Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 92.247.104.164
Egg Source List: 92.247.104.164
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/04/2013 00:36:09.529 PDT
Gen. Time: 05/04/2013 00:36:13.311 PDT

INBOUND SCAN
EXPLOIT
 92.247.104.164 (00:36:09.529 PDT)
  event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
  445<-4889 (00:36:09.529 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
 92.247.104.164 (00:36:13.311 PDT)
  event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
  51907<-3977 (00:36:13.311 PDT)
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1367652969.529 1367652969.530 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 80.66.157.34
Egg Source List: 80.66.157.34
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/04/2013 00:46:44.129 PDT
Gen. Time: 05/04/2013 00:46:47.923 PDT

INBOUND SCAN
EXPLOIT
 80.66.157.34 (00:46:44.129 PDT)
  event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
  445<-3473 (00:46:44.129 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
 80.66.157.34 (00:46:47.923 PDT)
  event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
  39469<-6473 (00:46:47.923 PDT)
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1367653604.129 1367653604.130 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 114.44.189.64
Egg Source List: 114.44.189.64
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/04/2013 00:54:48.302 PDT
Gen. Time: 05/04/2013 00:54:53.214 PDT

INBOUND SCAN
EXPLOIT
 114.44.189.64 (00:54:48.302 PDT)
  event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
  445<-1857 (00:54:48.302 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
 114.44.189.64 (00:54:53.214 PDT)
  event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
  41884<-3453 (00:54:53.214 PDT)
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1367654088.302 1367654088.303 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 184.106.144.25
Egg Source List: 184.106.144.25
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/04/2013 00:59:52.518 PDT
Gen. Time: 05/04/2013 00:59:55.936 PDT

INBOUND SCAN
EXPLOIT
 184.106.144.25 (00:59:52.518 PDT)
  event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
  445<-4325 (00:59:52.518 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
 184.106.144.25 (00:59:55.936 PDT)
  event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
  53947<-6133 (00:59:55.936 PDT)
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1367654392.518 1367654392.519 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 62.201.90.90
Egg Source List: 62.201.90.90
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/04/2013 01:11:32.527 PDT
Gen. Time: 05/04/2013 01:11:35.373 PDT

INBOUND SCAN
EXPLOIT
 62.201.90.90 (01:11:32.527 PDT)
  event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
  445<-2568 (01:11:32.527 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
 62.201.90.90 (01:11:35.373 PDT)
  event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
  59709<-9092 (01:11:35.373 PDT)
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1367655092.527 1367655092.528 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 1.3 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 62.201.90.90
Egg Source List: 62.201.90.90
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/04/2013 01:11:32.527 PDT
Gen. Time: 05/04/2013 03:48:33.532 PDT

INBOUND SCAN
EXPLOIT
 62.201.90.90 (17) (01:11:32.527 PDT)
  event=1:22009201 (17) {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
  445<-2568 (01:11:32.527 PDT)
  445<-3290 (01:11:47.769 PDT)
  445<-4254 (01:12:03.507 PDT)
  445<-1360 (01:12:16.913 PDT)
  445<-2549 (01:12:38.011 PDT)
  445<-3404 (01:12:55.441 PDT)
  445<-4409 (01:13:10.437 PDT)
  445<-1620 (01:13:22.337 PDT)
  445<-2224 (01:13:37.085 PDT)
  445<-3137 (01:13:49.073 PDT)
  445<-3821 (01:14:04.411 PDT)
  445<-4991 (01:14:17.639 PDT)
  445<-1757 (01:14:31.675 PDT)
  445<-2573 (01:14:43.461 PDT)
  445<-3329 (01:14:58.609 PDT)
  445<-4150 (01:15:10.207 PDT)
  445<-1176 (01:15:23.881 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
 62.201.90.90 (17) (01:11:35.373 PDT)
  event=1:2001685 (17) {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
  59709<-9092 (01:11:35.373 PDT)
  59727<-9092 (01:11:51.185 PDT)
  59735<-9092 (01:12:06.783 PDT)
  59749<-9092 (01:12:21.129 PDT)
  59770<-9092 (01:12:41.355 PDT)
  59791<-9092 (01:12:59.857 PDT)
  59807<-9092 (01:13:14.709 PDT)
  59811<-9092 (01:13:26.907 PDT)
  59827<-9092 (01:13:40.141 PDT)
  59831<-9092 (01:13:53.321 PDT)
  59843<-9092 (01:14:08.195 PDT)
  59848<-9092 (01:14:21.127 PDT)
  59855<-9092 (01:14:36.571 PDT)
  59871<-9092 (01:14:47.411 PDT)
  59880<-9092 (01:15:02.749 PDT)
  59897<-9092 (01:15:14.353 PDT)
  59900<-9092 (01:15:26.825 PDT)
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
 109.230.220.193 (02:52:45.004 PDT)
  event=1:2008578 {udp} E5[rb] ET SCAN Sipvicious Scan, [] MAC_Src: 00:21:5A:08:EC:40
  5060->5060 (02:52:45.004 PDT)
 5.152.204.218 (02:34:32.845 PDT)
  event=1:2008578 {udp} E5[rb] ET SCAN Sipvicious Scan, [] MAC_Src: 00:21:5A:08:EC:40
  5060->5060 (02:34:32.845 PDT)
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1367655092.527 1367655092.528 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 92.36.217.11
Egg Source List: 92.36.217.11
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/04/2013 03:50:57.459 PDT
Gen. Time: 05/04/2013 03:51:02.836 PDT

INBOUND SCAN
EXPLOIT
 92.36.217.11 (03:50:57.459 PDT)
  event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
  445<-3410 (03:50:57.459 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
 92.36.217.11 (03:51:02.836 PDT)
  event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
  58163<-1868 (03:51:02.836 PDT)
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1367664657.459 1367664657.460 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 92.36.217.11
Egg Source List: 92.36.217.11, 192.168.2.2
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/04/2013 03:50:57.459 PDT
Gen. Time: 05/04/2013 03:55:42.197 PDT

INBOUND SCAN
EXPLOIT
 92.36.217.11 (03:50:57.459 PDT)
  event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
  445<-3410 (03:50:57.459 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
 92.36.217.11 (03:51:02.836 PDT)
  event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
  58163<-1868 (03:51:02.836 PDT)
 192.168.2.2 (16) (03:51:39.690 PDT-03:52:04.896 PDT)
  event=1:1444 (5) {udp} E3[rb] TFTP GET from external source, [] MAC_Src: 00:21:5A:08:EC:40
  5: 50965->69 (03:51:39.690 PDT-03:51:59.791 PDT)
  -------------------------
  event=1:2008120 (5) {udp} E3[rb] ET POLICY Outbound TFTP Read Request, [] MAC_Src: 00:21:5A:08:EC:40
  5: 50965->69 (03:51:39.690 PDT-03:51:59.791 PDT)
  -------------------------
  event=1:3001441 (6) {udp} E3[rb] TFTP GET .exe from external source, [] MAC_Src: 00:21:5A:08:EC:40
  6: 50965->69 (03:51:39.690 PDT-03:52:04.896 PDT)
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1367664657.459 1367664724.897 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 95.28.103.20
Egg Source List: 95.28.103.20
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/04/2013 03:58:19.913 PDT
Gen. Time: 05/04/2013 03:58:22.787 PDT

