47.208 PDT) tcpslice 1367193490.843 1367193490.844 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/28/2013 17:08:39.908 PDT Gen. Time: 04/28/2013 17:08:39.908 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 128.208.4.197 (17:08:39.908 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 42 IPs (26 /24s) (# pkts S/M/O/I=0/42/0/0): 22:42, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (17:08:39.908 PDT) tcpslice 1367194119.908 1367194119.909 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/28/2013 17:18:23.313 PDT Gen. Time: 04/28/2013 17:19:39.392 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) 141.212.113.180 (17:19:39.392 PDT) event=777:7777005 {tcp} E5[bh] Detected moderate malware port scanning of 10 IPs (10 /24s) (# pkts S/M/O/I=0/10/0/0): 22:10, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (17:19:39.392 PDT) OUTBOUND SCAN 128.111.52.58 (2) (17:19:38.976 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 49172->22 (17:19:38.976 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 49172->22 (17:19:38.976 PDT) 204.8.155.227 (17:19:28.598 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 36183->22 (17:19:28.598 PDT) 128.42.142.45 (17:18:23.313 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 48527->22 (17:18:23.313 PDT) 152.3.138.7 (17:19:20.287 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 58097->22 (17:19:20.287 PDT) 204.123.28.56 (17:18:26.235 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 41202->22 (17:18:26.235 PDT) 141.212.113.180 (17:19:35.874 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 34061->22 (17:19:35.874 PDT) 192.52.240.214 (2) (17:19:12.435 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 35752->22 (17:19:12.435 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 35752->22 (17:19:12.435 PDT) 158.130.6.254 (17:19:03.333 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 39758->22 (17:19:03.333 PDT) ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1367194703.313 1367194703.314 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' ============================== SEPARATOR ================================ Score: 1.6 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/28/2013 17:18:23.313 PDT Gen. Time: 04/28/2013 17:26:05.095 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) 141.212.113.180 (17:19:39.392 PDT) event=777:7777005 {tcp} E5[bh] Detected moderate malware port scanning of 10 IPs (10 /24s) (# pkts S/M/O/I=0/10/0/0): 22:10, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (17:19:39.392 PDT) OUTBOUND SCAN 128.111.52.58 (2) (17:19:38.976 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 49172->22 (17:19:38.976 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 49172->22 (17:19:38.976 PDT) 152.14.93.140 (17:20:11.621 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 58040->22 (17:20:11.621 PDT) 131.179.150.70 (17:19:41.379 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 43298->22 (17:19:41.379 PDT) 13.7.64.22 (17:20:15.252 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 59090->22 (17:20:15.252 PDT) 158.130.6.254 (17:19:03.333 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 39758->22 (17:19:03.333 PDT) 128.42.142.45 (17:18:23.313 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 48527->22 (17:18:23.313 PDT) 192.52.240.214 (2) (17:19:12.435 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 35752->22 (17:19:12.435 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 35752->22 (17:19:12.435 PDT) 204.123.28.56 (17:18:26.235 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 41202->22 (17:18:26.235 PDT) 204.8.155.227 (17:19:28.598 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 36183->22 (17:19:28.598 PDT) 129.82.12.188 (17:19:47.594 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 52259->22 (17:19:47.594 PDT) 141.212.113.180 (17:19:35.874 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 34061->22 (17:19:35.874 PDT) 152.3.138.7 (17:19:20.287 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 58097->22 (17:19:20.287 PDT) 141.212.113.179 (2) (17:20:04.479 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 47155->22 (17:20:04.479 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 47155->22 (17:20:04.479 PDT) 152.3.138.6 (17:19:57.546 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 44887->22 (17:19:57.546 PDT) ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 141.212.113.180 (3) (17:20:39.623 PDT) event=777:7777008 (3) {tcp} E8[bh] Detected intense malware port scanning of 21 IPs (16 /24s) (# pkts