Score: 1.3 (>= 0.8)
Infected Target: 192.168.1.234
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/09/2013 13:29:59.323 PDT
Gen. Time: 05/09/2013 16:05:10.762 PDT

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
192.47.243.131 (2) (13:30:00.291 PDT)
  event=1:2002992 {tcp} E5[rb] ET SCAN Rapid POP3 Connections - Possible Brute Force Attack, [] MAC_Src: 00:21:1C:EE:14:00
    3541->110 (13:30:01.273 PDT)
  -------------------------
  event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA
    3541->22 (13:30:00.291 PDT)
192.47.243.138 (3) (13:30:05.407 PDT)
  event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:21:1C:EE:14:00
    2962->22 (13:30:05.407 PDT)
  -------------------------
  event=1:2003068 (2) {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA
    2962->22 (13:30:05.407 PDT)
    2962->22 (13:30:05.407 PDT)
192.47.243.137 (2) (13:30:00.419 PDT)
  event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:21:1C:EE:14:00
    25341->22 (13:30:00.419 PDT)
  -------------------------
  event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:21:1C:EE:14:00
    25341->22 (13:30:00.419 PDT)
192.47.243.152 (2) (13:30:03.159 PDT)
  event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:21:1C:EE:14:00
    25341->22 (13:30:03.159 PDT)
  -------------------------
  event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:21:1C:EE:14:00
    25341->22 (13:30:03.159 PDT)
192.47.243.136 (2) (13:30:01.501 PDT)
  event=1:2001569 {tcp} E5[rb] ET SCAN Behavioral Unusual Port NETBIOS traffic, Potential Scan or Infection (60 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA
    3781->445 (13:30:02.122 PDT)
  -------------------------
  event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA
    3781->22 (13:30:01.501 PDT)
192.47.243.135 (13:30:00.147 PDT)
  event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:21:1C:EE:14:00
    25341->22 (13:30:00.147 PDT)
192.47.243.142 (13:30:01.210 PDT)
  event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:21:1C:EE:14:00
    25341->22 (13:30:01.210 PDT)
192.47.243.157 (13:30:04.017 PDT)
  event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:21:1C:EE:14:00
    25341->22 (13:30:04.017 PDT)
192.47.243.133 (13:29:59.323 PDT)
  event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA
    25341->22 (13:29:59.323 PDT)
192.47.243.140 (13:30:00.890 PDT)
  event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA
    25341->22 (13:30:00.890 PDT)
192.47.243.155 (13:30:03.670 PDT)
  event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA
    25341->22 (13:30:03.670 PDT)
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN
192.47.243.20 (16:05:10.762 PDT)
  event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 32 IPs (1 /24s) (# pkts S/M/O/I=96/636/0/0): 22:32, 136:32, 137:32, 139:32, 445:32, 559:32, 1025:32, 1433:32, 2067:32, 2100:32, 3127:32, 3306:32, 4445:32, 5000:32, 5554:32, 9996:32, 10000:32, 27374:32, 138:31, 6129:29, [] MAC_Src: 00:01:64:FF:CE:EA
    0->0 (16:05:10.762 PDT)

tcpslice 1368131399.323 1368131399.324 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.234'

============================== SEPARATOR ================================

Score: 1.3 (>= 0.8)
Infected Target: 192.168.1.234
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/09/2013 13:29:59.323 PDT
Gen. Time: 05/09/2013 17:51:04.007 PDT

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
192.47.243.131 (2) (13:30:00.291 PDT)
  event=1:2002992 {tcp} E5[rb] ET SCAN Rapid POP3 Connections - Possible Brute Force Attack, [] MAC_Src: 00:21:1C:EE:14:00
    3541->110 (13:30:01.273 PDT)
  -------------------------
  event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA
    3541->22 (13:30:00.291 PDT)
192.47.243.138 (3) (13:30:05.407 PDT)
  event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:21:1C:EE:14:00
    2962->22 (13:30:05.407 PDT)
  -------------------------
  event=1:2003068 (2) {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA
    2962->22 (13:30:05.407 PDT)
    2962->22 (13:30:05.407 PDT)
192.47.243.137 (2) (13:30:00.419 PDT)
  event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:21:1C:EE:14:00
    25341->22 (13:30:00.419 PDT)
  -------------------------
  event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:21:1C:EE:14:00
    25341->22 (13:30:00.419 PDT)
192.47.243.152 (2) (13:30:03.159 PDT)
  event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:21:1C:EE:14:00
    25341->22 (13:30:03.159 PDT)
  -------------------------
  event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:21:1C:EE:14:00
    25341->22 (13:30:03.159 PDT)
192.47.243.136 (2) (13:30:01.501 PDT)
  event=1:2001569 {tcp} E5[rb] ET SCAN Behavioral Unusual Port NETBIOS traffic, Potential Scan or Infection (60 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA
    3781->445 (13:30:02.122 PDT)
  -------------------------
  event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA
    3781->22 (13:30:01.501 PDT)
192.47.243.135 (13:30:00.147 PDT)
  event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:21:1C:EE:14:00
    25341->22 (13:30:00.147 PDT)
192.47.243.142 (13:30:01.210 PDT)
  event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:21:1C:EE:14:00
    25341->22 (13:30:01.210 PDT)
192.47.243.157 (13:30:04.017 PDT)
  event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:21:1C:EE:14:00
    25341->22 (13:30:04.017 PDT)
192.47.243.133 (13:29:59.323 PDT)
  event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA
    25341->22 (13:29:59.323 PDT)
192.47.243.140 (13:30:00.890 PDT)
  event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA
    25341->22 (13:30:00.890 PDT)
192.47.243.155 (13:30:03.670 PDT)
  event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA
    25341->22 (13:30:03.670 PDT)
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN
192.47.243.212 (17:26:44.559 PDT)
  event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 65 IPs (1 /24s) (# pkts S/M/O/I=194/1271/0/0): 22:65, 139:65, 445:65, 559:64, 2067:64, 3127:64, 4445:64, 5554:64, 9996:64, 10000:64, 136:63, 137:63, 1025:63, 1433:63, 2100:63, 3306:63, 5000:63, 27374:63, 138:62, 6129:62, [] MAC_Src: 00:01:64:FF:CE:EA
    0->0 (17:26:44.559 PDT)
192.47.243.20 (16:05:10.762 PDT)
  event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 32 IPs (1 /24s) (# pkts S/M/O/I=96/636/0/0): 22:32, 136:32, 137:32, 139:32, 445:32, 559:32, 1025:32, 1433:32, 2067:32, 2100:32, 3127:32, 3306:32, 4445:32, 5000:32, 5554:32, 9996:32, 10000:32, 27374:32, 138:31, 6129:29, [] MAC_Src: 00:01:64:FF:CE:EA
    0->0 (16:05:10.762 PDT)

