Score: 1.1 (>= 0.8)
Infected Target: 192.168.1.98
Infector List:  Egg Source List:  C & C List:  Peer Coord. List:  Resource List:
Observed Start: 05/03/2013 03:13:11.862 PDT
Gen. Time: 05/03/2013 03:15:15.150 PDT
INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp)
  186.42.218.103 (03:13:11.862 PDT) event=777:7777005 {tcp} E5[bh] Detected moderate malware port scanning of 20 IPs (20 /24s) (# pkts S/M/O/I=0/20/0/0): 445:20, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (03:13:11.862 PDT)
OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN
  200.125.220.4 (03:15:15.150 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 21 IPs (21 /24s) (# pkts S/M/O/I=0/21/0/0): 445:21, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (03:15:15.150 PDT)
tcpslice 1367575991.862 1367575991.863 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98'
============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.98
Infector List:  Egg Source List:  C & C List:  Peer Coord. List:  Resource List:
Observed Start: 05/03/2013 03:20:23.589 PDT
Gen. Time: 05/03/2013 03:20:23.589 PDT
INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp)
OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN
  200.125.220.4 (03:20:23.589 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 22 IPs (22 /24s) (# pkts S/M/O/I=0/22/0/0): 445:22, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (03:20:23.589 PDT)
tcpslice 1367576423.589 1367576423.590 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98'
============================== SEPARATOR ================================

Score: 1.1 (>= 0.8)
Infected Target: 192.168.1.98
Infector List:  Egg Source List:  C & C List:  Peer Coord. List:  Resource List:
Observed Start: 05/03/2013 09:31:25.948 PDT
Gen. Time: 05/03/2013 09:34:14.075 PDT
INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp)
  190.69.213.99 (2) (09:31:25.948 PDT) event=777:7777005 (2) {tcp} E5[bh] Detected moderate malware port scanning of 19 IPs (19 /24s) (# pkts S/M/O/I=0/19/0/0): 445:19, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (09:31:25.948 PDT) 0->0 (09:33:49.865 PDT)
OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN
  190.69.213.99 (09:34:14.075 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 21 IPs (21 /24s) (# pkts S/M/O/I=0/21/0/0): 445:21, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (09:34:14.075 PDT)
tcpslice 1367598685.948 1367598685.949 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98'
============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.98
Infector List:  Egg Source List:  C & C List:  Peer Coord. List:  Resource List:
Observed Start: 05/03/2013 09:37:55.974 PDT
Gen. Time: 05/03/2013 09:37:55.974 PDT
INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp)
OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN
  190.69.213.99 (09:37:55.974 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 22 IPs (22 /24s) (# pkts S/M/O/I=0/22/0/0): 445:22, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (09:37:55.974 PDT)
tcpslice 1367599075.974 1367599075.975 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98'
============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.98
Infector List:  Egg Source List:  C & C List:  Peer Coord. List:  Resource List:
Observed Start: 05/03/2013 09:45:45.345 PDT
Gen. Time: 05/03/2013 09:45:45.345 PDT
INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp)
OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN
  190.9.115.104 (09:45:45.345 PDT) event=777:7777008 {icmp} E8[bh] Detected intense malware port scanning of 26 IPs (26 /24s) (# pkts S/M/O/I=0/26/0/0): 445:26, [] MAC_Src: 00:21:1C:EE:14:00 (09:45:45.345 PDT)
tcpslice 1367599545.345 1367599545.346 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98'
============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.98
Infector List:  Egg Source List:  C & C List:  Peer Coord. List:  Resource List:
Observed Start: 05/03/2013 09:45:45.345 PDT
Gen. Time: 05/03/2013 09:49:01.276 PDT
INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp)
OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN
  190.9.115.104 (09:45:45.345 PDT) event=777:7777008 {icmp} E8[bh] Detected intense malware port scanning of 26 IPs (26 /24s) (# pkts S/M/O/I=0/26/0/0): 445:26, [] MAC_Src: 00:21:1C:EE:14:00 (09:45:45.345 PDT)
  186.47.17.13 (09:47:43.369 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 28 IPs (28 /24s) (# pkts S/M/O/I=0/28/0/0): 445:28, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (09:47:43.369 PDT)
tcpslice 1367599545.345 1367599545.346 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98'
============================== SEPARATOR ================================

Score: 1.1 (>= 0.8)
Infected Target: 192.168.1.98
Infector List:  Egg Source List:  C & C List:  Peer Coord. List:  Resource List:
Observed Start: 05/03/2013 16:00:50.352 PDT
Gen. Time: 05/03/2013 16:02:22.064 PDT
INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp)
  181.68.58.101 (16:00:50.352 PDT) event=777:7777005 {tcp} E5[bh] Detected moderate malware port scanning of 20 IPs (20 /24s) (# pkts S/M/O/I=0/20/0/0): 445:20, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (16:00:50.352 PDT)
OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN
  181.68.58.101 (16:02:22.064 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 21 IPs (21 /24s) (# pkts S/M/O/I=0/21/0/0): 445:21, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (16:02:22.064 PDT)
tcpslice 1367622050.352 1367622050.353 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98'
============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.98
Infector List:  Egg Source List:  C & C List:  Peer Coord. List:  Resource List:
Observed Start: 05/03/2013 16:09:07.820 PDT
Gen. Time: 05/03/2013 16:09:07.820 PDT
INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp)
OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN
  181.68.58.101 (16:09:07.820 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 24 IPs (24 /24s) (# pkts S/M/O/I=0/24/0/0): 445:24, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (16:09:07.820 PDT)
tcpslice 1367622547.820 1367622547.821 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98'
============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.98
Infector List:  Egg Source List:  C & C List:  Peer Coord. List:  Resource List:
Observed Start: 05/03/2013 16:15:51.127 PDT
Gen. Time: 05/03/2013 16:15:51.127 PDT
INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp)
OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN
  181.68.58.101 (16:15:51.127 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 25 IPs (25 /24s) (# pkts S/M/O/I=0/25/0/0): 445:25, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (16:15:51.127 PDT)
tcpslice 1367622951.127 1367622951.128 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98'
============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.98
Infector List:  Egg Source List:  C & C List:  Peer Coord. List:  Resource List:
Observed Start: 05/03/2013 16:18:40.335 PDT
Gen. Time: 05/03/2013 16:18:40.335 PDT
INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp)
OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN
  181.68.58.101 (16:18:40.335 PDT) event=777:7777008 {icmp} E8[bh] Detected intense malware port scanning of 26 IPs (26 /24s) (# pkts S/M/O/I=0/26/0/0): 445:26, [] MAC_Src: 00:21:1C:EE:14:00 (16:18:40.335 PDT)
tcpslice 1367623120.335 1367623120.336 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98'
============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.98
Infector List:  Egg Source List:  C & C List:  Peer Coord. List:  Resource List:
Observed Start: 05/03/2013 16:23:29.994 PDT
Gen. Time: 05/03/2013 16:23:29.994 PDT
INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp)
OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN
  181.68.58.101 (16:23:29.994 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 28 IPs (28 /24s) (# pkts S/M/O/I=0/28/0/0): 445:28, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (16:23:29.994 PDT)
tcpslice 1367623409.994 1367623409.995 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98'
============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.98
Infector List:  Egg Source List:  C & C List:  Peer Coord. List:  Resource List:
Observed Start: 05/03/2013 16:23:29.994 PDT
Gen. Time: 05/03/2013 16:27:14.807 PDT
INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp)
OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN
  181.68.58.101 (2) (16:23:29.994 PDT) event=777:7777008 (2) {tcp} E8[bh] Detected intense malware port scanning of 28 IPs (28 /24s) (# pkts S/M/O/I=0/28/0/0): 445:28, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (16:23:29.994 PDT) 0->0 (16:25:28.372 PDT)
tcpslice 1367623409.994 1367623409.995 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98'
============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.98
Infector List:  Egg Source List:  C & C List:  Peer Coord. List:  Resource List:
Observed Start: 05/03/2013 16:27:34.938 PDT
Gen. Time: 05/03/2013 16:27:34.938 PDT
INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp)
OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN
  181.68.58.101 (16:27:34.938 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 30 IPs (30 /24s) (# pkts S/M/O/I=0/30/0/0): 445:30, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (16:27:34.938 PDT)
tcpslice 1367623654.938 1367623654.939 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98'
============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.98
Infector List:  Egg Source List:  C & C List:  Peer Coord. List:  Resource List:
Observed Start: 05/03/2013 16:34:07.099 PDT
Gen. Time: 05/03/2013 16:34:07.099 PDT
INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp)
OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN
  190.66.122.29 (16:34:07.099 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 31 IPs (31 /24s) (# pkts S/M/O/I=0/31/0/0): 445:31, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (16:34:07.099 PDT)
tcpslice 1367624047.099 1367624047.100 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98'
============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.98
Infector List:  Egg Source List:  C & C List:  Peer Coord. List:  Resource List:
