Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 1.175.226.117
Egg Source List: 1.175.226.117
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/13/2013 03:35:43.421 PDT
Gen. Time: 05/13/2013 03:35:47.998 PDT

INBOUND SCAN
EXPLOIT
  1.175.226.117 (03:35:43.421 PDT)
    event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
    445<-1608 (03:35:43.421 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
  1.175.226.117 (03:35:47.998 PDT)
    event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
    43288<-9515 (03:35:47.998 PDT)
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1368441343.421 1368441343.422 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 177.101.193.28, 188.52.100.171, 1.175.226.117
Egg Source List: 177.101.193.28, 1.175.226.117
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/13/2013 03:35:43.421 PDT
Gen. Time: 05/13/2013 03:41:55.132 PDT

INBOUND SCAN
EXPLOIT
  177.101.193.28 (03:36:38.457 PDT)
    event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
    445<-4862 (03:36:38.457 PDT)
  188.52.100.171 (03:37:09.161 PDT)
    event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
    445<-1168 (03:37:09.161 PDT)
  1.175.226.117 (03:35:43.421 PDT)
    event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
    445<-1608 (03:35:43.421 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
  177.101.193.28 (03:36:41.838 PDT)
    event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
    46762<-1235 (03:36:41.838 PDT)
  1.175.226.117 (03:35:47.998 PDT)
    event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
    43288<-9515 (03:35:47.998 PDT)
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1368441343.421 1368441343.422 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 194.54.180.231
Egg Source List: 194.54.180.231
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/13/2013 04:00:28.842 PDT
Gen. Time: 05/13/2013 04:00:31.862 PDT

INBOUND SCAN
EXPLOIT
  194.54.180.231 (04:00:28.842 PDT)
    event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
    445<-1763 (04:00:28.842 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
  194.54.180.231 (04:00:31.862 PDT)
    event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
    48067<-5600 (04:00:31.862 PDT)
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1368442828.842 1368442828.843 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 212.107.229.194
Egg Source List: 212.107.229.194
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/13/2013 04:29:39.722 PDT
Gen. Time: 05/13/2013 04:29:43.574 PDT

INBOUND SCAN
EXPLOIT
  212.107.229.194 (04:29:39.722 PDT)
    event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
    445<-3344 (04:29:39.722 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
  212.107.229.194 (04:29:43.574 PDT)
    event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
    54776<-6242 (04:29:43.574 PDT)
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1368444579.722 1368444579.723 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 212.107.229.194, 78.62.239.71, 78.165.90.228
Egg Source List: 212.107.229.194
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/13/2013 04:29:39.722 PDT
Gen. Time: 05/13/2013 04:44:09.981 PDT

