Score: 1.1 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 05/13/2013 12:10:40.352 PDT Gen. Time: 05/13/2013 12:11:47.097 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) 190.13.20.47 (12:10:40.352 PDT) event=777:7777005 {tcp} E5[bh] Detected moderate malware port scanning of 19 IPs (19 /24s) (# pkts S/M/O/I=0/18/1/0): 445:18, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (12:10:40.352 PDT) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 190.29.172.117 (12:11:47.097 PDT) event=777:7777008 {icmp} E8[bh] Detected intense malware port scanning of 21 IPs (21 /24s) (# pkts S/M/O/I=0/20/1/0): 445:20, [] MAC_Src: 00:21:1C:EE:14:00 (12:11:47.097 PDT) tcpslice 1368472240.352 1368472240.353 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 1.1 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 05/13/2013 12:10:40.352 PDT Gen. Time: 05/13/2013 12:14:08.758 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) 190.13.20.47 (12:10:40.352 PDT) event=777:7777005 {tcp} E5[bh] Detected moderate malware port scanning of 19 IPs (19 /24s) (# pkts S/M/O/I=0/18/1/0): 445:18, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (12:10:40.352 PDT) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 190.29.172.117 (2) (12:11:47.097 PDT) event=777:7777008 (2) {icmp} E8[bh] Detected intense malware port scanning of 21 IPs (21 /24s) (# pkts S/M/O/I=0/20/1/0): 445:20, [] MAC_Src: 00:21:1C:EE:14:00 (12:11:47.097 PDT) (12:14:08.758 PDT) tcpslice 1368472240.352 1368472240.353 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 05/13/2013 12:16:50.142 PDT Gen. Time: 05/13/2013 12:16:50.142 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 190.29.172.117 (12:16:50.142 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 25 IPs (25 /24s) (# pkts S/M/O/I=0/24/1/0): 445:24, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (12:16:50.142 PDT) tcpslice 1368472610.142 1368472610.143 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 05/13/2013 12:16:50.142 PDT Gen. Time: 05/13/2013 12:13:29.117 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 190.29.172.117 (2) (12:16:50.142 PDT) event=777:7777008 (2) {tcp} E8[bh] Detected intense malware port scanning of 25 IPs (25 /24s) (# pkts S/M/O/I=0/24/1/0): 445:24, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (12:16:50.142 PDT) (12:18:45.540 PDT) tcpslice 1368472610.142 1368472610.143 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 05/13/2013 12:23:33.471 PDT Gen. Time: 05/13/2013 12:23:33.471 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 190.29.172.117 (12:23:33.471 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 29 IPs (29 /24s) (# pkts S/M/O/I=0/28/1/0): 445:28, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (12:23:33.471 PDT) tcpslice 1368473013.471 1368473013.472 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 1.1 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 05/13/2013 15:26:14.461 PDT Gen. Time: 05/13/2013 15:28:21.481 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) 181.112.127.57 (15:26:14.461 PDT) event=777:7777005 {tcp} E5[bh] Detected moderate malware port scanning of 20 IPs (19 /24s) (# pkts S/M/O/I=0/20/0/0): 445:20, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (15:26:14.461 PDT) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 181.112.127.57 (15:28:21.481 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 21 IPs (20 /24s) (# pkts S/M/O/I=0/21/0/0): 445:21, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (15:28:21.481 PDT) tcpslice 1368483974.461 1368483974.462 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 05/13/2013 15:31:03.685 PDT Gen. Time: 05/13/2013 15:31:03.685 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 181.112.127.57 (15:31:03.685 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 23 IPs (22 /24s) (# pkts S/M/O/I=0/23/0/0): 445:23, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (15:31:03.685 PDT) tcpslice 1368484263.685 1368484263.686 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 05/13/2013 15:31:03.685 PDT Gen. Time: 05/13/2013 15:34:06.956 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 181.112.127.57 (2) (15:31:03.685 PDT) event=777:7777008 (2) {tcp} E8[bh] Detected intense malware port scanning of 23 IPs (22 /24s) (# pkts S/M/O/I=0/23/0/0): 445:23, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (15:31:03.685 PDT) 0->0 (15:32:42.976 PDT) tcpslice 1368484263.685 1368484263.686 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 05/13/2013 15:35:38.434 PDT Gen. Time: 05/13/2013 15:35:38.434 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 181.112.127.57 (15:35:38.434 PDT) event=777:7777008 {icmp} E8[bh] Detected intense malware port scanning of 25 IPs (24 /24s) (# pkts S/M/O/I=0/25/0/0): 445:25, [] MAC_Src: 00:21:1C:EE:14:00 (15:35:38.434 PDT) tcpslice 1368484538.434 1368484538.435 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 05/13/2013 15:38:39.673 PDT Gen. Time: 05/13/2013 15:38:39.673 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 181.112.127.57 (15:38:39.673 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 27 IPs (26 /24s) (# pkts S/M/O/I=0/27/0/0): 445:27, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (15:38:39.673 PDT) tcpslice 1368484719.673 1368484719.674 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 05/13/2013 15:42:42.072 PDT Gen. Time: 05/13/2013 15:42:42.072 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 181.112.127.57 (15:42:42.072 PDT) event=777:7777008 {icmp} E8[bh] Detected intense malware port scanning of 30 IPs (29 /24s) (# pkts S/M/O/I=0/30/0/0): 445:30, [] MAC_Src: 00:21:1C:EE:14:00 (15:42:42.072 PDT) tcpslice 1368484962.072 1368484962.073 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 05/13/2013 15:42:42.072 PDT Gen. Time: 05/13/2013 15:46:47.650 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 181.71.137.45 (15:46:36.498 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 33 IPs (32 /24s) (# pkts S/M/O/I=0/33/0/0): 445:33, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (15:46:36.498 PDT) 181.112.127.57 (15:42:42.072 PDT) event=777:7777008 {icmp} E8[bh] Detected intense malware port scanning of 30 IPs (29 /24s) (# pkts S/M/O/I=0/30/0/0): 445:30, [] MAC_Src: 00:21:1C:EE:14:00 (15:42:42.072 PDT) tcpslice 1368484962.072 1368484962.073 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 05/13/2013 15:50:42.401 PDT Gen. Time: 05/13/2013 15:50:42.401 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 181.71.137.45 (15:50:42.401 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 34 IPs (33 /24s) (# pkts S/M/O/I=0/34/0/0): 445:34, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (15:50:42.401 PDT) tcpslice 1368485442.401 1368485442.402 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 05/13/2013 15:57:30.220 PDT Gen. Time: 05/13/2013 15:57:30.220 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 181.71.137.45 (15:57:30.220 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 35 IPs (34 /24s) (# pkts S/M/O/I=0/35/0/0): 445:35, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (15:57:30.220 PDT) tcpslice 1368485850.220 1368485850.221 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 05/13/2013 16:01:57.437 PDT Gen. Time: 05/13/2013 16:01:57.437 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 181.71.137.45 (16:01:57.437 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 36 IPs (35 /24s) (# pkts S/M/O/I=0/36/0/0): 445:36, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (16:01:57.437 PDT) tcpslice 1368486117.437 1368486117.438 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 05/13/2013 16:08:43.942 PDT Gen. Time: 05/13/2013 16:08:43.942 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 181.71.137.45 (16:08:43.942 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 37 IPs (36 /24s) (# pkts S/M/O/I=0/37/0/0): 445:37, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (16:08:43.942 PDT) tcpslice 1368486523.942 1368486523.943 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 1.1 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 05/13/2013 17:48:50.377 PDT Gen. Time: 05/13/2013 17:51:27.485 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) 186.115.111.83 (17:48:50.377 PDT) event=777:7777005 {tcp} E5[bh] Detected moderate malware port scanning of 18 IPs (18 /24s) (# pkts S/M/O/I=0/18/0/0): 445:18, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (17:48:50.377 PDT) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 186.115.111.83 (17:51:27.485 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 21 IPs (21 /24s) (# pkts S/M/O/I=0/21/0/0): 445:21, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (17:51:27.485 PDT) tcpslice 1368492530.377 1368492530.378 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 05/13/2013 17:55:01.308 PDT Gen. Time: 05/13/2013 17:55:01.308 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 186.115.111.83 (17:55:01.308 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 22 IPs (22 /24s) (# pkts S/M/O/I=0/22/0/0): 445:22, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (17:55:01.308 PDT) tcpslice 1368492901.308 1368492901.309 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 05/13/2013 17:56:13.636 PDT Gen. Time: 05/13/2013 17:56:13.636 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD