Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 60.250.128.205 Egg Source List: 60.250.128.205 C & C List: Peer Coord. List: Resource List: Observed Start: 05/18/2013 00:03:53.477 PDT Gen. Time: 05/18/2013 00:03:56.799 PDT INBOUND SCAN EXPLOIT 60.250.128.205 (00:03:53.477 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-4172 (00:03:53.477 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 60.250.128.205 (00:03:56.799 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 50275<-8791 (00:03:56.799 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368860633.477 1368860633.478 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 177.103.238.189, 60.250.128.205 Egg Source List: 177.103.238.189, 60.250.128.205 C & C List: Peer Coord. List: Resource List: Observed Start: 05/18/2013 00:03:53.477 PDT Gen. 
Time: 05/18/2013 00:10:13.123 PDT INBOUND SCAN EXPLOIT 177.103.238.189 (00:06:09.124 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-4972 (00:06:09.124 PDT) 60.250.128.205 (00:03:53.477 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-4172 (00:03:53.477 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 177.103.238.189 (00:06:12.836 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 37941<-1144 (00:06:12.836 PDT) 60.250.128.205 (00:03:56.799 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 50275<-8791 (00:03:56.799 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368860633.477 1368860633.478 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 60.250.128.205 Egg Source List: 60.250.128.205 C & C List: Peer Coord. List: Resource List: Observed Start: 05/18/2013 00:19:11.081 PDT Gen. 
Time: 05/18/2013 00:19:13.746 PDT INBOUND SCAN EXPLOIT 60.250.128.205 (00:19:11.081 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-3968 (00:19:11.081 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 60.250.128.205 (00:19:13.746 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 36890<-8791 (00:19:13.746 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368861551.081 1368861551.082 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 192.171.216.248 Egg Source List: 192.171.216.248 C & C List: Peer Coord. List: Resource List: Observed Start: 05/18/2013 00:31:06.452 PDT Gen. 
Time: 05/18/2013 00:31:08.885 PDT INBOUND SCAN EXPLOIT 192.171.216.248 (00:31:06.452 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-3018 (00:31:06.452 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 192.171.216.248 (00:31:08.885 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 37985<-2513 (00:31:08.885 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368862266.452 1368862266.453 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 192.171.216.248, 60.250.128.205 Egg Source List: 192.171.216.248, 60.250.128.205 C & C List: Peer Coord. List: Resource List: Observed Start: 05/18/2013 00:31:06.452 PDT Gen. 
Time: 05/18/2013 00:36:58.312 PDT INBOUND SCAN EXPLOIT 192.171.216.248 (00:31:06.452 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-3018 (00:31:06.452 PDT) 60.250.128.205 (00:33:29.661 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-1466 (00:33:29.661 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 192.171.216.248 (00:31:08.885 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 37985<-2513 (00:31:08.885 PDT) 60.250.128.205 (00:33:32.372 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 59133<-8791 (00:33:32.372 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368862266.452 1368862266.453 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 60.250.128.205 Egg Source List: 60.250.128.205 C & C List: Peer Coord. List: Resource List: Observed Start: 05/18/2013 00:50:13.425 PDT Gen. 
Time: 05/18/2013 00:50:16.033 PDT INBOUND SCAN EXPLOIT 60.250.128.205 (00:50:13.425 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-4008 (00:50:13.425 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 60.250.128.205 (00:50:16.033 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 49473<-8791 (00:50:16.033 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368863413.425 1368863413.426 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 46.249.151.178 Egg Source List: 46.249.151.178 C & C List: Peer Coord. List: Resource List: Observed Start: 05/18/2013 00:53:44.597 PDT Gen. 
Time: 05/18/2013 00:53:51.138 PDT INBOUND SCAN EXPLOIT 46.249.151.178 (00:53:44.597 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-2351 (00:53:44.597 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 46.249.151.178 (00:53:51.138 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 36219<-6289 (00:53:51.138 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368863624.597 1368863624.598 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 141.255.161.98 Egg Source List: 141.255.161.98 C & C List: Peer Coord. List: Resource List: Observed Start: 05/18/2013 01:19:22.988 PDT Gen. 
Time: 05/18/2013 01:19:25.625 PDT INBOUND SCAN EXPLOIT 141.255.161.98 (01:19:22.988 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-1140 (01:19:22.988 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 141.255.161.98 (01:19:25.625 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 40268<-2529 (01:19:25.625 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368865162.988 1368865162.989 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 141.255.161.98, 200.33.136.119 Egg Source List: 141.255.161.98, 200.33.136.119 C & C List: Peer Coord. List: Resource List: Observed Start: 05/18/2013 01:19:22.988 PDT Gen. 
Time: 05/18/2013 01:25:19.659 PDT INBOUND SCAN EXPLOIT 141.255.161.98 (01:19:22.988 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-1140 (01:19:22.988 PDT) 200.33.136.119 (01:22:42.248 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-1753 (01:22:42.248 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 141.255.161.98 (01:19:25.625 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 40268<-2529 (01:19:25.625 PDT) 200.33.136.119 (01:22:44.668 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 37179<-9572 (01:22:44.668 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368865162.988 1368865162.989 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 190.66.43.98 Egg Source List: 190.66.43.98 C & C List: Peer Coord. List: Resource List: Observed Start: 05/18/2013 01:44:59.623 PDT Gen. 
Time: 05/18/2013 01:45:02.219 PDT INBOUND SCAN EXPLOIT 190.66.43.98 (01:44:59.623 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-3720 (01:44:59.623 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 190.66.43.98 (01:45:02.219 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 43103<-7931 (01:45:02.219 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368866699.623 1368866699.624 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 79.98.91.131 Egg Source List: 79.98.91.131 C & C List: Peer Coord. List: Resource List: Observed Start: 05/18/2013 01:53:12.561 PDT Gen. 
Time: 05/18/2013 01:53:15.930 PDT INBOUND SCAN EXPLOIT 79.98.91.131 (01:53:12.561 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-2588 (01:53:12.561 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 79.98.91.131 (01:53:15.930 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 33535<-1907 (01:53:15.930 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368867192.561 1368867192.562 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 49.204.28.29 Egg Source List: 49.204.28.29 C & C List: Peer Coord. List: Resource List: Observed Start: 05/18/2013 02:04:36.737 PDT Gen. 
Time: 05/18/2013 02:04:39.593 PDT INBOUND SCAN EXPLOIT 49.204.28.29 (02:04:36.737 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-2488 (02:04:36.737 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 49.204.28.29 (02:04:39.593 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 45673<-5163 (02:04:39.593 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368867876.737 1368867876.738 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 141.255.161.91 Egg Source List: 141.255.161.91 C & C List: Peer Coord. List: Resource List: Observed Start: 05/18/2013 02:13:53.817 PDT Gen. 
Time: 05/18/2013 02:13:57.371 PDT INBOUND SCAN EXPLOIT 141.255.161.91 (02:13:53.817 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-1241 (02:13:53.817 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 141.255.161.91 (02:13:57.371 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 60821<-6842 (02:13:57.371 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368868433.817 1368868433.818 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 1.168.169.206 Egg Source List: 1.168.169.206 C & C List: Peer Coord. List: Resource List: Observed Start: 05/18/2013 02:19:16.363 PDT Gen. 
Time: 05/18/2013 02:19:19.205 PDT INBOUND SCAN EXPLOIT 1.168.169.206 (02:19:16.363 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-2185 (02:19:16.363 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 1.168.169.206 (02:19:19.205 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 37844<-1699 (02:19:19.205 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368868756.363 1368868756.364 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 183.8.111.173 Egg Source List: 183.8.111.173 C & C List: Peer Coord. List: Resource List: Observed Start: 05/18/2013 02:30:03.523 PDT Gen. 
Time: 05/18/2013 02:30:06.638 PDT INBOUND SCAN EXPLOIT 183.8.111.173 (02:30:03.523 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-3997 (02:30:03.523 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 183.8.111.173 (02:30:06.638 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 60638<-2154 (02:30:06.638 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368869403.523 1368869403.524 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 183.8.111.173 Egg Source List: 183.8.111.173 C & C List: Peer Coord. List: Resource List: Observed Start: 05/18/2013 02:30:03.523 PDT Gen. 
Time: 05/18/2013 02:36:51.378 PDT INBOUND SCAN EXPLOIT 183.8.111.173 (17) (02:30:03.523 PDT) event=1:22009201 (17) {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-3997 (02:30:03.523 PDT) 445<-4165 (02:30:20.165 PDT) 445<-4362 (02:30:36.678 PDT) 445<-4569 (02:30:53.898 PDT) 445<-4764 (02:31:10.884 PDT) 445<-1038 (02:31:27.335 PDT) 445<-1229 (02:31:46.460 PDT) 445<-1439 (02:32:02.680 PDT) 445<-1636 (02:32:17.555 PDT) 445<-1810 (02:32:32.072 PDT) 445<-2106 (02:32:47.727 PDT) 445<-2541 (02:33:03.883 PDT) 445<-2882 (02:33:20.119 PDT) 445<-3273 (02:33:37.869 PDT) 445<-3529 (02:33:55.276 PDT) 445<-3730 (02:34:11.915 PDT) 445<-3919 (02:34:27.432 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 183.8.111.173 (17) (02:30:06.638 PDT) event=1:2001685 (17) {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 60638<-2154 (02:30:06.638 PDT) 60650<-2154 (02:30:23.324 PDT) 60661<-2154 (02:30:40.871 PDT) 60665<-2154 (02:30:57.407 PDT) 60667<-2154 (02:31:13.996 PDT) 60669<-2154 (02:31:31.545 PDT) 60675<-2154 (02:31:49.905 PDT) 60681<-2154 (02:32:06.316 PDT) 60684<-2154 (02:32:21.216 PDT) 60695<-2154 (02:32:35.060 PDT) 60697<-2154 (02:32:51.624 PDT) 60706<-2154 (02:33:06.921 PDT) 60711<-2154 (02:33:24.030 PDT) 60719<-2154 (02:33:41.233 PDT) 60727<-2154 (02:33:58.249 PDT) 60733<-2154 (02:34:15.312 PDT) 60738<-2154 (02:34:31.046 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368869403.523 1368869403.524 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 
89.35.50.87 Egg Source List: 89.35.50.87 C & C List: Peer Coord. List: Resource List: Observed Start: 05/18/2013 02:47:07.175 PDT Gen. Time: 05/18/2013 02:47:09.968 PDT INBOUND SCAN EXPLOIT 89.35.50.87 (02:47:07.175 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-2590 (02:47:07.175 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 89.35.50.87 (02:47:09.968 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 37768<-7681 (02:47:09.968 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368870427.175 1368870427.176 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 92.114.66.58 Egg Source List: 92.114.66.58 C & C List: Peer Coord. List: Resource List: Observed Start: 05/18/2013 02:54:16.246 PDT Gen. 
Time: 05/18/2013 02:54:19.629 PDT INBOUND SCAN EXPLOIT 92.114.66.58 (02:54:16.246 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-4173 (02:54:16.246 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 92.114.66.58 (02:54:19.629 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 56499<-5628 (02:54:19.629 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368870856.246 1368870856.247 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 180.145.210.215 Egg Source List: 180.145.210.215 C & C List: Peer Coord. List: Resource List: Observed Start: 05/18/2013 03:17:09.053 PDT Gen. 
Time: 05/18/2013 03:17:12.146 PDT INBOUND SCAN EXPLOIT 180.145.210.215 (03:17:09.053 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-3520 (03:17:09.053 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 180.145.210.215 (03:17:12.146 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 55711<-1451 (03:17:12.146 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368872229.053 1368872229.054 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 177.103.238.189 Egg Source List: 177.103.238.189 C & C List: Peer Coord. List: Resource List: Observed Start: 05/18/2013 03:47:38.866 PDT Gen. 
Time: 05/18/2013 03:47:42.483 PDT INBOUND SCAN EXPLOIT 177.103.238.189 (03:47:38.866 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-2184 (03:47:38.866 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 177.103.238.189 (03:47:42.483 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 51834<-1144 (03:47:42.483 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368874058.866 1368874058.867 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 60.250.128.205 Egg Source List: 60.250.128.205 C & C List: Peer Coord. List: Resource List: Observed Start: 05/18/2013 03:56:29.736 PDT Gen. 
Time: 05/18/2013 03:56:32.479 PDT INBOUND SCAN EXPLOIT 60.250.128.205 (03:56:29.736 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-2715 (03:56:29.736 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 60.250.128.205 (03:56:32.479 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 39914<-8791 (03:56:32.479 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368874589.736 1368874589.737 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 200.93.119.114 Egg Source List: 200.93.119.114 C & C List: Peer Coord. List: Resource List: Observed Start: 05/18/2013 04:02:51.442 PDT Gen. 
Time: 05/18/2013 04:02:54.673 PDT INBOUND SCAN EXPLOIT 200.93.119.114 (04:02:51.442 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-2646 (04:02:51.442 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 200.93.119.114 (04:02:54.673 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 44370<-9925 (04:02:54.673 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368874971.442 1368874971.443 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 192.171.216.248 Egg Source List: 192.171.216.248 C & C List: Peer Coord. List: Resource List: Observed Start: 05/18/2013 04:12:10.186 PDT Gen. 
Time: 05/18/2013 04:12:12.745 PDT INBOUND SCAN EXPLOIT 192.171.216.248 (04:12:10.186 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-2347 (04:12:10.186 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 192.171.216.248 (04:12:12.745 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 55872<-2513 (04:12:12.745 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368875530.186 1368875530.187 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 114.112.54.172 Egg Source List: 114.112.54.172 C & C List: Peer Coord. List: Resource List: Observed Start: 05/18/2013 04:16:46.391 PDT Gen. 
Time: 05/18/2013 04:16:49.730 PDT INBOUND SCAN EXPLOIT 114.112.54.172 (04:16:46.391 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-3525 (04:16:46.391 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 114.112.54.172 (04:16:49.730 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 58625<-2852 (04:16:49.730 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368875806.391 1368875806.392 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 78.140.198.140, 186.46.193.114 Egg Source List: 78.140.198.140 C & C List: Peer Coord. List: Resource List: Observed Start: 05/18/2013 04:26:07.986 PDT Gen. 
Time: 05/18/2013 04:26:33.611 PDT INBOUND SCAN EXPLOIT 78.140.198.140 (04:26:30.430 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-3434 (04:26:30.430 PDT) 186.46.193.114 (04:26:07.986 PDT) event=1:22465 {tcp} E2[rb] GPL NETBIOS SMB-DS IPC$ share access, [] MAC_Dst: 00:21:5A:08:EC:40 445<-2991 (04:26:07.986 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 78.140.198.140 (04:26:33.611 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 39552<-6395 (04:26:33.611 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368876367.986 1368876367.987 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 1.164.34.124 Egg Source List: 1.164.34.124 C & C List: Peer Coord. List: Resource List: Observed Start: 05/18/2013 04:30:13.416 PDT Gen. 
Time: 05/18/2013 04:30:16.134 PDT INBOUND SCAN EXPLOIT 1.164.34.124 (04:30:13.416 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-4579 (04:30:13.416 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 1.164.34.124 (04:30:16.134 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 36738<-3992 (04:30:16.134 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368876613.416 1368876613.417 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 78.8.247.89 Egg Source List: 78.8.247.89 C & C List: Peer Coord. List: Resource List: Observed Start: 05/18/2013 04:50:17.015 PDT Gen. 
Time: 05/18/2013 04:50:21.676 PDT
INBOUND SCAN
EXPLOIT
78.8.247.89 (04:50:17.015 PDT)
  event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
  445<-1175 (04:50:17.015 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
78.8.247.89 (04:50:21.676 PDT)
  event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
  43650<-3171 (04:50:21.676 PDT)
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1368877817.015 1368877817.016 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 87.121.31.56
Egg Source List: 87.121.31.56
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/18/2013 04:53:26.417 PDT
Gen.
