Score: 0.9 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 189.69.125.230
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/02/2013 01:17:17.085 PDT
Gen. Time: 05/02/2013 01:18:09.783 PDT

INBOUND SCAN
EXPLOIT
189.69.125.230 (01:18:09.783 PDT)
  event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
  445<-2463 (01:18:09.783 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
213.239.193.176 (01:17:17.085 PDT)
  event=1:9920020 {udp} E8[std] ET ShadowServer confirmed botnet control server on standard port, [] MAC_Src: 00:21:5A:08:EC:40
  39900->53 (01:17:17.085 PDT)
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1367482637.085 1367482637.086 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 64.79.73.74
Egg Source List: 64.79.73.74
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/02/2013 01:36:20.714 PDT
Gen. Time: 05/02/2013 01:36:24.229 PDT

INBOUND SCAN
EXPLOIT
64.79.73.74 (01:36:20.714 PDT)
  event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
  445<-3599 (01:36:20.714 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
64.79.73.74 (01:36:24.229 PDT)
  event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
  57173<-9487 (01:36:24.229 PDT)
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1367483780.714 1367483780.715 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 1.4 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 64.79.73.74
Egg Source List: 64.79.73.74
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/02/2013 01:36:20.714 PDT
Gen. Time: 05/02/2013 01:39:40.806 PDT

INBOUND SCAN
EXPLOIT
64.79.73.74 (01:36:20.714 PDT)
  event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
  445<-3599 (01:36:20.714 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
64.79.73.74 (01:36:24.229 PDT)
  event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
  57173<-9487 (01:36:24.229 PDT)
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
204.11.237.4 (01:38:44.791 PDT)
  event=1:9920020 {udp} E8[std] ET ShadowServer confirmed botnet control server on standard port, [] MAC_Src: 00:21:5A:08:EC:40
  37445->53 (01:38:44.791 PDT)
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1367483780.714 1367483780.715 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 58.76.226.109
Egg Source List: 58.76.226.109
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/02/2013 01:47:07.573 PDT
Gen. Time: 05/02/2013 01:47:10.716 PDT

INBOUND SCAN
EXPLOIT
58.76.226.109 (01:47:07.573 PDT)
  event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
  445<-1693 (01:47:07.573 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
58.76.226.109 (01:47:10.716 PDT)
  event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
  37538<-5766 (01:47:10.716 PDT)
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1367484427.573 1367484427.574 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 58.76.226.109, 124.205.203.134
Egg Source List: 58.76.226.109
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/02/2013 01:47:07.573 PDT
Gen. Time: 05/02/2013 01:52:45.553 PDT

INBOUND SCAN
EXPLOIT
58.76.226.109 (01:47:07.573 PDT)
  event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
  445<-1693 (01:47:07.573 PDT)
124.205.203.134 (01:49:31.006 PDT)
  event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
  445<-3450 (01:49:31.006 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
58.76.226.109 (01:47:10.716 PDT)
  event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
  37538<-5766 (01:47:10.716 PDT)
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1367484427.573 1367484427.574 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 95.67.250.35
Egg Source List: 95.67.250.35
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/02/2013 01:54:16.276 PDT
Gen. Time: 05/02/2013 01:54:19.712 PDT

INBOUND SCAN
EXPLOIT
95.67.250.35 (01:54:16.276 PDT)
  event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
  445<-4370 (01:54:16.276 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
95.67.250.35 (01:54:19.712 PDT)
  event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
  34611<-8567 (01:54:19.712 PDT)
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1367484856.276 1367484856.277 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 188.120.2.117, 200.204.2.164
Egg Source List: 188.120.2.117
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/02/2013 02:29:32.150 PDT
Gen. Time: 05/02/2013 02:30:21.999 PDT

INBOUND SCAN
EXPLOIT
188.120.2.117 (02:30:16.146 PDT)
  event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
  445<-2882 (02:30:16.146 PDT)
200.204.2.164 (02:29:32.150 PDT)
  event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
  445<-4261 (02:29:32.150 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
188.120.2.117 (02:30:21.999 PDT)
  event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
  53302<-2411 (02:30:21.999 PDT)
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1367486972.150 1367486972.151 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.9 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 174.138.203.10
Egg Source List: 174.138.203.10
C & C List: 81.177.3.211
Peer Coord. List:
Resource List:
Observed Start: 05/02/2013 03:10:25.259 PDT
Gen. Time: 05/02/2013 03:13:04.817 PDT

INBOUND SCAN
EXPLOIT
174.138.203.10 (03:13:01.840 PDT)
  event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
  445<-4031 (03:13:01.840 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
174.138.203.10 (03:13:04.817 PDT)
  event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
  44689<-3855 (03:13:04.817 PDT)
C and C TRAFFIC
C and C TRAFFIC (RBN)
81.177.3.211 (03:10:25.259 PDT)
  event=1:3810008 {udp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:EC:40
  59183->53 (03:10:25.259 PDT)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1367489425.259 1367489425.260 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 61.7.221.103
Egg Source List: 61.7.221.103
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/02/2013 03:19:29.550 PDT
Gen. Time: 05/02/2013 03:19:33.294 PDT

INBOUND SCAN
EXPLOIT
61.7.221.103 (03:19:29.550 PDT)
  event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
  445<-1510 (03:19:29.550 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
61.7.221.103 (03:19:33.294 PDT)
  event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
  57604<-1720 (03:19:33.294 PDT)
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1367489969.550 1367489969.551 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.9 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 61.7.221.103
Egg Source List: 61.7.221.103
C & C List: 210.145.102.19
Peer Coord. List:
Resource List:
Observed Start: 05/02/2013 03:19:29.550 PDT
Gen. Time: 05/02/2013 03:23:35.645 PDT

INBOUND SCAN
EXPLOIT
61.7.221.103 (03:19:29.550 PDT)
  event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
  445<-1510 (03:19:29.550 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
61.7.221.103 (03:19:33.294 PDT)
  event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
  57604<-1720 (03:19:33.294 PDT)
C and C TRAFFIC
C and C TRAFFIC (RBN)
210.145.102.19 (03:20:42.949 PDT)
  event=1:3810008 {udp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:EC:40
  46869->53 (03:20:42.949 PDT)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1367489969.550 1367489969.551 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 120.72.84.215
Egg Source List: 120.72.84.215
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/02/2013 04:48:57.979 PDT
Gen. Time: 05/02/2013 04:49:01.205 PDT

INBOUND SCAN
EXPLOIT
120.72.84.215 (04:48:57.979 PDT)
  event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
  445<-4261 (04:48:57.979 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
120.72.84.215 (04:49:01.205 PDT)
  event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
  36147<-8511 (04:49:01.205 PDT)
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1367495337.979 1367495337.980 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 111.232.243.235, 120.72.84.215
Egg Source List: 120.72.84.215
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/02/2013 04:48:57.979 PDT
Gen. Time: 05/02/2013 04:55:27.097 PDT

INBOUND SCAN
EXPLOIT
111.232.243.235 (04:52:54.059 PDT)
  event=1:22514 {tcp} E2[rb] GPL NETBIOS SMB-DS DCERPC LSASS DsRolerUpgradeDownlevelServer exploit attempt, [] MAC_Dst: 00:21:5A:08:EC:40
  445<-10249 (04:52:54.059 PDT)
120.72.84.215 (04:48:57.979 PDT)
  event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
  445<-4261 (04:48:57.979 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
120.72.84.215 (04:49:01.205 PDT)
  event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
  36147<-8511 (04:49:01.205 PDT)
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1367495337.979 1367495337.980 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 203.94.64.41
Egg Source List: 203.94.64.41
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/02/2013 04:56:40.343 PDT
Gen. Time: 05/02/2013 04:56:44.249 PDT

