Score: 1.1 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 05/18/2013 09:24:01.431 PDT Gen. Time: 05/18/2013 09:27:09.680 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) 181.71.93.116 (2) (09:24:01.431 PDT) event=777:7777005 (2) {tcp} E5[bh] Detected moderate malware port scanning of 19 IPs (19 /24s) (# pkts S/M/O/I=0/19/0/0): 445:19, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (09:24:01.431 PDT) 0->0 (09:25:58.477 PDT) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 181.71.93.116 (09:27:09.680 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 21 IPs (21 /24s) (# pkts S/M/O/I=0/21/0/0): 445:21, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (09:27:09.680 PDT) tcpslice 1368894241.431 1368894241.432 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 05/18/2013 09:31:11.161 PDT Gen. Time: 05/18/2013 09:31:11.161 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 181.71.93.116 (09:31:11.161 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 23 IPs (23 /24s) (# pkts S/M/O/I=0/23/0/0): 445:23, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (09:31:11.161 PDT) tcpslice 1368894671.161 1368894671.162 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 05/18/2013 09:34:54.580 PDT Gen. Time: 05/18/2013 09:34:54.580 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 181.71.93.116 (09:34:54.580 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 24 IPs (24 /24s) (# pkts S/M/O/I=0/24/0/0): 445:24, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (09:34:54.580 PDT) tcpslice 1368894894.580 1368894894.581 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 05/18/2013 09:40:43.197 PDT Gen. Time: 05/18/2013 09:40:43.197 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 181.71.93.116 (09:40:43.197 PDT) event=777:7777008 {icmp} E8[bh] Detected intense malware port scanning of 26 IPs (26 /24s) (# pkts S/M/O/I=0/26/0/0): 445:26, [] MAC_Src: 00:21:1C:EE:14:00 (09:40:43.197 PDT) tcpslice 1368895243.197 1368895243.198 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 05/18/2013 09:46:26.489 PDT Gen. Time: 05/18/2013 09:46:26.489 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 181.71.93.116 (09:46:26.489 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 28 IPs (28 /24s) (# pkts S/M/O/I=0/28/0/0): 445:28, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (09:46:26.489 PDT) tcpslice 1368895586.489 1368895586.490 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 05/18/2013 09:51:06.354 PDT Gen. Time: 05/18/2013 09:51:06.354 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 181.71.93.116 (09:51:06.354 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 30 IPs (30 /24s) (# pkts S/M/O/I=0/30/0/0): 445:30, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (09:51:06.354 PDT) tcpslice 1368895866.354 1368895866.355 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 05/18/2013 09:51:06.354 PDT Gen. Time: 05/18/2013 09:54:36.334 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 181.71.93.116 (2) (09:51:06.354 PDT) event=777:7777008 (2) {tcp} E8[bh] Detected intense malware port scanning of 30 IPs (30 /24s) (# pkts S/M/O/I=0/30/0/0): 445:30, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (09:51:06.354 PDT) 0->0 (09:54:19.412 PDT) tcpslice 1368895866.354 1368895866.355 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 05/18/2013 09:58:16.332 PDT Gen. Time: 05/18/2013 09:58:16.332 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 181.71.93.116 (09:58:16.332 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 32 IPs (32 /24s) (# pkts S/M/O/I=0/32/0/0): 445:32, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (09:58:16.332 PDT) tcpslice 1368896296.332 1368896296.333 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 1.1 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 05/18/2013 12:42:35.570 PDT Gen. Time: 05/18/2013 12:43:19.221 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) 190.57.153.89 (12:42:35.570 PDT) event=777:7777005 {tcp} E5[bh] Detected moderate malware port scanning of 20 IPs (20 /24s) (# pkts S/M/O/I=0/19/1/0): 445:19, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (12:42:35.570 PDT) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 190.57.153.89 (12:43:19.221 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 21 IPs (21 /24s) (# pkts S/M/O/I=0/20/1/0): 445:20, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (12:43:19.221 PDT) tcpslice 1368906155.570 1368906155.571 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 05/18/2013 12:51:59.551 PDT Gen. Time: 05/18/2013 12:51:59.551 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 190.57.153.89 (12:51:59.551 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 23 IPs (23 /24s) (# pkts S/M/O/I=0/22/1/0): 445:22, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (12:51:59.551 PDT) tcpslice 1368906719.551 1368906719.552 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 05/18/2013 12:51:59.551 PDT Gen. Time: 05/18/2013 12:55:11.801 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 190.57.153.89 (2) (12:51:59.551 PDT) event=777:7777008 (2) {tcp} E8[bh] Detected intense malware port scanning of 23 IPs (23 /24s) (# pkts S/M/O/I=0/22/1/0): 445:22, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (12:51:59.551 PDT) 0->0 (12:54:08.197 PDT) tcpslice 1368906719.551 1368906719.552 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 05/18/2013 12:56:03.995 PDT Gen. Time: 05/18/2013 12:56:03.995 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 190.57.153.89 (12:56:03.995 PDT) event=777:7777008 {icmp} E8[bh] Detected intense malware port scanning of 30 IPs (30 /24s) (# pkts S/M/O/I=0/27/3/0): 445:27, [] MAC_Src: 00:21:1C:EE:14:00 (12:56:03.995 PDT) tcpslice 1368906963.995 1368906963.996 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 05/18/2013 13:02:46.307 PDT Gen. Time: 05/18/2013 13:02:46.307 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 190.57.153.89 (13:02:46.307 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 32 IPs (32 /24s) (# pkts S/M/O/I=0/29/3/0): 445:29, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (13:02:46.307 PDT) tcpslice 1368907366.307 1368907366.308 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 05/18/2013 13:07:22.683 PDT Gen. Time: 05/18/2013 13:07:22.683 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 190.57.153.89 (13:07:22.683 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 33 IPs (33 /24s) (# pkts S/M/O/I=0/30/3/0): 445:30, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (13:07:22.683 PDT) tcpslice 1368907642.683 1368907642.684 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 05/18/2013 13:07:22.683 PDT Gen. Time: 05/18/2013 13:11:24.363 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 190.57.153.89 (2) (13:07:22.683 PDT) event=777:7777008 (2) {tcp} E8[bh] Detected intense malware port scanning of 33 IPs (33 /24s) (# pkts S/M/O/I=0/30/3/0): 445:30, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (13:07:22.683 PDT) 0->0 (13:10:36.917 PDT) tcpslice 1368907642.683 1368907642.684 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================