INBOUND SCAN
EXPLOIT
  212.107.229.194 (13) (04:29:39.722 PDT-04:31:59.699 PDT)
    event=1:22009201 (13) {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
    445<-4793 (04:32:18.545 PDT)
    445<-3668 (04:30:24.121 PDT)
    445<-1175 (04:32:55.092 PDT)
    445<-1350 (04:33:15.203 PDT)
    445<-4078 (04:31:01.029 PDT)
    445<-3344 (04:29:39.722 PDT)
    445<-4984 (04:32:35.579 PDT)
    445<-3910 (04:30:43.919 PDT)
    445<-4247 (04:31:19.545 PDT)
    445<-4414 (04:31:37.730 PDT)
    2: 445<-4589 (04:31:58.653 PDT-04:31:59.699 PDT)
    445<-3504 (04:29:57.691 PDT)
  78.62.239.71 (3) (04:31:58.525 PDT)
    event=1:22000032 {tcp} E2[rb] ET EXPLOIT LSA exploit, [] MAC_Dst: 00:21:5A:08:EC:40
    445<-4485 (04:31:58.548 PDT)
    -------------------------
    event=1:22000033 {tcp} E2[rb] ET NETBIOS MS04011 Lsasrv.dll RPC exploit (WinXP), [] MAC_Dst: 00:21:5A:08:EC:40
    445<-4485 (04:31:58.542 PDT)
    -------------------------
    event=1:22514 {tcp} E2[rb] GPL NETBIOS SMB-DS DCERPC LSASS DsRolerUpgradeDownlevelServer exploit attempt, [] MAC_Dst: 00:21:5A:08:EC:40
    445<-4485 (04:31:58.525 PDT)
  78.165.90.228 (04:33:12.456 PDT)
    event=1:22475 {tcp} E2[rb] GPL NETBIOS SMB-DS ADMIN$ unicode share access, [] MAC_Dst: 00:21:5A:08:EC:40
    445<-3933 (04:33:12.456 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
  212.107.229.194 (17) (04:29:43.574 PDT)
    event=1:2001685 (17) {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
    54776<-6242 (04:29:43.574 PDT)
    54880<-6242 (04:30:02.311 PDT)
    47095<-6242 (04:30:28.448 PDT)
    47197<-6242 (04:30:47.592 PDT)
    47292<-6242 (04:31:06.186 PDT)
    47383<-6242 (04:31:23.530 PDT)
    47474<-6242 (04:31:40.996 PDT)
    47598<-6242 (04:32:05.185 PDT)
    47684<-6242 (04:32:21.944 PDT)
    47773<-6242 (04:32:39.261 PDT)
    47877<-6242 (04:32:59.256 PDT)
    48009<-6242 (04:33:26.012 PDT)
    48144<-6242 (04:33:50.013 PDT)
    48230<-6242 (04:34:06.112 PDT)
    48328<-6242 (04:34:25.591 PDT)
    48431<-6242 (04:34:44.999 PDT)
    48530<-6242 (04:35:02.525 PDT)
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1368444579.722 1368444719.700 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 115.199.205.13
Egg Source List: 115.199.205.13
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/13/2013 04:47:28.475 PDT
Gen. Time: 05/13/2013 04:47:33.938 PDT

INBOUND SCAN
EXPLOIT
  115.199.205.13 (04:47:28.475 PDT)
    event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
    445<-3013 (04:47:28.475 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
  115.199.205.13 (04:47:33.938 PDT)
    event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
    49962<-1957 (04:47:33.938 PDT)
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1368445648.475 1368445648.476 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 115.199.205.13, 89.32.220.63
Egg Source List: 115.199.205.13, 89.32.220.63
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/13/2013 04:47:28.475 PDT
Gen. Time: 05/13/2013 04:51:09.343 PDT

INBOUND SCAN
EXPLOIT
  115.199.205.13 (04:47:28.475 PDT)
    event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
    445<-3013 (04:47:28.475 PDT)
  89.32.220.63 (04:47:40.927 PDT)
    event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
    445<-3023 (04:47:40.927 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
  115.199.205.13 (04:47:33.938 PDT)
    event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
    49962<-1957 (04:47:33.938 PDT)
  89.32.220.63 (04:47:45.275 PDT)
    event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
    42459<-4915 (04:47:45.275 PDT)
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1368445648.475 1368445648.476 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 201.68.122.62
Egg Source List: 201.68.122.62
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/13/2013 05:03:04.327 PDT
Gen. Time: 05/13/2013 05:03:07.121 PDT

INBOUND SCAN
EXPLOIT
  201.68.122.62 (05:03:04.327 PDT)
    event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
    445<-2177 (05:03:04.327 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
  201.68.122.62 (05:03:07.121 PDT)
    event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
    41959<-5763 (05:03:07.121 PDT)
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1368446584.327 1368446584.328 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 80.66.157.34
Egg Source List: 80.66.157.34
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/13/2013 05:32:45.778 PDT
Gen. Time: 05/13/2013 05:32:49.682 PDT

INBOUND SCAN
EXPLOIT
  80.66.157.34 (05:32:45.778 PDT)
    event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
    445<-1867 (05:32:45.778 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
  80.66.157.34 (05:32:49.682 PDT)
    event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
    36341<-6473 (05:32:49.682 PDT)
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1368448365.778 1368448365.779 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 189.13.3.139
Egg Source List: 189.13.3.139
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/13/2013 06:16:39.590 PDT
Gen. Time: 05/13/2013 06:16:42.360 PDT