INBOUND SCAN
EXPLOIT
203.94.64.41 (04:56:40.343 PDT)
  event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
  445<-4260 (04:56:40.343 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
203.94.64.41 (04:56:44.249 PDT)
  event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
  47646<-5425 (04:56:44.249 PDT)
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1367495800.343 1367495800.344 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.9 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 70.154.50.185, 203.94.64.41, 186.89.23.108
Egg Source List: 203.94.64.41, 186.89.23.108
C & C List: 221.143.43.214
Peer Coord. List:
Resource List:
Observed Start: 05/02/2013 04:56:40.343 PDT
Gen. Time: 05/02/2013 05:04:50.029 PDT

INBOUND SCAN
EXPLOIT
70.154.50.185 (05:00:15.007 PDT)
  event=1:22465 {tcp} E2[rb] GPL NETBIOS SMB-DS IPC$ share access, [] MAC_Dst: 00:21:5A:08:EC:40
  445<-57721 (05:00:15.007 PDT)
203.94.64.41 (04:56:40.343 PDT)
  event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
  445<-4260 (04:56:40.343 PDT)
186.89.23.108 (04:57:18.580 PDT)
  event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
  445<-3971 (04:57:18.580 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
203.94.64.41 (04:56:44.249 PDT)
  event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
  47646<-5425 (04:56:44.249 PDT)
186.89.23.108 (04:57:21.153 PDT)
  event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
  42320<-5590 (04:57:21.153 PDT)
C and C TRAFFIC
C and C TRAFFIC (RBN)
221.143.43.214 (05:04:06.254 PDT)
  event=1:3810008 {udp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:EC:40
  33198->53 (05:04:06.254 PDT)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1367495800.343 1367495800.344 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.9 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 64.79.73.74
Egg Source List: 64.79.73.74
C & C List: 82.146.33.103
Peer Coord. List:
Resource List:
Observed Start: 05/02/2013 05:16:43.815 PDT
Gen. Time: 05/02/2013 05:17:27.258 PDT

INBOUND SCAN
EXPLOIT
64.79.73.74 (05:17:24.384 PDT)
  event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
  445<-2985 (05:17:24.384 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
64.79.73.74 (05:17:27.258 PDT)
  event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
  38511<-9487 (05:17:27.258 PDT)
C and C TRAFFIC
C and C TRAFFIC (RBN)
82.146.33.103 (05:16:43.815 PDT)
  event=1:3810008 {udp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:EC:40
  46773->53 (05:16:43.815 PDT)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1367497003.815 1367497003.816 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.9 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 188.120.2.117
Egg Source List: 188.120.2.117
C & C List: 219.240.39.230
Peer Coord. List:
Resource List:
Observed Start: 05/02/2013 06:10:05.943 PDT
Gen. Time: 05/02/2013 06:11:26.835 PDT

INBOUND SCAN
EXPLOIT
188.120.2.117 (06:11:23.980 PDT)
  event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
  445<-3407 (06:11:23.980 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
188.120.2.117 (06:11:26.835 PDT)
  event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
  37883<-2411 (06:11:26.835 PDT)
C and C TRAFFIC
C and C TRAFFIC (RBN)
219.240.39.230 (06:10:05.943 PDT)
  event=1:3810008 {udp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:EC:40
  44304->53 (06:10:05.943 PDT)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1367500205.943 1367500205.944 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 1.5 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 58.76.226.109, 188.120.2.117
Egg Source List: 58.76.226.109, 188.120.2.117
C & C List: 219.240.39.230
Peer Coord. List:
Resource List:
Observed Start: 05/02/2013 06:10:05.943 PDT
Gen. Time: 05/02/2013 06:16:00.096 PDT

INBOUND SCAN
EXPLOIT
58.76.226.109 (06:12:33.743 PDT)
  event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
  445<-2098 (06:12:33.743 PDT)
188.120.2.117 (06:11:23.980 PDT)
  event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
  445<-3407 (06:11:23.980 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
58.76.226.109 (06:12:36.681 PDT)
  event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
  37444<-5766 (06:12:36.681 PDT)
188.120.2.117 (06:11:26.835 PDT)
  event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
  37883<-2411 (06:11:26.835 PDT)
C and C TRAFFIC
C and C TRAFFIC (RBN)
219.240.39.230 (06:10:05.943 PDT)
  event=1:3810008 {udp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:EC:40
  44304->53 (06:10:05.943 PDT)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
195.70.51.165 (06:14:33.369 PDT)
  event=1:9920020 {udp} E8[std] ET ShadowServer confirmed botnet control server on standard port, [] MAC_Src: 00:21:5A:08:EC:40
  47126->53 (06:14:33.369 PDT)
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1367500205.943 1367500205.944 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 78.27.178.94
Egg Source List: 78.27.178.94
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/02/2013 06:17:02.863 PDT
Gen. Time: 05/02/2013 06:17:05.830 PDT

INBOUND SCAN
EXPLOIT
78.27.178.94 (06:17:02.863 PDT)
  event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
  445<-2240 (06:17:02.863 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
78.27.178.94 (06:17:05.830 PDT)
  event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
  39690<-7373 (06:17:05.830 PDT)
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1367500622.863 1367500622.864 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 62.201.90.90
Egg Source List: 62.201.90.90
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/02/2013 06:31:16.412 PDT
Gen. Time: 05/02/2013 06:31:19.324 PDT

INBOUND SCAN
EXPLOIT
62.201.90.90 (06:31:16.412 PDT)
  event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
  445<-3399 (06:31:16.412 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
62.201.90.90 (06:31:19.324 PDT)
  event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
  59643<-9092 (06:31:19.324 PDT)
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1367501476.412 1367501476.413 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.9 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 62.201.90.90
Egg Source List: 62.201.90.90
C & C List: 208.110.73.34
Peer Coord. List:
Resource List:
Observed Start: 05/02/2013 06:31:16.412 PDT
Gen. Time: 05/02/2013 06:34:51.583 PDT

INBOUND SCAN
EXPLOIT
62.201.90.90 (06:31:16.412 PDT)
  event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
  445<-3399 (06:31:16.412 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
62.201.90.90 (06:31:19.324 PDT)
  event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
  59643<-9092 (06:31:19.324 PDT)
C and C TRAFFIC
C and C TRAFFIC (RBN)
208.110.73.34 (06:31:27.390 PDT)
  event=1:3810008 {udp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:EC:40
  43012->53 (06:31:27.390 PDT)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1367501476.412 1367501476.413 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 186.89.48.42
Egg Source List: 186.89.48.42
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/02/2013 06:45:52.687 PDT
Gen. Time: 05/02/2013 06:46:04.746 PDT

INBOUND SCAN
EXPLOIT
186.89.48.42 (06:45:52.687 PDT)
  event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
  445<-3426 (06:45:52.687 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
186.89.48.42 (06:46:04.746 PDT)
  event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
  46385<-5952 (06:46:04.746 PDT)
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1367502352.687 1367502352.688 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 186.89.48.42, 59.151.18.108
Egg Source List: 186.89.48.42, 59.151.18.108
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/02/2013 06:45:52.687 PDT
Gen. Time: 05/02/2013 06:47:57.148 PDT

