Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 211.53.113.36, 85.64.123.190, 59.125.47.221
Egg Source List: 211.53.113.36, 85.64.123.190, 59.125.47.221
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/07/2013 23:54:54.018 PDT
Gen. Time: 05/08/2013 00:01:26.824 PDT

INBOUND SCAN
EXPLOIT
211.53.113.36 (23:57:23.646 PDT)
  event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
  445<-1866 (23:57:23.646 PDT)
85.64.123.190 (23:54:54.018 PDT)
  event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
  445<-2041 (23:54:54.018 PDT)
59.125.47.221 (23:55:12.902 PDT)
  event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
  445<-4019 (23:55:12.902 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
211.53.113.36 (23:57:26.450 PDT)
  event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
  36196<-1623 (23:57:26.450 PDT)
85.64.123.190 (23:54:59.496 PDT)
  event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
  33937<-5166 (23:54:59.496 PDT)
59.125.47.221 (23:55:17.208 PDT)
  event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
  46641<-2145 (23:55:17.208 PDT)
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1367996094.018 1367996094.019 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'
============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 194.28.75.94
Egg Source List: 194.28.75.94
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/08/2013 00:05:16.236 PDT
Gen. Time: 05/08/2013 00:05:20.092 PDT

INBOUND SCAN
EXPLOIT
194.28.75.94 (00:05:16.236 PDT)
  event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
  445<-3029 (00:05:16.236 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
194.28.75.94 (00:05:20.092 PDT)
  event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
  38079<-5076 (00:05:20.092 PDT)
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1367996716.236 1367996716.237 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'
============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 200.32.243.2
Egg Source List: 200.32.243.2
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/08/2013 00:20:27.606 PDT
Gen. Time: 05/08/2013 00:20:30.215 PDT

INBOUND SCAN
EXPLOIT
200.32.243.2 (00:20:27.606 PDT)
  event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
  445<-2369 (00:20:27.606 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
200.32.243.2 (00:20:30.215 PDT)
  event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
  36703<-2371 (00:20:30.215 PDT)
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1367997627.606 1367997627.607 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'
============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 190.85.167.10, 200.32.243.2, 183.35.76.80
Egg Source List: 200.32.243.2, 183.35.76.80
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/08/2013 00:20:27.606 PDT
Gen. Time: 05/08/2013 00:26:49.654 PDT

INBOUND SCAN
EXPLOIT
190.85.167.10 (00:24:45.312 PDT)
  event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
  445<-1588 (00:24:45.312 PDT)
200.32.243.2 (00:20:27.606 PDT)
  event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
  445<-2369 (00:20:27.606 PDT)
183.35.76.80 (00:23:17.529 PDT)
  event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
  445<-3482 (00:23:17.529 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
200.32.243.2 (00:20:30.215 PDT)
  event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
  36703<-2371 (00:20:30.215 PDT)
183.35.76.80 (00:23:21.443 PDT)
  event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
  56279<-6870 (00:23:21.443 PDT)
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1367997627.606 1367997627.607 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'
============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 79.47.7.194
Egg Source List: 79.47.7.194
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/08/2013 00:57:24.960 PDT
Gen. Time: 05/08/2013 00:57:29.401 PDT

INBOUND SCAN
EXPLOIT
79.47.7.194 (00:57:24.960 PDT)
  event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
  445<-2032 (00:57:24.960 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
79.47.7.194 (00:57:29.401 PDT)
  event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
  46575<-3213 (00:57:29.401 PDT)
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1367999844.960 1367999844.961 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'
============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 216.82.164.67
Egg Source List: 216.82.164.67
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/08/2013 01:02:50.217 PDT
Gen. Time: 05/08/2013 01:02:53.922 PDT

INBOUND SCAN
EXPLOIT
216.82.164.67 (01:02:50.217 PDT)
  event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
  445<-3023 (01:02:50.217 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
216.82.164.67 (01:02:53.922 PDT)
  event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
  44078<-2091 (01:02:53.922 PDT)
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1368000170.217 1368000170.218 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'
============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 216.82.164.67, 211.21.120.93
Egg Source List: 216.82.164.67, 211.21.120.93
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/08/2013 01:02:50.217 PDT
Gen. Time: 05/08/2013 01:07:30.992 PDT

INBOUND SCAN
EXPLOIT
216.82.164.67 (01:02:50.217 PDT)
  event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
  445<-3023 (01:02:50.217 PDT)
211.21.120.93 (01:03:15.391 PDT)
  event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
  445<-2763 (01:03:15.391 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
216.82.164.67 (01:02:53.922 PDT)
  event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
  44078<-2091 (01:02:53.922 PDT)
211.21.120.93 (01:03:19.286 PDT)
  event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
  59864<-6460 (01:03:19.286 PDT)
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1368000170.217 1368000170.218 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'
============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 95.64.8.211
Egg Source List: 192.168.0.100
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/08/2013 01:31:51.706 PDT
Gen. Time: 05/08/2013 01:34:07.219 PDT

INBOUND SCAN
EXPLOIT
95.64.8.211 (01:34:07.219 PDT)
  event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
  445<-2623 (01:34:07.219 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
192.168.0.100 (17) (01:31:51.706 PDT-01:32:16.842 PDT)
  event=1:1444 (5) {udp} E3[rb] TFTP GET from external source, [] MAC_Src: 00:21:5A:08:EC:40
  5: 40885->69 (01:31:51.706 PDT-01:32:11.834 PDT)
  -------------------------
  event=1:2008120 (6) {udp} E3[rb] ET POLICY Outbound TFTP Read Request, [] MAC_Src: 00:21:5A:08:EC:40
  6: 40885->69 (01:31:51.706 PDT-01:32:16.842 PDT)
  -------------------------
  event=1:3001441 (6) {udp} E3[rb] TFTP GET .exe from external source, [] MAC_Src: 00:21:5A:08:EC:40
  6: 40885->69 (01:31:51.706 PDT-01:32:16.842 PDT)
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1368001911.706 1368001936.843 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'
============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 121.58.248.4
Egg Source List: 121.58.248.4
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/08/2013 01:39:01.945 PDT
Gen. Time: 05/08/2013 01:39:06.149 PDT

INBOUND SCAN
EXPLOIT
121.58.248.4 (01:39:01.945 PDT)
  event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
  445<-2221 (01:39:01.945 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
121.58.248.4 (01:39:06.149 PDT)
  event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
  51799<-3957 (01:39:06.149 PDT)
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1368002341.945 1368002341.946 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'
============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 121.58.248.4, 202.60.26.109
Egg Source List: 121.58.248.4
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/08/2013 01:39:01.945 PDT
Gen. Time: 05/08/2013 01:42:02.693 PDT

INBOUND SCAN
EXPLOIT
121.58.248.4 (01:39:01.945 PDT)
  event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
  445<-2221 (01:39:01.945 PDT)
202.60.26.109 (01:39:46.353 PDT)
  event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
  445<-53708 (01:39:46.353 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
121.58.248.4 (01:39:06.149 PDT)
  event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
  51799<-3957 (01:39:06.149 PDT)
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1368002341.945 1368002341.946 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'
============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 36.224.22.209
Egg Source List: 36.224.22.209
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/08/2013 01:52:18.602 PDT
Gen. Time: 05/08/2013 01:52:22.022 PDT