S/M/O/I=0/21/0/0): 22:21, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (17:20:39.623 PDT) 0->0 (17:22:10.104 PDT) 0->0 (17:23:41.791 PDT) tcpslice 1367194703.313 1367194703.314 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/28/2013 17:39:03.056 PDT Gen. Time: 04/28/2013 17:40:07.141 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) 152.3.138.7 (17:40:07.141 PDT) event=777:7777005 {tcp} E5[bh] Detected moderate malware port scanning of 10 IPs (10 /24s) (# pkts S/M/O/I=0/10/0/0): 22:10, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (17:40:07.141 PDT) OUTBOUND SCAN 204.8.155.227 (17:39:59.076 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 36398->22 (17:39:59.076 PDT) 128.42.142.45 (17:39:03.056 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 48742->22 (17:39:03.056 PDT) 152.3.138.7 (17:39:51.082 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 58312->22 (17:39:51.082 PDT) 204.123.28.56 (17:39:05.915 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 41417->22 (17:39:05.915 PDT) 141.212.113.180 (17:40:06.028 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 34276->22 (17:40:06.028 PDT) 192.52.240.214 (2) (17:39:43.069 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 35967->22 (17:39:43.069 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 35967->22 (17:39:43.069 PDT) 158.130.6.254 (17:39:34.897 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 39973->22 (17:39:34.897 PDT) ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1367195943.056 1367195943.057 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' ============================== SEPARATOR ================================ Score: 1.6 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/28/2013 17:39:03.056 PDT Gen. Time: 04/28/2013 17:47:27.454 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) 152.3.138.7 (17:40:07.141 PDT) event=777:7777005 {tcp} E5[bh] Detected moderate malware port scanning of 10 IPs (10 /24s) (# pkts S/M/O/I=0/10/0/0): 22:10, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (17:40:07.141 PDT) OUTBOUND SCAN 128.111.52.58 (2) (17:40:09.609 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 49387->22 (17:40:09.609 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 49387->22 (17:40:09.609 PDT) 128.208.4.197 (17:40:44.756 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 44956->22 (17:40:44.756 PDT) 152.14.93.140 (2) (17:40:35.659 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 58250->22 (17:40:35.659 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 58250->22 (17:40:35.659 PDT) 13.7.64.22 (17:40:41.308 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 59300->22 (17:40:41.308 PDT) 158.130.6.254 (17:39:34.897 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 39973->22 (17:39:34.897 PDT) 128.42.142.45 (17:39:03.056 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 48742->22 (17:39:03.056 PDT) 192.52.240.214 (2) (17:39:43.069 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 35967->22 (17:39:43.069 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 35967->22 (17:39:43.069 PDT) 204.123.28.56 (17:39:05.915 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 41417->22 (17:39:05.915 PDT) 204.8.155.227 (17:39:59.076 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 36398->22 (17:39:59.076 PDT) 129.82.12.188 (17:40:13.373 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 52469->22 (17:40:13.373 PDT) 141.212.113.180 (17:40:06.028 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 34276->22 (17:40:06.028 PDT) 152.3.138.7 (17:39:51.082 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 58312->22 (17:39:51.082 PDT) 141.212.113.179 (17:40:28.795 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 47365->22 (17:40:28.795 PDT) 152.3.138.6 (17:40:20.785 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 45097->22 (17:40:20.785 PDT) ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 152.14.93.140 (2) (17:41:16.270 PDT) event=777:7777008 (2) {tcp} E8[bh] Detected intense malware port scanning of 21 IPs (15 /24s) (# pkts S/M/O/I=0/21/0/0): 22:21, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (17:41:16.270 PDT) 0->0 (17:42:48.504 PDT) 152.14.93.139 (17:44:18.002 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 40 IPs (26 /24s) (# pkts S/M/O/I=0/40/0/0): 22:40, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (17:44:18.002 PDT) tcpslice 1367195943.056 1367195943.057 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/28/2013 17:50:47.861 PDT Gen. Time: 04/28/2013 17:50:47.861 