Observed Start: 05/03/2013 16:39:29.150 PDT
Gen. Time: 05/03/2013 16:39:29.150 PDT
INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp)
OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN
  190.66.122.29 (16:39:29.150 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 32 IPs (32 /24s) (# pkts S/M/O/I=0/32/0/0): 445:32, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (16:39:29.150 PDT)
tcpslice 1367624369.150 1367624369.151 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98'
============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.98
Infector List:  Egg Source List:  C & C List:  Peer Coord. List:  Resource List:
Observed Start: 05/03/2013 16:44:29.842 PDT
Gen. Time: 05/03/2013 16:44:29.842 PDT
INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp)
OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN
  190.66.122.29 (16:44:29.842 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 33 IPs (33 /24s) (# pkts S/M/O/I=0/33/0/0): 445:33, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (16:44:29.842 PDT)
tcpslice 1367624669.842 1367624669.843 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98'
============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.98
Infector List:  Egg Source List:  C & C List:  Peer Coord. List:  Resource List:
Observed Start: 05/03/2013 16:44:29.842 PDT
Gen. Time: 05/03/2013 16:48:43.939 PDT
INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp)
OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN
  190.66.122.29 (2) (16:44:29.842 PDT) event=777:7777008 (2) {tcp} E8[bh] Detected intense malware port scanning of 33 IPs (33 /24s) (# pkts S/M/O/I=0/33/0/0): 445:33, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (16:44:29.842 PDT) 0->0 (16:47:43.468 PDT)
tcpslice 1367624669.842 1367624669.843 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98'
============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.98
Infector List:  Egg Source List:  C & C List:  Peer Coord. List:  Resource List:
Observed Start: 05/03/2013 16:50:15.296 PDT
Gen. Time: 05/03/2013 16:50:15.296 PDT
INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp)
OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN
  190.66.122.29 (16:50:15.296 PDT) event=777:7777008 {icmp} E8[bh] Detected intense malware port scanning of 36 IPs (36 /24s) (# pkts S/M/O/I=0/36/0/0): 445:36, [] MAC_Src: 00:21:1C:EE:14:00 (16:50:15.296 PDT)
tcpslice 1367625015.296 1367625015.297 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98'
============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.98
Infector List:  Egg Source List:  C & C List:  Peer Coord. List:  Resource List:
Observed Start: 05/03/2013 16:55:30.037 PDT
Gen. Time: 05/03/2013 16:55:30.037 PDT
INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp)
OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN
  190.66.122.29 (16:55:30.037 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 37 IPs (37 /24s) (# pkts S/M/O/I=0/37/0/0): 445:37, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (16:55:30.037 PDT)
tcpslice 1367625330.037 1367625330.038 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98'
============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.98
Infector List:  Egg Source List:  C & C List:  Peer Coord. List:  Resource List:
Observed Start: 05/03/2013 16:55:30.037 PDT
Gen. Time: 05/03/2013 16:58:10.295 PDT
INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp)
OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN
  190.66.122.29 (2) (16:55:30.037 PDT) event=777:7777008 (2) {tcp} E8[bh] Detected intense malware port scanning of 37 IPs (37 /24s) (# pkts S/M/O/I=0/37/0/0): 445:37, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (16:55:30.037 PDT) 0->0 (16:57:02.702 PDT)
tcpslice 1367625330.037 1367625330.038 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98'
============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.98
Infector List:  Egg Source List:  C & C List:  Peer Coord. List:  Resource List:
Observed Start: 05/03/2013 16:59:02.689 PDT
Gen. Time: 05/03/2013 16:59:02.689 PDT
INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp)
OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN
  190.66.122.29 (16:59:02.689 PDT) event=777:7777008 {icmp} E8[bh] Detected intense malware port scanning of 41 IPs (41 /24s) (# pkts S/M/O/I=0/41/0/0): 445:41, [] MAC_Src: 00:21:1C:EE:14:00 (16:59:02.689 PDT)
tcpslice 1367625542.689 1367625542.690 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98'
============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.98
Infector List:  Egg Source List:  C & C List:  Peer Coord. List:  Resource List:
Observed Start: 05/03/2013 16:59:02.689 PDT
Gen. Time: 05/03/2013 17:03:10.125 PDT
INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp)
OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN
  190.66.122.29 (2) (16:59:02.689 PDT) event=777:7777008 (2) {icmp} E8[bh] Detected intense malware port scanning of 41 IPs (41 /24s) (# pkts S/M/O/I=0/41/0/0): 445:41, [] MAC_Src: 00:21:1C:EE:14:00 (16:59:02.689 PDT) 0->0 (17:00:46.272 PDT)