INBOUND SCAN
EXPLOIT
36.224.22.209 (01:52:18.602 PDT)
  event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
  445<-2285 (01:52:18.602 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
36.224.22.209 (01:52:22.022 PDT)
  event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
  52017<-9988 (01:52:22.022 PDT)
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1368003138.602 1368003138.603 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'
============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 212.107.229.194
Egg Source List: 212.107.229.194
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/08/2013 02:03:09.009 PDT
Gen. Time: 05/08/2013 02:03:13.554 PDT

INBOUND SCAN
EXPLOIT
212.107.229.194 (02:03:09.009 PDT)
  event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
  445<-3343 (02:03:09.009 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
212.107.229.194 (02:03:13.554 PDT)
  event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
  36020<-6242 (02:03:13.554 PDT)
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1368003789.009 1368003789.010 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'
============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 212.107.229.194
Egg Source List: 212.107.229.194
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/08/2013 02:03:09.009 PDT
Gen. Time: 05/08/2013 02:32:57.649 PDT

INBOUND SCAN
EXPLOIT
212.107.229.194 (17) (02:03:09.009 PDT)
  event=1:22009201 (17) {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
  445<-3343 (02:03:09.009 PDT) 445<-3639 (02:03:26.149 PDT) 445<-4040 (02:03:38.560 PDT) 445<-4294 (02:03:56.550 PDT) 445<-4697 (02:04:08.778 PDT) 445<-1046 (02:04:24.507 PDT) 445<-1379 (02:04:36.733 PDT) 445<-1662 (02:04:51.557 PDT) 445<-1946 (02:05:04.232 PDT) 445<-2230 (02:05:19.734 PDT) 445<-2544 (02:05:32.774 PDT) 445<-3127 (02:06:06.455 PDT) 445<-3504 (02:06:19.358 PDT) 445<-3810 (02:06:36.145 PDT) 445<-4142 (02:06:48.886 PDT) 445<-4417 (02:07:05.084 PDT) 445<-4734 (02:07:16.932 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
212.107.229.194 (17) (02:03:13.554 PDT)
  event=1:2001685 (17) {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
  36020<-6242 (02:03:13.554 PDT) 36042<-6242 (02:03:29.541 PDT) 36065<-6242 (02:03:41.791 PDT) 36098<-6242 (02:04:00.139 PDT) 36112<-6242 (02:04:12.792 PDT) 36135<-6242 (02:04:28.006 PDT) 36155<-6242 (02:04:40.331 PDT) 36169<-6242 (02:04:55.136 PDT) 36193<-6242 (02:05:08.874 PDT) 36207<-6242 (02:05:22.986 PDT) 36234<-6242 (02:05:37.296 PDT) 54986<-6242 (02:06:10.937 PDT) 55006<-6242 (02:06:25.331 PDT) 55032<-6242 (02:06:39.833 PDT) 55067<-6242 (02:06:52.554 PDT) 55114<-6242 (02:07:10.491 PDT) 55125<-6242 (02:07:20.203 PDT)
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1368003789.009 1368003789.010 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'
============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 86.109.211.136
Egg Source List: 86.109.211.136
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/08/2013 02:57:20.237 PDT
Gen. Time: 05/08/2013 02:57:23.464 PDT

INBOUND SCAN
EXPLOIT
86.109.211.136 (02:57:20.237 PDT)
  event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
  445<-3664 (02:57:20.237 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
86.109.211.136 (02:57:23.464 PDT)
  event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
  50426<-4475 (02:57:23.464 PDT)
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1368007040.237 1368007040.238 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'
============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 195.22.161.87
Egg Source List: 195.22.161.87
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/08/2013 03:09:40.582 PDT
Gen. Time: 05/08/2013 03:09:46.464 PDT

INBOUND SCAN
EXPLOIT
195.22.161.87 (03:09:40.582 PDT)
  event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
  445<-3747 (03:09:40.582 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
195.22.161.87 (03:09:46.464 PDT)
  event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
  45531<-2290 (03:09:46.464 PDT)
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1368007780.582 1368007780.583 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'
============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 195.22.161.87
Egg Source List: 192.168.10.185, 195.22.161.87
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/08/2013 03:09:40.582 PDT
Gen. Time: 05/08/2013 03:16:46.361 PDT

INBOUND SCAN
EXPLOIT
195.22.161.87 (03:09:40.582 PDT)
  event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
  445<-3747 (03:09:40.582 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
192.168.10.185 (16) (03:11:18.354 PDT-03:11:43.284 PDT)
  event=1:1444 (5) {udp} E3[rb] TFTP GET from external source, [] MAC_Src: 00:21:5A:08:EC:40
  5: 38883->69 (03:11:18.354 PDT-03:11:38.283 PDT)
  -------------------------
  event=1:2008120 (5) {udp} E3[rb] ET POLICY Outbound TFTP Read Request, [] MAC_Src: 00:21:5A:08:EC:40
  5: 38883->69 (03:11:18.354 PDT-03:11:38.283 PDT)
  -------------------------
  event=1:3001441 (6) {udp} E3[rb] TFTP GET .exe from external source, [] MAC_Src: 00:21:5A:08:EC:40
  6: 38883->69 (03:11:18.354 PDT-03:11:43.284 PDT)
195.22.161.87 (03:09:46.464 PDT)
  event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
  45531<-2290 (03:09:46.464 PDT)
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1368007780.582 1368007903.285 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'
============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 211.53.113.36, 79.32.98.3, 218.248.12.97
Egg Source List: 211.53.113.36
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/08/2013 03:35:45.440 PDT
Gen. Time: 05/08/2013 03:38:35.867 PDT

INBOUND SCAN
EXPLOIT
211.53.113.36 (03:38:31.365 PDT)
  event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
  445<-3806 (03:38:31.365 PDT)
79.32.98.3 (3) (03:36:04.659 PDT)
  event=1:22000032 {tcp} E2[rb] ET EXPLOIT LSA exploit, [] MAC_Dst: 00:21:5A:08:EC:40
  445<-2007 (03:36:04.681 PDT)
  -------------------------
  event=1:22000033 {tcp} E2[rb] ET NETBIOS MS04011 Lsasrv.dll RPC exploit (WinXP), [] MAC_Dst: 00:21:5A:08:EC:40
  445<-2007 (03:36:04.676 PDT)
  -------------------------
  event=1:22514 {tcp} E2[rb] GPL NETBIOS SMB-DS DCERPC LSASS DsRolerUpgradeDownlevelServer exploit attempt, [] MAC_Dst: 00:21:5A:08:EC:40
  445<-2007 (03:36:04.659 PDT)
218.248.12.97 (03:35:45.440 PDT)
  event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
  445<-33583 (03:35:45.440 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
211.53.113.36 (03:38:35.867 PDT)
  event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
  45852<-1623 (03:38:35.867 PDT)
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1368009345.440 1368009345.441 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'
============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 211.53.113.36, 36.229.193.209, 79.32.98.3, 218.248.12.97
Egg Source List: 211.53.113.36, 36.229.193.209
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/08/2013 03:35:45.440 PDT
Gen. Time: 05/08/2013 03:41:01.840 PDT

