Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 60.249.217.192
Egg Source List: 60.249.217.192
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/07/2013 00:28:37.553 PDT
Gen. Time: 05/07/2013 00:28:40.754 PDT

INBOUND SCAN

EXPLOIT
60.249.217.192 (00:28:37.553 PDT)
  event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
  445<-1888 (00:28:37.553 PDT)

EXPLOIT MALWARE DNS

EGG DOWNLOAD
60.249.217.192 (00:28:40.754 PDT)
  event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
  56903<-5369 (00:28:40.754 PDT)

C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1367911717.553 1367911717.554 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 60.249.217.192
Egg Source List: 192.168.100.3, 60.249.217.192
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/07/2013 00:28:37.553 PDT
Gen. Time: 05/07/2013 00:35:09.275 PDT

INBOUND SCAN

EXPLOIT
60.249.217.192 (00:28:37.553 PDT)
  event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
  445<-1888 (00:28:37.553 PDT)

EXPLOIT MALWARE DNS

EGG DOWNLOAD
192.168.100.3 (16) (00:30:17.018 PDT-00:30:42.112 PDT)
  event=1:1444 (5) {udp} E3[rb] TFTP GET from external source, [] MAC_Src: 00:21:5A:08:EC:40
  5: 36563->69 (00:30:17.018 PDT-00:30:37.075 PDT)
  -------------------------
  event=1:2008120 (5) {udp} E3[rb] ET POLICY Outbound TFTP Read Request, [] MAC_Src: 00:21:5A:08:EC:40
  5: 36563->69 (00:30:17.018 PDT-00:30:37.075 PDT)
  -------------------------
  event=1:3001441 (6) {udp} E3[rb] TFTP GET .exe from external source, [] MAC_Src: 00:21:5A:08:EC:40
  6: 36563->69 (00:30:17.018 PDT-00:30:42.112 PDT)
60.249.217.192 (00:28:40.754 PDT)
  event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
  56903<-5369 (00:28:40.754 PDT)

C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1367911717.553 1367911842.113 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 122.117.210.199, 123.243.30.203
Egg Source List: 122.117.210.199
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/07/2013 00:43:29.847 PDT
Gen. Time: 05/07/2013 00:43:59.658 PDT

INBOUND SCAN

EXPLOIT
122.117.210.199 (00:43:56.636 PDT)
  event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
  445<-1113 (00:43:56.636 PDT)
123.243.30.203 (00:43:29.847 PDT)
  event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
  445<-58455 (00:43:29.847 PDT)

EXPLOIT MALWARE DNS

EGG DOWNLOAD
122.117.210.199 (00:43:59.658 PDT)
  event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
  54468<-6002 (00:43:59.658 PDT)

C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1367912609.847 1367912609.848 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 122.117.210.199, 123.243.30.203, 201.34.33.15
Egg Source List: 122.117.210.199, 201.34.33.15
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/07/2013 00:43:29.847 PDT
Gen. Time: 05/07/2013 00:49:41.119 PDT

INBOUND SCAN

EXPLOIT
122.117.210.199 (00:43:56.636 PDT)
  event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
  445<-1113 (00:43:56.636 PDT)
123.243.30.203 (00:43:29.847 PDT)
  event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
  445<-58455 (00:43:29.847 PDT)
201.34.33.15 (00:45:31.105 PDT)
  event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
  445<-1094 (00:45:31.105 PDT)

EXPLOIT MALWARE DNS

EGG DOWNLOAD
122.117.210.199 (00:43:59.658 PDT)
  event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
  54468<-6002 (00:43:59.658 PDT)
201.34.33.15 (00:45:35.622 PDT)
  event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
  50584<-1390 (00:45:35.622 PDT)

C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1367912609.847 1367912609.848 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 91.183.1.42, 202.62.111.168
Egg Source List: 91.183.1.42
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/07/2013 01:12:23.316 PDT
Gen. Time: 05/07/2013 01:14:05.979 PDT

INBOUND SCAN

EXPLOIT
91.183.1.42 (01:14:02.481 PDT)
  event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
  445<-2829 (01:14:02.481 PDT)
202.62.111.168 (01:12:23.316 PDT)
  event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
  445<-1410 (01:12:23.316 PDT)

EXPLOIT MALWARE DNS

EGG DOWNLOAD
91.183.1.42 (01:14:05.979 PDT)
  event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
  45036<-6695 (01:14:05.979 PDT)

C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1367914343.316 1367914343.317 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 91.183.1.42, 202.62.111.168, 84.46.170.250, 182.223.5.10
Egg Source List: 91.183.1.42, 84.46.170.250, 182.223.5.10
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/07/2013 01:12:23.316 PDT
Gen. Time: 05/07/2013 01:18:57.914 PDT

INBOUND SCAN

EXPLOIT
91.183.1.42 (01:14:02.481 PDT)
  event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
  445<-2829 (01:14:02.481 PDT)
202.62.111.168 (01:12:23.316 PDT)
  event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
  445<-1410 (01:12:23.316 PDT)
84.46.170.250 (01:14:40.596 PDT)
  event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
  445<-1415 (01:14:40.596 PDT)
182.223.5.10 (01:15:11.463 PDT)
  event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
  445<-1698 (01:15:11.463 PDT)

EXPLOIT MALWARE DNS

EGG DOWNLOAD
91.183.1.42 (01:14:05.979 PDT)
  event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
  45036<-6695 (01:14:05.979 PDT)
84.46.170.250 (01:14:44.556 PDT)
  event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
  53055<-7054 (01:14:44.556 PDT)
182.223.5.10 (01:15:16.766 PDT)
  event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
  49498<-1809 (01:15:16.766 PDT)

C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1367914343.316 1367914343.317 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 207.44.146.50
Egg Source List: 207.44.146.50
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/07/2013 01:25:49.881 PDT
Gen. Time: 05/07/2013 01:25:56.599 PDT

INBOUND SCAN

EXPLOIT
207.44.146.50 (01:25:49.881 PDT)
  event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
  445<-2168 (01:25:49.881 PDT)

EXPLOIT MALWARE DNS

EGG DOWNLOAD
207.44.146.50 (01:25:56.599 PDT)
  event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
  47686<-9946 (01:25:56.599 PDT)

C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1367915149.881 1367915149.882 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 65.15.113.12, 207.44.146.50
Egg Source List: 65.15.113.12, 207.44.146.50
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/07/2013 01:25:49.881 PDT
Gen. Time: 05/07/2013 01:28:39.813 PDT

INBOUND SCAN

EXPLOIT
65.15.113.12 (01:26:29.863 PDT)
  event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
  445<-1845 (01:26:29.863 PDT)
207.44.146.50 (01:25:49.881 PDT)
  event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
  445<-2168 (01:25:49.881 PDT)

EXPLOIT MALWARE DNS

EGG DOWNLOAD
65.15.113.12 (01:26:35.551 PDT)
  event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
  41766<-3449 (01:26:35.551 PDT)
207.44.146.50 (01:25:56.599 PDT)
  event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
  47686<-9946 (01:25:56.599 PDT)

C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1367915149.881 1367915149.882 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 190.72.120.123
Egg Source List: 190.72.120.123
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/07/2013 01:33:13.172 PDT
Gen. Time: 05/07/2013 01:33:17.038 PDT

INBOUND SCAN

EXPLOIT
190.72.120.123 (01:33:13.172 PDT)
  event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
  445<-1219 (01:33:13.172 PDT)

EXPLOIT MALWARE DNS

EGG DOWNLOAD
190.72.120.123 (01:33:17.038 PDT)
  event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
  39116<-6788 (01:33:17.038 PDT)

C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1367915593.172 1367915593.173 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 84.46.170.250
Egg Source List: 84.46.170.250
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/07/2013 01:46:13.816 PDT
Gen. Time: 05/07/2013 01:46:17.600 PDT

INBOUND SCAN

EXPLOIT
84.46.170.250 (01:46:13.816 PDT)
  event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
  445<-2954 (01:46:13.816 PDT)

EXPLOIT MALWARE DNS

EGG DOWNLOAD
84.46.170.250 (01:46:17.600 PDT)
  event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
  36627<-7054 (01:46:17.600 PDT)

C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1367916373.816 1367916373.817 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 84.46.170.250
Egg Source List: 84.46.170.250
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/07/2013 01:46:13.816 PDT
Gen. Time: 05/07/2013 01:55:22.645 PDT

INBOUND SCAN

EXPLOIT
84.46.170.250 (17) (01:46:13.816 PDT)
  event=1:22009201 (17) {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
  445<-2954 (01:46:13.816 PDT) 445<-3586 (01:46:29.411 PDT) 445<-4256 (01:46:47.521 PDT) 445<-1135 (01:47:03.931 PDT) 445<-1812 (01:47:21.356 PDT) 445<-2540 (01:47:34.716 PDT) 445<-3037 (01:47:48.796 PDT) 445<-3612 (01:48:02.946 PDT) 445<-4209 (01:48:19.171 PDT) 445<-4959 (01:48:30.776 PDT) 445<-1769 (01:48:59.441 PDT) 445<-2984 (01:49:13.176 PDT) 445<-3629 (01:49:30.896 PDT) 445<-4440 (01:49:42.441 PDT) 445<-1188 (01:49:58.116 PDT) 445<-1953 (01:50:11.681 PDT) 445<-2681 (01:50:31.471 PDT)

EXPLOIT MALWARE DNS

EGG DOWNLOAD
84.46.170.250 (17) (01:46:17.600 PDT)
  event=1:2001685 (17) {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
  36627<-7054 (01:46:17.600 PDT) 36639<-7054 (01:46:33.821 PDT) 36646<-7054 (01:46:51.985 PDT) 36663<-7054 (01:47:08.040 PDT) 36687<-7054 (01:47:27.131 PDT) 36690<-7054 (01:47:38.355 PDT) 36696<-7054 (01:47:53.590 PDT) 36708<-7054 (01:48:07.541 PDT) 36716<-7054 (01:48:22.626 PDT) 36726<-7054 (01:48:34.950 PDT) 36750<-7054 (01:49:05.325 PDT) 36755<-7054 (01:49:16.830 PDT) 36770<-7054 (01:49:34.075 PDT) 36774<-7054 (01:49:45.920 PDT) 36788<-7054 (01:50:01.625 PDT) 36800<-7054 (01:50:16.120 PDT) 36817<-7054 (01:50:34.941 PDT)

C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1367916373.816 1367916373.817 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 94.242.155.119
Egg Source List: 94.242.155.119
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/07/2013 02:07:36.196 PDT
Gen. Time: 05/07/2013 02:07:39.163 PDT

INBOUND SCAN

EXPLOIT
94.242.155.119 (02:07:36.196 PDT)
  event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
  445<-1187 (02:07:36.196 PDT)

EXPLOIT MALWARE DNS

EGG DOWNLOAD
94.242.155.119 (02:07:39.163 PDT)
  event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
  50034<-3711 (02:07:39.163 PDT)

C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1367917656.196 1367917656.197 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 64.55.150.146
Egg Source List: 192.168.0.101
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/07/2013 02:53:08.530 PDT
Gen. Time: 05/07/2013 02:56:08.323 PDT

INBOUND SCAN

EXPLOIT
64.55.150.146 (2) (02:53:08.530 PDT)
  event=1:22475 (2) {tcp} E2[rb] GPL NETBIOS SMB-DS ADMIN$ unicode share access, [] MAC_Dst: 00:21:5A:08:EC:40
  445<-35384 (02:53:08.530 PDT) 445<-50908 (02:55:37.299 PDT)

EXPLOIT MALWARE DNS

EGG DOWNLOAD
192.168.0.101 (02:56:08.323 PDT)
  event=1:3001441 {udp} E3[rb] TFTP GET .exe from external source, [] MAC_Src: 00:21:5A:08:EC:40
  37786->69 (02:56:08.323 PDT)