tcpslice 1367625542.689 1367625542.690 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98'
============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.98
Infector List:  Egg Source List:  C & C List:  Peer Coord. List:  Resource List:
Observed Start: 05/03/2013 18:10:39.751 PDT
Gen. Time: 05/03/2013 18:10:39.751 PDT
INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp)
OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN
  186.46.66.64 (18:10:39.751 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 21 IPs (21 /24s) (# pkts S/M/O/I=0/20/1/0): 445:20, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (18:10:39.751 PDT)
tcpslice 1367629839.751 1367629839.752 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98'
============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.98
Infector List:  Egg Source List:  C & C List:  Peer Coord. List:  Resource List:
Observed Start: 05/03/2013 18:10:39.751 PDT
Gen. Time: 05/03/2013 18:13:55.952 PDT
INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp)
OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN
  186.46.66.64 (2) (18:10:39.751 PDT) event=777:7777008 (2) {tcp} E8[bh] Detected intense malware port scanning of 21 IPs (21 /24s) (# pkts S/M/O/I=0/20/1/0): 445:20, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (18:10:39.751 PDT) 0->0 (18:13:20.275 PDT)
tcpslice 1367629839.751 1367629839.752 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98'
============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.98
Infector List:  Egg Source List:  C & C List:  Peer Coord. List:  Resource List:
Observed Start: 05/03/2013 18:15:16.671 PDT
Gen. Time: 05/03/2013 18:15:16.671 PDT
INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp)
OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN
  186.46.66.64 (18:15:16.671 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 25 IPs (25 /24s) (# pkts S/M/O/I=0/24/1/0): 445:24, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (18:15:16.671 PDT)
tcpslice 1367630116.671 1367630116.672 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98'
============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.98
Infector List:  Egg Source List:  C & C List:  Peer Coord. List:  Resource List:
Observed Start: 05/03/2013 18:15:16.671 PDT
Gen. Time: 05/03/2013 18:18:43.719 PDT
INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp)
OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN
  186.46.66.64 (2) (18:15:16.671 PDT) event=777:7777008 (2) {tcp} E8[bh] Detected intense malware port scanning of 25 IPs (25 /24s) (# pkts S/M/O/I=0/24/1/0): 445:24, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (18:15:16.671 PDT) 0->0 (18:17:06.683 PDT)
tcpslice 1367630116.671 1367630116.672 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98'
============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.98
Infector List:  Egg Source List:  C & C List:  Peer Coord. List:  Resource List:
Observed Start: 05/03/2013 18:21:27.150 PDT
Gen. Time: 05/03/2013 18:21:27.150 PDT
INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp)
OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN
  186.46.66.64 (18:21:27.150 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 28 IPs (28 /24s) (# pkts S/M/O/I=0/27/1/0): 445:27, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (18:21:27.150 PDT)
tcpslice 1367630487.150 1367630487.151 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98'
============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.98
Infector List:  Egg Source List:  C & C List:  Peer Coord. List:  Resource List:
Observed Start: 05/03/2013 18:21:27.150 PDT
Gen. Time: 05/03/2013 18:25:15.759 PDT
INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp)
OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN
  186.46.66.64 (2) (18:21:27.150 PDT) event=777:7777008 (2) {tcp} E8[bh] Detected intense malware port scanning of 28 IPs (28 /24s) (# pkts S/M/O/I=0/27/1/0): 445:27, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (18:21:27.150 PDT) 0->0 (18:23:23.767 PDT)
tcpslice 1367630487.150 1367630487.151 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98'
============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.98
Infector List:  Egg Source List:  C & C List:  Peer Coord. List:  Resource List:
Observed Start: 05/03/2013 18:25:27.008 PDT
Gen. Time: 05/03/2013 18:25:27.008 PDT
INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp)
OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN
  186.46.66.64 (18:25:27.008 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 31 IPs (31 /24s) (# pkts S/M/O/I=0/30/1/0): 445:30, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (18:25:27.008 PDT)
tcpslice 1367630727.008 1367630727.009 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98'
============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.98
Infector List:  Egg Source List:  C & C List:  Peer Coord. List:  Resource List:
Observed Start: 05/03/2013 18:32:11.932 PDT
Gen. Time: 05/03/2013 18:32:11.932 PDT
INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp)
OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN
  186.46.66.64 (18:32:11.932 PDT) event=777:7777008 {icmp} E8[bh] Detected intense malware port scanning of 33 IPs (33 /24s) (# pkts S/M/O/I=0/32/1/0): 445:32, [] MAC_Src: 00:21:1C:EE:14:00 (18:32:11.932 PDT)
tcpslice 1367631131.932 1367631131.933 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98'
============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.98
Infector List:  Egg Source List:  C & C List:  Peer Coord. List:  Resource List:
Observed Start: 05/03/2013 18:32:11.932 PDT
Gen. Time: 05/03/2013 18:35:39.801 PDT
INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp)
OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN
  186.46.66.64 (2) (18:32:11.932 PDT) event=777:7777008 (2) {icmp} E8[bh] Detected intense malware port scanning of 33 IPs (33 /24s) (# pkts S/M/O/I=0/32/1/0): 445:32, [] MAC_Src: 00:21:1C:EE:14:00 (18:32:11.932 PDT) 0->0 (18:35:01.331 PDT)
tcpslice 1367631131.932 1367631131.933 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98'
============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.98
Infector List:  Egg Source List:  C & C List:  Peer Coord. List:  Resource List:
Observed Start: 05/03/2013 18:38:07.726 PDT
Gen. Time: 05/03/2013 18:38:07.726 PDT
INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp)
OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN
  186.46.66.64 (18:38:07.726 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 36 IPs (36 /24s) (# pkts S/M/O/I=0/35/1/0): 445:35, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (18:38:07.726 PDT)
tcpslice 1367631487.726 1367631487.727 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98'
============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.98
Infector List:  Egg Source List:  C & C List:  Peer Coord. List:  Resource List:
Observed Start: 05/03/2013 18:38:07.726 PDT
Gen. Time: 05/03/2013 18:41:55.651 PDT
INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp)
OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN
  186.46.66.64 (2) (18:38:07.726 PDT) event=777:7777008 (2) {tcp} E8[bh] Detected intense malware port scanning of 36 IPs (36 /24s) (# pkts S/M/O/I=0/35/1/0): 445:35, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (18:38:07.726 PDT) 0->0 (18:39:51.283 PDT)
tcpslice 1367631487.726 1367631487.727 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98'
============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.98
Infector List:  Egg Source List:  C & C List:  Peer Coord. List:  Resource List:
Observed Start: 05/03/2013 18:42:54.723 PDT
Gen. Time: 05/03/2013 18:42:54.723 PDT
INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp)
OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN
  186.46.66.64 (18:42:54.723 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 39 IPs (39 /24s) (# pkts S/M/O/I=0/38/1/0): 445:38, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (18:42:54.723 PDT)
tcpslice 1367631774.723 1367631774.724 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98'
============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.98
Infector List:  Egg Source List:  C & C List:  Peer Coord. List:  Resource List:
Observed Start: 05/03/2013 18:42:54.723 PDT
Gen. Time: 05/03/2013 18:46:33.443 PDT
INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp)
OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN
  186.46.66.64 (2) (18:42:54.723 PDT) event=777:7777008 (2) {tcp} E8[bh] Detected intense malware port scanning of 39 IPs (39 /24s) (# pkts S/M/O/I=0/38/1/0): 445:38, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (18:42:54.723 PDT) (18:44:35.024 PDT)
tcpslice 1367631774.723 1367631774.724 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98'
============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.98
Infector List:  Egg Source List:  C & C List:  Peer Coord. List:  Resource List:
Observed Start: 05/03/2013 18:46:47.995 PDT
Gen. Time: 05/03/2013 18:46:47.995 PDT
INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp)
OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN
  186.46.66.64 (18:46:47.995 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 42 IPs (42 /24s) (# pkts S/M/O/I=0/41/1/0): 445:41, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (18:46:47.995 PDT)
tcpslice 1367632007.995 1367632007.996 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98'
============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.98
Infector List:  Egg Source List:  C & C List:  Peer Coord. List:  Resource List:
Observed Start: 05/03/2013 18:50:25.653 PDT
Gen. Time: 05/03/2013 18:50:25.653 PDT
INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp)
OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN
  186.46.66.64 (18:50:25.653 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 43 IPs (43 /24s) (# pkts S/M/O/I=0/42/1/0): 445:42, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (18:50:25.653 PDT)
tcpslice 1367632225.653 1367632225.654 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98'
============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.98
Infector List:  Egg Source List:  C & C List:  Peer Coord. List:  Resource List:
Observed Start: 05/03/2013 18:50:25.653 PDT
Gen.
