Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 222.168.45.154, 217.133.61.36 Egg Source List: 186.46.43.34 C & C List: Peer Coord. List: Resource List: Observed Start: 06/04/2013 23:53:10.076 PDT Gen. Time: 06/05/2013 00:17:33.456 PDT INBOUND SCAN EXPLOIT 222.168.45.154 (7) (23:54:44.725 PDT) event=1:22469 (3) {tcp} E2[rb] GPL NETBIOS SMB-DS D$ unicode share access, [] MAC_Dst: 00:21:5A:08:EC:40 445<-2880 (23:58:17.031 PDT) 445<-1205 (23:59:49.107 PDT) 445<-2999 (00:03:51.768 PDT) ------------------------- event=1:22472 (3) {tcp} E2[rb] GPL NETBIOS SMB-DS C$ unicode share access, [] MAC_Dst: 00:21:5A:08:EC:40 445<-1628 (23:54:45.658 PDT) 445<-3839 (23:56:18.235 PDT) 445<-2880 (23:58:16.277 PDT) ------------------------- event=1:22475 {tcp} E2[rb] GPL NETBIOS SMB-DS ADMIN$ unicode share access, [] MAC_Dst: 00:21:5A:08:EC:40 445<-1628 (23:54:44.725 PDT) 217.133.61.36 (10) (23:53:10.076 PDT) event=1:22469 (2) {tcp} E2[rb] GPL NETBIOS SMB-DS D$ unicode share access, [] MAC_Dst: 00:21:5A:08:EC:40 445<-2495 (23:57:44.701 PDT) 445<-4589 (23:58:49.531 PDT) ------------------------- event=1:22472 (4) {tcp} E2[rb] GPL NETBIOS SMB-DS C$ unicode share access, [] MAC_Dst: 00:21:5A:08:EC:40 445<-1309 (23:54:18.894 PDT) 445<-4181 (23:56:02.288 PDT) 445<-3685 (00:03:57.967 PDT) 445<-2317 (00:05:41.521 PDT) ------------------------- event=1:22475 (4) {tcp} E2[rb] GPL NETBIOS SMB-DS ADMIN$ unicode share access, [] MAC_Dst: 00:21:5A:08:EC:40 445<-1086 (23:53:10.076 PDT) 445<-1290 (00:01:07.792 PDT) 445<-1489 (00:02:14.572 PDT) 445<-3011 (00:07:33.333 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 186.46.43.34 (00:17:33.456 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 50250<-8848 (00:17:33.456 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION 
DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1370415190.076 1370415190.077 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 222.168.45.154, 178.206.217.184, 217.133.61.36 Egg Source List: 178.206.217.184 C & C List: Peer Coord. List: Resource List: Observed Start: 06/05/2013 00:35:13.697 PDT Gen. Time: 06/05/2013 00:38:15.475 PDT INBOUND SCAN EXPLOIT 222.168.45.154 (4) (00:35:49.326 PDT) event=1:22472 {tcp} E2[rb] GPL NETBIOS SMB-DS C$ unicode share access, [] MAC_Dst: 00:21:5A:08:EC:40 445<-3362 (00:40:29.323 PDT) ------------------------- event=1:22475 (3) {tcp} E2[rb] GPL NETBIOS SMB-DS ADMIN$ unicode share access, [] MAC_Dst: 00:21:5A:08:EC:40 445<-1791 (00:35:49.326 PDT) 445<-3700 (00:37:25.041 PDT) 445<-3362 (00:40:26.390 PDT) 178.206.217.184 (00:38:11.652 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-3756 (00:38:11.652 PDT) 217.133.61.36 (5) (00:35:13.697 PDT) event=1:22469 (2) {tcp} E2[rb] GPL NETBIOS SMB-DS D$ unicode share access, [] MAC_Dst: 00:21:5A:08:EC:40 445<-2411 (00:39:13.361 PDT) 445<-3771 (00:40:24.814 PDT) ------------------------- event=1:22472 (2) {tcp} E2[rb] GPL NETBIOS SMB-DS C$ unicode share access, [] MAC_Dst: 00:21:5A:08:EC:40 445<-2110 (00:36:23.551 PDT) 445<-3025 (00:37:31.512 PDT) ------------------------- event=1:22475 {tcp} E2[rb] GPL NETBIOS SMB-DS ADMIN$ unicode share access, [] MAC_Dst: 00:21:5A:08:EC:40 445<-4852 (00:35:13.697 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 178.206.217.184 (00:38:15.475 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 33667<-4688 (00:38:15.475 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and 
C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1370417713.697 1370417713.698 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 222.168.45.154, 178.206.217.184, 217.133.61.36 Egg Source List: 178.206.217.184 C & C List: Peer Coord. List: Resource List: Observed Start: 06/05/2013 00:35:13.697 PDT Gen. Time: 06/05/2013 00:48:15.270 PDT INBOUND SCAN EXPLOIT 222.168.45.154 (8) (00:35:49.326 PDT) event=1:22469 (3) {tcp} E2[rb] GPL NETBIOS SMB-DS D$ unicode share access, [] MAC_Dst: 00:21:5A:08:EC:40 445<-3092 (00:43:24.485 PDT) 445<-3044 (00:46:27.321 PDT) 445<-4876 (00:47:59.102 PDT) ------------------------- event=1:22472 (2) {tcp} E2[rb] GPL NETBIOS SMB-DS C$ unicode share access, [] MAC_Dst: 00:21:5A:08:EC:40 445<-3362 (00:40:29.323 PDT) 445<-1333 (00:41:53.303 PDT) ------------------------- event=1:22475 (3) {tcp} E2[rb] GPL NETBIOS SMB-DS ADMIN$ unicode share access, [] MAC_Dst: 00:21:5A:08:EC:40 445<-1791 (00:35:49.326 PDT) 445<-3700 (00:37:25.041 PDT) 445<-3362 (00:40:26.390 PDT) 178.206.217.184 (2) (00:38:11.652 PDT) event=1:22009201 (2) {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-3756 (00:38:11.652 PDT) 445<-1748 (00:45:09.165 PDT) 217.133.61.36 (7) (00:35:13.697 PDT) event=1:22469 (2) {tcp} E2[rb] GPL NETBIOS SMB-DS D$ unicode share access, [] MAC_Dst: 00:21:5A:08:EC:40 445<-2411 (00:39:13.361 PDT) 445<-3771 (00:40:24.814 PDT) ------------------------- event=1:22472 (2) {tcp} E2[rb] GPL NETBIOS SMB-DS C$ unicode share access, [] MAC_Dst: 00:21:5A:08:EC:40 445<-2110 (00:36:23.551 PDT) 445<-3025 (00:37:31.512 PDT) ------------------------- 
event=1:22475 (3) {tcp} E2[rb] GPL NETBIOS SMB-DS ADMIN$ unicode share access, [] MAC_Dst: 00:21:5A:08:EC:40 445<-4852 (00:35:13.697 PDT) 445<-3041 (00:44:58.178 PDT) 445<-4416 (00:47:10.979 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 178.206.217.184 (2) (00:38:15.475 PDT) event=1:2001685 (2) {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 33667<-4688 (00:38:15.475 PDT) 41371<-4688 (00:45:12.106 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1370417713.697 1370417713.698 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 222.168.45.154, 178.206.217.184, 217.133.61.36 Egg Source List: 178.206.217.184 C & C List: Peer Coord. List: Resource List: Observed Start: 06/05/2013 00:48:54.723 PDT Gen. 