tcpslice 1368131399.323 1368131399.324 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.234'

============================== SEPARATOR ================================

Score: 1.3 (>= 0.8)
Infected Target: 192.168.1.234
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/09/2013 17:51:32.142 PDT
Gen. Time: 05/09/2013 19:37:39.641 PDT

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
192.47.243.188 (17) (17:51:32.142 PDT)
  event=1:2001219 (2) {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:21:1C:EE:14:00
    1531->22 (17:51:43.592 PDT)
    67->22 (17:51:59.685 PDT)
  -------------------------
  event=1:2001569 {tcp} E5[rb] ET SCAN Behavioral Unusual Port NETBIOS traffic, Potential Scan or Infection (60 in 60 secs), [] MAC_Src: 00:21:1C:EE:14:00
    20->139 (17:51:56.898 PDT)
  -------------------------
  event=1:2002910 {tcp} E5[rb] ET SCAN Potential VNC Scan 5800-5820, [] MAC_Src: 00:01:64:FF:CE:EA
    54445->5800 (17:53:50.287 PDT)
  -------------------------
  event=1:2002911 {tcp} E5[rb] ET SCAN Potential VNC Scan 5900-5920, [] MAC_Src: 00:01:64:FF:CE:EA
    54258->5902 (17:53:44.022 PDT)
  -------------------------
  event=1:2002992 {tcp} E5[rb] ET SCAN Rapid POP3 Connections - Possible Brute Force Attack, [] MAC_Src: 00:21:1C:EE:14:00
    20->110 (17:51:55.449 PDT)
  -------------------------
  event=1:2002994 {tcp} E5[rb] ET SCAN Rapid IMAP Connections - Possible Brute Force Attack, [] MAC_Src: 00:21:1C:EE:14:00
    20->143 (17:51:55.600 PDT)
  -------------------------
  event=1:2003068 (10) {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA
    2600->22 (17:51:32.142 PDT)
    1943->22 (17:51:37.907 PDT)
    1531->22 (17:51:43.592 PDT)
    1531->22 (17:51:43.592 PDT)
    21->22 (17:51:51.954 PDT)
    20->22 (17:51:54.501 PDT)
    53->22 (17:51:57.137 PDT)
    67->22 (17:51:59.685 PDT)
    1034->22 (17:52:04.960 PDT)
    34561->22 (17:52:07.683 PDT)
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN
192.47.243.15 (19:37:39.641 PDT)
  event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 34 IPs (1 /24s) (# pkts S/M/O/I=97/637/0/0): 22:33, 139:33, 137:32, 138:32, 445:32, 559:32, 1025:32, 1433:32, 2067:32, 3127:32, 4445:32, 5000:32, 9996:32, 10000:32, 27374:32, 136:31, 2100:31, 3306:31, 5554:31, 6129:31, [] MAC_Src: 00:01:64:FF:CE:EA
    0->0 (19:37:39.641 PDT)

tcpslice 1368147092.142 1368147092.143 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.234'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.234
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/09/2013 19:37:47.966 PDT
Gen. Time: 05/09/2013 19:37:47.966 PDT

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN
192.47.243.21 (19:37:47.966 PDT)
  event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 37 IPs (1 /24s) (# pkts S/M/O/I=107/715/8435/0): 6129:37, 22:36, 137:36, 138:36, 139:36, 559:36, 1025:36, 2067:36, 3127:36, 4445:36, 5000:36, 9996:36, 10000:36, 27374:36, 136:35, 445:35, 1433:35, 2100:35, 3306:35, 5554:35, [] MAC_Src: 00:01:64:FF:CE:EA
    0->0 (19:37:47.966 PDT)

tcpslice 1368153467.966 1368153467.967 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.234'

============================== SEPARATOR ================================