Time: 05/18/2013 04:53:29.853 PDT
INBOUND SCAN
EXPLOIT
87.121.31.56 (04:53:26.417 PDT)
  event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
  445<-3236 (04:53:26.417 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
87.121.31.56 (04:53:29.853 PDT)
  event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
  51983<-5025 (04:53:29.853 PDT)
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1368878006.417 1368878006.418 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 82.79.110.128
Egg Source List: 82.79.110.128
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/18/2013 04:59:43.580 PDT
Gen.
Time: 05/18/2013 04:59:46.488 PDT
INBOUND SCAN
EXPLOIT
82.79.110.128 (04:59:43.580 PDT)
  event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
  445<-1982 (04:59:43.580 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
82.79.110.128 (04:59:46.488 PDT)
  event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
  43020<-9220 (04:59:46.488 PDT)
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1368878383.580 1368878383.581 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 141.255.161.98, 82.79.110.128
Egg Source List: 141.255.161.98, 82.79.110.128
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/18/2013 04:59:43.580 PDT
Gen.
Time: 05/18/2013 05:04:23.335 PDT
INBOUND SCAN
EXPLOIT
141.255.161.98 (05:00:32.023 PDT)
  event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
  445<-3511 (05:00:32.023 PDT)
82.79.110.128 (04:59:43.580 PDT)
  event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
  445<-1982 (04:59:43.580 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
141.255.161.98 (05:00:35.218 PDT)
  event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
  48779<-2529 (05:00:35.218 PDT)
82.79.110.128 (04:59:46.488 PDT)
  event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
  43020<-9220 (04:59:46.488 PDT)
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1368878383.580 1368878383.581 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 218.164.74.178
Egg Source List: 218.164.74.178
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/18/2013 05:13:43.328 PDT
Gen.
Time: 05/18/2013 05:13:46.327 PDT
INBOUND SCAN
EXPLOIT
218.164.74.178 (05:13:43.328 PDT)
  event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
  445<-3148 (05:13:43.328 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
218.164.74.178 (05:13:46.327 PDT)
  event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
  55950<-4053 (05:13:46.327 PDT)
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1368879223.328 1368879223.329 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 46.249.151.178
Egg Source List: 46.249.151.178
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/18/2013 05:20:43.821 PDT
Gen.
Time: 05/18/2013 05:20:47.396 PDT
INBOUND SCAN
EXPLOIT
46.249.151.178 (05:20:43.821 PDT)
  event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
  445<-3418 (05:20:43.821 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
46.249.151.178 (05:20:47.396 PDT)
  event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
  55029<-6289 (05:20:47.396 PDT)
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1368879643.821 1368879643.822 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 116.203.137.166
Egg Source List: 116.203.137.166
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/18/2013 05:36:32.118 PDT
Gen.
Time: 05/18/2013 05:36:35.255 PDT
INBOUND SCAN
EXPLOIT
116.203.137.166 (05:36:32.118 PDT)
  event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
  445<-4939 (05:36:32.118 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
116.203.137.166 (05:36:35.255 PDT)
  event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
  39935<-8546 (05:36:35.255 PDT)
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1368880592.118 1368880592.119 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 183.8.111.173, 116.203.137.166
Egg Source List: 183.8.111.173, 116.203.137.166
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/18/2013 05:36:32.118 PDT
Gen.
Time: 05/18/2013 06:18:54.073 PDT
INBOUND SCAN
EXPLOIT
183.8.111.173 (16) (05:37:57.581 PDT)
  event=1:22009201 (16) {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
  445<-4303 (05:37:57.581 PDT)
  445<-4471 (05:38:11.128 PDT)
  445<-4633 (05:38:27.066 PDT)
  445<-4837 (05:38:43.972 PDT)
  445<-1086 (05:39:00.659 PDT)
  445<-1297 (05:39:15.347 PDT)
  445<-1505 (05:39:34.847 PDT)
  445<-1734 (05:39:52.519 PDT)
  445<-1935 (05:40:10.050 PDT)
  445<-2152 (05:40:26.879 PDT)
  445<-2343 (05:40:42.536 PDT)
  445<-2547 (05:40:59.879 PDT)
  445<-2735 (05:41:17.473 PDT)
  445<-2952 (05:41:34.957 PDT)
  445<-3164 (05:41:49.802 PDT)
  445<-3342 (05:42:05.429 PDT)
116.203.137.166 (05:36:32.118 PDT)
  event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
  445<-4939 (05:36:32.118 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
183.8.111.173 (16) (05:38:00.462 PDT)
  event=1:2001685 (16) {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
  56953<-2154 (05:38:00.462 PDT)
  56961<-2154 (05:38:14.276 PDT)
  56963<-2154 (05:38:31.227 PDT)
  56969<-2154 (05:38:48.368 PDT)
  56973<-2154 (05:39:03.946 PDT)
  56986<-2154 (05:39:18.399 PDT)
  42346<-2154 (05:39:40.556 PDT)
  42349<-2154 (05:39:56.822 PDT)
  42360<-2154 (05:40:13.924 PDT)
  42365<-2154 (05:40:30.743 PDT)
  42369<-2154 (05:40:46.276 PDT)
  42375<-2154 (05:41:03.213 PDT)
  42378<-2154 (05:41:22.950 PDT)
  42384<-2154 (05:41:38.478 PDT)
  42391<-2154 (05:41:53.588 PDT)
  42396<-2154 (05:42:08.870 PDT)
116.203.137.166 (05:36:35.255 PDT)
  event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
  39935<-8546 (05:36:35.255 PDT)
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1368880592.118 1368880592.119 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 184.4.109.168, 183.8.111.173
Egg Source List: 183.8.111.173
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/18/2013 06:19:22.151 PDT
Gen. Time: 05/18/2013 06:19:22.151 PDT
INBOUND SCAN
EXPLOIT
184.4.109.168 (06:22:35.685 PDT)
  event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
  445<-3155 (06:22:35.685 PDT)
183.8.111.173 (06:22:32.491 PDT)
  event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
  445<-4675 (06:22:32.491 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
183.8.111.173 (06:19:22.151 PDT)
  event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
  58126<-2154 (06:19:22.151 PDT)
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1368883162.151 1368883162.152 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 184.4.109.168, 183.8.111.173
Egg Source List: 183.8.111.173
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/18/2013 06:19:22.151 PDT
Gen.
Time: 05/18/2013 06:20:50.667 PDT
INBOUND SCAN
EXPLOIT
184.4.109.168 (06:22:35.685 PDT)
  event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
  445<-3155 (06:22:35.685 PDT)
183.8.111.173 (8) (06:22:32.491 PDT)
  event=1:22009201 (8) {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
  445<-4675 (06:22:32.491 PDT)
  445<-4859 (06:22:48.039 PDT)
  445<-1085 (06:22:58.537 PDT)
  445<-1192 (06:23:13.006 PDT)
  445<-1383 (06:23:25.709 PDT)
  445<-1530 (06:23:42.211 PDT)
  445<-1735 (06:23:53.507 PDT)
  445<-1854 (06:24:06.790 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
183.8.111.173 (8) (06:19:22.151 PDT)
  event=1:2001685 (8) {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
  58126<-2154 (06:19:22.151 PDT)
  58159<-2154 (06:19:35.668 PDT)
  47448<-2154 (06:19:51.419 PDT)
  47453<-2154 (06:20:02.432 PDT)
  47459<-2154 (06:20:15.494 PDT)
  47463<-2154 (06:20:25.776 PDT)
  47468<-2154 (06:20:39.121 PDT)
  47470<-2154 (06:20:50.667 PDT)
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1368883162.151 1368883162.152 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 183.8.111.173
Egg Source List: 183.8.111.173
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/18/2013 06:21:04.418 PDT
Gen.
Time: 05/18/2013 06:21:04.418 PDT
INBOUND SCAN
EXPLOIT
183.8.111.173 (06:24:17.507 PDT)
  event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
  445<-2014 (06:24:17.507 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
183.8.111.173 (06:21:04.418 PDT)
  event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
  47480<-2154 (06:21:04.418 PDT)
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1368883264.418 1368883264.419 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 183.8.111.173, 200.84.76.234, 1.168.169.206
Egg Source List: 184.4.109.168, 183.8.111.173, 1.168.169.206
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/18/2013 06:21:04.418 PDT
Gen.
Time: 05/18/2013 06:27:27.560 PDT
INBOUND SCAN
EXPLOIT
183.8.111.173 (15) (06:24:17.507 PDT)
  event=1:22009201 (15) {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
  445<-2014 (06:24:17.507 PDT)
  445<-2156 (06:24:31.652 PDT)
  445<-2317 (06:24:43.819 PDT)
  445<-2474 (06:24:58.179 PDT)
  445<-2639 (06:25:10.913 PDT)
  445<-2806 (06:25:29.164 PDT)
  445<-3001 (06:25:42.772 PDT)
  445<-3170 (06:26:00.101 PDT)
  445<-3374 (06:26:11.570 PDT)
  445<-3499 (06:26:25.930 PDT)
  445<-3698 (06:26:38.914 PDT)
  445<-3842 (06:26:54.867 PDT)
  445<-4033 (06:27:07.026 PDT)
  445<-4182 (06:27:23.836 PDT)
  445<-4371 (06:27:35.383 PDT)
200.84.76.234 (06:25:36.765 PDT)
  event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
  445<-2676 (06:25:36.765 PDT)
1.168.169.206 (06:26:43.177 PDT)
  event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
  445<-3396 (06:26:43.177 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
184.4.109.168 (2) (06:22:39.227 PDT)
  event=1:2001683 {tcp} E3[rb] ET MALWARE Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
  38041<-80 (06:22:39.227 PDT)
  -------------------------
  event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
  38041<-80 (06:22:39.227 PDT)
183.8.111.173 (14) (06:21:04.418 PDT)
  event=1:2001685 (14) {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
  47480<-2154 (06:21:04.418 PDT)
  47483<-2154 (06:21:16.324 PDT)
  47488<-2154 (06:21:30.011 PDT)
  47491<-2154 (06:21:42.061 PDT)
  47497<-2154 (06:21:58.746 PDT)
  47500<-2154 (06:22:09.232 PDT)
  47504<-2154 (06:22:22.746 PDT)
  47508<-2154 (06:22:35.589 PDT)
  47517<-2154 (06:22:51.263 PDT)
  47525<-2154 (06:23:01.203 PDT)
  47530<-2154 (06:23:15.951 PDT)
  47535<-2154 (06:23:28.230 PDT)
  47544<-2154 (06:23:46.028 PDT)
  47548<-2154 (06:23:56.529 PDT)
1.168.169.206 (06:26:45.986 PDT)
  event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
  42706<-1699 (06:26:45.986 PDT)
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1368883264.418 1368883264.419 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 183.8.111.173
Egg Source List: 183.8.111.173
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/18/2013 06:27:37.905 PDT
Gen. Time: 05/18/2013 06:27:37.905 PDT
INBOUND SCAN
EXPLOIT
183.8.111.173 (06:30:40.806 PDT)
  event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
  445<-2640 (06:30:40.806 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
183.8.111.173 (06:27:37.905 PDT)
  event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
  46212<-2154 (06:27:37.905 PDT)
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1368883657.905 1368883657.906 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 183.8.111.173
Egg Source List: 183.8.111.173
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/18/2013 06:27:37.905 PDT
Gen. Time: 05/18/2013 06:37:41.705 PDT
INBOUND SCAN
EXPLOIT
183.8.111.173 (17) (06:30:40.806 PDT)
  event=1:22009201 (17) {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
  445<-2640 (06:30:40.806 PDT)
  445<-2795 (06:30:58.056 PDT)
  445<-2993 (06:31:11.106 PDT)
  445<-3141 (06:31:25.713 PDT)
  445<-3311 (06:31:39.088 PDT)
  445<-3467 (06:31:54.603 PDT)
  445<-3651 (06:32:06.291 PDT)
  445<-3789 (06:32:21.759 PDT)
  445<-3987 (06:32:34.666 PDT)
  445<-4140 (06:32:51.807 PDT)
  445<-4332 (06:33:04.309 PDT)
  445<-4486 (06:33:18.543 PDT)
  445<-4649 (06:33:29.480 PDT)
  445<-4787 (06:33:44.199 PDT)
  445<-1027 (06:33:56.590 PDT)
  445<-1171 (06:34:10.183 PDT)
  445<-1326 (06:34:22.730 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
183.8.111.173 (17) (06:27:37.905 PDT)
  event=1:2001685 (17) {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
  46212<-2154 (06:27:37.905 PDT)
  46219<-2154 (06:27:53.218 PDT)
  46222<-2154 (06:28:03.154 PDT)
  46230<-2154 (06:28:16.326 PDT)
  46235<-2154 (06:28:28.062 PDT)
  46243<-2154 (06:28:42.904 PDT)
  46248<-2154 (06:28:55.233 PDT)
  46254<-2154 (06:29:09.482 PDT)
  46256<-2154 (06:29:20.702 PDT)
  37858<-2154 (06:29:35.811 PDT)
  37863<-2154 (06:29:47.939 PDT)
  37868<-2154 (06:30:02.186 PDT)
  37874<-2154 (06:30:15.890 PDT)
  37879<-2154 (06:30:32.108 PDT)
  37882<-2154 (06:30:45.671 PDT)
  37885<-2154 (06:31:00.987 PDT)
  37889<-2154 (06:31:13.483 PDT)
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1368883657.905 1368883657.906 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 183.8.111.173
Egg Source List: 183.8.111.173
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/18/2013 06:37:56.081 PDT
Gen. Time: 05/18/2013 06:41:08.358 PDT
INBOUND SCAN
EXPLOIT
183.8.111.173 (06:41:08.358 PDT)
  event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
  445<-2123 (06:41:08.358 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
183.8.111.173 (06:37:56.081 PDT)
  event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
  47821<-2154 (06:37:56.081 PDT)
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1368884276.081 1368884276.082 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 183.8.111.173
Egg Source List: 183.8.111.173
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/18/2013 06:37:56.081 PDT
Gen.
Time: 05/18/2013 06:42:01.336 PDT
INBOUND SCAN
EXPLOIT
183.8.111.173 (2) (06:41:08.358 PDT)
  event=1:22009201 (2) {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
  445<-2123 (06:41:08.358 PDT)
  445<-2434 (06:41:32.872 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
183.8.111.173 (4) (06:37:56.081 PDT)
  event=1:2001685 (4) {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
  47821<-2154 (06:37:56.081 PDT)
  47826<-2154 (06:38:16.815 PDT)
  50799<-2154 (06:41:38.942 PDT)
  47829<-2154 (06:38:31.439 PDT)
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1368884276.081 1368884276.082 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 183.8.111.173, 114.46.22.56
Egg Source List: 186.95.83.9
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/18/2013 06:39:48.425 PDT
Gen.
Time: 05/18/2013 06:39:48.425 PDT
INBOUND SCAN
EXPLOIT
183.8.111.173 (4) (06:42:10.498 PDT)
  event=1:22009201 (4) {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
  445<-2743 (06:42:10.498 PDT)
  445<-3126 (06:42:25.531 PDT)
  445<-3311 (06:42:45.092 PDT)
  445<-3547 (06:43:00.419 PDT)
114.46.22.56 (06:42:01.339 PDT)
  event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
  445<-1292 (06:42:01.339 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
186.95.83.9 (06:39:48.425 PDT)
  event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
  44989<-3127 (06:39:48.425 PDT)
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1368884388.425 1368884388.426 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 183.8.111.173, 114.46.22.56
Egg Source List: 183.8.111.173, 186.95.83.9
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/18/2013 06:39:48.425 PDT
Gen.
