Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 05/21/2013 04:39:49.113 PDT Gen. Time: 05/21/2013 04:39:49.113 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 181.71.228.90 (04:39:49.113 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 21 IPs (21 /24s) (# pkts S/M/O/I=0/21/0/0): 445:21, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (04:39:49.113 PDT) tcpslice 1369136389.113 1369136389.114 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 05/21/2013 04:43:18.440 PDT Gen. Time: 05/21/2013 04:43:18.440 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 181.71.228.90 (04:43:18.440 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 22 IPs (22 /24s) (# pkts S/M/O/I=0/22/0/0): 445:22, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (04:43:18.440 PDT) tcpslice 1369136598.440 1369136598.441 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 05/21/2013 04:47:05.951 PDT Gen. Time: 05/21/2013 04:47:05.951 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 186.3.208.1 (04:47:05.951 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 23 IPs (23 /24s) (# pkts S/M/O/I=0/23/0/0): 445:23, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (04:47:05.951 PDT) tcpslice 1369136825.951 1369136825.952 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 05/21/2013 04:50:32.354 PDT Gen. Time: 05/21/2013 04:50:32.354 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 186.3.208.1 (04:50:32.354 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 26 IPs (26 /24s) (# pkts S/M/O/I=0/26/0/0): 445:26, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (04:50:32.354 PDT) tcpslice 1369137032.354 1369137032.355 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 05/21/2013 04:55:36.272 PDT Gen. Time: 05/21/2013 04:55:36.272 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 186.3.208.1 (04:55:36.272 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 27 IPs (27 /24s) (# pkts S/M/O/I=0/27/0/0): 445:27, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (04:55:36.272 PDT) tcpslice 1369137336.272 1369137336.273 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 05/21/2013 04:55:36.272 PDT Gen. Time: 05/21/2013 04:59:24.371 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 186.3.208.1 (2) (04:55:36.272 PDT) event=777:7777008 (2) {tcp} E8[bh] Detected intense malware port scanning of 27 IPs (27 /24s) (# pkts S/M/O/I=0/27/0/0): 445:27, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (04:55:36.272 PDT) 0->0 (04:58:44.191 PDT) tcpslice 1369137336.272 1369137336.273 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 05/21/2013 05:01:49.096 PDT Gen. Time: 05/21/2013 05:01:49.096 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 186.3.208.1 (05:01:49.096 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 30 IPs (30 /24s) (# pkts S/M/O/I=0/30/0/0): 445:30, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (05:01:49.096 PDT) tcpslice 1369137709.096 1369137709.097 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 05/21/2013 05:06:25.364 PDT Gen. Time: 05/21/2013 05:06:25.364 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 186.3.208.1 (05:06:25.364 PDT) event=777:7777008 {icmp} E8[bh] Detected intense malware port scanning of 31 IPs (31 /24s) (# pkts S/M/O/I=0/31/0/0): 445:31, [] MAC_Src: 00:21:1C:EE:14:00 (05:06:25.364 PDT) tcpslice 1369137985.364 1369137985.365 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 05/21/2013 05:06:25.364 PDT Gen. Time: 05/21/2013 05:10:32.528 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 186.3.208.1 (2) (05:06:25.364 PDT) event=777:7777008 (2) {icmp} E8[bh] Detected intense malware port scanning of 31 IPs (31 /24s) (# pkts S/M/O/I=0/31/0/0): 445:31, [] MAC_Src: 00:21:1C:EE:14:00 (05:06:25.364 PDT) (05:10:09.117 PDT) tcpslice 1369137985.364 1369137985.365 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 05/21/2013 05:11:12.544 PDT Gen. Time: 05/21/2013 05:11:12.544 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 186.3.208.1 (05:11:12.544 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 33 IPs (33 /24s) (# pkts S/M/O/I=0/33/0/0): 445:33, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (05:11:12.544 PDT) tcpslice 1369138272.544 1369138272.545 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 05/21/2013 06:50:32.969 PDT Gen. Time: 05/21/2013 06:50:32.969 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 190.66.122.50 (06:50:32.969 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 21 IPs (21 /24s) (# pkts S/M/O/I=0/20/0/1): 445:20, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (06:50:32.969 PDT) tcpslice 1369144232.969 1369144232.970 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 05/21/2013 06:50:32.969 PDT Gen. Time: 05/21/2013 06:54:33.388 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 190.66.122.50 (2) (06:50:32.969 PDT) event=777:7777008 (2) {tcp} E8[bh] Detected intense malware port scanning of 21 IPs (21 /24s) (# pkts S/M/O/I=0/20/0/1): 445:20, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (06:50:32.969 PDT) 0->0 (06:52:51.929 PDT) tcpslice 1369144232.969 1369144232.970 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 05/21/2013 06:59:31.962 PDT Gen. Time: 05/21/2013 06:59:31.962 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 190.66.122.50 (06:59:31.962 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 25 IPs (25 /24s) (# pkts S/M/O/I=0/24/0/1): 445:24, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (06:59:31.962 PDT) tcpslice 1369144771.962 1369144771.963 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 05/21/2013 06:59:31.962 PDT Gen. Time: 05/21/2013 07:03:20.960 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 190.66.122.50 (2) (06:59:31.962 PDT) event=777:7777008 (2) {tcp} E8[bh] Detected intense malware port scanning of 25 IPs (25 /24s) (# pkts S/M/O/I=0/24/0/1): 445:24, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (06:59:31.962 PDT) 0->0 (07:01:29.526 PDT) tcpslice 1369144771.962 1369144771.963 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 05/21/2013 07:04:10.063 PDT Gen. Time: 05/21/2013 07:04:10.063 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 190.66.122.50 (07:04:10.063 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 29 IPs (29 /24s) (# pkts S/M/O/I=0/28/0/1): 445:28, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (07:04:10.063 PDT) tcpslice 1369145050.063 1369145050.064 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 05/21/2013 07:04:10.063 PDT Gen. Time: 05/21/2013 07:07:50.474 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 190.66.122.50 (2) (07:04:10.063 PDT) event=777:7777008 (2) {tcp} E8[bh] Detected intense malware port scanning of 29 IPs (29 /24s) (# pkts S/M/O/I=0/28/0/1): 445:28, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (07:04:10.063 PDT) 0->0 (07:07:19.906 PDT) tcpslice 1369145050.063 1369145050.064 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 05/21/2013 07:12:21.277 PDT Gen. Time: 05/21/2013 07:12:21.277 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 190.66.122.50 (07:12:21.277 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 33 IPs (33 /24s) (# pkts S/M/O/I=0/32/0/1): 445:32, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (07:12:21.277 PDT) tcpslice 1369145541.277 1369145541.278 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 05/21/2013 07:18:07.946 PDT Gen. Time: 05/21/2013 07:18:07.946 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 190.66.122.50 (07:18:07.946 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 36 IPs (36 /24s) (# pkts S/M/O/I=0/35/0/1): 445:35, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (07:18:07.946 PDT) tcpslice 1369145887.946 1369145887.947 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 05/21/2013 07:18:07.946 PDT Gen. Time: 05/21/2013 07:22:11.895 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 190.66.122.50 (2) (07:18:07.946 PDT) event=777:7777008 (2) {tcp} E8[bh] Detected intense malware port scanning of 36 IPs (36 /24s) (# pkts S/M/O/I=0/35/0/1): 445:35, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (07:18:07.946 PDT) 0->0 (07:21:38.670 PDT) tcpslice 1369145887.946 1369145887.947 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 05/21/2013 07:23:21.676 PDT Gen. Time: 05/21/2013 07:23:21.676 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 190.66.122.50 (07:23:21.676 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 38 IPs (38 /24s) (# pkts S/M/O/I=0/37/0/1): 445:37, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (07:23:21.676 PDT) tcpslice 1369146201.676 1369146201.677 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 05/21/2013 07:27:27.455 PDT Gen. Time: 05/21/2013 07:27:27.455 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 190.66.122.50 (07:27:27.455 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 40 IPs (40 /24s) (# pkts S/M/O/I=0/39/0/1): 445:39, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (07:27:27.455 PDT) tcpslice 1369146447.455 1369146447.456 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 05/21/2013 07:27:27.455 PDT Gen. Time: 05/21/2013 07:31:20.084 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 186.42.56.5 (2) (07:29:19.354 PDT) event=777:7777008 (2) {tcp} E8[bh] Detected intense malware port scanning of 41 IPs (41 /24s) (# pkts S/M/O/I=0/40/0/1): 445:40, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (07:29:19.354 PDT) 0->0 (07:31:13.775 PDT) 190.66.122.50 (07:27:27.455 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 40 IPs (40 /24s) (# pkts S/M/O/I=0/39/0/1): 445:39, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (07:27:27.455 PDT) tcpslice 1369146447.455 1369146447.456 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 05/21/2013 07:37:13.039 PDT Gen. Time: 05/21/2013 07:37:13.039 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 186.42.56.5 (07:37:13.039 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 45 IPs (45 /24s) (# pkts S/M/O/I=0/44/0/1): 445:44, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (07:37:13.039 PDT) tcpslice 1369147033.039 1369147033.040 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 05/21/2013 07:37:13.039 PDT Gen. Time: 05/21/2013 07:40:23.257 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 186.42.56.5 (2) (07:37:13.039 PDT) event=777:7777008 (2) {tcp} E8[bh] Detected intense malware port scanning of 45 IPs (45 /24s) (# pkts S/M/O/I=0/44/0/1): 445:44, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (07:37:13.039 PDT) (07:38:57.001 PDT) tcpslice 1369147033.039 1369147033.040 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 05/21/2013 07:40:30.964 PDT Gen. Time: 05/21/2013 07:40:30.964 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 186.42.56.5 (07:40:30.964 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 50 IPs (49 /24s) (# pkts S/M/O/I=0/49/0/1): 445:49, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (07:40:30.964 PDT) tcpslice 1369147230.964 1369147230.965 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 05/21/2013 07:40:30.964 PDT Gen. Time: 05/21/2013 07:44:27.278 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 186.42.56.5 (2) (07:40:30.964 PDT) event=777:7777008 (2) {tcp} E8[bh] Detected intense malware port scanning of 50 IPs (49 /24s) (# pkts S/M/O/I=0/49/0/1): 445:49, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (07:40:30.964 PDT) (07:42:42.040 PDT) tcpslice 1369147230.964 1369147230.965 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 05/21/2013 07:45:01.439 PDT Gen. Time: 05/21/2013 07:45:01.439 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 186.42.56.5 (07:45:01.439 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 55 IPs (53 /24s) (# pkts S/M/O/I=0/54/0/1): 445:54, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (07:45:01.439 PDT) tcpslice 1369147501.439 1369147501.440 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 05/21/2013 07:45:01.439 PDT Gen. Time: 05/21/2013 07:49:28.442 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 181.70.2.8 (07:47:51.625 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 57 IPs (55 /24s) (# pkts S/M/O/I=0/56/0/1): 445:56, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (07:47:51.625 PDT) 186.42.56.5 (07:45:01.439 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 55 IPs (53 /24s) (# pkts S/M/O/I=0/54/0/1): 445:54, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (07:45:01.439 PDT) tcpslice 1369147501.439 1369147501.440 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 05/21/2013 07:50:12.481 PDT Gen. Time: 05/21/2013 07:50:12.481 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 181.70.2.8 (07:50:12.481 PDT) event=777:7777008 {icmp} E8[bh] Detected intense malware port scanning of 58 IPs (56 /24s) (# pkts S/M/O/I=0/57/0/1): 445:57, [] MAC_Src: 00:21:1C:EE:14:00 (07:50:12.481 PDT) tcpslice 1369147812.481 1369147812.482 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 05/21/2013 07:50:12.481 PDT Gen. Time: 05/21/2013 07:53:20.712 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 181.70.2.8 (2) (07:50:12.481 PDT) event=777:7777008 (2) {icmp} E8[bh] Detected intense malware port scanning of 58 IPs (56 /24s) (# pkts S/M/O/I=0/57/0/1): 445:57, [] MAC_Src: 00:21:1C:EE:14:00 (07:50:12.481 PDT) 0->0 (07:52:14.687 PDT) tcpslice 1369147812.481 1369147812.482 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 05/21/2013 07:56:11.812 PDT Gen. Time: 05/21/2013 07:56:11.812 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 181.70.2.8 (07:56:11.812 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 60 IPs (58 /24s) (# pkts S/M/O/I=0/59/0/1): 445:59, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (07:56:11.812 PDT) tcpslice 1369148171.812 1369148171.813 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 05/21/2013 07:56:11.812 PDT Gen. Time: 05/21/2013 07:59:32.205 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 181.70.2.8 (2) (07:56:11.812 PDT) event=777:7777008 (2) {tcp} E8[bh] Detected intense malware port scanning of 60 IPs (58 /24s) (# pkts S/M/O/I=0/59/0/1): 445:59, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (07:56:11.812 PDT) 0->0 (07:58:02.097 PDT) tcpslice 1369148171.812 1369148171.813 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 05/21/2013 08:00:55.790 PDT Gen. Time: 05/21/2013 08:00:55.790 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 181.70.2.8 (08:00:55.790 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 65 IPs (63 /24s) (# pkts S/M/O/I=0/64/0/1): 445:64, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (08:00:55.790 PDT) tcpslice 1369148455.790 1369148455.791 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 05/21/2013 08:00:55.790 PDT Gen. Time: 05/21/2013 08:04:32.375 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 181.70.2.8 (2) (08:00:55.790 PDT) event=777:7777008 (2) {tcp} E8[bh] Detected intense malware port scanning of 65 IPs (63 /24s) (# pkts S/M/O/I=0/64/0/1): 445:64, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (08:00:55.790 PDT) 0->0 (08:02:28.467 PDT) tcpslice 1369148455.790 1369148455.791 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 05/21/2013 08:05:23.752 PDT Gen. Time: 05/21/2013 08:05:23.752 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 181.70.2.8 (08:05:23.752 PDT) event=777:7777008 {icmp} E8[bh] Detected intense malware port scanning of 68 IPs (66 /24s) (# pkts S/M/O/I=0/67/0/1): 445:67, [] MAC_Src: 00:21:1C:EE:14:00 (08:05:23.752 PDT) tcpslice 1369148723.752 1369148723.753 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 05/21/2013 08:05:23.752 PDT Gen. Time: 05/21/2013 08:09:25.011 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 181.70.2.8 (2) (08:05:23.752 PDT) event=777:7777008 (2) {icmp} E8[bh] Detected intense malware port scanning of 68 IPs (66 /24s) (# pkts S/M/O/I=0/67/0/1): 445:67, [] MAC_Src: 00:21:1C:EE:14:00 (08:05:23.752 PDT) (08:08:23.794 PDT) tcpslice 1369148723.752 1369148723.753 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 05/21/2013 08:11:49.676 PDT Gen. Time: 05/21/2013 08:11:49.676 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 181.70.2.8 (08:11:49.676 PDT) event=777:7777008 {icmp} E8[bh] Detected intense malware port scanning of 72 IPs (70 /24s) (# pkts S/M/O/I=0/71/0/1): 445:71, [] MAC_Src: 00:21:1C:EE:14:00 (08:11:49.676 PDT) tcpslice 1369149109.676 1369149109.677 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 05/21/2013 08:14:57.451 PDT Gen. Time: 05/21/2013 08:14:57.451 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 181.70.2.8 (08:14:57.451 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 73 IPs (71 /24s) (# pkts S/M/O/I=0/72/0/1): 445:72, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (08:14:57.451 PDT) tcpslice 1369149297.451 1369149297.452 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 05/21/2013 08:14:57.451 PDT Gen. Time: 05/21/2013 08:19:36.089 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 181.70.2.8 (2) (08:14:57.451 PDT) event=777:7777008 (2) {tcp} E8[bh] Detected intense malware port scanning of 73 IPs (71 /24s) (# pkts S/M/O/I=0/72/0/1): 445:72, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (08:14:57.451 PDT) 0->0 (08:16:45.684 PDT) tcpslice 1369149297.451 1369149297.452 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 05/21/2013 08:21:37.656 PDT Gen. Time: 05/21/2013 08:21:37.656 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 181.70.2.8 (08:21:37.656 PDT) event=777:7777008 {icmp} E8[bh] Detected intense malware port scanning of 75 IPs (73 /24s) (# pkts S/M/O/I=0/74/0/1): 445:74, [] MAC_Src: 00:21:1C:EE:14:00 (08:21:37.656 PDT) tcpslice 1369149697.656 1369149697.657 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 05/21/2013 08:21:37.656 PDT Gen. Time: 05/21/2013 08:24:36.096 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 181.70.2.8 (2) (08:21:37.656 PDT) event=777:7777008 (2) {icmp} E8[bh] Detected intense malware port scanning of 75 IPs (73 /24s) (# pkts S/M/O/I=0/74/0/1): 445:74, [] MAC_Src: 00:21:1C:EE:14:00 (08:21:37.656 PDT) 0->0 (08:23:33.439 PDT) tcpslice 1369149697.656 1369149697.657 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 05/21/2013 08:28:47.331 PDT Gen. Time: 05/21/2013 08:28:47.331 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 186.112.244.67 (08:28:47.331 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 79 IPs (77 /24s) (# pkts S/M/O/I=0/78/0/1): 445:78, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (08:28:47.331 PDT) tcpslice 1369150127.331 1369150127.332 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 05/21/2013 08:33:17.475 PDT Gen. Time: 05/21/2013 08:33:17.475 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 186.112.244.67 (08:33:17.475 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 81 IPs (79 /24s) (# pkts S/M/O/I=0/80/0/1): 445:80, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (08:33:17.475 PDT) tcpslice 1369150397.475 1369150397.476 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 05/21/2013 08:37:10.788 PDT Gen. Time: 05/21/2013 08:37:10.788 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 186.112.244.67 (08:37:10.788 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 83 IPs (81 /24s) (# pkts S/M/O/I=0/82/0/1): 445:82, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (08:37:10.788 PDT) tcpslice 1369150630.788 1369150630.789 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 05/21/2013 08:45:34.407 PDT Gen. Time: 05/21/2013 08:45:34.407 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 186.112.244.67 (08:45:34.407 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 84 IPs (82 /24s) (# pkts S/M/O/I=0/83/0/1): 445:83, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (08:45:34.407 PDT) tcpslice 1369151134.407 1369151134.408 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 05/21/2013 08:45:34.407 PDT Gen. Time: 05/21/2013 08:49:43.378 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 186.112.244.67 (2) (08:45:34.407 PDT) event=777:7777008 (2) {tcp} E8[bh] Detected intense malware port scanning of 84 IPs (82 /24s) (# pkts S/M/O/I=0/83/0/1): 445:83, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (08:45:34.407 PDT) (08:47:28.919 PDT) tcpslice 1369151134.407 1369151134.408 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 05/21/2013 08:51:07.300 PDT Gen. Time: 05/21/2013 08:51:07.300 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 186.112.244.67 (08:51:07.300 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 86 IPs (84 /24s) (# pkts S/M/O/I=0/85/0/1): 445:85, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (08:51:07.300 PDT) tcpslice 1369151467.300 1369151467.301 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 05/21/2013 08:51:07.300 PDT Gen. Time: 05/21/2013 08:55:21.767 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 