Time: 06/05/2013 00:52:03.457 PDT INBOUND SCAN EXPLOIT 222.168.45.154 (4) (00:49:32.428 PDT) event=1:22472 {tcp} E2[rb] GPL NETBIOS SMB-DS C$ unicode share access, [] MAC_Dst: 00:21:5A:08:EC:40 445<-2292 (00:52:33.481 PDT) ------------------------- event=1:22475 (3) {tcp} E2[rb] GPL NETBIOS SMB-DS ADMIN$ unicode share access, [] MAC_Dst: 00:21:5A:08:EC:40 445<-2700 (00:49:32.428 PDT) 445<-4381 (00:51:01.284 PDT) 445<-2292 (00:52:32.719 PDT) 178.206.217.184 (00:52:00.342 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-3171 (00:52:00.342 PDT) 217.133.61.36 (4) (00:48:54.723 PDT) event=1:22469 (2) {tcp} E2[rb] GPL NETBIOS SMB-DS D$ unicode share access, [] MAC_Dst: 00:21:5A:08:EC:40 445<-3799 (00:51:14.442 PDT) 445<-3094 (00:52:52.150 PDT) ------------------------- event=1:22472 (2) {tcp} E2[rb] GPL NETBIOS SMB-DS C$ unicode share access, [] MAC_Dst: 00:21:5A:08:EC:40 445<-1167 (00:48:54.723 PDT) 445<-2797 (00:50:02.543 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 178.206.217.184 (00:52:03.457 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 43544<-4688 (00:52:03.457 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1370418534.723 1370418534.724 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 222.168.45.154, 178.206.217.184, 1.162.231.243, 217.133.61.36 Egg Source List: 178.206.217.184, 1.162.231.243, 116.1.19.183 C & C List: Peer Coord. 
List: Resource List: Observed Start: 06/05/2013 00:48:54.723 PDT Gen. Time: 06/05/2013 01:09:59.667 PDT INBOUND SCAN EXPLOIT 222.168.45.154 (7) (00:49:32.428 PDT) event=1:22469 {tcp} E2[rb] GPL NETBIOS SMB-DS D$ unicode share access, [] MAC_Dst: 00:21:5A:08:EC:40 445<-1957 (00:58:41.402 PDT) ------------------------- event=1:22472 (3) {tcp} E2[rb] GPL NETBIOS SMB-DS C$ unicode share access, [] MAC_Dst: 00:21:5A:08:EC:40 445<-2292 (00:52:33.481 PDT) 445<-4693 (00:54:34.913 PDT) 445<-1957 (00:58:39.474 PDT) ------------------------- event=1:22475 (3) {tcp} E2[rb] GPL NETBIOS SMB-DS ADMIN$ unicode share access, [] MAC_Dst: 00:21:5A:08:EC:40 445<-2700 (00:49:32.428 PDT) 445<-4381 (00:51:01.284 PDT) 445<-2292 (00:52:32.719 PDT) 178.206.217.184 (2) (00:52:00.342 PDT) event=1:22009201 (2) {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-3171 (00:52:00.342 PDT) 445<-4140 (00:59:20.130 PDT) 1.162.231.243 (00:56:26.862 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-3557 (00:56:26.862 PDT) 217.133.61.36 (7) (00:48:54.723 PDT) event=1:22469 (2) {tcp} E2[rb] GPL NETBIOS SMB-DS D$ unicode share access, [] MAC_Dst: 00:21:5A:08:EC:40 445<-3799 (00:51:14.442 PDT) 445<-3094 (00:52:52.150 PDT) ------------------------- event=1:22472 (3) {tcp} E2[rb] GPL NETBIOS SMB-DS C$ unicode share access, [] MAC_Dst: 00:21:5A:08:EC:40 445<-1167 (00:48:54.723 PDT) 445<-2797 (00:50:02.543 PDT) 445<-1858 (00:58:01.309 PDT) ------------------------- event=1:22475 (2) {tcp} E2[rb] GPL NETBIOS SMB-DS ADMIN$ unicode share access, [] MAC_Dst: 00:21:5A:08:EC:40 445<-1159 (00:55:09.064 PDT) 445<-4921 (00:56:51.151 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 178.206.217.184 (2) (00:52:03.457 PDT) event=1:2001685 (2) {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 43544<-4688 (00:52:03.457 PDT) 60516<-4688 (00:59:23.948 PDT) 1.162.231.243 
(00:56:32.205 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 45302<-4680 (00:56:32.205 PDT) 116.1.19.183 (01:06:48.408 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 45625<-6570 (01:06:48.408 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1370418534.723 1370418534.724 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 82.48.225.74, 222.168.45.154, 217.133.61.36, 37.104.31.181 Egg Source List: 82.48.225.74 C & C List: Peer Coord. List: Resource List: Observed Start: 06/05/2013 01:10:18.200 PDT Gen. 