Time: 05/18/2013 06:43:30.701 PDT
INBOUND SCAN
EXPLOIT
183.8.111.173 (5) (06:42:10.498 PDT)
  event=1:22009201 (5) {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
  445<-2743 (06:42:10.498 PDT)
  445<-3126 (06:42:25.531 PDT)
  445<-3311 (06:42:45.092 PDT)
  445<-3547 (06:43:00.419 PDT)
  445<-3730 (06:43:21.718 PDT)
114.46.22.56 (06:42:01.339 PDT)
  event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
  445<-1292 (06:42:01.339 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
183.8.111.173 (2) (06:39:56.534 PDT)
  event=1:2001685 (2) {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
  50781<-2154 (06:39:56.534 PDT)
  50786<-2154 (06:40:12.053 PDT)
186.95.83.9 (06:39:48.425 PDT)
  event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
  44989<-3127 (06:39:48.425 PDT)
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1368884388.425 1368884388.426 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 183.8.111.173
Egg Source List: 183.8.111.173
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/18/2013 06:40:32.409 PDT
Gen.
Time: 05/18/2013 06:40:32.409 PDT
INBOUND SCAN
EXPLOIT
183.8.111.173 (06:43:37.108 PDT)
  event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
  445<-3984 (06:43:37.108 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
183.8.111.173 (06:40:32.409 PDT)
  event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
  50790<-2154 (06:40:32.409 PDT)
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1368884432.409 1368884432.410 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 183.8.111.173, 89.35.50.87
Egg Source List: 114.46.22.56, 183.8.111.173
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/18/2013 06:40:32.409 PDT
Gen.
Time: 05/18/2013 06:48:46.488 PDT
INBOUND SCAN
EXPLOIT
183.8.111.173 (16) (06:43:37.108 PDT)
  event=1:22009201 (16) {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
  445<-3984 (06:43:37.108 PDT)
  445<-4177 (06:43:57.531 PDT)
  445<-4424 (06:44:12.889 PDT)
  445<-4602 (06:44:34.999 PDT)
  445<-4873 (06:44:51.968 PDT)
  445<-1152 (06:45:13.124 PDT)
  445<-1404 (06:45:27.703 PDT)
  445<-1592 (06:45:49.218 PDT)
  445<-1848 (06:46:06.594 PDT)
  445<-2056 (06:46:26.609 PDT)
  445<-2292 (06:46:42.110 PDT)
  445<-2476 (06:47:01.359 PDT)
  445<-2706 (06:47:17.253 PDT)
  445<-2915 (06:47:38.829 PDT)
  445<-3183 (06:47:55.625 PDT)
  445<-3369 (06:48:20.470 PDT)
89.35.50.87 (06:48:40.696 PDT)
  event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
  445<-3508 (06:48:40.696 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
114.46.22.56 (06:42:10.216 PDT)
  event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
  49239<-1480 (06:42:10.216 PDT)
183.8.111.173 (16) (06:40:32.409 PDT)
  event=1:2001685 (16) {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
  50790<-2154 (06:40:32.409 PDT)
  50792<-2154 (06:40:48.971 PDT)
  50796<-2154 (06:41:11.440 PDT)
  50806<-2154 (06:42:14.488 PDT)
  50810<-2154 (06:42:28.675 PDT)
  50812<-2154 (06:42:49.553 PDT)
  50818<-2154 (06:43:03.192 PDT)
  50822<-2154 (06:43:25.098 PDT)
  50833<-2154 (06:43:41.020 PDT)
  50841<-2154 (06:44:01.769 PDT)
  50848<-2154 (06:44:15.959 PDT)
  58562<-2154 (06:44:38.582 PDT)
  58568<-2154 (06:44:54.770 PDT)
  58672<-2154 (06:48:28.318 PDT)
  58577<-2154 (06:45:16.427 PDT)
  58584<-2154 (06:45:31.661 PDT)
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1368884432.409 1368884432.410 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 183.8.111.173
Egg Source List: 183.8.111.173
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/18/2013 06:48:50.679 PDT
Gen. Time: 05/18/2013 06:52:07.331 PDT
INBOUND SCAN
EXPLOIT
183.8.111.173 (06:52:07.331 PDT)
  event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
  445<-2249 (06:52:07.331 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
183.8.111.173 (06:48:50.679 PDT)
  event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
  58678<-2154 (06:48:50.679 PDT)
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1368884930.679 1368884930.680 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 183.8.111.173
Egg Source List: 183.8.111.173
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/18/2013 06:48:50.679 PDT
Gen.
Time: 05/18/2013 06:52:10.993 PDT
INBOUND SCAN
EXPLOIT
183.8.111.173 (7) (06:52:07.331 PDT)
  event=1:22009201 (7) {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
  445<-2249 (06:52:07.331 PDT)
  445<-2478 (06:52:23.157 PDT)
  445<-2669 (06:52:44.065 PDT)
  445<-2893 (06:53:02.299 PDT)
  445<-3096 (06:53:14.705 PDT)
  445<-3287 (06:53:36.519 PDT)
  445<-3544 (06:53:53.190 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
183.8.111.173 (12) (06:48:50.679 PDT)
  event=1:2001685 (12) {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
  58678<-2154 (06:48:50.679 PDT)
  58686<-2154 (06:49:11.037 PDT)
  58690<-2154 (06:49:25.711 PDT)
  46640<-2154 (06:49:45.836 PDT)
  46646<-2154 (06:50:01.867 PDT)
  46651<-2154 (06:50:22.711 PDT)
  46653<-2154 (06:50:37.755 PDT)
  46657<-2154 (06:50:59.897 PDT)
  46660<-2154 (06:51:17.163 PDT)
  46662<-2154 (06:51:37.085 PDT)
  46667<-2154 (06:51:51.523 PDT)
  46670<-2154 (06:52:10.993 PDT)
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1368884930.679 1368884930.680 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 187.92.61.45
Egg Source List: 183.8.111.173
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/18/2013 06:52:26.728 PDT
Gen.
Time: 05/18/2013 06:52:26.728 PDT INBOUND SCAN EXPLOIT 187.92.61.45 (06:55:16.329 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-2150 (06:55:16.329 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 183.8.111.173 (06:52:26.728 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 46675<-2154 (06:52:26.728 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368885146.728 1368885146.729 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 187.92.61.45 Egg Source List: 183.8.111.173 C & C List: Peer Coord. List: Resource List: Observed Start: 05/18/2013 06:52:26.728 PDT Gen. 
Time: 05/18/2013 06:57:11.632 PDT INBOUND SCAN EXPLOIT 187.92.61.45 (06:55:16.329 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-2150 (06:55:16.329 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 183.8.111.173 (6) (06:52:26.728 PDT) event=1:2001685 (6) {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 46675<-2154 (06:52:26.728 PDT) 46684<-2154 (06:52:49.069 PDT) 46689<-2154 (06:53:05.382 PDT) 46697<-2154 (06:53:18.070 PDT) 46706<-2154 (06:53:40.508 PDT) 46715<-2154 (06:53:57.336 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368885146.728 1368885146.729 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 92.114.66.58 Egg Source List: 92.114.66.58 C & C List: Peer Coord. List: Resource List: Observed Start: 05/18/2013 06:58:16.327 PDT Gen. 
Time: 05/18/2013 06:58:19.508 PDT INBOUND SCAN EXPLOIT 92.114.66.58 (06:58:16.327 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-3121 (06:58:16.327 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 92.114.66.58 (06:58:19.508 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 51598<-5628 (06:58:19.508 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368885496.327 1368885496.328 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 92.114.66.58, 180.145.210.215 Egg Source List: 92.114.66.58, 180.145.210.215 C & C List: Peer Coord. List: Resource List: Observed Start: 05/18/2013 06:58:16.327 PDT Gen. 
Time: 05/18/2013 07:05:09.862 PDT INBOUND SCAN EXPLOIT 92.114.66.58 (06:58:16.327 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-3121 (06:58:16.327 PDT) 180.145.210.215 (07:01:14.873 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-2715 (07:01:14.873 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 92.114.66.58 (06:58:19.508 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 51598<-5628 (06:58:19.508 PDT) 180.145.210.215 (07:01:18.083 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 49145<-1451 (07:01:18.083 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368885496.327 1368885496.328 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 200.93.119.114 Egg Source List: 200.93.119.114 C & C List: Peer Coord. List: Resource List: Observed Start: 05/18/2013 07:44:02.195 PDT Gen. 
Time: 05/18/2013 07:44:05.031 PDT INBOUND SCAN EXPLOIT 200.93.119.114 (07:44:02.195 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-2780 (07:44:02.195 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 200.93.119.114 (07:44:05.031 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 59957<-9925 (07:44:05.031 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368888242.195 1368888242.196 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 111.254.55.25, 114.112.54.172, 46.237.37.234 Egg Source List: 46.237.37.234 C & C List: Peer Coord. List: Resource List: Observed Start: 05/18/2013 07:54:19.511 PDT Gen. 
Time: 05/18/2013 07:55:47.655 PDT INBOUND SCAN EXPLOIT 111.254.55.25 (07:54:19.511 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-1104 (07:54:19.511 PDT) 114.112.54.172 (07:58:08.382 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-4729 (07:58:08.382 PDT) 46.237.37.234 (5) (07:55:43.485 PDT) event=1:22009201 (5) {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-1371 (07:55:43.485 PDT) 445<-1426 (07:56:37.713 PDT) 445<-1513 (07:56:53.765 PDT) 445<-1541 (07:57:10.685 PDT) 445<-1582 (07:57:47.549 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 46.237.37.234 (07:55:47.655 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 55417<-4964 (07:55:47.655 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368888859.511 1368888859.512 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 111.254.55.25, 114.112.54.172, 41.137.226.9, 46.237.37.234 Egg Source List: 114.112.54.172, 46.237.37.234 C & C List: Peer Coord. List: Resource List: Observed Start: 05/18/2013 07:54:19.511 PDT Gen. 
Time: 05/18/2013 08:06:21.103 PDT INBOUND SCAN EXPLOIT 111.254.55.25 (07:54:19.511 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-1104 (07:54:19.511 PDT) 114.112.54.172 (07:58:08.382 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-4729 (07:58:08.382 PDT) 41.137.226.9 (08:02:26.076 PDT) event=1:22465 {tcp} E2[rb] GPL NETBIOS SMB-DS IPC$ share access, [] MAC_Dst: 00:21:5A:08:EC:40 445<-6779 (08:02:26.076 PDT) 46.237.37.234 (6) (07:55:43.485 PDT) event=1:22009201 (6) {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-1371 (07:55:43.485 PDT) 445<-1426 (07:56:37.713 PDT) 445<-1513 (07:56:53.765 PDT) 445<-1541 (07:57:10.685 PDT) 445<-1582 (07:57:47.549 PDT) 445<-1660 (07:59:46.527 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 114.112.54.172 (07:58:11.903 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 33573<-2852 (07:58:11.903 PDT) 46.237.37.234 (5) (07:55:47.655 PDT) event=1:2001685 (5) {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 55417<-4964 (07:55:47.655 PDT) 55440<-4964 (07:56:40.461 PDT) 55446<-4964 (07:56:56.490 PDT) 55449<-4964 (07:57:14.894 PDT) 55457<-4964 (07:57:56.783 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368888859.511 1368888859.512 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 78.140.198.140 Egg Source 
List: 78.140.198.140 C & C List: Peer Coord. List: Resource List: Observed Start: 05/18/2013 08:09:02.590 PDT Gen. Time: 05/18/2013 08:09:05.174 PDT INBOUND SCAN EXPLOIT 78.140.198.140 (08:09:02.590 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-2205 (08:09:02.590 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 78.140.198.140 (08:09:05.174 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 51910<-6395 (08:09:05.174 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368889742.590 1368889742.591 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 71.252.132.216 Egg Source List: 71.252.132.216 C & C List: Peer Coord. List: Resource List: Observed Start: 05/18/2013 08:30:41.585 PDT Gen. 
Time: 05/18/2013 08:30:43.809 PDT INBOUND SCAN EXPLOIT 71.252.132.216 (08:30:41.585 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-4085 (08:30:41.585 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 71.252.132.216 (08:30:43.809 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 45197<-4013 (08:30:43.809 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368891041.585 1368891041.586 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 89.42.34.112, 77.254.241.62 Egg Source List: 89.42.34.112 C & C List: Peer Coord. List: Resource List: Observed Start: 05/18/2013 08:41:11.214 PDT Gen. 
Time: 05/18/2013 08:41:15.622 PDT INBOUND SCAN EXPLOIT 89.42.34.112 (08:41:11.214 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-2622 (08:41:11.214 PDT) 77.254.241.62 (08:42:13.123 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-3611 (08:42:13.123 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 89.42.34.112 (08:41:15.622 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 34766<-9992 (08:41:15.622 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368891671.214 1368891671.215 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 89.42.34.112, 77.254.241.62 Egg Source List: 89.42.34.112, 77.254.241.62 C & C List: Peer Coord. List: Resource List: Observed Start: 05/18/2013 08:41:11.214 PDT Gen. 
Time: 05/18/2013 08:45:27.388 PDT INBOUND SCAN EXPLOIT 89.42.34.112 (08:41:11.214 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-2622 (08:41:11.214 PDT) 77.254.241.62 (08:42:13.123 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-3611 (08:42:13.123 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 89.42.34.112 (08:41:15.622 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 34766<-9992 (08:41:15.622 PDT) 77.254.241.62 (08:42:16.626 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 55244<-8710 (08:42:16.626 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368891671.214 1368891671.215 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 218.164.74.178 Egg Source List: 218.164.74.178 C & C List: Peer Coord. List: Resource List: Observed Start: 05/18/2013 09:06:11.348 PDT Gen. 
Time: 05/18/2013 09:06:14.174 PDT INBOUND SCAN EXPLOIT 218.164.74.178 (09:06:11.348 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-4920 (09:06:11.348 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 218.164.74.178 (09:06:14.174 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 59994<-4053 (09:06:14.174 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368893171.348 1368893171.349 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 95.24.116.37 Egg Source List: 95.24.116.37 C & C List: Peer Coord. List: Resource List: Observed Start: 05/18/2013 09:28:51.833 PDT Gen. 
Time: 05/18/2013 09:29:09.675 PDT INBOUND SCAN EXPLOIT 95.24.116.37 (09:28:51.833 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-2911 (09:28:51.833 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 95.24.116.37 (09:29:09.675 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 56883<-5566 (09:29:09.675 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368894531.833 1368894531.834 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 1.171.53.93 Egg Source List: 1.171.53.93 C & C List: Peer Coord. List: Resource List: Observed Start: 05/18/2013 09:47:29.977 PDT Gen. 
Time: 05/18/2013 09:47:38.420 PDT INBOUND SCAN EXPLOIT 1.171.53.93 (09:47:29.977 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-2355 (09:47:29.977 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 1.171.53.93 (09:47:38.420 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 58636<-4525 (09:47:38.420 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368895649.977 1368895649.978 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 142.0.36.107 Egg Source List: 142.0.36.107 C & C List: Peer Coord. List: Resource List: Observed Start: 05/18/2013 09:56:13.608 PDT Gen. 
Time: 05/18/2013 09:56:17.576 PDT INBOUND SCAN EXPLOIT 142.0.36.107 (09:56:13.608 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-4025 (09:56:13.608 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 142.0.36.107 (09:56:17.576 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 42235<-1537 (09:56:17.576 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368896173.608 1368896173.609 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 184.4.109.168 Egg Source List: 184.4.109.168 C & C List: Peer Coord. List: Resource List: Observed Start: 05/18/2013 10:03:52.512 PDT Gen. 
Time: 05/18/2013 10:03:56.050 PDT INBOUND SCAN EXPLOIT 184.4.109.168 (10:03:52.512 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-2100 (10:03:52.512 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 184.4.109.168 (10:03:56.050 PDT) event=1:2001683 {tcp} E3[rb] ET MALWARE Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 41720<-80 (10:03:56.050 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368896632.512 1368896632.513 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 184.4.109.168 Egg Source List: 184.4.109.168 C & C List: Peer Coord. List: Resource List: Observed Start: 05/18/2013 10:03:52.512 PDT Gen. 