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 128.223.8.111 (17:50:47.861 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 41 IPs (26 /24s) (# pkts S/M/O/I=0/41/0/0): 22:41, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (17:50:47.861 PDT) tcpslice 1367196647.861 1367196647.862 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/28/2013 17:59:26.537 PDT Gen. Time: 04/28/2013 18:00:35.596 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) 158.130.6.254 (18:00:35.596 PDT) event=777:7777005 {tcp} E5[bh] Detected moderate malware port scanning of 10 IPs (10 /24s) (# pkts S/M/O/I=0/10/0/0): 22:10, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (18:00:35.596 PDT) OUTBOUND SCAN 128.111.52.58 (2) (18:00:34.135 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 49595->22 (18:00:34.135 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 49595->22 (18:00:34.135 PDT) 204.8.155.227 (18:00:24.287 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 36606->22 (18:00:24.287 PDT) 128.42.142.45 (17:59:26.537 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 48950->22 (17:59:26.537 PDT) 152.3.138.7 (18:00:16.116 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 58520->22 (18:00:16.116 PDT) 204.123.28.56 (17:59:29.506 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 41625->22 (17:59:29.506 PDT) 141.212.113.180 (18:00:31.116 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 34484->22 (18:00:31.116 PDT) 192.52.240.214 (2) (18:00:08.190 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 36175->22 (18:00:08.190 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 36175->22 (18:00:08.190 PDT) 158.130.6.254 (17:59:59.871 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 40181->22 (17:59:59.871 PDT) ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1367197166.537 1367197166.538 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' ============================== SEPARATOR ================================ Score: 1.6 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/28/2013 17:59:26.537 PDT Gen. Time: 04/28/2013 18:08:51.338 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) 158.130.6.254 (18:00:35.596 PDT) event=777:7777005 {tcp} E5[bh] Detected moderate malware port scanning of 10 IPs (10 /24s) (# pkts S/M/O/I=0/10/0/0): 22:10, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (18:00:35.596 PDT) OUTBOUND SCAN 128.111.52.58 (2) (18:00:34.135 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 49595->22 (18:00:34.135 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 49595->22 (18:00:34.135 PDT) 128.208.4.197 (18:01:09.560 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 45164->22 (18:01:09.560 PDT) 152.14.93.140 (2) (18:01:00.448 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 58458->22 (18:01:00.448 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 58458->22 (18:01:00.448 PDT) 13.7.64.22 (18:01:06.131 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 59508->22 (18:01:06.131 PDT) 158.130.6.254 (17:59:59.871 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 40181->22 (17:59:59.871 PDT) 128.42.142.45 (17:59:26.537 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 48950->22 (17:59:26.537 PDT) 192.52.240.214 (2) (18:00:08.190 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 36175->22 (18:00:08.190 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 36175->22 (18:00:08.190 PDT) 204.123.28.56 (17:59:29.506 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 41625->22 (17:59:29.506 PDT) 204.8.155.227 (18:00:24.287 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 36606->22 (18:00:24.287 PDT) 129.82.12.188 (18:00:38.198 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 52677->22 (18:00:38.198 PDT) 141.212.113.180 (18:00:31.116 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 34484->22 (18:00:31.116 PDT) 152.3.138.7 (18:00:16.116 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 58520->22 (18:00:16.116 PDT) 141.212.113.179 (18:00:53.244 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 47573->22 (18:00:53.244 PDT) 152.3.138.6 (18:00:45.404 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 45305->22 (18:00:45.404 PDT) ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 152.14.93.140 (4) (18:01:42.671 PDT-18:06:33.318 PDT) event=777:7777008 (4) {tcp} E8[bh] Detected intense malware port scanning of 30 IPs (21 /24s) (# pkts S/M/O/I=0/30/0/0): 22:30, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (18:03:16.710 PDT) 0->0 (18:01:42.671 PDT) 2: 0->0 (18:04:51.030 PDT-18:06:33.318 PDT) tcpslice 