Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.98
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/20/2013 12:58:32.775 PDT
Gen. Time: 05/20/2013 12:58:32.775 PDT
  INBOUND SCAN
  EXPLOIT
  EXPLOIT MALWARE DNS
  EGG DOWNLOAD
  C and C TRAFFIC
  C and C TRAFFIC (RBN)
  C and C DNS CHECK-IN
  OUTBOUND SKYPE CANDIDATE
  OUTBOUND SCAN (spp)
  OUTBOUND SCAN
  ATTACK PREP
  PEER COORDINATION Info
  PEER COORDINATION
  DECLARE BOT Standard Port
  DECLARE BOT Non-standard Port
  DECLARE BOT Local Threat Triggered
  DECLARE BOT
  OUTBOUND INTENSE MALWARE PORT SCAN
    190.68.96.118 (12:58:32.775 PDT)
      event=777:7777008 {icmp} E8[bh] Detected intense malware port scanning of 21 IPs (21 /24s) (# pkts S/M/O/I=0/21/0/0): 445:21, [] MAC_Src: 00:21:1C:EE:14:00 (12:58:32.775 PDT)

tcpslice 1369079912.775 1369079912.776 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.98
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/20/2013 13:01:00.911 PDT
Gen. Time: 05/20/2013 13:01:00.911 PDT
  INBOUND SCAN
  EXPLOIT
  EXPLOIT MALWARE DNS
  EGG DOWNLOAD
  C and C TRAFFIC
  C and C TRAFFIC (RBN)
  C and C DNS CHECK-IN
  OUTBOUND SKYPE CANDIDATE
  OUTBOUND SCAN (spp)
  OUTBOUND SCAN
  ATTACK PREP
  PEER COORDINATION Info
  PEER COORDINATION
  DECLARE BOT Standard Port
  DECLARE BOT Non-standard Port
  DECLARE BOT Local Threat Triggered
  DECLARE BOT
  OUTBOUND INTENSE MALWARE PORT SCAN
    190.68.96.118 (13:01:00.911 PDT)
      event=777:7777008 {icmp} E8[bh] Detected intense malware port scanning of 22 IPs (22 /24s) (# pkts S/M/O/I=0/22/0/0): 445:22, [] MAC_Src: 00:21:1C:EE:14:00 (13:01:00.911 PDT)

tcpslice 1369080060.911 1369080060.912 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.98
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/20/2013 13:06:17.379 PDT
Gen. Time: 05/20/2013 13:06:17.379 PDT
  INBOUND SCAN
  EXPLOIT
  EXPLOIT MALWARE DNS
  EGG DOWNLOAD
  C and C TRAFFIC
  C and C TRAFFIC (RBN)
  C and C DNS CHECK-IN
  OUTBOUND SKYPE CANDIDATE
  OUTBOUND SCAN (spp)
  OUTBOUND SCAN
  ATTACK PREP
  PEER COORDINATION Info
  PEER COORDINATION
  DECLARE BOT Standard Port
  DECLARE BOT Non-standard Port
  DECLARE BOT Local Threat Triggered
  DECLARE BOT
  OUTBOUND INTENSE MALWARE PORT SCAN
    190.68.96.118 (13:06:17.379 PDT)
      event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 23 IPs (23 /24s) (# pkts S/M/O/I=0/23/0/0): 445:23, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (13:06:17.379 PDT)

tcpslice 1369080377.379 1369080377.380 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.98
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/20/2013 16:10:48.631 PDT
Gen. Time: 05/20/2013 16:10:48.631 PDT
  INBOUND SCAN
  EXPLOIT
  EXPLOIT MALWARE DNS
  EGG DOWNLOAD
  C and C TRAFFIC
  C and C TRAFFIC (RBN)
  C and C DNS CHECK-IN
  OUTBOUND SKYPE CANDIDATE
  OUTBOUND SCAN (spp)
  OUTBOUND SCAN
  ATTACK PREP
  PEER COORDINATION Info
  PEER COORDINATION
  DECLARE BOT Standard Port
  DECLARE BOT Non-standard Port
  DECLARE BOT Local Threat Triggered
  DECLARE BOT
  OUTBOUND INTENSE MALWARE PORT SCAN
    190.13.21.95 (16:10:48.631 PDT)
      event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 21 IPs (21 /24s) (# pkts S/M/O/I=0/21/0/0): 445:21, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (16:10:48.631 PDT)

tcpslice 1369091448.631 1369091448.632 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.98
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/20/2013 16:10:48.631 PDT
Gen. Time: 05/20/2013 16:14:29.070 PDT
  INBOUND SCAN
  EXPLOIT
  EXPLOIT MALWARE DNS
  EGG DOWNLOAD
  C and C TRAFFIC
  C and C TRAFFIC (RBN)
  C and C DNS CHECK-IN
  OUTBOUND SKYPE CANDIDATE
  OUTBOUND SCAN (spp)
  OUTBOUND SCAN
  ATTACK PREP
  PEER COORDINATION Info
  PEER COORDINATION
  DECLARE BOT Standard Port
  DECLARE BOT Non-standard Port
  DECLARE BOT Local Threat Triggered
  DECLARE BOT
  OUTBOUND INTENSE MALWARE PORT SCAN
    190.13.21.95 (2) (16:10:48.631 PDT)
      event=777:7777008 (2) {tcp} E8[bh] Detected intense malware port scanning of 21 IPs (21 /24s) (# pkts S/M/O/I=0/21/0/0): 445:21, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (16:10:48.631 PDT) 0->0 (16:14:00.829 PDT)

