Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 68.112.249.2
Egg Source List: 68.112.249.2
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/17/2013 00:16:39.189 PDT
Gen. Time: 05/17/2013 00:16:41.823 PDT
INBOUND SCAN
EXPLOIT
68.112.249.2 (00:16:39.189 PDT)
  event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
  445<-1328 (00:16:39.189 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
68.112.249.2 (00:16:41.823 PDT)
  event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
  40266<-6364 (00:16:41.823 PDT)
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1368774999.189 1368774999.190 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 118.166.103.163, 68.112.249.2
Egg Source List: 118.166.103.163, 68.112.249.2
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/17/2013 00:16:39.189 PDT
Gen. Time: 05/17/2013 00:22:06.004 PDT
INBOUND SCAN
EXPLOIT
118.166.103.163 (00:18:02.287 PDT)
  event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
  445<-2530 (00:18:02.287 PDT)
68.112.249.2 (00:16:39.189 PDT)
  event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
  445<-1328 (00:16:39.189 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
118.166.103.163 (00:18:04.987 PDT)
  event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
  57502<-6409 (00:18:04.987 PDT)
68.112.249.2 (00:16:41.823 PDT)
  event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
  40266<-6364 (00:16:41.823 PDT)
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1368774999.189 1368774999.190 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 89.44.46.200
Egg Source List: 89.44.46.200
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/17/2013 00:27:20.864 PDT
Gen. Time: 05/17/2013 00:27:24.066 PDT
INBOUND SCAN
EXPLOIT
89.44.46.200 (00:27:20.864 PDT)
  event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
  445<-3686 (00:27:20.864 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
89.44.46.200 (00:27:24.066 PDT)
  event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
  52497<-9444 (00:27:24.066 PDT)
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1368775640.864 1368775640.865 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 89.44.46.200, 114.46.213.112, 111.255.219.251
Egg Source List: 89.44.46.200, 114.46.213.112, 111.255.219.251
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/17/2013 00:27:20.864 PDT
Gen. Time: 05/17/2013 00:34:38.954 PDT
INBOUND SCAN
EXPLOIT
89.44.46.200 (00:27:20.864 PDT)
  event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
  445<-3686 (00:27:20.864 PDT)
114.46.213.112 (00:27:52.438 PDT)
  event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
  445<-20760 (00:27:52.438 PDT)
111.255.219.251 (00:30:09.806 PDT)
  event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
  445<-4240 (00:30:09.806 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
89.44.46.200 (00:27:24.066 PDT)
  event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
  52497<-9444 (00:27:24.066 PDT)
114.46.213.112 (00:27:55.022 PDT)
  event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
  54541<-7496 (00:27:55.022 PDT)
111.255.219.251 (00:30:12.462 PDT)
  event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
  47324<-3511 (00:30:12.462 PDT)
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1368775640.864 1368775640.865 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 36.233.104.107
Egg Source List: 36.233.104.107
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/17/2013 01:26:15.201 PDT
Gen. Time: 05/17/2013 01:26:18.632 PDT
INBOUND SCAN
EXPLOIT
36.233.104.107 (01:26:15.201 PDT)
  event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
  445<-1391 (01:26:15.201 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
36.233.104.107 (01:26:18.632 PDT)
  event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
  35953<-1233 (01:26:18.632 PDT)
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1368779175.201 1368779175.202 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 36.233.104.107, 93.80.178.182
Egg Source List: 36.233.104.107, 93.80.178.182
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/17/2013 01:26:15.201 PDT
Gen. Time: 05/17/2013 01:32:49.599 PDT
INBOUND SCAN
EXPLOIT
36.233.104.107 (01:26:15.201 PDT)
  event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
  445<-1391 (01:26:15.201 PDT)
93.80.178.182 (01:28:38.314 PDT)
  event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
  445<-1751 (01:28:38.314 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
36.233.104.107 (01:26:18.632 PDT)
  event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
  35953<-1233 (01:26:18.632 PDT)
93.80.178.182 (01:28:40.963 PDT)
  event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
  55019<-3592 (01:28:40.963 PDT)
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1368779175.201 1368779175.202 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 5.248.88.205
Egg Source List: 5.248.88.205
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/17/2013 01:35:29.898 PDT
Gen. Time: 05/17/2013 01:35:32.628 PDT
INBOUND SCAN
EXPLOIT
5.248.88.205 (01:35:29.898 PDT)
  event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
  445<-2773 (01:35:29.898 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
5.248.88.205 (01:35:32.628 PDT)
  event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
  47691<-4043 (01:35:32.628 PDT)
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1368779729.898 1368779729.899 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 5.248.88.205, 111.248.51.198, 115.91.89.99
Egg Source List: 5.248.88.205, 111.248.51.198, 115.91.89.99
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/17/2013 01:35:29.898 PDT
Gen. Time: 05/17/2013 01:42:06.673 PDT
INBOUND SCAN
EXPLOIT
5.248.88.205 (01:35:29.898 PDT)
  event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
  445<-2773 (01:35:29.898 PDT)
111.248.51.198 (01:38:25.947 PDT)
  event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
  445<-4998 (01:38:25.947 PDT)
115.91.89.99 (01:35:47.074 PDT)
  event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
  445<-3731 (01:35:47.074 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
5.248.88.205 (01:35:32.628 PDT)
  event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
  47691<-4043 (01:35:32.628 PDT)
111.248.51.198 (01:38:28.637 PDT)
  event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
  34415<-8751 (01:38:28.637 PDT)
115.91.89.99 (2) (01:35:50.346 PDT)
  event=1:2001683 {tcp} E3[rb] ET MALWARE Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
  54942<-80 (01:35:50.346 PDT)
  -------------------------
  event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
  54942<-80 (01:35:50.346 PDT)
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1368779729.898 1368779729.899 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 183.8.110.149
Egg Source List: 183.8.110.149
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/17/2013 01:59:25.480 PDT
Gen. Time: 05/17/2013 01:59:29.622 PDT
INBOUND SCAN
EXPLOIT
183.8.110.149 (01:59:25.480 PDT)
  event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
  445<-4216 (01:59:25.480 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
183.8.110.149 (01:59:29.622 PDT)
  event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
  37609<-2154 (01:59:29.622 PDT)
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1368781165.480 1368781165.481 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 213.56.95.68
Egg Source List: 213.56.95.68
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/17/2013 02:04:35.792 PDT
Gen. Time: 05/17/2013 02:04:38.398 PDT
INBOUND SCAN
EXPLOIT
213.56.95.68 (02:04:35.792 PDT)
  event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
  445<-1473 (02:04:35.792 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
213.56.95.68 (02:04:38.398 PDT)
  event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
  52696<-3790 (02:04:38.398 PDT)
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1368781475.792 1368781475.793 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 84.124.4.242, 95.24.96.198, 213.56.95.68, 79.30.80.164
Egg Source List: 84.124.4.242, 95.24.96.198, 213.56.95.68, 79.30.80.164
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/17/2013 02:04:35.792 PDT
Gen. Time: 05/17/2013 02:10:42.513 PDT
INBOUND SCAN
EXPLOIT
84.124.4.242 (02:05:59.624 PDT)
  event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
  445<-1743 (02:05:59.624 PDT)
95.24.96.198 (02:06:08.283 PDT)
  event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
  445<-2440 (02:06:08.283 PDT)
213.56.95.68 (02:04:35.792 PDT)
  event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
  445<-1473 (02:04:35.792 PDT)
79.30.80.164 (02:05:53.744 PDT)
  event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
  445<-4101 (02:05:53.744 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
84.124.4.242 (02:06:03.174 PDT)
  event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
  58132<-3115 (02:06:03.174 PDT)
95.24.96.198 (02:06:11.178 PDT)
  event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
  55291<-8933 (02:06:11.178 PDT)
213.56.95.68 (02:04:38.398 PDT)
  event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
  52696<-3790 (02:04:38.398 PDT)
79.30.80.164 (02:05:57.242 PDT)
  event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
  51369<-1365 (02:05:57.242 PDT)
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1368781475.792 1368781475.793 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 61.227.73.145, 200.62.17.234
Egg Source List: 61.227.73.145
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/17/2013 02:13:55.555 PDT
Gen. Time: 05/17/2013 02:14:44.689 PDT
INBOUND SCAN
EXPLOIT
61.227.73.145 (02:14:42.066 PDT)
  event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
  445<-2812 (02:14:42.066 PDT)
200.62.17.234 (02:13:55.555 PDT)
  event=1:22465 {tcp} E2[rb] GPL NETBIOS SMB-DS IPC$ share access, [] MAC_Dst: 00:21:5A:08:EC:40
  445<-2866 (02:13:55.555 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
61.227.73.145 (02:14:44.689 PDT)
  event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
  60004<-2947 (02:14:44.689 PDT)
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1368782035.555 1368782035.556 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 92.124.11.103
Egg Source List: 92.124.11.103
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/17/2013 02:18:04.598 PDT
Gen. Time: 05/17/2013 02:18:07.985 PDT
INBOUND SCAN
EXPLOIT
92.124.11.103 (02:18:04.598 PDT)
  event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
  445<-1033 (02:18:04.598 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
92.124.11.103 (02:18:07.985 PDT)