1367197166.537 1367197593.319 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/28/2013 18:11:53.550 PDT Gen. Time: 04/28/2013 18:11:53.550 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 152.14.93.140 (18:11:53.550 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 41 IPs (26 /24s) (# pkts S/M/O/I=0/41/0/0): 22:41, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (18:11:53.550 PDT) tcpslice 1367197913.550 1367197913.551 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/28/2013 18:19:45.142 PDT Gen. Time: 04/28/2013 18:19:45.142 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 152.14.93.140 (18:19:45.142 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 41 IPs (26 /24s) (# pkts S/M/O/I=0/41/0/0): 22:41, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (18:19:45.142 PDT) tcpslice 1367198385.142 1367198385.143 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' ============================== SEPARATOR ================================ Score: 1.3 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/28/2013 18:19:45.142 PDT Gen. Time: 04/28/2013 18:29:13.695 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN 128.111.52.58 (2) (18:21:08.979 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 49803->22 (18:21:08.979 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 49803->22 (18:21:08.979 PDT) 128.208.4.197 (18:21:45.228 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 45372->22 (18:21:45.228 PDT) 152.14.93.140 (2) (18:21:36.220 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 58666->22 (18:21:36.220 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 58666->22 (18:21:36.220 PDT) 13.7.64.22 (18:21:41.797 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 59716->22 (18:21:41.797 PDT) 158.130.6.254 (18:20:34.075 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 40389->22 (18:20:34.075 PDT) 128.42.142.45 (18:19:51.616 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 49158->22 (18:19:51.616 PDT) 192.52.240.214 (2) (18:20:42.250 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 36383->22 (18:20:42.250 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 36383->22 (18:20:42.250 PDT) 204.123.28.56 (18:19:54.491 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 41833->22 (18:19:54.491 PDT) 204.8.155.227 (18:20:58.920 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 36814->22 (18:20:58.920 PDT) 129.82.12.188 (18:21:13.289 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 52885->22 (18:21:13.289 PDT) 141.212.113.180 (18:21:05.873 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 34692->22 (18:21:05.873 PDT) 152.3.138.7 (18:20:50.633 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 58728->22 (18:20:50.633 PDT) 141.212.113.179 (18:21:28.963 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 47781->22 (18:21:28.963 PDT) 152.3.138.6 (18:21:20.664 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 45513->22 (18:21:20.664 PDT) ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 152.14.93.140 (5) (18:19:45.142 PDT-18:27:55.394 PDT) event=777:7777008 (5) {tcp} E8[bh] Detected intense malware port scanning of 41 IPs (26 /24s) (# pkts S/M/O/I=0/41/0/0): 22:41, [] MAC_Src: 00:01:64:FF:CE:EA 5: 0->0 (18:19:45.142 PDT-18:27:55.394 PDT) tcpslice 1367198385.142 1367198875.395 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/28/2013 18:40:33.419 PDT Gen. Time: 04/28/2013 18:41:53.282 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) 141.212.113.180 (18:41:53.282 PDT) event=777:7777005 {tcp} E5[bh] Detected moderate malware port scanning of 10 IPs (10 /24s) (# pkts S/M/O/I=0/10/0/0): 22:10, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (18:41:53.282 PDT) OUTBOUND SCAN 128.111.52.58 (2) (18:41:50.325 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 50015->22 (18:41:50.325 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 50015->22 (18:41:50.325 PDT) 131.179.150.70 (18:41:52.836 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 44141->22 (18:41:52.836 PDT) 158.130.6.254 (18:41:15.334 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 40601->22 (18:41:15.334 PDT) 128.42.142.45 (18:40:33.419 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 49370->22 (18:40:33.419 PDT) 192.52.240.214 (2) (18:41:23.839 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 36595->22 (18:41:23.839 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 36595->22 (18:41:23.839 PDT) 204.123.28.56 (18:40:36.248 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 42045->22 (18:40:36.248 PDT) 