Time: 05/03/2013 18:54:03.016 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 186.46.66.64 (2) (18:50:25.653 PDT) event=777:7777008 (2) {tcp} E8[bh] Detected intense malware port scanning of 43 IPs (43 /24s) (# pkts S/M/O/I=0/42/1/0): 445:42, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (18:50:25.653 PDT) 0->0 (18:52:37.968 PDT) tcpslice 1367632225.653 1367632225.654 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 05/03/2013 18:54:18.370 PDT Gen. Time: 05/03/2013 18:54:18.370 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 186.46.66.64 (18:54:18.370 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 46 IPs (46 /24s) (# pkts S/M/O/I=0/45/1/0): 445:45, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (18:54:18.370 PDT) tcpslice 1367632458.370 1367632458.371 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 05/03/2013 18:58:57.600 PDT Gen. 
Time: 05/03/2013 18:58:57.600 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 186.46.66.64 (18:58:57.600 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 48 IPs (48 /24s) (# pkts S/M/O/I=0/47/1/0): 445:47, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (18:58:57.600 PDT) tcpslice 1367632737.600 1367632737.601 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 05/03/2013 19:04:55.001 PDT Gen. Time: 05/03/2013 19:04:55.001 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 186.46.66.64 (19:04:55.001 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 50 IPs (50 /24s) (# pkts S/M/O/I=0/49/1/0): 445:49, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (19:04:55.001 PDT) tcpslice 1367633095.001 1367633095.002 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 05/03/2013 19:11:04.705 PDT Gen. 
Time: 05/03/2013 19:11:04.705 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 186.46.66.64 (19:11:04.705 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 51 IPs (51 /24s) (# pkts S/M/O/I=0/50/1/0): 445:50, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (19:11:04.705 PDT) tcpslice 1367633464.705 1367633464.706 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 05/03/2013 19:16:22.958 PDT Gen. Time: 05/03/2013 19:16:22.958 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 186.46.66.64 (19:16:22.958 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 53 IPs (53 /24s) (# pkts S/M/O/I=0/52/1/0): 445:52, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (19:16:22.958 PDT) tcpslice 1367633782.958 1367633782.959 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 05/03/2013 19:16:22.958 PDT Gen. 
Time: 05/03/2013 19:20:26.028 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 186.46.66.64 (2) (19:16:22.958 PDT) event=777:7777008 (2) {tcp} E8[bh] Detected intense malware port scanning of 53 IPs (53 /24s) (# pkts S/M/O/I=0/52/1/0): 445:52, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (19:16:22.958 PDT) 0->0 (19:18:00.628 PDT) tcpslice 1367633782.958 1367633782.959 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 05/03/2013 19:23:42.927 PDT Gen. Time: 05/03/2013 19:23:42.927 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 186.46.66.64 (19:23:42.927 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 57 IPs (57 /24s) (# pkts S/M/O/I=0/56/1/0): 445:56, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (19:23:42.927 PDT) tcpslice 1367634222.927 1367634222.928 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 05/03/2013 19:23:42.927 PDT Gen. 