  event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
  49695<-5012 (02:18:07.985 PDT)
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1368782284.598 1368782284.599 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 177.131.206.121
Egg Source List: 177.131.206.121
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/17/2013 02:56:15.650 PDT
Gen. Time: 05/17/2013 02:56:18.417 PDT
INBOUND SCAN
EXPLOIT
177.131.206.121 (02:56:15.650 PDT)
  event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
  445<-1758 (02:56:15.650 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
177.131.206.121 (02:56:18.417 PDT)
  event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
  55649<-6622 (02:56:18.417 PDT)
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1368784575.650 1368784575.651 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 198.211.22.134
Egg Source List: 198.211.22.134
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/17/2013 03:26:29.531 PDT
Gen. Time: 05/17/2013 03:26:31.863 PDT
INBOUND SCAN
EXPLOIT
198.211.22.134 (03:26:29.531 PDT)
  event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
  445<-1184 (03:26:29.531 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
198.211.22.134 (03:26:31.863 PDT)
  event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
  38182<-6877 (03:26:31.863 PDT)
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1368786389.531 1368786389.532 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 109.121.248.86
Egg Source List: 109.121.248.86
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/17/2013 03:29:47.786 PDT
Gen. Time: 05/17/2013 03:29:51.205 PDT
INBOUND SCAN
EXPLOIT
109.121.248.86 (03:29:47.786 PDT)
  event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
  445<-1074 (03:29:47.786 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
109.121.248.86 (03:29:51.205 PDT)
  event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
  37894<-6115 (03:29:51.205 PDT)
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1368786587.786 1368786587.787 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 211.40.183.26
Egg Source List: 211.40.183.26
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/17/2013 03:38:30.917 PDT
Gen. Time: 05/17/2013 03:38:33.563 PDT
INBOUND SCAN
EXPLOIT
211.40.183.26 (03:38:30.917 PDT)
  event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
  445<-2656 (03:38:30.917 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
211.40.183.26 (03:38:33.563 PDT)
  event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
  46070<-4402 (03:38:33.563 PDT)
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1368787110.917 1368787110.918 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 213.79.117.178
Egg Source List: 213.79.117.178
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/17/2013 03:44:47.437 PDT
Gen. Time: 05/17/2013 03:44:50.093 PDT
INBOUND SCAN
EXPLOIT
213.79.117.178 (03:44:47.437 PDT)
  event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
  445<-4153 (03:44:47.437 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
213.79.117.178 (03:44:50.093 PDT)
  event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
  37039<-4877 (03:44:50.093 PDT)
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1368787487.437 1368787487.438 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 213.79.117.178, 12.30.25.228
Egg Source List: 213.79.117.178
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/17/2013 03:44:47.437 PDT
Gen. Time: 05/17/2013 03:49:19.705 PDT
INBOUND SCAN
EXPLOIT
213.79.117.178 (03:44:47.437 PDT)
  event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
  445<-4153 (03:44:47.437 PDT)
12.30.25.228 (03:45:38.393 PDT)
  event=1:22465 {tcp} E2[rb] GPL NETBIOS SMB-DS IPC$ share access, [] MAC_Dst: 00:21:5A:08:EC:40
  445<-55335 (03:45:38.393 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
213.79.117.178 (03:44:50.093 PDT)
  event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
  37039<-4877 (03:44:50.093 PDT)
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1368787487.437 1368787487.438 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 115.89.181.82
Egg Source List: 115.89.181.82
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/17/2013 03:52:18.614 PDT
Gen. Time: 05/17/2013 03:52:21.244 PDT
INBOUND SCAN
EXPLOIT
115.89.181.82 (03:52:18.614 PDT)
  event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
  445<-2748 (03:52:18.614 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
115.89.181.82 (03:52:21.244 PDT)
  event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
  57217<-7527 (03:52:21.244 PDT)
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1368787938.614 1368787938.615 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 68.112.249.2
Egg Source List: 68.112.249.2
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/17/2013 03:57:51.011 PDT
Gen. Time: 05/17/2013 03:57:53.483 PDT
INBOUND SCAN
EXPLOIT
68.112.249.2 (03:57:51.011 PDT)
  event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
  445<-2049 (03:57:51.011 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
68.112.249.2 (03:57:53.483 PDT)
  event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
  52482<-6364 (03:57:53.483 PDT)
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1368788271.011 1368788271.012 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 72.89.199.118, 68.112.249.2
Egg Source List: 68.112.249.2
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/17/2013 03:57:51.011 PDT
Gen. Time: 05/17/2013 04:02:17.945 PDT
INBOUND SCAN
EXPLOIT
72.89.199.118 (03:59:32.802 PDT)
  event=1:22465 {tcp} E2[rb] GPL NETBIOS SMB-DS IPC$ share access, [] MAC_Dst: 00:21:5A:08:EC:40
  445<-51000 (03:59:32.802 PDT)
68.112.249.2 (03:57:51.011 PDT)
  event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
  445<-2049 (03:57:51.011 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
68.112.249.2 (03:57:53.483 PDT)
  event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
  52482<-6364 (03:57:53.483 PDT)
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1368788271.011 1368788271.012 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 141.255.161.76
Egg Source List: 141.255.161.76
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/17/2013 04:03:16.924 PDT
Gen. Time: 05/17/2013 04:03:19.703 PDT
INBOUND SCAN
EXPLOIT
141.255.161.76 (04:03:16.924 PDT)
  event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
  445<-2942 (04:03:16.924 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
141.255.161.76 (04:03:19.703 PDT)
  event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
  56158<-8269 (04:03:19.703 PDT)
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1368788596.924 1368788596.925 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 216.93.141.144, 114.46.213.112, 178.79.30.1
Egg Source List: 114.46.213.112
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/17/2013 04:09:02.481 PDT
Gen. Time: 05/17/2013 04:11:42.165 PDT
INBOUND SCAN
EXPLOIT
216.93.141.144 (04:09:02.481 PDT)
  event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
  445<-3569 (04:09:02.481 PDT)
114.46.213.112 (04:11:38.662 PDT)
  event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
  445<-28627 (04:11:38.662 PDT)
178.79.30.1 (04:11:25.861 PDT)
  event=1:22465 {tcp} E2[rb] GPL NETBIOS SMB-DS IPC$ share access, [] MAC_Dst: 00:21:5A:08:EC:40
  445<-2037 (04:11:25.861 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
114.46.213.112 (04:11:42.165 PDT)
  event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
  41831<-7496 (04:11:42.165 PDT)
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1368788942.481 1368788942.482 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 216.93.141.144, 46.34.123.2, 114.46.213.112, 178.79.30.1, 111.255.219.251
Egg Source List: 46.34.123.2, 114.46.213.112, 111.255.219.251
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/17/2013 04:09:02.481 PDT
Gen. Time: 05/17/2013 04:20:16.040 PDT
INBOUND SCAN
EXPLOIT
216.93.141.144 (04:09:02.481 PDT)
  event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
  445<-3569 (04:09:02.481 PDT)
46.34.123.2 (04:13:29.124 PDT)
  event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
  445<-7605 (04:13:29.124 PDT)
114.46.213.112 (04:11:38.662 PDT)
  event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
  445<-28627 (04:11:38.662 PDT)
178.79.30.1 (04:11:25.861 PDT)
  event=1:22465 {tcp} E2[rb] GPL NETBIOS SMB-DS IPC$ share access, [] MAC_Dst: 00:21:5A:08:EC:40
  445<-2037 (04:11:25.861 PDT)
111.255.219.251 (04:16:10.940 PDT)
  event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
  445<-3584 (04:16:10.940 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
46.34.123.2 (04:13:33.085 PDT)
  event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
  46627<-9645 (04:13:33.085 PDT)
114.46.213.112 (04:11:42.165 PDT)
  event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
  41831<-7496 (04:11:42.165 PDT)
111.255.219.251 (04:16:13.694 PDT)
  event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
  48958<-3511 (04:16:13.694 PDT)
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1368788942.481 1368788942.482 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 123.141.232.61
Egg Source List: 123.141.232.61
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/17/2013 04:23:56.047 PDT
Gen. Time: 05/17/2013 04:23:58.742 PDT
INBOUND SCAN
EXPLOIT
123.141.232.61 (04:23:56.047 PDT)
  event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
  445<-2777 (04:23:56.047 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
123.141.232.61 (04:23:58.742 PDT)
  event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
  58486<-7033 (04:23:58.742 PDT)
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1368789836.047 1368789836.048 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 197.28.183.174, 118.166.103.163
Egg Source List: 118.166.103.163
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/17/2013 04:42:10.150 PDT
Gen.
Time: 05/17/2013 04:43:33.574 PDT INBOUND SCAN EXPLOIT 197.28.183.174 (04:42:10.150 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-3466 (04:42:10.150 PDT) 118.166.103.163 (04:43:30.108 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-4153 (04:43:30.108 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 118.166.103.163 (04:43:33.574 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 56602<-6409 (04:43:33.574 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368790930.150 1368790930.151 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 118.168.126.241 Egg Source List: 118.168.126.241 C & C List: Peer Coord. List: Resource List: Observed Start: 05/17/2013 04:56:50.110 PDT Gen. 
