Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 114.36.40.107
Egg Source List: 114.36.40.107
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/06/2013 00:15:22.139 PDT
Gen. Time: 05/06/2013 00:15:28.102 PDT

INBOUND SCAN

EXPLOIT
114.36.40.107 (00:15:22.139 PDT)
  event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
  445<-3502 (00:15:22.139 PDT)

EXPLOIT MALWARE DNS

EGG DOWNLOAD
114.36.40.107 (00:15:28.102 PDT)
  event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
  42434<-3453 (00:15:28.102 PDT)

C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1367824522.139 1367824522.140 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 118.128.105.185, 114.36.40.107
Egg Source List: 118.128.105.185, 114.36.40.107
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/06/2013 00:15:22.139 PDT
Gen. Time: 05/06/2013 00:19:54.986 PDT

INBOUND SCAN

EXPLOIT
118.128.105.185 (00:15:57.481 PDT)
  event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
  445<-3150 (00:15:57.481 PDT)
114.36.40.107 (00:15:22.139 PDT)
  event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
  445<-3502 (00:15:22.139 PDT)

EXPLOIT MALWARE DNS

EGG DOWNLOAD
118.128.105.185 (00:16:01.113 PDT)
  event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
  60723<-3399 (00:16:01.113 PDT)
114.36.40.107 (00:15:28.102 PDT)
  event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
  42434<-3453 (00:15:28.102 PDT)

C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1367824522.139 1367824522.140 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 189.61.199.213
Egg Source List: 189.61.199.213
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/06/2013 00:54:28.754 PDT
Gen. Time: 05/06/2013 00:54:33.913 PDT

INBOUND SCAN

EXPLOIT
189.61.199.213 (00:54:28.754 PDT)
  event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
  445<-2443 (00:54:28.754 PDT)

EXPLOIT MALWARE DNS

EGG DOWNLOAD
189.61.199.213 (00:54:33.913 PDT)
  event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
  34115<-2283 (00:54:33.913 PDT)

C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1367826868.754 1367826868.755 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 105.132.130.88
Egg Source List: 105.132.130.88
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/06/2013 01:11:38.014 PDT
Gen. Time: 05/06/2013 01:11:50.414 PDT

INBOUND SCAN

EXPLOIT
105.132.130.88 (01:11:38.014 PDT)
  event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
  445<-1380 (01:11:38.014 PDT)

EXPLOIT MALWARE DNS

EGG DOWNLOAD
105.132.130.88 (01:11:50.414 PDT)
  event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
  55051<-8582 (01:11:50.414 PDT)

C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1367827898.014 1367827898.015 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 122.169.202.78, 71.187.75.37, 105.132.130.88
Egg Source List: 122.169.202.78, 105.132.130.88
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/06/2013 01:11:38.014 PDT
Gen. Time: 05/06/2013 01:17:26.381 PDT

INBOUND SCAN

EXPLOIT
122.169.202.78 (01:14:25.814 PDT)
  event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
  445<-4937 (01:14:25.814 PDT)
71.187.75.37 (01:12:46.242 PDT)
  event=1:22514 {tcp} E2[rb] GPL NETBIOS SMB-DS DCERPC LSASS DsRolerUpgradeDownlevelServer exploit attempt, [] MAC_Dst: 00:21:5A:08:EC:40
  445<-3876 (01:12:46.242 PDT)
105.132.130.88 (01:11:38.014 PDT)
  event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
  445<-1380 (01:11:38.014 PDT)

EXPLOIT MALWARE DNS

EGG DOWNLOAD
122.169.202.78 (01:14:29.324 PDT)
  event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
  44945<-9519 (01:14:29.324 PDT)
105.132.130.88 (01:11:50.414 PDT)
  event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
  55051<-8582 (01:11:50.414 PDT)

C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1367827898.014 1367827898.015 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 46.107.57.157
Egg Source List: 46.107.57.157
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/06/2013 01:29:40.450 PDT
Gen. Time: 05/06/2013 01:29:44.022 PDT

INBOUND SCAN

EXPLOIT
46.107.57.157 (01:29:40.450 PDT)
  event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
  445<-6553 (01:29:40.450 PDT)

EXPLOIT MALWARE DNS

EGG DOWNLOAD
46.107.57.157 (01:29:44.022 PDT)
  event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
  50404<-9188 (01:29:44.022 PDT)

C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1367828980.450 1367828980.451 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 92.247.104.246
Egg Source List: 92.247.104.246
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/06/2013 01:55:08.098 PDT
Gen. Time: 05/06/2013 01:55:11.080 PDT

INBOUND SCAN

EXPLOIT
92.247.104.246 (01:55:08.098 PDT)
  event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
  445<-1756 (01:55:08.098 PDT)

EXPLOIT MALWARE DNS

EGG DOWNLOAD
92.247.104.246 (01:55:11.080 PDT)
  event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
  43602<-3977 (01:55:11.080 PDT)

C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1367830508.098 1367830508.099 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 92.247.104.246, 95.37.194.199
Egg Source List: 92.247.104.246, 95.37.194.199
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/06/2013 01:55:08.098 PDT
Gen. Time: 05/06/2013 02:01:17.233 PDT

INBOUND SCAN

EXPLOIT
92.247.104.246 (01:55:08.098 PDT)
  event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
  445<-1756 (01:55:08.098 PDT)
95.37.194.199 (01:56:55.934 PDT)
  event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
  445<-3783 (01:56:55.934 PDT)

EXPLOIT MALWARE DNS

EGG DOWNLOAD
92.247.104.246 (01:55:11.080 PDT)
  event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
  43602<-3977 (01:55:11.080 PDT)
95.37.194.199 (01:56:59.253 PDT)
  event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
  59952<-6668 (01:56:59.253 PDT)

C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1367830508.098 1367830508.099 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 118.69.195.248
Egg Source List: 118.69.195.248
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/06/2013 02:06:54.375 PDT
Gen. Time: 05/06/2013 02:06:59.155 PDT

INBOUND SCAN

EXPLOIT
118.69.195.248 (02:06:54.375 PDT)
  event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
  445<-4072 (02:06:54.375 PDT)

EXPLOIT MALWARE DNS

EGG DOWNLOAD
118.69.195.248 (02:06:59.155 PDT)
  event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
  49068<-6417 (02:06:59.155 PDT)

C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1367831214.375 1367831214.376 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 114.39.81.81
Egg Source List: 114.39.81.81
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/06/2013 02:42:46.221 PDT
Gen. Time: 05/06/2013 02:42:49.054 PDT

INBOUND SCAN

EXPLOIT
114.39.81.81 (02:42:46.221 PDT)
  event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
  445<-2343 (02:42:46.221 PDT)

EXPLOIT MALWARE DNS

EGG DOWNLOAD
114.39.81.81 (02:42:49.054 PDT)
  event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
  47256<-1293 (02:42:49.054 PDT)

C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1367833366.221 1367833366.222 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 203.81.72.82, 200.95.144.198, 212.225.205.9
Egg Source List: 200.95.144.198
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/06/2013 02:47:27.100 PDT
Gen. Time: 05/06/2013 02:48:04.699 PDT

INBOUND SCAN

EXPLOIT
203.81.72.82 (02:47:41.492 PDT)
  event=1:22465 {tcp} E2[rb] GPL NETBIOS SMB-DS IPC$ share access, [] MAC_Dst: 00:21:5A:08:EC:40
  445<-37501 (02:47:41.492 PDT)
200.95.144.198 (02:48:01.545 PDT)
  event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
  445<-4328 (02:48:01.545 PDT)
212.225.205.9 (02:47:27.100 PDT)
  event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
  445<-1101 (02:47:27.100 PDT)

EXPLOIT MALWARE DNS

EGG DOWNLOAD
200.95.144.198 (02:48:04.699 PDT)
  event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
  46399<-8939 (02:48:04.699 PDT)

C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1367833647.100 1367833647.101 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 195.24.90.59
Egg Source List: 195.24.90.59
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/06/2013 03:00:45.961 PDT
Gen. Time: 05/06/2013 03:00:50.729 PDT

INBOUND SCAN

EXPLOIT
195.24.90.59 (03:00:45.961 PDT)
  event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
  445<-4974 (03:00:45.961 PDT)

EXPLOIT MALWARE DNS

EGG DOWNLOAD
195.24.90.59 (03:00:50.729 PDT)
  event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
  41656<-3120 (03:00:50.729 PDT)

C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1367834445.961 1367834445.962 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 108.170.55.147
Egg Source List: 108.170.55.147
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/06/2013 03:24:37.754 PDT
Gen. Time: 05/06/2013 03:24:40.422 PDT

INBOUND SCAN

EXPLOIT
108.170.55.147 (03:24:37.754 PDT)
  event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
  445<-3598 (03:24:37.754 PDT)

EXPLOIT MALWARE DNS

EGG DOWNLOAD
108.170.55.147 (03:24:40.422 PDT)
  event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
  52974<-6584 (03:24:40.422 PDT)

C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1367835877.754 1367835877.755 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 190.203.169.83, 31.176.186.9, 202.69.107.118, 108.170.55.147
Egg Source List: 108.170.55.147, 192.168.2.101
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/06/2013 03:24:37.754 PDT
Gen. Time: 05/06/2013 03:34:09.057 PDT

INBOUND SCAN

EXPLOIT
190.203.169.83 (03:29:48.193 PDT)
  event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
  445<-4103 (03:29:48.193 PDT)
31.176.186.9 (03:27:32.263 PDT)
  event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
  445<-4292 (03:27:32.263 PDT)
202.69.107.118 (03:31:12.392 PDT)
  event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
  445<-1932 (03:31:12.392 PDT)
108.170.55.147 (03:24:37.754 PDT)
  event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
  445<-3598 (03:24:37.754 PDT)