INBOUND SCAN
EXPLOIT
211.53.113.36 (03:38:31.365 PDT)
  event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
  445<-3806 (03:38:31.365 PDT)
36.229.193.209 (03:38:44.619 PDT)
  event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
  445<-2908 (03:38:44.619 PDT)
79.32.98.3 (3) (03:36:04.659 PDT)
  event=1:22000032 {tcp} E2[rb] ET EXPLOIT LSA exploit, [] MAC_Dst: 00:21:5A:08:EC:40
  445<-2007 (03:36:04.681 PDT)
  -------------------------
  event=1:22000033 {tcp} E2[rb] ET NETBIOS MS04011 Lsasrv.dll RPC exploit (WinXP), [] MAC_Dst: 00:21:5A:08:EC:40
  445<-2007 (03:36:04.676 PDT)
  -------------------------
  event=1:22514 {tcp} E2[rb] GPL NETBIOS SMB-DS DCERPC LSASS DsRolerUpgradeDownlevelServer exploit attempt, [] MAC_Dst: 00:21:5A:08:EC:40
  445<-2007 (03:36:04.659 PDT)
218.248.12.97 (03:35:45.440 PDT)
  event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
  445<-33583 (03:35:45.440 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
211.53.113.36 (03:38:35.867 PDT)
  event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
  45852<-1623 (03:38:35.867 PDT)
36.229.193.209 (03:38:48.130 PDT)
  event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
  47376<-3158 (03:38:48.130 PDT)
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1368009345.440 1368009345.441 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'
============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 194.28.75.94
Egg Source List: 194.28.75.94
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/08/2013 03:46:27.237 PDT
Gen. Time: 05/08/2013 03:46:30.996 PDT

INBOUND SCAN
EXPLOIT
194.28.75.94 (03:46:27.237 PDT)
  event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
  445<-2770 (03:46:27.237 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
194.28.75.94 (03:46:30.996 PDT)
  event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
  40319<-5076 (03:46:30.996 PDT)
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1368009987.237 1368009987.238 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'
============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 200.32.243.2
Egg Source List: 200.32.243.2
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/08/2013 04:01:32.225 PDT
Gen. Time: 05/08/2013 04:01:34.867 PDT

INBOUND SCAN
EXPLOIT
200.32.243.2 (04:01:32.225 PDT)
  event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
  445<-1494 (04:01:32.225 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
200.32.243.2 (04:01:34.867 PDT)
  event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
  58430<-2371 (04:01:34.867 PDT)
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1368010892.225 1368010892.226 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'
============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 200.32.243.2, 183.35.76.80
Egg Source List: 200.32.243.2, 183.35.76.80
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/08/2013 04:01:32.225 PDT
Gen. Time: 05/08/2013 04:07:48.571 PDT

INBOUND SCAN
EXPLOIT
200.32.243.2 (04:01:32.225 PDT)
  event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
  445<-1494 (04:01:32.225 PDT)
183.35.76.80 (04:04:42.992 PDT)
  event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
  445<-3358 (04:04:42.992 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
200.32.243.2 (04:01:34.867 PDT)
  event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
  58430<-2371 (04:01:34.867 PDT)
183.35.76.80 (04:04:56.672 PDT)
  event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
  42024<-6870 (04:04:56.672 PDT)
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1368010892.225 1368010892.226 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'
============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 95.83.54.11
Egg Source List: 95.83.54.11
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/08/2013 04:14:03.385 PDT
Gen. Time: 05/08/2013 04:14:06.196 PDT

INBOUND SCAN
EXPLOIT
95.83.54.11 (04:14:03.385 PDT)
  event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
  445<-4537 (04:14:03.385 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
95.83.54.11 (04:14:06.196 PDT)
  event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
  40786<-4196 (04:14:06.196 PDT)
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1368011643.385 1368011643.386 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'
============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 66.85.144.12
Egg Source List: 66.85.144.12
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/08/2013 04:18:18.049 PDT
Gen. Time: 05/08/2013 04:18:21.792 PDT

INBOUND SCAN
EXPLOIT
66.85.144.12 (04:18:18.049 PDT)
  event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
  445<-3852 (04:18:18.049 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
66.85.144.12 (04:18:21.792 PDT)
  event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
  60592<-5268 (04:18:21.792 PDT)
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1368011898.049 1368011898.050 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'
============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 187.61.224.175
Egg Source List: 187.61.224.175
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/08/2013 04:43:33.900 PDT
Gen. Time: 05/08/2013 04:43:36.758 PDT

INBOUND SCAN
EXPLOIT
187.61.224.175 (04:43:33.900 PDT)
  event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
  445<-4039 (04:43:33.900 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
187.61.224.175 (04:43:36.758 PDT)
  event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
  48042<-6745 (04:43:36.758 PDT)
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1368013413.900 1368013413.901 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'
============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 89.116.211.158, 188.131.64.3, 187.61.224.175
Egg Source List: 89.116.211.158, 188.131.64.3, 187.61.224.175
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/08/2013 04:43:33.900 PDT
Gen. Time: 05/08/2013 04:56:05.854 PDT