C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1367920388.530 1367920388.531 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 64.55.150.146
Egg Source List: 192.168.0.101
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/07/2013 02:53:08.530 PDT
Gen. Time: 05/07/2013 03:00:24.599 PDT

INBOUND SCAN

EXPLOIT
64.55.150.146 (2) (02:53:08.530 PDT)
  event=1:22475 (2) {tcp} E2[rb] GPL NETBIOS SMB-DS ADMIN$ unicode share access, [] MAC_Dst: 00:21:5A:08:EC:40
  445<-35384 (02:53:08.530 PDT) 445<-50908 (02:55:37.299 PDT)

EXPLOIT MALWARE DNS

EGG DOWNLOAD
192.168.0.101 (17) (02:56:08.323 PDT-02:56:33.304 PDT)
  event=1:1444 (5) {udp} E3[rb] TFTP GET from external source, [] MAC_Src: 00:21:5A:08:EC:40
  5: 37786->69 (02:56:08.323 PDT-02:56:28.288 PDT)
  -------------------------
  event=1:2008120 (6) {udp} E3[rb] ET POLICY Outbound TFTP Read Request, [] MAC_Src: 00:21:5A:08:EC:40
  6: 37786->69 (02:56:08.323 PDT-02:56:33.304 PDT)
  -------------------------
  event=1:3001441 (6) {udp} E3[rb] TFTP GET .exe from external source, [] MAC_Src: 00:21:5A:08:EC:40
  6: 37786->69 (02:56:08.323 PDT-02:56:33.304 PDT)

C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1367920388.530 1367920593.305 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 64.79.73.73
Egg Source List: 64.79.73.73
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/07/2013 03:09:54.146 PDT
Gen. Time: 05/07/2013 03:09:57.481 PDT

INBOUND SCAN

EXPLOIT
64.79.73.73 (03:09:54.146 PDT)
  event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
  445<-3084 (03:09:54.146 PDT)

EXPLOIT MALWARE DNS

EGG DOWNLOAD
64.79.73.73 (03:09:57.481 PDT)
  event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
  56110<-9487 (03:09:57.481 PDT)

C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1367921394.146 1367921394.147 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 64.79.73.73, 60.236.145.173
Egg Source List: 64.79.73.73
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/07/2013 03:09:54.146 PDT
Gen. Time: 05/07/2013 03:15:39.916 PDT

INBOUND SCAN

EXPLOIT
64.79.73.73 (03:09:54.146 PDT)
  event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
  445<-3084 (03:09:54.146 PDT)
60.236.145.173 (03:11:51.463 PDT)
  event=1:22514 {tcp} E2[rb] GPL NETBIOS SMB-DS DCERPC LSASS DsRolerUpgradeDownlevelServer exploit attempt, [] MAC_Dst: 00:21:5A:08:EC:40
  445<-45503 (03:11:51.463 PDT)

EXPLOIT MALWARE DNS

EGG DOWNLOAD
64.79.73.73 (03:09:57.481 PDT)
  event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
  56110<-9487 (03:09:57.481 PDT)

C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1367921394.146 1367921394.147 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 188.241.212.27
Egg Source List: 188.241.212.27
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/07/2013 03:49:59.197 PDT
Gen. Time: 05/07/2013 03:50:02.247 PDT

INBOUND SCAN

EXPLOIT
188.241.212.27 (03:49:59.197 PDT)
  event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
  445<-4672 (03:49:59.197 PDT)

EXPLOIT MALWARE DNS

EGG DOWNLOAD
188.241.212.27 (03:50:02.247 PDT)
  event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
  37497<-9948 (03:50:02.247 PDT)

C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1367923799.197 1367923799.198 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 219.85.227.92
Egg Source List: 219.85.227.92
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/07/2013 04:04:17.347 PDT
Gen. Time: 05/07/2013 04:04:20.040 PDT

INBOUND SCAN

EXPLOIT
219.85.227.92 (04:04:17.347 PDT)
  event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
  445<-2239 (04:04:17.347 PDT)

EXPLOIT MALWARE DNS

EGG DOWNLOAD
219.85.227.92 (04:04:20.040 PDT)
  event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
  38012<-4318 (04:04:20.040 PDT)

C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1367924657.347 1367924657.348 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 219.85.227.92, 176.227.213.165
Egg Source List: 219.85.227.92, 176.227.213.165
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/07/2013 04:04:17.347 PDT
Gen. Time: 05/07/2013 04:09:25.747 PDT

INBOUND SCAN

EXPLOIT
219.85.227.92 (04:04:17.347 PDT)
  event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
  445<-2239 (04:04:17.347 PDT)
176.227.213.165 (04:05:25.337 PDT)
  event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
  445<-4928 (04:05:25.337 PDT)

EXPLOIT MALWARE DNS

EGG DOWNLOAD
219.85.227.92 (04:04:20.040 PDT)
  event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
  38012<-4318 (04:04:20.040 PDT)
176.227.213.165 (04:05:34.692 PDT)
  event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
  39491<-7367 (04:05:34.692 PDT)

C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1367924657.347 1367924657.348 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 60.249.217.192
Egg Source List: 60.249.217.192
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/07/2013 04:11:08.250 PDT
Gen. Time: 05/07/2013 04:11:13.582 PDT

INBOUND SCAN

EXPLOIT
60.249.217.192 (04:11:08.250 PDT)
  event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
  445<-2456 (04:11:08.250 PDT)

EXPLOIT MALWARE DNS

EGG DOWNLOAD
60.249.217.192 (04:11:13.582 PDT)
  event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
  38293<-5369 (04:11:13.582 PDT)

C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1367925068.250 1367925068.251 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 46.214.51.181
Egg Source List: 46.214.51.181
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/07/2013 04:19:12.389 PDT
Gen. Time: 05/07/2013 04:19:15.202 PDT

INBOUND SCAN

EXPLOIT
46.214.51.181 (04:19:12.389 PDT)
  event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
  445<-1160 (04:19:12.389 PDT)

EXPLOIT MALWARE DNS

EGG DOWNLOAD
46.214.51.181 (04:19:15.202 PDT)
  event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
  51361<-2905 (04:19:15.202 PDT)

C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1367925552.389 1367925552.390 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 109.184.252.175, 64.79.73.68, 46.217.72.202, 201.34.33.15, 46.214.51.181
Egg Source List: 64.79.73.68, 46.217.72.202, 201.34.33.15, 46.214.51.181
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/07/2013 04:19:12.389 PDT
Gen. Time: 05/07/2013 04:29:40.376 PDT

INBOUND SCAN

EXPLOIT
109.184.252.175 (04:24:03.711 PDT)
  event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
  445<-2155 (04:24:03.711 PDT)
64.79.73.68 (04:19:41.559 PDT)
  event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
  445<-1910 (04:19:41.559 PDT)
46.217.72.202 (04:22:09.323 PDT)
  event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
  445<-1062 (04:22:09.323 PDT)
201.34.33.15 (04:26:42.652 PDT)
  event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
  445<-3536 (04:26:42.652 PDT)
46.214.51.181 (04:19:12.389 PDT)
  event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
  445<-1160 (04:19:12.389 PDT)

EXPLOIT MALWARE DNS

EGG DOWNLOAD
64.79.73.68 (04:19:44.689 PDT)
  event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
  49610<-9487 (04:19:44.689 PDT)
46.217.72.202 (04:22:12.590 PDT)
  event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
  38954<-4302 (04:22:12.590 PDT)
201.34.33.15 (04:26:45.705 PDT)
  event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
  56230<-1390 (04:26:45.705 PDT)
46.214.51.181 (04:19:15.202 PDT)
  event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
  51361<-2905 (04:19:15.202 PDT)

C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1367925552.389 1367925552.390 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 81.182.159.212, 194.28.91.132
Egg Source List: 81.182.159.212
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/07/2013 04:33:49.048 PDT
Gen. Time: 05/07/2013 04:34:02.285 PDT

INBOUND SCAN

EXPLOIT
81.182.159.212 (04:33:59.101 PDT)
  event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
  445<-1461 (04:33:59.101 PDT)
194.28.91.132 (04:33:49.048 PDT)
  event=1:22514 {tcp} E2[rb] GPL NETBIOS SMB-DS DCERPC LSASS DsRolerUpgradeDownlevelServer exploit attempt, [] MAC_Dst: 00:21:5A:08:EC:40
  445<-2725 (04:33:49.048 PDT)

EXPLOIT MALWARE DNS

EGG DOWNLOAD
81.182.159.212 (04:34:02.285 PDT)
  event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
  42883<-5372 (04:34:02.285 PDT)

C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1367926429.048 1367926429.049 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 94.52.24.150
Egg Source List: 94.52.24.150
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/07/2013 04:39:52.870 PDT
Gen. Time: 05/07/2013 04:39:57.585 PDT

INBOUND SCAN

EXPLOIT
94.52.24.150 (04:39:52.870 PDT)
  event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
  445<-2499 (04:39:52.870 PDT)

EXPLOIT MALWARE DNS

EGG DOWNLOAD
94.52.24.150 (04:39:57.585 PDT)
  event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
  49897<-6943 (04:39:57.585 PDT)

C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1367926792.870 1367926792.871 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 46.217.72.202
Egg Source List: 46.217.72.202
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/07/2013 05:03:06.362 PDT
Gen. Time: 05/07/2013 05:03:09.583 PDT

INBOUND SCAN

EXPLOIT
46.217.72.202 (05:03:06.362 PDT)
  event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
  445<-1976 (05:03:06.362 PDT)

EXPLOIT MALWARE DNS

EGG DOWNLOAD
46.217.72.202 (05:03:09.583 PDT)
  event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
  59132<-4302 (05:03:09.583 PDT)