186.112.244.67 (2) (08:51:07.300 PDT) event=777:7777008 (2) {tcp} E8[bh] Detected intense malware port scanning of 86 IPs (84 /24s) (# pkts S/M/O/I=0/85/0/1): 445:85, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (08:51:07.300 PDT) 0->0 (08:53:30.371 PDT) tcpslice 1369151467.300 1369151467.301 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 05/21/2013 08:57:55.807 PDT Gen. Time: 05/21/2013 08:57:55.807 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 186.112.244.67 (08:57:55.807 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 91 IPs (89 /24s) (# pkts S/M/O/I=0/90/0/1): 445:90, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (08:57:55.807 PDT) tcpslice 1369151875.807 1369151875.808 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 05/21/2013 08:57:55.807 PDT Gen. Time: 05/21/2013 09:00:55.078 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 186.112.244.67 (2) (08:57:55.807 PDT) event=777:7777008 (2) {tcp} E8[bh] Detected intense malware port scanning of 91 IPs (89 /24s) (# pkts S/M/O/I=0/90/0/1): 445:90, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (08:57:55.807 PDT) (08:59:57.305 PDT) tcpslice 1369151875.807 1369151875.808 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 05/21/2013 09:01:43.450 PDT Gen. Time: 05/21/2013 09:01:43.450 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 186.112.244.67 (09:01:43.450 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 95 IPs (93 /24s) (# pkts S/M/O/I=0/94/0/1): 445:94, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (09:01:43.450 PDT) tcpslice 1369152103.450 1369152103.451 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 05/21/2013 09:05:10.747 PDT Gen. Time: 05/21/2013 09:05:10.747 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 186.112.244.67 (09:05:10.747 PDT) event=777:7777008 {icmp} E8[bh] Detected intense malware port scanning of 96 IPs (94 /24s) (# pkts S/M/O/I=0/95/0/1): 445:95, [] MAC_Src: 00:21:1C:EE:14:00 (09:05:10.747 PDT) tcpslice 1369152310.747 1369152310.748 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 05/21/2013 09:05:10.747 PDT Gen. Time: 05/21/2013 09:08:11.322 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 186.112.244.67 (2) (09:05:10.747 PDT) event=777:7777008 (2) {icmp} E8[bh] Detected intense malware port scanning of 96 IPs (94 /24s) (# pkts S/M/O/I=0/95/0/1): 445:95, [] MAC_Src: 00:21:1C:EE:14:00 (09:05:10.747 PDT) 0->0 (09:06:55.078 PDT) tcpslice 1369152310.747 1369152310.748 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 05/21/2013 09:08:52.503 PDT Gen. Time: 05/21/2013 09:08:52.503 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 186.112.244.67 (09:08:52.503 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 98 IPs (96 /24s) (# pkts S/M/O/I=0/97/0/1): 445:97, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (09:08:52.503 PDT) tcpslice 1369152532.503 1369152532.504 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 05/21/2013 09:08:52.503 PDT Gen. Time: 05/21/2013 09:12:29.070 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 186.112.244.67 (2) (09:08:52.503 PDT) event=777:7777008 (2) {tcp} E8[bh] Detected intense malware port scanning of 98 IPs (96 /24s) (# pkts S/M/O/I=0/97/0/1): 445:97, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (09:08:52.503 PDT) 0->0 (09:12:26.300 PDT) tcpslice 1369152532.503 1369152532.504 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 05/21/2013 09:14:33.417 PDT Gen. Time: 05/21/2013 09:14:33.417 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 186.112.244.67 (09:14:33.417 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 101 IPs (99 /24s) (# pkts S/M/O/I=0/100/0/1): 445:100, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (09:14:33.417 PDT) tcpslice 1369152873.417 1369152873.418 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 05/21/2013 09:21:06.437 PDT Gen. Time: 05/21/2013 09:21:06.437 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 186.112.244.67 (09:21:06.437 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 102 IPs (100 /24s) (# pkts S/M/O/I=0/101/0/1): 445:101, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (09:21:06.437 PDT) tcpslice 1369153266.437 1369153266.438 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 05/21/2013 09:21:06.437 PDT Gen. Time: 05/21/2013 09:23:41.102 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 186.112.244.67 (2) (09:21:06.437 PDT) event=777:7777008 (2) {tcp} E8[bh] Detected intense malware port scanning of 102 IPs (100 /24s) (# pkts S/M/O/I=0/101/0/1): 445:101, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (09:21:06.437 PDT) 0->0 (09:23:07.247 PDT) tcpslice 1369153266.437 1369153266.438 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 05/21/2013 09:25:21.466 PDT Gen. Time: 05/21/2013 09:25:21.466 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 186.112.244.67 (09:25:21.466 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 104 IPs (102 /24s) (# pkts S/M/O/I=0/103/0/1): 445:103, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (09:25:21.466 PDT) tcpslice 1369153521.466 1369153521.467 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 05/21/2013 09:25:21.466 PDT Gen. Time: 05/21/2013 09:29:06.813 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 186.112.244.67 (2) (09:25:21.466 PDT) event=777:7777008 (2) {tcp} E8[bh] Detected intense malware port scanning of 104 IPs (102 /24s) (# pkts S/M/O/I=0/103/0/1): 445:103, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (09:25:21.466 PDT) 0->0 (09:27:23.419 PDT) tcpslice 1369153521.466 1369153521.467 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 1.1 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 05/21/2013 11:22:57.188 PDT Gen. Time: 05/21/2013 11:23:08.545 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) 186.117.139.25 (11:22:57.188 PDT) event=777:7777005 {tcp} E5[bh] Detected moderate malware port scanning of 20 IPs (20 /24s) (# pkts S/M/O/I=0/20/0/0): 445:20, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (11:22:57.188 PDT) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 186.117.139.25 (11:23:08.545 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 21 IPs (21 /24s) (# pkts S/M/O/I=0/21/0/0): 445:21, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (11:23:08.545 PDT) tcpslice 1369160577.188 1369160577.189 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 05/21/2013 11:28:45.310 PDT Gen. Time: 05/21/2013 11:28:45.310 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 186.117.139.25 (11:28:45.310 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 22 IPs (22 /24s) (# pkts S/M/O/I=0/22/0/0): 445:22, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (11:28:45.310 PDT) tcpslice 1369160925.310 1369160925.311 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 05/21/2013 11:36:59.178 PDT Gen. Time: 05/21/2013 11:36:59.178 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 186.117.139.25 (11:36:59.178 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 24 IPs (24 /24s) (# pkts S/M/O/I=0/24/0/0): 445:24, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (11:36:59.178 PDT) tcpslice 1369161419.178 1369161419.179 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 05/21/2013 11:43:22.328 PDT Gen. Time: 05/21/2013 11:43:22.328 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 186.117.139.25 (11:43:22.328 PDT) event=777:7777008 {icmp} E8[bh] Detected intense malware port scanning of 27 IPs (27 /24s) (# pkts S/M/O/I=0/27/0/0): 445:27, [] MAC_Src: 00:21:1C:EE:14:00 (11:43:22.328 PDT) tcpslice 1369161802.328 1369161802.329 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 05/21/2013 11:43:22.328 PDT Gen. Time: 05/21/2013 11:47:49.168 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 186.117.139.25 (2) (11:43:22.328 PDT) event=777:7777008 (2) {icmp} E8[bh] Detected intense malware port scanning of 27 IPs (27 /24s) (# pkts S/M/O/I=0/27/0/0): 445:27, [] MAC_Src: 00:21:1C:EE:14:00 (11:43:22.328 PDT) 0->0 (11:45:53.519 PDT) tcpslice 1369161802.328 1369161802.329 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 05/21/2013 11:49:15.548 PDT Gen. Time: 05/21/2013 11:49:15.548 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 186.117.139.25 (11:49:15.548 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 29 IPs (29 /24s) (# pkts S/M/O/I=0/29/0/0): 445:29, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (11:49:15.548 PDT) tcpslice 1369162155.548 1369162155.549 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 05/21/2013 11:49:15.548 PDT Gen. Time: 05/21/2013 11:52:56.354 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 186.117.139.25 (2) (11:49:15.548 PDT) event=777:7777008 (2) {tcp} E8[bh] Detected intense malware port scanning of 29 IPs (29 /24s) (# pkts S/M/O/I=0/29/0/0): 445:29, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (11:49:15.548 PDT) 0->0 (11:52:28.233 PDT) tcpslice 1369162155.548 1369162155.549 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 05/21/2013 11:55:01.862 PDT Gen. Time: 05/21/2013 11:55:01.862 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 186.117.139.25 (11:55:01.862 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 32 IPs (32 /24s) (# pkts S/M/O/I=0/31/1/0): 445:31, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (11:55:01.862 PDT) tcpslice 1369162501.862 1369162501.863 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 05/21/2013 11:58:28.504 PDT Gen. Time: 05/21/2013 11:58:28.504 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 186.117.139.25 (11:58:28.504 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 34 IPs (34 /24s) (# pkts S/M/O/I=0/33/1/0): 445:33, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (11:58:28.504 PDT) tcpslice 1369162708.504 1369162708.505 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 05/21/2013 11:58:28.504 PDT Gen. Time: 05/21/2013 12:02:16.073 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 186.117.139.25 (2) (11:58:28.504 PDT) event=777:7777008 (2) {tcp} E8[bh] Detected intense malware port scanning of 34 IPs (34 /24s) (# pkts S/M/O/I=0/33/1/0): 445:33, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (11:58:28.504 PDT) 0->0 (12:01:55.313 PDT) tcpslice 1369162708.504 1369162708.505 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 05/21/2013 12:07:08.505 PDT Gen. Time: 05/21/2013 12:07:08.505 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 186.117.139.25 (12:07:08.505 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 36 IPs (36 /24s) (# pkts S/M/O/I=0/35/1/0): 445:35, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (12:07:08.505 PDT) tcpslice 1369163228.505 1369163228.506 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 05/21/2013 12:07:08.505 PDT Gen. Time: 05/21/2013 12:10:20.255 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 186.117.139.25 (2) (12:07:08.505 PDT) event=777:7777008 (2) {tcp} E8[bh] Detected intense malware port scanning of 36 IPs (36 /24s) (# pkts S/M/O/I=0/35/1/0): 445:35, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (12:07:08.505 PDT) 0->0 (12:09:13.199 PDT) tcpslice 1369163228.505 1369163228.506 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 05/21/2013 12:11:12.726 PDT Gen. Time: 05/21/2013 12:11:12.726 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 186.117.139.25 (12:11:12.726 PDT) event=777:7777008 {icmp} E8[bh] Detected intense malware port scanning of 38 IPs (38 /24s) (# pkts S/M/O/I=0/37/1/0): 445:37, [] MAC_Src: 00:21:1C:EE:14:00 (12:11:12.726 PDT) tcpslice 1369163472.726 1369163472.727 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 05/21/2013 12:18:42.362 PDT Gen. Time: 05/21/2013 12:18:42.362 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 186.117.139.25 (12:18:42.362 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 40 IPs (40 /24s) (# pkts S/M/O/I=0/39/1/0): 445:39, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (12:18:42.362 PDT) tcpslice 1369163922.362 1369163922.363 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 05/21/2013 12:18:42.362 PDT Gen. Time: 05/21/2013 12:22:05.832 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 186.117.139.25 (2) (12:18:42.362 PDT) event=777:7777008 (2) {tcp} E8[bh] Detected intense malware port scanning of 40 IPs (40 /24s) (# pkts S/M/O/I=0/39/1/0): 445:39, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (12:18:42.362 PDT) 0->0 (12:20:29.528 PDT) tcpslice 1369163922.362 1369163922.363 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 05/21/2013 12:23:40.537 PDT Gen. Time: 05/21/2013 12:23:40.537 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 186.117.139.25 (12:23:40.537 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 45 IPs (45 /24s) (# pkts S/M/O/I=0/44/1/0): 445:44, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (12:23:40.537 PDT) tcpslice 1369164220.537 1369164220.538 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 05/21/2013 12:28:03.758 PDT Gen. Time: 05/21/2013 12:28:03.758 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 186.117.139.25 (12:28:03.758 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 46 IPs (46 /24s) (# pkts S/M/O/I=0/45/1/0): 445:45, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (12:28:03.758 PDT) tcpslice 1369164483.758 1369164483.759 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 05/21/2013 12:28:03.758 PDT Gen. Time: 05/21/2013 12:32:29.421 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 186.117.139.25 (2) (12:28:03.758 PDT) event=777:7777008 (2) {tcp} E8[bh] Detected intense malware port scanning of 46 IPs (46 /24s) (# pkts S/M/O/I=0/45/1/0): 445:45, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (12:28:03.758 PDT) 0->0 (12:30:46.917 PDT) tcpslice 1369164483.758 1369164483.759 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 05/21/2013 12:34:42.795 PDT Gen. Time: 05/21/2013 12:34:42.795 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 186.117.139.25 (12:34:42.795 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 50 IPs (50 /24s) (# pkts S/M/O/I=0/49/1/0): 445:49, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (12:34:42.795 PDT) tcpslice 1369164882.795 1369164882.796 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 05/21/2013 12:34:42.795 PDT Gen. Time: 05/21/2013 12:38:36.238 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 186.117.139.25 (2) (12:34:42.795 PDT) event=777:7777008 (2) {tcp} E8[bh] Detected intense malware port scanning of 50 IPs (50 /24s) (# pkts S/M/O/I=0/49/1/0): 445:49, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (12:34:42.795 PDT) (12:37:06.500 PDT) tcpslice 1369164882.795 1369164882.796 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 05/21/2013 12:41:42.289 PDT Gen. Time: 05/21/2013 12:41:42.289 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 186.117.139.25 (12:41:42.289 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 53 IPs (53 /24s) (# pkts S/M/O/I=0/52/1/0): 445:52, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (12:41:42.289 PDT) tcpslice 1369165302.289 1369165302.290 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 05/21/2013 12:41:42.289 PDT Gen. Time: 05/21/2013 12:45:38.539 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 186.117.139.25 (2) (12:41:42.289 PDT) event=777:7777008 (2) {tcp} E8[bh] Detected intense malware port scanning of 53 IPs (53 /24s) (# pkts S/M/O/I=0/52/1/0): 445:52, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (12:41:42.289 PDT) 0->0 (12:43:13.574 PDT) tcpslice 1369165302.289 1369165302.290 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 05/21/2013 12:49:43.547 PDT Gen. Time: 05/21/2013 12:49:43.547 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 186.117.139.25 (12:49:43.547 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 56 IPs (56 /24s) (# pkts S/M/O/I=0/55/1/0): 445:55, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (12:49:43.547 PDT) tcpslice 1369165783.547 1369165783.548 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 05/21/2013 12:56:17.579 PDT Gen. Time: 05/21/2013 12:56:17.579 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 186.117.139.25 (12:56:17.579 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 58 IPs (58 /24s) (# pkts S/M/O/I=0/57/1/0): 445:57, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (12:56:17.579 PDT) tcpslice 1369166177.579 1369166177.580 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 05/21/2013 13:01:15.783 PDT Gen. Time: 05/21/2013 13:01:15.783 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 186.117.139.25 (13:01:15.783 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 60 IPs (60 /24s) (# pkts S/M/O/I=0/59/1/0): 445:59, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (13:01:15.783 PDT) tcpslice 1369166475.783 1369166475.784 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 05/21/2013 13:04:46.292 PDT Gen. Time: 05/21/2013 13:04:46.292 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 186.117.139.25 (13:04:46.292 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 61 IPs (61 /24s) (# pkts S/M/O/I=0/60/1/0): 445:60, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (13:04:46.292 PDT) tcpslice 1369166686.292 1369166686.293 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 05/21/2013 13:04:46.292 PDT Gen. Time: 05/21/2013 13:08:13.260 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 186.117.139.25 (2) (13:04:46.292 PDT) event=777:7777008 (2) {tcp} E8[bh] Detected intense malware port scanning of 61 IPs (61 /24s) (# pkts S/M/O/I=0/60/1/0): 445:60, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (13:04:46.292 PDT) 0->0 (13:06:57.119 PDT) tcpslice 1369166686.292 1369166686.293 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 05/21/2013 13:13:58.639 PDT Gen. Time: 05/21/2013 13:13:58.639 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 186.117.139.25 (13:13:58.639 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 63 IPs (63 /24s) (# pkts S/M/O/I=0/62/1/0): 445:62, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (13:13:58.639 PDT) tcpslice 1369167238.639 1369167238.640 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 05/21/2013 13:19:10.529 PDT Gen. Time: 05/21/2013 13:19:10.529 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 186.117.139.25 (13:19:10.529 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 64 IPs (64 /24s) (# pkts S/M/O/I=0/63/1/0): 445:63, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (13:19:10.529 PDT) tcpslice 1369167550.529 1369167550.530 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 05/21/2013 13:19:10.529 PDT Gen. Time: 05/21/2013 13:22:18.930 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 186.117.139.25 (2) (13:19:10.529 PDT) event=777:7777008 (2) {tcp} E8[bh] Detected intense malware port scanning of 64 IPs (64 /24s) (# pkts S/M/O/I=0/63/1/0): 445:63, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (13:19:10.529 PDT) (13:20:48.566 PDT) tcpslice 1369167550.529 1369167550.530 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 05/21/2013 13:22:38.197 PDT Gen. Time: 05/21/2013 13:22:38.197 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 186.117.139.25 (13:22:38.197 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 68 IPs (68 /24s) (# pkts S/M/O/I=0/67/1/0): 445:67, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (13:22:38.197 PDT) tcpslice 1369167758.197 1369167758.198 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 1.1 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 05/21/2013 15:34:59.837 PDT Gen. Time: 05/21/2013 15:35:44.188 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) 181.69.12.102 (15:34:59.837 PDT) event=777:7777005 {tcp} E5[bh] Detected moderate malware port scanning of 20 IPs (20 /24s) (# pkts S/M/O/I=0/20/0/0): 445:20, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (15:34:59.837 PDT) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 181.69.12.102 (15:35:44.188 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 21 IPs (21 /24s) (# pkts S/M/O/I=0/21/0/0): 445:21, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (15:35:44.188 PDT) tcpslice 1369175699.837 1369175699.838 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 1.1 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 05/21/2013 15:34:59.837 PDT Gen. Time: 05/21/2013 15:39:06.323 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) 181.69.12.102 (15:34:59.837 PDT) event=777:7777005 {tcp} E5[bh] Detected moderate malware port scanning of 20 IPs (20 /24s) (# pkts S/M/O/I=0/20/0/0): 445:20, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (15:34:59.837 PDT) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 181.69.12.102 (3) (15:35:44.188 PDT) event=777:7777008 (3) {tcp} E8[bh] Detected intense malware port scanning of 21 IPs (21 /24s) (# pkts S/M/O/I=0/21/0/0): 