INBOUND SCAN
EXPLOIT
89.116.211.158 (15) (04:48:45.829 PDT)
  event=1:22009201 (15) {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
  445<-4581 (04:48:45.829 PDT) 445<-4798 (04:49:01.124 PDT) 445<-1107 (04:49:18.744 PDT) 445<-1325 (04:49:34.364 PDT) 445<-1529 (04:49:50.094 PDT) 445<-1735 (04:50:07.129 PDT) 445<-1963 (04:50:22.654 PDT) 445<-2160 (04:50:38.639 PDT) 445<-2387 (04:50:56.799 PDT) 445<-2630 (04:51:14.374 PDT) 445<-2868 (04:51:30.064 PDT) 445<-3076 (04:51:46.539 PDT) 445<-3299 (04:52:01.559 PDT) 445<-3495 (04:52:15.834 PDT) 445<-3710 (04:52:33.469 PDT)
188.131.64.3 (04:45:41.486 PDT)
  event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
  445<-1556 (04:45:41.486 PDT)
187.61.224.175 (04:43:33.900 PDT)
  event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
  445<-4039 (04:43:33.900 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
89.116.211.158 (15) (04:48:49.813 PDT)
  event=1:2001685 (15) {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
  33665<-7054 (04:48:49.813 PDT) 33685<-7054 (04:49:05.128 PDT) 33712<-7054 (04:49:22.543 PDT) 33741<-7054 (04:49:38.028 PDT) 33796<-7054 (04:49:55.178 PDT) 33837<-7054 (04:50:10.623 PDT) 33868<-7054 (04:50:26.613 PDT) 33890<-7054 (04:50:42.168 PDT) 35623<-7054 (04:51:01.863 PDT) 35651<-7054 (04:51:18.778 PDT) 35680<-7054 (04:51:35.263 PDT) 35713<-7054 (04:51:49.858 PDT) 35749<-7054 (04:52:04.978 PDT) 35776<-7054 (04:52:19.848 PDT) 35814<-7054 (04:52:37.333 PDT)
188.131.64.3 (04:45:44.485 PDT)
  event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
  49374<-1437 (04:45:44.485 PDT)
187.61.224.175 (04:43:36.758 PDT)
  event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src:
00:21:1C:EE:14:00 48042<-6745 (04:43:36.758 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368013413.900 1368013413.901 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 211.21.120.93 Egg Source List: 211.21.120.93 C & C List: Peer Coord. List: Resource List: Observed Start: 05/08/2013 05:20:03.950 PDT Gen. Time: 05/08/2013 05:20:09.841 PDT INBOUND SCAN EXPLOIT 211.21.120.93 (05:20:03.950 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-4460 (05:20:03.950 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 211.21.120.93 (05:20:09.841 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 57889<-6460 (05:20:09.841 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368015603.950 1368015603.951 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 211.21.120.93, 78.149.183.159 Egg Source List: 211.21.120.93 C & C List: Peer Coord. List: Resource List: Observed Start: 05/08/2013 05:20:03.950 PDT Gen. 
Time: 05/08/2013 05:26:49.021 PDT INBOUND SCAN EXPLOIT 211.21.120.93 (05:20:03.950 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-4460 (05:20:03.950 PDT) 78.149.183.159 (3) (05:22:13.485 PDT) event=1:22000032 {tcp} E2[rb] ET EXPLOIT LSA exploit, [] MAC_Dst: 00:21:5A:08:EC:40 445<-3814 (05:22:13.526 PDT) ------------------------- event=1:22000033 {tcp} E2[rb] ET NETBIOS MS04011 Lsasrv.dll RPC exploit (WinXP), [] MAC_Dst: 00:21:5A:08:EC:40 445<-3814 (05:22:13.514 PDT) ------------------------- event=1:22514 {tcp} E2[rb] GPL NETBIOS SMB-DS DCERPC LSASS DsRolerUpgradeDownlevelServer exploit attempt, [] MAC_Dst: 00:21:5A:08:EC:40 445<-3814 (05:22:13.485 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 211.21.120.93 (05:20:09.841 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 57889<-6460 (05:20:09.841 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368015603.950 1368015603.951 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 41.34.30.164, 200.84.64.238 Egg Source List: 200.84.64.238 C & C List: Peer Coord. List: Resource List: Observed Start: 05/08/2013 05:38:09.387 PDT Gen. 
Time: 05/08/2013 05:41:49.784 PDT INBOUND SCAN EXPLOIT 41.34.30.164 (05:38:09.387 PDT) event=1:22465 {tcp} E2[rb] GPL NETBIOS SMB-DS IPC$ share access, [] MAC_Dst: 00:21:5A:08:EC:40 445<-49765 (05:38:09.387 PDT) 200.84.64.238 (05:41:44.725 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-1306 (05:41:44.725 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 200.84.64.238 (05:41:49.784 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 50954<-8566 (05:41:49.784 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368016689.387 1368016689.388 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 41.34.30.164, 217.201.27.43, 200.84.64.238 Egg Source List: 217.201.27.43, 200.84.64.238 C & C List: Peer Coord. List: Resource List: Observed Start: 05/08/2013 05:38:09.387 PDT Gen. 
Time: 05/08/2013 05:44:58.282 PDT INBOUND SCAN EXPLOIT 41.34.30.164 (05:38:09.387 PDT) event=1:22465 {tcp} E2[rb] GPL NETBIOS SMB-DS IPC$ share access, [] MAC_Dst: 00:21:5A:08:EC:40 445<-49765 (05:38:09.387 PDT) 217.201.27.43 (05:41:51.737 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-1321 (05:41:51.737 PDT) 200.84.64.238 (05:41:44.725 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-1306 (05:41:44.725 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 217.201.27.43 (05:41:57.387 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 44801<-4419 (05:41:57.387 PDT) 200.84.64.238 (05:41:49.784 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 50954<-8566 (05:41:49.784 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368016689.387 1368016689.388 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 110.234.97.52 Egg Source List: 110.234.97.52 C & C List: Peer Coord. List: Resource List: Observed Start: 05/08/2013 06:03:51.715 PDT Gen. 
Time: 05/08/2013 06:03:56.064 PDT INBOUND SCAN EXPLOIT 110.234.97.52 (06:03:51.715 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-2598 (06:03:51.715 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 110.234.97.52 (06:03:56.064 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 44132<-9119 (06:03:56.064 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368018231.715 1368018231.716 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 121.58.248.4, 110.234.97.52, 188.53.62.43 Egg Source List: 121.58.248.4, 110.234.97.52 C & C List: Peer Coord. List: Resource List: Observed Start: 05/08/2013 06:03:51.715 PDT Gen. 
Time: 05/08/2013 06:10:51.812 PDT INBOUND SCAN EXPLOIT 121.58.248.4 (06:04:24.536 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-1998 (06:04:24.536 PDT) 110.234.97.52 (06:03:51.715 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-2598 (06:03:51.715 PDT) 188.53.62.43 (3) (06:07:58.089 PDT) event=1:22000032 {tcp} E2[rb] ET EXPLOIT LSA exploit, [] MAC_Dst: 00:21:5A:08:EC:40 445<-4548 (06:07:58.110 PDT) ------------------------- event=1:22000033 {tcp} E2[rb] ET NETBIOS MS04011 Lsasrv.dll RPC exploit (WinXP), [] MAC_Dst: 00:21:5A:08:EC:40 445<-4548 (06:07:58.104 PDT) ------------------------- event=1:22514 {tcp} E2[rb] GPL NETBIOS SMB-DS DCERPC LSASS DsRolerUpgradeDownlevelServer exploit attempt, [] MAC_Dst: 00:21:5A:08:EC:40 445<-4548 (06:07:58.089 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 121.58.248.4 (06:04:28.034 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 45119<-3957 (06:04:28.034 PDT) 110.234.97.52 (06:03:56.064 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 44132<-9119 (06:03:56.064 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368018231.715 1368018231.716 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 212.107.229.194 Egg Source List: 212.107.229.194 C & C List: Peer Coord. 
List: Resource List: Observed Start: 05/08/2013 06:24:42.485 PDT Gen. Time: 05/08/2013 06:24:46.624 PDT INBOUND SCAN EXPLOIT 212.107.229.194 (06:24:42.485 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-4949 (06:24:42.485 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 212.107.229.194 (06:24:46.624 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 39347<-6242 (06:24:46.624 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368019482.485 1368019482.486 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 94.77.5.94 Egg Source List: 94.77.5.94 C & C List: Peer Coord. List: Resource List: Observed Start: 05/08/2013 06:35:37.595 PDT Gen. 