Time: 05/18/2013 10:05:59.665 PDT INBOUND SCAN EXPLOIT 184.4.109.168 (10:03:52.512 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-2100 (10:03:52.512 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 184.4.109.168 (2) (10:03:56.050 PDT) event=1:2001683 {tcp} E3[rb] ET MALWARE Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 41720<-80 (10:03:56.050 PDT) ------------------------- event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 41720<-80 (10:03:56.050 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368896632.512 1368896632.513 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 78.84.180.155 Egg Source List: 78.84.180.155 C & C List: Peer Coord. List: Resource List: Observed Start: 05/18/2013 10:14:10.625 PDT Gen. 
Time: 05/18/2013 10:14:16.651 PDT INBOUND SCAN EXPLOIT 78.84.180.155 (10:14:10.625 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-1763 (10:14:10.625 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 78.84.180.155 (10:14:16.651 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 38667<-9607 (10:14:16.651 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368897250.625 1368897250.626 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 186.95.83.9, 91.83.170.105 Egg Source List: 91.83.170.105 C & C List: Peer Coord. List: Resource List: Observed Start: 05/18/2013 10:21:18.840 PDT Gen. 
Time: 05/18/2013 10:22:56.626 PDT INBOUND SCAN EXPLOIT 186.95.83.9 (10:21:18.840 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-2993 (10:21:18.840 PDT) 91.83.170.105 (10:22:52.468 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-2150 (10:22:52.468 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 91.83.170.105 (10:22:56.626 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 50809<-1394 (10:22:56.626 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368897678.840 1368897678.841 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 186.95.83.9, 91.83.170.105 Egg Source List: 186.95.83.9, 91.83.170.105 C & C List: Peer Coord. List: Resource List: Observed Start: 05/18/2013 10:21:18.840 PDT Gen. 
Time: 05/18/2013 10:25:31.122 PDT INBOUND SCAN EXPLOIT 186.95.83.9 (10:21:18.840 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-2993 (10:21:18.840 PDT) 91.83.170.105 (10:22:52.468 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-2150 (10:22:52.468 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 186.95.83.9 (10:21:23.851 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 37252<-3127 (10:21:23.851 PDT) 91.83.170.105 (10:22:56.626 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 50809<-1394 (10:22:56.626 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368897678.840 1368897678.841 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 188.115.252.61, 200.84.76.234 Egg Source List: 188.115.252.61 C & C List: Peer Coord. List: Resource List: Observed Start: 05/18/2013 10:48:21.438 PDT Gen. 
Time: 05/18/2013 10:48:27.581 PDT INBOUND SCAN EXPLOIT 188.115.252.61 (10:48:21.438 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-4627 (10:48:21.438 PDT) 200.84.76.234 (10:49:43.990 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-1482 (10:49:43.990 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 188.115.252.61 (10:48:27.581 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 59534<-4143 (10:48:27.581 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368899301.438 1368899301.439 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.9 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 95.86.211.176 Egg Source List: 182.161.109.12 C & C List: 80.156.86.78 Peer Coord. List: Resource List: Observed Start: 05/18/2013 10:57:34.837 PDT Gen. 
Time: 05/18/2013 11:01:33.917 PDT INBOUND SCAN EXPLOIT 95.86.211.176 (11:01:33.917 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-1478 (11:01:33.917 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 182.161.109.12 (10:57:34.837 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 34690<-2435 (10:57:34.837 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) 80.156.86.78 (11:01:19.958 PDT) event=1:3810008 {udp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:EC:40 14946->8887 (11:01:19.958 PDT) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368899854.837 1368899854.838 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.9 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 95.86.211.176 Egg Source List: 182.161.109.12, 95.86.211.176 C & C List: 80.156.86.78 Peer Coord. List: Resource List: Observed Start: 05/18/2013 10:57:34.837 PDT Gen. 
Time: 05/18/2013 11:07:17.672 PDT INBOUND SCAN EXPLOIT 95.86.211.176 (10) (11:01:33.917 PDT) event=1:22009201 (10) {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-1478 (11:01:33.917 PDT) 445<-1610 (11:01:58.763 PDT) 445<-1712 (11:02:19.814 PDT) 445<-1799 (11:02:44.267 PDT) 445<-1937 (11:03:36.047 PDT) 445<-2150 (11:04:32.981 PDT) 445<-2317 (11:04:57.015 PDT) 445<-2393 (11:05:22.768 PDT) 445<-2492 (11:05:49.794 PDT) 445<-2575 (11:06:11.698 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 182.161.109.12 (10:57:34.837 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 34690<-2435 (10:57:34.837 PDT) 95.86.211.176 (5) (11:01:41.858 PDT) event=1:2001685 (5) {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 35486<-4964 (11:01:41.858 PDT) 35513<-4964 (11:02:02.015 PDT) 35534<-4964 (11:02:23.701 PDT) 35573<-4964 (11:02:53.986 PDT) 35675<-4964 (11:03:48.255 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) 80.156.86.78 (11:01:19.958 PDT) event=1:3810008 {udp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:EC:40 14946->8887 (11:01:19.958 PDT) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368899854.837 1368899854.838 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 189.6.214.165 Egg Source List: 189.6.214.165 C & C List: Peer Coord. List: Resource List: Observed Start: 05/18/2013 11:26:25.507 PDT Gen. 
Time: 05/18/2013 11:26:29.163 PDT INBOUND SCAN EXPLOIT 189.6.214.165 (11:26:25.507 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-4931 (11:26:25.507 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 189.6.214.165 (11:26:29.163 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 50123<-5969 (11:26:29.163 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368901585.507 1368901585.508 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 189.63.131.220 Egg Source List: 189.63.131.220 C & C List: Peer Coord. List: Resource List: Observed Start: 05/18/2013 12:07:14.153 PDT Gen. 
Time: 05/18/2013 12:07:22.479 PDT INBOUND SCAN EXPLOIT 189.63.131.220 (12:07:14.153 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-3461 (12:07:14.153 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 189.63.131.220 (12:07:22.479 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 50724<-7094 (12:07:22.479 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368904034.153 1368904034.154 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 189.63.131.220, 31.13.239.235 Egg Source List: 189.63.131.220, 31.13.239.235 C & C List: Peer Coord. List: Resource List: Observed Start: 05/18/2013 12:07:14.153 PDT Gen. 
Time: 05/18/2013 12:12:19.626 PDT INBOUND SCAN EXPLOIT 189.63.131.220 (12:07:14.153 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-3461 (12:07:14.153 PDT) 31.13.239.235 (12:08:22.115 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-3902 (12:08:22.115 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 189.63.131.220 (12:07:22.479 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 50724<-7094 (12:07:22.479 PDT) 31.13.239.235 (12:08:31.324 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 59382<-8181 (12:08:31.324 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368904034.153 1368904034.154 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 69.85.116.157 Egg Source List: 69.85.116.157 C & C List: Peer Coord. List: Resource List: Observed Start: 05/18/2013 12:41:47.363 PDT Gen. 
Time: 05/18/2013 12:41:50.324 PDT INBOUND SCAN EXPLOIT 69.85.116.157 (12:41:47.363 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-2184 (12:41:47.363 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 69.85.116.157 (12:41:50.324 PDT) event=1:2001683 {tcp} E3[rb] ET MALWARE Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 52266<-80 (12:41:50.324 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368906107.363 1368906107.364 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 69.85.116.157, 77.243.114.18 Egg Source List: 69.85.116.157 C & C List: Peer Coord. List: Resource List: Observed Start: 05/18/2013 12:41:47.363 PDT Gen. 
Time: 05/18/2013 12:49:01.158 PDT INBOUND SCAN EXPLOIT 69.85.116.157 (12:41:47.363 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-2184 (12:41:47.363 PDT) 77.243.114.18 (12:45:00.831 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-2165 (12:45:00.831 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 69.85.116.157 (2) (12:41:50.324 PDT) event=1:2001683 {tcp} E3[rb] ET MALWARE Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 52266<-80 (12:41:50.324 PDT) ------------------------- event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 52266<-80 (12:41:50.324 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368906107.363 1368906107.364 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 1.171.53.93 Egg Source List: 1.171.53.93 C & C List: Peer Coord. List: Resource List: Observed Start: 05/18/2013 13:38:10.318 PDT Gen. 
Time: 05/18/2013 13:38:13.230 PDT INBOUND SCAN EXPLOIT 1.171.53.93 (13:38:10.318 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-2765 (13:38:10.318 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 1.171.53.93 (13:38:13.230 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 59474<-4525 (13:38:13.230 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368909490.318 1368909490.319 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 1.171.53.93, 94.61.243.71 Egg Source List: 1.171.53.93 C & C List: Peer Coord. List: Resource List: Observed Start: 05/18/2013 13:38:10.318 PDT Gen. 
Time: 05/18/2013 13:44:11.342 PDT INBOUND SCAN EXPLOIT 1.171.53.93 (13:38:10.318 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-2765 (13:38:10.318 PDT) 94.61.243.71 (13:41:44.914 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-1537 (13:41:44.914 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 1.171.53.93 (13:38:13.230 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 59474<-4525 (13:38:13.230 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368909490.318 1368909490.319 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 94.61.243.71 Egg Source List: 94.61.243.71 C & C List: Peer Coord. List: Resource List: Observed Start: 05/18/2013 13:41:48.729 PDT Gen. 
Time: 05/18/2013 13:41:48.729 PDT INBOUND SCAN EXPLOIT 94.61.243.71 (13:45:25.856 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-1727 (13:45:25.856 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 94.61.243.71 (13:41:48.729 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 51743<-6947 (13:41:48.729 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368909708.729 1368909708.730 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 94.61.243.71 Egg Source List: 94.61.243.71 C & C List: Peer Coord. List: Resource List: Observed Start: 05/18/2013 13:41:48.729 PDT Gen. 
Time: 05/18/2013 13:49:35.624 PDT INBOUND SCAN EXPLOIT 94.61.243.71 (13:45:25.856 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-1727 (13:45:25.856 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 94.61.243.71 (2) (13:41:48.729 PDT) event=1:2001685 (2) {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 51743<-6947 (13:41:48.729 PDT) 37310<-6947 (13:45:31.135 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368909708.729 1368909708.730 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 94.61.243.71 Egg Source List: 94.61.243.71 C & C List: Peer Coord. List: Resource List: Observed Start: 05/18/2013 13:49:35.863 PDT Gen. 
Time: 05/18/2013 13:49:40.006 PDT INBOUND SCAN EXPLOIT 94.61.243.71 (13:49:35.863 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-4575 (13:49:35.863 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 94.61.243.71 (13:49:40.006 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 43872<-6947 (13:49:40.006 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368910175.863 1368910175.864 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 210.182.248.163, 94.61.243.71 Egg Source List: 210.182.248.163 C & C List: Peer Coord. List: Resource List: Observed Start: 05/18/2013 13:51:35.005 PDT Gen. 
Time: 05/18/2013 13:51:37.810 PDT INBOUND SCAN EXPLOIT 210.182.248.163 (13:51:35.005 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-1050 (13:51:35.005 PDT) 94.61.243.71 (13:53:05.644 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-4465 (13:53:05.644 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 210.182.248.163 (13:51:37.810 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 40622<-7033 (13:51:37.810 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368910295.005 1368910295.006 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 190.48.218.3 Egg Source List: 94.61.243.71 C & C List: Peer Coord. List: Resource List: Observed Start: 05/18/2013 13:53:10.683 PDT Gen. 
Time: 05/18/2013 13:53:10.683 PDT INBOUND SCAN EXPLOIT 190.48.218.3 (13:56:24.302 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-3673 (13:56:24.302 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 94.61.243.71 (13:53:10.683 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 44119<-6947 (13:53:10.683 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368910390.683 1368910390.684 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 190.48.218.3, 94.61.243.71 Egg Source List: 190.48.218.3, 94.61.243.71 C & C List: Peer Coord. List: Resource List: Observed Start: 05/18/2013 13:53:10.683 PDT Gen. 
Time: 05/18/2013 14:00:22.199 PDT INBOUND SCAN EXPLOIT 190.48.218.3 (13:56:24.302 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-3673 (13:56:24.302 PDT) 94.61.243.71 (13:57:09.806 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-1872 (13:57:09.806 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 190.48.218.3 (13:56:27.426 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 37497<-3238 (13:56:27.426 PDT) 94.61.243.71 (13:53:10.683 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 44119<-6947 (13:53:10.683 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368910390.683 1368910390.684 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 91.83.170.105 Egg Source List: 91.83.170.105 C & C List: Peer Coord. List: Resource List: Observed Start: 05/18/2013 14:04:59.582 PDT Gen. 
Time: 05/18/2013 14:05:11.793 PDT INBOUND SCAN EXPLOIT 91.83.170.105 (14:04:59.582 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-1384 (14:04:59.582 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 91.83.170.105 (14:05:11.793 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 33636<-1394 (14:05:11.793 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368911099.582 1368911099.583 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 193.33.90.228, 78.84.180.155, 190.48.149.234, 94.61.243.71, 91.83.170.105 Egg Source List: 193.33.90.228, 78.84.180.155, 94.61.243.71, 91.83.170.105 C & C List: Peer Coord. List: Resource List: Observed Start: 05/18/2013 14:01:43.801 PDT Gen. 
Time: 05/18/2013 14:13:41.217 PDT INBOUND SCAN EXPLOIT 193.33.90.228 (14:09:37.726 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-4722 (14:09:37.726 PDT) 78.84.180.155 (14:06:24.857 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-2364 (14:06:24.857 PDT) 190.48.149.234 (14:05:41.528 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-1473 (14:05:41.528 PDT) 94.61.243.71 (2) (14:05:40.293 PDT) event=1:22009201 (2) {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-2341 (14:05:40.293 PDT) 445<-2285 (14:10:41.934 PDT) 91.83.170.105 (14:04:59.582 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-1384 (14:04:59.582 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 193.33.90.228 (14:09:41.000 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 48320<-3670 (14:09:41.000 PDT) 78.84.180.155 (14:06:31.889 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 41203<-9607 (14:06:31.889 PDT) 94.61.243.71 (2) (14:01:43.801 PDT) event=1:2001685 (2) {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 47221<-6947 (14:01:43.801 PDT) 47096<-6947 (14:05:55.245 PDT) 91.83.170.105 (14:05:11.793 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 33636<-1394 (14:05:11.793 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard 
Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368910903.801 1368910903.802 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 94.61.243.71 Egg Source List: 94.61.243.71 C & C List: Peer Coord. List: Resource List: Observed Start: 05/18/2013 14:15:04.782 PDT Gen. Time: 05/18/2013 14:15:09.207 PDT INBOUND SCAN EXPLOIT 94.61.243.71 (14:15:04.782 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-1667 (14:15:04.782 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 94.61.243.71 (14:15:09.207 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 36571<-6947 (14:15:09.207 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368911704.782 1368911704.783 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 94.61.243.71 Egg Source List: 94.61.243.71 C & C List: Peer Coord. List: Resource List: Observed Start: 05/18/2013 14:20:27.521 PDT Gen. 
Time: 05/18/2013 14:20:34.883 PDT INBOUND SCAN EXPLOIT 94.61.243.71 (2) (14:20:27.521 PDT) event=1:22009201 (2) {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-3158 (14:20:27.521 PDT) 445<-4043 (14:23:56.007 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 94.61.243.71 (14:20:34.883 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 50427<-6947 (14:20:34.883 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368912027.521 1368912027.522 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 94.61.243.71 Egg Source List: 94.61.243.71 C & C List: Peer Coord. List: Resource List: Observed Start: 05/18/2013 14:28:33.747 PDT Gen. 