tcpslice 1369091448.631 1369091448.632 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.98
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/20/2013 16:15:47.168 PDT
Gen. Time: 05/20/2013 16:15:47.168 PDT
  INBOUND SCAN
  EXPLOIT
  EXPLOIT MALWARE DNS
  EGG DOWNLOAD
  C and C TRAFFIC
  C and C TRAFFIC (RBN)
  C and C DNS CHECK-IN
  OUTBOUND SKYPE CANDIDATE
  OUTBOUND SCAN (spp)
  OUTBOUND SCAN
  ATTACK PREP
  PEER COORDINATION Info
  PEER COORDINATION
  DECLARE BOT Standard Port
  DECLARE BOT Non-standard Port
  DECLARE BOT Local Threat Triggered
  DECLARE BOT
  OUTBOUND INTENSE MALWARE PORT SCAN
    190.13.21.95 (16:15:47.168 PDT)
      event=777:7777008 {icmp} E8[bh] Detected intense malware port scanning of 23 IPs (23 /24s) (# pkts S/M/O/I=0/23/0/0): 445:23, [] MAC_Src: 00:21:1C:EE:14:00 (16:15:47.168 PDT)

tcpslice 1369091747.168 1369091747.169 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.98
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/20/2013 16:15:47.168 PDT
Gen. Time: 05/20/2013 16:19:05.518 PDT
  INBOUND SCAN
  EXPLOIT
  EXPLOIT MALWARE DNS
  EGG DOWNLOAD
  C and C TRAFFIC
  C and C TRAFFIC (RBN)
  C and C DNS CHECK-IN
  OUTBOUND SKYPE CANDIDATE
  OUTBOUND SCAN (spp)
  OUTBOUND SCAN
  ATTACK PREP
  PEER COORDINATION Info
  PEER COORDINATION
  DECLARE BOT Standard Port
  DECLARE BOT Non-standard Port
  DECLARE BOT Local Threat Triggered
  DECLARE BOT
  OUTBOUND INTENSE MALWARE PORT SCAN
    190.13.21.95 (2) (16:15:47.168 PDT)
      event=777:7777008 (2) {icmp} E8[bh] Detected intense malware port scanning of 23 IPs (23 /24s) (# pkts S/M/O/I=0/23/0/0): 445:23, [] MAC_Src: 00:21:1C:EE:14:00 (16:15:47.168 PDT) 0->0 (16:17:21.124 PDT)

tcpslice 1369091747.168 1369091747.169 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98'
============================== SEPARATOR ================================
Score: 1.1 (>= 0.8)
Infected Target: 192.168.1.98
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/20/2013 16:34:48.918 PDT
Gen. Time: 05/20/2013 16:34:58.306 PDT
  INBOUND SCAN
  EXPLOIT
  EXPLOIT MALWARE DNS
  EGG DOWNLOAD
  C and C TRAFFIC
  C and C TRAFFIC (RBN)
  C and C DNS CHECK-IN
  OUTBOUND SKYPE CANDIDATE
  OUTBOUND SCAN (spp)
    114.69.242.47 (16:34:48.918 PDT)
      event=777:7777005 {icmp} E5[bh] Detected moderate malware port scanning of 10 IPs (10 /24s) (# pkts S/M/O/I=0/10/0/0): 445:10, [] MAC_Src: 00:21:1C:EE:14:00 (16:34:48.918 PDT)
  OUTBOUND SCAN
  ATTACK PREP
  PEER COORDINATION Info
  PEER COORDINATION
  DECLARE BOT Standard Port
  DECLARE BOT Non-standard Port
  DECLARE BOT Local Threat Triggered
  DECLARE BOT
  OUTBOUND INTENSE MALWARE PORT SCAN
    77.101.0.31 (16:34:58.306 PDT)
      event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 21 IPs (21 /24s) (# pkts S/M/O/I=0/21/0/0): 445:21, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (16:34:58.306 PDT)

tcpslice 1369092888.918 1369092888.919 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.98
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/20/2013 16:38:32.475 PDT
Gen. Time: 05/20/2013 16:38:32.475 PDT
  INBOUND SCAN
  EXPLOIT
  EXPLOIT MALWARE DNS
  EGG DOWNLOAD
  C and C TRAFFIC
  C and C TRAFFIC (RBN)
  C and C DNS CHECK-IN
  OUTBOUND SKYPE CANDIDATE
  OUTBOUND SCAN (spp)
  OUTBOUND SCAN
  ATTACK PREP
  PEER COORDINATION Info
  PEER COORDINATION
  DECLARE BOT Standard Port
  DECLARE BOT Non-standard Port
  DECLARE BOT Local Threat Triggered
  DECLARE BOT
  OUTBOUND INTENSE MALWARE PORT SCAN
    77.101.0.31 (16:38:32.475 PDT)
      event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 44 IPs (44 /24s) (# pkts S/M/O/I=0/44/0/0): 445:44, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (16:38:32.475 PDT)

tcpslice 1369093112.475 1369093112.476 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.98
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/20/2013 16:42:17.189 PDT
Gen. Time: 05/20/2013 16:42:17.189 PDT
  INBOUND SCAN
  EXPLOIT
  EXPLOIT MALWARE DNS
  EGG DOWNLOAD
  C and C TRAFFIC
  C and C TRAFFIC (RBN)
  C and C DNS CHECK-IN
  OUTBOUND SKYPE CANDIDATE
  OUTBOUND SCAN (spp)
  OUTBOUND SCAN
  ATTACK PREP
  PEER COORDINATION Info
  PEER COORDINATION
  DECLARE BOT Standard Port
  DECLARE BOT Non-standard Port
  DECLARE BOT Local Threat Triggered
  DECLARE BOT
  OUTBOUND INTENSE MALWARE PORT SCAN
    77.101.0.31 (16:42:17.189 PDT)
      event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 45 IPs (45 /24s) (# pkts S/M/O/I=0/45/0/0): 445:45, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (16:42:17.189 PDT)