Time: 05/08/2013 06:35:42.627 PDT INBOUND SCAN EXPLOIT 94.77.5.94 (06:35:37.595 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-1405 (06:35:37.595 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 94.77.5.94 (06:35:42.627 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 41214<-2337 (06:35:42.627 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368020137.595 1368020137.596 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 94.77.5.94, 210.107.55.100 Egg Source List: 94.77.5.94, 210.107.55.100 C & C List: Peer Coord. List: Resource List: Observed Start: 05/08/2013 06:35:37.595 PDT Gen. 
Time: 05/08/2013 06:41:30.804 PDT INBOUND SCAN EXPLOIT 94.77.5.94 (06:35:37.595 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-1405 (06:35:37.595 PDT) 210.107.55.100 (06:38:20.032 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-1959 (06:38:20.032 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 94.77.5.94 (06:35:42.627 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 41214<-2337 (06:35:42.627 PDT) 210.107.55.100 (06:38:23.043 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 38475<-6443 (06:38:23.043 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368020137.595 1368020137.596 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 190.39.47.229 Egg Source List: 190.39.47.229 C & C List: Peer Coord. List: Resource List: Observed Start: 05/08/2013 06:51:32.269 PDT Gen. 
Time: 05/08/2013 06:51:35.592 PDT INBOUND SCAN EXPLOIT 190.39.47.229 (06:51:32.269 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-13087 (06:51:32.269 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 190.39.47.229 (06:51:35.592 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 48112<-6964 (06:51:35.592 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368021092.269 1368021092.270 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 195.117.93.179 Egg Source List: 195.117.93.179 C & C List: Peer Coord. List: Resource List: Observed Start: 05/08/2013 07:01:20.196 PDT Gen. 
Time: 05/08/2013 07:01:24.793 PDT INBOUND SCAN EXPLOIT 195.117.93.179 (07:01:20.196 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-1756 (07:01:20.196 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 195.117.93.179 (07:01:24.793 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 37592<-4142 (07:01:24.793 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368021680.196 1368021680.197 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 195.117.93.179, 142.4.40.242 Egg Source List: 195.117.93.179, 142.4.40.242 C & C List: Peer Coord. List: Resource List: Observed Start: 05/08/2013 07:01:20.196 PDT Gen. 
Time: 05/08/2013 07:07:20.976 PDT INBOUND SCAN EXPLOIT 195.117.93.179 (07:01:20.196 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-1756 (07:01:20.196 PDT) 142.4.40.242 (07:03:06.621 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-27272 (07:03:06.621 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 195.117.93.179 (07:01:24.793 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 37592<-4142 (07:01:24.793 PDT) 142.4.40.242 (07:03:10.632 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 49077<-4564 (07:03:10.632 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368021680.196 1368021680.197 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 59.93.199.21 Egg Source List: 59.93.199.21 C & C List: Peer Coord. List: Resource List: Observed Start: 05/08/2013 07:12:06.886 PDT Gen. 
Time: 05/08/2013 07:12:10.637 PDT INBOUND SCAN EXPLOIT 59.93.199.21 (07:12:06.886 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-29455 (07:12:06.886 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 59.93.199.21 (07:12:10.637 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 44699<-4863 (07:12:10.637 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368022326.886 1368022326.887 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 142.4.57.54, 59.93.199.21 Egg Source List: 142.4.57.54, 59.93.199.21 C & C List: Peer Coord. List: Resource List: Observed Start: 05/08/2013 07:12:06.886 PDT Gen. 
Time: 05/08/2013 07:16:49.319 PDT INBOUND SCAN EXPLOIT 142.4.57.54 (07:12:49.812 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-35719 (07:12:49.812 PDT) 59.93.199.21 (07:12:06.886 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-29455 (07:12:06.886 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 142.4.57.54 (07:12:53.112 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 55880<-4564 (07:12:53.112 PDT) 59.93.199.21 (07:12:10.637 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 44699<-4863 (07:12:10.637 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368022326.886 1368022326.887 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 192.69.200.104 Egg Source List: 192.69.200.104 C & C List: Peer Coord. List: Resource List: Observed Start: 05/08/2013 07:17:07.765 PDT Gen. 
Time: 05/08/2013 07:17:12.953 PDT INBOUND SCAN EXPLOIT 192.69.200.104 (07:17:07.765 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-1818 (07:17:07.765 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 192.69.200.104 (07:17:12.953 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 47637<-5722 (07:17:12.953 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368022627.765 1368022627.766 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 142.4.50.5, 192.69.200.104, 70.234.7.30 Egg Source List: 142.4.50.5, 192.69.200.104 C & C List: Peer Coord. List: Resource List: Observed Start: 05/08/2013 07:17:07.765 PDT Gen. 
Time: 05/08/2013 07:24:52.187 PDT INBOUND SCAN EXPLOIT 142.4.50.5 (07:21:29.672 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-3444 (07:21:29.672 PDT) 192.69.200.104 (07:17:07.765 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-1818 (07:17:07.765 PDT) 70.234.7.30 (07:18:17.547 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-15440 (07:18:17.547 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 142.4.50.5 (07:21:32.313 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 46855<-3973 (07:21:32.313 PDT) 192.69.200.104 (07:17:12.953 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 47637<-5722 (07:17:12.953 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368022627.765 1368022627.766 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 81.182.207.19 Egg Source List: 81.182.207.19 C & C List: Peer Coord. List: Resource List: Observed Start: 05/08/2013 07:33:53.769 PDT Gen. 
Time: 05/08/2013 07:33:57.821 PDT INBOUND SCAN EXPLOIT 81.182.207.19 (07:33:53.769 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-2342 (07:33:53.769 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 81.182.207.19 (07:33:57.821 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 38378<-3742 (07:33:57.821 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368023633.769 1368023633.770 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 81.182.207.19 Egg Source List: 192.168.0.106, 81.182.207.19 C & C List: Peer Coord. List: Resource List: Observed Start: 05/08/2013 07:33:53.769 PDT Gen. 
Time: 05/08/2013 07:41:05.799 PDT INBOUND SCAN EXPLOIT 81.182.207.19 (07:33:53.769 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-2342 (07:33:53.769 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 192.168.0.106 (16) (07:37:46.722 PDT-07:38:12.360 PDT) event=1:1444 (5) {udp} E3[rb] TFTP GET from external source, [] MAC_Src: 00:21:5A:08:EC:40 5: 57114->69 (07:37:46.722 PDT-07:38:07.307 PDT) ------------------------- event=1:2008120 (5) {udp} E3[rb] ET POLICY Outbound TFTP Read Request, [] MAC_Src: 00:21:5A:08:EC:40 5: 57114->69 (07:37:46.722 PDT-07:38:07.307 PDT) ------------------------- event=1:3001441 (6) {udp} E3[rb] TFTP GET .exe from external source, [] MAC_Src: 00:21:5A:08:EC:40 6: 57114->69 (07:37:46.722 PDT-07:38:12.360 PDT) 81.182.207.19 (07:33:57.821 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 38378<-3742 (07:33:57.821 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368023633.769 1368023892.361 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 66.85.144.12 Egg Source List: 66.85.144.12 C & C List: Peer Coord. List: Resource List: Observed Start: 05/08/2013 08:01:26.027 PDT Gen. 