Time: 05/17/2013 04:56:52.727 PDT INBOUND SCAN EXPLOIT 118.168.126.241 (04:56:50.110 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-2023 (04:56:50.110 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 118.168.126.241 (04:56:52.727 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 35577<-8439 (04:56:52.727 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368791810.110 1368791810.111 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 118.168.126.241, 181.65.255.40 Egg Source List: 118.168.126.241, 181.65.255.40 C & C List: Peer Coord. List: Resource List: Observed Start: 05/17/2013 04:56:50.110 PDT Gen. 
Time: 05/17/2013 05:01:10.095 PDT INBOUND SCAN EXPLOIT 118.168.126.241 (04:56:50.110 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-2023 (04:56:50.110 PDT) 181.65.255.40 (04:56:59.444 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-3381 (04:56:59.444 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 118.168.126.241 (04:56:52.727 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 35577<-8439 (04:56:52.727 PDT) 181.65.255.40 (04:57:02.074 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 45569<-8865 (04:57:02.074 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368791810.110 1368791810.111 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 178.77.133.93 Egg Source List: 178.77.133.93 C & C List: Peer Coord. List: Resource List: Observed Start: 05/17/2013 05:13:23.222 PDT Gen. 
Time: 05/17/2013 05:13:28.146 PDT INBOUND SCAN EXPLOIT 178.77.133.93 (05:13:23.222 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-3262 (05:13:23.222 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 178.77.133.93 (05:13:28.146 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 51911<-9744 (05:13:28.146 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368792803.222 1368792803.223 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 78.106.138.33 Egg Source List: 78.106.138.33 C & C List: Peer Coord. List: Resource List: Observed Start: 05/17/2013 05:29:43.242 PDT Gen. 
Time: 05/17/2013 05:29:45.952 PDT INBOUND SCAN EXPLOIT 78.106.138.33 (05:29:43.242 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-4456 (05:29:43.242 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 78.106.138.33 (05:29:45.952 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 50041<-4780 (05:29:45.952 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368793783.242 1368793783.243 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 78.106.138.33, 178.144.8.77 Egg Source List: 78.106.138.33, 178.144.8.77 C & C List: Peer Coord. List: Resource List: Observed Start: 05/17/2013 05:29:43.242 PDT Gen. 
Time: 05/17/2013 05:36:29.624 PDT INBOUND SCAN EXPLOIT 78.106.138.33 (05:29:43.242 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-4456 (05:29:43.242 PDT) 178.144.8.77 (05:32:55.475 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-1626 (05:32:55.475 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 78.106.138.33 (05:29:45.952 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 50041<-4780 (05:29:45.952 PDT) 178.144.8.77 (05:32:58.922 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 40704<-9461 (05:32:58.922 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368793783.242 1368793783.243 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 93.80.178.182 Egg Source List: 93.80.178.182 C & C List: Peer Coord. List: Resource List: Observed Start: 05/17/2013 05:53:39.605 PDT Gen. 
Time: 05/17/2013 05:53:43.507 PDT INBOUND SCAN EXPLOIT 93.80.178.182 (05:53:39.605 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-2934 (05:53:39.605 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 93.80.178.182 (05:53:43.507 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 34666<-3592 (05:53:43.507 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368795219.605 1368795219.606 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 93.80.178.182, 79.30.80.164, 61.227.73.145, 59.125.123.7 Egg Source List: 93.80.178.182, 79.30.80.164, 61.227.73.145, 59.125.123.7 C & C List: Peer Coord. List: Resource List: Observed Start: 05/17/2013 05:53:39.605 PDT Gen. 
Time: 05/17/2013 06:04:29.267 PDT INBOUND SCAN EXPLOIT 93.80.178.182 (05:53:39.605 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-2934 (05:53:39.605 PDT) 79.30.80.164 (05:58:33.834 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-1805 (05:58:33.834 PDT) 61.227.73.145 (06:00:26.408 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-1819 (06:00:26.408 PDT) 59.125.123.7 (05:54:38.289 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-1646 (05:54:38.289 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 93.80.178.182 (05:53:43.507 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 34666<-3592 (05:53:43.507 PDT) 79.30.80.164 (05:58:37.019 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 32829<-1365 (05:58:37.019 PDT) 61.227.73.145 (06:00:29.074 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 50987<-2947 (06:00:29.074 PDT) 59.125.123.7 (05:54:42.991 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 57438<-8709 (05:54:42.991 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368795219.605 1368795219.606 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR 
================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 212.166.58.62, 77.45.27.172 Egg Source List: 77.45.27.172 C & C List: Peer Coord. List: Resource List: Observed Start: 05/17/2013 06:06:13.795 PDT Gen. Time: 05/17/2013 06:08:11.082 PDT INBOUND SCAN EXPLOIT 212.166.58.62 (06:06:13.795 PDT) event=1:22465 {tcp} E2[rb] GPL NETBIOS SMB-DS IPC$ share access, [] MAC_Dst: 00:21:5A:08:EC:40 445<-4654 (06:06:13.795 PDT) 77.45.27.172 (06:08:07.517 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-1153 (06:08:07.517 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 77.45.27.172 (06:08:11.082 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 59517<-7659 (06:08:11.082 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368795973.795 1368795973.796 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 212.233.144.186 Egg Source List: 212.233.144.186 C & C List: Peer Coord. List: Resource List: Observed Start: 05/17/2013 06:21:15.496 PDT Gen. 
Time: 05/17/2013 06:21:18.297 PDT INBOUND SCAN EXPLOIT 212.233.144.186 (06:21:15.496 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-3906 (06:21:15.496 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 212.233.144.186 (06:21:18.297 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 45198<-1355 (06:21:18.297 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368796875.496 1368796875.497 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 91.67.182.33 Egg Source List: 91.67.182.33 C & C List: Peer Coord. List: Resource List: Observed Start: 05/17/2013 06:27:29.955 PDT Gen. 
Time: 05/17/2013 06:27:33.116 PDT INBOUND SCAN EXPLOIT 91.67.182.33 (06:27:29.955 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-4028 (06:27:29.955 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 91.67.182.33 (06:27:33.116 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 47083<-3946 (06:27:33.116 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368797249.955 1368797249.956 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 190.78.38.195 Egg Source List: 190.78.38.195 C & C List: Peer Coord. List: Resource List: Observed Start: 05/17/2013 06:47:40.253 PDT Gen. 
Time: 05/17/2013 06:47:42.898 PDT INBOUND SCAN EXPLOIT 190.78.38.195 (06:47:40.253 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-3421 (06:47:40.253 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 190.78.38.195 (06:47:42.898 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 53065<-5227 (06:47:42.898 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368798460.253 1368798460.254 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 109.184.179.86 Egg Source List: 109.184.179.86 C & C List: Peer Coord. List: Resource List: Observed Start: 05/17/2013 06:53:21.127 PDT Gen. 
Time: 05/17/2013 06:53:25.311 PDT INBOUND SCAN EXPLOIT 109.184.179.86 (06:53:21.127 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-2298 (06:53:21.127 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 109.184.179.86 (06:53:25.311 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 42768<-6502 (06:53:25.311 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368798801.127 1368798801.128 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 198.211.22.134 Egg Source List: 198.211.22.134 C & C List: Peer Coord. List: Resource List: Observed Start: 05/17/2013 07:07:34.337 PDT Gen. 
Time: 05/17/2013 07:07:37.668 PDT INBOUND SCAN EXPLOIT 198.211.22.134 (07:07:34.337 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-4709 (07:07:34.337 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 198.211.22.134 (07:07:37.668 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 47294<-6877 (07:07:37.668 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368799654.337 1368799654.338 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 213.79.117.178 Egg Source List: 213.79.117.178 C & C List: Peer Coord. List: Resource List: Observed Start: 05/17/2013 07:25:56.745 PDT Gen. 
Time: 05/17/2013 07:26:01.054 PDT INBOUND SCAN EXPLOIT 213.79.117.178 (07:25:56.745 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-2404 (07:25:56.745 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 213.79.117.178 (07:26:01.054 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 53784<-4877 (07:26:01.054 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368800756.745 1368800756.746 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 141.255.161.76 Egg Source List: 141.255.161.76 C & C List: Peer Coord. List: Resource List: Observed Start: 05/17/2013 07:44:27.053 PDT Gen. 
Time: 05/17/2013 07:44:30.040 PDT INBOUND SCAN EXPLOIT 141.255.161.76 (07:44:27.053 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-3383 (07:44:27.053 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 141.255.161.76 (07:44:30.040 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 58899<-8269 (07:44:30.040 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368801867.053 1368801867.054 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 82.211.135.29, 141.255.161.76, 128.69.104.65 Egg Source List: 82.211.135.29, 141.255.161.76, 128.69.104.65 C & C List: Peer Coord. List: Resource List: Observed Start: 05/17/2013 07:44:27.053 PDT Gen. 
Time: 05/17/2013 07:49:49.574 PDT INBOUND SCAN EXPLOIT 82.211.135.29 (07:45:46.495 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-4737 (07:45:46.495 PDT) 141.255.161.76 (07:44:27.053 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-3383 (07:44:27.053 PDT) 128.69.104.65 (07:44:36.673 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-1521 (07:44:36.673 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 82.211.135.29 (07:45:49.210 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 52443<-6786 (07:45:49.210 PDT) 141.255.161.76 (07:44:30.040 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 58899<-8269 (07:44:30.040 PDT) 128.69.104.65 (07:44:40.552 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 55757<-8933 (07:44:40.552 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368801867.053 1368801867.054 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 46.34.123.2 Egg Source List: 46.34.123.2 C & C List: Peer Coord. List: Resource List: Observed Start: 05/17/2013 07:54:43.020 PDT Gen. 
Time: 05/17/2013 07:54:46.001 PDT INBOUND SCAN EXPLOIT 46.34.123.2 (07:54:43.020 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-40703 (07:54:43.020 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 46.34.123.2 (07:54:46.001 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 54049<-9645 (07:54:46.001 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368802483.020 1368802483.021 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 128.69.104.65 Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 05/17/2013 07:58:49.786 PDT Gen. 
Time: 05/17/2013 07:59:34.993 PDT INBOUND SCAN EXPLOIT 128.69.104.65 (07:59:34.993 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-3888 (07:59:34.993 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN 115.168.71.84 (07:58:49.786 PDT) event=1:2012204 {udp} E5[rb] ET SCAN Modified Sipvicious Sundayddr Scanner, [] MAC_Src: 00:21:5A:08:EC:40 5060->5060 (07:58:49.786 PDT) ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368802729.786 1368802729.787 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 1.3 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 95.9.112.60, 128.69.104.65 Egg Source List: 128.69.104.65 C & C List: Peer Coord. List: Resource List: Observed Start: 05/17/2013 07:58:49.786 PDT Gen. 
Time: 05/17/2013 08:04:16.767 PDT INBOUND SCAN EXPLOIT 95.9.112.60 (08:00:11.789 PDT) event=1:22465 {tcp} E2[rb] GPL NETBIOS SMB-DS IPC$ share access, [] MAC_Dst: 00:21:5A:08:EC:40 445<-60124 (08:00:11.789 PDT) 128.69.104.65 (07:59:34.993 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-3888 (07:59:34.993 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 128.69.104.65 (07:59:38.164 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 41500<-8933 (07:59:38.164 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN 115.168.71.84 (07:58:49.786 PDT) event=1:2012204 {udp} E5[rb] ET SCAN Modified Sipvicious Sundayddr Scanner, [] MAC_Src: 00:21:5A:08:EC:40 5060->5060 (07:58:49.786 PDT) ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368802729.786 1368802729.787 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 128.69.104.65 Egg Source List: 128.69.104.65 C & C List: Peer Coord. List: Resource List: Observed Start: 05/17/2013 08:13:39.515 PDT Gen. 
Time: 05/17/2013 08:13:42.837 PDT INBOUND SCAN EXPLOIT 128.69.104.65 (08:13:39.515 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-1637 (08:13:39.515 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 128.69.104.65 (08:13:42.837 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 60055<-8933 (08:13:42.837 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368803619.515 1368803619.516 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 115.89.181.82 Egg Source List: 115.89.181.82 C & C List: Peer Coord. List: Resource List: Observed Start: 05/17/2013 08:17:50.163 PDT Gen. 
Time: 05/17/2013 08:17:52.885 PDT INBOUND SCAN EXPLOIT 115.89.181.82 (08:17:50.163 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-1332 (08:17:50.163 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 115.89.181.82 (08:17:52.885 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 46823<-7527 (08:17:52.885 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368803870.163 1368803870.164 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 128.69.104.65 Egg Source List: 128.69.104.65 C & C List: Peer Coord. List: Resource List: Observed Start: 05/17/2013 08:26:15.765 PDT Gen. 
Time: 05/17/2013 08:26:19.645 PDT INBOUND SCAN EXPLOIT 128.69.104.65 (08:26:15.765 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-2262 (08:26:15.765 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 128.69.104.65 (08:26:19.645 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 56465<-8933 (08:26:19.645 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368804375.765 1368804375.766 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 128.69.104.65 Egg Source List: 128.69.104.65 C & C List: Peer Coord. List: Resource List: Observed Start: 05/17/2013 08:37:31.051 PDT Gen. 
Time: 05/17/2013 08:37:34.786 PDT INBOUND SCAN EXPLOIT 128.69.104.65 (08:37:31.051 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-2129 (08:37:31.051 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 128.69.104.65 (08:37:34.786 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 34784<-8933 (08:37:34.786 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368805051.051 1368805051.052 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 181.65.255.40, 128.69.104.65 Egg Source List: 181.65.255.40, 128.69.104.65 C & C List: Peer Coord. List: Resource List: Observed Start: 05/17/2013 08:37:31.051 PDT Gen. 
Time: 05/17/2013 08:42:21.963 PDT INBOUND SCAN EXPLOIT 181.65.255.40 (08:38:11.923 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-2080 (08:38:11.923 PDT) 128.69.104.65 (08:37:31.051 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-2129 (08:37:31.051 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 181.65.255.40 (08:38:14.853 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 45070<-8865 (08:38:14.853 PDT) 128.69.104.65 (08:37:34.786 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 34784<-8933 (08:37:34.786 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368805051.051 1368805051.052 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 128.69.104.65 Egg Source List: 128.69.104.65 C & C List: Peer Coord. List: Resource List: Observed Start: 05/17/2013 08:48:43.015 PDT Gen. 
Time: 05/17/2013 08:48:46.060 PDT INBOUND SCAN EXPLOIT 128.69.104.65 (08:48:43.015 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-2367 (08:48:43.015 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 128.69.104.65 (08:48:46.060 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 33471<-8933 (08:48:46.060 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368805723.015 1368805723.016 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 80.209.83.214, 128.69.104.65 Egg Source List: 128.69.104.65 C & C List: Peer Coord. List: Resource List: Observed Start: 05/17/2013 09:01:45.587 PDT Gen. 
Time: 05/17/2013 09:02:05.383 PDT INBOUND SCAN EXPLOIT 80.209.83.214 (09:01:45.587 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-3806 (09:01:45.587 PDT) 128.69.104.65 (09:01:52.225 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-2601 (09:01:52.225 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 128.69.104.65 (09:02:05.383 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 33858<-8933 (09:02:05.383 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368806505.587 1368806505.588 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 46.237.45.64 Egg Source List: 46.237.45.64 C & C List: Peer Coord. List: Resource List: Observed Start: 05/17/2013 09:11:50.283 PDT Gen. 
Time: 05/17/2013 09:11:53.200 PDT INBOUND SCAN EXPLOIT 46.237.45.64 (09:11:50.283 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-2142 (09:11:50.283 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 46.237.45.64 (09:11:53.200 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 57186<-4964 (09:11:53.200 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368807110.283 1368807110.284 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 46.237.45.64, 88.2.204.133, 128.69.104.65 Egg Source List: 46.237.45.64, 128.69.104.65 C & C List: Peer Coord. List: Resource List: Observed Start: 05/17/2013 09:11:50.283 PDT Gen. 
Time: 05/17/2013 09:19:17.222 PDT INBOUND SCAN EXPLOIT 46.237.45.64 (09:11:50.283 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-2142 (09:11:50.283 PDT) 88.2.204.133 (09:15:22.977 PDT) event=1:22465 {tcp} E2[rb] GPL NETBIOS SMB-DS IPC$ share access, [] MAC_Dst: 00:21:5A:08:EC:40 445<-35778 (09:15:22.977 PDT) 128.69.104.65 (09:13:24.537 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-2498 (09:13:24.537 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 46.237.45.64 (09:11:53.200 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 57186<-4964 (09:11:53.200 PDT) 128.69.104.65 (09:13:27.823 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 40233<-8933 (09:13:27.823 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368807110.283 1368807110.284 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 178.144.8.77 Egg Source List: 178.144.8.77 C & C List: Peer Coord. List: Resource List: Observed Start: 05/17/2013 09:22:41.325 PDT Gen. 
Time: 05/17/2013 09:22:47.814 PDT INBOUND SCAN EXPLOIT 178.144.8.77 (09:22:41.325 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-4009 (09:22:41.325 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 178.144.8.77 (09:22:47.814 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 59973<-9461 (09:22:47.814 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368807761.325 1368807761.326 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 179.235.231.5, 188.6.133.71, 178.144.8.77 Egg Source List: 179.235.231.5, 188.6.133.71, 178.144.8.77 C & C List: Peer Coord. List: Resource List: Observed Start: 05/17/2013 09:22:41.325 PDT Gen. 
Time: 05/17/2013 09:28:19.285 PDT INBOUND SCAN EXPLOIT 179.235.231.5 (09:24:04.221 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-3410 (09:24:04.221 PDT) 188.6.133.71 (09:23:24.629 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-3925 (09:23:24.629 PDT) 178.144.8.77 (09:22:41.325 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-4009 (09:22:41.325 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 179.235.231.5 (09:24:08.565 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 52478<-3579 (09:24:08.565 PDT) 188.6.133.71 (09:23:28.882 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 37593<-9887 (09:23:28.882 PDT) 178.144.8.77 (09:22:47.814 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 59973<-9461 (09:22:47.814 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368807761.325 1368807761.326 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 128.69.104.65 Egg Source List: 128.69.104.65 C & C List: Peer Coord. List: Resource List: Observed Start: 05/17/2013 09:28:23.486 PDT Gen. 