INBOUND SCAN
EXPLOIT
186.89.48.42 (06:45:52.687 PDT)
  event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
  445<-3426 (06:45:52.687 PDT)
59.151.18.108 (06:46:11.758 PDT)
  event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
  445<-3779 (06:46:11.758 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
186.89.48.42 (06:46:04.746 PDT)
  event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
  46385<-5952 (06:46:04.746 PDT)
59.151.18.108 (06:46:18.414 PDT)
  event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
  58714<-8255 (06:46:18.414 PDT)
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1367502352.687 1367502352.688 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 61.7.221.103
Egg Source List: 61.7.221.103
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/02/2013 07:00:40.924 PDT
Gen. Time: 05/02/2013 07:00:46.091 PDT

INBOUND SCAN
EXPLOIT
61.7.221.103 (07:00:40.924 PDT)
  event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
  445<-1686 (07:00:40.924 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
61.7.221.103 (07:00:46.091 PDT)
  event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
  38413<-1720 (07:00:46.091 PDT)
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1367503240.924 1367503240.925 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.9 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 174.138.203.10, 61.7.221.103
Egg Source List: 174.138.203.10, 61.7.221.103
C & C List: 221.139.0.44
Peer Coord. List:
Resource List:
Observed Start: 05/02/2013 07:00:40.924 PDT
Gen. Time: 05/02/2013 07:04:03.337 PDT

INBOUND SCAN
EXPLOIT
174.138.203.10 (07:01:37.236 PDT)
  event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
  445<-2345 (07:01:37.236 PDT)
61.7.221.103 (07:00:40.924 PDT)
  event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
  445<-1686 (07:00:40.924 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
174.138.203.10 (07:01:42.053 PDT)
  event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
  60684<-3855 (07:01:42.053 PDT)
61.7.221.103 (07:00:46.091 PDT)
  event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
  38413<-1720 (07:00:46.091 PDT)
C and C TRAFFIC
C and C TRAFFIC (RBN)
221.139.0.44 (07:02:15.447 PDT)
  event=1:3810008 {udp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:EC:40
  38438->53 (07:02:15.447 PDT)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1367503240.924 1367503240.925 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.9 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 83.234.82.236, 128.73.15.190
Egg Source List: 128.73.15.190
C & C List: 81.177.3.211
Peer Coord. List:
Resource List:
Observed Start: 05/02/2013 07:30:10.507 PDT
Gen. Time: 05/02/2013 07:33:03.263 PDT

INBOUND SCAN
EXPLOIT
83.234.82.236 (07:31:59.876 PDT)
  event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
  445<-1149 (07:31:59.876 PDT)
128.73.15.190 (07:32:58.838 PDT)
  event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
  445<-3219 (07:32:58.838 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
128.73.15.190 (07:33:03.263 PDT)
  event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
  47782<-2362 (07:33:03.263 PDT)
C and C TRAFFIC
C and C TRAFFIC (RBN)
81.177.3.211 (07:30:10.507 PDT)
  event=1:3810008 {udp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:EC:40
  37682->53 (07:30:10.507 PDT)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1367505010.507 1367505010.508 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 179.210.243.40, 190.36.70.194
Egg Source List: 179.210.243.40
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/02/2013 08:00:54.979 PDT
Gen. Time: 05/02/2013 08:02:30.603 PDT

INBOUND SCAN
EXPLOIT
179.210.243.40 (08:02:25.858 PDT)
  event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
  445<-1627 (08:02:25.858 PDT)
190.36.70.194 (08:00:54.979 PDT)
  event=1:22465 {tcp} E2[rb] GPL NETBIOS SMB-DS IPC$ share access, [] MAC_Dst: 00:21:5A:08:EC:40
  445<-63619 (08:00:54.979 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
179.210.243.40 (08:02:30.603 PDT)
  event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
  59983<-2181 (08:02:30.603 PDT)
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1367506854.979 1367506854.980 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 187.11.16.201
Egg Source List: 187.11.16.201
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/02/2013 08:24:18.464 PDT
Gen. Time: 05/02/2013 08:24:23.106 PDT

