Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 1.160.231.20
Egg Source List: 1.160.231.20
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/16/2013 13:08:27.509 PDT
Gen. Time: 05/16/2013 13:08:31.966 PDT

INBOUND SCAN
EXPLOIT
1.160.231.20 (13:08:27.509 PDT)
  event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
  445<-3179 (13:08:27.509 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
1.160.231.20 (13:08:31.966 PDT)
  event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
  55710<-1623 (13:08:31.966 PDT)
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1368734907.509 1368734907.510 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 95.104.17.132, 116.228.71.226
Egg Source List: 95.104.17.132
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/16/2013 13:51:40.275 PDT
Gen. Time: 05/16/2013 13:55:30.335 PDT

INBOUND SCAN
EXPLOIT
95.104.17.132 (13:55:27.521 PDT)
  event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
  445<-4227 (13:55:27.521 PDT)
116.228.71.226 (13:51:40.275 PDT)
  event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
  445<-17778 (13:51:40.275 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
95.104.17.132 (13:55:30.335 PDT)
  event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
  44847<-1183 (13:55:30.335 PDT)
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1368737500.275 1368737500.276 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 95.87.30.61
Egg Source List: 95.87.30.61
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/16/2013 14:16:26.208 PDT
Gen. Time: 05/16/2013 14:16:30.754 PDT

INBOUND SCAN
EXPLOIT
95.87.30.61 (14:16:26.208 PDT)
  event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
  445<-2742 (14:16:26.208 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
95.87.30.61 (14:16:30.754 PDT)
  event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
  48703<-3468 (14:16:30.754 PDT)
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1368738986.208 1368738986.209 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 190.48.39.183
Egg Source List: 190.48.39.183
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/16/2013 14:29:25.266 PDT
Gen. Time: 05/16/2013 14:29:28.160 PDT

INBOUND SCAN
EXPLOIT
190.48.39.183 (14:29:25.266 PDT)
  event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
  445<-2923 (14:29:25.266 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
190.48.39.183 (14:29:28.160 PDT)
  event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
  53892<-8302 (14:29:28.160 PDT)
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1368739765.266 1368739765.267 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 119.235.15.100
Egg Source List: 119.235.15.100
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/16/2013 14:31:50.441 PDT
Gen. Time: 05/16/2013 14:31:54.012 PDT

INBOUND SCAN
EXPLOIT
119.235.15.100 (14:31:50.441 PDT)
  event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
  445<-2699 (14:31:50.441 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
119.235.15.100 (14:31:54.012 PDT)
  event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
  34632<-4732 (14:31:54.012 PDT)
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1368739910.441 1368739910.442 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 217.218.40.194, 1.165.167.67
Egg Source List: 1.165.167.67
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/16/2013 14:55:17.590 PDT
Gen. Time: 05/16/2013 14:58:06.846 PDT

INBOUND SCAN
EXPLOIT
217.218.40.194 (14:55:17.590 PDT)
  event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
  445<-18936 (14:55:17.590 PDT)
1.165.167.67 (14:58:04.110 PDT)
  event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
  445<-2290 (14:58:04.110 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
1.165.167.67 (14:58:06.846 PDT)
  event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
  33764<-5983 (14:58:06.846 PDT)
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1368741317.590 1368741317.591 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 222.165.168.92
Egg Source List: 222.165.168.92
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/16/2013 15:14:08.485 PDT
Gen. Time: 05/16/2013 15:14:11.599 PDT

INBOUND SCAN
EXPLOIT
222.165.168.92 (15:14:08.485 PDT)
  event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
  445<-4815 (15:14:08.485 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
222.165.168.92 (15:14:11.599 PDT)
  event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
  48892<-5654 (15:14:11.599 PDT)
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1368742448.485 1368742448.486 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 95.104.30.72
Egg Source List: 95.104.30.72
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/16/2013 16:07:24.367 PDT
Gen. Time: 05/16/2013 16:07:27.179 PDT

INBOUND SCAN
EXPLOIT
95.104.30.72 (16:07:24.367 PDT)
  event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
  445<-2051 (16:07:24.367 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
95.104.30.72 (16:07:27.179 PDT)
  event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
  56092<-5813 (16:07:27.179 PDT)
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1368745644.367 1368745644.368 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 1.160.231.20
Egg Source List: 1.160.231.20
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/16/2013 16:49:36.430 PDT
Gen. Time: 05/16/2013 16:49:39.193 PDT

INBOUND SCAN
EXPLOIT
1.160.231.20 (16:49:36.430 PDT)
  event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
  445<-2038 (16:49:36.430 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
1.160.231.20 (16:49:39.193 PDT)
  event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
  53193<-1623 (16:49:39.193 PDT)
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1368748176.430 1368748176.431 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 116.225.59.213
Egg Source List: 116.225.59.213
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/16/2013 16:53:22.772 PDT
Gen. Time: 05/16/2013 16:53:26.858 PDT