C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1367928186.362 1367928186.363 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 65.15.113.12
Egg Source List: 65.15.113.12
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/07/2013 05:08:30.066 PDT
Gen.
Time: 05/07/2013 05:08:33.246 PDT INBOUND SCAN EXPLOIT 65.15.113.12 (05:08:30.066 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-2764 (05:08:30.066 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 65.15.113.12 (05:08:33.246 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 36388<-3449 (05:08:33.246 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1367928510.066 1367928510.067 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 82.51.83.219, 190.72.120.123 Egg Source List: 82.51.83.219 C & C List: Peer Coord. List: Resource List: Observed Start: 05/07/2013 05:17:59.040 PDT Gen. 
Time: 05/07/2013 05:18:08.047 PDT INBOUND SCAN EXPLOIT 82.51.83.219 (05:17:59.040 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-3384 (05:17:59.040 PDT) 190.72.120.123 (05:18:03.502 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-2143 (05:18:03.502 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 82.51.83.219 (05:18:08.047 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 44550<-5295 (05:18:08.047 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1367929079.040 1367929079.041 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 82.51.83.219, 190.72.120.123 Egg Source List: 82.51.83.219, 190.72.120.123 C & C List: Peer Coord. List: Resource List: Observed Start: 05/07/2013 05:17:59.040 PDT Gen. 
Time: 05/07/2013 05:22:04.502 PDT INBOUND SCAN EXPLOIT 82.51.83.219 (05:17:59.040 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-3384 (05:17:59.040 PDT) 190.72.120.123 (05:18:03.502 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-2143 (05:18:03.502 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 82.51.83.219 (05:18:08.047 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 44550<-5295 (05:18:08.047 PDT) 190.72.120.123 (05:18:08.226 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 51970<-6788 (05:18:08.226 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1367929079.040 1367929079.041 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 118.163.96.48 Egg Source List: 118.163.96.47 C & C List: Peer Coord. List: Resource List: Observed Start: 05/07/2013 05:30:11.697 PDT Gen. 
Time: 05/07/2013 05:30:15.971 PDT INBOUND SCAN EXPLOIT 118.163.96.48 (05:30:11.697 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-59999 (05:30:11.697 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 118.163.96.47 (05:30:15.971 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 38879<-2692 (05:30:15.971 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1367929811.697 1367929811.698 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 118.163.96.48, 83.39.175.24 Egg Source List: 118.163.96.47, 192.168.0.2 C & C List: Peer Coord. List: Resource List: Observed Start: 05/07/2013 05:30:11.697 PDT Gen. 
Time: 05/07/2013 05:38:00.021 PDT INBOUND SCAN EXPLOIT 118.163.96.48 (05:30:11.697 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-59999 (05:30:11.697 PDT) 83.39.175.24 (05:32:00.795 PDT) event=1:22465 {tcp} E2[rb] GPL NETBIOS SMB-DS IPC$ share access, [] MAC_Dst: 00:21:5A:08:EC:40 445<-15334 (05:32:00.795 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 118.163.96.47 (05:30:15.971 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 38879<-2692 (05:30:15.971 PDT) 192.168.0.2 (16) (05:33:03.007 PDT-05:33:28.059 PDT) event=1:1444 (5) {udp} E3[rb] TFTP GET from external source, [] MAC_Src: 00:21:5A:08:EC:40 5: 53296->69 (05:33:03.007 PDT-05:33:23.046 PDT) ------------------------- event=1:2008120 (5) {udp} E3[rb] ET POLICY Outbound TFTP Read Request, [] MAC_Src: 00:21:5A:08:EC:40 5: 53296->69 (05:33:03.007 PDT-05:33:23.046 PDT) ------------------------- event=1:3001441 (6) {udp} E3[rb] TFTP GET .exe from external source, [] MAC_Src: 00:21:5A:08:EC:40 6: 53296->69 (05:33:03.007 PDT-05:33:28.059 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1367929811.697 1367930008.060 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 210.107.30.245 Egg Source List: 210.107.30.245 C & C List: Peer Coord. List: Resource List: Observed Start: 05/07/2013 05:40:02.620 PDT Gen. 
Time: 05/07/2013 05:40:10.123 PDT INBOUND SCAN EXPLOIT 210.107.30.245 (05:40:02.620 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-4369 (05:40:02.620 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 210.107.30.245 (05:40:10.123 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 38134<-6387 (05:40:10.123 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1367930402.620 1367930402.621 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 84.46.170.250 Egg Source List: 84.46.170.250 C & C List: Peer Coord. List: Resource List: Observed Start: 05/07/2013 06:04:30.514 PDT Gen. 
Time: 05/07/2013 06:04:35.523 PDT INBOUND SCAN EXPLOIT 84.46.170.250 (06:04:30.514 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-1789 (06:04:30.514 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 84.46.170.250 (06:04:35.523 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 56383<-7054 (06:04:35.523 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1367931870.514 1367931870.515 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 84.46.170.250 Egg Source List: 84.46.170.250 C & C List: Peer Coord. List: Resource List: Observed Start: 05/07/2013 06:04:30.514 PDT Gen. 
Time: 05/07/2013 06:08:10.468 PDT INBOUND SCAN EXPLOIT 84.46.170.250 (3) (06:04:30.514 PDT) event=1:22009201 (3) {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-1789 (06:04:30.514 PDT) 445<-1924 (06:04:48.229 PDT) 445<-2061 (06:05:06.649 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 84.46.170.250 (3) (06:04:35.523 PDT) event=1:2001685 (3) {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 56383<-7054 (06:04:35.523 PDT) 56388<-7054 (06:04:52.488 PDT) 56399<-7054 (06:05:10.573 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1367931870.514 1367931870.515 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 46.120.161.232 Egg Source List: 46.120.161.232 C & C List: Peer Coord. List: Resource List: Observed Start: 05/07/2013 06:21:53.000 PDT Gen. 
Time: 05/07/2013 06:21:57.060 PDT INBOUND SCAN EXPLOIT 46.120.161.232 (06:21:53.000 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-4656 (06:21:53.000 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 46.120.161.232 (06:21:57.060 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 55114<-5445 (06:21:57.060 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1367932913.000 1367932913.001 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 37.142.117.146, 46.120.161.232 Egg Source List: 37.142.117.146, 46.120.161.232 C & C List: Peer Coord. List: Resource List: Observed Start: 05/07/2013 06:21:53.000 PDT Gen. 
Time: 05/07/2013 06:28:01.510 PDT INBOUND SCAN EXPLOIT 37.142.117.146 (06:24:12.087 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-1297 (06:24:12.087 PDT) 46.120.161.232 (06:21:53.000 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-4656 (06:21:53.000 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 37.142.117.146 (06:24:17.340 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 35718<-9883 (06:24:17.340 PDT) 46.120.161.232 (06:21:57.060 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 55114<-5445 (06:21:57.060 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1367932913.000 1367932913.001 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 59.97.152.8 Egg Source List: 192.168.2.101 C & C List: Peer Coord. List: Resource List: Observed Start: 05/07/2013 06:29:56.819 PDT Gen. 
Time: 05/07/2013 06:31:14.002 PDT INBOUND SCAN EXPLOIT 59.97.152.8 (06:31:14.002 PDT) event=1:22465 {tcp} E2[rb] GPL NETBIOS SMB-DS IPC$ share access, [] MAC_Dst: 00:21:5A:08:EC:40 445<-61525 (06:31:14.002 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 192.168.2.101 (17) (06:29:56.819 PDT-06:30:21.463 PDT) event=1:1444 (5) {udp} E3[rb] TFTP GET from external source, [] MAC_Src: 00:21:5A:08:EC:40 5: 48186->69 (06:29:56.819 PDT-06:30:16.427 PDT) ------------------------- event=1:2008120 (6) {udp} E3[rb] ET POLICY Outbound TFTP Read Request, [] MAC_Src: 00:21:5A:08:EC:40 6: 48186->69 (06:29:56.819 PDT-06:30:21.463 PDT) ------------------------- event=1:3001441 (6) {udp} E3[rb] TFTP GET .exe from external source, [] MAC_Src: 00:21:5A:08:EC:40 6: 48186->69 (06:29:56.819 PDT-06:30:21.463 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1367933396.819 1367933421.464 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 93.114.3.51 Egg Source List: 93.114.3.51 C & C List: Peer Coord. List: Resource List: Observed Start: 05/07/2013 06:42:12.789 PDT Gen. 
Time: 05/07/2013 06:42:16.916 PDT INBOUND SCAN EXPLOIT 93.114.3.51 (06:42:12.789 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-1133 (06:42:12.789 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 93.114.3.51 (06:42:16.916 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 45783<-7961 (06:42:16.916 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1367934132.789 1367934132.790 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 93.114.3.51 Egg Source List: 93.114.3.51, 192.168.0.12 C & C List: Peer Coord. List: Resource List: Observed Start: 05/07/2013 06:42:12.789 PDT Gen. 
Time: 05/07/2013 06:47:48.483 PDT INBOUND SCAN EXPLOIT 93.114.3.51 (06:42:12.789 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-1133 (06:42:12.789 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 93.114.3.51 (06:42:16.916 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 45783<-7961 (06:42:16.916 PDT) 192.168.0.12 (16) (06:42:52.712 PDT-06:43:17.865 PDT) event=1:1444 (5) {udp} E3[rb] TFTP GET from external source, [] MAC_Src: 00:21:5A:08:EC:40 5: 33714->69 (06:42:52.712 PDT-06:43:12.846 PDT) ------------------------- event=1:2008120 (5) {udp} E3[rb] ET POLICY Outbound TFTP Read Request, [] MAC_Src: 00:21:5A:08:EC:40 5: 33714->69 (06:42:52.712 PDT-06:43:12.846 PDT) ------------------------- event=1:3001441 (6) {udp} E3[rb] TFTP GET .exe from external source, [] MAC_Src: 00:21:5A:08:EC:40 6: 33714->69 (06:42:52.712 PDT-06:43:17.865 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1367934132.789 1367934197.866 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 190.217.246.135 Egg Source List: 190.217.246.135 C & C List: Peer Coord. List: Resource List: Observed Start: 05/07/2013 06:54:34.863 PDT Gen. 
Time: 05/07/2013 06:54:38.946 PDT INBOUND SCAN EXPLOIT 190.217.246.135 (06:54:34.863 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-2167 (06:54:34.863 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 190.217.246.135 (06:54:38.946 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 60505<-6821 (06:54:38.946 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1367934874.863 1367934874.864 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 193.68.59.27, 190.217.246.135 Egg Source List: 190.217.246.135 C & C List: Peer Coord. List: Resource List: Observed Start: 05/07/2013 06:54:34.863 PDT Gen. 
Time: 05/07/2013 06:59:31.581 PDT INBOUND SCAN EXPLOIT 193.68.59.27 (06:55:23.650 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-3843 (06:55:23.650 PDT) 190.217.246.135 (06:54:34.863 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-2167 (06:54:34.863 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 190.217.246.135 (06:54:38.946 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 60505<-6821 (06:54:38.946 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1367934874.863 1367934874.864 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 77.28.94.103 Egg Source List: 192.168.8.236 C & C List: Peer Coord. List: Resource List: Observed Start: 05/07/2013 07:02:00.624 PDT Gen. 
Time: 05/07/2013 07:05:00.326 PDT INBOUND SCAN EXPLOIT 77.28.94.103 (07:05:00.326 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-3775 (07:05:00.326 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 192.168.8.236 (17) (07:02:00.624 PDT-07:02:25.845 PDT) event=1:1444 (5) {udp} E3[rb] TFTP GET from external source, [] MAC_Src: 00:21:5A:08:EC:40 5: 56074->69 (07:02:00.624 PDT-07:02:20.804 PDT) ------------------------- event=1:2008120 (6) {udp} E3[rb] ET POLICY Outbound TFTP Read Request, [] MAC_Src: 00:21:5A:08:EC:40 6: 56074->69 (07:02:00.624 PDT-07:02:25.845 PDT) ------------------------- event=1:3001441 (6) {udp} E3[rb] TFTP GET .exe from external source, [] MAC_Src: 00:21:5A:08:EC:40 6: 56074->69 (07:02:00.624 PDT-07:02:25.845 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1367935320.624 1367935345.846 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 190.121.143.79 Egg Source List: 192.168.11.3 C & C List: Peer Coord. List: Resource List: Observed Start: 05/07/2013 07:17:33.057 PDT Gen. 
Time: 05/07/2013 07:20:03.747 PDT INBOUND SCAN EXPLOIT 190.121.143.79 (07:20:03.747 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-4235 (07:20:03.747 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 192.168.11.3 (17) (07:17:33.057 PDT-07:17:58.096 PDT) event=1:1444 (5) {udp} E3[rb] TFTP GET from external source, [] MAC_Src: 00:21:5A:08:EC:40 5: 47392->69 (07:17:33.057 PDT-07:17:53.084 PDT) ------------------------- event=1:2008120 (6) {udp} E3[rb] ET POLICY Outbound TFTP Read Request, [] MAC_Src: 00:21:5A:08:EC:40 6: 47392->69 (07:17:33.057 PDT-07:17:58.096 PDT) ------------------------- event=1:3001441 (6) {udp} E3[rb] TFTP GET .exe from external source, [] MAC_Src: 00:21:5A:08:EC:40 6: 47392->69 (07:17:33.057 PDT-07:17:58.096 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1367936253.057 1367936278.097 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 96.45.18.117 Egg Source List: 96.45.18.117 C & C List: Peer Coord. List: Resource List: Observed Start: 05/07/2013 07:29:43.399 PDT Gen. 
Time: 05/07/2013 07:29:46.076 PDT INBOUND SCAN EXPLOIT 96.45.18.117 (07:29:43.399 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-1569 (07:29:43.399 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 96.45.18.117 (07:29:46.076 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 54393<-3238 (07:29:46.076 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1367936983.399 1367936983.400 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 60.196.24.223 Egg Source List: 60.196.24.223 C & C List: Peer Coord. List: Resource List: Observed Start: 05/07/2013 07:49:34.362 PDT Gen. 
Time: 05/07/2013 07:49:37.082 PDT INBOUND SCAN EXPLOIT 60.196.24.223 (07:49:34.362 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-1561 (07:49:34.362 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 60.196.24.223 (07:49:37.082 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 54009<-6443 (07:49:37.082 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1367938174.362 1367938174.363 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 64.79.73.68, 190.78.159.61 Egg Source List: 64.79.73.68 C & C List: Peer Coord. List: Resource List: Observed Start: 05/07/2013 07:57:17.111 PDT Gen. 
Time: 05/07/2013 08:00:52.803 PDT INBOUND SCAN EXPLOIT 64.79.73.68 (08:00:48.908 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-3573 (08:00:48.908 PDT) 190.78.159.61 (07:57:17.111 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-1880 (07:57:17.111 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 64.79.73.68 (08:00:52.803 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 54878<-9487 (08:00:52.803 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1367938637.111 1367938637.112 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 94.52.24.150 Egg Source List: 94.52.24.150 C & C List: Peer Coord. List: Resource List: Observed Start: 05/07/2013 08:21:21.567 PDT Gen. 
Time: 05/07/2013 08:21:25.906 PDT INBOUND SCAN EXPLOIT 94.52.24.150 (08:21:21.567 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-2380 (08:21:21.567 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 94.52.24.150 (08:21:25.906 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 42979<-6943 (08:21:25.906 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1367940081.567 1367940081.568 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 219.85.227.92, 184.37.5.105 Egg Source List: 219.85.227.92 C & C List: Peer Coord. List: Resource List: Observed Start: 05/07/2013 08:26:04.491 PDT Gen. 
Time: 05/07/2013 08:29:55.625 PDT