INBOUND SCAN
EXPLOIT
  189.13.3.139 (06:16:39.590 PDT)
    event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
    445<-4266 (06:16:39.590 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
  189.13.3.139 (06:16:42.360 PDT)
    event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
    36437<-5114 (06:16:42.360 PDT)
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1368450999.590 1368450999.591 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 114.36.65.55
Egg Source List: 114.36.65.55
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/13/2013 06:58:46.672 PDT
Gen. Time: 05/13/2013 06:58:49.484 PDT

INBOUND SCAN
EXPLOIT
  114.36.65.55 (06:58:46.672 PDT)
    event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
    445<-2189 (06:58:46.672 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
  114.36.65.55 (06:58:49.484 PDT)
    event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
    33208<-2280 (06:58:49.484 PDT)
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1368453526.672 1368453526.673 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 177.101.193.28
Egg Source List: 177.101.193.28
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/13/2013 07:17:46.755 PDT
Gen. Time: 05/13/2013 07:17:49.562 PDT

INBOUND SCAN
EXPLOIT
  177.101.193.28 (07:17:46.755 PDT)
    event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
    445<-1637 (07:17:46.755 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
  177.101.193.28 (07:17:49.562 PDT)
    event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
    37025<-1235 (07:17:49.562 PDT)
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1368454666.755 1368454666.756 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 2.94.13.156
Egg Source List: 2.94.13.156
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/13/2013 07:36:48.846 PDT
Gen. Time: 05/13/2013 07:36:54.969 PDT

INBOUND SCAN
EXPLOIT
  2.94.13.156 (07:36:48.846 PDT)
    event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
    445<-2227 (07:36:48.846 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
  2.94.13.156 (07:36:54.969 PDT)
    event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
    39338<-4434 (07:36:54.969 PDT)
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1368455808.846 1368455808.847 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 1.163.95.21
Egg Source List: 1.163.95.21
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/13/2013 07:37:30.653 PDT
Gen. Time: 05/13/2013 07:37:33.426 PDT

INBOUND SCAN
EXPLOIT
  1.163.95.21 (07:37:30.653 PDT)
    event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
    445<-1998 (07:37:30.653 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
  1.163.95.21 (07:37:33.426 PDT)
    event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
    42975<-7132 (07:37:33.426 PDT)
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1368455850.653 1368455850.654 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 109.111.99.80
Egg Source List: 109.111.99.80
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/13/2013 07:51:05.169 PDT
Gen. Time: 05/13/2013 07:51:07.797 PDT

INBOUND SCAN
EXPLOIT
  109.111.99.80 (07:51:05.169 PDT)
    event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
    445<-3045 (07:51:05.169 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
  109.111.99.80 (07:51:07.797 PDT)
    event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
    56858<-1314 (07:51:07.797 PDT)
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1368456665.169 1368456665.170 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 94.79.93.74
Egg Source List: 192.168.2.100
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/13/2013 07:55:39.475 PDT
Gen. Time: 05/13/2013 07:55:57.095 PDT

INBOUND SCAN
EXPLOIT
  94.79.93.74 (07:55:57.095 PDT)
    event=1:22514 {tcp} E2[rb] GPL NETBIOS SMB-DS DCERPC LSASS DsRolerUpgradeDownlevelServer exploit attempt, [] MAC_Dst: 00:21:5A:08:EC:40
    445<-1602 (07:55:57.095 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
  192.168.2.100 (9) (07:55:39.475 PDT-07:55:53.821 PDT)
    event=1:1444 (3) {udp} E3[rb] TFTP GET from external source, [] MAC_Src: 00:21:5A:08:EC:40
    3: 60395->69 (07:55:39.475 PDT-07:55:53.821 PDT)
    -------------------------
    event=1:2008120 (3) {udp} E3[rb] ET POLICY Outbound TFTP Read Request, [] MAC_Src: 00:21:5A:08:EC:40
    3: 60395->69 (07:55:39.475 PDT-07:55:53.821 PDT)
    -------------------------
    event=1:3001441 (3) {udp} E3[rb] TFTP GET .exe from external source, [] MAC_Src: 00:21:5A:08:EC:40
    3: 60395->69 (07:55:39.475 PDT-07:55:53.821 PDT)
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1368456939.475 1368456953.822 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 37.214.34.103
Egg Source List: 37.214.34.103
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/13/2013 08:15:41.422 PDT
Gen. Time: 05/13/2013 08:15:44.856 PDT

