Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 1.169.150.158, 62.211.168.67, 92.247.104.207, 92.86.71.45
Egg Source List: 1.169.150.158, 62.211.168.67, 92.247.104.207, 92.86.71.45
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/04/2013 23:47:37.820 PDT
Gen. Time: 05/05/2013 00:28:53.595 PDT

INBOUND SCAN
EXPLOIT
  1.169.150.158 (23:47:37.820 PDT)
    event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
    445<-2421 (23:47:37.820 PDT)
  62.211.168.67 (23:47:42.296 PDT)
    event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
    445<-1149 (23:47:42.296 PDT)
  92.247.104.207 (14) (23:50:58.957 PDT)
    event=1:22009201 (14) {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
    445<-1222 (23:50:58.957 PDT) 445<-1999 (23:51:21.456 PDT) 445<-2858 (23:51:49.306 PDT) 445<-3562 (23:52:03.818 PDT) 445<-4115 (23:52:20.114 PDT) 445<-4787 (23:52:36.190 PDT) 445<-1484 (23:52:53.017 PDT) 445<-2033 (23:53:10.678 PDT) 445<-2742 (23:53:27.225 PDT) 445<-3353 (23:53:45.852 PDT) 445<-3983 (23:54:01.065 PDT) 445<-4571 (23:54:19.149 PDT) 445<-1343 (23:54:34.562 PDT) 445<-1886 (23:54:51.989 PDT)
  92.86.71.45 (23:48:28.604 PDT)
    event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
    445<-2237 (23:48:28.604 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
  1.169.150.158 (23:47:42.350 PDT)
    event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
    36079<-2083 (23:47:42.350 PDT)
  62.211.168.67 (23:47:45.499 PDT)
    event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
    35773<-4921 (23:47:45.499 PDT)
  92.247.104.207 (14) (23:51:03.813 PDT)
    event=1:2001685 (14) {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
    32937<-3977 (23:51:03.813 PDT) 32966<-3977 (23:51:30.474 PDT) 32993<-3977 (23:51:52.276 PDT) 33010<-3977 (23:52:09.059 PDT) 33029<-3977 (23:52:24.777 PDT) 33044<-3977 (23:52:41.051 PDT) 33072<-3977 (23:52:57.994 PDT) 33100<-3977 (23:53:15.130 PDT) 33130<-3977 (23:53:31.281 PDT) 33156<-3977 (23:53:49.839 PDT) 33168<-3977 (23:54:04.311 PDT) 33210<-3977 (23:54:24.029 PDT) 33253<-3977 (23:54:40.035 PDT) 33288<-3977 (23:54:55.884 PDT)
  92.86.71.45 (23:48:32.503 PDT)
    event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
    49635<-1335 (23:48:32.503 PDT)
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1367736457.820 1367736457.821 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 94.254.65.160
Egg Source List: 94.254.65.160
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/05/2013 00:51:48.976 PDT
Gen. Time: 05/05/2013 00:51:52.428 PDT

INBOUND SCAN
EXPLOIT
  94.254.65.160 (00:51:48.976 PDT)
    event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
    445<-1701 (00:51:48.976 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
  94.254.65.160 (00:51:52.428 PDT)
    event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
    45204<-7464 (00:51:52.428 PDT)
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1367740308.976 1367740308.977 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 95.89.210.44, 94.254.65.160
Egg Source List: 94.254.65.160
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/05/2013 00:51:48.976 PDT
Gen. Time: 05/05/2013 00:57:11.324 PDT

INBOUND SCAN
EXPLOIT
  95.89.210.44 (3) (00:53:29.197 PDT)
    event=1:22000032 {tcp} E2[rb] ET EXPLOIT LSA exploit, [] MAC_Dst: 00:21:5A:08:EC:40
    445<-51524 (00:53:29.205 PDT)
    -------------------------
    event=1:22000033 {tcp} E2[rb] ET NETBIOS MS04011 Lsasrv.dll RPC exploit (WinXP), [] MAC_Dst: 00:21:5A:08:EC:40
    445<-51524 (00:53:29.202 PDT)
    -------------------------
    event=1:22514 {tcp} E2[rb] GPL NETBIOS SMB-DS DCERPC LSASS DsRolerUpgradeDownlevelServer exploit attempt, [] MAC_Dst: 00:21:5A:08:EC:40
    445<-51524 (00:53:29.197 PDT)
  94.254.65.160 (00:51:48.976 PDT)
    event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
    445<-1701 (00:51:48.976 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
  94.254.65.160 (00:51:52.428 PDT)
    event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
    45204<-7464 (00:51:52.428 PDT)
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1367740308.976 1367740308.977 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 93.90.40.6
Egg Source List: 93.90.40.6
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/05/2013 01:00:25.715 PDT
Gen. Time: 05/05/2013 01:00:29.319 PDT

INBOUND SCAN
EXPLOIT
  93.90.40.6 (01:00:25.715 PDT)
    event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
    445<-2186 (01:00:25.715 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
  93.90.40.6 (01:00:29.319 PDT)
    event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
    56257<-6272 (01:00:29.319 PDT)
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1367740825.715 1367740825.716 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 46.214.169.24
Egg Source List: 46.214.169.24
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/05/2013 01:09:51.242 PDT
Gen. Time: 05/05/2013 01:09:54.573 PDT

INBOUND SCAN
EXPLOIT
  46.214.169.24 (01:09:51.242 PDT)
    event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
    445<-2820 (01:09:51.242 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
  46.214.169.24 (01:09:54.573 PDT)
    event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
    35684<-6782 (01:09:54.573 PDT)
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1367741391.242 1367741391.243 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 92.86.72.146, 46.214.169.24
Egg Source List: 92.86.72.146, 46.214.169.24
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/05/2013 01:09:51.242 PDT
Gen. Time: 05/05/2013 01:15:54.276 PDT

INBOUND SCAN
EXPLOIT
  92.86.72.146 (01:12:23.050 PDT)
    event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
    445<-3671 (01:12:23.050 PDT)
  46.214.169.24 (01:09:51.242 PDT)
    event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
    445<-2820 (01:09:51.242 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
  92.86.72.146 (01:12:26.736 PDT)
    event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
    57154<-7711 (01:12:26.736 PDT)
  46.214.169.24 (01:09:54.573 PDT)
    event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
    35684<-6782 (01:09:54.573 PDT)
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1367741391.242 1367741391.243 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 178.123.221.226, 91.67.113.48
Egg Source List: 91.67.113.48
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/05/2013 01:32:28.838 PDT
Gen. Time: 05/05/2013 01:32:51.054 PDT

INBOUND SCAN
EXPLOIT
  178.123.221.226 (01:32:28.838 PDT)
    event=1:22465 {tcp} E2[rb] GPL NETBIOS SMB-DS IPC$ share access, [] MAC_Dst: 00:21:5A:08:EC:40
    445<-59521 (01:32:28.838 PDT)
  91.67.113.48 (01:32:46.809 PDT)
    event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
    445<-4288 (01:32:46.809 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
  91.67.113.48 (01:32:51.054 PDT)
    event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
    50384<-1796 (01:32:51.054 PDT)
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1367742748.838 1367742748.839 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 92.247.104.207
Egg Source List: 92.247.104.207
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/05/2013 01:38:49.615 PDT
Gen. Time: 05/05/2013 01:38:55.546 PDT

INBOUND SCAN
EXPLOIT
  92.247.104.207 (01:38:49.615 PDT)
    event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
    445<-2910 (01:38:49.615 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
  92.247.104.207 (01:38:55.546 PDT)
    event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
    54759<-3977 (01:38:55.546 PDT)
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1367743129.615 1367743129.616 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 92.247.104.207
Egg Source List: 92.247.104.207
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/05/2013 01:38:49.615 PDT
Gen. Time: 05/05/2013 02:04:23.511 PDT

INBOUND SCAN
EXPLOIT
  92.247.104.207 (17) (01:38:49.615 PDT)
    event=1:22009201 (17) {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
    445<-2910 (01:38:49.615 PDT) 445<-3530 (01:39:09.673 PDT) 445<-4163 (01:39:29.212 PDT) 445<-4815 (01:40:00.800 PDT) 445<-2151 (01:40:22.680 PDT) 445<-2777 (01:40:41.365 PDT) 445<-3574 (01:42:58.631 PDT) 445<-4259 (01:43:20.962 PDT) 445<-1075 (01:43:38.357 PDT) 445<-1701 (01:43:59.715 PDT) 445<-2455 (01:44:21.503 PDT) 445<-3227 (01:44:41.525 PDT) 445<-4094 (01:45:10.451 PDT) 445<-4979 (01:45:30.405 PDT) 445<-1686 (01:46:08.026 PDT) 445<-2953 (01:46:26.155 PDT) 445<-3553 (01:46:47.823 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
  92.247.104.207 (17) (01:38:55.546 PDT)
    event=1:2001685 (17) {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
    54759<-3977 (01:38:55.546 PDT) 54776<-3977 (01:39:14.800 PDT) 54806<-3977 (01:39:35.096 PDT) 54849<-3977 (01:40:06.262 PDT) 54903<-3977 (01:40:28.814 PDT) 54921<-3977 (01:40:45.859 PDT) 58417<-3977 (01:43:03.491 PDT) 58450<-3977 (01:43:26.300 PDT) 58478<-3977 (01:43:43.871 PDT) 58508<-3977 (01:44:06.740 PDT) 58537<-3977 (01:44:25.866 PDT) 58561<-3977 (01:44:46.441 PDT) 58594<-3977 (01:45:15.321 PDT) 58619<-3977 (01:45:36.532 PDT) 50782<-3977 (01:46:13.369 PDT) 50808<-3977 (01:46:31.207 PDT) 50839<-3977 (01:46:52.375 PDT)
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1367743129.615 1367743129.616 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 92.247.104.207
Egg Source List: 92.247.104.207
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/05/2013 02:04:50.844 PDT
Gen. Time: 05/05/2013 02:04:53.940 PDT