INBOUND SCAN

EXPLOIT
219.85.227.92 (08:29:52.674 PDT)
 event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
 445<-2642 (08:29:52.674 PDT)
184.37.5.105 (3) (08:26:04.491 PDT)
 event=1:22000032 {tcp} E2[rb] ET EXPLOIT LSA exploit, [] MAC_Dst: 00:21:5A:08:EC:40
 445<-60065 (08:26:04.528 PDT)
 -------------------------
 event=1:22000033 {tcp} E2[rb] ET NETBIOS MS04011 Lsasrv.dll RPC exploit (WinXP), [] MAC_Dst: 00:21:5A:08:EC:40
 445<-60065 (08:26:04.518 PDT)
 -------------------------
 event=1:22514 {tcp} E2[rb] GPL NETBIOS SMB-DS DCERPC LSASS DsRolerUpgradeDownlevelServer exploit attempt, [] MAC_Dst: 00:21:5A:08:EC:40
 445<-60065 (08:26:04.491 PDT)

EXPLOIT MALWARE DNS

EGG DOWNLOAD
219.85.227.92 (08:29:55.625 PDT)
 event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
 54309<-4318 (08:29:55.625 PDT)

C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1367940364.491 1367940364.492 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 203.113.159.11
Egg Source List: 203.113.159.11
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/07/2013 08:43:47.143 PDT
Gen. Time: 05/07/2013 08:43:50.473 PDT

INBOUND SCAN

EXPLOIT
203.113.159.11 (08:43:47.143 PDT)
 event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
 445<-3049 (08:43:47.143 PDT)

EXPLOIT MALWARE DNS

EGG DOWNLOAD
203.113.159.11 (08:43:50.473 PDT)
 event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
 32937<-6405 (08:43:50.473 PDT)

C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1367941427.143 1367941427.144 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 99.109.185.163
Egg Source List: 99.109.185.163
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/07/2013 08:50:07.899 PDT
Gen. Time: 05/07/2013 08:50:12.009 PDT

INBOUND SCAN

EXPLOIT
99.109.185.163 (08:50:07.899 PDT)
 event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
 445<-4965 (08:50:07.899 PDT)

EXPLOIT MALWARE DNS

EGG DOWNLOAD
99.109.185.163 (08:50:12.009 PDT)
 event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
 34360<-5799 (08:50:12.009 PDT)

C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1367941807.899 1367941807.900 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 99.109.185.163, 89.96.232.10
Egg Source List: 99.109.185.163, 89.96.232.10
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/07/2013 08:50:07.899 PDT
Gen. Time: 05/07/2013 08:55:04.194 PDT

INBOUND SCAN

EXPLOIT
99.109.185.163 (08:50:07.899 PDT)
 event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
 445<-4965 (08:50:07.899 PDT)
89.96.232.10 (08:50:57.346 PDT)
 event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
 445<-1924 (08:50:57.346 PDT)

EXPLOIT MALWARE DNS

EGG DOWNLOAD
99.109.185.163 (08:50:12.009 PDT)
 event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
 34360<-5799 (08:50:12.009 PDT)
89.96.232.10 (08:51:01.420 PDT)
 event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
 38100<-1489 (08:51:01.420 PDT)

C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1367941807.899 1367941807.900 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 202.38.173.83
Egg Source List: 202.38.173.83
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/07/2013 08:55:48.794 PDT
Gen. Time: 05/07/2013 08:55:54.778 PDT

INBOUND SCAN

EXPLOIT
202.38.173.83 (08:55:48.794 PDT)
 event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
 445<-2287 (08:55:48.794 PDT)

EXPLOIT MALWARE DNS

EGG DOWNLOAD
202.38.173.83 (08:55:54.778 PDT)
 event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
 56411<-8536 (08:55:54.778 PDT)

C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1367942148.794 1367942148.795 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 189.148.252.233, 195.110.32.16, 202.38.173.83
Egg Source List: 202.38.173.83
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/07/2013 08:55:48.794 PDT
Gen. Time: 05/07/2013 09:00:01.373 PDT

INBOUND SCAN

EXPLOIT
189.148.252.233 (08:57:39.609 PDT)
 event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
 445<-49464 (08:57:39.609 PDT)
195.110.32.16 (08:57:01.722 PDT)
 event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
 445<-1273 (08:57:01.722 PDT)
202.38.173.83 (08:55:48.794 PDT)
 event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
 445<-2287 (08:55:48.794 PDT)

EXPLOIT MALWARE DNS

EGG DOWNLOAD
202.38.173.83 (08:55:54.778 PDT)
 event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
 56411<-8536 (08:55:54.778 PDT)

C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1367942148.794 1367942148.795 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 61.32.246.14, 82.51.83.219
Egg Source List: 61.32.246.14
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/07/2013 09:00:51.423 PDT
Gen. Time: 05/07/2013 09:00:55.062 PDT

INBOUND SCAN

EXPLOIT
61.32.246.14 (09:00:51.423 PDT)
 event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
 445<-2167 (09:00:51.423 PDT)
82.51.83.219 (09:00:55.284 PDT)
 event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
 445<-2153 (09:00:55.284 PDT)

EXPLOIT MALWARE DNS

EGG DOWNLOAD
61.32.246.14 (09:00:55.062 PDT)
 event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
 53254<-3481 (09:00:55.062 PDT)

C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1367942451.423 1367942451.424 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 61.32.246.14, 82.51.83.219
Egg Source List: 61.32.246.14, 82.51.83.219
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/07/2013 09:00:51.423 PDT
Gen. Time: 05/07/2013 09:03:03.011 PDT

INBOUND SCAN

EXPLOIT
61.32.246.14 (09:00:51.423 PDT)
 event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
 445<-2167 (09:00:51.423 PDT)
82.51.83.219 (09:00:55.284 PDT)
 event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
 445<-2153 (09:00:55.284 PDT)

EXPLOIT MALWARE DNS

EGG DOWNLOAD
61.32.246.14 (09:00:55.062 PDT)
 event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
 53254<-3481 (09:00:55.062 PDT)
82.51.83.219 (09:00:59.373 PDT)
 event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
 55188<-5295 (09:00:59.373 PDT)

C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1367942451.423 1367942451.424 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 125.99.169.133
Egg Source List: 125.99.169.133
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/07/2013 09:08:25.526 PDT
Gen. Time: 05/07/2013 09:08:37.876 PDT

INBOUND SCAN

EXPLOIT
125.99.169.133 (09:08:25.526 PDT)
 event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
 445<-1292 (09:08:25.526 PDT)

EXPLOIT MALWARE DNS

EGG DOWNLOAD
125.99.169.133 (09:08:37.876 PDT)
 event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
 36288<-3043 (09:08:37.876 PDT)

C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1367942905.526 1367942905.527 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 125.99.169.133, 200.29.140.70
Egg Source List: 125.99.169.133, 200.29.140.70
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/07/2013 09:08:25.526 PDT
Gen. Time: 05/07/2013 09:16:08.693 PDT

INBOUND SCAN

EXPLOIT
125.99.169.133 (09:08:25.526 PDT)
 event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
 445<-1292 (09:08:25.526 PDT)
200.29.140.70 (09:12:25.908 PDT)
 event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
 445<-2632 (09:12:25.908 PDT)

EXPLOIT MALWARE DNS

EGG DOWNLOAD
125.99.169.133 (09:08:37.876 PDT)
 event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
 36288<-3043 (09:08:37.876 PDT)
200.29.140.70 (09:12:30.292 PDT)
 event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
 37556<-3973 (09:12:30.292 PDT)

C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1367942905.526 1367942905.527 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 210.211.99.223
Egg Source List: 210.211.99.223
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/07/2013 09:18:52.798 PDT
Gen. Time: 05/07/2013 09:18:57.998 PDT

INBOUND SCAN

EXPLOIT
210.211.99.223 (09:18:52.798 PDT)
 event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
 445<-2579 (09:18:52.798 PDT)

EXPLOIT MALWARE DNS

EGG DOWNLOAD
210.211.99.223 (09:18:57.998 PDT)
 event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
 33219<-6082 (09:18:57.998 PDT)

C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1367943532.798 1367943532.799 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 46.217.94.35
Egg Source List: 46.217.94.35
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/07/2013 09:36:10.403 PDT
Gen. Time: 05/07/2013 09:36:14.931 PDT

INBOUND SCAN

EXPLOIT
46.217.94.35 (09:36:10.403 PDT)
 event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
 445<-4013 (09:36:10.403 PDT)

EXPLOIT MALWARE DNS

EGG DOWNLOAD
46.217.94.35 (09:36:14.931 PDT)
 event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
 48474<-4504 (09:36:14.931 PDT)

C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1367944570.403 1367944570.404 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 46.217.94.35, 213.56.232.7
Egg Source List: 46.217.94.35
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/07/2013 09:36:10.403 PDT
Gen. Time: 05/07/2013 09:39:45.677 PDT

INBOUND SCAN

EXPLOIT
46.217.94.35 (09:36:10.403 PDT)
 event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
 445<-4013 (09:36:10.403 PDT)
213.56.232.7 (09:37:33.015 PDT)
 event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
 445<-33399 (09:37:33.015 PDT)

EXPLOIT MALWARE DNS

EGG DOWNLOAD
46.217.94.35 (09:36:14.931 PDT)
 event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
 48474<-4504 (09:36:14.931 PDT)

C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1367944570.403 1367944570.404 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 211.21.207.99
Egg Source List: 211.21.207.99
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/07/2013 09:40:16.441 PDT
Gen. Time: 05/07/2013 09:40:19.875 PDT

INBOUND SCAN

EXPLOIT
211.21.207.99 (09:40:16.441 PDT)
 event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
 445<-2217 (09:40:16.441 PDT)

EXPLOIT MALWARE DNS

EGG DOWNLOAD
211.21.207.99 (09:40:19.875 PDT)
 event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
 34235<-5388 (09:40:19.875 PDT)

C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1367944816.441 1367944816.442 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 211.21.207.99, 121.80.133.20
Egg Source List: 211.21.207.99, 121.80.133.20
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/07/2013 09:40:16.441 PDT
Gen. Time: 05/07/2013 09:46:46.339 PDT

INBOUND SCAN

EXPLOIT
211.21.207.99 (09:40:16.441 PDT)
 event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
 445<-2217 (09:40:16.441 PDT)
121.80.133.20 (09:42:27.825 PDT)
 event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
 445<-2533 (09:42:27.825 PDT)

EXPLOIT MALWARE DNS

EGG DOWNLOAD
211.21.207.99 (09:40:19.875 PDT)
 event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
 34235<-5388 (09:40:19.875 PDT)
121.80.133.20 (09:42:31.423 PDT)
 event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
 45509<-4475 (09:42:31.423 PDT)

C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1367944816.441 1367944816.442 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 84.46.170.250
Egg Source List: 84.46.170.250
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/07/2013 09:55:30.256 PDT
Gen. Time: 05/07/2013 09:55:33.191 PDT

INBOUND SCAN

EXPLOIT
84.46.170.250 (09:55:30.256 PDT)
 event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
 445<-4192 (09:55:30.256 PDT)

EXPLOIT MALWARE DNS

EGG DOWNLOAD
84.46.170.250 (09:55:33.191 PDT)
 event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
 51588<-7054 (09:55:33.191 PDT)

C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1367945730.256 1367945730.257 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 84.46.170.250
Egg Source List: 84.46.170.250
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/07/2013 09:55:30.256 PDT
Gen. Time: 05/07/2013 10:03:32.727 PDT

INBOUND SCAN

EXPLOIT
84.46.170.250 (17) (09:55:30.256 PDT)
 event=1:22009201 (17) {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
 445<-4192 (09:55:30.256 PDT)
 445<-1343 (09:55:47.211 PDT)
 445<-2189 (09:56:05.321 PDT)
 445<-3252 (09:56:25.336 PDT)
 445<-4178 (09:56:42.881 PDT)
 445<-1295 (09:57:01.686 PDT)
 445<-2390 (09:57:22.781 PDT)
 445<-3391 (09:57:40.866 PDT)
 445<-4348 (09:58:02.301 PDT)
 445<-1477 (09:58:19.136 PDT)
 445<-2144 (09:58:38.551 PDT)
 445<-3022 (09:58:54.976 PDT)
 445<-3675 (09:59:15.566 PDT)
 445<-4749 (09:59:34.596 PDT)
 445<-1583 (09:59:56.056 PDT)
 445<-2588 (10:00:14.251 PDT)
 445<-3260 (10:00:35.561 PDT)

EXPLOIT MALWARE DNS

EGG DOWNLOAD
84.46.170.250 (17) (09:55:33.191 PDT)
 event=1:2001685 (17) {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
 51588<-7054 (09:55:33.191 PDT)
 51609<-7054 (09:55:51.971 PDT)
 56964<-7054 (09:56:09.210 PDT)
 56996<-7054 (09:56:28.571 PDT)
 57003<-7054 (09:56:46.305 PDT)
 57024<-7054 (09:57:05.861 PDT)
 57044<-7054 (09:57:26.587 PDT)
 57060<-7054 (09:57:46.366 PDT)
 57089<-7054 (09:58:05.966 PDT)
 57103<-7054 (09:58:24.091 PDT)
 57123<-7054 (09:58:42.772 PDT)
 57142<-7054 (09:58:58.646 PDT)
 57169<-7054 (09:59:20.565 PDT)
 57193<-7054 (09:59:38.481 PDT)
 57218<-7054 (10:00:00.451 PDT)
 57244<-7054 (10:00:18.300 PDT)
 57281<-7054 (10:00:39.886 PDT)

C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1367945730.256 1367945730.257 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 210.107.30.245
Egg Source List: 210.107.30.245
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/07/2013 10:05:41.713 PDT
Gen. Time: 05/07/2013 10:05:46.072 PDT

INBOUND SCAN

EXPLOIT
210.107.30.245 (10:05:41.713 PDT)
 event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
 445<-2646 (10:05:41.713 PDT)

EXPLOIT MALWARE DNS

EGG DOWNLOAD
210.107.30.245 (10:05:46.072 PDT)
 event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
 32943<-6387 (10:05:46.072 PDT)

C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1367946341.713 1367946341.714 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 186.88.88.110
Egg Source List: 186.88.88.110
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/07/2013 10:14:13.985 PDT
Gen. Time: 05/07/2013 10:14:18.290 PDT

INBOUND SCAN

EXPLOIT
186.88.88.110 (10:14:13.985 PDT)
 event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
 445<-2299 (10:14:13.985 PDT)

EXPLOIT MALWARE DNS

EGG DOWNLOAD
186.88.88.110 (10:14:18.290 PDT)
 event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
 35882<-2362 (10:14:18.290 PDT)

C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1367946853.985 1367946853.986 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 222.159.71.40, 198.100.112.237, 186.88.88.110, 77.29.244.215
Egg Source List: 222.159.71.40, 198.100.112.237, 186.88.88.110, 77.29.244.215
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/07/2013 10:14:13.985 PDT
Gen. Time: 05/07/2013 10:22:47.211 PDT

INBOUND SCAN

EXPLOIT
222.159.71.40 (10:14:24.907 PDT)
 event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
 445<-3662 (10:14:24.907 PDT)
198.100.112.237 (10:20:26.350 PDT)
 event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
 445<-3812 (10:20:26.350 PDT)
186.88.88.110 (10:14:13.985 PDT)
 event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
 445<-2299 (10:14:13.985 PDT)
77.29.244.215 (10:18:28.759 PDT)
 event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
 445<-2173 (10:18:28.759 PDT)

EXPLOIT MALWARE DNS

EGG DOWNLOAD
222.159.71.40 (10:14:32.610 PDT)
 event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
 37480<-6495 (10:14:32.610 PDT)
198.100.112.237 (10:20:30.097 PDT)
 event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
 52882<-1918 (10:20:30.097 PDT)
186.88.88.110 (10:14:18.290 PDT)
 event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
 35882<-2362 (10:14:18.290 PDT)
77.29.244.215 (10:18:31.955 PDT)
 event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
 42209<-4302 (10:18:31.955 PDT)

C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1367946853.985 1367946853.986 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 209.97.66.72
Egg Source List: 209.97.66.72
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/07/2013 10:23:40.111 PDT
Gen. Time: 05/07/2013 10:23:42.891 PDT

INBOUND SCAN

EXPLOIT
209.97.66.72 (10:23:40.111 PDT)
 event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
 445<-4144 (10:23:40.111 PDT)

EXPLOIT MALWARE DNS

EGG DOWNLOAD
209.97.66.72 (10:23:42.891 PDT)
 event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
 46866<-3593 (10:23:42.891 PDT)

C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1367947420.111 1367947420.112 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 190.217.246.135, 121.116.243.49
Egg Source List: 190.217.246.135
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/07/2013 10:36:19.880 PDT
Gen. Time: 05/07/2013 10:36:48.568 PDT

INBOUND SCAN

EXPLOIT
190.217.246.135 (10:36:44.174 PDT)
 event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
 445<-3239 (10:36:44.174 PDT)
121.116.243.49 (10:36:19.880 PDT)
 event=1:22514 {tcp} E2[rb] GPL NETBIOS SMB-DS DCERPC LSASS DsRolerUpgradeDownlevelServer exploit attempt, [] MAC_Dst: 00:21:5A:08:EC:40
 445<-1582 (10:36:19.880 PDT)

EXPLOIT MALWARE DNS

EGG DOWNLOAD
190.217.246.135 (10:36:48.568 PDT)
 event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
 37187<-6821 (10:36:48.568 PDT)

C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1367948179.880 1367948179.881 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 190.217.246.135, 186.244.44.170, 46.120.161.232, 121.116.243.49
Egg Source List: 190.217.246.135, 46.120.161.232
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/07/2013 10:36:19.880 PDT
Gen. Time: 05/07/2013 10:45:48.000 PDT

INBOUND SCAN

EXPLOIT
190.217.246.135 (10:36:44.174 PDT)
 event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
 445<-3239 (10:36:44.174 PDT)
186.244.44.170 (10:41:13.796 PDT)
 event=1:22465 {tcp} E2[rb] GPL NETBIOS SMB-DS IPC$ share access, [] MAC_Dst: 00:21:5A:08:EC:40
 445<-14277 (10:41:13.796 PDT)
46.120.161.232 (10:37:08.308 PDT)
 event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
 445<-4268 (10:37:08.308 PDT)
121.116.243.49 (10:36:19.880 PDT)
 event=1:22514 {tcp} E2[rb] GPL NETBIOS SMB-DS DCERPC LSASS DsRolerUpgradeDownlevelServer exploit attempt, [] MAC_Dst: 00:21:5A:08:EC:40
 445<-1582 (10:36:19.880 PDT)

EXPLOIT MALWARE DNS

EGG DOWNLOAD
190.217.246.135 (10:36:48.568 PDT)
 event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
 37187<-6821 (10:36:48.568 PDT)
46.120.161.232 (10:37:14.686 PDT)
 event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
 39456<-5445 (10:37:14.686 PDT)

C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1367948179.880 1367948179.881 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 200.161.39.101
Egg Source List: 200.161.39.101
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/07/2013 10:50:34.499 PDT
Gen. Time: 05/07/2013 10:50:39.444 PDT

INBOUND SCAN

EXPLOIT
200.161.39.101 (10:50:34.499 PDT)
 event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
 445<-2015 (10:50:34.499 PDT)

EXPLOIT MALWARE DNS

EGG DOWNLOAD
200.161.39.101 (10:50:39.444 PDT)
 event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
 54532<-5352 (10:50:39.444 PDT)

C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1367949034.499 1367949034.500 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 2.112.67.75, 200.161.39.101
Egg Source List: 2.112.67.75, 200.161.39.101
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/07/2013 10:50:34.499 PDT
Gen. Time: 05/07/2013 10:56:31.666 PDT

INBOUND SCAN

EXPLOIT
2.112.67.75 (10:51:57.194 PDT)
 event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
 445<-1317 (10:51:57.194 PDT)
200.161.39.101 (10:50:34.499 PDT)
 event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
 445<-2015 (10:50:34.499 PDT)

EXPLOIT MALWARE DNS

EGG DOWNLOAD
2.112.67.75 (10:52:00.908 PDT)
 event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
 33610<-4855 (10:52:00.908 PDT)
200.161.39.101 (10:50:39.444 PDT)
 event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
 54532<-5352 (10:50:39.444 PDT)

C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1367949034.499 1367949034.500 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 93.114.3.51
Egg Source List: 93.114.3.51
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/07/2013 10:59:07.531 PDT
Gen. Time: 05/07/2013 10:59:11.529 PDT

INBOUND SCAN

EXPLOIT
93.114.3.51 (10:59:07.531 PDT)
 event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
 445<-3127 (10:59:07.531 PDT)

EXPLOIT MALWARE DNS

EGG DOWNLOAD
93.114.3.51 (10:59:11.529 PDT)
 event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
 57479<-7961 (10:59:11.529 PDT)

C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1367949547.531 1367949547.532 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 190.121.143.79, 93.114.3.51
Egg Source List: 190.121.143.79, 93.114.3.51
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/07/2013 10:59:07.531 PDT
Gen. Time: 05/07/2013 11:05:55.967 PDT

INBOUND SCAN

EXPLOIT
190.121.143.79 (11:01:17.941 PDT)
 event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
 445<-3548 (11:01:17.941 PDT)
93.114.3.51 (10:59:07.531 PDT)
 event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
 445<-3127 (10:59:07.531 PDT)

EXPLOIT MALWARE DNS

EGG DOWNLOAD
190.121.143.79 (11:01:23.268 PDT)
 event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
 50099<-9766 (11:01:23.268 PDT)
93.114.3.51 (10:59:11.529 PDT)
 event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
 57479<-7961 (10:59:11.529 PDT)

