Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.41
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/12/2013 00:05:39.988 PDT
Gen. Time: 05/12/2013 00:06:30.430 PDT
INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
192.52.240.214 (00:06:30.430 PDT)
  event=777:7777005 {tcp} E5[bh] Detected moderate malware port scanning of 10 IPs (10 /24s) (# pkts S/M/O/I=0/10/0/0): 22:10, [] MAC_Src: 00:01:64:FF:CE:EA
  0->0 (00:06:30.430 PDT)
OUTBOUND SCAN
128.111.52.58 (00:06:19.157 PDT)
  event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA
  56801->22 (00:06:19.157 PDT)
131.179.150.70 (2) (00:06:22.172 PDT)
  event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA
  50927->22 (00:06:22.172 PDT)
  -------------------------
  event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA
  50927->22 (00:06:22.172 PDT)
158.130.6.254 (00:05:51.315 PDT)
  event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA
  47392->22 (00:05:51.315 PDT)
128.42.142.45 (00:05:39.988 PDT)
  event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA
  56166->22 (00:05:39.988 PDT)
192.52.240.214 (2) (00:06:00.296 PDT)
  event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA
  43386->22 (00:06:00.296 PDT)
  -------------------------
  event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA
  43386->22 (00:06:00.296 PDT)
204.123.28.56 (00:05:43.512 PDT)
  event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA
  48841->22 (00:05:43.512 PDT)
204.8.155.227 (00:06:08.694 PDT)
  event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA
  43812->22 (00:06:08.694 PDT)
141.212.113.180 (00:06:15.482 PDT)
  event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA
  41690->22 (00:06:15.482 PDT)
152.3.138.6 (00:06:28.992 PDT)
  event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA
  52511->22 (00:06:28.992 PDT)
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1368342339.988 1368342339.989 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41'

============================== SEPARATOR ================================

Score: 1.6 (>= 0.8)
Infected Target: 192.168.1.41
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/12/2013 00:05:39.988 PDT
Gen. Time: 05/12/2013 00:17:40.794 PDT
INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
192.52.240.214 (00:06:30.430 PDT)
  event=777:7777005 {tcp} E5[bh] Detected moderate malware port scanning of 10 IPs (10 /24s) (# pkts S/M/O/I=0/10/0/0): 22:10, [] MAC_Src: 00:01:64:FF:CE:EA
  0->0 (00:06:30.430 PDT)
OUTBOUND SCAN
128.111.52.58 (00:06:19.157 PDT)
  event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA
  56801->22 (00:06:19.157 PDT)
128.208.4.197 (00:06:41.694 PDT)
  event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA
  52360->22 (00:06:41.694 PDT)
152.14.93.140 (00:06:37.044 PDT)
  event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA
  37426->22 (00:06:37.044 PDT)
131.179.150.70 (2) (00:06:22.172 PDT)
  event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA
  50927->22 (00:06:22.172 PDT)
  -------------------------
  event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA
  50927->22 (00:06:22.172 PDT)
155.246.12.164 (00:07:02.837 PDT)
  event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA
  59116->22 (00:07:02.837 PDT)
158.130.6.254 (00:05:51.315 PDT)
  event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA
  47392->22 (00:05:51.315 PDT)
128.42.142.45 (00:05:39.988 PDT)
  event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA
  56166->22 (00:05:39.988 PDT)
192.52.240.214 (2) (00:06:00.296 PDT)
  event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA
  43386->22 (00:06:00.296 PDT)
  -------------------------
  event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA
  43386->22 (00:06:00.296 PDT)
204.123.28.56 (00:05:43.512 PDT)
  event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA
  48841->22 (00:05:43.512 PDT)
204.8.155.227 (00:06:08.694 PDT)
  event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA
  43812->22 (00:06:08.694 PDT)
192.52.240.213 (00:06:51.870 PDT)
  event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA
  47788->22 (00:06:51.870 PDT)
141.212.113.180 (00:06:15.482 PDT)
  event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA
  41690->22 (00:06:15.482 PDT)
128.111.52.59 (2) (00:06:44.837 PDT)
  event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA
  51630->22 (00:06:44.837 PDT)
  -------------------------
  event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA
  51630->22 (00:06:44.837 PDT)
152.3.138.6 (00:06:28.992 PDT)
  event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA
  52511->22 (00:06:28.992 PDT)
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN
13.7.64.20 (6) (00:07:47.055 PDT-00:15:27.723 PDT)
  event=777:7777008 (6) {tcp} E8[bh] Detected intense malware port scanning of 37 IPs (23 /24s) (# pkts S/M/O/I=0/37/0/0): 22:37, [] MAC_Src: 00:01:64:FF:CE:EA
  2: 0->0 (00:13:54.546 PDT-00:15:27.723 PDT)
  2: 0->0 (00:10:48.021 PDT-00:12:18.150 PDT)
  0->0 (00:09:18.068 PDT)
  0->0 (00:07:47.055 PDT)

tcpslice 1368342339.988 1368342927.724 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.41
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/12/2013 00:22:35.131 PDT
Gen. Time: 05/12/2013 00:22:35.131 PDT
INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN
13.7.64.20 (00:22:35.131 PDT)
  event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 37 IPs (23 /24s) (# pkts S/M/O/I=0/37/0/0): 22:37, [] MAC_Src: 00:01:64:FF:CE:EA
  0->0 (00:22:35.131 PDT)

tcpslice 1368343355.131 1368343355.132 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41'

============================== SEPARATOR ================================

Score: 1.3 (>= 0.8)
Infected Target: 192.168.1.41
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/12/2013 00:22:35.131 PDT
Gen. Time: 05/12/2013 00:31:51.379 PDT
INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
128.111.52.58 (00:25:25.416 PDT)
  event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA
  56978->22 (00:25:25.416 PDT)
128.208.4.197 (00:25:47.157 PDT)
  event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA
  52537->22 (00:25:47.157 PDT)
152.14.93.140 (00:25:41.672 PDT)
  event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA
  37603->22 (00:25:41.672 PDT)
131.179.150.70 (2) (00:25:27.897 PDT)
  event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA
  51104->22 (00:25:27.897 PDT)
  -------------------------
  event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA
  51104->22 (00:25:27.897 PDT)
155.246.12.164 (00:26:06.625 PDT)
  event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA
  59293->22 (00:26:06.625 PDT)
158.130.6.254 (00:24:56.885 PDT)
  event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA
  47569->22 (00:24:56.885 PDT)
128.42.142.45 (00:24:46.124 PDT)
  event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA
  56343->22 (00:24:46.124 PDT)
192.52.240.214 (2) (00:25:05.553 PDT)
  event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA
  43563->22 (00:25:05.553 PDT)
  -------------------------
  event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA
  43563->22 (00:25:05.553 PDT)
204.123.28.56 (00:24:50.172 PDT)
  event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA
  49018->22 (00:24:50.172 PDT)
204.8.155.227 (00:25:14.149 PDT)
  event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA
  43989->22 (00:25:14.149 PDT)
192.52.240.213 (00:25:56.671 PDT)
  event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA
  47965->22 (00:25:56.671 PDT)
141.212.113.180 (00:25:21.188 PDT)
  event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA
  41867->22 (00:25:21.188 PDT)
128.111.52.59 (2) (00:25:50.691 PDT)
  event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA
  51807->22 (00:25:50.691 PDT)
  -------------------------
  event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA
  51807->22 (00:25:50.691 PDT)
152.3.138.6 (00:25:33.809 PDT)
  event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA
  52688->22 (00:25:33.809 PDT)
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN
13.7.64.20 (4) (00:22:35.131 PDT-00:27:39.169 PDT)
  event=777:7777008 (4) {tcp} E8[bh] Detected intense malware port scanning of 37 IPs (23 /24s) (# pkts S/M/O/I=0/37/0/0): 22:37, [] MAC_Src: 00:01:64:FF:CE:EA
  4: 0->0 (00:22:35.131 PDT-00:27:39.169 PDT)

tcpslice 1368343355.131 1368343659.170 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.41
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/12/2013 00:35:13.184 PDT
Gen. Time: 05/12/2013 00:35:13.184 PDT
INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN
13.7.64.20 (00:35:13.184 PDT)
  event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 37 IPs (23 /24s) (# pkts S/M/O/I=0/37/0/0): 22:37, [] MAC_Src: 00:01:64:FF:CE:EA
  0->0 (00:35:13.184 PDT)

tcpslice 1368344113.184 1368344113.185 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41'

============================== SEPARATOR ================================

Score: 1.3 (>= 0.8)
Infected Target: 192.168.1.41
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/12/2013 00:35:13.184 PDT
Gen. Time: 05/12/2013 00:43:20.855 PDT
INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
152.14.93.139 (00:39:07.878 PDT)
  event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA
  51821->22 (00:39:07.878 PDT)
13.7.64.22 (00:35:58.246 PDT)
  event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA
  38776->22 (00:35:58.246 PDT)
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN
13.7.64.20 (4) (00:35:13.184 PDT-00:39:56.006 PDT)
  event=777:7777008 (4) {tcp} E8[bh] Detected intense malware port scanning of 37 IPs (23 /24s) (# pkts S/M/O/I=0/37/0/0): 22:37, [] MAC_Src: 00:01:64:FF:CE:EA
  4: 0->0 (00:35:13.184 PDT-00:39:56.006 PDT)

tcpslice 1368344113.184 1368344396.007 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.41
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/12/2013 00:43:47.993 PDT
Gen. Time: 05/12/2013 00:43:47.993 PDT
INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN
13.7.64.20 (00:43:47.993 PDT)
  event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 37 IPs (23 /24s) (# pkts S/M/O/I=0/37/0/0): 22:37, [] MAC_Src: 00:01:64:FF:CE:EA
  0->0 (00:43:47.993 PDT)

tcpslice 1368344627.993 1368344627.994 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41'

============================== SEPARATOR ================================

Score: 1.3 (>= 0.8)
Infected Target: 192.168.1.41
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/12/2013 00:43:47.993 PDT
Gen. Time: 05/12/2013 00:50:36.606 PDT
INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
128.111.52.58 (00:44:32.552 PDT)
  event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA
  57157->22 (00:44:32.552 PDT)
128.208.4.197 (00:44:53.975 PDT)
  event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA
  52716->22 (00:44:53.975 PDT)
152.14.93.140 (00:44:48.797 PDT)
  event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA
  37782->22 (00:44:48.797 PDT)
131.179.150.70 (2) (00:44:34.988 PDT)
  event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA
  51283->22 (00:44:34.988 PDT)
  -------------------------
  event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA
  51283->22 (00:44:34.988 PDT)
155.246.12.164 (00:45:14.709 PDT)
  event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA
  59472->22 (00:45:14.709 PDT)
158.130.6.254 (00:44:05.118 PDT)
  event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA
  47748->22 (00:44:05.118 PDT)
128.42.142.45 (00:43:54.094 PDT)
  event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA
  56522->22 (00:43:54.094 PDT)
192.52.240.214 (2) (00:44:14.055 PDT)
  event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA
  43742->22 (00:44:14.055 PDT)
  -------------------------
  event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA
  43742->22 (00:44:14.055 PDT)
204.123.28.56 (00:43:57.537 PDT)
  event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA
  49197->22 (00:43:57.537 PDT)
204.8.155.227 (00:44:22.321 PDT)
  event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA
  44168->22 (00:44:22.321 PDT)
192.52.240.213 (00:45:04.165 PDT)
  event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA
  48144->22 (00:45:04.165 PDT)
141.212.113.180 (00:44:28.820 PDT)
  event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA
  42046->22 (00:44:28.820 PDT)
128.111.52.59 (2) (00:44:57.359 PDT)
  event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA
  51986->22 (00:44:57.359 PDT)
  -------------------------
  event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA
  51986->22 (00:44:57.359 PDT)
152.3.138.6 (00:44:41.643 PDT)
  event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA
  52867->22 (00:44:41.643 PDT)
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN
13.7.64.20 (3) (00:43:47.993 PDT-00:46:48.148 PDT)
  event=777:7777008 (3) {tcp} E8[bh] Detected intense malware port scanning of 37 IPs (23 /24s) (# pkts S/M/O/I=0/37/0/0): 22:37, [] MAC_Src: 00:01:64:FF:CE:EA
  3: 0->0 (00:43:47.993 PDT-00:46:48.148 PDT)

tcpslice 1368344627.993 1368344808.149 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.41
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/12/2013 00:47:44.040 PDT
Gen. Time: 05/12/2013 00:47:44.040 PDT
INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN
13.7.64.20 (00:47:44.040 PDT)
  event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 37 IPs (23 /24s) (# pkts S/M/O/I=0/37/0/0): 22:37, [] MAC_Src: 00:01:64:FF:CE:EA
  0->0 (00:47:44.040 PDT)

tcpslice 1368344864.040 1368344864.041 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.41
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/12/2013 01:00:26.662 PDT
Gen. Time: 05/12/2013 01:03:31.484 PDT
INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
131.179.150.70 (01:03:31.484 PDT)
  event=777:7777005 {tcp} E5[bh] Detected moderate malware port scanning of 10 IPs (10 /24s) (# pkts S/M/O/I=0/10/0/0): 22:10, [] MAC_Src: 00:01:64:FF:CE:EA
  0->0 (01:03:31.484 PDT)
OUTBOUND SCAN
128.111.52.58 (01:03:28.441 PDT)
  event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA
  57333->22 (01:03:28.441 PDT)
204.8.155.227 (01:03:13.577 PDT)
  event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA
  44344->22 (01:03:13.577 PDT)
128.42.142.45 (01:02:50.386 PDT)
  event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA
  56701->22 (01:02:50.386 PDT)
13.7.64.22 (01:00:26.662 PDT)
  event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA
  38954->22 (01:00:26.662 PDT)
204.123.28.56 (01:02:54.065 PDT)
  event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA
  49376->22 (01:02:54.065 PDT)
141.212.113.180 (01:03:22.280 PDT)
  event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA
  42222->22 (01:03:22.280 PDT)
192.52.240.214 (2) (01:03:06.604 PDT)
  event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA
  43919->22 (01:03:06.604 PDT)
  -------------------------
  event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA
  43919->22 (01:03:06.604 PDT)
158.130.6.254 (01:02:58.775 PDT)
  event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA
  47926->22 (01:02:58.775 PDT)
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1368345626.662 1368345626.663 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41'

============================== SEPARATOR ================================

Score: 1.6 (>= 0.8)
Infected Target: 192.168.1.41
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/12/2013 01:00:26.662 PDT
Gen. Time: 05/12/2013 01:10:42.260 PDT
INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
131.179.150.70 (01:03:31.484 PDT)
  event=777:7777005 {tcp} E5[bh] Detected moderate malware port scanning of 10 IPs (10 /24s) (# pkts S/M/O/I=0/10/0/0): 22:10, [] MAC_Src: 00:01:64:FF:CE:EA
  0->0 (01:03:31.484 PDT)
OUTBOUND SCAN
128.111.52.58 (01:03:28.441 PDT)
  event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA
  57333->22 (01:03:28.441 PDT)
128.208.4.197 (2) (01:03:53.770 PDT)
  event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA
  52897->22 (01:03:53.770 PDT)
  -------------------------
  event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA
  52897->22 (01:03:53.770 PDT)
152.14.93.140 (01:03:49.052 PDT)
  event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA
  37963->22 (01:03:49.052 PDT)
131.179.150.70 (2) (01:03:31.484 PDT)
  event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA
  51460->22 (01:03:31.484 PDT)
  -------------------------
  event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA
  51460->22 (01:03:31.484 PDT)
158.130.6.254 (01:02:58.775 PDT)
  event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA
  47926->22 (01:02:58.775 PDT)
13.7.64.22 (01:00:26.662 PDT)
  event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA
  38954->22 (01:00:26.662 PDT)
128.42.142.45 (01:02:50.386 PDT)
  event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA
  56701->22 (01:02:50.386 PDT)
192.52.240.214 (2) (01:03:06.604 PDT)
  event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA
  43919->22 (01:03:06.604 PDT)
  -------------------------
  event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA
  43919->22 (01:03:06.604 PDT)
204.123.28.56 (01:02:54.065 PDT)
  event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA
  49376->22 (01:02:54.065 PDT)
204.8.155.227 (01:03:13.577 PDT)
  event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA
  44344->22 (01:03:13.577 PDT)
141.212.113.180 (01:03:22.280 PDT)
  event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA
  42222->22 (01:03:22.280 PDT)
128.111.52.59 (01:03:56.893 PDT)
  event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA
  52167->22 (01:03:56.893 PDT)
152.3.138.6 (2) (01:03:34.162 PDT)
  event=1:2003068 (2) {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA
  53044->22 (01:03:34.162 PDT)
  53048->22 (01:03:41.411 PDT)
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN
128.42.142.44 (2) (01:04:47.952 PDT)
  event=777:7777008 (2) {tcp} E8[bh] Detected intense malware port scanning of 21 IPs (16 /24s) (# pkts S/M/O/I=0/21/0/0): 22:21, [] MAC_Src: 00:01:64:FF:CE:EA
  0->0 (01:04:47.952 PDT)
  0->0 (01:06:17.336 PDT)

tcpslice 1368345626.662 1368345626.663 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.41
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/12/2013 01:21:49.570 PDT
Gen. Time: 05/12/2013 01:22:45.096 PDT
INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
204.8.155.227 (01:22:45.096 PDT)
  event=777:7777005 {tcp} E5[bh] Detected moderate malware port scanning of 10 IPs (10 /24s) (# pkts S/M/O/I=0/10/0/0): 22:10, [] MAC_Src: 00:01:64:FF:CE:EA
  0->0 (01:22:45.096 PDT)
OUTBOUND SCAN
128.111.52.58 (01:22:33.454 PDT)
  event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA
  57514->22 (01:22:33.454 PDT)
131.179.150.70 (2) (01:22:36.275 PDT)
  event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA
  51640->22 (01:22:36.275 PDT)
  -------------------------
  event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA
  51640->22 (01:22:36.275 PDT)
158.130.6.254 (01:22:03.387 PDT)
  event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA
  48106->22 (01:22:03.387 PDT)
128.42.142.45 (01:21:49.570 PDT)
  event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA
  56880->22 (01:21:49.570 PDT)
192.52.240.214 (2) (01:22:12.510 PDT)
  event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA
  44100->22 (01:22:12.510 PDT)
  -------------------------
  event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA
  44100->22 (01:22:12.510 PDT)
204.123.28.56 (01:21:55.171 PDT)
  event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA
  49555->22 (01:21:55.171 PDT)
204.8.155.227 (01:22:22.190 PDT)
  event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA
  44525->22 (01:22:22.190 PDT)
141.212.113.180 (01:22:29.452 PDT)
  event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA
  42403->22 (01:22:29.452 PDT)
152.3.138.6 (01:22:42.125 PDT)
  event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA
  53224->22 (01:22:42.125 PDT)
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1368346909.570 1368346909.571 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41'

============================== SEPARATOR ================================

Score: 1.6 (>= 0.8)
Infected Target: 192.168.1.41
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/12/2013 01:21:49.570 PDT
Gen. Time: 05/12/2013 01:30:46.886 PDT
INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
204.8.155.227 (01:22:45.096 PDT)
  event=777:7777005 {tcp} E5[bh] Detected moderate malware port scanning of 10 IPs (10 /24s) (# pkts S/M/O/I=0/10/0/0): 22:10, [] MAC_Src: 00:01:64:FF:CE:EA
  0->0 (01:22:45.096 PDT)
OUTBOUND SCAN
128.111.52.58 (01:22:33.454 PDT)
  event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA
  57514->22 (01:22:33.454 PDT)
128.208.4.197 (01:22:54.741 PDT)
  event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA
  53073->22 (01:22:54.741 PDT)
152.14.93.140 (01:22:49.605 PDT)
  event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA
  38139->22 (01:22:49.605 PDT)
131.179.150.70 (2) (01:22:36.275 PDT)
  event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA
  51640->22 (01:22:36.275 PDT)
  -------------------------
  event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA
  51640->22 (01:22:36.275 PDT)
155.246.12.164 (01:23:15.712 PDT)
  event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA
  59829->22 (01:23:15.712 PDT)
158.130.6.254 (01:22:03.387 PDT)
  event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA
  48106->22 (01:22:03.387 PDT)
128.42.142.45 (01:21:49.570 PDT)
  event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA
  56880->22 (01:21:49.570 PDT)
192.52.240.214 (2) (01:22:12.510 PDT)
  event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA
  44100->22 (01:22:12.510 PDT)
  -------------------------
  event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA
  44100->22 (01:22:12.510 PDT)
204.123.28.56 (01:21:55.171 PDT)
  event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA
  49555->22 (01:21:55.171 PDT)
204.8.155.227 (01:22:22.190 PDT)
  event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA
  44525->22 (01:22:22.190 PDT)
192.52.240.213 (01:23:05.121 PDT)
  event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA
  48501->22 (01:23:05.121 PDT)
141.212.113.180 (01:22:29.452 PDT)
  event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA
  42403->22 (01:22:29.452 PDT)
128.111.52.59 (2) (01:22:59.030 PDT)
  event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA
  52343->22 (01:22:59.030 PDT)
  -------------------------
  event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA
  52343->22 (01:22:59.030 PDT)
152.3.138.6 (01:22:42.125 PDT)
  event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA
  53224->22 (01:22:42.125 PDT)
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN
165.91.55.9 (4) (01:25:31.888 PDT-01:30:11.066 PDT)
  event=777:7777008 (4) {tcp} E8[bh] Detected intense malware port scanning of 37 IPs (23 /24s) (# pkts S/M/O/I=0/37/0/0): 22:37, [] MAC_Src: 00:01:64:FF:CE:EA
  2: 0->0 (01:28:37.907 PDT-01:30:11.066 PDT)
  0->0 (01:27:02.212 PDT)
  0->0 (01:25:31.888 PDT)
165.91.55.8 (01:24:00.353 PDT)
  event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 21 IPs (16 /24s) (# pkts S/M/O/I=0/21/0/0): 22:21, [] MAC_Src: 00:01:64:FF:CE:EA
  0->0 (01:24:00.353 PDT)

tcpslice 1368346909.570 1368347411.067 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.41
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/12/2013 01:33:10.727 PDT
Gen. Time: 05/12/2013 01:33:10.727 PDT
INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN
165.91.55.9 (01:33:10.727 PDT)
  event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 37 IPs (23 /24s) (# pkts S/M/O/I=0/37/0/0): 22:37, [] MAC_Src: 00:01:64:FF:CE:EA
  0->0 (01:33:10.727 PDT)

tcpslice 1368347590.727 1368347590.728 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.41
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/12/2013 01:40:50.230 PDT
Gen. Time: 05/12/2013 01:40:50.230 PDT
INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN
165.91.55.9 (01:40:50.230 PDT)
  event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 37 IPs (23 /24s) (# pkts S/M/O/I=0/37/0/0): 22:37, [] MAC_Src: 00:01:64:FF:CE:EA
  0->0 (01:40:50.230 PDT)

tcpslice 1368348050.230 1368348050.231 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41'

============================== SEPARATOR ================================

Score: 1.3 (>= 0.8)
Infected Target: 192.168.1.41
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/12/2013 01:40:50.230 PDT
Gen. Time: 05/12/2013 01:44:57.511 PDT
INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
128.111.52.58 (01:41:36.742 PDT)
  event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA
  57693->22 (01:41:36.742 PDT)
152.14.93.140 (01:42:33.188 PDT)
  event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA
  38314->22 (01:42:33.188 PDT)
131.179.150.70 (2) (01:41:39.722 PDT)
  event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA
  51819->22 (01:41:39.722 PDT)
  -------------------------
  event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA
  51819->22 (01:41:39.722 PDT)
158.130.6.254 (01:41:07.857 PDT)
  event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA
  48284->22 (01:41:07.857 PDT)
128.42.142.45 (01:40:56.113 PDT)
  event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA
  57058->22 (01:40:56.113 PDT)
192.52.240.214 (2) (01:41:17.114 PDT)
  event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA
  44278->22 (01:41:17.114 PDT)
  -------------------------
  event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA
  44278->22 (01:41:17.114 PDT)
204.123.28.56 (01:40:59.482 PDT)
  event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA
  49733->22 (01:40:59.482 PDT)
204.8.155.227 (01:41:25.528 PDT)
  event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA
  44704->22 (01:41:25.528 PDT)
141.212.113.180 (01:41:32.704 PDT)
  event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA
  42582->22 (01:41:32.704 PDT)
152.3.138.6 (01:41:46.590 PDT)
  event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA
  53403->22 (01:41:46.590 PDT)
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN
165.91.55.9 (3) (01:40:50.230 PDT-01:44:57.511 PDT)
  event=777:7777008 (3) {tcp} E8[bh] Detected intense malware port scanning of 37 IPs (23 /24s) (# pkts S/M/O/I=0/37/0/0): 22:37, [] MAC_Src: 00:01:64:FF:CE:EA
  3: 0->0 (01:40:50.230 PDT-01:44:57.511 PDT)

tcpslice 1368348050.230 1368348297.512 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41'

============================== SEPARATOR ================================

Score: 1.3 (>= 0.8)
Infected Target: 192.168.1.41
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/12/2013 01:45:01.179 PDT
Gen.
Time: 05/12/2013 01:46:27.502 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN 192.52.240.213 (01:45:17.710 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 48677->22 (01:45:17.710 PDT) 155.246.12.164 (2) (01:45:42.331 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 60007->22 (01:45:42.331 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 60007->22 (01:45:42.331 PDT) 128.208.4.197 (01:45:01.179 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 53248->22 (01:45:01.179 PDT) 204.8.155.226 (01:45:55.531 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 36716->22 (01:45:55.531 PDT) 128.84.154.44 (01:46:17.947 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 59024->22 (01:46:17.947 PDT) 165.91.55.8 (01:46:09.092 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 60140->22 (01:46:09.092 PDT) 128.111.52.59 (01:45:05.644 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 52519->22 (01:45:05.644 PDT) ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 165.91.55.9 (01:46:27.502 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 37 IPs (23 /24s) (# pkts S/M/O/I=0/37/0/0): 22:37, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (01:46:27.502 PDT) tcpslice 1368348301.179 1368348301.180 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' 
============================== SEPARATOR ================================ Score: 1.3 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 05/12/2013 01:45:01.179 PDT Gen. Time: 05/12/2013 01:55:56.064 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN 128.208.4.197 (01:45:01.179 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 53248->22 (01:45:01.179 PDT) 128.10.19.52 (01:47:31.283 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 47926->22 (01:47:31.283 PDT) 155.246.12.164 (2) (01:45:42.331 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 60007->22 (01:45:42.331 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 60007->22 (01:45:42.331 PDT) 158.130.6.253 (01:47:39.377 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 44364->22 (01:47:39.377 PDT) 165.91.55.8 (01:46:09.092 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 60140->22 (01:46:09.092 PDT) 128.84.154.44 (01:46:17.947 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 59024->22 (01:46:17.947 PDT) 128.42.142.44 (2) (01:46:29.809 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 59928->22 (01:46:29.809 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 59928->22 (01:46:29.809 PDT) 13.7.64.20 (01:47:05.199 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 
00:01:64:FF:CE:EA 33590->22 (01:47:05.199 PDT) 192.52.240.213 (01:45:17.710 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 48677->22 (01:45:17.710 PDT) 204.123.28.55 (01:46:55.832 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 36115->22 (01:46:55.832 PDT) 128.252.19.19 (01:46:46.577 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 42530->22 (01:46:46.577 PDT) 204.8.155.226 (01:45:55.531 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 36716->22 (01:45:55.531 PDT) 198.133.224.147 (2) (01:47:18.246 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 55458->22 (01:47:18.246 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 55458->22 (01:47:18.246 PDT) 128.111.52.59 (01:45:05.644 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 52519->22 (01:45:05.644 PDT) ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 165.91.55.9 (5) (01:46:27.502 PDT-01:53:21.764 PDT) event=777:7777008 (5) {tcp} E8[bh] Detected intense malware port scanning of 37 IPs (23 /24s) (# pkts S/M/O/I=0/37/0/0): 22:37, [] MAC_Src: 00:01:64:FF:CE:EA 5: 0->0 (01:46:27.502 PDT-01:53:21.764 PDT) tcpslice 1368348301.179 1368348801.765 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 05/12/2013 02:07:09.121 PDT Gen. 
Time: 05/12/2013 02:07:51.475 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) 152.3.138.6 (02:07:51.475 PDT) event=777:7777005 {tcp} E5[bh] Detected moderate malware port scanning of 10 IPs (9 /24s) (# pkts S/M/O/I=0/10/0/0): 22:10, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (02:07:51.475 PDT) OUTBOUND SCAN 128.111.52.58 (02:07:48.348 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 57874->22 (02:07:48.348 PDT) 204.8.155.227 (02:07:37.536 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 44885->22 (02:07:37.536 PDT) 128.42.142.45 (02:07:09.121 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 57239->22 (02:07:09.121 PDT) 131.179.150.70 (2) (02:07:50.926 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 52000->22 (02:07:50.926 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 52000->22 (02:07:50.926 PDT) 204.123.28.56 (02:07:11.851 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 49914->22 (02:07:11.851 PDT) 141.212.113.180 (02:07:44.562 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 42763->22 (02:07:44.562 PDT) 192.52.240.214 (2) (02:07:29.602 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 44459->22 (02:07:29.602 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 44459->22 (02:07:29.602 PDT) 158.130.6.254 (02:07:19.821 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 48465->22 
(02:07:19.821 PDT) ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368349629.121 1368349629.122 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' ============================== SEPARATOR ================================ Score: 1.6 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 05/12/2013 02:07:09.121 PDT Gen. Time: 05/12/2013 02:19:49.290 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) 152.3.138.6 (3) (02:07:51.475 PDT) event=777:7777005 (3) {tcp} E5[bh] Detected moderate malware port scanning of 10 IPs (9 /24s) (# pkts S/M/O/I=0/10/0/0): 22:10, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (02:07:51.475 PDT) 0->0 (02:09:32.388 PDT) 0->0 (02:11:08.569 PDT) OUTBOUND SCAN 128.111.52.58 (02:07:48.348 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 57874->22 (02:07:48.348 PDT) 128.208.4.197 (02:11:11.964 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 53430->22 (02:11:11.964 PDT) 152.14.93.140 (02:08:44.324 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 38495->22 (02:08:44.324 PDT) 131.179.150.70 (2) (02:07:50.926 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 52000->22 (02:07:50.926 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 52000->22 (02:07:50.926 PDT) 155.246.12.164 (2) (02:11:33.575 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 60186->22 (02:11:33.575 
PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 60186->22 (02:11:33.575 PDT) 158.130.6.254 (02:07:19.821 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 48465->22 (02:07:19.821 PDT) 128.42.142.45 (02:07:09.121 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 57239->22 (02:07:09.121 PDT) 192.52.240.214 (2) (02:07:29.602 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 44459->22 (02:07:29.602 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 44459->22 (02:07:29.602 PDT) 204.123.28.56 (02:07:11.851 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 49914->22 (02:07:11.851 PDT) 204.8.155.227 (02:07:37.536 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 44885->22 (02:07:37.536 PDT) 192.52.240.213 (02:11:21.817 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 48858->22 (02:11:21.817 PDT) 141.212.113.180 (02:07:44.562 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 42763->22 (02:07:44.562 PDT) 128.111.52.59 (02:11:15.025 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 52700->22 (02:11:15.025 PDT) 152.3.138.6 (02:07:57.814 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 53584->22 (02:07:57.814 PDT) ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 13.7.64.20 (02:12:17.171 PDT) event=777:7777008 {tcp} E8[bh] 
Detected intense malware port scanning of 21 IPs (16 /24s) (# pkts S/M/O/I=0/21/0/0): 22:21, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (02:12:17.171 PDT) 13.7.64.22 (3) (02:13:48.391 PDT) event=777:7777008 (3) {tcp} E8[bh] Detected intense malware port scanning of 33 IPs (22 /24s) (# pkts S/M/O/I=0/33/0/0): 22:33, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (02:13:48.391 PDT) 0->0 (02:15:23.236 PDT) 0->0 (02:16:59.965 PDT) tcpslice 1368349629.121 1368349629.122 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 05/12/2013 02:22:35.190 PDT Gen. Time: 05/12/2013 02:22:35.190 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 13.7.64.22 (02:22:35.190 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 37 IPs (23 /24s) (# pkts S/M/O/I=0/37/0/0): 22:37, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (02:22:35.190 PDT) tcpslice 1368350555.190 1368350555.191 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 05/12/2013 02:32:18.740 PDT Gen. 
Time: 05/12/2013 02:33:01.160 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) 158.130.6.254 (02:33:01.160 PDT) event=777:7777005 {tcp} E5[bh] Detected moderate malware port scanning of 10 IPs (10 /24s) (# pkts S/M/O/I=0/10/0/0): 22:10, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (02:33:01.160 PDT) OUTBOUND SCAN 128.111.52.58 (02:32:56.931 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 58044->22 (02:32:56.931 PDT) 204.8.155.227 (02:32:46.659 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 45055->22 (02:32:46.659 PDT) 128.42.142.45 (02:32:18.740 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 57409->22 (02:32:18.740 PDT) 131.179.150.70 (2) (02:32:59.855 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 52170->22 (02:32:59.855 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 52170->22 (02:32:59.855 PDT) 204.123.28.56 (02:32:21.454 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 50084->22 (02:32:21.454 PDT) 141.212.113.180 (02:32:53.611 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 42933->22 (02:32:53.611 PDT) 192.52.240.214 (2) (02:32:38.281 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 44629->22 (02:32:38.281 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 44629->22 (02:32:38.281 PDT) 158.130.6.254 (02:32:29.234 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 48635->22 
(02:32:29.234 PDT) ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368351138.740 1368351138.741 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' ============================== SEPARATOR ================================ Score: 1.6 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 05/12/2013 02:32:18.740 PDT Gen. Time: 05/12/2013 02:41:55.416 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) 158.130.6.254 (3) (02:33:01.160 PDT-02:34:41.892 PDT) event=777:7777005 (3) {tcp} E5[bh] Detected moderate malware port scanning of 13 IPs (12 /24s) (# pkts S/M/O/I=0/13/0/0): 22:13, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (02:36:18.174 PDT) 2: 0->0 (02:33:01.160 PDT-02:34:41.892 PDT) OUTBOUND SCAN 128.111.52.58 (02:32:56.931 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 58044->22 (02:32:56.931 PDT) 128.208.4.197 (02:36:21.129 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 53600->22 (02:36:21.129 PDT) 152.14.93.140 (02:33:53.765 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 38665->22 (02:33:53.765 PDT) 131.179.150.70 (2) (02:32:59.855 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 52170->22 (02:32:59.855 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 52170->22 (02:32:59.855 PDT) 155.246.12.164 (2) (02:36:40.313 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 
60356->22 (02:36:40.313 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 60356->22 (02:36:40.313 PDT) 158.130.6.254 (02:32:29.234 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 48635->22 (02:32:29.234 PDT) 128.42.142.45 (02:32:18.740 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 57409->22 (02:32:18.740 PDT) 192.52.240.214 (2) (02:32:38.281 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 44629->22 (02:32:38.281 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 44629->22 (02:32:38.281 PDT) 204.123.28.56 (02:32:21.454 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 50084->22 (02:32:21.454 PDT) 204.8.155.227 (02:32:46.659 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 45055->22 (02:32:46.659 PDT) 192.52.240.213 (02:36:29.926 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 49028->22 (02:36:29.926 PDT) 141.212.113.180 (02:32:53.611 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 42933->22 (02:32:53.611 PDT) 128.111.52.59 (02:36:23.584 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 52870->22 (02:36:23.584 PDT) 152.3.138.6 (02:33:07.430 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 53754->22 (02:33:07.430 PDT) ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 13.7.64.20 (3) (02:38:48.908 
PDT-02:40:19.044 PDT) event=777:7777008 (3) {tcp} E8[bh] Detected intense malware port scanning of 34 IPs (23 /24s) (# pkts S/M/O/I=0/34/0/0): 22:34, [] MAC_Src: 00:01:64:FF:CE:EA 2: 0->0 (02:38:48.908 PDT-02:40:19.044 PDT) 0->0 (02:41:55.416 PDT) 158.130.6.254 (02:37:18.055 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 21 IPs (16 /24s) (# pkts S/M/O/I=0/21/0/0): 22:21, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (02:37:18.055 PDT) tcpslice 1368351138.740 1368351619.045 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 05/12/2013 02:57:09.057 PDT Gen. Time: 05/12/2013 02:57:56.979 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) 128.42.142.45 (02:57:56.979 PDT) event=777:7777005 {tcp} E5[bh] Detected moderate malware port scanning of 10 IPs (10 /24s) (# pkts S/M/O/I=0/10/0/0): 22:10, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (02:57:56.979 PDT) OUTBOUND SCAN 128.111.52.58 (02:57:45.053 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 58214->22 (02:57:45.053 PDT) 131.179.150.70 (2) (02:57:47.154 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 52340->22 (02:57:47.154 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 52340->22 (02:57:47.154 PDT) 158.130.6.254 (02:57:19.189 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 48805->22 (02:57:19.189 PDT) 128.42.142.45 (02:57:09.057 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 
00:01:64:FF:CE:EA 57579->22 (02:57:09.057 PDT) 192.52.240.214 (2) (02:57:27.797 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 44799->22 (02:57:27.797 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 44799->22 (02:57:27.797 PDT) 204.123.28.56 (02:57:11.717 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 50254->22 (02:57:11.717 PDT) 204.8.155.227 (02:57:35.634 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 45225->22 (02:57:35.634 PDT) 141.212.113.180 (02:57:42.051 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 43103->22 (02:57:42.051 PDT) 152.3.138.6 (02:57:55.512 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 53924->22 (02:57:55.512 PDT) ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368352629.057 1368352629.058 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' ============================== SEPARATOR ================================ Score: 1.6 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 05/12/2013 02:57:09.057 PDT Gen. 
Time: 05/12/2013 03:10:16.653 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) 128.42.142.45 (3) (02:57:56.979 PDT-03:01:06.298 PDT) event=777:7777005 (3) {tcp} E5[bh] Detected moderate malware port scanning of 10 IPs (10 /24s) (# pkts S/M/O/I=0/10/0/0): 22:10, [] MAC_Src: 00:01:64:FF:CE:EA 3: 0->0 (02:57:56.979 PDT-03:01:06.298 PDT) OUTBOUND SCAN 128.111.52.58 (02:57:45.053 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 58214->22 (02:57:45.053 PDT) 128.208.4.197 (03:01:09.488 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 53770->22 (03:01:09.488 PDT) 152.14.93.140 (02:58:42.084 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 38835->22 (02:58:42.084 PDT) 131.179.150.70 (2) (02:57:47.154 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 52340->22 (02:57:47.154 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 52340->22 (02:57:47.154 PDT) 155.246.12.164 (2) (03:01:29.509 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 60526->22 (03:01:29.509 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 60526->22 (03:01:29.509 PDT) 158.130.6.254 (02:57:19.189 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 48805->22 (02:57:19.189 PDT) 128.42.142.45 (02:57:09.057 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 57579->22 (02:57:09.057 PDT) 192.52.240.214 (2) (02:57:27.797 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 
secs), [] MAC_Src: 00:01:64:FF:CE:EA 44799->22 (02:57:27.797 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 44799->22 (02:57:27.797 PDT) 204.123.28.56 (02:57:11.717 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 50254->22 (02:57:11.717 PDT) 204.8.155.227 (02:57:35.634 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 45225->22 (02:57:35.634 PDT) 192.52.240.213 (03:01:18.467 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 49198->22 (03:01:18.467 PDT) 141.212.113.180 (02:57:42.051 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 43103->22 (02:57:42.051 PDT) 128.111.52.59 (03:01:12.222 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 53040->22 (03:01:12.222 PDT) 152.3.138.6 (02:57:55.512 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 53924->22 (02:57:55.512 PDT) ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 128.42.142.45 (03:02:08.394 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 21 IPs (16 /24s) (# pkts S/M/O/I=0/21/0/0): 22:21, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (03:02:08.394 PDT) 128.8.126.111 (3) (03:03:42.116 PDT) event=777:7777008 (3) {tcp} E8[bh] Detected intense malware port scanning of 34 IPs (23 /24s) (# pkts S/M/O/I=0/34/0/0): 22:34, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (03:03:42.116 PDT) 0->0 (03:05:13.116 PDT) 0->0 (03:06:43.257 PDT) tcpslice 1368352629.057 1368352866.299 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' ============================== SEPARATOR 
================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 05/12/2013 03:21:56.306 PDT Gen. Time: 05/12/2013 03:22:34.801 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) 158.130.6.254 (03:22:34.801 PDT) event=777:7777005 {tcp} E5[bh] Detected moderate malware port scanning of 10 IPs (10 /24s) (# pkts S/M/O/I=0/10/0/0): 22:10, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (03:22:34.801 PDT) OUTBOUND SCAN 128.111.52.58 (03:22:32.197 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 58384->22 (03:22:32.197 PDT) 204.8.155.227 (03:22:22.950 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 45395->22 (03:22:22.950 PDT) 128.42.142.45 (03:21:56.306 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 57749->22 (03:21:56.306 PDT) 131.179.150.70 (2) (03:22:34.421 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 52510->22 (03:22:34.421 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 52510->22 (03:22:34.421 PDT) 204.123.28.56 (03:21:58.637 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 50424->22 (03:21:58.637 PDT) 141.212.113.180 (03:22:29.252 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 43273->22 (03:22:29.252 PDT) 192.52.240.214 (2) (03:22:15.355 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 44969->22 (03:22:15.355 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan 
OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 44969->22 (03:22:15.355 PDT) 158.130.6.254 (03:22:06.691 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 48975->22 (03:22:06.691 PDT) ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368354116.306 1368354116.307 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' ============================== SEPARATOR ================================ Score: 1.6 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 05/12/2013 03:21:56.306 PDT Gen. Time: 05/12/2013 03:34:36.844 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) 128.208.4.197 (03:25:51.646 PDT) event=777:7777005 {tcp} E5[bh] Detected moderate malware port scanning of 11 IPs (11 /24s) (# pkts S/M/O/I=0/11/0/0): 22:11, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (03:25:51.646 PDT) 158.130.6.254 (2) (03:22:34.801 PDT-03:24:15.459 PDT) event=777:7777005 (2) {tcp} E5[bh] Detected moderate malware port scanning of 10 IPs (10 /24s) (# pkts S/M/O/I=0/10/0/0): 22:10, [] MAC_Src: 00:01:64:FF:CE:EA 2: 0->0 (03:22:34.801 PDT-03:24:15.459 PDT) OUTBOUND SCAN 128.111.52.58 (03:22:32.197 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 58384->22 (03:22:32.197 PDT) 128.208.4.197 (03:25:54.590 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 53940->22 (03:25:54.590 PDT) 152.14.93.140 (03:23:27.332 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 39005->22 (03:23:27.332 PDT) 131.179.150.70 (2) (03:22:34.421 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN 
Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 52510->22 (03:22:34.421 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 52510->22 (03:22:34.421 PDT) 155.246.12.164 (2) (03:26:14.716 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 60696->22 (03:26:14.716 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 60696->22 (03:26:14.716 PDT) 158.130.6.254 (03:22:06.691 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 48975->22 (03:22:06.691 PDT) 128.42.142.45 (03:21:56.306 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 57749->22 (03:21:56.306 PDT) 192.52.240.214 (2) (03:22:15.355 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 44969->22 (03:22:15.355 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 44969->22 (03:22:15.355 PDT) 204.123.28.56 (03:21:58.637 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 50424->22 (03:21:58.637 PDT) 204.8.155.227 (03:22:22.950 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 45395->22 (03:22:22.950 PDT) 192.52.240.213 (03:26:03.739 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 49368->22 (03:26:03.739 PDT) 141.212.113.180 (03:22:29.252 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 43273->22 (03:22:29.252 PDT) 128.111.52.59 (03:25:57.275 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 53210->22 (03:25:57.275 PDT) 
152.3.138.6 (03:22:40.869 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 54094->22 (03:22:40.869 PDT) ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 128.36.233.153 (4) (03:28:24.690 PDT-03:33:01.924 PDT) event=777:7777008 (4) {tcp} E8[bh] Detected intense malware port scanning of 37 IPs (23 /24s) (# pkts S/M/O/I=0/37/0/0): 22:37, [] MAC_Src: 00:01:64:FF:CE:EA 3: 0->0 (03:29:58.627 PDT-03:33:01.924 PDT) 0->0 (03:28:24.690 PDT) 128.208.4.197 (03:26:53.601 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 21 IPs (16 /24s) (# pkts S/M/O/I=0/21/0/0): 22:21, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (03:26:53.601 PDT) tcpslice 1368354116.306 1368354781.925 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 05/12/2013 03:35:32.452 PDT Gen. 
Time: 05/12/2013 03:35:32.452 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 128.36.233.153 (03:35:32.452 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 37 IPs (23 /24s) (# pkts S/M/O/I=0/37/0/0): 22:37, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (03:35:32.452 PDT) tcpslice 1368354932.452 1368354932.453 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 05/12/2013 03:38:02.980 PDT Gen. Time: 05/12/2013 03:38:02.980 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 128.36.233.153 (03:38:02.980 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 37 IPs (23 /24s) (# pkts S/M/O/I=0/37/0/0): 22:37, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (03:38:02.980 PDT) tcpslice 1368355082.980 1368355082.981 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 05/12/2013 03:43:27.222 PDT Gen. 
Time: 05/12/2013 03:43:27.222 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 128.36.233.153 (03:43:27.222 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 37 IPs (23 /24s) (# pkts S/M/O/I=0/37/0/0): 22:37, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (03:43:27.222 PDT) tcpslice 1368355407.222 1368355407.223 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 05/12/2013 03:46:36.271 PDT Gen. Time: 05/12/2013 03:46:36.271 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 128.36.233.153 (03:46:36.271 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 37 IPs (23 /24s) (# pkts S/M/O/I=0/37/0/0): 22:37, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (03:46:36.271 PDT) tcpslice 1368355596.271 1368355596.272 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' ============================== SEPARATOR ================================ Score: 1.3 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 05/12/2013 03:46:36.271 PDT Gen. 
Time: 05/12/2013 03:55:35.254 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN 128.111.52.58 (03:47:18.298 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 58555->22 (03:47:18.298 PDT) 128.208.4.197 (03:50:40.719 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 54110->22 (03:50:40.719 PDT) 152.14.93.140 (03:48:13.284 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 39176->22 (03:48:13.284 PDT) 131.179.150.70 (2) (03:47:20.424 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 52681->22 (03:47:20.424 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 52681->22 (03:47:20.424 PDT) 155.246.12.164 (2) (03:51:00.243 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 60866->22 (03:51:00.243 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 60866->22 (03:51:00.243 PDT) 158.130.6.254 (03:46:52.465 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 49146->22 (03:46:52.465 PDT) 128.42.142.45 (03:46:42.160 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 57920->22 (03:46:42.160 PDT) 192.52.240.214 (2) (03:47:01.228 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 45140->22 (03:47:01.228 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 45140->22 (03:47:01.228 PDT) 204.123.28.56 (03:46:44.909 PDT) 
event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 50595->22 (03:46:44.909 PDT) 204.8.155.227 (03:47:09.105 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 45566->22 (03:47:09.105 PDT) 192.52.240.213 (03:50:49.847 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 49538->22 (03:50:49.847 PDT) 141.212.113.180 (03:47:15.424 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 43444->22 (03:47:15.424 PDT) 128.111.52.59 (03:50:43.278 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 53380->22 (03:50:43.278 PDT) 152.3.138.6 (03:47:26.839 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 54265->22 (03:47:26.839 PDT) ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 128.36.233.153 (5) (03:46:36.271 PDT-03:53:48.004 PDT) event=777:7777008 (5) {tcp} E8[bh] Detected intense malware port scanning of 37 IPs (23 /24s) (# pkts S/M/O/I=0/37/0/0): 22:37, [] MAC_Src: 00:01:64:FF:CE:EA 5: 0->0 (03:46:36.271 PDT-03:53:48.004 PDT) tcpslice 1368355596.271 1368356028.005 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 05/12/2013 03:56:12.282 PDT Gen. 
Time: 05/12/2013 03:56:12.282 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 128.36.233.153 (03:56:12.282 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 37 IPs (23 /24s) (# pkts S/M/O/I=0/37/0/0): 22:37, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (03:56:12.282 PDT) tcpslice 1368356172.282 1368356172.283 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' ============================== SEPARATOR ================================ Score: 1.3 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 05/12/2013 03:56:12.282 PDT Gen. Time: 05/12/2013 04:00:18.436 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN 128.208.4.198 (03:56:15.341 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 54319->22 (03:56:15.341 PDT) 128.223.8.111 (03:56:19.242 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 55769->22 (03:56:19.242 PDT) ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 128.36.233.153 (03:56:12.282 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 37 IPs (23 /24s) (# pkts S/M/O/I=0/37/0/0): 22:37, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (03:56:12.282 PDT) tcpslice 1368356172.282 1368356172.283 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' 
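The records above are BotHunter-style infection profiles for one host, and the only thing that varies between them is which alerts were correlated into each one. What an analyst wants before carving the pcap is a per-profile summary and a few consistency checks: how many distinct SSH-scan destinations and /24s the `ET SCAN` signature hits (sid `1:...`) actually name versus what the aggregate scan alerts (sid `777:...`) claim; whether every alert in a profile carries the same `MAC_Src` (the 05:01 profile on this page mixes `00:01:64:FF:CE:EA` and `00:21:1C:EE:14:00`); and whether the `tcpslice` epoch agrees with `Observed Start` and spans more than the 1 ms that the score-0.8 records carry. The parser below is an added example, not BotHunter's own code. It assumes the timestamps are PDT (UTC-7), which is what turns `05/12/2013 05:01:02.283 PDT` into the page's `1368360062.283`; the sample input is excerpted and trimmed from two of the records on this page, with one alert per line for readability; `inputFile.tcpd` / `outputFile.tcpd` are the page's own placeholder names.

```python
import re
from bisect import bisect_right
from collections import Counter
from datetime import datetime, timedelta, timezone

# Assumption: the records' timestamps are PDT, i.e. UTC-7, which is what makes
# "Observed Start: 05/12/2013 05:01:02.283 PDT" come out as "tcpslice 1368360062.283".
PDT = timezone(timedelta(hours=-7))
TS = "%m/%d/%Y %H:%M:%S.%f"

HEADER = re.compile(r"Score: (?P<score>[\d.]+) \(>= (?P<thr>[\d.]+)\) Infected Target: (?P<target>\S+)")
WINDOW = re.compile(r"Observed Start: (?P<start>\d\d/\d\d/\d{4} \d\d:\d\d:\d\d\.\d+) PDT "
                    r"Gen\. Time: (?P<gen>\d\d/\d\d/\d{4} \d\d:\d\d:\d\d\.\d+) PDT")
TCPSLICE = re.compile(r"tcpslice (?P<t0>\d+\.\d+) (?P<t1>\d+\.\d+) ")
# "<dst ip> [(n)] (<hh:mm:ss.fff> PDT[-<hh:mm:ss.fff> PDT]) event=" introduces a destination;
# the repeated alert after "-------------------------" has no destination of its own.
DST = re.compile(r"(?P<dst>\d+\.\d+\.\d+\.\d+)(?: \(\d+\))? "
                 r"\(\d\d:\d\d:\d\d\.\d+ PDT(?:-\d\d:\d\d:\d\d\.\d+ PDT)?\) event=")
EVENT = re.compile(r"event=(?P<sid>\d+:\d+)(?: \(\d+\))? \{(?P<proto>\w+)\} (?P<tag>E\d\[\w+\]) "
                   r"(?P<msg>.+?), \[\] MAC_Src: (?P<mac>[0-9A-Fa-f:]{17})")
CLAIM = re.compile(r"port scanning of (?P<ips>\d+) IPs \((?P<nets>\d+) /24s\)")

# Excerpted and trimmed from two records on this page (one alert per line).
SAMPLE = """\
Score: 0.8 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 05/12/2013 05:28:05.653 PDT Gen. Time: 05/12/2013 05:28:56.753 PDT
OUTBOUND SCAN (spp) 158.130.6.254 (05:28:05.653 PDT) event=777:7777005 {tcp} E5[bh] Detected moderate malware port scanning of 10 IPs (6 /24s) (# pkts S/M/O/I=0/10/0/0): 22:10, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (05:28:05.653 PDT)
OUTBOUND SCAN 128.42.142.45 (05:28:56.753 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 59675->22 (05:28:56.753 PDT)
tcpslice 1368361685.653 1368361685.654 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41'
============================== SEPARATOR ================================
Score: 1.6 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 05/12/2013 05:01:02.283 PDT Gen. Time: 05/12/2013 05:16:40.292 PDT
OUTBOUND SCAN (spp) 192.52.240.214 (3) (05:04:53.253 PDT-05:08:02.624 PDT) event=777:7777005 (3) {tcp} E5[bh] Detected moderate malware port scanning of 11 IPs (11 /24s) (# pkts S/M/O/I=0/10/1/0): 22:10, [] MAC_Src: 00:21:1C:EE:14:00 3: 0->0 (05:04:53.253 PDT-05:08:02.624 PDT)
OUTBOUND SCAN 128.111.52.58 (05:01:35.799 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 59057->22 (05:01:35.799 PDT)
192.52.240.214 (2) (05:01:19.198 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 45642->22 (05:01:19.198 PDT)
------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 45642->22 (05:01:19.198 PDT)
204.8.155.227 (05:01:26.692 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 46068->22 (05:01:26.692 PDT)
204.8.155.226 (05:08:34.830 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 38072->22 (05:08:34.830 PDT)
OUTBOUND INTENSE MALWARE PORT SCAN 192.52.240.213 (05:09:06.720 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 21 IPs (16 /24s) (# pkts S/M/O/I=0/20/1/0): 22:20, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (05:09:06.720 PDT)
tcpslice 1368360062.283 1368360727.143 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41'
"""


def parse_profiles(text):
    """Split a dump on the SEPARATOR rule and turn each profile into a dict of header, window, alerts."""
    profiles = []
    for chunk in re.split(r"=+ SEPARATOR =+", text):
        head, win = HEADER.search(chunk), WINDOW.search(chunk)
        if not (head and win):
            continue  # leading or trailing fragment without a full header
        dsts = [(m.start(), m["dst"]) for m in DST.finditer(chunk)]
        starts = [pos for pos, _ in dsts]
        events = []
        for m in EVENT.finditer(chunk):
            i = bisect_right(starts, m.start()) - 1  # nearest destination entry before this alert
            events.append({"dst": dsts[i][1] if i >= 0 else None, "sid": m["sid"],
                           "tag": m["tag"], "msg": m["msg"], "mac": m["mac"]})
        ts = TCPSLICE.search(chunk)
        profiles.append({
            "target": head["target"], "score": float(head["score"]), "threshold": float(head["thr"]),
            "start": datetime.strptime(win["start"], TS).replace(tzinfo=PDT),
            "gen": datetime.strptime(win["gen"], TS).replace(tzinfo=PDT),
            "events": events, "slice": (float(ts["t0"]), float(ts["t1"])) if ts else None})
    return profiles


def summarise(p):
    """Per-profile triage view plus the consistency checks worth running before carving."""
    rule = [e for e in p["events"] if e["sid"].startswith("1:")]     # ET SCAN signature hits
    aggr = [e for e in p["events"] if e["sid"].startswith("777:")]   # aggregate scan-detector alerts
    dsts = {e["dst"] for e in rule if e["dst"]}
    claimed = [(int(c["ips"]), int(c["nets"])) for c in (CLAIM.search(e["msg"]) for e in aggr) if c]
    macs = Counter(e["mac"] for e in p["events"])
    flags = []
    if len(macs) > 1:  # two NICs/vantage points reported for one "infected" IP: check which is real
        flags.append("multiple source MACs: " + ", ".join(sorted(macs)))
    if p["slice"]:
        t0, t1 = p["slice"]
        drift = t0 - p["start"].timestamp()
        if abs(drift) > 0.001:
            flags.append(f"tcpslice start is {drift:+.3f}s from Observed Start")
        if t1 - t0 < 0.01:
            flags.append(f"tcpslice window is only {t1 - t0:.3f}s; carve Observed Start..Gen. Time instead")
    return {"target": p["target"], "score": p["score"], "fires": p["score"] >= p["threshold"],
            "ssh_scan_targets": sorted(dsts),
            "distinct_24s": len({d.rsplit(".", 1)[0] for d in dsts}),
            "claimed": claimed, "sids": Counter(e["sid"] for e in p["events"]), "flags": flags}


def carve_command(p, infile="inputFile.tcpd", outfile="outputFile.tcpd"):
    """The page's tcpslice | tcpdump pipeline, but spanning Observed Start..Gen. Time."""
    t0, t1 = p["start"].timestamp(), p["gen"].timestamp()
    return f"tcpslice {t0:.3f} {t1:.3f} {infile} | tcpdump -r - -w {outfile} 'host {p['target']}'"


if __name__ == "__main__":
    for prof in parse_profiles(SAMPLE):
        print(summarise(prof))
        print(carve_command(prof))
```

The destination attribution uses the position of the last `<ip> (<time>) event=` entry before each alert, which is how the duplicated alert after the `-------------------------` rule gets tied to the `(2)` host that precedes it. The claimed `N IPs (M /24s)` figures come from the aggregate detector's own window and will normally exceed what the signature hits in the same profile name, so the summary reports both rather than asserting they match.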
============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 05/12/2013 04:05:28.764 PDT Gen. Time: 05/12/2013 04:05:28.764 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 128.36.233.153 (04:05:28.764 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 37 IPs (23 /24s) (# pkts S/M/O/I=0/37/0/0): 22:37, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (04:05:28.764 PDT) tcpslice 1368356728.764 1368356728.765 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 05/12/2013 04:11:20.032 PDT Gen. 
Time: 05/12/2013 04:11:20.032 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 128.36.233.153 (04:11:20.032 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 37 IPs (23 /24s) (# pkts S/M/O/I=0/37/0/0): 22:37, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (04:11:20.032 PDT) tcpslice 1368357080.032 1368357080.033 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' ============================== SEPARATOR ================================ Score: 1.3 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 05/12/2013 04:11:20.032 PDT Gen. Time: 05/12/2013 04:21:01.950 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN 128.111.52.58 (04:12:04.591 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 58722->22 (04:12:04.591 PDT) 128.208.4.197 (04:15:28.317 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 54277->22 (04:15:28.317 PDT) 152.14.93.140 (04:13:00.901 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 39343->22 (04:13:00.901 PDT) 131.179.150.70 (2) (04:12:06.889 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 52848->22 (04:12:06.889 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 52848->22 (04:12:06.889 PDT) 155.246.12.164 (2) 
(04:15:47.619 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 32800->22 (04:15:47.619 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 32800->22 (04:15:47.619 PDT) 158.130.6.254 (04:11:36.165 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 49313->22 (04:11:36.165 PDT) 128.42.142.45 (04:11:25.911 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 58087->22 (04:11:25.911 PDT) 192.52.240.214 (2) (04:11:44.799 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 45307->22 (04:11:44.799 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 45307->22 (04:11:44.799 PDT) 204.123.28.56 (04:11:28.520 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 50762->22 (04:11:28.520 PDT) 204.8.155.227 (04:11:52.508 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 45733->22 (04:11:52.508 PDT) 192.52.240.213 (04:15:37.442 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 49705->22 (04:15:37.442 PDT) 141.212.113.180 (04:12:01.313 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 43611->22 (04:12:01.313 PDT) 128.111.52.59 (04:15:31.009 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 53547->22 (04:15:31.009 PDT) 152.3.138.6 (04:12:14.425 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 54432->22 (04:12:14.425 PDT) ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 
DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 128.36.233.153 (6) (04:11:20.032 PDT-04:21:01.950 PDT) event=777:7777008 (6) {tcp} E8[bh] Detected intense malware port scanning of 37 IPs (23 /24s) (# pkts S/M/O/I=0/37/0/0): 22:37, [] MAC_Src: 00:01:64:FF:CE:EA 6: 0->0 (04:11:20.032 PDT-04:21:01.950 PDT) tcpslice 1368357080.032 1368357661.951 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 05/12/2013 04:36:15.988 PDT Gen. Time: 05/12/2013 04:36:49.831 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) 131.179.150.70 (04:36:49.831 PDT) event=777:7777005 {tcp} E5[bh] Detected moderate malware port scanning of 10 IPs (9 /24s) (# pkts S/M/O/I=0/10/0/0): 22:10, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (04:36:49.831 PDT) OUTBOUND SCAN 128.111.52.58 (04:36:49.386 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 58889->22 (04:36:49.386 PDT) 204.8.155.227 (04:36:40.296 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 45900->22 (04:36:40.296 PDT) 128.42.142.45 (04:36:15.988 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 58254->22 (04:36:15.988 PDT) 204.123.28.56 (04:36:18.553 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 50929->22 (04:36:18.553 PDT) 141.212.113.180 (04:36:46.568 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 43778->22 (04:36:46.568 PDT) 192.52.240.214 (2) (04:36:32.782 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH 
Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 45474->22 (04:36:32.782 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 45474->22 (04:36:32.782 PDT) 158.130.6.254 (04:36:25.522 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 49480->22 (04:36:25.522 PDT) ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368358575.988 1368358575.989 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' ============================== SEPARATOR ================================ Score: 1.6 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 05/12/2013 04:36:15.988 PDT Gen. Time: 05/12/2013 04:49:38.428 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) 131.179.150.70 (04:36:49.831 PDT) event=777:7777005 {tcp} E5[bh] Detected moderate malware port scanning of 10 IPs (9 /24s) (# pkts S/M/O/I=0/10/0/0): 22:10, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (04:36:49.831 PDT) 152.3.138.6 (2) (04:38:32.549 PDT) event=777:7777005 (2) {tcp} E5[bh] Detected moderate malware port scanning of 12 IPs (11 /24s) (# pkts S/M/O/I=0/12/0/0): 22:12, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (04:38:32.549 PDT) 0->0 (04:40:08.827 PDT) OUTBOUND SCAN 128.111.52.58 (04:36:49.386 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 58889->22 (04:36:49.386 PDT) 128.208.4.197 (04:40:11.774 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 54444->22 (04:40:11.774 PDT) 152.14.93.140 (04:37:44.485 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH 
Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 39510->22 (04:37:44.485 PDT) 131.179.150.70 (2) (04:36:51.541 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 53015->22 (04:36:51.541 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 53015->22 (04:36:51.541 PDT) 155.246.12.164 (2) (04:40:31.386 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 32967->22 (04:40:31.386 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 32967->22 (04:40:31.386 PDT) 158.130.6.254 (04:36:25.522 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 49480->22 (04:36:25.522 PDT) 128.42.142.45 (04:36:15.988 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 58254->22 (04:36:15.988 PDT) 192.52.240.214 (2) (04:36:32.782 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 45474->22 (04:36:32.782 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 45474->22 (04:36:32.782 PDT) 204.123.28.56 (04:36:18.553 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 50929->22 (04:36:18.553 PDT) 204.8.155.227 (04:36:40.296 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 45900->22 (04:36:40.296 PDT) 192.52.240.213 (04:40:21.459 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 49872->22 (04:40:21.459 PDT) 141.212.113.180 (04:36:46.568 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 43778->22 (04:36:46.568 PDT) 
128.111.52.59 (04:40:14.915 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 53714->22 (04:40:14.915 PDT) 152.3.138.6 (04:36:58.074 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 54599->22 (04:36:58.074 PDT) ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 165.91.55.8 (3) (04:41:12.676 PDT) event=777:7777008 (3) {tcp} E8[bh] Detected intense malware port scanning of 21 IPs (16 /24s) (# pkts S/M/O/I=0/21/0/0): 22:21, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (04:41:12.676 PDT) 0->0 (04:42:47.237 PDT) 0->0 (04:45:47.552 PDT) tcpslice 1368358575.988 1368358575.989 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 05/12/2013 05:01:02.283 PDT Gen. 
Time: 05/12/2013 05:04:53.253 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) 192.52.240.214 (05:04:53.253 PDT) event=777:7777005 {tcp} E5[bh] Detected moderate malware port scanning of 11 IPs (11 /24s) (# pkts S/M/O/I=0/10/1/0): 22:10, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (05:04:53.253 PDT) OUTBOUND SCAN 128.111.52.58 (05:01:35.799 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 59057->22 (05:01:35.799 PDT) 131.179.150.70 (05:02:21.350 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 53179->22 (05:02:21.350 PDT) 158.130.6.254 (05:01:12.033 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 49648->22 (05:01:12.033 PDT) 128.42.142.45 (05:01:02.283 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 58422->22 (05:01:02.283 PDT) 192.52.240.214 (2) (05:01:19.198 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 45642->22 (05:01:19.198 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 45642->22 (05:01:19.198 PDT) 204.123.28.56 (05:01:04.853 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 51097->22 (05:01:04.853 PDT) 204.8.155.227 (05:01:26.692 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 46068->22 (05:01:26.692 PDT) 141.212.113.180 (05:01:32.899 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 43946->22 (05:01:32.899 PDT) 152.3.138.6 (05:04:51.877 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 54763->22 (05:04:51.877 
PDT) ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368360062.283 1368360062.284 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' ============================== SEPARATOR ================================ Score: 1.6 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 05/12/2013 05:01:02.283 PDT Gen. Time: 05/12/2013 05:16:40.292 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) 192.52.240.214 (3) (05:04:53.253 PDT-05:08:02.624 PDT) event=777:7777005 (3) {tcp} E5[bh] Detected moderate malware port scanning of 11 IPs (11 /24s) (# pkts S/M/O/I=0/10/1/0): 22:10, [] MAC_Src: 00:21:1C:EE:14:00 3: 0->0 (05:04:53.253 PDT-05:08:02.624 PDT) OUTBOUND SCAN 128.111.52.58 (05:01:35.799 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 59057->22 (05:01:35.799 PDT) 128.208.4.197 (05:08:05.684 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 54608->22 (05:08:05.684 PDT) 152.14.93.140 (05:05:38.342 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 39674->22 (05:05:38.342 PDT) 131.179.150.70 (05:02:21.350 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 53179->22 (05:02:21.350 PDT) 155.246.12.164 (2) (05:08:26.243 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 33131->22 (05:08:26.243 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 33131->22 (05:08:26.243 PDT) 158.130.6.254 (05:01:12.033 
PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 49648->22 (05:01:12.033 PDT) 128.42.142.45 (05:01:02.283 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 58422->22 (05:01:02.283 PDT) 192.52.240.214 (2) (05:01:19.198 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 45642->22 (05:01:19.198 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 45642->22 (05:01:19.198 PDT) 204.123.28.56 (05:01:04.853 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 51097->22 (05:01:04.853 PDT) 204.8.155.227 (05:01:26.692 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 46068->22 (05:01:26.692 PDT) 192.52.240.213 (05:08:14.911 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 50036->22 (05:08:14.911 PDT) 141.212.113.180 (05:01:32.899 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 43946->22 (05:01:32.899 PDT) 204.8.155.226 (05:08:34.830 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 38072->22 (05:08:34.830 PDT) 128.111.52.59 (05:08:08.379 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 53878->22 (05:08:08.379 PDT) 152.3.138.6 (05:04:51.877 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 54763->22 (05:04:51.877 PDT) ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 192.52.240.213 (05:09:06.720 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware 
port scanning of 21 IPs (16 /24s) (# pkts S/M/O/I=0/20/1/0): 22:20, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (05:09:06.720 PDT) 139.78.141.243 (3) (05:10:36.950 PDT-05:12:07.142 PDT) event=777:7777008 (3) {tcp} E8[bh] Detected intense malware port scanning of 35 IPs (24 /24s) (# pkts S/M/O/I=0/34/1/0): 22:34, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (05:13:43.290 PDT) 2: 0->0 (05:10:36.950 PDT-05:12:07.142 PDT) tcpslice 1368360062.283 1368360727.143 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 05/12/2013 05:28:05.653 PDT Gen. Time: 05/12/2013 05:28:56.753 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) 158.130.6.254 (05:28:05.653 PDT) event=777:7777005 {tcp} E5[bh] Detected moderate malware port scanning of 10 IPs (6 /24s) (# pkts S/M/O/I=0/10/0/0): 22:10, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (05:28:05.653 PDT) OUTBOUND SCAN 128.42.142.45 (05:28:56.753 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 59675->22 (05:28:56.753 PDT) ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368361685.653 1368361685.654 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' ============================== SEPARATOR ================================ Score: 1.6 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 05/12/2013 05:28:05.653 PDT Gen. 
Time: 05/12/2013 05:44:42.860 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) 158.130.6.254 (05:28:05.653 PDT) event=777:7777005 {tcp} E5[bh] Detected moderate malware port scanning of 10 IPs (6 /24s) (# pkts S/M/O/I=0/10/0/0): 22:10, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (05:28:05.653 PDT) OUTBOUND SCAN 128.111.52.58 (05:29:31.635 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 60466->22 (05:29:31.635 PDT) 128.208.4.197 (05:36:01.452 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 57769->22 (05:36:01.452 PDT) 152.14.93.140 (05:33:34.054 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 41949->22 (05:33:34.054 PDT) 131.179.150.70 (05:30:17.126 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 54589->22 (05:30:17.126 PDT) 155.246.12.164 (2) (05:36:20.682 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 36431->22 (05:36:20.682 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 36431->22 (05:36:20.682 PDT) 158.130.6.254 (05:29:07.134 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 50949->22 (05:29:07.134 PDT) 128.42.142.45 (05:28:56.753 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 59675->22 (05:28:56.753 PDT) 192.52.240.214 (2) (05:29:14.592 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 46977->22 (05:29:14.592 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 46977->22 
(05:29:14.592 PDT) 204.123.28.56 (05:28:59.588 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 52363->22 (05:28:59.588 PDT) 204.8.155.227 (05:29:22.181 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 47435->22 (05:29:22.181 PDT) 192.52.240.213 (05:36:10.349 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 53262->22 (05:36:10.349 PDT) 141.212.113.180 (05:29:28.752 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 45341->22 (05:29:28.752 PDT) 204.8.155.226 (05:36:29.316 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 41432->22 (05:36:29.316 PDT) 128.111.52.59 (05:36:03.931 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 57059->22 (05:36:03.931 PDT) 152.3.138.6 (05:32:47.516 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 57033->22 (05:32:47.516 PDT) ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 13.7.64.20 (8) (05:31:05.190 PDT-05:43:27.236 PDT) event=777:7777008 (8) {tcp} E8[bh] Detected intense malware port scanning of 33 IPs (22 /24s) (# pkts S/M/O/I=0/33/0/0): 22:33, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (05:37:29.700 PDT) 2: 0->0 (05:31:05.190 PDT-05:32:41.465 PDT) 3: 0->0 (05:39:11.979 PDT-05:43:27.236 PDT) 2: 0->0 (05:34:22.182 PDT-05:35:58.481 PDT) 158.130.6.254 (05:29:22.053 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 21 IPs (13 /24s) (# pkts S/M/O/I=0/21/0/0): 22:21, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (05:29:22.053 PDT) tcpslice 1368361685.653 1368362607.237 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 
192.168.1.41' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 05/12/2013 05:56:50.134 PDT Gen. Time: 05/12/2013 06:00:42.459 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) 158.130.6.254 (06:00:42.459 PDT) event=777:7777005 {tcp} E5[bh] Detected moderate malware port scanning of 10 IPs (10 /24s) (# pkts S/M/O/I=0/10/0/0): 22:10, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (06:00:42.459 PDT) OUTBOUND SCAN 128.111.52.58 (05:57:24.835 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 43261->22 (05:57:24.835 PDT) 131.179.150.70 (05:58:10.471 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 37387->22 (05:58:10.471 PDT) 158.130.6.254 (05:56:59.755 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 33678->22 (05:56:59.755 PDT) 128.42.142.45 (05:56:50.134 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 42382->22 (05:56:50.134 PDT) 192.52.240.214 (2) (05:57:07.180 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 57958->22 (05:57:07.180 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 57958->22 (05:57:07.180 PDT) 204.123.28.56 (05:56:52.804 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 35077->22 (05:56:52.804 PDT) 204.8.155.227 (05:57:15.306 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 58440->22 (05:57:15.306 PDT) 141.212.113.180 (05:57:21.887 PDT) 
event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 56362->22 (05:57:21.887 PDT) 152.3.138.6 (06:00:41.090 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 40347->22 (06:00:41.090 PDT) ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368363410.134 1368363410.135 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' ============================== SEPARATOR ================================ Score: 1.6 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 05/12/2013 05:56:50.134 PDT Gen. Time: 05/12/2013 06:13:10.622 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) 158.130.6.254 (3) (06:00:42.459 PDT-06:03:51.854 PDT) event=777:7777005 (3) {tcp} E5[bh] Detected moderate malware port scanning of 10 IPs (10 /24s) (# pkts S/M/O/I=0/10/0/0): 22:10, [] MAC_Src: 00:01:64:FF:CE:EA 3: 0->0 (06:00:42.459 PDT-06:03:51.854 PDT) OUTBOUND SCAN 128.111.52.58 (05:57:24.835 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 43261->22 (05:57:24.835 PDT) 128.208.4.197 (06:03:54.848 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 41554->22 (06:03:54.848 PDT) 152.14.93.140 (06:01:27.527 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 53501->22 (06:01:27.527 PDT) 131.179.150.70 (05:58:10.471 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 37387->22 (05:58:10.471 PDT) 155.246.12.164 (2) (06:04:14.494 PDT) event=1:2001219 {tcp} E5[rb] ET 
SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 48447->22 (06:04:14.494 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 48447->22 (06:04:14.494 PDT) 158.130.6.254 (05:56:59.755 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 33678->22 (05:56:59.755 PDT) 128.42.142.45 (05:56:50.134 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 42382->22 (05:56:50.134 PDT) 192.52.240.214 (2) (05:57:07.180 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 57958->22 (05:57:07.180 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 57958->22 (05:57:07.180 PDT) 204.123.28.56 (05:56:52.804 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 35077->22 (05:56:52.804 PDT) 204.8.155.227 (05:57:15.306 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 58440->22 (05:57:15.306 PDT) 192.52.240.213 (06:04:04.104 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 37051->22 (06:04:04.104 PDT) 141.212.113.180 (05:57:21.887 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 56362->22 (05:57:21.887 PDT) 204.8.155.226 (06:04:23.170 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 53447->22 (06:04:23.170 PDT) 128.111.52.59 (06:03:57.479 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 40845->22 (06:03:57.479 PDT) 152.3.138.6 (06:00:41.090 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 40347->22 (06:00:41.090 PDT) 
ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 158.130.6.254 (4) (06:04:59.288 PDT-06:07:59.847 PDT) event=777:7777008 (4) {tcp} E8[bh] Detected intense malware port scanning of 34 IPs (23 /24s) (# pkts S/M/O/I=0/34/0/0): 22:34, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (06:09:36.301 PDT) 0->0 (06:04:59.288 PDT) 2: 0->0 (06:06:29.631 PDT-06:07:59.847 PDT) tcpslice 1368363410.134 1368364079.848 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 05/12/2013 06:15:54.996 PDT Gen. Time: 05/12/2013 06:15:54.996 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 158.130.6.254 (06:15:54.996 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 35 IPs (23 /24s) (# pkts S/M/O/I=0/35/0/0): 22:35, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (06:15:54.996 PDT) tcpslice 1368364554.996 1368364554.997 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 05/12/2013 06:24:50.828 PDT Gen. 
Time: 05/12/2013 06:28:43.716 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) 152.14.93.140 (06:28:43.716 PDT) event=777:7777005 {tcp} E5[bh] Detected moderate malware port scanning of 10 IPs (10 /24s) (# pkts S/M/O/I=0/10/0/0): 22:10, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (06:28:43.716 PDT) OUTBOUND SCAN 128.111.52.58 (06:25:26.152 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 53528->22 (06:25:26.152 PDT) 131.179.150.70 (06:26:11.687 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 47651->22 (06:26:11.687 PDT) 158.130.6.254 (06:25:00.455 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 43990->22 (06:25:00.455 PDT) 128.42.142.45 (06:24:50.828 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 52724->22 (06:24:50.828 PDT) 192.52.240.214 (2) (06:25:08.538 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 40036->22 (06:25:08.538 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 40036->22 (06:25:08.538 PDT) 204.123.28.56 (06:24:53.379 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 45410->22 (06:24:53.379 PDT) 204.8.155.227 (06:25:16.552 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 40497->22 (06:25:16.552 PDT) 141.212.113.180 (06:25:23.164 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 38406->22 (06:25:23.164 PDT) 152.3.138.6 (06:28:42.292 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 50383->22 (06:28:42.292 
PDT) ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368365090.828 1368365090.829 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' ============================== SEPARATOR ================================ Score: 1.6 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 05/12/2013 06:24:50.828 PDT Gen. Time: 05/12/2013 06:41:44.094 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) 152.14.93.140 (3) (06:28:43.716 PDT-06:31:53.280 PDT) event=777:7777005 (3) {tcp} E5[bh] Detected moderate malware port scanning of 10 IPs (10 /24s) (# pkts S/M/O/I=0/10/0/0): 22:10, [] MAC_Src: 00:01:64:FF:CE:EA 3: 0->0 (06:28:43.716 PDT-06:31:53.280 PDT) OUTBOUND SCAN 128.111.52.58 (06:25:26.152 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 53528->22 (06:25:26.152 PDT) 128.208.4.197 (06:31:56.340 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 51556->22 (06:31:56.340 PDT) 152.14.93.140 (06:29:28.806 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 35303->22 (06:29:28.806 PDT) 131.179.150.70 (06:26:11.687 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 47651->22 (06:26:11.687 PDT) 155.246.12.164 (2) (06:32:17.782 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 58460->22 (06:32:17.782 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 58460->22 (06:32:17.782 PDT) 158.130.6.254 (06:25:00.455 
PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 43990->22 (06:25:00.455 PDT) 128.42.142.45 (06:24:50.828 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 52724->22 (06:24:50.828 PDT) 192.52.240.214 (2) (06:25:08.538 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 40036->22 (06:25:08.538 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 40036->22 (06:25:08.538 PDT) 204.123.28.56 (06:24:53.379 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 45410->22 (06:24:53.379 PDT) 204.8.155.227 (06:25:16.552 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 40497->22 (06:25:16.552 PDT) 192.52.240.213 (06:32:06.042 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 47053->22 (06:32:06.042 PDT) 141.212.113.180 (06:25:23.164 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 38406->22 (06:25:23.164 PDT) 204.8.155.226 (06:32:26.673 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 35227->22 (06:32:26.673 PDT) 128.111.52.59 (06:31:59.337 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 50849->22 (06:31:59.337 PDT) 152.3.138.6 (06:28:42.292 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 50383->22 (06:28:42.292 PDT) ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 152.14.93.140 (4) (06:32:58.861 PDT-06:35:59.590 PDT) event=777:7777008 (4) {tcp} E8[bh] 
Detected intense malware port scanning of 34 IPs (23 /24s) (# pkts S/M/O/I=0/34/0/0): 22:34, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (06:37:35.835 PDT) 0->0 (06:32:58.861 PDT) 2: 0->0 (06:34:29.374 PDT-06:35:59.590 PDT) tcpslice 1368365090.828 1368365759.591 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 05/12/2013 06:52:49.949 PDT Gen. Time: 05/12/2013 06:56:34.021 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) 152.3.138.6 (06:56:34.021 PDT) event=777:7777005 {tcp} E5[bh] Detected moderate malware port scanning of 10 IPs (10 /24s) (# pkts S/M/O/I=0/10/0/0): 22:10, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (06:56:34.021 PDT) OUTBOUND SCAN 128.111.52.58 (06:53:24.135 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 36683->22 (06:53:24.135 PDT) 204.8.155.227 (06:53:14.904 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 51869->22 (06:53:14.904 PDT) 128.42.142.45 (06:52:49.949 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 35821->22 (06:52:49.949 PDT) 131.179.150.70 (06:54:09.638 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 59041->22 (06:54:09.638 PDT) 204.123.28.56 (06:52:52.679 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 56749->22 (06:52:52.679 PDT) 141.212.113.180 (06:53:21.235 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 49788->22 (06:53:21.235 PDT) 192.52.240.214 (2) (06:53:06.974 PDT) event=1:2001219 {tcp} 
E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 51388->22 (06:53:06.974 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 51388->22 (06:53:06.974 PDT) 158.130.6.254 (06:52:59.644 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 55347->22 (06:52:59.644 PDT) ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368366769.949 1368366769.950 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 05/12/2013 06:56:40.168 PDT Gen. Time: 05/12/2013 06:58:14.630 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) 152.3.138.6 (06:58:14.630 PDT) event=777:7777005 {tcp} E5[bh] Detected moderate malware port scanning of 11 IPs (11 /24s) (# pkts S/M/O/I=0/11/0/0): 22:11, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (06:58:14.630 PDT) OUTBOUND SCAN 152.14.93.140 (06:57:26.566 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 46854->22 (06:57:26.566 PDT) 152.3.138.6 (06:56:40.168 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 33702->22 (06:56:40.168 PDT) ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368367000.168 1368367000.169 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' 
============================== SEPARATOR ================================ Score: 1.6 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 05/12/2013 06:56:40.168 PDT Gen. Time: 05/12/2013 07:05:30.984 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) 152.3.138.6 (2) (06:58:14.630 PDT-06:59:50.796 PDT) event=777:7777005 (2) {tcp} E5[bh] Detected moderate malware port scanning of 11 IPs (11 /24s) (# pkts S/M/O/I=0/11/0/0): 22:11, [] MAC_Src: 00:01:64:FF:CE:EA 2: 0->0 (06:58:14.630 PDT-06:59:50.796 PDT) OUTBOUND SCAN 128.208.4.197 (06:59:53.866 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 34849->22 (06:59:53.866 PDT) 152.14.93.140 (06:57:26.566 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 46854->22 (06:57:26.566 PDT) 155.246.12.164 (2) (07:00:14.970 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 41748->22 (07:00:14.970 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 41748->22 (07:00:14.970 PDT) 165.91.55.8 (07:00:30.424 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 41981->22 (07:00:30.424 PDT) 128.42.142.44 (2) (07:00:44.582 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 41860->22 (07:00:44.582 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 41860->22 (07:00:44.582 PDT) 128.84.154.44 (07:00:38.537 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 40919->22 (07:00:38.537 PDT) 13.7.64.20 
(07:00:57.342 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 43838->22 (07:00:57.342 PDT) 192.52.240.213 (07:00:02.770 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 58570->22 (07:00:02.770 PDT) 204.123.28.55 (07:00:54.742 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 46343->22 (07:00:54.742 PDT) 128.252.19.19 (07:00:52.105 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 52744->22 (07:00:52.105 PDT) 204.8.155.226 (07:00:23.453 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 46745->22 (07:00:23.453 PDT) 198.133.224.147 (2) (07:01:05.178 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 37519->22 (07:01:05.178 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 37519->22 (07:01:05.178 PDT) 152.3.138.6 (06:56:40.168 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 33702->22 (06:56:40.168 PDT) 128.111.52.59 (06:59:56.345 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 34136->22 (06:59:56.345 PDT) ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 152.3.138.6 (4) (07:00:53.537 PDT-07:03:54.470 PDT) event=777:7777008 (4) {tcp} E8[bh] Detected intense malware port scanning of 34 IPs (23 /24s) (# pkts S/M/O/I=0/34/0/0): 22:34, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (07:05:30.984 PDT) 0->0 (07:00:53.537 PDT) 2: 0->0 (07:02:24.262 PDT-07:03:54.470 PDT) tcpslice 1368367000.168 1368367434.471 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 
192.168.1.41' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 05/12/2013 07:13:35.205 PDT Gen. Time: 05/12/2013 07:13:35.205 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 152.3.138.6 (07:13:35.205 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 36 IPs (24 /24s) (# pkts S/M/O/I=0/35/1/0): 22:35, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (07:13:35.205 PDT) tcpslice 1368368015.205 1368368015.206 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 05/12/2013 07:20:44.663 PDT Gen. 
BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368376846.859 1368376846.860 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' ============================== SEPARATOR ================================ Score: 1.6 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 05/12/2013 09:40:46.859 PDT Gen. Time: 05/12/2013 09:57:29.232 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) 192.52.240.214 (3) (09:44:32.213 PDT) event=777:7777005 (3) {tcp} E5[bh] Detected moderate malware port scanning of 10 IPs (9 /24s) (# pkts S/M/O/I=0/10/0/0): 22:10, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (09:44:32.213 PDT) 0->0 (09:46:13.223 PDT) 0->0 (09:47:49.636 PDT) OUTBOUND SCAN 128.111.52.58 (09:41:22.147 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 41801->22 (09:41:22.147 PDT) 128.208.4.197 (09:47:52.750 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 37352->22 (09:47:52.750 PDT) 152.14.93.140 (09:45:25.095 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 50651->22 (09:45:25.095 PDT) 131.179.150.70 (09:42:07.719 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 35923->22 (09:42:07.719 PDT) 155.246.12.164 (2) (09:48:11.891 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 44108->22 (09:48:11.891 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 44108->22 (09:48:11.891 PDT) 158.130.6.254 (09:40:56.944 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 60625->22 (09:40:56.944 PDT) 128.42.142.45 
(09:40:46.859 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 41166->22 (09:40:46.859 PDT) 192.52.240.214 (2) (09:41:04.399 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 56619->22 (09:41:04.399 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 56619->22 (09:41:04.399 PDT) 204.123.28.56 (09:40:49.378 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 33841->22 (09:40:49.378 PDT) 204.8.155.227 (09:41:12.384 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 57045->22 (09:41:12.384 PDT) 192.52.240.213 (09:48:01.980 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 32780->22 (09:48:01.980 PDT) 141.212.113.180 (09:41:19.047 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 54923->22 (09:41:19.047 PDT) 204.8.155.226 (09:48:20.793 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 49049->22 (09:48:20.793 PDT) 128.111.52.59 (09:47:55.477 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 36622->22 (09:47:55.477 PDT) 152.3.138.6 (09:44:38.504 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 37507->22 (09:44:38.504 PDT) ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 192.52.240.214 (4) (09:48:53.640 PDT-09:53:26.613 PDT) event=777:7777008 (4) {tcp} E8[bh] Detected intense malware port scanning of 33 IPs (23 /24s) (# pkts S/M/O/I=0/33/0/0): 22:33, [] MAC_Src: 00:01:64:FF:CE:EA 3: 0->0 (09:50:24.655 
PDT-09:53:26.613 PDT) 0->0 (09:48:53.640 PDT) tcpslice 1368376846.859 1368377606.614 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 05/12/2013 10:08:44.784 PDT Gen. Time: 05/12/2013 10:12:40.503 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) 152.3.138.6 (10:12:40.503 PDT) event=777:7777005 {tcp} E5[bh] Detected moderate malware port scanning of 10 IPs (10 /24s) (# pkts S/M/O/I=0/10/0/0): 22:10, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (10:12:40.503 PDT) OUTBOUND SCAN 128.111.52.58 (10:09:20.939 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 41964->22 (10:09:20.939 PDT) 131.179.150.70 (10:10:06.439 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 36086->22 (10:10:06.439 PDT) 158.130.6.254 (10:08:55.511 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 60788->22 (10:08:55.511 PDT) 128.42.142.45 (10:08:44.784 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 41329->22 (10:08:44.784 PDT) 192.52.240.214 (2) (10:09:03.282 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 56782->22 (10:09:03.282 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 56782->22 (10:09:03.282 PDT) 204.123.28.56 (10:08:47.331 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 34004->22 (10:08:47.331 PDT) 204.8.155.227 (10:09:11.217 PDT) event=1:2003068 {tcp} E5[rb] ET 
SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 57208->22 (10:09:11.217 PDT) 141.212.113.180 (10:09:17.904 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 55086->22 (10:09:17.904 PDT) 152.3.138.6 (10:12:39.237 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 37670->22 (10:12:39.237 PDT) ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368378524.784 1368378524.785 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' ============================== SEPARATOR ================================ Score: 1.6 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 05/12/2013 10:08:44.784 PDT Gen. Time: 05/12/2013 10:21:30.037 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) 152.3.138.6 (3) (10:12:40.503 PDT-10:15:49.915 PDT) event=777:7777005 (3) {tcp} E5[bh] Detected moderate malware port scanning of 10 IPs (10 /24s) (# pkts S/M/O/I=0/10/0/0): 22:10, [] MAC_Src: 00:01:64:FF:CE:EA 3: 0->0 (10:12:40.503 PDT-10:15:49.915 PDT) OUTBOUND SCAN 128.111.52.58 (10:09:20.939 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 41964->22 (10:09:20.939 PDT) 128.208.4.197 (10:15:53.763 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 37515->22 (10:15:53.763 PDT) 152.14.93.140 (10:13:25.607 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 50814->22 (10:13:25.607 PDT) 131.179.150.70 (10:10:06.439 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] 
MAC_Src: 00:01:64:FF:CE:EA 36086->22 (10:10:06.439 PDT) 155.246.12.164 (2) (10:16:14.510 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 44271->22 (10:16:14.510 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 44271->22 (10:16:14.510 PDT) 158.130.6.254 (10:08:55.511 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 60788->22 (10:08:55.511 PDT) 128.42.142.45 (10:08:44.784 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 41329->22 (10:08:44.784 PDT) 192.52.240.214 (2) (10:09:03.282 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 56782->22 (10:09:03.282 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 56782->22 (10:09:03.282 PDT) 204.123.28.56 (10:08:47.331 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 34004->22 (10:08:47.331 PDT) 204.8.155.227 (10:09:11.217 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 57208->22 (10:09:11.217 PDT) 192.52.240.213 (10:16:03.312 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 32943->22 (10:16:03.312 PDT) 141.212.113.180 (10:09:17.904 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 55086->22 (10:09:17.904 PDT) 204.8.155.226 (10:16:22.942 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 49212->22 (10:16:22.942 PDT) 128.111.52.59 (10:15:56.725 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 36785->22 (10:15:56.725 PDT) 152.3.138.6 (10:12:39.237 PDT) 
event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 37670->22 (10:12:39.237 PDT) ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 128.36.233.153 (2) (10:18:29.463 PDT) event=777:7777008 (2) {tcp} E8[bh] Detected intense malware port scanning of 33 IPs (23 /24s) (# pkts S/M/O/I=0/33/0/0): 22:33, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (10:18:29.463 PDT) 0->0 (10:21:30.037 PDT) 128.42.142.44 (10:16:54.343 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 21 IPs (16 /24s) (# pkts S/M/O/I=0/21/0/0): 22:21, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (10:16:54.343 PDT) tcpslice 1368378524.784 1368378949.916 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 05/12/2013 10:36:47.791 PDT Gen. 
Time: 05/12/2013 10:40:32.914 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) 141.212.113.180 (10:40:32.914 PDT) event=777:7777005 {tcp} E5[bh] Detected moderate malware port scanning of 10 IPs (10 /24s) (# pkts S/M/O/I=0/10/0/0): 22:10, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (10:40:32.914 PDT) OUTBOUND SCAN 128.111.52.58 (10:37:23.055 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 42127->22 (10:37:23.055 PDT) 204.8.155.227 (10:37:13.304 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 57371->22 (10:37:13.304 PDT) 128.42.142.45 (10:36:47.791 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 41492->22 (10:36:47.791 PDT) 131.179.150.70 (10:38:08.615 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 36249->22 (10:38:08.615 PDT) 204.123.28.56 (10:36:50.430 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 34167->22 (10:36:50.430 PDT) 141.212.113.180 (10:37:20.047 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 55249->22 (10:37:20.047 PDT) 192.52.240.214 (2) (10:37:05.362 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 56945->22 (10:37:05.362 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 56945->22 (10:37:05.362 PDT) 158.130.6.254 (10:36:57.836 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 60951->22 (10:36:57.836 PDT) ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered 
DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368380207.791 1368380207.792 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' ============================== SEPARATOR ================================ Score: 1.6 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 05/12/2013 10:36:47.791 PDT Gen. Time: 05/12/2013 10:51:11.909 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) 141.212.113.180 (3) (10:40:32.914 PDT-10:43:50.023 PDT) event=777:7777005 (3) {tcp} E5[bh] Detected moderate malware port scanning of 10 IPs (10 /24s) (# pkts S/M/O/I=0/10/0/0): 22:10, [] MAC_Src: 00:01:64:FF:CE:EA 3: 0->0 (10:40:32.914 PDT-10:43:50.023 PDT) OUTBOUND SCAN 128.111.52.58 (10:37:23.055 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 42127->22 (10:37:23.055 PDT) 128.208.4.197 (10:43:53.078 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 37678->22 (10:43:53.078 PDT) 152.14.93.140 (10:41:25.798 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 50977->22 (10:41:25.798 PDT) 131.179.150.70 (10:38:08.615 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 36249->22 (10:38:08.615 PDT) 155.246.12.164 (2) (10:44:13.129 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 44434->22 (10:44:13.129 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 44434->22 (10:44:13.129 PDT) 158.130.6.254 (10:36:57.836 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 60951->22 (10:36:57.836 PDT) 128.42.142.45 
(10:36:47.791 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 41492->22 (10:36:47.791 PDT) 192.52.240.214 (2) (10:37:05.362 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 56945->22 (10:37:05.362 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 56945->22 (10:37:05.362 PDT) 204.123.28.56 (10:36:50.430 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 34167->22 (10:36:50.430 PDT) 204.8.155.227 (10:37:13.304 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 57371->22 (10:37:13.304 PDT) 192.52.240.213 (10:44:02.801 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 33106->22 (10:44:02.801 PDT) 141.212.113.180 (10:37:20.047 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 55249->22 (10:37:20.047 PDT) 204.8.155.226 (10:44:21.915 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 49375->22 (10:44:21.915 PDT) 128.111.52.59 (10:43:55.970 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 36948->22 (10:43:55.970 PDT) 152.3.138.6 (10:40:39.342 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 37833->22 (10:40:39.342 PDT) ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 141.212.113.180 (4) (10:44:44.628 PDT-10:47:55.110 PDT) event=777:7777008 (4) {tcp} E8[bh] Detected intense malware port scanning of 21 IPs (16 /24s) (# pkts S/M/O/I=0/21/0/0): 22:21, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (10:44:44.628 
PDT) 0->0 (10:49:31.263 PDT) 2: 0->0 (10:46:15.273 PDT-10:47:55.110 PDT) tcpslice 1368380207.791 1368380875.111 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 05/12/2013 10:52:25.021 PDT Gen. Time: 05/12/2013 10:52:25.021 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 141.212.113.180 (10:52:25.021 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 35 IPs (23 /24s) (# pkts S/M/O/I=0/35/0/0): 22:35, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (10:52:25.021 PDT) tcpslice 1368381145.021 1368381145.022 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 05/12/2013 11:04:45.699 PDT Gen. 
Time: 05/12/2013 11:05:48.378 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) 131.179.150.70 (11:05:48.378 PDT) event=777:7777005 {tcp} E5[bh] Detected moderate malware port scanning of 10 IPs (10 /24s) (# pkts S/M/O/I=0/10/0/0): 22:10, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (11:05:48.378 PDT) OUTBOUND SCAN 128.111.52.58 (11:05:21.877 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 42290->22 (11:05:21.877 PDT) 204.8.155.227 (11:05:12.337 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 57534->22 (11:05:12.337 PDT) 128.42.142.45 (11:04:45.699 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 41655->22 (11:04:45.699 PDT) 204.123.28.56 (11:04:48.358 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 34330->22 (11:04:48.358 PDT) 141.212.113.180 (11:05:18.903 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 55412->22 (11:05:18.903 PDT) 192.52.240.214 (2) (11:05:04.511 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 57108->22 (11:05:04.511 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 57108->22 (11:05:04.511 PDT) 158.130.6.254 (11:04:56.819 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 32881->22 (11:04:56.819 PDT) ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368381885.699 1368381885.700 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' 
============================== SEPARATOR ================================ Score: 1.6 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 05/12/2013 11:04:45.699 PDT Gen. Time: 05/12/2013 11:21:07.632 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) 131.179.150.70 (4) (11:05:48.378 PDT-11:11:49.909 PDT) event=777:7777005 (4) {tcp} E5[bh] Detected moderate malware port scanning of 10 IPs (10 /24s) (# pkts S/M/O/I=0/10/0/0): 22:10, [] MAC_Src: 00:01:64:FF:CE:EA 4: 0->0 (11:05:48.378 PDT-11:11:49.909 PDT) OUTBOUND SCAN 128.111.52.58 (11:05:21.877 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 42290->22 (11:05:21.877 PDT) 128.208.4.197 (11:11:53.083 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 37841->22 (11:11:53.083 PDT) 152.14.93.140 (11:09:25.606 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 51140->22 (11:09:25.606 PDT) 131.179.150.70 (11:06:07.398 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 36412->22 (11:06:07.398 PDT) 155.246.12.164 (2) (11:12:13.820 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 44597->22 (11:12:13.820 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 44597->22 (11:12:13.820 PDT) 158.130.6.254 (11:04:56.819 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 32881->22 (11:04:56.819 PDT) 128.42.142.45 (11:04:45.699 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 41655->22 (11:04:45.699 PDT) 192.52.240.214 
(2) (11:05:04.511 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 57108->22 (11:05:04.511 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 57108->22 (11:05:04.511 PDT) 204.123.28.56 (11:04:48.358 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 34330->22 (11:04:48.358 PDT) 204.8.155.227 (11:05:12.337 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 57534->22 (11:05:12.337 PDT) 192.52.240.213 (11:12:02.459 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 33269->22 (11:12:02.459 PDT) 141.212.113.180 (11:05:18.903 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 55412->22 (11:05:18.903 PDT) 204.8.155.226 (11:12:22.653 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 49538->22 (11:12:22.653 PDT) 128.111.52.59 (11:11:55.811 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 37111->22 (11:11:55.811 PDT) 152.3.138.6 (11:08:39.086 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 37996->22 (11:08:39.086 PDT) ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 204.123.28.55 (4) (11:12:54.549 PDT-11:15:55.622 PDT) event=777:7777008 (4) {tcp} E8[bh] Detected intense malware port scanning of 33 IPs (23 /24s) (# pkts S/M/O/I=0/33/0/0): 22:33, [] MAC_Src: 00:01:64:FF:CE:EA 2: 0->0 (11:14:25.414 PDT-11:15:55.622 PDT) 0->0 (11:17:31.925 PDT) 0->0 (11:12:54.549 PDT) tcpslice 1368381885.699 1368382555.623 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 
'host 192.168.1.41' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 05/12/2013 11:27:02.344 PDT Gen. Time: 05/12/2013 11:27:02.344 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 128.223.8.111 (11:27:02.344 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 35 IPs (23 /24s) (# pkts S/M/O/I=0/35/0/0): 22:35, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (11:27:02.344 PDT) tcpslice 1368383222.344 1368383222.345 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 05/12/2013 11:32:12.773 PDT Gen. 
Time: 05/12/2013 11:32:12.773 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 128.223.8.111 (11:32:12.773 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 35 IPs (23 /24s) (# pkts S/M/O/I=0/35/0/0): 22:35, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (11:32:12.773 PDT) tcpslice 1368383532.773 1368383532.774 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' ============================== SEPARATOR ================================ Score: 1.3 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 05/12/2013 11:32:12.773 PDT Gen. Time: 05/12/2013 11:36:32.265 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN 128.111.52.58 (11:33:22.241 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 42453->22 (11:33:22.241 PDT) 204.8.155.227 (11:33:12.473 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 57697->22 (11:33:12.473 PDT) 128.42.142.45 (11:32:47.162 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 41818->22 (11:32:47.162 PDT) 131.179.150.70 (11:34:07.781 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 36575->22 (11:34:07.781 PDT) 204.123.28.56 (11:32:49.688 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 34493->22 (11:32:49.688 PDT) 141.212.113.180 (11:33:19.156 PDT) 
event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 55575->22 (11:33:19.156 PDT) 192.52.240.214 (2) (11:33:04.442 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 57271->22 (11:33:04.442 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 57271->22 (11:33:04.442 PDT) 158.130.6.254 (11:32:57.020 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 33044->22 (11:32:57.020 PDT) ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 128.223.8.111 (3) (11:32:12.773 PDT-11:36:32.265 PDT) event=777:7777008 (3) {tcp} E8[bh] Detected intense malware port scanning of 35 IPs (23 /24s) (# pkts S/M/O/I=0/35/0/0): 22:35, [] MAC_Src: 00:01:64:FF:CE:EA 3: 0->0 (11:32:12.773 PDT-11:36:32.265 PDT) tcpslice 1368383532.773 1368383792.266 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' ============================== SEPARATOR ================================ Score: 1.3 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 05/12/2013 11:36:38.729 PDT Gen. 
Time: 05/12/2013 11:38:13.349 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN 152.14.93.140 (11:37:25.221 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 51303->22 (11:37:25.221 PDT) 152.3.138.6 (11:36:38.729 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 38159->22 (11:36:38.729 PDT) ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 128.223.8.111 (11:38:13.349 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 35 IPs (23 /24s) (# pkts S/M/O/I=0/35/0/0): 22:35, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (11:38:13.349 PDT) tcpslice 1368383798.729 1368383798.730 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' ============================== SEPARATOR ================================ Score: 1.3 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 05/12/2013 11:36:38.729 PDT Gen. 
Time: 05/12/2013 11:49:13.005 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN 128.208.4.197 (11:39:52.541 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 38004->22 (11:39:52.541 PDT) 152.14.93.140 (11:37:25.221 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 51303->22 (11:37:25.221 PDT) 155.246.12.164 (2) (11:40:12.602 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 44760->22 (11:40:12.602 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 44760->22 (11:40:12.602 PDT) 165.91.55.8 (11:40:33.418 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 44892->22 (11:40:33.418 PDT) 128.42.142.44 (2) (11:40:48.066 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 44680->22 (11:40:48.066 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 44680->22 (11:40:48.066 PDT) 128.84.154.44 (11:40:41.787 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 43776->22 (11:40:41.787 PDT) 13.7.64.20 (11:41:03.099 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 46576->22 (11:41:03.099 PDT) 192.52.240.213 (11:40:01.958 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 33432->22 (11:40:01.958 PDT) 204.123.28.55 (11:41:00.484 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 49101->22 (11:41:00.484 PDT) 128.252.19.19 (11:40:57.664 PDT) event=1:2003068 
{tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 55516->22 (11:40:57.664 PDT) 204.8.155.226 (11:40:26.221 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 49701->22 (11:40:26.221 PDT) 198.133.224.147 (2) (11:41:11.205 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 40211->22 (11:41:11.205 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 40211->22 (11:41:11.205 PDT) 152.3.138.6 (11:36:38.729 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 38159->22 (11:36:38.729 PDT) 128.111.52.59 (11:39:55.287 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 37274->22 (11:39:55.287 PDT) ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 128.223.8.111 (5) (11:38:13.349 PDT-11:44:46.437 PDT) event=777:7777008 (5) {tcp} E8[bh] Detected intense malware port scanning of 35 IPs (23 /24s) (# pkts S/M/O/I=0/35/0/0): 22:35, [] MAC_Src: 00:01:64:FF:CE:EA 5: 0->0 (11:38:13.349 PDT-11:44:46.437 PDT) tcpslice 1368383798.729 1368384286.438 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 05/12/2013 11:45:45.822 PDT Gen. 
Time: 05/12/2013 11:45:45.822 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 128.223.8.111 (11:45:45.822 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 35 IPs (23 /24s) (# pkts S/M/O/I=0/35/0/0): 22:35, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (11:45:45.822 PDT) tcpslice 1368384345.822 1368384345.823 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 05/12/2013 12:00:51.815 PDT Gen. Time: 05/12/2013 12:04:45.196 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) 131.179.150.70 (12:04:45.196 PDT) event=777:7777005 {tcp} E5[bh] Detected moderate malware port scanning of 10 IPs (10 /24s) (# pkts S/M/O/I=0/10/0/0): 22:10, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (12:04:45.196 PDT) OUTBOUND SCAN 128.111.52.58 (12:01:27.768 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 42635->22 (12:01:27.768 PDT) 131.179.150.70 (12:02:13.285 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 36757->22 (12:02:13.285 PDT) 158.130.6.254 (12:01:02.292 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 33226->22 (12:01:02.292 PDT) 128.42.142.45 (12:00:51.815 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 42000->22 
(12:00:51.815 PDT) 192.52.240.214 (2) (12:01:09.918 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 57453->22 (12:01:09.918 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 57453->22 (12:01:09.918 PDT) 204.123.28.56 (12:00:54.345 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 34675->22 (12:00:54.345 PDT) 204.8.155.227 (12:01:18.040 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 57879->22 (12:01:18.040 PDT) 141.212.113.180 (12:01:24.664 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 55757->22 (12:01:24.664 PDT) 152.3.138.6 (12:04:43.941 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 38341->22 (12:04:43.941 PDT) ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368385251.815 1368385251.816 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' ============================== SEPARATOR ================================ Score: 1.6 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 05/12/2013 12:00:51.815 PDT Gen. 
Time: 05/12/2013 12:17:17.519 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) 131.179.150.70 (3) (12:04:45.196 PDT-12:07:54.517 PDT) event=777:7777005 (3) {tcp} E5[bh] Detected moderate malware port scanning of 10 IPs (10 /24s) (# pkts S/M/O/I=0/10/0/0): 22:10, [] MAC_Src: 00:01:64:FF:CE:EA 3: 0->0 (12:04:45.196 PDT-12:07:54.517 PDT) OUTBOUND SCAN 128.111.52.58 (12:01:27.768 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 42635->22 (12:01:27.768 PDT) 128.208.4.197 (12:07:57.564 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 38186->22 (12:07:57.564 PDT) 152.14.93.140 (12:05:30.276 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 51485->22 (12:05:30.276 PDT) 131.179.150.70 (12:02:13.285 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 36757->22 (12:02:13.285 PDT) 155.246.12.164 (2) (12:08:19.292 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 44942->22 (12:08:19.292 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 44942->22 (12:08:19.292 PDT) 158.130.6.254 (12:01:02.292 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 33226->22 (12:01:02.292 PDT) 128.42.142.45 (12:00:51.815 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 42000->22 (12:00:51.815 PDT) 192.52.240.214 (2) (12:01:09.918 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 57453->22 (12:01:09.918 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] 
MAC_Src: 00:01:64:FF:CE:EA 57453->22 (12:01:09.918 PDT) 204.123.28.56 (12:00:54.345 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 34675->22 (12:00:54.345 PDT) 204.8.155.227 (12:01:18.040 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 57879->22 (12:01:18.040 PDT) 192.52.240.213 (12:08:07.089 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 33614->22 (12:08:07.089 PDT) 141.212.113.180 (12:01:24.664 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 55757->22 (12:01:24.664 PDT) 204.8.155.226 (12:08:27.618 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 49883->22 (12:08:27.618 PDT) 128.111.52.59 (12:08:00.238 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 37456->22 (12:08:00.238 PDT) 152.3.138.6 (12:04:43.941 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 38341->22 (12:04:43.941 PDT) ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 128.36.233.153 (4) (12:10:30.572 PDT-12:12:00.740 PDT) event=777:7777008 (4) {tcp} E8[bh] Detected intense malware port scanning of 33 IPs (23 /24s) (# pkts S/M/O/I=0/33/0/0): 22:33, [] MAC_Src: 00:01:64:FF:CE:EA 2: 0->0 (12:10:30.572 PDT-12:12:00.740 PDT) 0->0 (12:13:37.034 PDT) 0->0 (12:15:55.027 PDT) 165.91.55.8 (12:08:59.599 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 21 IPs (16 /24s) (# pkts S/M/O/I=0/21/0/0): 22:21, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (12:08:59.599 PDT) tcpslice 1368385251.815 1368385920.741 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' 
============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 05/12/2013 12:16:59.748 PDT Gen. Time: 05/12/2013 12:16:59.748 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 128.36.233.153 (12:16:59.748 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 35 IPs (23 /24s) (# pkts S/M/O/I=0/35/0/0): 22:35, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (12:16:59.748 PDT) tcpslice 1368386219.748 1368386219.749 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 05/12/2013 12:28:57.002 PDT Gen. 
Time: 05/12/2013 12:32:43.244 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) 128.42.142.44 (12:32:43.244 PDT) event=777:7777005 {tcp} E5[bh] Detected moderate malware port scanning of 10 IPs (9 /24s) (# pkts S/M/O/I=0/10/0/0): 22:10, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (12:32:43.244 PDT) OUTBOUND SCAN 128.111.52.58 (12:29:33.216 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 44361->22 (12:29:33.216 PDT) 204.8.155.227 (12:29:23.347 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 59535->22 (12:29:23.347 PDT) 128.42.142.45 (12:28:57.002 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 43476->22 (12:28:57.002 PDT) 131.179.150.70 (12:30:18.724 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 38485->22 (12:30:18.724 PDT) 204.123.28.56 (12:28:59.836 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 36173->22 (12:28:59.836 PDT) 141.212.113.180 (12:29:30.220 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 57462->22 (12:29:30.220 PDT) 192.52.240.214 (2) (12:29:15.329 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 59055->22 (12:29:15.329 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 59055->22 (12:29:15.329 PDT) 158.130.6.254 (12:29:07.839 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 34780->22 (12:29:07.839 PDT) ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE 
BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368386937.002 1368386937.003 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 05/12/2013 12:32:49.722 PDT Gen. Time: 05/12/2013 12:34:24.356 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) 128.42.142.44 (12:34:24.356 PDT) event=777:7777005 {tcp} E5[bh] Detected moderate malware port scanning of 11 IPs (10 /24s) (# pkts S/M/O/I=0/11/0/0): 22:11, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (12:34:24.356 PDT) OUTBOUND SCAN 152.14.93.140 (12:33:36.228 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 54578->22 (12:33:36.228 PDT) 152.3.138.6 (12:32:49.722 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 41423->22 (12:32:49.722 PDT) ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368387169.722 1368387169.723 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' ============================== SEPARATOR ================================ Score: 1.6 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 05/12/2013 12:32:49.722 PDT Gen. 
Time: 05/12/2013 12:48:08.841 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) 128.42.142.44 (2) (12:34:24.356 PDT) event=777:7777005 (2) {tcp} E5[bh] Detected moderate malware port scanning of 11 IPs (10 /24s) (# pkts S/M/O/I=0/11/0/0): 22:11, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (12:34:24.356 PDT) 0->0 (12:36:00.522 PDT) OUTBOUND SCAN 128.208.4.197 (12:36:03.697 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 42594->22 (12:36:03.697 PDT) 152.14.93.140 (12:33:36.228 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 54578->22 (12:33:36.228 PDT) 155.246.12.164 (2) (12:36:23.236 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 49490->22 (12:36:23.236 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 49490->22 (12:36:23.236 PDT) 165.91.55.8 (12:36:38.855 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 49730->22 (12:36:38.855 PDT) 128.42.142.44 (2) (12:36:54.193 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 49622->22 (12:36:54.193 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 49622->22 (12:36:54.193 PDT) 128.84.154.44 (12:36:48.012 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 48678->22 (12:36:48.012 PDT) 13.7.64.20 (12:37:07.221 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 51611->22 (12:37:07.221 PDT) 192.52.240.213 (12:36:13.166 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 
00:01:64:FF:CE:EA 38092->22 (12:36:13.166 PDT) 204.123.28.55 (12:37:04.535 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 54116->22 (12:37:04.535 PDT) 128.252.19.19 (12:37:01.706 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 60513->22 (12:37:01.706 PDT) 204.8.155.226 (12:36:31.824 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 54492->22 (12:36:31.824 PDT) 198.133.224.147 (2) (12:37:15.124 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 45297->22 (12:37:15.124 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 45297->22 (12:37:15.124 PDT) 152.3.138.6 (12:32:49.722 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 41423->22 (12:32:49.722 PDT) 128.111.52.59 (12:36:06.515 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 41886->22 (12:36:06.515 PDT) ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 128.42.142.44 (5) (12:37:04.840 PDT) event=777:7777008 (5) {tcp} E8[bh] Detected intense malware port scanning of 21 IPs (16 /24s) (# pkts S/M/O/I=0/21/0/0): 22:21, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (12:37:04.840 PDT) 0->0 (12:38:51.236 PDT) 0->0 (12:41:15.758 PDT) 0->0 (12:43:13.252 PDT) 0->0 (12:44:49.494 PDT) tcpslice 1368387169.722 1368387169.723 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. 
List: Resource List: Observed Start: 05/12/2013 13:00:03.532 PDT Gen. Time: 05/12/2013 13:01:12.745 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) 128.111.52.58 (13:01:12.745 PDT) event=777:7777005 {tcp} E5[bh] Detected moderate malware port scanning of 10 IPs (10 /24s) (# pkts S/M/O/I=0/10/0/0): 22:10, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (13:01:12.745 PDT) OUTBOUND SCAN 128.111.52.58 (13:00:42.755 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 57076->22 (13:00:42.755 PDT) 204.8.155.227 (13:00:33.107 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 44027->22 (13:00:33.107 PDT) 128.42.142.45 (13:00:03.532 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 56188->22 (13:00:03.532 PDT) 204.123.28.56 (13:00:06.118 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 48878->22 (13:00:06.118 PDT) 141.212.113.180 (13:00:39.739 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 41945->22 (13:00:39.739 PDT) 192.52.240.214 (2) (13:00:25.159 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 43545->22 (13:00:25.159 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 43545->22 (13:00:25.159 PDT) 158.130.6.254 (13:00:14.266 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 47481->22 (13:00:14.266 PDT) ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368388803.532 1368388803.533 
inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 05/12/2013 13:00:03.532 PDT Gen. Time: 05/12/2013 13:03:52.692 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) 128.111.52.58 (2) (13:01:12.745 PDT-13:03:52.692 PDT) event=777:7777005 (2) {tcp} E5[bh] Detected moderate malware port scanning of 10 IPs (10 /24s) (# pkts S/M/O/I=0/10/0/0): 22:10, [] MAC_Src: 00:01:64:FF:CE:EA 2: 0->0 (13:01:12.745 PDT-13:03:52.692 PDT) OUTBOUND SCAN 128.111.52.58 (13:00:42.755 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 57076->22 (13:00:42.755 PDT) 204.8.155.227 (13:00:33.107 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 44027->22 (13:00:33.107 PDT) 128.42.142.45 (13:00:03.532 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 56188->22 (13:00:03.532 PDT) 131.179.150.70 (13:01:28.420 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 51201->22 (13:01:28.420 PDT) 204.123.28.56 (13:00:06.118 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 48878->22 (13:00:06.118 PDT) 141.212.113.180 (13:00:39.739 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 41945->22 (13:00:39.739 PDT) 192.52.240.214 (2) (13:00:25.159 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 43545->22 (13:00:25.159 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] 
MAC_Src: 00:01:64:FF:CE:EA 43545->22 (13:00:25.159 PDT) 158.130.6.254 (13:00:14.266 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 47481->22 (13:00:14.266 PDT) ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368388803.532 1368389032.693 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 05/12/2013 13:04:00.116 PDT Gen. Time: 05/12/2013 13:05:34.692 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) 128.111.52.58 (13:05:34.692 PDT) event=777:7777005 {tcp} E5[bh] Detected moderate malware port scanning of 12 IPs (12 /24s) (# pkts S/M/O/I=0/12/0/0): 22:12, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (13:05:34.692 PDT) OUTBOUND SCAN 152.14.93.140 (13:04:46.564 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 39002->22 (13:04:46.564 PDT) 152.3.138.6 (13:04:00.116 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 54082->22 (13:04:00.116 PDT) ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368389040.116 1368389040.117 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' ============================== SEPARATOR ================================ Score: 1.6 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. 
List: Resource List: Observed Start: 05/12/2013 13:04:00.116 PDT Gen. Time: 05/12/2013 13:20:05.754 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) 128.111.52.58 (2) (13:05:34.692 PDT-13:07:10.857 PDT) event=777:7777005 (2) {tcp} E5[bh] Detected moderate malware port scanning of 12 IPs (12 /24s) (# pkts S/M/O/I=0/12/0/0): 22:12, [] MAC_Src: 00:01:64:FF:CE:EA 2: 0->0 (13:05:34.692 PDT-13:07:10.857 PDT) OUTBOUND SCAN 128.208.4.197 (13:07:13.898 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 55020->22 (13:07:13.898 PDT) 152.14.93.140 (13:04:46.564 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 39002->22 (13:04:46.564 PDT) 155.246.12.164 (2) (13:07:34.224 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 33566->22 (13:07:34.224 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 33566->22 (13:07:34.224 PDT) 165.91.55.8 (13:07:49.742 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 33711->22 (13:07:49.742 PDT) 128.42.142.44 (2) (13:08:04.154 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 33505->22 (13:08:04.154 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 33505->22 (13:08:04.154 PDT) 128.84.154.44 (13:07:57.877 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 60829->22 (13:07:57.877 PDT) 13.7.64.20 (13:08:17.110 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 35410->22 (13:08:17.110 PDT) 192.52.240.213 (13:07:23.084 PDT) 
event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 50457->22 (13:07:23.084 PDT) 204.123.28.55 (13:08:14.346 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 37928->22 (13:08:14.346 PDT) 128.252.19.19 (13:08:11.569 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 44342->22 (13:08:11.569 PDT) 204.8.155.226 (13:07:42.860 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 38519->22 (13:07:42.860 PDT) 198.133.224.147 (2) (13:08:24.673 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 57300->22 (13:08:24.673 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 57300->22 (13:08:24.673 PDT) 152.3.138.6 (13:04:00.116 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 54082->22 (13:04:00.116 PDT) 128.111.52.59 (13:07:16.451 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 54290->22 (13:07:16.451 PDT) ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 128.111.52.58 (5) (13:08:05.238 PDT-13:14:21.412 PDT) event=777:7777008 (5) {tcp} E8[bh] Detected intense malware port scanning of 34 IPs (23 /24s) (# pkts S/M/O/I=0/34/0/0): 22:34, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (13:15:57.715 PDT) 3: 0->0 (13:09:35.652 PDT-13:14:21.412 PDT) 0->0 (13:08:05.238 PDT) tcpslice 1368389040.116 1368389661.413 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C 
List:
Peer Coord. List:
Resource List:
Observed Start: 05/12/2013 13:22:27.530 PDT
Gen. Time: 05/12/2013 13:22:27.530 PDT
   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION Info
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
   DECLARE BOT Local Threat Triggered
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN
     128.111.52.58 (13:22:27.530 PDT)
       event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 35 IPs (23 /24s) (# pkts S/M/O/I=0/35/0/0): 22:35, [] MAC_Src: 00:01:64:FF:CE:EA
       0->0 (13:22:27.530 PDT)
tcpslice 1368390147.530 1368390147.531 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41'
============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.41
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/12/2013 13:27:02.368 PDT
Gen. Time: 05/12/2013 13:27:02.368 PDT
   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION Info
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
   DECLARE BOT Local Threat Triggered
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN
     128.111.52.58 (13:27:02.368 PDT)
       event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 35 IPs (23 /24s) (# pkts S/M/O/I=0/35/0/0): 22:35, [] MAC_Src: 00:01:64:FF:CE:EA
       0->0 (13:27:02.368 PDT)
tcpslice 1368390422.368 1368390422.369 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41'
============================== SEPARATOR ================================

Score: 1.3 (>= 0.8)
Infected Target: 192.168.1.41
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/12/2013 13:31:17.907 PDT
Gen. Time: 05/12/2013 13:31:40.495 PDT
   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
     128.42.142.45 (13:31:17.907 PDT)
       event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA
       38323->22 (13:31:17.907 PDT)
     204.123.28.56 (13:31:20.680 PDT)
       event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA
       59247->22 (13:31:20.680 PDT)
     192.52.240.214 (2) (13:31:35.876 PDT)
       event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA
       53885->22 (13:31:35.876 PDT)
       -------------------------
       event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA
       53885->22 (13:31:35.876 PDT)
     158.130.6.254 (13:31:28.404 PDT)
       event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA
       57847->22 (13:31:28.404 PDT)
   ATTACK PREP
   PEER COORDINATION Info
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
   DECLARE BOT Local Threat Triggered
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN
     128.111.52.58 (13:31:40.495 PDT)
       event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 35 IPs (23 /24s) (# pkts S/M/O/I=0/35/0/0): 22:35, [] MAC_Src: 00:01:64:FF:CE:EA
       0->0 (13:31:40.495 PDT)
tcpslice 1368390677.907 1368390677.908 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41'
============================== SEPARATOR ================================

Score: 1.3 (>= 0.8)
Infected Target: 192.168.1.41
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/12/2013 13:31:17.907 PDT
Gen. Time: 05/12/2013 13:51:02.155 PDT
   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
     128.111.52.58 (13:31:53.379 PDT)
       event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA
       39182->22 (13:31:53.379 PDT)
     128.208.4.197 (13:38:23.464 PDT)
       event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA
       37227->22 (13:38:23.464 PDT)
     152.14.93.140 (13:35:56.068 PDT)
       event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA
       49302->22 (13:35:56.068 PDT)
     131.179.150.70 (13:32:38.884 PDT)
       event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA
       33306->22 (13:32:38.884 PDT)
     155.246.12.164 (2) (13:38:43.224 PDT)
       event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA
       44109->22 (13:38:43.224 PDT)
       -------------------------
       event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA
       44109->22 (13:38:43.224 PDT)
     158.130.6.254 (13:31:28.404 PDT)
       event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA
       57847->22 (13:31:28.404 PDT)
     128.42.142.45 (13:31:17.907 PDT)
       event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA
       38323->22 (13:31:17.907 PDT)
     192.52.240.214 (2) (13:31:35.876 PDT)
       event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA
       53885->22 (13:31:35.876 PDT)
       -------------------------
       event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA
       53885->22 (13:31:35.876 PDT)
     204.123.28.56 (13:31:20.680 PDT)
       event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA
       59247->22 (13:31:20.680 PDT)
     204.8.155.227 (13:31:43.793 PDT)
       event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA
       54364->22 (13:31:43.793 PDT)
     192.52.240.213 (13:38:33.072 PDT)
       event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA
       60947->22 (13:38:33.072 PDT)
     141.212.113.180 (13:31:50.414 PDT)
       event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA
       52284->22 (13:31:50.414 PDT)
     204.8.155.226 (13:38:51.712 PDT)
       event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA
       49100->22 (13:38:51.712 PDT)
     128.111.52.59 (13:38:26.158 PDT)
       event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA
       36513->22 (13:38:26.158 PDT)
     152.3.138.6 (13:35:09.672 PDT)
       event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA
       36149->22 (13:35:09.672 PDT)
   ATTACK PREP
   PEER COORDINATION Info
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
   DECLARE BOT Local Threat Triggered
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN
     128.111.52.58 (10) (13:31:40.495 PDT-13:47:08.308 PDT)
       event=777:7777008 (10) {tcp} E8[bh] Detected intense malware port scanning of 35 IPs (23 /24s) (# pkts S/M/O/I=0/35/0/0): 22:35, [] MAC_Src: 00:01:64:FF:CE:EA
       10: 0->0 (13:31:40.495 PDT-13:47:08.308 PDT)
tcpslice 1368390677.907 1368391628.309 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41'
============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.41
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/12/2013 13:53:26.479 PDT
Gen. Time: 05/12/2013 13:53:26.479 PDT
   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION Info
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
   DECLARE BOT Local Threat Triggered
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN
     128.111.52.58 (13:53:26.479 PDT)
       event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 35 IPs (23 /24s) (# pkts S/M/O/I=0/35/0/0): 22:35, [] MAC_Src: 00:01:64:FF:CE:EA
       0->0 (13:53:26.479 PDT)
tcpslice 1368392006.479 1368392006.480 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41'
============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.41
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/12/2013 14:02:16.660 PDT
Gen. Time: 05/12/2013 14:02:16.660 PDT
   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION Info
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
   DECLARE BOT Local Threat Triggered
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN
     128.111.52.58 (14:02:16.660 PDT)
       event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 35 IPs (23 /24s) (# pkts S/M/O/I=0/35/0/0): 22:35, [] MAC_Src: 00:01:64:FF:CE:EA
       0->0 (14:02:16.660 PDT)
tcpslice 1368392536.660 1368392536.661 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41'
============================== SEPARATOR ================================

Score: 1.3 (>= 0.8)
Infected Target: 192.168.1.41
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/12/2013 14:02:16.660 PDT
Gen. Time: 05/12/2013 14:17:32.116 PDT
   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
     128.111.52.58 (14:02:58.379 PDT)
       event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA
       51240->22 (14:02:58.379 PDT)
     128.208.4.197 (14:09:28.836 PDT)
       event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA
       47704->22 (14:09:28.836 PDT)
     152.14.93.140 (14:07:01.220 PDT)
       event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA
       32770->22 (14:07:01.220 PDT)
     131.179.150.70 (14:03:43.912 PDT)
       event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA
       45364->22 (14:03:43.912 PDT)
     155.246.12.164 (2) (14:09:48.719 PDT)
       event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA
       54460->22 (14:09:48.719 PDT)
       -------------------------
       event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA
       54460->22 (14:09:48.719 PDT)
     158.130.6.254 (14:02:33.150 PDT)
       event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA
       41677->22 (14:02:33.150 PDT)
     128.42.142.45 (14:02:22.870 PDT)
       event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA
       50381->22 (14:02:22.870 PDT)
     192.52.240.214 (2) (14:02:40.658 PDT)
       event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA
       37714->22 (14:02:40.658 PDT)
       -------------------------
       event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA
       37714->22 (14:02:40.658 PDT)
     204.123.28.56 (14:02:25.508 PDT)
       event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA
       43074->22 (14:02:25.508 PDT)
     204.8.155.227 (14:02:48.587 PDT)
       event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA
       38190->22 (14:02:48.587 PDT)
     192.52.240.213 (14:09:38.235 PDT)
       event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA
       43132->22 (14:09:38.235 PDT)
     141.212.113.180 (14:02:55.337 PDT)
       event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA
       36109->22 (14:02:55.337 PDT)
     204.8.155.226 (14:09:57.162 PDT)
       event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA
       59401->22 (14:09:57.162 PDT)
     128.111.52.59 (14:09:31.632 PDT)
       event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA
       46974->22 (14:09:31.632 PDT)
     152.3.138.6 (14:06:14.790 PDT)
       event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA
       47859->22 (14:06:14.790 PDT)
   ATTACK PREP
   PEER COORDINATION Info
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
   DECLARE BOT Local Threat Triggered
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN
     128.111.52.58 (9) (14:02:16.660 PDT-14:14:44.970 PDT)
       event=777:7777008 (9) {tcp} E8[bh] Detected intense malware port scanning of 36 IPs (24 /24s) (# pkts S/M/O/I=0/35/1/0): 22:35, [] MAC_Src: 00:01:64:FF:CE:EA
       0->0 (14:16:44.388 PDT)
       8: 0->0 (14:02:16.660 PDT-14:14:44.970 PDT)
tcpslice 1368392536.660 1368393284.971 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41'
============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.41
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/12/2013 14:18:20.678 PDT
Gen. Time: 05/12/2013 14:18:20.678 PDT
   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION Info
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
   DECLARE BOT Local Threat Triggered
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN
     128.111.52.58 (14:18:20.678 PDT)
       event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 36 IPs (24 /24s) (# pkts S/M/O/I=0/35/1/0): 22:35, [] MAC_Src: 00:01:64:FF:CE:EA
       0->0 (14:18:20.678 PDT)
tcpslice 1368393500.678 1368393500.679 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41'
============================== SEPARATOR ================================

Score: 1.3 (>= 0.8)
Infected Target: 192.168.1.41
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/12/2013 14:18:20.678 PDT
Gen. Time: 05/12/2013 14:21:49.799 PDT
   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
     128.208.4.198 (14:18:23.939 PDT)
       event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA
       47910->22 (14:18:23.939 PDT)
   ATTACK PREP
   PEER COORDINATION Info
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
   DECLARE BOT Local Threat Triggered
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN
     128.111.52.58 (2) (14:18:20.678 PDT-14:21:08.022 PDT)
       event=777:7777008 (2) {tcp} E8[bh] Detected intense malware port scanning of 36 IPs (24 /24s) (# pkts S/M/O/I=0/35/1/0): 22:35, [] MAC_Src: 00:01:64:FF:CE:EA
       2: 0->0 (14:18:20.678 PDT-14:21:08.022 PDT)
tcpslice 1368393500.678 1368393668.023 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41'
============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.41
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/12/2013 14:24:40.695 PDT
Gen. Time: 05/12/2013 14:24:40.695 PDT
   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION Info
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
   DECLARE BOT Local Threat Triggered
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN
     128.111.52.58 (14:24:40.695 PDT)
       event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 36 IPs (24 /24s) (# pkts S/M/O/I=0/35/1/0): 22:35, [] MAC_Src: 00:01:64:FF:CE:EA
       0->0 (14:24:40.695 PDT)
tcpslice 1368393880.695 1368393880.696 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41'
============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.41
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/12/2013 14:36:54.625 PDT
Gen. Time: 05/12/2013 14:43:03.246 PDT
   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
     128.42.142.45 (14:43:03.246 PDT)
       event=777:7777005 {tcp} E5[bh] Detected moderate malware port scanning of 10 IPs (10 /24s) (# pkts S/M/O/I=0/10/0/0): 22:10, [] MAC_Src: 00:01:64:FF:CE:EA
       0->0 (14:43:03.246 PDT)
   OUTBOUND SCAN
     128.111.52.58 (14:39:53.398 PDT)
       event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA
       52592->22 (14:39:53.398 PDT)
     204.8.155.227 (2) (14:39:43.540 PDT)
       event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA
       39603->22 (14:39:43.540 PDT)
       -------------------------
       event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA
       39603->22 (14:39:43.540 PDT)
     128.42.142.45 (14:36:54.625 PDT)
       event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA
       51957->22 (14:36:54.625 PDT)
     131.179.150.70 (14:40:38.944 PDT)
       event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA
       46714->22 (14:40:38.944 PDT)
     204.123.28.56 (14:39:20.235 PDT)
       event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA
       44632->22 (14:39:20.235 PDT)
     141.212.113.180 (14:39:50.217 PDT)
       event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA
       37481->22 (14:39:50.217 PDT)
     192.52.240.214 (14:39:35.637 PDT)
       event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA
       39177->22 (14:39:35.637 PDT)
     158.130.6.254 (14:39:27.985 PDT)
       event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA
       43183->22 (14:39:27.985 PDT)
   ATTACK PREP
   PEER COORDINATION Info
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
   DECLARE BOT Local Threat Triggered
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1368394614.625 1368394614.626 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41'
============================== SEPARATOR ================================

Score: 1.6 (>= 0.8)
Infected Target: 192.168.1.41
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/12/2013 14:36:54.625 PDT
Gen. Time: 05/12/2013 14:51:17.561 PDT
   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
     128.42.142.45 (3) (14:43:03.246 PDT-14:46:20.559 PDT)
       event=777:7777005 (3) {tcp} E5[bh] Detected moderate malware port scanning of 10 IPs (10 /24s) (# pkts S/M/O/I=0/10/0/0): 22:10, [] MAC_Src: 00:01:64:FF:CE:EA
       3: 0->0 (14:43:03.246 PDT-14:46:20.559 PDT)
   OUTBOUND SCAN
     128.111.52.58 (14:39:53.398 PDT)
       event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA
       52592->22 (14:39:53.398 PDT)
     128.208.4.197 (14:46:23.681 PDT)
       event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA
       48143->22 (14:46:23.681 PDT)
     152.14.93.140 (14:43:56.128 PDT)
       event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA
       33209->22 (14:43:56.128 PDT)
     131.179.150.70 (14:40:38.944 PDT)
       event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA
       46714->22 (14:40:38.944 PDT)
     155.246.12.164 (2) (14:46:43.424 PDT)
       event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA
       54899->22 (14:46:43.424 PDT)
       -------------------------
       event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA
       54899->22 (14:46:43.424 PDT)
     158.130.6.254 (14:39:27.985 PDT)
       event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA
       43183->22 (14:39:27.985 PDT)
     128.42.142.45 (14:36:54.625 PDT)
       event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA
       51957->22 (14:36:54.625 PDT)
     192.52.240.214 (14:39:35.637 PDT)
       event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA
       39177->22 (14:39:35.637 PDT)
     204.123.28.56 (14:39:20.235 PDT)
       event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA
       44632->22 (14:39:20.235 PDT)
     204.8.155.227 (2) (14:39:43.540 PDT)
       event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA
       39603->22 (14:39:43.540 PDT)
       -------------------------
       event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA
       39603->22 (14:39:43.540 PDT)
     192.52.240.213 (14:46:33.224 PDT)
       event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA
       43571->22 (14:46:33.224 PDT)
     141.212.113.180 (14:39:50.217 PDT)
       event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA
       37481->22 (14:39:50.217 PDT)
     204.8.155.226 (14:46:52.241 PDT)
       event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA
       59840->22 (14:46:52.241 PDT)
     128.111.52.59 (14:46:26.481 PDT)
       event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA
       47413->22 (14:46:26.481 PDT)
     152.3.138.6 (14:43:09.705 PDT)
       event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA
       48298->22 (14:43:09.705 PDT)
   ATTACK PREP
   PEER COORDINATION Info
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
   DECLARE BOT Local Threat Triggered
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN
     204.123.28.55 (2) (14:47:23.519 PDT)
       event=777:7777008 (2) {tcp} E8[bh] Detected intense malware port scanning of 21 IPs (16 /24s) (# pkts S/M/O/I=0/21/0/0): 22:21, [] MAC_Src: 00:01:64:FF:CE:EA
       0->0 (14:47:23.519 PDT)
       0->0 (14:48:55.419 PDT)
tcpslice 1368394614.625 1368395180.560 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41'
============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.41
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/12/2013 14:51:34.210 PDT
Gen. Time: 05/12/2013 14:51:34.210 PDT
   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION Info
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
   DECLARE BOT Local Threat Triggered
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN
     204.123.28.55 (14:51:34.210 PDT)
       event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 30 IPs (21 /24s) (# pkts S/M/O/I=0/30/0/0): 22:30, [] MAC_Src: 00:01:64:FF:CE:EA
       0->0 (14:51:34.210 PDT)
tcpslice 1368395494.210 1368395494.211 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41'
============================== SEPARATOR ================================

Score: 1.3 (>= 0.8)
Infected Target: 192.168.1.41
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/12/2013 14:51:34.210 PDT
Gen. Time: 05/12/2013 14:58:56.272 PDT
   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
     128.36.233.153 (14:51:40.509 PDT)
       event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA
       50942->22 (14:51:40.509 PDT)
     128.208.4.198 (14:55:11.758 PDT)
       event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA
       48348->22 (14:55:11.758 PDT)
     128.84.154.45 (14:51:48.599 PDT)
       event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA
       36614->22 (14:51:48.599 PDT)
     139.78.141.243 (14:52:43.679 PDT)
       event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA
       49579->22 (14:52:43.679 PDT)
     128.223.8.111 (14:55:16.019 PDT)
       event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA
       49798->22 (14:55:16.019 PDT)
     128.8.126.111 (14:51:57.168 PDT)
       event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA
       39863->22 (14:51:57.168 PDT)
   ATTACK PREP
   PEER COORDINATION Info
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
   DECLARE BOT Local Threat Triggered
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN
     204.123.28.55 (4) (14:51:34.210 PDT)
       event=777:7777008 (4) {tcp} E8[bh] Detected intense malware port scanning of 30 IPs (21 /24s) (# pkts S/M/O/I=0/30/0/0): 22:30, [] MAC_Src: 00:01:64:FF:CE:EA
       0->0 (14:51:34.210 PDT)
       0->0 (14:53:31.743 PDT)
       0->0 (14:55:07.917 PDT)
       0->0 (14:57:56.991 PDT)
tcpslice 1368395494.210 1368395494.211 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41'
============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.41
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/12/2013 15:00:03.515 PDT
Gen. Time: 05/12/2013 15:00:03.515 PDT
   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION Info
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
   DECLARE BOT Local Threat Triggered
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN
     204.123.28.55 (15:00:03.515 PDT)
       event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 35 IPs (23 /24s) (# pkts S/M/O/I=0/35/0/0): 22:35, [] MAC_Src: 00:01:64:FF:CE:EA
       0->0 (15:00:03.515 PDT)
tcpslice 1368396003.515 1368396003.516 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41'
============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.41
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/12/2013 15:01:55.678 PDT
Gen. Time: 05/12/2013 15:01:55.678 PDT
   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION Info
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
   DECLARE BOT Local Threat Triggered
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN
     204.123.28.55 (15:01:55.678 PDT)
       event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 35 IPs (23 /24s) (# pkts S/M/O/I=0/35/0/0): 22:35, [] MAC_Src: 00:01:64:FF:CE:EA
       0->0 (15:01:55.678 PDT)
tcpslice 1368396115.678 1368396115.679 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41'
============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.41
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/12/2013 15:05:48.523 PDT
Gen. Time: 05/12/2013 15:05:48.523 PDT
   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION Info
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
   DECLARE BOT Local Threat Triggered
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN
     204.123.28.55 (15:05:48.523 PDT)
       event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 35 IPs (23 /24s) (# pkts S/M/O/I=0/35/0/0): 22:35, [] MAC_Src: 00:01:64:FF:CE:EA
       0->0 (15:05:48.523 PDT)
tcpslice 1368396348.523 1368396348.524 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41'
============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.41
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/12/2013 15:10:16.994 PDT
Gen. Time: 05/12/2013 15:10:16.994 PDT
   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION Info
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
   DECLARE BOT Local Threat Triggered
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN
     204.123.28.55 (15:10:16.994 PDT)
       event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 35 IPs (23 /24s) (# pkts S/M/O/I=0/35/0/0): 22:35, [] MAC_Src: 00:01:64:FF:CE:EA
       0->0 (15:10:16.994 PDT)
tcpslice 1368396616.994 1368396616.995 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41'
============================== SEPARATOR ================================

Score: 1.3 (>= 0.8)
Infected Target: 192.168.1.41
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/12/2013 15:10:16.994 PDT
Gen. Time: 05/12/2013 15:25:35.599 PDT
   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
     128.111.52.58 (15:14:21.799 PDT)
       event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA
       52744->22 (15:14:21.799 PDT)
     128.208.4.197 (15:20:53.582 PDT)
       event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA
       48298->22 (15:20:53.582 PDT)
     152.14.93.140 (15:18:26.207 PDT)
       event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA
       33364->22 (15:18:26.207 PDT)
     131.179.150.70 (15:14:26.758 PDT)
       event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA
       46869->22 (15:14:26.758 PDT)
     155.246.12.164 (2) (15:21:12.817 PDT)
       event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA
       55054->22 (15:21:12.817 PDT)
       -------------------------
       event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA
       55054->22 (15:21:12.817 PDT)
     158.130.6.254 (15:13:51.544 PDT)
       event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA
       43335->22 (15:13:51.544 PDT)
     128.42.142.45 (15:11:02.110 PDT)
       event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA
       52112->22 (15:11:02.110 PDT)
     192.52.240.214 (15:14:00.357 PDT)
       event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA
       39329->22 (15:14:00.357 PDT)
     204.123.28.56 (15:13:27.722 PDT)
       event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA
       44787->22 (15:13:27.722 PDT)
     204.8.155.227 (2) (15:14:08.349 PDT)
       event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA
       39755->22 (15:14:08.349 PDT)
       -------------------------
       event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA
       39755->22 (15:14:08.349 PDT)
     192.52.240.213 (15:21:02.886 PDT)
       event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA
       43726->22 (15:21:02.886 PDT)
     141.212.113.180 (15:14:16.152 PDT)
       event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA
       37633->22 (15:14:16.152 PDT)
     204.8.155.226 (15:21:22.458 PDT)
       event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA
       59995->22 (15:21:22.458 PDT)
     128.111.52.59 (15:20:56.237 PDT)
       event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA
       47568->22 (15:20:56.237 PDT)
     152.3.138.6 (15:17:39.807 PDT)
       event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA
       48453->22 (15:17:39.807 PDT)
   ATTACK PREP
   PEER COORDINATION Info
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
   DECLARE BOT Local Threat Triggered
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN
     204.123.28.55 (9) (15:10:16.994 PDT-15:24:34.399 PDT)
       event=777:7777008 (9) {tcp} E8[bh] Detected intense malware port scanning of 35 IPs (23 /24s) (# pkts S/M/O/I=0/35/0/0): 22:35, [] MAC_Src: 00:01:64:FF:CE:EA
       9: 0->0 (15:10:16.994 PDT-15:24:34.399 PDT)
tcpslice 1368396616.994 1368397474.400 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41'
============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.41
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/12/2013 15:26:10.664 PDT
Gen. Time: 05/12/2013 15:26:10.664 PDT
   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION Info
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
   DECLARE BOT Local Threat Triggered
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN
     204.123.28.55 (15:26:10.664 PDT)
       event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 35 IPs (23 /24s) (# pkts S/M/O/I=0/35/0/0): 22:35, [] MAC_Src: 00:01:64:FF:CE:EA
       0->0 (15:26:10.664 PDT)
tcpslice 1368397570.664 1368397570.665 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41'
============================== SEPARATOR ================================

Score: 1.3 (>= 0.8)
Infected Target: 192.168.1.41
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/12/2013 15:26:10.664 PDT
Gen. Time: 05/12/2013 15:33:44.636 PDT
   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
     128.36.233.153 (15:26:16.996 PDT)
       event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA
       51097->22 (15:26:16.996 PDT)
     128.208.4.198 (15:29:50.258 PDT)
       event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA
       48503->22 (15:29:50.258 PDT)
     128.84.154.45 (15:26:25.508 PDT)
       event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA
       36769->22 (15:26:25.508 PDT)
     139.78.141.243 (15:27:22.527 PDT)
       event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA
       49734->22 (15:27:22.527 PDT)
     128.8.126.111 (15:26:35.955 PDT)
       event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA
       40018->22 (15:26:35.955 PDT)
   ATTACK PREP
   PEER COORDINATION Info
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
   DECLARE BOT Local Threat Triggered
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN
     204.123.28.55 (4) (15:26:10.664 PDT-15:31:25.151 PDT)
       event=777:7777008 (4) {tcp} E8[bh] Detected intense malware port scanning of 35 IPs (23 /24s) (# pkts S/M/O/I=0/35/0/0): 22:35, [] MAC_Src: 00:01:64:FF:CE:EA
       4: 0->0 (15:26:10.664 PDT-15:31:25.151 PDT)
tcpslice 1368397570.664 1368397885.152 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41'
============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.41
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/12/2013 15:32:39.801 PDT
Gen. Time: 05/12/2013 15:32:39.801 PDT
   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION Info
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
   DECLARE BOT Local Threat Triggered
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN
     204.123.28.55 (15:32:39.801 PDT)
       event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 35 IPs (23 /24s) (# pkts S/M/O/I=0/35/0/0): 22:35, [] MAC_Src: 00:01:64:FF:CE:EA
       0->0 (15:32:39.801 PDT)
tcpslice 1368397959.801 1368397959.802 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41'
============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.41
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/12/2013 15:48:25.056 PDT
Gen. Time: 05/12/2013 15:54:34.088 PDT
   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
     152.3.138.6 (15:54:34.088 PDT)
       event=777:7777005 {tcp} E5[bh] Detected moderate malware port scanning of 10 IPs (9 /24s) (# pkts S/M/O/I=0/10/0/0): 22:10, [] MAC_Src: 00:01:64:FF:CE:EA
       0->0 (15:54:34.088 PDT)
   OUTBOUND SCAN
     128.111.52.58 (15:51:24.135 PDT)
       event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA
       52902->22 (15:51:24.135 PDT)
     204.8.155.227 (2) (15:51:14.483 PDT)
       event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA
       39913->22 (15:51:14.483 PDT)
       -------------------------
       event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA
       39913->22 (15:51:14.483 PDT)
     128.42.142.45 (15:48:25.056 PDT)
       event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA
       52267->22 (15:48:25.056 PDT)
     131.179.150.70 (15:52:09.632 PDT)
       event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA
       47024->22 (15:52:09.632 PDT)
     204.123.28.56 (15:50:50.817 PDT)
       event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA
       44942->22 (15:50:50.817 PDT)
     141.212.113.180 (15:51:21.049 PDT)
       event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA
       37791->22 (15:51:21.049 PDT)
     192.52.240.214 (15:51:06.557 PDT)
       event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA
       39487->22 (15:51:06.557 PDT)
     158.130.6.254 (15:50:59.097 PDT)
       event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA
       43493->22 (15:50:59.097 PDT)
   ATTACK PREP
   PEER COORDINATION Info
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
   DECLARE BOT Local Threat Triggered
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1368398905.056 1368398905.057 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41'
============================== SEPARATOR ================================

Score: 1.6 (>= 0.8)
Infected Target: 192.168.1.41
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/12/2013 15:48:25.056 PDT
Gen. Time: 05/12/2013 16:06:15.368 PDT
   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
     152.3.138.6 (3) (15:54:34.088 PDT)
       event=777:7777005 (3) {tcp} E5[bh] Detected moderate malware port scanning of 10 IPs (9 /24s) (# pkts S/M/O/I=0/10/0/0): 22:10, [] MAC_Src: 00:01:64:FF:CE:EA
       0->0 (15:54:34.088 PDT)
       0->0 (15:56:15.200 PDT)
       0->0 (15:57:51.376 PDT)
   OUTBOUND SCAN
     128.111.52.58 (15:51:24.135 PDT)
       event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA
       52902->22 (15:51:24.135 PDT)
     128.208.4.197 (15:57:54.658 PDT)
       event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA
       48453->22 (15:57:54.658 PDT)
     152.14.93.140 (15:55:27.136 PDT)
       event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA
       33519->22 (15:55:27.136 PDT)
     131.179.150.70 (15:52:09.632 PDT)
       event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA
       47024->22 (15:52:09.632 PDT)
     155.246.12.164 (2) (15:58:14.742 PDT)
       event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA
       55209->22 (15:58:14.742 PDT)
       -------------------------
       event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA
       55209->22 (15:58:14.742 PDT)
     158.130.6.254 (15:50:59.097 PDT)
       event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA
       43493->22 (15:50:59.097 PDT)
     128.42.142.45
(15:48:25.056 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 52267->22 (15:48:25.056 PDT) 192.52.240.214 (15:51:06.557 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 39487->22 (15:51:06.557 PDT) 204.123.28.56 (15:50:50.817 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 44942->22 (15:50:50.817 PDT) 204.8.155.227 (2) (15:51:14.483 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 39913->22 (15:51:14.483 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 39913->22 (15:51:14.483 PDT) 192.52.240.213 (15:58:04.282 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 43881->22 (15:58:04.282 PDT) 141.212.113.180 (15:51:21.049 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 37791->22 (15:51:21.049 PDT) 204.8.155.226 (15:58:23.237 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 60150->22 (15:58:23.237 PDT) 128.111.52.59 (15:57:57.445 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 47723->22 (15:57:57.445 PDT) 152.3.138.6 (15:54:40.596 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 48608->22 (15:54:40.596 PDT) ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 152.3.138.6 (4) (15:58:55.830 PDT) event=777:7777008 (4) {tcp} E8[bh] Detected intense malware port scanning of 21 IPs (16 /24s) (# pkts S/M/O/I=0/21/0/0): 22:21, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (15:58:55.830 PDT) 0->0 (16:00:40.864 
PDT) 0->0 (16:03:05.322 PDT) 0->0 (16:05:03.968 PDT) tcpslice 1368398905.056 1368398905.057 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 05/12/2013 16:06:40.271 PDT Gen. Time: 05/12/2013 16:06:40.271 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 152.3.138.6 (16:06:40.271 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 34 IPs (23 /24s) (# pkts S/M/O/I=0/34/0/0): 22:34, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (16:06:40.271 PDT) tcpslice 1368400000.271 1368400000.272 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' ============================== SEPARATOR ================================ Score: 1.3 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 05/12/2013 16:06:40.271 PDT Gen. 
Time: 05/12/2013 16:09:24.850 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN 128.208.4.198 (16:06:43.678 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 48658->22 (16:06:43.678 PDT) 128.223.8.111 (16:06:49.740 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 50108->22 (16:06:49.740 PDT) ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 152.3.138.6 (16:06:40.271 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 34 IPs (23 /24s) (# pkts S/M/O/I=0/34/0/0): 22:34, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (16:06:40.271 PDT) tcpslice 1368400000.271 1368400000.272 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 05/12/2013 16:22:35.744 PDT Gen. 
Time: 05/12/2013 16:28:48.590 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) 158.130.6.254 (16:28:48.590 PDT) event=777:7777005 {tcp} E5[bh] Detected moderate malware port scanning of 10 IPs (9 /24s) (# pkts S/M/O/I=0/10/0/0): 22:10, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (16:28:48.590 PDT) OUTBOUND SCAN 128.111.52.58 (16:25:36.454 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 53057->22 (16:25:36.454 PDT) 204.8.155.227 (2) (16:25:26.668 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 40068->22 (16:25:26.668 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 40068->22 (16:25:26.668 PDT) 128.42.142.45 (16:22:35.744 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 52422->22 (16:22:35.744 PDT) 131.179.150.70 (16:26:21.984 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 47179->22 (16:26:21.984 PDT) 204.123.28.56 (16:25:01.442 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 45097->22 (16:25:01.442 PDT) 141.212.113.180 (16:25:33.387 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 37946->22 (16:25:33.387 PDT) 192.52.240.214 (16:25:18.359 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 39642->22 (16:25:18.359 PDT) 158.130.6.254 (16:25:10.095 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 43648->22 (16:25:10.095 PDT) ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE 
BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368400955.744 1368400955.745 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' ============================== SEPARATOR ================================ Score: 1.6 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 05/12/2013 16:22:35.744 PDT Gen. Time: 05/12/2013 16:45:26.405 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) 152.14.93.140 (2) (16:30:29.985 PDT) event=777:7777005 (2) {tcp} E5[bh] Detected moderate malware port scanning of 11 IPs (10 /24s) (# pkts S/M/O/I=0/11/0/0): 22:11, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (16:30:29.985 PDT) 0->0 (16:32:06.279 PDT) 158.130.6.254 (16:28:48.590 PDT) event=777:7777005 {tcp} E5[bh] Detected moderate malware port scanning of 10 IPs (9 /24s) (# pkts S/M/O/I=0/10/0/0): 22:10, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (16:28:48.590 PDT) OUTBOUND SCAN 128.111.52.58 (16:25:36.454 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 53057->22 (16:25:36.454 PDT) 128.208.4.197 (16:32:09.348 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 48608->22 (16:32:09.348 PDT) 152.14.93.140 (16:29:41.856 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 33674->22 (16:29:41.856 PDT) 131.179.150.70 (16:26:21.984 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 47179->22 (16:26:21.984 PDT) 155.246.12.164 (2) (16:32:30.441 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 55364->22 (16:32:30.441 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 55364->22 
(16:32:30.441 PDT) 158.130.6.254 (16:25:10.095 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 43648->22 (16:25:10.095 PDT) 128.42.142.45 (16:22:35.744 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 52422->22 (16:22:35.744 PDT) 192.52.240.214 (16:25:18.359 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 39642->22 (16:25:18.359 PDT) 204.123.28.56 (16:25:01.442 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 45097->22 (16:25:01.442 PDT) 204.8.155.227 (2) (16:25:26.668 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 40068->22 (16:25:26.668 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 40068->22 (16:25:26.668 PDT) 192.52.240.213 (16:32:19.128 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 44036->22 (16:32:19.128 PDT) 141.212.113.180 (16:25:33.387 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 37946->22 (16:25:33.387 PDT) 204.8.155.226 (16:32:40.472 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 60305->22 (16:32:40.472 PDT) 128.111.52.59 (16:32:12.484 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 47878->22 (16:32:12.484 PDT) 152.3.138.6 (16:28:55.430 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 48763->22 (16:28:55.430 PDT) ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 152.14.93.140 (6) (16:33:19.661 
PDT-16:40:55.905 PDT) event=777:7777008 (6) {tcp} E8[bh] Detected intense malware port scanning of 35 IPs (23 /24s) (# pkts S/M/O/I=0/35/0/0): 22:35, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (16:43:26.433 PDT) 0->0 (16:33:19.661 PDT) 2: 0->0 (16:35:06.401 PDT-16:37:10.113 PDT) 2: 0->0 (16:38:44.513 PDT-16:40:55.905 PDT) tcpslice 1368400955.744 1368402055.906 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 05/12/2013 16:48:55.476 PDT Gen. Time: 05/12/2013 16:48:55.476 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 152.14.93.140 (16:48:55.476 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 35 IPs (23 /24s) (# pkts S/M/O/I=0/35/0/0): 22:35, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (16:48:55.476 PDT) tcpslice 1368402535.476 1368402535.477 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 05/12/2013 16:56:16.995 PDT Gen. 
Time: 05/12/2013 16:56:16.995 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 152.14.93.140 (16:56:16.995 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 35 IPs (23 /24s) (# pkts S/M/O/I=0/35/0/0): 22:35, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (16:56:16.995 PDT) tcpslice 1368402976.995 1368402976.996 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' ============================== SEPARATOR ================================ Score: 1.3 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 05/12/2013 16:56:16.995 PDT Gen. Time: 05/12/2013 17:03:03.527 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN 128.111.52.58 (17:00:01.865 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 53212->22 (17:00:01.865 PDT) 204.8.155.227 (2) (16:59:51.896 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 40223->22 (16:59:51.896 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 40223->22 (16:59:51.896 PDT) 128.42.142.45 (16:57:02.114 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 52577->22 (16:57:02.114 PDT) 131.179.150.70 (17:00:47.394 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 47334->22 (17:00:47.394 PDT) 204.123.28.56 (16:59:28.488 PDT) 
event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 45252->22 (16:59:28.488 PDT) 141.212.113.180 (16:59:58.782 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 38101->22 (16:59:58.782 PDT) 192.52.240.214 (16:59:43.978 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 39797->22 (16:59:43.978 PDT) 158.130.6.254 (16:59:36.333 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 43803->22 (16:59:36.333 PDT) ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 152.14.93.140 (4) (16:56:16.995 PDT-17:00:59.106 PDT) event=777:7777008 (4) {tcp} E8[bh] Detected intense malware port scanning of 35 IPs (23 /24s) (# pkts S/M/O/I=0/35/0/0): 22:35, [] MAC_Src: 00:01:64:FF:CE:EA 4: 0->0 (16:56:16.995 PDT-17:00:59.106 PDT) tcpslice 1368402976.995 1368403259.107 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 05/12/2013 17:03:11.730 PDT Gen. 
Time: 05/12/2013 17:03:11.730 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 152.14.93.140 (17:03:11.730 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 35 IPs (23 /24s) (# pkts S/M/O/I=0/35/0/0): 22:35, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (17:03:11.730 PDT) tcpslice 1368403391.730 1368403391.731 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' ============================== SEPARATOR ================================ Score: 1.3 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 05/12/2013 17:03:11.730 PDT Gen. Time: 05/12/2013 17:18:15.567 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN 128.208.4.197 (17:06:32.148 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 48763->22 (17:06:32.148 PDT) 152.14.93.140 (17:04:04.770 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 33829->22 (17:04:04.770 PDT) 155.246.12.164 (2) (17:06:55.966 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 55519->22 (17:06:55.966 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 55519->22 (17:06:55.966 PDT) 165.91.55.8 (17:07:16.764 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 55651->22 (17:07:16.764 PDT) 128.42.142.44 (2) (17:07:31.793 
PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 55439->22 (17:07:31.793 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 55439->22 (17:07:31.793 PDT) 128.84.154.44 (17:07:25.231 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 54535->22 (17:07:25.231 PDT) 13.7.64.20 (17:07:47.844 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 57335->22 (17:07:47.844 PDT) 192.52.240.213 (17:06:41.750 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 44191->22 (17:06:41.750 PDT) 204.123.28.55 (17:07:45.221 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 59860->22 (17:07:45.221 PDT) 128.252.19.19 (17:07:42.149 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 38042->22 (17:07:42.149 PDT) 204.8.155.226 (17:07:09.513 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 60460->22 (17:07:09.513 PDT) 198.133.224.147 (2) (17:07:55.817 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 50970->22 (17:07:55.817 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 50970->22 (17:07:55.817 PDT) 152.3.138.6 (17:03:18.256 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 48918->22 (17:03:18.256 PDT) 128.111.52.59 (17:06:34.804 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 48033->22 (17:06:34.804 PDT) ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local 
Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 152.14.93.140 (8) (17:03:11.730 PDT-17:15:35.412 PDT) event=777:7777008 (8) {tcp} E8[bh] Detected intense malware port scanning of 35 IPs (23 /24s) (# pkts S/M/O/I=0/35/0/0): 22:35, [] MAC_Src: 00:01:64:FF:CE:EA 8: 0->0 (17:03:11.730 PDT-17:15:35.412 PDT) tcpslice 1368403391.730 1368404135.413 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 05/12/2013 17:20:18.598 PDT Gen. Time: 05/12/2013 17:20:18.598 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 152.14.93.140 (17:20:18.598 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 35 IPs (23 /24s) (# pkts S/M/O/I=0/35/0/0): 22:35, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (17:20:18.598 PDT) tcpslice 1368404418.598 1368404418.599 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 05/12/2013 17:27:02.420 PDT Gen. 
Time: 05/12/2013 17:27:02.420 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 152.14.93.140 (17:27:02.420 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 35 IPs (23 /24s) (# pkts S/M/O/I=0/35/0/0): 22:35, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (17:27:02.420 PDT) tcpslice 1368404822.420 1368404822.421 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' ============================== SEPARATOR ================================ Score: 1.3 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 05/12/2013 17:27:02.420 PDT Gen. Time: 05/12/2013 17:46:25.901 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN 128.111.52.58 (17:34:28.112 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 53367->22 (17:34:28.112 PDT) 128.208.4.197 (17:40:58.371 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 48918->22 (17:40:58.371 PDT) 152.14.93.140 (17:38:30.884 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 33984->22 (17:38:30.884 PDT) 131.179.150.70 (17:35:13.635 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 47489->22 (17:35:13.635 PDT) 155.246.12.164 (2) (17:41:22.560 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 55674->22 (17:41:22.560 PDT) 
------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 55674->22 (17:41:22.560 PDT) 158.130.6.254 (17:34:02.466 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 43958->22 (17:34:02.466 PDT) 128.42.142.45 (17:31:28.675 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 52732->22 (17:31:28.675 PDT) 192.52.240.214 (17:34:10.489 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 39952->22 (17:34:10.489 PDT) 204.123.28.56 (17:33:54.158 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 45407->22 (17:33:54.158 PDT) 204.8.155.227 (2) (17:34:18.505 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 40378->22 (17:34:18.505 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 40378->22 (17:34:18.505 PDT) 192.52.240.213 (17:41:07.848 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 44346->22 (17:41:07.848 PDT) 141.212.113.180 (17:34:25.110 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 38256->22 (17:34:25.110 PDT) 204.8.155.226 (17:41:31.282 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 60615->22 (17:41:31.282 PDT) 128.111.52.59 (17:41:01.109 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 48188->22 (17:41:01.109 PDT) 152.3.138.6 (17:37:44.536 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 49073->22 (17:37:44.536 PDT) ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard 
Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 152.14.93.140 (12) (17:27:02.420 PDT-17:46:25.901 PDT) event=777:7777008 (12) {tcp} E8[bh] Detected intense malware port scanning of 35 IPs (23 /24s) (# pkts S/M/O/I=0/35/0/0): 22:35, [] MAC_Src: 00:01:64:FF:CE:EA 12: 0->0 (17:27:02.420 PDT-17:46:25.901 PDT) tcpslice 1368404822.420 1368405985.902 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' ============================== SEPARATOR ================================ Score: 1.3 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 05/12/2013 17:46:33.188 PDT Gen. Time: 05/12/2013 17:48:26.340 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN 128.36.233.153 (17:46:33.188 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 51717->22 (17:46:33.188 PDT) 128.84.154.45 (17:46:41.701 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 37389->22 (17:46:41.701 PDT) 139.78.141.243 (17:47:38.276 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 50354->22 (17:47:38.276 PDT) 128.8.126.111 (17:46:51.215 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 40638->22 (17:46:51.215 PDT) ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 152.14.93.140 (17:48:26.340 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 35 IPs (23 /24s) (# pkts S/M/O/I=0/35/0/0): 22:35, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (17:48:26.340 PDT) tcpslice 1368405993.188 1368405993.189 inputFile.tcpd 
| tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 05/12/2013 17:50:02.633 PDT Gen. Time: 05/12/2013 17:50:02.633 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 152.14.93.140 (17:50:02.633 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 35 IPs (23 /24s) (# pkts S/M/O/I=0/35/0/0): 22:35, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (17:50:02.633 PDT) tcpslice 1368406202.633 1368406202.634 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' ============================== SEPARATOR ================================ Score: 1.3 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 05/12/2013 17:50:02.633 PDT Gen. 
Time: 05/12/2013 17:54:43.720 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN 128.208.4.198 (17:50:06.636 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 49123->22 (17:50:06.636 PDT) 128.223.8.111 (17:50:11.129 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 50573->22 (17:50:11.129 PDT) ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 152.14.93.140 (2) (17:50:02.633 PDT-17:53:26.858 PDT) event=777:7777008 (2) {tcp} E8[bh] Detected intense malware port scanning of 35 IPs (23 /24s) (# pkts S/M/O/I=0/35/0/0): 22:35, [] MAC_Src: 00:01:64:FF:CE:EA 2: 0->0 (17:50:02.633 PDT-17:53:26.858 PDT) tcpslice 1368406202.633 1368406406.859 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 05/12/2013 17:54:30.372 PDT Gen. 
Time: 05/12/2013 17:54:30.372 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 152.14.93.140 (17:54:30.372 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 35 IPs (23 /24s) (# pkts S/M/O/I=0/35/0/0): 22:35, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (17:54:30.372 PDT) tcpslice 1368406470.372 1368406470.373 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 05/12/2013 18:05:57.029 PDT Gen. Time: 05/12/2013 18:12:06.644 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) 141.212.113.180 (18:12:06.644 PDT) event=777:7777005 {tcp} E5[bh] Detected moderate malware port scanning of 10 IPs (10 /24s) (# pkts S/M/O/I=0/10/0/0): 22:10, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (18:12:06.644 PDT) OUTBOUND SCAN 128.111.52.58 (18:08:56.769 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 53522->22 (18:08:56.769 PDT) 204.8.155.227 (2) (18:08:46.629 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 40533->22 (18:08:46.629 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 40533->22 (18:08:46.629 PDT) 128.42.142.45 (18:05:57.029 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 
52887->22 (18:05:57.029 PDT) 131.179.150.70 (18:09:42.309 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 47644->22 (18:09:42.309 PDT) 204.123.28.56 (18:08:22.678 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 45562->22 (18:08:22.678 PDT) 141.212.113.180 (18:08:53.524 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 38411->22 (18:08:53.524 PDT) 192.52.240.214 (18:08:38.724 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 40107->22 (18:08:38.724 PDT) 158.130.6.254 (18:08:30.593 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 44113->22 (18:08:30.593 PDT) ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368407157.029 1368407157.030 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 05/12/2013 18:12:14.205 PDT Gen. 
Time: 05/12/2013 18:13:48.901 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) 141.212.113.180 (18:13:48.901 PDT) event=777:7777005 {tcp} E5[bh] Detected moderate malware port scanning of 11 IPs (11 /24s) (# pkts S/M/O/I=0/11/0/0): 22:11, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (18:13:48.901 PDT) OUTBOUND SCAN 152.14.93.140 (18:13:00.773 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 34139->22 (18:13:00.773 PDT) 152.3.138.6 (18:12:14.205 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 49228->22 (18:12:14.205 PDT) ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368407534.205 1368407534.206 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' ============================== SEPARATOR ================================ Score: 1.6 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 05/12/2013 18:12:14.205 PDT Gen. 
Time: 05/12/2013 18:28:05.716 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) 141.212.113.180 (2) (18:13:48.901 PDT-18:15:25.077 PDT) event=777:7777005 (2) {tcp} E5[bh] Detected moderate malware port scanning of 11 IPs (11 /24s) (# pkts S/M/O/I=0/11/0/0): 22:11, [] MAC_Src: 00:01:64:FF:CE:EA 2: 0->0 (18:13:48.901 PDT-18:15:25.077 PDT) OUTBOUND SCAN 128.208.4.197 (18:15:28.197 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 49073->22 (18:15:28.197 PDT) 152.14.93.140 (18:13:00.773 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 34139->22 (18:13:00.773 PDT) 155.246.12.164 (2) (18:16:05.792 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 55829->22 (18:16:05.792 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 55829->22 (18:16:05.792 PDT) 165.91.55.8 (18:16:21.219 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 55961->22 (18:16:21.219 PDT) 128.42.142.44 (2) (18:16:35.936 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 55749->22 (18:16:35.936 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 55749->22 (18:16:35.936 PDT) 128.84.154.44 (18:16:29.568 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 54845->22 (18:16:29.568 PDT) 13.7.64.20 (18:16:48.966 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 57645->22 (18:16:48.966 PDT) 192.52.240.213 (18:15:38.365 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] 
MAC_Src: 00:01:64:FF:CE:EA 44501->22 (18:15:38.365 PDT) 204.123.28.55 (18:16:46.279 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 60170->22 (18:16:46.279 PDT) 128.252.19.19 (18:16:43.530 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 38352->22 (18:16:43.530 PDT) 204.8.155.226 (18:16:14.270 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 60770->22 (18:16:14.270 PDT) 198.133.224.147 (2) (18:16:56.844 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 51280->22 (18:16:56.844 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 51280->22 (18:16:56.844 PDT) 152.3.138.6 (18:12:14.205 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 49228->22 (18:12:14.205 PDT) 128.111.52.59 (18:15:31.044 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 48343->22 (18:15:31.044 PDT) ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 128.84.154.44 (5) (18:16:44.960 PDT-18:20:57.700 PDT) event=777:7777008 (5) {tcp} E8[bh] Detected intense malware port scanning of 34 IPs (23 /24s) (# pkts S/M/O/I=0/34/0/0): 22:34, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (18:24:35.220 PDT) 2: 0->0 (18:18:32.485 PDT-18:20:57.700 PDT) 0->0 (18:22:58.917 PDT) 0->0 (18:16:44.960 PDT) tcpslice 1368407534.205 1368408057.701 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. 
List: Resource List: Observed Start: 05/12/2013 18:40:29.286 PDT Gen. Time: 05/12/2013 18:46:48.513 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) 204.8.155.227 (18:46:48.513 PDT) event=777:7777005 {tcp} E5[bh] Detected moderate malware port scanning of 10 IPs (10 /24s) (# pkts S/M/O/I=0/10/0/0): 22:10, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (18:46:48.513 PDT) OUTBOUND SCAN 128.111.52.58 (18:43:28.729 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 53677->22 (18:43:28.729 PDT) 131.179.150.70 (18:44:14.310 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 47799->22 (18:44:14.310 PDT) 158.130.6.254 (18:43:03.274 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 44268->22 (18:43:03.274 PDT) 128.42.142.45 (18:40:29.286 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 53042->22 (18:40:29.286 PDT) 192.52.240.214 (18:43:10.902 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 40262->22 (18:43:10.902 PDT) 204.123.28.56 (18:42:54.968 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 45717->22 (18:42:54.968 PDT) 204.8.155.227 (2) (18:43:18.917 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 40688->22 (18:43:18.917 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 40688->22 (18:43:18.917 PDT) 141.212.113.180 (18:43:25.610 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 38566->22 (18:43:25.610 PDT) 152.3.138.6 (18:46:47.180 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH 
Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 49383->22 (18:46:47.180 PDT) ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368409229.286 1368409229.287 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' ============================== SEPARATOR ================================ Score: 1.6 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 05/12/2013 18:40:29.286 PDT Gen. Time: 05/12/2013 18:54:55.843 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) 204.8.155.227 (3) (18:46:48.513 PDT-18:49:57.877 PDT) event=777:7777005 (3) {tcp} E5[bh] Detected moderate malware port scanning of 10 IPs (10 /24s) (# pkts S/M/O/I=0/10/0/0): 22:10, [] MAC_Src: 00:01:64:FF:CE:EA 3: 0->0 (18:46:48.513 PDT-18:49:57.877 PDT) OUTBOUND SCAN 128.111.52.58 (18:43:28.729 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 53677->22 (18:43:28.729 PDT) 128.208.4.197 (18:50:00.976 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 49228->22 (18:50:00.976 PDT) 152.14.93.140 (18:47:33.606 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 34294->22 (18:47:33.606 PDT) 131.179.150.70 (18:44:14.310 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 47799->22 (18:44:14.310 PDT) 155.246.12.164 (2) (18:50:22.249 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 55984->22 (18:50:22.249 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 
00:01:64:FF:CE:EA 55984->22 (18:50:22.249 PDT) 158.130.6.254 (18:43:03.274 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 44268->22 (18:43:03.274 PDT) 128.42.142.45 (18:40:29.286 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 53042->22 (18:40:29.286 PDT) 192.52.240.214 (18:43:10.902 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 40262->22 (18:43:10.902 PDT) 204.123.28.56 (18:42:54.968 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 45717->22 (18:42:54.968 PDT) 204.8.155.227 (2) (18:43:18.917 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 40688->22 (18:43:18.917 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 40688->22 (18:43:18.917 PDT) 192.52.240.213 (18:50:11.260 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 44656->22 (18:50:11.260 PDT) 141.212.113.180 (18:43:25.610 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 38566->22 (18:43:25.610 PDT) 204.8.155.226 (18:50:31.236 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 60925->22 (18:50:31.236 PDT) 128.111.52.59 (18:50:04.379 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 48498->22 (18:50:04.379 PDT) 152.3.138.6 (18:46:47.180 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 49383->22 (18:46:47.180 PDT) ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 204.8.155.227 
(18:51:06.855 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 21 IPs (16 /24s) (# pkts S/M/O/I=0/21/0/0): 22:21, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (18:51:06.855 PDT) 198.133.224.147 (18:52:58.470 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 29 IPs (20 /24s) (# pkts S/M/O/I=0/29/0/0): 22:29, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (18:52:58.470 PDT) tcpslice 1368409229.286 1368409797.878 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 05/12/2013 18:55:22.861 PDT Gen. Time: 05/12/2013 18:55:22.861 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 128.36.233.153 (18:55:22.861 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 30 IPs (21 /24s) (# pkts S/M/O/I=0/30/0/0): 22:30, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (18:55:22.861 PDT) tcpslice 1368410122.861 1368410122.862 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' ============================== SEPARATOR ================================ Score: 1.3 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 05/12/2013 18:55:22.861 PDT Gen. 
Time: 05/12/2013 19:02:12.424 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN 128.36.233.153 (18:55:29.204 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 52027->22 (18:55:29.204 PDT) 128.208.4.198 (18:59:02.054 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 49433->22 (18:59:02.054 PDT) 128.84.154.45 (18:55:37.853 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 37699->22 (18:55:37.853 PDT) 139.78.141.243 (18:56:34.214 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 50664->22 (18:56:34.214 PDT) 128.223.8.111 (18:59:06.541 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 50883->22 (18:59:06.541 PDT) 128.8.126.111 (18:55:47.625 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 40948->22 (18:55:47.625 PDT) ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 128.36.233.153 (4) (18:55:22.861 PDT) event=777:7777008 (4) {tcp} E8[bh] Detected intense malware port scanning of 30 IPs (21 /24s) (# pkts S/M/O/I=0/30/0/0): 22:30, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (18:55:22.861 PDT) 0->0 (18:57:22.278 PDT) 0->0 (18:58:58.549 PDT) 0->0 (19:01:08.070 PDT) tcpslice 1368410122.861 1368410122.862 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 05/12/2013 19:02:13.607 PDT Gen. 
Time: 05/12/2013 19:02:13.607 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 128.36.233.153 (19:02:13.607 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 35 IPs (23 /24s) (# pkts S/M/O/I=0/35/0/0): 22:35, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (19:02:13.607 PDT) tcpslice 1368410533.607 1368410533.608 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 05/12/2013 19:14:52.391 PDT Gen. Time: 05/12/2013 19:21:13.032 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) 204.8.155.227 (19:21:13.032 PDT) event=777:7777005 {tcp} E5[bh] Detected moderate malware port scanning of 10 IPs (10 /24s) (# pkts S/M/O/I=0/10/0/0): 22:10, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (19:21:13.032 PDT) OUTBOUND SCAN 128.111.52.58 (19:17:53.175 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 53832->22 (19:17:53.175 PDT) 131.179.150.70 (19:18:38.759 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 47954->22 (19:18:38.759 PDT) 158.130.6.254 (19:17:27.438 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 44423->22 (19:17:27.438 PDT) 128.42.142.45 (19:14:52.391 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 53197->22 
(19:14:52.391 PDT) 192.52.240.214 (19:17:35.016 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 40417->22 (19:17:35.016 PDT) 204.123.28.56 (19:17:18.249 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 45872->22 (19:17:18.249 PDT) 204.8.155.227 (2) (19:17:43.038 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 40843->22 (19:17:43.038 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 40843->22 (19:17:43.038 PDT) 141.212.113.180 (19:17:49.883 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 38721->22 (19:17:49.883 PDT) 152.3.138.6 (19:21:11.354 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 49538->22 (19:21:11.354 PDT) ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368411292.391 1368411292.392 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' ============================== SEPARATOR ================================ Score: 1.6 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 05/12/2013 19:14:52.391 PDT Gen. 
Time: 05/12/2013 19:36:59.940 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) 204.8.155.227 (3) (19:21:13.032 PDT-19:24:22.549 PDT) event=777:7777005 (3) {tcp} E5[bh] Detected moderate malware port scanning of 10 IPs (10 /24s) (# pkts S/M/O/I=0/10/0/0): 22:10, [] MAC_Src: 00:01:64:FF:CE:EA 3: 0->0 (19:21:13.032 PDT-19:24:22.549 PDT) OUTBOUND SCAN 128.111.52.58 (19:17:53.175 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 53832->22 (19:17:53.175 PDT) 128.208.4.197 (19:24:25.679 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 49383->22 (19:24:25.679 PDT) 152.14.93.140 (19:21:58.119 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 34449->22 (19:21:58.119 PDT) 131.179.150.70 (19:18:38.759 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 47954->22 (19:18:38.759 PDT) 155.246.12.164 (2) (19:24:50.283 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 56139->22 (19:24:50.283 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 56139->22 (19:24:50.283 PDT) 158.130.6.254 (19:17:27.438 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 44423->22 (19:17:27.438 PDT) 128.42.142.45 (19:14:52.391 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 53197->22 (19:14:52.391 PDT) 192.52.240.214 (19:17:35.016 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 40417->22 (19:17:35.016 PDT) 204.123.28.56 (19:17:18.249 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] 
MAC_Src: 00:01:64:FF:CE:EA 45872->22 (19:17:18.249 PDT) 204.8.155.227 (2) (19:17:43.038 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 40843->22 (19:17:43.038 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 40843->22 (19:17:43.038 PDT) 192.52.240.213 (19:24:37.063 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 44811->22 (19:24:37.063 PDT) 141.212.113.180 (19:17:49.883 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 38721->22 (19:17:49.883 PDT) 204.8.155.226 (19:24:58.900 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 32847->22 (19:24:58.900 PDT) 128.111.52.59 (19:24:29.900 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 48653->22 (19:24:29.900 PDT) 152.3.138.6 (19:21:11.354 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 49538->22 (19:21:11.354 PDT) ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 204.8.155.227 (5) (19:25:41.433 PDT-19:32:15.847 PDT) event=777:7777008 (5) {tcp} E8[bh] Detected intense malware port scanning of 30 IPs (20 /24s) (# pkts S/M/O/I=0/30/0/0): 22:30, [] MAC_Src: 00:01:64:FF:CE:EA 2: 0->0 (19:27:20.568 PDT-19:28:59.239 PDT) 2: 0->0 (19:30:33.767 PDT-19:32:15.847 PDT) 0->0 (19:25:41.433 PDT) tcpslice 1368411292.391 1368412335.848 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. 
List: Resource List: Observed Start: 05/12/2013 19:33:43.016 PDT Gen. Time: 05/12/2013 19:33:43.016 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 204.8.155.227 (19:33:43.016 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 35 IPs (23 /24s) (# pkts S/M/O/I=0/35/0/0): 22:35, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (19:33:43.016 PDT) tcpslice 1368412423.016 1368412423.017 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 05/12/2013 19:49:28.167 PDT Gen. 
Time: 05/12/2013 19:55:37.206 PDT
INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
204.8.155.227 (19:55:37.206 PDT)
  event=777:7777005 {tcp} E5[bh] Detected moderate malware port scanning of 11 IPs (10 /24s) (# pkts S/M/O/I=1/10/0/0): 22:10, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (19:55:37.206 PDT)
OUTBOUND SCAN
128.111.52.58 (19:52:27.491 PDT)
  event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 53987->22 (19:52:27.491 PDT)
204.8.155.227 (2) (19:52:17.784 PDT)
  event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 40998->22 (19:52:17.784 PDT)
  -------------------------
  event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 40998->22 (19:52:17.784 PDT)
128.42.142.45 (19:49:28.167 PDT)
  event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 53352->22 (19:49:28.167 PDT)
131.179.150.70 (19:53:12.999 PDT)
  event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 48109->22 (19:53:12.999 PDT)
204.123.28.56 (19:51:53.739 PDT)
  event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 46027->22 (19:51:53.739 PDT)
141.212.113.180 (19:52:24.479 PDT)
  event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 38876->22 (19:52:24.479 PDT)
192.52.240.214 (19:52:09.802 PDT)
  event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 40572->22 (19:52:09.802 PDT)
158.130.6.254 (19:52:02.199 PDT)
  event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 44578->22 (19:52:02.199 PDT)
ATTACK PREP
PEER COORDINATION
Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1368413368.167 1368413368.168 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41'

============================== SEPARATOR ================================

Score: 1.6 (>= 0.8)
Infected Target: 192.168.1.41
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/12/2013 19:49:28.167 PDT
Gen. Time: 05/12/2013 20:04:46.859 PDT
INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
204.8.155.227 (3) (19:55:37.206 PDT-19:58:54.614 PDT)
  event=777:7777005 (3) {tcp} E5[bh] Detected moderate malware port scanning of 12 IPs (11 /24s) (# pkts S/M/O/I=1/11/0/0): 22:11, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (19:57:18.311 PDT) 2: 0->0 (19:55:37.206 PDT-19:58:54.614 PDT)
165.91.55.8 (20:00:24.193 PDT)
  event=777:7777005 {tcp} E5[bh] Detected moderate malware port scanning of 19 IPs (15 /24s) (# pkts S/M/O/I=1/18/0/0): 22:18, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (20:00:24.193 PDT)
OUTBOUND SCAN
128.111.52.58 (19:52:27.491 PDT)
  event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 53987->22 (19:52:27.491 PDT)
128.208.4.197 (19:58:57.750 PDT)
  event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 49538->22 (19:58:57.750 PDT)
152.14.93.140 (19:56:30.247 PDT)
  event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 34604->22 (19:56:30.247 PDT)
131.179.150.70 (19:53:12.999 PDT)
  event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 48109->22 (19:53:12.999 PDT)
155.246.12.164 (2) (19:59:52.187 PDT)
  event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 56294->22 (19:59:52.187 PDT)
  -------------------------
  event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 56294->22 (19:59:52.187 PDT)
158.130.6.254 (19:52:02.199 PDT)
  event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 44578->22 (19:52:02.199 PDT)
128.42.142.45 (19:49:28.167 PDT)
  event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 53352->22 (19:49:28.167 PDT)
192.52.240.214 (19:52:09.802 PDT)
  event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 40572->22 (19:52:09.802 PDT)
204.123.28.56 (19:51:53.739 PDT)
  event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 46027->22 (19:51:53.739 PDT)
204.8.155.227 (2) (19:52:17.784 PDT)
  event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 40998->22 (19:52:17.784 PDT)
  -------------------------
  event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 40998->22 (19:52:17.784 PDT)
192.52.240.213 (19:59:07.376 PDT)
  event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 44966->22 (19:59:07.376 PDT)
141.212.113.180 (19:52:24.479 PDT)
  event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 38876->22 (19:52:24.479 PDT)
204.8.155.226 (20:00:00.931 PDT)
  event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 33002->22 (20:00:00.931 PDT)
128.111.52.59 (19:59:00.463 PDT)
  event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 48808->22 (19:59:00.463 PDT)
152.3.138.6 (19:55:43.919 PDT)
  event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 49693->22 (19:55:43.919 PDT)
ATTACK PREP
PEER COORDINATION
Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN
165.91.55.9 (2) (20:02:04.775 PDT-20:04:46.859 PDT)
  event=777:7777008 (2) {tcp} E8[bh] Detected intense malware port scanning of 30 IPs (21 /24s) (# pkts S/M/O/I=1/29/0/0): 22:29, [] MAC_Src: 00:01:64:FF:CE:EA 2: 0->0 (20:02:04.775 PDT-20:04:46.859 PDT)
165.91.55.8 (20:00:33.410 PDT)
  event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 21 IPs (16 /24s) (# pkts S/M/O/I=1/20/0/0): 22:20, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (20:00:33.410 PDT)
tcpslice 1368413368.167 1368414286.860 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41'

============================== SEPARATOR ================================

Score: 1.3 (>= 0.8)
Infected Target: 192.168.1.41
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/12/2013 20:04:59.744 PDT
Gen. Time: 05/12/2013 20:06:42.919 PDT
INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
128.36.233.153 (20:04:59.744 PDT)
  event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 52337->22 (20:04:59.744 PDT)
128.84.154.45 (20:05:08.306 PDT)
  event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 38009->22 (20:05:08.306 PDT)
128.8.126.111 (20:05:54.855 PDT)
  event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 41254->22 (20:05:54.855 PDT)
ATTACK PREP
PEER COORDINATION
Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN
165.91.55.9 (20:06:42.919 PDT)
  event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 33 IPs (23 /24s) (# pkts S/M/O/I=1/32/0/0): 22:32, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (20:06:42.919 PDT)
tcpslice 1368414299.744 1368414299.745 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41'

============================== SEPARATOR ================================

Score: 1.3 (>= 0.8)
Infected Target: 192.168.1.41
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/12/2013 20:04:59.744 PDT
Gen. Time: 05/12/2013 20:14:55.862 PDT
INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
128.36.233.153 (20:04:59.744 PDT)
  event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 52337->22 (20:04:59.744 PDT)
128.208.4.198 (20:11:32.129 PDT)
  event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 49739->22 (20:11:32.129 PDT)
128.84.154.45 (20:05:08.306 PDT)
  event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 38009->22 (20:05:08.306 PDT)
139.78.141.243 (20:09:04.295 PDT)
  event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 50970->22 (20:09:04.295 PDT)
128.223.8.111 (20:11:36.213 PDT)
  event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 51189->22 (20:11:36.213 PDT)
128.8.126.111 (20:05:54.855 PDT)
  event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 41254->22 (20:05:54.855 PDT)
ATTACK PREP
PEER COORDINATION
Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN
165.91.55.9 (4) (20:06:42.919 PDT-20:09:52.359 PDT)
  event=777:7777008 (4) {tcp} E8[bh] Detected intense malware port scanning of 35 IPs (24 /24s) (# pkts S/M/O/I=1/34/0/0): 22:34, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (20:11:28.502 PDT) 3: 0->0 (20:06:42.919 PDT-20:09:52.359 PDT)
tcpslice 1368414299.744 1368414592.360 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.41
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/12/2013 20:15:55.077 PDT
Gen. Time: 05/12/2013 20:15:55.077 PDT
INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN
165.91.55.9 (20:15:55.077 PDT)
  event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 36 IPs (24 /24s) (# pkts S/M/O/I=1/35/0/0): 22:35, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (20:15:55.077 PDT)
tcpslice 1368414955.077 1368414955.078 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.41
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/12/2013 20:27:22.086 PDT
Gen. Time: 05/12/2013 20:33:42.792 PDT
INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
128.42.142.45 (20:33:42.792 PDT)
  event=777:7777005 {tcp} E5[bh] Detected moderate malware port scanning of 10 IPs (10 /24s) (# pkts S/M/O/I=0/10/0/0): 22:10, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (20:33:42.792 PDT)
OUTBOUND SCAN
128.111.52.58 (20:30:22.997 PDT)
  event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 54138->22 (20:30:22.997 PDT)
131.179.150.70 (20:31:08.518 PDT)
  event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 48260->22 (20:31:08.518 PDT)
158.130.6.254 (20:29:56.255 PDT)
  event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 44729->22 (20:29:56.255 PDT)
128.42.142.45 (20:27:22.086 PDT)
  event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 53503->22 (20:27:22.086 PDT)
192.52.240.214 (20:30:04.508 PDT)
  event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 40723->22 (20:30:04.508 PDT)
204.123.28.56 (20:29:47.778 PDT)
  event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 46178->22 (20:29:47.778 PDT)
204.8.155.227 (2) (20:30:12.984 PDT)
  event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 41149->22 (20:30:12.984 PDT)
  -------------------------
  event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 41149->22 (20:30:12.984 PDT)
141.212.113.180 (20:30:19.899 PDT)
  event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 39027->22 (20:30:19.899 PDT)
152.3.138.6 (20:33:41.373 PDT)
  event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 49844->22 (20:33:41.373 PDT)
ATTACK PREP
PEER COORDINATION
Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1368415642.086 1368415642.087 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41'

============================== SEPARATOR ================================

Score: 1.6 (>= 0.8)
Infected Target: 192.168.1.41
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/12/2013 20:27:22.086 PDT
Gen. Time: 05/12/2013 20:51:03.550 PDT
INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
128.42.142.45 (3) (20:33:42.792 PDT-20:36:52.245 PDT)
  event=777:7777005 (3) {tcp} E5[bh] Detected moderate malware port scanning of 10 IPs (10 /24s) (# pkts S/M/O/I=0/10/0/0): 22:10, [] MAC_Src: 00:01:64:FF:CE:EA 3: 0->0 (20:33:42.792 PDT-20:36:52.245 PDT)
OUTBOUND SCAN
128.111.52.58 (20:30:22.997 PDT)
  event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 54138->22 (20:30:22.997 PDT)
128.208.4.197 (20:36:55.441 PDT)
  event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 49689->22 (20:36:55.441 PDT)
152.14.93.140 (20:34:27.878 PDT)
  event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 34755->22 (20:34:27.878 PDT)
131.179.150.70 (20:31:08.518 PDT)
  event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 48260->22 (20:31:08.518 PDT)
155.246.12.164 (2) (20:37:30.358 PDT)
  event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 56445->22 (20:37:30.358 PDT)
  -------------------------
  event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 56445->22 (20:37:30.358 PDT)
158.130.6.254 (20:29:56.255 PDT)
  event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 44729->22 (20:29:56.255 PDT)
128.42.142.45 (20:27:22.086 PDT)
  event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 53503->22 (20:27:22.086 PDT)
192.52.240.214 (20:30:04.508 PDT)
  event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 40723->22 (20:30:04.508 PDT)
204.123.28.56 (20:29:47.778 PDT)
  event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 46178->22 (20:29:47.778 PDT)
204.8.155.227 (2) (20:30:12.984 PDT)
  event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 41149->22 (20:30:12.984 PDT)
  -------------------------
  event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 41149->22 (20:30:12.984 PDT)
192.52.240.213 (20:37:05.122 PDT)
  event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 45117->22 (20:37:05.122 PDT)
141.212.113.180 (20:30:19.899 PDT)
  event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 39027->22 (20:30:19.899 PDT)
204.8.155.226 (20:37:39.025 PDT)
  event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 33153->22 (20:37:39.025 PDT)
128.111.52.59 (20:36:58.250 PDT)
  event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 48959->22 (20:36:58.250 PDT)
152.3.138.6 (20:33:41.373 PDT)
  event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 49844->22 (20:33:41.373 PDT)
ATTACK PREP
PEER COORDINATION
Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN
204.123.28.55 (7) (20:38:15.418 PDT-20:47:27.718 PDT)
  event=777:7777008 (7) {tcp} E8[bh] Detected intense malware port scanning of 32 IPs (22 /24s) (# pkts S/M/O/I=0/32/0/0): 22:32, [] MAC_Src: 00:01:64:FF:CE:EA 3: 0->0 (20:44:18.150 PDT-20:47:27.718 PDT) 0->0 (20:42:28.853 PDT) 0->0 (20:40:04.646 PDT) 0->0 (20:49:03.883 PDT) 0->0 (20:38:15.418 PDT)
tcpslice 1368415642.086 1368416847.719 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.41
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/12/2013 20:57:56.624 PDT
Gen. Time: 05/12/2013 20:57:56.624 PDT
INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN
204.123.28.55 (20:57:56.624 PDT)
  event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 35 IPs (23 /24s) (# pkts S/M/O/I=0/35/0/0): 22:35, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (20:57:56.624 PDT)
tcpslice 1368417476.624 1368417476.625 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.41
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/12/2013 21:02:22.566 PDT
Gen. Time: 05/12/2013 21:02:22.566 PDT
INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN
204.123.28.55 (21:02:22.566 PDT)
  event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 35 IPs (23 /24s) (# pkts S/M/O/I=0/35/0/0): 22:35, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (21:02:22.566 PDT)
tcpslice 1368417742.566 1368417742.567 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41'

============================== SEPARATOR ================================

Score: 1.3 (>= 0.8)
Infected Target: 192.168.1.41
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/12/2013 21:02:22.566 PDT
Gen. Time: 05/12/2013 21:09:46.587 PDT
INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
128.111.52.58 (21:07:57.450 PDT)
  event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 54289->22 (21:07:57.450 PDT)
204.8.155.227 (2) (21:07:47.483 PDT)
  event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 41300->22 (21:07:47.483 PDT)
  -------------------------
  event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 41300->22 (21:07:47.483 PDT)
128.42.142.45 (21:04:57.638 PDT)
  event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 53654->22 (21:04:57.638 PDT)
131.179.150.70 (21:08:42.982 PDT)
  event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 48411->22 (21:08:42.982 PDT)
204.123.28.56 (21:07:23.177 PDT)
  event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 46329->22 (21:07:23.177 PDT)
141.212.113.180 (21:07:54.241 PDT)
  event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 39178->22 (21:07:54.241 PDT)
192.52.240.214 (21:07:39.228 PDT)
  event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 40874->22 (21:07:39.228 PDT)
158.130.6.254 (21:07:31.387 PDT)
  event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 44880->22 (21:07:31.387 PDT)
ATTACK PREP
PEER COORDINATION
Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN
204.123.28.55 (5) (21:02:22.566 PDT-21:09:31.216 PDT)
  event=777:7777008 (5) {tcp} E8[bh] Detected intense malware port scanning of 35 IPs (23 /24s) (# pkts S/M/O/I=0/35/0/0): 22:35, [] MAC_Src: 00:01:64:FF:CE:EA 5: 0->0 (21:02:22.566 PDT-21:09:31.216 PDT)
tcpslice 1368417742.566 1368418171.217 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.41
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/12/2013 21:11:07.381 PDT
Gen. Time: 05/12/2013 21:11:07.381 PDT
INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN
204.123.28.55 (21:11:07.381 PDT)
  event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 35 IPs (23 /24s) (# pkts S/M/O/I=0/35/0/0): 22:35, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (21:11:07.381 PDT)
tcpslice 1368418267.381 1368418267.382 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41'

============================== SEPARATOR ================================

Score: 1.3 (>= 0.8)
Infected Target: 192.168.1.41
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/12/2013 21:11:07.381 PDT
Gen. Time: 05/12/2013 21:29:21.654 PDT
INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
128.208.4.197 (21:14:30.797 PDT)
  event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 49840->22 (21:14:30.797 PDT)
152.14.93.140 (21:12:03.238 PDT)
  event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 34906->22 (21:12:03.238 PDT)
155.246.12.164 (2) (21:14:52.462 PDT)
  event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 56596->22 (21:14:52.462 PDT)
  -------------------------
  event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 56596->22 (21:14:52.462 PDT)
165.91.55.8 (21:15:08.829 PDT)
  event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 56728->22 (21:15:08.829 PDT)
128.42.142.44 (2) (21:15:24.622 PDT)
  event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 56516->22 (21:15:24.622 PDT)
  -------------------------
  event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 56516->22 (21:15:24.622 PDT)
128.84.154.44 (21:15:17.907 PDT)
  event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 55612->22 (21:15:17.907 PDT)
13.7.64.20 (21:15:37.367 PDT)
  event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 58412->22 (21:15:37.367 PDT)
192.52.240.213 (21:14:40.373 PDT)
  event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 45268->22 (21:14:40.373 PDT)
204.123.28.55 (21:15:34.652 PDT)
  event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 60937->22 (21:15:34.652 PDT)
128.252.19.19 (21:15:31.936 PDT)
  event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 39119->22 (21:15:31.936 PDT)
204.8.155.226 (21:15:01.361 PDT)
  event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 33304->22 (21:15:01.361 PDT)
198.133.224.147 (2) (21:15:45.454 PDT)
  event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 52047->22 (21:15:45.454 PDT)
  -------------------------
  event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 52047->22 (21:15:45.454 PDT)
152.3.138.6 (21:11:16.703 PDT)
  event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 49995->22 (21:11:16.703 PDT)
128.111.52.59 (21:14:33.541 PDT)
  event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 49110->22 (21:14:33.541 PDT)
ATTACK PREP
PEER COORDINATION
Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN
204.123.28.55 (11) (21:11:07.381 PDT-21:28:06.227 PDT)
  event=777:7777008 (11) {tcp} E8[bh] Detected intense malware port scanning of 35 IPs (23 /24s) (# pkts S/M/O/I=0/35/0/0): 22:35, [] MAC_Src: 00:01:64:FF:CE:EA 11: 0->0 (21:11:07.381 PDT-21:28:06.227 PDT)
tcpslice 1368418267.381 1368419286.228 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.41
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/12/2013 21:29:47.425 PDT
Gen. Time: 05/12/2013 21:29:47.425 PDT
INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN
204.123.28.55 (21:29:47.425 PDT)
  event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 35 IPs (23 /24s) (# pkts S/M/O/I=0/35/0/0): 22:35, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (21:29:47.425 PDT)
tcpslice 1368419387.425 1368419387.426 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.41
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/12/2013 21:33:59.525 PDT
Gen. Time: 05/12/2013 21:33:59.525 PDT
INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN
204.123.28.55 (21:33:59.525 PDT)
  event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 35 IPs (23 /24s) (# pkts S/M/O/I=0/35/0/0): 22:35, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (21:33:59.525 PDT)
tcpslice 1368419639.525 1368419639.526 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.41
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/12/2013 21:39:00.581 PDT
Gen. Time: 05/12/2013 21:39:00.581 PDT
INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN
204.123.28.55 (21:39:00.581 PDT)
  event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 35 IPs (23 /24s) (# pkts S/M/O/I=0/35/0/0): 22:35, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (21:39:00.581 PDT)
tcpslice 1368419940.581 1368419940.582 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41'

============================== SEPARATOR ================================

Score: 1.3 (>= 0.8)
Infected Target: 192.168.1.41
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/12/2013 21:39:00.581 PDT
Gen. Time: 05/12/2013 21:47:54.043 PDT
INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
128.111.52.58 (21:45:26.243 PDT)
  event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 54440->22 (21:45:26.243 PDT)
204.8.155.227 (2) (21:45:14.807 PDT)
  event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 41451->22 (21:45:14.807 PDT)
  -------------------------
  event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 41451->22 (21:45:14.807 PDT)
128.42.142.45 (21:42:20.773 PDT)
  event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 53805->22 (21:42:20.773 PDT)
131.179.150.70 (21:46:11.943 PDT)
  event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 48562->22 (21:46:11.943 PDT)
204.123.28.56 (21:44:47.477 PDT)
  event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 46480->22 (21:44:47.477 PDT)
141.212.113.180 (21:45:22.481 PDT)
  event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 39329->22 (21:45:22.481 PDT)
192.52.240.214 (21:45:05.419 PDT)
  event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 41025->22 (21:45:05.419 PDT)
158.130.6.254 (21:44:56.478 PDT)
  event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 45031->22 (21:44:56.478 PDT)
ATTACK PREP
PEER COORDINATION
Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN
204.123.28.55 (5) (21:39:00.581 PDT-21:47:00.070 PDT)
  event=777:7777008 (5) {tcp} E8[bh] Detected intense malware port scanning of 35 IPs (23 /24s) (# pkts S/M/O/I=0/35/0/0): 22:35, [] MAC_Src: 00:01:64:FF:CE:EA 5: 0->0 (21:39:00.581 PDT-21:47:00.070 PDT)
tcpslice 1368419940.581 1368420420.071 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.41
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/12/2013 21:48:36.467 PDT
Gen. Time: 05/12/2013 21:48:36.467 PDT
INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN
204.123.28.55 (21:48:36.467 PDT)
  event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 35 IPs (23 /24s) (# pkts S/M/O/I=0/35/0/0): 22:35, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (21:48:36.467 PDT)
tcpslice 1368420516.467 1368420516.468 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41'

============================== SEPARATOR ================================

Score: 1.3 (>= 0.8)
Infected Target: 192.168.1.41
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/12/2013 21:48:36.467 PDT
Gen. Time: 05/12/2013 21:57:24.788 PDT
INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
128.208.4.197 (21:51:58.348 PDT)
  event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 49991->22 (21:51:58.348 PDT)
152.14.93.140 (21:49:30.471 PDT)
  event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 35057->22 (21:49:30.471 PDT)
155.246.12.164 (2) (21:52:22.449 PDT)
  event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 56747->22 (21:52:22.449 PDT)
  -------------------------
  event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 56747->22 (21:52:22.449 PDT)
165.91.55.8 (21:52:41.575 PDT)
  event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 56879->22 (21:52:41.575 PDT)
128.42.142.44 (2) (21:52:59.759 PDT)
  event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 56667->22 (21:52:59.759 PDT)
  -------------------------
  event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 56667->22 (21:52:59.759 PDT)
128.84.154.44 (21:52:51.624 PDT)
  event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 55763->22 (21:52:51.624 PDT)
13.7.64.20 (21:53:17.873 PDT)
  event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 58563->22 (21:53:17.873 PDT)
192.52.240.213 (21:52:09.790 PDT)
  event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 45419->22 (21:52:09.790 PDT)
204.123.28.55 (21:53:14.861 PDT)
  event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 32855->22 (21:53:14.861 PDT)
128.252.19.19 (21:53:11.531 PDT)
  event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 39270->22 (21:53:11.531 PDT)
204.8.155.226 (21:52:32.467 PDT)
  event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 33455->22 (21:52:32.467 PDT)
198.133.224.147 (2) (21:53:26.297 PDT)
  event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 52198->22 (21:53:26.297 PDT)
  -------------------------
  event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 52198->22 (21:53:26.297 PDT)
152.3.138.6 (21:48:43.912 PDT)
  event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 50146->22 (21:48:43.912 PDT)
128.111.52.59 (21:52:01.706 PDT)
  event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 49261->22 (21:52:01.706 PDT)
ATTACK PREP
PEER COORDINATION
Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN
204.123.28.55 (5) (21:48:36.467 PDT-21:55:07.238 PDT)
  event=777:7777008 (5) {tcp} E8[bh] Detected intense malware port scanning of 35 IPs (23 /24s) (# pkts S/M/O/I=0/35/0/0): 22:35, [] MAC_Src: 00:01:64:FF:CE:EA 5: 0->0 (21:48:36.467 PDT-21:55:07.238 PDT)
tcpslice 1368420516.467 1368420907.239 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.41
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/12/2013 21:57:31.780 PDT
Gen. Time: 05/12/2013 21:57:31.780 PDT
INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN
204.123.28.55 (21:57:31.780 PDT)
  event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 35 IPs (23 /24s) (# pkts S/M/O/I=0/35/0/0): 22:35, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (21:57:31.780 PDT)
tcpslice 1368421051.780 1368421051.781 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41'

============================== SEPARATOR ================================

Score: 1.3 (>= 0.8)
Infected Target: 192.168.1.41
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/12/2013 21:57:31.780 PDT
Gen. Time: 05/12/2013 22:07:59.554 PDT
INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
128.36.233.153 (21:57:39.032 PDT)
  event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 52790->22 (21:57:39.032 PDT)
128.208.4.198 (22:04:12.470 PDT)
  event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 50192->22 (22:04:12.470 PDT)
128.84.154.45 (21:57:48.310 PDT)
  event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 38462->22 (21:57:48.310 PDT)
139.78.141.243 (22:01:44.422 PDT)
  event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 51423->22 (22:01:44.422 PDT)
128.223.8.111 (22:04:17.309 PDT)
  event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 51642->22 (22:04:17.309 PDT)
128.8.126.111 (21:58:34.918 PDT)
  event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 41707->22 (21:58:34.918 PDT)
ATTACK PREP
PEER COORDINATION
Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN
204.123.28.55 (6) (21:57:31.780 PDT-22:05:43.654 PDT)
  event=777:7777008 (6) {tcp} E8[bh] Detected intense malware port scanning of 35 IPs (23 /24s) (# pkts S/M/O/I=0/35/0/0): 22:35, [] MAC_Src: 00:01:64:FF:CE:EA 6: 0->0 (21:57:31.780 PDT-22:05:43.654 PDT)
tcpslice 1368421051.780 1368421543.655 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.41
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/12/2013 22:09:14.233 PDT
Gen. Time: 05/12/2013 22:09:14.233 PDT
INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN
204.123.28.55 (22:09:14.233 PDT)
  event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 35 IPs (23 /24s) (# pkts S/M/O/I=0/35/0/0): 22:35, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (22:09:14.233 PDT)
tcpslice 1368421754.233 1368421754.234 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.41
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/12/2013 22:15:55.093 PDT
Gen.
Time: 05/12/2013 22:15:55.093 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 204.123.28.55 (22:15:55.093 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 35 IPs (23 /24s) (# pkts S/M/O/I=0/35/0/0): 22:35, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (22:15:55.093 PDT) tcpslice 1368422155.093 1368422155.094 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 05/12/2013 22:19:18.353 PDT Gen. Time: 05/12/2013 22:19:18.353 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 204.123.28.55 (22:19:18.353 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 35 IPs (23 /24s) (# pkts S/M/O/I=0/35/0/0): 22:35, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (22:19:18.353 PDT) tcpslice 1368422358.353 1368422358.354 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' ============================== SEPARATOR ================================ Score: 1.3 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 05/12/2013 22:19:18.353 PDT Gen. 
Time: 05/12/2013 22:39:03.610 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN 128.111.52.58 (22:23:22.696 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 54591->22 (22:23:22.696 PDT) 128.208.4.197 (22:29:57.452 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 50141->22 (22:29:57.452 PDT) 152.14.93.140 (22:27:27.335 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 35208->22 (22:27:27.335 PDT) 131.179.150.70 (22:24:08.423 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 48713->22 (22:24:08.423 PDT) 155.246.12.164 (2) (22:30:20.310 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 56897->22 (22:30:20.310 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 56897->22 (22:30:20.310 PDT) 158.130.6.254 (22:22:53.702 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 45182->22 (22:22:53.702 PDT) 128.42.142.45 (22:20:03.431 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 53956->22 (22:20:03.431 PDT) 192.52.240.214 (22:23:02.646 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 41176->22 (22:23:02.646 PDT) 204.123.28.56 (22:22:29.760 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 46631->22 (22:22:29.760 PDT) 204.8.155.227 (2) (22:23:11.672 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 41602->22 (22:23:11.672 PDT) ------------------------- 
event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 41602->22 (22:23:11.672 PDT) 192.52.240.213 (22:30:07.993 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 45569->22 (22:30:07.993 PDT) 141.212.113.180 (22:23:19.048 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 39480->22 (22:23:19.048 PDT) 204.8.155.226 (22:30:30.594 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 33605->22 (22:30:30.594 PDT) 128.111.52.59 (22:30:01.493 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 49411->22 (22:30:01.493 PDT) 152.3.138.6 (22:26:40.833 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 50297->22 (22:26:40.833 PDT) ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 204.123.28.55 (12) (22:19:18.353 PDT-22:39:03.610 PDT) event=777:7777008 (12) {tcp} E8[bh] Detected intense malware port scanning of 35 IPs (23 /24s) (# pkts S/M/O/I=0/35/0/0): 22:35, [] MAC_Src: 00:01:64:FF:CE:EA 12: 0->0 (22:19:18.353 PDT-22:39:03.610 PDT) tcpslice 1368422358.353 1368423543.611 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' ============================== SEPARATOR ================================ Score: 1.3 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 05/12/2013 22:39:48.712 PDT Gen. 
Time: 05/12/2013 22:40:36.840 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN 139.78.141.243 (22:39:48.712 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 51574->22 (22:39:48.712 PDT) ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 204.123.28.55 (22:40:36.840 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 35 IPs (23 /24s) (# pkts S/M/O/I=0/35/0/0): 22:35, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (22:40:36.840 PDT) tcpslice 1368423588.712 1368423588.713 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 05/12/2013 22:42:13.025 PDT Gen. 
Time: 05/12/2013 22:42:13.025 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 204.123.28.55 (22:42:13.025 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 35 IPs (23 /24s) (# pkts S/M/O/I=0/35/0/0): 22:35, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (22:42:13.025 PDT) tcpslice 1368423733.025 1368423733.026 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' ============================== SEPARATOR ================================ Score: 1.3 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 05/12/2013 22:42:13.025 PDT Gen. Time: 05/12/2013 22:44:44.159 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN 128.208.4.198 (22:42:17.707 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 50343->22 (22:42:17.707 PDT) 128.223.8.111 (22:42:22.919 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA 51793->22 (22:42:22.919 PDT) ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 204.123.28.55 (22:42:13.025 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 35 IPs (23 /24s) (# pkts S/M/O/I=0/35/0/0): 22:35, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (22:42:13.025 PDT) tcpslice 1368423733.025 1368423733.026 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' 
============================== SEPARATOR ================================