Score: 1.3 (>= 0.8)
Infected Target: 192.168.1.234
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/10/2013 12:04:34.259 PDT
Gen. Time: 05/10/2013 13:41:48.859 PDT

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
 192.47.243.135 (12:04:46.738 PDT)
  event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA
  25341->22 (12:04:46.738 PDT)
 192.47.243.68 (12:04:34.580 PDT)
  event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:21:1C:EE:14:00
  25341->22 (12:04:34.580 PDT)
 192.47.243.130 (12:04:45.969 PDT)
  event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA
  25341->22 (12:04:45.969 PDT)
 192.47.243.137 (2) (12:04:47.057 PDT)
  event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:21:1C:EE:14:00
  25341->22 (12:04:47.057 PDT)
  -------------------------
  event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:21:1C:EE:14:00
  25341->22 (12:04:47.057 PDT)
 192.47.243.71 (12:04:35.127 PDT)
  event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA
  25341->22 (12:04:35.127 PDT)
 192.47.243.67 (5) (12:04:37.707 PDT)
  event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:21:1C:EE:14:00
  2837->22 (12:04:37.707 PDT)
  -------------------------
  event=1:2001569 {tcp} E5[rb] ET SCAN Behavioral Unusual Port NETBIOS traffic, Potential Scan or Infection (60 in 60 secs), [] MAC_Src: 00:21:1C:EE:14:00
  2657->445 (12:04:43.964 PDT)
  -------------------------
  event=1:2002992 {tcp} E5[rb] ET SCAN Rapid POP3 Connections - Possible Brute Force Attack, [] MAC_Src: 00:21:1C:EE:14:00
  2657->110 (12:04:44.380 PDT)
  -------------------------
  event=1:2003068 (2) {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:21:1C:EE:14:00
  2837->22 (12:04:37.707 PDT)
  2657->22 (12:04:43.401 PDT)
 192.47.243.132 (12:04:46.277 PDT)
  event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:21:1C:EE:14:00
  25341->22 (12:04:46.277 PDT)
 192.47.243.66 (5) (12:04:34.259 PDT)
  event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:21:1C:EE:14:00
  4848->22 (12:04:43.481 PDT)
  -------------------------
  event=1:2003068 (4) {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA
  25341->22 (12:04:34.259 PDT)
  2837->22 (12:04:37.787 PDT)
  4848->22 (12:04:43.481 PDT)
  4848->22 (12:04:43.481 PDT)
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN
 192.47.243.2 (13:41:48.859 PDT)
  event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 34 IPs (1 /24s) (# pkts S/M/O/I=97/641/0/0): 22:33, 139:33, 445:33, 5000:33, 136:32, 137:32, 138:32, 559:32, 1025:32, 1433:32, 2067:32, 2100:32, 3127:32, 3306:32, 4445:32, 5554:32, 9996:32, 27374:32, 10000:31, 6129:30, [] MAC_Src: 00:01:64:FF:CE:EA
  0->0 (13:41:48.859 PDT)

tcpslice 1368212674.259 1368212674.260 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.234'

============================== SEPARATOR ================================

Score: 1.3 (>= 0.8)
Infected Target: 192.168.1.234
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/10/2013 12:04:34.259 PDT
Gen. Time: 05/10/2013 16:26:22.876 PDT