Time: 06/05/2013 01:12:52.949 PDT INBOUND SCAN EXPLOIT 82.48.225.74 (01:12:50.364 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-3988 (01:12:50.364 PDT) 222.168.45.154 (3) (01:10:18.200 PDT) event=1:22469 (2) {tcp} E2[rb] GPL NETBIOS SMB-DS D$ unicode share access, [] MAC_Dst: 00:21:5A:08:EC:40 445<-1314 (01:10:19.207 PDT) 445<-1274 (01:13:25.599 PDT) ------------------------- event=1:22472 {tcp} E2[rb] GPL NETBIOS SMB-DS C$ unicode share access, [] MAC_Dst: 00:21:5A:08:EC:40 445<-1314 (01:10:18.200 PDT) 217.133.61.36 (4) (01:11:05.786 PDT) event=1:22472 (2) {tcp} E2[rb] GPL NETBIOS SMB-DS C$ unicode share access, [] MAC_Dst: 00:21:5A:08:EC:40 445<-1435 (01:13:25.158 PDT) 445<-4776 (01:15:02.627 PDT) ------------------------- event=1:22475 (2) {tcp} E2[rb] GPL NETBIOS SMB-DS ADMIN$ unicode share access, [] MAC_Dst: 00:21:5A:08:EC:40 445<-3108 (01:11:05.786 PDT) 445<-4261 (01:12:13.366 PDT) 37.104.31.181 (2) (01:10:25.965 PDT) event=1:22469 (2) {tcp} E2[rb] GPL NETBIOS SMB-DS D$ unicode share access, [] MAC_Dst: 00:21:5A:08:EC:40 445<-4945 (01:10:25.965 PDT) 445<-4542 (01:11:44.915 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 82.48.225.74 (01:12:52.949 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 47245<-1730 (01:12:52.949 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1370419818.200 1370419818.201 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.9 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 82.48.225.74, 222.168.45.154, 
80.88.171.4, 128.72.221.160, 217.133.61.36, 37.104.31.181 Egg Source List: 82.48.225.74, 37.208.34.60, 91.67.184.233, 128.72.221.160 C & C List: 69.64.42.226 Peer Coord. List: Resource List: Observed Start: 06/05/2013 01:10:18.200 PDT Gen. Time: 06/05/2013 01:37:25.127 PDT INBOUND SCAN EXPLOIT 82.48.225.74 (01:12:50.364 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-3988 (01:12:50.364 PDT) 222.168.45.154 (4) (01:10:18.200 PDT) event=1:22469 (2) {tcp} E2[rb] GPL NETBIOS SMB-DS D$ unicode share access, [] MAC_Dst: 00:21:5A:08:EC:40 445<-1314 (01:10:19.207 PDT) 445<-1274 (01:13:25.599 PDT) ------------------------- event=1:22472 {tcp} E2[rb] GPL NETBIOS SMB-DS C$ unicode share access, [] MAC_Dst: 00:21:5A:08:EC:40 445<-1314 (01:10:18.200 PDT) ------------------------- event=1:22475 {tcp} E2[rb] GPL NETBIOS SMB-DS ADMIN$ unicode share access, [] MAC_Dst: 00:21:5A:08:EC:40 445<-1365 (01:17:00.951 PDT) 80.88.171.4 (01:17:58.434 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-3061 (01:17:58.434 PDT) 128.72.221.160 (01:17:40.074 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-1847 (01:17:40.074 PDT) 217.133.61.36 (6) (01:11:05.786 PDT) event=1:22469 (2) {tcp} E2[rb] GPL NETBIOS SMB-DS D$ unicode share access, [] MAC_Dst: 00:21:5A:08:EC:40 445<-1813 (01:16:13.823 PDT) 445<-1742 (01:18:02.982 PDT) ------------------------- event=1:22472 (2) {tcp} E2[rb] GPL NETBIOS SMB-DS C$ unicode share access, [] MAC_Dst: 00:21:5A:08:EC:40 445<-1435 (01:13:25.158 PDT) 445<-4776 (01:15:02.627 PDT) ------------------------- event=1:22475 (2) {tcp} E2[rb] GPL NETBIOS SMB-DS ADMIN$ unicode share access, [] MAC_Dst: 00:21:5A:08:EC:40 445<-3108 (01:11:05.786 PDT) 445<-4261 (01:12:13.366 PDT) 37.104.31.181 (4) (01:10:25.965 PDT) event=1:22469 (2) {tcp} E2[rb] GPL NETBIOS SMB-DS D$ unicode share access, [] MAC_Dst: 00:21:5A:08:EC:40 
445<-4945 (01:10:25.965 PDT) 445<-4542 (01:11:44.915 PDT) ------------------------- event=1:22475 (2) {tcp} E2[rb] GPL NETBIOS SMB-DS ADMIN$ unicode share access, [] MAC_Dst: 00:21:5A:08:EC:40 445<-1043 (01:16:06.524 PDT) 445<-3302 (01:18:16.972 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 82.48.225.74 (01:12:52.949 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 47245<-1730 (01:12:52.949 PDT) 37.208.34.60 (01:24:33.369 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 55248<-6155 (01:24:33.369 PDT) 91.67.184.233 (01:24:07.345 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 50728<-3946 (01:24:07.345 PDT) 128.72.221.160 (3) (01:17:49.873 PDT) event=1:2001685 (3) {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 49951<-8933 (01:17:49.873 PDT) 33062<-8933 (01:24:33.357 PDT) 56436<-8933 (01:31:48.361 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) 69.64.42.226 (01:21:04.542 PDT) event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:EC:40 4815->55311 (01:21:04.542 PDT) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1370419818.200 1370419818.201 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 222.168.45.154, 128.72.221.160, 217.133.61.36, 37.104.31.181 Egg Source List: 
128.72.221.160 C & C List: Peer Coord. List: Resource List: Observed Start: 06/05/2013 01:37:40.055 PDT Gen. Time: 06/05/2013 01:38:32.725 PDT INBOUND SCAN EXPLOIT 222.168.45.154 (6) (01:37:40.055 PDT) event=1:22469 (2) {tcp} E2[rb] GPL NETBIOS SMB-DS D$ unicode share access, [] MAC_Dst: 00:21:5A:08:EC:40 445<-1751 (01:42:44.079 PDT) 445<-3520 (01:44:16.847 PDT) ------------------------- event=1:22472 (2) {tcp} E2[rb] GPL NETBIOS SMB-DS C$ unicode share access, [] MAC_Dst: 00:21:5A:08:EC:40 445<-1629 (01:39:43.677 PDT) 445<-3977 (01:41:14.687 PDT) ------------------------- event=1:22475 (2) {tcp} E2[rb] GPL NETBIOS SMB-DS ADMIN$ unicode share access, [] MAC_Dst: 00:21:5A:08:EC:40 445<-3823 (01:37:40.055 PDT) 445<-1629 (01:39:35.499 PDT) 128.72.221.160 (01:38:30.162 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-3073 (01:38:30.162 PDT) 217.133.61.36 (01:39:09.685 PDT) event=1:22469 {tcp} E2[rb] GPL NETBIOS SMB-DS D$ unicode share access, [] MAC_Dst: 00:21:5A:08:EC:40 445<-2453 (01:39:09.685 PDT) 37.104.31.181 (3) (01:38:05.504 PDT) event=1:22469 {tcp} E2[rb] GPL NETBIOS SMB-DS D$ unicode share access, [] MAC_Dst: 00:21:5A:08:EC:40 445<-4863 (01:38:05.504 PDT) ------------------------- event=1:22475 (2) {tcp} E2[rb] GPL NETBIOS SMB-DS ADMIN$ unicode share access, [] MAC_Dst: 00:21:5A:08:EC:40 445<-4380 (01:42:17.880 PDT) 445<-2523 (01:43:23.035 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 128.72.221.160 (01:38:32.725 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 44392<-8933 (01:38:32.725 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 
1370421460.055 1370421460.056 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 178.207.117.6, 222.168.45.154, 115.171.10.161, 128.72.221.160, 217.133.61.36, 37.104.31.181 Egg Source List: 128.72.221.160 C & C List: Peer Coord. List: Resource List: Observed Start: 06/05/2013 01:44:28.803 PDT Gen. Time: 06/05/2013 01:45:00.395 PDT INBOUND SCAN EXPLOIT 178.207.117.6 (01:49:56.203 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-2000 (01:49:56.203 PDT) 222.168.45.154 (3) (01:45:46.738 PDT) event=1:22469 {tcp} E2[rb] GPL NETBIOS SMB-DS D$ unicode share access, [] MAC_Dst: 00:21:5A:08:EC:40 445<-1339 (01:45:46.738 PDT) ------------------------- event=1:22475 (2) {tcp} E2[rb] GPL NETBIOS SMB-DS ADMIN$ unicode share access, [] MAC_Dst: 00:21:5A:08:EC:40 445<-1918 (01:49:20.792 PDT) 445<-4045 (01:47:51.557 PDT) 115.171.10.161 (01:50:36.094 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-1317 (01:50:36.094 PDT) 128.72.221.160 (01:44:57.897 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-1605 (01:44:57.897 PDT) 217.133.61.36 (2) (01:47:28.488 PDT) event=1:22475 (2) {tcp} E2[rb] GPL NETBIOS SMB-DS ADMIN$ unicode share access, [] MAC_Dst: 00:21:5A:08:EC:40 445<-4043 (01:49:11.560 PDT) 445<-4049 (01:47:28.488 PDT) 37.104.31.181 (5) (01:44:28.803 PDT-01:47:49.549 PDT) event=1:22469 (3) {tcp} E2[rb] GPL NETBIOS SMB-DS D$ unicode share access, [] MAC_Dst: 00:21:5A:08:EC:40 2: 445<-4830 (01:47:46.148 PDT-01:47:49.549 PDT) 445<-2507 (01:49:28.390 PDT) ------------------------- event=1:22472 (2) {tcp} E2[rb] GPL NETBIOS SMB-DS C$ unicode share access, [] MAC_Dst: 00:21:5A:08:EC:40 445<-1043 (01:44:28.803 PDT) 445<-2306 (01:46:09.353 PDT) EXPLOIT MALWARE DNS EGG 
DOWNLOAD 128.72.221.160 (01:45:00.395 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 59315<-8933 (01:45:00.395 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1370421868.803 1370422069.550 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 178.207.117.6, 222.168.45.154, 115.171.10.161, 128.72.221.160, 217.133.61.36, 37.104.31.181 Egg Source List: 178.207.117.6, 128.72.221.160 C & C List: Peer Coord. List: Resource List: Observed Start: 06/05/2013 01:44:28.803 PDT Gen. 