Time: 05/18/2013 14:28:38.590 PDT INBOUND SCAN EXPLOIT 94.61.243.71 (14:28:33.747 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-3322 (14:28:33.747 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 94.61.243.71 (14:28:38.590 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 33519<-6947 (14:28:38.590 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368912513.747 1368912513.748 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 94.61.243.71 Egg Source List: 94.61.243.71 C & C List: Peer Coord. List: Resource List: Observed Start: 05/18/2013 14:28:33.747 PDT Gen. 
Time: 05/18/2013 14:34:35.048 PDT INBOUND SCAN EXPLOIT 94.61.243.71 (2) (14:28:33.747 PDT) event=1:22009201 (2) {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-3322 (14:28:33.747 PDT) 445<-3790 (14:31:56.370 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 94.61.243.71 (14:28:38.590 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 33519<-6947 (14:28:38.590 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368912513.747 1368912513.748 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 93.126.85.47, 94.61.243.71 Egg Source List: 94.61.243.71 C & C List: Peer Coord. List: Resource List: Observed Start: 05/18/2013 14:35:01.250 PDT Gen. 
Time: 05/18/2013 14:35:26.837 PDT INBOUND SCAN EXPLOIT 93.126.85.47 (14:35:01.250 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-10941 (14:35:01.250 PDT) 94.61.243.71 (14:35:23.099 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-3755 (14:35:23.099 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 94.61.243.71 (14:35:26.837 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 47198<-6947 (14:35:26.837 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368912901.250 1368912901.251 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 93.126.85.47, 94.61.243.71 Egg Source List: 94.61.243.71 C & C List: Peer Coord. List: Resource List: Observed Start: 05/18/2013 14:32:01.048 PDT Gen. 
Time: 05/18/2013 14:36:30.673 PDT INBOUND SCAN EXPLOIT 93.126.85.47 (14:35:01.250 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-10941 (14:35:01.250 PDT) 94.61.243.71 (14:35:23.099 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-3755 (14:35:23.099 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 94.61.243.71 (2) (14:32:01.048 PDT) event=1:2001685 (2) {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 47198<-6947 (14:35:26.837 PDT) 37916<-6947 (14:32:01.048 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368912721.048 1368912721.049 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 94.61.243.71 Egg Source List: 93.126.85.47 C & C List: Peer Coord. List: Resource List: Observed Start: 05/18/2013 14:35:03.846 PDT Gen. 
Time: 05/18/2013 14:38:43.455 PDT INBOUND SCAN EXPLOIT 94.61.243.71 (14:38:43.455 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-3912 (14:38:43.455 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 93.126.85.47 (14:35:03.846 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 55097<-4135 (14:35:03.846 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368912903.846 1368912903.847 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 94.61.243.71 Egg Source List: 94.61.243.71 C & C List: Peer Coord. List: Resource List: Observed Start: 05/18/2013 14:43:04.632 PDT Gen. 
Time: 05/18/2013 14:43:07.690 PDT INBOUND SCAN EXPLOIT 94.61.243.71 (14:43:04.632 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-2881 (14:43:04.632 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 94.61.243.71 (14:43:07.690 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 32925<-6947 (14:43:07.690 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368913384.632 1368913384.633 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 81.200.145.232, 94.61.243.71 Egg Source List: 94.61.243.71 C & C List: Peer Coord. List: Resource List: Observed Start: 05/18/2013 14:48:31.635 PDT Gen. 
Time: 05/18/2013 14:48:41.475 PDT INBOUND SCAN EXPLOIT 81.200.145.232 (14:48:34.183 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-1313 (14:48:34.183 PDT) 94.61.243.71 (2) (14:48:31.635 PDT) event=1:22009201 (2) {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-1586 (14:48:31.635 PDT) 445<-3162 (14:52:14.489 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 94.61.243.71 (14:48:41.475 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 38375<-6947 (14:48:41.475 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368913711.635 1368913711.636 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 81.200.145.232, 94.61.243.71 Egg Source List: 81.200.145.232, 94.61.243.71 C & C List: Peer Coord. List: Resource List: Observed Start: 05/18/2013 14:48:31.635 PDT Gen. 
Time: 05/18/2013 14:52:48.704 PDT INBOUND SCAN EXPLOIT 81.200.145.232 (14:48:34.183 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-1313 (14:48:34.183 PDT) 94.61.243.71 (2) (14:48:31.635 PDT) event=1:22009201 (2) {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-1586 (14:48:31.635 PDT) 445<-3162 (14:52:14.489 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 81.200.145.232 (2) (14:48:41.603 PDT) event=1:2001683 {tcp} E3[rb] ET MALWARE Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 40840<-80 (14:48:41.603 PDT) ------------------------- event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 40840<-80 (14:48:41.603 PDT) 94.61.243.71 (14:48:41.475 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 38375<-6947 (14:48:41.475 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368913711.635 1368913711.636 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 188.115.252.61, 94.61.243.71 Egg Source List: 94.61.243.71 C & C List: Peer Coord. List: Resource List: Observed Start: 05/18/2013 14:56:39.632 PDT Gen. 
Time: 05/18/2013 14:56:42.077 PDT INBOUND SCAN EXPLOIT 188.115.252.61 (14:58:31.117 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-1288 (14:58:31.117 PDT) 94.61.243.71 (14:56:39.632 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-1646 (14:56:39.632 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 94.61.243.71 (14:56:42.077 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 50354<-6947 (14:56:42.077 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368914199.632 1368914199.633 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.9 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 188.115.252.61, 94.61.243.71 Egg Source List: 188.115.252.61, 94.61.243.71 C & C List: 50.28.6.0 Peer Coord. List: Resource List: Observed Start: 05/18/2013 14:56:39.632 PDT Gen. 
Time: 05/18/2013 15:02:51.157 PDT INBOUND SCAN EXPLOIT 188.115.252.61 (14:58:31.117 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-1288 (14:58:31.117 PDT) 94.61.243.71 (2) (14:56:39.632 PDT) event=1:22009201 (2) {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-1646 (14:56:39.632 PDT) 445<-1808 (15:00:20.323 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 188.115.252.61 (14:58:34.197 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 33947<-4143 (14:58:34.197 PDT) 94.61.243.71 (14:56:42.077 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 50354<-6947 (14:56:42.077 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) 50.28.6.0 (15:02:06.711 PDT) event=1:3810008 {udp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:EC:40 40129->33434 (15:02:06.711 PDT) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368914199.632 1368914199.633 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 94.61.243.71 Egg Source List: 94.61.243.71 C & C List: Peer Coord. List: Resource List: Observed Start: 05/18/2013 15:00:25.835 PDT Gen. 
Time: 05/18/2013 15:00:25.835 PDT INBOUND SCAN EXPLOIT 94.61.243.71 (15:04:39.648 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-1822 (15:04:39.648 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 94.61.243.71 (15:00:25.835 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 37496<-6947 (15:00:25.835 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368914425.835 1368914425.836 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 182.161.110.27, 94.61.243.71 Egg Source List: 94.61.243.71 C & C List: Peer Coord. List: Resource List: Observed Start: 05/18/2013 15:09:02.819 PDT Gen. 
Time: 05/18/2013 15:09:06.578 PDT INBOUND SCAN EXPLOIT 182.161.110.27 (15:13:04.576 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-3892 (15:13:04.576 PDT) 94.61.243.71 (2) (15:09:02.819 PDT) event=1:22009201 (2) {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-1178 (15:09:02.819 PDT) 445<-1125 (15:12:24.896 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 94.61.243.71 (15:09:06.578 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 44363<-6947 (15:09:06.578 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368914942.819 1368914942.820 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 94.61.243.71 Egg Source List: 94.61.243.71 C & C List: Peer Coord. List: Resource List: Observed Start: 05/18/2013 15:12:27.451 PDT Gen. 
Time: 05/18/2013 15:12:27.451 PDT INBOUND SCAN EXPLOIT 94.61.243.71 (15:15:59.625 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-4897 (15:15:59.625 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 94.61.243.71 (15:12:27.451 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 53860<-6947 (15:12:27.451 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368915147.451 1368915147.452 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 217.114.1.66, 110.38.89.198, 94.61.243.71 Egg Source List: 94.61.243.71 C & C List: Peer Coord. List: Resource List: Observed Start: 05/18/2013 15:16:03.469 PDT Gen. 
Time: 05/18/2013 15:16:03.469 PDT INBOUND SCAN EXPLOIT 217.114.1.66 (15:17:15.784 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-2569 (15:17:15.784 PDT) 110.38.89.198 (15:17:08.497 PDT) event=1:22465 {tcp} E2[rb] GPL NETBIOS SMB-DS IPC$ share access, [] MAC_Dst: 00:21:5A:08:EC:40 445<-65216 (15:17:08.497 PDT) 94.61.243.71 (15:19:39.033 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-3230 (15:19:39.033 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 94.61.243.71 (15:16:03.469 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 40094<-6947 (15:16:03.469 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368915363.469 1368915363.470 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 217.114.1.66, 110.38.89.198, 189.6.214.165, 94.61.243.71 Egg Source List: 217.114.1.66, 94.61.243.71 C & C List: Peer Coord. List: Resource List: Observed Start: 05/18/2013 15:16:03.469 PDT Gen. 
Time: 05/18/2013 15:21:26.224 PDT INBOUND SCAN EXPLOIT 217.114.1.66 (15:17:15.784 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-2569 (15:17:15.784 PDT) 110.38.89.198 (15:17:08.497 PDT) event=1:22465 {tcp} E2[rb] GPL NETBIOS SMB-DS IPC$ share access, [] MAC_Dst: 00:21:5A:08:EC:40 445<-65216 (15:17:08.497 PDT) 189.6.214.165 (15:20:15.924 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-1094 (15:20:15.924 PDT) 94.61.243.71 (15:19:39.033 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-3230 (15:19:39.033 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 217.114.1.66 (15:17:20.467 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 49780<-5304 (15:17:20.467 PDT) 94.61.243.71 (15:16:03.469 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 40094<-6947 (15:16:03.469 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368915363.469 1368915363.470 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 94.61.243.71 Egg Source List: 94.61.243.71 C & C List: Peer Coord. List: Resource List: Observed Start: 05/18/2013 15:19:42.590 PDT Gen. 
Time: 05/18/2013 15:19:42.590 PDT INBOUND SCAN EXPLOIT 94.61.243.71 (15:23:03.112 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-4319 (15:23:03.112 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 94.61.243.71 (15:19:42.590 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 36486<-6947 (15:19:42.590 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368915582.590 1368915582.591 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 94.61.243.71 Egg Source List: 189.6.214.165, 94.61.243.71 C & C List: Peer Coord. List: Resource List: Observed Start: 05/18/2013 15:19:42.590 PDT Gen. 
Time: 05/18/2013 15:24:26.261 PDT INBOUND SCAN EXPLOIT 94.61.243.71 (15:23:03.112 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-4319 (15:23:03.112 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 189.6.214.165 (15:20:18.845 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 40381<-5969 (15:20:18.845 PDT) 94.61.243.71 (15:19:42.590 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 36486<-6947 (15:19:42.590 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368915582.590 1368915582.591 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 94.61.243.71 Egg Source List: 94.61.243.71 C & C List: Peer Coord. List: Resource List: Observed Start: 05/18/2013 15:23:07.206 PDT Gen. 
Time: 05/18/2013 15:27:01.838 PDT INBOUND SCAN EXPLOIT 94.61.243.71 (15:27:01.838 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-3737 (15:27:01.838 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 94.61.243.71 (15:23:07.206 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 36773<-6947 (15:23:07.206 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368915787.206 1368915787.207 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 190.39.87.101, 94.61.243.71 Egg Source List: 94.61.243.71 C & C List: Peer Coord. List: Resource List: Observed Start: 05/18/2013 15:23:07.206 PDT Gen. 
Time: 05/18/2013 15:34:30.745 PDT INBOUND SCAN EXPLOIT 190.39.87.101 (15:32:00.724 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-3675 (15:32:00.724 PDT) 94.61.243.71 (2) (15:27:01.838 PDT) event=1:22009201 (2) {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-3737 (15:27:01.838 PDT) 445<-3567 (15:30:24.240 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 94.61.243.71 (3) (15:23:07.206 PDT) event=1:2001685 (3) {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 36773<-6947 (15:23:07.206 PDT) 49084<-6947 (15:27:04.667 PDT) 39367<-6947 (15:30:26.782 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368915787.206 1368915787.207 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 94.61.243.71 Egg Source List: 190.39.87.101 C & C List: Peer Coord. List: Resource List: Observed Start: 05/18/2013 15:32:04.289 PDT Gen. 
Time: 05/18/2013 15:32:04.289 PDT INBOUND SCAN EXPLOIT 94.61.243.71 (15:34:42.158 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-2508 (15:34:42.158 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 190.39.87.101 (15:32:04.289 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 36376<-1913 (15:32:04.289 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368916324.289 1368916324.290 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 37.8.64.81, 94.61.243.71 Egg Source List: 94.61.243.71 C & C List: Peer Coord. List: Resource List: Observed Start: 05/18/2013 15:38:22.876 PDT Gen. 
Time: 05/18/2013 15:38:25.565 PDT INBOUND SCAN EXPLOIT 37.8.64.81 (15:40:23.909 PDT) event=1:22465 {tcp} E2[rb] GPL NETBIOS SMB-DS IPC$ share access, [] MAC_Dst: 00:21:5A:08:EC:40 445<-61885 (15:40:23.909 PDT) 94.61.243.71 (15:38:22.876 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-4233 (15:38:22.876 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 94.61.243.71 (15:38:25.565 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 45874<-6947 (15:38:25.565 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368916702.876 1368916702.877 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 37.8.64.81, 94.61.243.71 Egg Source List: 94.61.243.71 C & C List: Peer Coord. List: Resource List: Observed Start: 05/18/2013 15:38:22.876 PDT Gen. 
Time: 05/18/2013 15:43:34.936 PDT INBOUND SCAN EXPLOIT 37.8.64.81 (15:40:23.909 PDT) event=1:22465 {tcp} E2[rb] GPL NETBIOS SMB-DS IPC$ share access, [] MAC_Dst: 00:21:5A:08:EC:40 445<-61885 (15:40:23.909 PDT) 94.61.243.71 (2) (15:38:22.876 PDT) event=1:22009201 (2) {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-4233 (15:38:22.876 PDT) 445<-2814 (15:41:52.307 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 94.61.243.71 (15:38:25.565 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 45874<-6947 (15:38:25.565 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368916702.876 1368916702.877 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 94.61.243.71 Egg Source List: 94.61.243.71 C & C List: Peer Coord. List: Resource List: Observed Start: 05/18/2013 15:47:09.861 PDT Gen. 
Time: 05/18/2013 15:47:12.252 PDT INBOUND SCAN EXPLOIT 94.61.243.71 (2) (15:47:09.861 PDT) event=1:22009201 (2) {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-2038 (15:47:09.861 PDT) 445<-2598 (15:50:30.013 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 94.61.243.71 (15:47:12.252 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 59521<-6947 (15:47:12.252 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368917229.861 1368917229.862 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 94.61.243.71 Egg Source List: 94.61.243.71 C & C List: Peer Coord. List: Resource List: Observed Start: 05/18/2013 15:50:33.066 PDT Gen. 
Time: 05/18/2013 15:54:08.452 PDT INBOUND SCAN EXPLOIT 94.61.243.71 (15:54:08.452 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-4982 (15:54:08.452 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 94.61.243.71 (15:50:33.066 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 43820<-6947 (15:50:33.066 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368917433.066 1368917433.067 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 94.61.243.71 Egg Source List: 94.61.243.71 C & C List: Peer Coord. List: Resource List: Observed Start: 05/18/2013 15:50:33.066 PDT Gen. 