INBOUND SCAN
EXPLOIT
  92.247.104.207 (02:04:50.844 PDT)
    event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
    445<-2125 (02:04:50.844 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
  92.247.104.207 (02:04:53.940 PDT)
    event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
    53804<-3977 (02:04:53.940 PDT)
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1367744690.844 1367744690.845 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 1.6 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 92.247.104.207
Egg Source List: 92.247.104.207
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/05/2013 02:04:50.844 PDT
Gen. Time: 05/05/2013 02:37:00.233 PDT

INBOUND SCAN
EXPLOIT
  92.247.104.207 (17) (02:04:50.844 PDT)
    event=1:22009201 (17) {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
    445<-2125 (02:04:50.844 PDT) 445<-2637 (02:05:04.353 PDT) 445<-3181 (02:05:19.905 PDT) 445<-3811 (02:05:37.954 PDT) 445<-4627 (02:05:58.085 PDT) 445<-1643 (02:06:14.577 PDT) 445<-2612 (02:06:34.839 PDT) 445<-3195 (02:06:50.372 PDT) 445<-3698 (02:07:09.330 PDT) 445<-4347 (02:07:24.249 PDT) 445<-1042 (02:07:39.608 PDT) 445<-1716 (02:07:59.023 PDT) 445<-2243 (02:08:13.500 PDT) 445<-2828 (02:08:32.552 PDT) 445<-3400 (02:08:48.270 PDT) 445<-3907 (02:09:02.945 PDT) 445<-4400 (02:09:17.314 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
  92.247.104.207 (17) (02:04:53.940 PDT)
    event=1:2001685 (17) {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
    53804<-3977 (02:04:53.940 PDT) 53816<-3977 (02:05:07.221 PDT) 53840<-3977 (02:05:24.157 PDT) 53845<-3977 (02:05:44.859 PDT) 59668<-3977 (02:06:01.794 PDT) 59688<-3977 (02:06:17.910 PDT) 59705<-3977 (02:06:37.885 PDT) 59720<-3977 (02:06:54.588 PDT) 59739<-3977 (02:07:13.901 PDT) 59757<-3977 (02:07:28.447 PDT) 59780<-3977 (02:07:49.164 PDT) 59794<-3977 (02:08:02.592 PDT) 59816<-3977 (02:08:17.774 PDT) 59834<-3977 (02:08:36.241 PDT) 59852<-3977 (02:08:51.616 PDT) 59866<-3977 (02:09:07.896 PDT) 59888<-3977 (02:09:21.095 PDT)
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT
  8.8.8.8 (5) (02:08:30.088 PDT)
    event=1:9910002 (5) {udp} E8[rb] BOTHUNTER CURRENT_EVENTS Excessive NXDOMAIN responses by internal host, [] MAC_Src: 00:21:1C:EE:14:00
    53007<-53 (02:08:30.088 PDT) 57539<-53 (02:12:26.132 PDT) 35089<-53 (02:18:50.540 PDT) 47133<-53 (02:22:09.904 PDT) 56707<-53 (02:29:18.267 PDT)
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1367744690.844 1367744690.845 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 95.69.153.20
Egg Source List: 95.69.153.20
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/05/2013 02:39:03.656 PDT
Gen. Time: 05/05/2013 02:39:06.812 PDT

INBOUND SCAN
EXPLOIT
  95.69.153.20 (02:39:03.656 PDT)
    event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
    445<-2970 (02:39:03.656 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
  95.69.153.20 (02:39:06.812 PDT)
    event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
    48729<-2719 (02:39:06.812 PDT)
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1367746743.656 1367746743.657 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 92.247.104.207, 95.69.153.20
Egg Source List: 92.247.104.207, 95.69.153.20
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/05/2013 02:39:03.656 PDT
Gen. Time: 05/05/2013 02:44:47.576 PDT

INBOUND SCAN
EXPLOIT
  92.247.104.207 (6) (02:39:40.269 PDT)
    event=1:22009201 (6) {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
    445<-1360 (02:39:40.269 PDT) 445<-1843 (02:39:55.263 PDT) 445<-2357 (02:40:07.635 PDT) 445<-2759 (02:40:21.667 PDT) 445<-3253 (02:40:34.840 PDT) 445<-3671 (02:40:49.564 PDT)
  95.69.153.20 (02:39:03.656 PDT)
    event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
    445<-2970 (02:39:03.656 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
  92.247.104.207 (6) (02:39:43.318 PDT)
    event=1:2001685 (6) {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
    51477<-3977 (02:39:43.318 PDT) 51521<-3977 (02:39:58.443 PDT) 51560<-3977 (02:40:11.503 PDT) 51604<-3977 (02:40:25.033 PDT) 51633<-3977 (02:40:38.893 PDT) 51674<-3977 (02:40:53.962 PDT)
  95.69.153.20 (02:39:06.812 PDT)
    event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
    48729<-2719 (02:39:06.812 PDT)
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1367746743.656 1367746743.657 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 95.28.103.89
Egg Source List: 95.28.103.89
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/05/2013 02:48:36.619 PDT
Gen. Time: 05/05/2013 02:48:42.627 PDT

INBOUND SCAN
EXPLOIT
  95.28.103.89 (02:48:36.619 PDT)
    event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
    445<-2701 (02:48:36.619 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
  95.28.103.89 (02:48:42.627 PDT)
    event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
    50189<-8933 (02:48:42.627 PDT)
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1367747316.619 1367747316.620 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/05/2013 03:01:30.677 PDT
Gen. Time: 05/05/2013 03:01:30.677 PDT

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT
  8.8.8.8 (03:01:30.677 PDT)
    event=1:9910002 {udp} E8[rb] BOTHUNTER CURRENT_EVENTS Excessive NXDOMAIN responses by internal host, [] MAC_Src: 00:21:1C:EE:14:00
    42102<-53 (03:01:30.677 PDT)
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1367748090.677 1367748090.678 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 1.6 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 95.28.103.89
Egg Source List: 95.28.103.89
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/05/2013 03:01:30.677 PDT
Gen. Time: 05/05/2013 03:06:41.412 PDT

INBOUND SCAN
EXPLOIT
  95.28.103.89 (03:02:34.278 PDT)
    event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
    445<-2496 (03:02:34.278 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
  95.28.103.89 (03:02:37.638 PDT)
    event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
    59189<-8933 (03:02:37.638 PDT)
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT
  8.8.8.8 (03:01:30.677 PDT)
    event=1:9910002 {udp} E8[rb] BOTHUNTER CURRENT_EVENTS Excessive NXDOMAIN responses by internal host, [] MAC_Src: 00:21:1C:EE:14:00
    42102<-53 (03:01:30.677 PDT)
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1367748090.677 1367748090.678 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 95.28.103.89
Egg Source List: 95.28.103.89
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/05/2013 03:17:11.861 PDT
Gen. Time: 05/05/2013 03:17:16.076 PDT

INBOUND SCAN
EXPLOIT
  95.28.103.89 (03:17:11.861 PDT)
    event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
    445<-2306 (03:17:11.861 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
  95.28.103.89 (03:17:16.076 PDT)
    event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
    44283<-8933 (03:17:16.076 PDT)
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1367749031.861 1367749031.862 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 95.28.103.89
Egg Source List: 95.28.103.89
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/05/2013 03:28:28.340 PDT
Gen. Time: 05/05/2013 03:28:34.678 PDT

INBOUND SCAN
EXPLOIT
  95.28.103.89 (03:28:28.340 PDT)
    event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
    445<-4728 (03:28:28.340 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
  95.28.103.89 (03:28:34.678 PDT)
    event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
    35582<-8933 (03:28:34.678 PDT)
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1367749708.340 1367749708.341 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 192.95.46.33, 95.28.103.89, 121.72.130.169, 92.86.71.45, 151.49.201.133
Egg Source List: 192.95.46.33, 95.28.103.89, 92.86.71.45
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/05/2013 03:28:28.340 PDT
Gen. Time: 05/05/2013 03:36:37.458 PDT

INBOUND SCAN
EXPLOIT
  192.95.46.33 (03:32:55.745 PDT)
    event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
    445<-4085 (03:32:55.745 PDT)
  95.28.103.89 (03:28:28.340 PDT)
    event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
    445<-4728 (03:28:28.340 PDT)
  121.72.130.169 (3) (03:31:31.213 PDT)
    event=1:22000032 {tcp} E2[rb] ET EXPLOIT LSA exploit, [] MAC_Dst: 00:21:5A:08:EC:40
    445<-2464 (03:31:31.231 PDT)
    -------------------------
    event=1:22000033 {tcp} E2[rb] ET NETBIOS MS04011 Lsasrv.dll RPC exploit (WinXP), [] MAC_Dst: 00:21:5A:08:EC:40
    445<-2464 (03:31:31.227 PDT)
    -------------------------
    event=1:22514 {tcp} E2[rb] GPL NETBIOS SMB-DS DCERPC LSASS DsRolerUpgradeDownlevelServer exploit attempt, [] MAC_Dst: 00:21:5A:08:EC:40
    445<-2464 (03:31:31.213 PDT)
  92.86.71.45 (03:32:18.769 PDT)
    event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
    445<-2831 (03:32:18.769 PDT)
  151.49.201.133 (2) (03:30:12.116 PDT-03:31:19.730 PDT)
    event=1:22475 (2) {tcp} E2[rb] GPL NETBIOS SMB-DS ADMIN$ unicode share access, [] MAC_Dst: 00:21:5A:08:EC:40
    2: 445<-34427 (03:30:12.116 PDT-03:31:19.730 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
  192.95.46.33 (03:32:59.686 PDT)
    event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
    41241<-6822 (03:32:59.686 PDT)
  95.28.103.89 (03:28:34.678 PDT)
    event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
    35582<-8933 (03:28:34.678 PDT)
  92.86.71.45 (03:32:24.808 PDT)
    event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
    46655<-1335 (03:32:24.808 PDT)
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1367749708.340 1367749879.731 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 95.28.103.89, 68.157.72.200
Egg Source List: 95.28.103.89
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/05/2013 03:37:05.925 PDT
Gen. Time: 05/05/2013 03:38:50.706 PDT