INBOUND SCAN
EXPLOIT
 95.28.103.20 (03:58:19.913 PDT)
  event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
  445<-1036 (03:58:19.913 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
 95.28.103.20 (03:58:22.787 PDT)
  event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
  45701<-8933 (03:58:22.787 PDT)
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1367665099.913 1367665099.914 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 95.28.103.20
Egg Source List: 95.28.103.20
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/04/2013 04:11:07.178 PDT
Gen. Time: 05/04/2013 04:11:13.951 PDT

INBOUND SCAN
EXPLOIT
 95.28.103.20 (04:11:07.178 PDT)
  event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
  445<-3899 (04:11:07.178 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
 95.28.103.20 (04:11:13.951 PDT)
  event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
  54974<-8933 (04:11:13.951 PDT)
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1367665867.178 1367665867.179 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 95.28.103.20, 31.176.160.25
Egg Source List: 95.28.103.20
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/04/2013 04:29:22.397 PDT
Gen. Time: 05/04/2013 04:29:30.652 PDT

INBOUND SCAN
EXPLOIT
 95.28.103.20 (04:29:22.397 PDT)
  event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
  445<-1592 (04:29:22.397 PDT)
 31.176.160.25 (04:29:25.877 PDT)
  event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
  445<-1631 (04:29:25.877 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
 95.28.103.20 (04:29:30.652 PDT)
  event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
  35049<-8933 (04:29:30.652 PDT)
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1367666962.397 1367666962.398 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 95.28.103.20, 31.176.160.25
Egg Source List: 95.28.103.20, 31.176.160.25
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/04/2013 04:29:22.397 PDT
Gen. Time: 05/04/2013 04:33:32.480 PDT

INBOUND SCAN
EXPLOIT
 95.28.103.20 (04:29:22.397 PDT)
  event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
  445<-1592 (04:29:22.397 PDT)
 31.176.160.25 (04:29:25.877 PDT)
  event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
  445<-1631 (04:29:25.877 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
 95.28.103.20 (04:29:30.652 PDT)
  event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
  35049<-8933 (04:29:30.652 PDT)
 31.176.160.25 (04:29:30.986 PDT)
  event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
  49735<-4910 (04:29:30.986 PDT)
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1367666962.397 1367666962.398 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 85.117.4.111
Egg Source List: 85.117.4.111
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/04/2013 04:39:22.860 PDT
Gen. Time: 05/04/2013 04:39:27.642 PDT

INBOUND SCAN
EXPLOIT
 85.117.4.111 (04:39:22.860 PDT)
  event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
  445<-4912 (04:39:22.860 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
 85.117.4.111 (04:39:27.642 PDT)
  event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
  47458<-7720 (04:39:27.642 PDT)
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1367667562.860 1367667562.861 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 2.95.32.31, 109.228.107.76
Egg Source List: 2.95.32.31
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/04/2013 04:43:09.853 PDT
Gen. Time: 05/04/2013 04:44:23.981 PDT

INBOUND SCAN
EXPLOIT
 2.95.32.31 (04:44:13.082 PDT)
  event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
  445<-4703 (04:44:13.082 PDT)
 109.228.107.76 (04:43:09.853 PDT)
  event=1:22465 {tcp} E2[rb] GPL NETBIOS SMB-DS IPC$ share access, [] MAC_Dst: 00:21:5A:08:EC:40
  445<-2587 (04:43:09.853 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
 2.95.32.31 (04:44:23.981 PDT)
  event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
  40739<-5588 (04:44:23.981 PDT)
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1367667789.853 1367667789.854 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 93.95.188.15
Egg Source List: 93.95.188.15
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/04/2013 05:24:10.146 PDT
Gen. Time: 05/04/2013 05:24:12.912 PDT

INBOUND SCAN
EXPLOIT
 93.95.188.15 (05:24:10.146 PDT)
  event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
  445<-4061 (05:24:10.146 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
 93.95.188.15 (05:24:12.912 PDT)
  event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
  53509<-4047 (05:24:12.912 PDT)
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1367670250.146 1367670250.147 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 62.201.90.90
Egg Source List: 62.201.90.90
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/04/2013 05:27:53.235 PDT
Gen. Time: 05/04/2013 05:27:56.364 PDT

INBOUND SCAN
EXPLOIT
 62.201.90.90 (05:27:53.235 PDT)
  event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
  445<-1183 (05:27:53.235 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
 62.201.90.90 (05:27:56.364 PDT)
  event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
  47301<-9092 (05:27:56.364 PDT)
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1367670473.235 1367670473.236 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 62.201.90.90
Egg Source List: 62.201.90.90
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/04/2013 05:27:53.235 PDT
Gen. Time: 05/04/2013 06:02:51.051 PDT

INBOUND SCAN
EXPLOIT
 62.201.90.90 (17) (05:27:53.235 PDT)
  event=1:22009201 (17) {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
  445<-1183 (05:27:53.235 PDT)
  445<-1619 (05:28:06.861 PDT)
  445<-2189 (05:28:23.475 PDT)
  445<-2767 (05:28:42.191 PDT)
  445<-3317 (05:28:56.301 PDT)
  445<-3853 (05:29:12.297 PDT)
  445<-4451 (05:29:30.913 PDT)
  445<-1203 (05:29:45.009 PDT)
  445<-1682 (05:29:58.415 PDT)
  445<-2259 (05:30:17.423 PDT)
  445<-2832 (05:30:29.427 PDT)
  445<-3288 (05:30:47.077 PDT)
  445<-3966 (05:31:03.287 PDT)
  445<-4459 (05:31:20.167 PDT)
  445<-1212 (05:31:33.553 PDT)
  445<-1651 (05:31:50.249 PDT)
  445<-2272 (05:32:05.487 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
 62.201.90.90 (17) (05:27:56.364 PDT)
  event=1:2001685 (17) {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
  47301<-9092 (05:27:56.364 PDT)
  47311<-9092 (05:28:10.351 PDT)
  47322<-9092 (05:28:26.653 PDT)
  47342<-9092 (05:29:00.503 PDT)
  47359<-9092 (05:29:16.165 PDT)
  47373<-9092 (05:29:35.063 PDT)
  47384<-9092 (05:29:49.077 PDT)
  47394<-9092 (05:30:02.559 PDT)
  47410<-9092 (05:30:21.279 PDT)
  47416<-9092 (05:30:34.131 PDT)
  47430<-9092 (05:30:51.977 PDT)
  44371<-9092 (05:31:08.125 PDT)
  44385<-9092 (05:31:23.927 PDT)
  44391<-9092 (05:31:37.343 PDT)
  44412<-9092 (05:31:55.205 PDT)
  44427<-9092 (05:32:10.293 PDT)
  44435<-9092 (05:32:28.849 PDT)
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1367670473.235 1367670473.236 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 92.247.104.130
Egg Source List: 92.247.104.130
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/04/2013 06:25:22.407 PDT
Gen. Time: 05/04/2013 06:25:25.971 PDT

