Score: 1.3 (>= 0.8)
Infected Target: 192.168.1.234
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/28/2013 11:49:21.930 PDT
Gen. Time: 05/28/2013 14:26:10.768 PDT

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
  192.47.243.4 (2) (11:50:47.650 PDT)
    event=1:2003068 (2) {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA
      25341->22 (11:50:47.650 PDT)
      3354->22 (11:50:47.799 PDT)
  192.47.243.231 (15) (11:49:21.930 PDT)
    event=1:2001219 (2) {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:21:1C:EE:14:00
      1324->22 (11:49:33.528 PDT)
      67->22 (11:49:49.510 PDT)
    -------------------------
    event=1:2001569 {tcp} E5[rb] ET SCAN Behavioral Unusual Port NETBIOS traffic, Potential Scan or Infection (60 in 60 secs), [] MAC_Src: 00:21:1C:EE:14:00
      20->139 (11:49:46.708 PDT)
    -------------------------
    event=1:2002992 {tcp} E5[rb] ET SCAN Rapid POP3 Connections - Possible Brute Force Attack, [] MAC_Src: 00:21:1C:EE:14:00
      20->110 (11:49:45.298 PDT)
    -------------------------
    event=1:2002994 {tcp} E5[rb] ET SCAN Rapid IMAP Connections - Possible Brute Force Attack, [] MAC_Src: 00:21:1C:EE:14:00
      20->143 (11:49:45.439 PDT)
    -------------------------
    event=1:2003068 (10) {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA
      1294->22 (11:49:21.930 PDT)
      2982->22 (11:49:27.819 PDT)
      1324->22 (11:49:33.527 PDT)
      1324->22 (11:49:33.528 PDT)
      21->22 (11:49:41.798 PDT)
      20->22 (11:49:44.388 PDT)
      53->22 (11:49:46.959 PDT)
      67->22 (11:49:49.510 PDT)
      1034->22 (11:49:54.618 PDT)
      34561->22 (11:49:57.168 PDT)
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN
  192.47.243.215 (14:26:10.768 PDT)
    event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 33 IPs (1 /24s) (# pkts S/M/O/I=96/638/0/0): 22:33, 139:33, 445:33, 2100:33, 3306:33, 4445:33, 27374:33, 136:32, 137:32, 138:32, 1025:32, 1433:32, 5000:32, 5554:32, 3127:31, 6129:31, 10000:31, 559:30, 2067:30, 9996:30, [] MAC_Src: 00:01:64:FF:CE:EA
      0->0 (14:26:10.768 PDT)

tcpslice 1369766961.930 1369766961.931 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.234'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.234
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 05/28/2013 14:26:16.935 PDT
Gen. Time: 05/28/2013 14:26:16.935 PDT

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN
  192.47.243.209 (14:26:16.935 PDT)
    event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 49 IPs (1 /24s) (# pkts S/M/O/I=145/972/34506/0): 22:49, 136:49, 137:49, 138:49, 139:49, 445:49, 1433:49, 2100:49, 3306:49, 4445:49, 5554:49, 6129:49, 27374:49, 559:48, 1025:48, 3127:48, 5000:48, 9996:48, 10000:48, 2067:47, [] MAC_Src: 00:01:64:FF:CE:EA
      0->0 (14:26:16.935 PDT)

tcpslice 1369776376.935 1369776376.936 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.234'

============================== SEPARATOR ================================