INBOUND SCAN
EXPLOIT
  95.28.103.89 (03:38:47.676 PDT)
    event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
    445<-4068 (03:38:47.676 PDT)
  68.157.72.200 (03:37:05.925 PDT)
    event=1:22465 {tcp} E2[rb] GPL NETBIOS SMB-DS IPC$ share access, [] MAC_Dst: 00:21:5A:08:EC:40
    445<-64090 (03:37:05.925 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
  95.28.103.89 (03:38:50.706 PDT)
    event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
    41798<-8933 (03:38:50.706 PDT)
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1367750225.925 1367750225.926 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 62.211.168.67, 95.28.103.89, 68.157.72.200
Egg Source List: 62.211.168.67, 95.28.103.89
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/05/2013 03:37:05.925 PDT
Gen. Time: 05/05/2013 03:46:28.592 PDT

INBOUND SCAN
EXPLOIT
  62.211.168.67 (03:42:25.892 PDT)
    event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
    445<-2413 (03:42:25.892 PDT)
  95.28.103.89 (03:38:47.676 PDT)
    event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
    445<-4068 (03:38:47.676 PDT)
  68.157.72.200 (03:37:05.925 PDT)
    event=1:22465 {tcp} E2[rb] GPL NETBIOS SMB-DS IPC$ share access, [] MAC_Dst: 00:21:5A:08:EC:40
    445<-64090 (03:37:05.925 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
  62.211.168.67 (03:42:29.189 PDT)
    event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
    52518<-4921 (03:42:29.189 PDT)
  95.28.103.89 (03:38:50.706 PDT)
    event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
    41798<-8933 (03:38:50.706 PDT)
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1367750225.925 1367750225.926 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 95.28.103.89
Egg Source List: 95.28.103.89
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/05/2013 03:54:09.942 PDT
Gen. Time: 05/05/2013 03:54:12.988 PDT

INBOUND SCAN
EXPLOIT
  95.28.103.89 (03:54:09.942 PDT)
    event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
    445<-4470 (03:54:09.942 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
  95.28.103.89 (03:54:12.988 PDT)
    event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
    53509<-8933 (03:54:12.988 PDT)
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1367751249.942 1367751249.943 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 1.6 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 95.28.103.89
Egg Source List: 95.28.103.89
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/05/2013 03:54:09.942 PDT
Gen. Time: 05/05/2013 03:58:17.953 PDT