INBOUND SCAN
EXPLOIT
116.225.59.213 (16:53:22.772 PDT)
  event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
  445<-4287 (16:53:22.772 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
116.225.59.213 (16:53:26.858 PDT)
  event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
  57185<-5252 (16:53:26.858 PDT)
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1368748402.772 1368748402.773 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 95.87.30.61
Egg Source List: 95.87.30.61
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/16/2013 17:57:36.659 PDT
Gen. Time: 05/16/2013 17:57:39.439 PDT

INBOUND SCAN
EXPLOIT
95.87.30.61 (17:57:36.659 PDT)
  event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
  445<-3997 (17:57:36.659 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
95.87.30.61 (17:57:39.439 PDT)
  event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
  45995<-3468 (17:57:39.439 PDT)
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1368752256.659 1368752256.660 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 87.244.69.192
Egg Source List: 87.244.69.192
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/16/2013 18:01:29.856 PDT
Gen. Time: 05/16/2013 18:01:33.620 PDT

INBOUND SCAN
EXPLOIT
87.244.69.192 (18:01:29.856 PDT)
  event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
  445<-3113 (18:01:29.856 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
87.244.69.192 (18:01:33.620 PDT)
  event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
  38829<-6838 (18:01:33.620 PDT)
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1368752489.856 1368752489.857 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 222.223.188.130, 87.244.69.192
Egg Source List: 87.244.69.192
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/16/2013 18:01:29.856 PDT
Gen. Time: 05/16/2013 18:08:07.802 PDT

INBOUND SCAN
EXPLOIT
222.223.188.130 (18:04:07.605 PDT)
  event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
  445<-29509 (18:04:07.605 PDT)
87.244.69.192 (18:01:29.856 PDT)
  event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
  445<-3113 (18:01:29.856 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
87.244.69.192 (18:01:33.620 PDT)
  event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
  38829<-6838 (18:01:33.620 PDT)
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1368752489.856 1368752489.857 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 183.8.3.220
Egg Source List: 183.8.3.220
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/16/2013 18:45:42.889 PDT
Gen. Time: 05/16/2013 18:45:46.611 PDT

INBOUND SCAN
EXPLOIT
183.8.3.220 (18:45:42.889 PDT)
  event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
  445<-2010 (18:45:42.889 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
183.8.3.220 (18:45:46.611 PDT)
  event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
  44138<-2154 (18:45:46.611 PDT)
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1368755142.889 1368755142.890 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 186.95.9.180, 216.97.128.44, 202.21.186.58
Egg Source List: 186.95.9.180
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/16/2013 19:38:35.328 PDT
Gen. Time: 05/16/2013 19:42:52.847 PDT

INBOUND SCAN
EXPLOIT
186.95.9.180 (19:42:49.069 PDT)
  event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
  445<-2669 (19:42:49.069 PDT)
216.97.128.44 (19:40:03.537 PDT)
  event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
  445<-2788 (19:40:03.537 PDT)
202.21.186.58 (19:38:35.328 PDT)
  event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
  445<-64875 (19:38:35.328 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
186.95.9.180 (19:42:52.847 PDT)
  event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
  54960<-2549 (19:42:52.847 PDT)
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1368758315.328 1368758315.329 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 186.95.9.180, 216.97.128.44, 202.21.186.58, 212.98.161.238
Egg Source List: 186.95.9.180, 212.98.161.238
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/16/2013 19:38:35.328 PDT
Gen. Time: 05/16/2013 19:46:35.026 PDT

INBOUND SCAN
EXPLOIT
186.95.9.180 (19:42:49.069 PDT)
  event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
  445<-2669 (19:42:49.069 PDT)
216.97.128.44 (19:40:03.537 PDT)
  event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
  445<-2788 (19:40:03.537 PDT)
202.21.186.58 (19:38:35.328 PDT)
  event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
  445<-64875 (19:38:35.328 PDT)
212.98.161.238 (19:43:44.529 PDT)
  event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
  445<-1104 (19:43:44.529 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
186.95.9.180 (19:42:52.847 PDT)
  event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
  54960<-2549 (19:42:52.847 PDT)
212.98.161.238 (19:43:47.826 PDT)
  event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
  44960<-3444 (19:43:47.826 PDT)
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1368758315.328 1368758315.329 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 95.104.30.72
Egg Source List: 95.104.30.72
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/16/2013 19:48:36.777 PDT
Gen. Time: 05/16/2013 19:48:39.976 PDT

INBOUND SCAN
EXPLOIT
95.104.30.72 (19:48:36.777 PDT)
  event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
  445<-3929 (19:48:36.777 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
95.104.30.72 (19:48:39.976 PDT)
  event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
  34502<-5813 (19:48:39.976 PDT)
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1368758916.777 1368758916.778 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 77.81.150.50
Egg Source List: 77.81.150.50
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/16/2013 20:24:48.328 PDT
Gen. Time: 05/16/2013 20:24:51.076 PDT