Time: 05/18/2013 16:01:18.768 PDT INBOUND SCAN EXPLOIT 94.61.243.71 (2) (15:54:08.452 PDT) event=1:22009201 (2) {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-4982 (15:54:08.452 PDT) 445<-1642 (15:57:55.277 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 94.61.243.71 (3) (15:50:33.066 PDT) event=1:2001685 (3) {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 43820<-6947 (15:50:33.066 PDT) 44052<-6947 (15:54:14.639 PDT) 37737<-6947 (15:57:57.841 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368917433.066 1368917433.067 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 190.78.105.221, 94.61.243.71 Egg Source List: 94.61.243.71 C & C List: Peer Coord. List: Resource List: Observed Start: 05/18/2013 16:01:21.062 PDT Gen. 
Time: 05/18/2013 16:01:25.141 PDT INBOUND SCAN EXPLOIT 190.78.105.221 (16:03:07.177 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-1913 (16:03:07.177 PDT) 94.61.243.71 (2) (16:01:21.062 PDT) event=1:22009201 (2) {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-3260 (16:01:21.062 PDT) 445<-1753 (16:04:44.012 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 94.61.243.71 (16:01:25.141 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 45065<-6947 (16:01:25.141 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368918081.062 1368918081.063 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 31.13.239.235 Egg Source List: 190.78.105.221 C & C List: Peer Coord. List: Resource List: Observed Start: 05/18/2013 16:03:10.070 PDT Gen. 
Time: 05/18/2013 16:03:10.070 PDT INBOUND SCAN EXPLOIT 31.13.239.235 (16:06:31.905 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-4596 (16:06:31.905 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 190.78.105.221 (16:03:10.070 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 35099<-4096 (16:03:10.070 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368918190.070 1368918190.071 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 94.61.243.71 Egg Source List: 94.61.243.71 C & C List: Peer Coord. List: Resource List: Observed Start: 05/18/2013 16:04:47.463 PDT Gen. 
Time: 05/18/2013 16:04:47.463 PDT INBOUND SCAN EXPLOIT 94.61.243.71 (16:08:11.594 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-1715 (16:08:11.594 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 94.61.243.71 (16:04:47.463 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 39777<-6947 (16:04:47.463 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368918287.463 1368918287.464 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 94.61.243.71 Egg Source List: 94.61.243.71 C & C List: Peer Coord. List: Resource List: Observed Start: 05/18/2013 16:12:44.222 PDT Gen. 
Time: 05/18/2013 16:12:44.222 PDT INBOUND SCAN EXPLOIT 94.61.243.71 (16:16:04.768 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-3980 (16:16:04.768 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 94.61.243.71 (16:12:44.222 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 45462<-6947 (16:12:44.222 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368918764.222 1368918764.223 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 189.159.129.225 Egg Source List: 94.61.243.71 C & C List: Peer Coord. List: Resource List: Observed Start: 05/18/2013 16:16:09.074 PDT Gen. 
Time: 05/18/2013 16:16:09.074 PDT INBOUND SCAN EXPLOIT 189.159.129.225 (16:18:47.587 PDT) event=1:22465 {tcp} E2[rb] GPL NETBIOS SMB-DS IPC$ share access, [] MAC_Dst: 00:21:5A:08:EC:40 445<-32501 (16:18:47.587 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 94.61.243.71 (16:16:09.074 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 36648<-6947 (16:16:09.074 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368918969.074 1368918969.075 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 189.159.129.225, 94.61.243.71 Egg Source List: 94.61.243.71 C & C List: Peer Coord. List: Resource List: Observed Start: 05/18/2013 16:16:09.074 PDT Gen. 
Time: 05/18/2013 16:22:23.005 PDT INBOUND SCAN EXPLOIT 189.159.129.225 (16:18:47.587 PDT) event=1:22465 {tcp} E2[rb] GPL NETBIOS SMB-DS IPC$ share access, [] MAC_Dst: 00:21:5A:08:EC:40 445<-32501 (16:18:47.587 PDT) 94.61.243.71 (16:19:51.091 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-3870 (16:19:51.091 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 94.61.243.71 (16:16:09.074 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 36648<-6947 (16:16:09.074 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368918969.074 1368918969.075 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 94.61.243.71 Egg Source List: 94.61.243.71 C & C List: Peer Coord. List: Resource List: Observed Start: 05/18/2013 16:24:02.612 PDT Gen. 
Time: 05/18/2013 16:24:05.739 PDT INBOUND SCAN EXPLOIT 94.61.243.71 (16:24:02.612 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-1098 (16:24:02.612 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 94.61.243.71 (16:24:05.739 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 37887<-6947 (16:24:05.739 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368919442.612 1368919442.613 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 94.61.243.71 Egg Source List: 94.61.243.71 C & C List: Peer Coord. List: Resource List: Observed Start: 05/18/2013 16:28:26.715 PDT Gen. 
Time: 05/18/2013 16:28:26.715 PDT INBOUND SCAN EXPLOIT 94.61.243.71 (16:31:50.044 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-1475 (16:31:50.044 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 94.61.243.71 (16:28:26.715 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 59122<-6947 (16:28:26.715 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368919706.715 1368919706.716 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 94.61.243.71 Egg Source List: 94.61.243.71 C & C List: Peer Coord. List: Resource List: Observed Start: 05/18/2013 16:31:53.745 PDT Gen. 
Time: 05/18/2013 16:31:53.745 PDT
INBOUND SCAN
EXPLOIT
  94.61.243.71 (16:35:14.910 PDT)
    event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
    445<-3534 (16:35:14.910 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
  94.61.243.71 (16:31:53.745 PDT)
    event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
    53225<-6947 (16:31:53.745 PDT)
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1368919913.745 1368919913.746 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.9 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 69.85.116.157
Egg Source List: 94.61.243.71
C & C List: 216.227.214.83
Peer Coord. List:
Resource List:
Observed Start: 05/18/2013 16:35:18.672 PDT
Gen. Time: 05/18/2013 16:35:18.672 PDT
INBOUND SCAN
EXPLOIT
  69.85.116.157 (16:38:11.867 PDT)
    event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
    445<-3856 (16:38:11.867 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
  94.61.243.71 (16:35:18.672 PDT)
    event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
    44246<-6947 (16:35:18.672 PDT)
C and C TRAFFIC
C and C TRAFFIC (RBN)
  216.227.214.83 (16:36:03.413 PDT)
    event=1:3810008 {udp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:EC:40
    46027->33434 (16:36:03.413 PDT)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1368920118.672 1368920118.673 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 94.61.243.71
Egg Source List: 69.85.116.157
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/18/2013 16:38:14.464 PDT
Gen. Time: 05/18/2013 16:38:14.464 PDT
INBOUND SCAN
EXPLOIT
  94.61.243.71 (16:39:28.882 PDT)
    event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
    445<-1216 (16:39:28.882 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
  69.85.116.157 (16:38:14.464 PDT)
    event=1:2001683 {tcp} E3[rb] ET MALWARE Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
    33886<-80 (16:38:14.464 PDT)
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1368920294.464 1368920294.465 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 94.61.243.71
Egg Source List: 69.85.116.157
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/18/2013 16:38:14.464 PDT
Gen. Time: 05/18/2013 16:42:04.620 PDT
INBOUND SCAN
EXPLOIT
  94.61.243.71 (16:39:28.882 PDT)
    event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
    445<-1216 (16:39:28.882 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
  69.85.116.157 (2) (16:38:14.464 PDT)
    event=1:2001683 {tcp} E3[rb] ET MALWARE Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
    33886<-80 (16:38:14.464 PDT)
    -------------------------
    event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
    33886<-80 (16:38:14.464 PDT)
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1368920294.464 1368920294.465 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 94.61.243.71
Egg Source List: 94.61.243.71
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/18/2013 16:39:31.539 PDT
Gen. Time: 05/18/2013 16:39:31.539 PDT
INBOUND SCAN
EXPLOIT
  94.61.243.71 (16:42:59.860 PDT)
    event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
    445<-2227 (16:42:59.860 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
  94.61.243.71 (16:39:31.539 PDT)
    event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
    44537<-6947 (16:39:31.539 PDT)
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1368920371.539 1368920371.540 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 12.97.200.188, 94.61.243.71
Egg Source List: 94.61.243.71
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/18/2013 16:48:17.789 PDT
Gen. Time: 05/18/2013 16:48:21.406 PDT
INBOUND SCAN
EXPLOIT
  12.97.200.188 (16:48:52.723 PDT)
    event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
    445<-4083 (16:48:52.723 PDT)
  94.61.243.71 (16:48:17.789 PDT)
    event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
    445<-1630 (16:48:17.789 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
  94.61.243.71 (16:48:21.406 PDT)
    event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
    60482<-6947 (16:48:21.406 PDT)
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1368920897.789 1368920897.790 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 94.61.243.71
Egg Source List: 94.61.243.71
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/18/2013 16:53:20.402 PDT
Gen. Time: 05/18/2013 16:53:26.158 PDT
INBOUND SCAN
EXPLOIT
  94.61.243.71 (16:53:20.402 PDT)
    event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
    445<-2730 (16:53:20.402 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
  94.61.243.71 (16:53:26.158 PDT)
    event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
    59878<-6947 (16:53:26.158 PDT)
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1368921200.402 1368921200.403 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 91.221.232.9, 94.61.243.71
Egg Source List: 94.61.243.71
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/18/2013 16:53:20.402 PDT
Gen. Time: 05/18/2013 16:57:17.995 PDT
INBOUND SCAN
EXPLOIT
  91.221.232.9 (16:54:24.669 PDT)
    event=1:22475 {tcp} E2[rb] GPL NETBIOS SMB-DS ADMIN$ unicode share access, [] MAC_Dst: 00:21:5A:08:EC:40
    445<-3674 (16:54:24.669 PDT)
  94.61.243.71 (16:53:20.402 PDT)
    event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
    445<-2730 (16:53:20.402 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
  94.61.243.71 (16:53:26.158 PDT)
    event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
    59878<-6947 (16:53:26.158 PDT)
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1368921200.402 1368921200.403 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 94.61.243.71
Egg Source List: 94.61.243.71
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/18/2013 16:57:24.251 PDT
Gen. Time: 05/18/2013 17:01:10.378 PDT
INBOUND SCAN
EXPLOIT
  94.61.243.71 (17:01:10.378 PDT)
    event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
    445<-3250 (17:01:10.378 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
  94.61.243.71 (16:57:24.251 PDT)
    event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
    49361<-6947 (16:57:24.251 PDT)
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1368921444.251 1368921444.252 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 94.61.243.71
Egg Source List: 94.61.243.71
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/18/2013 17:10:52.092 PDT
Gen. Time: 05/18/2013 17:10:52.092 PDT
INBOUND SCAN
EXPLOIT
  94.61.243.71 (17:14:10.909 PDT)
    event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
    445<-1230 (17:14:10.909 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
  94.61.243.71 (17:10:52.092 PDT)
    event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
    34676<-6947 (17:10:52.092 PDT)
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1368922252.092 1368922252.093 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 94.61.243.71
Egg Source List: 94.61.243.71
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/18/2013 17:14:13.845 PDT
Gen. Time: 05/18/2013 17:14:13.845 PDT
INBOUND SCAN
EXPLOIT
  94.61.243.71 (17:17:29.513 PDT)
    event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
    445<-2941 (17:17:29.513 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
  94.61.243.71 (17:14:13.845 PDT)
    event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
    34898<-6947 (17:14:13.845 PDT)
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1368922453.845 1368922453.846 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 94.61.243.71
Egg Source List: 94.61.243.71
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/18/2013 17:17:32.389 PDT
Gen. Time: 05/18/2013 17:21:30.463 PDT
INBOUND SCAN
EXPLOIT
  94.61.243.71 (17:21:30.463 PDT)
    event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
    445<-3376 (17:21:30.463 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
  94.61.243.71 (17:17:32.389 PDT)
    event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
    47277<-6947 (17:17:32.389 PDT)
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1368922652.389 1368922652.390 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 94.61.243.71
Egg Source List: 94.61.243.71
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/18/2013 17:21:33.569 PDT
Gen. Time: 05/18/2013 17:21:33.569 PDT
INBOUND SCAN
EXPLOIT
  94.61.243.71 (17:24:52.359 PDT)
    event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
    445<-1656 (17:24:52.359 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
  94.61.243.71 (17:21:33.569 PDT)
    event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
    36643<-6947 (17:21:33.569 PDT)
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1368922893.569 1368922893.570 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 70.234.7.30
Egg Source List: 94.61.243.71
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/18/2013 17:24:54.837 PDT
Gen. Time: 05/18/2013 17:28:47.894 PDT
INBOUND SCAN
EXPLOIT
  70.234.7.30 (17:28:47.894 PDT)
    event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
    445<-8842 (17:28:47.894 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
  94.61.243.71 (17:24:54.837 PDT)
    event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
    39462<-6947 (17:24:54.837 PDT)
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1368923094.837 1368923094.838 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 94.61.243.71, 70.234.7.30
Egg Source List: 94.61.243.71
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/18/2013 17:24:54.837 PDT
Gen. Time: 05/18/2013 17:33:12.589 PDT
INBOUND SCAN
EXPLOIT
  94.61.243.71 (17:29:11.508 PDT)
    event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
    445<-3087 (17:29:11.508 PDT)
  70.234.7.30 (17:28:47.894 PDT)
    event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
    445<-8842 (17:28:47.894 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
  94.61.243.71 (2) (17:24:54.837 PDT)
    event=1:2001685 (2) {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
    39462<-6947 (17:24:54.837 PDT)
    39697<-6947 (17:29:14.286 PDT)
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1368923094.837 1368923094.838 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 94.61.243.71
Egg Source List: 94.61.243.71
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/18/2013 17:33:32.255 PDT