INBOUND SCAN
EXPLOIT
187.11.16.201 (08:24:18.464 PDT)
  event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
  445<-1419 (08:24:18.464 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
187.11.16.201 (08:24:23.106 PDT)
  event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
  50072<-2212 (08:24:23.106 PDT)
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1367508258.464 1367508258.465 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 1.5 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 93.123.61.66, 78.110.9.170, 78.92.20.163, 120.72.84.215, 117.6.85.208, 187.11.16.201, 203.94.64.41
Egg Source List: 93.123.61.66, 78.110.9.170, 78.92.20.163, 120.72.84.215, 187.11.16.201, 203.94.64.41
C & C List: 194.187.96.47, 84.22.106.30
Peer Coord. List:
Resource List:
Observed Start: 05/02/2013 08:24:18.464 PDT
Gen.
Time: 05/02/2013 08:41:06.940 PDT INBOUND SCAN EXPLOIT 93.123.61.66 (08:32:24.675 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-4587 (08:32:24.675 PDT) 78.110.9.170 (08:29:03.268 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-4132 (08:29:03.268 PDT) 78.92.20.163 (08:35:09.796 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-4535 (08:35:09.796 PDT) 120.72.84.215 (08:30:09.916 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-1393 (08:30:09.916 PDT) 117.6.85.208 (08:27:43.738 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-1947 (08:27:43.738 PDT) 187.11.16.201 (08:24:18.464 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-1419 (08:24:18.464 PDT) 203.94.64.41 (08:37:49.155 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-1436 (08:37:49.155 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 93.123.61.66 (08:32:27.685 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 53903<-8964 (08:32:27.685 PDT) 78.110.9.170 (08:29:07.330 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 40175<-2595 (08:29:07.330 PDT) 78.92.20.163 (08:35:13.673 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 59947<-6433 (08:35:13.673 PDT) 120.72.84.215 (08:30:14.615 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 60493<-8511 (08:30:14.615 
PDT) 187.11.16.201 (08:24:23.106 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 50072<-2212 (08:24:23.106 PDT) 203.94.64.41 (08:37:54.493 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 48586<-5425 (08:37:54.493 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) 194.187.96.47 (08:37:06.464 PDT) event=1:3810008 {udp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:EC:40 46465->53 (08:37:06.464 PDT) 84.22.106.30 (08:25:30.621 PDT) event=1:3810008 {udp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:EC:40 58324->53 (08:25:30.621 PDT) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port 195.70.51.165 (08:40:47.284 PDT) event=1:9920020 {udp} E8[std] ET ShadowServer confirmed botnet control server on standard port, [] MAC_Src: 00:21:5A:08:EC:40 60237->53 (08:40:47.284 PDT) DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1367508258.464 1367508258.465 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 186.89.23.108 Egg Source List: 186.89.23.108 C & C List: Peer Coord. List: Resource List: Observed Start: 05/02/2013 08:51:11.788 PDT Gen. 
Time: 05/02/2013 08:51:15.238 PDT INBOUND SCAN EXPLOIT 186.89.23.108 (08:51:11.788 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-3492 (08:51:11.788 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 186.89.23.108 (08:51:15.238 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 59402<-5590 (08:51:15.238 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1367509871.788 1367509871.789 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.9 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 95.58.10.249, 186.89.23.108 Egg Source List: 95.58.10.249, 186.89.23.108 C & C List: 62.212.130.107 Peer Coord. List: Resource List: Observed Start: 05/02/2013 08:51:11.788 PDT Gen. 
Time: 05/02/2013 08:55:43.096 PDT INBOUND SCAN EXPLOIT 95.58.10.249 (08:51:22.356 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-2750 (08:51:22.356 PDT) 186.89.23.108 (08:51:11.788 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-3492 (08:51:11.788 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 95.58.10.249 (08:51:26.097 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 39234<-1886 (08:51:26.097 PDT) 186.89.23.108 (08:51:15.238 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 59402<-5590 (08:51:15.238 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) 62.212.130.107 (08:52:05.821 PDT) event=1:3810008 {udp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:EC:40 55335->53 (08:52:05.821 PDT) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1367509871.788 1367509871.789 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.9 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 187.74.11.20 Egg Source List: 187.74.11.20 C & C List: 194.242.113.210 Peer Coord. List: Resource List: Observed Start: 05/02/2013 09:17:45.874 PDT Gen. 
Time: 05/02/2013 09:18:45.788 PDT INBOUND SCAN EXPLOIT 187.74.11.20 (09:18:40.997 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-1509 (09:18:40.997 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 187.74.11.20 (09:18:45.788 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 36885<-4997 (09:18:45.788 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) 194.242.113.210 (09:17:45.874 PDT) event=1:3810008 {udp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:EC:40 42738->53 (09:17:45.874 PDT) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1367511465.874 1367511465.875 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.9 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 190.208.120.121, 187.74.11.20, 188.32.249.181 Egg Source List: 190.208.120.121, 187.74.11.20, 188.32.249.181 C & C List: 194.242.113.210 Peer Coord. List: Resource List: Observed Start: 05/02/2013 09:17:45.874 PDT Gen. 
Time: 05/02/2013 09:24:10.686 PDT INBOUND SCAN EXPLOIT 190.208.120.121 (09:21:22.345 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-1493 (09:21:22.345 PDT) 187.74.11.20 (09:18:40.997 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-1509 (09:18:40.997 PDT) 188.32.249.181 (09:20:39.715 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-1593 (09:20:39.715 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 190.208.120.121 (09:21:26.296 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 51258<-5848 (09:21:26.296 PDT) 187.74.11.20 (09:18:45.788 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 36885<-4997 (09:18:45.788 PDT) 188.32.249.181 (09:20:43.233 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 37524<-2659 (09:20:43.233 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) 194.242.113.210 (09:17:45.874 PDT) event=1:3810008 {udp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:EC:40 42738->53 (09:17:45.874 PDT) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1367511465.874 1367511465.875 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.9 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 183.83.216.187 Egg Source List: 183.83.216.187 C & C List: 82.146.33.103 Peer 
Coord. List: Resource List: Observed Start: 05/02/2013 09:32:19.283 PDT Gen. Time: 05/02/2013 09:32:46.084 PDT INBOUND SCAN EXPLOIT 183.83.216.187 (09:32:41.533 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-3692 (09:32:41.533 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 183.83.216.187 (09:32:46.084 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 52550<-3910 (09:32:46.084 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) 82.146.33.103 (09:32:19.283 PDT) event=1:3810008 {udp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:EC:40 38045->53 (09:32:19.283 PDT) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1367512339.283 1367512339.284 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.9 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 183.83.216.187, 87.0.216.192 Egg Source List: 183.83.216.187, 87.0.216.192 C & C List: 82.146.33.103 Peer Coord. List: Resource List: Observed Start: 05/02/2013 09:32:19.283 PDT Gen. 
Time: 05/02/2013 09:38:15.153 PDT INBOUND SCAN EXPLOIT 183.83.216.187 (09:32:41.533 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-3692 (09:32:41.533 PDT) 87.0.216.192 (09:34:11.233 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-4864 (09:34:11.233 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 183.83.216.187 (09:32:46.084 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 52550<-3910 (09:32:46.084 PDT) 87.0.216.192 (09:34:14.782 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 50783<-9333 (09:34:14.782 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) 82.146.33.103 (09:32:19.283 PDT) event=1:3810008 {udp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:EC:40 38045->53 (09:32:19.283 PDT) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1367512339.283 1367512339.284 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 111.91.50.51 Egg Source List: 111.91.50.51 C & C List: Peer Coord. List: Resource List: Observed Start: 05/02/2013 09:46:24.683 PDT Gen. 
Time: 05/02/2013 09:46:27.925 PDT INBOUND SCAN EXPLOIT 111.91.50.51 (09:46:24.683 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-3739 (09:46:24.683 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 111.91.50.51 (09:46:27.925 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 49960<-5192 (09:46:27.925 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1367513184.683 1367513184.684 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.9 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 111.91.50.51 Egg Source List: 111.91.50.51 C & C List: 121.254.129.67 Peer Coord. List: Resource List: Observed Start: 05/02/2013 09:46:24.683 PDT Gen. 
Time: 05/02/2013 09:50:43.212 PDT INBOUND SCAN EXPLOIT 111.91.50.51 (09:46:24.683 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-3739 (09:46:24.683 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 111.91.50.51 (09:46:27.925 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 49960<-5192 (09:46:27.925 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) 121.254.129.67 (09:48:15.801 PDT) event=1:3810008 {udp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:EC:40 33037->53 (09:48:15.801 PDT) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1367513184.683 1367513184.684 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 177.64.1.180 Egg Source List: 177.64.1.180 C & C List: Peer Coord. List: Resource List: Observed Start: 05/02/2013 09:59:53.329 PDT Gen. 
Time: 05/02/2013 09:59:57.559 PDT INBOUND SCAN EXPLOIT 177.64.1.180 (09:59:53.329 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-3708 (09:59:53.329 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 177.64.1.180 (09:59:57.559 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 47146<-6310 (09:59:57.559 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1367513993.329 1367513993.330 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.9 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 177.64.1.180 Egg Source List: 177.64.1.180 C & C List: 221.143.43.214 Peer Coord. List: Resource List: Observed Start: 05/02/2013 09:59:53.329 PDT Gen. 
Time: 05/02/2013 10:04:11.986 PDT INBOUND SCAN EXPLOIT 177.64.1.180 (09:59:53.329 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-3708 (09:59:53.329 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 177.64.1.180 (09:59:57.559 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 47146<-6310 (09:59:57.559 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) 221.143.43.214 (10:01:11.382 PDT) event=1:3810008 {udp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:EC:40 39217->53 (10:01:11.382 PDT) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1367513993.329 1367513993.330 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 41.32.188.10 Egg Source List: 41.32.188.10 C & C List: Peer Coord. List: Resource List: Observed Start: 05/02/2013 10:09:07.426 PDT Gen. 
Time: 05/02/2013 10:09:11.072 PDT INBOUND SCAN EXPLOIT 41.32.188.10 (10:09:07.426 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-1724 (10:09:07.426 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 41.32.188.10 (10:09:11.072 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 43207<-6764 (10:09:11.072 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1367514547.426 1367514547.427 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.9 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 114.41.22.242 Egg Source List: 114.41.22.242 C & C List: 82.146.33.103 Peer Coord. List: Resource List: Observed Start: 05/02/2013 10:21:09.195 PDT Gen. 
Time: 05/02/2013 10:21:51.753 PDT INBOUND SCAN EXPLOIT 114.41.22.242 (10:21:48.371 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-2828 (10:21:48.371 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 114.41.22.242 (10:21:51.753 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 40745<-1717 (10:21:51.753 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) 82.146.33.103 (10:21:09.195 PDT) event=1:3810008 {udp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:EC:40 44938->53 (10:21:09.195 PDT) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1367515269.195 1367515269.196 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 1.5 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 114.41.22.242 Egg Source List: 114.41.22.242 C & C List: 82.146.33.103 Peer Coord. List: Resource List: Observed Start: 05/02/2013 10:21:09.195 PDT Gen. 
Time: 05/02/2013 10:24:49.500 PDT INBOUND SCAN EXPLOIT 114.41.22.242 (10:21:48.371 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-2828 (10:21:48.371 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 114.41.22.242 (10:21:51.753 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 40745<-1717 (10:21:51.753 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) 82.146.33.103 (10:21:09.195 PDT) event=1:3810008 {udp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:EC:40 44938->53 (10:21:09.195 PDT) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port 213.249.68.98 (10:23:22.346 PDT) event=1:9920020 {udp} E8[std] ET ShadowServer confirmed botnet control server on standard port, [] MAC_Src: 00:21:5A:08:EC:40 60013->53 (10:23:22.346 PDT) DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1367515269.195 1367515269.196 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 186.89.48.42 Egg Source List: 186.89.48.42 C & C List: Peer Coord. List: Resource List: Observed Start: 05/02/2013 10:27:13.537 PDT Gen. 
Time: 05/02/2013 10:27:17.625 PDT INBOUND SCAN EXPLOIT 186.89.48.42 (10:27:13.537 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-4393 (10:27:13.537 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 186.89.48.42 (10:27:17.625 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 42480<-5952 (10:27:17.625 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1367515633.537 1367515633.538 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 186.89.48.42, 59.151.18.108 Egg Source List: 186.89.48.42, 59.151.18.108 C & C List: Peer Coord. List: Resource List: Observed Start: 05/02/2013 10:27:13.537 PDT Gen. 
Time: 05/02/2013 10:30:56.251 PDT INBOUND SCAN EXPLOIT 186.89.48.42 (10:27:13.537 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-4393 (10:27:13.537 PDT) 59.151.18.108 (10:27:33.328 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-2118 (10:27:33.328 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 186.89.48.42 (10:27:17.625 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 42480<-5952 (10:27:17.625 PDT) 59.151.18.108 (10:27:36.882 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 58205<-8255 (10:27:36.882 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1367515633.537 1367515633.538 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 86.57.131.179 Egg Source List: 86.57.131.179 C & C List: Peer Coord. List: Resource List: Observed Start: 05/02/2013 11:02:15.885 PDT Gen. 
Time: 05/02/2013 11:02:18.985 PDT INBOUND SCAN EXPLOIT 86.57.131.179 (11:02:15.885 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-3480 (11:02:15.885 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 86.57.131.179 (11:02:18.985 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 55757<-8404 (11:02:18.985 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1367517735.885 1367517735.886 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 86.57.131.179 Egg Source List: 86.57.131.179 C & C List: Peer Coord. List: Resource List: Observed Start: 05/02/2013 11:16:53.177 PDT Gen. 
Time: 05/02/2013 11:16:59.225 PDT INBOUND SCAN EXPLOIT 86.57.131.179 (11:16:53.177 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-4500 (11:16:53.177 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 86.57.131.179 (11:16:59.225 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 42060<-8404 (11:16:59.225 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1367518613.177 1367518613.178 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.9 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 86.57.131.179 Egg Source List: 86.57.131.179 C & C List: 221.143.43.214 Peer Coord. List: Resource List: Observed Start: 05/02/2013 11:16:53.177 PDT Gen. 
Time: 05/02/2013 11:25:54.404 PDT