tcpslice 1369093337.189 1369093337.190 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.98
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/20/2013 16:44:17.199 PDT
Gen. Time: 05/20/2013 16:44:17.199 PDT
  INBOUND SCAN
  EXPLOIT
  EXPLOIT MALWARE DNS
  EGG DOWNLOAD
  C and C TRAFFIC
  C and C TRAFFIC (RBN)
  C and C DNS CHECK-IN
  OUTBOUND SKYPE CANDIDATE
  OUTBOUND SCAN (spp)
  OUTBOUND SCAN
  ATTACK PREP
  PEER COORDINATION Info
  PEER COORDINATION
  DECLARE BOT Standard Port
  DECLARE BOT Non-standard Port
  DECLARE BOT Local Threat Triggered
  DECLARE BOT
  OUTBOUND INTENSE MALWARE PORT SCAN
    77.101.0.31 (16:44:17.199 PDT)
      event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 46 IPs (46 /24s) (# pkts S/M/O/I=0/46/0/0): 445:46, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (16:44:17.199 PDT)

tcpslice 1369093457.199 1369093457.200 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98'
============================== SEPARATOR ================================
Score: 1.1 (>= 0.8)
Infected Target: 192.168.1.98
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/20/2013 17:39:58.468 PDT
Gen. Time: 05/20/2013 17:42:38.697 PDT
  INBOUND SCAN
  EXPLOIT
  EXPLOIT MALWARE DNS
  EGG DOWNLOAD
  C and C TRAFFIC
  C and C TRAFFIC (RBN)
  C and C DNS CHECK-IN
  OUTBOUND SKYPE CANDIDATE
  OUTBOUND SCAN (spp)
    186.47.155.99 (17:39:58.468 PDT)
      event=777:7777005 {tcp} E5[bh] Detected moderate malware port scanning of 20 IPs (20 /24s) (# pkts S/M/O/I=0/20/0/0): 445:20, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (17:39:58.468 PDT)
  OUTBOUND SCAN
  ATTACK PREP
  PEER COORDINATION Info
  PEER COORDINATION
  DECLARE BOT Standard Port
  DECLARE BOT Non-standard Port
  DECLARE BOT Local Threat Triggered
  DECLARE BOT
  OUTBOUND INTENSE MALWARE PORT SCAN
    186.47.155.99 (17:42:38.697 PDT)
      event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 21 IPs (21 /24s) (# pkts S/M/O/I=0/21/0/0): 445:21, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (17:42:38.697 PDT)

tcpslice 1369096798.468 1369096798.469 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.98
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/20/2013 17:44:08.327 PDT
Gen. Time: 05/20/2013 17:44:08.327 PDT
  INBOUND SCAN
  EXPLOIT
  EXPLOIT MALWARE DNS
  EGG DOWNLOAD
  C and C TRAFFIC
  C and C TRAFFIC (RBN)
  C and C DNS CHECK-IN
  OUTBOUND SKYPE CANDIDATE
  OUTBOUND SCAN (spp)
  OUTBOUND SCAN
  ATTACK PREP
  PEER COORDINATION Info
  PEER COORDINATION
  DECLARE BOT Standard Port
  DECLARE BOT Non-standard Port
  DECLARE BOT Local Threat Triggered
  DECLARE BOT
  OUTBOUND INTENSE MALWARE PORT SCAN
    186.47.155.99 (17:44:08.327 PDT)
      event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 22 IPs (22 /24s) (# pkts S/M/O/I=0/22/0/0): 445:22, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (17:44:08.327 PDT)

tcpslice 1369097048.327 1369097048.328 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.98
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/20/2013 17:44:08.327 PDT
Gen. Time: 05/20/2013 17:48:09.798 PDT
  INBOUND SCAN
  EXPLOIT
  EXPLOIT MALWARE DNS
  EGG DOWNLOAD
  C and C TRAFFIC
  C and C TRAFFIC (RBN)
  C and C DNS CHECK-IN
  OUTBOUND SKYPE CANDIDATE
  OUTBOUND SCAN (spp)
  OUTBOUND SCAN
  ATTACK PREP
  PEER COORDINATION Info
  PEER COORDINATION
  DECLARE BOT Standard Port
  DECLARE BOT Non-standard Port
  DECLARE BOT Local Threat Triggered
  DECLARE BOT
  OUTBOUND INTENSE MALWARE PORT SCAN
    186.47.155.99 (2) (17:44:08.327 PDT)
      event=777:7777008 (2) {tcp} E8[bh] Detected intense malware port scanning of 22 IPs (22 /24s) (# pkts S/M/O/I=0/22/0/0): 445:22, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (17:44:08.327 PDT) 0->0 (17:47:41.858 PDT)

tcpslice 1369097048.327 1369097048.328 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.98
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/20/2013 17:52:47.719 PDT
Gen. Time: 05/20/2013 17:52:47.719 PDT
  INBOUND SCAN
  EXPLOIT
  EXPLOIT MALWARE DNS
  EGG DOWNLOAD
  C and C TRAFFIC
  C and C TRAFFIC (RBN)
  C and C DNS CHECK-IN
  OUTBOUND SKYPE CANDIDATE
  OUTBOUND SCAN (spp)
  OUTBOUND SCAN
  ATTACK PREP
  PEER COORDINATION Info
  PEER COORDINATION
  DECLARE BOT Standard Port
  DECLARE BOT Non-standard Port
  DECLARE BOT Local Threat Triggered
  DECLARE BOT
  OUTBOUND INTENSE MALWARE PORT SCAN
    186.47.155.99 (17:52:47.719 PDT)
      event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 25 IPs (25 /24s) (# pkts S/M/O/I=0/25/0/0): 445:25, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (17:52:47.719 PDT)

tcpslice 1369097567.719 1369097567.720 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.98
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/20/2013 17:52:47.719 PDT
Gen. Time: 05/20/2013 17:56:18.037 PDT
  INBOUND SCAN
  EXPLOIT
  EXPLOIT MALWARE DNS
  EGG DOWNLOAD
  C and C TRAFFIC
  C and C TRAFFIC (RBN)
  C and C DNS CHECK-IN
  OUTBOUND SKYPE CANDIDATE
  OUTBOUND SCAN (spp)
  OUTBOUND SCAN
  ATTACK PREP
  PEER COORDINATION Info
  PEER COORDINATION
  DECLARE BOT Standard Port
  DECLARE BOT Non-standard Port
  DECLARE BOT Local Threat Triggered
  DECLARE BOT
  OUTBOUND INTENSE MALWARE PORT SCAN
    186.47.155.99 (2) (17:52:47.719 PDT)
      event=777:7777008 (2) {tcp} E8[bh] Detected intense malware port scanning of 25 IPs (25 /24s) (# pkts S/M/O/I=0/25/0/0): 445:25, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (17:52:47.719 PDT) 0->0 (17:54:24.598 PDT)