INBOUND SCAN
EXPLOIT
 92.247.104.130 (06:25:22.407 PDT)
  event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
  445<-3265 (06:25:22.407 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
 92.247.104.130 (06:25:25.971 PDT)
  event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
  39720<-3977 (06:25:25.971 PDT)
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1367673922.407 1367673922.408 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 92.247.104.130
Egg Source List: 92.247.104.130
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/04/2013 06:25:22.407 PDT
Gen. Time: 05/04/2013 06:46:45.992 PDT

INBOUND SCAN
EXPLOIT
 92.247.104.130 (17) (06:25:22.407 PDT)
  event=1:22009201 (17) {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
  445<-3265 (06:25:22.407 PDT)
  445<-4129 (06:25:35.530 PDT)
  445<-1209 (06:25:54.292 PDT)
  445<-2749 (06:26:17.574 PDT)
  445<-3961 (06:26:34.676 PDT)
  445<-1383 (06:26:51.642 PDT)
  445<-2826 (06:28:12.939 PDT)
  445<-3799 (06:28:30.839 PDT)
  445<-1247 (06:28:48.409 PDT)
  445<-4930 (06:29:41.032 PDT)
  445<-2063 (06:30:01.368 PDT)
  445<-3335 (06:30:21.597 PDT)
  445<-1515 (06:30:52.033 PDT)
  445<-2403 (06:31:06.795 PDT)
  445<-3364 (06:31:24.563 PDT)
  445<-4865 (06:31:48.837 PDT)
  445<-2099 (06:32:05.314 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
 92.247.104.130 (17) (06:25:25.971 PDT)
  event=1:2001685 (17) {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
  39720<-3977 (06:25:25.971 PDT)
  39733<-3977 (06:25:39.852 PDT)
  55961<-3977 (06:25:59.793 PDT)
  55983<-3977 (06:26:23.448 PDT)
  56001<-3977 (06:26:38.771 PDT)
  56029<-3977 (06:26:56.594 PDT)
  56091<-3977 (06:28:16.694 PDT)
  56098<-3977 (06:28:35.314 PDT)
  56125<-3977 (06:28:53.130 PDT)
  56203<-3977 (06:29:45.841 PDT)
  56223<-3977 (06:30:06.866 PDT)
  56243<-3977 (06:30:26.654 PDT)
  59506<-3977 (06:30:55.196 PDT)
  59527<-3977 (06:31:10.883 PDT)
  59541<-3977 (06:31:28.768 PDT)
  59569<-3977 (06:31:52.455 PDT)
  59585<-3977 (06:32:11.052 PDT)
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1367673922.407 1367673922.408 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 212.117.43.184
Egg Source List: 212.117.43.184
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/04/2013 07:08:50.794 PDT
Gen. Time: 05/04/2013 07:08:54.615 PDT

INBOUND SCAN
EXPLOIT
 212.117.43.184 (07:08:50.794 PDT)
  event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
  445<-3408 (07:08:50.794 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
 212.117.43.184 (07:08:54.615 PDT)
  event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
  59340<-2889 (07:08:54.615 PDT)
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1367676530.794 1367676530.795 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 2.95.32.31
Egg Source List: 2.95.32.31
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/04/2013 09:00:43.205 PDT
Gen. Time: 05/04/2013 09:00:46.575 PDT

INBOUND SCAN
EXPLOIT
 2.95.32.31 (09:00:43.205 PDT)
  event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
  445<-1631 (09:00:43.205 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
 2.95.32.31 (09:00:46.575 PDT)
  event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
  55509<-5588 (09:00:46.575 PDT)
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1367683243.205 1367683243.206 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 94.74.160.99
Egg Source List: 94.74.160.99
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/04/2013 09:07:58.071 PDT
Gen. Time: 05/04/2013 09:08:03.810 PDT

INBOUND SCAN
EXPLOIT
 94.74.160.99 (09:07:58.071 PDT)
  event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
  445<-1709 (09:07:58.071 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
 94.74.160.99 (09:08:03.810 PDT)
  event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
  48070<-1988 (09:08:03.810 PDT)
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1367683678.071 1367683678.072 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 186.149.198.134
Egg Source List: 192.168.0.103
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/04/2013 09:14:18.408 PDT
Gen. Time: 05/04/2013 09:14:40.808 PDT

INBOUND SCAN
EXPLOIT
 186.149.198.134 (09:14:18.408 PDT)
  event=1:22465 {tcp} E2[rb] GPL NETBIOS SMB-DS IPC$ share access, [] MAC_Dst: 00:21:5A:08:EC:40
  445<-31110 (09:14:18.408 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
 192.168.0.103 (09:14:40.808 PDT)
  event=1:3001441 {udp} E3[rb] TFTP GET .exe from external source, [] MAC_Src: 00:21:5A:08:EC:40
  60003->69 (09:14:40.808 PDT)
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1367684058.408 1367684058.409 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 186.149.198.134
Egg Source List: 192.168.0.103
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/04/2013 09:14:18.408 PDT
Gen. Time: 05/04/2013 09:18:30.487 PDT