C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1367949547.531 1367949547.532 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 96.45.18.117
Egg Source List: 96.45.18.117
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/07/2013 11:10:49.705 PDT Gen. 
Time: 05/07/2013 11:10:54.730 PDT INBOUND SCAN EXPLOIT 96.45.18.117 (11:10:49.705 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-2982 (11:10:49.705 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 96.45.18.117 (11:10:54.730 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 49329<-3238 (11:10:54.730 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1367950249.705 1367950249.706 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 178.16.34.23 Egg Source List: 178.16.34.23 C & C List: Peer Coord. List: Resource List: Observed Start: 05/07/2013 11:15:22.326 PDT Gen. 
Time: 05/07/2013 11:15:25.645 PDT INBOUND SCAN EXPLOIT 178.16.34.23 (11:15:22.326 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-34002 (11:15:22.326 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 178.16.34.23 (11:15:25.645 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 45156<-6919 (11:15:25.645 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1367950522.326 1367950522.327 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 177.188.157.55 Egg Source List: 177.188.157.55 C & C List: Peer Coord. List: Resource List: Observed Start: 05/07/2013 11:19:47.930 PDT Gen. 
Time: 05/07/2013 11:19:51.405 PDT INBOUND SCAN EXPLOIT 177.188.157.55 (11:19:47.930 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-57059 (11:19:47.930 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 177.188.157.55 (11:19:51.405 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 55338<-3891 (11:19:51.405 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1367950787.930 1367950787.931 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 78.160.224.217, 177.188.157.55 Egg Source List: 177.188.157.55 C & C List: Peer Coord. List: Resource List: Observed Start: 05/07/2013 11:19:47.930 PDT Gen. 
Time: 05/07/2013 11:25:01.153 PDT INBOUND SCAN EXPLOIT 78.160.224.217 (11:21:34.560 PDT) event=1:22465 {tcp} E2[rb] GPL NETBIOS SMB-DS IPC$ share access, [] MAC_Dst: 00:21:5A:08:EC:40 445<-63050 (11:21:34.560 PDT) 177.188.157.55 (11:19:47.930 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-57059 (11:19:47.930 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 177.188.157.55 (11:19:51.405 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 55338<-3891 (11:19:51.405 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1367950787.930 1367950787.931 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 60.196.24.223 Egg Source List: 60.196.24.223 C & C List: Peer Coord. List: Resource List: Observed Start: 05/07/2013 11:30:41.778 PDT Gen. 
Time: 05/07/2013 11:30:45.364 PDT INBOUND SCAN EXPLOIT 60.196.24.223 (11:30:41.778 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-3728 (11:30:41.778 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 60.196.24.223 (11:30:45.364 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 60745<-6443 (11:30:45.364 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1367951441.778 1367951441.779 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 95.75.118.10 Egg Source List: 95.75.118.10 C & C List: Peer Coord. List: Resource List: Observed Start: 05/07/2013 11:45:53.236 PDT Gen. 
Time: 05/07/2013 11:45:57.176 PDT INBOUND SCAN EXPLOIT 95.75.118.10 (11:45:53.236 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-4510 (11:45:53.236 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 95.75.118.10 (11:45:57.176 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 33018<-4419 (11:45:57.176 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1367952353.236 1367952353.237 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 190.51.210.84 Egg Source List: 190.51.210.84 C & C List: Peer Coord. List: Resource List: Observed Start: 05/07/2013 11:51:00.097 PDT Gen. 
Time: 05/07/2013 11:51:06.125 PDT INBOUND SCAN EXPLOIT 190.51.210.84 (11:51:00.097 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-2673 (11:51:00.097 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 190.51.210.84 (11:51:06.125 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 47608<-6190 (11:51:06.125 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1367952660.097 1367952660.098 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 78.52.68.155 Egg Source List: 78.52.68.155 C & C List: Peer Coord. List: Resource List: Observed Start: 05/07/2013 12:09:18.021 PDT Gen. 
Time: 05/07/2013 12:09:23.255 PDT INBOUND SCAN EXPLOIT 78.52.68.155 (12:09:18.021 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-3659 (12:09:18.021 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 78.52.68.155 (12:09:23.255 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 58952<-1810 (12:09:23.255 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1367953758.021 1367953758.022 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 203.113.159.11 Egg Source List: 203.113.159.11 C & C List: Peer Coord. List: Resource List: Observed Start: 05/07/2013 12:25:06.891 PDT Gen. 
Time: 05/07/2013 12:25:12.680 PDT INBOUND SCAN EXPLOIT 203.113.159.11 (12:25:06.891 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-4591 (12:25:06.891 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 203.113.159.11 (12:25:12.680 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 47202<-6405 (12:25:12.680 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1367954706.891 1367954706.892 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 99.109.185.163 Egg Source List: 99.109.185.163 C & C List: Peer Coord. List: Resource List: Observed Start: 05/07/2013 12:31:16.860 PDT Gen. 
Time: 05/07/2013 12:31:23.135 PDT INBOUND SCAN EXPLOIT 99.109.185.163 (12:31:16.860 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-3488 (12:31:16.860 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 99.109.185.163 (12:31:23.135 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 60303<-5799 (12:31:23.135 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1367955076.860 1367955076.861 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 99.109.185.163, 89.96.232.10 Egg Source List: 99.109.185.163, 89.96.232.10 C & C List: Peer Coord. List: Resource List: Observed Start: 05/07/2013 12:31:16.860 PDT Gen. 
Time: 05/07/2013 12:36:00.766 PDT INBOUND SCAN EXPLOIT 99.109.185.163 (12:31:16.860 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-3488 (12:31:16.860 PDT) 89.96.232.10 (12:32:08.569 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-3889 (12:32:08.569 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 99.109.185.163 (12:31:23.135 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 60303<-5799 (12:31:23.135 PDT) 89.96.232.10 (12:32:14.393 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 40338<-1489 (12:32:14.393 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1367955076.860 1367955076.861 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 37.142.117.146 Egg Source List: 37.142.117.146 C & C List: Peer Coord. List: Resource List: Observed Start: 05/07/2013 12:36:45.181 PDT Gen. 
Time: 05/07/2013 12:36:49.637 PDT INBOUND SCAN EXPLOIT 37.142.117.146 (12:36:45.181 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-4046 (12:36:45.181 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 37.142.117.146 (12:36:49.637 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 47969<-9883 (12:36:49.637 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1367955405.181 1367955405.182 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 37.142.117.146, 202.38.173.83 Egg Source List: 37.142.117.146, 202.38.173.83 C & C List: Peer Coord. List: Resource List: Observed Start: 05/07/2013 12:36:45.181 PDT Gen. 
Time: 05/07/2013 12:42:30.022 PDT INBOUND SCAN EXPLOIT 37.142.117.146 (12:36:45.181 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-4046 (12:36:45.181 PDT) 202.38.173.83 (12:38:02.083 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-1792 (12:38:02.083 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 37.142.117.146 (12:36:49.637 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 47969<-9883 (12:36:49.637 PDT) 202.38.173.83 (12:38:10.385 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 57388<-8536 (12:38:10.385 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1367955405.181 1367955405.182 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 61.32.246.14 Egg Source List: 61.32.246.14 C & C List: Peer Coord. List: Resource List: Observed Start: 05/07/2013 12:42:59.679 PDT Gen. 
Time: 05/07/2013 12:43:08.189 PDT INBOUND SCAN EXPLOIT 61.32.246.14 (12:42:59.679 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-2092 (12:42:59.679 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 61.32.246.14 (12:43:08.189 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 50788<-3481 (12:43:08.189 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1367955779.679 1367955779.680 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 200.29.140.70 Egg Source List: 200.29.140.70 C & C List: Peer Coord. List: Resource List: Observed Start: 05/07/2013 12:53:48.740 PDT Gen. 
Time: 05/07/2013 12:53:56.515 PDT INBOUND SCAN EXPLOIT 200.29.140.70 (12:53:48.740 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-2177 (12:53:48.740 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 200.29.140.70 (12:53:56.515 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 46385<-3973 (12:53:56.515 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1367956428.740 1367956428.741 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 200.29.140.70, 60.249.5.88 Egg Source List: 200.29.140.70, 60.249.5.88 C & C List: Peer Coord. List: Resource List: Observed Start: 05/07/2013 12:53:48.740 PDT Gen. 
Time: 05/07/2013 12:58:07.336 PDT INBOUND SCAN EXPLOIT 200.29.140.70 (12:53:48.740 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-2177 (12:53:48.740 PDT) 60.249.5.88 (12:55:26.939 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-3702 (12:55:26.939 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 200.29.140.70 (12:53:56.515 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 46385<-3973 (12:53:56.515 PDT) 60.249.5.88 (12:55:31.086 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 44121<-3246 (12:55:31.086 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1367956428.740 1367956428.741 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 210.211.99.223 Egg Source List: 210.211.99.223 C & C List: Peer Coord. List: Resource List: Observed Start: 05/07/2013 13:00:09.729 PDT Gen. 
Time: 05/07/2013 13:00:16.733 PDT INBOUND SCAN EXPLOIT 210.211.99.223 (13:00:09.729 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-2902 (13:00:09.729 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 210.211.99.223 (13:00:16.733 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 45555<-6082 (13:00:16.733 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1367956809.729 1367956809.730 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 77.21.239.223, 210.211.99.223 Egg Source List: 77.21.239.223, 210.211.99.223 C & C List: Peer Coord. List: Resource List: Observed Start: 05/07/2013 13:00:09.729 PDT Gen. 
Time: 05/07/2013 13:04:45.983 PDT INBOUND SCAN EXPLOIT 77.21.239.223 (13:01:25.940 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-3335 (13:01:25.940 PDT) 210.211.99.223 (13:00:09.729 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-2902 (13:00:09.729 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 77.21.239.223 (13:01:32.426 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 41945<-9280 (13:01:32.426 PDT) 210.211.99.223 (13:00:16.733 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 45555<-6082 (13:00:16.733 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1367956809.729 1367956809.730 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 189.38.231.129 Egg Source List: 189.38.231.129 C & C List: Peer Coord. List: Resource List: Observed Start: 05/07/2013 13:14:16.779 PDT Gen. 
Time: 05/07/2013 13:14:19.801 PDT INBOUND SCAN EXPLOIT 189.38.231.129 (13:14:16.779 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-1055 (13:14:16.779 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 189.38.231.129 (13:14:19.801 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 50232<-5542 (13:14:19.801 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1367957656.779 1367957656.780 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 211.21.207.99 Egg Source List: 211.21.207.99 C & C List: Peer Coord. List: Resource List: Observed Start: 05/07/2013 13:22:47.234 PDT Gen. 
Time: 05/07/2013 13:22:50.555 PDT INBOUND SCAN EXPLOIT 211.21.207.99 (13:22:47.234 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-1670 (13:22:47.234 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 211.21.207.99 (13:22:50.555 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 55153<-5388 (13:22:50.555 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1367958167.234 1367958167.235 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 200.170.196.82 Egg Source List: 200.170.196.82 C & C List: Peer Coord. List: Resource List: Observed Start: 05/07/2013 13:54:12.962 PDT Gen. 
Time: 05/07/2013 13:54:18.130 PDT INBOUND SCAN EXPLOIT 200.170.196.82 (13:54:12.962 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-59529 (13:54:12.962 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 200.170.196.82 (13:54:18.130 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 46768<-9021 (13:54:18.130 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1367960052.962 1367960052.963 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 222.159.71.40, 200.170.196.82 Egg Source List: 222.159.71.40, 200.170.196.82 C & C List: Peer Coord. List: Resource List: Observed Start: 05/07/2013 13:54:12.962 PDT Gen. 
Time: 05/07/2013 13:58:10.304 PDT INBOUND SCAN EXPLOIT 222.159.71.40 (13:55:36.795 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-1976 (13:55:36.795 PDT) 200.170.196.82 (13:54:12.962 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-59529 (13:54:12.962 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 222.159.71.40 (13:55:39.644 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 58560<-6495 (13:55:39.644 PDT) 200.170.196.82 (13:54:18.130 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 46768<-9021 (13:54:18.130 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1367960052.962 1367960052.963 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 198.100.112.237 Egg Source List: 198.100.112.237 C & C List: Peer Coord. List: Resource List: Observed Start: 05/07/2013 14:01:35.186 PDT Gen. 
Time: 05/07/2013 14:01:38.455 PDT INBOUND SCAN EXPLOIT 198.100.112.237 (14:01:35.186 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-3644 (14:01:35.186 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 198.100.112.237 (14:01:38.455 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 44877<-1918 (14:01:38.455 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1367960495.186 1367960495.187 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 198.100.112.237, 189.38.231.129 Egg Source List: 198.100.112.237, 189.38.231.129 C & C List: Peer Coord. List: Resource List: Observed Start: 05/07/2013 14:01:35.186 PDT Gen. 
Time: 05/07/2013 14:05:54.182 PDT INBOUND SCAN EXPLOIT 198.100.112.237 (14:01:35.186 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-3644 (14:01:35.186 PDT) 189.38.231.129 (14:02:40.891 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-1664 (14:02:40.891 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 198.100.112.237 (14:01:38.455 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 44877<-1918 (14:01:38.455 PDT) 189.38.231.129 (14:02:44.452 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 48308<-5542 (14:02:44.452 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1367960495.186 1367960495.187 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 186.88.88.110 Egg Source List: 186.88.88.110 C & C List: Peer Coord. List: Resource List: Observed Start: 05/07/2013 14:08:43.419 PDT Gen. 
Time: 05/07/2013 14:08:48.704 PDT INBOUND SCAN EXPLOIT 186.88.88.110 (14:08:43.419 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-4680 (14:08:43.419 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 186.88.88.110 (14:08:48.704 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 45806<-2362 (14:08:48.704 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1367960923.419 1367960923.420 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 189.38.231.129, 186.88.88.110 Egg Source List: 189.38.231.129, 186.88.88.110 C & C List: Peer Coord. List: Resource List: Observed Start: 05/07/2013 14:08:43.419 PDT Gen. 