tcpslice 1369097567.719 1369097567.720 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.98
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/20/2013 17:59:31.350 PDT
Gen. Time: 05/20/2013 17:59:31.350 PDT
  INBOUND SCAN
  EXPLOIT
  EXPLOIT MALWARE DNS
  EGG DOWNLOAD
  C and C TRAFFIC
  C and C TRAFFIC (RBN)
  C and C DNS CHECK-IN
  OUTBOUND SKYPE CANDIDATE
  OUTBOUND SCAN (spp)
  OUTBOUND SCAN
  ATTACK PREP
  PEER COORDINATION Info
  PEER COORDINATION
  DECLARE BOT Standard Port
  DECLARE BOT Non-standard Port
  DECLARE BOT Local Threat Triggered
  DECLARE BOT
  OUTBOUND INTENSE MALWARE PORT SCAN
    186.47.155.99 (17:59:31.350 PDT)
      event=777:7777008 {icmp} E8[bh] Detected intense malware port scanning of 29 IPs (29 /24s) (# pkts S/M/O/I=0/29/0/0): 445:29, [] MAC_Src: 00:21:1C:EE:14:00 (17:59:31.350 PDT)

tcpslice 1369097971.350 1369097971.351 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.98
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/20/2013 18:04:04.630 PDT
Gen. Time: 05/20/2013 18:04:04.630 PDT
  INBOUND SCAN
  EXPLOIT
  EXPLOIT MALWARE DNS
  EGG DOWNLOAD
  C and C TRAFFIC
  C and C TRAFFIC (RBN)
  C and C DNS CHECK-IN
  OUTBOUND SKYPE CANDIDATE
  OUTBOUND SCAN (spp)
  OUTBOUND SCAN
  ATTACK PREP
  PEER COORDINATION Info
  PEER COORDINATION
  DECLARE BOT Standard Port
  DECLARE BOT Non-standard Port
  DECLARE BOT Local Threat Triggered
  DECLARE BOT
  OUTBOUND INTENSE MALWARE PORT SCAN
    186.47.155.99 (18:04:04.630 PDT)
      event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 30 IPs (30 /24s) (# pkts S/M/O/I=0/30/0/0): 445:30, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (18:04:04.630 PDT)

tcpslice 1369098244.630 1369098244.631 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.98
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/20/2013 18:04:04.630 PDT
Gen. Time: 05/20/2013 18:07:39.978 PDT
  INBOUND SCAN
  EXPLOIT
  EXPLOIT MALWARE DNS
  EGG DOWNLOAD
  C and C TRAFFIC
  C and C TRAFFIC (RBN)
  C and C DNS CHECK-IN
  OUTBOUND SKYPE CANDIDATE
  OUTBOUND SCAN (spp)
  OUTBOUND SCAN
  ATTACK PREP
  PEER COORDINATION Info
  PEER COORDINATION
  DECLARE BOT Standard Port
  DECLARE BOT Non-standard Port
  DECLARE BOT Local Threat Triggered
  DECLARE BOT
  OUTBOUND INTENSE MALWARE PORT SCAN
    181.68.47.56 (18:06:33.111 PDT)
      event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 31 IPs (31 /24s) (# pkts S/M/O/I=0/31/0/0): 445:31, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (18:06:33.111 PDT)
    186.47.155.99 (18:04:04.630 PDT)
      event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 30 IPs (30 /24s) (# pkts S/M/O/I=0/30/0/0): 445:30, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (18:04:04.630 PDT)

tcpslice 1369098244.630 1369098244.631 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.98
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/20/2013 18:11:16.185 PDT
Gen. Time: 05/20/2013 18:11:16.185 PDT
  INBOUND SCAN
  EXPLOIT
  EXPLOIT MALWARE DNS
  EGG DOWNLOAD
  C and C TRAFFIC
  C and C TRAFFIC (RBN)
  C and C DNS CHECK-IN
  OUTBOUND SKYPE CANDIDATE
  OUTBOUND SCAN (spp)
  OUTBOUND SCAN
  ATTACK PREP
  PEER COORDINATION Info
  PEER COORDINATION
  DECLARE BOT Standard Port
  DECLARE BOT Non-standard Port
  DECLARE BOT Local Threat Triggered
  DECLARE BOT
  OUTBOUND INTENSE MALWARE PORT SCAN
    181.68.47.56 (18:11:16.185 PDT)
      event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 32 IPs (32 /24s) (# pkts S/M/O/I=0/32/0/0): 445:32, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (18:11:16.185 PDT)

tcpslice 1369098676.185 1369098676.186 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.98
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/20/2013 18:11:16.185 PDT
Gen. Time: 05/20/2013 18:15:00.726 PDT
  INBOUND SCAN
  EXPLOIT
  EXPLOIT MALWARE DNS
  EGG DOWNLOAD
  C and C TRAFFIC
  C and C TRAFFIC (RBN)
  C and C DNS CHECK-IN
  OUTBOUND SKYPE CANDIDATE
  OUTBOUND SCAN (spp)
  OUTBOUND SCAN
  ATTACK PREP
  PEER COORDINATION Info
  PEER COORDINATION
  DECLARE BOT Standard Port
  DECLARE BOT Non-standard Port
  DECLARE BOT Local Threat Triggered
  DECLARE BOT
  OUTBOUND INTENSE MALWARE PORT SCAN
    181.68.47.56 (2) (18:11:16.185 PDT)
      event=777:7777008 (2) {tcp} E8[bh] Detected intense malware port scanning of 32 IPs (32 /24s) (# pkts S/M/O/I=0/32/0/0): 445:32, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (18:11:16.185 PDT) 0->0 (18:14:36.137 PDT)

tcpslice 1369098676.185 1369098676.186 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.98
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/20/2013 18:16:06.037 PDT
Gen. Time: 05/20/2013 18:16:06.037 PDT
  INBOUND SCAN
  EXPLOIT
  EXPLOIT MALWARE DNS
  EGG DOWNLOAD
  C and C TRAFFIC
  C and C TRAFFIC (RBN)
  C and C DNS CHECK-IN
  OUTBOUND SKYPE CANDIDATE
  OUTBOUND SCAN (spp)
  OUTBOUND SCAN
  ATTACK PREP
  PEER COORDINATION Info
  PEER COORDINATION
  DECLARE BOT Standard Port
  DECLARE BOT Non-standard Port
  DECLARE BOT Local Threat Triggered
  DECLARE BOT
  OUTBOUND INTENSE MALWARE PORT SCAN
    181.68.47.56 (18:16:06.037 PDT)
      event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 34 IPs (34 /24s) (# pkts S/M/O/I=0/34/0/0): 445:34, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (18:16:06.037 PDT)

tcpslice 1369098966.037 1369098966.038 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.98
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/20/2013 18:16:06.037 PDT
Gen. Time: 05/20/2013 18:20:06.961 PDT
  INBOUND SCAN
  EXPLOIT
  EXPLOIT MALWARE DNS
  EGG DOWNLOAD
  C and C TRAFFIC
  C and C TRAFFIC (RBN)
  C and C DNS CHECK-IN
  OUTBOUND SKYPE CANDIDATE
  OUTBOUND SCAN (spp)
  OUTBOUND SCAN
  ATTACK PREP
  PEER COORDINATION Info
  PEER COORDINATION
  DECLARE BOT Standard Port
  DECLARE BOT Non-standard Port
  DECLARE BOT Local Threat Triggered
  DECLARE BOT
  OUTBOUND INTENSE MALWARE PORT SCAN
    181.68.47.56 (3) (18:16:06.037 PDT)
      event=777:7777008 (3) {tcp} E8[bh] Detected intense malware port scanning of 34 IPs (34 /24s) (# pkts S/M/O/I=0/34/0/0): 445:34, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (18:16:06.037 PDT) 0->0 (18:17:54.645 PDT) 0->0 (18:19:37.351 PDT)

tcpslice 1369098966.037 1369098966.038 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.98
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/20/2013 18:22:17.802 PDT
Gen. Time: 05/20/2013 18:22:17.802 PDT
  INBOUND SCAN
  EXPLOIT
  EXPLOIT MALWARE DNS
  EGG DOWNLOAD
  C and C TRAFFIC
  C and C TRAFFIC (RBN)
  C and C DNS CHECK-IN
  OUTBOUND SKYPE CANDIDATE
  OUTBOUND SCAN (spp)
  OUTBOUND SCAN
  ATTACK PREP
  PEER COORDINATION Info
  PEER COORDINATION
  DECLARE BOT Standard Port
  DECLARE BOT Non-standard Port
  DECLARE BOT Local Threat Triggered
  DECLARE BOT
  OUTBOUND INTENSE MALWARE PORT SCAN
    181.68.47.56 (18:22:17.802 PDT)
      event=777:7777008 {icmp} E8[bh] Detected intense malware port scanning of 41 IPs (41 /24s) (# pkts S/M/O/I=0/41/0/0): 445:41, [] MAC_Src: 00:21:1C:EE:14:00 (18:22:17.802 PDT)

tcpslice 1369099337.802 1369099337.803 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.98
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/20/2013 18:22:17.802 PDT
Gen. Time: 05/20/2013 18:24:46.298 PDT
  INBOUND SCAN
  EXPLOIT
  EXPLOIT MALWARE DNS
  EGG DOWNLOAD
  C and C TRAFFIC
  C and C TRAFFIC (RBN)
  C and C DNS CHECK-IN
  OUTBOUND SKYPE CANDIDATE
  OUTBOUND SCAN (spp)
  OUTBOUND SCAN
  ATTACK PREP
  PEER COORDINATION Info
  PEER COORDINATION
  DECLARE BOT Standard Port
  DECLARE BOT Non-standard Port
  DECLARE BOT Local Threat Triggered
  DECLARE BOT
  OUTBOUND INTENSE MALWARE PORT SCAN
    181.68.47.56 (2) (18:22:17.802 PDT)
      event=777:7777008 (2) {icmp} E8[bh] Detected intense malware port scanning of 41 IPs (41 /24s) (# pkts S/M/O/I=0/41/0/0): 445:41, [] MAC_Src: 00:21:1C:EE:14:00 (18:22:17.802 PDT) (18:24:44.137 PDT)

tcpslice 1369099337.802 1369099337.803 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.98
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/20/2013 18:28:25.942 PDT
Gen. Time: 05/20/2013 18:28:25.942 PDT
  INBOUND SCAN
  EXPLOIT
  EXPLOIT MALWARE DNS
  EGG DOWNLOAD
  C and C TRAFFIC
  C and C TRAFFIC (RBN)
  C and C DNS CHECK-IN
  OUTBOUND SKYPE CANDIDATE
  OUTBOUND SCAN (spp)
  OUTBOUND SCAN
  ATTACK PREP
  PEER COORDINATION Info
  PEER COORDINATION
  DECLARE BOT Standard Port
  DECLARE BOT Non-standard Port
  DECLARE BOT Local Threat Triggered
  DECLARE BOT
  OUTBOUND INTENSE MALWARE PORT SCAN
    181.68.47.56 (18:28:25.942 PDT)
      event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 43 IPs (43 /24s) (# pkts S/M/O/I=0/43/0/0): 445:43, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (18:28:25.942 PDT)