445:21, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (15:35:44.188 PDT) 0->0 (15:37:20.603 PDT) 0->0 (15:38:53.163 PDT) tcpslice 1369175699.837 1369175699.838 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 05/21/2013 15:41:44.760 PDT Gen. Time: 05/21/2013 15:41:44.760 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 181.69.12.102 (15:41:44.760 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 27 IPs (27 /24s) (# pkts S/M/O/I=0/27/0/0): 445:27, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (15:41:44.760 PDT) tcpslice 1369176104.760 1369176104.761 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 05/21/2013 15:41:44.760 PDT Gen. Time: 05/21/2013 15:45:39.180 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 181.69.12.102 (2) (15:41:44.760 PDT) event=777:7777008 (2) {tcp} E8[bh] Detected intense malware port scanning of 27 IPs (27 /24s) (# pkts S/M/O/I=0/27/0/0): 445:27, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (15:41:44.760 PDT) 0->0 (15:44:27.041 PDT) tcpslice 1369176104.760 1369176104.761 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 05/21/2013 15:48:27.167 PDT Gen. Time: 05/21/2013 15:48:27.167 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 181.69.12.102 (15:48:27.167 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 31 IPs (31 /24s) (# pkts S/M/O/I=0/31/0/0): 445:31, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (15:48:27.167 PDT) tcpslice 1369176507.167 1369176507.168 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 05/21/2013 15:48:27.167 PDT Gen. Time: 05/21/2013 15:52:18.398 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 181.69.12.102 (2) (15:48:27.167 PDT) event=777:7777008 (2) {tcp} E8[bh] Detected intense malware port scanning of 31 IPs (31 /24s) (# pkts S/M/O/I=0/31/0/0): 445:31, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (15:48:27.167 PDT) 0->0 (15:51:30.163 PDT) tcpslice 1369176507.167 1369176507.168 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 05/21/2013 15:56:09.572 PDT Gen. Time: 05/21/2013 15:56:09.572 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 181.69.12.102 (15:56:09.572 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 38 IPs (38 /24s) (# pkts S/M/O/I=0/38/0/0): 445:38, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (15:56:09.572 PDT) tcpslice 1369176969.572 1369176969.573 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 05/21/2013 15:56:09.572 PDT Gen. Time: 05/21/2013 16:00:25.742 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 181.69.12.102 (2) (15:56:09.572 PDT) event=777:7777008 (2) {tcp} E8[bh] Detected intense malware port scanning of 38 IPs (38 /24s) (# pkts S/M/O/I=0/38/0/0): 445:38, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (15:56:09.572 PDT) 0->0 (15:58:47.778 PDT) tcpslice 1369176969.572 1369176969.573 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 05/21/2013 16:01:30.878 PDT Gen. Time: 05/21/2013 16:01:30.878 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 181.69.12.102 (16:01:30.878 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 40 IPs (40 /24s) (# pkts S/M/O/I=0/40/0/0): 445:40, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (16:01:30.878 PDT) tcpslice 1369177290.878 1369177290.879 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 05/21/2013 16:01:30.878 PDT Gen. Time: 05/21/2013 16:05:22.592 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 181.69.12.102 (2) (16:01:30.878 PDT) event=777:7777008 (2) {tcp} E8[bh] Detected intense malware port scanning of 40 IPs (40 /24s) (# pkts S/M/O/I=0/40/0/0): 445:40, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (16:01:30.878 PDT) 0->0 (16:03:42.130 PDT) tcpslice 1369177290.878 1369177290.879 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 05/21/2013 16:08:45.237 PDT Gen. Time: 05/21/2013 16:08:45.237 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 181.69.12.102 (16:08:45.237 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 42 IPs (42 /24s) (# pkts S/M/O/I=0/42/0/0): 445:42, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (16:08:45.237 PDT) tcpslice 1369177725.237 1369177725.238 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 05/21/2013 16:08:45.237 PDT Gen. Time: 05/21/2013 16:12:25.362 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 181.69.12.102 (2) (16:08:45.237 PDT) event=777:7777008 (2) {tcp} E8[bh] Detected intense malware port scanning of 42 IPs (42 /24s) (# pkts S/M/O/I=0/42/0/0): 445:42, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (16:08:45.237 PDT) (16:10:53.581 PDT) tcpslice 1369177725.237 1369177725.238 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 05/21/2013 16:15:01.685 PDT Gen. Time: 05/21/2013 16:15:01.685 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 181.69.12.102 (16:15:01.685 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 44 IPs (44 /24s) (# pkts S/M/O/I=0/44/0/0): 445:44, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (16:15:01.685 PDT) tcpslice 1369178101.685 1369178101.686 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 05/21/2013 16:21:19.733 PDT Gen. Time: 05/21/2013 16:21:19.733 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 181.69.12.102 (16:21:19.733 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 45 IPs (45 /24s) (# pkts S/M/O/I=0/45/0/0): 445:45, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (16:21:19.733 PDT) tcpslice 1369178479.733 1369178479.734 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 05/21/2013 16:21:19.733 PDT Gen. Time: 05/21/2013 16:25:20.555 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 181.69.12.102 (2) (16:21:19.733 PDT) event=777:7777008 (2) {tcp} E8[bh] Detected intense malware port scanning of 45 IPs (45 /24s) (# pkts S/M/O/I=0/45/0/0): 445:45, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (16:21:19.733 PDT) 0->0 (16:23:59.509 PDT) tcpslice 1369178479.733 1369178479.734 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 05/21/2013 16:29:11.578 PDT Gen. Time: 05/21/2013 16:29:11.578 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 181.69.12.102 (16:29:11.578 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 47 IPs (47 /24s) (# pkts S/M/O/I=0/47/0/0): 445:47, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (16:29:11.578 PDT) tcpslice 1369178951.578 1369178951.579 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 05/21/2013 16:33:46.581 PDT Gen. Time: 05/21/2013 16:33:46.581 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 181.69.12.102 (16:33:46.581 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 50 IPs (50 /24s) (# pkts S/M/O/I=0/50/0/0): 445:50, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (16:33:46.581 PDT) tcpslice 1369179226.581 1369179226.582 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 05/21/2013 16:33:46.581 PDT Gen. Time: 05/21/2013 16:37:18.351 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 186.47.49.96 (16:35:25.766 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 