Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 94.61.243.71 Egg Source List: 94.61.243.71 C & C List: Peer Coord. List: Resource List: Observed Start: 05/18/2013 23:55:35.955 PDT Gen. Time: 05/19/2013 00:00:10.238 PDT INBOUND SCAN EXPLOIT 94.61.243.71 (3) (23:59:34.811 PDT) event=1:22009201 (3) {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-4914 (23:59:34.811 PDT) 445<-2652 (23:59:48.507 PDT) 445<-3720 (00:00:05.492 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 94.61.243.71 (3) (23:55:35.955 PDT) event=1:2001685 (3) {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 34969<-6947 (23:55:35.955 PDT) 34985<-6947 (23:55:52.333 PDT) 34998<-6947 (23:56:05.593 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368946535.955 1368946535.956 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 220.244.175.83 Egg Source List: 94.61.243.71 C & C List: Peer Coord. List: Resource List: Observed Start: 05/19/2013 00:00:46.552 PDT Gen. 
Time: 05/19/2013 00:00:48.202 PDT INBOUND SCAN EXPLOIT 220.244.175.83 (00:00:48.202 PDT) event=1:22465 {tcp} E2[rb] GPL NETBIOS SMB-DS IPC$ share access, [] MAC_Dst: 00:21:5A:08:EC:40 445<-22833 (00:00:48.202 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 94.61.243.71 (00:00:46.552 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 53127<-6947 (00:00:46.552 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368946846.552 1368946846.553 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 220.244.175.83, 94.61.243.71 Egg Source List: 94.61.243.71 C & C List: Peer Coord. List: Resource List: Observed Start: 05/18/2013 23:56:57.243 PDT Gen. 
Time: 05/19/2013 00:02:45.742 PDT INBOUND SCAN EXPLOIT 220.244.175.83 (00:00:48.202 PDT) event=1:22465 {tcp} E2[rb] GPL NETBIOS SMB-DS IPC$ share access, [] MAC_Dst: 00:21:5A:08:EC:40 445<-22833 (00:00:48.202 PDT) 94.61.243.71 (7) (00:00:58.901 PDT) event=1:22009201 (7) {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-4929 (00:00:58.901 PDT) 445<-2530 (00:01:18.580 PDT) 445<-3826 (00:01:33.001 PDT) 445<-1388 (00:01:53.007 PDT) 445<-2956 (00:02:07.203 PDT) 445<-4148 (00:02:26.676 PDT) 445<-2028 (00:02:39.791 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 94.61.243.71 (7) (23:56:57.243 PDT) event=1:2001685 (7) {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 53127<-6947 (00:00:46.552 PDT) 35091<-6947 (23:56:57.243 PDT) 35151<-6947 (23:57:15.649 PDT) 35206<-6947 (23:57:31.488 PDT) 35313<-6947 (23:57:59.639 PDT) 35362<-6947 (23:58:13.218 PDT) 35449<-6947 (23:58:33.191 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368946617.243 1368946617.244 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 94.61.243.71 Egg Source List: 94.61.243.71 C & C List: Peer Coord. List: Resource List: Observed Start: 05/18/2013 23:58:46.824 PDT Gen. 
Time: 05/19/2013 00:02:55.265 PDT INBOUND SCAN EXPLOIT 94.61.243.71 (00:02:55.265 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-3034 (00:02:55.265 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 94.61.243.71 (23:58:46.824 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 35485<-6947 (23:58:46.824 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368946726.824 1368946726.825 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 94.61.243.71 Egg Source List: 94.61.243.71 C & C List: Peer Coord. List: Resource List: Observed Start: 05/18/2013 23:58:46.824 PDT Gen. 
Time: 05/19/2013 00:03:22.350 PDT INBOUND SCAN EXPLOIT 94.61.243.71 (2) (00:02:55.265 PDT) event=1:22009201 (2) {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-3034 (00:02:55.265 PDT) 445<-4394 (00:03:08.452 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 94.61.243.71 (2) (23:58:46.824 PDT) event=1:2001685 (2) {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 35485<-6947 (23:58:46.824 PDT) 35550<-6947 (23:59:03.065 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368946726.824 1368946726.825 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 94.61.243.71 Egg Source List: 94.61.243.71 C & C List: Peer Coord. List: Resource List: Observed Start: 05/18/2013 23:59:37.845 PDT Gen. 
Time: 05/19/2013 00:04:29.761 PDT INBOUND SCAN EXPLOIT 94.61.243.71 (4) (00:03:38.240 PDT) event=1:22009201 (4) {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-3146 (00:03:38.240 PDT) 445<-4225 (00:03:53.781 PDT) 445<-1851 (00:04:05.918 PDT) 445<-2899 (00:04:27.900 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 94.61.243.71 (3) (23:59:37.845 PDT) event=1:2001685 (3) {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 53001<-6947 (23:59:37.845 PDT) 53031<-6947 (23:59:51.988 PDT) 53077<-6947 (00:00:09.219 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368946777.845 1368946777.846 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 94.61.243.71 Egg Source List: 94.61.243.71 C & C List: Peer Coord. List: Resource List: Observed Start: 05/19/2013 00:00:24.973 PDT Gen. 
Time: 05/19/2013 00:04:54.510 PDT INBOUND SCAN EXPLOIT 94.61.243.71 (00:04:54.510 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-1702 (00:04:54.510 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 94.61.243.71 (2) (00:00:24.973 PDT) event=1:2001685 (2) {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 53351<-6947 (00:04:36.001 PDT) 53102<-6947 (00:00:24.973 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368946824.973 1368946824.974 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 94.61.243.71 Egg Source List: 94.61.243.71 C & C List: Peer Coord. List: Resource List: Observed Start: 05/19/2013 00:00:24.973 PDT Gen. 
Time: 05/19/2013 00:06:09.229 PDT INBOUND SCAN EXPLOIT 94.61.243.71 (5) (00:04:54.510 PDT) event=1:22009201 (5) {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-1702 (00:04:54.510 PDT) 445<-3490 (00:05:14.259 PDT) 445<-1172 (00:05:27.353 PDT) 445<-2209 (00:05:42.297 PDT) 445<-3450 (00:05:55.736 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 94.61.243.71 (5) (00:00:24.973 PDT) event=1:2001685 (5) {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 53351<-6947 (00:04:36.001 PDT) 53102<-6947 (00:00:24.973 PDT) 53165<-6947 (00:01:07.430 PDT) 53184<-6947 (00:01:21.705 PDT) 53187<-6947 (00:01:35.708 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368946824.973 1368946824.974 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 94.61.243.71 Egg Source List: 94.61.243.71 C & C List: Peer Coord. List: Resource List: Observed Start: 05/19/2013 00:01:55.895 PDT Gen. 
Time: 05/19/2013 00:01:55.895 PDT INBOUND SCAN EXPLOIT 94.61.243.71 (00:06:11.196 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-4722 (00:06:11.196 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 94.61.243.71 (00:01:55.895 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 53197<-6947 (00:01:55.895 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368946915.895 1368946915.896 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 94.61.243.71 Egg Source List: 94.61.243.71 C & C List: Peer Coord. List: Resource List: Observed Start: 05/19/2013 00:02:09.994 PDT Gen. 
Time: 05/19/2013 00:02:09.994 PDT INBOUND SCAN EXPLOIT 94.61.243.71 (00:06:24.423 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-2192 (00:06:24.423 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 94.61.243.71 (00:02:09.994 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 53201<-6947 (00:02:09.994 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368946929.994 1368946929.995 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 94.61.243.71 Egg Source List: 94.61.243.71 C & C List: Peer Coord. List: Resource List: Observed Start: 05/19/2013 00:02:29.423 PDT Gen. 
Time: 05/19/2013 00:02:29.423 PDT INBOUND SCAN EXPLOIT 94.61.243.71 (00:06:40.883 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-3307 (00:06:40.883 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 94.61.243.71 (00:02:29.423 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 53210<-6947 (00:02:29.423 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368946949.423 1368946949.424 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 94.61.243.71 Egg Source List: 94.61.243.71 C & C List: Peer Coord. List: Resource List: Observed Start: 05/19/2013 00:02:42.956 PDT Gen. 
Time: 05/19/2013 00:02:42.956 PDT INBOUND SCAN EXPLOIT 94.61.243.71 (00:06:54.255 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-1067 (00:06:54.255 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 94.61.243.71 (00:02:42.956 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 53228<-6947 (00:02:42.956 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368946962.956 1368946962.957 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 94.61.243.71 Egg Source List: 94.61.243.71 C & C List: Peer Coord. List: Resource List: Observed Start: 05/19/2013 00:02:57.905 PDT Gen. 
Time: 05/19/2013 00:02:57.905 PDT INBOUND SCAN EXPLOIT 94.61.243.71 (00:07:17.131 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-2009 (00:07:17.131 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 94.61.243.71 (00:02:57.905 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 53237<-6947 (00:02:57.905 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368946977.905 1368946977.906 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 94.61.243.71 Egg Source List: 94.61.243.71 C & C List: Peer Coord. List: Resource List: Observed Start: 05/19/2013 00:03:28.580 PDT Gen. 
Time: 05/19/2013 00:03:28.580 PDT INBOUND SCAN EXPLOIT 94.61.243.71 (00:07:30.271 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-3926 (00:07:30.271 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 94.61.243.71 (00:03:28.580 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 53256<-6947 (00:03:28.580 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368947008.580 1368947008.581 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 94.61.243.71 Egg Source List: 94.61.243.71 C & C List: Peer Coord. List: Resource List: Observed Start: 05/19/2013 00:03:41.272 PDT Gen. 
Time: 05/19/2013 00:03:41.272 PDT INBOUND SCAN EXPLOIT 94.61.243.71 (2) (00:07:45.939 PDT) event=1:22009201 (2) {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-1351 (00:07:45.939 PDT) 445<-2569 (00:07:57.691 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 94.61.243.71 (00:03:41.272 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 53274<-6947 (00:03:41.272 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368947021.272 1368947021.273 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 94.61.243.71 Egg Source List: 94.61.243.71 C & C List: Peer Coord. List: Resource List: Observed Start: 05/19/2013 00:04:09.451 PDT Gen. 
Time: 05/19/2013 00:04:09.451 PDT INBOUND SCAN EXPLOIT 94.61.243.71 (00:08:22.706 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-3767 (00:08:22.706 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 94.61.243.71 (00:04:09.451 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 53302<-6947 (00:04:09.451 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368947049.451 1368947049.452 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 94.61.243.71 Egg Source List: 94.61.243.71 C & C List: Peer Coord. List: Resource List: Observed Start: 05/19/2013 00:05:01.026 PDT Gen. 
Time: 05/19/2013 00:05:01.026 PDT INBOUND SCAN EXPLOIT 94.61.243.71 (2) (00:08:41.910 PDT) event=1:22009201 (2) {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-2173 (00:08:41.910 PDT) 445<-3801 (00:09:05.118 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 94.61.243.71 (00:05:01.026 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 60872<-6947 (00:05:01.026 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368947101.026 1368947101.027 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 94.61.243.71 Egg Source List: 94.61.243.71 C & C List: Peer Coord. List: Resource List: Observed Start: 05/19/2013 00:05:17.229 PDT Gen. 
Time: 05/19/2013 00:05:17.229 PDT INBOUND SCAN EXPLOIT 94.61.243.71 (00:09:17.535 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-1837 (00:09:17.535 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 94.61.243.71 (00:05:17.229 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 60890<-6947 (00:05:17.229 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368947117.229 1368947117.230 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 94.61.243.71 Egg Source List: 94.61.243.71 C & C List: Peer Coord. List: Resource List: Observed Start: 05/19/2013 00:05:30.710 PDT Gen. 
Time: 05/19/2013 00:09:34.175 PDT INBOUND SCAN EXPLOIT 94.61.243.71 (00:09:34.175 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-2860 (00:09:34.175 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 94.61.243.71 (00:05:30.710 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 60895<-6947 (00:05:30.710 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368947130.710 1368947130.711 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 94.61.243.71 Egg Source List: 94.61.243.71 C & C List: Peer Coord. List: Resource List: Observed Start: 05/19/2013 00:05:30.710 PDT Gen. 
Time: 05/19/2013 00:10:07.397 PDT INBOUND SCAN EXPLOIT 94.61.243.71 (2) (00:09:34.175 PDT) event=1:22009201 (2) {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-2860 (00:09:34.175 PDT) 445<-4172 (00:09:46.085 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 94.61.243.71 (3) (00:05:30.710 PDT) event=1:2001685 (3) {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 60895<-6947 (00:05:30.710 PDT) 60906<-6947 (00:05:44.829 PDT) 60915<-6947 (00:05:59.659 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368947130.710 1368947130.711 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 94.61.243.71 Egg Source List: 94.61.243.71 C & C List: Peer Coord. List: Resource List: Observed Start: 05/19/2013 00:06:13.649 PDT Gen. 
Time: 05/19/2013 00:10:09.846 PDT INBOUND SCAN EXPLOIT 94.61.243.71 (00:10:09.846 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-1539 (00:10:09.846 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 94.61.243.71 (00:06:13.649 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 60924<-6947 (00:06:13.649 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368947173.649 1368947173.650 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 94.61.243.71 Egg Source List: 94.61.243.71 C & C List: Peer Coord. List: Resource List: Observed Start: 05/19/2013 00:06:13.649 PDT Gen. 
Time: 05/19/2013 00:10:45.830 PDT INBOUND SCAN EXPLOIT 94.61.243.71 (2) (00:10:09.846 PDT) event=1:22009201 (2) {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-1539 (00:10:09.846 PDT) 445<-3718 (00:10:30.431 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 94.61.243.71 (4) (00:06:13.649 PDT) event=1:2001685 (4) {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 60924<-6947 (00:06:13.649 PDT) 46284<-6947 (00:10:14.614 PDT) 60934<-6947 (00:06:28.438 PDT) 60943<-6947 (00:06:44.488 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368947173.649 1368947173.650 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 94.61.243.71 Egg Source List: 94.61.243.71 C & C List: Peer Coord. List: Resource List: Observed Start: 05/19/2013 00:06:57.052 PDT Gen. 
Time: 05/19/2013 00:06:57.052 PDT INBOUND SCAN EXPLOIT 94.61.243.71 (00:10:47.481 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-1522 (00:10:47.481 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 94.61.243.71 (00:06:57.052 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 60950<-6947 (00:06:57.052 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368947217.052 1368947217.053 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 94.61.243.71 Egg Source List: 94.61.243.71 C & C List: Peer Coord. List: Resource List: Observed Start: 05/19/2013 00:07:20.542 PDT Gen. 
Time: 05/19/2013 00:07:20.542 PDT INBOUND SCAN EXPLOIT 94.61.243.71 (00:11:04.158 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-3066 (00:11:04.158 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 94.61.243.71 (00:07:20.542 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 60979<-6947 (00:07:20.542 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368947240.542 1368947240.543 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 94.61.243.71 Egg Source List: 94.61.243.71 C & C List: Peer Coord. List: Resource List: Observed Start: 05/19/2013 00:07:20.542 PDT Gen. 
Time: 05/19/2013 00:11:35.685 PDT INBOUND SCAN EXPLOIT 94.61.243.71 (2) (00:11:04.158 PDT) event=1:22009201 (2) {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-3066 (00:11:04.158 PDT) 445<-4255 (00:11:19.792 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 94.61.243.71 (2) (00:07:20.542 PDT) event=1:2001685 (2) {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 60979<-6947 (00:07:20.542 PDT) 60992<-6947 (00:07:33.894 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368947240.542 1368947240.543 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 94.61.243.71 Egg Source List: 94.61.243.71 C & C List: Peer Coord. List: Resource List: Observed Start: 05/19/2013 00:07:48.692 PDT Gen. 
Time: 05/19/2013 00:07:48.692 PDT INBOUND SCAN EXPLOIT 94.61.243.71 (00:11:39.495 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-2329 (00:11:39.495 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 94.61.243.71 (00:07:48.692 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 32769<-6947 (00:07:48.692 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368947268.692 1368947268.693 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 94.61.243.71 Egg Source List: 94.61.243.71 C & C List: Peer Coord. List: Resource List: Observed Start: 05/19/2013 00:08:00.594 PDT Gen. 
Time: 05/19/2013 00:08:00.594 PDT INBOUND SCAN EXPLOIT 94.61.243.71 (00:11:55.349 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-3499 (00:11:55.349 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 94.61.243.71 (00:08:00.594 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 32777<-6947 (00:08:00.594 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368947280.594 1368947280.595 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 94.61.243.71 Egg Source List: 94.61.243.71 C & C List: Peer Coord. List: Resource List: Observed Start: 05/19/2013 00:12:08.651 PDT Gen. 
Time: 05/19/2013 00:12:11.881 PDT INBOUND SCAN EXPLOIT 94.61.243.71 (00:12:08.651 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-1186 (00:12:08.651 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 94.61.243.71 (00:12:11.881 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 46379<-6947 (00:12:11.881 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368947528.651 1368947528.652 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 94.61.243.71 Egg Source List: 94.61.243.71 C & C List: Peer Coord. List: Resource List: Observed Start: 05/19/2013 00:08:28.377 PDT Gen. 
Time: 05/19/2013 00:12:30.250 PDT INBOUND SCAN EXPLOIT 94.61.243.71 (00:12:08.651 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-1186 (00:12:08.651 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 94.61.243.71 (2) (00:08:28.377 PDT) event=1:2001685 (2) {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 46379<-6947 (00:12:11.881 PDT) 32796<-6947 (00:08:28.377 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368947308.377 1368947308.378 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 109.134.86.183, 94.61.243.71 Egg Source List: 94.61.243.71 C & C List: Peer Coord. List: Resource List: Observed Start: 05/19/2013 00:08:46.395 PDT Gen. 
Time: 05/19/2013 00:08:46.395 PDT INBOUND SCAN EXPLOIT 109.134.86.183 (00:12:45.162 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-55732 (00:12:45.162 PDT) 94.61.243.71 (00:12:44.093 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-2793 (00:12:44.093 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 94.61.243.71 (00:08:46.395 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 32809<-6947 (00:08:46.395 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368947326.395 1368947326.396 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 94.61.243.71 Egg Source List: 109.134.86.183, 94.61.243.71 C & C List: Peer Coord. List: Resource List: Observed Start: 05/19/2013 00:12:53.358 PDT Gen. 
Time: 05/19/2013 00:13:04.904 PDT INBOUND SCAN EXPLOIT 94.61.243.71 (00:13:04.904 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-1852 (00:13:04.904 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 109.134.86.183 (00:12:53.418 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 54726<-1369 (00:12:53.418 PDT) 94.61.243.71 (00:12:53.358 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 46406<-6947 (00:12:53.358 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368947573.358 1368947573.359 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 94.61.243.71 Egg Source List: 109.134.86.183, 94.61.243.71 C & C List: Peer Coord. List: Resource List: Observed Start: 05/19/2013 00:09:08.368 PDT Gen. 
Time: 05/19/2013 00:13:30.779 PDT INBOUND SCAN EXPLOIT 94.61.243.71 (2) (00:13:04.904 PDT) event=1:22009201 (2) {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-1852 (00:13:04.904 PDT) 445<-3208 (00:13:21.792 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 109.134.86.183 (00:12:53.418 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 54726<-1369 (00:12:53.418 PDT) 94.61.243.71 (3) (00:09:08.368 PDT) event=1:2001685 (3) {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 46406<-6947 (00:12:53.358 PDT) 32822<-6947 (00:09:08.368 PDT) 32834<-6947 (00:09:20.924 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368947348.368 1368947348.369 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 94.61.243.71 Egg Source List: 94.61.243.71 C & C List: Peer Coord. List: Resource List: Observed Start: 05/19/2013 00:09:37.059 PDT Gen. 
Time: 05/19/2013 00:09:37.059 PDT INBOUND SCAN EXPLOIT 94.61.243.71 (00:13:34.754 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-4731 (00:13:34.754 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 94.61.243.71 (00:09:37.059 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 46247<-6947 (00:09:37.059 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368947377.059 1368947377.060 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 94.61.243.71 Egg Source List: 94.61.243.71 C & C List: Peer Coord. List: Resource List: Observed Start: 05/19/2013 00:09:37.059 PDT Gen. 
Time: 05/19/2013 00:14:14.728 PDT INBOUND SCAN EXPLOIT 94.61.243.71 (3) (00:13:34.754 PDT) event=1:22009201 (3) {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-4731 (00:13:34.754 PDT) 445<-2011 (00:13:51.554 PDT) 445<-3381 (00:14:03.753 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 94.61.243.71 (2) (00:09:37.059 PDT) event=1:2001685 (2) {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 46247<-6947 (00:09:37.059 PDT) 46260<-6947 (00:09:49.825 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368947377.059 1368947377.060 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 94.61.243.71 Egg Source List: 94.61.243.71 C & C List: Peer Coord. List: Resource List: Observed Start: 05/19/2013 00:10:33.509 PDT Gen. 
Time: 05/19/2013 00:10:33.509 PDT INBOUND SCAN EXPLOIT 94.61.243.71 (3) (00:14:19.409 PDT) event=1:22009201 (3) {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-4516 (00:14:19.409 PDT) 445<-2087 (00:14:31.606 PDT) 445<-3176 (00:14:48.468 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 94.61.243.71 (00:10:33.509 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 46303<-6947 (00:10:33.509 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368947433.509 1368947433.510 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 94.61.243.71 Egg Source List: 94.61.243.71 C & C List: Peer Coord. List: Resource List: Observed Start: 05/19/2013 00:10:51.193 PDT Gen. 
Time: 05/19/2013 00:10:51.193 PDT INBOUND SCAN EXPLOIT 94.61.243.71 (00:15:02.166 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-4762 (00:15:02.166 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 94.61.243.71 (00:10:51.193 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 46318<-6947 (00:10:51.193 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368947451.193 1368947451.194 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 94.61.243.71 Egg Source List: 94.61.243.71 C & C List: Peer Coord. List: Resource List: Observed Start: 05/19/2013 00:10:51.193 PDT Gen. 
Time: 05/19/2013 00:17:41.785 PDT INBOUND SCAN EXPLOIT 94.61.243.71 (9) (00:15:02.166 PDT) event=1:22009201 (9) {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-4762 (00:15:02.166 PDT) 445<-2028 (00:15:17.937 PDT) 445<-3358 (00:15:31.653 PDT) 445<-4551 (00:15:47.356 PDT) 445<-2155 (00:16:01.378 PDT) 445<-3307 (00:16:19.045 PDT) 445<-1063 (00:16:31.245 PDT) 445<-2887 (00:17:02.401 PDT) 445<-1891 (00:17:25.500 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 94.61.243.71 (8) (00:10:51.193 PDT) event=1:2001685 (8) {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 46318<-6947 (00:10:51.193 PDT) 46333<-6947 (00:11:07.171 PDT) 46344<-6947 (00:11:22.598 PDT) 41447<-6947 (00:16:05.317 PDT) 46357<-6947 (00:11:42.403 PDT) 46372<-6947 (00:11:58.641 PDT) 41582<-6947 (00:17:16.889 PDT) 46417<-6947 (00:13:07.656 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368947451.193 1368947451.194 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 94.61.243.71 Egg Source List: 94.61.243.71 C & C List: Peer Coord. List: Resource List: Observed Start: 05/19/2013 00:13:24.631 PDT Gen. 
Time: 05/19/2013 00:13:24.631 PDT INBOUND SCAN EXPLOIT 94.61.243.71 (00:17:48.440 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-3629 (00:17:48.440 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 94.61.243.71 (00:13:24.631 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 46439<-6947 (00:13:24.631 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368947604.631 1368947604.632 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 94.61.243.71 Egg Source List: 94.61.243.71 C & C List: Peer Coord. List: Resource List: Observed Start: 05/19/2013 00:13:37.449 PDT Gen. 
Time: 05/19/2013 00:13:37.449 PDT INBOUND SCAN EXPLOIT 94.61.243.71 (00:18:00.829 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-1658 (00:18:00.829 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 94.61.243.71 (00:13:37.449 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 46454<-6947 (00:13:37.449 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368947617.449 1368947617.450 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 94.61.243.71 Egg Source List: 94.61.243.71 C & C List: Peer Coord. List: Resource List: Observed Start: 05/19/2013 00:13:37.449 PDT Gen. 
Time: 05/19/2013 00:13:54.385 PDT INBOUND SCAN EXPLOIT 94.61.243.71 (2) (00:18:00.829 PDT) event=1:22009201 (2) {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-1658 (00:18:00.829 PDT) 445<-2500 (00:18:16.736 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 94.61.243.71 (2) (00:13:37.449 PDT) event=1:2001685 (2) {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 46454<-6947 (00:13:37.449 PDT) 46477<-6947 (00:13:54.385 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368947617.449 1368947617.450 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 94.61.243.71 Egg Source List: 94.61.243.71 C & C List: Peer Coord. List: Resource List: Observed Start: 05/19/2013 00:14:06.469 PDT Gen. 
Time: 05/19/2013 00:14:06.469 PDT INBOUND SCAN EXPLOIT 94.61.243.71 (00:18:29.238 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-3574 (00:18:29.238 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 94.61.243.71 (00:14:06.469 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 46484<-6947 (00:14:06.469 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368947646.469 1368947646.470 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 94.61.243.71 Egg Source List: 94.61.243.71 C & C List: Peer Coord. List: Resource List: Observed Start: 05/19/2013 00:18:48.799 PDT Gen. 
Time: 05/19/2013 00:18:53.485 PDT INBOUND SCAN EXPLOIT 94.61.243.71 (00:18:48.799 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-4472 (00:18:48.799 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 94.61.243.71 (00:18:53.485 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 41728<-6947 (00:18:53.485 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368947928.799 1368947928.800 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 94.61.243.71 Egg Source List: 94.61.243.71 C & C List: Peer Coord. List: Resource List: Observed Start: 05/19/2013 00:14:23.027 PDT Gen. 
Time: 05/19/2013 00:18:58.857 PDT INBOUND SCAN EXPLOIT 94.61.243.71 (00:18:48.799 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-4472 (00:18:48.799 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 94.61.243.71 (2) (00:14:23.027 PDT) event=1:2001685 (2) {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 41728<-6947 (00:18:53.485 PDT) 46503<-6947 (00:14:23.027 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368947663.027 1368947663.028 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 94.61.243.71 Egg Source List: 94.61.243.71 C & C List: Peer Coord. List: Resource List: Observed Start: 05/19/2013 00:14:35.072 PDT Gen. 
Time: 05/19/2013 00:14:35.072 PDT INBOUND SCAN EXPLOIT 94.61.243.71 (00:19:03.832 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-2222 (00:19:03.832 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 94.61.243.71 (00:14:35.072 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 46521<-6947 (00:14:35.072 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368947675.072 1368947675.073 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 94.61.243.71 Egg Source List: 94.61.243.71 C & C List: Peer Coord. List: Resource List: Observed Start: 05/19/2013 00:14:35.072 PDT Gen. 
Time: 05/19/2013 00:19:30.843 PDT INBOUND SCAN EXPLOIT 94.61.243.71 (2) (00:19:03.832 PDT) event=1:22009201 (2) {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-2222 (00:19:03.832 PDT) 445<-3179 (00:19:20.206 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 94.61.243.71 (2) (00:14:35.072 PDT) event=1:2001685 (2) {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 46521<-6947 (00:14:35.072 PDT) 41372<-6947 (00:14:52.584 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368947675.072 1368947675.073 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 94.61.243.71 Egg Source List: 94.61.243.71 C & C List: Peer Coord. List: Resource List: Observed Start: 05/19/2013 00:15:05.482 PDT Gen. 
Time: 05/19/2013 00:15:05.482 PDT INBOUND SCAN EXPLOIT 94.61.243.71 (00:19:33.144 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-4238 (00:19:33.144 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 94.61.243.71 (00:15:05.482 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 41386<-6947 (00:15:05.482 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368947705.482 1368947705.483 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 94.61.243.71 Egg Source List: 94.61.243.71 C & C List: Peer Coord. List: Resource List: Observed Start: 05/19/2013 00:15:21.903 PDT Gen. 
Time: 05/19/2013 00:15:21.903 PDT INBOUND SCAN EXPLOIT 94.61.243.71 (00:19:48.489 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-1416 (00:19:48.489 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 94.61.243.71 (00:15:21.903 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 41406<-6947 (00:15:21.903 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368947721.903 1368947721.904 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 94.61.243.71 Egg Source List: 94.61.243.71 C & C List: Peer Coord. List: Resource List: Observed Start: 05/19/2013 00:15:34.479 PDT Gen. 
Time: 05/19/2013 00:15:34.479 PDT INBOUND SCAN EXPLOIT 94.61.243.71 (00:20:09.630 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-2679 (00:20:09.630 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 94.61.243.71 (00:15:34.479 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 41415<-6947 (00:15:34.479 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368947734.479 1368947734.480 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 94.61.243.71 Egg Source List: 94.61.243.71 C & C List: Peer Coord. List: Resource List: Observed Start: 05/19/2013 00:15:34.479 PDT Gen. 
Time: 05/19/2013 00:22:10.932 PDT INBOUND SCAN EXPLOIT 94.61.243.71 (9) (00:20:09.630 PDT) event=1:22009201 (9) {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-2679 (00:20:09.630 PDT) 445<-3975 (00:20:25.819 PDT) 445<-1400 (00:20:39.412 PDT) 445<-2305 (00:20:56.459 PDT) 445<-3470 (00:21:10.694 PDT) 445<-4389 (00:21:26.037 PDT) 445<-1721 (00:21:38.164 PDT) 445<-2565 (00:21:53.616 PDT) 445<-3597 (00:22:05.117 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 94.61.243.71 (5) (00:15:34.479 PDT) event=1:2001685 (5) {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 41415<-6947 (00:15:34.479 PDT) 41426<-6947 (00:15:50.791 PDT) 41472<-6947 (00:16:22.110 PDT) 41501<-6947 (00:16:34.852 PDT) 41608<-6947 (00:17:30.703 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368947734.479 1368947734.480 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 94.61.243.71 Egg Source List: 94.61.243.71 C & C List: Peer Coord. List: Resource List: Observed Start: 05/19/2013 00:17:52.095 PDT Gen. 
Time: 05/19/2013 00:17:52.095 PDT INBOUND SCAN EXPLOIT 94.61.243.71 (00:22:21.274 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-4643 (00:22:21.274 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 94.61.243.71 (00:17:52.095 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 41636<-6947 (00:17:52.095 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368947872.095 1368947872.096 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 94.61.243.71 Egg Source List: 94.61.243.71 C & C List: Peer Coord. List: Resource List: Observed Start: 05/19/2013 00:18:03.891 PDT Gen. 
Time: 05/19/2013 00:18:03.891 PDT INBOUND SCAN EXPLOIT 94.61.243.71 (00:22:33.242 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-2148 (00:22:33.242 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 94.61.243.71 (00:18:03.891 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 41657<-6947 (00:18:03.891 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368947883.891 1368947883.892 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 94.61.243.71 Egg Source List: 94.61.243.71 C & C List: Peer Coord. List: Resource List: Observed Start: 05/19/2013 00:18:19.861 PDT Gen. 
Time: 05/19/2013 00:18:19.861 PDT INBOUND SCAN EXPLOIT 94.61.243.71 (00:22:49.711 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-3189 (00:22:49.711 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 94.61.243.71 (00:18:19.861 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 41680<-6947 (00:18:19.861 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368947899.861 1368947899.862 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 94.61.243.71 Egg Source List: 94.61.243.71 C & C List: Peer Coord. List: Resource List: Observed Start: 05/19/2013 00:18:32.470 PDT Gen. 
Time: 05/19/2013 00:18:32.470 PDT INBOUND SCAN EXPLOIT 94.61.243.71 (00:23:01.555 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-4620 (00:23:01.555 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 94.61.243.71 (00:18:32.470 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 41693<-6947 (00:18:32.470 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368947912.470 1368947912.471 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 94.61.243.71 Egg Source List: 94.61.243.71 C & C List: Peer Coord. List: Resource List: Observed Start: 05/19/2013 00:19:06.971 PDT Gen. 
Time: 05/19/2013 00:19:06.971 PDT INBOUND SCAN EXPLOIT 94.61.243.71 (2) (00:23:19.399 PDT) event=1:22009201 (2) {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-1887 (00:23:19.399 PDT) 445<-3234 (00:23:31.009 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 94.61.243.71 (00:19:06.971 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 41743<-6947 (00:19:06.971 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368947946.971 1368947946.972 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 94.61.243.71 Egg Source List: 94.61.243.71 C & C List: Peer Coord. List: Resource List: Observed Start: 05/19/2013 00:19:22.845 PDT Gen. 
Time: 05/19/2013 00:19:22.845 PDT INBOUND SCAN EXPLOIT 94.61.243.71 (00:23:46.947 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-4237 (00:23:46.947 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 94.61.243.71 (00:19:22.845 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 41761<-6947 (00:19:22.845 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368947962.845 1368947962.846 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 94.61.243.71 Egg Source List: 94.61.243.71 C & C List: Peer Coord. List: Resource List: Observed Start: 05/19/2013 00:19:36.378 PDT Gen. 
Time: 05/19/2013 00:19:36.378 PDT INBOUND SCAN EXPLOIT 94.61.243.71 (00:23:59.291 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-1868 (00:23:59.291 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 94.61.243.71 (00:19:36.378 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 34612<-6947 (00:19:36.378 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368947976.378 1368947976.379 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 94.61.243.71 Egg Source List: 94.61.243.71 C & C List: Peer Coord. List: Resource List: Observed Start: 05/19/2013 00:19:51.552 PDT Gen. 
Time: 05/19/2013 00:19:51.552 PDT INBOUND SCAN EXPLOIT 94.61.243.71 (00:24:16.510 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-2918 (00:24:16.510 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 94.61.243.71 (00:19:51.552 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 34632<-6947 (00:19:51.552 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368947991.552 1368947991.553 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 94.61.243.71 Egg Source List: 94.61.243.71 C & C List: Peer Coord. List: Resource List: Observed Start: 05/19/2013 00:19:51.552 PDT Gen. 
Time: 05/19/2013 00:24:50.091 PDT INBOUND SCAN EXPLOIT 94.61.243.71 (3) (00:24:16.510 PDT) event=1:22009201 (3) {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-2918 (00:24:16.510 PDT) 445<-4302 (00:24:28.011 PDT) 445<-1615 (00:24:43.917 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 94.61.243.71 (2) (00:19:51.552 PDT) event=1:2001685 (2) {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 34632<-6947 (00:19:51.552 PDT) 34665<-6947 (00:20:13.316 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368947991.552 1368947991.553 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 94.61.243.71 Egg Source List: 94.61.243.71 C & C List: Peer Coord. List: Resource List: Observed Start: 05/19/2013 00:20:29.550 PDT Gen. 
Time: 05/19/2013 00:20:29.550 PDT INBOUND SCAN EXPLOIT 94.61.243.71 (00:24:56.526 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-2875 (00:24:56.526 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 94.61.243.71 (00:20:29.550 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 34681<-6947 (00:20:29.550 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368948029.550 1368948029.551 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 94.61.243.71 Egg Source List: 94.61.243.71 C & C List: Peer Coord. List: Resource List: Observed Start: 05/19/2013 00:20:29.550 PDT Gen. 
Time: 05/19/2013 00:26:16.720 PDT INBOUND SCAN EXPLOIT 94.61.243.71 (5) (00:24:56.526 PDT) event=1:22009201 (5) {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-2875 (00:24:56.526 PDT) 445<-3997 (00:25:14.200 PDT) 445<-1883 (00:25:28.497 PDT) 445<-3448 (00:25:52.264 PDT) 445<-1198 (00:26:04.387 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 94.61.243.71 (5) (00:20:29.550 PDT) event=1:2001685 (5) {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 34681<-6947 (00:20:29.550 PDT) 34701<-6947 (00:20:42.395 PDT) 34711<-6947 (00:20:59.536 PDT) 34722<-6947 (00:21:13.381 PDT) 34735<-6947 (00:21:28.958 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368948029.550 1368948029.551 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 94.61.243.71 Egg Source List: 94.61.243.71 C & C List: Peer Coord. List: Resource List: Observed Start: 05/19/2013 00:21:41.037 PDT Gen. 
Time: 05/19/2013 00:21:41.037 PDT INBOUND SCAN EXPLOIT 94.61.243.71 (00:26:19.373 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-2191 (00:26:19.373 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 94.61.243.71 (00:21:41.037 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 34744<-6947 (00:21:41.037 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368948101.037 1368948101.038 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 94.61.243.71 Egg Source List: 94.61.243.71 C & C List: Peer Coord. List: Resource List: Observed Start: 05/19/2013 00:21:41.037 PDT Gen. 
Time: 05/19/2013 00:21:56.696 PDT INBOUND SCAN EXPLOIT 94.61.243.71 (2) (00:26:19.373 PDT) event=1:22009201 (2) {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-2191 (00:26:19.373 PDT) 445<-3383 (00:26:30.607 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 94.61.243.71 (2) (00:21:41.037 PDT) event=1:2001685 (2) {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 34744<-6947 (00:21:41.037 PDT) 34757<-6947 (00:21:56.696 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368948101.037 1368948101.038 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 94.61.243.71 Egg Source List: 94.61.243.71 C & C List: Peer Coord. List: Resource List: Observed Start: 05/19/2013 00:22:08.259 PDT Gen. 
Time: 05/19/2013 00:26:51.764 PDT INBOUND SCAN EXPLOIT 94.61.243.71 (00:26:51.764 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-4489 (00:26:51.764 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 94.61.243.71 (00:22:08.259 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 34767<-6947 (00:22:08.259 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368948128.259 1368948128.260 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 94.61.243.71 Egg Source List: 94.61.243.71 C & C List: Peer Coord. List: Resource List: Observed Start: 05/19/2013 00:22:08.259 PDT Gen. 
Time: 05/19/2013 00:27:44.603 PDT INBOUND SCAN EXPLOIT 94.61.243.71 (3) (00:26:51.764 PDT) event=1:22009201 (3) {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-4489 (00:26:51.764 PDT) 445<-2501 (00:27:14.640 PDT) 445<-4665 (00:27:32.530 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 94.61.243.71 (4) (00:22:08.259 PDT) event=1:2001685 (4) {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 34767<-6947 (00:22:08.259 PDT) 34774<-6947 (00:22:25.257 PDT) 34779<-6947 (00:22:35.976 PDT) 34792<-6947 (00:22:52.822 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368948128.259 1368948128.260 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 94.61.243.71 Egg Source List: 94.61.243.71 C & C List: Peer Coord. List: Resource List: Observed Start: 05/19/2013 00:23:04.494 PDT Gen. 
Time: 05/19/2013 00:23:04.494 PDT INBOUND SCAN EXPLOIT 94.61.243.71 (00:27:46.046 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-2177 (00:27:46.046 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 94.61.243.71 (00:23:04.494 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 34800<-6947 (00:23:04.494 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368948184.494 1368948184.495 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 94.61.243.71 Egg Source List: 94.61.243.71 C & C List: Peer Coord. List: Resource List: Observed Start: 05/19/2013 00:23:22.727 PDT Gen. 
Time: 05/19/2013 00:23:22.727 PDT INBOUND SCAN EXPLOIT 94.61.243.71 (00:28:01.594 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-3267 (00:28:01.594 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 94.61.243.71 (00:23:22.727 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 34823<-6947 (00:23:22.727 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368948202.727 1368948202.728 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 94.61.243.71 Egg Source List: 94.61.243.71 C & C List: Peer Coord. List: Resource List: Observed Start: 05/19/2013 00:23:33.901 PDT Gen. 
Time: 05/19/2013 00:23:33.901 PDT INBOUND SCAN EXPLOIT 94.61.243.71 (00:28:14.283 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-4723 (00:28:14.283 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 94.61.243.71 (00:23:33.901 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 34829<-6947 (00:23:33.901 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368948213.901 1368948213.902 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 94.61.243.71 Egg Source List: 94.61.243.71 C & C List: Peer Coord. List: Resource List: Observed Start: 05/19/2013 00:23:33.901 PDT Gen. 
Time: 05/19/2013 00:28:32.005 PDT INBOUND SCAN EXPLOIT 94.61.243.71 (00:28:14.283 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-4723 (00:28:14.283 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 94.61.243.71 (2) (00:23:33.901 PDT) event=1:2001685 (2) {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 34829<-6947 (00:23:33.901 PDT) 34846<-6947 (00:23:50.057 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368948213.901 1368948213.902 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 94.61.243.71 Egg Source List: 94.61.243.71 C & C List: Peer Coord. List: Resource List: Observed Start: 05/19/2013 00:24:01.980 PDT Gen. 
Time: 05/19/2013 00:24:01.980 PDT INBOUND SCAN EXPLOIT 94.61.243.71 (00:28:37.673 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-2133 (00:28:37.673 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 94.61.243.71 (00:24:01.980 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 34861<-6947 (00:24:01.980 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368948241.980 1368948241.981 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 94.61.243.71 Egg Source List: 94.61.243.71 C & C List: Peer Coord. List: Resource List: Observed Start: 05/19/2013 00:24:01.980 PDT Gen. 
Time: 05/19/2013 00:24:31.104 PDT INBOUND SCAN EXPLOIT 94.61.243.71 (2) (00:28:37.673 PDT) event=1:22009201 (2) {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-2133 (00:28:37.673 PDT) 445<-3998 (00:28:52.594 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 94.61.243.71 (3) (00:24:01.980 PDT) event=1:2001685 (3) {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 34861<-6947 (00:24:01.980 PDT) 34872<-6947 (00:24:19.198 PDT) 34890<-6947 (00:24:31.104 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368948241.980 1368948241.981 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 94.61.243.71 Egg Source List: 94.61.243.71 C & C List: Peer Coord. List: Resource List: Observed Start: 05/19/2013 00:24:47.791 PDT Gen. 
Time: 05/19/2013 00:24:47.791 PDT INBOUND SCAN EXPLOIT 94.61.243.71 (00:29:09.142 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-1408 (00:29:09.142 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 94.61.243.71 (00:24:47.791 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 39953<-6947 (00:24:47.791 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368948287.791 1368948287.792 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 94.61.243.71 Egg Source List: 94.61.243.71 C & C List: Peer Coord. List: Resource List: Observed Start: 05/19/2013 00:24:47.791 PDT Gen. 
Time: 05/19/2013 00:29:30.506 PDT INBOUND SCAN EXPLOIT 94.61.243.71 (2) (00:29:09.142 PDT) event=1:22009201 (2) {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-1408 (00:29:09.142 PDT) 445<-2705 (00:29:21.847 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 94.61.243.71 (2) (00:24:47.791 PDT) event=1:2001685 (2) {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 39953<-6947 (00:24:47.791 PDT) 39972<-6947 (00:24:59.919 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368948287.791 1368948287.792 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 94.61.243.71 Egg Source List: 94.61.243.71 C & C List: Peer Coord. List: Resource List: Observed Start: 05/19/2013 00:25:17.090 PDT Gen. 
Time: 05/19/2013 00:25:17.090 PDT INBOUND SCAN EXPLOIT 94.61.243.71 (00:29:39.347 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-3845 (00:29:39.347 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 94.61.243.71 (00:25:17.090 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 39985<-6947 (00:25:17.090 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368948317.090 1368948317.091 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 94.61.243.71 Egg Source List: 94.61.243.71 C & C List: Peer Coord. List: Resource List: Observed Start: 05/19/2013 00:25:31.293 PDT Gen. 
Time: 05/19/2013 00:25:31.293 PDT INBOUND SCAN EXPLOIT 94.61.243.71 (00:29:52.706 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-1561 (00:29:52.706 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 94.61.243.71 (00:25:31.293 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 39998<-6947 (00:25:31.293 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368948331.293 1368948331.294 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 94.61.243.71 Egg Source List: 94.61.243.71 C & C List: Peer Coord. List: Resource List: Observed Start: 05/19/2013 00:25:55.387 PDT Gen. 
Time: 05/19/2013 00:25:55.387 PDT INBOUND SCAN EXPLOIT 94.61.243.71 (00:30:13.176 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-2660 (00:30:13.176 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 94.61.243.71 (00:25:55.387 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 40014<-6947 (00:25:55.387 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368948355.387 1368948355.388 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 94.61.243.71 Egg Source List: 94.61.243.71 C & C List: Peer Coord. List: Resource List: Observed Start: 05/19/2013 00:25:55.387 PDT Gen. 
Time: 05/19/2013 00:30:58.580 PDT INBOUND SCAN EXPLOIT 94.61.243.71 (3) (00:30:13.176 PDT) event=1:22009201 (3) {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-2660 (00:30:13.176 PDT) 445<-4335 (00:30:26.723 PDT) 445<-1805 (00:30:43.271 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 94.61.243.71 (4) (00:25:55.387 PDT) event=1:2001685 (4) {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 40014<-6947 (00:25:55.387 PDT) 40027<-6947 (00:26:07.168 PDT) 40041<-6947 (00:26:22.059 PDT) 40053<-6947 (00:26:34.092 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368948355.387 1368948355.388 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 94.61.243.71 Egg Source List: 94.61.243.71 C & C List: Peer Coord. List: Resource List: Observed Start: 05/19/2013 00:30:59.068 PDT Gen. 
Time: 05/19/2013 00:31:02.909 PDT INBOUND SCAN EXPLOIT 94.61.243.71 (00:30:59.068 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-3227 (00:30:59.068 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 94.61.243.71 (00:31:02.909 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 38189<-6947 (00:31:02.909 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368948659.068 1368948659.069 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 94.61.243.71 Egg Source List: 94.61.243.71 C & C List: Peer Coord. List: Resource List: Observed Start: 05/19/2013 00:26:56.138 PDT Gen. 
Time: 05/19/2013 00:31:12.537 PDT INBOUND SCAN EXPLOIT 94.61.243.71 (00:30:59.068 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-3227 (00:30:59.068 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 94.61.243.71 (2) (00:26:56.138 PDT) event=1:2001685 (2) {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 38189<-6947 (00:31:02.909 PDT) 40078<-6947 (00:26:56.138 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368948416.138 1368948416.139 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 94.61.243.71 Egg Source List: 94.61.243.71 C & C List: Peer Coord. List: Resource List: Observed Start: 05/19/2013 00:31:16.926 PDT Gen. 
Time: 05/19/2013 00:31:25.316 PDT INBOUND SCAN EXPLOIT 94.61.243.71 (00:31:16.926 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-4550 (00:31:16.926 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 94.61.243.71 (00:31:25.316 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 38217<-6947 (00:31:25.316 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368948676.926 1368948676.927 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 94.61.243.71 Egg Source List: 94.61.243.71 C & C List: Peer Coord. List: Resource List: Observed Start: 05/19/2013 00:27:20.592 PDT Gen. 
Time: 05/19/2013 00:32:04.524 PDT
INBOUND SCAN
EXPLOIT
94.61.243.71 (3) (00:31:16.926 PDT)
  event=1:22009201 (3) {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
  445<-4550 (00:31:16.926 PDT) 445<-2450 (00:31:35.630 PDT) 445<-3747 (00:31:51.130 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
94.61.243.71 (4) (00:27:20.592 PDT)
  event=1:2001685 (4) {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
  38217<-6947 (00:31:25.316 PDT) 40115<-6947 (00:27:20.592 PDT) 40127<-6947 (00:27:35.562 PDT) 40144<-6947 (00:27:49.749 PDT)
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1368948440.592 1368948440.593 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 94.61.243.71
Egg Source List: 94.61.243.71
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/19/2013 00:28:04.782 PDT
Gen. Time: 05/19/2013 00:28:04.782 PDT
INBOUND SCAN
EXPLOIT
94.61.243.71 (00:32:06.037 PDT)
  event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
  445<-1424 (00:32:06.037 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
94.61.243.71 (00:28:04.782 PDT)
  event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
  40170<-6947 (00:28:04.782 PDT)
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1368948484.782 1368948484.783 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 94.61.243.71
Egg Source List: 94.61.243.71
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/19/2013 00:28:04.782 PDT
Gen. Time: 05/19/2013 00:32:35.436 PDT
INBOUND SCAN
EXPLOIT
94.61.243.71 (2) (00:32:06.037 PDT)
  event=1:22009201 (2) {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
  445<-1424 (00:32:06.037 PDT) 445<-2568 (00:32:21.099 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
94.61.243.71 (2) (00:28:04.782 PDT)
  event=1:2001685 (2) {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
  40170<-6947 (00:28:04.782 PDT) 40196<-6947 (00:28:17.846 PDT)
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1368948484.782 1368948484.783 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 94.61.243.71
Egg Source List: 94.61.243.71
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/19/2013 00:28:40.954 PDT
Gen. Time: 05/19/2013 00:28:40.954 PDT
INBOUND SCAN
EXPLOIT
94.61.243.71 (00:32:41.021 PDT)
  event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
  445<-3931 (00:32:41.021 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
94.61.243.71 (00:28:40.954 PDT)
  event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
  40232<-6947 (00:28:40.954 PDT)
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1368948520.954 1368948520.955 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 94.61.243.71
Egg Source List: 94.61.243.71
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/19/2013 00:28:56.267 PDT
Gen. Time: 05/19/2013 00:28:56.267 PDT
INBOUND SCAN
EXPLOIT
94.61.243.71 (2) (00:32:58.259 PDT)
  event=1:22009201 (2) {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
  445<-1858 (00:32:58.259 PDT) 445<-3122 (00:33:11.336 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
94.61.243.71 (00:28:56.267 PDT)
  event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
  40259<-6947 (00:28:56.267 PDT)
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1368948536.267 1368948536.268 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 94.61.243.71
Egg Source List: 94.61.243.71
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/19/2013 00:28:56.267 PDT
Gen. Time: 05/19/2013 00:34:10.584 PDT
INBOUND SCAN
EXPLOIT
94.61.243.71 (6) (00:32:58.259 PDT)
  event=1:22009201 (6) {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
  445<-1858 (00:32:58.259 PDT) 445<-3122 (00:33:11.336 PDT) 445<-4206 (00:33:26.867 PDT) 445<-1851 (00:33:39.477 PDT) 445<-2947 (00:33:55.462 PDT) 445<-4198 (00:34:09.321 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
94.61.243.71 (4) (00:28:56.267 PDT)
  event=1:2001685 (4) {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
  40259<-6947 (00:28:56.267 PDT) 40297<-6947 (00:29:12.220 PDT) 40334<-6947 (00:29:25.424 PDT) 37994<-6947 (00:29:43.002 PDT)
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1368948536.267 1368948536.268 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 94.61.243.71
Egg Source List: 94.61.243.71
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/19/2013 00:30:16.849 PDT
Gen. Time: 05/19/2013 00:30:16.849 PDT
INBOUND SCAN
EXPLOIT
94.61.243.71 (2) (00:34:25.685 PDT)
  event=1:22009201 (2) {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
  445<-1763 (00:34:25.685 PDT) 445<-3007 (00:34:38.746 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
94.61.243.71 (00:30:16.849 PDT)
  event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
  38097<-6947 (00:30:16.849 PDT)
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1368948616.849 1368948616.850 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 94.61.243.71
Egg Source List: 94.61.243.71
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/19/2013 00:30:16.849 PDT
Gen. Time: 05/19/2013 00:35:34.017 PDT
INBOUND SCAN
EXPLOIT
94.61.243.71 (5) (00:34:25.685 PDT)
  event=1:22009201 (5) {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
  445<-1763 (00:34:25.685 PDT) 445<-3007 (00:34:38.746 PDT) 445<-4087 (00:34:54.182 PDT) 445<-1722 (00:35:09.636 PDT) 445<-3082 (00:35:27.011 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
94.61.243.71 (3) (00:30:16.849 PDT)
  event=1:2001685 (3) {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
  38097<-6947 (00:30:16.849 PDT) 38125<-6947 (00:30:30.629 PDT) 38153<-6947 (00:30:47.222 PDT)
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1368948616.849 1368948616.850 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 94.61.243.71
Egg Source List: 94.61.243.71
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/19/2013 00:31:38.866 PDT
Gen. Time: 05/19/2013 00:31:38.866 PDT
INBOUND SCAN
EXPLOIT
94.61.243.71 (3) (00:35:38.464 PDT)
  event=1:22009201 (3) {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
  445<-4414 (00:35:38.464 PDT) 445<-1777 (00:35:56.574 PDT) 445<-3204 (00:36:08.965 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
94.61.243.71 (00:31:38.866 PDT)
  event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
  38237<-6947 (00:31:38.866 PDT)
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1368948698.866 1368948698.867 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 94.61.243.71
Egg Source List: 94.61.243.71
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/19/2013 00:31:38.866 PDT
Gen. Time: 05/19/2013 00:42:14.953 PDT
INBOUND SCAN
EXPLOIT
94.61.243.71 (17) (00:35:38.464 PDT)
  event=1:22009201 (17) {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
  445<-4414 (00:35:38.464 PDT) 445<-1777 (00:35:56.574 PDT) 445<-3204 (00:36:08.965 PDT) 445<-4195 (00:36:26.450 PDT) 445<-2188 (00:36:44.685 PDT) 445<-3620 (00:37:12.343 PDT) 445<-2067 (00:37:24.234 PDT) 445<-3152 (00:37:41.422 PDT) 445<-4693 (00:37:54.921 PDT) 445<-2023 (00:38:11.905 PDT) 445<-3368 (00:38:24.530 PDT) 445<-4574 (00:38:42.812 PDT) 445<-2269 (00:38:55.562 PDT) 445<-3345 (00:39:12.829 PDT) 445<-1046 (00:39:25.204 PDT) 445<-2278 (00:39:44.689 PDT) 445<-3659 (00:39:58.751 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
94.61.243.71 (17) (00:31:38.866 PDT)
  event=1:2001685 (17) {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
  38237<-6947 (00:31:38.866 PDT) 36181<-6947 (00:36:32.370 PDT) 38258<-6947 (00:31:55.163 PDT) 38270<-6947 (00:32:09.038 PDT) 38280<-6947 (00:32:24.271 PDT) 38292<-6947 (00:32:46.116 PDT) 38303<-6947 (00:33:01.554 PDT) 38308<-6947 (00:33:14.022 PDT) 38313<-6947 (00:33:29.710 PDT) 38314<-6947 (00:33:42.837 PDT) 38329<-6947 (00:33:58.586 PDT) 38356<-6947 (00:34:13.383 PDT) 38369<-6947 (00:34:28.462 PDT) 36081<-6947 (00:34:41.618 PDT) 36093<-6947 (00:34:57.167 PDT) 36116<-6947 (00:35:13.791 PDT) 36129<-6947 (00:35:30.340 PDT)
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1368948698.866 1368948698.867 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 94.61.243.71
Egg Source List: 94.61.243.71
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/19/2013 00:37:57.985 PDT
Gen. Time: 05/19/2013 00:37:57.985 PDT
INBOUND SCAN
EXPLOIT
94.61.243.71 (00:42:15.709 PDT)
  event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
  445<-3876 (00:42:15.709 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
94.61.243.71 (00:37:57.985 PDT)
  event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
  36253<-6947 (00:37:57.985 PDT)
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1368949077.985 1368949077.986 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 94.61.243.71
Egg Source List: 94.61.243.71
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/19/2013 00:37:57.985 PDT
Gen. Time: 05/19/2013 00:43:07.952 PDT
INBOUND SCAN
EXPLOIT
94.61.243.71 (4) (00:42:15.709 PDT)
  event=1:22009201 (4) {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
  445<-3876 (00:42:15.709 PDT) 445<-1449 (00:42:28.005 PDT) 445<-2691 (00:42:47.381 PDT) 445<-4077 (00:43:00.413 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
94.61.243.71 (4) (00:37:57.985 PDT)
  event=1:2001685 (4) {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
  36253<-6947 (00:37:57.985 PDT) 36278<-6947 (00:38:15.326 PDT) 36292<-6947 (00:38:27.890 PDT) 36312<-6947 (00:38:46.546 PDT)
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1368949077.985 1368949077.986 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 94.61.243.71
Egg Source List: 94.61.243.71
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/19/2013 00:38:59.547 PDT
Gen. Time: 05/19/2013 00:38:59.547 PDT
INBOUND SCAN
EXPLOIT
94.61.243.71 (00:43:16.163 PDT)
  event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
  445<-1476 (00:43:16.163 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
94.61.243.71 (00:38:59.547 PDT)
  event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
  36323<-6947 (00:38:59.547 PDT)
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1368949139.547 1368949139.548 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 94.61.243.71
Egg Source List: 94.61.243.71
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/19/2013 00:38:59.547 PDT
Gen. Time: 05/19/2013 00:43:54.639 PDT
INBOUND SCAN
EXPLOIT
94.61.243.71 (3) (00:43:16.163 PDT)
  event=1:22009201 (3) {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
  445<-1476 (00:43:16.163 PDT) 445<-2893 (00:43:30.022 PDT) 445<-3948 (00:43:46.398 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
94.61.243.71 (3) (00:38:59.547 PDT)
  event=1:2001685 (3) {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
  36323<-6947 (00:38:59.547 PDT) 36344<-6947 (00:39:15.565 PDT) 36363<-6947 (00:39:31.438 PDT)
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1368949139.547 1368949139.548 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 94.61.243.71
Egg Source List: 94.61.243.71
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/19/2013 00:39:47.642 PDT
Gen. Time: 05/19/2013 00:39:47.642 PDT
INBOUND SCAN
EXPLOIT
94.61.243.71 (00:43:59.633 PDT)
  event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
  445<-1671 (00:43:59.633 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
94.61.243.71 (00:39:47.642 PDT)
  event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
  50909<-6947 (00:39:47.642 PDT)
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1368949187.642 1368949187.643 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 94.61.243.71
Egg Source List: 94.61.243.71
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/19/2013 00:40:01.565 PDT
Gen. Time: 05/19/2013 00:40:01.565 PDT
INBOUND SCAN
EXPLOIT
94.61.243.71 (00:44:15.586 PDT)
  event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
  445<-2730 (00:44:15.586 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
94.61.243.71 (00:40:01.565 PDT)
  event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
  50927<-6947 (00:40:01.565 PDT)
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1368949201.565 1368949201.566 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 94.61.243.71
Egg Source List: 94.61.243.71
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/19/2013 00:40:20.627 PDT
Gen. Time: 05/19/2013 00:40:20.627 PDT
INBOUND SCAN
EXPLOIT
94.61.243.71 (00:44:28.602 PDT)
  event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
  445<-4033 (00:44:28.602 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
94.61.243.71 (00:40:20.627 PDT)
  event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
  50957<-6947 (00:40:20.627 PDT)
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1368949220.627 1368949220.628 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 94.61.243.71
Egg Source List: 94.61.243.71
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/19/2013 00:40:33.910 PDT
Gen. Time: 05/19/2013 00:40:33.910 PDT
INBOUND SCAN
EXPLOIT
94.61.243.71 (00:44:44.289 PDT)
  event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
  445<-1494 (00:44:44.289 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
94.61.243.71 (00:40:33.910 PDT)
  event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
  50971<-6947 (00:40:33.910 PDT)
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1368949233.910 1368949233.911 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 94.61.243.71
Egg Source List: 94.61.243.71
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/19/2013 00:40:50.783 PDT
Gen. Time: 05/19/2013 00:45:01.619 PDT
INBOUND SCAN
EXPLOIT
94.61.243.71 (00:45:01.619 PDT)
  event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
  445<-2756 (00:45:01.619 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
94.61.243.71 (00:40:50.783 PDT)
  event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
  50984<-6947 (00:40:50.783 PDT)
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1368949250.783 1368949250.784 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 94.61.243.71
Egg Source List: 94.61.243.71
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/19/2013 00:40:50.783 PDT
Gen. Time: 05/19/2013 00:45:18.132 PDT
INBOUND SCAN
EXPLOIT
94.61.243.71 (00:45:01.619 PDT)
  event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
  445<-2756 (00:45:01.619 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
94.61.243.71 (2) (00:40:50.783 PDT)
  event=1:2001685 (2) {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
  50984<-6947 (00:40:50.783 PDT) 50990<-6947 (00:41:05.581 PDT)
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1368949250.783 1368949250.784 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 94.61.243.71
Egg Source List: 94.61.243.71
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/19/2013 00:41:23.237 PDT
Gen. Time: 05/19/2013 00:41:23.237 PDT
INBOUND SCAN
EXPLOIT
94.61.243.71 (00:45:19.181 PDT)
  event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
  445<-4371 (00:45:19.181 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
94.61.243.71 (00:41:23.237 PDT)
  event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
  51002<-6947 (00:41:23.237 PDT)
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1368949283.237 1368949283.238 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 94.61.243.71
Egg Source List: 94.61.243.71
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/19/2013 00:41:35.035 PDT
Gen. Time: 05/19/2013 00:41:35.035 PDT
INBOUND SCAN
EXPLOIT
94.61.243.71 (00:45:32.526 PDT)
  event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
  445<-2046 (00:45:32.526 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
94.61.243.71 (00:41:35.035 PDT)
  event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
  51007<-6947 (00:41:35.035 PDT)
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1368949295.035 1368949295.036 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 94.61.243.71
Egg Source List: 94.61.243.71
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/19/2013 00:41:51.849 PDT
Gen. Time: 05/19/2013 00:41:51.849 PDT
INBOUND SCAN
EXPLOIT
94.61.243.71 (00:45:48.401 PDT)
  event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
  445<-3101 (00:45:48.401 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
94.61.243.71 (00:41:51.849 PDT)
  event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
  51023<-6947 (00:41:51.849 PDT)
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1368949311.849 1368949311.850 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 94.61.243.71
Egg Source List: 94.61.243.71
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/19/2013 00:41:51.849 PDT
Gen. Time: 05/19/2013 00:54:55.049 PDT
INBOUND SCAN
EXPLOIT
94.61.243.71 (17) (00:45:48.401 PDT)
  event=1:22008705 {tcp} E2[rb] ET NETBIOS Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (15), [] MAC_Dst: 00:21:5A:08:EC:40
  445<-4206 (00:46:41.699 PDT)
  -------------------------
  event=1:22008715 {tcp} E2[rb] ET NETBIOS Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (25), [] MAC_Dst: 00:21:5A:08:EC:40
  445<-4206 (00:46:41.699 PDT)
  -------------------------
  event=1:22009201 (15) {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
  445<-3101 (00:45:48.401 PDT) 445<-4410 (00:46:01.964 PDT) 445<-4206 (00:46:46.480 PDT) 445<-1846 (00:46:59.668 PDT) 445<-3346 (00:47:22.202 PDT) 445<-1334 (00:47:42.466 PDT) 445<-2886 (00:48:14.936 PDT) 445<-1854 (00:48:35.359 PDT) 445<-3639 (00:48:58.484 PDT) 445<-1839 (00:49:16.047 PDT) 445<-3386 (00:49:37.596 PDT) 445<-1434 (00:49:55.861 PDT) 445<-3073 (00:50:18.502 PDT) 445<-1096 (00:50:35.894 PDT) 445<-2483 (00:51:01.644 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
94.61.243.71 (17) (00:41:51.849 PDT)
  event=1:2001685 (17) {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
  51023<-6947 (00:41:51.849 PDT) 58764<-6947 (00:46:05.322 PDT) 58852<-6947 (00:47:02.858 PDT) 58883<-6947 (00:47:46.715 PDT) 58837<-6947 (00:46:49.420 PDT) 58911<-6947 (00:48:21.481 PDT) 58931<-6947 (00:48:40.594 PDT) 58871<-6947 (00:47:26.060 PDT) 58719<-6947 (00:49:42.938 PDT) 58772<-6947 (00:50:40.689 PDT) 58951<-6947 (00:49:03.250 PDT) 58963<-6947 (00:49:20.094 PDT) 58740<-6947 (00:50:01.145 PDT) 58754<-6947 (00:50:23.485 PDT) 58899<-6947 (00:54:10.570 PDT) 58790<-6947 (00:51:06.816 PDT) 58794<-6947 (00:51:19.159 PDT)
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1368949311.849 1368949311.850 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 94.61.243.71
Egg Source List: 94.61.243.71
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/19/2013 00:51:48.332 PDT
Gen. Time: 05/19/2013 00:54:59.933 PDT
INBOUND SCAN
EXPLOIT
94.61.243.71 (00:54:59.933 PDT)
  event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
  445<-4586 (00:54:59.933 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
94.61.243.71 (00:51:48.332 PDT)
  event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
  58812<-6947 (00:51:48.332 PDT)
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1368949908.332 1368949908.333 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 36.226.1.45, 94.61.243.71
Egg Source List: 36.226.1.45, 94.61.243.71
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/19/2013 00:51:48.332 PDT
Gen. Time: 05/19/2013 01:08:25.306 PDT
INBOUND SCAN
EXPLOIT
36.226.1.45 (00:57:28.873 PDT)
  event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
  445<-4025 (00:57:28.873 PDT)
94.61.243.71 (16) (00:54:59.933 PDT-00:58:08.313 PDT)
  event=1:22009201 (16) {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
  445<-2665 (00:56:13.091 PDT) 445<-4716 (00:55:48.981 PDT) 445<-4899 (00:56:33.155 PDT) 445<-3151 (00:59:37.395 PDT) 445<-2372 (00:58:54.925 PDT) 445<-4263 (00:57:56.267 PDT) 445<-3273 (00:55:29.995 PDT) 445<-4586 (00:54:59.933 PDT) 445<-2410 (00:56:58.842 PDT) 445<-3952 (00:59:08.064 PDT) 445<-3380 (00:58:25.438 PDT) 445<-1977 (00:57:38.470 PDT) 2: 445<-2115 (00:55:13.448 PDT-00:58:08.313 PDT) 445<-1563 (00:59:25.021 PDT) 445<-1254 (00:58:37.876 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
36.226.1.45 (00:57:36.293 PDT)
  event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
  43983<-9910 (00:57:36.293 PDT)
94.61.243.71 (16) (00:51:48.332 PDT)
  event=1:2001685 (16) {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
  58812<-6947 (00:51:48.332 PDT) 58831<-6947 (00:52:07.582 PDT) 58842<-6947 (00:52:27.567 PDT) 58848<-6947 (00:52:50.257 PDT) 58855<-6947 (00:53:08.132 PDT) 58865<-6947 (00:53:24.570 PDT) 58874<-6947 (00:53:38.039 PDT) 58884<-6947 (00:53:54.258 PDT) 58918<-6947 (00:54:33.243 PDT) 37163<-6947 (00:54:47.464 PDT) 37197<-6947 (00:55:02.932 PDT) 37213<-6947 (00:55:17.510 PDT) 37225<-6947 (00:55:32.902 PDT) 37291<-6947 (00:57:05.014 PDT) 37245<-6947 (00:55:53.731 PDT) 37264<-6947 (00:56:18.559 PDT)
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1368949908.332 1368950288.314 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 94.61.243.71
Egg Source List: 94.61.243.71
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/19/2013 01:04:40.418 PDT
Gen. Time: 05/19/2013 01:08:31.816 PDT
INBOUND SCAN
EXPLOIT
94.61.243.71 (01:08:31.816 PDT)
  event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
  445<-4390 (01:08:31.816 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
94.61.243.71 (01:04:40.418 PDT)
  event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
  34748<-6947 (01:04:40.418 PDT)
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1368950680.418 1368950680.419 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'
============================== SEPARATOR ================================
Score: 0.9 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 110.78.146.45, 94.61.243.71
Egg Source List: 37.218.74.184, 94.61.243.71
C & C List: 81.177.32.14
Peer Coord. List:
Resource List:
Observed Start: 05/19/2013 01:04:40.418 PDT
Gen. Time: 05/19/2013 01:16:43.454 PDT
INBOUND SCAN
EXPLOIT
110.78.146.45 (01:08:47.425 PDT)
  event=1:22465 {tcp} E2[rb] GPL NETBIOS SMB-DS IPC$ share access, [] MAC_Dst: 00:21:5A:08:EC:40
  445<-3063 (01:08:47.425 PDT)
94.61.243.71 (16) (01:08:31.816 PDT)
  event=1:22009201 (16) {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
  445<-4390 (01:08:31.816 PDT) 445<-2186 (01:08:51.332 PDT) 445<-3859 (01:09:08.475 PDT) 445<-1518 (01:09:20.880 PDT) 445<-2494 (01:09:35.820 PDT) 445<-3781 (01:09:49.898 PDT) 445<-1270 (01:10:06.084 PDT) 445<-2758 (01:10:22.959 PDT) 445<-4331 (01:10:47.445 PDT) 445<-2507 (01:11:05.650 PDT) 445<-3883 (01:11:22.259 PDT) 445<-1481 (01:11:35.462 PDT) 445<-2608 (01:11:51.463 PDT) 445<-3871 (01:12:09.965 PDT) 445<-1707 (01:12:25.072 PDT) 445<-2945 (01:12:37.184 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
37.218.74.184 (01:05:23.939 PDT)
  event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
  57971<-6185 (01:05:23.939 PDT)
94.61.243.71 (16) (01:04:40.418 PDT)
  event=1:2001685 (16) {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
  34748<-6947 (01:04:40.418 PDT) 34774<-6947 (01:05:32.607 PDT) 34788<-6947 (01:05:49.265 PDT) 34793<-6947 (01:06:01.904 PDT) 34808<-6947 (01:06:19.234 PDT) 34811<-6947 (01:06:29.921 PDT) 34821<-6947 (01:06:45.844 PDT) 34834<-6947 (01:06:58.345 PDT) 34856<-6947 (01:07:26.375 PDT) 34863<-6947 (01:07:38.377 PDT) 34890<-6947 (01:08:03.755 PDT) 34911<-6947 (01:08:16.315 PDT) 34926<-6947 (01:08:34.862 PDT) 34941<-6947 (01:08:55.269 PDT) 34949<-6947 (01:09:11.678 PDT) 34955<-6947 (01:09:23.708 PDT)
C and C TRAFFIC
C and C TRAFFIC (RBN)
81.177.32.14 (01:14:19.327 PDT)
  event=1:3810008 {udp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:EC:40
  58124->33434 (01:14:19.327 PDT)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1368950680.418 1368950680.419 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 94.61.243.71
Egg Source List: 94.61.243.71
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/19/2013 01:16:56.831 PDT
Gen. Time: 05/19/2013 01:16:56.831 PDT
INBOUND SCAN
EXPLOIT
94.61.243.71 (2) (01:18:56.334 PDT)
  event=1:22009201 (2) {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
  445<-4079 (01:18:56.334 PDT) 445<-2290 (01:19:16.821 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
94.61.243.71 (01:16:56.831 PDT)
  event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
  42851<-6947 (01:16:56.831 PDT)
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1368951416.831 1368951416.832 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 94.61.243.71
Egg Source List: 94.61.243.71
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/19/2013 01:16:56.831 PDT
Gen.
Time: 05/19/2013 01:21:35.556 PDT INBOUND SCAN EXPLOIT 94.61.243.71 (8) (01:18:56.334 PDT) event=1:22009201 (8) {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-4079 (01:18:56.334 PDT) 445<-2290 (01:19:16.821 PDT) 445<-3933 (01:19:41.321 PDT) 445<-2305 (01:20:00.542 PDT) 445<-3717 (01:20:22.588 PDT) 445<-1937 (01:20:39.495 PDT) 445<-3629 (01:21:05.479 PDT) 445<-1822 (01:21:25.057 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 94.61.243.71 (4) (01:16:56.831 PDT) event=1:2001685 (4) {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 42851<-6947 (01:16:56.831 PDT) 42864<-6947 (01:17:21.660 PDT) 32886<-6947 (01:21:11.666 PDT) 42886<-6947 (01:17:35.160 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368951416.831 1368951416.832 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 94.61.243.71 Egg Source List: 94.61.243.71 C & C List: Peer Coord. List: Resource List: Observed Start: 05/19/2013 01:17:54.801 PDT Gen. 
Time: 05/19/2013 01:17:54.801 PDT INBOUND SCAN EXPLOIT 94.61.243.71 (2) (01:21:46.933 PDT) event=1:22009201 (2) {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-3464 (01:21:46.933 PDT) 445<-1677 (01:22:01.809 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 94.61.243.71 (01:17:54.801 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 42912<-6947 (01:17:54.801 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368951474.801 1368951474.802 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 94.61.243.71 Egg Source List: 94.61.243.71 C & C List: Peer Coord. List: Resource List: Observed Start: 05/19/2013 01:17:54.801 PDT Gen. 
Time: 05/19/2013 01:22:30.222 PDT INBOUND SCAN EXPLOIT 94.61.243.71 (3) (01:21:46.933 PDT) event=1:22009201 (3) {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-3464 (01:21:46.933 PDT) 445<-1677 (01:22:01.809 PDT) 445<-2691 (01:22:17.090 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 94.61.243.71 (2) (01:17:54.801 PDT) event=1:2001685 (2) {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 42912<-6947 (01:17:54.801 PDT) 42933<-6947 (01:18:07.020 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368951474.801 1368951474.802 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 94.61.243.71 Egg Source List: 94.61.243.71 C & C List: Peer Coord. List: Resource List: Observed Start: 05/19/2013 01:18:23.771 PDT Gen. 
Time: 05/19/2013 01:18:23.771 PDT INBOUND SCAN EXPLOIT 94.61.243.71 (01:22:30.310 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-4001 (01:22:30.310 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 94.61.243.71 (01:18:23.771 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 42943<-6947 (01:18:23.771 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368951503.771 1368951503.772 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 94.61.243.71 Egg Source List: 94.61.243.71 C & C List: Peer Coord. List: Resource List: Observed Start: 05/19/2013 01:18:23.771 PDT Gen. 
Time: 05/19/2013 01:23:59.340 PDT INBOUND SCAN EXPLOIT 94.61.243.71 (6) (01:22:30.310 PDT) event=1:22009201 (6) {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-4001 (01:22:30.310 PDT) 445<-1400 (01:22:47.327 PDT) 445<-2801 (01:23:01.435 PDT) 445<-3937 (01:23:17.624 PDT) 445<-1535 (01:23:30.983 PDT) 445<-2678 (01:23:47.031 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 94.61.243.71 (5) (01:18:23.771 PDT) event=1:2001685 (5) {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 42943<-6947 (01:18:23.771 PDT) 42961<-6947 (01:18:36.005 PDT) 42978<-6947 (01:19:00.662 PDT) 42989<-6947 (01:19:22.662 PDT) 32831<-6947 (01:19:45.476 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368951503.771 1368951503.772 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 94.61.243.71 Egg Source List: 94.61.243.71 C & C List: Peer Coord. List: Resource List: Observed Start: 05/19/2013 01:20:04.304 PDT Gen. 
Time: 05/19/2013 01:20:04.304 PDT INBOUND SCAN EXPLOIT 94.61.243.71 (01:24:03.938 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-4125 (01:24:03.938 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 94.61.243.71 (01:20:04.304 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 32844<-6947 (01:20:04.304 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368951604.304 1368951604.305 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 94.61.243.71 Egg Source List: 94.61.243.71 C & C List: Peer Coord. List: Resource List: Observed Start: 05/19/2013 01:20:04.304 PDT Gen. 
Time: 05/19/2013 01:26:35.443 PDT INBOUND SCAN EXPLOIT 94.61.243.71 (10) (01:24:03.938 PDT) event=1:22009201 (10) {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-4125 (01:24:03.938 PDT) 445<-1764 (01:24:20.860 PDT) 445<-3084 (01:24:33.235 PDT) 445<-4083 (01:24:48.878 PDT) 445<-1728 (01:25:00.876 PDT) 445<-2700 (01:25:18.158 PDT) 445<-4141 (01:25:30.409 PDT) 445<-1444 (01:25:45.739 PDT) 445<-2987 (01:26:05.519 PDT) 445<-4453 (01:26:28.176 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 94.61.243.71 (8) (01:20:04.304 PDT) event=1:2001685 (8) {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 32844<-6947 (01:20:04.304 PDT) 32858<-6947 (01:20:26.961 PDT) 32872<-6947 (01:20:45.133 PDT) 42192<-6947 (01:25:20.878 PDT) 42217<-6947 (01:25:54.315 PDT) 32905<-6947 (01:21:29.792 PDT) 32922<-6947 (01:21:51.995 PDT) 32938<-6947 (01:22:04.450 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368951604.304 1368951604.305 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 94.61.243.71 Egg Source List: 94.61.243.71 C & C List: Peer Coord. List: Resource List: Observed Start: 05/19/2013 01:22:33.824 PDT Gen. 
Time: 05/19/2013 01:22:33.824 PDT INBOUND SCAN EXPLOIT 94.61.243.71 (01:26:47.006 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-2668 (01:26:47.006 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 94.61.243.71 (01:22:33.824 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 32958<-6947 (01:22:33.824 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368951753.824 1368951753.825 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 201.208.16.21, 94.61.243.71 Egg Source List: 94.61.243.71 C & C List: Peer Coord. List: Resource List: Observed Start: 05/19/2013 01:22:33.824 PDT Gen. 
Time: 05/19/2013 01:27:45.169 PDT INBOUND SCAN EXPLOIT 201.208.16.21 (01:27:25.437 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-4861 (01:27:25.437 PDT) 94.61.243.71 (3) (01:26:47.006 PDT) event=1:22009201 (3) {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-2668 (01:26:47.006 PDT) 445<-4180 (01:27:23.554 PDT) 445<-3368 (01:27:37.944 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 94.61.243.71 (6) (01:22:33.824 PDT) event=1:2001685 (6) {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 32958<-6947 (01:22:33.824 PDT) 32968<-6947 (01:22:49.763 PDT) 32972<-6947 (01:23:04.701 PDT) 42294<-6947 (01:27:29.645 PDT) 32981<-6947 (01:23:20.421 PDT) 32995<-6947 (01:23:33.984 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368951753.824 1368951753.825 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 94.61.243.71 Egg Source List: 94.61.243.71 C & C List: Peer Coord. List: Resource List: Observed Start: 05/19/2013 01:27:53.631 PDT Gen. 
Time: 05/19/2013 01:27:57.014 PDT INBOUND SCAN EXPLOIT 94.61.243.71 (01:27:53.631 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-4189 (01:27:53.631 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 94.61.243.71 (01:27:57.014 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 42323<-6947 (01:27:57.014 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368952073.631 1368952073.632 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 94.61.243.71 Egg Source List: 94.61.243.71 C & C List: Peer Coord. List: Resource List: Observed Start: 05/19/2013 01:23:51.311 PDT Gen. 
Time: 05/19/2013 01:26:09.878 PDT INBOUND SCAN EXPLOIT 94.61.243.71 (11) (01:27:53.631 PDT) event=1:22009201 (11) {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-4189 (01:27:53.631 PDT) 445<-1649 (01:28:06.317 PDT) 445<-2633 (01:28:28.393 PDT) 445<-4186 (01:28:42.239 PDT) 445<-1377 (01:28:58.360 PDT) 445<-2456 (01:29:12.856 PDT) 445<-3449 (01:29:28.334 PDT) 445<-4542 (01:29:40.611 PDT) 445<-1701 (01:29:55.706 PDT) 445<-2855 (01:30:09.308 PDT) 445<-3829 (01:30:26.051 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 94.61.243.71 (10) (01:23:51.311 PDT) event=1:2001685 (10) {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 42323<-6947 (01:27:57.014 PDT) 33012<-6947 (01:23:51.311 PDT) 33025<-6947 (01:24:07.484 PDT) 33041<-6947 (01:24:23.656 PDT) 42359<-6947 (01:28:34.358 PDT) 42166<-6947 (01:24:36.501 PDT) 42175<-6947 (01:24:51.581 PDT) 42185<-6947 (01:25:03.830 PDT) 42203<-6947 (01:25:33.268 PDT) 42234<-6947 (01:26:09.878 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368951831.311 1368951831.312 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 94.61.243.71 Egg Source List: 94.61.243.71 C & C List: Peer Coord. List: Resource List: Observed Start: 05/19/2013 01:26:32.940 PDT Gen. 
Time: 05/19/2013 01:26:32.940 PDT INBOUND SCAN EXPLOIT 94.61.243.71 (01:30:52.392 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-1613 (01:30:52.392 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 94.61.243.71 (01:26:32.940 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 42248<-6947 (01:26:32.940 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368951992.940 1368951992.941 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 70.25.237.50, 94.61.243.71 Egg Source List: 70.25.237.50, 201.208.16.21, 94.61.243.71 C & C List: Peer Coord. List: Resource List: Observed Start: 05/19/2013 01:26:32.940 PDT Gen. 
Time: 05/19/2013 01:32:10.712 PDT INBOUND SCAN EXPLOIT 70.25.237.50 (01:31:11.965 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-4722 (01:31:11.965 PDT) 94.61.243.71 (4) (01:30:52.392 PDT) event=1:22009201 (4) {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-1613 (01:30:52.392 PDT) 445<-3767 (01:31:28.302 PDT) 445<-2005 (01:31:41.253 PDT) 445<-3026 (01:31:59.452 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 70.25.237.50 (01:31:20.585 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 54084<-4977 (01:31:20.585 PDT) 201.208.16.21 (01:27:29.564 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 50293<-5528 (01:27:29.564 PDT) 94.61.243.71 (3) (01:26:32.940 PDT) event=1:2001685 (3) {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 42248<-6947 (01:26:32.940 PDT) 43291<-6947 (01:30:59.118 PDT) 42263<-6947 (01:26:51.800 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368951992.940 1368951992.941 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 94.61.243.71 Egg Source List: 94.61.243.71 C & C List: Peer Coord. List: Resource List: Observed Start: 05/19/2013 01:27:40.976 PDT Gen. 
Time: 05/19/2013 01:27:40.976 PDT INBOUND SCAN EXPLOIT 94.61.243.71 (01:32:12.047 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-4165 (01:32:12.047 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 94.61.243.71 (01:27:40.976 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 42309<-6947 (01:27:40.976 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368952060.976 1368952060.977 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 94.61.243.71 Egg Source List: 94.61.243.71 C & C List: Peer Coord. List: Resource List: Observed Start: 05/19/2013 01:28:10.630 PDT Gen. 
Time: 05/19/2013 01:28:10.630 PDT INBOUND SCAN EXPLOIT 94.61.243.71 (2) (01:32:28.658 PDT) event=1:22009201 (2) {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-1390 (01:32:28.658 PDT) 445<-2457 (01:32:41.598 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 94.61.243.71 (01:28:10.630 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 42337<-6947 (01:28:10.630 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368952090.630 1368952090.631 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 94.61.243.71 Egg Source List: 94.61.243.71 C & C List: Peer Coord. List: Resource List: Observed Start: 05/19/2013 01:28:45.326 PDT Gen. 
Time: 05/19/2013 01:28:45.326 PDT INBOUND SCAN EXPLOIT 94.61.243.71 (2) (01:32:57.609 PDT) event=1:22009201 (2) {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-3359 (01:32:57.609 PDT) 445<-4472 (01:33:10.476 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 94.61.243.71 (01:28:45.326 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 42366<-6947 (01:28:45.326 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368952125.326 1368952125.327 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 94.61.243.71 Egg Source List: 94.61.243.71 C & C List: Peer Coord. List: Resource List: Observed Start: 05/19/2013 01:28:45.326 PDT Gen. 
Time: 05/19/2013 01:33:32.129 PDT INBOUND SCAN EXPLOIT 94.61.243.71 (2) (01:32:57.609 PDT) event=1:22009201 (2) {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-3359 (01:32:57.609 PDT) 445<-4472 (01:33:10.476 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 94.61.243.71 (2) (01:28:45.326 PDT) event=1:2001685 (2) {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 42366<-6947 (01:28:45.326 PDT) 42378<-6947 (01:29:01.970 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368952125.326 1368952125.327 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 94.61.243.71 Egg Source List: 94.61.243.71 C & C List: Peer Coord. List: Resource List: Observed Start: 05/19/2013 01:29:16.408 PDT Gen. 
Time: 05/19/2013 01:29:16.408 PDT INBOUND SCAN EXPLOIT 94.61.243.71 (01:33:34.035 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-1901 (01:33:34.035 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 94.61.243.71 (01:29:16.408 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 42392<-6947 (01:29:16.408 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368952156.408 1368952156.409 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 94.61.243.71 Egg Source List: 94.61.243.71 C & C List: Peer Coord. List: Resource List: Observed Start: 05/19/2013 01:29:16.408 PDT Gen. 
Time: 05/19/2013 01:35:05.606 PDT INBOUND SCAN EXPLOIT 94.61.243.71 (6) (01:33:34.035 PDT) event=1:22009201 (6) {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-1901 (01:33:34.035 PDT) 445<-3309 (01:33:46.988 PDT) 445<-4157 (01:34:03.420 PDT) 445<-1564 (01:34:15.651 PDT) 445<-2399 (01:34:34.200 PDT) 445<-3718 (01:34:47.258 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 94.61.243.71 (7) (01:29:16.408 PDT) event=1:2001685 (7) {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 42392<-6947 (01:29:16.408 PDT) 42409<-6947 (01:29:31.473 PDT) 43165<-6947 (01:29:43.957 PDT) 43184<-6947 (01:29:58.262 PDT) 35861<-6947 (01:34:37.473 PDT) 43207<-6947 (01:30:12.321 PDT) 43248<-6947 (01:30:30.363 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368952156.408 1368952156.409 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 94.61.243.71 Egg Source List: 94.61.243.71 C & C List: Peer Coord. List: Resource List: Observed Start: 05/19/2013 01:31:31.295 PDT Gen. 
Time: 05/19/2013 01:31:31.295 PDT INBOUND SCAN EXPLOIT 94.61.243.71 (4) (01:35:06.222 PDT) event=1:22009201 (4) {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-4693 (01:35:06.222 PDT) 445<-2170 (01:35:19.879 PDT) 445<-3161 (01:35:38.349 PDT) 445<-4362 (01:35:50.991 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 94.61.243.71 (01:31:31.295 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 43365<-6947 (01:31:31.295 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368952291.295 1368952291.296 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 41.225.237.178, 94.61.243.71 Egg Source List: 94.61.243.71 C & C List: Peer Coord. List: Resource List: Observed Start: 05/19/2013 01:31:31.295 PDT Gen. 
Time: 05/19/2013 01:36:53.482 PDT INBOUND SCAN EXPLOIT 41.225.237.178 (01:36:26.477 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-59322 (01:36:26.477 PDT) 94.61.243.71 (6) (01:35:06.222 PDT) event=1:22009201 (6) {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-4693 (01:35:06.222 PDT) 445<-2170 (01:35:19.879 PDT) 445<-3161 (01:35:38.349 PDT) 445<-4362 (01:35:50.991 PDT) 445<-1666 (01:36:20.543 PDT) 445<-3897 (01:36:38.752 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 94.61.243.71 (5) (01:31:31.295 PDT) event=1:2001685 (5) {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 43365<-6947 (01:31:31.295 PDT) 43384<-6947 (01:31:45.911 PDT) 43408<-6947 (01:32:02.327 PDT) 36049<-6947 (01:36:29.651 PDT) 43429<-6947 (01:32:15.717 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368952291.295 1368952291.296 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 94.61.243.71 Egg Source List: 94.61.243.71 C & C List: Peer Coord. List: Resource List: Observed Start: 05/19/2013 01:32:31.314 PDT Gen. 
Time: 05/19/2013 01:32:31.314 PDT INBOUND SCAN EXPLOIT 94.61.243.71 (01:36:53.846 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-1092 (01:36:53.846 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 94.61.243.71 (01:32:31.314 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 43457<-6947 (01:32:31.314 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368952351.314 1368952351.315 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 94.61.243.71 Egg Source List: 94.61.243.71 C & C List: Peer Coord. List: Resource List: Observed Start: 05/19/2013 01:32:44.843 PDT Gen. 
Time: 05/19/2013 01:32:44.843 PDT INBOUND SCAN EXPLOIT 94.61.243.71 (01:37:11.787 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-2352 (01:37:11.787 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 94.61.243.71 (01:32:44.843 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 43478<-6947 (01:32:44.843 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368952364.843 1368952364.844 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 94.61.243.71 Egg Source List: 94.61.243.71 C & C List: Peer Coord. List: Resource List: Observed Start: 05/19/2013 01:32:44.843 PDT Gen. 
Time: 05/19/2013 01:38:08.097 PDT INBOUND SCAN EXPLOIT 94.61.243.71 (4) (01:37:11.787 PDT) event=1:22009201 (4) {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-2352 (01:37:11.787 PDT) 445<-3857 (01:37:27.703 PDT) 445<-1425 (01:37:41.363 PDT) 445<-2569 (01:37:57.207 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 94.61.243.71 (3) (01:32:44.843 PDT) event=1:2001685 (3) {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 43478<-6947 (01:32:44.843 PDT) 43509<-6947 (01:33:00.556 PDT) 43542<-6947 (01:33:16.849 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368952364.843 1368952364.844 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 94.61.243.71 Egg Source List: 94.61.243.71 C & C List: Peer Coord. List: Resource List: Observed Start: 05/19/2013 01:38:10.378 PDT Gen. 
Time: 05/19/2013 01:38:16.303 PDT INBOUND SCAN EXPLOIT 94.61.243.71 (01:38:10.378 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-3888 (01:38:10.378 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 94.61.243.71 (01:38:16.303 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 36182<-6947 (01:38:16.303 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368952690.378 1368952690.379 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 94.61.243.71 Egg Source List: 94.61.243.71 C & C List: Peer Coord. List: Resource List: Observed Start: 05/19/2013 01:33:37.511 PDT Gen. 
Time: 05/19/2013 01:38:37.043 PDT INBOUND SCAN EXPLOIT 94.61.243.71 (01:38:10.378 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-3888 (01:38:10.378 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 94.61.243.71 (3) (01:33:37.511 PDT) event=1:2001685 (3) {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 36182<-6947 (01:38:16.303 PDT) 43590<-6947 (01:33:37.511 PDT) 43612<-6947 (01:33:50.018 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368952417.511 1368952417.512 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 94.61.243.71 Egg Source List: 94.61.243.71 C & C List: Peer Coord. List: Resource List: Observed Start: 05/19/2013 01:34:18.509 PDT Gen. 
Time: 05/19/2013 01:39:09.356 PDT INBOUND SCAN EXPLOIT 94.61.243.71 (01:39:09.356 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-2592 (01:39:09.356 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 94.61.243.71 (01:34:18.509 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 43647<-6947 (01:34:18.509 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368952458.509 1368952458.510 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 94.61.243.71 Egg Source List: 94.61.243.71 C & C List: Peer Coord. List: Resource List: Observed Start: 05/19/2013 01:34:18.509 PDT Gen. 
Time: 05/19/2013 01:39:46.561 PDT INBOUND SCAN EXPLOIT 94.61.243.71 (2) (01:39:09.356 PDT) event=1:22009201 (2) {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-2592 (01:39:09.356 PDT) 445<-2973 (01:39:37.991 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 94.61.243.71 (3) (01:34:18.509 PDT) event=1:2001685 (3) {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 43647<-6947 (01:34:18.509 PDT) 36246<-6947 (01:39:17.212 PDT) 35887<-6947 (01:34:50.530 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368952458.509 1368952458.510 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 94.61.243.71 Egg Source List: 94.61.243.71 C & C List: Peer Coord. List: Resource List: Observed Start: 05/19/2013 01:35:09.077 PDT Gen. 
Time: 05/19/2013 01:35:09.077 PDT INBOUND SCAN EXPLOIT 94.61.243.71 (01:39:53.376 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-1252 (01:39:53.376 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 94.61.243.71 (01:35:09.077 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 35911<-6947 (01:35:09.077 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368952509.077 1368952509.078 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 94.61.243.71 Egg Source List: 94.61.243.71 C & C List: Peer Coord. List: Resource List: Observed Start: 05/19/2013 01:35:23.846 PDT Gen. 
Time: 05/19/2013 01:35:23.846 PDT INBOUND SCAN EXPLOIT 94.61.243.71 (01:40:05.580 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-2428 (01:40:05.580 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 94.61.243.71 (01:35:23.846 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 35926<-6947 (01:35:23.846 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368952523.846 1368952523.847 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 94.61.243.71 Egg Source List: 94.61.243.71 C & C List: Peer Coord. List: Resource List: Observed Start: 05/19/2013 01:35:23.846 PDT Gen. 
Time: 05/19/2013 01:40:57.999 PDT INBOUND SCAN EXPLOIT 94.61.243.71 (4) (01:40:05.580 PDT) event=1:22009201 (4) {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-2428 (01:40:05.580 PDT) 445<-3461 (01:40:21.050 PDT) 445<-1068 (01:40:35.147 PDT) 445<-2269 (01:40:50.825 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 94.61.243.71 (3) (01:35:23.846 PDT) event=1:2001685 (3) {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 35926<-6947 (01:35:23.846 PDT) 35956<-6947 (01:35:40.941 PDT) 36008<-6947 (01:35:56.068 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368952523.846 1368952523.847 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 94.61.243.71 Egg Source List: 94.61.243.71 C & C List: Peer Coord. List: Resource List: Observed Start: 05/19/2013 01:36:41.617 PDT Gen. 
Time: 05/19/2013 01:36:41.617 PDT INBOUND SCAN EXPLOIT 94.61.243.71 (4) (01:41:03.525 PDT) event=1:22009201 (4) {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-3586 (01:41:03.525 PDT) 445<-4729 (01:41:19.066 PDT) 445<-2171 (01:41:32.471 PDT) 445<-3322 (01:41:47.739 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 94.61.243.71 (01:36:41.617 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 36069<-6947 (01:36:41.617 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368952601.617 1368952601.618 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 94.61.243.71 Egg Source List: 94.61.243.71 C & C List: Peer Coord. List: Resource List: Observed Start: 05/19/2013 01:36:57.204 PDT Gen. 
Time: 05/19/2013 01:36:57.204 PDT INBOUND SCAN EXPLOIT 94.61.243.71 (01:41:59.786 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-4850 (01:41:59.786 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 94.61.243.71 (01:36:57.204 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 36092<-6947 (01:36:57.204 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368952617.204 1368952617.205 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 94.61.243.71 Egg Source List: 94.61.243.71 C & C List: Peer Coord. List: Resource List: Observed Start: 05/19/2013 01:36:57.204 PDT Gen. 
Time: 05/19/2013 01:42:56.106 PDT INBOUND SCAN EXPLOIT 94.61.243.71 (4) (01:41:59.786 PDT) event=1:22009201 (4) {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-4850 (01:41:59.786 PDT) 445<-1940 (01:42:15.930 PDT) 445<-3273 (01:42:28.819 PDT) 445<-4336 (01:42:44.601 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 94.61.243.71 (4) (01:36:57.204 PDT) event=1:2001685 (4) {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 36092<-6947 (01:36:57.204 PDT) 36118<-6947 (01:37:15.134 PDT) 36134<-6947 (01:37:30.713 PDT) 36149<-6947 (01:37:45.020 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368952617.204 1368952617.205 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 94.61.243.71 Egg Source List: 94.61.243.71 C & C List: Peer Coord. List: Resource List: Observed Start: 05/19/2013 01:38:00.656 PDT Gen. 
Time: 05/19/2013 01:38:00.656 PDT INBOUND SCAN EXPLOIT 94.61.243.71 (2) (01:42:56.827 PDT) event=1:22009201 (2) {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-2158 (01:42:56.827 PDT) 445<-3280 (01:43:12.111 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 94.61.243.71 (01:38:00.656 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 36163<-6947 (01:38:00.656 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368952680.656 1368952680.657 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 94.61.243.71 Egg Source List: 94.61.243.71 C & C List: Peer Coord. List: Resource List: Observed Start: 05/19/2013 01:39:40.817 PDT Gen. 
Time: 05/19/2013 01:39:40.817 PDT INBOUND SCAN EXPLOIT 94.61.243.71 (4) (01:43:51.838 PDT) event=1:22009201 (4) {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-3343 (01:43:51.838 PDT) 445<-4844 (01:44:12.489 PDT) 445<-2962 (01:44:25.712 PDT) 445<-4115 (01:44:40.736 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 94.61.243.71 (01:39:40.817 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 55623<-6947 (01:39:40.817 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368952780.817 1368952780.818 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 94.61.243.71 Egg Source List: 94.61.243.71 C & C List: Peer Coord. List: Resource List: Observed Start: 05/19/2013 01:39:40.817 PDT Gen. 
Time: 05/19/2013 01:46:10.067 PDT INBOUND SCAN EXPLOIT 94.61.243.71 (8) (01:43:51.838 PDT) event=1:22009201 (8) {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-3343 (01:43:51.838 PDT) 445<-4844 (01:44:12.489 PDT) 445<-2962 (01:44:25.712 PDT) 445<-4115 (01:44:40.736 PDT) 445<-1920 (01:44:53.509 PDT) 445<-3030 (01:45:14.416 PDT) 445<-1272 (01:45:31.278 PDT) 445<-3170 (01:45:58.007 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 94.61.243.71 (6) (01:39:40.817 PDT) event=1:2001685 (6) {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 55623<-6947 (01:39:40.817 PDT) 55628<-6947 (01:39:56.031 PDT) 55636<-6947 (01:40:08.843 PDT) 55640<-6947 (01:40:24.190 PDT) 55651<-6947 (01:40:37.885 PDT) 55666<-6947 (01:40:53.748 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368952780.817 1368952780.818 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 94.61.243.71 Egg Source List: 94.61.243.71 C & C List: Peer Coord. List: Resource List: Observed Start: 05/19/2013 01:41:06.168 PDT Gen. 
Time: 05/19/2013 01:41:06.168 PDT INBOUND SCAN EXPLOIT 94.61.243.71 (01:46:11.680 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-1252 (01:46:11.680 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 94.61.243.71 (01:41:06.168 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 55672<-6947 (01:41:06.168 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368952866.168 1368952866.169 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 94.61.243.71 Egg Source List: 94.61.243.71 C & C List: Peer Coord. List: Resource List: Observed Start: 05/19/2013 01:41:21.943 PDT Gen. 
Time: 05/19/2013 01:46:36.427 PDT INBOUND SCAN EXPLOIT 94.61.243.71 (01:46:36.427 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-3077 (01:46:36.427 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 94.61.243.71 (01:41:21.943 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 55683<-6947 (01:41:21.943 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368952881.943 1368952881.944 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 94.61.243.71 Egg Source List: 94.61.243.71 C & C List: Peer Coord. List: Resource List: Observed Start: 05/19/2013 01:41:21.943 PDT Gen. 
Time: 05/19/2013 01:42:19.040 PDT INBOUND SCAN EXPLOIT 94.61.243.71 (4) (01:46:36.427 PDT) event=1:22009201 (4) {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-3077 (01:46:36.427 PDT) 445<-4350 (01:46:48.584 PDT) 445<-1851 (01:47:04.409 PDT) 445<-4571 (01:47:22.528 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 94.61.243.71 (6) (01:41:21.943 PDT) event=1:2001685 (6) {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 55683<-6947 (01:41:21.943 PDT) 55691<-6947 (01:41:34.996 PDT) 55703<-6947 (01:41:50.668 PDT) 49323<-6947 (01:47:07.972 PDT) 55709<-6947 (01:42:02.476 PDT) 55724<-6947 (01:42:19.040 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368952881.943 1368952881.944 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 94.61.243.71 Egg Source List: 94.61.243.71 C & C List: Peer Coord. List: Resource List: Observed Start: 05/19/2013 01:42:31.613 PDT Gen. 
Time: 05/19/2013 01:42:31.613 PDT INBOUND SCAN EXPLOIT 94.61.243.71 (01:47:38.754 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-2223 (01:47:38.754 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 94.61.243.71 (01:42:31.613 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 55734<-6947 (01:42:31.613 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368952951.613 1368952951.614 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 94.61.243.71 Egg Source List: 94.61.243.71 C & C List: Peer Coord. List: Resource List: Observed Start: 05/19/2013 01:47:53.642 PDT Gen. 
Time: 05/19/2013 01:47:58.542 PDT INBOUND SCAN EXPLOIT 94.61.243.71 (01:47:53.642 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-3568 (01:47:53.642 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 94.61.243.71 (01:47:58.542 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 49385<-6947 (01:47:58.542 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368953273.642 1368953273.643 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 94.61.243.71 Egg Source List: 94.61.243.71 C & C List: Peer Coord. List: Resource List: Observed Start: 05/19/2013 01:42:47.871 PDT Gen. 
Time: 05/19/2013 01:48:07.926 PDT INBOUND SCAN EXPLOIT 94.61.243.71 (01:47:53.642 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-3568 (01:47:53.642 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 94.61.243.71 (2) (01:42:47.871 PDT) event=1:2001685 (2) {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 49385<-6947 (01:47:58.542 PDT) 55759<-6947 (01:42:47.871 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368952967.871 1368952967.872 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 94.61.243.71 Egg Source List: 94.61.243.71 C & C List: Peer Coord. List: Resource List: Observed Start: 05/19/2013 01:42:59.983 PDT Gen. 
Time: 05/19/2013 01:48:23.678 PDT INBOUND SCAN EXPLOIT 94.61.243.71 (01:48:23.678 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-2388 (01:48:23.678 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 94.61.243.71 (01:42:59.983 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 55786<-6947 (01:42:59.983 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368952979.983 1368952979.984 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 94.61.243.71 Egg Source List: 94.61.243.71 C & C List: Peer Coord. List: Resource List: Observed Start: 05/19/2013 01:42:59.983 PDT Gen. 
Time: 05/19/2013 01:49:10.517 PDT INBOUND SCAN EXPLOIT 94.61.243.71 (3) (01:48:23.678 PDT) event=1:22009201 (3) {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-2388 (01:48:23.678 PDT) 445<-3757 (01:48:38.094 PDT) 445<-1205 (01:48:53.465 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 94.61.243.71 (2) (01:42:59.983 PDT) event=1:2001685 (2) {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 55786<-6947 (01:42:59.983 PDT) 55858<-6947 (01:43:55.573 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368952979.983 1368952979.984 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 94.61.243.71 Egg Source List: 94.61.243.71 C & C List: Peer Coord. List: Resource List: Observed Start: 05/19/2013 01:44:15.396 PDT Gen. 
Time: 05/19/2013 01:44:15.396 PDT INBOUND SCAN EXPLOIT 94.61.243.71 (01:49:20.658 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-2950 (01:49:20.658 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 94.61.243.71 (01:44:15.396 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 55882<-6947 (01:44:15.396 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368953055.396 1368953055.397 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 77.236.72.75 Egg Source List: 94.61.243.71 C & C List: Peer Coord. List: Resource List: Observed Start: 05/19/2013 01:49:28.196 PDT Gen. 
Time: 05/19/2013 01:49:29.133 PDT INBOUND SCAN EXPLOIT 77.236.72.75 (01:49:29.133 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-3352 (01:49:29.133 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 94.61.243.71 (01:49:28.196 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 49487<-6947 (01:49:28.196 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368953368.196 1368953368.197 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 77.236.72.75 Egg Source List: 94.61.243.71 C & C List: Peer Coord. List: Resource List: Observed Start: 05/19/2013 01:44:28.150 PDT Gen. 
Time: 05/19/2013 01:49:39.079 PDT INBOUND SCAN EXPLOIT 77.236.72.75 (01:49:29.133 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-3352 (01:49:29.133 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 94.61.243.71 (2) (01:44:28.150 PDT) event=1:2001685 (2) {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 49487<-6947 (01:49:28.196 PDT) 55891<-6947 (01:44:28.150 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368953068.150 1368953068.151 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 94.61.243.71 Egg Source List: 94.61.243.71 C & C List: Peer Coord. List: Resource List: Observed Start: 05/19/2013 01:44:43.991 PDT Gen. 
Time: 05/19/2013 01:44:43.991 PDT INBOUND SCAN EXPLOIT 94.61.243.71 (01:49:49.690 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-2168 (01:49:49.690 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 94.61.243.71 (01:44:43.991 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 49155<-6947 (01:44:43.991 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368953083.991 1368953083.992 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 94.61.243.71 Egg Source List: 94.61.243.71 C & C List: Peer Coord. List: Resource List: Observed Start: 05/19/2013 01:45:16.902 PDT Gen. 
Time: 05/19/2013 01:45:16.902 PDT INBOUND SCAN EXPLOIT 94.61.243.71 (01:50:08.010 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-3566 (01:50:08.010 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 94.61.243.71 (01:45:16.902 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 49195<-6947 (01:45:16.902 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368953116.902 1368953116.903 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 94.61.243.71 Egg Source List: 94.61.243.71 C & C List: Peer Coord. List: Resource List: Observed Start: 05/19/2013 01:45:35.570 PDT Gen. 
Time: 05/19/2013 01:45:35.570 PDT INBOUND SCAN EXPLOIT 94.61.243.71 (01:50:33.143 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-2193 (01:50:33.143 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 94.61.243.71 (01:45:35.570 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 49219<-6947 (01:45:35.570 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368953135.570 1368953135.571 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 94.61.243.71 Egg Source List: 94.61.243.71 C & C List: Peer Coord. List: Resource List: Observed Start: 05/19/2013 01:46:02.811 PDT Gen. 
Time: 05/19/2013 01:46:02.811 PDT INBOUND SCAN EXPLOIT 94.61.243.71 (2) (01:50:46.033 PDT) event=1:22009201 (2) {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-3531 (01:50:46.033 PDT) 445<-4826 (01:51:02.963 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 94.61.243.71 (01:46:02.811 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 49247<-6947 (01:46:02.811 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368953162.811 1368953162.812 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 94.61.243.71 Egg Source List: 94.61.243.71 C & C List: Peer Coord. List: Resource List: Observed Start: 05/19/2013 01:46:14.723 PDT Gen. 
Time: 05/19/2013 01:46:14.723 PDT INBOUND SCAN EXPLOIT 94.61.243.71 (01:51:18.606 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-2338 (01:51:18.606 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 94.61.243.71 (01:46:14.723 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 49258<-6947 (01:46:14.723 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368953174.723 1368953174.724 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 192.77.126.50 Egg Source List: 94.61.243.71 C & C List: Peer Coord. List: Resource List: Observed Start: 05/19/2013 01:46:51.346 PDT Gen. 
Time: 05/19/2013 01:46:51.346 PDT INBOUND SCAN EXPLOIT 192.77.126.50 (01:51:48.188 PDT) event=1:22475 {tcp} E2[rb] GPL NETBIOS SMB-DS ADMIN$ unicode share access, [] MAC_Dst: 00:21:5A:08:EC:40 445<-50526 (01:51:48.188 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 94.61.243.71 (01:46:51.346 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 49308<-6947 (01:46:51.346 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368953211.346 1368953211.347 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 94.61.243.71 Egg Source List: 94.61.243.71 C & C List: Peer Coord. List: Resource List: Observed Start: 05/19/2013 01:52:06.012 PDT Gen. 
Time: 05/19/2013 01:52:10.131 PDT INBOUND SCAN EXPLOIT 94.61.243.71 (01:52:06.012 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-2026 (01:52:06.012 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 94.61.243.71 (01:52:10.131 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 43566<-6947 (01:52:10.131 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368953526.012 1368953526.013 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 192.77.126.50, 94.61.243.71 Egg Source List: 77.236.72.75, 94.61.243.71 C & C List: Peer Coord. List: Resource List: Observed Start: 05/19/2013 01:47:25.688 PDT Gen. 
Time: 05/19/2013 01:54:41.577 PDT INBOUND SCAN EXPLOIT 192.77.126.50 (01:53:06.851 PDT) event=1:22475 {tcp} E2[rb] GPL NETBIOS SMB-DS ADMIN$ unicode share access, [] MAC_Dst: 00:21:5A:08:EC:40 445<-52411 (01:53:06.851 PDT) 94.61.243.71 (9) (01:52:06.012 PDT) event=1:22009201 (9) {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-2026 (01:52:06.012 PDT) 445<-4038 (01:52:20.092 PDT) 445<-1466 (01:52:35.912 PDT) 445<-2770 (01:52:48.137 PDT) 445<-3843 (01:53:08.858 PDT) 445<-2197 (01:53:31.798 PDT) 445<-3731 (01:53:54.849 PDT) 445<-1625 (01:54:12.723 PDT) 445<-2881 (01:54:29.699 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 77.236.72.75 (01:49:35.978 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 41231<-7115 (01:49:35.978 PDT) 94.61.243.71 (8) (01:47:25.688 PDT) event=1:2001685 (8) {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 43566<-6947 (01:52:10.131 PDT) 43577<-6947 (01:52:23.302 PDT) 49347<-6947 (01:47:25.688 PDT) 49369<-6947 (01:47:41.328 PDT) 49415<-6947 (01:48:27.809 PDT) 43659<-6947 (01:53:37.060 PDT) 49432<-6947 (01:48:41.082 PDT) 49452<-6947 (01:48:59.479 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368953245.688 1368953245.689 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 94.61.243.71 Egg Source List: 94.61.243.71 C & C List: Peer Coord. List: Resource List: Observed Start: 05/19/2013 01:54:42.591 PDT Gen. 
Time: 05/19/2013 01:54:49.775 PDT INBOUND SCAN EXPLOIT 94.61.243.71 (01:54:42.591 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-4036 (01:54:42.591 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 94.61.243.71 (01:54:49.775 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 42852<-6947 (01:54:49.775 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368953682.591 1368953682.592 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 192.77.126.50, 94.61.243.71 Egg Source List: 94.61.243.71 C & C List: Peer Coord. List: Resource List: Observed Start: 05/19/2013 01:49:52.880 PDT Gen. 
Time: 05/19/2013 01:49:52.880 PDT INBOUND SCAN EXPLOIT 192.77.126.50 (01:54:54.333 PDT) event=1:22472 {tcp} E2[rb] GPL NETBIOS SMB-DS C$ unicode share access, [] MAC_Dst: 00:21:5A:08:EC:40 445<-28527 (01:54:54.333 PDT) 94.61.243.71 (01:54:42.591 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-4036 (01:54:42.591 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 94.61.243.71 (2) (01:49:52.880 PDT) event=1:2001685 (2) {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 42852<-6947 (01:54:49.775 PDT) 43353<-6947 (01:49:52.880 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368953392.880 1368953392.881 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 94.61.243.71 Egg Source List: 94.61.243.71 C & C List: Peer Coord. List: Resource List: Observed Start: 05/19/2013 01:50:36.461 PDT Gen. 
Time: 05/19/2013 01:50:36.461 PDT INBOUND SCAN EXPLOIT 94.61.243.71 (01:55:23.575 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-2210 (01:55:23.575 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 94.61.243.71 (01:50:36.461 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 43406<-6947 (01:50:36.461 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368953436.461 1368953436.462 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 94.61.243.71 Egg Source List: 94.61.243.71 C & C List: Peer Coord. List: Resource List: Observed Start: 05/19/2013 01:50:36.461 PDT Gen. 
Time: 05/19/2013 01:55:47.937 PDT INBOUND SCAN EXPLOIT 94.61.243.71 (2) (01:55:23.575 PDT) event=1:22009201 (2) {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-2210 (01:55:23.575 PDT) 445<-4134 (01:55:36.472 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 94.61.243.71 (2) (01:50:36.461 PDT) event=1:2001685 (2) {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 43406<-6947 (01:50:36.461 PDT) 43431<-6947 (01:50:48.986 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368953436.461 1368953436.462 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 94.61.243.71 Egg Source List: 94.61.243.71 C & C List: Peer Coord. List: Resource List: Observed Start: 05/19/2013 01:51:06.329 PDT Gen. 
Time: 05/19/2013 01:51:06.329 PDT INBOUND SCAN EXPLOIT 94.61.243.71 (01:55:53.522 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-1283 (01:55:53.522 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 94.61.243.71 (01:51:06.329 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 43456<-6947 (01:51:06.329 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368953466.329 1368953466.330 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 192.77.126.50, 94.61.243.71 Egg Source List: 94.61.243.71 C & C List: Peer Coord. List: Resource List: Observed Start: 05/19/2013 01:51:06.329 PDT Gen. 
Time: 05/19/2013 01:58:07.935 PDT INBOUND SCAN EXPLOIT 192.77.126.50 (01:56:31.697 PDT) event=1:22472 {tcp} E2[rb] GPL NETBIOS SMB-DS C$ unicode share access, [] MAC_Dst: 00:21:5A:08:EC:40 445<-25019 (01:56:31.697 PDT) 94.61.243.71 (8) (01:55:53.522 PDT) event=1:22009201 (8) {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-1283 (01:55:53.522 PDT) 445<-2485 (01:56:06.731 PDT) 445<-3371 (01:56:22.887 PDT) 445<-4690 (01:56:42.088 PDT) 445<-2500 (01:57:17.777 PDT) 445<-4705 (01:57:30.208 PDT) 445<-1698 (01:57:45.248 PDT) 445<-2789 (01:57:58.031 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 94.61.243.71 (6) (01:51:06.329 PDT) event=1:2001685 (6) {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 43456<-6947 (01:51:06.329 PDT) 42995<-6947 (01:56:29.897 PDT) 43015<-6947 (01:56:48.161 PDT) 43595<-6947 (01:52:38.825 PDT) 43615<-6947 (01:52:51.440 PDT) 43641<-6947 (01:53:15.162 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368953466.329 1368953466.330 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 84.0.64.154, 192.77.126.50 Egg Source List: 84.0.64.154 C & C List: Peer Coord. List: Resource List: Observed Start: 05/19/2013 01:58:17.340 PDT Gen. 
Time: 05/19/2013 01:58:29.566 PDT INBOUND SCAN EXPLOIT 84.0.64.154 (01:58:22.388 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-3029 (01:58:22.388 PDT) 192.77.126.50 (01:58:17.340 PDT) event=1:22469 {tcp} E2[rb] GPL NETBIOS SMB-DS D$ unicode share access, [] MAC_Dst: 00:21:5A:08:EC:40 445<-11412 (01:58:17.340 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 84.0.64.154 (01:58:29.566 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 59858<-7473 (01:58:29.566 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368953897.340 1368953897.341 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 84.0.64.154, 192.77.126.50, 94.61.243.71 Egg Source List: 84.0.64.154, 94.61.243.71 C & C List: Peer Coord. List: Resource List: Observed Start: 05/19/2013 01:53:59.628 PDT Gen. 
Time: 05/19/2013 01:58:49.194 PDT INBOUND SCAN EXPLOIT 84.0.64.154 (01:58:22.388 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-3029 (01:58:22.388 PDT) 192.77.126.50 (01:58:17.340 PDT) event=1:22469 {tcp} E2[rb] GPL NETBIOS SMB-DS D$ unicode share access, [] MAC_Dst: 00:21:5A:08:EC:40 445<-11412 (01:58:17.340 PDT) 94.61.243.71 (01:58:36.511 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-4432 (01:58:36.511 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 84.0.64.154 (01:58:29.566 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 59858<-7473 (01:58:29.566 PDT) 94.61.243.71 (2) (01:53:59.628 PDT) event=1:2001685 (2) {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 43142<-6947 (01:58:40.472 PDT) 43681<-6947 (01:53:59.628 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368953639.628 1368953639.629 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 94.61.243.71 Egg Source List: 94.61.243.71 C & C List: Peer Coord. List: Resource List: Observed Start: 05/19/2013 01:54:16.017 PDT Gen. 
Time: 05/19/2013 01:54:16.017 PDT INBOUND SCAN EXPLOIT 94.61.243.71 (01:58:54.262 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-2849 (01:58:54.262 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 94.61.243.71 (01:54:16.017 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 43702<-6947 (01:54:16.017 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368953656.017 1368953656.018 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 94.61.243.71 Egg Source List: 94.61.243.71 C & C List: Peer Coord. List: Resource List: Observed Start: 05/19/2013 01:54:32.791 PDT Gen. 
Time: 05/19/2013 01:54:32.791 PDT INBOUND SCAN EXPLOIT 94.61.243.71 (01:59:11.485 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-4165 (01:59:11.485 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 94.61.243.71 (01:54:32.791 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 43717<-6947 (01:54:32.791 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368953672.791 1368953672.792 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 192.77.126.50, 94.61.243.71 Egg Source List: 94.61.243.71 C & C List: Peer Coord. List: Resource List: Observed Start: 05/19/2013 01:54:32.791 PDT Gen. 
Time: 05/19/2013 02:00:26.705 PDT INBOUND SCAN EXPLOIT 192.77.126.50 (01:59:56.121 PDT) event=1:22469 {tcp} E2[rb] GPL NETBIOS SMB-DS D$ unicode share access, [] MAC_Dst: 00:21:5A:08:EC:40 445<-44502 (01:59:56.121 PDT) 94.61.243.71 (4) (01:59:11.485 PDT) event=1:22009201 (4) {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-4165 (01:59:11.485 PDT) 445<-1930 (01:59:24.640 PDT) 445<-2999 (01:59:39.673 PDT) 445<-4353 (01:59:57.931 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 94.61.243.71 (3) (01:54:32.791 PDT) event=1:2001685 (3) {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 43717<-6947 (01:54:32.791 PDT) 53299<-6947 (02:00:04.961 PDT) 42919<-6947 (01:55:28.485 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368953672.791 1368953672.792 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 94.61.243.71 Egg Source List: 94.61.243.71 C & C List: Peer Coord. List: Resource List: Observed Start: 05/19/2013 02:00:45.391 PDT Gen. 
Time: 05/19/2013 02:00:52.129 PDT INBOUND SCAN EXPLOIT 94.61.243.71 (02:00:45.391 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-3747 (02:00:45.391 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 94.61.243.71 (02:00:52.129 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 53363<-6947 (02:00:52.129 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368954045.391 1368954045.392 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 94.61.243.71 Egg Source List: 94.61.243.71 C & C List: Peer Coord. List: Resource List: Observed Start: 05/19/2013 01:55:56.176 PDT Gen. 
Time: 05/19/2013 02:00:57.859 PDT INBOUND SCAN EXPLOIT 94.61.243.71 (02:00:45.391 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-3747 (02:00:45.391 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 94.61.243.71 (2) (01:55:56.176 PDT) event=1:2001685 (2) {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 53363<-6947 (02:00:52.129 PDT) 42954<-6947 (01:55:56.176 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368953756.176 1368953756.177 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 94.61.243.71 Egg Source List: 94.61.243.71 C & C List: Peer Coord. List: Resource List: Observed Start: 05/19/2013 02:01:08.569 PDT Gen. 
Time: 05/19/2013 02:01:51.314 PDT INBOUND SCAN EXPLOIT 94.61.243.71 (2) (02:01:08.569 PDT) event=1:22009201 (2) {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-2562 (02:01:08.569 PDT) 445<-1830 (02:01:43.497 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 94.61.243.71 (02:01:51.314 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 53426<-6947 (02:01:51.314 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368954068.569 1368954068.570 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 94.61.243.71 Egg Source List: 94.61.243.71 C & C List: Peer Coord. List: Resource List: Observed Start: 05/19/2013 01:57:20.514 PDT Gen. 
Time: 05/19/2013 01:57:20.514 PDT INBOUND SCAN EXPLOIT 94.61.243.71 (3) (02:01:08.569 PDT) event=1:22009201 (3) {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-2562 (02:01:08.569 PDT) 445<-1830 (02:01:43.497 PDT) 445<-3931 (02:02:00.808 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 94.61.243.71 (2) (01:57:20.514 PDT) event=1:2001685 (2) {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 53426<-6947 (02:01:51.314 PDT) 43055<-6947 (01:57:20.514 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368953840.514 1368953840.515 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 94.61.243.71 Egg Source List: 94.61.243.71 C & C List: Peer Coord. List: Resource List: Observed Start: 05/19/2013 01:57:33.005 PDT Gen. 
Time: 05/19/2013 01:57:33.005 PDT INBOUND SCAN EXPLOIT 94.61.243.71 (02:02:20.046 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-1375 (02:02:20.046 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 94.61.243.71 (01:57:33.005 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 43072<-6947 (01:57:33.005 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368953853.005 1368953853.006 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 94.61.243.71 Egg Source List: 94.61.243.71 C & C List: Peer Coord. List: Resource List: Observed Start: 05/19/2013 01:57:48.470 PDT Gen. 
Time: 05/19/2013 02:02:35.865 PDT INBOUND SCAN EXPLOIT 94.61.243.71 (02:02:35.865 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-3083 (02:02:35.865 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 94.61.243.71 (01:57:48.470 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 43093<-6947 (01:57:48.470 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368953868.470 1368953868.471 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 94.61.243.71 Egg Source List: 94.61.243.71 C & C List: Peer Coord. List: Resource List: Observed Start: 05/19/2013 01:57:48.470 PDT Gen. 
Time: 05/19/2013 02:02:48.847 PDT INBOUND SCAN EXPLOIT 94.61.243.71 (02:02:35.865 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-3083 (02:02:35.865 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 94.61.243.71 (2) (01:57:48.470 PDT) event=1:2001685 (2) {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 43093<-6947 (01:57:48.470 PDT) 43104<-6947 (01:58:02.843 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368953868.470 1368953868.471 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 94.61.243.71 Egg Source List: 94.61.243.71 C & C List: Peer Coord. List: Resource List: Observed Start: 05/19/2013 01:58:57.152 PDT Gen. 
Time: 05/19/2013 01:58:57.152 PDT INBOUND SCAN EXPLOIT 94.61.243.71 (3) (02:02:52.267 PDT) event=1:22009201 (3) {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-4267 (02:02:52.267 PDT) 445<-1974 (02:03:05.465 PDT) 445<-3068 (02:03:21.590 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 94.61.243.71 (01:58:57.152 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 43149<-6947 (01:58:57.152 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368953937.152 1368953937.153 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 94.61.243.71 Egg Source List: 94.61.243.71 C & C List: Peer Coord. List: Resource List: Observed Start: 05/19/2013 01:59:14.531 PDT Gen. 
Time: 05/19/2013 02:03:34.460 PDT INBOUND SCAN EXPLOIT 94.61.243.71 (02:03:34.460 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-4585 (02:03:34.460 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 94.61.243.71 (01:59:14.531 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 43170<-6947 (01:59:14.531 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368953954.531 1368953954.532 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 192.77.126.50, 94.61.243.71 Egg Source List: 94.61.243.71 C & C List: Peer Coord. List: Resource List: Observed Start: 05/19/2013 01:59:14.531 PDT Gen. 
Time: 05/19/2013 02:02:04.289 PDT INBOUND SCAN EXPLOIT 192.77.126.50 (2) (02:03:55.098 PDT) event=1:22475 (2) {tcp} E2[rb] GPL NETBIOS SMB-DS ADMIN$ unicode share access, [] MAC_Dst: 00:21:5A:08:EC:40 445<-7254 (02:03:55.098 PDT) 445<-25338 (02:05:38.259 PDT) 94.61.243.71 (7) (02:03:34.460 PDT) event=1:22009201 (7) {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-4585 (02:03:34.460 PDT) 445<-1863 (02:03:52.946 PDT) 445<-3630 (02:04:14.856 PDT) 445<-3207 (02:04:53.198 PDT) 445<-1053 (02:05:05.854 PDT) 445<-2096 (02:05:21.795 PDT) 445<-3534 (02:05:45.631 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 94.61.243.71 (8) (01:59:14.531 PDT) event=1:2001685 (8) {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 43170<-6947 (01:59:14.531 PDT) 43185<-6947 (01:59:27.365 PDT) 53678<-6947 (02:03:58.163 PDT) 53274<-6947 (01:59:43.287 PDT) 53716<-6947 (02:04:19.361 PDT) 53387<-6947 (02:01:14.402 PDT) 47158<-6947 (02:05:52.868 PDT) 53460<-6947 (02:02:04.289 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368953954.531 1368953954.532 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 94.61.243.71 Egg Source List: 94.61.243.71 C & C List: Peer Coord. List: Resource List: Observed Start: 05/19/2013 02:02:23.816 PDT Gen. 
Time: 05/19/2013 02:02:23.816 PDT INBOUND SCAN EXPLOIT 94.61.243.71 (02:06:27.690 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-2837 (02:06:27.690 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 94.61.243.71 (02:02:23.816 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 53502<-6947 (02:02:23.816 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368954143.816 1368954143.817 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 94.61.243.71 Egg Source List: 94.61.243.71 C & C List: Peer Coord. List: Resource List: Observed Start: 05/19/2013 02:02:38.813 PDT Gen. 
Time: 05/19/2013 02:02:38.813 PDT INBOUND SCAN EXPLOIT 94.61.243.71 (02:06:44.455 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-1758 (02:06:44.455 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 94.61.243.71 (02:02:38.813 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 53523<-6947 (02:02:38.813 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368954158.813 1368954158.814 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 192.77.126.50 Egg Source List: 94.61.243.71 C & C List: Peer Coord. List: Resource List: Observed Start: 05/19/2013 02:03:08.801 PDT Gen. 
Time: 05/19/2013 02:03:08.801 PDT INBOUND SCAN EXPLOIT 192.77.126.50 (02:07:18.604 PDT) event=1:22472 {tcp} E2[rb] GPL NETBIOS SMB-DS C$ unicode share access, [] MAC_Dst: 00:21:5A:08:EC:40 445<-4159 (02:07:18.604 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 94.61.243.71 (02:03:08.801 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 53591<-6947 (02:03:08.801 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368954188.801 1368954188.802 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 94.61.243.71 Egg Source List: 94.61.243.71 C & C List: Peer Coord. List: Resource List: Observed Start: 05/19/2013 02:07:29.624 PDT Gen. 
Time: 05/19/2013 02:07:35.794 PDT INBOUND SCAN EXPLOIT 94.61.243.71 (02:07:29.624 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-4417 (02:07:29.624 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 94.61.243.71 (02:07:35.794 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 47277<-6947 (02:07:35.794 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368954449.624 1368954449.625 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 94.61.243.71 Egg Source List: 94.61.243.71 C & C List: Peer Coord. List: Resource List: Observed Start: 05/19/2013 02:03:25.346 PDT Gen. 
Time: 05/19/2013 02:07:56.114 PDT INBOUND SCAN EXPLOIT 94.61.243.71 (02:07:29.624 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-4417 (02:07:29.624 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 94.61.243.71 (2) (02:03:25.346 PDT) event=1:2001685 (2) {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 47277<-6947 (02:07:35.794 PDT) 53629<-6947 (02:03:25.346 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368954205.346 1368954205.347 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 94.61.243.71 Egg Source List: 94.61.243.71 C & C List: Peer Coord. List: Resource List: Observed Start: 05/19/2013 02:08:10.913 PDT Gen. 
Time: 05/19/2013 02:08:15.630 PDT INBOUND SCAN EXPLOIT 94.61.243.71 (02:08:10.913 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-3515 (02:08:10.913 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 94.61.243.71 (02:08:15.630 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 47337<-6947 (02:08:15.630 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368954490.913 1368954490.914 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 192.77.126.50, 94.61.243.71 Egg Source List: 94.61.243.71 C & C List: Peer Coord. List: Resource List: Observed Start: 05/19/2013 02:04:55.981 PDT Gen. 
Time: 05/19/2013 02:09:25.304 PDT INBOUND SCAN EXPLOIT 192.77.126.50 (02:09:01.447 PDT) event=1:22472 {tcp} E2[rb] GPL NETBIOS SMB-DS C$ unicode share access, [] MAC_Dst: 00:21:5A:08:EC:40 445<-20207 (02:09:01.447 PDT) 94.61.243.71 (3) (02:08:10.913 PDT) event=1:22009201 (3) {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-3515 (02:08:10.913 PDT) 445<-4243 (02:08:44.443 PDT) 445<-1974 (02:08:56.199 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 94.61.243.71 (3) (02:04:55.981 PDT) event=1:2001685 (3) {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 47337<-6947 (02:08:15.630 PDT) 47423<-6947 (02:09:00.511 PDT) 47080<-6947 (02:04:55.981 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368954295.981 1368954295.982 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 94.61.243.71 Egg Source List: 94.61.243.71 C & C List: Peer Coord. List: Resource List: Observed Start: 05/19/2013 02:05:08.627 PDT Gen. 
Time: 05/19/2013 02:09:39.026 PDT INBOUND SCAN EXPLOIT 94.61.243.71 (02:09:39.026 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-4207 (02:09:39.026 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 94.61.243.71 (02:05:08.627 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 47093<-6947 (02:05:08.627 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368954308.627 1368954308.628 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 192.77.126.50, 94.61.243.71 Egg Source List: 94.61.243.71 C & C List: Peer Coord. List: Resource List: Observed Start: 05/19/2013 02:05:08.627 PDT Gen. 
Time: 05/19/2013 02:11:27.226 PDT INBOUND SCAN EXPLOIT 192.77.126.50 (02:10:44.887 PDT) event=1:22469 {tcp} E2[rb] GPL NETBIOS SMB-DS D$ unicode share access, [] MAC_Dst: 00:21:5A:08:EC:40 445<-20024 (02:10:44.887 PDT) 94.61.243.71 (7) (02:09:39.026 PDT) event=1:22009201 (7) {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-4207 (02:09:39.026 PDT) 445<-2895 (02:09:50.666 PDT) 445<-3891 (02:10:06.280 PDT) 445<-1591 (02:10:18.906 PDT) 445<-2649 (02:10:35.484 PDT) 445<-4251 (02:10:55.657 PDT) 445<-2490 (02:11:19.605 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 94.61.243.71 (6) (02:05:08.627 PDT) event=1:2001685 (6) {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 47093<-6947 (02:05:08.627 PDT) 47120<-6947 (02:05:25.568 PDT) 48723<-6947 (02:10:40.540 PDT) 48747<-6947 (02:11:01.292 PDT) 47210<-6947 (02:06:32.047 PDT) 47220<-6947 (02:06:48.181 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368954308.627 1368954308.628 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 192.77.126.50, 94.61.243.71 Egg Source List: 94.61.243.71 C & C List: Peer Coord. List: Resource List: Observed Start: 05/19/2013 02:11:32.209 PDT Gen. 
Time: 05/19/2013 02:12:38.104 PDT INBOUND SCAN EXPLOIT 192.77.126.50 (02:12:28.497 PDT) event=1:22469 {tcp} E2[rb] GPL NETBIOS SMB-DS D$ unicode share access, [] MAC_Dst: 00:21:5A:08:EC:40 445<-3351 (02:12:28.497 PDT) 94.61.243.71 (5) (02:11:32.209 PDT) event=1:22009201 (5) {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-4037 (02:11:32.209 PDT) 445<-1443 (02:11:48.184 PDT) 445<-2734 (02:11:59.766 PDT) 445<-3695 (02:12:15.183 PDT) 445<-1289 (02:12:33.237 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 94.61.243.71 (02:12:38.104 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 48823<-6947 (02:12:38.104 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368954692.209 1368954692.210 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 192.77.126.50, 94.61.243.71 Egg Source List: 94.61.243.71 C & C List: Peer Coord. List: Resource List: Observed Start: 05/19/2013 02:08:46.974 PDT Gen. 
Time: 05/19/2013 02:08:46.974 PDT INBOUND SCAN EXPLOIT 192.77.126.50 (02:12:28.497 PDT) event=1:22469 {tcp} E2[rb] GPL NETBIOS SMB-DS D$ unicode share access, [] MAC_Dst: 00:21:5A:08:EC:40 445<-3351 (02:12:28.497 PDT) 94.61.243.71 (7) (02:11:32.209 PDT) event=1:22009201 (7) {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-4037 (02:11:32.209 PDT) 445<-1443 (02:11:48.184 PDT) 445<-2734 (02:11:59.766 PDT) 445<-3695 (02:12:15.183 PDT) 445<-1289 (02:12:33.237 PDT) 445<-3220 (02:13:00.799 PDT) 445<-1424 (02:13:14.416 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 94.61.243.71 (2) (02:08:46.974 PDT) event=1:2001685 (2) {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 48823<-6947 (02:12:38.104 PDT) 47399<-6947 (02:08:46.974 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368954526.974 1368954526.975 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 94.61.243.71 Egg Source List: 94.61.243.71 C & C List: Peer Coord. List: Resource List: Observed Start: 05/19/2013 02:09:41.923 PDT Gen. 
Time: 05/19/2013 02:09:41.923 PDT INBOUND SCAN EXPLOIT 94.61.243.71 (3) (02:13:37.532 PDT) event=1:22009201 (3) {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-2671 (02:13:37.532 PDT) 445<-4876 (02:13:53.494 PDT) 445<-2229 (02:14:19.414 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 94.61.243.71 (02:09:41.923 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 48662<-6947 (02:09:41.923 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368954581.923 1368954581.924 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 94.61.243.71 Egg Source List: 94.61.243.71 C & C List: Peer Coord. List: Resource List: Observed Start: 05/19/2013 02:09:53.742 PDT Gen. 
Time: 05/19/2013 02:09:53.742 PDT INBOUND SCAN EXPLOIT 94.61.243.71 (02:14:32.818 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-4284 (02:14:32.818 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 94.61.243.71 (02:09:53.742 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 48669<-6947 (02:09:53.742 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368954593.742 1368954593.743 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 94.61.243.71 Egg Source List: 94.61.243.71 C & C List: Peer Coord. List: Resource List: Observed Start: 05/19/2013 02:10:10.035 PDT Gen. 
Time: 05/19/2013 02:14:47.513 PDT INBOUND SCAN EXPLOIT 94.61.243.71 (02:14:47.513 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-1583 (02:14:47.513 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 94.61.243.71 (02:10:10.035 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 48683<-6947 (02:10:10.035 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368954610.035 1368954610.036 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 94.61.243.71 Egg Source List: 94.61.243.71 C & C List: Peer Coord. List: Resource List: Observed Start: 05/19/2013 02:10:10.035 PDT Gen. 
Time: 05/19/2013 02:10:21.850 PDT INBOUND SCAN EXPLOIT 94.61.243.71 (02:14:47.513 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-1583 (02:14:47.513 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 94.61.243.71 (2) (02:10:10.035 PDT) event=1:2001685 (2) {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 48683<-6947 (02:10:10.035 PDT) 48697<-6947 (02:10:21.850 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368954610.035 1368954610.036 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 94.61.243.71 Egg Source List: 94.61.243.71 C & C List: Peer Coord. List: Resource List: Observed Start: 05/19/2013 02:11:22.837 PDT Gen. 
Time: 05/19/2013 02:11:22.837 PDT INBOUND SCAN EXPLOIT 94.61.243.71 (5) (02:14:59.983 PDT) event=1:22009201 (5) {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-2615 (02:14:59.983 PDT) 445<-3453 (02:15:15.764 PDT) 445<-4848 (02:15:28.206 PDT) 445<-1766 (02:15:42.804 PDT) 445<-2761 (02:15:57.491 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 94.61.243.71 (02:11:22.837 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 48772<-6947 (02:11:22.837 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368954682.837 1368954682.838 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 192.77.126.50, 94.61.243.71 Egg Source List: 94.61.243.71 C & C List: Peer Coord. List: Resource List: Observed Start: 05/19/2013 02:11:22.837 PDT Gen. 
Time: 05/19/2013 02:16:39.154 PDT INBOUND SCAN EXPLOIT 192.77.126.50 (02:16:31.071 PDT) event=1:22475 {tcp} E2[rb] GPL NETBIOS SMB-DS ADMIN$ unicode share access, [] MAC_Dst: 00:21:5A:08:EC:40 445<-9162 (02:16:31.071 PDT) 94.61.243.71 (6) (02:14:59.983 PDT) event=1:22009201 (6) {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-2615 (02:14:59.983 PDT) 445<-3453 (02:15:15.764 PDT) 445<-4848 (02:15:28.206 PDT) 445<-1766 (02:15:42.804 PDT) 445<-2761 (02:15:57.491 PDT) 445<-3868 (02:16:19.372 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 94.61.243.71 (4) (02:11:22.837 PDT) event=1:2001685 (4) {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 48772<-6947 (02:11:22.837 PDT) 48777<-6947 (02:11:35.300 PDT) 60876<-6947 (02:16:26.227 PDT) 48789<-6947 (02:11:50.863 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368954682.837 1368954682.838 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 94.61.243.71 Egg Source List: 94.61.243.71 C & C List: Peer Coord. List: Resource List: Observed Start: 05/19/2013 02:16:42.151 PDT Gen. 
Time: 05/19/2013 02:16:47.936 PDT INBOUND SCAN EXPLOIT 94.61.243.71 (02:16:42.151 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-1933 (02:16:42.151 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 94.61.243.71 (02:16:47.936 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 60903<-6947 (02:16:47.936 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368955002.151 1368955002.152 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 94.61.243.71 Egg Source List: 94.61.243.71 C & C List: Peer Coord. List: Resource List: Observed Start: 05/19/2013 02:12:17.964 PDT Gen. 
Time: 05/19/2013 02:17:00.580 PDT INBOUND SCAN EXPLOIT 94.61.243.71 (02:16:42.151 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-1933 (02:16:42.151 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 94.61.243.71 (2) (02:12:17.964 PDT) event=1:2001685 (2) {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 60903<-6947 (02:16:47.936 PDT) 48810<-6947 (02:12:17.964 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368954737.964 1368954737.965 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 94.61.243.71 Egg Source List: 94.61.243.71 C & C List: Peer Coord. List: Resource List: Observed Start: 05/19/2013 02:13:03.505 PDT Gen. 
Time: 05/19/2013 02:13:03.505 PDT INBOUND SCAN EXPLOIT 94.61.243.71 (2) (02:17:05.540 PDT) event=1:22009201 (2) {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-3359 (02:17:05.540 PDT) 445<-1490 (02:17:25.224 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 94.61.243.71 (02:13:03.505 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 48847<-6947 (02:13:03.505 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368954783.505 1368954783.506 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 94.61.243.71 Egg Source List: 94.61.243.71 C & C List: Peer Coord. List: Resource List: Observed Start: 05/19/2013 02:13:03.505 PDT Gen. 
Time: 05/19/2013 02:17:51.243 PDT INBOUND SCAN EXPLOIT 94.61.243.71 (3) (02:17:05.540 PDT) event=1:22009201 (3) {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-3359 (02:17:05.540 PDT) 445<-1490 (02:17:25.224 PDT) 445<-2340 (02:17:44.090 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 94.61.243.71 (2) (02:13:03.505 PDT) event=1:2001685 (2) {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 48847<-6947 (02:13:03.505 PDT) 48859<-6947 (02:13:18.571 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368954783.505 1368954783.506 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 192.77.126.50, 94.61.243.71 Egg Source List: 94.61.243.71 C & C List: Peer Coord. List: Resource List: Observed Start: 05/19/2013 02:13:41.160 PDT Gen. 
Time: 05/19/2013 02:13:41.160 PDT INBOUND SCAN EXPLOIT 192.77.126.50 (02:18:07.697 PDT) event=1:22475 {tcp} E2[rb] GPL NETBIOS SMB-DS ADMIN$ unicode share access, [] MAC_Dst: 00:21:5A:08:EC:40 445<-51576 (02:18:07.697 PDT) 94.61.243.71 (02:17:55.939 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-3630 (02:17:55.939 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 94.61.243.71 (02:13:41.160 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 48871<-6947 (02:13:41.160 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368954821.160 1368954821.161 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 192.77.126.50, 94.61.243.71 Egg Source List: 94.61.243.71 C & C List: Peer Coord. List: Resource List: Observed Start: 05/19/2013 02:13:41.160 PDT Gen. 
Time: 05/19/2013 02:18:27.128 PDT INBOUND SCAN EXPLOIT 192.77.126.50 (02:18:07.697 PDT) event=1:22475 {tcp} E2[rb] GPL NETBIOS SMB-DS ADMIN$ unicode share access, [] MAC_Dst: 00:21:5A:08:EC:40 445<-51576 (02:18:07.697 PDT) 94.61.243.71 (2) (02:17:55.939 PDT) event=1:22009201 (2) {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-3630 (02:17:55.939 PDT) 445<-4428 (02:18:17.358 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 94.61.243.71 (3) (02:13:41.160 PDT) event=1:2001685 (3) {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 48871<-6947 (02:13:41.160 PDT) 61000<-6947 (02:18:22.614 PDT) 48887<-6947 (02:13:57.318 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368954821.160 1368954821.161 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 94.61.243.71 Egg Source List: 94.61.243.71 C & C List: Peer Coord. List: Resource List: Observed Start: 05/19/2013 02:18:40.222 PDT Gen. 
Time: 05/19/2013 02:18:44.257 PDT INBOUND SCAN EXPLOIT 94.61.243.71 (02:18:40.222 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-2481 (02:18:40.222 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 94.61.243.71 (02:18:44.257 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 32791<-6947 (02:18:44.257 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368955120.222 1368955120.223 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 94.61.243.71 Egg Source List: 94.61.243.71 C & C List: Peer Coord. List: Resource List: Observed Start: 05/19/2013 02:14:24.150 PDT Gen. 
Time: 05/19/2013 02:18:52.177 PDT INBOUND SCAN EXPLOIT 94.61.243.71 (02:18:40.222 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-2481 (02:18:40.222 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 94.61.243.71 (2) (02:14:24.150 PDT) event=1:2001685 (2) {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 32791<-6947 (02:18:44.257 PDT) 48919<-6947 (02:14:24.150 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368954864.150 1368954864.151 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 94.61.243.71 Egg Source List: 94.61.243.71 C & C List: Peer Coord. List: Resource List: Observed Start: 05/19/2013 02:14:35.343 PDT Gen. 
Time: 05/19/2013 02:14:35.343 PDT INBOUND SCAN EXPLOIT 94.61.243.71 (02:18:55.513 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-3838 (02:18:55.513 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 94.61.243.71 (02:14:35.343 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 48929<-6947 (02:14:35.343 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368954875.343 1368954875.344 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 94.61.243.71 Egg Source List: 94.61.243.71 C & C List: Peer Coord. List: Resource List: Observed Start: 05/19/2013 02:14:35.343 PDT Gen. 
Time: 05/19/2013 02:19:43.762 PDT INBOUND SCAN EXPLOIT 94.61.243.71 (4) (02:18:55.513 PDT) event=1:22009201 (4) {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-3838 (02:18:55.513 PDT) 445<-1128 (02:19:07.962 PDT) 445<-2005 (02:19:26.184 PDT) 445<-3215 (02:19:37.832 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 94.61.243.71 (4) (02:14:35.343 PDT) event=1:2001685 (4) {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 48929<-6947 (02:14:35.343 PDT) 60784<-6947 (02:14:50.291 PDT) 60800<-6947 (02:15:02.487 PDT) 60815<-6947 (02:15:18.224 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368954875.343 1368954875.344 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 192.77.126.50 Egg Source List: 94.61.243.71 C & C List: Peer Coord. List: Resource List: Observed Start: 05/19/2013 02:15:31.115 PDT Gen. 
Time: 05/19/2013 02:15:31.115 PDT INBOUND SCAN EXPLOIT 192.77.126.50 (02:19:50.975 PDT) event=1:22472 {tcp} E2[rb] GPL NETBIOS SMB-DS C$ unicode share access, [] MAC_Dst: 00:21:5A:08:EC:40 445<-15340 (02:19:50.975 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 94.61.243.71 (02:15:31.115 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 60819<-6947 (02:15:31.115 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368954931.115 1368954931.116 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 192.77.126.50, 94.61.243.71 Egg Source List: 94.61.243.71 C & C List: Peer Coord. List: Resource List: Observed Start: 05/19/2013 02:15:31.115 PDT Gen. 
Time: 05/19/2013 02:20:27.662 PDT INBOUND SCAN EXPLOIT 192.77.126.50 (02:19:50.975 PDT) event=1:22472 {tcp} E2[rb] GPL NETBIOS SMB-DS C$ unicode share access, [] MAC_Dst: 00:21:5A:08:EC:40 445<-15340 (02:19:50.975 PDT) 94.61.243.71 (2) (02:20:00.603 PDT) event=1:22009201 (2) {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-4022 (02:20:00.603 PDT) 445<-2133 (02:20:25.365 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 94.61.243.71 (4) (02:15:31.115 PDT) event=1:2001685 (4) {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 60819<-6947 (02:15:31.115 PDT) 34146<-6947 (02:20:05.775 PDT) 60833<-6947 (02:15:45.716 PDT) 60853<-6947 (02:16:01.715 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368954931.115 1368954931.116 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 94.61.243.71 Egg Source List: 94.61.243.71 C & C List: Peer Coord. List: Resource List: Observed Start: 05/19/2013 02:20:42.934 PDT Gen. 
Time: 05/19/2013 02:20:47.970 PDT INBOUND SCAN EXPLOIT 94.61.243.71 (02:20:42.934 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-3579 (02:20:42.934 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 94.61.243.71 (02:20:47.970 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 34182<-6947 (02:20:47.970 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368955242.934 1368955242.935 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 192.77.126.50, 94.102.3.174, 94.61.243.71 Egg Source List: 94.102.3.174, 94.61.243.71 C & C List: Peer Coord. List: Resource List: Observed Start: 05/19/2013 02:17:08.353 PDT Gen. 
Time: 05/19/2013 02:22:05.333 PDT INBOUND SCAN EXPLOIT 192.77.126.50 (02:21:34.689 PDT) event=1:22472 {tcp} E2[rb] GPL NETBIOS SMB-DS C$ unicode share access, [] MAC_Dst: 00:21:5A:08:EC:40 445<-23049 (02:21:34.689 PDT) 94.102.3.174 (02:21:00.402 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-4260 (02:21:00.402 PDT) 94.61.243.71 (4) (02:20:42.934 PDT) event=1:22009201 (4) {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-3579 (02:20:42.934 PDT) 445<-1451 (02:21:06.290 PDT) 445<-2688 (02:21:21.471 PDT) 445<-4138 (02:21:51.534 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 94.102.3.174 (02:21:05.885 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 51758<-8878 (02:21:05.885 PDT) 94.61.243.71 (4) (02:17:08.353 PDT) event=1:2001685 (4) {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 34182<-6947 (02:20:47.970 PDT) 60930<-6947 (02:17:08.353 PDT) 34295<-6947 (02:21:57.415 PDT) 60948<-6947 (02:17:29.756 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368955028.353 1368955028.354 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 94.61.243.71 Egg Source List: 94.61.243.71 C & C List: Peer Coord. List: Resource List: Observed Start: 05/19/2013 02:17:46.860 PDT Gen. 
Time: 05/19/2013 02:17:46.860 PDT INBOUND SCAN EXPLOIT 94.61.243.71 (02:22:18.162 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-2513 (02:22:18.162 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 94.61.243.71 (02:17:46.860 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 60975<-6947 (02:17:46.860 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368955066.860 1368955066.861 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 94.61.243.71 Egg Source List: 94.61.243.71 C & C List: Peer Coord. List: Resource List: Observed Start: 05/19/2013 02:17:58.735 PDT Gen. 
Time: 05/19/2013 02:22:31.917 PDT INBOUND SCAN EXPLOIT 94.61.243.71 (02:22:31.917 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-3971 (02:22:31.917 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 94.61.243.71 (02:17:58.735 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 60981<-6947 (02:17:58.735 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368955078.735 1368955078.736 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 192.77.126.50, 94.61.243.71 Egg Source List: 94.61.243.71 C & C List: Peer Coord. List: Resource List: Observed Start: 05/19/2013 02:17:58.735 PDT Gen. 
Time: 05/19/2013 02:23:29.269 PDT INBOUND SCAN EXPLOIT 192.77.126.50 (02:23:14.468 PDT) event=1:22469 {tcp} E2[rb] GPL NETBIOS SMB-DS D$ unicode share access, [] MAC_Dst: 00:21:5A:08:EC:40 445<-29985 (02:23:14.468 PDT) 94.61.243.71 (3) (02:22:31.917 PDT) event=1:22009201 (3) {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-3971 (02:22:31.917 PDT) 445<-1116 (02:22:47.048 PDT) 445<-2285 (02:23:05.515 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 94.61.243.71 (2) (02:17:58.735 PDT) event=1:2001685 (2) {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 60981<-6947 (02:17:58.735 PDT) 32800<-6947 (02:18:58.238 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368955078.735 1368955078.736 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 94.61.243.71 Egg Source List: 94.61.243.71 C & C List: Peer Coord. List: Resource List: Observed Start: 05/19/2013 02:23:34.657 PDT Gen. 
Time: 05/19/2013 02:23:39.646 PDT INBOUND SCAN EXPLOIT 94.61.243.71 (02:23:34.657 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-3668 (02:23:34.657 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 94.61.243.71 (02:23:39.646 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 34399<-6947 (02:23:39.646 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368955414.657 1368955414.658 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 94.61.243.71 Egg Source List: 94.61.243.71 C & C List: Peer Coord. List: Resource List: Observed Start: 05/19/2013 02:19:11.842 PDT Gen. 
Time: 05/19/2013 02:23:44.382 PDT INBOUND SCAN EXPLOIT 94.61.243.71 (02:23:34.657 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-3668 (02:23:34.657 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 94.61.243.71 (2) (02:19:11.842 PDT) event=1:2001685 (2) {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 34399<-6947 (02:23:39.646 PDT) 32812<-6947 (02:19:11.842 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368955151.842 1368955151.843 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 94.61.243.71 Egg Source List: 94.61.243.71 C & C List: Peer Coord. List: Resource List: Observed Start: 05/19/2013 02:19:28.851 PDT Gen. 
Time: 05/19/2013 02:19:28.851 PDT INBOUND SCAN EXPLOIT 94.61.243.71 (02:23:51.870 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-2067 (02:23:51.870 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 94.61.243.71 (02:19:28.851 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 32822<-6947 (02:19:28.851 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368955168.851 1368955168.852 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 94.61.243.71 Egg Source List: 94.61.243.71 C & C List: Peer Coord. List: Resource List: Observed Start: 05/19/2013 02:19:40.650 PDT Gen. 
Time: 05/19/2013 02:19:40.650 PDT INBOUND SCAN EXPLOIT 94.61.243.71 (02:24:14.323 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-3081 (02:24:14.323 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 94.61.243.71 (02:19:40.650 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 34112<-6947 (02:19:40.650 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368955180.650 1368955180.651 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 94.61.243.71 Egg Source List: 94.61.243.71 C & C List: Peer Coord. List: Resource List: Observed Start: 05/19/2013 02:24:17.634 PDT Gen. 
Time: 05/19/2013 02:24:26.940 PDT INBOUND SCAN EXPLOIT 94.61.243.71 (02:24:26.940 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-4905 (02:24:26.940 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 94.61.243.71 (02:24:17.634 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 34441<-6947 (02:24:17.634 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368955457.634 1368955457.635 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 192.77.126.50, 94.61.243.71 Egg Source List: 94.61.243.71 C & C List: Peer Coord. List: Resource List: Observed Start: 05/19/2013 02:20:28.140 PDT Gen. 
Time: 05/19/2013 02:27:32.863 PDT INBOUND SCAN EXPLOIT 192.77.126.50 (02:24:57.262 PDT) event=1:22469 {tcp} E2[rb] GPL NETBIOS SMB-DS D$ unicode share access, [] MAC_Dst: 00:21:5A:08:EC:40 445<-52069 (02:24:57.262 PDT) 94.61.243.71 (11) (02:24:26.940 PDT) event=1:22009201 (11) {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-4905 (02:24:26.940 PDT) 445<-1806 (02:24:42.450 PDT) 445<-3006 (02:24:58.872 PDT) 445<-4333 (02:25:28.076 PDT) 445<-2540 (02:25:41.174 PDT) 445<-3540 (02:25:58.207 PDT) 445<-4901 (02:26:13.027 PDT) 445<-1890 (02:26:28.442 PDT) 445<-2983 (02:26:46.340 PDT) 445<-4350 (02:27:04.564 PDT) 445<-2095 (02:27:22.491 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 94.61.243.71 (11) (02:20:28.140 PDT) event=1:2001685 (11) {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 34441<-6947 (02:24:17.634 PDT) 34166<-6947 (02:20:28.140 PDT) 57226<-6947 (02:25:03.676 PDT) 34210<-6947 (02:21:09.209 PDT) 34224<-6947 (02:21:24.200 PDT) 57309<-6947 (02:26:03.232 PDT) 34330<-6947 (02:22:21.605 PDT) 57380<-6947 (02:26:52.504 PDT) 57399<-6947 (02:27:07.708 PDT) 34340<-6947 (02:22:34.681 PDT) 34354<-6947 (02:22:49.904 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368955228.140 1368955228.141 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 94.61.243.71 Egg Source List: 94.61.243.71 C & C List: Peer Coord. List: Resource List: Observed Start: 05/19/2013 02:23:09.048 PDT Gen. 
Time: 05/19/2013 02:27:37.665 PDT INBOUND SCAN EXPLOIT 94.61.243.71 (02:27:37.665 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-2908 (02:27:37.665 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 94.61.243.71 (02:23:09.048 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 34370<-6947 (02:23:09.048 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368955389.048 1368955389.049 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 94.61.243.71 Egg Source List: 94.61.243.71 C & C List: Peer Coord. List: Resource List: Observed Start: 05/19/2013 02:23:09.048 PDT Gen. 
Time: 05/19/2013 02:28:32.171 PDT INBOUND SCAN EXPLOIT 94.61.243.71 (4) (02:27:37.665 PDT) event=1:22009201 (4) {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-2908 (02:27:37.665 PDT) 445<-3993 (02:27:50.246 PDT) 445<-1312 (02:28:06.002 PDT) 445<-2405 (02:28:19.172 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 94.61.243.71 (2) (02:23:09.048 PDT) event=1:2001685 (2) {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 34370<-6947 (02:23:09.048 PDT) 34417<-6947 (02:23:54.787 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368955389.048 1368955389.049 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 94.61.243.71 Egg Source List: 94.61.243.71 C & C List: Peer Coord. List: Resource List: Observed Start: 05/19/2013 02:28:34.133 PDT Gen. 
Time: 05/19/2013 02:28:54.416 PDT INBOUND SCAN EXPLOIT 94.61.243.71 (2) (02:28:34.133 PDT) event=1:22009201 (2) {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-3246 (02:28:34.133 PDT) 445<-4257 (02:28:47.550 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 94.61.243.71 (02:28:54.416 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 57534<-6947 (02:28:54.416 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368955714.133 1368955714.134 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 192.77.126.50, 94.61.243.71 Egg Source List: 94.61.243.71 C & C List: Peer Coord. List: Resource List: Observed Start: 05/19/2013 02:24:29.635 PDT Gen. 
Time: 05/19/2013 02:29:35.000 PDT INBOUND SCAN EXPLOIT 192.77.126.50 (02:28:59.699 PDT) event=1:22475 {tcp} E2[rb] GPL NETBIOS SMB-DS ADMIN$ unicode share access, [] MAC_Dst: 00:21:5A:08:EC:40 445<-1676 (02:28:59.699 PDT) 94.61.243.71 (3) (02:28:34.133 PDT) event=1:22009201 (3) {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-3246 (02:28:34.133 PDT) 445<-4257 (02:28:47.550 PDT) 445<-1920 (02:29:17.345 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 94.61.243.71 (4) (02:24:29.635 PDT) event=1:2001685 (4) {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 57534<-6947 (02:28:54.416 PDT) 34460<-6947 (02:24:29.635 PDT) 57581<-6947 (02:29:24.401 PDT) 57198<-6947 (02:24:46.065 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368955469.635 1368955469.636 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 94.61.243.71 Egg Source List: 94.61.243.71 C & C List: Peer Coord. List: Resource List: Observed Start: 05/19/2013 02:25:31.968 PDT Gen. 
Time: 05/19/2013 02:25:31.968 PDT INBOUND SCAN EXPLOIT 94.61.243.71 (3) (02:29:38.287 PDT) event=1:22009201 (3) {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-4044 (02:29:38.287 PDT) 445<-1398 (02:29:53.490 PDT) 445<-2656 (02:30:07.388 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 94.61.243.71 (02:25:31.968 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 57265<-6947 (02:25:31.968 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368955531.968 1368955531.969 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 94.61.243.71 Egg Source List: 94.61.243.71 C & C List: Peer Coord. List: Resource List: Observed Start: 05/19/2013 02:25:43.995 PDT Gen. 
Time: 05/19/2013 02:25:43.995 PDT INBOUND SCAN EXPLOIT 94.61.243.71 (02:30:22.953 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-3502 (02:30:22.953 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 94.61.243.71 (02:25:43.995 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 57285<-6947 (02:25:43.995 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368955543.995 1368955543.996 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 192.77.126.50, 94.61.243.71 Egg Source List: 94.61.243.71 C & C List: Peer Coord. List: Resource List: Observed Start: 05/19/2013 02:30:40.507 PDT Gen. 
Time: 05/19/2013 02:30:50.419 PDT INBOUND SCAN EXPLOIT 192.77.126.50 (02:30:40.507 PDT) event=1:22475 {tcp} E2[rb] GPL NETBIOS SMB-DS ADMIN$ unicode share access, [] MAC_Dst: 00:21:5A:08:EC:40 445<-55266 (02:30:40.507 PDT) 94.61.243.71 (02:30:43.271 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-4903 (02:30:43.271 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 94.61.243.71 (02:30:50.419 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 55491<-6947 (02:30:50.419 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368955840.507 1368955840.508 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 192.77.126.50, 94.61.243.71 Egg Source List: 94.61.243.71 C & C List: Peer Coord. List: Resource List: Observed Start: 05/19/2013 02:26:16.305 PDT Gen. 
Time: 05/19/2013 02:31:23.593 PDT INBOUND SCAN EXPLOIT 192.77.126.50 (02:30:40.507 PDT) event=1:22475 {tcp} E2[rb] GPL NETBIOS SMB-DS ADMIN$ unicode share access, [] MAC_Dst: 00:21:5A:08:EC:40 445<-55266 (02:30:40.507 PDT) 94.61.243.71 (2) (02:30:43.271 PDT) event=1:22009201 (2) {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-4903 (02:30:43.271 PDT) 445<-2564 (02:31:13.546 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 94.61.243.71 (3) (02:26:16.305 PDT) event=1:2001685 (3) {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 55491<-6947 (02:30:50.419 PDT) 57325<-6947 (02:26:16.305 PDT) 57347<-6947 (02:26:31.381 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368955576.305 1368955576.306 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 94.61.243.71 Egg Source List: 94.61.243.71 C & C List: Peer Coord. List: Resource List: Observed Start: 05/19/2013 02:27:25.236 PDT Gen. 
Time: 05/19/2013 02:27:25.236 PDT INBOUND SCAN EXPLOIT 94.61.243.71 (3) (02:31:26.854 PDT) event=1:22009201 (3) {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-4438 (02:31:26.854 PDT) 445<-1601 (02:31:42.740 PDT) 445<-2680 (02:31:57.832 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 94.61.243.71 (02:27:25.236 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 57422<-6947 (02:27:25.236 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368955645.236 1368955645.237 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 192.77.126.50, 94.61.243.71 Egg Source List: 94.61.243.71 C & C List: Peer Coord. List: Resource List: Observed Start: 05/19/2013 02:27:25.236 PDT Gen. 
Time: 05/19/2013 02:32:36.456 PDT INBOUND SCAN EXPLOIT 192.77.126.50 (02:32:18.565 PDT) event=1:22472 {tcp} E2[rb] GPL NETBIOS SMB-DS C$ unicode share access, [] MAC_Dst: 00:21:5A:08:EC:40 445<-58012 (02:32:18.565 PDT) 94.61.243.71 (5) (02:31:26.854 PDT) event=1:22009201 (5) {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-4438 (02:31:26.854 PDT) 445<-1601 (02:31:42.740 PDT) 445<-2680 (02:31:57.832 PDT) 445<-3726 (02:32:13.019 PDT) 445<-1177 (02:32:31.798 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 94.61.243.71 (4) (02:27:25.236 PDT) event=1:2001685 (4) {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 57422<-6947 (02:27:25.236 PDT) 55610<-6947 (02:32:16.682 PDT) 57440<-6947 (02:27:40.878 PDT) 57459<-6947 (02:27:53.193 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368955645.236 1368955645.237 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 94.61.243.71 Egg Source List: 94.61.243.71 C & C List: Peer Coord. List: Resource List: Observed Start: 05/19/2013 02:28:21.875 PDT Gen. 
Time: 05/19/2013 02:28:21.875 PDT INBOUND SCAN EXPLOIT 94.61.243.71 (02:32:56.456 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-2768 (02:32:56.456 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 94.61.243.71 (02:28:21.875 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 57500<-6947 (02:28:21.875 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368955701.875 1368955701.876 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 94.61.243.71 Egg Source List: 94.61.243.71 C & C List: Peer Coord. List: Resource List: Observed Start: 05/19/2013 02:28:36.948 PDT Gen. 
Time: 05/19/2013 02:28:36.948 PDT INBOUND SCAN EXPLOIT 94.61.243.71 (02:33:08.534 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-4044 (02:33:08.534 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 94.61.243.71 (02:28:36.948 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 57516<-6947 (02:28:36.948 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368955716.948 1368955716.949 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 110.164.93.72, 192.77.126.50, 222.47.66.8, 94.61.243.71 Egg Source List: 110.164.93.72, 94.61.243.71 C & C List: Peer Coord. List: Resource List: Observed Start: 05/19/2013 02:28:36.948 PDT Gen. 
Time: 05/19/2013 02:41:41.100 PDT INBOUND SCAN EXPLOIT 110.164.93.72 (02:33:39.944 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-4285 (02:33:39.944 PDT) 192.77.126.50 (3) (02:34:04.378 PDT) event=1:22469 {tcp} E2[rb] GPL NETBIOS SMB-DS D$ unicode share access, [] MAC_Dst: 00:21:5A:08:EC:40 445<-30386 (02:37:29.550 PDT) ------------------------- event=1:22472 {tcp} E2[rb] GPL NETBIOS SMB-DS C$ unicode share access, [] MAC_Dst: 00:21:5A:08:EC:40 445<-3645 (02:34:04.378 PDT) ------------------------- event=1:22475 {tcp} E2[rb] GPL NETBIOS SMB-DS ADMIN$ unicode share access, [] MAC_Dst: 00:21:5A:08:EC:40 445<-25738 (02:41:24.130 PDT) 222.47.66.8 (2) (02:36:14.323 PDT) event=1:22008705 {tcp} E2[rb] ET NETBIOS Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (15), [] MAC_Dst: 00:21:5A:08:EC:40 445<-1133 (02:36:14.323 PDT) ------------------------- event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-1133 (02:36:28.616 PDT) 94.61.243.71 (11) (02:33:08.534 PDT) event=1:22008705 {tcp} E2[rb] ET NETBIOS Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (15), [] MAC_Dst: 00:21:5A:08:EC:40 445<-1610 (02:36:12.990 PDT) ------------------------- event=1:22009201 (10) {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-4044 (02:33:08.534 PDT) 445<-1120 (02:33:32.920 PDT) 445<-3599 (02:33:55.444 PDT) 445<-1119 (02:34:26.420 PDT) 445<-1610 (02:36:27.304 PDT) 445<-1026 (02:37:08.140 PDT) 445<-3620 (02:37:36.225 PDT) 445<-1679 (02:38:01.707 PDT) 445<-3138 (02:38:13.379 PDT) 445<-4047 (02:38:36.061 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 110.164.93.72 (02:33:49.519 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 50833<-3732 (02:33:49.519 PDT) 94.61.243.71 (9) (02:28:36.948 PDT) event=1:2001685 (9) {tcp} E3[rb] ET MALWARE Possible Windows 
executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 57516<-6947 (02:28:36.948 PDT) 55843<-6947 (02:34:02.914 PDT) 55424<-6947 (02:29:40.722 PDT) 55445<-6947 (02:29:56.297 PDT) 55463<-6947 (02:30:10.115 PDT) 55932<-6947 (02:34:33.572 PDT) 43067<-6947 (02:36:34.495 PDT) 43110<-6947 (02:37:19.238 PDT) 43145<-6947 (02:37:40.768 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368955716.948 1368955716.949 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 192.77.126.50 Egg Source List: 94.61.243.71 C & C List: Peer Coord. List: Resource List: Observed Start: 05/19/2013 02:38:04.189 PDT Gen. 
Time: 05/19/2013 02:38:04.189 PDT INBOUND SCAN EXPLOIT 192.77.126.50 (02:42:32.671 PDT) event=1:22475 {tcp} E2[rb] GPL NETBIOS SMB-DS ADMIN$ unicode share access, [] MAC_Dst: 00:21:5A:08:EC:40 445<-62257 (02:42:32.671 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 94.61.243.71 (02:38:04.189 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 43173<-6947 (02:38:04.189 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368956284.189 1368956284.190 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 122.118.226.93 Egg Source List: 94.61.243.71 C & C List: Peer Coord. List: Resource List: Observed Start: 05/19/2013 02:38:16.412 PDT Gen. 
Time: 05/19/2013 02:38:16.412 PDT INBOUND SCAN EXPLOIT 122.118.226.93 (02:42:55.452 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-1850 (02:42:55.452 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 94.61.243.71 (02:38:16.412 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 43187<-6947 (02:38:16.412 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368956296.412 1368956296.413 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 192.77.126.50, 202.60.26.109 Egg Source List: 122.118.226.93 C & C List: Peer Coord. List: Resource List: Observed Start: 05/19/2013 02:42:58.943 PDT Gen. 
Time: 05/19/2013 02:42:58.943 PDT INBOUND SCAN EXPLOIT 192.77.126.50 (2) (02:44:18.454 PDT) event=1:22472 (2) {tcp} E2[rb] GPL NETBIOS SMB-DS C$ unicode share access, [] MAC_Dst: 00:21:5A:08:EC:40 445<-46737 (02:44:18.454 PDT) 445<-8468 (02:45:58.075 PDT) 202.60.26.109 (02:45:25.545 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-35293 (02:45:25.545 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 122.118.226.93 (02:42:58.943 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 43680<-1346 (02:42:58.943 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368956578.943 1368956578.944 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 201.208.16.21, 192.77.126.50, 189.79.44.112 Egg Source List: 189.79.44.112 C & C List: Peer Coord. List: Resource List: Observed Start: 05/19/2013 02:47:39.566 PDT Gen. 
Time: 05/19/2013 02:50:16.756 PDT INBOUND SCAN EXPLOIT 201.208.16.21 (02:49:08.796 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-3601 (02:49:08.796 PDT) 192.77.126.50 (2) (02:47:39.566 PDT) event=1:22469 (2) {tcp} E2[rb] GPL NETBIOS SMB-DS D$ unicode share access, [] MAC_Dst: 00:21:5A:08:EC:40 445<-41680 (02:47:39.566 PDT) 445<-1038 (02:49:21.681 PDT) 189.79.44.112 (02:50:12.481 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-1899 (02:50:12.481 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 189.79.44.112 (02:50:16.756 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 33686<-1881 (02:50:16.756 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368956859.566 1368956859.567 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 201.208.16.21, 192.77.126.50, 189.79.44.112 Egg Source List: 201.208.16.21, 189.79.44.112 C & C List: Peer Coord. List: Resource List: Observed Start: 05/19/2013 02:47:39.566 PDT Gen. 
Time: 05/19/2013 02:54:17.782 PDT INBOUND SCAN EXPLOIT 201.208.16.21 (02:49:08.796 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-3601 (02:49:08.796 PDT) 192.77.126.50 (3) (02:47:39.566 PDT) event=1:22469 (2) {tcp} E2[rb] GPL NETBIOS SMB-DS D$ unicode share access, [] MAC_Dst: 00:21:5A:08:EC:40 445<-41680 (02:47:39.566 PDT) 445<-1038 (02:49:21.681 PDT) ------------------------- event=1:22475 {tcp} E2[rb] GPL NETBIOS SMB-DS ADMIN$ unicode share access, [] MAC_Dst: 00:21:5A:08:EC:40 445<-62667 (02:52:51.099 PDT) 189.79.44.112 (02:50:12.481 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-1899 (02:50:12.481 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 201.208.16.21 (02:49:11.398 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 36634<-5528 (02:49:11.398 PDT) 189.79.44.112 (02:50:16.756 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 33686<-1881 (02:50:16.756 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368956859.566 1368956859.567 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 192.77.126.50, 212.34.242.110 Egg Source List: 212.34.242.110 C & C List: Peer Coord. List: Resource List: Observed Start: 05/19/2013 02:54:28.585 PDT Gen. 
Time: 05/19/2013 02:55:03.322 PDT INBOUND SCAN EXPLOIT 192.77.126.50 (02:54:28.585 PDT) event=1:22475 {tcp} E2[rb] GPL NETBIOS SMB-DS ADMIN$ unicode share access, [] MAC_Dst: 00:21:5A:08:EC:40 445<-39339 (02:54:28.585 PDT) 212.34.242.110 (02:54:58.255 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-2442 (02:54:58.255 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 212.34.242.110 (02:55:03.322 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 34779<-4316 (02:55:03.322 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368957268.585 1368957268.586 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 192.77.126.50, 114.44.65.130, 212.34.242.110, 197.6.66.132 Egg Source List: 114.44.65.130, 212.34.242.110 C & C List: Peer Coord. List: Resource List: Observed Start: 05/19/2013 02:54:28.585 PDT Gen. 
Time: 05/19/2013 03:02:32.661 PDT INBOUND SCAN EXPLOIT 192.77.126.50 (5) (02:54:28.585 PDT) event=1:22469 (2) {tcp} E2[rb] GPL NETBIOS SMB-DS D$ unicode share access, [] MAC_Dst: 00:21:5A:08:EC:40 445<-2437 (02:59:02.257 PDT) 445<-38527 (03:00:44.808 PDT) ------------------------- event=1:22472 (2) {tcp} E2[rb] GPL NETBIOS SMB-DS C$ unicode share access, [] MAC_Dst: 00:21:5A:08:EC:40 445<-25074 (02:55:38.485 PDT) 445<-49407 (02:57:21.094 PDT) ------------------------- event=1:22475 {tcp} E2[rb] GPL NETBIOS SMB-DS ADMIN$ unicode share access, [] MAC_Dst: 00:21:5A:08:EC:40 445<-39339 (02:54:28.585 PDT) 114.44.65.130 (02:57:52.961 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-3356 (02:57:52.961 PDT) 212.34.242.110 (02:54:58.255 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-2442 (02:54:58.255 PDT) 197.6.66.132 (03:02:31.528 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-3837 (03:02:31.528 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 114.44.65.130 (02:57:57.305 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 43377<-3030 (02:57:57.305 PDT) 212.34.242.110 (02:55:03.322 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 34779<-4316 (02:55:03.322 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368957268.585 1368957268.586 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR 
================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 192.77.126.50, 41.158.0.130 Egg Source List: 197.6.66.132 C & C List: Peer Coord. List: Resource List: Observed Start: 05/19/2013 03:02:35.827 PDT Gen. Time: 05/19/2013 03:02:35.827 PDT INBOUND SCAN EXPLOIT 192.77.126.50 (2) (03:04:43.062 PDT) event=1:22475 (2) {tcp} E2[rb] GPL NETBIOS SMB-DS ADMIN$ unicode share access, [] MAC_Dst: 00:21:5A:08:EC:40 445<-15941 (03:04:43.062 PDT) 445<-28647 (03:05:54.427 PDT) 41.158.0.130 (03:05:49.269 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-3618 (03:05:49.269 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 197.6.66.132 (03:02:35.827 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 36357<-6568 (03:02:35.827 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368957755.827 1368957755.828 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 192.77.126.50, 1.172.75.67 Egg Source List: 41.158.0.130 C & C List: Peer Coord. List: Resource List: Observed Start: 05/19/2013 03:05:54.769 PDT Gen. 
Time: 05/19/2013 03:05:54.769 PDT INBOUND SCAN EXPLOIT 192.77.126.50 (2) (03:07:34.133 PDT) event=1:22472 (2) {tcp} E2[rb] GPL NETBIOS SMB-DS C$ unicode share access, [] MAC_Dst: 00:21:5A:08:EC:40 445<-49058 (03:07:34.133 PDT) 445<-40992 (03:09:16.949 PDT) 1.172.75.67 (03:07:22.655 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-3448 (03:07:22.655 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 41.158.0.130 (03:05:54.769 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 46942<-1648 (03:05:54.769 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368957954.769 1368957954.770 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 194.32.151.124, 192.77.126.50 Egg Source List: 194.32.151.124 C & C List: Peer Coord. List: Resource List: Observed Start: 05/19/2013 03:11:05.980 PDT Gen. 
Time: 05/19/2013 03:11:12.928 PDT INBOUND SCAN EXPLOIT 194.32.151.124 (03:11:07.517 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-3548 (03:11:07.517 PDT) 192.77.126.50 (03:11:05.980 PDT) event=1:22469 {tcp} E2[rb] GPL NETBIOS SMB-DS D$ unicode share access, [] MAC_Dst: 00:21:5A:08:EC:40 445<-47648 (03:11:05.980 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 194.32.151.124 (03:11:12.928 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 43255<-8937 (03:11:12.928 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368958265.980 1368958265.981 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 194.32.151.124, 192.77.126.50 Egg Source List: 194.32.151.124, 1.172.75.67 C & C List: Peer Coord. List: Resource List: Observed Start: 05/19/2013 03:07:25.543 PDT Gen. 
Time: 05/19/2013 03:11:51.693 PDT INBOUND SCAN EXPLOIT 194.32.151.124 (03:11:07.517 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-3548 (03:11:07.517 PDT) 192.77.126.50 (03:11:05.980 PDT) event=1:22469 {tcp} E2[rb] GPL NETBIOS SMB-DS D$ unicode share access, [] MAC_Dst: 00:21:5A:08:EC:40 445<-47648 (03:11:05.980 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 194.32.151.124 (03:11:12.928 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 43255<-8937 (03:11:12.928 PDT) 1.172.75.67 (03:07:25.543 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 49481<-8497 (03:07:25.543 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368958045.543 1368958045.544 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 95.104.16.162, 79.140.98.213, 192.77.126.50 Egg Source List: 95.104.16.162 C & C List: Peer Coord. List: Resource List: Observed Start: 05/19/2013 03:12:40.596 PDT Gen. 
Time: 05/19/2013 03:25:31.981 PDT INBOUND SCAN EXPLOIT 95.104.16.162 (03:25:17.953 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-4116 (03:25:17.953 PDT) 79.140.98.213 (03:22:34.556 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-3548 (03:22:34.556 PDT) 192.77.126.50 (7) (03:12:40.596 PDT) event=1:22469 (3) {tcp} E2[rb] GPL NETBIOS SMB-DS D$ unicode share access, [] MAC_Dst: 00:21:5A:08:EC:40 445<-46770 (03:12:40.596 PDT) 445<-12110 (03:22:24.512 PDT) 445<-9871 (03:24:02.996 PDT) ------------------------- event=1:22472 (2) {tcp} E2[rb] GPL NETBIOS SMB-DS C$ unicode share access, [] MAC_Dst: 00:21:5A:08:EC:40 445<-54435 (03:19:00.074 PDT) 445<-4424 (03:20:40.914 PDT) ------------------------- event=1:22475 (2) {tcp} E2[rb] GPL NETBIOS SMB-DS ADMIN$ unicode share access, [] MAC_Dst: 00:21:5A:08:EC:40 445<-64758 (03:16:05.863 PDT) 445<-23406 (03:17:20.075 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 95.104.16.162 (03:25:31.981 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 52700<-4466 (03:25:31.981 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368958360.596 1368958360.597 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 95.104.16.162, 79.140.98.213, 192.77.126.50, 213.57.244.83 Egg Source List: 95.104.16.162, 213.57.244.83 C & C List: Peer Coord. List: Resource List: Observed Start: 05/19/2013 03:12:40.596 PDT Gen. 
Time: 05/19/2013 03:31:31.695 PDT INBOUND SCAN EXPLOIT 95.104.16.162 (03:25:17.953 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-4116 (03:25:17.953 PDT) 79.140.98.213 (03:22:34.556 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-3548 (03:22:34.556 PDT) 192.77.126.50 (10) (03:12:40.596 PDT) event=1:22469 (3) {tcp} E2[rb] GPL NETBIOS SMB-DS D$ unicode share access, [] MAC_Dst: 00:21:5A:08:EC:40 445<-46770 (03:12:40.596 PDT) 445<-12110 (03:22:24.512 PDT) 445<-9871 (03:24:02.996 PDT) ------------------------- event=1:22472 (3) {tcp} E2[rb] GPL NETBIOS SMB-DS C$ unicode share access, [] MAC_Dst: 00:21:5A:08:EC:40 445<-54435 (03:19:00.074 PDT) 445<-4424 (03:20:40.914 PDT) 445<-16696 (03:30:19.889 PDT) ------------------------- event=1:22475 (4) {tcp} E2[rb] GPL NETBIOS SMB-DS ADMIN$ unicode share access, [] MAC_Dst: 00:21:5A:08:EC:40 445<-64758 (03:16:05.863 PDT) 445<-23406 (03:17:20.075 PDT) 445<-32951 (03:28:02.387 PDT) 445<-43879 (03:29:10.057 PDT) 213.57.244.83 (03:26:52.758 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-1637 (03:26:52.758 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 95.104.16.162 (03:25:31.981 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 52700<-4466 (03:25:31.981 PDT) 213.57.244.83 (03:26:56.441 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 41450<-9653 (03:26:56.441 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 
1368958360.596 1368958360.597 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 176.14.157.218, 192.77.126.50, 89.40.37.180 Egg Source List: 89.40.37.180 C & C List: Peer Coord. List: Resource List: Observed Start: 05/19/2013 03:32:01.919 PDT Gen. Time: 05/19/2013 03:35:38.180 PDT INBOUND SCAN EXPLOIT 176.14.157.218 (03:39:48.267 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-3345 (03:39:48.267 PDT) 192.77.126.50 (5) (03:32:01.919 PDT) event=1:22469 (2) {tcp} E2[rb] GPL NETBIOS SMB-DS D$ unicode share access, [] MAC_Dst: 00:21:5A:08:EC:40 445<-57711 (03:33:10.959 PDT) 445<-43753 (03:34:51.541 PDT) ------------------------- event=1:22472 {tcp} E2[rb] GPL NETBIOS SMB-DS C$ unicode share access, [] MAC_Dst: 00:21:5A:08:EC:40 445<-55444 (03:32:01.919 PDT) ------------------------- event=1:22475 (2) {tcp} E2[rb] GPL NETBIOS SMB-DS ADMIN$ unicode share access, [] MAC_Dst: 00:21:5A:08:EC:40 445<-16102 (03:38:17.680 PDT) 445<-57259 (03:39:58.540 PDT) 89.40.37.180 (03:35:35.499 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-4748 (03:35:35.499 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 89.40.37.180 (03:35:38.180 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 50950<-9135 (03:35:38.180 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368959521.919 1368959521.920 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' 
============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 192.77.126.50 Egg Source List: 176.14.157.218 C & C List: Peer Coord. List: Resource List: Observed Start: 05/19/2013 03:39:50.797 PDT Gen. Time: 05/19/2013 03:39:50.797 PDT INBOUND SCAN EXPLOIT 192.77.126.50 (3) (03:41:41.900 PDT) event=1:22469 {tcp} E2[rb] GPL NETBIOS SMB-DS D$ unicode share access, [] MAC_Dst: 00:21:5A:08:EC:40 445<-24173 (03:44:32.714 PDT) ------------------------- event=1:22472 (2) {tcp} E2[rb] GPL NETBIOS SMB-DS C$ unicode share access, [] MAC_Dst: 00:21:5A:08:EC:40 445<-58909 (03:41:41.900 PDT) 445<-53691 (03:43:23.153 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 176.14.157.218 (03:39:50.797 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 51989<-2843 (03:39:50.797 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368959990.797 1368959990.798 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 78.163.164.223, 192.77.126.50, 1.172.144.205 Egg Source List: 78.163.164.223 C & C List: Peer Coord. List: Resource List: Observed Start: 05/19/2013 03:46:15.130 PDT Gen. 
Time: 05/19/2013 03:46:58.847 PDT INBOUND SCAN EXPLOIT 78.163.164.223 (03:46:55.955 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-2873 (03:46:55.955 PDT) 192.77.126.50 (2) (03:46:15.130 PDT) event=1:22469 {tcp} E2[rb] GPL NETBIOS SMB-DS D$ unicode share access, [] MAC_Dst: 00:21:5A:08:EC:40 445<-38851 (03:46:15.130 PDT) ------------------------- event=1:22475 {tcp} E2[rb] GPL NETBIOS SMB-DS ADMIN$ unicode share access, [] MAC_Dst: 00:21:5A:08:EC:40 445<-55916 (03:50:13.996 PDT) 1.172.144.205 (03:48:25.434 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-1995 (03:48:25.434 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 78.163.164.223 (03:46:58.847 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 44231<-7826 (03:46:58.847 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368960375.130 1368960375.131 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 192.77.126.50 Egg Source List: 1.172.144.205 C & C List: Peer Coord. List: Resource List: Observed Start: 05/19/2013 03:48:28.198 PDT Gen. 
Time: 05/19/2013 03:48:28.198 PDT INBOUND SCAN EXPLOIT 192.77.126.50 (03:51:22.716 PDT) event=1:22475 {tcp} E2[rb] GPL NETBIOS SMB-DS ADMIN$ unicode share access, [] MAC_Dst: 00:21:5A:08:EC:40 445<-60918 (03:51:22.716 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 1.172.144.205 (03:48:28.198 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 50167<-4755 (03:48:28.198 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368960508.198 1368960508.199 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 46.149.177.5, 109.134.86.183, 192.77.126.50 Egg Source List: 109.134.86.183 C & C List: Peer Coord. List: Resource List: Observed Start: 05/19/2013 03:53:03.152 PDT Gen. 
Time: 05/19/2013 03:54:56.036 PDT INBOUND SCAN EXPLOIT 46.149.177.5 (03:56:26.133 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-2297 (03:56:26.133 PDT) 109.134.86.183 (03:54:52.735 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-61097 (03:54:52.735 PDT) 192.77.126.50 (4) (03:53:03.152 PDT) event=1:22469 (2) {tcp} E2[rb] GPL NETBIOS SMB-DS D$ unicode share access, [] MAC_Dst: 00:21:5A:08:EC:40 445<-56504 (03:55:19.769 PDT) 445<-31394 (03:57:03.594 PDT) ------------------------- event=1:22472 (2) {tcp} E2[rb] GPL NETBIOS SMB-DS C$ unicode share access, [] MAC_Dst: 00:21:5A:08:EC:40 445<-60301 (03:53:03.152 PDT) 445<-56012 (03:54:11.512 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 109.134.86.183 (03:54:56.036 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 52705<-1369 (03:54:56.036 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368960783.152 1368960783.153 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 192.77.126.50 Egg Source List: 46.149.177.5 C & C List: Peer Coord. List: Resource List: Observed Start: 05/19/2013 03:56:28.984 PDT Gen. 
Time: 05/19/2013 04:01:03.469 PDT INBOUND SCAN EXPLOIT 192.77.126.50 (04:01:03.469 PDT) event=1:22475 {tcp} E2[rb] GPL NETBIOS SMB-DS ADMIN$ unicode share access, [] MAC_Dst: 00:21:5A:08:EC:40 445<-8432 (04:01:03.469 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 46.149.177.5 (03:56:28.984 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 37833<-1868 (03:56:28.984 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368960988.984 1368960988.985 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 192.77.126.50 Egg Source List: 46.149.177.5 C & C List: Peer Coord. List: Resource List: Observed Start: 05/19/2013 03:56:28.984 PDT Gen. 
Time: 05/19/2013 04:07:13.718 PDT INBOUND SCAN EXPLOIT 192.77.126.50 (4) (04:01:03.469 PDT) event=1:22472 (2) {tcp} E2[rb] GPL NETBIOS SMB-DS C$ unicode share access, [] MAC_Dst: 00:21:5A:08:EC:40 445<-47630 (04:03:53.918 PDT) 445<-54596 (04:05:35.628 PDT) ------------------------- event=1:22475 (2) {tcp} E2[rb] GPL NETBIOS SMB-DS ADMIN$ unicode share access, [] MAC_Dst: 00:21:5A:08:EC:40 445<-8432 (04:01:03.469 PDT) 445<-60329 (04:02:43.557 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 46.149.177.5 (03:56:28.984 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 37833<-1868 (03:56:28.984 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368960988.984 1368960988.985 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 192.77.126.50, 90.150.110.179 Egg Source List: 90.150.110.179 C & C List: Peer Coord. List: Resource List: Observed Start: 05/19/2013 04:07:20.071 PDT Gen. 
Time: 05/19/2013 04:07:50.739 PDT INBOUND SCAN EXPLOIT 192.77.126.50 (2) (04:07:20.071 PDT) event=1:22469 (2) {tcp} E2[rb] GPL NETBIOS SMB-DS D$ unicode share access, [] MAC_Dst: 00:21:5A:08:EC:40 445<-31812 (04:07:20.071 PDT) 445<-45888 (04:09:02.351 PDT) 90.150.110.179 (04:07:48.074 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-3886 (04:07:48.074 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 90.150.110.179 (04:07:50.739 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 53477<-6037 (04:07:50.739 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368961640.071 1368961640.072 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 188.6.227.134, 192.77.126.50, 124.47.106.152 Egg Source List: 124.47.106.152 C & C List: Peer Coord. List: Resource List: Observed Start: 05/19/2013 04:44:50.975 PDT Gen. 
Time: 05/19/2013 05:07:53.873 PDT INBOUND SCAN EXPLOIT 188.6.227.134 (3) (04:54:54.228 PDT) event=1:22000032 {tcp} E2[rb] ET EXPLOIT LSA exploit, [] MAC_Dst: 00:21:5A:08:EC:40 445<-1339 (04:54:54.259 PDT) ------------------------- event=1:22000033 {tcp} E2[rb] ET NETBIOS MS04011 Lsasrv.dll RPC exploit (WinXP), [] MAC_Dst: 00:21:5A:08:EC:40 445<-1339 (04:54:54.251 PDT) ------------------------- event=1:22514 {tcp} E2[rb] GPL NETBIOS SMB-DS DCERPC LSASS DsRolerUpgradeDownlevelServer exploit attempt, [] MAC_Dst: 00:21:5A:08:EC:40 445<-1339 (04:54:54.228 PDT) 192.77.126.50 (13) (04:44:50.975 PDT) event=1:22469 (4) {tcp} E2[rb] GPL NETBIOS SMB-DS D$ unicode share access, [] MAC_Dst: 00:21:5A:08:EC:40 445<-24885 (04:51:05.475 PDT) 445<-12807 (04:52:13.489 PDT) 445<-22805 (05:01:52.376 PDT) 445<-45513 (05:03:00.787 PDT) ------------------------- event=1:22472 (4) {tcp} E2[rb] GPL NETBIOS SMB-DS C$ unicode share access, [] MAC_Dst: 00:21:5A:08:EC:40 445<-3988 (04:48:13.718 PDT) 445<-20947 (04:49:22.227 PDT) 445<-14710 (04:59:03.317 PDT) 445<-51499 (05:00:44.621 PDT) ------------------------- event=1:22475 (5) {tcp} E2[rb] GPL NETBIOS SMB-DS ADMIN$ unicode share access, [] MAC_Dst: 00:21:5A:08:EC:40 445<-1096 (04:44:50.975 PDT) 445<-16549 (04:46:33.488 PDT) 445<-61094 (04:56:12.252 PDT) 445<-20793 (04:57:24.089 PDT) 445<-40032 (05:06:27.988 PDT) 124.47.106.152 (05:07:51.203 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-2498 (05:07:51.203 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 124.47.106.152 (05:07:53.873 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 47234<-5297 (05:07:53.873 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT 
Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368963890.975 1368963890.976 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 70.25.237.50 Egg Source List: 201.208.16.21 C & C List: Peer Coord. List: Resource List: Observed Start: 05/19/2013 05:08:45.410 PDT Gen. Time: 05/19/2013 05:08:45.410 PDT INBOUND SCAN EXPLOIT 70.25.237.50 (05:12:31.907 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-1609 (05:12:31.907 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 201.208.16.21 (05:08:45.410 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 40897<-5528 (05:08:45.410 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368965325.410 1368965325.411 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 192.77.126.50 Egg Source List: 70.25.237.50 C & C List: Peer Coord. List: Resource List: Observed Start: 05/19/2013 05:12:34.462 PDT Gen. 
Time: 05/19/2013 05:12:34.462 PDT INBOUND SCAN EXPLOIT 192.77.126.50 (2) (05:13:15.142 PDT) event=1:22469 (2) {tcp} E2[rb] GPL NETBIOS SMB-DS D$ unicode share access, [] MAC_Dst: 00:21:5A:08:EC:40 445<-62848 (05:13:15.142 PDT) 445<-29512 (05:14:23.257 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 70.25.237.50 (05:12:34.462 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 36073<-4977 (05:12:34.462 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368965554.462 1368965554.463 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 192.77.126.50, 128.72.17.86 Egg Source List: 70.25.237.50 C & C List: Peer Coord. List: Resource List: Observed Start: 05/19/2013 05:12:34.462 PDT Gen. 
Time: 05/19/2013 05:19:19.594 PDT INBOUND SCAN EXPLOIT 192.77.126.50 (3) (05:13:15.142 PDT) event=1:22469 (2) {tcp} E2[rb] GPL NETBIOS SMB-DS D$ unicode share access, [] MAC_Dst: 00:21:5A:08:EC:40 445<-62848 (05:13:15.142 PDT) 445<-29512 (05:14:23.257 PDT) ------------------------- event=1:22475 {tcp} E2[rb] GPL NETBIOS SMB-DS ADMIN$ unicode share access, [] MAC_Dst: 00:21:5A:08:EC:40 445<-52851 (05:17:49.498 PDT) 128.72.17.86 (05:16:42.832 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-2136 (05:16:42.832 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 70.25.237.50 (05:12:34.462 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 36073<-4977 (05:12:34.462 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368965554.462 1368965554.463 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 192.77.126.50 Egg Source List: 178.37.35.206 C & C List: Peer Coord. List: Resource List: Observed Start: 05/19/2013 05:24:49.902 PDT Gen. 
Time: 05/19/2013 05:24:49.902 PDT INBOUND SCAN EXPLOIT 192.77.126.50 (05:28:03.207 PDT) event=1:22475 {tcp} E2[rb] GPL NETBIOS SMB-DS ADMIN$ unicode share access, [] MAC_Dst: 00:21:5A:08:EC:40 445<-17557 (05:28:03.207 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 178.37.35.206 (05:24:49.902 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 60847<-8620 (05:24:49.902 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368966289.902 1368966289.903 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 89.122.234.167, 124.123.145.5, 192.77.126.50, 89.47.240.212 Egg Source List: 124.123.145.5 C & C List: Peer Coord. List: Resource List: Observed Start: 05/19/2013 05:29:10.611 PDT Gen. 
Time: 05/19/2013 05:37:03.260 PDT INBOUND SCAN EXPLOIT 89.122.234.167 (05:33:12.251 PDT) event=1:22465 {tcp} E2[rb] GPL NETBIOS SMB-DS IPC$ share access, [] MAC_Dst: 00:21:5A:08:EC:40 445<-24753 (05:33:12.251 PDT) 124.123.145.5 (05:36:58.431 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-43483 (05:36:58.431 PDT) 192.77.126.50 (8) (05:29:10.611 PDT) event=1:22469 (2) {tcp} E2[rb] GPL NETBIOS SMB-DS D$ unicode share access, [] MAC_Dst: 00:21:5A:08:EC:40 445<-64964 (05:33:12.654 PDT) 445<-35641 (05:34:53.152 PDT) ------------------------- event=1:22472 (3) {tcp} E2[rb] GPL NETBIOS SMB-DS C$ unicode share access, [] MAC_Dst: 00:21:5A:08:EC:40 445<-22262 (05:30:19.411 PDT) 445<-5702 (05:32:00.923 PDT) 445<-16735 (05:41:07.980 PDT) ------------------------- event=1:22475 (3) {tcp} E2[rb] GPL NETBIOS SMB-DS ADMIN$ unicode share access, [] MAC_Dst: 00:21:5A:08:EC:40 445<-45837 (05:29:10.611 PDT) 445<-20111 (05:38:52.989 PDT) 445<-5330 (05:39:59.783 PDT) 89.47.240.212 (05:32:33.797 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-3191 (05:32:33.797 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 124.123.145.5 (05:37:03.260 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 56220<-4939 (05:37:03.260 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368966550.611 1368966550.612 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 192.77.126.50, 
46.241.181.109 Egg Source List: 46.241.181.109 C & C List: Peer Coord. List: Resource List: Observed Start: 05/19/2013 05:42:22.362 PDT Gen. Time: 05/19/2013 05:43:47.524 PDT INBOUND SCAN EXPLOIT 192.77.126.50 (3) (05:42:22.362 PDT) event=1:22469 (2) {tcp} E2[rb] GPL NETBIOS SMB-DS D$ unicode share access, [] MAC_Dst: 00:21:5A:08:EC:40 445<-38363 (05:44:31.986 PDT) 445<-52525 (05:45:43.891 PDT) ------------------------- event=1:22472 {tcp} E2[rb] GPL NETBIOS SMB-DS C$ unicode share access, [] MAC_Dst: 00:21:5A:08:EC:40 445<-21482 (05:42:22.362 PDT) 46.241.181.109 (05:43:43.155 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-1973 (05:43:43.155 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 46.241.181.109 (05:43:47.524 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 59523<-3121 (05:43:47.524 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368967342.362 1368967342.363 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 192.77.126.50, 123.90.158.145, 178.37.35.206 Egg Source List: 123.90.158.145 C & C List: Peer Coord. List: Resource List: Observed Start: 05/19/2013 05:47:58.527 PDT Gen. 
Time: 05/19/2013 05:50:07.195 PDT INBOUND SCAN EXPLOIT 192.77.126.50 (5) (05:47:58.527 PDT) event=1:22469 {tcp} E2[rb] GPL NETBIOS SMB-DS D$ unicode share access, [] MAC_Dst: 00:21:5A:08:EC:40 445<-6254 (05:53:37.903 PDT) ------------------------- event=1:22472 (2) {tcp} E2[rb] GPL NETBIOS SMB-DS C$ unicode share access, [] MAC_Dst: 00:21:5A:08:EC:40 445<-37778 (05:50:47.528 PDT) 445<-11296 (05:52:29.590 PDT) ------------------------- event=1:22475 (2) {tcp} E2[rb] GPL NETBIOS SMB-DS ADMIN$ unicode share access, [] MAC_Dst: 00:21:5A:08:EC:40 445<-6830 (05:47:58.527 PDT) 445<-1031 (05:49:08.053 PDT) 123.90.158.145 (05:50:03.413 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-2400 (05:50:03.413 PDT) 178.37.35.206 (05:51:29.544 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-4325 (05:51:29.544 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 123.90.158.145 (05:50:07.195 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 52429<-1975 (05:50:07.195 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368967678.527 1368967678.528 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 192.77.126.50 Egg Source List: 178.37.35.206 C & C List: Peer Coord. List: Resource List: Observed Start: 05/19/2013 05:51:32.969 PDT Gen. 
Time: 05/19/2013 05:51:32.969 PDT INBOUND SCAN EXPLOIT 192.77.126.50 (05:55:20.229 PDT) event=1:22469 {tcp} E2[rb] GPL NETBIOS SMB-DS D$ unicode share access, [] MAC_Dst: 00:21:5A:08:EC:40 445<-32441 (05:55:20.229 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 178.37.35.206 (05:51:32.969 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 39616<-8620 (05:51:32.969 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368967892.969 1368967892.970 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 192.77.126.50, 178.37.35.206 Egg Source List: 178.37.35.206 C & C List: Peer Coord. List: Resource List: Observed Start: 05/19/2013 05:56:14.629 PDT Gen. 
Time: 05/19/2013 05:56:17.267 PDT INBOUND SCAN EXPLOIT 192.77.126.50 (3) (05:57:37.201 PDT) event=1:22472 {tcp} E2[rb] GPL NETBIOS SMB-DS C$ unicode share access, [] MAC_Dst: 00:21:5A:08:EC:40 445<-21275 (05:59:53.268 PDT) ------------------------- event=1:22475 (2) {tcp} E2[rb] GPL NETBIOS SMB-DS ADMIN$ unicode share access, [] MAC_Dst: 00:21:5A:08:EC:40 445<-39142 (05:57:37.201 PDT) 445<-14439 (05:58:45.159 PDT) 178.37.35.206 (05:56:14.629 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-2535 (05:56:14.629 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 178.37.35.206 (05:56:17.267 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 48502<-8620 (05:56:17.267 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368968174.629 1368968174.630 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 192.77.126.50, 94.102.3.174, 178.37.35.206 Egg Source List: 178.37.35.206 C & C List: Peer Coord. List: Resource List: Observed Start: 05/19/2013 06:01:06.376 PDT Gen. 
Time: 05/19/2013 06:01:09.120 PDT INBOUND SCAN EXPLOIT 192.77.126.50 (2) (06:01:38.739 PDT) event=1:22469 {tcp} E2[rb] GPL NETBIOS SMB-DS D$ unicode share access, [] MAC_Dst: 00:21:5A:08:EC:40 445<-59370 (06:03:18.840 PDT) ------------------------- event=1:22472 {tcp} E2[rb] GPL NETBIOS SMB-DS C$ unicode share access, [] MAC_Dst: 00:21:5A:08:EC:40 445<-60707 (06:01:38.739 PDT) 94.102.3.174 (06:02:17.732 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-1794 (06:02:17.732 PDT) 178.37.35.206 (06:01:06.376 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-4363 (06:01:06.376 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 178.37.35.206 (06:01:09.120 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 59954<-8620 (06:01:09.120 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368968466.376 1368968466.377 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 192.77.126.50, 94.102.3.174, 178.37.35.206 Egg Source List: 94.102.3.174, 178.37.35.206 C & C List: Peer Coord. List: Resource List: Observed Start: 05/19/2013 06:01:06.376 PDT Gen. 
Time: 05/19/2013 06:05:44.202 PDT INBOUND SCAN EXPLOIT 192.77.126.50 (3) (06:01:38.739 PDT) event=1:22469 (2) {tcp} E2[rb] GPL NETBIOS SMB-DS D$ unicode share access, [] MAC_Dst: 00:21:5A:08:EC:40 445<-59370 (06:03:18.840 PDT) 445<-2806 (06:05:00.545 PDT) ------------------------- event=1:22472 {tcp} E2[rb] GPL NETBIOS SMB-DS C$ unicode share access, [] MAC_Dst: 00:21:5A:08:EC:40 445<-60707 (06:01:38.739 PDT) 94.102.3.174 (06:02:17.732 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-1794 (06:02:17.732 PDT) 178.37.35.206 (06:01:06.376 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-4363 (06:01:06.376 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 94.102.3.174 (06:02:20.145 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 37884<-8878 (06:02:20.145 PDT) 178.37.35.206 (06:01:09.120 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 59954<-8620 (06:01:09.120 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368968466.376 1368968466.377 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 95.235.19.115 Egg Source List: 95.235.19.115 C & C List: Peer Coord. List: Resource List: Observed Start: 05/19/2013 06:06:32.774 PDT Gen. 
Time: 05/19/2013 06:06:37.164 PDT INBOUND SCAN EXPLOIT 95.235.19.115 (06:06:32.774 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-37294 (06:06:32.774 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 95.235.19.115 (06:06:37.164 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 39786<-8808 (06:06:37.164 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368968792.774 1368968792.775 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 95.235.19.115, 31.211.142.137, 110.164.93.72, 192.77.126.50, 152.101.170.177, 188.120.63.133, 77.236.72.75, 93.120.89.57 Egg Source List: 95.235.19.115, 152.101.170.177, 77.236.72.75 C & C List: Peer Coord. List: Resource List: Observed Start: 05/19/2013 06:06:32.774 PDT Gen. 
Time: 05/19/2013 06:18:28.434 PDT INBOUND SCAN EXPLOIT 95.235.19.115 (06:06:32.774 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-37294 (06:06:32.774 PDT) 31.211.142.137 (06:16:33.698 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-3720 (06:16:33.698 PDT) 110.164.93.72 (06:14:57.605 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-3293 (06:14:57.605 PDT) 192.77.126.50 (6) (06:08:25.831 PDT) event=1:22469 (2) {tcp} E2[rb] GPL NETBIOS SMB-DS D$ unicode share access, [] MAC_Dst: 00:21:5A:08:EC:40 445<-62658 (06:13:33.890 PDT) 445<-46564 (06:15:15.235 PDT) ------------------------- event=1:22472 (2) {tcp} E2[rb] GPL NETBIOS SMB-DS C$ unicode share access, [] MAC_Dst: 00:21:5A:08:EC:40 445<-61281 (06:11:16.713 PDT) 445<-62783 (06:12:24.086 PDT) ------------------------- event=1:22475 (2) {tcp} E2[rb] GPL NETBIOS SMB-DS ADMIN$ unicode share access, [] MAC_Dst: 00:21:5A:08:EC:40 445<-53821 (06:08:25.831 PDT) 445<-44382 (06:09:34.518 PDT) 152.101.170.177 (06:10:26.035 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-52105 (06:10:26.035 PDT) 188.120.63.133 (06:18:16.881 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-4632 (06:18:16.881 PDT) 77.236.72.75 (06:13:46.030 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-4589 (06:13:46.030 PDT) 93.120.89.57 (06:18:08.540 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-4315 (06:18:08.540 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 95.235.19.115 (06:06:37.164 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 39786<-8808 (06:06:37.164 PDT) 152.101.170.177 
(06:10:30.304 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 51739<-5225 (06:10:30.304 PDT) 77.236.72.75 (06:13:56.777 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 49646<-7115 (06:13:56.777 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368968792.774 1368968792.775 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 192.77.126.50 Egg Source List: 110.164.93.72 C & C List: Peer Coord. List: Resource List: Observed Start: 05/19/2013 06:15:00.403 PDT Gen. 
Time: 05/19/2013 06:15:00.403 PDT INBOUND SCAN EXPLOIT 192.77.126.50 (06:19:15.442 PDT) event=1:22475 {tcp} E2[rb] GPL NETBIOS SMB-DS ADMIN$ unicode share access, [] MAC_Dst: 00:21:5A:08:EC:40 445<-33010 (06:19:15.442 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 110.164.93.72 (06:15:00.403 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 36019<-3732 (06:15:00.403 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368969300.403 1368969300.404 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 192.77.126.50 Egg Source List: 31.211.142.137 C & C List: Peer Coord. List: Resource List: Observed Start: 05/19/2013 06:16:36.060 PDT Gen. 
Time: 05/19/2013 06:20:57.666 PDT INBOUND SCAN EXPLOIT 192.77.126.50 (06:20:57.666 PDT) event=1:22475 {tcp} E2[rb] GPL NETBIOS SMB-DS ADMIN$ unicode share access, [] MAC_Dst: 00:21:5A:08:EC:40 445<-21626 (06:20:57.666 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 31.211.142.137 (06:16:36.060 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 53649<-6266 (06:16:36.060 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368969396.060 1368969396.061 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 46.185.177.162, 192.77.126.50, 95.104.50.22 Egg Source List: 31.211.142.137, 95.104.50.22, 188.120.63.133 C & C List: Peer Coord. List: Resource List: Observed Start: 05/19/2013 06:16:36.060 PDT Gen. 
Time: 05/19/2013 06:31:28.664 PDT INBOUND SCAN EXPLOIT 46.185.177.162 (06:26:26.137 PDT) event=1:22465 {tcp} E2[rb] GPL NETBIOS SMB-DS IPC$ share access, [] MAC_Dst: 00:21:5A:08:EC:40 445<-64613 (06:26:26.137 PDT) 192.77.126.50 (6) (06:20:57.666 PDT) event=1:22469 (2) {tcp} E2[rb] GPL NETBIOS SMB-DS D$ unicode share access, [] MAC_Dst: 00:21:5A:08:EC:40 445<-38523 (06:24:20.643 PDT) 445<-21784 (06:25:35.864 PDT) ------------------------- event=1:22472 (2) {tcp} E2[rb] GPL NETBIOS SMB-DS C$ unicode share access, [] MAC_Dst: 00:21:5A:08:EC:40 445<-11142 (06:22:04.368 PDT) 445<-54728 (06:23:12.582 PDT) ------------------------- event=1:22475 (2) {tcp} E2[rb] GPL NETBIOS SMB-DS ADMIN$ unicode share access, [] MAC_Dst: 00:21:5A:08:EC:40 445<-21626 (06:20:57.666 PDT) 445<-22876 (06:29:32.243 PDT) 95.104.50.22 (06:25:48.549 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-2156 (06:25:48.549 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 31.211.142.137 (06:16:36.060 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 53649<-6266 (06:16:36.060 PDT) 95.104.50.22 (06:26:01.026 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 43581<-7685 (06:26:01.026 PDT) 188.120.63.133 (06:18:19.907 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 41242<-5938 (06:18:19.907 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368969396.060 1368969396.061 inputFile.tcpd | tcpdump -r - -w 
outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 88.119.198.111, 192.77.126.50, 189.79.44.112 Egg Source List: 88.119.198.111 C & C List: Peer Coord. List: Resource List: Observed Start: 05/19/2013 06:37:30.147 PDT Gen. Time: 05/19/2013 06:39:01.890 PDT INBOUND SCAN EXPLOIT 88.119.198.111 (06:38:56.228 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-2178 (06:38:56.228 PDT) 192.77.126.50 (06:37:30.147 PDT) event=1:22469 {tcp} E2[rb] GPL NETBIOS SMB-DS D$ unicode share access, [] MAC_Dst: 00:21:5A:08:EC:40 445<-51404 (06:37:30.147 PDT) 189.79.44.112 (06:38:12.926 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-1663 (06:38:12.926 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 88.119.198.111 (06:39:01.890 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 57424<-9580 (06:39:01.890 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368970650.147 1368970650.148 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 88.119.198.111, 192.77.126.50, 122.118.226.93, 114.44.65.130, 189.79.44.112 Egg Source List: 88.119.198.111, 189.79.44.112 C & C List: Peer Coord. List: Resource List: Observed Start: 05/19/2013 06:37:30.147 PDT Gen. 
Time: 05/19/2013 06:42:26.284 PDT INBOUND SCAN EXPLOIT 88.119.198.111 (06:38:56.228 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-2178 (06:38:56.228 PDT) 192.77.126.50 (06:37:30.147 PDT) event=1:22469 {tcp} E2[rb] GPL NETBIOS SMB-DS D$ unicode share access, [] MAC_Dst: 00:21:5A:08:EC:40 445<-51404 (06:37:30.147 PDT) 122.118.226.93 (06:40:43.320 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-1365 (06:40:43.320 PDT) 114.44.65.130 (06:40:00.001 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-1728 (06:40:00.001 PDT) 189.79.44.112 (06:38:12.926 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-1663 (06:38:12.926 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 88.119.198.111 (06:39:01.890 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 57424<-9580 (06:39:01.890 PDT) 189.79.44.112 (06:38:18.949 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 60786<-1881 (06:38:18.949 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368970650.147 1368970650.148 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 192.77.126.50, 41.158.0.130 Egg Source List: 41.158.0.130 C & C List: Peer Coord. 
List: Resource List: Observed Start: 05/19/2013 06:45:59.066 PDT Gen. Time: 05/19/2013 06:47:37.984 PDT INBOUND SCAN EXPLOIT 192.77.126.50 (2) (06:45:59.066 PDT) event=1:22475 (2) {tcp} E2[rb] GPL NETBIOS SMB-DS ADMIN$ unicode share access, [] MAC_Dst: 00:21:5A:08:EC:40 445<-2806 (06:45:59.066 PDT) 445<-41315 (06:47:09.286 PDT) 41.158.0.130 (06:47:30.144 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-4477 (06:47:30.144 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 41.158.0.130 (06:47:37.984 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 58114<-1648 (06:47:37.984 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368971159.066 1368971159.067 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 194.32.151.124, 192.77.126.50, 41.158.0.130, 126.8.247.228 Egg Source List: 41.158.0.130, 126.8.247.228 C & C List: Peer Coord. List: Resource List: Observed Start: 05/19/2013 06:45:59.066 PDT Gen. 
Time: 05/19/2013 06:53:28.127 PDT INBOUND SCAN EXPLOIT 194.32.151.124 (06:52:46.626 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-3748 (06:52:46.626 PDT) 192.77.126.50 (6) (06:45:59.066 PDT) event=1:22469 (2) {tcp} E2[rb] GPL NETBIOS SMB-DS D$ unicode share access, [] MAC_Dst: 00:21:5A:08:EC:40 445<-55438 (06:51:04.759 PDT) 445<-51487 (06:52:13.872 PDT) ------------------------- event=1:22472 (2) {tcp} E2[rb] GPL NETBIOS SMB-DS C$ unicode share access, [] MAC_Dst: 00:21:5A:08:EC:40 445<-30319 (06:48:49.675 PDT) 445<-22772 (06:49:56.421 PDT) ------------------------- event=1:22475 (2) {tcp} E2[rb] GPL NETBIOS SMB-DS ADMIN$ unicode share access, [] MAC_Dst: 00:21:5A:08:EC:40 445<-2806 (06:45:59.066 PDT) 445<-41315 (06:47:09.286 PDT) 41.158.0.130 (06:47:30.144 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-4477 (06:47:30.144 PDT) 126.8.247.228 (06:49:12.497 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-17039 (06:49:12.497 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 41.158.0.130 (06:47:37.984 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 58114<-1648 (06:47:37.984 PDT) 126.8.247.228 (06:49:15.435 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 42048<-1491 (06:49:15.435 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368971159.066 1368971159.067 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' 
============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 192.77.126.50 Egg Source List: 194.32.151.124 C & C List: Peer Coord. List: Resource List: Observed Start: 05/19/2013 06:52:50.776 PDT Gen. Time: 05/19/2013 06:52:50.776 PDT INBOUND SCAN EXPLOIT 192.77.126.50 (06:56:12.356 PDT) event=1:22475 {tcp} E2[rb] GPL NETBIOS SMB-DS ADMIN$ unicode share access, [] MAC_Dst: 00:21:5A:08:EC:40 445<-11817 (06:56:12.356 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 194.32.151.124 (06:52:50.776 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 57625<-8937 (06:52:50.776 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368971570.776 1368971570.777 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 95.104.16.162, 190.79.29.132, 192.77.126.50 Egg Source List: 95.104.16.162 C & C List: Peer Coord. List: Resource List: Observed Start: 05/19/2013 07:25:48.974 PDT Gen. 
Time: 05/19/2013 07:39:23.759 PDT INBOUND SCAN EXPLOIT 95.104.16.162 (07:39:20.760 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-2039 (07:39:20.760 PDT) 190.79.29.132 (07:28:27.706 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-2897 (07:28:27.706 PDT) 192.77.126.50 (12) (07:25:48.974 PDT) event=1:22469 (4) {tcp} E2[rb] GPL NETBIOS SMB-DS D$ unicode share access, [] MAC_Dst: 00:21:5A:08:EC:40 445<-24626 (07:30:20.794 PDT) 445<-59256 (07:32:02.097 PDT) 445<-44371 (07:39:59.793 PDT) 445<-40497 (07:41:09.500 PDT) ------------------------- event=1:22472 (4) {tcp} E2[rb] GPL NETBIOS SMB-DS C$ unicode share access, [] MAC_Dst: 00:21:5A:08:EC:40 445<-25503 (07:28:04.348 PDT) 445<-7065 (07:29:11.176 PDT) 445<-18281 (07:37:42.898 PDT) 445<-46801 (07:38:51.349 PDT) ------------------------- event=1:22475 (4) {tcp} E2[rb] GPL NETBIOS SMB-DS ADMIN$ unicode share access, [] MAC_Dst: 00:21:5A:08:EC:40 445<-14501 (07:25:48.974 PDT) 445<-18089 (07:26:54.484 PDT) 445<-56994 (07:35:27.853 PDT) 445<-6610 (07:36:34.458 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 95.104.16.162 (07:39:23.759 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 59095<-4466 (07:39:23.759 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368973548.974 1368973548.975 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 192.77.126.50, 125.182.230.178 Egg Source List: 125.182.230.178 C & 
C List: Peer Coord. List: Resource List: Observed Start: 05/19/2013 07:43:24.621 PDT Gen. Time: 05/19/2013 07:46:34.134 PDT INBOUND SCAN EXPLOIT 192.77.126.50 (6) (07:43:24.621 PDT) event=1:22469 (2) {tcp} E2[rb] GPL NETBIOS SMB-DS D$ unicode share access, [] MAC_Dst: 00:21:5A:08:EC:40 445<-15404 (07:48:31.167 PDT) 445<-35922 (07:49:43.276 PDT) ------------------------- event=1:22472 (2) {tcp} E2[rb] GPL NETBIOS SMB-DS C$ unicode share access, [] MAC_Dst: 00:21:5A:08:EC:40 445<-61376 (07:45:41.250 PDT) 445<-14715 (07:47:27.782 PDT) ------------------------- event=1:22475 (2) {tcp} E2[rb] GPL NETBIOS SMB-DS ADMIN$ unicode share access, [] MAC_Dst: 00:21:5A:08:EC:40 445<-31839 (07:43:24.621 PDT) 445<-30355 (07:44:32.403 PDT) 125.182.230.178 (07:46:30.893 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-3173 (07:46:30.893 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 125.182.230.178 (07:46:34.134 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 38185<-4883 (07:46:34.134 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368974604.621 1368974604.622 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 192.77.126.50, 187.13.71.77 Egg Source List: 187.13.71.77 C & C List: Peer Coord. List: Resource List: Observed Start: 05/19/2013 07:53:38.940 PDT Gen. 
Time: 05/19/2013 07:54:55.038 PDT INBOUND SCAN EXPLOIT 192.77.126.50 (5) (07:53:38.940 PDT) event=1:22469 {tcp} E2[rb] GPL NETBIOS SMB-DS D$ unicode share access, [] MAC_Dst: 00:21:5A:08:EC:40 445<-4404 (07:58:12.450 PDT) ------------------------- event=1:22472 (2) {tcp} E2[rb] GPL NETBIOS SMB-DS C$ unicode share access, [] MAC_Dst: 00:21:5A:08:EC:40 445<-1917 (07:55:55.075 PDT) 445<-51373 (07:57:03.183 PDT) ------------------------- event=1:22475 (2) {tcp} E2[rb] GPL NETBIOS SMB-DS ADMIN$ unicode share access, [] MAC_Dst: 00:21:5A:08:EC:40 445<-57048 (07:53:38.940 PDT) 445<-60703 (07:54:48.104 PDT) 187.13.71.77 (07:54:52.406 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-4119 (07:54:52.406 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 187.13.71.77 (07:54:55.038 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 47018<-6526 (07:54:55.038 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368975218.940 1368975218.941 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 192.77.126.50, 95.30.217.245 Egg Source List: 95.30.217.245 C & C List: Peer Coord. List: Resource List: Observed Start: 05/19/2013 07:59:53.765 PDT Gen. 
Time: 05/19/2013 08:09:07.128 PDT INBOUND SCAN EXPLOIT 192.77.126.50 (7) (07:59:53.765 PDT) event=1:22469 (3) {tcp} E2[rb] GPL NETBIOS SMB-DS D$ unicode share access, [] MAC_Dst: 00:21:5A:08:EC:40 445<-32268 (07:59:53.765 PDT) 445<-5314 (08:09:01.422 PDT) 445<-50142 (08:10:43.176 PDT) ------------------------- event=1:22472 (2) {tcp} E2[rb] GPL NETBIOS SMB-DS C$ unicode share access, [] MAC_Dst: 00:21:5A:08:EC:40 445<-54769 (08:05:35.720 PDT) 445<-6733 (08:07:31.517 PDT) ------------------------- event=1:22475 (2) {tcp} E2[rb] GPL NETBIOS SMB-DS ADMIN$ unicode share access, [] MAC_Dst: 00:21:5A:08:EC:40 445<-62726 (08:03:19.203 PDT) 445<-11050 (08:04:26.550 PDT) 95.30.217.245 (08:09:02.881 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-4067 (08:09:02.881 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 95.30.217.245 (08:09:07.128 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 55513<-5025 (08:09:07.128 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368975593.765 1368975593.766 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 95.25.78.232, 192.77.126.50 Egg Source List: 95.25.78.232 C & C List: Peer Coord. List: Resource List: Observed Start: 05/19/2013 08:14:41.811 PDT Gen. 
Time: 05/19/2013 08:20:34.811 PDT INBOUND SCAN EXPLOIT 95.25.78.232 (08:20:29.245 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-2438 (08:20:29.245 PDT) 192.77.126.50 (5) (08:14:41.811 PDT) event=1:22469 {tcp} E2[rb] GPL NETBIOS SMB-DS D$ unicode share access, [] MAC_Dst: 00:21:5A:08:EC:40 445<-24175 (08:20:24.407 PDT) ------------------------- event=1:22472 (2) {tcp} E2[rb] GPL NETBIOS SMB-DS C$ unicode share access, [] MAC_Dst: 00:21:5A:08:EC:40 445<-52682 (08:17:33.594 PDT) 445<-43655 (08:19:14.132 PDT) ------------------------- event=1:22475 (2) {tcp} E2[rb] GPL NETBIOS SMB-DS ADMIN$ unicode share access, [] MAC_Dst: 00:21:5A:08:EC:40 445<-53387 (08:14:41.811 PDT) 445<-41608 (08:15:49.615 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 95.25.78.232 (08:20:34.811 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 52131<-2215 (08:20:34.811 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368976481.811 1368976481.812 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 72.242.182.41, 95.25.78.232, 192.77.126.50, 90.150.110.179 Egg Source List: 72.242.182.41, 95.25.78.232 C & C List: Peer Coord. List: Resource List: Observed Start: 05/19/2013 08:14:41.811 PDT Gen. 
Time: 05/19/2013 08:26:13.353 PDT INBOUND SCAN EXPLOIT 72.242.182.41 (08:22:43.374 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-3204 (08:22:43.374 PDT) 95.25.78.232 (08:20:29.245 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-2438 (08:20:29.245 PDT) 192.77.126.50 (7) (08:14:41.811 PDT) event=1:22469 (2) {tcp} E2[rb] GPL NETBIOS SMB-DS D$ unicode share access, [] MAC_Dst: 00:21:5A:08:EC:40 445<-24175 (08:20:24.407 PDT) 445<-28401 (08:22:04.729 PDT) ------------------------- event=1:22472 (2) {tcp} E2[rb] GPL NETBIOS SMB-DS C$ unicode share access, [] MAC_Dst: 00:21:5A:08:EC:40 445<-52682 (08:17:33.594 PDT) 445<-43655 (08:19:14.132 PDT) ------------------------- event=1:22475 (3) {tcp} E2[rb] GPL NETBIOS SMB-DS ADMIN$ unicode share access, [] MAC_Dst: 00:21:5A:08:EC:40 445<-53387 (08:14:41.811 PDT) 445<-41608 (08:15:49.615 PDT) 445<-3687 (08:25:29.732 PDT) 90.150.110.179 (08:24:21.618 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-2822 (08:24:21.618 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 72.242.182.41 (08:22:46.139 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 42561<-7677 (08:22:46.139 PDT) 95.25.78.232 (08:20:34.811 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 52131<-2215 (08:20:34.811 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368976481.811 1368976481.812 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 
192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 192.77.126.50 Egg Source List: 90.150.110.179 C & C List: Peer Coord. List: Resource List: Observed Start: 05/19/2013 08:24:25.050 PDT Gen. Time: 05/19/2013 08:24:25.050 PDT INBOUND SCAN EXPLOIT 192.77.126.50 (08:26:38.031 PDT) event=1:22475 {tcp} E2[rb] GPL NETBIOS SMB-DS ADMIN$ unicode share access, [] MAC_Dst: 00:21:5A:08:EC:40 445<-57578 (08:26:38.031 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 90.150.110.179 (08:24:25.050 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 47622<-6037 (08:24:25.050 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368977065.050 1368977065.051 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 192.77.126.50, 83.18.195.146, 179.235.230.120 Egg Source List: 90.150.110.179, 179.235.230.120 C & C List: Peer Coord. List: Resource List: Observed Start: 05/19/2013 08:24:25.050 PDT Gen. 
Time: 05/19/2013 08:39:32.840 PDT INBOUND SCAN EXPLOIT 192.77.126.50 (8) (08:26:38.031 PDT) event=1:22469 (2) {tcp} E2[rb] GPL NETBIOS SMB-DS D$ unicode share access, [] MAC_Dst: 00:21:5A:08:EC:40 445<-56017 (08:30:37.908 PDT) 445<-45693 (08:32:19.311 PDT) ------------------------- event=1:22472 (3) {tcp} E2[rb] GPL NETBIOS SMB-DS C$ unicode share access, [] MAC_Dst: 00:21:5A:08:EC:40 445<-50308 (08:27:47.595 PDT) 445<-41385 (08:29:28.320 PDT) 445<-57980 (08:37:37.611 PDT) ------------------------- event=1:22475 (3) {tcp} E2[rb] GPL NETBIOS SMB-DS ADMIN$ unicode share access, [] MAC_Dst: 00:21:5A:08:EC:40 445<-57578 (08:26:38.031 PDT) 445<-19613 (08:34:36.093 PDT) 445<-20181 (08:35:45.166 PDT) 83.18.195.146 (08:30:43.678 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-45345 (08:30:43.678 PDT) 179.235.230.120 (2) (08:27:56.654 PDT) event=1:22009201 (2) {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-4260 (08:27:56.654 PDT) 445<-1700 (08:28:34.213 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 90.150.110.179 (08:24:25.050 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 47622<-6037 (08:24:25.050 PDT) 179.235.230.120 (2) (08:28:04.871 PDT) event=1:2001685 (2) {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 60023<-3579 (08:28:04.871 PDT) 60066<-3579 (08:28:37.780 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368977065.050 1368977065.051 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== 
SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 92.82.187.127, 192.77.126.50 Egg Source List: 92.82.187.127 C & C List: Peer Coord. List: Resource List: Observed Start: 05/19/2013 08:39:44.351 PDT Gen. Time: 05/19/2013 08:44:58.792 PDT INBOUND SCAN EXPLOIT 92.82.187.127 (08:44:55.725 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-2930 (08:44:55.725 PDT) 192.77.126.50 (5) (08:39:44.351 PDT) event=1:22469 (2) {tcp} E2[rb] GPL NETBIOS SMB-DS D$ unicode share access, [] MAC_Dst: 00:21:5A:08:EC:40 445<-2135 (08:41:26.643 PDT) 445<-18819 (08:43:07.177 PDT) ------------------------- event=1:22472 {tcp} E2[rb] GPL NETBIOS SMB-DS C$ unicode share access, [] MAC_Dst: 00:21:5A:08:EC:40 445<-58378 (08:39:44.351 PDT) ------------------------- event=1:22475 (2) {tcp} E2[rb] GPL NETBIOS SMB-DS ADMIN$ unicode share access, [] MAC_Dst: 00:21:5A:08:EC:40 445<-59143 (08:46:32.768 PDT) 445<-13376 (08:48:16.542 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 92.82.187.127 (08:44:58.792 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 39080<-5066 (08:44:58.792 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368977984.351 1368977984.352 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 192.77.126.50, 31.133.47.224, 89.47.240.212 Egg Source List: 89.47.240.212 C & C List: Peer Coord. List: Resource List: Observed Start: 05/19/2013 09:07:43.700 PDT Gen. 
Time: 05/19/2013 09:15:01.582 PDT INBOUND SCAN EXPLOIT 192.77.126.50 (7) (09:07:43.700 PDT) event=1:22469 (2) {tcp} E2[rb] GPL NETBIOS SMB-DS D$ unicode share access, [] MAC_Dst: 00:21:5A:08:EC:40 445<-8005 (09:13:16.147 PDT) 445<-61362 (09:14:24.580 PDT) ------------------------- event=1:22472 (2) {tcp} E2[rb] GPL NETBIOS SMB-DS C$ unicode share access, [] MAC_Dst: 00:21:5A:08:EC:40 445<-57269 (09:10:29.185 PDT) 445<-8070 (09:12:07.809 PDT) ------------------------- event=1:22475 (3) {tcp} E2[rb] GPL NETBIOS SMB-DS ADMIN$ unicode share access, [] MAC_Dst: 00:21:5A:08:EC:40 445<-48647 (09:07:43.700 PDT) 445<-44624 (09:09:19.535 PDT) 445<-14752 (09:16:41.824 PDT) 31.133.47.224 (09:13:10.771 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-4152 (09:13:10.771 PDT) 89.47.240.212 (09:14:58.243 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-2195 (09:14:58.243 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 89.47.240.212 (09:15:01.582 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 56157<-7962 (09:15:01.582 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368979663.700 1368979663.701 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 192.77.126.50, 31.133.47.224, 179.235.230.120, 89.47.240.212 Egg Source List: 179.235.230.120, 89.47.240.212 C & C List: Peer Coord. List: Resource List: Observed Start: 05/19/2013 09:07:43.700 PDT Gen. 
Time: 05/19/2013 09:24:11.742 PDT INBOUND SCAN EXPLOIT 192.77.126.50 (10) (09:07:43.700 PDT) event=1:22469 (2) {tcp} E2[rb] GPL NETBIOS SMB-DS D$ unicode share access, [] MAC_Dst: 00:21:5A:08:EC:40 445<-8005 (09:13:16.147 PDT) 445<-61362 (09:14:24.580 PDT) ------------------------- event=1:22472 (4) {tcp} E2[rb] GPL NETBIOS SMB-DS C$ unicode share access, [] MAC_Dst: 00:21:5A:08:EC:40 445<-57269 (09:10:29.185 PDT) 445<-8070 (09:12:07.809 PDT) 445<-8372 (09:18:57.355 PDT) 445<-34169 (09:20:08.884 PDT) ------------------------- event=1:22475 (4) {tcp} E2[rb] GPL NETBIOS SMB-DS ADMIN$ unicode share access, [] MAC_Dst: 00:21:5A:08:EC:40 445<-48647 (09:07:43.700 PDT) 445<-44624 (09:09:19.535 PDT) 445<-14752 (09:16:41.824 PDT) 445<-34428 (09:17:49.127 PDT) 31.133.47.224 (09:13:10.771 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-4152 (09:13:10.771 PDT) 179.235.230.120 (5) (09:19:35.304 PDT) event=1:22009201 (5) {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-3655 (09:19:35.304 PDT) 445<-3849 (09:19:51.712 PDT) 445<-4055 (09:20:10.839 PDT) 445<-4453 (09:20:48.287 PDT) 445<-4771 (09:21:05.389 PDT) 89.47.240.212 (09:14:58.243 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-2195 (09:14:58.243 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 179.235.230.120 (4) (09:19:38.044 PDT) event=1:2001685 (4) {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 35739<-3579 (09:20:17.487 PDT) 35839<-3579 (09:21:25.232 PDT) 35691<-3579 (09:19:38.044 PDT) 35710<-3579 (09:19:54.957 PDT) 89.47.240.212 (09:15:01.582 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 56157<-7962 (09:15:01.582 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND 
SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368979663.700 1368979663.701 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 31.41.124.125, 192.77.126.50, 46.241.181.109 Egg Source List: 46.241.181.109 C & C List: Peer Coord. List: Resource List: Observed Start: 05/19/2013 09:25:47.573 PDT Gen. Time: 05/19/2013 09:27:56.764 PDT INBOUND SCAN EXPLOIT 31.41.124.125 (09:27:40.277 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-3711 (09:27:40.277 PDT) 192.77.126.50 (5) (09:25:47.573 PDT) event=1:22469 {tcp} E2[rb] GPL NETBIOS SMB-DS D$ unicode share access, [] MAC_Dst: 00:21:5A:08:EC:40 445<-47790 (09:30:53.627 PDT) ------------------------- event=1:22472 (2) {tcp} E2[rb] GPL NETBIOS SMB-DS C$ unicode share access, [] MAC_Dst: 00:21:5A:08:EC:40 445<-15357 (09:28:04.187 PDT) 445<-34615 (09:29:47.834 PDT) ------------------------- event=1:22475 (2) {tcp} E2[rb] GPL NETBIOS SMB-DS ADMIN$ unicode share access, [] MAC_Dst: 00:21:5A:08:EC:40 445<-23777 (09:25:47.573 PDT) 445<-4057 (09:26:56.825 PDT) 46.241.181.109 (09:27:53.985 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-2330 (09:27:53.985 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 46.241.181.109 (09:27:56.764 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 49409<-3121 (09:27:56.764 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port 
DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368980747.573 1368980747.574 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 192.77.126.50, 152.101.170.177 Egg Source List: 124.123.145.5 C & C List: Peer Coord. List: Resource List: Observed Start: 05/19/2013 09:49:30.000 PDT Gen. Time: 05/19/2013 09:49:30.000 PDT INBOUND SCAN EXPLOIT 192.77.126.50 (2) (09:51:57.683 PDT) event=1:22475 (2) {tcp} E2[rb] GPL NETBIOS SMB-DS ADMIN$ unicode share access, [] MAC_Dst: 00:21:5A:08:EC:40 445<-45509 (09:51:57.683 PDT) 445<-10300 (09:53:38.806 PDT) 152.101.170.177 (09:51:42.563 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-34489 (09:51:42.563 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 124.123.145.5 (09:49:30.000 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 59151<-4939 (09:49:30.000 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368982170.000 1368982170.001 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 192.77.126.50, 202.60.26.109 Egg Source List: 152.101.170.177 C & C List: Peer Coord. List: Resource List: Observed Start: 05/19/2013 09:51:45.413 PDT Gen. 
Time: 05/19/2013 09:51:45.413 PDT INBOUND SCAN EXPLOIT 192.77.126.50 (2) (09:54:47.016 PDT) event=1:22472 (2) {tcp} E2[rb] GPL NETBIOS SMB-DS C$ unicode share access, [] MAC_Dst: 00:21:5A:08:EC:40 445<-58842 (09:54:47.016 PDT) 445<-53605 (09:55:55.824 PDT) 202.60.26.109 (09:55:35.099 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-36916 (09:55:35.099 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 152.101.170.177 (09:51:45.413 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 47744<-5225 (09:51:45.413 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368982305.413 1368982305.414 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 192.77.126.50, 176.14.128.197 Egg Source List: 176.14.128.197 C & C List: Peer Coord. List: Resource List: Observed Start: 05/19/2013 10:01:05.926 PDT Gen. 
Time: 05/19/2013 10:02:40.540 PDT INBOUND SCAN EXPLOIT 192.77.126.50 (2) (10:01:05.926 PDT) event=1:22475 (2) {tcp} E2[rb] GPL NETBIOS SMB-DS ADMIN$ unicode share access, [] MAC_Dst: 00:21:5A:08:EC:40 445<-18186 (10:01:05.926 PDT) 445<-60576 (10:02:10.576 PDT) 176.14.128.197 (10:02:36.597 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-2401 (10:02:36.597 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 176.14.128.197 (10:02:40.540 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 34532<-8259 (10:02:40.540 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368982865.926 1368982865.927 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 187.62.255.225, 192.77.126.50, 177.83.78.56, 176.14.128.197 Egg Source List: 177.83.78.56, 176.14.128.197 C & C List: Peer Coord. List: Resource List: Observed Start: 05/19/2013 10:01:05.926 PDT Gen. 
Time: 05/19/2013 10:10:34.230 PDT INBOUND SCAN EXPLOIT 187.62.255.225 (10:08:13.978 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-3524 (10:08:13.978 PDT) 192.77.126.50 (6) (10:01:05.926 PDT) event=1:22469 (2) {tcp} E2[rb] GPL NETBIOS SMB-DS D$ unicode share access, [] MAC_Dst: 00:21:5A:08:EC:40 445<-15262 (10:06:44.739 PDT) 445<-57676 (10:07:56.580 PDT) ------------------------- event=1:22472 (2) {tcp} E2[rb] GPL NETBIOS SMB-DS C$ unicode share access, [] MAC_Dst: 00:21:5A:08:EC:40 445<-19225 (10:03:22.838 PDT) 445<-34456 (10:05:35.472 PDT) ------------------------- event=1:22475 (2) {tcp} E2[rb] GPL NETBIOS SMB-DS ADMIN$ unicode share access, [] MAC_Dst: 00:21:5A:08:EC:40 445<-18186 (10:01:05.926 PDT) 445<-60576 (10:02:10.576 PDT) 177.83.78.56 (10:06:16.308 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-4363 (10:06:16.308 PDT) 176.14.128.197 (10:02:36.597 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-2401 (10:02:36.597 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 177.83.78.56 (10:06:18.891 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 35219<-7019 (10:06:18.891 PDT) 176.14.128.197 (10:02:40.540 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 34532<-8259 (10:02:40.540 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368982865.926 1368982865.927 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' 
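The records above are BotHunter infection profiles that extraction has run together onto long lines. Each one carries a score against the 0.8 threshold, the infected target, the infector / egg-source / C&C lists, Observed Start and Gen. Time, then the evidence grouped by dialog stage (E2 inbound exploits such as the Conficker.b shellcode hits on 445 and the C$/D$/ADMIN$ share probes, E3 egg downloads, E4 C&C traffic) with one "localport<-remoteport (clock)" entry per flow, and finally a tcpslice | tcpdump pipeline for carving that host's packets out of the capture. The Python below is an added example, not part of this dump and not BotHunter's own code: it splits a dump on the SEPARATOR line, pulls out the header fields and the events with their flows, checks that a record's tcpslice start argument really is its Observed Start in POSIX seconds, and rebuilds the carve command with an end bound past the last flow instead of the one-millisecond window (start, start + 0.001) the records print. Assumptions the page does not state: every timestamp is PDT, treated as a fixed UTC-7 offset; in a flow token the left port belongs to the infected target and the arrow gives the direction (inferred from "445<-" on the inbound exploits and "->" on the one outbound C&C hit); SAMPLE is a constructed, abridged input in the page's format, not a verbatim copy of any record.

```python
"""Parse flattened BotHunter infection profiles like the records above (added example, not the page's or BotHunter's code)."""
import re
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

PDT = timezone(timedelta(hours=-7))   # assumption: every timestamp on the page is PDT = UTC-7
SEP_RE = re.compile(r"=+ SEPARATOR\s+=+")   # \s+ because the page breaks lines inside the separator
HEADER_RE = re.compile(
    r"Score:\s*(?P<score>[\d.]+)\s*\(>=\s*[\d.]+\)\s*Infected Target:\s*(?P<target>\S+)\s*"
    r"Infector List:\s*(?P<infectors>.*?)\s*Egg Source List:\s*(?P<eggs>.*?)\s*"
    r"C & C List:\s*(?P<cnc>.*?)\s*Peer Coord\. List:.*?Resource List:.*?"
    r"Observed Start:\s*(?P<start>\S+ \S+ [A-Z]{3})\s*Gen\.\s*Time:\s*(?P<gen>\S+ \S+ [A-Z]{3})", re.S)
# A token is the source IP introducing a group of events, one event, or one flow of the latest event.
# Assumption: in "445<-8005" the left port is the infected target's side and the arrow is the direction.
TOKEN_RE = re.compile(
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})(?: \(\d+\))? \(\d\d:\d\d:\d\d\.\d{3} [A-Z]{3}\)(?= event=)"
    r"|event=1:(?P<sid>\d+)(?: \(\d+\))? \{(?:tcp|udp)\} (?P<stage>E\d)\[\w+\] "
    r"(?P<msg>.*?), \[\] MAC_(?:Src|Dst): (?:[0-9A-F]{2}:){5}[0-9A-F]{2}"
    r"|(?P<lport>\d+)(?P<dir><-|->)(?P<rport>\d+) \((?P<clock>\d\d:\d\d:\d\d\.\d{3}) [A-Z]{3}\)")

@dataclass
class Event:
    src_ip: str
    sid: str      # signature id as printed after "event=1:"
    stage: str    # BotHunter dialog stage: E2 exploit, E3 egg download, E4 C&C
    msg: str
    flows: list = field(default_factory=list)   # (local_port, direction, remote_port, clock)

def parse_profiles(text):
    """Split a dump on the separator; each record becomes a dict of header fields plus its events."""
    profiles = []
    for chunk in SEP_RE.split(text):
        h = HEADER_RE.search(chunk)
        if not h:
            continue
        p = h.groupdict()
        p["score"] = float(p["score"])
        for k in ("infectors", "eggs", "cnc"):
            p[k] = [x.strip() for x in p[k].split(",") if x.strip()]
        ts = re.search(r"tcpslice (\d+\.\d+) (\d+\.\d+)", chunk)
        p["tcpslice"] = (float(ts[1]), float(ts[2])) if ts else None
        p["events"], cur_ip = [], None
        for m in TOKEN_RE.finditer(chunk, h.end()):
            if m["ip"]:
                cur_ip = m["ip"]
            elif m["sid"]:
                p["events"].append(Event(cur_ip, m["sid"], m["stage"], m["msg"]))
            elif p["events"]:
                p["events"][-1].flows.append((int(m["lport"]), m["dir"], int(m["rport"]), m["clock"]))
        profiles.append(p)
    return profiles

def to_epoch(ts):
    """'05/19/2013 10:19:15.077 PDT' -> POSIX seconds."""
    date, clock, zone = ts.split()
    if zone != "PDT":
        raise ValueError(f"unexpected time zone {zone!r}")
    return datetime.strptime(f"{date} {clock}", "%m/%d/%Y %H:%M:%S.%f").replace(tzinfo=PDT).timestamp()

def tcpslice_consistent(p):
    """The record's own tcpslice start argument must equal Observed Start in POSIX seconds."""
    return p["tcpslice"] is not None and abs(to_epoch(p["start"]) - p["tcpslice"][0]) < 0.0005

def capture_window(p):
    """Observed Start through the latest flow; flows carry only a clock, so one before the start clock is the next day."""
    date, _, zone = p["start"].split()
    start = end = to_epoch(p["start"])
    for ev in p["events"]:
        for *_, clock in ev.flows:
            t = to_epoch(f"{date} {clock} {zone}")
            end = max(end, t + 86400 if t < start else t)
    return start, end

def tcpslice_command(p, pcap="inputFile.tcpd", out="outputFile.tcpd"):
    """The records' own carve pipeline, but ending past the last flow rather than 1 ms after the start."""
    start, end = capture_window(p)
    return f"tcpslice {start:.3f} {end + 0.001:.3f} {pcap} | tcpdump -r - -w {out} 'host {p['target']}'"

# Constructed sample in the page's format, modelled on two of its records (abridged, not verbatim).
SAMPLE = (
    "Score: 0.9 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 88.119.198.111, 192.77.126.50 Egg Source "
    "List: 88.119.198.111 C & C List: 81.176.226.188 Peer Coord. List: Resource List: Observed Start: 05/19/2013 "
    "10:19:15.077 PDT Gen. Time: 05/19/2013 10:20:19.777 PDT INBOUND SCAN EXPLOIT 88.119.198.111 (10:20:17.409 PDT) "
    "event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-4472 "
    "(10:20:17.409 PDT) 192.77.126.50 (3) (10:19:15.077 PDT) event=1:22469 {tcp} E2[rb] GPL NETBIOS SMB-DS D$ "
    "unicode share access, [] MAC_Dst: 00:21:5A:08:EC:40 445<-9639 (10:23:47.905 PDT) ------------------------- "
    "event=1:22475 (2) {tcp} E2[rb] GPL NETBIOS SMB-DS ADMIN$ unicode share access, [] MAC_Dst: 00:21:5A:08:EC:40 "
    "445<-52681 (10:19:15.077 PDT) 445<-56454 (10:20:22.767 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 88.119.198.111 "
    "(10:20:19.777 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host "
    "claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 41037<-9580 (10:20:19.777 PDT) C and C TRAFFIC (RBN) "
    "81.176.226.188 (10:22:33.833 PDT) event=1:3810008 {udp} E4[nbr] ET Known Russian Business Network Monitored "
    "Domain, [] MAC_Src: 00:21:5A:08:EC:40 57737->33434 (10:22:33.833 PDT) DECLARE BOT tcpslice 1368983955.077 "
    "1368983955.078 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== "
    "SEPARATOR \n================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: "
    "94.61.243.71 Egg Source List: 94.61.243.71 C & C List: Peer Coord. List: Resource List: Observed Start: "
    "05/19/2013 11:02:21.246 PDT Gen. \nTime: 05/19/2013 11:02:27.374 PDT INBOUND SCAN EXPLOIT 94.61.243.71 "
    "(11:02:21.246 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 "
    "445<-3519 (11:02:21.246 PDT) tcpslice 1368986541.246 1368986541.247 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'"
)
```

Run the check over a whole dump with all(tcpslice_consistent(p) for p in parse_profiles(text)); every record on this page passes it (Observed Start 05/19/2013 09:49:30.000 PDT is 1368982170.000, 10:35:09.933 PDT is 1368984909.933, and so on). Two things worth knowing before carving: the printed window is only one millisecond wide, so as shown it slices almost nothing, and Gen. Time is not an upper bound on the evidence (the 0.9 record with the C&C hit has Gen. Time 10:20:19.777 but flows up to 10:23:47.905), which is why capture_window takes its end from the flows rather than from Gen. Time.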
============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 192.77.126.50 Egg Source List: 187.62.255.225 C & C List: Peer Coord. List: Resource List: Observed Start: 05/19/2013 10:08:18.664 PDT Gen. Time: 05/19/2013 10:08:18.664 PDT INBOUND SCAN EXPLOIT 192.77.126.50 (2) (10:11:17.127 PDT) event=1:22475 (2) {tcp} E2[rb] GPL NETBIOS SMB-DS ADMIN$ unicode share access, [] MAC_Dst: 00:21:5A:08:EC:40 445<-11669 (10:11:17.127 PDT) 445<-25634 (10:12:25.619 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 187.62.255.225 (10:08:18.664 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 42586<-3538 (10:08:18.664 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368983298.664 1368983298.665 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 192.77.126.50, 95.104.50.22 Egg Source List: 95.104.50.22 C & C List: Peer Coord. List: Resource List: Observed Start: 05/19/2013 10:13:34.171 PDT Gen. 
Time: 05/19/2013 10:14:19.304 PDT INBOUND SCAN EXPLOIT 192.77.126.50 (4) (10:13:34.171 PDT) event=1:22469 (2) {tcp} E2[rb] GPL NETBIOS SMB-DS D$ unicode share access, [] MAC_Dst: 00:21:5A:08:EC:40 445<-52151 (10:15:50.760 PDT) 445<-52019 (10:16:57.948 PDT) ------------------------- event=1:22472 (2) {tcp} E2[rb] GPL NETBIOS SMB-DS C$ unicode share access, [] MAC_Dst: 00:21:5A:08:EC:40 445<-46842 (10:13:34.171 PDT) 445<-32133 (10:14:41.529 PDT) 95.104.50.22 (10:14:16.271 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-4913 (10:14:16.271 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 95.104.50.22 (10:14:19.304 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 45765<-7685 (10:14:19.304 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368983614.171 1368983614.172 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.9 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 88.119.198.111, 192.77.126.50 Egg Source List: 88.119.198.111 C & C List: 81.176.226.188 Peer Coord. List: Resource List: Observed Start: 05/19/2013 10:19:15.077 PDT Gen. 
Time: 05/19/2013 10:20:19.777 PDT INBOUND SCAN EXPLOIT 88.119.198.111 (10:20:17.409 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-4472 (10:20:17.409 PDT) 192.77.126.50 (5) (10:19:15.077 PDT) event=1:22469 {tcp} E2[rb] GPL NETBIOS SMB-DS D$ unicode share access, [] MAC_Dst: 00:21:5A:08:EC:40 445<-9639 (10:23:47.905 PDT) ------------------------- event=1:22472 (2) {tcp} E2[rb] GPL NETBIOS SMB-DS C$ unicode share access, [] MAC_Dst: 00:21:5A:08:EC:40 445<-16143 (10:21:31.098 PDT) 445<-58194 (10:22:41.196 PDT) ------------------------- event=1:22475 (2) {tcp} E2[rb] GPL NETBIOS SMB-DS ADMIN$ unicode share access, [] MAC_Dst: 00:21:5A:08:EC:40 445<-52681 (10:19:15.077 PDT) 445<-56454 (10:20:22.767 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 88.119.198.111 (10:20:19.777 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 41037<-9580 (10:20:19.777 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) 81.176.226.188 (10:22:33.833 PDT) event=1:3810008 {udp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:EC:40 57737->33434 (10:22:33.833 PDT) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368983955.077 1368983955.078 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 189.111.63.187, 192.77.126.50 Egg Source List: 189.111.63.187 C & C List: Peer Coord. List: Resource List: Observed Start: 05/19/2013 10:29:29.567 PDT Gen. 
Time: 05/19/2013 10:30:49.896 PDT INBOUND SCAN EXPLOIT 189.111.63.187 (10:30:44.390 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-52883 (10:30:44.390 PDT) 192.77.126.50 (5) (10:29:29.567 PDT) event=1:22469 {tcp} E2[rb] GPL NETBIOS SMB-DS D$ unicode share access, [] MAC_Dst: 00:21:5A:08:EC:40 445<-52755 (10:34:01.728 PDT) ------------------------- event=1:22472 (2) {tcp} E2[rb] GPL NETBIOS SMB-DS C$ unicode share access, [] MAC_Dst: 00:21:5A:08:EC:40 445<-31646 (10:31:45.781 PDT) 445<-40524 (10:32:53.553 PDT) ------------------------- event=1:22475 (2) {tcp} E2[rb] GPL NETBIOS SMB-DS ADMIN$ unicode share access, [] MAC_Dst: 00:21:5A:08:EC:40 445<-3749 (10:29:29.567 PDT) 445<-56674 (10:30:37.775 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 189.111.63.187 (10:30:49.896 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 33360<-6249 (10:30:49.896 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368984569.567 1368984569.568 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 192.77.126.50, 94.61.243.71 Egg Source List: 94.61.243.71 C & C List: Peer Coord. List: Resource List: Observed Start: 05/19/2013 10:35:09.933 PDT Gen. 
Time: 05/19/2013 10:46:42.889 PDT INBOUND SCAN EXPLOIT 192.77.126.50 (7) (10:35:09.933 PDT) event=1:22469 (3) {tcp} E2[rb] GPL NETBIOS SMB-DS D$ unicode share access, [] MAC_Dst: 00:21:5A:08:EC:40 445<-2739 (10:35:09.933 PDT) 445<-27203 (10:42:33.382 PDT) 445<-31505 (10:43:43.809 PDT) ------------------------- event=1:22472 (2) {tcp} E2[rb] GPL NETBIOS SMB-DS C$ unicode share access, [] MAC_Dst: 00:21:5A:08:EC:40 445<-4678 (10:40:17.139 PDT) 445<-12234 (10:41:26.885 PDT) ------------------------- event=1:22475 (2) {tcp} E2[rb] GPL NETBIOS SMB-DS ADMIN$ unicode share access, [] MAC_Dst: 00:21:5A:08:EC:40 445<-48322 (10:37:39.495 PDT) 445<-22290 (10:39:08.919 PDT) 94.61.243.71 (3) (10:46:00.061 PDT) event=1:22009201 (3) {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-1819 (10:46:00.061 PDT) 445<-2846 (10:46:17.650 PDT) 445<-3807 (10:46:31.227 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 94.61.243.71 (10:46:42.889 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 42944<-6947 (10:46:42.889 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368984909.933 1368984909.934 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 192.77.126.50, 94.61.243.71 Egg Source List: 94.61.243.71 C & C List: Peer Coord. List: Resource List: Observed Start: 05/19/2013 10:35:09.933 PDT Gen. 
Time: 05/19/2013 10:54:23.424 PDT INBOUND SCAN EXPLOIT 192.77.126.50 (9) (10:35:09.933 PDT) event=1:22469 (3) {tcp} E2[rb] GPL NETBIOS SMB-DS D$ unicode share access, [] MAC_Dst: 00:21:5A:08:EC:40 445<-2739 (10:35:09.933 PDT) 445<-27203 (10:42:33.382 PDT) 445<-31505 (10:43:43.809 PDT) ------------------------- event=1:22472 (2) {tcp} E2[rb] GPL NETBIOS SMB-DS C$ unicode share access, [] MAC_Dst: 00:21:5A:08:EC:40 445<-4678 (10:40:17.139 PDT) 445<-12234 (10:41:26.885 PDT) ------------------------- event=1:22475 (4) {tcp} E2[rb] GPL NETBIOS SMB-DS ADMIN$ unicode share access, [] MAC_Dst: 00:21:5A:08:EC:40 445<-48322 (10:37:39.495 PDT) 445<-22290 (10:39:08.919 PDT) 445<-35501 (10:46:43.591 PDT) 445<-9375 (10:48:21.637 PDT) 94.61.243.71 (8) (10:46:00.061 PDT) event=1:22009201 (8) {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-1819 (10:46:00.061 PDT) 445<-2846 (10:46:17.650 PDT) 445<-3807 (10:46:31.227 PDT) 445<-1267 (10:46:58.565 PDT) 445<-2364 (10:47:11.417 PDT) 445<-3102 (10:47:26.485 PDT) 445<-4452 (10:47:47.053 PDT) 445<-1409 (10:48:10.957 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 94.61.243.71 (7) (10:46:42.889 PDT) event=1:2001685 (7) {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 42944<-6947 (10:46:42.889 PDT) 42995<-6947 (10:47:40.882 PDT) 43083<-6947 (10:48:18.917 PDT) 44418<-6947 (10:50:04.700 PDT) 43174<-6947 (10:49:27.817 PDT) 44388<-6947 (10:49:40.582 PDT) 44430<-6947 (10:50:17.564 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368984909.933 1368984909.934 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR 
================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 94.61.243.71 Egg Source List: 94.61.243.71 C & C List: Peer Coord. List: Resource List: Observed Start: 05/19/2013 10:50:43.677 PDT Gen. Time: 05/19/2013 10:50:43.677 PDT INBOUND SCAN EXPLOIT 94.61.243.71 (2) (10:54:23.926 PDT) event=1:22009201 (2) {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-4046 (10:54:23.926 PDT) 445<-1446 (10:54:37.016 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 94.61.243.71 (10:50:43.677 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 44460<-6947 (10:50:43.677 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368985843.677 1368985843.678 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 192.77.126.50, 94.61.243.71 Egg Source List: 94.61.243.71 C & C List: Peer Coord. List: Resource List: Observed Start: 05/19/2013 10:50:43.677 PDT Gen. 
Time: 05/19/2013 10:57:11.584 PDT INBOUND SCAN EXPLOIT 192.77.126.50 (10:55:09.508 PDT) event=1:22469 {tcp} E2[rb] GPL NETBIOS SMB-DS D$ unicode share access, [] MAC_Dst: 00:21:5A:08:EC:40 445<-38913 (10:55:09.508 PDT) 94.61.243.71 (10) (10:54:23.926 PDT) event=1:22009201 (10) {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-4046 (10:54:23.926 PDT) 445<-1446 (10:54:37.016 PDT) 445<-2428 (10:54:54.192 PDT) 445<-3628 (10:55:14.428 PDT) 445<-1260 (10:55:32.382 PDT) 445<-2433 (10:55:45.234 PDT) 445<-3329 (10:56:02.292 PDT) 445<-4646 (10:56:16.384 PDT) 445<-1848 (10:56:33.567 PDT) 445<-3143 (10:56:54.495 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 94.61.243.71 (12) (10:50:43.677 PDT) event=1:2001685 (12) {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 44460<-6947 (10:50:43.677 PDT) 44475<-6947 (10:50:57.872 PDT) 44496<-6947 (10:51:13.500 PDT) 44509<-6947 (10:51:27.916 PDT) 44529<-6947 (10:51:49.829 PDT) 44541<-6947 (10:52:03.743 PDT) 49847<-6947 (10:56:05.034 PDT) 44567<-6947 (10:52:20.776 PDT) 44577<-6947 (10:52:36.133 PDT) 44604<-6947 (10:52:53.231 PDT) 44612<-6947 (10:53:05.857 PDT) 44641<-6947 (10:53:25.170 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368985843.677 1368985843.678 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 94.61.243.71 Egg Source List: 94.61.243.71 C & C List: Peer Coord. List: Resource List: Observed Start: 05/19/2013 10:53:39.894 PDT Gen. 
Time: 05/19/2013 10:53:39.894 PDT INBOUND SCAN EXPLOIT 94.61.243.71 (10:57:11.791 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-4466 (10:57:11.791 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 94.61.243.71 (10:53:39.894 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 44652<-6947 (10:53:39.894 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368986019.894 1368986019.895 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 192.77.126.50, 94.61.243.71 Egg Source List: 94.61.243.71 C & C List: Peer Coord. List: Resource List: Observed Start: 05/19/2013 10:53:39.894 PDT Gen. 
Time: 05/19/2013 11:00:47.501 PDT INBOUND SCAN EXPLOIT 192.77.126.50 (2) (10:58:31.119 PDT) event=1:22475 (2) {tcp} E2[rb] GPL NETBIOS SMB-DS ADMIN$ unicode share access, [] MAC_Dst: 00:21:5A:08:EC:40 445<-32694 (10:58:31.119 PDT) 445<-7032 (10:59:39.318 PDT) 94.61.243.71 (12) (10:57:11.791 PDT) event=1:22009201 (12) {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-4466 (10:57:11.791 PDT) 445<-1834 (10:57:24.408 PDT) 445<-2733 (10:57:50.108 PDT) 445<-4549 (10:58:07.905 PDT) 445<-2049 (10:58:24.415 PDT) 445<-3347 (10:58:41.128 PDT) 445<-4316 (10:58:58.281 PDT) 445<-1741 (10:59:10.771 PDT) 445<-2678 (10:59:27.053 PDT) 445<-3767 (10:59:44.345 PDT) 445<-1250 (11:00:07.072 PDT) 445<-3071 (11:00:29.001 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 94.61.243.71 (17) (10:53:39.894 PDT) event=1:2001685 (17) {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 44652<-6947 (10:53:39.894 PDT) 44668<-6947 (10:53:56.092 PDT) 44686<-6947 (10:54:10.018 PDT) 44714<-6947 (10:54:27.216 PDT) 49733<-6947 (10:54:40.949 PDT) 49760<-6947 (10:54:58.149 PDT) 49794<-6947 (10:55:18.117 PDT) 50035<-6947 (10:58:29.400 PDT) 49814<-6947 (10:55:36.426 PDT) 49827<-6947 (10:55:48.802 PDT) 50059<-6947 (10:59:01.613 PDT) 49860<-6947 (10:56:19.389 PDT) 49880<-6947 (10:56:39.334 PDT) 49907<-6947 (10:56:59.640 PDT) 49934<-6947 (10:57:14.893 PDT) 59301<-6947 (11:00:31.400 PDT) 49953<-6947 (10:57:27.280 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368986019.894 1368986019.895 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 
0.8) Infected Target: 192.168.1.102 Infector List: 192.77.126.50, 94.61.243.71 Egg Source List: 94.61.243.71 C & C List: Peer Coord. List: Resource List: Observed Start: 05/19/2013 10:57:54.451 PDT Gen. Time: 05/19/2013 10:57:54.451 PDT INBOUND SCAN EXPLOIT 192.77.126.50 (11:00:48.570 PDT) event=1:22472 {tcp} E2[rb] GPL NETBIOS SMB-DS C$ unicode share access, [] MAC_Dst: 00:21:5A:08:EC:40 445<-25143 (11:00:48.570 PDT) 94.61.243.71 (2) (11:00:48.282 PDT) event=1:22009201 (2) {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-4328 (11:00:48.282 PDT) 445<-2064 (11:01:02.731 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 94.61.243.71 (10:57:54.451 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 49989<-6947 (10:57:54.451 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368986274.451 1368986274.452 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 192.77.126.50, 94.61.243.71 Egg Source List: 94.61.243.71 C & C List: Peer Coord. List: Resource List: Observed Start: 05/19/2013 10:57:54.451 PDT Gen. 
Time: 05/19/2013 10:58:44.722 PDT INBOUND SCAN EXPLOIT 192.77.126.50 (11:00:48.570 PDT) event=1:22472 {tcp} E2[rb] GPL NETBIOS SMB-DS C$ unicode share access, [] MAC_Dst: 00:21:5A:08:EC:40 445<-25143 (11:00:48.570 PDT) 94.61.243.71 (5) (11:00:48.282 PDT) event=1:22009201 (5) {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-4328 (11:00:48.282 PDT) 445<-2064 (11:01:02.731 PDT) 445<-2919 (11:01:18.195 PDT) 445<-4140 (11:01:38.002 PDT) 445<-1763 (11:02:01.527 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 94.61.243.71 (4) (10:57:54.451 PDT) event=1:2001685 (4) {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 49989<-6947 (10:57:54.451 PDT) 50017<-6947 (10:58:11.613 PDT) 59365<-6947 (11:01:42.575 PDT) 50048<-6947 (10:58:44.722 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368986274.451 1368986274.452 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 94.61.243.71 Egg Source List: 94.61.243.71 C & C List: Peer Coord. List: Resource List: Observed Start: 05/19/2013 11:02:21.246 PDT Gen. 
Time: 05/19/2013 11:02:27.374 PDT INBOUND SCAN EXPLOIT 94.61.243.71 (11:02:21.246 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-3519 (11:02:21.246 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 94.61.243.71 (11:02:27.374 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 59418<-6947 (11:02:27.374 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368986541.246 1368986541.247 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 192.77.126.50, 94.61.243.71 Egg Source List: 94.61.243.71 C & C List: Peer Coord. List: Resource List: Observed Start: 05/19/2013 10:59:14.120 PDT Gen. 
Time: 05/19/2013 10:59:47.278 PDT INBOUND SCAN EXPLOIT 192.77.126.50 (11:02:31.898 PDT) event=1:22472 {tcp} E2[rb] GPL NETBIOS SMB-DS C$ unicode share access, [] MAC_Dst: 00:21:5A:08:EC:40 445<-48390 (11:02:31.898 PDT) 94.61.243.71 (3) (11:02:21.246 PDT) event=1:22009201 (3) {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-3519 (11:02:21.246 PDT) 445<-1564 (11:02:47.350 PDT) 445<-3445 (11:03:07.618 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 94.61.243.71 (4) (10:59:14.120 PDT) event=1:2001685 (4) {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 59418<-6947 (11:02:27.374 PDT) 50068<-6947 (10:59:14.120 PDT) 50079<-6947 (10:59:30.683 PDT) 59241<-6947 (10:59:47.278 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368986354.120 1368986354.121 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 164.40.187.251, 94.61.243.71 Egg Source List: 94.61.243.71 C & C List: Peer Coord. List: Resource List: Observed Start: 05/19/2013 11:00:13.710 PDT Gen. 
Time: 05/19/2013 11:00:13.710 PDT INBOUND SCAN EXPLOIT 164.40.187.251 (11:03:29.591 PDT) event=1:22465 {tcp} E2[rb] GPL NETBIOS SMB-DS IPC$ share access, [] MAC_Dst: 00:21:5A:08:EC:40 445<-4882 (11:03:29.591 PDT) 94.61.243.71 (11:03:41.267 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-1295 (11:03:41.267 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 94.61.243.71 (11:00:13.710 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 59279<-6947 (11:00:13.710 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368986413.710 1368986413.711 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 46.121.234.89, 192.77.126.50, 114.41.226.139, 164.40.187.251, 94.61.243.71 Egg Source List: 114.41.226.139, 94.61.243.71 C & C List: Peer Coord. List: Resource List: Observed Start: 05/19/2013 11:00:13.710 PDT Gen. 
Time: 05/19/2013 11:07:27.107 PDT INBOUND SCAN EXPLOIT 46.121.234.89 (11:06:55.953 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-2193 (11:06:55.953 PDT) 192.77.126.50 (2) (11:04:17.762 PDT) event=1:22469 (2) {tcp} E2[rb] GPL NETBIOS SMB-DS D$ unicode share access, [] MAC_Dst: 00:21:5A:08:EC:40 445<-47433 (11:04:17.762 PDT) 445<-10638 (11:05:58.343 PDT) 114.41.226.139 (11:06:13.085 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-2512 (11:06:13.085 PDT) 164.40.187.251 (11:03:29.591 PDT) event=1:22465 {tcp} E2[rb] GPL NETBIOS SMB-DS IPC$ share access, [] MAC_Dst: 00:21:5A:08:EC:40 445<-4882 (11:03:29.591 PDT) 94.61.243.71 (10) (11:03:41.267 PDT) event=1:22009201 (10) {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-1295 (11:03:41.267 PDT) 445<-4023 (11:03:59.659 PDT) 445<-1611 (11:04:31.339 PDT) 445<-3909 (11:04:50.031 PDT) 445<-1477 (11:05:14.873 PDT) 445<-4032 (11:05:37.375 PDT) 445<-2965 (11:06:21.020 PDT) 445<-4678 (11:06:36.388 PDT) 445<-2011 (11:07:06.058 PDT) 445<-3912 (11:07:20.263 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 114.41.226.139 (11:06:17.567 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 33777<-9252 (11:06:17.567 PDT) 94.61.243.71 (11) (11:00:13.710 PDT) event=1:2001685 (11) {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 59279<-6947 (11:00:13.710 PDT) 38771<-6947 (11:04:54.281 PDT) 59329<-6947 (11:00:53.500 PDT) 59343<-6947 (11:01:05.474 PDT) 38797<-6947 (11:05:21.251 PDT) 59350<-6947 (11:01:21.374 PDT) 38817<-6947 (11:05:46.244 PDT) 59393<-6947 (11:02:05.880 PDT) 38877<-6947 (11:06:41.108 PDT) 59441<-6947 (11:02:51.046 PDT) 59467<-6947 (11:03:12.044 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE 
CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368986413.710 1368986413.711 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 94.61.243.71 Egg Source List: 94.61.243.71 C & C List: Peer Coord. List: Resource List: Observed Start: 05/19/2013 11:03:47.736 PDT Gen. Time: 05/19/2013 11:03:47.736 PDT INBOUND SCAN EXPLOIT 94.61.243.71 (11:07:52.579 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-1206 (11:07:52.579 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 94.61.243.71 (11:03:47.736 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 59530<-6947 (11:03:47.736 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368986627.736 1368986627.737 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 192.77.126.50, 94.61.243.71 Egg Source List: 94.61.243.71 C & C List: Peer Coord. List: Resource List: Observed Start: 05/19/2013 11:03:47.736 PDT Gen. 
Time: 05/19/2013 11:06:23.997 PDT INBOUND SCAN EXPLOIT 192.77.126.50 (11:09:22.412 PDT) event=1:22475 {tcp} E2[rb] GPL NETBIOS SMB-DS ADMIN$ unicode share access, [] MAC_Dst: 00:21:5A:08:EC:40 445<-14209 (11:09:22.412 PDT) 94.61.243.71 (10) (11:07:52.579 PDT-11:09:32.272 PDT) event=1:22009201 (10) {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-3336 (11:10:11.428 PDT) 2: 445<-4228 (11:09:31.716 PDT-11:09:32.272 PDT) 445<-3427 (11:09:11.478 PDT) 445<-1585 (11:08:39.152 PDT) 445<-2343 (11:08:56.476 PDT) 445<-3097 (11:08:05.494 PDT) 445<-1708 (11:09:44.116 PDT) 445<-4053 (11:08:22.959 PDT) 445<-1206 (11:07:52.579 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 94.61.243.71 (5) (11:03:47.736 PDT) event=1:2001685 (5) {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 59530<-6947 (11:03:47.736 PDT) 59579<-6947 (11:04:04.210 PDT) 38977<-6947 (11:08:27.981 PDT) 59606<-6947 (11:04:33.903 PDT) 38857<-6947 (11:06:23.997 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368986627.736 1368986972.273 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 94.61.243.71 Egg Source List: 94.61.243.71 C & C List: Peer Coord. List: Resource List: Observed Start: 05/19/2013 11:07:10.714 PDT Gen. 
Time: 05/19/2013 11:07:10.714 PDT INBOUND SCAN EXPLOIT 94.61.243.71 (3) (11:10:25.392 PDT) event=1:22009201 (3) {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-4522 (11:10:25.392 PDT) 445<-1740 (11:10:41.013 PDT) 445<-2857 (11:10:53.920 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 94.61.243.71 (11:07:10.714 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 38910<-6947 (11:07:10.714 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368986830.714 1368986830.715 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 192.77.126.50, 94.61.243.71 Egg Source List: 94.61.243.71 C & C List: Peer Coord. List: Resource List: Observed Start: 05/19/2013 11:07:10.714 PDT Gen. 
Time: 05/19/2013 11:14:30.284 PDT INBOUND SCAN EXPLOIT 192.77.126.50 (3) (11:11:03.015 PDT) event=1:22472 (2) {tcp} E2[rb] GPL NETBIOS SMB-DS C$ unicode share access, [] MAC_Dst: 00:21:5A:08:EC:40 445<-29593 (11:12:10.631 PDT) 445<-18732 (11:13:20.925 PDT) ------------------------- event=1:22475 {tcp} E2[rb] GPL NETBIOS SMB-DS ADMIN$ unicode share access, [] MAC_Dst: 00:21:5A:08:EC:40 445<-25794 (11:11:03.015 PDT) 94.61.243.71 (13) (11:10:25.392 PDT) event=1:22009201 (13) {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-4522 (11:10:25.392 PDT) 445<-1740 (11:10:41.013 PDT) 445<-2857 (11:10:53.920 PDT) 445<-4052 (11:11:14.216 PDT) 445<-1458 (11:11:27.403 PDT) 445<-2338 (11:11:42.445 PDT) 445<-3619 (11:11:58.335 PDT) 445<-4623 (11:12:20.155 PDT) 445<-2367 (11:12:33.099 PDT) 445<-4151 (11:13:11.800 PDT) 445<-2487 (11:13:33.837 PDT) 445<-1422 (11:14:10.277 PDT) 445<-2769 (11:14:24.770 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 94.61.243.71 (12) (11:07:10.714 PDT) event=1:2001685 (12) {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 38910<-6947 (11:07:10.714 PDT) 38921<-6947 (11:07:23.461 PDT) 38947<-6947 (11:07:55.762 PDT) 38960<-6947 (11:08:08.664 PDT) 38991<-6947 (11:08:42.364 PDT) 39013<-6947 (11:09:01.459 PDT) 39033<-6947 (11:09:14.383 PDT) 56780<-6947 (11:13:16.755 PDT) 39046<-6947 (11:09:35.054 PDT) 56501<-6947 (11:09:47.256 PDT) 56536<-6947 (11:10:15.063 PDT) 56555<-6947 (11:10:27.944 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368986830.714 1368986830.715 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR 
================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 94.61.243.71 Egg Source List: 94.61.243.71 C & C List: Peer Coord. List: Resource List: Observed Start: 05/19/2013 11:10:44.404 PDT Gen. Time: 05/19/2013 11:14:54.321 PDT INBOUND SCAN EXPLOIT 94.61.243.71 (11:14:54.321 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-4190 (11:14:54.321 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 94.61.243.71 (2) (11:10:44.404 PDT) event=1:2001685 (2) {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 56578<-6947 (11:10:44.404 PDT) 56601<-6947 (11:10:56.900 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368987044.404 1368987044.405 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 192.77.126.50, 94.61.243.71 Egg Source List: 94.61.243.71 C & C List: Peer Coord. List: Resource List: Observed Start: 05/19/2013 11:10:44.404 PDT Gen. 
Time: 05/19/2013 11:12:38.324 PDT INBOUND SCAN EXPLOIT 192.77.126.50 (11:15:04.840 PDT) event=1:22469 {tcp} E2[rb] GPL NETBIOS SMB-DS D$ unicode share access, [] MAC_Dst: 00:21:5A:08:EC:40 445<-40553 (11:15:04.840 PDT) 94.61.243.71 (2) (11:14:54.321 PDT) event=1:22009201 (2) {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-4190 (11:14:54.321 PDT) 445<-1991 (11:15:17.682 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 94.61.243.71 (9) (11:10:44.404 PDT) event=1:2001685 (9) {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 56578<-6947 (11:10:44.404 PDT) 56601<-6947 (11:10:56.900 PDT) 35968<-6947 (11:15:02.432 PDT) 56627<-6947 (11:11:17.122 PDT) 56641<-6947 (11:11:30.485 PDT) 56666<-6947 (11:11:46.410 PDT) 56692<-6947 (11:12:01.605 PDT) 56715<-6947 (11:12:22.798 PDT) 56732<-6947 (11:12:38.324 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368987044.404 1368987044.405 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 94.61.243.71 Egg Source List: 94.61.243.71 C & C List: Peer Coord. List: Resource List: Observed Start: 05/19/2013 11:13:37.852 PDT Gen. 
Time: 05/19/2013 11:13:37.852 PDT INBOUND SCAN EXPLOIT 94.61.243.71 (4) (11:15:41.351 PDT) event=1:22009201 (4) {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-3315 (11:15:41.351 PDT) 445<-4579 (11:15:53.925 PDT) 445<-1510 (11:16:10.425 PDT) 445<-2589 (11:16:26.075 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 94.61.243.71 (11:13:37.852 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 56809<-6947 (11:13:37.852 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368987217.852 1368987217.853 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 192.77.126.50, 123.53.251.71, 94.61.243.71 Egg Source List: 94.61.243.71 C & C List: Peer Coord. List: Resource List: Observed Start: 05/19/2013 11:13:37.852 PDT Gen. 
Time: 05/19/2013 11:22:22.563 PDT INBOUND SCAN EXPLOIT 192.77.126.50 (11:16:43.778 PDT) event=1:22469 {tcp} E2[rb] GPL NETBIOS SMB-DS D$ unicode share access, [] MAC_Dst: 00:21:5A:08:EC:40 445<-30183 (11:16:43.778 PDT) 123.53.251.71 (11:18:41.302 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-2390 (11:18:41.302 PDT) 94.61.243.71 (10) (11:15:41.351 PDT) event=1:22009201 (10) {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-3315 (11:15:41.351 PDT) 445<-4579 (11:15:53.925 PDT) 445<-1510 (11:16:10.425 PDT) 445<-2589 (11:16:26.075 PDT) 445<-3492 (11:16:43.354 PDT) 445<-4668 (11:16:58.666 PDT) 445<-1668 (11:17:16.274 PDT) 445<-2760 (11:17:47.727 PDT) 445<-1060 (11:18:09.338 PDT) 445<-2315 (11:18:36.452 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 94.61.243.71 (14) (11:13:37.852 PDT) event=1:2001685 (14) {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 56809<-6947 (11:13:37.852 PDT) 36111<-6947 (11:16:48.410 PDT) 56856<-6947 (11:14:13.605 PDT) 56873<-6947 (11:14:27.484 PDT) 36000<-6947 (11:15:22.208 PDT) 36299<-6947 (11:18:41.477 PDT) 36028<-6947 (11:15:44.200 PDT) 36048<-6947 (11:15:57.292 PDT) 36066<-6947 (11:16:13.572 PDT) 36088<-6947 (11:16:29.159 PDT) 36124<-6947 (11:17:02.112 PDT) 36149<-6947 (11:17:20.313 PDT) 36225<-6947 (11:17:53.667 PDT) 36259<-6947 (11:18:12.173 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1368987217.852 1368987217.853 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================