EXPLOIT MALWARE DNS

EGG DOWNLOAD
108.170.55.147 (03:24:40.422 PDT)
  event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
  52974<-6584 (03:24:40.422 PDT)
192.168.2.101 (16) (03:25:11.668 PDT-03:25:36.956 PDT)
  event=1:1444 (5) {udp} E3[rb] TFTP GET from external source, [] MAC_Src: 00:21:5A:08:EC:40
  5: 37648->69 (03:25:11.668 PDT-03:25:31.783 PDT)
  -------------------------
  event=1:2008120 (5) {udp} E3[rb] ET POLICY Outbound TFTP Read Request, [] MAC_Src: 00:21:5A:08:EC:40
  5: 37648->69 (03:25:11.668 PDT-03:25:31.783 PDT)
  -------------------------
  event=1:3001441 (6) {udp} E3[rb] TFTP GET .exe from external source, [] MAC_Src: 00:21:5A:08:EC:40
  6: 37648->69 (03:25:11.668 PDT-03:25:36.956 PDT)

C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1367835877.754 1367835936.957 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 89.46.14.142
Egg Source List: 89.46.14.142
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/06/2013 03:36:40.049 PDT
Gen. Time: 05/06/2013 03:36:42.919 PDT

INBOUND SCAN

EXPLOIT
89.46.14.142 (03:36:40.049 PDT)
  event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
  445<-1781 (03:36:40.049 PDT)

EXPLOIT MALWARE DNS

EGG DOWNLOAD
89.46.14.142 (03:36:42.919 PDT)
  event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
  35735<-3838 (03:36:42.919 PDT)

C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1367836600.049 1367836600.050 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 188.6.49.15, 89.46.14.142, 84.2.254.108, 213.171.97.86
Egg Source List: 89.46.14.142, 84.2.254.108, 192.168.0.100
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/06/2013 03:36:40.049 PDT
Gen. Time: 05/06/2013 04:45:43.783 PDT

INBOUND SCAN

EXPLOIT
188.6.49.15 (03:52:02.382 PDT)
  event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
  445<-1451 (03:52:02.382 PDT)
89.46.14.142 (14) (03:36:40.049 PDT)
  event=1:22009201 (14) {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
  445<-1781 (03:36:40.049 PDT) 445<-2052 (03:44:11.964 PDT) 445<-3269 (03:45:19.880 PDT) 445<-1806 (03:46:48.777 PDT) 445<-3677 (03:48:06.316 PDT) 445<-1766 (03:50:56.335 PDT) 445<-1211 (03:52:16.461 PDT) 445<-2483 (03:53:14.647 PDT) 445<-1363 (03:54:25.843 PDT) 445<-3855 (03:55:44.791 PDT) 445<-2593 (03:56:57.241 PDT) 445<-4186 (03:58:02.245 PDT) 445<-2715 (03:59:11.475 PDT) 445<-4090 (04:00:21.056 PDT)
84.2.254.108 (03:38:40.206 PDT)
  event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
  445<-2347 (03:38:40.206 PDT)
213.171.97.86 (03:51:16.469 PDT)
  event=1:22465 {tcp} E2[rb] GPL NETBIOS SMB-DS IPC$ share access, [] MAC_Dst: 00:21:5A:08:EC:40
  445<-4932 (03:51:16.469 PDT)

EXPLOIT MALWARE DNS

EGG DOWNLOAD
89.46.14.142 (03:36:42.919 PDT)
  event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
  35735<-3838 (03:36:42.919 PDT)
84.2.254.108 (03:38:44.154 PDT)
  event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
  45223<-8669 (03:38:44.154 PDT)
192.168.0.100 (15) (03:42:02.614 PDT-03:42:22.837 PDT)
  event=1:1444 (5) {udp} E3[rb] TFTP GET from external source, [] MAC_Src: 00:21:5A:08:EC:40
  5: 53160->69 (03:42:02.614 PDT-03:42:22.837 PDT)
  -------------------------
  event=1:2008120 (5) {udp} E3[rb] ET POLICY Outbound TFTP Read Request, [] MAC_Src: 00:21:5A:08:EC:40
  5: 53160->69 (03:42:02.614 PDT-03:42:22.837 PDT)
  -------------------------
  event=1:3001441 (5) {udp} E3[rb] TFTP GET .exe from external source, [] MAC_Src: 00:21:5A:08:EC:40
  5: 53160->69 (03:42:02.614 PDT-03:42:22.837 PDT)

C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1367836600.049 1367836942.838 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 189.61.199.213
Egg Source List: 189.61.199.213
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/06/2013 04:46:10.950 PDT
Gen. Time: 05/06/2013 04:46:13.975 PDT

INBOUND SCAN

EXPLOIT
189.61.199.213 (04:46:10.950 PDT)
  event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
  445<-2097 (04:46:10.950 PDT)

EXPLOIT MALWARE DNS

EGG DOWNLOAD
189.61.199.213 (04:46:13.975 PDT)
  event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
  43638<-2283 (04:46:13.975 PDT)

C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1367840770.950 1367840770.951 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 122.169.202.78
Egg Source List: 122.169.202.78
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/06/2013 04:55:36.522 PDT
Gen. Time: 05/06/2013 04:55:39.827 PDT

INBOUND SCAN

EXPLOIT
122.169.202.78 (04:55:36.522 PDT)
  event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
  445<-2101 (04:55:36.522 PDT)

EXPLOIT MALWARE DNS

EGG DOWNLOAD
122.169.202.78 (04:55:39.827 PDT)
  event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
  51607<-9519 (04:55:39.827 PDT)

C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1367841336.522 1367841336.523 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 120.88.40.71
Egg Source List: 120.88.40.71
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/06/2013 05:05:27.955 PDT
Gen. Time: 05/06/2013 05:05:31.843 PDT

INBOUND SCAN

EXPLOIT
120.88.40.71 (05:05:27.955 PDT)
  event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
  445<-2498 (05:05:27.955 PDT)

EXPLOIT MALWARE DNS

EGG DOWNLOAD
120.88.40.71 (05:05:31.843 PDT)
  event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
  34818<-5472 (05:05:31.843 PDT)

C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1367841927.955 1367841927.956 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 60.35.6.113, 120.88.40.71
Egg Source List: 120.88.40.71
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/06/2013 05:05:27.955 PDT
Gen. Time: 05/06/2013 05:08:32.622 PDT

INBOUND SCAN

EXPLOIT
60.35.6.113 (05:07:16.988 PDT)
  event=1:22514 {tcp} E2[rb] GPL NETBIOS SMB-DS DCERPC LSASS DsRolerUpgradeDownlevelServer exploit attempt, [] MAC_Dst: 00:21:5A:08:EC:40
  445<-55040 (05:07:16.988 PDT)
120.88.40.71 (05:05:27.955 PDT)
  event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
  445<-2498 (05:05:27.955 PDT)

EXPLOIT MALWARE DNS

EGG DOWNLOAD
120.88.40.71 (05:05:31.843 PDT)
  event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
  34818<-5472 (05:05:31.843 PDT)

C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1367841927.955 1367841927.956 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 194.63.141.65
Egg Source List: 194.63.141.65
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/06/2013 05:46:21.414 PDT
Gen. Time: 05/06/2013 05:46:24.271 PDT

INBOUND SCAN

EXPLOIT
194.63.141.65 (05:46:21.414 PDT)
  event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
  445<-4557 (05:46:21.414 PDT)

EXPLOIT MALWARE DNS

EGG DOWNLOAD
194.63.141.65 (05:46:24.271 PDT)
  event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
  57223<-9303 (05:46:24.271 PDT)

C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1367844381.414 1367844381.415 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 118.69.195.248, 194.63.141.65
Egg Source List: 118.69.195.248, 194.63.141.65
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/06/2013 05:46:21.414 PDT
Gen. Time: 05/06/2013 05:51:39.759 PDT

INBOUND SCAN

EXPLOIT
118.69.195.248 (05:48:08.724 PDT)
  event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
  445<-1882 (05:48:08.724 PDT)
194.63.141.65 (05:46:21.414 PDT)
  event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
  445<-4557 (05:46:21.414 PDT)

EXPLOIT MALWARE DNS

EGG DOWNLOAD
118.69.195.248 (05:48:12.031 PDT)
  event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
  38822<-6417 (05:48:12.031 PDT)
194.63.141.65 (05:46:24.271 PDT)
  event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
  57223<-9303 (05:46:24.271 PDT)

C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1367844381.414 1367844381.415 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 212.107.229.194
Egg Source List: 212.107.229.194
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/06/2013 06:01:28.289 PDT
Gen. Time: 05/06/2013 06:01:31.616 PDT

INBOUND SCAN

EXPLOIT
212.107.229.194 (06:01:28.289 PDT)
  event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
  445<-2406 (06:01:28.289 PDT)

EXPLOIT MALWARE DNS

EGG DOWNLOAD
212.107.229.194 (06:01:31.616 PDT)
  event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
  40708<-6242 (06:01:31.616 PDT)

C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1367845288.289 1367845288.290 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 212.107.229.194
Egg Source List: 212.107.229.194
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/06/2013 06:01:28.289 PDT
Gen. Time: 05/06/2013 06:16:55.088 PDT

INBOUND SCAN

EXPLOIT
212.107.229.194 (16) (06:01:28.289 PDT)
  event=1:22009201 (16) {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
  445<-2406 (06:01:28.289 PDT) 445<-1404 (06:02:27.070 PDT) 445<-3646 (06:03:20.281 PDT) 445<-2597 (06:04:21.042 PDT) 445<-1279 (06:05:20.472 PDT) 445<-3519 (06:06:09.828 PDT) 445<-2377 (06:07:13.600 PDT) 445<-1179 (06:08:11.399 PDT) 445<-3311 (06:09:03.659 PDT) 445<-2199 (06:10:02.615 PDT) 445<-1093 (06:11:06.394 PDT) 445<-3317 (06:11:55.237 PDT) 445<-2073 (06:12:56.888 PDT) 445<-1254 (06:13:58.361 PDT) 445<-4188 (06:14:49.450 PDT) 445<-3257 (06:15:47.251 PDT)