INBOUND SCAN
EXPLOIT
  95.28.103.89 (03:54:09.942 PDT)
    event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
    445<-4470 (03:54:09.942 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
  95.28.103.89 (03:54:12.988 PDT)
    event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
    53509<-8933 (03:54:12.988 PDT)
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT
  8.8.8.8 (03:57:15.021 PDT)
    event=1:9910002 {udp} E8[rb] BOTHUNTER CURRENT_EVENTS Excessive NXDOMAIN responses by internal host, [] MAC_Src: 00:21:1C:EE:14:00
    38596<-53 (03:57:15.021 PDT)
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1367751249.942 1367751249.943 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 212.107.229.194
Egg Source List: 212.107.229.194
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/05/2013 04:08:53.141 PDT
Gen.
Time: 05/05/2013 04:08:56.257 PDT INBOUND SCAN EXPLOIT 212.107.229.194 (04:08:53.141 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-3347 (04:08:53.141 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 212.107.229.194 (04:08:56.257 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 44931<-6242 (04:08:56.257 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1367752133.141 1367752133.142 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 212.107.229.194, 186.89.54.120, 95.28.103.89 Egg Source List: 212.107.229.194, 95.28.103.89 C & C List: Peer Coord. List: Resource List: Observed Start: 05/05/2013 04:08:53.141 PDT Gen. 
Time: 05/05/2013 04:15:07.229 PDT INBOUND SCAN EXPLOIT 212.107.229.194 (04:08:53.141 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-3347 (04:08:53.141 PDT) 186.89.54.120 (04:09:40.216 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-55820 (04:09:40.216 PDT) 95.28.103.89 (04:11:32.662 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-3330 (04:11:32.662 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 212.107.229.194 (04:08:56.257 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 44931<-6242 (04:08:56.257 PDT) 95.28.103.89 (04:11:37.261 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 44698<-8933 (04:11:37.261 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1367752133.141 1367752133.142 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 95.28.103.89, 223.219.228.101 Egg Source List: 95.28.103.89 C & C List: Peer Coord. List: Resource List: Observed Start: 05/05/2013 04:23:53.149 PDT Gen. 
Time: 05/05/2013 04:27:52.290 PDT INBOUND SCAN EXPLOIT 95.28.103.89 (04:27:47.524 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-2719 (04:27:47.524 PDT) 223.219.228.101 (04:23:53.149 PDT) event=1:22514 {tcp} E2[rb] GPL NETBIOS SMB-DS DCERPC LSASS DsRolerUpgradeDownlevelServer exploit attempt, [] MAC_Dst: 00:21:5A:08:EC:40 445<-4100 (04:23:53.149 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 95.28.103.89 (04:27:52.290 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 52631<-8933 (04:27:52.290 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1367753033.149 1367753033.150 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 95.28.103.89 Egg Source List: 95.28.103.89 C & C List: Peer Coord. List: Resource List: Observed Start: 05/05/2013 04:43:47.484 PDT Gen. 
Time: 05/05/2013 04:43:51.965 PDT INBOUND SCAN EXPLOIT 95.28.103.89 (04:43:47.484 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-1310 (04:43:47.484 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 95.28.103.89 (04:43:51.965 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 40988<-8933 (04:43:51.965 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1367754227.484 1367754227.485 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 195.226.239.13, 95.28.103.89, 62.215.220.134, 94.254.65.160 Egg Source List: 95.28.103.89, 94.254.65.160 C & C List: Peer Coord. List: Resource List: Observed Start: 05/05/2013 04:43:47.484 PDT Gen. 
Time: 05/05/2013 04:52:48.524 PDT INBOUND SCAN EXPLOIT 195.226.239.13 (04:46:35.513 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-59263 (04:46:35.513 PDT) 95.28.103.89 (04:43:47.484 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-1310 (04:43:47.484 PDT) 62.215.220.134 (04:49:26.511 PDT) event=1:22465 {tcp} E2[rb] GPL NETBIOS SMB-DS IPC$ share access, [] MAC_Dst: 00:21:5A:08:EC:40 445<-48530 (04:49:26.511 PDT) 94.254.65.160 (04:43:55.307 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-4854 (04:43:55.307 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 95.28.103.89 (04:43:51.965 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 40988<-8933 (04:43:51.965 PDT) 94.254.65.160 (04:43:59.278 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 36285<-7464 (04:43:59.278 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1367754227.484 1367754227.485 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 93.90.40.6 Egg Source List: 93.90.40.6 C & C List: Peer Coord. List: Resource List: Observed Start: 05/05/2013 04:54:19.310 PDT Gen. 
Time: 05/05/2013 04:54:22.517 PDT INBOUND SCAN EXPLOIT 93.90.40.6 (04:54:19.310 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-4498 (04:54:19.310 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 93.90.40.6 (04:54:22.517 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 34164<-6272 (04:54:22.517 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1367754859.310 1367754859.311 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 95.28.103.89, 93.90.40.6, 118.165.195.53 Egg Source List: 192.168.11.3, 93.90.40.6 C & C List: Peer Coord. List: Resource List: Observed Start: 05/05/2013 04:54:19.310 PDT Gen. 
Time: 05/05/2013 05:01:24.456 PDT INBOUND SCAN EXPLOIT 95.28.103.89 (04:57:17.937 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-3746 (04:57:17.937 PDT) 93.90.40.6 (04:54:19.310 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-4498 (04:54:19.310 PDT) 118.165.195.53 (3) (04:56:54.855 PDT) event=1:22000032 {tcp} E2[rb] ET EXPLOIT LSA exploit, [] MAC_Dst: 00:21:5A:08:EC:40 445<-4961 (04:56:54.860 PDT) ------------------------- event=1:22000033 {tcp} E2[rb] ET NETBIOS MS04011 Lsasrv.dll RPC exploit (WinXP), [] MAC_Dst: 00:21:5A:08:EC:40 445<-4961 (04:56:54.859 PDT) ------------------------- event=1:22514 {tcp} E2[rb] GPL NETBIOS SMB-DS DCERPC LSASS DsRolerUpgradeDownlevelServer exploit attempt, [] MAC_Dst: 00:21:5A:08:EC:40 445<-4961 (04:56:54.855 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 192.168.11.3 (16) (04:55:55.613 PDT-04:56:20.691 PDT) event=1:1444 (5) {udp} E3[rb] TFTP GET from external source, [] MAC_Src: 00:21:5A:08:EC:40 5: 57796->69 (04:55:55.613 PDT-04:56:15.668 PDT) ------------------------- event=1:2008120 (5) {udp} E3[rb] ET POLICY Outbound TFTP Read Request, [] MAC_Src: 00:21:5A:08:EC:40 5: 57796->69 (04:55:55.613 PDT-04:56:15.668 PDT) ------------------------- event=1:3001441 (6) {udp} E3[rb] TFTP GET .exe from external source, [] MAC_Src: 00:21:5A:08:EC:40 6: 57796->69 (04:55:55.613 PDT-04:56:20.691 PDT) 93.90.40.6 (04:54:22.517 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 34164<-6272 (04:54:22.517 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1367754859.310 1367754980.692 
inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 95.28.103.89 Egg Source List: 95.28.103.89 C & C List: Peer Coord. List: Resource List: Observed Start: 05/05/2013 05:10:12.109 PDT Gen. Time: 05/05/2013 05:10:18.296 PDT INBOUND SCAN EXPLOIT 95.28.103.89 (05:10:12.109 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-3508 (05:10:12.109 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 95.28.103.89 (05:10:18.296 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 35759<-8933 (05:10:18.296 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1367755812.109 1367755812.110 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 95.28.103.89, 190.36.70.194 Egg Source List: 95.28.103.89 C & C List: Peer Coord. List: Resource List: Observed Start: 05/05/2013 05:10:12.109 PDT Gen. 
Time: 05/05/2013 05:15:02.390 PDT INBOUND SCAN EXPLOIT 95.28.103.89 (05:10:12.109 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-3508 (05:10:12.109 PDT) 190.36.70.194 (05:11:29.682 PDT) event=1:22465 {tcp} E2[rb] GPL NETBIOS SMB-DS IPC$ share access, [] MAC_Dst: 00:21:5A:08:EC:40 445<-49657 (05:11:29.682 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 95.28.103.89 (05:10:18.296 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 35759<-8933 (05:10:18.296 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1367755812.109 1367755812.110 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 91.67.113.48 Egg Source List: 91.67.113.48 C & C List: Peer Coord. List: Resource List: Observed Start: 05/05/2013 05:16:11.404 PDT Gen. 
Time: 05/05/2013 05:16:15.532 PDT INBOUND SCAN EXPLOIT 91.67.113.48 (05:16:11.404 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-2445 (05:16:11.404 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 91.67.113.48 (05:16:15.532 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 58254<-1796 (05:16:15.532 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1367756171.404 1367756171.405 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 91.67.113.48, 95.28.103.89, 118.9.4.223 Egg Source List: 91.67.113.48, 95.28.103.89 C & C List: Peer Coord. List: Resource List: Observed Start: 05/05/2013 05:16:11.404 PDT Gen. 
Time: 05/05/2013 05:25:18.937 PDT INBOUND SCAN EXPLOIT 91.67.113.48 (05:16:11.404 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-2445 (05:16:11.404 PDT) 95.28.103.89 (05:21:00.519 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-1036 (05:21:00.519 PDT) 118.9.4.223 (05:18:17.669 PDT) event=1:22514 {tcp} E2[rb] GPL NETBIOS SMB-DS DCERPC LSASS DsRolerUpgradeDownlevelServer exploit attempt, [] MAC_Dst: 00:21:5A:08:EC:40 445<-2099 (05:18:17.669 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 91.67.113.48 (05:16:15.532 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 58254<-1796 (05:16:15.532 PDT) 95.28.103.89 (05:21:04.950 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 55463<-8933 (05:21:04.950 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1367756171.404 1367756171.405 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 95.28.103.89 Egg Source List: 95.28.103.89 C & C List: Peer Coord. List: Resource List: Observed Start: 05/05/2013 05:35:22.452 PDT Gen. 
Time: 05/05/2013 05:35:27.807 PDT INBOUND SCAN EXPLOIT 95.28.103.89 (05:35:22.452 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-2133 (05:35:22.452 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 95.28.103.89 (05:35:27.807 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 57554<-8933 (05:35:27.807 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1367757322.452 1367757322.453 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 95.28.103.89, 92.247.104.254 Egg Source List: 95.28.103.89 C & C List: Peer Coord. List: Resource List: Observed Start: 05/05/2013 05:46:02.557 PDT Gen. 
Time: 05/05/2013 05:47:09.301 PDT INBOUND SCAN EXPLOIT 95.28.103.89 (05:47:04.840 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-2130 (05:47:04.840 PDT) 92.247.104.254 (05:46:02.557 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-3428 (05:46:02.557 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 95.28.103.89 (05:47:09.301 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 47357<-8933 (05:47:09.301 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1367757962.557 1367757962.558 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 46.214.101.253 Egg Source List: 46.214.101.253 C & C List: Peer Coord. List: Resource List: Observed Start: 05/05/2013 06:09:08.518 PDT Gen. 
Time: 05/05/2013 06:09:11.500 PDT INBOUND SCAN EXPLOIT 46.214.101.253 (06:09:08.518 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-12269 (06:09:08.518 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 46.214.101.253 (06:09:11.500 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 36906<-6874 (06:09:11.500 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1367759348.518 1367759348.519 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 212.107.229.194, 186.129.208.215, 46.214.101.253, 151.237.52.21 Egg Source List: 212.107.229.194, 186.129.208.215, 46.214.101.253 C & C List: Peer Coord. List: Resource List: Observed Start: 05/05/2013 06:09:08.518 PDT Gen. 
Time: 05/05/2013 06:14:55.478 PDT INBOUND SCAN EXPLOIT 212.107.229.194 (06:09:34.521 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-1169 (06:09:34.521 PDT) 186.129.208.215 (06:11:36.417 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-3742 (06:11:36.417 PDT) 46.214.101.253 (06:09:08.518 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-12269 (06:09:08.518 PDT) 151.237.52.21 (3) (06:12:00.142 PDT) event=1:22000032 {tcp} E2[rb] ET EXPLOIT LSA exploit, [] MAC_Dst: 00:21:5A:08:EC:40 445<-1288 (06:12:00.144 PDT) ------------------------- event=1:22000033 {tcp} E2[rb] ET NETBIOS MS04011 Lsasrv.dll RPC exploit (WinXP), [] MAC_Dst: 00:21:5A:08:EC:40 445<-1288 (06:12:00.143 PDT) ------------------------- event=1:22514 {tcp} E2[rb] GPL NETBIOS SMB-DS DCERPC LSASS DsRolerUpgradeDownlevelServer exploit attempt, [] MAC_Dst: 00:21:5A:08:EC:40 445<-1288 (06:12:00.142 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 212.107.229.194 (06:09:39.070 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 42195<-6242 (06:09:39.070 PDT) 186.129.208.215 (06:11:39.486 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 40431<-7142 (06:11:39.486 PDT) 46.214.101.253 (06:09:11.500 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 36906<-6874 (06:09:11.500 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE 
PORT SCAN tcpslice 1367759348.518 1367759348.519 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 05/05/2013 06:16:21.890 PDT Gen. Time: 05/05/2013 06:16:21.890 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT 8.8.8.8 (06:16:21.890 PDT) event=1:9910002 {udp} E8[rb] BOTHUNTER CURRENT_EVENTS Excessive NXDOMAIN responses by internal host, [] MAC_Src: 00:21:1C:EE:14:00 52658<-53 (06:16:21.890 PDT) OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1367759781.890 1367759781.891 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 1.170.2.161 Egg Source List: 1.170.2.161 C & C List: Peer Coord. List: Resource List: Observed Start: 05/05/2013 06:24:03.441 PDT Gen. 
Time: 05/05/2013 06:24:07.940 PDT INBOUND SCAN EXPLOIT 1.170.2.161 (06:24:03.441 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-2584 (06:24:03.441 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 1.170.2.161 (06:24:07.940 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 53439<-3410 (06:24:07.940 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1367760243.441 1367760243.442 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 5.167.86.165, 1.170.2.161 Egg Source List: 5.167.86.165, 1.170.2.161 C & C List: Peer Coord. List: Resource List: Observed Start: 05/05/2013 06:24:03.441 PDT Gen. 
Time: 05/05/2013 06:30:07.288 PDT INBOUND SCAN EXPLOIT 5.167.86.165 (06:26:01.182 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-1369 (06:26:01.182 PDT) 1.170.2.161 (06:24:03.441 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-2584 (06:24:03.441 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 5.167.86.165 (06:26:04.536 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 45615<-3507 (06:26:04.536 PDT) 1.170.2.161 (06:24:07.940 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 53439<-3410 (06:24:07.940 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1367760243.441 1367760243.442 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 186.94.19.21 Egg Source List: 186.94.19.21 C & C List: Peer Coord. List: Resource List: Observed Start: 05/05/2013 06:35:59.658 PDT Gen. 
Time: 05/05/2013 06:36:03.052 PDT INBOUND SCAN EXPLOIT 186.94.19.21 (06:35:59.658 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-1844 (06:35:59.658 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 186.94.19.21 (06:36:03.052 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 52646<-7236 (06:36:03.052 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1367760959.658 1367760959.659 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 194.54.182.141 Egg Source List: 194.54.182.141 C & C List: Peer Coord. List: Resource List: Observed Start: 05/05/2013 06:47:02.564 PDT Gen. 
Time: 05/05/2013 06:47:06.654 PDT INBOUND SCAN EXPLOIT 194.54.182.141 (06:47:02.564 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-3088 (06:47:02.564 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 194.54.182.141 (06:47:06.654 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 34667<-9231 (06:47:06.654 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1367761622.564 1367761622.565 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 92.103.71.21 Egg Source List: 92.103.71.21 C & C List: Peer Coord. List: Resource List: Observed Start: 05/05/2013 06:59:39.222 PDT Gen. 
Time: 05/05/2013 06:59:42.649 PDT

INBOUND SCAN
EXPLOIT
92.103.71.21 (06:59:39.222 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-1408 (06:59:39.222 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
92.103.71.21 (06:59:42.649 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 41731<-1398 (06:59:42.649 PDT)
C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1367762379.222 1367762379.223 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 114.25.116.73, 83.60.2.204
Egg Source List: 114.25.116.73
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/05/2013 07:03:25.470 PDT
Gen. Time: 05/05/2013 07:05:19.818 PDT

INBOUND SCAN
EXPLOIT
114.25.116.73 (07:05:16.577 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-2327 (07:05:16.577 PDT)
83.60.2.204 (4) (07:03:25.470 PDT-07:03:30.768 PDT) event=1:22000032 (2) {tcp} E2[rb] ET EXPLOIT LSA exploit, [] MAC_Dst: 00:21:5A:08:EC:40 2: 445<-2135 (07:03:25.470 PDT-07:03:30.768 PDT)
------------------------- event=1:22000033 {tcp} E2[rb] ET NETBIOS MS04011 Lsasrv.dll RPC exploit (WinXP), [] MAC_Dst: 00:21:5A:08:EC:40 445<-2135 (07:03:30.761 PDT)
------------------------- event=1:22514 {tcp} E2[rb] GPL NETBIOS SMB-DS DCERPC LSASS DsRolerUpgradeDownlevelServer exploit attempt, [] MAC_Dst: 00:21:5A:08:EC:40 445<-2135 (07:03:30.483 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
114.25.116.73 (07:05:19.818 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 44640<-3884 (07:05:19.818 PDT)
C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1367762605.470 1367762610.769 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 192.95.46.33
Egg Source List: 192.95.46.33
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/05/2013 07:14:04.859 PDT
Gen. Time: 05/05/2013 07:14:08.211 PDT