Gen. Time: 05/18/2013 17:33:39.417 PDT
INBOUND SCAN
EXPLOIT
  94.61.243.71 (17:33:32.255 PDT)
    event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
    445<-4562 (17:33:32.255 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
  94.61.243.71 (17:33:39.417 PDT)
    event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
    48807<-6947 (17:33:39.417 PDT)
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1368923612.255 1368923612.256 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 190.48.218.3, 83.98.187.76, 94.61.243.71
Egg Source List: 94.61.243.71
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/18/2013 17:33:32.255 PDT
Gen. Time: 05/18/2013 17:40:14.862 PDT
INBOUND SCAN
EXPLOIT
  190.48.218.3 (17:38:35.449 PDT)
    event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
    445<-4354 (17:38:35.449 PDT)
  83.98.187.76 (17:36:26.123 PDT)
    event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
    445<-1592 (17:36:26.123 PDT)
  94.61.243.71 (2) (17:33:32.255 PDT)
    event=1:22009201 (2) {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
    445<-4562 (17:33:32.255 PDT)
    445<-3663 (17:37:03.867 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
  94.61.243.71 (17:33:39.417 PDT)
    event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
    48807<-6947 (17:33:39.417 PDT)
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1368923612.255 1368923612.256 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 94.61.243.71
Egg Source List: 94.61.243.71
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/18/2013 17:40:22.549 PDT
Gen. Time: 05/18/2013 17:40:25.826 PDT
INBOUND SCAN
EXPLOIT
  94.61.243.71 (2) (17:40:22.549 PDT)
    event=1:22009201 (2) {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
    445<-1619 (17:40:22.549 PDT)
    445<-3556 (17:43:55.776 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
  94.61.243.71 (17:40:25.826 PDT)
    event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
    54012<-6947 (17:40:25.826 PDT)
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1368924022.549 1368924022.550 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 94.61.243.71, 183.8.5.55
Egg Source List: 193.33.90.228, 94.61.243.71, 183.8.5.55
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/18/2013 17:40:22.549 PDT
Gen. Time: 05/18/2013 17:53:25.340 PDT
INBOUND SCAN
EXPLOIT
  94.61.243.71 (4) (17:40:22.549 PDT)
    event=1:22009201 (4) {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
    445<-1619 (17:40:22.549 PDT)
    445<-3556 (17:43:55.776 PDT)
    445<-3482 (17:44:44.649 PDT)
    445<-2198 (17:47:32.511 PDT)
  183.8.5.55 (13) (17:46:25.392 PDT)
    event=1:22009201 (13) {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
    445<-2320 (17:46:25.392 PDT)
    445<-2967 (17:46:38.485 PDT)
    445<-3362 (17:47:02.405 PDT)
    445<-4150 (17:47:22.248 PDT)
    445<-1091 (17:47:45.624 PDT)
    445<-1738 (17:47:59.719 PDT)
    445<-2190 (17:48:17.235 PDT)
    445<-2822 (17:48:33.748 PDT)
    445<-3327 (17:48:51.311 PDT)
    445<-3907 (17:49:07.235 PDT)
    445<-4429 (17:49:27.858 PDT)
    445<-1260 (17:49:42.031 PDT)
    445<-1722 (17:50:00.889 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
  193.33.90.228 (17:51:18.399 PDT)
    event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
    34209<-3670 (17:51:18.399 PDT)
  94.61.243.71 (5) (17:40:25.826 PDT)
    event=1:2001685 (5) {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
    54012<-6947 (17:40:25.826 PDT)
    57897<-6947 (17:47:37.932 PDT)
    54161<-6947 (17:43:58.792 PDT)
    57749<-6947 (17:44:46.989 PDT)
    52975<-6947 (17:51:25.447 PDT)
  183.8.5.55 (11) (17:46:28.665 PDT)
    event=1:2001685 (11) {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
    58859<-2154 (17:47:29.191 PDT)
    58798<-2154 (17:46:28.665 PDT)
    58815<-2154 (17:46:41.285 PDT)
    58838<-2154 (17:47:05.160 PDT)
    39968<-2154 (17:51:07.943 PDT)
    58872<-2154 (17:47:48.741 PDT)
    58884<-2154 (17:48:03.395 PDT)
    58897<-2154 (17:48:20.926 PDT)
    58913<-2154 (17:48:37.489 PDT)
    58927<-2154 (17:48:54.817 PDT)
    58940<-2154 (17:49:10.614 PDT)
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1368924022.549 1368924022.550 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 183.8.5.55
Egg Source List: 183.8.5.55
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/18/2013 17:50:18.139 PDT
Gen. Time: 05/18/2013 17:53:32.395 PDT
INBOUND SCAN
EXPLOIT
  183.8.5.55 (17:53:32.395 PDT)
    event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
    445<-4670 (17:53:32.395 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
  183.8.5.55 (17:50:18.139 PDT)
    event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
    39906<-2154 (17:50:18.139 PDT)
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1368924618.139 1368924618.140 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 94.61.243.71, 183.8.5.55
Egg Source List: 94.61.243.71, 183.8.5.55
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/18/2013 17:50:18.139 PDT
Gen. Time: 05/18/2013 17:57:20.148 PDT
INBOUND SCAN
EXPLOIT
  94.61.243.71 (17:56:59.810 PDT)
    event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
    445<-4177 (17:56:59.810 PDT)
  183.8.5.55 (16) (17:53:32.395 PDT)
    event=1:22009201 (16) {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
    445<-4670 (17:53:32.395 PDT)
    445<-1616 (17:53:46.968 PDT)
    445<-2101 (17:54:18.486 PDT)
    445<-3245 (17:54:36.063 PDT)
    445<-3959 (17:54:57.094 PDT)
    445<-4745 (17:55:10.969 PDT)
    445<-1457 (17:55:29.047 PDT)
    445<-2135 (17:55:42.126 PDT)
    445<-2694 (17:56:00.016 PDT)
    445<-3338 (17:56:13.906 PDT)
    445<-3902 (17:56:37.314 PDT)
    445<-1229 (17:57:12.078 PDT)
    445<-2572 (17:57:41.009 PDT)
    445<-3664 (17:58:01.925 PDT)
    445<-4397 (17:58:29.986 PDT)
    445<-1702 (17:58:45.845 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
  94.61.243.71 (17:57:06.342 PDT)
    event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
    59051<-6947 (17:57:06.342 PDT)
  183.8.5.55 (16) (17:50:18.139 PDT)
    event=1:2001685 (16) {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
    39906<-2154 (17:50:18.139 PDT)
    40133<-2154 (17:53:37.536 PDT)
    39926<-2154 (17:50:37.663 PDT)
    40009<-2154 (17:51:38.254 PDT)
    40023<-2154 (17:51:51.710 PDT)
    40057<-2154 (17:52:11.567 PDT)
    40090<-2154 (17:52:27.817 PDT)
    40110<-2154 (17:52:52.395 PDT)
    49940<-2154 (17:56:46.115 PDT)
    40147<-2154 (17:53:51.132 PDT)
    40172<-2154 (17:54:21.975 PDT)
    49822<-2154 (17:54:40.912 PDT)
    50047<-2154 (17:58:35.554 PDT)
    49839<-2154 (17:55:01.089 PDT)
    49852<-2154 (17:55:14.898 PDT)
    49862<-2154 (17:55:32.155 PDT)
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1368924618.139 1368924618.140 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 183.8.5.55
Egg Source List: 183.8.5.55
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/18/2013 17:57:46.896 PDT
Gen. Time: 05/18/2013 17:57:46.896 PDT
INBOUND SCAN
EXPLOIT
  183.8.5.55 (18:01:14.955 PDT)
    event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
    445<-3665 (18:01:14.955 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
  183.8.5.55 (17:57:46.896 PDT)
    event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
    50001<-2154 (17:57:46.896 PDT)
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1368925066.896 1368925066.897 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 183.8.5.55
Egg Source List: 183.8.5.55
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/18/2013 17:57:46.896 PDT
Gen. Time: 05/18/2013 18:00:19.508 PDT
INBOUND SCAN
EXPLOIT
  183.8.5.55 (9) (18:01:14.955 PDT)
    event=1:22009201 (9) {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
    445<-3665 (18:01:14.955 PDT)
    445<-4237 (18:01:31.356 PDT)
    445<-1091 (18:01:46.423 PDT)
    445<-1733 (18:02:10.800 PDT)
    445<-2646 (18:02:25.189 PDT)
    445<-3161 (18:02:42.049 PDT)
    445<-3699 (18:02:54.908 PDT)
    445<-4142 (18:03:12.502 PDT)
    445<-4741 (18:03:26.392 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
  183.8.5.55 (8) (17:57:46.896 PDT)
    event=1:2001685 (8) {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
    50001<-2154 (17:57:46.896 PDT)
    50019<-2154 (17:58:07.219 PDT)
    57322<-2154 (18:01:51.366 PDT)
    50059<-2154 (17:58:49.244 PDT)
    50077<-2154 (17:59:08.154 PDT)
    50090<-2154 (17:59:23.267 PDT)
    57208<-2154 (18:00:04.226 PDT)
    57221<-2154 (18:00:19.508 PDT)
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1368925066.896 1368925066.897 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 183.8.5.55
Egg Source List: 94.61.243.71
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/18/2013 18:00:43.340 PDT
Gen. Time: 05/18/2013 18:00:43.340 PDT
INBOUND SCAN
EXPLOIT
  183.8.5.55 (18:03:46.924 PDT)
    event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
    445<-1411 (18:03:46.924 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
  94.61.243.71 (18:00:43.340 PDT)
    event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
    51992<-6947 (18:00:43.340 PDT)
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1368925243.340 1368925243.341 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 94.61.243.71, 183.8.5.55
Egg Source List: 94.61.243.71, 183.8.5.55
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/18/2013 18:00:43.340 PDT
Gen. Time: 05/18/2013 18:02:58.180 PDT
INBOUND SCAN
EXPLOIT
  94.61.243.71 (18:04:33.145 PDT)
    event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
    445<-3340 (18:04:33.145 PDT)
  183.8.5.55 (8) (18:03:46.924 PDT)
    event=1:22009201 (8) {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
    445<-1411 (18:03:46.924 PDT)
    445<-1978 (18:04:10.598 PDT)
    445<-2915 (18:04:49.424 PDT)
    445<-4187 (18:05:10.221 PDT)
    445<-4826 (18:05:29.912 PDT)
    445<-1657 (18:05:47.582 PDT)
    445<-2106 (18:06:08.582 PDT)
    445<-2871 (18:06:23.800 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
  94.61.243.71 (2) (18:00:43.340 PDT)
    event=1:2001685 (2) {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
    51992<-6947 (18:00:43.340 PDT)
    57707<-6947 (18:04:39.505 PDT)
  183.8.5.55 (8) (18:00:59.210 PDT)
    event=1:2001685 (8) {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
    57450<-2154 (18:04:19.086 PDT)
    57258<-2154 (18:00:59.210 PDT)
    57286<-2154 (18:01:18.054 PDT)
    57305<-2154 (18:01:34.192 PDT)
    57358<-2154 (18:02:14.335 PDT)
    57385<-2154 (18:02:27.710 PDT)
    57394<-2154 (18:02:45.277 PDT)
    57401<-2154 (18:02:58.180 PDT)
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1368925243.340 1368925243.341 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 183.8.5.55
Egg Source List: 183.8.5.55
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/18/2013 18:03:15.579 PDT
Gen. Time: 05/18/2013 18:03:15.579 PDT
INBOUND SCAN
EXPLOIT
  183.8.5.55 (18:06:42.534 PDT)
    event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
    445<-3316 (18:06:42.534 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
  183.8.5.55 (18:03:15.579 PDT)
    event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
    57409<-2154 (18:03:15.579 PDT)
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1368925395.579 1368925395.580 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 1.3 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 94.61.243.71, 183.8.5.55
Egg Source List: 94.61.243.71, 183.8.5.55
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/18/2013 18:03:15.579 PDT
Gen. Time: 05/18/2013 18:26:50.299 PDT
INBOUND SCAN
EXPLOIT
  94.61.243.71 (18:08:05.514 PDT)
    event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
    445<-3156 (18:08:05.514 PDT)
  183.8.5.55 (16) (18:06:42.534 PDT)
    event=1:22009201 (16) {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
    445<-3316 (18:06:42.534 PDT)
    445<-3924 (18:07:02.221 PDT)
    445<-4572 (18:07:22.862 PDT)
    445<-1402 (18:07:36.144 PDT)
    445<-1863 (18:08:01.931 PDT)
    445<-2744 (18:08:24.441 PDT)
    445<-3421 (18:08:41.800 PDT)
    445<-4022 (18:08:56.239 PDT)
    445<-4504 (18:09:16.301 PDT)
    445<-1283 (18:09:29.912 PDT)
    445<-1751 (18:09:48.410 PDT)
    445<-2332 (18:10:01.646 PDT)
    445<-2762 (18:10:21.911 PDT)
    445<-3531 (18:10:39.707 PDT)
    445<-4218 (18:10:58.800 PDT)
    445<-1047 (18:11:12.132 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
  94.61.243.71 (18:08:09.084 PDT)
    event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
    57893<-6947 (18:08:09.084 PDT)
  183.8.5.55 (16) (18:03:15.579 PDT)
    event=1:2001685 (16) {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
    57409<-2154 (18:03:15.579 PDT)
    57420<-2154 (18:03:30.449 PDT)
    37569<-2154 (18:07:26.268 PDT)
    57430<-2154 (18:03:50.007 PDT)
    37450<-2154 (18:04:55.216 PDT)
    37464<-2154 (18:05:16.414 PDT)
    37474<-2154 (18:05:33.604 PDT)
    37487<-2154 (18:05:50.741 PDT)
    37499<-2154 (18:06:12.274 PDT)
    37514<-2154 (18:06:27.196 PDT)
    37532<-2154 (18:06:45.696 PDT)
    37546<-2154 (18:07:06.398 PDT)
    53342<-2154 (18:10:44.494 PDT)
    37578<-2154 (18:07:39.388 PDT)
    37605<-2154 (18:08:08.337 PDT)
    37618<-2154 (18:08:27.572 PDT)
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
  173.242.117.145 (18:11:29.425 PDT)
    event=1:2008578 {udp} E5[rb] ET SCAN Sipvicious Scan, [] MAC_Src: 00:21:5A:08:EC:40
    5060->5060 (18:11:29.425 PDT)
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1368925395.579 1368925395.580 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 183.8.5.55
Egg Source List: 183.8.5.55
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/18/2013 18:24:03.404 PDT
Gen. Time: 05/18/2013 18:27:12.231 PDT
INBOUND SCAN
EXPLOIT
  183.8.5.55 (18:27:12.231 PDT)
    event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
    445<-1775 (18:27:12.231 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
  183.8.5.55 (18:24:03.404 PDT)
    event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
    49174<-2154 (18:24:03.404 PDT)
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1368926643.404 1368926643.405 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 94.61.243.71, 183.8.5.55
Egg Source List: 94.61.243.71, 183.8.5.55
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/18/2013 18:24:03.404 PDT
Gen.
Time: 05/18/2013 18:29:31.334 PDT INBOUND SCAN EXPLOIT 94.61.243.71 (18:27:21.655 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-2184 (18:27:21.655 PDT) 183.8.5.55 (8) (18:27:12.231 PDT) event=1:22009201 (8) {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-1775 (18:27:12.231 PDT) 445<-2893 (18:27:31.700 PDT) 445<-3449 (18:27:48.898 PDT) 445<-4095 (18:28:08.195 PDT) 445<-4652 (18:28:26.134 PDT) 445<-1405 (18:28:40.211 PDT) 445<-1880 (18:28:58.370 PDT) 445<-2544 (18:29:19.119 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 94.61.243.71 (18:27:27.130 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 60370<-6947 (18:27:27.130 PDT) 183.8.5.55 (9) (18:24:03.404 PDT) event=1:2001685 (9) {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 49174<-2154 (18:24:03.404 PDT) 49182<-2154 (18:24:21.559 PDT) 55676<-2154 (18:24:38.590 PDT) 55690<-2154 (18:24:52.075 PDT) 55712<-2154 (18:25:10.466 PDT) 55724<-2154 (18:25:27.030 PDT) 55745<-2154 (18:25:51.622 PDT) 55767<-2154 (18:26:11.872 PDT) 55782<-2154 (18:26:28.841 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368926643.404 1368926643.405 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 183.8.5.55 Egg Source List: 183.8.5.55 C & C List: Peer Coord. List: Resource List: Observed Start: 05/18/2013 18:26:43.857 PDT Gen. 
Time: 05/18/2013 18:26:43.857 PDT INBOUND SCAN EXPLOIT 183.8.5.55 (18:29:46.669 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-3257 (18:29:46.669 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 183.8.5.55 (18:26:43.857 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 55799<-2154 (18:26:43.857 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368926803.857 1368926803.858 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 94.61.243.71, 183.8.5.55 Egg Source List: 94.61.243.71, 183.8.5.55 C & C List: Peer Coord. List: Resource List: Observed Start: 05/18/2013 18:26:43.857 PDT Gen. 