INBOUND SCAN
EXPLOIT
 186.149.198.134 (09:14:18.408 PDT)
  event=1:22465 {tcp} E2[rb] GPL NETBIOS SMB-DS IPC$ share access, [] MAC_Dst: 00:21:5A:08:EC:40
  445<-31110 (09:14:18.408 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
 192.168.0.103 (17) (09:14:40.808 PDT-09:15:06.050 PDT)
  event=1:1444 (5) {udp} E3[rb] TFTP GET from external source, [] MAC_Src: 00:21:5A:08:EC:40
  5: 60003->69 (09:14:40.808 PDT-09:15:01.043 PDT)
  -------------------------
  event=1:2008120 (6) {udp} E3[rb] ET POLICY Outbound TFTP Read Request, [] MAC_Src: 00:21:5A:08:EC:40
  6: 60003->69 (09:14:40.808 PDT-09:15:06.050 PDT)
  -------------------------
  event=1:3001441 (6) {udp} E3[rb] TFTP GET .exe from external source, [] MAC_Src: 00:21:5A:08:EC:40
  6: 60003->69 (09:14:40.808 PDT-09:15:06.050 PDT)
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1367684058.408 1367684106.051 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 93.95.188.15
Egg Source List: 93.95.188.15
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/04/2013 09:46:30.363 PDT
Gen. Time: 05/04/2013 09:46:33.462 PDT

INBOUND SCAN
EXPLOIT
 93.95.188.15 (09:46:30.363 PDT)
  event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
  445<-4365 (09:46:30.363 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
 93.95.188.15 (09:46:33.462 PDT)
  event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
  32910<-4047 (09:46:33.462 PDT)
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1367685990.363 1367685990.364 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 203.123.223.75
Egg Source List: 203.123.223.75
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/04/2013 10:05:12.471 PDT
Gen. Time: 05/04/2013 10:05:17.052 PDT