INBOUND SCAN
EXPLOIT
192.95.46.33 (07:14:04.859 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-3781 (07:14:04.859 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
192.95.46.33 (07:14:08.211 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 49048<-6822 (07:14:08.211 PDT)
C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1367763244.859 1367763244.860 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 80.164.187.146
Egg Source List: 80.164.187.146
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/05/2013 07:27:23.828 PDT
Gen. Time: 05/05/2013 07:27:27.036 PDT

INBOUND SCAN
EXPLOIT
80.164.187.146 (07:27:23.828 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-4279 (07:27:23.828 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
80.164.187.146 (07:27:27.036 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 48315<-6618 (07:27:27.036 PDT)
C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1367764043.828 1367764043.829 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 80.164.187.146, 50.80.79.14
Egg Source List: 80.164.187.146, 50.80.79.14
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/05/2013 07:27:23.828 PDT
Gen. Time: 05/05/2013 07:30:54.341 PDT

INBOUND SCAN
EXPLOIT
80.164.187.146 (07:27:23.828 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-4279 (07:27:23.828 PDT)
50.80.79.14 (07:27:48.955 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-2569 (07:27:48.955 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
80.164.187.146 (07:27:27.036 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 48315<-6618 (07:27:27.036 PDT)
50.80.79.14 (07:27:52.162 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 59325<-6330 (07:27:52.162 PDT)
C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1367764043.828 1367764043.829 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 151.31.221.45
Egg Source List: 151.31.221.45
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/05/2013 08:19:52.337 PDT
Gen. Time: 05/05/2013 08:19:55.245 PDT

INBOUND SCAN
EXPLOIT
151.31.221.45 (08:19:52.337 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-2448 (08:19:52.337 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
151.31.221.45 (08:19:55.245 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 41363<-4329 (08:19:55.245 PDT)
C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1367767192.337 1367767192.338 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 46.55.153.243
Egg Source List: 46.55.153.243
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/05/2013 08:22:58.502 PDT
Gen. Time: 05/05/2013 08:23:01.848 PDT

INBOUND SCAN
EXPLOIT
46.55.153.243 (08:22:58.502 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-2634 (08:22:58.502 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
46.55.153.243 (08:23:01.848 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 43092<-4461 (08:23:01.848 PDT)
C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1367767378.502 1367767378.503 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 181.95.162.197
Egg Source List: 181.95.162.197
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/05/2013 08:30:01.781 PDT
Gen. Time: 05/05/2013 08:30:05.118 PDT

INBOUND SCAN
EXPLOIT
181.95.162.197 (08:30:01.781 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-4710 (08:30:01.781 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
181.95.162.197 (08:30:05.118 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 40218<-4140 (08:30:05.118 PDT)
C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1367767801.781 1367767801.782 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 95.25.55.17
Egg Source List: 95.25.55.17
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/05/2013 08:46:26.503 PDT
Gen. Time: 05/05/2013 08:46:33.112 PDT

INBOUND SCAN
EXPLOIT
95.25.55.17 (08:46:26.503 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-1668 (08:46:26.503 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
95.25.55.17 (08:46:33.112 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 57155<-2462 (08:46:33.112 PDT)
C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1367768786.503 1367768786.504 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 86.63.85.208
Egg Source List: 86.63.85.208
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/05/2013 08:57:45.082 PDT
Gen. Time: 05/05/2013 08:57:49.533 PDT

INBOUND SCAN
EXPLOIT
86.63.85.208 (08:57:45.082 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-2390 (08:57:45.082 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
86.63.85.208 (08:57:49.533 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 39191<-1302 (08:57:49.533 PDT)
C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1367769465.082 1367769465.083 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 79.126.167.183
Egg Source List: 79.126.167.183
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/05/2013 09:05:16.884 PDT
Gen. Time: 05/05/2013 09:05:23.466 PDT

INBOUND SCAN
EXPLOIT
79.126.167.183 (09:05:16.884 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-5543 (09:05:16.884 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
79.126.167.183 (09:05:23.466 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 40887<-4469 (09:05:23.466 PDT)
C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1367769916.884 1367769916.885 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 128.68.53.38, 79.126.167.183
Egg Source List: 128.68.53.38, 79.126.167.183
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/05/2013 09:05:16.884 PDT
Gen. Time: 05/05/2013 09:12:21.993 PDT

INBOUND SCAN
EXPLOIT
128.68.53.38 (09:08:35.161 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-3059 (09:08:35.161 PDT)
79.126.167.183 (09:05:16.884 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-5543 (09:05:16.884 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
128.68.53.38 (09:08:40.429 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 44130<-9328 (09:08:40.429 PDT)
79.126.167.183 (09:05:23.466 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 40887<-4469 (09:05:23.466 PDT)
C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1367769916.884 1367769916.885 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 46.241.175.78
Egg Source List: 46.241.175.78
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/05/2013 09:39:02.647 PDT
Gen. Time: 05/05/2013 09:39:08.126 PDT

INBOUND SCAN
EXPLOIT
46.241.175.78 (09:39:02.647 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-2701 (09:39:02.647 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
46.241.175.78 (09:39:08.126 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 54889<-7623 (09:39:08.126 PDT)
C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1367771942.647 1367771942.648 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 59.144.167.146
Egg Source List: 59.144.167.146
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/05/2013 10:13:59.525 PDT
Gen. Time: 05/05/2013 10:14:04.030 PDT

INBOUND SCAN
EXPLOIT
59.144.167.146 (10:13:59.525 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-2869 (10:13:59.525 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
59.144.167.146 (10:14:04.030 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 46614<-8996 (10:14:04.030 PDT)
C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1367774039.525 1367774039.526 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 190.36.70.194, 59.144.167.146
Egg Source List: 59.144.167.146
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/05/2013 10:13:59.525 PDT
Gen. Time: 05/05/2013 10:16:51.560 PDT

INBOUND SCAN
EXPLOIT
190.36.70.194 (10:14:34.708 PDT) event=1:22465 {tcp} E2[rb] GPL NETBIOS SMB-DS IPC$ share access, [] MAC_Dst: 00:21:5A:08:EC:40 445<-50901 (10:14:34.708 PDT)
59.144.167.146 (10:13:59.525 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-2869 (10:13:59.525 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
59.144.167.146 (10:14:04.030 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 46614<-8996 (10:14:04.030 PDT)
C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1367774039.525 1367774039.526 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 190.158.154.44
Egg Source List: 190.158.154.44
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/05/2013 10:21:08.716 PDT
Gen. Time: 05/05/2013 10:21:12.923 PDT

INBOUND SCAN
EXPLOIT
190.158.154.44 (10:21:08.716 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-4039 (10:21:08.716 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
190.158.154.44 (10:21:12.923 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 49053<-4851 (10:21:12.923 PDT)
C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1367774468.716 1367774468.717 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 92.103.71.21
Egg Source List: 92.103.71.21
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/05/2013 10:40:46.345 PDT
Gen. Time: 05/05/2013 10:40:49.341 PDT

INBOUND SCAN
EXPLOIT
92.103.71.21 (10:40:46.345 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-4501 (10:40:46.345 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
92.103.71.21 (10:40:49.341 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 47429<-1398 (10:40:49.341 PDT)
C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1367775646.345 1367775646.346 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 92.103.71.21, 187.66.17.153
Egg Source List: 92.103.71.21, 187.66.17.153
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/05/2013 10:40:46.345 PDT
Gen. Time: 05/05/2013 10:47:30.516 PDT

INBOUND SCAN
EXPLOIT
92.103.71.21 (10:40:46.345 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-4501 (10:40:46.345 PDT)
187.66.17.153 (10:44:11.040 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-1629 (10:44:11.040 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
92.103.71.21 (10:40:49.341 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 47429<-1398 (10:40:49.341 PDT)
187.66.17.153 (10:44:15.106 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 41385<-3813 (10:44:15.106 PDT)
C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1367775646.345 1367775646.346 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 114.25.116.73
Egg Source List: 114.25.116.73
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/05/2013 10:51:14.861 PDT
Gen. Time: 05/05/2013 10:51:20.139 PDT

INBOUND SCAN
EXPLOIT
114.25.116.73 (10:51:14.861 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-3698 (10:51:14.861 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
114.25.116.73 (10:51:20.139 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 55539<-3884 (10:51:20.139 PDT)
C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1367776274.861 1367776274.862 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 114.25.116.73, 193.107.102.52
Egg Source List: 114.25.116.73
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/05/2013 10:51:14.861 PDT
Gen. Time: 05/05/2013 10:57:04.085 PDT

INBOUND SCAN
EXPLOIT
114.25.116.73 (10:51:14.861 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-3698 (10:51:14.861 PDT)
193.107.102.52 (5) (10:53:02.009 PDT-10:53:02.499 PDT) event=1:22000032 {tcp} E2[rb] ET EXPLOIT LSA exploit, [] MAC_Dst: 00:21:5A:08:EC:40 445<-1172 (10:53:02.009 PDT)
------------------------- event=1:22000033 (2) {tcp} E2[rb] ET NETBIOS MS04011 Lsasrv.dll RPC exploit (WinXP), [] MAC_Dst: 00:21:5A:08:EC:40 2: 445<-1172 (10:53:02.236 PDT-10:53:02.499 PDT)
------------------------- event=1:22514 (2) {tcp} E2[rb] GPL NETBIOS SMB-DS DCERPC LSASS DsRolerUpgradeDownlevelServer exploit attempt, [] MAC_Dst: 00:21:5A:08:EC:40 2: 445<-1172 (10:53:02.010 PDT-10:53:02.235 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
114.25.116.73 (10:51:20.139 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 55539<-3884 (10:51:20.139 PDT)
C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1367776274.861 1367776382.500 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 80.164.187.146
Egg Source List: 80.164.187.146
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/05/2013 11:08:44.601 PDT
Gen. Time: 05/05/2013 11:08:48.829 PDT

INBOUND SCAN
EXPLOIT
80.164.187.146 (11:08:44.601 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-3353 (11:08:44.601 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
80.164.187.146 (11:08:48.829 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 44767<-6618 (11:08:48.829 PDT)
C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1367777324.601 1367777324.602 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 187.66.17.153
Egg Source List: 187.66.17.153
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/05/2013 11:15:36.621 PDT
Gen. Time: 05/05/2013 11:15:42.922 PDT