Time: 05/17/2013 09:28:26.488 PDT INBOUND SCAN EXPLOIT 128.69.104.65 (09:28:23.486 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-2122 (09:28:23.486 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 128.69.104.65 (09:28:26.488 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 44303<-8933 (09:28:26.488 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368808103.486 1368808103.487 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 188.214.222.159, 128.69.104.65 Egg Source List: 188.214.222.159, 128.69.104.65 C & C List: Peer Coord. List: Resource List: Observed Start: 05/17/2013 09:28:23.486 PDT Gen. 
Time: 05/17/2013 09:31:19.421 PDT INBOUND SCAN EXPLOIT 188.214.222.159 (09:29:49.310 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-2168 (09:29:49.310 PDT) 128.69.104.65 (09:28:23.486 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-2122 (09:28:23.486 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 188.214.222.159 (09:29:52.279 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 53517<-6392 (09:29:52.279 PDT) 128.69.104.65 (09:28:26.488 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 44303<-8933 (09:28:26.488 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368808103.486 1368808103.487 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 59.125.123.7 Egg Source List: 59.125.123.7 C & C List: Peer Coord. List: Resource List: Observed Start: 05/17/2013 09:35:48.316 PDT Gen. 
Time: 05/17/2013 09:35:53.528 PDT INBOUND SCAN EXPLOIT 59.125.123.7 (09:35:48.316 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-4032 (09:35:48.316 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 59.125.123.7 (09:35:53.528 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 35735<-8709 (09:35:53.528 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368808548.316 1368808548.317 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 46.237.45.64, 77.31.112.193 Egg Source List: 46.237.45.64 C & C List: Peer Coord. List: Resource List: Observed Start: 05/17/2013 09:40:08.917 PDT Gen. 
Time: 05/17/2013 09:40:52.824 PDT INBOUND SCAN EXPLOIT 46.237.45.64 (09:40:49.479 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-1532 (09:40:49.479 PDT) 77.31.112.193 (09:40:08.917 PDT) event=1:22465 {tcp} E2[rb] GPL NETBIOS SMB-DS IPC$ share access, [] MAC_Dst: 00:21:5A:08:EC:40 445<-1999 (09:40:08.917 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 46.237.45.64 (09:40:52.824 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 54456<-4964 (09:40:52.824 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368808808.917 1368808808.918 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 179.235.231.5 Egg Source List: 179.235.231.5 C & C List: Peer Coord. List: Resource List: Observed Start: 05/17/2013 10:00:55.137 PDT Gen. 
Time: 05/17/2013 10:01:00.159 PDT INBOUND SCAN EXPLOIT 179.235.231.5 (10:00:55.137 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-4324 (10:00:55.137 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 179.235.231.5 (10:01:00.159 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 34502<-3579 (10:01:00.159 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368810055.137 1368810055.138 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 46.117.70.231 Egg Source List: 46.117.70.231 C & C List: Peer Coord. List: Resource List: Observed Start: 05/17/2013 10:04:58.786 PDT Gen. 
Time: 05/17/2013 10:05:01.827 PDT INBOUND SCAN EXPLOIT 46.117.70.231 (10:04:58.786 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-14351 (10:04:58.786 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 46.117.70.231 (10:05:01.827 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 52885<-6481 (10:05:01.827 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368810298.786 1368810298.787 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 95.228.41.237, 95.238.193.215, 71.28.24.82, 46.117.70.231, 77.45.27.172 Egg Source List: 95.228.41.237, 71.28.24.82, 46.117.70.231, 77.45.27.172 C & C List: Peer Coord. List: Resource List: Observed Start: 05/17/2013 10:04:58.786 PDT Gen. 
Time: 05/17/2013 10:13:42.961 PDT INBOUND SCAN EXPLOIT 95.228.41.237 (10:07:36.072 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-2377 (10:07:36.072 PDT) 95.238.193.215 (10:09:38.217 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-1765 (10:09:38.217 PDT) 71.28.24.82 (10:08:03.549 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-4518 (10:08:03.549 PDT) 46.117.70.231 (10:04:58.786 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-14351 (10:04:58.786 PDT) 77.45.27.172 (10:07:46.415 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-3131 (10:07:46.415 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 95.228.41.237 (10:07:38.975 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 40643<-5422 (10:07:38.975 PDT) 71.28.24.82 (10:08:06.868 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 48445<-3605 (10:08:06.868 PDT) 46.117.70.231 (10:05:01.827 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 52885<-6481 (10:05:01.827 PDT) 77.45.27.172 (10:07:49.209 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 34625<-7659 (10:07:49.209 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT 
SCAN tcpslice 1368810298.786 1368810298.787 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 31.14.218.73 Egg Source List: 31.14.218.73 C & C List: Peer Coord. List: Resource List: Observed Start: 05/17/2013 10:17:54.100 PDT Gen. Time: 05/17/2013 10:17:57.165 PDT INBOUND SCAN EXPLOIT 31.14.218.73 (10:17:54.100 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-2349 (10:17:54.100 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 31.14.218.73 (10:17:57.165 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 47949<-1955 (10:17:57.165 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368811074.100 1368811074.101 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 212.233.144.186, 31.14.218.73 Egg Source List: 212.233.144.186, 31.14.218.73 C & C List: Peer Coord. List: Resource List: Observed Start: 05/17/2013 10:17:54.100 PDT Gen. 
Time: 05/17/2013 10:23:07.816 PDT INBOUND SCAN EXPLOIT 212.233.144.186 (10:20:56.885 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-1408 (10:20:56.885 PDT) 31.14.218.73 (10:17:54.100 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-2349 (10:17:54.100 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 212.233.144.186 (10:20:59.776 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 34699<-1355 (10:20:59.776 PDT) 31.14.218.73 (10:17:57.165 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 47949<-1955 (10:17:57.165 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368811074.100 1368811074.101 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 203.222.8.34 Egg Source List: 203.222.8.34 C & C List: Peer Coord. List: Resource List: Observed Start: 05/17/2013 10:44:19.179 PDT Gen. 
Time: 05/17/2013 10:44:21.967 PDT INBOUND SCAN EXPLOIT 203.222.8.34 (10:44:19.179 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-2625 (10:44:19.179 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 203.222.8.34 (10:44:21.967 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 40934<-6040 (10:44:21.967 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368812659.179 1368812659.180 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 87.105.8.251 Egg Source List: 87.105.8.251 C & C List: Peer Coord. List: Resource List: Observed Start: 05/17/2013 11:04:48.819 PDT Gen. 
Time: 05/17/2013 11:04:51.728 PDT INBOUND SCAN EXPLOIT 87.105.8.251 (11:04:48.819 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-2882 (11:04:48.819 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 87.105.8.251 (11:04:51.728 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 45797<-4054 (11:04:51.728 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368813888.819 1368813888.820 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 87.105.8.251, 190.72.17.141 Egg Source List: 87.105.8.251 C & C List: Peer Coord. List: Resource List: Observed Start: 05/17/2013 11:04:48.819 PDT Gen. 
Time: 05/17/2013 11:09:06.157 PDT INBOUND SCAN EXPLOIT 87.105.8.251 (11:04:48.819 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-2882 (11:04:48.819 PDT) 190.72.17.141 (11:06:50.764 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-4375 (11:06:50.764 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 87.105.8.251 (11:04:51.728 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 45797<-4054 (11:04:51.728 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368813888.819 1368813888.820 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 190.74.177.65 Egg Source List: 190.74.177.65 C & C List: Peer Coord. List: Resource List: Observed Start: 05/17/2013 11:27:36.772 PDT Gen. 
Time: 05/17/2013 11:27:39.685 PDT INBOUND SCAN EXPLOIT 190.74.177.65 (11:27:36.772 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-2372 (11:27:36.772 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 190.74.177.65 (11:27:39.685 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 45460<-6236 (11:27:39.685 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368815256.772 1368815256.773 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 46.237.35.174 Egg Source List: 46.237.35.174 C & C List: Peer Coord. List: Resource List: Observed Start: 05/17/2013 12:02:52.199 PDT Gen. 
