Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 62.201.90.90 Egg Source List: 62.201.90.90 C & C List: Peer Coord. List: Resource List: Observed Start: 05/03/2013 00:20:28.845 PDT Gen. Time: 05/03/2013 00:20:32.163 PDT INBOUND SCAN EXPLOIT 62.201.90.90 (00:20:28.845 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-3676 (00:20:28.845 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 62.201.90.90 (00:20:32.163 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 49455<-9092 (00:20:32.163 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1367565628.845 1367565628.846 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 62.201.90.90, 95.167.211.7 Egg Source List: 62.201.90.90, 95.167.211.7 C & C List: Peer Coord. List: Resource List: Observed Start: 05/03/2013 00:20:28.845 PDT Gen. 
Time: 05/03/2013 04:34:51.593 PDT INBOUND SCAN EXPLOIT 62.201.90.90 (16) (00:20:28.845 PDT) event=1:22009201 (16) {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-3676 (00:20:28.845 PDT) 445<-4962 (00:20:48.707 PDT) 445<-2531 (00:21:14.263 PDT) 445<-3912 (00:21:38.686 PDT) 445<-1430 (00:21:58.919 PDT) 445<-2831 (00:22:22.870 PDT) 445<-4103 (00:22:38.893 PDT) 445<-1346 (00:22:57.103 PDT) 445<-2500 (00:23:13.841 PDT) 445<-3508 (00:23:32.593 PDT) 445<-4736 (00:23:49.427 PDT) 445<-1915 (00:24:09.413 PDT) 445<-3110 (00:24:25.197 PDT) 445<-4085 (00:24:44.737 PDT) 445<-1447 (00:25:00.463 PDT) 445<-2596 (00:25:21.825 PDT) 95.167.211.7 (00:20:57.826 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-3488 (00:20:57.826 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 62.201.90.90 (16) (00:20:32.163 PDT) event=1:2001685 (16) {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 49455<-9092 (00:20:32.163 PDT) 36158<-9092 (00:20:55.007 PDT) 36180<-9092 (00:21:18.543 PDT) 36207<-9092 (00:21:42.265 PDT) 36251<-9092 (00:22:03.855 PDT) 36292<-9092 (00:22:26.079 PDT) 36329<-9092 (00:22:42.615 PDT) 36370<-9092 (00:23:01.635 PDT) 36416<-9092 (00:23:18.073 PDT) 36432<-9092 (00:23:37.427 PDT) 36450<-9092 (00:23:54.402 PDT) 36490<-9092 (00:24:14.757 PDT) 36519<-9092 (00:24:28.769 PDT) 36539<-9092 (00:24:48.617 PDT) 36556<-9092 (00:25:07.093 PDT) 36584<-9092 (00:25:25.375 PDT) 95.167.211.7 (00:21:05.566 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 51981<-5738 (00:21:05.566 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered 
DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1367565628.845 1367565628.846 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 37.147.38.95 Egg Source List: 37.147.38.95 C & C List: Peer Coord. List: Resource List: Observed Start: 05/03/2013 06:20:35.035 PDT Gen. Time: 05/03/2013 06:20:38.045 PDT INBOUND SCAN EXPLOIT 37.147.38.95 (06:20:35.035 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-3466 (06:20:35.035 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 37.147.38.95 (06:20:38.045 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 33779<-9657 (06:20:38.045 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1367587235.035 1367587235.036 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 111.255.231.218 Egg Source List: 111.255.231.218 C & C List: Peer Coord. List: Resource List: Observed Start: 05/03/2013 06:57:30.145 PDT Gen. 
Time: 05/03/2013 06:57:43.012 PDT INBOUND SCAN EXPLOIT 111.255.231.218 (06:57:30.145 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-4182 (06:57:30.145 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 111.255.231.218 (06:57:43.012 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 36072<-5428 (06:57:43.012 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1367589450.145 1367589450.146 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 2.95.53.208 Egg Source List: 2.95.53.208 C & C List: Peer Coord. List: Resource List: Observed Start: 05/03/2013 07:05:26.212 PDT Gen. 
Time: 05/03/2013 07:05:29.312 PDT INBOUND SCAN EXPLOIT 2.95.53.208 (07:05:26.212 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-3574 (07:05:26.212 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 2.95.53.208 (07:05:29.312 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 32926<-5588 (07:05:29.312 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1367589926.212 1367589926.213 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 2.95.53.208 Egg Source List: 2.95.53.208 C & C List: Peer Coord. List: Resource List: Observed Start: 05/03/2013 07:05:26.212 PDT Gen. 
Time: 05/03/2013 07:09:49.329 PDT INBOUND SCAN EXPLOIT 2.95.53.208 (2) (07:05:26.212 PDT) event=1:22009201 (2) {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-3574 (07:05:26.212 PDT) 445<-1496 (07:06:18.941 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 2.95.53.208 (2) (07:05:29.312 PDT) event=1:2001685 (2) {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 32926<-5588 (07:05:29.312 PDT) 54246<-5588 (07:06:22.169 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1367589926.212 1367589926.213 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 190.79.40.183 Egg Source List: 190.79.40.183 C & C List: Peer Coord. List: Resource List: Observed Start: 05/03/2013 07:14:01.090 PDT Gen. 
Time: 05/03/2013 07:14:05.349 PDT INBOUND SCAN EXPLOIT 190.79.40.183 (07:14:01.090 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-3463 (07:14:01.090 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 190.79.40.183 (07:14:05.349 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 47330<-9802 (07:14:05.349 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1367590441.090 1367590441.091 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 99.62.141.244 Egg Source List: 99.62.141.244 C & C List: Peer Coord. List: Resource List: Observed Start: 05/03/2013 07:18:55.551 PDT Gen. 
Time: 05/03/2013 07:18:58.271 PDT INBOUND SCAN EXPLOIT 99.62.141.244 (07:18:55.551 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-1172 (07:18:55.551 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 99.62.141.244 (07:18:58.271 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 58884<-8864 (07:18:58.271 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1367590735.551 1367590735.552 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 2.95.53.208 Egg Source List: 2.95.53.208 C & C List: Peer Coord. List: Resource List: Observed Start: 05/03/2013 07:26:50.917 PDT Gen. 
Time: 05/03/2013 07:26:54.881 PDT INBOUND SCAN EXPLOIT 2.95.53.208 (07:26:50.917 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-4492 (07:26:50.917 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 2.95.53.208 (07:26:54.881 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 46287<-5588 (07:26:54.881 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1367591210.917 1367591210.918 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 2.95.53.208, 195.228.61.67, 216.249.90.237 Egg Source List: 2.95.53.208, 195.228.61.67, 216.249.90.237 C & C List: Peer Coord. List: Resource List: Observed Start: 05/03/2013 07:26:50.917 PDT Gen. 
Time: 05/03/2013 07:33:21.958 PDT INBOUND SCAN EXPLOIT 2.95.53.208 (07:26:50.917 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-4492 (07:26:50.917 PDT) 195.228.61.67 (07:28:40.976 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-2783 (07:28:40.976 PDT) 216.249.90.237 (07:29:12.810 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-47097 (07:29:12.810 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 2.95.53.208 (07:26:54.881 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 46287<-5588 (07:26:54.881 PDT) 195.228.61.67 (07:28:44.410 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 59186<-3828 (07:28:44.410 PDT) 216.249.90.237 (07:29:16.627 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 50019<-8539 (07:29:16.627 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1367591210.917 1367591210.918 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 2.95.53.208 Egg Source List: 2.95.53.208 C & C List: Peer Coord. List: Resource List: Observed Start: 05/03/2013 07:33:52.288 PDT Gen. 
Time: 05/03/2013 07:33:55.859 PDT INBOUND SCAN EXPLOIT 2.95.53.208 (07:33:52.288 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-1449 (07:33:52.288 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 2.95.53.208 (07:33:55.859 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 37991<-5588 (07:33:55.859 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1367591632.288 1367591632.289 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 63.82.6.20 Egg Source List: 63.82.6.20 C & C List: Peer Coord. List: Resource List: Observed Start: 05/03/2013 07:41:27.977 PDT Gen. 
Time: 05/03/2013 07:41:30.957 PDT INBOUND SCAN EXPLOIT 63.82.6.20 (07:41:27.977 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-46962 (07:41:27.977 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 63.82.6.20 (07:41:30.957 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 35381<-7598 (07:41:30.957 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1367592087.977 1367592087.978 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 2.95.53.208, 78.31.58.203, 190.18.5.5, 219.109.48.49, 182.71.37.230, 63.82.6.20 Egg Source List: 2.95.53.208, 78.31.58.203, 190.18.5.5, 219.109.48.49, 182.71.37.230, 63.82.6.20 C & C List: Peer Coord. List: Resource List: Observed Start: 05/03/2013 07:41:27.977 PDT Gen. 
Time: 05/03/2013 07:48:24.415 PDT INBOUND SCAN EXPLOIT 2.95.53.208 (07:43:03.264 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-1310 (07:43:03.264 PDT) 78.31.58.203 (07:41:49.618 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-3182 (07:41:49.618 PDT) 190.18.5.5 (07:43:03.388 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-1519 (07:43:03.388 PDT) 219.109.48.49 (07:45:19.950 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-3690 (07:45:19.950 PDT) 182.71.37.230 (07:44:59.275 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-2839 (07:44:59.275 PDT) 63.82.6.20 (07:41:27.977 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-46962 (07:41:27.977 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 2.95.53.208 (07:43:10.482 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 46837<-5588 (07:43:10.482 PDT) 78.31.58.203 (07:41:53.536 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 36221<-2287 (07:41:53.536 PDT) 190.18.5.5 (07:43:10.432 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 58356<-8028 (07:43:10.432 PDT) 219.109.48.49 (07:45:24.105 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 35467<-4864 (07:45:24.105 PDT) 182.71.37.230 (07:45:03.236 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 
00:21:1C:EE:14:00 40176<-2401 (07:45:03.236 PDT) 63.82.6.20 (07:41:30.957 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 35381<-7598 (07:41:30.957 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1367592087.977 1367592087.978 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 2.95.53.208 Egg Source List: 2.95.53.208 C & C List: Peer Coord. List: Resource List: Observed Start: 05/03/2013 08:05:00.942 PDT Gen. Time: 05/03/2013 08:05:04.182 PDT INBOUND SCAN EXPLOIT 2.95.53.208 (08:05:00.942 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-4697 (08:05:00.942 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 2.95.53.208 (08:05:04.182 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 57474<-5588 (08:05:04.182 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1367593500.942 1367593500.943 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 2.95.53.208 Egg Source List: 2.95.53.208 C & 
C List: Peer Coord. List: Resource List: Observed Start: 05/03/2013 08:09:59.436 PDT Gen. Time: 05/03/2013 08:10:03.392 PDT INBOUND SCAN EXPLOIT 2.95.53.208 (08:09:59.436 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-3394 (08:09:59.436 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 2.95.53.208 (08:10:03.392 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 60439<-5588 (08:10:03.392 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1367593799.436 1367593799.437 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 2.95.53.208 Egg Source List: 2.95.53.208 C & C List: Peer Coord. List: Resource List: Observed Start: 05/03/2013 08:15:05.989 PDT Gen. 
Time: 05/03/2013 08:15:09.655 PDT INBOUND SCAN EXPLOIT 2.95.53.208 (08:15:05.989 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-2549 (08:15:05.989 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 2.95.53.208 (08:15:09.655 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 34186<-5588 (08:15:09.655 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1367594105.989 1367594105.990 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 2.95.53.208, 27.50.30.200 Egg Source List: 2.95.53.208, 27.50.30.200 C & C List: Peer Coord. List: Resource List: Observed Start: 05/03/2013 08:15:05.989 PDT Gen. 
Time: 05/03/2013 08:18:56.910 PDT INBOUND SCAN EXPLOIT 2.95.53.208 (08:15:05.989 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-2549 (08:15:05.989 PDT) 27.50.30.200 (08:16:01.315 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-4544 (08:16:01.315 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 2.95.53.208 (08:15:09.655 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 34186<-5588 (08:15:09.655 PDT) 27.50.30.200 (08:16:05.693 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 49665<-4444 (08:16:05.693 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1367594105.989 1367594105.990 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 2.95.53.208 Egg Source List: 2.95.53.208 C & C List: Peer Coord. List: Resource List: Observed Start: 05/03/2013 08:21:05.103 PDT Gen. 
Time: 05/03/2013 08:21:08.028 PDT INBOUND SCAN EXPLOIT 2.95.53.208 (08:21:05.103 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-3583 (08:21:05.103 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 2.95.53.208 (08:21:08.028 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 50109<-5588 (08:21:08.028 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1367594465.103 1367594465.104 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 2.95.53.208, 85.33.245.130 Egg Source List: 2.95.53.208, 85.33.245.130 C & C List: Peer Coord. List: Resource List: Observed Start: 05/03/2013 08:21:05.103 PDT Gen. 
Time: 05/03/2013 08:23:59.046 PDT INBOUND SCAN EXPLOIT 2.95.53.208 (08:21:05.103 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-3583 (08:21:05.103 PDT) 85.33.245.130 (08:21:31.859 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-3311 (08:21:31.859 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 2.95.53.208 (08:21:08.028 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 50109<-5588 (08:21:08.028 PDT) 85.33.245.130 (08:21:36.234 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 47994<-5977 (08:21:36.234 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1367594465.103 1367594465.104 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 142.4.49.107 Egg Source List: 142.4.49.107 C & C List: Peer Coord. List: Resource List: Observed Start: 05/03/2013 08:24:11.830 PDT Gen. 
Time: 05/03/2013 08:24:14.786 PDT INBOUND SCAN EXPLOIT 142.4.49.107 (08:24:11.830 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-3306 (08:24:11.830 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 142.4.49.107 (08:24:14.786 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 53724<-3017 (08:24:14.786 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1367594651.830 1367594651.831 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 2.95.53.208, 142.4.49.107, 208.115.230.78 Egg Source List: 2.95.53.208, 192.168.0.102, 142.4.49.107, 208.115.230.78 C & C List: Peer Coord. List: Resource List: Observed Start: 05/03/2013 08:24:11.830 PDT Gen. 
Time: 05/03/2013 08:32:26.148 PDT INBOUND SCAN EXPLOIT 2.95.53.208 (08:27:20.932 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-1602 (08:27:20.932 PDT) 142.4.49.107 (08:24:11.830 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-3306 (08:24:11.830 PDT) 208.115.230.78 (08:26:17.515 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-2767 (08:26:17.515 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 2.95.53.208 (08:27:24.369 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 47124<-5588 (08:27:24.369 PDT) 192.168.0.102 (14) (08:28:11.485 PDT-08:28:31.501 PDT) event=1:1444 (4) {udp} E3[rb] TFTP GET from external source, [] MAC_Src: 00:21:5A:08:EC:40 4: 50549->69 (08:28:11.485 PDT-08:28:26.471 PDT) ------------------------- event=1:2008120 (5) {udp} E3[rb] ET POLICY Outbound TFTP Read Request, [] MAC_Src: 00:21:5A:08:EC:40 5: 50549->69 (08:28:11.485 PDT-08:28:31.501 PDT) ------------------------- event=1:3001441 (5) {udp} E3[rb] TFTP GET .exe from external source, [] MAC_Src: 00:21:5A:08:EC:40 5: 50549->69 (08:28:11.485 PDT-08:28:31.501 PDT) 142.4.49.107 (08:24:14.786 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 53724<-3017 (08:24:14.786 PDT) 208.115.230.78 (08:26:21.384 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 57127<-9743 (08:26:21.384 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT 
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1367594651.830 1367594911.502 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 2.95.53.208
Egg Source List: 2.95.53.208
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/03/2013 08:34:14.964 PDT
Gen. Time: 05/03/2013 08:34:18.240 PDT

INBOUND SCAN
EXPLOIT
  2.95.53.208 (08:34:14.964 PDT)
    event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
    445<-1917 (08:34:14.964 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
  2.95.53.208 (08:34:18.240 PDT)
    event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
    49523<-5588 (08:34:18.240 PDT)
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1367595254.964 1367595254.965 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 2.95.53.208
Egg Source List: 2.95.53.208
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/03/2013 08:44:03.198 PDT
Gen. Time: 05/03/2013 08:44:06.560 PDT

INBOUND SCAN
EXPLOIT
  2.95.53.208 (08:44:03.198 PDT)
    event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
    445<-4723 (08:44:03.198 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
  2.95.53.208 (08:44:06.560 PDT)
    event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
    58583<-5588 (08:44:06.560 PDT)
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1367595843.198 1367595843.199 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 187.60.106.99
Egg Source List: 187.60.106.99
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/03/2013 08:51:31.326 PDT
Gen. Time: 05/03/2013 08:51:34.886 PDT

INBOUND SCAN
EXPLOIT
  187.60.106.99 (08:51:31.326 PDT)
    event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
    445<-3457 (08:51:31.326 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
  187.60.106.99 (08:51:34.886 PDT)
    event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
    35220<-2471 (08:51:34.886 PDT)
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1367596291.326 1367596291.327 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 2.95.53.208, 187.60.106.99, 128.73.79.184
Egg Source List: 2.95.53.208, 187.60.106.99, 128.73.79.184
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/03/2013 08:51:31.326 PDT
Gen. Time: 05/03/2013 08:58:02.165 PDT

INBOUND SCAN
EXPLOIT
  2.95.53.208 (08:53:06.373 PDT)
    event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
    445<-1323 (08:53:06.373 PDT)
  187.60.106.99 (08:51:31.326 PDT)
    event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
    445<-3457 (08:51:31.326 PDT)
  128.73.79.184 (08:55:29.134 PDT)
    event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
    445<-2673 (08:55:29.134 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
  2.95.53.208 (08:53:09.174 PDT)
    event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
    48849<-5588 (08:53:09.174 PDT)
  187.60.106.99 (08:51:34.886 PDT)
    event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
    35220<-2471 (08:51:34.886 PDT)
  128.73.79.184 (08:55:33.674 PDT)
    event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
    44156<-8149 (08:55:33.674 PDT)
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1367596291.326 1367596291.327 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 2.95.53.208, 79.9.152.96
Egg Source List: 2.95.53.208
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/03/2013 09:01:50.589 PDT
Gen. Time: 05/03/2013 09:04:38.675 PDT

INBOUND SCAN
EXPLOIT
  2.95.53.208 (09:04:34.176 PDT)
    event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
    445<-3492 (09:04:34.176 PDT)
  79.9.152.96 (09:01:50.589 PDT)
    event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
    445<-1376 (09:01:50.589 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
  2.95.53.208 (09:04:38.675 PDT)
    event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
    51005<-5588 (09:04:38.675 PDT)
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1367596910.589 1367596910.590 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 2.95.53.208
Egg Source List: 2.95.53.208
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/03/2013 09:14:19.220 PDT
Gen. Time: 05/03/2013 09:14:23.377 PDT

INBOUND SCAN
EXPLOIT
  2.95.53.208 (09:14:19.220 PDT)
    event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
    445<-1576 (09:14:19.220 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
  2.95.53.208 (09:14:23.377 PDT)
    event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
    35111<-5588 (09:14:23.377 PDT)
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1367597659.220 1367597659.221 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 2.95.53.208
Egg Source List: 2.95.53.208
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/03/2013 09:21:07.824 PDT
Gen. Time: 05/03/2013 09:21:11.198 PDT

INBOUND SCAN
EXPLOIT
  2.95.53.208 (09:21:07.824 PDT)
    event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
    445<-4916 (09:21:07.824 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
  2.95.53.208 (09:21:11.198 PDT)
    event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
    49048<-5588 (09:21:11.198 PDT)
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1367598067.824 1367598067.825 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 2.95.53.208
Egg Source List: 2.95.53.208
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/03/2013 09:28:28.007 PDT
Gen. Time: 05/03/2013 09:28:32.728 PDT

INBOUND SCAN
EXPLOIT
  2.95.53.208 (09:28:28.007 PDT)
    event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
    445<-4657 (09:28:28.007 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
  2.95.53.208 (09:28:32.728 PDT)
    event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
    45867<-5588 (09:28:32.728 PDT)
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1367598508.007 1367598508.008 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 92.247.104.164, 2.95.53.208
Egg Source List: 92.247.104.164, 2.95.53.208
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/03/2013 09:28:28.007 PDT
Gen. Time: 05/03/2013 09:32:52.484 PDT

INBOUND SCAN
EXPLOIT
  92.247.104.164 (09:29:31.114 PDT)
    event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
    445<-4201 (09:29:31.114 PDT)
  2.95.53.208 (09:28:28.007 PDT)
    event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
    445<-4657 (09:28:28.007 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
  92.247.104.164 (09:29:33.916 PDT)
    event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
    43732<-3977 (09:29:33.916 PDT)
  2.95.53.208 (09:28:32.728 PDT)
    event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
    45867<-5588 (09:28:32.728 PDT)
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1367598508.007 1367598508.008 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 2.95.53.208
Egg Source List: 2.95.53.208
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/03/2013 09:35:44.963 PDT
Gen. Time: 05/03/2013 09:35:48.454 PDT

INBOUND SCAN
EXPLOIT
  2.95.53.208 (09:35:44.963 PDT)
    event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
    445<-4370 (09:35:44.963 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
  2.95.53.208 (09:35:48.454 PDT)
    event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
    45545<-5588 (09:35:48.454 PDT)
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1367598944.963 1367598944.964 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 2.95.53.208
Egg Source List: 2.95.53.208
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/03/2013 09:42:40.805 PDT
Gen. Time: 05/03/2013 09:42:45.866 PDT

INBOUND SCAN
EXPLOIT
  2.95.53.208 (09:42:40.805 PDT)
    event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
    445<-3490 (09:42:40.805 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
  2.95.53.208 (09:42:45.866 PDT)
    event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
    42536<-5588 (09:42:45.866 PDT)
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1367599360.805 1367599360.806 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 2.95.53.208, 62.201.90.90
Egg Source List: 2.95.53.208, 62.201.90.90
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/03/2013 09:42:40.805 PDT
Gen. Time: 05/03/2013 10:08:32.409 PDT

INBOUND SCAN
EXPLOIT
  2.95.53.208 (2) (09:42:40.805 PDT)
    event=1:22009201 (2) {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
    445<-3490 (09:42:40.805 PDT)
    445<-4502 (09:50:12.413 PDT)
  62.201.90.90 (15) (09:46:24.512 PDT)
    event=1:22009201 (15) {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
    445<-4213 (09:46:24.512 PDT)
    445<-1674 (09:46:39.672 PDT)
    445<-2732 (09:46:58.898 PDT)
    445<-4118 (09:47:15.676 PDT)
    445<-1409 (09:47:33.166 PDT)
    445<-2740 (09:47:51.694 PDT)
    445<-3956 (09:48:11.462 PDT)
    445<-1520 (09:48:25.896 PDT)
    445<-2545 (09:48:44.310 PDT)
    445<-3889 (09:49:01.276 PDT)
    445<-1221 (09:49:21.193 PDT)
    445<-2553 (09:49:35.988 PDT)
    445<-3564 (09:49:55.384 PDT)
    445<-1363 (09:50:17.464 PDT)
    445<-2687 (09:50:36.202 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
  2.95.53.208 (2) (09:42:45.866 PDT)
    event=1:2001685 (2) {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
    42536<-5588 (09:42:45.866 PDT)
    57708<-5588 (09:50:16.831 PDT)
  62.201.90.90 (15) (09:46:28.342 PDT)
    event=1:2001685 (15) {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
    34333<-9092 (09:46:28.342 PDT)
    34351<-9092 (09:46:45.002 PDT)
    34368<-9092 (09:47:05.029 PDT)
    34375<-9092 (09:47:19.051 PDT)
    34394<-9092 (09:47:38.050 PDT)
    34402<-9092 (09:47:55.706 PDT)
    34426<-9092 (09:48:14.954 PDT)
    34431<-9092 (09:48:30.150 PDT)
    34445<-9092 (09:48:48.987 PDT)
    34462<-9092 (09:49:05.236 PDT)
    34474<-9092 (09:49:24.984 PDT)
    34496<-9092 (09:49:40.078 PDT)
    34507<-9092 (09:50:01.652 PDT)
    34532<-9092 (09:50:21.724 PDT)
    34551<-9092 (09:50:39.978 PDT)
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1367599360.805 1367599360.806 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 2.92.4.126
Egg Source List: 2.92.4.126
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/03/2013 13:33:46.851 PDT
Gen. Time: 05/03/2013 13:33:49.665 PDT

INBOUND SCAN
EXPLOIT
  2.92.4.126 (13:33:46.851 PDT)
    event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
    445<-4193 (13:33:46.851 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
  2.92.4.126 (13:33:49.665 PDT)
    event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
    56671<-9963 (13:33:49.665 PDT)
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1367613226.851 1367613226.852 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 187.40.133.158
Egg Source List: 187.40.133.158
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/03/2013 13:36:41.988 PDT
Gen. Time: 05/03/2013 13:36:44.792 PDT

INBOUND SCAN
EXPLOIT
  187.40.133.158 (13:36:41.988 PDT)
    event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
    445<-2580 (13:36:41.988 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
  187.40.133.158 (13:36:44.792 PDT)
    event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
    54823<-3346 (13:36:44.792 PDT)
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1367613401.988 1367613401.989 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 124.74.132.26
Egg Source List: 192.168.0.3
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/03/2013 13:42:14.902 PDT
Gen. Time: 05/03/2013 13:42:55.749 PDT

INBOUND SCAN
EXPLOIT
  124.74.132.26 (13:42:55.749 PDT)
    event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
    445<-2725 (13:42:55.749 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
  192.168.0.3 (17) (13:42:14.902 PDT-13:42:39.918 PDT)
    event=1:1444 (5) {udp} E3[rb] TFTP GET from external source, [] MAC_Src: 00:21:5A:08:EC:40
    5: 52032->69 (13:42:14.902 PDT-13:42:34.909 PDT)
    -------------------------
    event=1:2008120 (6) {udp} E3[rb] ET POLICY Outbound TFTP Read Request, [] MAC_Src: 00:21:5A:08:EC:40
    6: 52032->69 (13:42:14.902 PDT-13:42:39.918 PDT)
    -------------------------
    event=1:3001441 (6) {udp} E3[rb] TFTP GET .exe from external source, [] MAC_Src: 00:21:5A:08:EC:40
    6: 52032->69 (13:42:14.902 PDT-13:42:39.918 PDT)
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1367613734.902 1367613759.919 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 190.198.95.95
Egg Source List: 190.198.95.95
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/03/2013 14:16:19.983 PDT
Gen. Time: 05/03/2013 14:16:23.144 PDT

INBOUND SCAN
EXPLOIT
  190.198.95.95 (14:16:19.983 PDT)
    event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
    445<-3106 (14:16:19.983 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
  190.198.95.95 (14:16:23.144 PDT)
    event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
    39800<-4978 (14:16:23.144 PDT)
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1367615779.983 1367615779.984 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 93.143.197.53, 190.198.95.95
Egg Source List: 190.198.95.95
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/03/2013 14:16:19.983 PDT
Gen. Time: 05/03/2013 14:21:49.111 PDT

INBOUND SCAN
EXPLOIT
  93.143.197.53 (7) (14:18:01.660 PDT-14:18:02.101 PDT)
    event=1:22000032 (2) {tcp} E2[rb] ET EXPLOIT LSA exploit, [] MAC_Dst: 00:21:5A:08:EC:40
    2: 445<-2735 (14:18:01.660 PDT-14:18:01.913 PDT)
    -------------------------
    event=1:22000033 (3) {tcp} E2[rb] ET NETBIOS MS04011 Lsasrv.dll RPC exploit (WinXP), [] MAC_Dst: 00:21:5A:08:EC:40
    3: 445<-2735 (14:18:01.892 PDT-14:18:02.101 PDT)
    -------------------------
    event=1:22514 (2) {tcp} E2[rb] GPL NETBIOS SMB-DS DCERPC LSASS DsRolerUpgradeDownlevelServer exploit attempt, [] MAC_Dst: 00:21:5A:08:EC:40
    2: 445<-2735 (14:18:01.675 PDT-14:18:01.877 PDT)
  190.198.95.95 (14:16:19.983 PDT)
    event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
    445<-3106 (14:16:19.983 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
  190.198.95.95 (14:16:23.144 PDT)
    event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
    39800<-4978 (14:16:23.144 PDT)
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1367615779.983 1367615882.102 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 89.38.194.126
Egg Source List: 89.38.194.126
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/03/2013 14:28:54.389 PDT
Gen. Time: 05/03/2013 14:28:57.283 PDT

INBOUND SCAN
EXPLOIT
  89.38.194.126 (14:28:54.389 PDT)
    event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
    445<-1680 (14:28:54.389 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
  89.38.194.126 (14:28:57.283 PDT)
    event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
    47054<-3229 (14:28:57.283 PDT)
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1367616534.389 1367616534.390 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 95.25.15.84, 89.38.194.126
Egg Source List: 95.25.15.84, 89.38.194.126
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/03/2013 14:28:54.389 PDT
Gen. Time: 05/03/2013 14:36:56.228 PDT

INBOUND SCAN
EXPLOIT
  95.25.15.84 (14:32:36.438 PDT)
    event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
    445<-3585 (14:32:36.438 PDT)
  89.38.194.126 (14:28:54.389 PDT)
    event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
    445<-1680 (14:28:54.389 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
  95.25.15.84 (14:32:39.700 PDT)
    event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
    53137<-5675 (14:32:39.700 PDT)
  89.38.194.126 (14:28:57.283 PDT)
    event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
    47054<-3229 (14:28:57.283 PDT)
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1367616534.389 1367616534.390 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 79.32.216.75
Egg Source List: 79.32.216.75
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/03/2013 14:51:25.067 PDT
Gen. Time: 05/03/2013 14:51:28.843 PDT

INBOUND SCAN
EXPLOIT
  79.32.216.75 (14:51:25.067 PDT)
    event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
    445<-1348 (14:51:25.067 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
  79.32.216.75 (14:51:28.843 PDT)
    event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
    44211<-9630 (14:51:28.843 PDT)
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1367617885.067 1367617885.068 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 203.249.67.240
Egg Source List: 192.168.0.10
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/03/2013 15:17:38.457 PDT
Gen. Time: 05/03/2013 15:18:46.286 PDT

INBOUND SCAN
EXPLOIT
  203.249.67.240 (15:18:46.286 PDT)
    event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
    445<-1792 (15:18:46.286 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
  192.168.0.10 (17) (15:17:38.457 PDT-15:18:03.738 PDT)
    event=1:1444 (5) {udp} E3[rb] TFTP GET from external source, [] MAC_Src: 00:21:5A:08:EC:40
    5: 56701->69 (15:17:38.457 PDT-15:17:58.734 PDT)
    -------------------------
    event=1:2008120 (6) {udp} E3[rb] ET POLICY Outbound TFTP Read Request, [] MAC_Src: 00:21:5A:08:EC:40
    6: 56701->69 (15:17:38.457 PDT-15:18:03.738 PDT)
    -------------------------
    event=1:3001441 (6) {udp} E3[rb] TFTP GET .exe from external source, [] MAC_Src: 00:21:5A:08:EC:40
    6: 56701->69 (15:17:38.457 PDT-15:18:03.738 PDT)
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1367619458.457 1367619483.739 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 187.57.41.147
Egg Source List: 187.57.41.147
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/03/2013 15:33:15.216 PDT
Gen. Time: 05/03/2013 15:33:18.435 PDT

INBOUND SCAN
EXPLOIT
  187.57.41.147 (15:33:15.216 PDT)
    event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
    445<-3531 (15:33:15.216 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
  187.57.41.147 (15:33:18.435 PDT)
    event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
    48874<-3924 (15:33:18.435 PDT)
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1367620395.216 1367620395.217 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 187.57.41.147, 2.192.104.135, 77.45.27.172
Egg Source List: 187.57.41.147, 2.192.104.135, 77.45.27.172
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/03/2013 15:33:15.216 PDT
Gen. Time: 05/03/2013 15:42:50.296 PDT

INBOUND SCAN
EXPLOIT
  187.57.41.147 (15:33:15.216 PDT)
    event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
    445<-3531 (15:33:15.216 PDT)
  2.192.104.135 (15:35:47.540 PDT)
    event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
    445<-2398 (15:35:47.540 PDT)
  77.45.27.172 (15:38:36.871 PDT)
    event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
    445<-2191 (15:38:36.871 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
  187.57.41.147 (15:33:18.435 PDT)
    event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
    48874<-3924 (15:33:18.435 PDT)
  2.192.104.135 (15:35:51.769 PDT)
    event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
    42693<-9202 (15:35:51.769 PDT)
  77.45.27.172 (15:38:40.084 PDT)
    event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
    50531<-7659 (15:38:40.084 PDT)
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1367620395.216 1367620395.217 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 46.214.55.71
Egg Source List: 46.214.55.71
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/03/2013 16:25:16.217 PDT
Gen. Time: 05/03/2013 16:25:19.343 PDT

INBOUND SCAN
EXPLOIT
  46.214.55.71 (16:25:16.217 PDT)
    event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
    445<-1097 (16:25:16.217 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
  46.214.55.71 (16:25:19.343 PDT)
    event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
    34442<-1026 (16:25:19.343 PDT)
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1367623516.217 1367623516.218 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 111.248.165.156
Egg Source List: 111.248.165.156
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/03/2013 16:33:57.534 PDT
Gen. Time: 05/03/2013 16:34:01.829 PDT

INBOUND SCAN
EXPLOIT
  111.248.165.156 (16:33:57.534 PDT)
    event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
    445<-4832 (16:33:57.534 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
  111.248.165.156 (16:34:01.829 PDT)
    event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
    52962<-1384 (16:34:01.829 PDT)
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1367624037.534 1367624037.535 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 223.18.248.184
Egg Source List: 223.18.248.184
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/03/2013 17:12:32.068 PDT
Gen. Time: 05/03/2013 17:12:34.886 PDT

INBOUND SCAN
EXPLOIT
  223.18.248.184 (17:12:32.068 PDT)
    event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
    445<-1398 (17:12:32.068 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
  223.18.248.184 (17:12:34.886 PDT)
    event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
    48053<-2636 (17:12:34.886 PDT)
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1367626352.068 1367626352.069 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 190.38.86.60, 223.18.248.184
Egg Source List: 190.38.86.60, 223.18.248.184
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/03/2013 17:12:32.068 PDT
Gen. Time: 05/03/2013 17:17:20.844 PDT

INBOUND SCAN
EXPLOIT
  190.38.86.60 (17:14:09.089 PDT)
    event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
    445<-4190 (17:14:09.089 PDT)
  223.18.248.184 (17:12:32.068 PDT)
    event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
    445<-1398 (17:12:32.068 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
  190.38.86.60 (17:14:11.890 PDT)
    event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
    57260<-8156 (17:14:11.890 PDT)
  223.18.248.184 (17:12:34.886 PDT)
    event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
    48053<-2636 (17:12:34.886 PDT)
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1367626352.068 1367626352.069 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 2.92.4.126
Egg Source List: 2.92.4.126
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/03/2013 17:21:42.837 PDT
Gen. Time: 05/03/2013 17:21:47.028 PDT

INBOUND SCAN
EXPLOIT
  2.92.4.126 (17:21:42.837 PDT)
    event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
    445<-2441 (17:21:42.837 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
  2.92.4.126 (17:21:47.028 PDT)
    event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
    49209<-9963 (17:21:47.028 PDT)
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1367626902.837 1367626902.838 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 200.87.243.218
Egg Source List: 192.168.2.101
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/03/2013 17:31:12.587 PDT
Gen.
Time: 05/03/2013 17:32:30.965 PDT INBOUND SCAN EXPLOIT 200.87.243.218 (17:31:12.587 PDT) event=1:22465 {tcp} E2[rb] GPL NETBIOS SMB-DS IPC$ share access, [] MAC_Dst: 00:21:5A:08:EC:40 445<-59935 (17:31:12.587 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 192.168.2.101 (17:32:30.965 PDT) event=1:3001441 {udp} E3[rb] TFTP GET .exe from external source, [] MAC_Src: 00:21:5A:08:EC:40 54289->69 (17:32:30.965 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1367627472.587 1367627472.588 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 200.87.243.218 Egg Source List: 192.168.2.101 C & C List: Peer Coord. List: Resource List: Observed Start: 05/03/2013 17:31:12.587 PDT Gen. 
Time: 05/03/2013 17:36:29.252 PDT INBOUND SCAN EXPLOIT 200.87.243.218 (17:31:12.587 PDT) event=1:22465 {tcp} E2[rb] GPL NETBIOS SMB-DS IPC$ share access, [] MAC_Dst: 00:21:5A:08:EC:40 445<-59935 (17:31:12.587 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 192.168.2.101 (17) (17:32:30.965 PDT-17:32:56.080 PDT) event=1:1444 (5) {udp} E3[rb] TFTP GET from external source, [] MAC_Src: 00:21:5A:08:EC:40 5: 54289->69 (17:32:30.965 PDT-17:32:51.069 PDT) ------------------------- event=1:2008120 (6) {udp} E3[rb] ET POLICY Outbound TFTP Read Request, [] MAC_Src: 00:21:5A:08:EC:40 6: 54289->69 (17:32:30.965 PDT-17:32:56.080 PDT) ------------------------- event=1:3001441 (6) {udp} E3[rb] TFTP GET .exe from external source, [] MAC_Src: 00:21:5A:08:EC:40 6: 54289->69 (17:32:30.965 PDT-17:32:56.080 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1367627472.587 1367627576.081 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 111.255.113.110 Egg Source List: 111.255.113.110 C & C List: Peer Coord. List: Resource List: Observed Start: 05/03/2013 17:37:15.667 PDT Gen. 
Time: 05/03/2013 17:37:19.534 PDT INBOUND SCAN EXPLOIT 111.255.113.110 (17:37:15.667 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-4907 (17:37:15.667 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 111.255.113.110 (17:37:19.534 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 40410<-7606 (17:37:19.534 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1367627835.667 1367627835.668 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 187.10.164.91, 111.255.113.110 Egg Source List: 187.10.164.91, 111.255.113.110 C & C List: Peer Coord. List: Resource List: Observed Start: 05/03/2013 17:37:15.667 PDT Gen. 
Time: 05/03/2013 17:40:01.180 PDT INBOUND SCAN EXPLOIT 187.10.164.91 (17:38:50.218 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-4532 (17:38:50.218 PDT) 111.255.113.110 (17:37:15.667 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-4907 (17:37:15.667 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 187.10.164.91 (17:38:53.385 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 33386<-7065 (17:38:53.385 PDT) 111.255.113.110 (17:37:19.534 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 40410<-7606 (17:37:19.534 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1367627835.667 1367627835.668 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 111.255.113.110 Egg Source List: 111.255.113.110 C & C List: Peer Coord. List: Resource List: Observed Start: 05/03/2013 17:42:41.174 PDT Gen. 
Time: 05/03/2013 17:42:44.060 PDT INBOUND SCAN EXPLOIT 111.255.113.110 (17:42:41.174 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-2194 (17:42:41.174 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 111.255.113.110 (17:42:44.060 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 54775<-7606 (17:42:44.060 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1367628161.174 1367628161.175 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 111.255.113.110, 190.50.122.167 Egg Source List: 111.255.113.110, 190.50.122.167 C & C List: Peer Coord. List: Resource List: Observed Start: 05/03/2013 17:42:41.174 PDT Gen. 
Time: 05/03/2013 17:48:59.730 PDT INBOUND SCAN EXPLOIT 111.255.113.110 (17:42:41.174 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-2194 (17:42:41.174 PDT) 190.50.122.167 (17:45:35.434 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-1057 (17:45:35.434 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 111.255.113.110 (17:42:44.060 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 54775<-7606 (17:42:44.060 PDT) 190.50.122.167 (17:45:39.411 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 59088<-1113 (17:45:39.411 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1367628161.174 1367628161.175 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 111.255.113.110 Egg Source List: 111.255.113.110 C & C List: Peer Coord. List: Resource List: Observed Start: 05/03/2013 17:59:37.614 PDT Gen. 
Time: 05/03/2013 17:59:40.435 PDT INBOUND SCAN EXPLOIT 111.255.113.110 (17:59:37.614 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-3704 (17:59:37.614 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 111.255.113.110 (17:59:40.435 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 43238<-7606 (17:59:40.435 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1367629177.614 1367629177.615 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 111.255.113.110 Egg Source List: 111.255.113.110 C & C List: Peer Coord. List: Resource List: Observed Start: 05/03/2013 18:14:29.058 PDT Gen. 
Time: 05/03/2013 18:14:31.864 PDT INBOUND SCAN EXPLOIT 111.255.113.110 (18:14:29.058 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-1346 (18:14:29.058 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 111.255.113.110 (18:14:31.864 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 44916<-7606 (18:14:31.864 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1367630069.058 1367630069.059 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 128.71.95.237 Egg Source List: 128.71.95.237 C & C List: Peer Coord. List: Resource List: Observed Start: 05/03/2013 18:23:29.366 PDT Gen. 
Time: 05/03/2013 18:23:32.983 PDT INBOUND SCAN EXPLOIT 128.71.95.237 (18:23:29.366 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-1263 (18:23:29.366 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 128.71.95.237 (18:23:32.983 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 52564<-5588 (18:23:32.983 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1367630609.366 1367630609.367 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 111.255.113.110 Egg Source List: 111.255.113.110 C & C List: Peer Coord. List: Resource List: Observed Start: 05/03/2013 18:28:59.857 PDT Gen. 
Time: 05/03/2013 18:29:02.825 PDT INBOUND SCAN EXPLOIT 111.255.113.110 (18:28:59.857 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-3933 (18:28:59.857 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 111.255.113.110 (18:29:02.825 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 53148<-7606 (18:29:02.825 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1367630939.857 1367630939.858 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 128.71.95.237 Egg Source List: 128.71.95.237 C & C List: Peer Coord. List: Resource List: Observed Start: 05/03/2013 18:40:14.004 PDT Gen. 
Time: 05/03/2013 18:40:19.113 PDT INBOUND SCAN EXPLOIT 128.71.95.237 (18:40:14.004 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-4344 (18:40:14.004 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 128.71.95.237 (18:40:19.113 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 52073<-5588 (18:40:19.113 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1367631614.004 1367631614.005 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 111.255.113.110, 128.71.95.237, 79.32.216.75 Egg Source List: 111.255.113.110, 128.71.95.237, 79.32.216.75 C & C List: Peer Coord. List: Resource List: Observed Start: 05/03/2013 18:40:14.004 PDT Gen. 
Time: 05/03/2013 18:49:18.136 PDT INBOUND SCAN EXPLOIT 111.255.113.110 (18:43:00.824 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-4549 (18:43:00.824 PDT) 128.71.95.237 (18:40:14.004 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-4344 (18:40:14.004 PDT) 79.32.216.75 (18:45:09.969 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-4276 (18:45:09.969 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 111.255.113.110 (18:43:03.858 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 49477<-7606 (18:43:03.858 PDT) 128.71.95.237 (18:40:19.113 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 52073<-5588 (18:40:19.113 PDT) 79.32.216.75 (18:45:12.819 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 49370<-9630 (18:45:12.819 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1367631614.004 1367631614.005 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 89.38.194.126 Egg Source List: 89.38.194.126 C & C List: Peer Coord. List: Resource List: Observed Start: 05/03/2013 18:54:39.706 PDT Gen. 
Time: 05/03/2013 18:54:43.235 PDT INBOUND SCAN EXPLOIT 89.38.194.126 (18:54:39.706 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-4186 (18:54:39.706 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 89.38.194.126 (18:54:43.235 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 46834<-3229 (18:54:43.235 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1367632479.706 1367632479.707 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 111.255.113.110, 89.38.194.126 Egg Source List: 111.255.113.110, 89.38.194.126 C & C List: Peer Coord. List: Resource List: Observed Start: 05/03/2013 18:54:39.706 PDT Gen. 
Time: 05/03/2013 19:01:22.976 PDT INBOUND SCAN EXPLOIT 111.255.113.110 (18:57:18.097 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-2164 (18:57:18.097 PDT) 89.38.194.126 (18:54:39.706 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-4186 (18:54:39.706 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 111.255.113.110 (18:57:20.587 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 35656<-7606 (18:57:20.587 PDT) 89.38.194.126 (18:54:43.235 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 46834<-3229 (18:54:43.235 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1367632479.706 1367632479.707 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 128.71.95.237 Egg Source List: 128.71.95.237 C & C List: Peer Coord. List: Resource List: Observed Start: 05/03/2013 19:02:08.503 PDT Gen. 
Time: 05/03/2013 19:02:11.454 PDT INBOUND SCAN EXPLOIT 128.71.95.237 (19:02:08.503 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-2118 (19:02:08.503 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 128.71.95.237 (19:02:11.454 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 45126<-5588 (19:02:11.454 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1367632928.503 1367632928.504 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 203.249.67.240 Egg Source List: 203.249.67.240 C & C List: Peer Coord. List: Resource List: Observed Start: 05/03/2013 19:09:24.861 PDT Gen. 
Time: 05/03/2013 19:09:27.551 PDT INBOUND SCAN EXPLOIT 203.249.67.240 (19:09:24.861 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-1739 (19:09:24.861 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 203.249.67.240 (19:09:27.551 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 34800<-4884 (19:09:27.551 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1367633364.861 1367633364.862 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 95.91.126.94 Egg Source List: 95.91.126.94 C & C List: Peer Coord. List: Resource List: Observed Start: 05/03/2013 19:20:45.104 PDT Gen. 
Time: 05/03/2013 19:20:49.374 PDT INBOUND SCAN EXPLOIT 95.91.126.94 (19:20:45.104 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-1910 (19:20:45.104 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 95.91.126.94 (19:20:49.374 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 55262<-9540 (19:20:49.374 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1367634045.104 1367634045.105 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 187.57.41.147, 95.91.126.94 Egg Source List: 187.57.41.147, 95.91.126.94 C & C List: Peer Coord. List: Resource List: Observed Start: 05/03/2013 19:20:45.104 PDT Gen. 
Time: 05/03/2013 19:25:09.068 PDT INBOUND SCAN EXPLOIT 187.57.41.147 (19:20:54.132 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-1741 (19:20:54.132 PDT) 95.91.126.94 (19:20:45.104 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-1910 (19:20:45.104 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 187.57.41.147 (19:21:01.676 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 54379<-3924 (19:21:01.676 PDT) 95.91.126.94 (19:20:49.374 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 55262<-9540 (19:20:49.374 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1367634045.104 1367634045.105 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 118.167.228.132, 77.45.27.172 Egg Source List: 77.45.27.172 C & C List: Peer Coord. List: Resource List: Observed Start: 05/03/2013 20:03:28.114 PDT Gen. 
Time: 05/03/2013 20:04:10.166 PDT INBOUND SCAN EXPLOIT 118.167.228.132 (20:03:28.114 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-29578 (20:03:28.114 PDT) 77.45.27.172 (20:04:07.501 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-2294 (20:04:07.501 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 77.45.27.172 (20:04:10.166 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 36804<-7659 (20:04:10.166 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1367636608.114 1367636608.115 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 111.248.165.156 Egg Source List: 111.248.165.156 C & C List: Peer Coord. List: Resource List: Observed Start: 05/03/2013 20:16:05.792 PDT Gen. 
Time: 05/03/2013 20:16:09.719 PDT INBOUND SCAN EXPLOIT 111.248.165.156 (20:16:05.792 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-3600 (20:16:05.792 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 111.248.165.156 (20:16:09.719 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 44992<-1384 (20:16:09.719 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1367637365.792 1367637365.793 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 189.103.225.126 Egg Source List: 189.103.225.126 C & C List: Peer Coord. List: Resource List: Observed Start: 05/03/2013 20:39:12.090 PDT Gen. 
Time: 05/03/2013 20:39:14.870 PDT INBOUND SCAN EXPLOIT 189.103.225.126 (20:39:12.090 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-3575 (20:39:12.090 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 189.103.225.126 (20:39:14.870 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 35818<-2656 (20:39:14.870 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1367638752.090 1367638752.091 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 92.247.104.164 Egg Source List: 92.247.104.164 C & C List: Peer Coord. List: Resource List: Observed Start: 05/03/2013 20:55:26.253 PDT Gen. 
Time: 05/03/2013 20:55:28.986 PDT

INBOUND SCAN

EXPLOIT
92.247.104.164 (20:55:26.253 PDT)
  event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
  445<-1867 (20:55:26.253 PDT)

EXPLOIT MALWARE DNS

EGG DOWNLOAD
92.247.104.164 (20:55:28.986 PDT)
  event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
  58981<-3977 (20:55:28.986 PDT)

C and C TRAFFIC

C and C TRAFFIC (RBN)

C and C DNS CHECK-IN

OUTBOUND SKYPE CANDIDATE

OUTBOUND SCAN (spp)

OUTBOUND SCAN

ATTACK PREP

PEER COORDINATION Info

PEER COORDINATION

DECLARE BOT Standard Port

DECLARE BOT Non-standard Port

DECLARE BOT Local Threat Triggered

DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1367639726.253 1367639726.254 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 190.38.86.60, 92.247.104.164
Egg Source List: 190.38.86.60, 92.247.104.164
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/03/2013 20:55:26.253 PDT
Gen. Time: 05/03/2013 21:00:08.049 PDT

INBOUND SCAN

EXPLOIT
190.38.86.60 (20:56:06.199 PDT)
  event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
  445<-3230 (20:56:06.199 PDT)
92.247.104.164 (3) (20:55:26.253 PDT)
  event=1:22009201 (3) {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
  445<-1867 (20:55:26.253 PDT)
  445<-2148 (20:55:38.097 PDT)
  445<-2419 (20:55:54.002 PDT)

EXPLOIT MALWARE DNS

EGG DOWNLOAD
190.38.86.60 (20:56:09.969 PDT)
  event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
  41600<-8156 (20:56:09.969 PDT)
92.247.104.164 (3) (20:55:28.986 PDT)
  event=1:2001685 (3) {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
  58981<-3977 (20:55:28.986 PDT)
  58989<-3977 (20:55:41.864 PDT)
  57966<-3977 (20:55:58.365 PDT)

C and C TRAFFIC

C and C TRAFFIC (RBN)

C and C DNS CHECK-IN

OUTBOUND SKYPE CANDIDATE

OUTBOUND SCAN (spp)

OUTBOUND SCAN

ATTACK PREP

PEER COORDINATION Info

PEER COORDINATION

DECLARE BOT Standard Port

DECLARE BOT Non-standard Port

DECLARE BOT Local Threat Triggered

DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1367639726.253 1367639726.254 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 184.106.144.25
Egg Source List: 184.106.144.25
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/03/2013 21:18:43.722 PDT
Gen. Time: 05/03/2013 21:18:47.768 PDT

INBOUND SCAN

EXPLOIT
184.106.144.25 (21:18:43.722 PDT)
  event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
  445<-1149 (21:18:43.722 PDT)

EXPLOIT MALWARE DNS

EGG DOWNLOAD
184.106.144.25 (21:18:47.768 PDT)
  event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
  36163<-6133 (21:18:47.768 PDT)

C and C TRAFFIC

C and C TRAFFIC (RBN)

C and C DNS CHECK-IN

OUTBOUND SKYPE CANDIDATE

OUTBOUND SCAN (spp)

OUTBOUND SCAN

ATTACK PREP

PEER COORDINATION Info

PEER COORDINATION

DECLARE BOT Standard Port

DECLARE BOT Non-standard Port

DECLARE BOT Local Threat Triggered

DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1367641123.722 1367641123.723 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 184.106.144.25, 218.173.79.121
Egg Source List: 184.106.144.25, 218.173.79.121
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/03/2013 21:18:43.722 PDT
Gen. Time: 05/03/2013 21:24:29.499 PDT

INBOUND SCAN

EXPLOIT
184.106.144.25 (21:18:43.722 PDT)
  event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
  445<-1149 (21:18:43.722 PDT)
218.173.79.121 (21:20:38.773 PDT)
  event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
  445<-2499 (21:20:38.773 PDT)

EXPLOIT MALWARE DNS

EGG DOWNLOAD
184.106.144.25 (21:18:47.768 PDT)
  event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
  36163<-6133 (21:18:47.768 PDT)
218.173.79.121 (21:20:42.722 PDT)
  event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
  56676<-2145 (21:20:42.722 PDT)

C and C TRAFFIC

C and C TRAFFIC (RBN)

C and C DNS CHECK-IN

OUTBOUND SKYPE CANDIDATE

OUTBOUND SCAN (spp)

OUTBOUND SCAN

ATTACK PREP

PEER COORDINATION Info

PEER COORDINATION

DECLARE BOT Standard Port

DECLARE BOT Non-standard Port

DECLARE BOT Local Threat Triggered

DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1367641123.722 1367641123.723 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 1.169.140.133, 1.172.132.49
Egg Source List: 1.172.132.49
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/03/2013 21:24:44.846 PDT
Gen. Time: 05/03/2013 21:28:22.582 PDT

INBOUND SCAN

EXPLOIT
1.169.140.133 (21:24:44.846 PDT)
  event=1:22514 {tcp} E2[rb] GPL NETBIOS SMB-DS DCERPC LSASS DsRolerUpgradeDownlevelServer exploit attempt, [] MAC_Dst: 00:21:5A:08:EC:40
  445<-2457 (21:24:44.846 PDT)
1.172.132.49 (21:28:19.945 PDT)
  event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
  445<-2814 (21:28:19.945 PDT)

EXPLOIT MALWARE DNS

EGG DOWNLOAD
1.172.132.49 (21:28:22.582 PDT)
  event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
  47299<-3721 (21:28:22.582 PDT)

C and C TRAFFIC

C and C TRAFFIC (RBN)

C and C DNS CHECK-IN

OUTBOUND SKYPE CANDIDATE

OUTBOUND SCAN (spp)

OUTBOUND SCAN

ATTACK PREP

PEER COORDINATION Info

PEER COORDINATION

DECLARE BOT Standard Port

DECLARE BOT Non-standard Port

DECLARE BOT Local Threat Triggered

DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1367641484.846 1367641484.847 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 220.108.56.38
Egg Source List: 220.108.56.38
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/03/2013 21:37:12.322 PDT
Gen. Time: 05/03/2013 21:37:15.392 PDT

INBOUND SCAN

EXPLOIT
220.108.56.38 (21:37:12.322 PDT)
  event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
  445<-3175 (21:37:12.322 PDT)

EXPLOIT MALWARE DNS

EGG DOWNLOAD
220.108.56.38 (21:37:15.392 PDT)
  event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
  58280<-9413 (21:37:15.392 PDT)

C and C TRAFFIC

C and C TRAFFIC (RBN)

C and C DNS CHECK-IN

OUTBOUND SKYPE CANDIDATE

OUTBOUND SCAN (spp)

OUTBOUND SCAN

ATTACK PREP

PEER COORDINATION Info

PEER COORDINATION

DECLARE BOT Standard Port

DECLARE BOT Non-standard Port

DECLARE BOT Local Threat Triggered

DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1367642232.322 1367642232.323 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'
============================== SEPARATOR ================================
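Each record above is a BotHunter infection profile for 192.168.1.102: one or more infectors hit 445/tcp with the "ET TROJAN Conficker.b Shellcode" signature (sid 22009201), the egg source then delivered a Windows executable while claiming to send an image (sid 2001685), and the trailing tcpslice/tcpdump pipeline carves a one-millisecond window starting at the Observed Start out of the capture. The Python below is an added example, not BotHunter's code or the page author's: it parses the record text into structured fields, checks that the tcpslice epoch really is the Observed Start converted from PDT (UTC-7), flags infectors whose exploit attempt produced no egg download, and regenerates the extraction command with an optional wider window reaching to the Gen. Time so that the egg transfer itself lands in the slice. The sample input is the page's 1.169.140.133 / 1.172.132.49 record in BotHunter's multi-line layout; the function names, the `pad` parameter and the default file names are this example's own assumptions.

```python
"""Triage helpers for BotHunter infection-profile text (added example, not BotHunter code)."""
import re
from datetime import datetime, timedelta, timezone

# The page's profiles are stamped in PDT (UTC-7). Other zones are rejected, not guessed.
ZONES = {"PDT": timezone(timedelta(hours=-7))}
TS_FMT = "%m/%d/%Y %H:%M:%S.%f"
LIST_FIELDS = ("Infector List", "Egg Source List", "C & C List",
               "Peer Coord. List", "Resource List")

# Sample input: the page's record for 1.169.140.133 / 1.172.132.49, embedded so this runs offline.
SAMPLE = """\
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 1.169.140.133, 1.172.132.49
Egg Source List: 1.172.132.49
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/03/2013 21:24:44.846 PDT
Gen. Time: 05/03/2013 21:28:22.582 PDT

EXPLOIT
1.169.140.133 (21:24:44.846 PDT)
  event=1:22514 {tcp} E2[rb] GPL NETBIOS SMB-DS DCERPC LSASS DsRolerUpgradeDownlevelServer exploit attempt, [] MAC_Dst: 00:21:5A:08:EC:40
  445<-2457 (21:24:44.846 PDT)
1.172.132.49 (21:28:19.945 PDT)
  event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
  445<-2814 (21:28:19.945 PDT)

EGG DOWNLOAD
1.172.132.49 (21:28:22.582 PDT)
  event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
  47299<-3721 (21:28:22.582 PDT)

tcpslice 1367641484.846 1367641484.847 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'
============================== SEPARATOR ================================
"""


def to_epoch(stamp):
    """'05/03/2013 21:24:44.846 PDT' -> 1367641484.846 (seconds since the Unix epoch)."""
    text, zone = stamp.rsplit(" ", 1)
    return datetime.strptime(text, TS_FMT).replace(tzinfo=ZONES[zone]).timestamp()


def parse_profile(block):
    """Turn the text of one profile into a dict of header fields, fired events and tcpslice window."""
    def field(name):
        m = re.search(r"^%s:[ \t]*(.*)$" % re.escape(name), block, re.M)
        return m.group(1).strip() if m else ""

    p = {"score": float(field("Score").split()[0]), "target": field("Infected Target"),
         "observed_start": field("Observed Start"), "gen_time": field("Gen. Time")}
    for name in LIST_FIELDS:
        p[name] = [ip for ip in re.split(r",\s*", field(name)) if ip]
    # Event lines sit under an 'attacker (time)' line; an optional '(N)' is BotHunter's repeat count.
    p["events"], attacker = [], None
    for line in block.splitlines():
        m = re.match(r"^(\d{1,3}(?:\.\d{1,3}){3})(?: \(\d+\))? \(", line)
        if m:
            attacker = m.group(1)
        m = re.search(r"event=(\d+):(\d+)(?: \(\d+\))? \{(\w+)\} E\d\[rb\] (.+?), \[\]", line)
        if m:
            p["events"].append({"src": attacker, "sid": int(m.group(2)),
                                "proto": m.group(3), "msg": m.group(4)})
    m = re.search(r"^tcpslice ([\d.]+) ([\d.]+)", block, re.M)
    p["tcpslice"] = (float(m.group(1)), float(m.group(2))) if m else None
    return p


def parse_profiles(text):
    blocks = re.split(r"^=+ SEPARATOR =+$", text, flags=re.M)
    return [parse_profile(b) for b in blocks if "Score:" in b]


def triage(p):
    """Consistency checks worth running before spending time on the pcap."""
    findings = []
    start = to_epoch(p["observed_start"])
    if p["tcpslice"] and abs(p["tcpslice"][0] - start) > 0.001:
        findings.append("tcpslice start %.3f != Observed Start %.3f" % (p["tcpslice"][0], start))
    for ip in p["Infector List"]:
        if ip not in p["Egg Source List"]:
            findings.append("%s fired an exploit signature but no egg download followed" % ip)
    if any(e["sid"] == 22514 for e in p["events"]):
        # LSASS DsRolerUpgradeDownlevelServer is the MS04-011 (Sasser-era) vector, a different
        # path onto 445/tcp from the Conficker.b shellcode signature in the same record.
        findings.append("LSASS exploit attempt mixed in with Conficker.b shellcode hits")
    return findings


def tcpslice_command(p, infile="inputFile.tcpd", outfile="outputFile.tcpd", pad=0.0):
    """Rebuild the page's command. pad <= 0 reproduces its 1 ms window; pad > 0 extends the
    end to Gen. Time + pad seconds so the egg download is captured as well as the exploit."""
    start = to_epoch(p["observed_start"])
    end = start + 0.001 if pad <= 0 else to_epoch(p["gen_time"]) + pad
    return "tcpslice %.3f %.3f %s | tcpdump -r - -w %s 'host %s'" % (start, end, infile, outfile, p["target"])


if __name__ == "__main__":
    for prof in parse_profiles(SAMPLE):
        print(tcpslice_command(prof, pad=5))
        for f in triage(prof):
            print("  -", f)
```

Run on the page's own records, every tcpslice start agrees with the Observed Start to the millisecond, so the epochs were not hand-typed. The caveat is the window width: a 1 ms slice keeps only the packets at the very first exploit timestamp, while the egg download in these records arrives 2 to 4 seconds later and the repeated hits from 92.247.104.164 span half a minute, so a practitioner should widen the slice (the `pad` parameter here) before reading anything into the extracted pcap.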