Time: 05/08/2013 08:01:29.024 PDT INBOUND SCAN EXPLOIT 66.85.144.12 (08:01:26.027 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-4396 (08:01:26.027 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 66.85.144.12 (08:01:29.024 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 34959<-5268 (08:01:29.024 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368025286.027 1368025286.028 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 36.229.193.209 Egg Source List: 36.229.193.209 C & C List: Peer Coord. List: Resource List: Observed Start: 05/08/2013 08:04:18.612 PDT Gen. 
Time: 05/08/2013 08:04:22.632 PDT INBOUND SCAN EXPLOIT 36.229.193.209 (08:04:18.612 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-3519 (08:04:18.612 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 36.229.193.209 (08:04:22.632 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 33637<-3158 (08:04:22.632 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368025458.612 1368025458.613 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 187.11.30.11 Egg Source List: 187.11.30.11 C & C List: Peer Coord. List: Resource List: Observed Start: 05/08/2013 08:32:23.907 PDT Gen. 
Time: 05/08/2013 08:32:27.967 PDT INBOUND SCAN EXPLOIT 187.11.30.11 (08:32:23.907 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-1671 (08:32:23.907 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 187.11.30.11 (08:32:27.967 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 37836<-9932 (08:32:27.967 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368027143.907 1368027143.908 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 78.106.100.145, 216.46.7.118, 128.73.248.39, 207.47.16.70, 187.61.224.175, 190.167.194.227, 187.11.30.11, 79.143.82.179, 78.59.97.75 Egg Source List: 187.11.30.11, 128.73.248.39, 79.143.82.179, 78.59.97.75, 190.167.194.227, 78.106.100.145, 187.61.224.175, 207.47.16.70 C & C List: Peer Coord. List: Resource List: Observed Start: 05/08/2013 08:32:23.907 PDT Gen. 
Time: 05/08/2013 08:39:58.111 PDT INBOUND SCAN EXPLOIT 78.106.100.145 (08:33:17.072 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-3201 (08:33:17.072 PDT) 216.46.7.118 (08:34:29.703 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-45085 (08:34:29.703 PDT) 128.73.248.39 (08:37:36.015 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-4119 (08:37:36.015 PDT) 207.47.16.70 (08:32:58.885 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-4062 (08:32:58.885 PDT) 187.61.224.175 (08:37:12.183 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-2465 (08:37:12.183 PDT) 190.167.194.227 (08:34:33.254 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-1718 (08:34:33.254 PDT) 187.11.30.11 (08:32:23.907 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-1671 (08:32:23.907 PDT) 79.143.82.179 (08:37:19.819 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-4432 (08:37:19.819 PDT) 78.59.97.75 (08:36:46.973 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-2463 (08:36:46.973 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 187.11.30.11 (08:32:27.967 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 37836<-9932 (08:32:27.967 PDT) 128.73.248.39 (08:37:39.286 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 60341<-9012 (08:37:39.286 PDT) 79.143.82.179 (08:37:22.982 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows 
executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 49330<-2657 (08:37:22.982 PDT) 78.59.97.75 (08:36:50.177 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 37655<-5050 (08:36:50.177 PDT) 190.167.194.227 (08:34:36.475 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 41097<-7881 (08:34:36.475 PDT) 78.106.100.145 (08:33:21.431 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 34879<-3045 (08:33:21.431 PDT) 187.61.224.175 (08:37:15.846 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 59760<-6745 (08:37:15.846 PDT) 207.47.16.70 (08:33:02.371 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 46366<-7266 (08:33:02.371 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368027143.907 1368027143.908 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 65.223.214.50 Egg Source List: 192.168.0.101 C & C List: Peer Coord. List: Resource List: Observed Start: 05/08/2013 08:57:41.953 PDT Gen. 
Time: 05/08/2013 08:58:25.064 PDT INBOUND SCAN EXPLOIT 65.223.214.50 (08:57:41.953 PDT) event=1:22465 {tcp} E2[rb] GPL NETBIOS SMB-DS IPC$ share access, [] MAC_Dst: 00:21:5A:08:EC:40 445<-28590 (08:57:41.953 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 192.168.0.101 (08:58:25.064 PDT) event=1:3001441 {udp} E3[rb] TFTP GET .exe from external source, [] MAC_Src: 00:21:5A:08:EC:40 49216->69 (08:58:25.064 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368028661.953 1368028661.954 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 65.223.214.50 Egg Source List: 192.168.0.101 C & C List: Peer Coord. List: Resource List: Observed Start: 05/08/2013 08:57:41.953 PDT Gen. 
Time: 05/08/2013 09:01:49.155 PDT INBOUND SCAN EXPLOIT 65.223.214.50 (08:57:41.953 PDT) event=1:22465 {tcp} E2[rb] GPL NETBIOS SMB-DS IPC$ share access, [] MAC_Dst: 00:21:5A:08:EC:40 445<-28590 (08:57:41.953 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 192.168.0.101 (17) (08:58:25.064 PDT-08:58:50.173 PDT) event=1:1444 (5) {udp} E3[rb] TFTP GET from external source, [] MAC_Src: 00:21:5A:08:EC:40 5: 49216->69 (08:58:25.064 PDT-08:58:45.178 PDT) ------------------------- event=1:2008120 (6) {udp} E3[rb] ET POLICY Outbound TFTP Read Request, [] MAC_Src: 00:21:5A:08:EC:40 6: 49216->69 (08:58:25.064 PDT-08:58:50.173 PDT) ------------------------- event=1:3001441 (6) {udp} E3[rb] TFTP GET .exe from external source, [] MAC_Src: 00:21:5A:08:EC:40 6: 49216->69 (08:58:25.064 PDT-08:58:50.173 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368028661.953 1368028730.174 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 188.32.46.74 Egg Source List: 188.32.46.74 C & C List: Peer Coord. List: Resource List: Observed Start: 05/08/2013 09:08:48.587 PDT Gen. 
Time: 05/08/2013 09:08:54.937 PDT INBOUND SCAN EXPLOIT 188.32.46.74 (09:08:48.587 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-4864 (09:08:48.587 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 188.32.46.74 (09:08:54.937 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 47159<-8609 (09:08:54.937 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368029328.587 1368029328.588 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 24.38.133.199 Egg Source List: 24.38.133.199 C & C List: Peer Coord. List: Resource List: Observed Start: 05/08/2013 09:21:22.784 PDT Gen. 
Time: 05/08/2013 09:21:25.890 PDT INBOUND SCAN EXPLOIT 24.38.133.199 (09:21:22.784 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-4641 (09:21:22.784 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 24.38.133.199 (09:21:25.890 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 35046<-7027 (09:21:25.890 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368030082.784 1368030082.785 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 125.182.230.178 Egg Source List: 125.182.230.178 C & C List: Peer Coord. List: Resource List: Observed Start: 05/08/2013 09:35:41.150 PDT Gen. 
Time: 05/08/2013 09:35:45.380 PDT INBOUND SCAN EXPLOIT 125.182.230.178 (09:35:41.150 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-1657 (09:35:41.150 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 125.182.230.178 (09:35:45.380 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 32962<-4883 (09:35:45.380 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368030941.150 1368030941.151 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 46.117.203.56, 125.182.230.178 Egg Source List: 46.117.203.56, 125.182.230.178 C & C List: Peer Coord. List: Resource List: Observed Start: 05/08/2013 09:35:41.150 PDT Gen. 
