Score: 1.1 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 27.134.78.183
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 06/04/2013 01:40:42.307 PDT
Gen. Time: 06/04/2013 01:42:48.285 PDT

INBOUND SCAN
EXPLOIT
  27.134.78.183 (01:40:42.307 PDT)
    event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
    445<-58476 (01:40:42.307 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
  69.43.161.167 (01:42:48.285 PDT)
    event=1:9930020 {udp} E8[unk] ET ShadowServer confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40
    58359->33434 (01:42:48.285 PDT)
DECLARE BOT Local Threat Triggered
DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1370335242.307 1370335242.308 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 91.105.87.59
Egg Source List: 91.105.87.59
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 06/04/2013 02:02:55.762 PDT
Gen. Time: 06/04/2013 02:02:58.499 PDT

INBOUND SCAN
EXPLOIT
  91.105.87.59 (02:02:55.762 PDT)
    event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
    445<-2798 (02:02:55.762 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
  91.105.87.59 (02:02:58.499 PDT)
    event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
    46296<-5832 (02:02:58.499 PDT)
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1370336575.762 1370336575.763 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 192.69.200.102, 91.105.87.59, 223.143.229.55
Egg Source List: 192.69.200.102, 91.105.87.59, 223.143.229.55
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 06/04/2013 02:02:55.762 PDT
Gen. Time: 06/04/2013 02:08:42.492 PDT

INBOUND SCAN
EXPLOIT
  192.69.200.102 (02:06:50.006 PDT)
    event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
    445<-2668 (02:06:50.006 PDT)
  91.105.87.59 (02:02:55.762 PDT)
    event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
    445<-2798 (02:02:55.762 PDT)
  223.143.229.55 (02:05:54.775 PDT)
    event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
    445<-1490 (02:05:54.775 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
  192.69.200.102 (02:06:53.218 PDT)
    event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
    39312<-5722 (02:06:53.218 PDT)
  91.105.87.59 (02:02:58.499 PDT)
    event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
    46296<-5832 (02:02:58.499 PDT)
  223.143.229.55 (02:05:58.265 PDT)
    event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
    47861<-9252 (02:05:58.265 PDT)
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1370336575.762 1370336575.763 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 124.123.31.96
Egg Source List: 124.123.31.96
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 06/04/2013 02:42:38.598 PDT
Gen. Time: 06/04/2013 02:42:41.557 PDT

INBOUND SCAN
EXPLOIT
  124.123.31.96 (02:42:38.598 PDT)
    event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
    445<-2028 (02:42:38.598 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
  124.123.31.96 (02:42:41.557 PDT)
    event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
    33909<-6475 (02:42:41.557 PDT)
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1370338958.598 1370338958.599 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 2.191.87.167, 124.123.31.96
Egg Source List: 124.123.31.96
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 06/04/2013 02:42:38.598 PDT
Gen. Time: 06/04/2013 02:48:24.961 PDT

INBOUND SCAN
EXPLOIT
  2.191.87.167 (02:44:41.552 PDT)
    event=1:22009200 {tcp} E2[rb] ET CURRENT_EVENTS Conficker.a Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
    445<-4332 (02:44:41.552 PDT)
  124.123.31.96 (02:42:38.598 PDT)
    event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
    445<-2028 (02:42:38.598 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
  124.123.31.96 (02:42:41.557 PDT)
    event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
    33909<-6475 (02:42:41.557 PDT)
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1370338958.598 1370338958.599 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 183.82.166.233
Egg Source List: 183.82.166.233
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 06/04/2013 03:14:41.306 PDT
Gen. Time: 06/04/2013 03:14:44.299 PDT

INBOUND SCAN
EXPLOIT
  183.82.166.233 (03:14:41.306 PDT)
    event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
    445<-1821 (03:14:41.306 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
  183.82.166.233 (03:14:44.299 PDT)
    event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
    32880<-6023 (03:14:44.299 PDT)
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1370340881.306 1370340881.307 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 79.126.77.190, 183.82.166.233, 213.136.49.6
Egg Source List: 79.126.77.190, 183.82.166.233
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 06/04/2013 03:14:41.306 PDT
Gen. Time: 06/04/2013 03:18:58.513 PDT

INBOUND SCAN
EXPLOIT
  79.126.77.190 (03:16:34.701 PDT)
    event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
    445<-2960 (03:16:34.701 PDT)
  183.82.166.233 (03:14:41.306 PDT)
    event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
    445<-1821 (03:14:41.306 PDT)
  213.136.49.6 (03:15:25.080 PDT)
    event=1:22465 {tcp} E2[rb] GPL NETBIOS SMB-DS IPC$ share access, [] MAC_Dst: 00:21:5A:08:EC:40
    445<-18912 (03:15:25.080 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
  79.126.77.190 (03:16:38.181 PDT)
    event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
    39518<-2455 (03:16:38.181 PDT)
  183.82.166.233 (03:14:44.299 PDT)
    event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
    32880<-6023 (03:14:44.299 PDT)
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1370340881.306 1370340881.307 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 200.125.191.45
Egg Source List: 200.125.191.45
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 06/04/2013 04:03:45.502 PDT
Gen. Time: 06/04/2013 04:03:48.792 PDT

INBOUND SCAN
EXPLOIT
  200.125.191.45 (04:03:45.502 PDT)
    event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
    445<-4566 (04:03:45.502 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
  200.125.191.45 (04:03:48.792 PDT)
    event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
    39455<-4343 (04:03:48.792 PDT)
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1370343825.502 1370343825.503 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 190.203.172.98
Egg Source List: 190.203.172.98
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 06/04/2013 04:12:03.688 PDT
Gen. Time: 06/04/2013 04:12:07.117 PDT

INBOUND SCAN
EXPLOIT
  190.203.172.98 (04:12:03.688 PDT)
    event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
    445<-1876 (04:12:03.688 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
  190.203.172.98 (04:12:07.117 PDT)
    event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
    44774<-1072 (04:12:07.117 PDT)
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1370344323.688 1370344323.689 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 94.229.65.24, 190.203.172.98
Egg Source List: 94.229.65.24, 190.203.172.98
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 06/04/2013 04:12:03.688 PDT
Gen. Time: 06/04/2013 04:17:25.512 PDT

INBOUND SCAN
EXPLOIT
  94.229.65.24 (04:13:42.421 PDT)
    event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
    445<-2655 (04:13:42.421 PDT)
  190.203.172.98 (04:12:03.688 PDT)
    event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
    445<-1876 (04:12:03.688 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
  94.229.65.24 (04:13:46.186 PDT)
    event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
    48039<-6801 (04:13:46.186 PDT)
  190.203.172.98 (04:12:07.117 PDT)
    event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
    44774<-1072 (04:12:07.117 PDT)
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1370344323.688 1370344323.689 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 81.198.36.76
Egg Source List: 81.198.36.76
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 06/04/2013 04:51:21.385 PDT
Gen. Time: 06/04/2013 04:51:24.744 PDT

INBOUND SCAN
EXPLOIT
  81.198.36.76 (04:51:21.385 PDT)
    event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
    445<-4727 (04:51:21.385 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
  81.198.36.76 (04:51:24.744 PDT)
    event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
    57289<-4381 (04:51:24.744 PDT)
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1370346681.385 1370346681.386 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 61.62.99.86
Egg Source List: 61.62.99.86
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 06/04/2013 05:01:00.636 PDT
Gen. Time: 06/04/2013 05:01:03.720 PDT

INBOUND SCAN
EXPLOIT
  61.62.99.86 (05:01:00.636 PDT)
    event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
    445<-4764 (05:01:00.636 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
  61.62.99.86 (05:01:03.720 PDT)
    event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
    37581<-8154 (05:01:03.720 PDT)
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1370347260.636 1370347260.637 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 89.44.14.43, 186.113.21.230, 201.30.52.250
Egg Source List: 186.113.21.230
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 06/04/2013 05:41:06.621 PDT
Gen. Time: 06/04/2013 05:43:07.434 PDT

INBOUND SCAN
EXPLOIT
  89.44.14.43 (05:41:38.244 PDT)
    event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
    445<-1902 (05:41:38.244 PDT)
  186.113.21.230 (05:43:02.888 PDT)
    event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
    445<-3025 (05:43:02.888 PDT)
  201.30.52.250 (05:41:06.621 PDT)
    event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
    445<-3874 (05:41:06.621 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
  186.113.21.230 (05:43:07.434 PDT)
    event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
    34105<-5779 (05:43:07.434 PDT)
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1370349666.621 1370349666.622 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 89.44.14.43, 186.113.21.230, 201.30.52.250
Egg Source List: 186.113.21.230, 201.30.52.250
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 06/04/2013 05:41:06.621 PDT
Gen. Time: 06/04/2013 05:45:25.103 PDT

INBOUND SCAN
EXPLOIT
  89.44.14.43 (05:41:38.244 PDT)
    event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
    445<-1902 (05:41:38.244 PDT)
  186.113.21.230 (05:43:02.888 PDT)
    event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
    445<-3025 (05:43:02.888 PDT)
  201.30.52.250 (05:41:06.621 PDT)
    event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
    445<-3874 (05:41:06.621 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
  186.113.21.230 (05:43:07.434 PDT)
    event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
    34105<-5779 (05:43:07.434 PDT)
  201.30.52.250 (05:41:09.313 PDT)
    event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
    54799<-3708 (05:41:09.313 PDT)
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1370349666.621 1370349666.622 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 192.69.200.102
Egg Source List: 192.69.200.102
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 06/04/2013 05:47:56.929 PDT
Gen. Time: 06/04/2013 05:47:59.064 PDT

INBOUND SCAN
EXPLOIT
  192.69.200.102 (05:47:56.929 PDT)
    event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
    445<-3708 (05:47:56.929 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
  192.69.200.102 (05:47:59.064 PDT)
    event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
    41222<-5722 (05:47:59.064 PDT)
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1370350076.929 1370350076.930 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 62.248.28.115
Egg Source List: 62.248.28.115
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 06/04/2013 06:03:21.848 PDT
Gen. Time: 06/04/2013 06:03:24.872 PDT

INBOUND SCAN
EXPLOIT
  62.248.28.115 (06:03:21.848 PDT)
    event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
    445<-43939 (06:03:21.848 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
  62.248.28.115 (06:03:24.872 PDT)
    event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
    46672<-2076 (06:03:24.872 PDT)
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1370351001.848 1370351001.849 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 118.163.181.87
Egg Source List: 118.163.181.87
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 06/04/2013 06:10:34.658 PDT
Gen. Time: 06/04/2013 06:10:38.107 PDT

INBOUND SCAN
EXPLOIT
  118.163.181.87 (06:10:34.658 PDT)
    event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
    445<-4817 (06:10:34.658 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
  118.163.181.87 (06:10:38.107 PDT)
    event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
    33190<-9945 (06:10:38.107 PDT)
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1370351434.658 1370351434.659 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 223.204.167.112, 61.247.178.246
Egg Source List: 61.247.178.246
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 06/04/2013 06:56:14.293 PDT
Gen. Time: 06/04/2013 06:56:18.472 PDT

INBOUND SCAN
EXPLOIT
  223.204.167.112 (06:58:22.971 PDT)
    event=1:22465 {tcp} E2[rb] GPL NETBIOS SMB-DS IPC$ share access, [] MAC_Dst: 00:21:5A:08:EC:40
    445<-47697 (06:58:22.971 PDT)
  61.247.178.246 (06:56:14.293 PDT)
    event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
    445<-3884 (06:56:14.293 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
  61.247.178.246 (06:56:18.472 PDT)
    event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
    45233<-6594 (06:56:18.472 PDT)
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1370354174.293 1370354174.294 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 79.126.77.190
Egg Source List: 79.126.77.190
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 06/04/2013 07:05:28.685 PDT
Gen. Time: 06/04/2013 07:05:31.743 PDT

INBOUND SCAN
EXPLOIT
  79.126.77.190 (07:05:28.685 PDT)
    event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
    445<-3181 (07:05:28.685 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
  79.126.77.190 (07:05:31.743 PDT)
    event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
    55396<-2455 (07:05:31.743 PDT)
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1370354728.685 1370354728.686 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 189.126.177.62
Egg Source List: 125.173.243.253
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 06/04/2013 07:20:03.029 PDT
Gen. Time: 06/04/2013 07:20:03.029 PDT

INBOUND SCAN
EXPLOIT
  189.126.177.62 (07:23:25.746 PDT)
    event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
    445<-2920 (07:23:25.746 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
  125.173.243.253 (07:20:03.029 PDT)
    event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
    51212<-2541 (07:20:03.029 PDT)
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1370355603.029 1370355603.030 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 118.171.121.202
Egg Source List: 118.171.121.202
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 06/04/2013 07:39:22.980 PDT
Gen. Time: 06/04/2013 07:39:26.470 PDT

INBOUND SCAN
EXPLOIT
  118.171.121.202 (07:39:22.980 PDT)
    event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
    445<-2795 (07:39:22.980 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
  118.171.121.202 (07:39:26.470 PDT)
    event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
    44636<-7198 (07:39:26.470 PDT)
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1370356762.980 1370356762.981 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 200.125.191.45
Egg Source List: 200.125.191.45
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 06/04/2013 07:45:10.841 PDT
Gen. Time: 06/04/2013 07:45:16.437 PDT

INBOUND SCAN
EXPLOIT
  200.125.191.45 (07:45:10.841 PDT)
    event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
    445<-3535 (07:45:10.841 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
  200.125.191.45 (07:45:16.437 PDT)
    event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
    44937<-4343 (07:45:16.437 PDT)
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1370357110.841 1370357110.842 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 94.229.65.24, 190.203.172.98, 94.72.174.102
Egg Source List: 94.229.65.24
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 06/04/2013 07:53:21.550 PDT
Gen. Time: 06/04/2013 07:55:00.839 PDT

INBOUND SCAN
EXPLOIT
  94.229.65.24 (07:54:56.718 PDT)
    event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
    445<-1779 (07:54:56.718 PDT)
  190.203.172.98 (07:53:21.550 PDT)
    event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
    445<-3167 (07:53:21.550 PDT)
  94.72.174.102 (07:56:49.942 PDT)
    event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
    445<-3817 (07:56:49.942 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
  94.229.65.24 (07:55:00.839 PDT)
    event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
    42186<-6801 (07:55:00.839 PDT)
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1370357601.550 1370357601.551 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 94.229.65.24, 190.203.172.98, 94.72.174.102
Egg Source List: 94.229.65.24
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 06/04/2013 07:53:21.550 PDT
Gen. Time: 06/04/2013 07:59:09.104 PDT

INBOUND SCAN
EXPLOIT
  94.229.65.24 (3) (07:54:52.346 PDT)
    event=1:22008705 {tcp} E2[rb] ET NETBIOS Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (15), [] MAC_Dst: 00:21:5A:08:EC:40
    445<-1779 (07:54:52.346 PDT)
    -------------------------
    event=1:22008715 {tcp} E2[rb] ET NETBIOS Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (25), [] MAC_Dst: 00:21:5A:08:EC:40
    445<-1779 (07:54:52.346 PDT)
    -------------------------
    event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
    445<-1779 (07:54:56.718 PDT)
  190.203.172.98 (07:53:21.550 PDT)
    event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
    445<-3167 (07:53:21.550 PDT)
  94.72.174.102 (07:56:49.942 PDT)
    event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
    445<-3817 (07:56:49.942 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
  94.229.65.24 (07:55:00.839 PDT)
    event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
    42186<-6801 (07:55:00.839 PDT)
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1370357601.550 1370357601.551 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 212.225.151.52, 81.198.36.76, 190.211.227.12, 66.109.29.42, 176.42.45.234
Egg Source List: 66.109.29.42
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 06/04/2013 08:52:39.460 PDT
Gen. Time: 06/04/2013 08:58:19.915 PDT

INBOUND SCAN
EXPLOIT
  212.225.151.52 (09:00:31.786 PDT)
    event=1:22009200 {tcp} E2[rb] ET CURRENT_EVENTS Conficker.a Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
    445<-1474 (09:00:31.786 PDT)
  81.198.36.76 (08:54:56.822 PDT)
    event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
    445<-2865 (08:54:56.822 PDT)
  190.211.227.12 (08:56:13.622 PDT)
    event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
    445<-3103 (08:56:13.622 PDT)
  66.109.29.42 (08:58:15.414 PDT)
    event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
    445<-1732 (08:58:15.414 PDT)
  176.42.45.234 (08:52:39.460 PDT)
    event=1:22465 {tcp} E2[rb] GPL NETBIOS SMB-DS IPC$ share access, [] MAC_Dst: 00:21:5A:08:EC:40
    445<-59196 (08:52:39.460 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
  66.109.29.42 (08:58:19.915 PDT)
    event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
    39288<-4782 (08:58:19.915 PDT)
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1370361159.460 1370361159.461 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 202.43.110.38, 78.52.205.202
Egg Source List: 78.52.205.202
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 06/04/2013 09:08:48.329 PDT
Gen. Time: 06/04/2013 09:12:33.715 PDT

INBOUND SCAN
EXPLOIT
  202.43.110.38 (09:08:48.329 PDT)
    event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
    445<-3881 (09:08:48.329 PDT)
  78.52.205.202 (09:12:29.938 PDT)
    event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
    445<-3968 (09:12:29.938 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
  78.52.205.202 (09:12:33.715 PDT)
    event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
    56202<-4121 (09:12:33.715 PDT)
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1370362128.329 1370362128.330 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 202.43.110.38, 78.52.205.202
Egg Source List: 202.43.110.38, 78.52.205.202
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 06/04/2013 09:08:48.329 PDT
Gen. Time: 06/04/2013 09:08:52.072 PDT

INBOUND SCAN
EXPLOIT
  202.43.110.38 (09:08:48.329 PDT)
    event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
    445<-3881 (09:08:48.329 PDT)
  78.52.205.202 (09:12:29.938 PDT)
    event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
    445<-3968 (09:12:29.938 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
  202.43.110.38 (09:08:52.072 PDT)
    event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
    49719<-7766 (09:08:52.072 PDT)
  78.52.205.202 (09:12:33.715 PDT)
    event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00
    56202<-4121 (09:12:33.715 PDT)
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1370362128.329 1370362128.330 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 201.30.52.250
Egg Source List: 201.30.52.250
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 06/04/2013 09:22:22.567 PDT
Gen.
Time: 06/04/2013 09:22:26.115 PDT INBOUND SCAN EXPLOIT 201.30.52.250 (09:22:22.567 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-1587 (09:22:22.567 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 201.30.52.250 (09:22:26.115 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 46940<-3708 (09:22:26.115 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1370362942.567 1370362942.568 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 89.44.14.43, 123.140.89.75 Egg Source List: 123.140.89.75 C & C List: Peer Coord. List: Resource List: Observed Start: 06/04/2013 09:40:48.278 PDT Gen. 
Time: 06/04/2013 09:40:51.117 PDT INBOUND SCAN EXPLOIT 89.44.14.43 (09:42:11.354 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-2726 (09:42:11.354 PDT) 123.140.89.75 (09:40:48.278 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-2382 (09:40:48.278 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 123.140.89.75 (09:40:51.117 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 54002<-7809 (09:40:51.117 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1370364048.278 1370364048.279 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 89.44.14.43, 123.140.89.75 Egg Source List: 89.44.14.43, 123.140.89.75 C & C List: Peer Coord. List: Resource List: Observed Start: 06/04/2013 09:40:48.278 PDT Gen. 
Time: 06/04/2013 09:46:32.723 PDT INBOUND SCAN EXPLOIT 89.44.14.43 (09:42:11.354 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-2726 (09:42:11.354 PDT) 123.140.89.75 (09:40:48.278 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-2382 (09:40:48.278 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 89.44.14.43 (09:42:14.073 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 55669<-3044 (09:42:14.073 PDT) 123.140.89.75 (09:40:51.117 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 54002<-7809 (09:40:51.117 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1370364048.278 1370364048.279 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 114.44.191.39 Egg Source List: 114.44.191.39 C & C List: Peer Coord. List: Resource List: Observed Start: 06/04/2013 10:37:50.498 PDT Gen. 
Time: 06/04/2013 10:37:53.064 PDT INBOUND SCAN EXPLOIT 114.44.191.39 (10:37:50.498 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-3678 (10:37:50.498 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 114.44.191.39 (10:37:53.064 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 35789<-6489 (10:37:53.064 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1370367470.498 1370367470.499 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 64.79.93.103, 189.89.233.221 Egg Source List: 64.79.93.103 C & C List: Peer Coord. List: Resource List: Observed Start: 06/04/2013 10:41:14.692 PDT Gen. 
Time: 06/04/2013 10:42:11.180 PDT INBOUND SCAN EXPLOIT 64.79.93.103 (10:42:08.617 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-3873 (10:42:08.617 PDT) 189.89.233.221 (10:41:14.692 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-3609 (10:41:14.692 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 64.79.93.103 (10:42:11.180 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 45636<-5557 (10:42:11.180 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1370367674.692 1370367674.693 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 201.208.19.164, 64.79.93.103, 189.89.233.221 Egg Source List: 201.208.19.164, 64.79.93.103, 189.89.233.221 C & C List: Peer Coord. List: Resource List: Observed Start: 06/04/2013 10:41:14.692 PDT Gen. 
Time: 06/04/2013 10:47:42.093 PDT INBOUND SCAN EXPLOIT 201.208.19.164 (10:43:37.239 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-4406 (10:43:37.239 PDT) 64.79.93.103 (10:42:08.617 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-3873 (10:42:08.617 PDT) 189.89.233.221 (10:41:14.692 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-3609 (10:41:14.692 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 201.208.19.164 (10:43:41.115 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 42630<-2439 (10:43:41.115 PDT) 64.79.93.103 (10:42:11.180 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 45636<-5557 (10:42:11.180 PDT) 189.89.233.221 (10:41:18.272 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 38715<-3324 (10:41:18.272 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1370367674.692 1370367674.693 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 186.90.243.106, 200.109.187.104 Egg Source List: 186.90.243.106 C & C List: Peer Coord. List: Resource List: Observed Start: 06/04/2013 10:50:31.738 PDT Gen. 
Time: 06/04/2013 10:50:34.509 PDT INBOUND SCAN EXPLOIT 186.90.243.106 (10:50:31.738 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-1462 (10:50:31.738 PDT) 200.109.187.104 (10:52:40.363 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-2573 (10:52:40.363 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 186.90.243.106 (10:50:34.509 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 55268<-6797 (10:50:34.509 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1370368231.738 1370368231.739 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 190.137.169.241 Egg Source List: 200.109.187.104 C & C List: Peer Coord. List: Resource List: Observed Start: 06/04/2013 10:52:44.609 PDT Gen. 
Time: 06/04/2013 10:55:31.491 PDT INBOUND SCAN EXPLOIT 190.137.169.241 (10:55:31.491 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-2564 (10:55:31.491 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 200.109.187.104 (10:52:44.609 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 42037<-2836 (10:52:44.609 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1370368364.609 1370368364.610 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 110.74.190.14, 190.137.169.241 Egg Source List: 200.109.187.104, 190.137.169.241 C & C List: Peer Coord. List: Resource List: Observed Start: 06/04/2013 10:52:44.609 PDT Gen. 
Time: 06/04/2013 11:01:39.010 PDT INBOUND SCAN EXPLOIT 110.74.190.14 (10:59:15.940 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-3524 (10:59:15.940 PDT) 190.137.169.241 (10:55:31.491 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-2564 (10:55:31.491 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 200.109.187.104 (10:52:44.609 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 42037<-2836 (10:52:44.609 PDT) 190.137.169.241 (10:55:35.427 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 35602<-4064 (10:55:35.427 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1370368364.609 1370368364.610 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 189.126.177.62 Egg Source List: 125.173.243.253 C & C List: Peer Coord. List: Resource List: Observed Start: 06/04/2013 11:04:42.466 PDT Gen. 
Time: 06/04/2013 11:08:09.328 PDT INBOUND SCAN EXPLOIT 189.126.177.62 (11:08:09.328 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-2164 (11:08:09.328 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 125.173.243.253 (11:04:42.466 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 37309<-2541 (11:04:42.466 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1370369082.466 1370369082.467 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 189.126.177.62 Egg Source List: 189.126.177.62, 125.173.243.253 C & C List: Peer Coord. List: Resource List: Observed Start: 06/04/2013 11:04:42.466 PDT Gen. 
Time: 06/04/2013 11:12:30.537 PDT INBOUND SCAN EXPLOIT 189.126.177.62 (11:08:09.328 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-2164 (11:08:09.328 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 189.126.177.62 (2) (11:08:13.150 PDT) event=1:2001683 {tcp} E3[rb] ET MALWARE Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 42041<-80 (11:08:13.150 PDT) ------------------------- event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 42041<-80 (11:08:13.150 PDT) 125.173.243.253 (11:04:42.466 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 37309<-2541 (11:04:42.466 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1370369082.466 1370369082.467 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 121.65.217.2 Egg Source List: 121.65.217.2 C & C List: Peer Coord. List: Resource List: Observed Start: 06/04/2013 11:20:10.776 PDT Gen. 
Time: 06/04/2013 11:20:15.462 PDT INBOUND SCAN EXPLOIT 121.65.217.2 (11:20:10.776 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-2080 (11:20:10.776 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 121.65.217.2 (11:20:15.462 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 54937<-4256 (11:20:15.462 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1370370010.776 1370370010.777 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 46.242.19.55 Egg Source List: 46.242.19.55 C & C List: Peer Coord. List: Resource List: Observed Start: 06/04/2013 11:32:41.524 PDT Gen. 
Time: 06/04/2013 11:32:44.256 PDT INBOUND SCAN EXPLOIT 46.242.19.55 (11:32:41.524 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-2581 (11:32:41.524 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 46.242.19.55 (11:32:44.256 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 52903<-4728 (11:32:44.256 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1370370761.524 1370370761.525 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 201.248.105.165 Egg Source List: 201.248.105.165 C & C List: Peer Coord. List: Resource List: Observed Start: 06/04/2013 11:50:28.583 PDT Gen. 
Time: 06/04/2013 11:50:31.151 PDT INBOUND SCAN EXPLOIT 201.248.105.165 (11:50:28.583 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-1670 (11:50:28.583 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 201.248.105.165 (11:50:31.151 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 55687<-6534 (11:50:31.151 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1370371828.583 1370371828.584 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 116.26.127.138, 93.115.4.94 Egg Source List: 93.115.4.94 C & C List: Peer Coord. List: Resource List: Observed Start: 06/04/2013 12:10:09.047 PDT Gen. 
Time: 06/04/2013 12:13:17.366 PDT INBOUND SCAN EXPLOIT 116.26.127.138 (12:10:09.047 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-3859 (12:10:09.047 PDT) 93.115.4.94 (12:13:11.674 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-4151 (12:13:11.674 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 93.115.4.94 (12:13:17.366 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 45329<-2191 (12:13:17.366 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1370373009.047 1370373009.048 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 116.26.127.138, 93.115.4.94 Egg Source List: 116.26.127.138, 93.115.4.94 C & C List: Peer Coord. List: Resource List: Observed Start: 06/04/2013 12:10:09.047 PDT Gen. 
Time: 06/04/2013 12:14:26.277 PDT INBOUND SCAN EXPLOIT 116.26.127.138 (12:10:09.047 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-3859 (12:10:09.047 PDT) 93.115.4.94 (12:13:11.674 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-4151 (12:13:11.674 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 116.26.127.138 (12:10:14.597 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 34664<-5804 (12:10:14.597 PDT) 93.115.4.94 (12:13:17.366 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 45329<-2191 (12:13:17.366 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1370373009.047 1370373009.048 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.9 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 94.72.174.102 Egg Source List: 94.72.174.102 C & C List: 69.64.42.226 Peer Coord. List: Resource List: Observed Start: 06/04/2013 12:20:22.609 PDT Gen. 
Time: 06/04/2013 12:20:26.406 PDT INBOUND SCAN EXPLOIT 94.72.174.102 (12:20:22.609 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-3973 (12:20:22.609 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 94.72.174.102 (12:20:26.406 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 35172<-1466 (12:20:26.406 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) 69.64.42.226 (12:20:34.487 PDT) event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:EC:40 4815->61872 (12:20:34.487 PDT) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1370373622.609 1370373622.610 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 66.109.29.42 Egg Source List: 66.109.29.42 C & C List: Peer Coord. List: Resource List: Observed Start: 06/04/2013 12:39:37.671 PDT Gen. 
Time: 06/04/2013 12:39:41.359 PDT INBOUND SCAN EXPLOIT 66.109.29.42 (12:39:37.671 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-4232 (12:39:37.671 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 66.109.29.42 (12:39:41.359 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 39943<-4782 (12:39:41.359 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1370374777.671 1370374777.672 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 186.26.181.115, 181.95.229.216, 186.89.87.225 Egg Source List: 186.89.87.225 C & C List: Peer Coord. List: Resource List: Observed Start: 06/04/2013 13:11:32.462 PDT Gen. 
Time: 06/04/2013 13:11:34.703 PDT INBOUND SCAN EXPLOIT 186.26.181.115 (13:13:34.435 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-3481 (13:13:34.435 PDT) 181.95.229.216 (13:12:57.993 PDT) event=1:22465 {tcp} E2[rb] GPL NETBIOS SMB-DS IPC$ share access, [] MAC_Dst: 00:21:5A:08:EC:40 445<-1744 (13:12:57.993 PDT) 186.89.87.225 (13:11:32.462 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-3839 (13:11:32.462 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 186.89.87.225 (13:11:34.703 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 46132<-5140 (13:11:34.703 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1370376692.462 1370376692.463 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 81.0.82.128, 87.120.252.75 Egg Source List: 87.120.252.75 C & C List: Peer Coord. List: Resource List: Observed Start: 06/04/2013 13:28:12.432 PDT Gen. 
Time: 06/04/2013 13:28:16.027 PDT INBOUND SCAN EXPLOIT 81.0.82.128 (13:29:57.946 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-4125 (13:29:57.946 PDT) 87.120.252.75 (13:28:12.432 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-3722 (13:28:12.432 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 87.120.252.75 (13:28:16.027 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 48704<-6511 (13:28:16.027 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1370377692.432 1370377692.433 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 208.14.110.226, 123.140.89.75 Egg Source List: 123.140.89.75 C & C List: Peer Coord. List: Resource List: Observed Start: 06/04/2013 13:56:24.119 PDT Gen. 
Time: 06/04/2013 13:56:26.794 PDT INBOUND SCAN EXPLOIT 208.14.110.226 (13:59:06.002 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-1246 (13:59:06.002 PDT) 123.140.89.75 (13:56:24.119 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-2034 (13:56:24.119 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 123.140.89.75 (13:56:26.794 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 34546<-7809 (13:56:26.794 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1370379384.119 1370379384.120 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 114.44.191.39 Egg Source List: 114.44.191.39 C & C List: Peer Coord. List: Resource List: Observed Start: 06/04/2013 14:19:21.976 PDT Gen. 
Time: 06/04/2013 14:19:24.291 PDT INBOUND SCAN EXPLOIT 114.44.191.39 (14:19:21.976 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-2527 (14:19:21.976 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 114.44.191.39 (14:19:24.291 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 59985<-6489 (14:19:24.291 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1370380761.976 1370380761.977 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 114.44.191.39, 64.79.93.103 Egg Source List: 114.44.191.39, 64.79.93.103 C & C List: Peer Coord. List: Resource List: Observed Start: 06/04/2013 14:19:21.976 PDT Gen. 
Time: 06/04/2013 14:27:33.146 PDT INBOUND SCAN EXPLOIT 114.44.191.39 (14:19:21.976 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-2527 (14:19:21.976 PDT) 64.79.93.103 (14:23:17.012 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-1635 (14:23:17.012 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 114.44.191.39 (14:19:24.291 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 59985<-6489 (14:19:24.291 PDT) 64.79.93.103 (14:23:19.345 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 60760<-5557 (14:23:19.345 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1370380761.976 1370380761.977 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 110.74.190.14 Egg Source List: 110.74.190.14 C & C List: Peer Coord. List: Resource List: Observed Start: 06/04/2013 14:40:20.975 PDT Gen. 
Time: 06/04/2013 14:40:23.369 PDT INBOUND SCAN EXPLOIT 110.74.190.14 (14:40:20.975 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-1541 (14:40:20.975 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 110.74.190.14 (14:40:23.369 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 50182<-7196 (14:40:23.369 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1370382020.975 1370382020.976 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 186.90.243.106 Egg Source List: 186.90.243.106 C & C List: Peer Coord. List: Resource List: Observed Start: 06/04/2013 15:16:03.945 PDT Gen. 
Time: 06/04/2013 15:16:08.580 PDT INBOUND SCAN EXPLOIT 186.90.243.106 (15:16:03.945 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-2001 (15:16:03.945 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 186.90.243.106 (15:16:08.580 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 48437<-6797 (15:16:08.580 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1370384163.945 1370384163.946 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 186.90.243.106, 61.227.42.200, 121.65.217.2 Egg Source List: 186.90.243.106, 61.227.42.200, 121.65.217.2 C & C List: Peer Coord. List: Resource List: Observed Start: 06/04/2013 15:16:03.945 PDT Gen. 
Time: 06/04/2013 15:17:20.981 PDT INBOUND SCAN EXPLOIT 186.90.243.106 (15:16:03.945 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-2001 (15:16:03.945 PDT) 61.227.42.200 (15:17:16.905 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-3165 (15:17:16.905 PDT) 121.65.217.2 (15:19:17.949 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-4020 (15:19:17.949 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 186.90.243.106 (15:16:08.580 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 48437<-6797 (15:16:08.580 PDT) 61.227.42.200 (15:17:20.981 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 57651<-3008 (15:17:20.981 PDT) 121.65.217.2 (15:19:21.861 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 57273<-4256 (15:19:21.861 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1370384163.945 1370384163.946 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 113.105.167.52 Egg Source List: 200.75.45.78 C & C List: Peer Coord. List: Resource List: Observed Start: 06/04/2013 16:36:47.792 PDT Gen. 
Time: 06/04/2013 16:36:47.792 PDT INBOUND SCAN EXPLOIT 113.105.167.52 (16:40:58.341 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-1862 (16:40:58.341 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 200.75.45.78 (16:36:47.792 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 60848<-4746 (16:36:47.792 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1370389007.792 1370389007.793 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 67.111.249.98, 186.89.87.225 Egg Source List: 186.89.87.225 C & C List: Peer Coord. List: Resource List: Observed Start: 06/04/2013 16:49:20.363 PDT Gen. 
Time: 06/04/2013 16:52:53.944 PDT INBOUND SCAN EXPLOIT 67.111.249.98 (16:49:20.363 PDT) event=1:22465 {tcp} E2[rb] GPL NETBIOS SMB-DS IPC$ share access, [] MAC_Dst: 00:21:5A:08:EC:40 445<-46847 (16:49:20.363 PDT) 186.89.87.225 (16:52:50.156 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-3979 (16:52:50.156 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 186.89.87.225 (16:52:53.944 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 43056<-5140 (16:52:53.944 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1370389760.363 1370389760.364 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 81.0.82.128 Egg Source List: 81.0.82.128 C & C List: Peer Coord. List: Resource List: Observed Start: 06/04/2013 17:11:08.153 PDT Gen. 
Time: 06/04/2013 17:11:11.187 PDT INBOUND SCAN EXPLOIT 81.0.82.128 (17:11:08.153 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-1427 (17:11:08.153 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 81.0.82.128 (17:11:11.187 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 60627<-9651 (17:11:11.187 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1370391068.153 1370391068.154 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 212.103.189.101, 223.194.75.51 Egg Source List: 223.194.75.51 C & C List: Peer Coord. List: Resource List: Observed Start: 06/04/2013 17:20:56.201 PDT Gen. 
Time: 06/04/2013 17:20:59.153 PDT INBOUND SCAN EXPLOIT 212.103.189.101 (17:22:37.088 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-15735 (17:22:37.088 PDT) 223.194.75.51 (17:20:56.201 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-4542 (17:20:56.201 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 223.194.75.51 (17:20:59.153 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 48626<-4214 (17:20:59.153 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1370391656.201 1370391656.202 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 118.111.27.113, 186.52.216.95, 171.226.209.190, 79.175.163.134 Egg Source List: 79.175.163.134 C & C List: Peer Coord. List: Resource List: Observed Start: 06/04/2013 17:54:24.094 PDT Gen. 
Time: 06/04/2013 17:57:04.638 PDT INBOUND SCAN EXPLOIT 118.111.27.113 (18:01:27.405 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-3380 (18:01:27.405 PDT) 186.52.216.95 (17:59:06.263 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-2446 (17:59:06.263 PDT) 171.226.209.190 (17:54:24.094 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-1392 (17:54:24.094 PDT) 79.175.163.134 (17:57:01.677 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-4132 (17:57:01.677 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 79.175.163.134 (17:57:04.638 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 38640<-4701 (17:57:04.638 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1370393664.094 1370393664.095 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 124.116.160.177 Egg Source List: 124.116.160.177 C & C List: Peer Coord. List: Resource List: Observed Start: 06/04/2013 18:06:41.288 PDT Gen. 
Time: 06/04/2013 18:06:45.262 PDT INBOUND SCAN EXPLOIT 124.116.160.177 (18:06:41.288 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-1525 (18:06:41.288 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 124.116.160.177 (18:06:45.262 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 49592<-8246 (18:06:45.262 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1370394401.288 1370394401.289 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 220.135.117.56, 124.116.160.177, 105.132.67.114, 198.20.182.86 Egg Source List: 124.116.160.177, 105.132.67.114 C & C List: Peer Coord. List: Resource List: Observed Start: 06/04/2013 18:06:41.288 PDT Gen. 
Time: 06/04/2013 18:14:57.590 PDT INBOUND SCAN EXPLOIT 220.135.117.56 (18:12:46.093 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-4276 (18:12:46.093 PDT) 124.116.160.177 (18:06:41.288 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-1525 (18:06:41.288 PDT) 105.132.67.114 (18:09:54.351 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-2610 (18:09:54.351 PDT) 198.20.182.86 (18:11:24.316 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-3238 (18:11:24.316 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 124.116.160.177 (18:06:45.262 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 49592<-8246 (18:06:45.262 PDT) 105.132.67.114 (18:09:56.908 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 58052<-1529 (18:09:56.908 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1370394401.288 1370394401.289 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 114.42.144.138 Egg Source List: 114.42.144.138 C & C List: Peer Coord. List: Resource List: Observed Start: 06/04/2013 19:22:26.805 PDT Gen. 
Time: 06/04/2013 19:22:29.961 PDT INBOUND SCAN EXPLOIT 114.42.144.138 (19:22:26.805 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-2075 (19:22:26.805 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 114.42.144.138 (19:22:29.961 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 48400<-5302 (19:22:29.961 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1370398946.805 1370398946.806 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 85.153.17.4, 85.154.240.84 Egg Source List: 85.153.17.4 C & C List: Peer Coord. List: Resource List: Observed Start: 06/04/2013 19:49:15.929 PDT Gen. 
Time: 06/04/2013 19:49:18.506 PDT INBOUND SCAN EXPLOIT 85.153.17.4 (19:49:15.929 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-2939 (19:49:15.929 PDT) 85.154.240.84 (19:50:01.862 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-1073 (19:50:01.862 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 85.153.17.4 (19:49:18.506 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 36796<-1933 (19:49:18.506 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1370400555.929 1370400555.930 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 222.168.45.154, 109.108.10.124 Egg Source List: 109.108.10.124 C & C List: Peer Coord. List: Resource List: Observed Start: 06/04/2013 21:05:56.819 PDT Gen. 
Time: 06/04/2013 21:09:00.205 PDT INBOUND SCAN EXPLOIT 222.168.45.154 (3) (21:05:56.819 PDT) event=1:22469 {tcp} E2[rb] GPL NETBIOS SMB-DS D$ unicode share access, [] MAC_Dst: 00:21:5A:08:EC:40 445<-2837 (21:05:56.819 PDT) ------------------------- event=1:22475 (2) {tcp} E2[rb] GPL NETBIOS SMB-DS ADMIN$ unicode share access, [] MAC_Dst: 00:21:5A:08:EC:40 445<-2526 (21:10:04.841 PDT) 445<-4077 (21:11:29.758 PDT) 109.108.10.124 (21:08:57.312 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-3245 (21:08:57.312 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 109.108.10.124 (21:09:00.205 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 58810<-2017 (21:09:00.205 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1370405156.819 1370405156.820 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 82.48.225.74, 222.168.45.154 Egg Source List: 82.48.225.74 C & C List: Peer Coord. List: Resource List: Observed Start: 06/04/2013 21:25:13.035 PDT Gen. 
Time: 06/04/2013 21:31:57.756 PDT INBOUND SCAN EXPLOIT 82.48.225.74 (21:31:53.682 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-4141 (21:31:53.682 PDT) 222.168.45.154 (11) (21:25:13.035 PDT-21:28:14.587 PDT) event=1:22469 (3) {tcp} E2[rb] GPL NETBIOS SMB-DS D$ unicode share access, [] MAC_Dst: 00:21:5A:08:EC:40 445<-1096 (21:34:18.295 PDT) 445<-2579 (21:31:17.706 PDT) 445<-3811 (21:32:47.280 PDT) ------------------------- event=1:22472 (4) {tcp} E2[rb] GPL NETBIOS SMB-DS C$ unicode share access, [] MAC_Dst: 00:21:5A:08:EC:40 2: 445<-4010 (21:28:12.798 PDT-21:28:14.587 PDT) 445<-2579 (21:31:16.723 PDT) 445<-1249 (21:29:44.722 PDT) ------------------------- event=1:22475 (4) {tcp} E2[rb] GPL NETBIOS SMB-DS ADMIN$ unicode share access, [] MAC_Dst: 00:21:5A:08:EC:40 445<-1052 (21:25:13.035 PDT) 2: 445<-2632 (21:26:41.645 PDT-21:26:43.776 PDT) 445<-2965 (21:36:21.042 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 82.48.225.74 (21:31:57.756 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 38390<-1730 (21:31:57.756 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1370406313.035 1370406494.588 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 222.168.45.154, 118.111.27.113, 79.175.163.134 Egg Source List: 118.111.27.113 C & C List: Peer Coord. List: Resource List: Observed Start: 06/04/2013 21:39:21.711 PDT Gen. 
Time: 06/04/2013 21:43:32.642 PDT INBOUND SCAN EXPLOIT 222.168.45.154 (8) (21:39:21.711 PDT) event=1:22469 (2) {tcp} E2[rb] GPL NETBIOS SMB-DS D$ unicode share access, [] MAC_Dst: 00:21:5A:08:EC:40 445<-2765 (21:43:57.708 PDT) 445<-4165 (21:45:26.266 PDT) ------------------------- event=1:22472 (3) {tcp} E2[rb] GPL NETBIOS SMB-DS C$ unicode share access, [] MAC_Dst: 00:21:5A:08:EC:40 445<-3539 (21:40:55.420 PDT) 445<-1226 (21:42:25.746 PDT) 445<-2765 (21:43:55.774 PDT) ------------------------- event=1:22475 (3) {tcp} E2[rb] GPL NETBIOS SMB-DS ADMIN$ unicode share access, [] MAC_Dst: 00:21:5A:08:EC:40 445<-2018 (21:39:21.711 PDT) 445<-3539 (21:40:53.815 PDT) 445<-3067 (21:48:30.022 PDT) 118.111.27.113 (21:43:29.923 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-2367 (21:43:29.923 PDT) 79.175.163.134 (21:43:44.524 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-1866 (21:43:44.524 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 118.111.27.113 (21:43:32.642 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 41194<-2344 (21:43:32.642 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1370407161.711 1370407161.712 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 220.135.117.56, 222.168.45.154, 27.78.215.167, 202.136.242.221 Egg Source List: 220.135.117.56 C & C List: Peer Coord. List: Resource List: Observed Start: 06/04/2013 21:50:30.732 PDT Gen. 
Time: 06/04/2013 21:54:05.921 PDT INBOUND SCAN EXPLOIT 220.135.117.56 (21:54:03.597 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-3198 (21:54:03.597 PDT) 222.168.45.154 (8) (21:50:30.732 PDT) event=1:22469 (3) {tcp} E2[rb] GPL NETBIOS SMB-DS D$ unicode share access, [] MAC_Dst: 00:21:5A:08:EC:40 445<-2344 (21:55:04.688 PDT) 445<-4095 (21:56:35.988 PDT) 445<-1835 (21:58:07.886 PDT) ------------------------- event=1:22472 (2) {tcp} E2[rb] GPL NETBIOS SMB-DS C$ unicode share access, [] MAC_Dst: 00:21:5A:08:EC:40 445<-2848 (21:52:04.491 PDT) 445<-4496 (21:53:33.301 PDT) ------------------------- event=1:22475 (3) {tcp} E2[rb] GPL NETBIOS SMB-DS ADMIN$ unicode share access, [] MAC_Dst: 00:21:5A:08:EC:40 445<-1079 (21:50:30.732 PDT) 445<-2848 (21:52:03.073 PDT) 445<-3906 (22:00:10.290 PDT) 27.78.215.167 (21:58:42.348 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-2893 (21:58:42.348 PDT) 202.136.242.221 (21:52:22.204 PDT) event=1:22465 {tcp} E2[rb] GPL NETBIOS SMB-DS IPC$ share access, [] MAC_Dst: 00:21:5A:08:EC:40 445<-58171 (21:52:22.204 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 220.135.117.56 (21:54:05.921 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 56086<-6577 (21:54:05.921 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1370407830.732 1370407830.733 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 220.135.117.56, 222.168.45.154, 
27.78.215.167, 202.136.242.221 Egg Source List: 220.135.117.56 C & C List: Peer Coord. List: Resource List: Observed Start: 06/04/2013 21:50:30.732 PDT Gen. Time: 06/04/2013 22:06:50.388 PDT INBOUND SCAN EXPLOIT 220.135.117.56 (21:54:03.597 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-3198 (21:54:03.597 PDT) 222.168.45.154 (14) (21:50:30.732 PDT-22:04:44.412 PDT) event=1:22469 (3) {tcp} E2[rb] GPL NETBIOS SMB-DS D$ unicode share access, [] MAC_Dst: 00:21:5A:08:EC:40 445<-1835 (21:58:07.886 PDT) 445<-2344 (21:55:04.688 PDT) 445<-4095 (21:56:35.988 PDT) ------------------------- event=1:22472 (5) {tcp} E2[rb] GPL NETBIOS SMB-DS C$ unicode share access, [] MAC_Dst: 00:21:5A:08:EC:40 445<-2982 (22:03:13.545 PDT) 445<-4496 (21:53:33.301 PDT) 445<-2848 (21:52:04.491 PDT) 2: 445<-4208 (22:04:42.970 PDT-22:04:44.412 PDT) ------------------------- event=1:22475 (6) {tcp} E2[rb] GPL NETBIOS SMB-DS ADMIN$ unicode share access, [] MAC_Dst: 00:21:5A:08:EC:40 445<-1079 (21:50:30.732 PDT) 2: 445<-3906 (22:00:10.290 PDT-22:00:11.748 PDT) 445<-1331 (22:01:40.065 PDT) 445<-2848 (21:52:03.073 PDT) 445<-2982 (22:03:11.574 PDT) 27.78.215.167 (21:58:42.348 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-2893 (21:58:42.348 PDT) 202.136.242.221 (21:52:22.204 PDT) event=1:22465 {tcp} E2[rb] GPL NETBIOS SMB-DS IPC$ share access, [] MAC_Dst: 00:21:5A:08:EC:40 445<-58171 (21:52:22.204 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 220.135.117.56 (21:54:05.921 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 56086<-6577 (21:54:05.921 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat 
Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1370407830.732 1370408684.413 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 222.168.45.154 Egg Source List: 37.203.115.186 C & C List: Peer Coord. List: Resource List: Observed Start: 06/04/2013 22:23:58.059 PDT Gen. Time: 06/04/2013 22:23:58.059 PDT INBOUND SCAN EXPLOIT 222.168.45.154 (22:28:02.943 PDT) event=1:22475 {tcp} E2[rb] GPL NETBIOS SMB-DS ADMIN$ unicode share access, [] MAC_Dst: 00:21:5A:08:EC:40 445<-1409 (22:28:02.943 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 37.203.115.186 (22:23:58.059 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 46669<-6536 (22:23:58.059 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1370409838.059 1370409838.060 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 222.168.45.154, 190.144.27.78, 222.59.77.116 Egg Source List: 222.59.77.116 C & C List: Peer Coord. List: Resource List: Observed Start: 06/04/2013 22:35:38.917 PDT Gen. 
Time: 06/04/2013 22:38:56.587 PDT INBOUND SCAN EXPLOIT 222.168.45.154 (3) (22:35:38.917 PDT) event=1:22469 (2) {tcp} E2[rb] GPL NETBIOS SMB-DS D$ unicode share access, [] MAC_Dst: 00:21:5A:08:EC:40 445<-3936 (22:35:39.854 PDT) 445<-1693 (22:37:09.956 PDT) ------------------------- event=1:22472 {tcp} E2[rb] GPL NETBIOS SMB-DS C$ unicode share access, [] MAC_Dst: 00:21:5A:08:EC:40 445<-3936 (22:35:38.917 PDT) 190.144.27.78 (22:38:51.096 PDT) event=1:22465 {tcp} E2[rb] GPL NETBIOS SMB-DS IPC$ share access, [] MAC_Dst: 00:21:5A:08:EC:40 445<-59765 (22:38:51.096 PDT) 222.59.77.116 (22:38:52.350 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-2166 (22:38:52.350 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 222.59.77.116 (22:38:56.587 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 53640<-2635 (22:38:56.587 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1370410538.917 1370410538.918 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 222.168.45.154, 190.144.27.78, 222.59.77.116 Egg Source List: 222.59.77.116 C & C List: Peer Coord. List: Resource List: Observed Start: 06/04/2013 22:35:38.917 PDT Gen. 
Time: 06/04/2013 22:48:15.963 PDT INBOUND SCAN EXPLOIT 222.168.45.154 (10) (22:35:38.917 PDT-22:44:17.952 PDT) event=1:22469 (3) {tcp} E2[rb] GPL NETBIOS SMB-DS D$ unicode share access, [] MAC_Dst: 00:21:5A:08:EC:40 445<-1693 (22:37:09.956 PDT) 445<-4003 (22:39:14.102 PDT) 445<-3936 (22:35:39.854 PDT) ------------------------- event=1:22472 (3) {tcp} E2[rb] GPL NETBIOS SMB-DS C$ unicode share access, [] MAC_Dst: 00:21:5A:08:EC:40 445<-3936 (22:35:38.917 PDT) 445<-2428 (22:45:48.108 PDT) 445<-4160 (22:47:17.943 PDT) ------------------------- event=1:22475 (4) {tcp} E2[rb] GPL NETBIOS SMB-DS ADMIN$ unicode share access, [] MAC_Dst: 00:21:5A:08:EC:40 445<-2428 (22:45:47.253 PDT) 445<-2163 (22:41:14.403 PDT) 2: 445<-1088 (22:44:15.398 PDT-22:44:17.952 PDT) 190.144.27.78 (22:38:51.096 PDT) event=1:22465 {tcp} E2[rb] GPL NETBIOS SMB-DS IPC$ share access, [] MAC_Dst: 00:21:5A:08:EC:40 445<-59765 (22:38:51.096 PDT) 222.59.77.116 (22:38:52.350 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-2166 (22:38:52.350 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 222.59.77.116 (22:38:56.587 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 53640<-2635 (22:38:56.587 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1370410538.917 1370411057.953 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================
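The records above are BotHunter infection profiles for a single victim, 192.168.1.102, each flattened onto one line. Three properties of this output matter to whoever has to act on it. First, the same infection window is re-emitted as further infectors are observed: the profile with Observed Start 14:19:21.976 is printed once with 114.44.191.39 alone and again at 14:27:33 with 64.79.93.103 added, so indicator extraction has to union the lists across reports rather than read the last one. Second, "Infector List" and "Egg Source List" are different sets. 67.111.249.98 (IPC$ share access only) and 222.168.45.154 (C$/D$/ADMIN$ share access) are listed as infectors but never as egg sources, meaning they probed or attacked the host without a payload transfer being seen, while the 16:36:47 and 22:23:58 profiles carry an egg source (200.75.45.78, 37.203.115.186) that is not on the infector list at all. Third, the tcpslice command most reports print covers a 1 ms window (for example 1370380761.976 to 1370380761.977, the Observed Start only), so the egg download the same report cites at 14:19:24.291 lies outside it; even the wider windows (1370406313.035 to 1370406494.588, i.e. 21:25:13.035 to 21:28:14.588) span only the aggregated share-access cluster and still exclude that report's egg download at 21:31:57.756.

The parser below is an added example, not BotHunter's code and not part of the page. It reads this flattened format, converts the timestamps to Unix epoch on the assumption that "PDT" is UTC-7 (the page's own values agree: 06/04/2013 14:19:21.976 PDT is 1370380761.976), rebuilds a capture window covering every event in a report, and unions the indicator lists across re-emitted reports. Its reading of "445<-2527" as local port, payload direction, remote port, and its assumption that all events in a report fall on the Observed Start date, are the example's own, not statements the page makes. The sample input is a constructed copy of two of the page's reports with the empty phase labels dropped.

```python
"""Parse flattened BotHunter infection-profile reports (the page's format) and
recompute the evidence window.  Added example, not BotHunter's or the page's code."""
import re
from datetime import datetime, timedelta, timezone

PDT = timezone(timedelta(hours=-7))  # assumption: the reports' "PDT" is UTC-7; the page's epochs agree

# Constructed sample: two of the page's reports, re-wrapped, with the empty phase
# labels dropped (the parser ignores text it does not recognise).
SAMPLE = """
Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 114.44.191.39 Egg Source List: 114.44.191.39
C & C List: Peer Coord. List: Resource List: Observed Start: 06/04/2013 14:19:21.976 PDT Gen. Time: 06/04/2013 14:19:24.291 PDT
INBOUND SCAN EXPLOIT 114.44.191.39 (14:19:21.976 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, []
MAC_Dst: 00:21:5A:08:EC:40 445<-2527 (14:19:21.976 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 114.44.191.39 (14:19:24.291 PDT)
event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, []
MAC_Src: 00:21:1C:EE:14:00 59985<-6489 (14:19:24.291 PDT) DECLARE BOT
tcpslice 1370380761.976 1370380761.977 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 67.111.249.98, 186.89.87.225 Egg Source List: 186.89.87.225
C & C List: Peer Coord. List: Resource List: Observed Start: 06/04/2013 16:49:20.363 PDT Gen. Time: 06/04/2013 16:52:53.944 PDT
INBOUND SCAN EXPLOIT 67.111.249.98 (16:49:20.363 PDT) event=1:22465 {tcp} E2[rb] GPL NETBIOS SMB-DS IPC$ share access, []
MAC_Dst: 00:21:5A:08:EC:40 445<-46847 (16:49:20.363 PDT) 186.89.87.225 (16:52:50.156 PDT) event=1:22009201 {tcp} E2[rb]
ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-3979 (16:52:50.156 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD
186.89.87.225 (16:52:53.944 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host
claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 43056<-5140 (16:52:53.944 PDT) DECLARE BOT
tcpslice 1370389760.363 1370389760.364 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'
============================== SEPARATOR ================================
"""

IP, TS = r"\d{1,3}(?:\.\d{1,3}){3}", r"\d\d:\d\d:\d\d\.\d{3}"
HEADER_RE = re.compile(
    r"Score: (?P<score>[\d.]+).*?Infected Target: (?P<target>" + IP + r").*?Infector List:"
    r"(?P<infectors>.*?)Egg Source List:(?P<eggs>.*?)C & C List:(?P<cnc>.*?)Peer Coord\. List:"
    r".*?Observed Start: (?P<start>[\d/]+ " + TS + r") PDT Gen\. Time: (?P<gen>[\d/]+ " + TS + r") PDT")
# An attacker-IP header "1.2.3.4 (N) (hh:mm:ss.mmm PDT[-hh:mm:ss.mmm PDT])" or an event record;
# "(N)" counts aggregated hits, and each event belongs to the most recent IP header before it.
TOKEN_RE = re.compile(
    r"(?P<ip>" + IP + r")(?: \(\d+\))? \(" + TS + r" PDT(?:-" + TS + r" PDT)?\)|"
    r"event=(?P<sid>\d+:\d+)(?: \(\d+\))? \{(?P<proto>\w+)\} E(?P<phase>\d)\[\w+\] "
    r"(?P<msg>.+?), \[\] MAC_(?:Dst|Src): [0-9A-F:]{17}"
    r"(?P<hits>(?: (?:\d+: )?\d+(?:<-|->)\d+ \([^)]*\))+)")
# "local<-remote (t)" or "2: local<-remote (t0-t1)"; reading the arrow as the payload direction
# is this example's interpretation of the notation, not something the page states.
HIT_RE = re.compile(r"(\d+)(<-|->)(\d+) \((" + TS + r") PDT(?:-(" + TS + r") PDT)?\)")


def to_epoch(date: str, clock: str) -> float:
    """'06/04/2013', 'hh:mm:ss.mmm' in PDT -> Unix seconds at millisecond precision."""
    dt = datetime.strptime(f"{date} {clock}", "%m/%d/%Y %H:%M:%S.%f").replace(tzinfo=PDT)
    return round(dt.timestamp(), 3)


def parse_profiles(text: str) -> list:
    """Split a report dump on its SEPARATOR lines and parse every profile into a dict."""
    text = " ".join(text.split())  # undo line wrapping from extraction or copy/paste
    profiles = []
    for chunk in re.split(r"=+ SEPARATOR =+", text):
        h = HEADER_RE.search(chunk)
        if not h:
            continue
        date = h["start"].split()[0]  # assumption: all of a report's events fall on that date
        events, ip = [], None
        for m in TOKEN_RE.finditer(chunk[h.end():]):
            if m["ip"]:
                ip = m["ip"]
                continue
            for lport, arrow, rport, t0, t1 in HIT_RE.findall(m["hits"]):
                events.append({"ip": ip, "sid": m["sid"], "proto": m["proto"], "msg": m["msg"],
                               "phase": int(m["phase"]),  # E2 = exploit, E3 = egg download on this page
                               "local_port": int(lport), "remote_port": int(rport),
                               "flow": "inbound" if arrow == "<-" else "outbound",
                               "t0": to_epoch(date, t0), "t1": to_epoch(date, t1 or t0)})
        profiles.append({"score": float(h["score"]), "target": h["target"],
                         "infectors": re.findall(IP, h["infectors"]),
                         "egg_sources": re.findall(IP, h["eggs"]), "cnc": re.findall(IP, h["cnc"]),
                         "start": to_epoch(*h["start"].split()), "gen": to_epoch(*h["gen"].split()),
                         "events": events})
    return profiles


def capture_window(profile: dict, pad: float = 2.0) -> tuple:
    """Padded span of every event in the report, not the 1 ms slice at Observed Start most reports print."""
    t0 = min(e["t0"] for e in profile["events"])
    t1 = max(e["t1"] for e in profile["events"])
    return round(t0 - pad, 3), round(t1 + pad, 3)


def tcpslice_cmd(profile: dict, pcap: str = "inputFile.tcpd", out: str = "outputFile.tcpd") -> str:
    """Carve the widened window, keeping only the target's traffic with the hosts the report names."""
    a, b = capture_window(profile)
    peers = sorted({e["ip"] for e in profile["events"]})
    bpf = f"host {profile['target']} and ({' or '.join('host ' + p for p in peers)})"
    return f"tcpslice {a:.3f} {b:.3f} {pcap} | tcpdump -r - -w {out} '{bpf}'"


def merge_by_target(profiles: list) -> dict:
    """Union the IP lists over re-emitted reports; split out infectors with no egg seen and vice versa."""
    merged = {}
    for p in profiles:
        m = merged.setdefault(p["target"], {"infectors": set(), "egg_sources": set(), "cnc": set(),
                                            "first": p["start"], "last": p["gen"]})
        for key in ("infectors", "egg_sources", "cnc"):
            m[key].update(p[key])
        m["first"], m["last"] = min(m["first"], p["start"]), max(m["last"], p["gen"])
        m["exploit_only"], m["egg_only"] = m["infectors"] - m["egg_sources"], m["egg_sources"] - m["infectors"]
    return merged
```

For a saved dump, parse_profiles(open(path).read()) returns one dict per report, and tcpslice_cmd() on each gives a carve command for the same tcpslice | tcpdump pipeline the reports use. The two-second pad and the per-peer BPF clause are this example's choices: keep the page's plain 'host 192.168.1.102' filter instead if you also want the victim's traffic to hosts the report does not name, such as later C&C check-ins. The parsed "phase" and "sid" values are kept as the page prints them (1:22009201, 1:2001685, 1:22465 and so on) and are not mapped to rule names beyond the message text.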