Time: 05/17/2013 12:02:55.204 PDT
INBOUND SCAN
EXPLOIT
46.237.35.174 (12:02:52.199 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-1150 (12:02:52.199 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
46.237.35.174 (12:02:55.204 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 49499<-4964 (12:02:55.204 PDT)
C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1368817372.199 1368817372.200 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'
============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 46.237.35.174
Egg Source List: 46.237.35.174
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/17/2013 12:02:52.199 PDT
Gen. Time: 05/17/2013 12:08:07.827 PDT
INBOUND SCAN
EXPLOIT
46.237.35.174 (2) (12:02:52.199 PDT) event=1:22009201 (2) {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-1150 (12:02:52.199 PDT) 445<-1290 (12:03:59.345 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
46.237.35.174 (2) (12:02:55.204 PDT) event=1:2001685 (2) {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 49499<-4964 (12:02:55.204 PDT) 49508<-4964 (12:04:02.845 PDT)
C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1368817372.199 1368817372.200 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'
============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 85.177.25.48
Egg Source List: 85.177.25.48
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/17/2013 12:46:33.728 PDT
Gen. Time: 05/17/2013 12:46:36.580 PDT
INBOUND SCAN
EXPLOIT
85.177.25.48 (12:46:33.728 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-4549 (12:46:33.728 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
85.177.25.48 (12:46:36.580 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 53478<-2541 (12:46:36.580 PDT)
C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1368819993.728 1368819993.729 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'
============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 179.235.231.5
Egg Source List: 179.235.231.5
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/17/2013 13:04:02.576 PDT
Gen. Time: 05/17/2013 13:04:05.563 PDT
INBOUND SCAN
EXPLOIT
179.235.231.5 (13:04:02.576 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-4630 (13:04:02.576 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
179.235.231.5 (13:04:05.563 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 35134<-3579 (13:04:05.563 PDT)
C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1368821042.576 1368821042.577 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'
============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 179.235.231.5, 78.106.6.122
Egg Source List: 179.235.231.5, 78.106.6.122
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/17/2013 13:04:02.576 PDT
Gen. Time: 05/17/2013 13:09:38.522 PDT
INBOUND SCAN
EXPLOIT
179.235.231.5 (16) (13:04:02.576 PDT) event=1:22008705 {tcp} E2[rb] ET NETBIOS Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (15), [] MAC_Dst: 00:21:5A:08:EC:40 445<-3889 (13:05:59.041 PDT)
-------------------------
event=1:22008715 {tcp} E2[rb] ET NETBIOS Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (25), [] MAC_Dst: 00:21:5A:08:EC:40 445<-3889 (13:05:59.041 PDT)
-------------------------
event=1:22009201 (14) {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-4630 (13:04:02.576 PDT) 445<-1095 (13:04:18.752 PDT) 445<-1528 (13:04:32.972 PDT) 445<-1883 (13:04:47.904 PDT) 445<-2290 (13:05:02.278 PDT) 445<-2662 (13:05:16.764 PDT) 445<-3052 (13:05:31.362 PDT) 445<-3889 (13:06:03.979 PDT) 445<-4318 (13:06:19.946 PDT) 445<-4723 (13:06:35.344 PDT) 445<-1246 (13:06:50.909 PDT) 445<-1699 (13:07:07.534 PDT) 445<-2159 (13:07:23.582 PDT) 445<-2574 (13:07:39.667 PDT)
78.106.6.122 (13:09:10.151 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-2450 (13:09:10.151 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
179.235.231.5 (14) (13:04:05.563 PDT) event=1:2001685 (14) {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 35134<-3579 (13:04:05.563 PDT) 35139<-3579 (13:04:21.986 PDT) 36247<-3579 (13:04:36.366 PDT) 36256<-3579 (13:04:51.482 PDT) 36261<-3579 (13:05:05.774 PDT) 36263<-3579 (13:05:20.093 PDT) 36264<-3579 (13:05:34.988 PDT) 36271<-3579 (13:06:09.916 PDT) 36273<-3579 (13:06:23.570 PDT) 36277<-3579 (13:06:38.480 PDT) 36282<-3579 (13:06:54.942 PDT) 36285<-3579 (13:07:11.189 PDT) 36287<-3579 (13:07:26.764 PDT) 36290<-3579 (13:07:43.527 PDT)
78.106.6.122 (13:09:13.416 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 59291<-2881 (13:09:13.416 PDT)
C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1368821042.576 1368821042.577 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'
============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 188.6.133.71
Egg Source List: 188.6.133.71
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/17/2013 13:12:13.014 PDT
Gen. Time: 05/17/2013 13:12:16.391 PDT
INBOUND SCAN
EXPLOIT
188.6.133.71 (13:12:13.014 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-2668 (13:12:13.014 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
188.6.133.71 (13:12:16.391 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 52937<-9887 (13:12:16.391 PDT)
C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1368821533.014 1368821533.015 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'
============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 188.6.133.71, 189.46.212.177
Egg Source List: 188.6.133.71, 189.46.212.177
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/17/2013 13:12:13.014 PDT
Gen. Time: 05/17/2013 13:17:56.930 PDT
INBOUND SCAN
EXPLOIT
188.6.133.71 (13:12:13.014 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-2668 (13:12:13.014 PDT)
189.46.212.177 (13:14:10.424 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-2459 (13:14:10.424 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
188.6.133.71 (13:12:16.391 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 52937<-9887 (13:12:16.391 PDT)
189.46.212.177 (13:14:15.465 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 52022<-6996 (13:14:15.465 PDT)
C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1368821533.014 1368821533.015 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'
============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 188.214.222.159
Egg Source List: 188.214.222.159
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/17/2013 13:22:49.273 PDT
Gen. Time: 05/17/2013 13:22:52.072 PDT
INBOUND SCAN
EXPLOIT
188.214.222.159 (13:22:49.273 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-3818 (13:22:49.273 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
188.214.222.159 (13:22:52.072 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 40313<-6392 (13:22:52.072 PDT)
C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1368822169.273 1368822169.274 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'
============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 188.214.222.159, 190.36.114.160
Egg Source List: 188.214.222.159, 190.36.114.160
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/17/2013 13:22:49.273 PDT
Gen. Time: 05/17/2013 13:28:03.365 PDT
INBOUND SCAN
EXPLOIT
188.214.222.159 (13:22:49.273 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-3818 (13:22:49.273 PDT)
190.36.114.160 (13:24:03.589 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-1565 (13:24:03.589 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
188.214.222.159 (13:22:52.072 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 40313<-6392 (13:22:52.072 PDT)
190.36.114.160 (13:24:06.288 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 60004<-5062 (13:24:06.288 PDT)
C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1368822169.273 1368822169.274 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'
============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 180.191.102.156, 205.134.246.121
Egg Source List: 205.134.246.121
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/17/2013 13:43:15.245 PDT
Gen. Time: 05/17/2013 13:44:22.222 PDT
INBOUND SCAN
EXPLOIT
180.191.102.156 (13:43:15.245 PDT) event=1:22465 {tcp} E2[rb] GPL NETBIOS SMB-DS IPC$ share access, [] MAC_Dst: 00:21:5A:08:EC:40 445<-49541 (13:43:15.245 PDT)
205.134.246.121 (13:44:19.692 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-35301 (13:44:19.692 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
205.134.246.121 (13:44:22.222 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 35193<-3991 (13:44:22.222 PDT)
C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1368823395.245 1368823395.246 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'
============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 213.186.178.230, 180.191.102.156, 205.134.246.121
Egg Source List: 205.134.246.121
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/17/2013 13:43:15.245 PDT
Gen. Time: 05/17/2013 13:47:21.236 PDT
INBOUND SCAN
EXPLOIT
213.186.178.230 (2) (13:45:51.045 PDT) event=1:22465 (2) {tcp} E2[rb] GPL NETBIOS SMB-DS IPC$ share access, [] MAC_Dst: 00:21:5A:08:EC:40 445<-65342 (13:45:51.045 PDT) 445<-65274 (13:45:51.109 PDT)
180.191.102.156 (13:43:15.245 PDT) event=1:22465 {tcp} E2[rb] GPL NETBIOS SMB-DS IPC$ share access, [] MAC_Dst: 00:21:5A:08:EC:40 445<-49541 (13:43:15.245 PDT)
205.134.246.121 (13:44:19.692 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-35301 (13:44:19.692 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
205.134.246.121 (13:44:22.222 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 35193<-3991 (13:44:22.222 PDT)
C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1368823395.245 1368823395.246 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'
============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 83.142.167.142
Egg Source List: 83.142.167.142
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/17/2013 13:47:32.123 PDT
Gen. Time: 05/17/2013 13:47:35.209 PDT
INBOUND SCAN
EXPLOIT
83.142.167.142 (13:47:32.123 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-2126 (13:47:32.123 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
83.142.167.142 (13:47:35.209 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 42939<-2166 (13:47:35.209 PDT)
C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1368823652.123 1368823652.124 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'
============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 179.235.231.5
Egg Source List: 179.235.231.5
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/17/2013 13:50:03.032 PDT
Gen. Time: 05/17/2013 13:50:07.830 PDT
INBOUND SCAN
EXPLOIT
179.235.231.5 (13:50:03.032 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-4865 (13:50:03.032 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
179.235.231.5 (13:50:07.830 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 42335<-3579 (13:50:07.830 PDT)
C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1368823803.032 1368823803.033 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'
============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 222.124.179.90
Egg Source List: 222.124.179.90
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/17/2013 13:54:47.828 PDT
Gen. Time: 05/17/2013 13:54:51.494 PDT
INBOUND SCAN
EXPLOIT
222.124.179.90 (13:54:47.828 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-42915 (13:54:47.828 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
222.124.179.90 (13:54:51.494 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 60567<-6118 (13:54:51.494 PDT)
C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1368824087.828 1368824087.829 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'
============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 46.117.70.231, 222.124.179.90
Egg Source List: 46.117.70.231, 222.124.179.90
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/17/2013 13:54:47.828 PDT
Gen. Time: 05/17/2013 13:59:41.101 PDT
INBOUND SCAN
EXPLOIT
46.117.70.231 (13:55:42.646 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-36496 (13:55:42.646 PDT)
222.124.179.90 (13:54:47.828 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-42915 (13:54:47.828 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
46.117.70.231 (13:55:46.233 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 52795<-6481 (13:55:46.233 PDT)
222.124.179.90 (13:54:51.494 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 60567<-6118 (13:54:51.494 PDT)
C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1368824087.828 1368824087.829 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'