Time: 05/03/2013 19:27:44.456 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 186.46.66.64 (2) (19:23:42.927 PDT) event=777:7777008 (2) {tcp} E8[bh] Detected intense malware port scanning of 57 IPs (57 /24s) (# pkts S/M/O/I=0/56/1/0): 445:56, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (19:23:42.927 PDT) 0->0 (19:26:19.703 PDT) tcpslice 1367634222.927 1367634222.928 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 05/03/2013 19:32:30.013 PDT Gen. Time: 05/03/2013 19:32:30.013 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 186.46.66.64 (19:32:30.013 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 62 IPs (62 /24s) (# pkts S/M/O/I=0/61/1/0): 445:61, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (19:32:30.013 PDT) tcpslice 1367634750.013 1367634750.014 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 05/03/2013 19:32:30.013 PDT Gen. 
Time: 05/03/2013 19:34:58.393 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 186.46.66.64 (2) (19:32:30.013 PDT) event=777:7777008 (2) {tcp} E8[bh] Detected intense malware port scanning of 62 IPs (62 /24s) (# pkts S/M/O/I=0/61/1/0): 445:61, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (19:32:30.013 PDT) 0->0 (19:34:43.019 PDT) tcpslice 1367634750.013 1367634750.014 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 05/03/2013 19:37:16.630 PDT Gen. Time: 05/03/2013 19:37:16.630 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 181.68.220.103 (19:37:16.630 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 66 IPs (66 /24s) (# pkts S/M/O/I=0/65/1/0): 445:65, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (19:37:16.630 PDT) tcpslice 1367635036.630 1367635036.631 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 05/03/2013 19:37:16.630 PDT Gen. 
Time: 05/03/2013 19:41:04.830 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 181.71.159.30 (19:39:39.369 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 67 IPs (67 /24s) (# pkts S/M/O/I=0/66/1/0): 445:66, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (19:39:39.369 PDT) 181.68.220.103 (19:37:16.630 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 66 IPs (66 /24s) (# pkts S/M/O/I=0/65/1/0): 445:65, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (19:37:16.630 PDT) tcpslice 1367635036.630 1367635036.631 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 05/03/2013 19:42:46.440 PDT Gen. 
Time: 05/03/2013 19:42:46.440 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 181.71.159.30 (19:42:46.440 PDT) event=777:7777008 {icmp} E8[bh] Detected intense malware port scanning of 68 IPs (68 /24s) (# pkts S/M/O/I=0/67/1/0): 445:67, [] MAC_Src: 00:21:1C:EE:14:00 (19:42:46.440 PDT) tcpslice 1367635366.440 1367635366.441 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 05/03/2013 19:47:02.839 PDT Gen. Time: 05/03/2013 19:47:02.839 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 181.71.159.30 (19:47:02.839 PDT) event=777:7777008 {icmp} E8[bh] Detected intense malware port scanning of 70 IPs (70 /24s) (# pkts S/M/O/I=0/69/1/0): 445:69, [] MAC_Src: 00:21:1C:EE:14:00 (19:47:02.839 PDT) tcpslice 1367635622.839 1367635622.840 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 05/03/2013 19:47:02.839 PDT Gen. 
Time: 05/03/2013 19:51:09.704 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 181.71.159.30 (2) (19:47:02.839 PDT) event=777:7777008 (2) {icmp} E8[bh] Detected intense malware port scanning of 70 IPs (70 /24s) (# pkts S/M/O/I=0/69/1/0): 445:69, [] MAC_Src: 00:21:1C:EE:14:00 (19:47:02.839 PDT) 0->0 (19:51:09.704 PDT) tcpslice 1367635622.839 1367635622.840 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 05/03/2013 19:53:21.012 PDT Gen. Time: 05/03/2013 19:53:21.012 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 181.71.159.30 (19:53:21.012 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 73 IPs (73 /24s) (# pkts S/M/O/I=0/72/1/0): 445:72, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (19:53:21.012 PDT) tcpslice 1367636001.012 1367636001.013 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 05/03/2013 20:01:25.869 PDT Gen. 
Time: 05/03/2013 20:01:25.869 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 181.71.159.30 (20:01:25.869 PDT) event=777:7777008 {icmp} E8[bh] Detected intense malware port scanning of 75 IPs (75 /24s) (# pkts S/M/O/I=0/74/1/0): 445:74, [] MAC_Src: 00:21:1C:EE:14:00 (20:01:25.869 PDT) tcpslice 1367636485.869 1367636485.870 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================