EXPLOIT MALWARE DNS

EGG DOWNLOAD
212.107.229.194 (16) (06:01:31.616 PDT)
  event=1:2001685 (16) {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
  40708<-6242 (06:01:31.616 PDT) 40745<-6242 (06:02:31.148 PDT) 40772<-6242 (06:03:23.233 PDT) 40811<-6242 (06:04:24.072 PDT) 40853<-6242 (06:05:23.354 PDT) 45133<-6242 (06:06:13.541 PDT) 45177<-6242 (06:07:17.235 PDT) 45309<-6242 (06:08:15.651 PDT) 45403<-6242 (06:09:07.423 PDT) 45440<-6242 (06:10:07.744 PDT) 48467<-6242 (06:11:09.465 PDT) 48507<-6242 (06:11:58.756 PDT) 48595<-6242 (06:12:59.846 PDT) 48635<-6242 (06:14:01.643 PDT) 48663<-6242 (06:14:52.446 PDT) 48702<-6242 (06:15:52.133 PDT)

C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1367845288.289 1367845288.290 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 212.107.229.194
Egg Source List: 212.107.229.194
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/06/2013 06:16:56.759 PDT
Gen. Time: 05/06/2013 06:17:01.121 PDT

INBOUND SCAN

EXPLOIT
212.107.229.194 (06:16:56.759 PDT)
  event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
  445<-2228 (06:16:56.759 PDT)

EXPLOIT MALWARE DNS

EGG DOWNLOAD
212.107.229.194 (06:17:01.121 PDT)
  event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
  37986<-6242 (06:17:01.121 PDT)

C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1367846216.759 1367846216.760 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 200.95.144.198
Egg Source List: 200.95.144.198
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/06/2013 06:29:06.995 PDT
Gen. Time: 05/06/2013 06:29:09.698 PDT

INBOUND SCAN

EXPLOIT
200.95.144.198 (06:29:06.995 PDT)
  event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
  445<-4131 (06:29:06.995 PDT)

EXPLOIT MALWARE DNS

EGG DOWNLOAD
200.95.144.198 (06:29:09.698 PDT)
  event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
  42468<-8939 (06:29:09.698 PDT)