INBOUND SCAN
EXPLOIT
  86.57.131.179 (3) (11:16:53.177 PDT)
    event=1:22009201 (3) {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
    445<-4500 (11:16:53.177 PDT) 445<-3533 (11:20:02.824 PDT) 445<-2496 (11:22:56.147 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
  86.57.131.179 (3) (11:16:59.225 PDT)
    event=1:2001685 (3) {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
    42060<-8404 (11:16:59.225 PDT) 42185<-8404 (11:20:12.358 PDT) 44727<-8404 (11:23:01.474 PDT)
C and C TRAFFIC
C and C TRAFFIC (RBN)
  221.143.43.214 (11:25:40.994 PDT)
    event=1:3810008 {udp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:EC:40
    55730->53 (11:25:40.994 PDT)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1367518613.177 1367518613.178 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 86.57.131.179
Egg Source List: 86.57.131.179
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/02/2013 11:25:55.734 PDT
Gen. Time: 05/02/2013 11:26:03.171 PDT

INBOUND SCAN
EXPLOIT
  86.57.131.179 (11:25:55.734 PDT)
    event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
    445<-4416 (11:25:55.734 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
  86.57.131.179 (11:26:03.171 PDT)
    event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
    45224<-8404 (11:26:03.171 PDT)
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1367519155.734 1367519155.735 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 1.4 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 86.57.131.179
Egg Source List: 86.57.131.179
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/02/2013 11:25:55.734 PDT
Gen. Time: 05/02/2013 11:33:30.312 PDT

INBOUND SCAN
EXPLOIT
  86.57.131.179 (3) (11:25:55.734 PDT)
    event=1:22009201 (3) {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
    445<-4416 (11:25:55.734 PDT) 445<-3344 (11:28:44.767 PDT) 445<-1376 (11:31:29.349 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
  86.57.131.179 (3) (11:26:03.171 PDT)
    event=1:2001685 (3) {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
    45224<-8404 (11:26:03.171 PDT) 45345<-8404 (11:28:51.187 PDT) 35646<-8404 (11:31:34.683 PDT)
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
  213.239.193.176 (11:30:58.990 PDT)
    event=1:9920020 {udp} E8[std] ET ShadowServer confirmed botnet control server on standard port, [] MAC_Src: 00:21:5A:08:EC:40
    47848->53 (11:30:58.990 PDT)
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1367519155.734 1367519155.735 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 86.57.131.179
Egg Source List: 86.57.131.179
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/02/2013 11:34:27.083 PDT
Gen. Time: 05/02/2013 11:34:30.159 PDT

INBOUND SCAN
EXPLOIT
  86.57.131.179 (11:34:27.083 PDT)
    event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
    445<-4217 (11:34:27.083 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
  86.57.131.179 (11:34:30.159 PDT)
    event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
    35776<-8404 (11:34:30.159 PDT)
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1367519667.083 1367519667.084 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 86.57.131.179
Egg Source List: 86.57.131.179
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/02/2013 11:37:08.865 PDT
Gen. Time: 05/02/2013 11:37:13.108 PDT

INBOUND SCAN
EXPLOIT
  86.57.131.179 (11:37:08.865 PDT)
    event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
    445<-2579 (11:37:08.865 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
  86.57.131.179 (11:37:13.108 PDT)
    event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
    33762<-8404 (11:37:13.108 PDT)
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1367519828.865 1367519828.866 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.9 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 86.57.131.179
Egg Source List: 86.57.131.179
C & C List: 69.16.229.102
Peer Coord. List:
Resource List:
Observed Start: 05/02/2013 11:37:08.865 PDT
Gen. Time: 05/02/2013 11:42:21.091 PDT