tcpslice 1369099705.942 1369099705.943 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.98
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/20/2013 18:28:25.942 PDT
Gen. Time: 05/20/2013 18:32:23.127 PDT
  INBOUND SCAN
  EXPLOIT
  EXPLOIT MALWARE DNS
  EGG DOWNLOAD
  C and C TRAFFIC
  C and C TRAFFIC (RBN)
  C and C DNS CHECK-IN
  OUTBOUND SKYPE CANDIDATE
  OUTBOUND SCAN (spp)
  OUTBOUND SCAN
  ATTACK PREP
  PEER COORDINATION Info
  PEER COORDINATION
  DECLARE BOT Standard Port
  DECLARE BOT Non-standard Port
  DECLARE BOT Local Threat Triggered
  DECLARE BOT
  OUTBOUND INTENSE MALWARE PORT SCAN
    181.68.47.56 (2) (18:28:25.942 PDT)
      event=777:7777008 (2) {tcp} E8[bh] Detected intense malware port scanning of 43 IPs (43 /24s) (# pkts S/M/O/I=0/43/0/0): 445:43, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (18:28:25.942 PDT) 0->0 (18:31:39.861 PDT)

tcpslice 1369099705.942 1369099705.943 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.98
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/20/2013 18:35:27.798 PDT
Gen. Time: 05/20/2013 18:35:27.798 PDT
  INBOUND SCAN
  EXPLOIT
  EXPLOIT MALWARE DNS
  EGG DOWNLOAD
  C and C TRAFFIC
  C and C TRAFFIC (RBN)
  C and C DNS CHECK-IN
  OUTBOUND SKYPE CANDIDATE
  OUTBOUND SCAN (spp)
  OUTBOUND SCAN
  ATTACK PREP
  PEER COORDINATION Info
  PEER COORDINATION
  DECLARE BOT Standard Port
  DECLARE BOT Non-standard Port
  DECLARE BOT Local Threat Triggered
  DECLARE BOT
  OUTBOUND INTENSE MALWARE PORT SCAN
    181.68.47.56 (18:35:27.798 PDT)
      event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 46 IPs (46 /24s) (# pkts S/M/O/I=0/46/0/0): 445:46, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (18:35:27.798 PDT)

tcpslice 1369100127.798 1369100127.799 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.98
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/20/2013 18:35:27.798 PDT
Gen. Time: 05/20/2013 18:39:35.332 PDT
  INBOUND SCAN
  EXPLOIT
  EXPLOIT MALWARE DNS
  EGG DOWNLOAD
  C and C TRAFFIC
  C and C TRAFFIC (RBN)
  C and C DNS CHECK-IN
  OUTBOUND SKYPE CANDIDATE
  OUTBOUND SCAN (spp)
  OUTBOUND SCAN
  ATTACK PREP
  PEER COORDINATION Info
  PEER COORDINATION
  DECLARE BOT Standard Port
  DECLARE BOT Non-standard Port
  DECLARE BOT Local Threat Triggered
  DECLARE BOT
  OUTBOUND INTENSE MALWARE PORT SCAN
    181.68.47.56 (3) (18:35:27.798 PDT)
      event=777:7777008 (3) {tcp} E8[bh] Detected intense malware port scanning of 46 IPs (46 /24s) (# pkts S/M/O/I=0/46/0/0): 445:46, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (18:35:27.798 PDT) 0->0 (18:37:33.772 PDT) (18:39:07.612 PDT)

tcpslice 1369100127.798 1369100127.799 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.98
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/20/2013 18:40:42.811 PDT
Gen. Time: 05/20/2013 18:40:42.811 PDT
  INBOUND SCAN
  EXPLOIT
  EXPLOIT MALWARE DNS
  EGG DOWNLOAD
  C and C TRAFFIC
  C and C TRAFFIC (RBN)
  C and C DNS CHECK-IN
  OUTBOUND SKYPE CANDIDATE
  OUTBOUND SCAN (spp)
  OUTBOUND SCAN
  ATTACK PREP
  PEER COORDINATION Info
  PEER COORDINATION
  DECLARE BOT Standard Port
  DECLARE BOT Non-standard Port
  DECLARE BOT Local Threat Triggered
  DECLARE BOT
  OUTBOUND INTENSE MALWARE PORT SCAN
    181.68.47.56 (18:40:42.811 PDT)
      event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 52 IPs (52 /24s) (# pkts S/M/O/I=0/52/0/0): 445:52, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (18:40:42.811 PDT)

tcpslice 1369100442.811 1369100442.812 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.98
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/20/2013 18:40:42.811 PDT
Gen. Time: 05/20/2013 18:44:24.398 PDT
  INBOUND SCAN
  EXPLOIT
  EXPLOIT MALWARE DNS
  EGG DOWNLOAD
  C and C TRAFFIC
  C and C TRAFFIC (RBN)
  C and C DNS CHECK-IN
  OUTBOUND SKYPE CANDIDATE
  OUTBOUND SCAN (spp)
  OUTBOUND SCAN
  ATTACK PREP
  PEER COORDINATION Info
  PEER COORDINATION
  DECLARE BOT Standard Port
  DECLARE BOT Non-standard Port
  DECLARE BOT Local Threat Triggered
  DECLARE BOT
  OUTBOUND INTENSE MALWARE PORT SCAN
    181.68.47.56 (2) (18:40:42.811 PDT)
      event=777:7777008 (2) {tcp} E8[bh] Detected intense malware port scanning of 52 IPs (52 /24s) (# pkts S/M/O/I=0/52/0/0): 445:52, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (18:40:42.811 PDT) 0->0 (18:42:16.431 PDT)