C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1367846946.995 1367846946.996 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 114.39.81.81, 200.95.144.198
Egg Source List: 114.39.81.81, 200.95.144.198
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/06/2013 06:29:06.995 PDT
Gen.
Time: 05/06/2013 06:32:24.915 PDT INBOUND SCAN EXPLOIT 114.39.81.81 (06:30:17.090 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-1157 (06:30:17.090 PDT) 200.95.144.198 (06:29:06.995 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-4131 (06:29:06.995 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 114.39.81.81 (06:30:20.462 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 42055<-1293 (06:30:20.462 PDT) 200.95.144.198 (06:29:09.698 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 42468<-8939 (06:29:09.698 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1367846946.995 1367846946.996 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 122.145.157.18, 84.252.23.72, 197.87.67.52 Egg Source List: 84.252.23.72 C & C List: Peer Coord. List: Resource List: Observed Start: 05/06/2013 06:43:55.581 PDT Gen. 
Time: 05/06/2013 06:46:06.628 PDT INBOUND SCAN EXPLOIT 122.145.157.18 (06:43:55.581 PDT) event=1:22514 {tcp} E2[rb] GPL NETBIOS SMB-DS DCERPC LSASS DsRolerUpgradeDownlevelServer exploit attempt, [] MAC_Dst: 00:21:5A:08:EC:40 445<-1496 (06:43:55.581 PDT) 84.252.23.72 (06:46:02.954 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-2372 (06:46:02.954 PDT) 197.87.67.52 (06:45:22.513 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-3235 (06:45:22.513 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 84.252.23.72 (06:46:06.628 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 51433<-4062 (06:46:06.628 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1367847835.581 1367847835.582 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 89.180.209.101, 122.145.157.18, 84.252.23.72, 197.87.67.52 Egg Source List: 84.252.23.72 C & C List: Peer Coord. List: Resource List: Observed Start: 05/06/2013 06:43:55.581 PDT Gen. 
Time: 05/06/2013 06:51:51.338 PDT INBOUND SCAN EXPLOIT 89.180.209.101 (3) (06:48:37.627 PDT) event=1:22000032 {tcp} E2[rb] ET EXPLOIT LSA exploit, [] MAC_Dst: 00:21:5A:08:EC:40 445<-1337 (06:48:37.635 PDT) ------------------------- event=1:22000033 {tcp} E2[rb] ET NETBIOS MS04011 Lsasrv.dll RPC exploit (WinXP), [] MAC_Dst: 00:21:5A:08:EC:40 445<-1337 (06:48:37.632 PDT) ------------------------- event=1:22514 {tcp} E2[rb] GPL NETBIOS SMB-DS DCERPC LSASS DsRolerUpgradeDownlevelServer exploit attempt, [] MAC_Dst: 00:21:5A:08:EC:40 445<-1337 (06:48:37.627 PDT) 122.145.157.18 (06:43:55.581 PDT) event=1:22514 {tcp} E2[rb] GPL NETBIOS SMB-DS DCERPC LSASS DsRolerUpgradeDownlevelServer exploit attempt, [] MAC_Dst: 00:21:5A:08:EC:40 445<-1496 (06:43:55.581 PDT) 84.252.23.72 (06:46:02.954 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-2372 (06:46:02.954 PDT) 197.87.67.52 (06:45:22.513 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-3235 (06:45:22.513 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 84.252.23.72 (06:46:06.628 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 51433<-4062 (06:46:06.628 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1367847835.581 1367847835.582 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 212.68.34.90 Egg Source List: 212.68.34.90 C & C List: Peer Coord. 
List: Resource List: Observed Start: 05/06/2013 07:02:42.532 PDT Gen. Time: 05/06/2013 07:02:46.696 PDT INBOUND SCAN EXPLOIT 212.68.34.90 (07:02:42.532 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-4329 (07:02:42.532 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 212.68.34.90 (07:02:46.696 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 58175<-1701 (07:02:46.696 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1367848962.532 1367848962.533 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 108.170.55.147, 190.36.70.194, 212.68.34.90 Egg Source List: 108.170.55.147, 212.68.34.90 C & C List: Peer Coord. List: Resource List: Observed Start: 05/06/2013 07:02:42.532 PDT Gen. 
Time: 05/06/2013 07:09:53.250 PDT INBOUND SCAN EXPLOIT 108.170.55.147 (07:05:46.775 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-1757 (07:05:46.775 PDT) 190.36.70.194 (07:04:47.938 PDT) event=1:22465 {tcp} E2[rb] GPL NETBIOS SMB-DS IPC$ share access, [] MAC_Dst: 00:21:5A:08:EC:40 445<-59235 (07:04:47.938 PDT) 212.68.34.90 (07:02:42.532 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-4329 (07:02:42.532 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 108.170.55.147 (07:05:51.159 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 59271<-6584 (07:05:51.159 PDT) 212.68.34.90 (07:02:46.696 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 58175<-1701 (07:02:46.696 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1367848962.532 1367848962.533 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 222.39.224.195 Egg Source List: 222.39.224.195 C & C List: Peer Coord. List: Resource List: Observed Start: 05/06/2013 07:15:26.178 PDT Gen. 
Time: 05/06/2013 07:15:29.931 PDT INBOUND SCAN EXPLOIT 222.39.224.195 (07:15:26.178 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-1721 (07:15:26.178 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 222.39.224.195 (07:15:29.931 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 56237<-7988 (07:15:29.931 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1367849726.178 1367849726.179 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.9 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 31.176.186.9, 202.69.107.118, 124.123.185.24, 178.44.173.170, 222.39.224.195 Egg Source List: 31.176.186.9, 202.69.107.118, 124.123.185.24, 178.44.173.170, 222.39.224.195 C & C List: 60.253.96.9 Peer Coord. List: Resource List: Observed Start: 05/06/2013 07:15:26.178 PDT Gen. 
Time: 05/06/2013 07:25:55.094 PDT INBOUND SCAN EXPLOIT 31.176.186.9 (07:21:10.566 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-2108 (07:21:10.566 PDT) 202.69.107.118 (07:23:32.660 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-4976 (07:23:32.660 PDT) 124.123.185.24 (07:22:19.093 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-4275 (07:22:19.093 PDT) 178.44.173.170 (07:18:43.069 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-1348 (07:18:43.069 PDT) 222.39.224.195 (07:15:26.178 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-1721 (07:15:26.178 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 31.176.186.9 (07:21:14.185 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 34950<-1118 (07:21:14.185 PDT) 202.69.107.118 (07:23:37.187 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 56680<-2885 (07:23:37.187 PDT) 124.123.185.24 (07:22:22.323 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 57113<-1433 (07:22:22.323 PDT) 178.44.173.170 (07:18:46.999 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 58359<-2354 (07:18:46.999 PDT) 222.39.224.195 (07:15:29.931 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 56237<-7988 (07:15:29.931 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) 60.253.96.9 (07:18:19.587 PDT) event=1:3810007 
{tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:EC:40 43434->80 (07:18:19.587 PDT) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1367849726.178 1367849726.179 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 95.0.5.196 Egg Source List: 95.0.5.196 C & C List: Peer Coord. List: Resource List: Observed Start: 05/06/2013 07:30:26.342 PDT Gen. Time: 05/06/2013 07:30:30.276 PDT INBOUND SCAN EXPLOIT 95.0.5.196 (07:30:26.342 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-1773 (07:30:26.342 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 95.0.5.196 (07:30:30.276 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 36597<-5603 (07:30:30.276 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1367850626.342 1367850626.343 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 194.44.108.207, 95.0.5.196 Egg Source List: 95.0.5.196, 192.168.0.101 C & C List: Peer Coord. List: Resource List: Observed Start: 05/06/2013 07:30:26.342 PDT Gen. 
Time: 05/06/2013 07:37:10.863 PDT INBOUND SCAN EXPLOIT 194.44.108.207 (07:34:09.861 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-2958 (07:34:09.861 PDT) 95.0.5.196 (07:30:26.342 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-1773 (07:30:26.342 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 95.0.5.196 (07:30:30.276 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 36597<-5603 (07:30:30.276 PDT) 192.168.0.101 (16) (07:33:41.120 PDT-07:34:06.580 PDT) event=1:1444 (5) {udp} E3[rb] TFTP GET from external source, [] MAC_Src: 00:21:5A:08:EC:40 5: 56627->69 (07:33:41.120 PDT-07:34:01.272 PDT) ------------------------- event=1:2008120 (5) {udp} E3[rb] ET POLICY Outbound TFTP Read Request, [] MAC_Src: 00:21:5A:08:EC:40 5: 56627->69 (07:33:41.120 PDT-07:34:01.272 PDT) ------------------------- event=1:3001441 (6) {udp} E3[rb] TFTP GET .exe from external source, [] MAC_Src: 00:21:5A:08:EC:40 6: 56627->69 (07:33:41.120 PDT-07:34:06.580 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1367850626.342 1367850846.581 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 36.76.134.79 Egg Source List: 36.76.134.79 C & C List: Peer Coord. List: Resource List: Observed Start: 05/06/2013 07:52:43.215 PDT Gen. 
Time: 05/06/2013 07:52:46.462 PDT INBOUND SCAN EXPLOIT 36.76.134.79 (07:52:43.215 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-45820 (07:52:43.215 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 36.76.134.79 (07:52:46.462 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 52255<-1180 (07:52:46.462 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1367851963.215 1367851963.216 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 190.199.53.100, 46.248.38.227 Egg Source List: 46.248.38.227 C & C List: Peer Coord. List: Resource List: Observed Start: 05/06/2013 07:57:35.314 PDT Gen. 
Time: 05/06/2013 07:57:59.020 PDT INBOUND SCAN EXPLOIT 190.199.53.100 (07:57:35.314 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-3608 (07:57:35.314 PDT) 46.248.38.227 (2) (07:57:54.411 PDT-07:57:55.384 PDT) event=1:22009201 (2) {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 2: 445<-1757 (07:57:54.411 PDT-07:57:55.384 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 46.248.38.227 (07:57:59.020 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 42976<-3187 (07:57:59.020 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1367852255.314 1367852275.385 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 95.167.117.82 Egg Source List: 95.167.117.82 C & C List: Peer Coord. List: Resource List: Observed Start: 05/06/2013 08:06:13.008 PDT Gen. 
Time: 05/06/2013 08:06:16.788 PDT INBOUND SCAN EXPLOIT 95.167.117.82 (08:06:13.008 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-3904 (08:06:13.008 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 95.167.117.82 (08:06:16.788 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 54696<-4993 (08:06:16.788 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1367852773.008 1367852773.009 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 95.167.117.82 Egg Source List: 192.168.0.104, 95.167.117.82 C & C List: Peer Coord. List: Resource List: Observed Start: 05/06/2013 08:06:13.008 PDT Gen. 
Time: 05/06/2013 08:13:56.238 PDT INBOUND SCAN EXPLOIT 95.167.117.82 (08:06:13.008 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-3904 (08:06:13.008 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 192.168.0.104 (16) (08:08:54.538 PDT-08:09:22.543 PDT) event=1:1444 (5) {udp} E3[rb] TFTP GET from external source, [] MAC_Src: 00:21:5A:08:EC:40 5: 37166->69 (08:08:54.538 PDT-08:09:17.529 PDT) ------------------------- event=1:2008120 (5) {udp} E3[rb] ET POLICY Outbound TFTP Read Request, [] MAC_Src: 00:21:5A:08:EC:40 5: 37166->69 (08:08:54.538 PDT-08:09:17.529 PDT) ------------------------- event=1:3001441 (6) {udp} E3[rb] TFTP GET .exe from external source, [] MAC_Src: 00:21:5A:08:EC:40 6: 37166->69 (08:08:54.538 PDT-08:09:22.543 PDT) 95.167.117.82 (08:06:16.788 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 54696<-4993 (08:06:16.788 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1367852773.008 1367852962.544 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 190.72.17.141 Egg Source List: 190.72.17.141 C & C List: Peer Coord. List: Resource List: Observed Start: 05/06/2013 08:14:01.892 PDT Gen. 
Time: 05/06/2013 08:14:08.865 PDT INBOUND SCAN EXPLOIT 190.72.17.141 (08:14:01.892 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-3381 (08:14:01.892 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 190.72.17.141 (08:14:08.865 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 49383<-5947 (08:14:08.865 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1367853241.892 1367853241.893 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 186.124.55.142 Egg Source List: 186.124.55.142 C & C List: Peer Coord. List: Resource List: Observed Start: 05/06/2013 08:44:53.378 PDT Gen. 
Time: 05/06/2013 08:44:56.305 PDT INBOUND SCAN EXPLOIT 186.124.55.142 (08:44:53.378 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-1131 (08:44:53.378 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 186.124.55.142 (08:44:56.305 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 44736<-2694 (08:44:56.305 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1367855093.378 1367855093.379 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 95.87.3.61, 211.53.113.32, 186.124.55.142 Egg Source List: 95.87.3.61, 211.53.113.32, 186.124.55.142 C & C List: Peer Coord. List: Resource List: Observed Start: 05/06/2013 08:44:53.378 PDT Gen. 
Time: 05/06/2013 08:52:39.226 PDT INBOUND SCAN EXPLOIT 95.87.3.61 (08:48:18.078 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-2690 (08:48:18.078 PDT) 211.53.113.32 (08:46:51.316 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-1615 (08:46:51.316 PDT) 186.124.55.142 (08:44:53.378 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-1131 (08:44:53.378 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 95.87.3.61 (08:48:22.346 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 36584<-1314 (08:48:22.346 PDT) 211.53.113.32 (08:46:54.802 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 46752<-1623 (08:46:54.802 PDT) 186.124.55.142 (08:44:56.305 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 44736<-2694 (08:44:56.305 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1367855093.378 1367855093.379 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 84.228.44.104 Egg Source List: 84.228.44.104 C & C List: Peer Coord. List: Resource List: Observed Start: 05/06/2013 08:55:19.467 PDT Gen. 
Time: 05/06/2013 08:55:23.307 PDT INBOUND SCAN EXPLOIT 84.228.44.104 (08:55:19.467 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-3883 (08:55:19.467 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 84.228.44.104 (08:55:23.307 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 44956<-5885 (08:55:23.307 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1367855719.467 1367855719.468 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 189.25.70.152, 96.45.18.112, 177.223.184.140, 84.228.44.104 Egg Source List: 96.45.18.112, 84.228.44.104 C & C List: Peer Coord. List: Resource List: Observed Start: 05/06/2013 08:55:19.467 PDT Gen. 
Time: 05/06/2013 09:00:43.079 PDT INBOUND SCAN EXPLOIT 189.25.70.152 (08:57:44.009 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-2652 (08:57:44.009 PDT) 96.45.18.112 (08:57:52.566 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-2862 (08:57:52.566 PDT) 177.223.184.140 (08:55:44.765 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-4568 (08:55:44.765 PDT) 84.228.44.104 (08:55:19.467 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-3883 (08:55:19.467 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 96.45.18.112 (08:57:55.718 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 44868<-3238 (08:57:55.718 PDT) 84.228.44.104 (08:55:23.307 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 44956<-5885 (08:55:23.307 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1367855719.467 1367855719.468 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 77.38.60.172 Egg Source List: 77.38.60.172 C & C List: Peer Coord. List: Resource List: Observed Start: 05/06/2013 09:06:01.194 PDT Gen. 
Time: 05/06/2013 09:06:08.684 PDT
   INBOUND SCAN
   EXPLOIT
        77.38.60.172 (09:06:01.194 PDT)
          event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
          445<-1702 (09:06:01.194 PDT)
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
        77.38.60.172 (09:06:08.684 PDT)
          event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
          60780<-3604 (09:06:08.684 PDT)
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION Info
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
   DECLARE BOT Local Threat Triggered
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1367856361.194 1367856361.195 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 94.156.155.47
Egg Source List: 94.156.155.47
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/06/2013 09:20:46.007 PDT
Gen. Time: 05/06/2013 09:20:50.682 PDT
   INBOUND SCAN
   EXPLOIT
        94.156.155.47 (09:20:46.007 PDT)
          event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
          445<-2577 (09:20:46.007 PDT)
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
        94.156.155.47 (09:20:50.682 PDT)
          event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
          33745<-7671 (09:20:50.682 PDT)
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION Info
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
   DECLARE BOT Local Threat Triggered
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1367857246.007 1367857246.008 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 194.63.141.65, 5.104.252.37, 94.156.155.47, 120.88.40.71, 190.200.16.93
Egg Source List: 194.63.141.65, 5.104.252.37, 94.156.155.47, 120.88.40.71, 190.200.16.93
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/06/2013 09:20:46.007 PDT
Gen. Time: 05/06/2013 09:32:02.683 PDT
   INBOUND SCAN
   EXPLOIT
        194.63.141.65 (09:27:27.229 PDT)
          event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
          445<-2833 (09:27:27.229 PDT)
        5.104.252.37 (09:26:58.137 PDT)
          event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
          445<-3401 (09:26:58.137 PDT)
        94.156.155.47 (09:20:46.007 PDT)
          event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
          445<-2577 (09:20:46.007 PDT)
        120.88.40.71 (09:28:03.530 PDT)
          event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
          445<-1503 (09:28:03.530 PDT)
        190.200.16.93 (09:23:12.907 PDT)
          event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
          445<-4384 (09:23:12.907 PDT)
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
        194.63.141.65 (09:27:30.110 PDT)
          event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
          43607<-9303 (09:27:30.110 PDT)
        5.104.252.37 (09:27:00.954 PDT)
          event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
          43181<-9655 (09:27:00.954 PDT)
        94.156.155.47 (09:20:50.682 PDT)
          event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
          33745<-7671 (09:20:50.682 PDT)
        120.88.40.71 (09:28:07.471 PDT)
          event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
          56900<-5472 (09:28:07.471 PDT)
        190.200.16.93 (09:23:15.623 PDT)
          event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
          38015<-1190 (09:23:15.623 PDT)
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION Info
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
   DECLARE BOT Local Threat Triggered
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1367857246.007 1367857246.008 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 176.73.215.62