INBOUND SCAN
EXPLOIT
77.81.150.50 (20:24:48.328 PDT)
  event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
  445<-1703 (20:24:48.328 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
77.81.150.50 (20:24:51.076 PDT)
  event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
  50179<-2628 (20:24:51.076 PDT)
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1368761088.328 1368761088.329 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 201.43.137.36
Egg Source List: 201.43.137.36
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/16/2013 20:34:33.660 PDT
Gen. Time: 05/16/2013 20:34:37.002 PDT

INBOUND SCAN
EXPLOIT
201.43.137.36 (20:34:33.660 PDT)
  event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
  445<-1806 (20:34:33.660 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
201.43.137.36 (20:34:37.002 PDT)
  event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
  47079<-2635 (20:34:37.002 PDT)
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1368761673.660 1368761673.661 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 116.225.59.213
Egg Source List: 116.225.59.213
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/16/2013 20:58:53.227 PDT
Gen. Time: 05/16/2013 20:58:56.699 PDT

INBOUND SCAN
EXPLOIT
116.225.59.213 (20:58:53.227 PDT)
  event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
  445<-3002 (20:58:53.227 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
116.225.59.213 (20:58:56.699 PDT)
  event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
  40708<-5252 (20:58:56.699 PDT)
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1368763133.227 1368763133.228 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 117.194.120.16
Egg Source List: 117.194.120.16
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/16/2013 21:31:22.228 PDT
Gen. Time: 05/16/2013 21:31:26.023 PDT

INBOUND SCAN
EXPLOIT
117.194.120.16 (21:31:22.228 PDT)
  event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
  445<-1861 (21:31:22.228 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
117.194.120.16 (21:31:26.023 PDT)
  event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
  51366<-9791 (21:31:26.023 PDT)
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1368765082.228 1368765082.229 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 183.8.110.149
Egg Source List: 183.8.110.149
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/16/2013 21:40:15.423 PDT
Gen. Time: 05/16/2013 21:40:18.208 PDT

INBOUND SCAN
EXPLOIT
183.8.110.149 (21:40:15.423 PDT)
  event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
  445<-3929 (21:40:15.423 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
183.8.110.149 (21:40:18.208 PDT)
  event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
  53212<-2154 (21:40:18.208 PDT)
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1368765615.423 1368765615.424 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 183.8.110.149, 87.244.69.192
Egg Source List: 183.8.110.149, 87.244.69.192
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/16/2013 21:40:15.423 PDT
Gen. Time: 05/16/2013 22:37:09.693 PDT

INBOUND SCAN
EXPLOIT
183.8.110.149 (16) (21:40:15.423 PDT)
  event=1:22009201 (16) {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
  445<-3929 (21:40:15.423 PDT)
  445<-1792 (21:40:54.346 PDT)
  445<-3600 (21:41:25.783 PDT)
  445<-1627 (21:42:02.501 PDT)
  445<-4163 (21:42:45.629 PDT)
  445<-2322 (21:43:20.844 PDT)
  445<-4313 (21:43:58.547 PDT)
  445<-1897 (21:44:24.773 PDT)
  445<-4434 (21:45:08.860 PDT)
  445<-2990 (21:45:51.988 PDT)
  445<-1231 (21:46:28.222 PDT)
  445<-4036 (21:47:16.816 PDT)
  445<-2272 (21:47:56.140 PDT)
  445<-4149 (21:48:28.078 PDT)
  445<-2545 (21:49:10.063 PDT)
  445<-4378 (21:49:43.094 PDT)
87.244.69.192 (21:40:41.091 PDT)
  event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
  445<-3344 (21:40:41.091 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
183.8.110.149 (16) (21:40:18.208 PDT)
  event=1:2001685 (16) {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
  53212<-2154 (21:40:18.208 PDT)
  53220<-2154 (21:40:59.836 PDT)
  53228<-2154 (21:41:28.959 PDT)
  53245<-2154 (21:42:06.163 PDT)
  53259<-2154 (21:42:48.513 PDT)
  53274<-2154 (21:43:25.163 PDT)
  53283<-2154 (21:44:01.443 PDT)
  53287<-2154 (21:44:29.804 PDT)
  49851<-2154 (21:45:11.802 PDT)
  49859<-2154 (21:45:54.865 PDT)
  49869<-2154 (21:46:31.750 PDT)
  49911<-2154 (21:47:19.898 PDT)
  49925<-2154 (21:47:58.915 PDT)
  49935<-2154 (21:48:31.083 PDT)
  49946<-2154 (21:49:12.915 PDT)
  54934<-2154 (21:49:46.958 PDT)
87.244.69.192 (21:40:45.795 PDT)
  event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
  47212<-6838 (21:40:45.795 PDT)
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1368765615.423 1368765615.424 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 183.8.110.149
Egg Source List: 183.8.110.149
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/16/2013 22:43:37.566 PDT
Gen. Time: 05/16/2013 22:43:40.604 PDT

INBOUND SCAN
EXPLOIT
183.8.110.149 (22:43:37.566 PDT)
  event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
  445<-1085 (22:43:37.566 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
183.8.110.149 (22:43:40.604 PDT)
  event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
  47508<-2154 (22:43:40.604 PDT)
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1368769417.566 1368769417.567 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================