Time: 05/07/2013 14:14:54.029 PDT INBOUND SCAN EXPLOIT 189.38.231.129 (14:11:49.965 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-1848 (14:11:49.965 PDT) 186.88.88.110 (14:08:43.419 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-4680 (14:08:43.419 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 189.38.231.129 (14:11:54.780 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 42850<-5542 (14:11:54.780 PDT) 186.88.88.110 (14:08:48.704 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 45806<-2362 (14:08:48.704 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1367960923.419 1367960923.420 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 189.38.231.129, 188.36.80.200 Egg Source List: 189.38.231.129 C & C List: Peer Coord. List: Resource List: Observed Start: 05/07/2013 14:17:52.800 PDT Gen. 
Time: 05/07/2013 14:18:49.452 PDT INBOUND SCAN EXPLOIT 189.38.231.129 (14:18:46.493 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-1314 (14:18:46.493 PDT) 188.36.80.200 (3) (14:17:52.800 PDT) event=1:22000032 {tcp} E2[rb] ET EXPLOIT LSA exploit, [] MAC_Dst: 00:21:5A:08:EC:40 445<-4457 (14:17:52.828 PDT) ------------------------- event=1:22000033 {tcp} E2[rb] ET NETBIOS MS04011 Lsasrv.dll RPC exploit (WinXP), [] MAC_Dst: 00:21:5A:08:EC:40 445<-4457 (14:17:52.821 PDT) ------------------------- event=1:22514 {tcp} E2[rb] GPL NETBIOS SMB-DS DCERPC LSASS DsRolerUpgradeDownlevelServer exploit attempt, [] MAC_Dst: 00:21:5A:08:EC:40 445<-4457 (14:17:52.800 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 189.38.231.129 (14:18:49.452 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 58367<-5542 (14:18:49.452 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1367961472.800 1367961472.801 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 95.75.118.10, 189.38.231.129, 188.36.80.200, 193.106.127.33 Egg Source List: 189.38.231.129, 193.106.127.33 C & C List: Peer Coord. List: Resource List: Observed Start: 05/07/2013 14:17:52.800 PDT Gen. 
Time: 05/07/2013 14:23:58.854 PDT INBOUND SCAN EXPLOIT 95.75.118.10 (14:21:31.532 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-1785 (14:21:31.532 PDT) 189.38.231.129 (14:18:46.493 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-1314 (14:18:46.493 PDT) 188.36.80.200 (3) (14:17:52.800 PDT) event=1:22000032 {tcp} E2[rb] ET EXPLOIT LSA exploit, [] MAC_Dst: 00:21:5A:08:EC:40 445<-4457 (14:17:52.828 PDT) ------------------------- event=1:22000033 {tcp} E2[rb] ET NETBIOS MS04011 Lsasrv.dll RPC exploit (WinXP), [] MAC_Dst: 00:21:5A:08:EC:40 445<-4457 (14:17:52.821 PDT) ------------------------- event=1:22514 {tcp} E2[rb] GPL NETBIOS SMB-DS DCERPC LSASS DsRolerUpgradeDownlevelServer exploit attempt, [] MAC_Dst: 00:21:5A:08:EC:40 445<-4457 (14:17:52.800 PDT) 193.106.127.33 (14:19:29.148 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-3277 (14:19:29.148 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 189.38.231.129 (14:18:49.452 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 58367<-5542 (14:18:49.452 PDT) 193.106.127.33 (14:19:33.203 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 49222<-8236 (14:19:33.203 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1367961472.800 1367961472.801 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) 
Infected Target: 192.168.1.102 Infector List: 189.38.231.129 Egg Source List: 189.38.231.129 C & C List: Peer Coord. List: Resource List: Observed Start: 05/07/2013 14:27:20.617 PDT Gen. Time: 05/07/2013 14:27:28.304 PDT INBOUND SCAN EXPLOIT 189.38.231.129 (14:27:20.617 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-3143 (14:27:20.617 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 189.38.231.129 (14:27:28.304 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 52642<-5542 (14:27:28.304 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1367962040.617 1367962040.618 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 200.161.39.101 Egg Source List: 200.161.39.101 C & C List: Peer Coord. List: Resource List: Observed Start: 05/07/2013 14:32:00.978 PDT Gen. 
Time: 05/07/2013 14:32:06.229 PDT INBOUND SCAN EXPLOIT 200.161.39.101 (14:32:00.978 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-2712 (14:32:00.978 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 200.161.39.101 (14:32:06.229 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 56532<-5352 (14:32:06.229 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1367962320.978 1367962320.979 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 189.38.231.129, 200.161.39.101 Egg Source List: 189.38.231.129, 200.161.39.101 C & C List: Peer Coord. List: Resource List: Observed Start: 05/07/2013 14:32:00.978 PDT Gen. 
Time: 05/07/2013 14:39:09.259 PDT INBOUND SCAN EXPLOIT 189.38.231.129 (14:35:02.317 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-2439 (14:35:02.317 PDT) 200.161.39.101 (14:32:00.978 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-2712 (14:32:00.978 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 189.38.231.129 (14:35:05.734 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 41366<-5542 (14:35:05.734 PDT) 200.161.39.101 (14:32:06.229 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 56532<-5352 (14:32:06.229 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1367962320.978 1367962320.979 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 189.38.231.129 Egg Source List: 189.38.231.129 C & C List: Peer Coord. List: Resource List: Observed Start: 05/07/2013 14:49:52.632 PDT Gen. 
Time: 05/07/2013 14:49:56.460 PDT INBOUND SCAN EXPLOIT 189.38.231.129 (14:49:52.632 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-4744 (14:49:52.632 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 189.38.231.129 (14:49:56.460 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 48787<-5542 (14:49:56.460 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1367963392.632 1367963392.633 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 189.38.231.129 Egg Source List: 189.38.231.129 C & C List: Peer Coord. List: Resource List: Observed Start: 05/07/2013 14:58:21.133 PDT Gen. 
Time: 05/07/2013 14:58:25.552 PDT INBOUND SCAN EXPLOIT 189.38.231.129 (14:58:21.133 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-2191 (14:58:21.133 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 189.38.231.129 (14:58:25.552 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 57816<-5542 (14:58:25.552 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1367963901.133 1367963901.134 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 189.38.231.129, 178.89.73.159 Egg Source List: 189.38.231.129, 178.89.73.159 C & C List: Peer Coord. List: Resource List: Observed Start: 05/07/2013 14:58:21.133 PDT Gen. 
Time: 05/07/2013 15:03:51.228 PDT INBOUND SCAN EXPLOIT 189.38.231.129 (14:58:21.133 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-2191 (14:58:21.133 PDT) 178.89.73.159 (15:00:47.912 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-4955 (15:00:47.912 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 189.38.231.129 (14:58:25.552 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 57816<-5542 (14:58:25.552 PDT) 178.89.73.159 (15:00:53.077 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 58280<-3253 (15:00:53.077 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1367963901.133 1367963901.134 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 189.38.231.129 Egg Source List: 189.38.231.129 C & C List: Peer Coord. List: Resource List: Observed Start: 05/07/2013 15:07:28.635 PDT Gen. 
Time: 05/07/2013 15:07:32.243 PDT INBOUND SCAN EXPLOIT 189.38.231.129 (15:07:28.635 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-2613 (15:07:28.635 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 189.38.231.129 (15:07:32.243 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 34920<-5542 (15:07:32.243 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1367964448.635 1367964448.636 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 189.38.231.129 Egg Source List: 189.38.231.129 C & C List: Peer Coord. List: Resource List: Observed Start: 05/07/2013 15:15:16.530 PDT Gen. 
Time: 05/07/2013 15:15:19.714 PDT INBOUND SCAN EXPLOIT 189.38.231.129 (15:15:16.530 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-2503 (15:15:16.530 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 189.38.231.129 (15:15:19.714 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 59397<-5542 (15:15:19.714 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1367964916.530 1367964916.531 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 178.16.34.23, 189.38.231.129 Egg Source List: 178.16.34.23, 189.38.231.129 C & C List: Peer Coord. List: Resource List: Observed Start: 05/07/2013 15:15:16.530 PDT Gen. 
Time: 05/07/2013 15:21:14.646 PDT INBOUND SCAN EXPLOIT 178.16.34.23 (15:17:51.748 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-12822 (15:17:51.748 PDT) 189.38.231.129 (15:15:16.530 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-2503 (15:15:16.530 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 178.16.34.23 (15:17:55.556 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 58434<-6919 (15:17:55.556 PDT) 189.38.231.129 (15:15:19.714 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 59397<-5542 (15:15:19.714 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1367964916.530 1367964916.531 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 189.38.231.129 Egg Source List: 189.38.231.129 C & C List: Peer Coord. List: Resource List: Observed Start: 05/07/2013 15:23:15.396 PDT Gen. 
Time: 05/07/2013 15:23:19.077 PDT INBOUND SCAN EXPLOIT 189.38.231.129 (15:23:15.396 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-4145 (15:23:15.396 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 189.38.231.129 (15:23:19.077 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 51727<-5542 (15:23:19.077 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1367965395.396 1367965395.397 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 189.78.65.1, 189.38.231.129 Egg Source List: 189.38.231.129 C & C List: Peer Coord. List: Resource List: Observed Start: 05/07/2013 15:23:15.396 PDT Gen. 
Time: 05/07/2013 15:27:55.068 PDT INBOUND SCAN EXPLOIT 189.78.65.1 (15:24:49.275 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-43329 (15:24:49.275 PDT) 189.38.231.129 (15:23:15.396 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-4145 (15:23:15.396 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 189.38.231.129 (15:23:19.077 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 51727<-5542 (15:23:19.077 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1367965395.396 1367965395.397 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 189.38.231.129 Egg Source List: 189.38.231.129 C & C List: Peer Coord. List: Resource List: Observed Start: 05/07/2013 15:47:03.312 PDT Gen. 
Time: 05/07/2013 15:47:08.551 PDT INBOUND SCAN EXPLOIT 189.38.231.129 (15:47:03.312 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-3855 (15:47:03.312 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 189.38.231.129 (15:47:08.551 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 38635<-5542 (15:47:08.551 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1367966823.312 1367966823.313 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 190.51.210.84, 189.38.231.129 Egg Source List: 190.51.210.84, 189.38.231.129 C & C List: Peer Coord. List: Resource List: Observed Start: 05/07/2013 15:47:03.312 PDT Gen. 
Time: 05/07/2013 15:52:06.628 PDT INBOUND SCAN EXPLOIT 190.51.210.84 (15:50:05.177 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-4230 (15:50:05.177 PDT) 189.38.231.129 (15:47:03.312 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-3855 (15:47:03.312 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 190.51.210.84 (15:50:08.884 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 58150<-6190 (15:50:08.884 PDT) 189.38.231.129 (15:47:08.551 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 38635<-5542 (15:47:08.551 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1367966823.312 1367966823.313 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 78.52.68.155 Egg Source List: 78.52.68.155 C & C List: Peer Coord. List: Resource List: Observed Start: 05/07/2013 15:52:19.250 PDT Gen. 
Time: 05/07/2013 15:52:22.255 PDT INBOUND SCAN EXPLOIT 78.52.68.155 (15:52:19.250 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-1231 (15:52:19.250 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 78.52.68.155 (15:52:22.255 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 58296<-1810 (15:52:22.255 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1367967139.250 1367967139.251 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 189.38.231.129 Egg Source List: 189.38.231.129 C & C List: Peer Coord. List: Resource List: Observed Start: 05/07/2013 15:55:50.424 PDT Gen. 
Time: 05/07/2013 15:55:53.382 PDT INBOUND SCAN EXPLOIT 189.38.231.129 (15:55:50.424 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-3508 (15:55:50.424 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 189.38.231.129 (15:55:53.382 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 55569<-5542 (15:55:53.382 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1367967350.424 1367967350.425 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 77.29.244.215 Egg Source List: 77.29.244.215 C & C List: Peer Coord. List: Resource List: Observed Start: 05/07/2013 16:03:25.529 PDT Gen. 
Time: 05/07/2013 16:03:32.698 PDT INBOUND SCAN EXPLOIT 77.29.244.215 (16:03:25.529 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-3362 (16:03:25.529 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 77.29.244.215 (16:03:32.698 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 34672<-4302 (16:03:32.698 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1367967805.529 1367967805.530 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 200.170.196.82 Egg Source List: 200.170.196.82 C & C List: Peer Coord. List: Resource List: Observed Start: 05/07/2013 17:35:22.474 PDT Gen. 
Time: 05/07/2013 17:35:29.365 PDT INBOUND SCAN EXPLOIT 200.170.196.82 (17:35:22.474 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-44702 (17:35:22.474 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 200.170.196.82 (17:35:29.365 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 57897<-9021 (17:35:29.365 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1367973322.474 1367973322.475 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 85.217.251.240 Egg Source List: 85.217.251.240 C & C List: Peer Coord. List: Resource List: Observed Start: 05/07/2013 17:58:06.393 PDT Gen. 
Time: 05/07/2013 17:58:10.745 PDT INBOUND SCAN EXPLOIT 85.217.251.240 (17:58:06.393 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-4400 (17:58:06.393 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 85.217.251.240 (17:58:10.745 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 39589<-2212 (17:58:10.745 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1367974686.393 1367974686.394 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 190.203.225.200, 85.217.251.240, 189.111.52.166 Egg Source List: 190.203.225.200, 85.217.251.240 C & C List: Peer Coord. List: Resource List: Observed Start: 05/07/2013 17:58:06.393 PDT Gen. 
Time: 05/07/2013 18:09:50.050 PDT INBOUND SCAN EXPLOIT 190.203.225.200 (18:05:48.564 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-4068 (18:05:48.564 PDT) 85.217.251.240 (17:58:06.393 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-4400 (17:58:06.393 PDT) 189.111.52.166 (18:02:03.797 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-3707 (18:02:03.797 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 190.203.225.200 (18:05:52.003 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 58725<-8950 (18:05:52.003 PDT) 85.217.251.240 (17:58:10.745 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 39589<-2212 (17:58:10.745 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1367974686.393 1367974686.394 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 178.89.73.159 Egg Source List: 178.89.73.159 C & C List: Peer Coord. List: Resource List: Observed Start: 05/07/2013 18:43:28.419 PDT Gen. 
Time: 05/07/2013 18:43:31.530 PDT