Egg Source List: 176.73.215.62
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/06/2013 09:50:35.570 PDT
Gen. Time: 05/06/2013 09:50:39.422 PDT
   INBOUND SCAN
   EXPLOIT
        176.73.215.62 (09:50:35.570 PDT)
          event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
          445<-2013 (09:50:35.570 PDT)
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
        176.73.215.62 (09:50:39.422 PDT)
          event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
          58596<-3612 (09:50:39.422 PDT)
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION Info
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
   DECLARE BOT Local Threat Triggered
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1367859035.570 1367859035.571 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 181.29.79.142
Egg Source List: 181.29.79.142
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/06/2013 10:02:13.731 PDT
Gen. Time: 05/06/2013 10:02:18.934 PDT
   INBOUND SCAN
   EXPLOIT
        181.29.79.142 (10:02:13.731 PDT)
          event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
          445<-1651 (10:02:13.731 PDT)
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
        181.29.79.142 (10:02:18.934 PDT)
          event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
          44465<-5030 (10:02:18.934 PDT)
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION Info
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
   DECLARE BOT Local Threat Triggered
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1367859733.731 1367859733.732 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'
============================== SEPARATOR ================================
Score: 0.9 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 210.4.15.147
Egg Source List: 210.4.15.147
C & C List: 78.47.111.243
Peer Coord. List:
Resource List:
Observed Start: 05/06/2013 10:16:20.259 PDT
Gen. Time: 05/06/2013 10:17:00.706 PDT
   INBOUND SCAN
   EXPLOIT
        210.4.15.147 (10:16:57.787 PDT)
          event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
          445<-2371 (10:16:57.787 PDT)
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
        210.4.15.147 (10:17:00.706 PDT)
          event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
          59629<-5688 (10:17:00.706 PDT)
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
        78.47.111.243 (10:16:20.259 PDT)
          event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:EC:40
          4815->64114 (10:16:20.259 PDT)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION Info
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
   DECLARE BOT Local Threat Triggered
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1367860580.259 1367860580.260 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'
============================== SEPARATOR ================================
Score: 0.9 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 210.4.15.147
Egg Source List: 210.4.15.147, 192.168.0.177
C & C List: 78.47.111.243
Peer Coord. List:
Resource List:
Observed Start: 05/06/2013 10:16:20.259 PDT
Gen. Time: 05/06/2013 10:20:06.073 PDT
   INBOUND SCAN
   EXPLOIT
        210.4.15.147 (10:16:57.787 PDT)
          event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
          445<-2371 (10:16:57.787 PDT)
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
        210.4.15.147 (10:17:00.706 PDT)
          event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
          59629<-5688 (10:17:00.706 PDT)
        192.168.0.177 (16) (10:17:42.341 PDT-10:18:06.689 PDT)
          event=1:1444 (5) {udp} E3[rb] TFTP GET from external source, [] MAC_Src: 00:21:5A:08:EC:40
          5: 38524->69 (10:17:42.341 PDT-10:18:01.653 PDT)
          -------------------------
          event=1:2008120 (5) {udp} E3[rb] ET POLICY Outbound TFTP Read Request, [] MAC_Src: 00:21:5A:08:EC:40
          5: 38524->69 (10:17:42.341 PDT-10:18:01.653 PDT)
          -------------------------
          event=1:3001441 (6) {udp} E3[rb] TFTP GET .exe from external source, [] MAC_Src: 00:21:5A:08:EC:40
          6: 38524->69 (10:17:42.341 PDT-10:18:06.689 PDT)
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
        78.47.111.243 (10:16:20.259 PDT)
          event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:EC:40
          4815->64114 (10:16:20.259 PDT)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION Info
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
   DECLARE BOT Local Threat Triggered
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1367860580.259 1367860686.690 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 84.252.23.72
Egg Source List: 84.252.23.72
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/06/2013 10:23:51.372 PDT
Gen. Time: 05/06/2013 10:23:55.639 PDT
   INBOUND SCAN
   EXPLOIT
        84.252.23.72 (10:23:51.372 PDT)
          event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
          445<-1751 (10:23:51.372 PDT)
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
        84.252.23.72 (10:23:55.639 PDT)
          event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
          48481<-4062 (10:23:55.639 PDT)
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION Info
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
   DECLARE BOT Local Threat Triggered
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1367861031.372 1367861031.373 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 190.38.0.247
Egg Source List: 190.38.0.247
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/06/2013 11:06:34.517 PDT
Gen. Time: 05/06/2013 11:06:38.308 PDT
   INBOUND SCAN
   EXPLOIT
        190.38.0.247 (11:06:34.517 PDT)
          event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
          445<-3981 (11:06:34.517 PDT)
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
        190.38.0.247 (11:06:38.308 PDT)
          event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
          49954<-1959 (11:06:38.308 PDT)
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION Info
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
   DECLARE BOT Local Threat Triggered
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1367863594.517 1367863594.518 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 194.44.108.207, 95.0.5.196, 128.73.89.175, 190.38.0.247, 109.237.157.21, 222.39.224.195
Egg Source List: 194.44.108.207, 95.0.5.196, 128.73.89.175, 190.38.0.247, 109.237.157.21, 222.39.224.195
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/06/2013 11:06:34.517 PDT
Gen. Time: 05/06/2013 11:18:50.773 PDT
   INBOUND SCAN
   EXPLOIT
        194.44.108.207 (11:15:24.027 PDT)
          event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
          445<-2531 (11:15:24.027 PDT)
        95.0.5.196 (11:11:36.984 PDT)
          event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
          445<-2086 (11:11:36.984 PDT)
        128.73.89.175 (11:07:20.912 PDT)
          event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
          445<-3732 (11:07:20.912 PDT)
        190.38.0.247 (11:06:34.517 PDT)
          event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
          445<-3981 (11:06:34.517 PDT)
        109.237.157.21 (11:08:38.349 PDT)
          event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
          445<-4178 (11:08:38.349 PDT)
        222.39.224.195 (11:07:53.648 PDT)
          event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
          445<-4245 (11:07:53.648 PDT)
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
        194.44.108.207 (11:15:28.696 PDT)
          event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
          60012<-7579 (11:15:28.696 PDT)
        95.0.5.196 (11:11:39.994 PDT)
          event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
          39980<-5603 (11:11:39.994 PDT)
        128.73.89.175 (11:07:25.996 PDT)
          event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
          46788<-2979 (11:07:25.996 PDT)
        190.38.0.247 (11:06:38.308 PDT)
          event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
          49954<-1959 (11:06:38.308 PDT)
        109.237.157.21 (11:08:42.827 PDT)
          event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
          52874<-7564 (11:08:42.827 PDT)
        222.39.224.195 (11:07:56.783 PDT)
          event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
          55791<-7988 (11:07:56.783 PDT)
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION Info
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
   DECLARE BOT Local Threat Triggered
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1367863594.517 1367863594.518 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 95.167.117.82
Egg Source List: 95.167.117.82
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/06/2013 11:47:58.235 PDT
Gen. Time: 05/06/2013 11:48:13.254 PDT
   INBOUND SCAN
   EXPLOIT
        95.167.117.82 (11:47:58.235 PDT)
          event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
          445<-3340 (11:47:58.235 PDT)
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
        95.167.117.82 (11:48:13.254 PDT)
          event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
          56526<-4993 (11:48:13.254 PDT)
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION Info
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
   DECLARE BOT Local Threat Triggered
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1367866078.235 1367866078.236 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 79.52.73.243
Egg Source List: 79.52.73.243
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/06/2013 11:52:17.310 PDT
Gen. Time: 05/06/2013 11:52:26.601 PDT
   INBOUND SCAN
   EXPLOIT
        79.52.73.243 (11:52:17.310 PDT)
          event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
          445<-4099 (11:52:17.310 PDT)
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
        79.52.73.243 (11:52:26.601 PDT)
          event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
          50415<-5336 (11:52:26.601 PDT)
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION Info
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
   DECLARE BOT Local Threat Triggered
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1367866337.310 1367866337.311 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 182.71.87.75
Egg Source List: 182.71.87.75
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/06/2013 11:56:23.655 PDT
Gen. Time: 05/06/2013 11:56:28.506 PDT
   INBOUND SCAN
   EXPLOIT
        182.71.87.75 (11:56:23.655 PDT)
          event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
          445<-3341 (11:56:23.655 PDT)
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
        182.71.87.75 (11:56:28.506 PDT)
          event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
          49853<-5661 (11:56:28.506 PDT)
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION Info
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
   DECLARE BOT Local Threat Triggered
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1367866583.655 1367866583.656 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 2.92.198.115, 182.71.87.75, 190.72.17.141
Egg Source List: 2.92.198.115, 182.71.87.75, 190.72.17.141
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/06/2013 11:56:23.655 PDT
Gen. Time: 05/06/2013 12:01:10.780 PDT
   INBOUND SCAN
   EXPLOIT
        2.92.198.115 (11:57:25.976 PDT)
          event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
          445<-1918 (11:57:25.976 PDT)
        182.71.87.75 (11:56:23.655 PDT)
          event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
          445<-3341 (11:56:23.655 PDT)
        190.72.17.141 (11:57:04.160 PDT)
          event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
          445<-4033 (11:57:04.160 PDT)
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
        2.92.198.115 (11:57:32.288 PDT)
          event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
          47934<-6567 (11:57:32.288 PDT)
        182.71.87.75 (11:56:28.506 PDT)
          event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
          49853<-5661 (11:56:28.506 PDT)
        190.72.17.141 (11:57:08.628 PDT)
          event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
          60448<-5947 (11:57:08.628 PDT)
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION Info
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
   DECLARE BOT Local Threat Triggered
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1367866583.655 1367866583.656 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 74.86.159.21
Egg Source List: 74.86.159.21
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/06/2013 12:10:14.144 PDT
Gen. Time: 05/06/2013 12:10:17.343 PDT
   INBOUND SCAN
   EXPLOIT
        74.86.159.21 (12:10:14.144 PDT)
          event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
          445<-2751 (12:10:14.144 PDT)
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
        74.86.159.21 (12:10:17.343 PDT)
          event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
          60810<-9254 (12:10:17.343 PDT)
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION Info
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
   DECLARE BOT Local Threat Triggered
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1367867414.144 1367867414.145 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 94.102.0.70, 94.73.63.61, 114.42.88.171, 201.122.75.18, 74.86.159.21
Egg Source List: 94.102.0.70, 94.73.63.61, 114.42.88.171, 74.86.159.21
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/06/2013 12:10:14.144 PDT
Gen. Time: 05/06/2013 12:15:51.347 PDT
   INBOUND SCAN
   EXPLOIT
        94.102.0.70 (12:11:25.578 PDT)
          event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
          445<-4661 (12:11:25.578 PDT)
        94.73.63.61 (12:11:18.069 PDT)
          event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
          445<-2534 (12:11:18.069 PDT)
        114.42.88.171 (12:12:10.767 PDT)
          event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
          445<-2391 (12:12:10.767 PDT)
        201.122.75.18 (12:13:31.542 PDT)
          event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
          445<-2851 (12:13:31.542 PDT)
        74.86.159.21 (12:10:14.144 PDT)
          event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
          445<-2751 (12:10:14.144 PDT)
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
        94.102.0.70 (12:11:32.309 PDT)
          event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
          44245<-5851 (12:11:32.309 PDT)
        94.73.63.61 (12:11:23.442 PDT)
          event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
          45614<-4576 (12:11:23.442 PDT)
        114.42.88.171 (12:12:14.561 PDT)
          event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
          52654<-6499 (12:12:14.561 PDT)
        74.86.159.21 (12:10:17.343 PDT)
          event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
          60810<-9254 (12:10:17.343 PDT)
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION Info
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
   DECLARE BOT Local Threat Triggered
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1367867414.144 1367867414.145 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 196.41.126.24, 173.221.131.83
Egg Source List: 196.41.126.24
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/06/2013 12:16:04.895 PDT
Gen. Time: 05/06/2013 12:17:21.078 PDT
   INBOUND SCAN
   EXPLOIT
        196.41.126.24 (12:17:18.121 PDT)
          event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
          445<-1570 (12:17:18.121 PDT)
        173.221.131.83 (12:16:04.895 PDT)
          event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
          445<-24752 (12:16:04.895 PDT)
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
        196.41.126.24 (12:17:21.078 PDT)
          event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
          58083<-6030 (12:17:21.078 PDT)
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION Info
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
   DECLARE BOT Local Threat Triggered
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1367867764.895 1367867764.896 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 217.145.255.75, 219.84.100.46, 196.41.126.24, 173.221.131.83
Egg Source List: 219.84.100.46, 196.41.126.24
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/06/2013 12:16:04.895 PDT
Gen. Time: 05/06/2013 12:22:41.870 PDT
   INBOUND SCAN
   EXPLOIT
        217.145.255.75 (12:18:23.061 PDT)
          event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
          445<-1274 (12:18:23.061 PDT)
        219.84.100.46 (12:18:05.339 PDT)
          event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
          445<-3136 (12:18:05.339 PDT)
        196.41.126.24 (12:17:18.121 PDT)
          event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
          445<-1570 (12:17:18.121 PDT)
        173.221.131.83 (12:16:04.895 PDT)
          event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
          445<-24752 (12:16:04.895 PDT)
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
        219.84.100.46 (12:18:08.543 PDT)
          event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
          41087<-1039 (12:18:08.543 PDT)
        196.41.126.24 (12:17:21.078 PDT)
          event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
          58083<-6030 (12:17:21.078 PDT)
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION Info
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
   DECLARE BOT Local Threat Triggered
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1367867764.895 1367867764.896 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 211.53.113.32
Egg Source List: 211.53.113.32
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/06/2013 12:27:58.846 PDT
Gen. Time: 05/06/2013 12:28:02.251 PDT
   INBOUND SCAN
   EXPLOIT
        211.53.113.32 (12:27:58.846 PDT)
          event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
          445<-2845 (12:27:58.846 PDT)
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
        211.53.113.32 (12:28:02.251 PDT)
          event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
          33890<-1623 (12:28:02.251 PDT)
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION Info
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
   DECLARE BOT Local Threat Triggered
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1367868478.846 1367868478.847 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 96.45.18.112
Egg Source List: 96.45.18.112
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/06/2013 12:38:58.166 PDT
Gen. Time: 05/06/2013 12:39:01.357 PDT
   INBOUND SCAN
   EXPLOIT
        96.45.18.112 (12:38:58.166 PDT)
          event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
          445<-4975 (12:38:58.166 PDT)
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
        96.45.18.112 (12:39:01.357 PDT)
          event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
          36183<-3238 (12:39:01.357 PDT)
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION Info
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
   DECLARE BOT Local Threat Triggered
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1367869138.166 1367869138.167 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 84.228.44.104
Egg Source List: 84.228.44.104
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/06/2013 12:51:59.572 PDT
Gen. Time: 05/06/2013 12:52:06.832 PDT
   INBOUND SCAN
   EXPLOIT
        84.228.44.104 (12:51:59.572 PDT)
          event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