204.8.155.227 (18:41:40.628 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 37026->22 (18:41:40.628 PDT) 141.212.113.180 (18:41:47.346 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 34904->22 (18:41:47.346 PDT) 152.3.138.7 (18:41:32.229 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 58940->22 (18:41:32.229 PDT) ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1367199633.419 1367199633.420 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' ============================== SEPARATOR ================================ Score: 1.6 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/28/2013 18:40:33.419 PDT Gen. Time: 04/28/2013 18:50:42.814 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) 141.212.113.180 (18:41:53.282 PDT) event=777:7777005 {tcp} E5[bh] Detected moderate malware port scanning of 10 IPs (10 /24s) (# pkts S/M/O/I=0/10/0/0): 22:10, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (18:41:53.282 PDT) OUTBOUND SCAN 128.111.52.58 (2) (18:41:50.325 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 50015->22 (18:41:50.325 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 50015->22 (18:41:50.325 PDT) 152.14.93.140 (18:42:21.482 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 58883->22 (18:42:21.482 PDT) 131.179.150.70 (18:41:52.836 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 44141->22 (18:41:52.836 PDT) 13.7.64.22 (18:42:25.542 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 59933->22 (18:42:25.542 PDT) 158.130.6.254 (18:41:15.334 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 40601->22 (18:41:15.334 PDT) 128.42.142.45 (18:40:33.419 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 49370->22 (18:40:33.419 PDT) 192.52.240.214 (2) (18:41:23.839 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 36595->22 (18:41:23.839 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 36595->22 (18:41:23.839 PDT) 204.123.28.56 (18:40:36.248 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 42045->22 (18:40:36.248 PDT) 204.8.155.227 (18:41:40.628 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 37026->22 (18:41:40.628 PDT) 129.82.12.188 (18:41:58.805 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 53102->22 (18:41:58.805 PDT) 141.212.113.180 (18:41:47.346 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 34904->22 (18:41:47.346 PDT) 152.3.138.7 (18:41:32.229 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 58940->22 (18:41:32.229 PDT) 141.212.113.179 (2) (18:42:14.322 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 47998->22 (18:42:14.322 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 47998->22 (18:42:14.322 PDT) 152.3.138.6 (18:42:07.138 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 45730->22 (18:42:07.138 PDT) ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 128.84.154.44 (3) (18:43:20.878 PDT) event=777:7777008 (3) {tcp} E8[bh] Detected intense malware port scanning of 21 IPs (16 /24s) (# pkts S/M/O/I=0/21/0/0): 22:21, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (18:43:20.878 PDT) 0->0 (18:44:50.205 PDT) 0->0 (18:49:05.986 PDT) tcpslice 1367199633.419 1367199633.420 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/28/2013 18:57:09.861 PDT Gen. Time: 04/28/2013 18:57:09.861 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 128.84.154.44 (18:57:09.861 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 41 IPs (26 /24s) (# pkts S/M/O/I=0/41/0/0): 22:41, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (18:57:09.861 PDT) tcpslice 1367200629.861 1367200629.862 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/28/2013 19:01:20.112 PDT Gen. Time: 04/28/2013 19:01:20.112 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 128.84.154.44 (19:01:20.112 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 41 IPs (26 /24s) (# pkts S/M/O/I=0/41/0/0): 22:41, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (19:01:20.112 PDT) tcpslice 1367200880.112 1367200880.113 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' ============================== SEPARATOR ================================ Score: 1.3 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/28/2013 19:01:20.112 PDT Gen. Time: 04/28/2013 19:10:00.169 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN 128.111.52.58 (2) (19:02:28.903 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 50226->22 (19:02:28.903 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 50226->22 (19:02:28.903 PDT) 128.208.4.197 (19:03:04.567 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 45795->22 (19:03:04.567 PDT) 152.14.93.140 (2) (19:02:56.287 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 59089->22 (19:02:56.287 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 59089->22 (19:02:56.287 PDT) 13.7.64.22 (19:03:00.779 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 60139->22 (19:03:00.779 PDT) 158.130.6.254 (19:01:53.282 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 40812->22 (19:01:53.282 PDT) 128.42.142.45 (19:01:26.386 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 49581->22 (19:01:26.386 PDT) 192.52.240.214 (2) (19:02:02.515 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 36806->22 (19:02:02.515 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 36806->22 (19:02:02.515 PDT) 204.123.28.56 (19:01:29.175 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 42256->22 (19:01:29.175 PDT) 204.8.155.227 (19:02:18.676 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 37237->22 (19:02:18.676 PDT) 129.82.12.188 (19:02:33.604 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 53308->22 (19:02:33.604 PDT) 141.212.113.180 (19:02:25.468 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 35115->22 (19:02:25.468 PDT) 152.3.138.7 (19:02:10.463 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 59151->22 (19:02:10.463 PDT) 141.212.113.179 (19:02:48.843 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 48204->22 (19:02:48.843 PDT) 152.3.138.6 (19:02:41.329 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 45936->22 (19:02:41.329 PDT) ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 128.84.154.44 (5) (19:01:20.112 PDT-19:08:10.056 PDT) event=777:7777008 (5) {tcp} E8[bh] Detected intense malware port scanning of 41 IPs (26 /24s) (# pkts S/M/O/I=0/41/0/0): 22:41, [] MAC_Src: 00:01:64:FF:CE:EA 5: 0->0 (19:01:20.112 PDT-19:08:10.056 PDT) tcpslice 1367200880.112 1367201290.057 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/28/2013 19:17:40.383 PDT Gen. Time: 04/28/2013 19:17:40.383 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 128.84.154.44 (19:17:40.383 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 41 IPs (26 /24s) (# pkts S/M/O/I=0/41/0/0): 22:41, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (19:17:40.383 PDT) tcpslice 1367201860.383 1367201860.384 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/28/2013 19:21:34.954 PDT Gen. Time: 04/28/2013 19:21:34.954 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 128.84.154.44 (19:21:34.954 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 41 IPs (26 /24s) (# pkts S/M/O/I=0/41/0/0): 22:41, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (19:21:34.954 PDT) tcpslice 1367202094.954 1367202094.955 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' ============================== SEPARATOR ================================ Score: 1.3 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/28/2013 19:21:34.954 PDT Gen. Time: 04/28/2013 19:31:25.047 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN 128.111.52.58 (19:24:14.545 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 50431->22 (19:24:14.545 PDT) 128.208.4.197 (2) (19:24:41.129 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 45992->22 (19:24:41.129 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 45995->22 (19:24:43.696 PDT) 152.14.93.140 (19:24:35.409 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 59289->22 (19:24:35.409 PDT) 13.7.64.22 (19:24:40.012 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 60339->22 (19:24:40.012 PDT) 158.130.6.254 (19:23:36.745 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 41022->22 (19:23:36.745 PDT) 128.42.142.45 (19:21:41.367 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 49791->22 (19:21:41.367 PDT) 192.52.240.214 (19:23:54.572 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 37016->22 (19:23:54.572 PDT) 204.123.28.56 (19:21:44.157 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 42466->22 (19:21:44.157 PDT) 204.8.155.227 (19:24:11.006 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 37447->22 (19:24:11.006 PDT) 192.52.240.213 (19:24:52.976 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 41423->22 (19:24:52.976 PDT) 129.82.12.188 (2) (19:24:15.044 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 53510->22 (19:24:15.044 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 53513->22 (19:24:19.678 PDT) 204.8.155.226 (19:25:01.308 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 57687->22 (19:25:01.308 PDT) 152.3.138.7 (19:24:02.555 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 