Time: 06/05/2013 01:49:59.740 PDT INBOUND SCAN EXPLOIT 178.207.117.6 (01:49:56.203 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-2000 (01:49:56.203 PDT) 222.168.45.154 (6) (01:45:46.738 PDT) event=1:22469 {tcp} E2[rb] GPL NETBIOS SMB-DS D$ unicode share access, [] MAC_Dst: 00:21:5A:08:EC:40 445<-1339 (01:45:46.738 PDT) ------------------------- event=1:22472 (2) {tcp} E2[rb] GPL NETBIOS SMB-DS C$ unicode share access, [] MAC_Dst: 00:21:5A:08:EC:40 445<-3645 (01:50:56.647 PDT) 445<-1336 (01:52:24.405 PDT) ------------------------- event=1:22475 (3) {tcp} E2[rb] GPL NETBIOS SMB-DS ADMIN$ unicode share access, [] MAC_Dst: 00:21:5A:08:EC:40 445<-1918 (01:49:20.792 PDT) 445<-4045 (01:47:51.557 PDT) 445<-3645 (01:50:54.395 PDT) 115.171.10.161 (01:50:36.094 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-1317 (01:50:36.094 PDT) 128.72.221.160 (2) (01:44:57.897 PDT) event=1:22009201 (2) {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-1605 (01:44:57.897 PDT) 445<-1112 (01:53:03.761 PDT) 217.133.61.36 (3) (01:47:28.488 PDT) event=1:22475 (3) {tcp} E2[rb] GPL NETBIOS SMB-DS ADMIN$ unicode share access, [] MAC_Dst: 00:21:5A:08:EC:40 445<-4043 (01:49:11.560 PDT) 445<-4049 (01:47:28.488 PDT) 445<-2056 (01:51:21.368 PDT) 37.104.31.181 (5) (01:44:28.803 PDT-01:47:49.549 PDT) event=1:22469 (3) {tcp} E2[rb] GPL NETBIOS SMB-DS D$ unicode share access, [] MAC_Dst: 00:21:5A:08:EC:40 2: 445<-4830 (01:47:46.148 PDT-01:47:49.549 PDT) 445<-2507 (01:49:28.390 PDT) ------------------------- event=1:22472 (2) {tcp} E2[rb] GPL NETBIOS SMB-DS C$ unicode share access, [] MAC_Dst: 00:21:5A:08:EC:40 445<-1043 (01:44:28.803 PDT) 445<-2306 (01:46:09.353 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 178.207.117.6 (01:49:59.740 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 
00:21:1C:EE:14:00 43283<-4688 (01:49:59.740 PDT) 128.72.221.160 (2) (01:45:00.395 PDT) event=1:2001685 (2) {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 59315<-8933 (01:45:00.395 PDT) 45403<-8933 (01:53:06.760 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1370421868.803 1370422069.550 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 85.95.254.28 Egg Source List: 85.95.254.28 C & C List: Peer Coord. List: Resource List: Observed Start: 06/05/2013 01:56:43.950 PDT Gen. Time: 06/05/2013 01:56:48.552 PDT INBOUND SCAN EXPLOIT 85.95.254.28 (01:56:43.950 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-2173 (01:56:43.950 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 85.95.254.28 (01:56:48.552 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 57802<-8079 (01:56:48.552 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1370422603.950 1370422603.951 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector 
List: 62.149.73.181, 222.168.45.154, 178.207.117.6, 37.104.31.181, 85.95.254.28 Egg Source List: 178.207.117.6, 85.95.254.28 C & C List: Peer Coord. List: Resource List: Observed Start: 06/05/2013 01:56:43.950 PDT Gen. Time: 06/05/2013 01:57:07.157 PDT INBOUND SCAN EXPLOIT 62.149.73.181 (02:02:42.625 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-4841 (02:02:42.625 PDT) 222.168.45.154 (02:01:30.785 PDT) event=1:22475 {tcp} E2[rb] GPL NETBIOS SMB-DS ADMIN$ unicode share access, [] MAC_Dst: 00:21:5A:08:EC:40 445<-4432 (02:01:30.785 PDT) 178.207.117.6 (01:57:00.993 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-4798 (01:57:00.993 PDT) 37.104.31.181 (4) (01:57:11.174 PDT) event=1:22469 (2) {tcp} E2[rb] GPL NETBIOS SMB-DS D$ unicode share access, [] MAC_Dst: 00:21:5A:08:EC:40 445<-3675 (01:59:49.966 PDT) 445<-3988 (02:01:58.621 PDT) ------------------------- event=1:22472 (2) {tcp} E2[rb] GPL NETBIOS SMB-DS C$ unicode share access, [] MAC_Dst: 00:21:5A:08:EC:40 445<-4566 (01:57:11.174 PDT) 445<-1926 (01:58:42.623 PDT) 85.95.254.28 (01:56:43.950 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-2173 (01:56:43.950 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 178.207.117.6 (01:57:07.157 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 43056<-4688 (01:57:07.157 PDT) 85.95.254.28 (01:56:48.552 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 57802<-8079 (01:56:48.552 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat 
Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1370422603.950 1370422603.951 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 178.207.117.6, 222.168.45.154, 37.104.31.181 Egg Source List: 178.207.117.6 C & C List: Peer Coord. List: Resource List: Observed Start: 06/05/2013 02:03:00.341 PDT Gen. Time: 06/05/2013 02:04:06.958 PDT INBOUND SCAN EXPLOIT 178.207.117.6 (02:04:04.122 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-2584 (02:04:04.122 PDT) 222.168.45.154 (4) (02:03:00.341 PDT) event=1:22472 (2) {tcp} E2[rb] GPL NETBIOS SMB-DS C$ unicode share access, [] MAC_Dst: 00:21:5A:08:EC:40 445<-2229 (02:06:19.773 PDT) 445<-4733 (02:08:04.557 PDT) ------------------------- event=1:22475 (2) {tcp} E2[rb] GPL NETBIOS SMB-DS ADMIN$ unicode share access, [] MAC_Dst: 00:21:5A:08:EC:40 445<-2389 (02:03:00.341 PDT) 445<-2229 (02:06:14.503 PDT) 37.104.31.181 (2) (02:05:54.543 PDT) event=1:22475 (2) {tcp} E2[rb] GPL NETBIOS SMB-DS ADMIN$ unicode share access, [] MAC_Dst: 00:21:5A:08:EC:40 445<-2724 (02:05:54.543 PDT) 445<-4288 (02:07:26.890 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 178.207.117.6 (02:04:06.958 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 46462<-4688 (02:04:06.958 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1370422980.341 1370422980.342 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR 
BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1370431088.684 1370431088.685 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 222.168.45.154, 37.104.31.181 Egg Source List: 190.203.96.130 C & C List: Peer Coord. List: Resource List: Observed Start: 06/05/2013 04:27:01.988 PDT Gen. Time: 06/05/2013 04:27:01.988 PDT INBOUND SCAN EXPLOIT 222.168.45.154 (2) (04:28:37.292 PDT) event=1:22475 (2) {tcp} E2[rb] GPL NETBIOS SMB-DS ADMIN$ unicode share access, [] MAC_Dst: 00:21:5A:08:EC:40 445<-4540 (04:28:37.292 PDT) 445<-2202 (04:30:38.132 PDT) 37.104.31.181 (3) (04:27:58.720 PDT) event=1:22469 {tcp} E2[rb] GPL NETBIOS SMB-DS D$ unicode share access, [] MAC_Dst: 00:21:5A:08:EC:40 445<-4975 (04:30:49.064 PDT) ------------------------- event=1:22472 (2) {tcp} E2[rb] GPL NETBIOS SMB-DS C$ unicode share access, [] MAC_Dst: 00:21:5A:08:EC:40 445<-1778 (04:27:58.720 PDT) 445<-2176 (04:29:37.663 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 190.203.96.130 (04:27:01.988 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 41206<-7818 (04:27:01.988 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1370431621.988 1370431621.989 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 222.168.45.154, 106.51.129.138, 1.162.231.243, 37.104.31.181 Egg Source List: 1.162.231.243 C & C List: 
Peer Coord. List: Resource List: Observed Start: 06/05/2013 04:32:08.297 PDT Gen. Time: 06/05/2013 04:38:44.056 PDT INBOUND SCAN EXPLOIT 222.168.45.154 (6) (04:32:08.297 PDT-04:36:45.897 PDT) event=1:22469 (3) {tcp} E2[rb] GPL NETBIOS SMB-DS D$ unicode share access, [] MAC_Dst: 00:21:5A:08:EC:40 2: 445<-3337 (04:36:43.741 PDT-04:36:45.897 PDT) 445<-4474 (04:38:15.670 PDT) ------------------------- event=1:22472 (3) {tcp} E2[rb] GPL NETBIOS SMB-DS C$ unicode share access, [] MAC_Dst: 00:21:5A:08:EC:40 445<-2039 (04:35:11.142 PDT) 445<-3337 (04:36:42.836 PDT) 445<-3506 (04:32:08.297 PDT) 106.51.129.138 (04:35:34.689 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-4959 (04:35:34.689 PDT) 1.162.231.243 (04:38:38.708 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-4055 (04:38:38.708 PDT) 37.104.31.181 (5) (04:32:21.394 PDT) event=1:22469 {tcp} E2[rb] GPL NETBIOS SMB-DS D$ unicode share access, [] MAC_Dst: 00:21:5A:08:EC:40 445<-1280 (04:32:21.394 PDT) ------------------------- event=1:22472 (2) {tcp} E2[rb] GPL NETBIOS SMB-DS C$ unicode share access, [] MAC_Dst: 00:21:5A:08:EC:40 445<-4993 (04:38:24.901 PDT) 445<-3788 (04:37:15.753 PDT) ------------------------- event=1:22475 (2) {tcp} E2[rb] GPL NETBIOS SMB-DS ADMIN$ unicode share access, [] MAC_Dst: 00:21:5A:08:EC:40 445<-1249 (04:35:43.663 PDT) 445<-1048 (04:34:32.545 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 1.162.231.243 (04:38:44.056 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 32940<-4680 (04:38:44.056 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT 
SCAN tcpslice 1370431928.297 1370432205.898 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 222.168.45.154, 106.51.129.138, 1.162.231.243, 37.104.31.181 Egg Source List: 37.208.34.60, 106.51.129.138, 1.162.231.243 C & C List: Peer Coord. List: Resource List: Observed Start: 06/05/2013 04:32:08.297 PDT Gen. Time: 06/05/2013 05:19:15.160 PDT INBOUND SCAN EXPLOIT 222.168.45.154 (8) (04:32:08.297 PDT-04:36:45.897 PDT) event=1:22469 (3) {tcp} E2[rb] GPL NETBIOS SMB-DS D$ unicode share access, [] MAC_Dst: 00:21:5A:08:EC:40 2: 445<-3337 (04:36:43.741 PDT-04:36:45.897 PDT) 445<-4474 (04:38:15.670 PDT) ------------------------- event=1:22472 (3) {tcp} E2[rb] GPL NETBIOS SMB-DS C$ unicode share access, [] MAC_Dst: 00:21:5A:08:EC:40 445<-2039 (04:35:11.142 PDT) 445<-3337 (04:36:42.836 PDT) 445<-3506 (04:32:08.297 PDT) ------------------------- event=1:22475 (2) {tcp} E2[rb] GPL NETBIOS SMB-DS ADMIN$ unicode share access, [] MAC_Dst: 00:21:5A:08:EC:40 445<-3424 (04:41:49.210 PDT) 445<-1034 (04:43:50.997 PDT) 106.51.129.138 (04:35:34.689 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-4959 (04:35:34.689 PDT) 1.162.231.243 (04:38:38.708 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-4055 (04:38:38.708 PDT) 37.104.31.181 (8) (04:32:21.394 PDT) event=1:22469 (3) {tcp} E2[rb] GPL NETBIOS SMB-DS D$ unicode share access, [] MAC_Dst: 00:21:5A:08:EC:40 445<-1280 (04:32:21.394 PDT) 445<-4572 (04:40:07.508 PDT) 445<-4089 (04:41:38.447 PDT) ------------------------- event=1:22472 (2) {tcp} E2[rb] GPL NETBIOS SMB-DS C$ unicode share access, [] MAC_Dst: 00:21:5A:08:EC:40 445<-4993 (04:38:24.901 PDT) 445<-3788 (04:37:15.753 PDT) ------------------------- event=1:22475 (3) {tcp} E2[rb] GPL NETBIOS SMB-DS ADMIN$ unicode share 
access, [] MAC_Dst: 00:21:5A:08:EC:40 445<-1249 (04:35:43.663 PDT) 445<-1048 (04:34:32.545 PDT) 445<-2754 (04:43:52.267 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 37.208.34.60 (05:15:05.427 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 52383<-6155 (05:15:05.427 PDT) 106.51.129.138 (04:35:43.291 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 38874<-1103 (04:35:43.291 PDT) 1.162.231.243 (04:38:44.056 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 32940<-4680 (04:38:44.056 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1370431928.297 1370432205.898 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 222.168.45.154, 85.95.254.28, 37.104.31.181 Egg Source List: 85.95.254.28 C & C List: Peer Coord. List: Resource List: Observed Start: 06/05/2013 05:29:59.208 PDT Gen. 