          445<-3330 (12:51:59.572 PDT)
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
        84.228.44.104 (12:52:06.832 PDT)
          event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
          51885<-5885 (12:52:06.832 PDT)
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION Info
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
   DECLARE BOT Local Threat Triggered
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1367869919.572 1367869919.573 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 84.228.44.104
Egg Source List: 192.168.0.35, 84.228.44.104
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/06/2013 12:51:59.572 PDT
Gen. Time: 05/06/2013 12:57:02.786 PDT
   INBOUND SCAN
   EXPLOIT
        84.228.44.104 (12:51:59.572 PDT)
          event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
          445<-3330 (12:51:59.572 PDT)
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
        192.168.0.35 (16) (12:52:10.504 PDT-12:52:35.607 PDT)
          event=1:1444 (5) {udp} E3[rb] TFTP GET from external source, [] MAC_Src: 00:21:5A:08:EC:40
          5: 55381->69 (12:52:10.504 PDT-12:52:30.731 PDT)
          -------------------------
          event=1:2008120 (5) {udp} E3[rb] ET POLICY Outbound TFTP Read Request, [] MAC_Src: 00:21:5A:08:EC:40
          5: 55381->69 (12:52:10.504 PDT-12:52:30.731 PDT)
          -------------------------
          event=1:3001441 (6) {udp} E3[rb] TFTP GET .exe from external source, [] MAC_Src: 00:21:5A:08:EC:40
          6: 55381->69 (12:52:10.504 PDT-12:52:35.607 PDT)
        84.228.44.104 (12:52:06.832 PDT)
          event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
          51885<-5885 (12:52:06.832 PDT)
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION Info
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
   DECLARE BOT Local Threat Triggered
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1367869919.572 1367869955.608 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 77.38.60.172
Egg Source List: 77.38.60.172
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/06/2013 13:20:54.085 PDT
Gen. Time: 05/06/2013 13:20:58.971 PDT
   INBOUND SCAN
   EXPLOIT
        77.38.60.172 (13:20:54.085 PDT)
          event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
          445<-4039 (13:20:54.085 PDT)
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
        77.38.60.172 (13:20:58.971 PDT)
          event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
          32793<-3604 (13:20:58.971 PDT)
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION Info
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
   DECLARE BOT Local Threat Triggered
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1367871654.085 1367871654.086 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 77.36.38.18
Egg Source List: 77.36.38.18
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/06/2013 13:26:46.581 PDT
Gen. Time: 05/06/2013 13:26:50.057 PDT
   INBOUND SCAN
   EXPLOIT
        77.36.38.18 (13:26:46.581 PDT)
          event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
          445<-2529 (13:26:46.581 PDT)
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
        77.36.38.18 (13:26:50.057 PDT)
          event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
          59527<-9747 (13:26:50.057 PDT)
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION Info
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
   DECLARE BOT Local Threat Triggered
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1367872006.581 1367872006.582 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 64.105.200.28
Egg Source List: 64.105.200.28
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/06/2013 13:43:40.532 PDT
Gen. Time: 05/06/2013 13:43:44.615 PDT
   INBOUND SCAN
   EXPLOIT
        64.105.200.28 (13:43:40.532 PDT)
          event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
          445<-1696 (13:43:40.532 PDT)
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
        64.105.200.28 (13:43:44.615 PDT)
          event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
          55296<-3793 (13:43:44.615 PDT)
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION Info
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
   DECLARE BOT Local Threat Triggered
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1367873020.532 1367873020.533 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 64.105.200.28, 190.200.16.93
Egg Source List: 64.105.200.28, 190.200.16.93
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/06/2013 13:43:40.532 PDT
Gen.
Time: 05/06/2013 13:48:57.393 PDT INBOUND SCAN EXPLOIT 64.105.200.28 (13:43:40.532 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-1696 (13:43:40.532 PDT) 190.200.16.93 (13:45:26.144 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-4119 (13:45:26.144 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 64.105.200.28 (13:43:44.615 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 55296<-3793 (13:43:44.615 PDT) 190.200.16.93 (13:45:29.057 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 33368<-1190 (13:45:29.057 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1367873020.532 1367873020.533 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 210.4.15.147 Egg Source List: 210.4.15.147 C & C List: Peer Coord. List: Resource List: Observed Start: 05/06/2013 13:58:06.998 PDT Gen. 
Time: 05/06/2013 13:58:11.333 PDT INBOUND SCAN EXPLOIT 210.4.15.147 (13:58:06.998 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-3874 (13:58:06.998 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 210.4.15.147 (13:58:11.333 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 45759<-5688 (13:58:11.333 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1367873886.998 1367873886.999 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 181.29.79.142 Egg Source List: 181.29.79.142 C & C List: Peer Coord. List: Resource List: Observed Start: 05/06/2013 14:27:45.727 PDT Gen. 
Time: 05/06/2013 14:27:49.879 PDT INBOUND SCAN EXPLOIT 181.29.79.142 (14:27:45.727 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-3178 (14:27:45.727 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 181.29.79.142 (14:27:49.879 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 40542<-5030 (14:27:49.879 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1367875665.727 1367875665.728 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 119.242.120.113, 85.130.15.86 Egg Source List: 85.130.15.86 C & C List: Peer Coord. List: Resource List: Observed Start: 05/06/2013 14:43:04.193 PDT Gen. 
Time: 05/06/2013 14:47:15.684 PDT INBOUND SCAN EXPLOIT 119.242.120.113 (6) (14:43:04.193 PDT-14:43:59.107 PDT) event=1:22000032 (2) {tcp} E2[rb] ET EXPLOIT LSA exploit, [] MAC_Dst: 00:21:5A:08:EC:40 2: 445<-3401 (14:43:59.088 PDT-14:43:59.107 PDT) ------------------------- event=1:22000033 {tcp} E2[rb] ET NETBIOS MS04011 Lsasrv.dll RPC exploit (WinXP), [] MAC_Dst: 00:21:5A:08:EC:40 445<-3401 (14:43:58.879 PDT) ------------------------- event=1:22514 (3) {tcp} E2[rb] GPL NETBIOS SMB-DS DCERPC LSASS DsRolerUpgradeDownlevelServer exploit attempt, [] MAC_Dst: 00:21:5A:08:EC:40 445<-1229 (14:43:04.193 PDT) 2: 445<-3401 (14:43:58.879 PDT-14:43:58.979 PDT) 85.130.15.86 (14:47:11.902 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-3407 (14:47:11.902 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 85.130.15.86 (14:47:15.684 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 48171<-1685 (14:47:15.684 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1367876584.193 1367876639.108 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 112.78.3.136 Egg Source List: 112.78.3.136 C & C List: Peer Coord. List: Resource List: Observed Start: 05/06/2013 15:01:28.582 PDT Gen. 
Time: 05/06/2013 15:01:32.563 PDT INBOUND SCAN EXPLOIT 112.78.3.136 (15:01:28.582 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-4287 (15:01:28.582 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 112.78.3.136 (15:01:32.563 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 34787<-6697 (15:01:32.563 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1367877688.582 1367877688.583 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 94.72.128.138 Egg Source List: 94.72.128.138 C & C List: Peer Coord. List: Resource List: Observed Start: 05/06/2013 15:13:53.057 PDT Gen. 
Time: 05/06/2013 15:13:57.427 PDT INBOUND SCAN EXPLOIT 94.72.128.138 (15:13:53.057 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-11336 (15:13:53.057 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 94.72.128.138 (15:13:57.427 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 37031<-8601 (15:13:57.427 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1367878433.057 1367878433.058 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 74.86.159.21 Egg Source List: 74.86.159.21 C & C List: Peer Coord. List: Resource List: Observed Start: 05/06/2013 15:51:36.011 PDT Gen. 
Time: 05/06/2013 15:51:38.936 PDT INBOUND SCAN EXPLOIT 74.86.159.21 (15:51:36.011 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-2130 (15:51:36.011 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 74.86.159.21 (15:51:38.936 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 43100<-9254 (15:51:38.936 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1367880696.011 1367880696.012 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 94.102.0.70, 94.73.63.61, 114.42.88.171, 74.86.159.21 Egg Source List: 94.102.0.70, 94.73.63.61, 114.42.88.171, 74.86.159.21 C & C List: Peer Coord. List: Resource List: Observed Start: 05/06/2013 15:51:36.011 PDT Gen. 
Time: 05/06/2013 15:56:56.139 PDT INBOUND SCAN EXPLOIT 94.102.0.70 (15:53:04.073 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-4142 (15:53:04.073 PDT) 94.73.63.61 (15:52:32.334 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-1603 (15:52:32.334 PDT) 114.42.88.171 (15:53:19.127 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-3107 (15:53:19.127 PDT) 74.86.159.21 (15:51:36.011 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-2130 (15:51:36.011 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 94.102.0.70 (15:53:06.884 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 37446<-5851 (15:53:06.884 PDT) 94.73.63.61 (15:52:35.394 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 47783<-4576 (15:52:35.394 PDT) 114.42.88.171 (15:53:22.990 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 46229<-6499 (15:53:22.990 PDT) 74.86.159.21 (15:51:38.936 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 43100<-9254 (15:51:38.936 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1367880696.011 1367880696.012 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR 
================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 196.41.126.24 Egg Source List: 196.41.126.24 C & C List: Peer Coord. List: Resource List: Observed Start: 05/06/2013 15:58:32.665 PDT Gen. Time: 05/06/2013 15:58:36.496 PDT INBOUND SCAN EXPLOIT 196.41.126.24 (15:58:32.665 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-4005 (15:58:32.665 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 196.41.126.24 (15:58:36.496 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 43076<-6030 (15:58:36.496 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1367881112.665 1367881112.666 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 219.84.100.46, 196.41.126.24, 58.91.171.64 Egg Source List: 219.84.100.46, 196.41.126.24, 58.91.171.64 C & C List: Peer Coord. List: Resource List: Observed Start: 05/06/2013 15:58:32.665 PDT Gen. 
Time: 05/06/2013 16:04:18.773 PDT INBOUND SCAN EXPLOIT 219.84.100.46 (15:59:17.239 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-3184 (15:59:17.239 PDT) 196.41.126.24 (15:58:32.665 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-4005 (15:58:32.665 PDT) 58.91.171.64 (16:00:15.352 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-3019 (16:00:15.352 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 219.84.100.46 (15:59:20.642 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 57708<-1039 (15:59:20.642 PDT) 196.41.126.24 (15:58:36.496 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 43076<-6030 (15:58:36.496 PDT) 58.91.171.64 (16:00:18.185 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 57474<-7423 (16:00:18.185 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1367881112.665 1367881112.666 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 109.173.51.95 Egg Source List: 109.173.51.95 C & C List: Peer Coord. List: Resource List: Observed Start: 05/06/2013 16:08:11.469 PDT Gen. 
Time: 05/06/2013 16:08:14.945 PDT INBOUND SCAN EXPLOIT 109.173.51.95 (16:08:11.469 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-2867 (16:08:11.469 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 109.173.51.95 (16:08:14.945 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 44557<-1161 (16:08:14.945 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1367881691.469 1367881691.470 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 77.36.38.18 Egg Source List: 77.36.38.18 C & C List: Peer Coord. List: Resource List: Observed Start: 05/06/2013 17:15:06.845 PDT Gen. 
Time: 05/06/2013 17:15:10.317 PDT INBOUND SCAN EXPLOIT 77.36.38.18 (17:15:06.845 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-2777 (17:15:06.845 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 77.36.38.18 (17:15:10.317 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 49870<-9747 (17:15:10.317 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1367885706.845 1367885706.846 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 119.46.162.98, 109.237.157.21 Egg Source List: 109.237.157.21 C & C List: Peer Coord. List: Resource List: Observed Start: 05/06/2013 17:41:23.960 PDT Gen. 
Time: 05/06/2013 17:41:34.191 PDT INBOUND SCAN EXPLOIT 119.46.162.98 (17:41:34.256 PDT) event=1:22465 {tcp} E2[rb] GPL NETBIOS SMB-DS IPC$ share access, [] MAC_Dst: 00:21:5A:08:EC:40 445<-19414 (17:41:34.256 PDT) 109.237.157.21 (17:41:23.960 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-2068 (17:41:23.960 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 109.237.157.21 (17:41:34.191 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 35880<-7564 (17:41:34.191 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1367887283.960 1367887283.961 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 119.46.162.98, 109.237.157.21, 187.10.244.138 Egg Source List: 109.237.157.21, 187.10.244.138 C & C List: Peer Coord. List: Resource List: Observed Start: 05/06/2013 17:41:23.960 PDT Gen. 
Time: 05/06/2013 17:46:04.551 PDT INBOUND SCAN EXPLOIT 119.46.162.98 (17:41:34.256 PDT) event=1:22465 {tcp} E2[rb] GPL NETBIOS SMB-DS IPC$ share access, [] MAC_Dst: 00:21:5A:08:EC:40 445<-19414 (17:41:34.256 PDT) 109.237.157.21 (17:41:23.960 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-2068 (17:41:23.960 PDT) 187.10.244.138 (17:42:46.603 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-1445 (17:42:46.603 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 109.237.157.21 (17:41:34.191 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 35880<-7564 (17:41:34.191 PDT) 187.10.244.138 (17:42:54.575 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 50210<-7935 (17:42:54.575 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1367887283.960 1367887283.961 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 85.130.15.86 Egg Source List: 85.130.15.86 C & C List: Peer Coord. List: Resource List: Observed Start: 05/06/2013 18:29:58.212 PDT Gen. 
Time: 05/06/2013 18:30:01.274 PDT INBOUND SCAN EXPLOIT 85.130.15.86 (18:29:58.212 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-3417 (18:29:58.212 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 85.130.15.86 (18:30:01.274 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 57662<-1685 (18:30:01.274 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1367890198.212 1367890198.213 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 112.78.3.136 Egg Source List: 112.78.3.136 C & C List: Peer Coord. List: Resource List: Observed Start: 05/06/2013 18:42:43.537 PDT Gen. 
Time: 05/06/2013 18:42:46.437 PDT INBOUND SCAN EXPLOIT 112.78.3.136 (18:42:43.537 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-3629 (18:42:43.537 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 112.78.3.136 (18:42:46.437 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 45012<-6697 (18:42:46.437 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1367890963.537 1367890963.538 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 94.72.128.138 Egg Source List: 94.72.128.138 C & C List: Peer Coord. List: Resource List: Observed Start: 05/06/2013 18:55:03.640 PDT Gen. 
Time: 05/06/2013 18:55:07.010 PDT INBOUND SCAN EXPLOIT 94.72.128.138 (18:55:03.640 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-15726 (18:55:03.640 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 94.72.128.138 (18:55:07.010 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 43828<-8601 (18:55:07.010 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1367891703.640 1367891703.641 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 190.200.16.93 Egg Source List: 190.200.16.93 C & C List: Peer Coord. List: Resource List: Observed Start: 05/06/2013 18:59:01.888 PDT Gen. 
Time: 05/06/2013 18:59:05.865 PDT INBOUND SCAN EXPLOIT 190.200.16.93 (18:59:01.888 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-2262 (18:59:01.888 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 190.200.16.93 (18:59:05.865 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 35311<-1190 (18:59:05.865 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1367891941.888 1367891941.889 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 1.3 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 190.200.16.93 Egg Source List: 190.200.16.93 C & C List: Peer Coord. List: Resource List: Observed Start: 05/06/2013 18:59:01.888 PDT Gen. 
Time: 05/06/2013 19:07:08.874 PDT INBOUND SCAN EXPLOIT 190.200.16.93 (18:59:01.888 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-2262 (18:59:01.888 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 190.200.16.93 (18:59:05.865 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 35311<-1190 (18:59:05.865 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN 173.242.123.155 (19:03:11.956 PDT) event=1:2008578 {udp} E5[rb] ET SCAN Sipvicious Scan, [] MAC_Src: 00:21:5A:08:EC:40 5060->5060 (19:03:11.956 PDT) ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1367891941.888 1367891941.889 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 218.173.48.87 Egg Source List: 218.173.48.87 C & C List: Peer Coord. List: Resource List: Observed Start: 05/06/2013 19:09:12.251 PDT Gen. 
Time: 05/06/2013 19:09:15.067 PDT INBOUND SCAN EXPLOIT 218.173.48.87 (19:09:12.251 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-4115 (19:09:12.251 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 218.173.48.87 (19:09:15.067 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 41346<-6214 (19:09:15.067 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1367892552.251 1367892552.252 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 94.40.29.68 Egg Source List: 94.40.29.68 C & C List: Peer Coord. List: Resource List: Observed Start: 05/06/2013 19:29:04.961 PDT Gen. 
Time: 05/06/2013 19:29:08.265 PDT INBOUND SCAN EXPLOIT 94.40.29.68 (19:29:04.961 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-2343 (19:29:04.961 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 94.40.29.68 (19:29:08.265 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 45550<-1215 (19:29:08.265 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1367893744.961 1367893744.962 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 109.173.51.95 Egg Source List: 109.173.51.95 C & C List: Peer Coord. List: Resource List: Observed Start: 05/06/2013 19:50:18.223 PDT Gen. 
Time: 05/06/2013 19:50:22.067 PDT