INBOUND SCAN
EXPLOIT
 203.123.223.75 (10:05:12.471 PDT)
  event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
  445<-2596 (10:05:12.471 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
 203.123.223.75 (10:05:17.052 PDT)
  event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
  55418<-2794 (10:05:17.052 PDT)
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1367687112.471 1367687112.472 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 203.123.223.75, 176.104.187.234
Egg Source List: 203.123.223.75, 176.104.187.234
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/04/2013 10:05:12.471 PDT
Gen.
Time: 05/04/2013 10:13:26.460 PDT INBOUND SCAN EXPLOIT 203.123.223.75 (10:05:12.471 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-2596 (10:05:12.471 PDT) 176.104.187.234 (10:09:05.926 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-2300 (10:09:05.926 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 203.123.223.75 (10:05:17.052 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 55418<-2794 (10:05:17.052 PDT) 176.104.187.234 (10:09:09.856 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 40081<-9868 (10:09:09.856 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1367687112.471 1367687112.472 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 83.102.131.178 Egg Source List: 83.102.131.178 C & C List: Peer Coord. List: Resource List: Observed Start: 05/04/2013 10:21:30.727 PDT Gen. 
Time: 05/04/2013 10:21:34.042 PDT INBOUND SCAN EXPLOIT 83.102.131.178 (10:21:30.727 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-4891 (10:21:30.727 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 83.102.131.178 (10:21:34.042 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 43452<-2479 (10:21:34.042 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1367688090.727 1367688090.728 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 70.154.50.185, 83.102.131.178 Egg Source List: 83.102.131.178 C & C List: Peer Coord. List: Resource List: Observed Start: 05/04/2013 10:21:30.727 PDT Gen. 
Time: 05/04/2013 10:26:54.339 PDT INBOUND SCAN EXPLOIT 70.154.50.185 (10:24:10.984 PDT) event=1:22465 {tcp} E2[rb] GPL NETBIOS SMB-DS IPC$ share access, [] MAC_Dst: 00:21:5A:08:EC:40 445<-50346 (10:24:10.984 PDT) 83.102.131.178 (10:21:30.727 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-4891 (10:21:30.727 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 83.102.131.178 (10:21:34.042 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 43452<-2479 (10:21:34.042 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1367688090.727 1367688090.728 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 176.73.170.19 Egg Source List: 176.73.170.19 C & C List: Peer Coord. List: Resource List: Observed Start: 05/04/2013 10:55:36.806 PDT Gen. 
Time: 05/04/2013 10:55:40.216 PDT INBOUND SCAN EXPLOIT 176.73.170.19 (10:55:36.806 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-4705 (10:55:36.806 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 176.73.170.19 (10:55:40.216 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 52836<-5847 (10:55:40.216 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1367690136.806 1367690136.807 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 176.73.170.19, 46.196.19.128 Egg Source List: 176.73.170.19, 46.196.19.128 C & C List: Peer Coord. List: Resource List: Observed Start: 05/04/2013 10:55:36.806 PDT Gen. 
Time: 05/04/2013 11:00:33.393 PDT INBOUND SCAN EXPLOIT 176.73.170.19 (10:55:36.806 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-4705 (10:55:36.806 PDT) 46.196.19.128 (10:57:04.395 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-3678 (10:57:04.395 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 176.73.170.19 (10:55:40.216 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 52836<-5847 (10:55:40.216 PDT) 46.196.19.128 (10:57:07.220 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 39533<-8562 (10:57:07.220 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1367690136.806 1367690136.807 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 92.247.104.14 Egg Source List: 92.247.104.14 C & C List: Peer Coord. List: Resource List: Observed Start: 05/04/2013 11:21:39.243 PDT Gen. 
Time: 05/04/2013 11:21:44.562 PDT INBOUND SCAN EXPLOIT 92.247.104.14 (11:21:39.243 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-2048 (11:21:39.243 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 92.247.104.14 (11:21:44.562 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 39301<-3977 (11:21:44.562 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1367691699.243 1367691699.244 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 92.247.104.157, 92.247.104.14 Egg Source List: 212.117.43.184, 92.247.104.14 C & C List: Peer Coord. List: Resource List: Observed Start: 05/04/2013 11:21:39.243 PDT Gen. 
Time: 05/04/2013 11:45:26.361 PDT INBOUND SCAN EXPLOIT 92.247.104.157 (10) (11:24:06.930 PDT) event=1:22009201 (10) {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-1685 (11:24:06.930 PDT) 445<-1849 (11:24:18.834 PDT) 445<-2102 (11:24:32.346 PDT) 445<-2463 (11:24:49.013 PDT) 445<-2823 (11:25:06.314 PDT) 445<-3076 (11:25:22.265 PDT) 445<-3434 (11:25:35.464 PDT) 445<-3710 (11:25:51.473 PDT) 445<-4166 (11:26:18.128 PDT) 445<-4591 (11:26:35.619 PDT) 92.247.104.14 (7) (11:21:39.243 PDT) event=1:22009201 (7) {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-2048 (11:21:39.243 PDT) 445<-2479 (11:22:00.239 PDT) 445<-2990 (11:22:19.998 PDT) 445<-3459 (11:22:39.083 PDT) 445<-3954 (11:23:00.783 PDT) 445<-4525 (11:23:19.928 PDT) 445<-1117 (11:23:38.296 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 212.117.43.184 (11:31:46.916 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 38242<-2889 (11:31:46.916 PDT) 92.247.104.14 (7) (11:21:44.562 PDT) event=1:2001685 (7) {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 39301<-3977 (11:21:44.562 PDT) 39363<-3977 (11:22:07.716 PDT) 39422<-3977 (11:22:24.681 PDT) 39487<-3977 (11:22:45.625 PDT) 39516<-3977 (11:23:06.305 PDT) 39544<-3977 (11:23:24.307 PDT) 39584<-3977 (11:23:41.958 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1367691699.243 1367691699.244 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 
192.168.1.102 Infector List: 201.208.19.52 Egg Source List: 201.208.19.52 C & C List: Peer Coord. List: Resource List: Observed Start: 05/04/2013 12:01:52.379 PDT Gen. Time: 05/04/2013 12:01:56.096 PDT INBOUND SCAN EXPLOIT 201.208.19.52 (12:01:52.379 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-1158 (12:01:52.379 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 201.208.19.52 (12:01:56.096 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 44498<-1985 (12:01:56.096 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1367694112.379 1367694112.380 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 61.41.1.42 Egg Source List: 61.41.1.42 C & C List: Peer Coord. List: Resource List: Observed Start: 05/04/2013 12:28:10.627 PDT Gen. 
Time: 05/04/2013 12:28:13.309 PDT INBOUND SCAN EXPLOIT 61.41.1.42 (12:28:10.627 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-1936 (12:28:10.627 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 61.41.1.42 (12:28:13.309 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 53169<-6443 (12:28:13.309 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1367695690.627 1367695690.628 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 202.78.227.111 Egg Source List: 202.78.227.111 C & C List: Peer Coord. List: Resource List: Observed Start: 05/04/2013 12:36:44.927 PDT Gen. 
Time: 05/04/2013 12:36:48.538 PDT INBOUND SCAN EXPLOIT 202.78.227.111 (12:36:44.927 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-1748 (12:36:44.927 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 202.78.227.111 (12:36:48.538 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 46800<-9653 (12:36:48.538 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1367696204.927 1367696204.928 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 70.136.39.56, 202.78.227.111 Egg Source List: 202.78.227.111 C & C List: Peer Coord. List: Resource List: Observed Start: 05/04/2013 12:36:44.927 PDT Gen. 
Time: 05/04/2013 12:41:50.351 PDT INBOUND SCAN EXPLOIT 70.136.39.56 (12:38:42.621 PDT) event=1:22465 {tcp} E2[rb] GPL NETBIOS SMB-DS IPC$ share access, [] MAC_Dst: 00:21:5A:08:EC:40 445<-17756 (12:38:42.621 PDT) 202.78.227.111 (12:36:44.927 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-1748 (12:36:44.927 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 202.78.227.111 (12:36:48.538 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 46800<-9653 (12:36:48.538 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1367696204.927 1367696204.928 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 94.74.160.99, 113.160.178.155 Egg Source List: 94.74.160.99 C & C List: Peer Coord. List: Resource List: Observed Start: 05/04/2013 12:46:30.910 PDT Gen. 
Time: 05/04/2013 12:49:16.925 PDT INBOUND SCAN EXPLOIT 94.74.160.99 (12:49:13.891 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-3252 (12:49:13.891 PDT) 113.160.178.155 (12:46:30.910 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-2681 (12:46:30.910 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 94.74.160.99 (12:49:16.925 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 52210<-1988 (12:49:16.925 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1367696790.910 1367696790.911 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 94.229.65.26 Egg Source List: 94.229.65.26 C & C List: Peer Coord. List: Resource List: Observed Start: 05/04/2013 13:09:55.388 PDT Gen. 
Time: 05/04/2013 13:09:58.247 PDT INBOUND SCAN EXPLOIT 94.229.65.26 (13:09:55.388 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-3482 (13:09:55.388 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 94.229.65.26 (13:09:58.247 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 50298<-6801 (13:09:58.247 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1367698195.388 1367698195.389 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 188.32.253.82 Egg Source List: 188.32.253.82 C & C List: Peer Coord. List: Resource List: Observed Start: 05/04/2013 13:31:45.632 PDT Gen. 