INBOUND SCAN

EXPLOIT
178.89.73.159 (18:43:28.419 PDT)
  event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
  445<-3493 (18:43:28.419 PDT)

EXPLOIT MALWARE DNS

EGG DOWNLOAD
178.89.73.159 (18:43:31.530 PDT)
  event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
  43432<-3253 (18:43:31.530 PDT)

C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1367977408.419 1367977408.420 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 59.125.47.221
Egg Source List: 59.125.47.221
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/07/2013 19:40:55.829 PDT
Gen. Time: 05/07/2013 19:41:01.292 PDT

INBOUND SCAN

EXPLOIT
59.125.47.221 (19:40:55.829 PDT)
  event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
  445<-2135 (19:40:55.829 PDT)

EXPLOIT MALWARE DNS

EGG DOWNLOAD
59.125.47.221 (19:41:01.292 PDT)
  event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
  49782<-2145 (19:41:01.292 PDT)

C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1367980855.829 1367980855.830 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 216.82.164.67
Egg Source List: 216.82.164.67
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/07/2013 21:21:42.826 PDT
Gen. Time: 05/07/2013 21:21:45.582 PDT

INBOUND SCAN

EXPLOIT
216.82.164.67 (21:21:42.826 PDT)
  event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
  445<-1416 (21:21:42.826 PDT)

EXPLOIT MALWARE DNS

EGG DOWNLOAD
216.82.164.67 (21:21:45.582 PDT)
  event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
  56447<-2091 (21:21:45.582 PDT)

C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1367986902.826 1367986902.827 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 216.82.164.67
Egg Source List: 216.82.164.67, 192.168.0.10
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/07/2013 21:21:42.826 PDT
Gen. Time: 05/07/2013 21:27:21.175 PDT

INBOUND SCAN

EXPLOIT
216.82.164.67 (21:21:42.826 PDT)
  event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
  445<-1416 (21:21:42.826 PDT)

EXPLOIT MALWARE DNS

EGG DOWNLOAD
216.82.164.67 (21:21:45.582 PDT)
  event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
  56447<-2091 (21:21:45.582 PDT)
192.168.0.10 (16) (21:23:40.063 PDT-21:24:05.285 PDT)
  event=1:1444 (5) {udp} E3[rb] TFTP GET from external source, [] MAC_Src: 00:21:5A:08:EC:40
  5: 39416->69 (21:23:40.063 PDT-21:24:00.294 PDT)
  -------------------------
  event=1:2008120 (5) {udp} E3[rb] ET POLICY Outbound TFTP Read Request, [] MAC_Src: 00:21:5A:08:EC:40
  5: 39416->69 (21:23:40.063 PDT-21:24:00.294 PDT)
  -------------------------
  event=1:3001441 (6) {udp} E3[rb] TFTP GET .exe from external source, [] MAC_Src: 00:21:5A:08:EC:40
  6: 39416->69 (21:23:40.063 PDT-21:24:05.285 PDT)

C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1367986902.826 1367987045.286 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 151.233.9.161
Egg Source List: 151.233.9.161
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/07/2013 21:28:53.806 PDT
Gen. Time: 05/07/2013 21:28:58.274 PDT

INBOUND SCAN

EXPLOIT
151.233.9.161 (21:28:53.806 PDT)
  event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
  445<-4391 (21:28:53.806 PDT)

EXPLOIT MALWARE DNS

EGG DOWNLOAD
151.233.9.161 (21:28:58.274 PDT)
  event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
  56008<-5970 (21:28:58.274 PDT)

C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1367987333.806 1367987333.807 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 85.217.251.240, 96.36.2.82
Egg Source List: 85.217.251.240
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/07/2013 21:39:43.826 PDT
Gen. Time: 05/07/2013 21:41:01.560 PDT

INBOUND SCAN

EXPLOIT
85.217.251.240 (21:40:56.329 PDT)
  event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
  445<-1824 (21:40:56.329 PDT)
96.36.2.82 (2) (21:39:43.826 PDT)
  event=1:22472 {tcp} E2[rb] GPL NETBIOS SMB-DS C$ unicode share access, [] MAC_Dst: 00:21:5A:08:EC:40
  445<-55460 (21:39:45.457 PDT)
  -------------------------
  event=1:22475 {tcp} E2[rb] GPL NETBIOS SMB-DS ADMIN$ unicode share access, [] MAC_Dst: 00:21:5A:08:EC:40
  445<-55460 (21:39:43.826 PDT)

EXPLOIT MALWARE DNS

EGG DOWNLOAD
85.217.251.240 (21:41:01.560 PDT)
  event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
  55430<-2212 (21:41:01.560 PDT)

C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1367987983.826 1367987983.827 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 189.7.9.20
Egg Source List: 189.7.9.20
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/07/2013 21:54:43.924 PDT
Gen. Time: 05/07/2013 21:54:46.800 PDT

INBOUND SCAN

EXPLOIT
189.7.9.20 (21:54:43.924 PDT)
  event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
  445<-2393 (21:54:43.924 PDT)

EXPLOIT MALWARE DNS

EGG DOWNLOAD
189.7.9.20 (21:54:46.800 PDT)
  event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
  34983<-1325 (21:54:46.800 PDT)

C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1367988883.924 1367988883.925 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 190.203.225.200
Egg Source List: 190.203.225.200
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/07/2013 22:18:12.119 PDT
Gen. Time: 05/07/2013 22:18:14.987 PDT

INBOUND SCAN

EXPLOIT
190.203.225.200 (22:18:12.119 PDT)
  event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
  445<-3465 (22:18:12.119 PDT)

EXPLOIT MALWARE DNS

EGG DOWNLOAD
190.203.225.200 (22:18:14.987 PDT)
  event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
  44031<-8950 (22:18:14.987 PDT)

C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1367990292.119 1367990292.120 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 89.179.65.154, 190.203.225.200, 188.159.207.205
Egg Source List: 89.179.65.154, 190.203.225.200
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/07/2013 22:18:12.119 PDT
Gen. Time: 05/07/2013 22:26:36.116 PDT

INBOUND SCAN

EXPLOIT
89.179.65.154 (22:22:03.967 PDT)
  event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
  445<-1836 (22:22:03.967 PDT)
190.203.225.200 (22:18:12.119 PDT)
  event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
  445<-3465 (22:18:12.119 PDT)
188.159.207.205 (22:18:15.887 PDT)
  event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
  445<-1202 (22:18:15.887 PDT)

EXPLOIT MALWARE DNS

EGG DOWNLOAD
89.179.65.154 (22:22:06.785 PDT)
  event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
  38592<-9011 (22:22:06.785 PDT)
190.203.225.200 (22:18:14.987 PDT)
  event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
  44031<-8950 (22:18:14.987 PDT)

C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1367990292.119 1367990292.120 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 109.184.151.242
Egg Source List: 109.184.151.242
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/07/2013 22:38:16.343 PDT
Gen. Time: 05/07/2013 22:38:19.556 PDT

INBOUND SCAN

EXPLOIT
109.184.151.242 (22:38:16.343 PDT)
  event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
  445<-2531 (22:38:16.343 PDT)

EXPLOIT MALWARE DNS

EGG DOWNLOAD
109.184.151.242 (22:38:19.556 PDT)
  event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
  34276<-6874 (22:38:19.556 PDT)

C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1367991496.343 1367991496.344 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================