============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 71.28.24.82
Egg Source List: 71.28.24.82
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/17/2013 14:00:34.553 PDT
Gen. Time: 05/17/2013 14:00:37.037 PDT
INBOUND SCAN
EXPLOIT
71.28.24.82 (14:00:34.553 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-4033 (14:00:34.553 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
71.28.24.82 (14:00:37.037 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 52632<-3605 (14:00:37.037 PDT)
C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1368824434.553 1368824434.554 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'
============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 83.142.167.142
Egg Source List: 83.142.167.142
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/17/2013 14:34:54.885 PDT
Gen. Time: 05/17/2013 14:35:00.751 PDT
INBOUND SCAN
EXPLOIT
83.142.167.142 (14:34:54.885 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-3646 (14:34:54.885 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
83.142.167.142 (14:35:00.751 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 54692<-2166 (14:35:00.751 PDT)
C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1368826494.885 1368826494.886 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'
============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 83.142.167.142
Egg Source List: 83.142.167.142
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/17/2013 14:38:26.353 PDT
Gen. Time: 05/17/2013 14:38:29.226 PDT
INBOUND SCAN
EXPLOIT
83.142.167.142 (14:38:26.353 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-3128 (14:38:26.353 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
83.142.167.142 (14:38:29.226 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 54801<-2166 (14:38:29.226 PDT)
C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1368826706.353 1368826706.354 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'
============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 83.142.167.142
Egg Source List: 83.142.167.142
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/17/2013 14:41:55.555 PDT
Gen. Time: 05/17/2013 14:41:58.412 PDT
INBOUND SCAN
EXPLOIT
83.142.167.142 (14:41:55.555 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-2565 (14:41:55.555 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
83.142.167.142 (14:41:58.412 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 51751<-2166 (14:41:58.412 PDT)
C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1368826915.555 1368826915.556 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'
============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 83.142.167.142, 203.222.8.34, 190.72.17.141
Egg Source List: 83.142.167.142, 203.222.8.34, 190.72.17.141
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/17/2013 14:41:55.555 PDT
Gen. Time: 05/17/2013 14:52:24.272 PDT
INBOUND SCAN
EXPLOIT
83.142.167.142 (3) (14:41:55.555 PDT) event=1:22009201 (3) {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-2565 (14:41:55.555 PDT) 445<-2001 (14:45:28.121 PDT) 445<-1497 (14:49:00.718 PDT)
203.222.8.34 (14:46:26.361 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-3749 (14:46:26.361 PDT)
190.72.17.141 (14:48:05.541 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-3731 (14:48:05.541 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
83.142.167.142 (3) (14:41:58.412 PDT) event=1:2001685 (3) {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 51751<-2166 (14:41:58.412 PDT) 46593<-2166 (14:45:32.196 PDT) 46689<-2166 (14:49:04.595 PDT)
203.222.8.34 (14:46:30.644 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 42582<-6040 (14:46:30.644 PDT)
190.72.17.141 (14:48:08.985 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 59600<-5947 (14:48:08.985 PDT)
C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1368826915.555 1368826915.556 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'
============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 83.142.167.142
Egg Source List: 83.142.167.142
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/17/2013 14:52:35.162 PDT
Gen. Time: 05/17/2013 14:52:39.988 PDT
INBOUND SCAN
EXPLOIT
83.142.167.142 (14:52:35.162 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-4963 (14:52:35.162 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
83.142.167.142 (14:52:39.988 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 42280<-2166 (14:52:39.988 PDT)
C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1368827555.162 1368827555.163 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'
============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 83.142.167.142
Egg Source List: 83.142.167.142
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/17/2013 14:52:35.162 PDT
Gen. Time: 05/17/2013 14:59:28.204 PDT
INBOUND SCAN
EXPLOIT
83.142.167.142 (2) (14:52:35.162 PDT) event=1:22009201 (2) {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-4963 (14:52:35.162 PDT) 445<-4434 (14:56:08.676 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
83.142.167.142 (2) (14:52:39.988 PDT) event=1:2001685 (2) {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 42280<-2166 (14:52:39.988 PDT) 51497<-2166 (14:56:11.744 PDT)
C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1368827555.162 1368827555.163 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'
============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 83.142.167.142
Egg Source List: 83.142.167.142
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/17/2013 14:59:37.952 PDT
Gen. Time: 05/17/2013 14:59:40.882 PDT
INBOUND SCAN
EXPLOIT
83.142.167.142 (14:59:37.952 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-3914 (14:59:37.952 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
83.142.167.142 (14:59:40.882 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 53509<-2166 (14:59:40.882 PDT)
C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1368827977.952 1368827977.953 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'
============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 83.142.167.142
Egg Source List: 83.142.167.142
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/17/2013 14:59:37.952 PDT
Gen. Time: 05/17/2013 15:07:16.080 PDT
INBOUND SCAN
EXPLOIT
83.142.167.142 (2) (14:59:37.952 PDT) event=1:22009201 (2) {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-3914 (14:59:37.952 PDT) 445<-3368 (15:03:07.471 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
83.142.167.142 (2) (14:59:40.882 PDT) event=1:2001685 (2) {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 53509<-2166 (14:59:40.882 PDT) 53558<-2166 (15:03:12.341 PDT)
C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1368827977.952 1368827977.953 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'
============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 50.82.168.247
Egg Source List: 50.82.168.247
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/17/2013 15:17:59.192 PDT
Gen. Time: 05/17/2013 15:18:01.931 PDT
INBOUND SCAN
EXPLOIT
50.82.168.247 (15:17:59.192 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-1460 (15:17:59.192 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
50.82.168.247 (15:18:01.931 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 47593<-2458 (15:18:01.931 PDT)
C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1368829079.192 1368829079.193 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'
============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 190.74.177.65, 50.82.168.247
Egg Source List: 190.74.177.65, 50.82.168.247
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/17/2013 15:17:59.192 PDT
Gen. Time: 05/17/2013 15:22:42.681 PDT
INBOUND SCAN
EXPLOIT
190.74.177.65 (15:18:48.289 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-4326 (15:18:48.289 PDT)
50.82.168.247 (15:17:59.192 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-1460 (15:17:59.192 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
190.74.177.65 (15:18:50.905 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 41034<-6236 (15:18:50.905 PDT)
50.82.168.247 (15:18:01.931 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 47593<-2458 (15:18:01.931 PDT)
C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1368829079.192 1368829079.193 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'
============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 95.25.1.202
Egg Source List: 95.25.1.202
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/17/2013 16:05:53.408 PDT
Gen. Time: 05/17/2013 16:05:57.701 PDT
INBOUND SCAN
EXPLOIT
95.25.1.202 (16:05:53.408 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-1361 (16:05:53.408 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
95.25.1.202 (16:05:57.701 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 43280<-7131 (16:05:57.701 PDT)
C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1368831953.408 1368831953.409 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'
============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 201.94.179.216
Egg Source List: 201.94.179.216
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/17/2013 16:22:35.763 PDT
Gen. Time: 05/17/2013 16:22:38.428 PDT
INBOUND SCAN
EXPLOIT
201.94.179.216 (16:22:35.763 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-4650 (16:22:35.763 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
201.94.179.216 (16:22:38.428 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 49610<-1344 (16:22:38.428 PDT)
C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1368832955.763 1368832955.764 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'
============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 68.112.249.2
Egg Source List: 68.112.249.2
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/17/2013 16:29:08.771 PDT
Gen. 
Time: 05/17/2013 16:29:11.267 PDT INBOUND SCAN EXPLOIT 68.112.249.2 (16:29:08.771 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-4479 (16:29:08.771 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 68.112.249.2 (16:29:11.267 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 59798<-6364 (16:29:11.267 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368833348.771 1368833348.772 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 177.131.222.70, 68.112.249.2 Egg Source List: 177.131.222.70, 68.112.249.2 C & C List: Peer Coord. List: Resource List: Observed Start: 05/17/2013 16:29:08.771 PDT Gen. 
Time: 05/17/2013 16:33:40.791 PDT INBOUND SCAN EXPLOIT 177.131.222.70 (16:30:23.713 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-2922 (16:30:23.713 PDT) 68.112.249.2 (16:29:08.771 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-4479 (16:29:08.771 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 177.131.222.70 (16:30:26.552 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 32969<-4001 (16:30:26.552 PDT) 68.112.249.2 (16:29:11.267 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 59798<-6364 (16:29:11.267 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368833348.771 1368833348.772 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 190.15.89.38 Egg Source List: 190.15.89.38 C & C List: Peer Coord. List: Resource List: Observed Start: 05/17/2013 16:53:44.918 PDT Gen. 
Time: 05/17/2013 16:53:47.675 PDT INBOUND SCAN EXPLOIT 190.15.89.38 (16:53:44.918 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-1758 (16:53:44.918 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 190.15.89.38 (16:53:47.675 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 46207<-2255 (16:53:47.675 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368834824.918 1368834824.919 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 189.46.212.177 Egg Source List: 189.46.212.177 C & C List: Peer Coord. List: Resource List: Observed Start: 05/17/2013 17:02:36.888 PDT Gen. 
Time: 05/17/2013 17:02:39.794 PDT INBOUND SCAN EXPLOIT 189.46.212.177 (17:02:36.888 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-1812 (17:02:36.888 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 189.46.212.177 (17:02:39.794 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 52628<-6996 (17:02:39.794 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368835356.888 1368835356.889 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 205.134.246.121 Egg Source List: 205.134.246.121 C & C List: Peer Coord. List: Resource List: Observed Start: 05/17/2013 17:25:21.820 PDT Gen. 