Time: 05/04/2013 13:31:49.133 PDT INBOUND SCAN EXPLOIT 188.32.253.82 (13:31:45.632 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-2084 (13:31:45.632 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 188.32.253.82 (13:31:49.133 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 42917<-5755 (13:31:49.133 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1367699505.632 1367699505.633 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 83.102.131.178 Egg Source List: 83.102.131.178 C & C List: Peer Coord. List: Resource List: Observed Start: 05/04/2013 14:02:39.665 PDT Gen. 
Time: 05/04/2013 14:02:43.809 PDT INBOUND SCAN EXPLOIT 83.102.131.178 (14:02:39.665 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-3019 (14:02:39.665 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 83.102.131.178 (14:02:43.809 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 48914<-2479 (14:02:43.809 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1367701359.665 1367701359.666 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 210.108.87.45 Egg Source List: 210.108.87.45 C & C List: Peer Coord. List: Resource List: Observed Start: 05/04/2013 14:27:14.794 PDT Gen. 
Time: 05/04/2013 14:27:19.067 PDT INBOUND SCAN EXPLOIT 210.108.87.45 (14:27:14.794 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-2312 (14:27:14.794 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 210.108.87.45 (14:27:19.067 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 41637<-7033 (14:27:19.067 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1367702834.794 1367702834.795 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 93.230.108.15, 210.108.87.45 Egg Source List: 210.108.87.45 C & C List: Peer Coord. List: Resource List: Observed Start: 05/04/2013 14:27:14.794 PDT Gen. 
Time: 05/04/2013 14:34:23.377 PDT INBOUND SCAN EXPLOIT 93.230.108.15 (3) (14:30:11.231 PDT) event=1:22000032 {tcp} E2[rb] ET EXPLOIT LSA exploit, [] MAC_Dst: 00:21:5A:08:EC:40 445<-2002 (14:30:11.247 PDT) ------------------------- event=1:22000033 {tcp} E2[rb] ET NETBIOS MS04011 Lsasrv.dll RPC exploit (WinXP), [] MAC_Dst: 00:21:5A:08:EC:40 445<-2002 (14:30:11.243 PDT) ------------------------- event=1:22514 {tcp} E2[rb] GPL NETBIOS SMB-DS DCERPC LSASS DsRolerUpgradeDownlevelServer exploit attempt, [] MAC_Dst: 00:21:5A:08:EC:40 445<-2002 (14:30:11.231 PDT) 210.108.87.45 (14:27:14.794 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-2312 (14:27:14.794 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 210.108.87.45 (14:27:19.067 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 41637<-7033 (14:27:19.067 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1367702834.794 1367702834.795 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 176.73.170.19 Egg Source List: 176.73.170.19 C & C List: Peer Coord. List: Resource List: Observed Start: 05/04/2013 14:36:48.262 PDT Gen. 
Time: 05/04/2013 14:36:53.434 PDT INBOUND SCAN EXPLOIT 176.73.170.19 (14:36:48.262 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-2857 (14:36:48.262 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 176.73.170.19 (14:36:53.434 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 42602<-5847 (14:36:53.434 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1367703408.262 1367703408.263 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 123.29.69.83 Egg Source List: 123.29.69.83 C & C List: Peer Coord. List: Resource List: Observed Start: 05/04/2013 14:59:39.622 PDT Gen. 
Time: 05/04/2013 14:59:43.545 PDT INBOUND SCAN EXPLOIT 123.29.69.83 (14:59:39.622 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-4542 (14:59:39.622 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 123.29.69.83 (14:59:43.545 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 58363<-7944 (14:59:43.545 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1367704779.622 1367704779.623 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 84.228.57.66 Egg Source List: 84.228.57.66 C & C List: Peer Coord. List: Resource List: Observed Start: 05/04/2013 15:16:04.144 PDT Gen. 
Time: 05/04/2013 15:16:08.639 PDT INBOUND SCAN EXPLOIT 84.228.57.66 (15:16:04.144 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-2060 (15:16:04.144 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 84.228.57.66 (15:16:08.639 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 43918<-7397 (15:16:08.639 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1367705764.144 1367705764.145 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 216.24.251.5, 84.228.57.66 Egg Source List: 216.24.251.5, 84.228.57.66 C & C List: Peer Coord. List: Resource List: Observed Start: 05/04/2013 15:16:04.144 PDT Gen. 
Time: 05/04/2013 15:22:00.721 PDT INBOUND SCAN EXPLOIT 216.24.251.5 (15:17:56.468 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-4128 (15:17:56.468 PDT) 84.228.57.66 (15:16:04.144 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-2060 (15:16:04.144 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 216.24.251.5 (15:18:00.634 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 36468<-9056 (15:18:00.634 PDT) 84.228.57.66 (15:16:08.639 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 43918<-7397 (15:16:08.639 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1367705764.144 1367705764.145 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 116.193.77.99 Egg Source List: 116.193.77.99 C & C List: Peer Coord. List: Resource List: Observed Start: 05/04/2013 15:22:55.356 PDT Gen. 
Time: 05/04/2013 15:22:59.179 PDT
   INBOUND SCAN
   EXPLOIT
    116.193.77.99 (15:22:55.356 PDT)
     event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
     445<-4170 (15:22:55.356 PDT)
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
    116.193.77.99 (15:22:59.179 PDT)
     event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
     57524<-8713 (15:22:59.179 PDT)
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION Info
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
   DECLARE BOT Local Threat Triggered
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1367706175.356 1367706175.357 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'
============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 87.97.228.172
Egg Source List: 87.97.228.172
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/04/2013 15:42:45.665 PDT
Gen. Time: 05/04/2013 15:42:48.860 PDT
   INBOUND SCAN
   EXPLOIT
    87.97.228.172 (15:42:45.665 PDT)
     event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
     445<-2591 (15:42:45.665 PDT)
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
    87.97.228.172 (15:42:48.860 PDT)
     event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
     48632<-8750 (15:42:48.860 PDT)
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION Info
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
   DECLARE BOT Local Threat Triggered
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1367707365.665 1367707365.666 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'
============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 61.41.1.42
Egg Source List: 61.41.1.42
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/04/2013 16:09:17.698 PDT
Gen. Time: 05/04/2013 16:09:21.051 PDT
   INBOUND SCAN
   EXPLOIT
    61.41.1.42 (16:09:17.698 PDT)
     event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
     445<-3639 (16:09:17.698 PDT)
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
    61.41.1.42 (16:09:21.051 PDT)
     event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
     47631<-6443 (16:09:21.051 PDT)
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION Info
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
   DECLARE BOT Local Threat Triggered
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1367708957.698 1367708957.699 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'
============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 186.94.252.217, 61.41.1.42
Egg Source List: 61.41.1.42
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/04/2013 16:09:17.698 PDT
Gen. Time: 05/04/2013 16:13:05.171 PDT
   INBOUND SCAN
   EXPLOIT
    186.94.252.217 (16:09:35.437 PDT)
     event=1:22465 {tcp} E2[rb] GPL NETBIOS SMB-DS IPC$ share access, [] MAC_Dst: 00:21:5A:08:EC:40
     445<-13523 (16:09:35.437 PDT)
    61.41.1.42 (16:09:17.698 PDT)
     event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
     445<-3639 (16:09:17.698 PDT)
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
    61.41.1.42 (16:09:21.051 PDT)
     event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
     47631<-6443 (16:09:21.051 PDT)
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION Info
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
   DECLARE BOT Local Threat Triggered
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1367708957.698 1367708957.699 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'
============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 202.78.227.111
Egg Source List: 202.78.227.111
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/04/2013 16:17:56.306 PDT
Gen. Time: 05/04/2013 16:18:00.090 PDT
   INBOUND SCAN
   EXPLOIT
    202.78.227.111 (16:17:56.306 PDT)
     event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
     445<-3640 (16:17:56.306 PDT)
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
    202.78.227.111 (16:18:00.090 PDT)
     event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
     56481<-9653 (16:18:00.090 PDT)
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION Info
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
   DECLARE BOT Local Threat Triggered
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1367709476.306 1367709476.307 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'
============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 201.209.41.2
Egg Source List: 201.209.41.2