INBOUND SCAN
EXPLOIT
  86.57.131.179 (2) (11:37:08.865 PDT)
    event=1:22009201 (2) {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
    445<-2579 (11:37:08.865 PDT) 445<-4263 (11:39:55.500 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
  86.57.131.179 (2) (11:37:13.108 PDT)
    event=1:2001685 (2) {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
    33762<-8404 (11:37:13.108 PDT) 33891<-8404 (11:39:59.444 PDT)
C and C TRAFFIC
C and C TRAFFIC (RBN)
  69.16.229.102 (11:39:17.887 PDT)
    event=1:3810008 {udp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:EC:40
    49701->53 (11:39:17.887 PDT)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1367519828.865 1367519828.866 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 86.57.131.179
Egg Source List: 86.57.131.179
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/02/2013 11:42:37.309 PDT
Gen. Time: 05/02/2013 11:42:41.797 PDT

INBOUND SCAN
EXPLOIT
  86.57.131.179 (11:42:37.309 PDT)
    event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
    445<-2243 (11:42:37.309 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
  86.57.131.179 (11:42:41.797 PDT)
    event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
    51952<-8404 (11:42:41.797 PDT)
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1367520157.309 1367520157.310 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 1.4 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 86.57.131.179
Egg Source List: 86.57.131.179
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/02/2013 11:42:37.309 PDT
Gen. Time: 05/02/2013 11:45:14.404 PDT

INBOUND SCAN
EXPLOIT
  86.57.131.179 (11:42:37.309 PDT)
    event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
    445<-2243 (11:42:37.309 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
  86.57.131.179 (11:42:41.797 PDT)
    event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
    51952<-8404 (11:42:41.797 PDT)
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
  213.249.68.98 (11:44:04.366 PDT)
    event=1:9920020 {udp} E8[std] ET ShadowServer confirmed botnet control server on standard port, [] MAC_Src: 00:21:5A:08:EC:40
    37083->53 (11:44:04.366 PDT)
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1367520157.309 1367520157.310 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 86.57.131.179
Egg Source List: 86.57.131.179
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/02/2013 11:45:31.232 PDT
Gen. Time: 05/02/2013 11:45:38.213 PDT

INBOUND SCAN
EXPLOIT
  86.57.131.179 (11:45:31.232 PDT)
    event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
    445<-4409 (11:45:31.232 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
  86.57.131.179 (11:45:38.213 PDT)
    event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
    52198<-8404 (11:45:38.213 PDT)
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1367520331.232 1367520331.233 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 217.218.223.232, 86.57.131.179
Egg Source List: 217.218.223.232, 86.57.131.179
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/02/2013 11:45:31.232 PDT
Gen. Time: 05/02/2013 11:50:22.122 PDT

INBOUND SCAN
EXPLOIT
  217.218.223.232 (11:46:38.270 PDT)
    event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
    445<-3901 (11:46:38.270 PDT)
  86.57.131.179 (2) (11:45:31.232 PDT)
    event=1:22009201 (2) {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
    445<-4409 (11:45:31.232 PDT) 445<-2728 (11:48:15.480 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
  217.218.223.232 (11:46:42.222 PDT)
    event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
    56780<-5788 (11:46:42.222 PDT)
  86.57.131.179 (2) (11:45:38.213 PDT)
    event=1:2001685 (2) {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
    52198<-8404 (11:45:38.213 PDT) 35556<-8404 (11:48:25.484 PDT)
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1367520331.232 1367520331.233 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 86.57.131.179
Egg Source List: 86.57.131.179
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/02/2013 11:51:06.573 PDT
Gen. Time: 05/02/2013 11:51:10.853 PDT

INBOUND SCAN
EXPLOIT
  86.57.131.179 (11:51:06.573 PDT)
    event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
    445<-1623 (11:51:06.573 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
  86.57.131.179 (11:51:10.853 PDT)
    event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
    47963<-8404 (11:51:10.853 PDT)
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1367520666.573 1367520666.574 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 86.57.131.179
Egg Source List: 86.57.131.179
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/02/2013 11:51:06.573 PDT
Gen. Time: 05/02/2013 11:55:30.837 PDT

INBOUND SCAN
EXPLOIT
  86.57.131.179 (2) (11:51:06.573 PDT)
    event=1:22009201 (2) {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
    445<-1623 (11:51:06.573 PDT) 445<-4580 (11:53:47.875 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
  86.57.131.179 (2) (11:51:10.853 PDT)
    event=1:2001685 (2) {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
    47963<-8404 (11:51:10.853 PDT) 48089<-8404 (11:53:50.959 PDT)
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1367520666.573 1367520666.574 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.9 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 86.57.131.179
Egg Source List: 86.57.131.179
C & C List: 219.240.39.230
Peer Coord. List:
Resource List:
Observed Start: 05/02/2013 11:55:31.581 PDT
Gen. Time: 05/02/2013 11:56:35.444 PDT

INBOUND SCAN
EXPLOIT
  86.57.131.179 (11:56:31.851 PDT)
    event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
    445<-3492 (11:56:31.851 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
  86.57.131.179 (11:56:35.444 PDT)
    event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
    42471<-8404 (11:56:35.444 PDT)
C and C TRAFFIC
C and C TRAFFIC (RBN)
  219.240.39.230 (11:55:31.581 PDT)
    event=1:3810008 {udp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:EC:40
    44947->53 (11:55:31.581 PDT)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1367520931.581 1367520931.582 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 1.5 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 179.210.243.40, 78.110.9.170, 78.92.20.163, 86.57.131.179, 182.52.65.250
Egg Source List: 179.210.243.40, 78.110.9.170, 78.92.20.163, 86.57.131.179
C & C List: 219.240.39.230, 221.139.0.44, 75.126.150.82
Peer Coord. List:
Resource List:
Observed Start: 05/02/2013 11:55:31.581 PDT
Gen. Time: 05/02/2013 12:17:57.105 PDT

INBOUND SCAN
EXPLOIT
  179.210.243.40 (12:14:49.822 PDT)
    event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
    445<-2658 (12:14:49.822 PDT)
  78.110.9.170 (12:10:12.530 PDT)
    event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
    445<-2280 (12:10:12.530 PDT)
  78.92.20.163 (12:16:21.587 PDT)
    event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
    445<-3650 (12:16:21.587 PDT)
  86.57.131.179 (8) (11:56:31.851 PDT)
    event=1:22009201 (8) {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
    445<-3492 (11:56:31.851 PDT) 445<-2587 (11:59:12.894 PDT) 445<-1522 (12:01:55.710 PDT) 445<-4352 (12:04:38.851 PDT) 445<-3758 (12:07:35.134 PDT) 445<-3092 (12:10:21.068 PDT) 445<-2062 (12:13:05.097 PDT) 445<-4222 (12:15:49.050 PDT)
  182.52.65.250 (12:05:36.367 PDT)
    event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
    445<-4542 (12:05:36.367 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
  179.210.243.40 (12:14:53.269 PDT)
    event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
    44092<-2181 (12:14:53.269 PDT)
  78.110.9.170 (12:10:16.475 PDT)
    event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
    41827<-2595 (12:10:16.475 PDT)
  78.92.20.163 (12:16:24.718 PDT)
    event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
    33705<-6433 (12:16:24.718 PDT)
  86.57.131.179 (8) (11:56:35.444 PDT)
    event=1:2001685 (8) {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
    42471<-8404 (11:56:35.444 PDT) 42646<-8404 (11:59:16.073 PDT) 33652<-8404 (12:01:58.800 PDT) 33916<-8404 (12:04:42.984 PDT) 46570<-8404 (12:07:41.634 PDT) 46683<-8404 (12:10:24.252 PDT) 57007<-8404 (12:13:09.167 PDT) 52002<-8404 (12:15:55.024 PDT)
C and C TRAFFIC
C and C TRAFFIC (RBN)
  219.240.39.230 (11:55:31.581 PDT)
    event=1:3810008 {udp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:EC:40
    44947->53 (11:55:31.581 PDT)
  221.139.0.44 (12:15:52.128 PDT)
    event=1:3810008 {udp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:EC:40
    56124->53 (12:15:52.128 PDT)
  75.126.150.82 (12:05:34.592 PDT)
    event=1:3810008 {udp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:EC:40
    38459->53 (12:05:34.592 PDT)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
  213.249.68.98 (11:58:52.472 PDT)
    event=1:9920020 {udp} E8[std] ET ShadowServer confirmed botnet control server on standard port, [] MAC_Src: 00:21:5A:08:EC:40
    47607->53 (11:58:52.472 PDT)
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1367520931.581 1367520931.582 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 86.57.131.179
Egg Source List: 86.57.131.179
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/02/2013 12:18:39.750 PDT
Gen. Time: 05/02/2013 12:18:44.233 PDT