INBOUND SCAN
EXPLOIT
187.66.17.153 (11:15:36.621 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-2386 (11:15:36.621 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
187.66.17.153 (11:15:42.922 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 53693<-3813 (11:15:42.922 PDT)
C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1367777736.621 1367777736.622 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 187.66.17.153
Egg Source List: 187.66.17.153
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/05/2013 11:28:48.998 PDT
Gen. Time: 05/05/2013 11:28:54.070 PDT

INBOUND SCAN
EXPLOIT
187.66.17.153 (11:28:48.998 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-4524 (11:28:48.998 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
187.66.17.153 (11:28:54.070 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 43007<-3813 (11:28:54.070 PDT)
C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1367778528.998 1367778528.999 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 187.66.17.153
Egg Source List: 187.66.17.153
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/05/2013 11:55:16.165 PDT
Gen. Time: 05/05/2013 11:55:23.701 PDT

INBOUND SCAN
EXPLOIT
187.66.17.153 (11:55:16.165 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-2763 (11:55:16.165 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
187.66.17.153 (11:55:23.701 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 43278<-3813 (11:55:23.701 PDT)
C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1367780116.165 1367780116.166 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 187.66.17.153
Egg Source List: 187.66.17.153
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/05/2013 12:08:05.227 PDT
Gen. Time: 05/05/2013 12:08:09.902 PDT

INBOUND SCAN
EXPLOIT
187.66.17.153 (12:08:05.227 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-3680 (12:08:05.227 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
187.66.17.153 (12:08:09.902 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 48705<-3813 (12:08:09.902 PDT)
C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1367780885.227 1367780885.228 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 181.95.162.197
Egg Source List: 181.95.162.197
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/05/2013 12:11:45.209 PDT
Gen. Time: 05/05/2013 12:11:54.161 PDT

INBOUND SCAN
EXPLOIT
181.95.162.197 (12:11:45.209 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-1494 (12:11:45.209 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
181.95.162.197 (12:11:54.161 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 48389<-4140 (12:11:54.161 PDT)
C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1367781105.209 1367781105.210 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 87.121.5.213
Egg Source List: 87.121.5.213
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/05/2013 12:15:57.255 PDT
Gen. Time: 05/05/2013 12:16:06.345 PDT

INBOUND SCAN
EXPLOIT
87.121.5.213 (12:15:57.255 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-4270 (12:15:57.255 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
87.121.5.213 (12:16:06.345 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 54759<-4994 (12:16:06.345 PDT)
C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1367781357.255 1367781357.256 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 87.121.5.213, 151.31.221.45
Egg Source List: 87.121.5.213, 151.31.221.45
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/05/2013 12:15:57.255 PDT
Gen. Time: 05/05/2013 12:22:18.545 PDT

INBOUND SCAN
EXPLOIT
87.121.5.213 (12:15:57.255 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-4270 (12:15:57.255 PDT)
151.31.221.45 (12:18:12.722 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-2416 (12:18:12.722 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
87.121.5.213 (12:16:06.345 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 54759<-4994 (12:16:06.345 PDT)
151.31.221.45 (12:18:17.865 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 35001<-4329 (12:18:17.865 PDT)
C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1367781357.255 1367781357.256 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 95.25.55.17
Egg Source List: 95.25.55.17
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/05/2013 12:27:59.873 PDT
Gen. Time: 05/05/2013 12:28:05.244 PDT

INBOUND SCAN
EXPLOIT
95.25.55.17 (12:27:59.873 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-2184 (12:27:59.873 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
95.25.55.17 (12:28:05.244 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 40167<-2462 (12:28:05.244 PDT)
C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1367782079.873 1367782079.874 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 109.54.165.124, 185.18.154.30, 41.254.8.159, 159.0.114.197
Egg Source List: 185.18.154.30
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/05/2013 12:35:39.227 PDT
Gen. Time: 05/05/2013 12:42:18.776 PDT