INBOUND SCAN
EXPLOIT
109.173.51.95 (19:50:18.223 PDT)
  event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
  445<-3883 (19:50:18.223 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
109.173.51.95 (19:50:22.067 PDT)
  event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
  58931<-1161 (19:50:22.067 PDT)
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1367895018.223 1367895018.224 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 176.14.128.146
Egg Source List: 176.14.128.146
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/06/2013 20:02:59.075 PDT
Gen. Time: 05/06/2013 20:03:03.242 PDT

INBOUND SCAN
EXPLOIT
176.14.128.146 (20:02:59.075 PDT)
  event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
  445<-3824 (20:02:59.075 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
176.14.128.146 (20:03:03.242 PDT)
  event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
  49131<-7800 (20:03:03.242 PDT)
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1367895779.075 1367895779.076 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 81.13.75.182
Egg Source List: 192.168.2.100
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/06/2013 20:09:00.995 PDT
Gen. Time: 05/06/2013 20:11:40.265 PDT

INBOUND SCAN
EXPLOIT
81.13.75.182 (20:11:40.265 PDT)
  event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
  445<-3465 (20:11:40.265 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
192.168.2.100 (17) (20:09:00.995 PDT-20:09:26.197 PDT)
  event=1:1444 (5) {udp} E3[rb] TFTP GET from external source, [] MAC_Src: 00:21:5A:08:EC:40
  5: 40605->69 (20:09:00.995 PDT-20:09:21.002 PDT)
  -------------------------
  event=1:2008120 (6) {udp} E3[rb] ET POLICY Outbound TFTP Read Request, [] MAC_Src: 00:21:5A:08:EC:40
  6: 40605->69 (20:09:00.995 PDT-20:09:26.197 PDT)
  -------------------------
  event=1:3001441 (6) {udp} E3[rb] TFTP GET .exe from external source, [] MAC_Src: 00:21:5A:08:EC:40
  6: 40605->69 (20:09:00.995 PDT-20:09:26.197 PDT)
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1367896140.995 1367896166.198 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 61.36.83.77
Egg Source List: 61.36.83.77
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/06/2013 20:36:14.190 PDT
Gen. Time: 05/06/2013 20:36:17.804 PDT