INBOUND SCAN
EXPLOIT
  86.57.131.179 (12:18:39.750 PDT)
    event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
    445<-2265 (12:18:39.750 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
  86.57.131.179 (12:18:44.233 PDT)
    event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
    52127<-8404 (12:18:44.233 PDT)
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1367522319.750 1367522319.751 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 62.201.90.90
Egg Source List: 62.201.90.90
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/02/2013 12:28:46.181 PDT
Gen. Time: 05/02/2013 12:28:50.887 PDT

INBOUND SCAN
EXPLOIT
  62.201.90.90 (12:28:46.181 PDT)
    event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
    445<-2875 (12:28:46.181 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
  62.201.90.90 (12:28:50.887 PDT)
    event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
    46273<-9092 (12:28:50.887 PDT)
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1367522926.181 1367522926.182 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 80.117.232.210, 62.201.90.90, 77.69.219.85, 84.2.151.20
Egg Source List: 95.68.75.225, 62.201.90.90, 84.2.151.20
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/02/2013 12:28:46.181 PDT
Gen. Time: 05/02/2013 13:33:21.831 PDT

INBOUND SCAN
EXPLOIT
  80.117.232.210 (12:38:39.346 PDT)
    event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
    445<-2419 (12:38:39.346 PDT)
  62.201.90.90 (14) (12:28:46.181 PDT)
    event=1:22009201 (14) {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
    445<-2875 (12:28:46.181 PDT) 445<-3404 (12:30:23.181 PDT) 445<-4073 (12:31:59.554 PDT) 445<-4573 (12:33:34.939 PDT) 445<-1264 (12:35:11.497 PDT) 445<-1940 (12:36:48.481 PDT) 445<-2684 (12:38:29.847 PDT) 445<-3449 (12:40:06.737 PDT) 445<-4054 (12:41:54.143 PDT) 445<-1857 (12:43:42.033 PDT) 445<-2778 (12:45:21.831 PDT) 445<-3484 (12:46:59.901 PDT) 445<-3938 (12:48:32.853 PDT) 445<-4363 (12:50:06.627 PDT)
  77.69.219.85 (12:41:41.944 PDT)
    event=1:22465 {tcp} E2[rb] GPL NETBIOS SMB-DS IPC$ share access, [] MAC_Dst: 00:21:5A:08:EC:40
    445<-56076 (12:41:41.944 PDT)
  84.2.151.20 (12:49:21.347 PDT)
    event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
    445<-1235 (12:49:21.347 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
  95.68.75.225 (12:53:13.567 PDT)
    event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
    47334<-4432 (12:53:13.567 PDT)
  62.201.90.90 (15) (12:28:50.887 PDT)
    event=1:2001685 (15) {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
    46273<-9092 (12:28:50.887 PDT) 46703<-9092 (12:30:29.359 PDT) 57209<-9092 (12:32:03.931 PDT) 57723<-9092 (12:33:38.841 PDT) 58205<-9092 (12:35:15.875 PDT) 48091<-9092 (12:36:53.083 PDT) 48533<-9092 (12:38:34.415 PDT) 48975<-9092 (12:40:10.721 PDT) 50736<-9092 (12:42:03.607 PDT) 50967<-9092 (12:43:46.369 PDT) 51171<-9092 (12:45:25.771 PDT) 38463<-9092 (12:47:03.931 PDT) 38689<-9092 (12:48:37.239 PDT) 39061<-9092 (12:50:10.617 PDT) 52045<-9092 (12:51:44.337 PDT)
  84.2.151.20 (12:49:26.261 PDT)
    event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
    50058<-7665 (12:49:26.261 PDT)
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1367522926.181 1367522926.182 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 190.208.120.121
Egg Source List: 190.208.120.121
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/02/2013 13:40:09.396 PDT
Gen. Time: 05/02/2013 13:40:14.393 PDT

INBOUND SCAN
EXPLOIT
  190.208.120.121 (13:40:09.396 PDT)
    event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
    445<-1191 (13:40:09.396 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
  190.208.120.121 (13:40:14.393 PDT)
    event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
    44855<-5848 (13:40:14.393 PDT)
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1367527209.396 1367527209.397 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 87.0.216.192, 190.208.120.121
Egg Source List: 87.0.216.192, 190.208.120.121
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/02/2013 13:40:09.396 PDT
Gen. Time: 05/02/2013 13:43:00.579 PDT

INBOUND SCAN
EXPLOIT
  87.0.216.192 (13:40:47.642 PDT)
    event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
    445<-3729 (13:40:47.642 PDT)
  190.208.120.121 (13:40:09.396 PDT)
    event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
    445<-1191 (13:40:09.396 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
  87.0.216.192 (13:40:52.429 PDT)
    event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
    59374<-9333 (13:40:52.429 PDT)
  190.208.120.121 (13:40:14.393 PDT)
    event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
    44855<-5848 (13:40:14.393 PDT)
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1367527209.396 1367527209.397 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 41.32.188.10
Egg Source List: 41.32.188.10
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/02/2013 13:50:18.785 PDT
Gen. Time: 05/02/2013 13:50:23.096 PDT

INBOUND SCAN
EXPLOIT
  41.32.188.10 (13:50:18.785 PDT)
    event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
    445<-3869 (13:50:18.785 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
  41.32.188.10 (13:50:23.096 PDT)
    event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
    48637<-6764 (13:50:23.096 PDT)
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1367527818.785 1367527818.786 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 190.78.47.134
Egg Source List: 190.78.47.134
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/02/2013 13:56:30.537 PDT
Gen. Time: 05/02/2013 13:56:34.515 PDT

INBOUND SCAN
EXPLOIT
  190.78.47.134 (13:56:30.537 PDT)
    event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
    445<-3736 (13:56:30.537 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
  190.78.47.134 (13:56:34.515 PDT)
    event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
    50938<-3387 (13:56:34.515 PDT)
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1367528190.537 1367528190.538 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 111.91.50.51
Egg Source List: 111.91.50.51
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/02/2013 14:01:45.935 PDT
Gen. Time: 05/02/2013 14:01:51.106 PDT

INBOUND SCAN
EXPLOIT
  111.91.50.51 (14:01:45.935 PDT)
    event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
    445<-4754 (14:01:45.935 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
  111.91.50.51 (14:01:51.106 PDT)
    event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
    58875<-5192 (14:01:51.106 PDT)
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1367528505.935 1367528505.936 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 111.91.50.51, 114.41.22.242
Egg Source List: 111.91.50.51, 114.41.22.242
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/02/2013 14:01:45.935 PDT
Gen. Time: 05/02/2013 14:06:44.352 PDT