52 IPs (52 /24s) (# pkts S/M/O/I=0/52/0/0): 445:52, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (16:35:25.766 PDT) 181.69.12.102 (16:33:46.581 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 50 IPs (50 /24s) (# pkts S/M/O/I=0/50/0/0): 445:50, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (16:33:46.581 PDT) tcpslice 1369179226.581 1369179226.582 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 05/21/2013 16:39:19.294 PDT Gen. Time: 05/21/2013 16:39:19.294 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 186.47.49.96 (16:39:19.294 PDT) event=777:7777008 {icmp} E8[bh] Detected intense malware port scanning of 53 IPs (53 /24s) (# pkts S/M/O/I=0/53/0/0): 445:53, [] MAC_Src: 00:21:1C:EE:14:00 (16:39:19.294 PDT) tcpslice 1369179559.294 1369179559.295 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 05/21/2013 16:39:19.294 PDT Gen. Time: 05/21/2013 16:43:20.180 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 186.47.49.96 (16:39:19.294 PDT) event=777:7777008 {icmp} E8[bh] Detected intense malware port scanning of 53 IPs (53 /24s) (# pkts S/M/O/I=0/53/0/0): 445:53, [] MAC_Src: 00:21:1C:EE:14:00 (16:39:19.294 PDT) 190.69.147.66 (2) (16:41:30.617 PDT) event=777:7777008 (2) {tcp} E8[bh] Detected intense malware port scanning of 55 IPs (55 /24s) (# pkts S/M/O/I=0/55/0/0): 445:55, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (16:41:30.617 PDT) 0->0 (16:43:06.583 PDT) tcpslice 1369179559.294 1369179559.295 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 05/21/2013 16:44:48.917 PDT Gen. Time: 05/21/2013 16:44:48.917 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 190.69.147.66 (16:44:48.917 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 58 IPs (58 /24s) (# pkts S/M/O/I=0/58/0/0): 445:58, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (16:44:48.917 PDT) tcpslice 1369179888.917 1369179888.918 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 05/21/2013 16:44:48.917 PDT Gen. Time: 05/21/2013 16:48:21.289 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 190.69.147.66 (2) (16:44:48.917 PDT) event=777:7777008 (2) {tcp} E8[bh] Detected intense malware port scanning of 58 IPs (58 /24s) (# pkts S/M/O/I=0/58/0/0): 445:58, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (16:44:48.917 PDT) 0->0 (16:47:03.158 PDT) tcpslice 1369179888.917 1369179888.918 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 05/21/2013 19:13:09.982 PDT Gen. Time: 05/21/2013 19:13:09.982 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 181.112.173.120 (19:13:09.982 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 21 IPs (21 /24s) (# pkts S/M/O/I=0/21/0/0): 445:21, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (19:13:09.982 PDT) tcpslice 1369188789.982 1369188789.983 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 05/21/2013 19:13:09.982 PDT Gen. Time: 05/21/2013 19:17:04.063 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 181.112.173.120 (2) (19:13:09.982 PDT) event=777:7777008 (2) {tcp} E8[bh] Detected intense malware port scanning of 21 IPs (21 /24s) (# pkts S/M/O/I=0/21/0/0): 445:21, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (19:13:09.982 PDT) 0->0 (19:16:07.351 PDT) tcpslice 1369188789.982 1369188789.983 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 05/21/2013 19:18:54.949 PDT Gen. Time: 05/21/2013 19:18:54.949 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 181.112.173.120 (19:18:54.949 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 24 IPs (24 /24s) (# pkts S/M/O/I=0/24/0/0): 445:24, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (19:18:54.949 PDT) tcpslice 1369189134.949 1369189134.950 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 05/21/2013 19:24:02.848 PDT Gen. Time: 05/21/2013 19:24:02.848 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 181.112.173.120 (19:24:02.848 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 28 IPs (28 /24s) (# pkts S/M/O/I=0/28/0/0): 445:28, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (19:24:02.848 PDT) tcpslice 1369189442.848 1369189442.849 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 05/21/2013 19:24:02.848 PDT Gen. Time: 05/21/2013 19:27:14.491 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 181.112.173.120 (2) (19:24:02.848 PDT) event=777:7777008 (2) {tcp} E8[bh] Detected intense malware port scanning of 28 IPs (28 /24s) (# pkts S/M/O/I=0/28/0/0): 445:28, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (19:24:02.848 PDT) 0->0 (19:26:05.781 PDT) tcpslice 1369189442.848 1369189442.849 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 05/21/2013 19:29:17.369 PDT Gen. Time: 05/21/2013 19:29:17.369 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 181.112.173.120 (19:29:17.369 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 33 IPs (33 /24s) (# pkts S/M/O/I=0/33/0/0): 445:33, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (19:29:17.369 PDT) tcpslice 1369189757.369 1369189757.370 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 05/21/2013 19:29:17.369 PDT Gen. Time: 05/21/2013 19:32:35.283 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 181.112.173.120 (2) (19:29:17.369 PDT) event=777:7777008 (2) {tcp} E8[bh] Detected intense malware port scanning of 33 IPs (33 /24s) (# pkts S/M/O/I=0/33/0/0): 445:33, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (19:29:17.369 PDT) 0->0 (19:31:39.575 PDT) tcpslice 1369189757.369 1369189757.370 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 05/21/2013 19:36:26.859 PDT Gen. Time: 05/21/2013 19:36:26.859 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 181.112.173.120 (19:36:26.859 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 35 IPs (35 /24s) (# pkts S/M/O/I=0/34/1/0): 445:34, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (19:36:26.859 PDT) tcpslice 1369190186.859 1369190186.860 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 05/21/2013 19:36:26.859 PDT Gen. Time: 05/21/2013 19:40:17.575 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 181.112.173.120 (2) (19:36:26.859 PDT) event=777:7777008 (2) {tcp} E8[bh] Detected intense malware port scanning of 35 IPs (35 /24s) (# pkts S/M/O/I=0/34/1/0): 445:34, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (19:36:26.859 PDT) (19:39:44.935 PDT) tcpslice 1369190186.859 1369190186.860 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.98 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 05/21/2013 19:45:15.779 PDT Gen. Time: 05/21/2013 19:45:15.779 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 181.112.173.120 (19:45:15.779 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 39 IPs (39 /24s) (# pkts S/M/O/I=0/38/1/0): 445:38, [] MAC_Src: 00:21:1C:EE:14:00 0->0 (19:45:15.779 PDT) tcpslice 1369190715.779 1369190715.780 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.98' ============================== SEPARATOR ================================