Score: 1.0 (>= 0.8)
Infected Target: 192.168.1.85
Infector List:
Egg Source List:
C & C List: 66.249.74.230
Peer Coord. List:
Resource List:
Observed Start: 05/07/2013 06:09:09.061 PDT
Gen. Time: 05/07/2013 06:09:27.314 PDT
    INBOUND SCAN
    EXPLOIT
    EXPLOIT MALWARE DNS
    EGG DOWNLOAD
    C and C TRAFFIC
        66.249.74.230 (06:09:09.061 PDT)
            event=1:2002033 {tcp} E4[rb] ET TROJAN BOT - potential response, [] MAC_Src: 00:01:64:FF:CE:EA
            80->64124 (06:09:09.061 PDT)
    C and C TRAFFIC (RBN)
    C and C DNS CHECK-IN
    OUTBOUND SKYPE CANDIDATE
    OUTBOUND SCAN (spp)
    OUTBOUND SCAN
        66.249.74.230 (06:09:27.314 PDT)
            event=1:552123 {tcp} E5[rb] REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner, [] MAC_Src: 00:01:64:FF:CE:EA
            80->44640 (06:09:27.314 PDT)
    ATTACK PREP
    PEER COORDINATION Info
    PEER COORDINATION
    DECLARE BOT Standard Port
    DECLARE BOT Non-standard Port
    DECLARE BOT Local Threat Triggered
    DECLARE BOT
    OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1367932149.061 1367932149.062 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.85'
============================== SEPARATOR ================================
Score: 1.0 (>= 0.8)
Infected Target: 192.168.1.85
Infector List:
Egg Source List:
C & C List: 204.12.208.218
Peer Coord. List:
Resource List:
Observed Start: 05/07/2013 08:00:12.142 PDT
Gen. Time: 05/07/2013 08:02:53.472 PDT
    INBOUND SCAN
    EXPLOIT
    EXPLOIT MALWARE DNS
    EGG DOWNLOAD
    C and C TRAFFIC
        204.12.208.218 (08:02:53.472 PDT)
            event=1:2002033 {tcp} E4[rb] ET TROJAN BOT - potential response, [] MAC_Src: 00:01:64:FF:CE:EA
            80->56402 (08:02:53.472 PDT)
    C and C TRAFFIC (RBN)
    C and C DNS CHECK-IN
    OUTBOUND SKYPE CANDIDATE
    OUTBOUND SCAN (spp)
    OUTBOUND SCAN
        204.12.208.218 (7) (08:00:12.142 PDT)
            event=1:552123 (7) {tcp} E5[rb] REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner, [] MAC_Src: 00:01:64:FF:CE:EA
            80->56435 (08:00:12.142 PDT)
            80->34181 (08:00:19.787 PDT)
            80->55472 (08:00:49.517 PDT)
            80->55908 (08:01:29.816 PDT)
            80->42553 (08:01:50.429 PDT)
            80->51386 (08:02:04.213 PDT)
            80->37027 (08:02:25.030 PDT)
    ATTACK PREP
    PEER COORDINATION Info
    PEER COORDINATION
    DECLARE BOT Standard Port
    DECLARE BOT Non-standard Port
    DECLARE BOT Local Threat Triggered
    DECLARE BOT
    OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1367938812.142 1367938812.143 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.85'
============================== SEPARATOR ================================
Score: 1.0 (>= 0.8)
Infected Target: 192.168.1.85
Infector List:
Egg Source List:
C & C List: 204.12.208.218 (4)
Peer Coord. List:
Resource List:
Observed Start: 05/07/2013 08:00:12.142 PDT
Gen. Time: 05/07/2013 08:25:01.176 PDT
    INBOUND SCAN
    EXPLOIT
    EXPLOIT MALWARE DNS
    EGG DOWNLOAD
    C and C TRAFFIC
        204.12.208.218 (4) (08:02:53.472 PDT)
            event=1:2002033 (4) {tcp} E4[rb] ET TROJAN BOT - potential response, [] MAC_Src: 00:01:64:FF:CE:EA
            80->56402 (08:02:53.472 PDT)
            80->39339 (08:03:08.493 PDT)
            80->54495 (08:03:30.126 PDT)
            80->59427 (08:03:36.793 PDT)
    C and C TRAFFIC (RBN)
    C and C DNS CHECK-IN
    OUTBOUND SKYPE CANDIDATE
    OUTBOUND SCAN (spp)
    OUTBOUND SCAN
        66.249.74.230 (6) (08:05:17.474 PDT)
            event=1:552123 (6) {tcp} E5[rb] REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner, [] MAC_Src: 00:01:64:FF:CE:EA
            80->51599 (08:05:17.474 PDT)
            80->37211 (08:07:40.743 PDT)
            80->56183 (08:08:38.554 PDT)
            80->47041 (08:10:09.993 PDT)
            80->40226 (08:13:55.542 PDT)
            80->54048 (08:16:16.170 PDT)
        204.12.208.218 (11) (08:00:12.142 PDT)
            event=1:552123 (11) {tcp} E5[rb] REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner, [] MAC_Src: 00:01:64:FF:CE:EA
            80->56435 (08:00:12.142 PDT)
            80->34181 (08:00:19.787 PDT)
            80->55472 (08:00:49.517 PDT)
            80->55908 (08:01:29.816 PDT)
            80->42553 (08:01:50.429 PDT)
            80->51386 (08:02:04.213 PDT)
            80->37027 (08:02:25.030 PDT)
            80->36455 (08:03:44.053 PDT)
            80->33675 (08:04:22.160 PDT)
            80->60858 (08:06:01.186 PDT)
            80->50282 (08:06:34.967 PDT)
    ATTACK PREP
    PEER COORDINATION Info
    PEER COORDINATION
    DECLARE BOT Standard Port
    DECLARE BOT Non-standard Port
    DECLARE BOT Local Threat Triggered
    DECLARE BOT
    OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1367938812.142 1367938812.143 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.85'
============================== SEPARATOR ================================