Time: 05/18/2013 18:30:38.154 PDT INBOUND SCAN EXPLOIT 94.61.243.71 (18:31:42.986 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-4480 (18:31:42.986 PDT) 183.8.5.55 (14) (18:29:46.669 PDT) event=1:22009201 (14) {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-3257 (18:29:46.669 PDT) 445<-4093 (18:30:08.728 PDT) 445<-4944 (18:30:34.637 PDT) 445<-1795 (18:30:48.369 PDT) 445<-2269 (18:31:08.375 PDT) 445<-2911 (18:31:21.979 PDT) 445<-3447 (18:31:51.580 PDT) 445<-4332 (18:32:05.775 PDT) 445<-4824 (18:32:23.432 PDT) 445<-1658 (18:32:40.916 PDT) 445<-2093 (18:32:59.338 PDT) 445<-2690 (18:33:12.056 PDT) 445<-3162 (18:33:38.558 PDT) 445<-4012 (18:33:52.371 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 94.61.243.71 (18:31:49.076 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 39369<-6947 (18:31:49.076 PDT) 183.8.5.55 (13) (18:26:43.857 PDT) event=1:2001685 (13) {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 55799<-2154 (18:26:43.857 PDT) 35361<-2154 (18:30:13.436 PDT) 55834<-2154 (18:27:18.498 PDT) 55852<-2154 (18:27:35.326 PDT) 55870<-2154 (18:27:52.078 PDT) 55884<-2154 (18:28:11.185 PDT) 35420<-2154 (18:31:29.453 PDT) 55889<-2154 (18:28:29.420 PDT) 55903<-2154 (18:28:43.499 PDT) 55918<-2154 (18:29:04.030 PDT) 55940<-2154 (18:29:23.669 PDT) 35342<-2154 (18:29:50.842 PDT) 35382<-2154 (18:30:38.154 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368926803.857 1368926803.858 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' 
============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 183.8.5.55 Egg Source List: 183.8.5.55 C & C List: Peer Coord. List: Resource List: Observed Start: 05/18/2013 18:30:52.264 PDT Gen. Time: 05/18/2013 18:30:52.264 PDT INBOUND SCAN EXPLOIT 183.8.5.55 (18:34:09.387 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-4443 (18:34:09.387 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 183.8.5.55 (18:30:52.264 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 35394<-2154 (18:30:52.264 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368927052.264 1368927052.265 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 91.219.157.245, 94.61.243.71, 183.8.5.55 Egg Source List: 91.219.157.245, 94.61.243.71, 183.8.5.55 C & C List: Peer Coord. List: Resource List: Observed Start: 05/18/2013 18:30:52.264 PDT Gen. 
Time: 05/18/2013 18:33:17.515 PDT INBOUND SCAN EXPLOIT 91.219.157.245 (18:36:23.222 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-4863 (18:36:23.222 PDT) 94.61.243.71 (18:35:19.105 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-3312 (18:35:19.105 PDT) 183.8.5.55 (8) (18:34:09.387 PDT) event=1:22009201 (8) {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-4443 (18:34:09.387 PDT) 445<-1183 (18:34:24.995 PDT) 445<-1691 (18:34:49.339 PDT) 445<-2542 (18:35:09.232 PDT) 445<-3243 (18:35:33.060 PDT) 445<-3907 (18:35:45.871 PDT) 445<-4382 (18:36:10.688 PDT) 445<-1387 (18:36:31.387 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 91.219.157.245 (18:36:27.800 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 50558<-3785 (18:36:27.800 PDT) 94.61.243.71 (18:35:24.145 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 49169<-6947 (18:35:24.145 PDT) 183.8.5.55 (9) (18:30:52.264 PDT) event=1:2001685 (9) {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 35394<-2154 (18:30:52.264 PDT) 35410<-2154 (18:31:11.250 PDT) 42205<-2154 (18:35:13.937 PDT) 35442<-2154 (18:31:55.295 PDT) 35462<-2154 (18:32:08.483 PDT) 35508<-2154 (18:32:26.310 PDT) 35531<-2154 (18:32:43.968 PDT) 35547<-2154 (18:33:02.483 PDT) 35567<-2154 (18:33:17.515 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368927052.264 1368927052.265 
inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 183.8.5.55 Egg Source List: 183.8.5.55 C & C List: Peer Coord. List: Resource List: Observed Start: 05/18/2013 18:36:50.137 PDT Gen. Time: 05/18/2013 18:36:53.156 PDT INBOUND SCAN EXPLOIT 183.8.5.55 (18:36:50.137 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-2004 (18:36:50.137 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 183.8.5.55 (18:36:53.156 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 42266<-2154 (18:36:53.156 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368927410.137 1368927410.138 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 183.8.5.55 Egg Source List: 183.8.5.55 C & C List: Peer Coord. List: Resource List: Observed Start: 05/18/2013 18:33:41.796 PDT Gen. 
Time: 05/18/2013 18:37:56.050 PDT INBOUND SCAN EXPLOIT 183.8.5.55 (4) (18:36:50.137 PDT) event=1:22009201 (4) {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-2004 (18:36:50.137 PDT) 445<-2746 (18:37:08.682 PDT) 445<-3280 (18:37:38.980 PDT) 445<-4209 (18:37:51.477 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 183.8.5.55 (5) (18:33:41.796 PDT) event=1:2001685 (5) {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 42266<-2154 (18:36:53.156 PDT) 35580<-2154 (18:33:41.796 PDT) 35594<-2154 (18:33:55.436 PDT) 35602<-2154 (18:34:12.609 PDT) 35612<-2154 (18:34:27.874 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368927221.796 1368927221.797 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 183.8.5.55 Egg Source List: 183.8.5.55 C & C List: Peer Coord. List: Resource List: Observed Start: 05/18/2013 18:34:53.046 PDT Gen. 
Time: 05/18/2013 18:34:53.046 PDT INBOUND SCAN EXPLOIT 183.8.5.55 (18:38:10.042 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-4670 (18:38:10.042 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 183.8.5.55 (18:34:53.046 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 42190<-2154 (18:34:53.046 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368927293.046 1368927293.047 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 93.126.85.47, 94.61.243.71, 183.8.5.55 Egg Source List: 93.126.85.47, 94.61.243.71, 183.8.5.55 C & C List: Peer Coord. List: Resource List: Observed Start: 05/18/2013 18:34:53.046 PDT Gen. 
Time: 05/18/2013 18:42:05.656 PDT INBOUND SCAN EXPLOIT 93.126.85.47 (18:39:24.518 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-18186 (18:39:24.518 PDT) 94.61.243.71 (18:40:00.669 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-2619 (18:40:00.669 PDT) 183.8.5.55 (12) (18:38:10.042 PDT) event=1:22009201 (12) {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-4670 (18:38:10.042 PDT) 445<-1428 (18:38:24.184 PDT) 445<-1888 (18:38:42.870 PDT) 445<-2473 (18:38:58.651 PDT) 445<-3170 (18:39:34.214 PDT) 445<-4412 (18:40:08.214 PDT) 445<-1452 (18:40:24.730 PDT) 445<-1996 (18:40:38.605 PDT) 445<-2506 (18:40:57.688 PDT) 445<-3162 (18:41:16.215 PDT) 445<-3679 (18:41:34.014 PDT) 445<-4351 (18:41:49.280 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 93.126.85.47 (18:39:31.588 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 58002<-4135 (18:39:31.588 PDT) 94.61.243.71 (18:40:08.437 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 45847<-6947 (18:40:08.437 PDT) 183.8.5.55 (12) (18:34:53.046 PDT) event=1:2001685 (12) {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 42190<-2154 (18:34:53.046 PDT) 42217<-2154 (18:35:35.499 PDT) 42354<-2154 (18:39:08.219 PDT) 42226<-2154 (18:35:50.609 PDT) 42242<-2154 (18:36:14.836 PDT) 47259<-2154 (18:39:42.235 PDT) 42255<-2154 (18:36:35.073 PDT) 42271<-2154 (18:37:11.783 PDT) 42291<-2154 (18:37:42.174 PDT) 42305<-2154 (18:37:54.625 PDT) 42320<-2154 (18:38:13.236 PDT) 42332<-2154 (18:38:28.625 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION 
Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368927293.046 1368927293.047 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 183.8.5.55 Egg Source List: 183.8.5.55 C & C List: Peer Coord. List: Resource List: Observed Start: 05/18/2013 18:38:46.537 PDT Gen. Time: 05/18/2013 18:38:46.537 PDT INBOUND SCAN EXPLOIT 183.8.5.55 (18:42:07.919 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-4897 (18:42:07.919 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 183.8.5.55 (18:38:46.537 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 42343<-2154 (18:38:46.537 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368927526.537 1368927526.538 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 94.61.243.71, 183.8.5.55 Egg Source List: 94.61.243.71, 183.8.5.55 C & C List: Peer Coord. List: Resource List: Observed Start: 05/18/2013 18:38:46.537 PDT Gen. 
Time: 05/18/2013 18:48:56.640 PDT INBOUND SCAN EXPLOIT 94.61.243.71 (18:43:41.962 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-1773 (18:43:41.962 PDT) 183.8.5.55 (16) (18:42:07.919 PDT) event=1:22009201 (16) {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-4897 (18:42:07.919 PDT) 445<-1645 (18:42:28.215 PDT) 445<-2283 (18:42:55.403 PDT) 445<-3103 (18:43:14.748 PDT) 445<-3822 (18:43:45.513 PDT) 445<-4765 (18:43:59.170 PDT) 445<-1356 (18:44:22.888 PDT) 445<-2238 (18:44:43.441 PDT) 445<-2900 (18:45:04.550 PDT) 445<-3515 (18:45:17.857 PDT) 445<-3938 (18:45:34.029 PDT) 445<-4471 (18:45:47.466 PDT) 445<-1078 (18:46:05.075 PDT) 445<-1669 (18:46:19.920 PDT) 445<-2155 (18:46:37.186 PDT) 445<-2784 (18:46:54.687 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 94.61.243.71 (18:43:48.446 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 46022<-6947 (18:43:48.446 PDT) 183.8.5.55 (16) (18:38:46.537 PDT) event=1:2001685 (16) {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 42343<-2154 (18:38:46.537 PDT) 47391<-2154 (18:42:32.923 PDT) 47281<-2154 (18:40:11.642 PDT) 47297<-2154 (18:40:28.079 PDT) 47311<-2154 (18:40:42.923 PDT) 47324<-2154 (18:41:01.564 PDT) 47335<-2154 (18:41:19.080 PDT) 42186<-2154 (18:44:46.845 PDT) 47350<-2154 (18:41:37.596 PDT) 47357<-2154 (18:41:52.128 PDT) 47371<-2154 (18:42:13.221 PDT) 47413<-2154 (18:42:59.377 PDT) 47421<-2154 (18:43:17.721 PDT) 47454<-2154 (18:43:48.908 PDT) 42267<-2154 (18:47:07.987 PDT) 47459<-2154 (18:44:02.098 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE 
BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368927526.537 1368927526.538 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 183.8.5.55 Egg Source List: 183.8.5.55 C & C List: Peer Coord. List: Resource List: Observed Start: 05/18/2013 18:45:50.441 PDT Gen. Time: 05/18/2013 18:45:50.441 PDT INBOUND SCAN EXPLOIT 183.8.5.55 (18:49:04.298 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-3108 (18:49:04.298 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 183.8.5.55 (18:45:50.441 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 42225<-2154 (18:45:50.441 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368927950.441 1368927950.442 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 94.61.243.71, 183.8.5.55 Egg Source List: 94.61.243.71, 183.8.5.55 C & C List: Peer Coord. List: Resource List: Observed Start: 05/18/2013 18:45:50.441 PDT Gen. 
Time: 05/18/2013 18:51:59.858 PDT INBOUND SCAN EXPLOIT 94.61.243.71 (18:50:28.506 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-2063 (18:50:28.506 PDT) 183.8.5.55 (11) (18:49:04.298 PDT) event=1:22009201 (11) {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-3108 (18:49:04.298 PDT) 445<-3800 (18:49:19.623 PDT) 445<-4243 (18:49:36.108 PDT) 445<-4797 (18:49:48.749 PDT) 445<-1362 (18:50:07.642 PDT) 445<-2118 (18:50:35.468 PDT) 445<-2905 (18:50:53.170 PDT) 445<-3470 (18:51:06.702 PDT) 445<-3894 (18:51:23.578 PDT) 445<-4460 (18:51:36.988 PDT) 445<-1070 (18:51:53.515 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 94.61.243.71 (18:50:34.389 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 33905<-6947 (18:50:34.389 PDT) 183.8.5.55 (9) (18:45:50.441 PDT) event=1:2001685 (9) {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 42225<-2154 (18:45:50.441 PDT) 42235<-2154 (18:46:08.674 PDT) 42246<-2154 (18:46:22.959 PDT) 42255<-2154 (18:46:40.721 PDT) 42275<-2154 (18:47:31.784 PDT) 42307<-2154 (18:47:47.693 PDT) 42351<-2154 (18:48:04.630 PDT) 42364<-2154 (18:48:17.206 PDT) 42387<-2154 (18:48:35.035 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368927950.441 1368927950.442 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 183.8.5.55 Egg Source List: 183.8.5.55 C & C List: Peer Coord. 
List: Resource List: Observed Start: 05/18/2013 18:48:47.506 PDT Gen. Time: 05/18/2013 18:48:47.506 PDT INBOUND SCAN EXPLOIT 183.8.5.55 (18:52:07.452 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-1610 (18:52:07.452 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 183.8.5.55 (18:48:47.506 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 42399<-2154 (18:48:47.506 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368928127.506 1368928127.507 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 81.200.145.232, 94.61.243.71, 183.8.5.55 Egg Source List: 81.200.145.232, 94.61.243.71, 183.8.5.55 C & C List: Peer Coord. List: Resource List: Observed Start: 05/18/2013 18:48:47.506 PDT Gen. 
Time: 05/18/2013 18:54:55.367 PDT INBOUND SCAN EXPLOIT 81.200.145.232 (18:53:19.423 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-2048 (18:53:19.423 PDT) 94.61.243.71 (18:54:42.502 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-2456 (18:54:42.502 PDT) 183.8.5.55 (15) (18:52:07.452 PDT) event=1:22009201 (15) {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-1610 (18:52:07.452 PDT) 445<-2047 (18:52:24.030 PDT) 445<-2725 (18:52:45.893 PDT) 445<-3614 (18:53:23.764 PDT) 445<-4564 (18:53:36.656 PDT) 445<-1173 (18:53:53.953 PDT) 445<-1775 (18:54:14.874 PDT) 445<-2564 (18:54:51.906 PDT) 445<-3648 (18:55:05.156 PDT) 445<-4066 (18:55:23.705 PDT) 445<-4678 (18:55:36.423 PDT) 445<-1262 (18:56:00.734 PDT) 445<-2123 (18:56:18.221 PDT) 445<-2721 (18:56:39.767 PDT) 445<-3363 (18:56:59.844 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 81.200.145.232 (3) (18:53:24.128 PDT) event=1:2001683 {tcp} E3[rb] ET MALWARE Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 50372<-80 (18:53:24.128 PDT) ------------------------- event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 50372<-80 (18:53:24.128 PDT) ------------------------- event=1:2012633 {tcp} E3[rb] ET TROJAN Content-Type image/jpeg with DOS MZ header set likely 2nd stage download, [] MAC_Src: 00:21:1C:EE:14:00 50372<-80 (18:53:24.128 PDT) 94.61.243.71 (18:54:49.540 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 50347<-6947 (18:54:49.540 PDT) 183.8.5.55 (13) (18:48:47.506 PDT) event=1:2001685 (13) {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 42399<-2154 (18:48:47.506 PDT) 
42416<-2154 (18:49:07.883 PDT) 53364<-2154 (18:52:29.942 PDT) 42430<-2154 (18:49:22.567 PDT) 53385<-2154 (18:52:52.037 PDT) 53234<-2154 (18:49:38.878 PDT) 53240<-2154 (18:49:52.019 PDT) 53259<-2154 (18:50:11.145 PDT) 53279<-2154 (18:50:38.879 PDT) 53479<-2154 (18:54:23.446 PDT) 53295<-2154 (18:50:56.754 PDT) 53306<-2154 (18:51:09.598 PDT) 53319<-2154 (18:51:26.990 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368928127.506 1368928127.507 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 94.61.243.71 Egg Source List: 183.8.5.55 C & C List: Peer Coord. List: Resource List: Observed Start: 05/18/2013 18:55:08.382 PDT Gen. 