Time: 05/17/2013 17:25:24.378 PDT INBOUND SCAN EXPLOIT 205.134.246.121 (17:25:21.820 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-21370 (17:25:21.820 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 205.134.246.121 (17:25:24.378 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 43380<-3991 (17:25:24.378 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368836721.820 1368836721.821 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 83.142.167.142, 205.134.246.121 Egg Source List: 83.142.167.142, 205.134.246.121 C & C List: Peer Coord. List: Resource List: Observed Start: 05/17/2013 17:25:21.820 PDT Gen. 
Time: 05/17/2013 17:31:46.249 PDT INBOUND SCAN EXPLOIT 83.142.167.142 (17:28:41.018 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-4197 (17:28:41.018 PDT) 205.134.246.121 (17:25:21.820 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-21370 (17:25:21.820 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 83.142.167.142 (17:28:43.820 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 42874<-2166 (17:28:43.820 PDT) 205.134.246.121 (17:25:24.378 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 43380<-3991 (17:25:24.378 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368836721.820 1368836721.821 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 222.124.179.90 Egg Source List: 222.124.179.90 C & C List: Peer Coord. List: Resource List: Observed Start: 05/17/2013 17:35:58.811 PDT Gen. 
Time: 05/17/2013 17:36:01.966 PDT INBOUND SCAN EXPLOIT 222.124.179.90 (17:35:58.811 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-32769 (17:35:58.811 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 222.124.179.90 (17:36:01.966 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 54300<-6118 (17:36:01.966 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368837358.811 1368837358.812 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 189.78.40.38 Egg Source List: 189.78.40.38 C & C List: Peer Coord. List: Resource List: Observed Start: 05/17/2013 17:51:02.264 PDT Gen. 
Time: 05/17/2013 17:51:06.200 PDT INBOUND SCAN EXPLOIT 189.78.40.38 (17:51:02.264 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-28789 (17:51:02.264 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 189.78.40.38 (17:51:06.200 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 39592<-4333 (17:51:06.200 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368838262.264 1368838262.265 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 114.24.200.125 Egg Source List: 114.24.200.125 C & C List: Peer Coord. List: Resource List: Observed Start: 05/17/2013 18:04:32.510 PDT Gen. 
Time: 05/17/2013 18:04:35.991 PDT INBOUND SCAN EXPLOIT 114.24.200.125 (18:04:32.510 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-4772 (18:04:32.510 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 114.24.200.125 (18:04:35.991 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 34372<-1026 (18:04:35.991 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368839072.510 1368839072.511 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 114.27.84.142 Egg Source List: 114.27.84.142 C & C List: Peer Coord. List: Resource List: Observed Start: 05/17/2013 18:30:10.478 PDT Gen. 
Time: 05/17/2013 18:30:16.365 PDT INBOUND SCAN EXPLOIT 114.27.84.142 (18:30:10.478 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-3630 (18:30:10.478 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 114.27.84.142 (18:30:16.365 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 48397<-5043 (18:30:16.365 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368840610.478 1368840610.479 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 81.198.52.152 Egg Source List: 81.198.52.152 C & C List: Peer Coord. List: Resource List: Observed Start: 05/17/2013 18:45:00.656 PDT Gen. 
Time: 05/17/2013 18:45:03.812 PDT INBOUND SCAN EXPLOIT 81.198.52.152 (18:45:00.656 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-1946 (18:45:00.656 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 81.198.52.152 (18:45:03.812 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 35213<-3703 (18:45:03.812 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368841500.656 1368841500.657 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 186.94.177.189 Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 05/17/2013 18:53:05.998 PDT Gen. 
Time: 05/17/2013 18:56:47.587 PDT INBOUND SCAN EXPLOIT 186.94.177.189 (18:53:05.998 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-3528 (18:53:05.998 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN 69.33.17.218 (18:56:47.587 PDT) event=1:2008578 {udp} E5[rb] ET SCAN Sipvicious Scan, [] MAC_Src: 00:21:5A:08:EC:40 5060->5060 (18:56:47.587 PDT) ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368841985.998 1368841985.999 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 50.82.168.247 Egg Source List: 50.82.168.247 C & C List: Peer Coord. List: Resource List: Observed Start: 05/17/2013 19:02:25.067 PDT Gen. 
Time: 05/17/2013 19:02:27.493 PDT INBOUND SCAN EXPLOIT 50.82.168.247 (19:02:25.067 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-1264 (19:02:25.067 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 50.82.168.247 (19:02:27.493 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 54670<-2458 (19:02:27.493 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368842545.067 1368842545.068 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 68.112.249.2 Egg Source List: 68.112.249.2 C & C List: Peer Coord. List: Resource List: Observed Start: 05/17/2013 20:10:23.880 PDT Gen. 
Time: 05/17/2013 20:10:27.715 PDT INBOUND SCAN EXPLOIT 68.112.249.2 (20:10:23.880 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-1448 (20:10:23.880 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 68.112.249.2 (20:10:27.715 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 33876<-6364 (20:10:27.715 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368846623.880 1368846623.881 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 177.131.222.70 Egg Source List: 177.131.222.70 C & C List: Peer Coord. List: Resource List: Observed Start: 05/17/2013 20:22:45.970 PDT Gen. 
Time: 05/17/2013 20:22:49.329 PDT INBOUND SCAN EXPLOIT 177.131.222.70 (20:22:45.970 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-4981 (20:22:45.970 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 177.131.222.70 (20:22:49.329 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 42837<-4001 (20:22:49.329 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368847365.970 1368847365.971 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 186.120.113.34, 177.131.222.70 Egg Source List: 177.131.222.70 C & C List: Peer Coord. List: Resource List: Observed Start: 05/17/2013 20:22:45.970 PDT Gen. 
Time: 05/17/2013 20:26:23.162 PDT INBOUND SCAN EXPLOIT 186.120.113.34 (20:24:10.006 PDT) event=1:22465 {tcp} E2[rb] GPL NETBIOS SMB-DS IPC$ share access, [] MAC_Dst: 00:21:5A:08:EC:40 445<-9537 (20:24:10.006 PDT) 177.131.222.70 (20:22:45.970 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-4981 (20:22:45.970 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 177.131.222.70 (20:22:49.329 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 42837<-4001 (20:22:49.329 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368847365.970 1368847365.971 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 201.87.13.53 Egg Source List: 201.87.13.53 C & C List: Peer Coord. List: Resource List: Observed Start: 05/17/2013 20:31:50.187 PDT Gen. 
Time: 05/17/2013 20:31:53.251 PDT INBOUND SCAN EXPLOIT 201.87.13.53 (20:31:50.187 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-2082 (20:31:50.187 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 201.87.13.53 (20:31:53.251 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 53838<-9474 (20:31:53.251 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368847910.187 1368847910.188 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 81.31.161.188 Egg Source List: 81.31.161.188 C & C List: Peer Coord. List: Resource List: Observed Start: 05/17/2013 20:38:43.455 PDT Gen. 
Time: 05/17/2013 20:38:46.374 PDT INBOUND SCAN EXPLOIT 81.31.161.188 (20:38:43.455 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-1888 (20:38:43.455 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 81.31.161.188 (20:38:46.374 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 44339<-3537 (20:38:46.374 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368848323.455 1368848323.456 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 114.42.194.6 Egg Source List: 114.42.194.6 C & C List: Peer Coord. List: Resource List: Observed Start: 05/17/2013 21:17:25.055 PDT Gen. 
Time: 05/17/2013 21:17:27.727 PDT INBOUND SCAN EXPLOIT 114.42.194.6 (21:17:25.055 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-4991 (21:17:25.055 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 114.42.194.6 (21:17:27.727 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 33167<-7401 (21:17:27.727 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368850645.055 1368850645.056 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 94.61.243.71 Egg Source List: 94.61.243.71 C & C List: Peer Coord. List: Resource List: Observed Start: 05/17/2013 21:32:58.767 PDT Gen. 
Time: 05/17/2013 21:33:01.592 PDT INBOUND SCAN EXPLOIT 94.61.243.71 (21:32:58.767 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-2622 (21:32:58.767 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 94.61.243.71 (21:33:01.592 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 58991<-6947 (21:33:01.592 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368851578.767 1368851578.768 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 114.24.200.125 Egg Source List: 114.24.200.125 C & C List: Peer Coord. List: Resource List: Observed Start: 05/17/2013 21:47:16.215 PDT Gen. 
Time: 05/17/2013 21:47:18.934 PDT INBOUND SCAN EXPLOIT 114.24.200.125 (21:47:16.215 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-1245 (21:47:16.215 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 114.24.200.125 (21:47:18.934 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 42147<-1026 (21:47:18.934 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368852436.215 1368852436.216 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 186.94.177.189 Egg Source List: 186.94.177.189 C & C List: Peer Coord. List: Resource List: Observed Start: 05/17/2013 22:40:00.238 PDT Gen. 
Time: 05/17/2013 22:40:03.101 PDT INBOUND SCAN EXPLOIT 186.94.177.189 (22:40:00.238 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-3115 (22:40:00.238 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 186.94.177.189 (22:40:03.101 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 33772<-3032 (22:40:03.101 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368855600.238 1368855600.239 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================