Score: 1.1 (>= 0.8)
Infected Target: 192.168.1.138
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 06/20/2013 16:21:37.849 PDT
Gen. Time: 06/20/2013 16:21:37.892 PDT
    INBOUND SCAN
    EXPLOIT
    EXPLOIT MALWARE DNS
    EGG DOWNLOAD
    C and C TRAFFIC
    C and C TRAFFIC (RBN)
    C and C DNS CHECK-IN
    OUTBOUND SKYPE CANDIDATE
    OUTBOUND SCAN (spp)
        105.73.55.37 (16:21:37.849 PDT)
            event=777:7777005 {tcp} E5[bh] Detected moderate malware port scanning of 10 IPs (10 /24s) (# pkts S/M/O/I=0/10/0/0): 445:10, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (16:21:37.849 PDT)
    OUTBOUND SCAN
    ATTACK PREP
    PEER COORDINATION Info
    PEER COORDINATION
    DECLARE BOT Standard Port
    DECLARE BOT Non-standard Port
    DECLARE BOT Local Threat Triggered
    DECLARE BOT
    OUTBOUND INTENSE MALWARE PORT SCAN
        105.73.55.37 (16:21:37.892 PDT)
            event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 21 IPs (21 /24s) (# pkts S/M/O/I=0/21/0/0): 445:21, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (16:21:37.892 PDT)
tcpslice 1371770497.849 1371770497.850 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.138'
============================== SEPARATOR ================================

Score: 1.6 (>= 0.8)
Infected Target: 192.168.1.138
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 06/20/2013 16:21:37.849 PDT
Gen. Time: 06/20/2013 16:27:46.360 PDT
    INBOUND SCAN
    EXPLOIT
    EXPLOIT MALWARE DNS
    EGG DOWNLOAD
    C and C TRAFFIC
    C and C TRAFFIC (RBN)
    C and C DNS CHECK-IN
    OUTBOUND SKYPE CANDIDATE
    OUTBOUND SCAN (spp)
        56.38.8.61 (16:24:08.151 PDT)
            event=777:7777005 {tcp} E5[bh] Detected moderate malware port scanning of 10 IPs (10 /24s) (# pkts S/M/O/I=0/10/0/0): 445:10, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (16:24:08.151 PDT)
        105.73.55.37 (16:21:37.849 PDT)
            event=777:7777005 {tcp} E5[bh] Detected moderate malware port scanning of 10 IPs (10 /24s) (# pkts S/M/O/I=0/10/0/0): 445:10, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (16:21:37.849 PDT)
    OUTBOUND SCAN
        199.50.57.6 (16:23:38.122 PDT)
            event=1:2001569 {tcp} E5[rb] ET SCAN Behavioral Unusual Port NETBIOS traffic, Potential Scan or Infection (60 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 1102->445 (16:23:38.122 PDT)
        118.41.37.45 (16:21:37.930 PDT)
            event=1:2001569 {tcp} E5[rb] ET SCAN Behavioral Unusual Port NETBIOS traffic, Potential Scan or Infection (60 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 1102->445 (16:21:37.930 PDT)
        50.117.228.6 (16:24:08.838 PDT)
            event=1:2001569 {tcp} E5[rb] ET SCAN Behavioral Unusual Port NETBIOS traffic, Potential Scan or Infection (60 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 2134->445 (16:24:08.838 PDT)
        167.53.46.6 (16:22:39.611 PDT)
            event=1:2001569 {tcp} E5[rb] ET SCAN Behavioral Unusual Port NETBIOS traffic, Potential Scan or Infection (60 in 60 secs), [] MAC_Src: 00:01:64:FF:CE:EA 3056->445 (16:22:39.611 PDT)
        23.83.184.8 (16:22:30.490 PDT)
            event=1:52009200 {tcp} E5[rb] ET CURRENT_EVENTS Conficker.a Shellcode, [] MAC_Src: 00:01:64:FF:CE:EA 2885->445 (16:22:30.490 PDT)
    ATTACK PREP
    PEER COORDINATION Info
    PEER COORDINATION
    DECLARE BOT Standard Port
    DECLARE BOT Non-standard Port
    DECLARE BOT Local Threat Triggered
    DECLARE BOT
    OUTBOUND INTENSE MALWARE PORT SCAN
        105.73.55.37 (16:21:37.892 PDT)
            event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 21 IPs (21 /24s) (# pkts S/M/O/I=0/21/0/0): 445:21, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (16:21:37.892 PDT)
        152.49.18.73 (16:24:08.279 PDT)
            event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 21 IPs (21 /24s) (# pkts S/M/O/I=0/21/0/0): 445:21, [] MAC_Src: 00:01:64:FF:CE:EA 0->0 (16:24:08.279 PDT)
tcpslice 1371770497.849 1371770497.850 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.138'
============================== SEPARATOR ================================