Time: 05/08/2013 09:41:31.027 PDT INBOUND SCAN EXPLOIT 46.117.203.56 (09:37:11.028 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-3463 (09:37:11.028 PDT) 125.182.230.178 (09:35:41.150 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-1657 (09:35:41.150 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 46.117.203.56 (09:37:14.655 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 45572<-5692 (09:37:14.655 PDT) 125.182.230.178 (09:35:45.380 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 32962<-4883 (09:35:45.380 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368030941.150 1368030941.151 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 110.234.97.52 Egg Source List: 110.234.97.52 C & C List: Peer Coord. List: Resource List: Observed Start: 05/08/2013 09:45:05.280 PDT Gen. 
Time: 05/08/2013 09:45:08.930 PDT INBOUND SCAN EXPLOIT 110.234.97.52 (09:45:05.280 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-3476 (09:45:05.280 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 110.234.97.52 (09:45:08.930 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 39619<-9119 (09:45:08.930 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368031505.280 1368031505.281 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 31.41.233.29 Egg Source List: 31.41.233.29 C & C List: Peer Coord. List: Resource List: Observed Start: 05/08/2013 09:54:19.570 PDT Gen. 
Time: 05/08/2013 09:54:24.745 PDT INBOUND SCAN EXPLOIT 31.41.233.29 (09:54:19.570 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-1330 (09:54:19.570 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 31.41.233.29 (09:54:24.745 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 49378<-4787 (09:54:24.745 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368032059.570 1368032059.571 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 177.85.1.187, 31.41.233.29, 202.162.78.132 Egg Source List: 177.85.1.187, 31.41.233.29, 202.162.78.132 C & C List: Peer Coord. List: Resource List: Observed Start: 05/08/2013 09:54:19.570 PDT Gen. 
Time: 05/08/2013 10:00:49.285 PDT INBOUND SCAN EXPLOIT 177.85.1.187 (09:55:22.640 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-4837 (09:55:22.640 PDT) 31.41.233.29 (09:54:19.570 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-1330 (09:54:19.570 PDT) 202.162.78.132 (09:56:38.702 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-2181 (09:56:38.702 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 177.85.1.187 (09:55:31.115 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 33982<-4365 (09:55:31.115 PDT) 31.41.233.29 (09:54:24.745 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 49378<-4787 (09:54:24.745 PDT) 202.162.78.132 (09:56:43.038 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 46148<-6169 (09:56:43.038 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368032059.570 1368032059.571 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 211.20.146.226, 209.167.212.219 Egg Source List: 211.20.146.226 C & C List: Peer Coord. List: Resource List: Observed Start: 05/08/2013 10:07:08.994 PDT Gen. 
Time: 05/08/2013 10:07:55.788 PDT INBOUND SCAN EXPLOIT 211.20.146.226 (10:07:52.229 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-2551 (10:07:52.229 PDT) 209.167.212.219 (10:07:08.994 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-1983 (10:07:08.994 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 211.20.146.226 (10:07:55.788 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 38224<-1372 (10:07:55.788 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368032828.994 1368032828.995 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 118.141.181.123, 211.20.146.226, 209.167.212.219 Egg Source List: 118.141.181.123, 211.20.146.226 C & C List: Peer Coord. List: Resource List: Observed Start: 05/08/2013 10:07:08.994 PDT Gen. 
Time: 05/08/2013 10:11:31.481 PDT INBOUND SCAN EXPLOIT 118.141.181.123 (10:08:34.694 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-1082 (10:08:34.694 PDT) 211.20.146.226 (10:07:52.229 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-2551 (10:07:52.229 PDT) 209.167.212.219 (10:07:08.994 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-1983 (10:07:08.994 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 118.141.181.123 (10:08:38.056 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 43426<-9140 (10:08:38.056 PDT) 211.20.146.226 (10:07:55.788 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 38224<-1372 (10:07:55.788 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368032828.994 1368032828.995 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 63.82.6.20 Egg Source List: 63.82.6.20 C & C List: Peer Coord. List: Resource List: Observed Start: 05/08/2013 10:17:05.768 PDT Gen. 
Time: 05/08/2013 10:17:08.908 PDT INBOUND SCAN EXPLOIT 63.82.6.20 (10:17:05.768 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-39223 (10:17:05.768 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 63.82.6.20 (10:17:08.908 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 35969<-7598 (10:17:08.908 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368033425.768 1368033425.769 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 72.0.182.121, 198.100.107.21, 61.42.76.43, 184.106.116.47, 63.82.6.20 Egg Source List: 198.100.107.21, 61.42.76.43, 184.106.116.47, 63.82.6.20 C & C List: Peer Coord. List: Resource List: Observed Start: 05/08/2013 10:17:05.768 PDT Gen. 
Time: 05/08/2013 10:21:59.101 PDT INBOUND SCAN EXPLOIT 72.0.182.121 (10:17:21.611 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-4772 (10:17:21.611 PDT) 198.100.107.21 (10:18:44.422 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-4825 (10:18:44.422 PDT) 61.42.76.43 (10:19:10.765 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-3167 (10:19:10.765 PDT) 184.106.116.47 (10:19:32.000 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-3828 (10:19:32.000 PDT) 63.82.6.20 (10:17:05.768 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-39223 (10:17:05.768 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 198.100.107.21 (10:18:47.861 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 45610<-1918 (10:18:47.861 PDT) 61.42.76.43 (10:19:15.613 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 41182<-6443 (10:19:15.613 PDT) 184.106.116.47 (10:19:35.504 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 50965<-6133 (10:19:35.504 PDT) 63.82.6.20 (10:17:08.908 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 35969<-7598 (10:17:08.908 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT 
SCAN tcpslice 1368033425.768 1368033425.769 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 63.82.6.27 Egg Source List: 63.82.6.27 C & C List: Peer Coord. List: Resource List: Observed Start: 05/08/2013 10:22:49.177 PDT Gen. Time: 05/08/2013 10:22:52.430 PDT INBOUND SCAN EXPLOIT 63.82.6.27 (10:22:49.177 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-4187 (10:22:49.177 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 63.82.6.27 (10:22:52.430 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 59736<-7598 (10:22:52.430 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368033769.177 1368033769.178 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 94.77.5.94 Egg Source List: 94.77.5.94 C & C List: Peer Coord. List: Resource List: Observed Start: 05/08/2013 10:30:36.580 PDT Gen. 
Time: 05/08/2013 10:30:40.760 PDT INBOUND SCAN EXPLOIT 94.77.5.94 (10:30:36.580 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-4659 (10:30:36.580 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 94.77.5.94 (10:30:40.760 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 38320<-2337 (10:30:40.760 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368034236.580 1368034236.581 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 190.39.47.229 Egg Source List: 190.39.47.229 C & C List: Peer Coord. List: Resource List: Observed Start: 05/08/2013 10:41:34.079 PDT Gen. 