Time: 06/05/2013 05:38:03.250 PDT INBOUND SCAN EXPLOIT 222.168.45.154 (8) (05:29:59.208 PDT) event=1:22469 (2) {tcp} E2[rb] GPL NETBIOS SMB-DS D$ unicode share access, [] MAC_Dst: 00:21:5A:08:EC:40 445<-3972 (05:33:01.797 PDT) 445<-1226 (05:34:32.892 PDT) ------------------------- event=1:22472 (3) {tcp} E2[rb] GPL NETBIOS SMB-DS C$ unicode share access, [] MAC_Dst: 00:21:5A:08:EC:40 445<-1412 (05:30:00.228 PDT) 445<-2800 (05:31:30.014 PDT) 445<-3183 (05:41:08.918 PDT) ------------------------- event=1:22475 (3) {tcp} E2[rb] GPL NETBIOS SMB-DS ADMIN$ unicode share access, [] MAC_Dst: 00:21:5A:08:EC:40 445<-1412 (05:29:59.208 PDT) 445<-4467 (05:38:07.750 PDT) 445<-1827 (05:39:38.264 PDT) 85.95.254.28 (05:37:59.740 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-4142 (05:37:59.740 PDT) 37.104.31.181 (6) (05:30:18.842 PDT) event=1:22469 (2) {tcp} E2[rb] GPL NETBIOS SMB-DS D$ unicode share access, [] MAC_Dst: 00:21:5A:08:EC:40 445<-1950 (05:33:35.198 PDT) 445<-2921 (05:35:13.741 PDT) ------------------------- event=1:22472 (2) {tcp} E2[rb] GPL NETBIOS SMB-DS C$ unicode share access, [] MAC_Dst: 00:21:5A:08:EC:40 445<-3783 (05:30:18.842 PDT) 445<-4720 (05:31:56.745 PDT) ------------------------- event=1:22475 (2) {tcp} E2[rb] GPL NETBIOS SMB-DS ADMIN$ unicode share access, [] MAC_Dst: 00:21:5A:08:EC:40 445<-4052 (05:38:30.861 PDT) 445<-1980 (05:39:37.913 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 85.95.254.28 (05:38:03.250 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 46115<-8079 (05:38:03.250 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 
1370435399.208 1370435399.209 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 178.207.117.6, 222.168.45.154, 37.104.31.181 Egg Source List: 178.207.117.6 C & C List: Peer Coord. List: Resource List: Observed Start: 06/05/2013 05:41:48.829 PDT Gen. Time: 06/05/2013 05:44:31.011 PDT INBOUND SCAN EXPLOIT 178.207.117.6 (05:44:27.734 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-2393 (05:44:27.734 PDT) 222.168.45.154 (3) (05:44:10.806 PDT) event=1:22469 (2) {tcp} E2[rb] GPL NETBIOS SMB-DS D$ unicode share access, [] MAC_Dst: 00:21:5A:08:EC:40 445<-2767 (05:45:42.032 PDT) 445<-3888 (05:47:15.673 PDT) ------------------------- event=1:22472 {tcp} E2[rb] GPL NETBIOS SMB-DS C$ unicode share access, [] MAC_Dst: 00:21:5A:08:EC:40 445<-1525 (05:44:10.806 PDT) 37.104.31.181 (4) (05:41:48.829 PDT) event=1:22469 (2) {tcp} E2[rb] GPL NETBIOS SMB-DS D$ unicode share access, [] MAC_Dst: 00:21:5A:08:EC:40 445<-4906 (05:45:04.981 PDT) 445<-3787 (05:46:43.390 PDT) ------------------------- event=1:22472 (2) {tcp} E2[rb] GPL NETBIOS SMB-DS C$ unicode share access, [] MAC_Dst: 00:21:5A:08:EC:40 445<-4223 (05:41:48.829 PDT) 445<-2306 (05:43:25.939 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 178.207.117.6 (05:44:31.011 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 56632<-4688 (05:44:31.011 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1370436108.829 1370436108.830 inputFile.tcpd | tcpdump -r - -w 
outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 222.168.45.154, 190.141.144.92, 180.234.109.246, 105.132.123.83, 37.104.31.181 Egg Source List: 180.234.109.246 C & C List: Peer Coord. List: Resource List: Observed Start: 06/05/2013 06:00:00.176 PDT Gen. Time: 06/05/2013 06:05:47.805 PDT INBOUND SCAN EXPLOIT 222.168.45.154 (5) (06:00:07.201 PDT) event=1:22469 (2) {tcp} E2[rb] GPL NETBIOS SMB-DS D$ unicode share access, [] MAC_Dst: 00:21:5A:08:EC:40 445<-1376 (06:04:01.954 PDT) 445<-2470 (06:05:32.743 PDT) ------------------------- event=1:22472 (2) {tcp} E2[rb] GPL NETBIOS SMB-DS C$ unicode share access, [] MAC_Dst: 00:21:5A:08:EC:40 445<-2616 (06:00:07.201 PDT) 445<-1376 (06:03:58.335 PDT) ------------------------- event=1:22475 {tcp} E2[rb] GPL NETBIOS SMB-DS ADMIN$ unicode share access, [] MAC_Dst: 00:21:5A:08:EC:40 445<-1244 (06:09:03.318 PDT) 190.141.144.92 (06:08:14.210 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-1319 (06:08:14.210 PDT) 180.234.109.246 (06:05:42.732 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-1395 (06:05:42.732 PDT) 105.132.123.83 (06:05:57.877 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-2288 (06:05:57.877 PDT) 37.104.31.181 (7) (06:00:00.176 PDT) event=1:22469 (2) {tcp} E2[rb] GPL NETBIOS SMB-DS D$ unicode share access, [] MAC_Dst: 00:21:5A:08:EC:40 445<-4946 (06:06:23.710 PDT) 445<-1502 (06:07:30.811 PDT) ------------------------- event=1:22472 (2) {tcp} E2[rb] GPL NETBIOS SMB-DS C$ unicode share access, [] MAC_Dst: 00:21:5A:08:EC:40 445<-3375 (06:03:09.365 PDT) 445<-4267 (06:05:18.071 PDT) ------------------------- event=1:22475 (3) {tcp} E2[rb] GPL NETBIOS SMB-DS ADMIN$ unicode share access, [] MAC_Dst: 00:21:5A:08:EC:40 445<-1950 
(06:00:00.176 PDT) 445<-2720 (06:01:31.029 PDT) 445<-3613 (06:09:41.149 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 180.234.109.246 (06:05:47.805 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 60703<-3803 (06:05:47.805 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1370437200.176 1370437200.177 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 222.168.45.154, 190.141.144.92, 180.234.109.246, 105.132.123.83, 37.104.31.181 Egg Source List: 180.234.109.246, 105.132.123.83 C & C List: Peer Coord. List: Resource List: Observed Start: 06/05/2013 06:00:00.176 PDT Gen. 