INBOUND SCAN
EXPLOIT
109.54.165.124 (12:35:39.227 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-4651 (12:35:39.227 PDT)
185.18.154.30 (12:42:13.856 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-2309 (12:42:13.856 PDT)
41.254.8.159 (12:38:24.145 PDT) event=1:22465 {tcp} E2[rb] GPL NETBIOS SMB-DS IPC$ share access, [] MAC_Dst: 00:21:5A:08:EC:40 445<-7844 (12:38:24.145 PDT)
159.0.114.197 (2) (12:39:13.185 PDT) event=1:22475 (2) {tcp} E2[rb] GPL NETBIOS SMB-DS ADMIN$ unicode share access, [] MAC_Dst: 00:21:5A:08:EC:40 445<-2465 (12:39:13.185 PDT) 445<-4079 (12:42:11.414 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
185.18.154.30 (12:42:18.776 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 33874<-2359 (12:42:18.776 PDT)
C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1367782539.227 1367782539.228 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 79.126.167.183
Egg Source List: 79.126.167.183
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/05/2013 12:47:26.334 PDT
Gen.
Time: 05/05/2013 12:47:32.000 PDT INBOUND SCAN EXPLOIT 79.126.167.183 (12:47:26.334 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-48247 (12:47:26.334 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 79.126.167.183 (12:47:32.000 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 44958<-4469 (12:47:32.000 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1367783246.334 1367783246.335 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 190.73.72.76 Egg Source List: 190.73.72.76 C & C List: Peer Coord. List: Resource List: Observed Start: 05/05/2013 13:06:43.195 PDT Gen. 
Time: 05/05/2013 13:06:45.878 PDT INBOUND SCAN EXPLOIT 190.73.72.76 (13:06:43.195 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-4542 (13:06:43.195 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 190.73.72.76 (13:06:45.878 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 54193<-5372 (13:06:45.878 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1367784403.195 1367784403.196 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 128.68.53.38 Egg Source List: 128.68.53.38 C & C List: Peer Coord. List: Resource List: Observed Start: 05/05/2013 13:11:46.500 PDT Gen. 
Time: 05/05/2013 13:11:49.586 PDT INBOUND SCAN EXPLOIT 128.68.53.38 (13:11:46.500 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-2278 (13:11:46.500 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 128.68.53.38 (13:11:49.586 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 58148<-9328 (13:11:49.586 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1367784706.500 1367784706.501 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 186.52.163.207 Egg Source List: 186.52.163.207 C & C List: Peer Coord. List: Resource List: Observed Start: 05/05/2013 13:24:10.730 PDT Gen. 
Time: 05/05/2013 13:24:16.206 PDT INBOUND SCAN EXPLOIT 186.52.163.207 (13:24:10.730 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-2774 (13:24:10.730 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 186.52.163.207 (13:24:16.206 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 37433<-6575 (13:24:16.206 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1367785450.730 1367785450.731 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 59.144.167.146 Egg Source List: 59.144.167.146 C & C List: Peer Coord. List: Resource List: Observed Start: 05/05/2013 13:55:15.918 PDT Gen. 
Time: 05/05/2013 13:55:19.583 PDT INBOUND SCAN EXPLOIT 59.144.167.146 (13:55:15.918 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-2693 (13:55:15.918 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 59.144.167.146 (13:55:19.583 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 36897<-8996 (13:55:19.583 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1367787315.918 1367787315.919 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 220.128.249.91 Egg Source List: 220.128.249.91 C & C List: Peer Coord. List: Resource List: Observed Start: 05/05/2013 14:02:52.560 PDT Gen. 
Time: 05/05/2013 14:02:58.245 PDT INBOUND SCAN EXPLOIT 220.128.249.91 (14:02:52.560 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-3002 (14:02:52.560 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 220.128.249.91 (14:02:58.245 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 54851<-8945 (14:02:58.245 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1367787772.560 1367787772.561 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 85.65.239.74, 220.128.249.91, 82.58.166.110 Egg Source List: 85.65.239.74, 220.128.249.91 C & C List: Peer Coord. List: Resource List: Observed Start: 05/05/2013 14:02:52.560 PDT Gen. 
Time: 05/05/2013 14:10:27.611 PDT INBOUND SCAN EXPLOIT 85.65.239.74 (14:06:38.278 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-1558 (14:06:38.278 PDT) 220.128.249.91 (14:02:52.560 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-3002 (14:02:52.560 PDT) 82.58.166.110 (3) (14:08:11.066 PDT) event=1:22000032 {tcp} E2[rb] ET EXPLOIT LSA exploit, [] MAC_Dst: 00:21:5A:08:EC:40 445<-3883 (14:08:11.095 PDT) ------------------------- event=1:22000033 {tcp} E2[rb] ET NETBIOS MS04011 Lsasrv.dll RPC exploit (WinXP), [] MAC_Dst: 00:21:5A:08:EC:40 445<-3883 (14:08:11.088 PDT) ------------------------- event=1:22514 {tcp} E2[rb] GPL NETBIOS SMB-DS DCERPC LSASS DsRolerUpgradeDownlevelServer exploit attempt, [] MAC_Dst: 00:21:5A:08:EC:40 445<-3883 (14:08:11.066 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 85.65.239.74 (14:06:41.886 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 42210<-8194 (14:06:41.886 PDT) 220.128.249.91 (14:02:58.245 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 54851<-8945 (14:02:58.245 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1367787772.560 1367787772.561 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 190.158.154.44 Egg Source List: 190.158.154.44 C & C List: Peer Coord. 
List: Resource List: Observed Start: 05/05/2013 14:27:43.068 PDT Gen. Time: 05/05/2013 14:27:47.203 PDT INBOUND SCAN EXPLOIT 190.158.154.44 (14:27:43.068 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-1700 (14:27:43.068 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 190.158.154.44 (14:27:47.203 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 51195<-4851 (14:27:47.203 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1367789263.068 1367789263.069 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 59.120.219.113 Egg Source List: 59.120.219.113 C & C List: Peer Coord. List: Resource List: Observed Start: 05/05/2013 14:40:45.505 PDT Gen. 
Time: 05/05/2013 14:40:48.612 PDT INBOUND SCAN EXPLOIT 59.120.219.113 (14:40:45.505 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-4593 (14:40:45.505 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 59.120.219.113 (14:40:48.612 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 46266<-2034 (14:40:48.612 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1367790045.505 1367790045.506 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 77.42.119.14 Egg Source List: 77.42.119.14 C & C List: Peer Coord. List: Resource List: Observed Start: 05/05/2013 14:51:54.601 PDT Gen. 
Time: 05/05/2013 14:51:58.007 PDT INBOUND SCAN EXPLOIT 77.42.119.14 (14:51:54.601 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-1144 (14:51:54.601 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 77.42.119.14 (14:51:58.007 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 56359<-8629 (14:51:58.007 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1367790714.601 1367790714.602 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 195.246.41.197 Egg Source List: 195.246.41.197 C & C List: Peer Coord. List: Resource List: Observed Start: 05/05/2013 15:03:14.878 PDT Gen. 
Time: 05/05/2013 15:03:18.974 PDT INBOUND SCAN EXPLOIT 195.246.41.197 (15:03:14.878 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-29896 (15:03:14.878 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 195.246.41.197 (15:03:18.974 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 48149<-2523 (15:03:18.974 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1367791394.878 1367791394.879 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 194.225.182.10 Egg Source List: 194.225.182.10 C & C List: Peer Coord. List: Resource List: Observed Start: 05/05/2013 15:28:19.665 PDT Gen. 
Time: 05/05/2013 15:28:23.522 PDT INBOUND SCAN EXPLOIT 194.225.182.10 (15:28:19.665 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-1986 (15:28:19.665 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 194.225.182.10 (15:28:23.522 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 45886<-5271 (15:28:23.522 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1367792899.665 1367792899.666 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 88.56.249.244 Egg Source List: 88.56.249.244 C & C List: Peer Coord. List: Resource List: Observed Start: 05/05/2013 15:32:41.815 PDT Gen. 
Time: 05/05/2013 15:32:44.707 PDT INBOUND SCAN EXPLOIT 88.56.249.244 (15:32:41.815 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-3709 (15:32:41.815 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 88.56.249.244 (15:32:44.707 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 45248<-2443 (15:32:44.707 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1367793161.815 1367793161.816 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 69.7.34.11 Egg Source List: 69.7.34.11 C & C List: Peer Coord. List: Resource List: Observed Start: 05/05/2013 15:37:05.023 PDT Gen. 
Time: 05/05/2013 15:37:07.549 PDT INBOUND SCAN EXPLOIT 69.7.34.11 (15:37:05.023 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-4079 (15:37:05.023 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 69.7.34.11 (15:37:07.549 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 41479<-2588 (15:37:07.549 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1367793425.023 1367793425.024 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 87.121.5.213 Egg Source List: 87.121.5.213 C & C List: Peer Coord. List: Resource List: Observed Start: 05/05/2013 15:57:14.854 PDT Gen. 
Time: 05/05/2013 15:57:18.570 PDT INBOUND SCAN EXPLOIT 87.121.5.213 (15:57:14.854 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-1877 (15:57:14.854 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 87.121.5.213 (15:57:18.570 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 39725<-4994 (15:57:18.570 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1367794634.854 1367794634.855 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 190.73.72.76 Egg Source List: 190.73.72.76 C & C List: Peer Coord. List: Resource List: Observed Start: 05/05/2013 16:50:39.807 PDT Gen. 
Time: 05/05/2013 16:50:43.782 PDT INBOUND SCAN EXPLOIT 190.73.72.76 (16:50:39.807 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-2697 (16:50:39.807 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 190.73.72.76 (16:50:43.782 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 46471<-5372 (16:50:43.782 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1367797839.807 1367797839.808 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 186.89.97.133 Egg Source List: 186.89.97.133 C & C List: Peer Coord. List: Resource List: Observed Start: 05/05/2013 17:33:01.524 PDT Gen. 
Time: 05/05/2013 17:33:06.038 PDT INBOUND SCAN EXPLOIT 186.89.97.133 (17:33:01.524 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-3982 (17:33:01.524 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 186.89.97.133 (17:33:06.038 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 35729<-3065 (17:33:06.038 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1367800381.524 1367800381.525 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 177.68.211.109, 186.89.97.133 Egg Source List: 177.68.211.109, 186.89.97.133 C & C List: Peer Coord. List: Resource List: Observed Start: 05/05/2013 17:33:01.524 PDT Gen. 
Time: 05/05/2013 17:36:47.779 PDT INBOUND SCAN EXPLOIT 177.68.211.109 (17:33:36.007 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-4343 (17:33:36.007 PDT) 186.89.97.133 (17:33:01.524 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-3982 (17:33:01.524 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 177.68.211.109 (17:33:39.987 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 47952<-9060 (17:33:39.987 PDT) 186.89.97.133 (17:33:06.038 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 35729<-3065 (17:33:06.038 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1367800381.524 1367800381.525 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 220.128.249.91 Egg Source List: 220.128.249.91 C & C List: Peer Coord. List: Resource List: Observed Start: 05/05/2013 17:44:02.014 PDT Gen. 
Time: 05/05/2013 17:44:04.834 PDT INBOUND SCAN EXPLOIT 220.128.249.91 (17:44:02.014 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-2604 (17:44:02.014 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 220.128.249.91 (17:44:04.834 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 42519<-8945 (17:44:04.834 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1367801042.014 1367801042.015 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 128.71.176.118 Egg Source List: 128.71.176.118 C & C List: Peer Coord. List: Resource List: Observed Start: 05/05/2013 18:08:18.676 PDT Gen. 
Time: 05/05/2013 18:08:22.609 PDT INBOUND SCAN EXPLOIT 128.71.176.118 (18:08:18.676 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-2913 (18:08:18.676 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 128.71.176.118 (18:08:22.609 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 49837<-4139 (18:08:22.609 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1367802498.676 1367802498.677 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 217.114.176.227 Egg Source List: 217.114.176.227 C & C List: Peer Coord. List: Resource List: Observed Start: 05/05/2013 18:14:46.685 PDT Gen. 
Time: 05/05/2013 18:14:49.941 PDT INBOUND SCAN EXPLOIT 217.114.176.227 (18:14:46.685 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-3951 (18:14:46.685 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 217.114.176.227 (18:14:49.941 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 57598<-2071 (18:14:49.941 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1367802886.685 1367802886.686 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 59.120.219.113 Egg Source List: 59.120.219.113 C & C List: Peer Coord. List: Resource List: Observed Start: 05/05/2013 18:22:03.979 PDT Gen. 
Time: 05/05/2013 18:22:09.885 PDT INBOUND SCAN EXPLOIT 59.120.219.113 (18:22:03.979 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-1988 (18:22:03.979 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 59.120.219.113 (18:22:09.885 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 43019<-2034 (18:22:09.885 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1367803323.979 1367803323.980 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 77.42.119.14 Egg Source List: 77.42.119.14 C & C List: Peer Coord. List: Resource List: Observed Start: 05/05/2013 18:33:03.111 PDT Gen. 
Time: 05/05/2013 18:33:06.206 PDT INBOUND SCAN EXPLOIT 77.42.119.14 (18:33:03.111 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-4044 (18:33:03.111 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 77.42.119.14 (18:33:06.206 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 39164<-8629 (18:33:06.206 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1367803983.111 1367803983.112 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 158.182.74.120 Egg Source List: 158.182.74.120 C & C List: Peer Coord. List: Resource List: Observed Start: 05/05/2013 18:37:13.466 PDT Gen. 
Time: 05/05/2013 18:37:16.220 PDT

INBOUND SCAN
EXPLOIT
  158.182.74.120 (18:37:13.466 PDT)
    event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
    445<-2999 (18:37:13.466 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
  158.182.74.120 (18:37:16.220 PDT)
    event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
    40340<-3877 (18:37:16.220 PDT)
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1367804233.466 1367804233.467 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 78.92.37.224, 158.182.74.120, 177.188.141.249
Egg Source List: 78.92.37.224, 158.182.74.120, 177.188.141.249
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/05/2013 18:37:13.466 PDT
Gen. Time: 05/05/2013 18:44:34.215 PDT

INBOUND SCAN
EXPLOIT
  78.92.37.224 (18:38:28.803 PDT)
    event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
    445<-4141 (18:38:28.803 PDT)
  158.182.74.120 (18:37:13.466 PDT)
    event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
    445<-2999 (18:37:13.466 PDT)
  177.188.141.249 (18:40:17.136 PDT)
    event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
    445<-3258 (18:40:17.136 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
  78.92.37.224 (18:38:32.237 PDT)
    event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
    60487<-5799 (18:38:32.237 PDT)
  158.182.74.120 (18:37:16.220 PDT)
    event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
    40340<-3877 (18:37:16.220 PDT)
  177.188.141.249 (18:40:20.088 PDT)
    event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
    48963<-1883 (18:40:20.088 PDT)
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1367804233.466 1367804233.467 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 194.225.182.10, 201.69.40.172
Egg Source List: 194.225.182.10
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/05/2013 19:09:03.618 PDT
Gen. Time: 05/05/2013 19:09:33.130 PDT

INBOUND SCAN
EXPLOIT
  194.225.182.10 (19:09:30.127 PDT)
    event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
    445<-3505 (19:09:30.127 PDT)
  201.69.40.172 (19:09:03.618 PDT)
    event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
    445<-1454 (19:09:03.618 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
  194.225.182.10 (19:09:33.130 PDT)
    event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
    36920<-5271 (19:09:33.130 PDT)
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1367806143.618 1367806143.619 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 88.56.249.244
Egg Source List: 88.56.249.244
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/05/2013 19:15:26.766 PDT
Gen. Time: 05/05/2013 19:15:30.982 PDT

INBOUND SCAN
EXPLOIT
  88.56.249.244 (19:15:26.766 PDT)
    event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
    445<-4501 (19:15:26.766 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
  88.56.249.244 (19:15:30.982 PDT)
    event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
    57760<-2443 (19:15:30.982 PDT)
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1367806526.766 1367806526.767 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 69.7.34.11
Egg Source List: 69.7.34.11
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/05/2013 19:19:49.562 PDT
Gen. Time: 05/05/2013 19:19:52.085 PDT