59361->22 (19:24:02.555 PDT) 128.111.52.59 (19:24:46.709 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 45265->22 (19:24:46.709 PDT) 152.3.138.6 (19:24:27.368 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 46141->22 (19:24:27.368 PDT) ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 128.84.154.44 (5) (19:21:34.954 PDT-19:27:49.871 PDT) event=777:7777008 (5) {tcp} E8[bh] Detected intense malware port scanning of 41 IPs (26 /24s) (# pkts S/M/O/I=0/41/0/0): 22:41, [] MAC_Src: 00:01:64:FF:CE:EA 5: 0->0 (19:21:34.954 PDT-19:27:49.871 PDT) tcpslice 1367202094.954 1367202469.872 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/28/2013 19:43:26.221 PDT Gen. Time: 04/28/2013 19:45:01.873 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) 158.130.6.254 (19:45:01.873 PDT) event=777:7777005 {tcp} E5[bh] Detected moderate malware port scanning of 10 IPs (9 /24s) (# pkts S/M/O/I=0/10/0/0): 22:10, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (19:45:01.873 PDT) OUTBOUND SCAN 192.52.240.213 (19:44:26.728 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 41565->22 (19:44:26.728 PDT) 155.246.12.164 (19:44:36.054 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 52893->22 (19:44:36.054 PDT) 128.42.142.45 (19:43:26.221 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 49973->22 (19:43:26.221 PDT) 13.7.64.22 (19:44:21.393 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 60491->22 (19:44:21.393 PDT) 204.123.28.56 (19:43:29.284 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 42648->22 (19:43:29.284 PDT) 128.84.154.44 (2) (19:44:55.476 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 51904->22 (19:44:55.476 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 51904->22 (19:44:55.476 PDT) 192.52.240.214 (2) (19:44:18.054 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 37198->22 (19:44:18.054 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 37198->22 (19:44:18.054 PDT) 158.130.6.254 (19:44:09.821 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 41204->22 (19:44:09.821 PDT) ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1367203406.221 1367203406.222 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 04/28/2013 19:43:26.221 PDT Gen. Time: 04/28/2013 19:50:10.605 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) 158.130.6.254 (19:45:01.873 PDT) event=777:7777005 {tcp} E5[bh] Detected moderate malware port scanning of 10 IPs (9 /24s) (# pkts S/M/O/I=0/10/0/0): 22:10, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (19:45:01.873 PDT) OUTBOUND SCAN 158.130.6.254 (19:44:09.821 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 41204->22 (19:44:09.821 PDT) 13.7.64.22 (19:44:21.393 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 60491->22 (19:44:21.393 PDT) 155.246.12.164 (19:44:36.054 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 52893->22 (19:44:36.054 PDT) 128.84.154.45 (19:45:54.883 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 34567->22 (19:45:54.883 PDT) 128.42.142.45 (19:43:26.221 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 49973->22 (19:43:26.221 PDT) 158.130.6.253 (2) (19:45:28.083 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 37224->22 (19:45:28.083 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 37224->22 (19:45:28.083 PDT) 192.52.240.214 (2) (19:44:18.054 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 37198->22 (19:44:18.054 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 37198->22 (19:44:18.054 PDT) 128.84.154.44 (2) (19:44:55.476 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 51904->22 (19:44:55.476 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 51904->22 (19:44:55.476 PDT) 204.123.28.56 (19:43:29.284 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 42648->22 (19:43:29.284 PDT) 13.7.64.20 (19:45:18.534 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 54699->22 (19:45:18.534 PDT) 192.52.240.213 (19:44:26.728 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 41565->22 (19:44:26.728 PDT) 204.123.28.55 (19:45:16.064 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 57224->22 (19:45:16.064 PDT) 128.252.19.19 (19:45:07.213 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 35406->22 (19:45:07.213 PDT) 128.252.19.18 (19:45:42.767 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 47517->22 (19:45:42.767 PDT) ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1367203406.221 1367203406.222 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' ============================== SEPARATOR ================================