Time: 06/05/2013 06:10:27.570 PDT INBOUND SCAN EXPLOIT 222.168.45.154 (5) (06:00:07.201 PDT) event=1:22469 (2) {tcp} E2[rb] GPL NETBIOS SMB-DS D$ unicode share access, [] MAC_Dst: 00:21:5A:08:EC:40 445<-1376 (06:04:01.954 PDT) 445<-2470 (06:05:32.743 PDT) ------------------------- event=1:22472 (2) {tcp} E2[rb] GPL NETBIOS SMB-DS C$ unicode share access, [] MAC_Dst: 00:21:5A:08:EC:40 445<-2616 (06:00:07.201 PDT) 445<-1376 (06:03:58.335 PDT) ------------------------- event=1:22475 {tcp} E2[rb] GPL NETBIOS SMB-DS ADMIN$ unicode share access, [] MAC_Dst: 00:21:5A:08:EC:40 445<-1244 (06:09:03.318 PDT) 190.141.144.92 (06:08:14.210 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-1319 (06:08:14.210 PDT) 180.234.109.246 (06:05:42.732 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-1395 (06:05:42.732 PDT) 105.132.123.83 (06:05:57.877 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-2288 (06:05:57.877 PDT) 37.104.31.181 (7) (06:00:00.176 PDT) event=1:22469 (2) {tcp} E2[rb] GPL NETBIOS SMB-DS D$ unicode share access, [] MAC_Dst: 00:21:5A:08:EC:40 445<-4946 (06:06:23.710 PDT) 445<-1502 (06:07:30.811 PDT) ------------------------- event=1:22472 (2) {tcp} E2[rb] GPL NETBIOS SMB-DS C$ unicode share access, [] MAC_Dst: 00:21:5A:08:EC:40 445<-3375 (06:03:09.365 PDT) 445<-4267 (06:05:18.071 PDT) ------------------------- event=1:22475 (3) {tcp} E2[rb] GPL NETBIOS SMB-DS ADMIN$ unicode share access, [] MAC_Dst: 00:21:5A:08:EC:40 445<-1950 (06:00:00.176 PDT) 445<-2720 (06:01:31.029 PDT) 445<-3613 (06:09:41.149 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 180.234.109.246 (06:05:47.805 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 60703<-3803 (06:05:47.805 PDT) 105.132.123.83 (06:06:01.580 PDT) event=1:2001685 {tcp} E3[rb] ET 
MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 38340<-4480 (06:06:01.580 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1370437200.176 1370437200.177 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 222.168.45.154, 37.104.31.181 Egg Source List: 190.141.144.92 C & C List: Peer Coord. List: Resource List: Observed Start: 06/05/2013 06:08:16.950 PDT Gen. Time: 06/05/2013 06:08:16.950 PDT INBOUND SCAN EXPLOIT 222.168.45.154 (3) (06:10:33.112 PDT) event=1:22472 {tcp} E2[rb] GPL NETBIOS SMB-DS C$ unicode share access, [] MAC_Dst: 00:21:5A:08:EC:40 445<-3825 (06:12:06.176 PDT) ------------------------- event=1:22475 (2) {tcp} E2[rb] GPL NETBIOS SMB-DS ADMIN$ unicode share access, [] MAC_Dst: 00:21:5A:08:EC:40 445<-2638 (06:10:33.112 PDT) 445<-3825 (06:12:05.197 PDT) 37.104.31.181 (06:11:19.005 PDT) event=1:22475 {tcp} E2[rb] GPL NETBIOS SMB-DS ADMIN$ unicode share access, [] MAC_Dst: 00:21:5A:08:EC:40 445<-1048 (06:11:19.005 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 190.141.144.92 (06:08:16.950 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 56454<-9953 (06:08:16.950 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 
tcpslice 1370437696.950 1370437696.951 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 186.93.142.70, 222.168.45.154, 190.141.144.92, 37.104.31.181 Egg Source List: 190.141.144.92 C & C List: Peer Coord. List: Resource List: Observed Start: 06/05/2013 06:08:16.950 PDT Gen. Time: 06/05/2013 06:18:32.985 PDT INBOUND SCAN EXPLOIT 186.93.142.70 (06:14:40.687 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-3067 (06:14:40.687 PDT) 222.168.45.154 (8) (06:10:33.112 PDT) event=1:22469 (3) {tcp} E2[rb] GPL NETBIOS SMB-DS D$ unicode share access, [] MAC_Dst: 00:21:5A:08:EC:40 445<-1799 (06:15:09.310 PDT) 445<-3029 (06:16:37.950 PDT) 445<-4244 (06:18:09.399 PDT) ------------------------- event=1:22472 (3) {tcp} E2[rb] GPL NETBIOS SMB-DS C$ unicode share access, [] MAC_Dst: 00:21:5A:08:EC:40 445<-3825 (06:12:06.176 PDT) 445<-4323 (06:13:36.410 PDT) 445<-1799 (06:15:08.216 PDT) ------------------------- event=1:22475 (2) {tcp} E2[rb] GPL NETBIOS SMB-DS ADMIN$ unicode share access, [] MAC_Dst: 00:21:5A:08:EC:40 445<-2638 (06:10:33.112 PDT) 445<-3825 (06:12:05.197 PDT) 190.141.144.92 (06:14:04.745 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-3825 (06:14:04.745 PDT) 37.104.31.181 (5) (06:11:19.005 PDT) event=1:22469 (2) {tcp} E2[rb] GPL NETBIOS SMB-DS D$ unicode share access, [] MAC_Dst: 00:21:5A:08:EC:40 445<-2052 (06:15:41.437 PDT) 445<-4536 (06:16:47.177 PDT) ------------------------- event=1:22472 (2) {tcp} E2[rb] GPL NETBIOS SMB-DS C$ unicode share access, [] MAC_Dst: 00:21:5A:08:EC:40 445<-2250 (06:12:24.973 PDT) 445<-4158 (06:14:09.259 PDT) ------------------------- event=1:22475 {tcp} E2[rb] GPL NETBIOS SMB-DS ADMIN$ unicode share access, [] MAC_Dst: 00:21:5A:08:EC:40 445<-1048 (06:11:19.005 PDT) EXPLOIT 
MALWARE DNS EGG DOWNLOAD 190.141.144.92 (2) (06:08:16.950 PDT) event=1:2001685 (2) {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 56454<-9953 (06:08:16.950 PDT) 37683<-9953 (06:14:10.399 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1370437696.950 1370437696.951 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 222.168.45.154, 190.141.144.92 Egg Source List: 190.141.144.92 C & C List: Peer Coord. List: Resource List: Observed Start: 06/05/2013 06:19:44.529 PDT Gen. Time: 06/05/2013 06:19:55.095 PDT INBOUND SCAN EXPLOIT 222.168.45.154 (06:19:44.529 PDT) event=1:22475 {tcp} E2[rb] GPL NETBIOS SMB-DS ADMIN$ unicode share access, [] MAC_Dst: 00:21:5A:08:EC:40 445<-1393 (06:19:44.529 PDT) 190.141.144.92 (06:19:51.792 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-2875 (06:19:51.792 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 190.141.144.92 (06:19:55.095 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 33639<-9953 (06:19:55.095 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1370438384.529 1370438384.530 inputFile.tcpd | tcpdump -r - -w 
outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 222.168.45.154, 61.19.32.54, 181.226.97.10, 190.141.144.92, 93.57.70.124, 37.104.31.181 Egg Source List: 61.19.32.54, 181.226.97.10, 190.141.144.92 C & C List: Peer Coord. List: Resource List: Observed Start: 06/05/2013 06:19:44.529 PDT Gen. Time: 06/05/2013 06:29:16.030 PDT INBOUND SCAN EXPLOIT 222.168.45.154 (5) (06:19:44.529 PDT) event=1:22472 (2) {tcp} E2[rb] GPL NETBIOS SMB-DS C$ unicode share access, [] MAC_Dst: 00:21:5A:08:EC:40 445<-2528 (06:26:17.646 PDT) 445<-3732 (06:27:48.592 PDT) ------------------------- event=1:22475 (3) {tcp} E2[rb] GPL NETBIOS SMB-DS ADMIN$ unicode share access, [] MAC_Dst: 00:21:5A:08:EC:40 445<-1393 (06:19:44.529 PDT) 445<-2617 (06:21:12.614 PDT) 445<-2528 (06:26:16.190 PDT) 61.19.32.54 (06:24:21.656 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-3419 (06:24:21.656 PDT) 181.226.97.10 (06:23:08.298 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-1132 (06:23:08.298 PDT) 190.141.144.92 (2) (06:19:51.792 PDT) event=1:22009201 (2) {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-2875 (06:19:51.792 PDT) 445<-1783 (06:25:33.687 PDT) 93.57.70.124 (06:22:32.642 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-55359 (06:22:32.642 PDT) 37.104.31.181 (6) (06:20:06.212 PDT) event=1:22469 (2) {tcp} E2[rb] GPL NETBIOS SMB-DS D$ unicode share access, [] MAC_Dst: 00:21:5A:08:EC:40 445<-3482 (06:26:05.014 PDT) 445<-2974 (06:27:43.161 PDT) ------------------------- event=1:22472 (2) {tcp} E2[rb] GPL NETBIOS SMB-DS C$ unicode share access, [] MAC_Dst: 00:21:5A:08:EC:40 445<-1953 (06:23:22.813 PDT) 445<-1283 (06:24:59.681 PDT) ------------------------- event=1:22475 (2) {tcp} E2[rb] 
GPL NETBIOS SMB-DS ADMIN$ unicode share access, [] MAC_Dst: 00:21:5A:08:EC:40 445<-3161 (06:20:06.212 PDT) 445<-2415 (06:21:43.535 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 61.19.32.54 (06:24:25.500 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 38621<-5124 (06:24:25.500 PDT) 181.226.97.10 (06:23:12.311 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 40142<-9126 (06:23:12.311 PDT) 190.141.144.92 (06:19:55.095 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 33639<-9953 (06:19:55.095 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1370438384.529 1370438384.530 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 222.168.45.154 Egg Source List: 190.141.144.92 C & C List: Peer Coord. List: Resource List: Observed Start: 06/05/2013 06:25:36.950 PDT Gen. 
Time: 06/05/2013 06:25:36.950 PDT INBOUND SCAN EXPLOIT 222.168.45.154 (06:29:18.477 PDT) event=1:22469 {tcp} E2[rb] GPL NETBIOS SMB-DS D$ unicode share access, [] MAC_Dst: 00:21:5A:08:EC:40 445<-4988 (06:29:18.477 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 190.141.144.92 (06:25:36.950 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 37533<-9953 (06:25:36.950 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1370438736.950 1370438736.951 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 222.168.45.154, 190.141.144.92, 37.104.31.181 Egg Source List: 190.141.144.92 C & C List: Peer Coord. List: Resource List: Observed Start: 06/05/2013 06:30:50.171 PDT Gen. 
Time: 06/05/2013 06:31:18.083 PDT INBOUND SCAN EXPLOIT 222.168.45.154 (06:30:50.171 PDT) event=1:22469 {tcp} E2[rb] GPL NETBIOS SMB-DS D$ unicode share access, [] MAC_Dst: 00:21:5A:08:EC:40 445<-2168 (06:30:50.171 PDT) 190.141.144.92 (06:31:15.190 PDT) event=1:22009201 {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-4097 (06:31:15.190 PDT) 37.104.31.181 (06:31:02.574 PDT) event=1:22475 {tcp} E2[rb] GPL NETBIOS SMB-DS ADMIN$ unicode share access, [] MAC_Dst: 00:21:5A:08:EC:40 445<-3639 (06:31:02.574 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 190.141.144.92 (06:31:18.083 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 39695<-9953 (06:31:18.083 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1370439050.171 1370439050.172 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 222.168.45.154, 190.141.144.92, 37.104.31.181 Egg Source List: 190.141.144.92 C & C List: Peer Coord. List: Resource List: Observed Start: 06/05/2013 06:30:50.171 PDT Gen. 
Time: 06/05/2013 06:39:03.897 PDT INBOUND SCAN EXPLOIT 222.168.45.154 (4) (06:30:50.171 PDT) event=1:22469 (2) {tcp} E2[rb] GPL NETBIOS SMB-DS D$ unicode share access, [] MAC_Dst: 00:21:5A:08:EC:40 445<-2168 (06:30:50.171 PDT) 445<-3369 (06:32:21.204 PDT) ------------------------- event=1:22475 (2) {tcp} E2[rb] GPL NETBIOS SMB-DS ADMIN$ unicode share access, [] MAC_Dst: 00:21:5A:08:EC:40 445<-4668 (06:33:53.780 PDT) 445<-1879 (06:35:24.854 PDT) 190.141.144.92 (2) (06:31:15.190 PDT) event=1:22009201 (2) {tcp} E2[rb] ET TROJAN Conficker.b Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 445<-4097 (06:31:15.190 PDT) 445<-2459 (06:36:56.226 PDT) 37.104.31.181 (4) (06:31:02.574 PDT) event=1:22472 (2) {tcp} E2[rb] GPL NETBIOS SMB-DS C$ unicode share access, [] MAC_Dst: 00:21:5A:08:EC:40 445<-1558 (06:34:17.368 PDT) 445<-4896 (06:35:26.330 PDT) ------------------------- event=1:22475 (2) {tcp} E2[rb] GPL NETBIOS SMB-DS ADMIN$ unicode share access, [] MAC_Dst: 00:21:5A:08:EC:40 445<-3639 (06:31:02.574 PDT) 445<-2008 (06:33:11.257 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 190.141.144.92 (06:31:18.083 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 39695<-9953 (06:31:18.083 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT Local Threat Triggered DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1370439050.171 1370439050.172 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================