Time: 05/08/2013 10:41:37.711 PDT INBOUND SCAN EXPLOIT 190.39.47.229 (10:41:34.079 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-17884 (10:41:34.079 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 190.39.47.229 (10:41:37.711 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 51305<-6964 (10:41:37.711 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368034894.079 1368034894.080 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 190.39.47.229, 142.4.40.242, 78.128.114.99 Egg Source List: 190.39.47.229, 142.4.40.242, 78.128.114.99 C & C List: Peer Coord. List: Resource List: Observed Start: 05/08/2013 10:41:34.079 PDT Gen. 
Time: 05/08/2013 10:47:48.687 PDT INBOUND SCAN EXPLOIT 190.39.47.229 (10:41:34.079 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-17884 (10:41:34.079 PDT) 142.4.40.242 (10:44:14.002 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-1389 (10:44:14.002 PDT) 78.128.114.99 (10:42:55.463 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-16895 (10:42:55.463 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 190.39.47.229 (10:41:37.711 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 51305<-6964 (10:41:37.711 PDT) 142.4.40.242 (10:44:17.068 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 46869<-4564 (10:44:17.068 PDT) 78.128.114.99 (10:42:58.850 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 36252<-7918 (10:42:58.850 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368034894.079 1368034894.080 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 142.4.57.54 Egg Source List: 142.4.57.54 C & C List: Peer Coord. List: Resource List: Observed Start: 05/08/2013 10:54:03.117 PDT Gen. 
Time: 05/08/2013 10:54:08.860 PDT INBOUND SCAN EXPLOIT 142.4.57.54 (10:54:03.117 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-11908 (10:54:03.117 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 142.4.57.54 (10:54:08.860 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 38023<-4564 (10:54:08.860 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368035643.117 1368035643.118 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 142.4.57.54, 142.4.50.5, 210.107.55.100, 203.217.117.5, 192.69.200.104 Egg Source List: 142.4.57.54, 142.4.50.5, 210.107.55.100, 192.69.200.104 C & C List: Peer Coord. List: Resource List: Observed Start: 05/08/2013 10:54:03.117 PDT Gen. 
Time: 05/08/2013 11:07:12.833 PDT
INBOUND SCAN
EXPLOIT
142.4.57.54 (10:54:03.117 PDT)
  event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
  445<-11908 (10:54:03.117 PDT)
142.4.50.5 (11:02:34.713 PDT)
  event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
  445<-3240 (11:02:34.713 PDT)
210.107.55.100 (11:03:01.516 PDT)
  event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
  445<-3149 (11:03:01.516 PDT)
203.217.117.5 (3) (10:57:25.957 PDT)
  event=1:22000032 {tcp} E2[rb] ET EXPLOIT LSA exploit, [] MAC_Dst: 00:21:5A:08:EC:40
  445<-60723 (10:57:26.004 PDT)
  -------------------------
  event=1:22000033 {tcp} E2[rb] ET NETBIOS MS04011 Lsasrv.dll RPC exploit (WinXP), [] MAC_Dst: 00:21:5A:08:EC:40
  445<-60723 (10:57:25.981 PDT)
  -------------------------
  event=1:22514 {tcp} E2[rb] GPL NETBIOS SMB-DS DCERPC LSASS DsRolerUpgradeDownlevelServer exploit attempt, [] MAC_Dst: 00:21:5A:08:EC:40
  445<-60723 (10:57:25.957 PDT)
192.69.200.104 (10:58:52.627 PDT)
  event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
  445<-3522 (10:58:52.627 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
142.4.57.54 (10:54:08.860 PDT)
  event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
  38023<-4564 (10:54:08.860 PDT)
142.4.50.5 (11:02:37.672 PDT)
  event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
  55515<-3973 (11:02:37.672 PDT)
210.107.55.100 (11:03:05.325 PDT)
  event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
  37975<-6443 (11:03:05.325 PDT)
192.69.200.104 (10:58:58.623 PDT)
  event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
  42237<-5722 (10:58:58.623 PDT)
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1368035643.117 1368035643.118 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 217.201.203.208
Egg Source List: 217.201.203.208
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/08/2013 11:23:13.901 PDT
Gen. Time: 05/08/2013 11:23:20.795 PDT
INBOUND SCAN
EXPLOIT
217.201.203.208 (11:23:13.901 PDT)
  event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
  445<-1831 (11:23:13.901 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
217.201.203.208 (11:23:20.795 PDT)
  event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
  40230<-4419 (11:23:20.795 PDT)
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1368037393.901 1368037393.902 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 85.153.17.4, 201.238.80.39
Egg Source List: 201.238.80.39
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/08/2013 11:47:01.357 PDT
Gen. Time: 05/08/2013 11:47:07.479 PDT
INBOUND SCAN
EXPLOIT
85.153.17.4 (11:47:07.699 PDT)
  event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
  445<-2300 (11:47:07.699 PDT)
201.238.80.39 (11:47:01.357 PDT)
  event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
  445<-1462 (11:47:01.357 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
201.238.80.39 (11:47:07.479 PDT)
  event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
  54076<-5823 (11:47:07.479 PDT)
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1368038821.357 1368038821.358 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 212.225.151.149, 201.238.80.39, 178.27.8.28, 190.196.2.51, 70.107.237.215, 176.32.176.130, 95.0.90.23, 180.173.24.94, 85.153.17.4
Egg Source List: 85.153.17.4, 201.238.80.39, 95.0.90.23, 70.107.237.215, 178.27.8.28
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/08/2013 11:47:01.357 PDT
Gen. Time: 05/08/2013 12:00:29.596 PDT
INBOUND SCAN
EXPLOIT
212.225.151.149 (11:56:14.587 PDT)
  event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
  445<-2303 (11:56:14.587 PDT)
201.238.80.39 (11:47:01.357 PDT)
  event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
  445<-1462 (11:47:01.357 PDT)
178.27.8.28 (11:52:17.230 PDT)
  event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
  445<-2025 (11:52:17.230 PDT)
190.196.2.51 (11:48:56.562 PDT)
  event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
  445<-47224 (11:48:56.562 PDT)
70.107.237.215 (11:47:26.142 PDT)
  event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
  445<-1275 (11:47:26.142 PDT)
176.32.176.130 (11:50:47.963 PDT)
  event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
  445<-4886 (11:50:47.963 PDT)
95.0.90.23 (11:48:11.088 PDT)
  event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
  445<-1533 (11:48:11.088 PDT)
180.173.24.94 (11:54:24.906 PDT)
  event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
  445<-3428 (11:54:24.906 PDT)
85.153.17.4 (11:47:07.699 PDT)
  event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
  445<-2300 (11:47:07.699 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
85.153.17.4 (11:47:16.339 PDT)
  event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
  36836<-1933 (11:47:16.339 PDT)
201.238.80.39 (11:47:07.479 PDT)
  event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
  54076<-5823 (11:47:07.479 PDT)
95.0.90.23 (11:48:21.331 PDT)
  event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
  51584<-6127 (11:48:21.331 PDT)
70.107.237.215 (11:47:30.984 PDT)
  event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
  42487<-7460 (11:47:30.984 PDT)
178.27.8.28 (11:52:22.757 PDT)
  event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
  41191<-2037 (11:52:22.757 PDT)
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1368038821.357 1368038821.358 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================