INBOUND SCAN
EXPLOIT
  37.214.34.103 (08:15:41.422 PDT)
    event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
    445<-3031 (08:15:41.422 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
  37.214.34.103 (08:15:44.856 PDT)
    event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
    54250<-4686 (08:15:44.856 PDT)
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1368458141.422 1368458141.423 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 186.134.129.48, 118.171.78.91, 78.0.21.229
Egg Source List: 118.171.78.91
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/13/2013 08:28:45.127 PDT
Gen. Time: 05/13/2013 08:29:22.915 PDT

INBOUND SCAN
EXPLOIT
  186.134.129.48 (08:29:05.624 PDT)
    event=1:22465 {tcp} E2[rb] GPL NETBIOS SMB-DS IPC$ share access, [] MAC_Dst: 00:21:5A:08:EC:40
    445<-2811 (08:29:05.624 PDT)
  118.171.78.91 (08:29:20.288 PDT)
    event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
    445<-3529 (08:29:20.288 PDT)
  78.0.21.229 (08:28:45.127 PDT)
    event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
    445<-59004 (08:28:45.127 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
  118.171.78.91 (08:29:22.915 PDT)
    event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
    39134<-7962 (08:29:22.915 PDT)
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1368458925.127 1368458925.128 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 59.95.26.182
Egg Source List: 59.95.26.182
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/13/2013 08:48:01.132 PDT
Gen. Time: 05/13/2013 08:48:04.465 PDT

INBOUND SCAN
EXPLOIT
  59.95.26.182 (08:48:01.132 PDT)
    event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
    445<-3312 (08:48:01.132 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
  59.95.26.182 (08:48:04.465 PDT)
    event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
    46769<-3822 (08:48:04.465 PDT)
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1368460081.132 1368460081.133 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 80.66.157.34
Egg Source List: 80.66.157.34
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/13/2013 09:13:55.138 PDT
Gen. Time: 05/13/2013 09:13:57.856 PDT

INBOUND SCAN
EXPLOIT
  80.66.157.34 (09:13:55.138 PDT)
    event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
    445<-2612 (09:13:55.138 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
  80.66.157.34 (09:13:57.856 PDT)
    event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
    42436<-6473 (09:13:57.856 PDT)
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1368461635.138 1368461635.139 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.9 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 59.93.201.230
Egg Source List: 59.93.201.230
C & C List: 66.197.186.229
Peer Coord. List:
Resource List:
Observed Start: 05/13/2013 09:21:59.011 PDT
Gen. Time: 05/13/2013 09:23:00.218 PDT

INBOUND SCAN
EXPLOIT
  59.93.201.230 (09:22:56.371 PDT)
    event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
    445<-26093 (09:22:56.371 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
  59.93.201.230 (09:23:00.218 PDT)
    event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
    44031<-9160 (09:23:00.218 PDT)
C and C TRAFFIC
C and C TRAFFIC (RBN)
  66.197.186.229 (09:21:59.011 PDT)
    event=1:3810008 {udp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:EC:40
    34567->33457 (09:21:59.011 PDT)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1368462119.011 1368462119.012 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 111.250.148.176
Egg Source List: 111.250.148.176
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/13/2013 09:45:28.216 PDT
Gen. Time: 05/13/2013 09:45:30.918 PDT

INBOUND SCAN
EXPLOIT
  111.250.148.176 (09:45:28.216 PDT)
    event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
    445<-3211 (09:45:28.216 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
  111.250.148.176 (09:45:30.918 PDT)
    event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
    42615<-7140 (09:45:30.918 PDT)
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1368463528.216 1368463528.217 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 189.13.3.139
Egg Source List: 189.13.3.139
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/13/2013 10:28:18.205 PDT
Gen. Time: 05/13/2013 10:28:21.042 PDT