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/04/2013 16:26:02.343 PDT
Gen. Time: 05/04/2013 16:26:06.727 PDT
   INBOUND SCAN
   EXPLOIT
    201.209.41.2 (16:26:02.343 PDT)
     event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
     445<-3224 (16:26:02.343 PDT)
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
    201.209.41.2 (16:26:06.727 PDT)
     event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
     51413<-1090 (16:26:06.727 PDT)
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION Info
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
   DECLARE BOT Local Threat Triggered
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1367709962.343 1367709962.344 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'
============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 94.229.65.26
Egg Source List: 94.229.65.26
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/04/2013 16:51:06.675 PDT
Gen. Time: 05/04/2013 16:51:11.548 PDT
   INBOUND SCAN
   EXPLOIT
    94.229.65.26 (16:51:06.675 PDT)
     event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
     445<-3236 (16:51:06.675 PDT)
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
    94.229.65.26 (16:51:11.548 PDT)
     event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
     53903<-6801 (16:51:11.548 PDT)
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION Info
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
   DECLARE BOT Local Threat Triggered
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1367711466.675 1367711466.676 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'
============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 210.107.55.107
Egg Source List: 210.107.55.107
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/04/2013 16:58:08.843 PDT
Gen. Time: 05/04/2013 16:58:11.591 PDT
   INBOUND SCAN
   EXPLOIT
    210.107.55.107 (16:58:08.843 PDT)
     event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
     445<-1970 (16:58:08.843 PDT)
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
    210.107.55.107 (16:58:11.591 PDT)
     event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
     36209<-6443 (16:58:11.591 PDT)
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION Info
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
   DECLARE BOT Local Threat Triggered
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1367711888.843 1367711888.844 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'
============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 92.49.168.253
Egg Source List: 92.49.168.253
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/04/2013 17:48:47.805 PDT
Gen. Time: 05/04/2013 17:48:51.966 PDT
   INBOUND SCAN
   EXPLOIT
    92.49.168.253 (17:48:47.805 PDT)
     event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
     445<-12586 (17:48:47.805 PDT)
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
    92.49.168.253 (17:48:51.966 PDT)
     event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
     46175<-5454 (17:48:51.966 PDT)
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION Info
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
   DECLARE BOT Local Threat Triggered
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1367714927.805 1367714927.806 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'
============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 92.49.168.253, 189.18.57.32
Egg Source List: 92.49.168.253, 189.18.57.32
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/04/2013 17:48:47.805 PDT
Gen. Time: 05/04/2013 17:54:17.930 PDT
   INBOUND SCAN
   EXPLOIT
    92.49.168.253 (17:48:47.805 PDT)
     event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
     445<-12586 (17:48:47.805 PDT)
    189.18.57.32 (2) (17:49:54.026 PDT)
     event=1:22009201 (2) {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
     445<-3825 (17:49:54.026 PDT)
     445<-2027 (17:51:05.037 PDT)
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
    92.49.168.253 (17:48:51.966 PDT)
     event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
     46175<-5454 (17:48:51.966 PDT)
    189.18.57.32 (2) (17:49:57.628 PDT)
     event=1:2001685 (2) {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
     40911<-5191 (17:49:57.628 PDT)
     52262<-5191 (17:51:09.696 PDT)
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION Info
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
   DECLARE BOT Local Threat Triggered
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1367714927.805 1367714927.806 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'
============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 189.18.57.32
Egg Source List: 189.18.57.32
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/04/2013 17:54:59.128 PDT
Gen. Time: 05/04/2013 17:55:03.788 PDT
   INBOUND SCAN
   EXPLOIT
    189.18.57.32 (17:54:59.128 PDT)
     event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
     445<-1418 (17:54:59.128 PDT)
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
    189.18.57.32 (17:55:03.788 PDT)
     event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
     52635<-5191 (17:55:03.788 PDT)
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION Info
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
   DECLARE BOT Local Threat Triggered
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1367715299.128 1367715299.129 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'
============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 189.18.57.32
Egg Source List: 189.18.57.32
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/04/2013 17:58:24.131 PDT
Gen. Time: 05/04/2013 17:58:28.273 PDT
   INBOUND SCAN
   EXPLOIT
    189.18.57.32 (17:58:24.131 PDT)
     event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
     445<-3873 (17:58:24.131 PDT)
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
    189.18.57.32 (17:58:28.273 PDT)
     event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
     42375<-5191 (17:58:28.273 PDT)
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION Info
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
   DECLARE BOT Local Threat Triggered
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1367715504.131 1367715504.132 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'
============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 189.18.57.32
Egg Source List: 189.18.57.32
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/04/2013 18:01:28.206 PDT
Gen. Time: 05/04/2013 18:01:31.074 PDT
   INBOUND SCAN
   EXPLOIT
    189.18.57.32 (18:01:28.206 PDT)
     event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
     445<-1852 (18:01:28.206 PDT)
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
    189.18.57.32 (18:01:31.074 PDT)
     event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
     34219<-5191 (18:01:31.074 PDT)
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION Info
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
   DECLARE BOT Local Threat Triggered
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1367715688.206 1367715688.207 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'
============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 189.18.57.32
Egg Source List: 189.18.57.32
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/04/2013 18:01:28.206 PDT
Gen. Time: 05/04/2013 18:17:56.553 PDT
   INBOUND SCAN
   EXPLOIT
    189.18.57.32 (7) (18:01:28.206 PDT)
     event=1:22009201 (7) {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
     445<-1852 (18:01:28.206 PDT)
     445<-4758 (18:05:07.508 PDT)
     445<-1306 (18:07:25.467 PDT)
     445<-1148 (18:09:25.558 PDT)
     445<-4627 (18:11:17.322 PDT)
     445<-1040 (18:13:29.881 PDT)
     445<-1222 (18:15:44.908 PDT)
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
    189.18.57.32 (7) (18:01:31.074 PDT)
     event=1:2001685 (7) {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
     34219<-5191 (18:01:31.074 PDT)
     34484<-5191 (18:05:12.231 PDT)
     41060<-5191 (18:07:28.981 PDT)
     41184<-5191 (18:09:29.158 PDT)
     34456<-5191 (18:11:21.186 PDT)
     34593<-5191 (18:13:33.962 PDT)
     34754<-5191 (18:15:49.327 PDT)
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION Info
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
   DECLARE BOT Local Threat Triggered
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1367715688.206 1367715688.207 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'
============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 123.29.69.83
Egg Source List: 123.29.69.83
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/04/2013 18:40:50.331 PDT
Gen. Time: 05/04/2013 18:40:55.361 PDT
   INBOUND SCAN
   EXPLOIT
    123.29.69.83 (18:40:50.331 PDT)
     event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
     445<-16172 (18:40:50.331 PDT)
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
    123.29.69.83 (18:40:55.361 PDT)
     event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
     53584<-7944 (18:40:55.361 PDT)
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION Info
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
   DECLARE BOT Local Threat Triggered
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1367718050.331 1367718050.332 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'
============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 210.108.87.45
Egg Source List: 210.108.87.45
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/04/2013 18:52:48.308 PDT
Gen. Time: 05/04/2013 18:52:52.398 PDT
   INBOUND SCAN
   EXPLOIT
    210.108.87.45 (18:52:48.308 PDT)
     event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
     445<-2947 (18:52:48.308 PDT)
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
    210.108.87.45 (18:52:52.398 PDT)
     event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
     40687<-7033 (18:52:52.398 PDT)
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION Info
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