INBOUND SCAN
EXPLOIT
  111.91.50.51 (14:01:45.935 PDT)
    event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
    445<-4754 (14:01:45.935 PDT)
  114.41.22.242 (14:03:04.504 PDT)
    event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
    445<-2019 (14:03:04.504 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
  111.91.50.51 (14:01:51.106 PDT)
    event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
    58875<-5192 (14:01:51.106 PDT)
  114.41.22.242 (14:03:09.322 PDT)
    event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
    34747<-1717 (14:03:09.322 PDT)
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1367528505.935 1367528505.936 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 177.64.1.180
Egg Source List: 177.64.1.180
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/02/2013 14:25:31.316 PDT
Gen. Time: 05/02/2013 14:25:34.903 PDT

INBOUND SCAN
EXPLOIT
  177.64.1.180 (14:25:31.316 PDT)
    event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
    445<-2970 (14:25:31.316 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
  177.64.1.180 (14:25:34.903 PDT)
    event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
    57969<-6310 (14:25:34.903 PDT)
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1367529931.316 1367529931.317 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 210.182.248.167, 177.64.1.180, 115.89.173.100
Egg Source List: 210.182.248.167, 177.64.1.180, 115.89.173.100
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/02/2013 14:25:31.316 PDT
Gen. Time: 05/02/2013 14:30:56.931 PDT

INBOUND SCAN
EXPLOIT
  210.182.248.167 (14:25:39.404 PDT)
    event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
    445<-2050 (14:25:39.404 PDT)
  177.64.1.180 (14:25:31.316 PDT)
    event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
    445<-2970 (14:25:31.316 PDT)
  115.89.173.100 (14:27:46.866 PDT)
    event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
    445<-2803 (14:27:46.866 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
  210.182.248.167 (14:25:43.993 PDT)
    event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
    50452<-7033 (14:25:43.993 PDT)
  177.64.1.180 (14:25:34.903 PDT)
    event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
    57969<-6310 (14:25:34.903 PDT)
  115.89.173.100 (14:27:50.059 PDT)
    event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
    60002<-6443 (14:27:50.059 PDT)
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1367529931.316 1367529931.317 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 67.65.194.140
Egg Source List: 67.65.194.140
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/02/2013 15:11:04.103 PDT
Gen. Time: 05/02/2013 15:11:09.570 PDT

INBOUND SCAN
EXPLOIT
  67.65.194.140 (15:11:04.103 PDT)
    event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
    445<-1906 (15:11:04.103 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
  67.65.194.140 (15:11:09.570 PDT)
    event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
    53973<-6238 (15:11:09.570 PDT)
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1367532664.103 1367532664.104 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 115.177.115.243
Egg Source List: 115.177.115.243
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/02/2013 15:36:15.779 PDT
Gen. Time: 05/02/2013 15:36:19.271 PDT

INBOUND SCAN
EXPLOIT
  115.177.115.243 (15:36:15.779 PDT)
    event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
    445<-3354 (15:36:15.779 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
  115.177.115.243 (15:36:19.271 PDT)
    event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
    38979<-2541 (15:36:19.271 PDT)
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1367534175.779 1367534175.780 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 84.40.126.44
Egg Source List: 84.40.126.44
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/02/2013 16:21:38.505 PDT
Gen. 
Time: 05/02/2013 16:21:41.291 PDT INBOUND SCAN EXPLOIT 84.40.126.44 (16:21:38.505 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-1593 (16:21:38.505 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 84.40.126.44 (16:21:41.291 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 36539<-5286 (16:21:41.291 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1367536898.505 1367536898.506 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 98.92.214.104 Egg Source List: 98.92.214.104 C & C List: Peer Coord. List: Resource List: Observed Start: 05/02/2013 18:04:31.624 PDT Gen. 
Time: 05/02/2013 18:04:34.226 PDT INBOUND SCAN EXPLOIT 98.92.214.104 (18:04:31.624 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-1688 (18:04:31.624 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 98.92.214.104 (18:04:34.226 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 58328<-3104 (18:04:34.226 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1367543071.624 1367543071.625 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 115.89.173.100 Egg Source List: 115.89.173.100 C & C List: Peer Coord. List: Resource List: Observed Start: 05/02/2013 18:08:54.394 PDT Gen. 
Time: 05/02/2013 18:08:57.222 PDT INBOUND SCAN EXPLOIT 115.89.173.100 (18:08:54.394 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-3283 (18:08:54.394 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 115.89.173.100 (18:08:57.222 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 59441<-6443 (18:08:57.222 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1367543334.394 1367543334.395 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 210.182.248.167 Egg Source List: 210.182.248.167 C & C List: Peer Coord. List: Resource List: Observed Start: 05/02/2013 18:51:09.202 PDT Gen. 
Time: 05/02/2013 18:51:12.400 PDT INBOUND SCAN EXPLOIT 210.182.248.167 (18:51:09.202 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-1793 (18:51:09.202 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 210.182.248.167 (18:51:12.400 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 60067<-7033 (18:51:12.400 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1367545869.202 1367545869.203 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 200.207.225.75 Egg Source List: 200.207.225.75 C & C List: Peer Coord. List: Resource List: Observed Start: 05/02/2013 18:59:26.294 PDT Gen. 
Time: 05/02/2013 18:59:30.017 PDT INBOUND SCAN EXPLOIT 200.207.225.75 (18:59:26.294 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-2481 (18:59:26.294 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 200.207.225.75 (18:59:30.017 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 43588<-5121 (18:59:30.017 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1367546366.294 1367546366.295 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 84.40.126.44 Egg Source List: 84.40.126.44 C & C List: Peer Coord. List: Resource List: Observed Start: 05/02/2013 20:02:46.098 PDT Gen. 
Time: 05/02/2013 20:02:49.664 PDT INBOUND SCAN EXPLOIT 84.40.126.44 (20:02:46.098 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-1949 (20:02:46.098 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 84.40.126.44 (20:02:49.664 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 43877<-5286 (20:02:49.664 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1367550166.098 1367550166.099 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 116.193.74.218 Egg Source List: 116.193.74.218 C & C List: Peer Coord. List: Resource List: Observed Start: 05/02/2013 21:45:21.747 PDT Gen. 
Time: 05/02/2013 21:45:26.988 PDT INBOUND SCAN EXPLOIT 116.193.74.218 (21:45:21.747 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-3156 (21:45:21.747 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 116.193.74.218 (21:45:26.988 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 36508<-8094 (21:45:26.988 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1367556321.747 1367556321.748 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 98.92.214.104 Egg Source List: 98.92.214.104 C & C List: Peer Coord. List: Resource List: Observed Start: 05/02/2013 21:56:38.718 PDT Gen. 
Time: 05/02/2013 21:56:44.344 PDT INBOUND SCAN EXPLOIT 98.92.214.104 (21:56:38.718 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-1346 (21:56:38.718 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 98.92.214.104 (21:56:44.344 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 45643<-3104 (21:56:44.344 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1367556998.718 1367556998.719 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 49.124.189.183 Egg Source List: 49.124.189.183 C & C List: Peer Coord. List: Resource List: Observed Start: 05/02/2013 22:14:11.533 PDT Gen. 
Time: 05/02/2013 22:14:15.775 PDT INBOUND SCAN EXPLOIT 49.124.189.183 (22:14:11.533 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-3481 (22:14:11.533 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 49.124.189.183 (22:14:15.775 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 50986<-4054 (22:14:15.775 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1367558051.533 1367558051.534 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================