INBOUND SCAN
EXPLOIT
  189.13.3.139 (10:28:18.205 PDT)
    event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
    445<-2181 (10:28:18.205 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
  189.13.3.139 (10:28:21.042 PDT)
    event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
    34976<-5114 (10:28:21.042 PDT)
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1368466098.205 1368466098.206 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 41.178.207.11
Egg Source List: 41.178.207.11
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/13/2013 10:51:08.225 PDT
Gen. Time: 05/13/2013 10:51:11.062 PDT

INBOUND SCAN
EXPLOIT
  41.178.207.11 (10:51:08.225 PDT)
    event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
    445<-1925 (10:51:08.225 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
  41.178.207.11 (10:51:11.062 PDT)
    event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
    48314<-5377 (10:51:11.062 PDT)
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1368467468.225 1368467468.226 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 109.162.75.55
Egg Source List: 109.162.75.55
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/13/2013 11:18:14.008 PDT
Gen. Time: 05/13/2013 11:18:17.516 PDT

INBOUND SCAN
EXPLOIT
  109.162.75.55 (11:18:14.008 PDT)
    event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
    445<-1125 (11:18:14.008 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
  109.162.75.55 (11:18:17.516 PDT)
    event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
    50649<-9826 (11:18:17.516 PDT)
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1368469094.008 1368469094.009 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 1.163.95.21, 109.162.75.55
Egg Source List: 1.163.95.21, 109.162.75.55
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/13/2013 11:18:14.008 PDT
Gen. Time: 05/13/2013 11:21:29.703 PDT

INBOUND SCAN
EXPLOIT
  1.163.95.21 (11:18:42.799 PDT)
    event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
    445<-2127 (11:18:42.799 PDT)
  109.162.75.55 (11:18:14.008 PDT)
    event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
    445<-1125 (11:18:14.008 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
  1.163.95.21 (11:18:47.832 PDT)
    event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
    47562<-7132 (11:18:47.832 PDT)
  109.162.75.55 (11:18:17.516 PDT)
    event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
    50649<-9826 (11:18:17.516 PDT)
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1368469094.008 1368469094.009 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 109.111.99.80
Egg Source List: 109.111.99.80
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/13/2013 11:32:11.809 PDT
Gen. Time: 05/13/2013 11:32:15.338 PDT

INBOUND SCAN
EXPLOIT
  109.111.99.80 (11:32:11.809 PDT)
    event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
    445<-2439 (11:32:11.809 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
  109.111.99.80 (11:32:15.338 PDT)
    event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
    36506<-1314 (11:32:15.338 PDT)
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1368469931.809 1368469931.810 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 109.111.99.80, 89.42.85.140
Egg Source List: 109.111.99.80, 89.42.85.140
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/13/2013 11:32:11.809 PDT
Gen.
Time: 05/13/2013 11:34:24.556 PDT INBOUND SCAN EXPLOIT 109.111.99.80 (11:32:11.809 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-2439 (11:32:11.809 PDT) 89.42.85.140 (11:32:21.511 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-3287 (11:32:21.511 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 109.111.99.80 (11:32:15.338 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 36506<-1314 (11:32:15.338 PDT) 89.42.85.140 (11:32:24.190 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 51513<-5942 (11:32:24.190 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368469931.809 1368469931.810 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 2.94.13.156 Egg Source List: 2.94.13.156 C & C List: Peer Coord. List: Resource List: Observed Start: 05/13/2013 11:44:34.903 PDT Gen. 
Time: 05/13/2013 11:44:37.743 PDT INBOUND SCAN EXPLOIT 2.94.13.156 (11:44:34.903 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-4305 (11:44:34.903 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 2.94.13.156 (11:44:37.743 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 43464<-4434 (11:44:37.743 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368470674.903 1368470674.904 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 82.211.140.156 Egg Source List: 82.211.140.156 C & C List: Peer Coord. List: Resource List: Observed Start: 05/13/2013 12:07:14.213 PDT Gen. 
Time: 05/13/2013 12:07:17.634 PDT INBOUND SCAN EXPLOIT 82.211.140.156 (12:07:14.213 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-2846 (12:07:14.213 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 82.211.140.156 (12:07:17.634 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 43517<-2191 (12:07:17.634 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368472034.213 1368472034.214 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================