tcpslice 1369100442.811 1369100442.812 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.98
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/20/2013 18:46:33.457 PDT
Gen. Time: 05/20/2013 18:46:33.457 PDT
  INBOUND SCAN
  EXPLOIT
  EXPLOIT MALWARE DNS
  EGG DOWNLOAD
  C and C TRAFFIC
  C and C TRAFFIC (RBN)
  C and C DNS CHECK-IN
  OUTBOUND SKYPE CANDIDATE
  OUTBOUND SCAN (spp)
  OUTBOUND SCAN
  ATTACK PREP
  PEER COORDINATION Info
  PEER COORDINATION
  DECLARE BOT Standard Port
  DECLARE BOT Non-standard Port
  DECLARE BOT Local Threat Triggered
  DECLARE BOT
  OUTBOUND INTENSE MALWARE PORT SCAN
    181.68.47.56 (18:46:33.457 PDT)
      event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 55 IPs (55 /24s) (# pkts S/M/O/I=0/55/0/0): 445:55, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (18:46:33.457 PDT)

tcpslice 1369100793.457 1369100793.458 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.98
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/20/2013 18:46:33.457 PDT
Gen. Time: 05/20/2013 18:50:34.418 PDT
  INBOUND SCAN
  EXPLOIT
  EXPLOIT MALWARE DNS
  EGG DOWNLOAD
  C and C TRAFFIC
  C and C TRAFFIC (RBN)
  C and C DNS CHECK-IN
  OUTBOUND SKYPE CANDIDATE
  OUTBOUND SCAN (spp)
  OUTBOUND SCAN
  ATTACK PREP
  PEER COORDINATION Info
  PEER COORDINATION
  DECLARE BOT Standard Port
  DECLARE BOT Non-standard Port
  DECLARE BOT Local Threat Triggered
  DECLARE BOT
  OUTBOUND INTENSE MALWARE PORT SCAN
    181.68.47.56 (18:46:33.457 PDT)
      event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 55 IPs (55 /24s) (# pkts S/M/O/I=0/55/0/0): 445:55, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (18:46:33.457 PDT)
    186.46.0.89 (18:49:57.040 PDT)
      event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 57 IPs (57 /24s) (# pkts S/M/O/I=0/57/0/0): 445:57, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (18:49:57.040 PDT)

tcpslice 1369100793.457 1369100793.458 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.98
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/20/2013 18:55:31.969 PDT
Gen. Time: 05/20/2013 18:55:31.969 PDT
  INBOUND SCAN
  EXPLOIT
  EXPLOIT MALWARE DNS
  EGG DOWNLOAD
  C and C TRAFFIC
  C and C TRAFFIC (RBN)
  C and C DNS CHECK-IN
  OUTBOUND SKYPE CANDIDATE
  OUTBOUND SCAN (spp)
  OUTBOUND SCAN
  ATTACK PREP
  PEER COORDINATION Info
  PEER COORDINATION
  DECLARE BOT Standard Port
  DECLARE BOT Non-standard Port
  DECLARE BOT Local Threat Triggered
  DECLARE BOT
  OUTBOUND INTENSE MALWARE PORT SCAN
    186.46.0.89 (18:55:31.969 PDT)
      event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 60 IPs (60 /24s) (# pkts S/M/O/I=0/60/0/0): 445:60, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (18:55:31.969 PDT)

tcpslice 1369101331.969 1369101331.970 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.98
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/20/2013 18:55:31.969 PDT
Gen. Time: 05/20/2013 18:58:27.546 PDT
  INBOUND SCAN
  EXPLOIT
  EXPLOIT MALWARE DNS
  EGG DOWNLOAD
  C and C TRAFFIC
  C and C TRAFFIC (RBN)
  C and C DNS CHECK-IN
  OUTBOUND SKYPE CANDIDATE
  OUTBOUND SCAN (spp)
  OUTBOUND SCAN
  ATTACK PREP
  PEER COORDINATION Info
  PEER COORDINATION
  DECLARE BOT Standard Port
  DECLARE BOT Non-standard Port
  DECLARE BOT Local Threat Triggered
  DECLARE BOT
  OUTBOUND INTENSE MALWARE PORT SCAN
    186.46.0.89 (2) (18:55:31.969 PDT)
      event=777:7777008 (2) {tcp} E8[bh] Detected intense malware port scanning of 60 IPs (60 /24s) (# pkts S/M/O/I=0/60/0/0): 445:60, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (18:55:31.969 PDT) 0->0 (18:57:18.721 PDT)