INBOUND SCAN
EXPLOIT
  69.7.34.11 (19:19:49.562 PDT)
    event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
    445<-2916 (19:19:49.562 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
  69.7.34.11 (19:19:52.085 PDT)
    event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
    55265<-2588 (19:19:52.085 PDT)
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1367806789.562 1367806789.563 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 195.246.41.197
Egg Source List: 195.246.41.197
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/05/2013 20:57:03.751 PDT
Gen. Time: 05/05/2013 20:57:08.093 PDT

INBOUND SCAN
EXPLOIT
  195.246.41.197 (20:57:03.751 PDT)
    event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
    445<-12474 (20:57:03.751 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
  195.246.41.197 (20:57:08.093 PDT)
    event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
    52196<-2523 (20:57:08.093 PDT)
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1367812623.751 1367812623.752 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 217.114.176.227
Egg Source List: 217.114.176.227
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/05/2013 21:07:22.803 PDT
Gen. Time: 05/05/2013 21:07:26.503 PDT

INBOUND SCAN
EXPLOIT
  217.114.176.227 (21:07:22.803 PDT)
    event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
    445<-3509 (21:07:22.803 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
  217.114.176.227 (21:07:26.503 PDT)
    event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
    34563<-2071 (21:07:26.503 PDT)
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1367813242.803 1367813242.804 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 92.247.104.246
Egg Source List: 92.247.104.246
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/05/2013 21:16:52.458 PDT
Gen. Time: 05/05/2013 21:16:55.636 PDT

INBOUND SCAN
EXPLOIT
  92.247.104.246 (21:16:52.458 PDT)
    event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
    445<-1347 (21:16:52.458 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
  92.247.104.246 (21:16:55.636 PDT)
    event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
    60301<-3977 (21:16:55.636 PDT)
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1367813812.458 1367813812.459 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 92.247.104.246
Egg Source List: 92.247.104.246
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/05/2013 21:16:52.458 PDT
Gen. Time: 05/05/2013 21:30:23.933 PDT

INBOUND SCAN
EXPLOIT
  92.247.104.246 (17) (21:16:52.458 PDT)
    event=1:22009201 (17) {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
    445<-1347 (21:16:52.458 PDT)
    445<-1706 (21:17:04.614 PDT)
    445<-2073 (21:17:18.835 PDT)
    445<-2509 (21:17:36.143 PDT)
    445<-2989 (21:17:50.997 PDT)
    445<-3410 (21:18:08.659 PDT)
    445<-3942 (21:18:27.141 PDT)
    445<-4750 (21:18:53.778 PDT)
    445<-1392 (21:19:09.775 PDT)
    445<-1828 (21:19:23.479 PDT)
    445<-2244 (21:19:38.944 PDT)
    445<-2597 (21:19:55.985 PDT)
    445<-2991 (21:20:11.324 PDT)
    445<-3407 (21:20:27.944 PDT)
    445<-4057 (21:20:53.344 PDT)
    445<-4430 (21:21:10.787 PDT)
    445<-4893 (21:21:27.740 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
  92.247.104.246 (17) (21:16:55.636 PDT)
    event=1:2001685 (17) {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
    60301<-3977 (21:16:55.636 PDT)
    60315<-3977 (21:17:07.746 PDT)
    60339<-3977 (21:17:22.409 PDT)
    60358<-3977 (21:17:39.854 PDT)
    60381<-3977 (21:17:55.008 PDT)
    60396<-3977 (21:18:11.896 PDT)
    60432<-3977 (21:18:32.019 PDT)
    60471<-3977 (21:18:57.958 PDT)
    60483<-3977 (21:19:12.863 PDT)
    60501<-3977 (21:19:26.811 PDT)
    60512<-3977 (21:19:42.381 PDT)
    60538<-3977 (21:20:00.659 PDT)
    60556<-3977 (21:20:15.074 PDT)
    60575<-3977 (21:20:32.069 PDT)
    32940<-3977 (21:20:58.389 PDT)
    32958<-3977 (21:21:14.251 PDT)
    32981<-3977 (21:21:31.321 PDT)
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1367813812.458 1367813812.459 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 128.71.176.118
Egg Source List: 128.71.176.118
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/05/2013 21:53:50.442 PDT
Gen. Time: 05/05/2013 21:53:53.746 PDT

INBOUND SCAN
EXPLOIT
  128.71.176.118 (21:53:50.442 PDT)
    event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
    445<-4389 (21:53:50.442 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
  128.71.176.118 (21:53:53.746 PDT)
    event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
    35081<-4139 (21:53:53.746 PDT)
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1367816030.442 1367816030.443 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 128.71.176.118, 213.171.97.86
Egg Source List: 128.71.176.118, 192.168.0.4
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/05/2013 21:53:50.442 PDT
Gen. Time: 05/05/2013 22:03:32.584 PDT

INBOUND SCAN
EXPLOIT
  128.71.176.118 (21:53:50.442 PDT)
    event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
    445<-4389 (21:53:50.442 PDT)
  213.171.97.86 (21:54:46.880 PDT)
    event=1:22465 {tcp} E2[rb] GPL NETBIOS SMB-DS IPC$ share access, [] MAC_Dst: 00:21:5A:08:EC:40
    445<-4561 (21:54:46.880 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
  128.71.176.118 (21:53:53.746 PDT)
    event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
    35081<-4139 (21:53:53.746 PDT)
  192.168.0.4 (16) (21:58:12.574 PDT-21:58:37.913 PDT)
    event=1:1444 (5) {udp} E3[rb] TFTP GET from external source, [] MAC_Src: 00:21:5A:08:EC:40
    5: 39625->69 (21:58:12.574 PDT-21:58:32.814 PDT)
    -------------------------
    event=1:2008120 (5) {udp} E3[rb] ET POLICY Outbound TFTP Read Request, [] MAC_Src: 00:21:5A:08:EC:40
    5: 39625->69 (21:58:12.574 PDT-21:58:32.814 PDT)
    -------------------------
    event=1:3001441 (6) {udp} E3[rb] TFTP GET .exe from external source, [] MAC_Src: 00:21:5A:08:EC:40
    6: 39625->69 (21:58:12.574 PDT-21:58:37.913 PDT)
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1367816030.442 1367816317.914 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 92.247.104.246
Egg Source List: 92.247.104.246
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/05/2013 22:12:44.552 PDT
Gen. Time: 05/05/2013 22:12:48.192 PDT

INBOUND SCAN
EXPLOIT
  92.247.104.246 (22:12:44.552 PDT)
    event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
    445<-4490 (22:12:44.552 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
  92.247.104.246 (22:12:48.192 PDT)
    event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
    52018<-3977 (22:12:48.192 PDT)
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1367817164.552 1367817164.553 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 92.247.104.246
Egg Source List: 92.247.104.246
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/05/2013 22:12:44.552 PDT
Gen. Time: 05/05/2013 22:37:00.129 PDT

INBOUND SCAN
EXPLOIT
  92.247.104.246 (17) (22:12:44.552 PDT)
    event=1:22009201 (17) {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
    445<-4490 (22:12:44.552 PDT)
    445<-4834 (22:12:56.902 PDT)
    445<-1268 (22:13:12.104 PDT)
    445<-1676 (22:13:30.774 PDT)
    445<-2148 (22:13:45.004 PDT)
    445<-2492 (22:14:00.563 PDT)
    445<-2930 (22:14:16.354 PDT)
    445<-3390 (22:14:34.793 PDT)
    445<-3756 (22:14:48.931 PDT)
    445<-4122 (22:15:02.997 PDT)
    445<-4518 (22:15:20.359 PDT)
    445<-1039 (22:15:37.834 PDT)
    445<-1466 (22:15:53.129 PDT)
    445<-1901 (22:16:11.507 PDT)
    445<-2434 (22:16:29.140 PDT)
    445<-2799 (22:16:45.075 PDT)
    445<-3183 (22:17:00.229 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
  92.247.104.246 (17) (22:12:48.192 PDT)
    event=1:2001685 (17) {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
    52018<-3977 (22:12:48.192 PDT)
    52026<-3977 (22:13:00.189 PDT)
    52038<-3977 (22:13:17.724 PDT)
    52060<-3977 (22:13:34.906 PDT)
    52073<-3977 (22:13:48.671 PDT)
    52092<-3977 (22:14:07.221 PDT)
    52100<-3977 (22:14:19.861 PDT)
    52120<-3977 (22:14:38.660 PDT)
    52142<-3977 (22:14:52.863 PDT)
    52152<-3977 (22:15:06.917 PDT)
    52167<-3977 (22:15:23.798 PDT)
    52178<-3977 (22:15:41.565 PDT)
    54755<-3977 (22:15:56.367 PDT)
    54765<-3977 (22:16:14.760 PDT)
    54783<-3977 (22:16:33.187 PDT)
    54796<-3977 (22:16:50.130 PDT)
    54815<-3977 (22:17:03.501 PDT)
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1367817164.552 1367817164.553 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 195.24.90.59, 82.135.138.91
Egg Source List: 195.24.90.59
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/05/2013 22:38:40.302 PDT
Gen. Time: 05/05/2013 22:41:25.346 PDT

INBOUND SCAN
EXPLOIT
  195.24.90.59 (22:41:20.073 PDT)
    event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
    445<-4911 (22:41:20.073 PDT)
  82.135.138.91 (2) (22:38:40.302 PDT)
    event=1:22000032 {tcp} E2[rb] ET EXPLOIT LSA exploit, [] MAC_Dst: 00:21:5A:08:EC:40
    445<-2063 (22:38:40.308 PDT)
    -------------------------
    event=1:22000033 {tcp} E2[rb] ET NETBIOS MS04011 Lsasrv.dll RPC exploit (WinXP), [] MAC_Dst: 00:21:5A:08:EC:40
    445<-2063 (22:38:40.302 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
  195.24.90.59 (22:41:25.346 PDT)
    event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
    45810<-3120 (22:41:25.346 PDT)
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1367818720.302 1367818720.303 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================