   DECLARE BOT Local Threat Triggered
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1367718768.308 1367718768.309 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'
============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 84.228.57.66
Egg Source List: 84.228.57.66
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/04/2013 18:57:17.428 PDT
Gen. Time: 05/04/2013 18:57:21.549 PDT
   INBOUND SCAN
   EXPLOIT
    84.228.57.66 (18:57:17.428 PDT)
     event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
     445<-1741 (18:57:17.428 PDT)
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
    84.228.57.66 (18:57:21.549 PDT)
     event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
     55642<-7397 (18:57:21.549 PDT)
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION Info
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
   DECLARE BOT Local Threat Triggered
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1367719037.428 1367719037.429 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'
============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 216.24.251.5, 84.228.57.66
Egg Source List: 216.24.251.5, 84.228.57.66
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/04/2013 18:57:17.428 PDT
Gen. Time: 05/04/2013 19:03:14.873 PDT
   INBOUND SCAN
   EXPLOIT
    216.24.251.5 (18:59:05.603 PDT)
     event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
     445<-2042 (18:59:05.603 PDT)
    84.228.57.66 (18:57:17.428 PDT)
     event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
     445<-1741 (18:57:17.428 PDT)
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
    216.24.251.5 (18:59:08.702 PDT)
     event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
     55238<-9056 (18:59:08.702 PDT)
    84.228.57.66 (18:57:21.549 PDT)
     event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
     55642<-7397 (18:57:21.549 PDT)
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION Info
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
   DECLARE BOT Local Threat Triggered
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1367719037.428 1367719037.429 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'
============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 116.193.77.99
Egg Source List: 116.193.77.99
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/04/2013 19:04:38.292 PDT
Gen. Time: 05/04/2013 19:04:46.025 PDT
   INBOUND SCAN
   EXPLOIT
    116.193.77.99 (19:04:38.292 PDT)
     event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
     445<-1453 (19:04:38.292 PDT)
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
    116.193.77.99 (19:04:46.025 PDT)
     event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
     49935<-8713 (19:04:46.025 PDT)
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION Info
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
   DECLARE BOT Local Threat Triggered
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1367719478.292 1367719478.293 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'
============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 108.14.195.182
Egg Source List: 108.14.195.182
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/04/2013 19:10:00.701 PDT
Gen. Time: 05/04/2013 19:10:05.505 PDT
   INBOUND SCAN
   EXPLOIT
    108.14.195.182 (19:10:00.701 PDT)
     event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
     445<-4605 (19:10:00.701 PDT)
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
    108.14.195.182 (19:10:05.505 PDT)
     event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
     35999<-1659 (19:10:05.505 PDT)
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION Info
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
   DECLARE BOT Local Threat Triggered
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1367719800.701 1367719800.702 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'
============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 50.56.96.63
Egg Source List: 50.56.96.63
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/04/2013 19:25:21.603 PDT
Gen. Time: 05/04/2013 19:25:25.037 PDT
   INBOUND SCAN
   EXPLOIT
    50.56.96.63 (19:25:21.603 PDT)
     event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
     445<-2563 (19:25:21.603 PDT)
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
    50.56.96.63 (19:25:25.037 PDT)
     event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
     50612<-6133 (19:25:25.037 PDT)
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION Info
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
   DECLARE BOT Local Threat Triggered
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1367720721.603 1367720721.604 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'
============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 210.107.55.107
Egg Source List: 210.107.55.107
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/04/2013 20:39:17.580 PDT
Gen. Time: 05/04/2013 20:39:20.902 PDT
   INBOUND SCAN
   EXPLOIT
    210.107.55.107 (20:39:17.580 PDT)
     event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
     445<-2452 (20:39:17.580 PDT)
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
    210.107.55.107 (20:39:20.902 PDT)
     event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
     36512<-6443 (20:39:20.902 PDT)
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION Info
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
   DECLARE BOT Local Threat Triggered
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1367725157.580 1367725157.581 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'
============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 187.75.97.151
Egg Source List: 187.75.97.151
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/04/2013 20:53:43.015 PDT
Gen. Time: 05/04/2013 20:53:46.623 PDT
   INBOUND SCAN
   EXPLOIT
    187.75.97.151 (20:53:43.015 PDT)
     event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
     445<-2616 (20:53:43.015 PDT)
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
    187.75.97.151 (20:53:46.623 PDT)
     event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
     39476<-6878 (20:53:46.623 PDT)
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION Info
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
   DECLARE BOT Local Threat Triggered
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1367726023.015 1367726023.016 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'
============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 5.149.103.217
Egg Source List: 5.149.103.217
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/04/2013 21:46:34.887 PDT
Gen. Time: 05/04/2013 21:46:39.646 PDT
   INBOUND SCAN
   EXPLOIT
    5.149.103.217 (21:46:34.887 PDT)
     event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
     445<-4015 (21:46:34.887 PDT)
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
    5.149.103.217 (21:46:39.646 PDT)
     event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
     39741<-9724 (21:46:39.646 PDT)
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION Info
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
   DECLARE BOT Local Threat Triggered
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1367729194.887 1367729194.888 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'
============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 5.53.246.199
Egg Source List: 5.53.246.199
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/04/2013 22:13:08.000 PDT
Gen. Time: 05/04/2013 22:13:11.883 PDT
   INBOUND SCAN
   EXPLOIT
    5.53.246.199 (22:13:08.000 PDT)
     event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
     445<-3276 (22:13:08.000 PDT)
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
    5.53.246.199 (22:13:11.883 PDT)
     event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
     60807<-6914 (22:13:11.883 PDT)
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION Info
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
   DECLARE BOT Local Threat Triggered
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1367730788.000 1367730788.001 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'
============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 49.147.185.41
Egg Source List: 49.147.185.41
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/04/2013 22:21:44.629 PDT
Gen. Time: 05/04/2013 22:21:47.702 PDT
   INBOUND SCAN
   EXPLOIT
    49.147.185.41 (22:21:44.629 PDT)
     event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
     445<-26184 (22:21:44.629 PDT)
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
    49.147.185.41 (22:21:47.702 PDT)
     event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
     52490<-4682 (22:21:47.702 PDT)
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION Info
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
   DECLARE BOT Local Threat Triggered
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1367731304.629 1367731304.630 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'
============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 95.69.153.20
Egg Source List: 95.69.153.20
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/04/2013 22:55:31.747 PDT
Gen. Time: 05/04/2013 22:55:35.074 PDT
   INBOUND SCAN
   EXPLOIT
    95.69.153.20 (22:55:31.747 PDT)
     event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
     445<-1345 (22:55:31.747 PDT)
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
    95.69.153.20 (22:55:35.074 PDT)
     event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
     39416<-2719 (22:55:35.074 PDT)
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION Info
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
   DECLARE BOT Local Threat Triggered
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1367733331.747 1367733331.748 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'
============================== SEPARATOR ================================