tcpslice 1369101331.969 1369101331.970 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.98
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/20/2013 18:58:49.016 PDT
Gen.
Time: 05/20/2013 18:58:49.016 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 181.69.220.4 (18:58:49.016 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 63 IPs (63 /24s) (# pkts S/M/O/I=0/63/0/0): 445:63, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (18:58:49.016 PDT) tcpslice 1369101529.016 1369101529.017 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 05/20/2013 18:58:49.016 PDT Gen. Time: 05/20/2013 19:02:27.947 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 181.69.220.4 (3) (18:58:49.016 PDT) event=777:7777008 (3) {tcp} E8[bh] Detected intense malware port scanning of 63 IPs (63 /24s) (# pkts S/M/O/I=0/63/0/0): 445:63, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (18:58:49.016 PDT) 0->0 (19:00:30.837 PDT) (19:02:08.277 PDT) tcpslice 1369101529.016 1369101529.017 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 05/20/2013 19:05:41.294 PDT Gen. 
Time: 05/20/2013 19:05:41.294 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 181.69.220.4 (19:05:41.294 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 67 IPs (67 /24s) (# pkts S/M/O/I=0/66/1/0): 445:66, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (19:05:41.294 PDT) tcpslice 1369101941.294 1369101941.295 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 05/20/2013 19:10:35.372 PDT Gen. Time: 05/20/2013 19:10:35.372 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 181.69.220.4 (19:10:35.372 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 68 IPs (68 /24s) (# pkts S/M/O/I=0/67/1/0): 445:67, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (19:10:35.372 PDT) tcpslice 1369102235.372 1369102235.373 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 05/20/2013 19:16:52.786 PDT Gen. 
Time: 05/20/2013 19:16:52.786 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 181.69.220.4 (19:16:52.786 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 70 IPs (70 /24s) (# pkts S/M/O/I=0/69/1/0): 445:69, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (19:16:52.786 PDT) tcpslice 1369102612.786 1369102612.787 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 05/20/2013 19:16:52.786 PDT Gen. Time: 05/20/2013 19:20:50.903 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 181.69.220.4 (3) (19:16:52.786 PDT) event=777:7777008 (3) {tcp} E8[bh] Detected intense malware port scanning of 70 IPs (70 /24s) (# pkts S/M/O/I=0/69/1/0): 445:69, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (19:16:52.786 PDT) 0->0 (19:18:32.864 PDT) (19:20:50.532 PDT) tcpslice 1369102612.786 1369102612.787 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 05/20/2013 19:28:13.653 PDT Gen. 
Time: 05/20/2013 19:28:13.653 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 181.69.220.4 (19:28:13.653 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 74 IPs (74 /24s) (# pkts S/M/O/I=0/73/1/0): 445:73, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (19:28:13.653 PDT) tcpslice 1369103293.653 1369103293.654 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 05/20/2013 19:28:13.653 PDT Gen. Time: 05/20/2013 19:32:54.762 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 181.69.220.4 (2) (19:28:13.653 PDT) event=777:7777008 (2) {tcp} E8[bh] Detected intense malware port scanning of 74 IPs (74 /24s) (# pkts S/M/O/I=0/73/1/0): 445:73, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (19:28:13.653 PDT) (19:31:15.352 PDT) tcpslice 1369103293.653 1369103293.654 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 05/20/2013 19:32:55.850 PDT Gen. 
Time: 05/20/2013 19:32:55.850 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 181.69.220.4 (19:32:55.850 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 76 IPs (76 /24s) (# pkts S/M/O/I=0/75/1/0): 445:75, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (19:32:55.850 PDT) tcpslice 1369103575.850 1369103575.851 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 05/20/2013 19:38:12.669 PDT Gen. Time: 05/20/2013 19:38:12.669 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 181.69.220.4 (19:38:12.669 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 78 IPs (78 /24s) (# pkts S/M/O/I=0/77/1/0): 445:77, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (19:38:12.669 PDT) tcpslice 1369103892.669 1369103892.670 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 05/20/2013 19:42:17.156 PDT Gen. 
Time: 05/20/2013 19:42:17.156 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 181.69.220.4 (19:42:17.156 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 79 IPs (79 /24s) (# pkts S/M/O/I=0/78/1/0): 445:78, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (19:42:17.156 PDT) tcpslice 1369104137.156 1369104137.157 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 05/20/2013 19:42:17.156 PDT Gen. Time: 05/20/2013 19:46:18.946 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 181.69.220.4 (2) (19:42:17.156 PDT) event=777:7777008 (2) {tcp} E8[bh] Detected intense malware port scanning of 79 IPs (79 /24s) (# pkts S/M/O/I=0/78/1/0): 445:78, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (19:42:17.156 PDT) 0->0 (19:45:37.285 PDT) tcpslice 1369104137.156 1369104137.157 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 05/20/2013 19:47:28.069 PDT Gen. 
Time: 05/20/2013 19:47:28.069 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 181.69.220.4 (19:47:28.069 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 82 IPs (82 /24s) (# pkts S/M/O/I=0/81/1/0): 445:81, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (19:47:28.069 PDT) tcpslice 1369104448.069 1369104448.070 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 05/20/2013 19:51:46.473 PDT Gen. Time: 05/20/2013 19:51:46.473 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 181.69.220.4 (19:51:46.473 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 83 IPs (83 /24s) (# pkts S/M/O/I=0/82/1/0): 445:82, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (19:51:46.473 PDT) tcpslice 1369104706.473 1369104706.474 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 05/20/2013 19:55:44.627 PDT Gen. 
Time: 05/20/2013 19:55:44.627 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 181.69.220.4 (19:55:44.627 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 84 IPs (84 /24s) (# pkts S/M/O/I=0/83/1/0): 445:83, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (19:55:44.627 PDT) tcpslice 1369104944.627 1369104944.628 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 05/20/2013 20:02:08.566 PDT Gen. Time: 05/20/2013 20:02:08.566 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 181.69.220.4 (20:02:08.566 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 87 IPs (87 /24s) (# pkts S/M/O/I=0/86/1/0): 445:86, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (20:02:08.566 PDT) tcpslice 1369105328.566 1369105328.567 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 05/20/2013 20:02:08.566 PDT Gen. 
Time: 05/20/2013 20:06:09.068 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 181.69.220.4 (2) (20:02:08.566 PDT) event=777:7777008 (2) {tcp} E8[bh] Detected intense malware port scanning of 87 IPs (87 /24s) (# pkts S/M/O/I=0/86/1/0): 445:86, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (20:02:08.566 PDT) 0->0 (20:04:38.197 PDT) tcpslice 1369105328.566 1369105328.567 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 05/20/2013 20:06:48.654 PDT Gen. Time: 05/20/2013 20:06:48.654 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 181.69.220.4 (20:06:48.654 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 90 IPs (90 /24s) (# pkts S/M/O/I=0/89/1/0): 445:89, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (20:06:48.654 PDT) tcpslice 1369105608.654 1369105608.655 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 05/20/2013 20:06:48.654 PDT Gen. 
Time: 05/20/2013 20:10:24.010 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 181.69.220.4 (2) (20:06:48.654 PDT) event=777:7777008 (2) {tcp} E8[bh] Detected intense malware port scanning of 90 IPs (90 /24s) (# pkts S/M/O/I=0/89/1/0): 445:89, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (20:06:48.654 PDT) 0->0 (20:09:19.992 PDT) tcpslice 1369105608.654 1369105608.655 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 05/20/2013 20:12:37.532 PDT Gen. Time: 05/20/2013 20:12:37.532 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 181.69.220.4 (20:12:37.532 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 93 IPs (93 /24s) (# pkts S/M/O/I=0/92/1/0): 445:92, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (20:12:37.532 PDT) tcpslice 1369105957.532 1369105957.533 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================