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
 192.47.243.135 (12:04:46.738 PDT)
  event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA
  25341->22 (12:04:46.738 PDT)
 192.47.243.68 (12:04:34.580 PDT)
  event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:21:1C:EE:14:00
  25341->22 (12:04:34.580 PDT)
 192.47.243.130 (12:04:45.969 PDT)
  event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA
  25341->22 (12:04:45.969 PDT)
 192.47.243.137 (2) (12:04:47.057 PDT)
  event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:21:1C:EE:14:00
  25341->22 (12:04:47.057 PDT)
  -------------------------
  event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:21:1C:EE:14:00
  25341->22 (12:04:47.057 PDT)
 192.47.243.71 (12:04:35.127 PDT)
  event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA
  25341->22 (12:04:35.127 PDT)
 192.47.243.67 (5) (12:04:37.707 PDT)
  event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:21:1C:EE:14:00
  2837->22 (12:04:37.707 PDT)
  -------------------------
  event=1:2001569 {tcp} E5[rb] ET SCAN Behavioral Unusual Port NETBIOS traffic, Potential Scan or Infection (60 in 60 secs), [] MAC_Src: 00:21:1C:EE:14:00
  2657->445 (12:04:43.964 PDT)
  -------------------------
  event=1:2002992 {tcp} E5[rb] ET SCAN Rapid POP3 Connections - Possible Brute Force Attack, [] MAC_Src: 00:21:1C:EE:14:00
  2657->110 (12:04:44.380 PDT)
  -------------------------
  event=1:2003068 (2) {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:21:1C:EE:14:00
  2837->22 (12:04:37.707 PDT)
  2657->22 (12:04:43.401 PDT)
 192.47.243.132 (12:04:46.277 PDT)
  event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:21:1C:EE:14:00
  25341->22 (12:04:46.277 PDT)
 192.47.243.66 (5) (12:04:34.259 PDT)
  event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:21:1C:EE:14:00
  4848->22 (12:04:43.481 PDT)
  -------------------------
  event=1:2003068 (4) {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA
  25341->22 (12:04:34.259 PDT)
  2837->22 (12:04:37.787 PDT)
  4848->22 (12:04:43.481 PDT)
  4848->22 (12:04:43.481 PDT)
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN
 192.47.243.2 (13:41:48.859 PDT)
  event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 34 IPs (1 /24s) (# pkts S/M/O/I=97/641/0/0): 22:33, 139:33, 445:33, 5000:33, 136:32, 137:32, 138:32, 559:32, 1025:32, 1433:32, 2067:32, 2100:32, 3127:32, 3306:32, 4445:32, 5554:32, 9996:32, 27374:32, 10000:31, 6129:30, [] MAC_Src: 00:01:64:FF:CE:EA
  0->0 (13:41:48.859 PDT)
 192.47.243.0 (14:59:53.249 PDT)
  event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 66 IPs (1 /24s) (# pkts S/M/O/I=193/1271/0/0): 22:65, 139:65, 445:65, 137:64, 138:64, 559:64, 1433:64, 2100:64, 3127:64, 4445:64, 5000:64, 9996:64, 136:63, 2067:63, 3306:63, 5554:63, 10000:63, 27374:63, 1025:62, 6129:60, [] MAC_Src: 00:01:64:FF:CE:EA
  0->0 (14:59:53.249 PDT)

tcpslice 1368212674.259 1368212674.260 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.234'

============================== SEPARATOR ================================

Score: 1.3 (>= 0.8)
Infected Target: 192.168.1.234
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/10/2013 16:27:06.255 PDT
Gen. Time: 05/10/2013 16:47:46.755 PDT

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
 192.47.243.198 (17) (16:27:06.255 PDT)
  event=1:2001219 (2) {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:21:1C:EE:14:00
  3271->22 (16:27:17.833 PDT)
  67->22 (16:27:33.977 PDT)
  -------------------------
  event=1:2001569 {tcp} E5[rb] ET SCAN Behavioral Unusual Port NETBIOS traffic, Potential Scan or Infection (60 in 60 secs), [] MAC_Src: 00:21:1C:EE:14:00
  20->139 (16:27:31.101 PDT)
  -------------------------
  event=1:2002911 {tcp} E5[rb] ET SCAN Potential VNC Scan 5900-5920, [] MAC_Src: 00:01:64:FF:CE:EA
  16225->5900 (16:29:49.377 PDT)
  -------------------------
  event=1:2002992 {tcp} E5[rb] ET SCAN Rapid POP3 Connections - Possible Brute Force Attack, [] MAC_Src: 00:21:1C:EE:14:00
  20->110 (16:27:29.654 PDT)
  -------------------------
  event=1:2002994 {tcp} E5[rb] ET SCAN Rapid IMAP Connections - Possible Brute Force Attack, [] MAC_Src: 00:21:1C:EE:14:00
  20->143 (16:27:29.792 PDT)
  -------------------------
  event=1:2003068 (11) {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA
  4697->22 (16:27:06.255 PDT)
  3543->22 (16:27:12.050 PDT)
  3271->22 (16:27:17.833 PDT)
  3271->22 (16:27:17.833 PDT)
  21->22 (16:27:26.085 PDT)
  20->22 (16:27:28.743 PDT)
  53->22 (16:27:31.361 PDT)
  67->22 (16:27:33.977 PDT)
  1034->22 (16:27:39.183 PDT)
  34561->22 (16:27:41.832 PDT)
  14974->22 (16:29:05.888 PDT)
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN
 192.47.243.0 (16:47:46.755 PDT)
  event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 97 IPs (1 /24s) (# pkts S/M/O/I=287/1904/0/0): 22:96, 139:96, 445:96, 3127:96, 5554:96, 27374:96, 136:95, 137:95, 138:95, 559:95, 1025:95, 1433:95, 2067:95, 2100:95, 3306:95, 4445:95, 5000:95, 9996:95, 10000:95, 6129:93, [] MAC_Src: 00:01:64:FF:CE:EA
  0->0 (16:47:46.755 PDT)

tcpslice 1368228426.255 1368228426.256 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.234'

============================== SEPARATOR ================================