INBOUND SCAN
EXPLOIT
61.36.83.77 (20:36:14.190 PDT)
  event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
  445<-1518 (20:36:14.190 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
61.36.83.77 (20:36:17.804 PDT)
  event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
  33464<-6387 (20:36:17.804 PDT)
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1367897774.190 1367897774.191 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 187.10.244.138
Egg Source List: 187.10.244.138
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/06/2013 21:24:00.727 PDT
Gen. Time: 05/06/2013 21:24:05.369 PDT

INBOUND SCAN
EXPLOIT
187.10.244.138 (21:24:00.727 PDT)
  event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
  445<-3050 (21:24:00.727 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
187.10.244.138 (21:24:05.369 PDT)
  event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
  53207<-7935 (21:24:05.369 PDT)
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1367900640.727 1367900640.728 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 91.183.1.42
Egg Source List: 91.183.1.42
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/06/2013 21:33:30.894 PDT
Gen. Time: 05/06/2013 21:33:36.812 PDT

INBOUND SCAN
EXPLOIT
91.183.1.42 (21:33:30.894 PDT)
  event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
  445<-1926 (21:33:30.894 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
91.183.1.42 (21:33:36.812 PDT)
  event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
  60169<-6695 (21:33:36.812 PDT)
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1367901210.894 1367901210.895 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 207.44.146.50
Egg Source List: 207.44.146.50
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/06/2013 21:44:36.508 PDT
Gen. Time: 05/06/2013 21:44:41.042 PDT

INBOUND SCAN
EXPLOIT
207.44.146.50 (21:44:36.508 PDT)
  event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
  445<-3261 (21:44:36.508 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
207.44.146.50 (21:44:41.042 PDT)
  event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
  53516<-9946 (21:44:41.042 PDT)
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1367901876.508 1367901876.509 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 176.73.79.71
Egg Source List: 176.73.79.71
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/06/2013 22:00:55.383 PDT
Gen. Time: 05/06/2013 22:00:59.082 PDT

INBOUND SCAN
EXPLOIT
176.73.79.71 (22:00:55.383 PDT)
  event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
  445<-4382 (22:00:55.383 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
176.73.79.71 (22:00:59.082 PDT)
  event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
  54962<-7615 (22:00:59.082 PDT)
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1367902855.383 1367902855.384 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 87.247.93.165
Egg Source List: 87.247.93.165
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/06/2013 22:14:01.470 PDT
Gen. Time: 05/06/2013 22:14:08.120 PDT

INBOUND SCAN
EXPLOIT
87.247.93.165 (22:14:01.470 PDT)
  event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
  445<-1428 (22:14:01.470 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
87.247.93.165 (22:14:08.120 PDT)
  event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
  41393<-8131 (22:14:08.120 PDT)
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1367903641.470 1367903641.471 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 190.200.16.93
Egg Source List: 190.200.16.93
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/06/2013 22:40:23.637 PDT
Gen. Time: 05/06/2013 22:40:29.202 PDT

INBOUND SCAN
EXPLOIT
190.200.16.93 (22:40:23.637 PDT)
  event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
  445<-4492 (22:40:23.637 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
190.200.16.93 (22:40:29.202 PDT)
  event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
  50089<-1190 (22:40:29.202 PDT)
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1367905223.637 1367905223.638 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================