Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 07/03/2013 03:13:21.967 PDT
Gen. Time: 07/03/2013 03:13:21.967 PDT
  INBOUND SCAN
  EXPLOIT
  EXPLOIT MALWARE DNS
  EGG DOWNLOAD
  C and C TRAFFIC
  C and C TRAFFIC (RBN)
  C and C DNS CHECK-IN
  OUTBOUND SKYPE CANDIDATE
  OUTBOUND SCAN (spp)
  OUTBOUND SCAN
  ATTACK PREP
  PEER COORDINATION Info
  PEER COORDINATION
  DECLARE BOT Standard Port
  DECLARE BOT Non-standard Port
  DECLARE BOT Local Threat Triggered
  DECLARE BOT
    71.114.134.16 (03:13:21.967 PDT) event=1:9910002 {udp} E8[rb] BOTHUNTER CURRENT_EVENTS Excessive NXDOMAIN responses by internal host, [] MAC_Src: 00:21:1C:EE:14:00 47113<-53 (03:13:21.967 PDT)
  OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1372846401.967 1372846401.968 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 07/03/2013 04:26:38.458 PDT
Gen. Time: 07/03/2013 04:26:38.458 PDT
  INBOUND SCAN
  EXPLOIT
  EXPLOIT MALWARE DNS
  EGG DOWNLOAD
  C and C TRAFFIC
  C and C TRAFFIC (RBN)
  C and C DNS CHECK-IN
  OUTBOUND SKYPE CANDIDATE
  OUTBOUND SCAN (spp)
  OUTBOUND SCAN
  ATTACK PREP
  PEER COORDINATION Info
  PEER COORDINATION
  DECLARE BOT Standard Port
  DECLARE BOT Non-standard Port
  DECLARE BOT Local Threat Triggered
  DECLARE BOT
    96.237.24.205 (04:26:38.458 PDT) event=1:9910002 {udp} E8[rb] BOTHUNTER CURRENT_EVENTS Excessive NXDOMAIN responses by internal host, [] MAC_Src: 00:21:1C:EE:14:00 47113<-53 (04:26:38.458 PDT)
  OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1372850798.458 1372850798.459 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 1.3 (>= 0.8)
Infected Target: 192.168.1.102
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 07/03/2013 04:26:38.458 PDT
Gen. Time: 07/03/2013 04:31:10.711 PDT
  INBOUND SCAN
  EXPLOIT
  EXPLOIT MALWARE DNS
  EGG DOWNLOAD
  C and C TRAFFIC
  C and C TRAFFIC (RBN)
  C and C DNS CHECK-IN
  OUTBOUND SKYPE CANDIDATE
  OUTBOUND SCAN (spp)
  OUTBOUND SCAN
    210.172.255.102 (04:27:47.164 PDT) event=1:2002910 {tcp} E5[rb] ET SCAN Potential VNC Scan 5800-5820, [] MAC_Src: 00:21:5A:08:EC:40 54011->5802 (04:27:47.164 PDT)
  ATTACK PREP
  PEER COORDINATION Info
  PEER COORDINATION
  DECLARE BOT Standard Port
  DECLARE BOT Non-standard Port
  DECLARE BOT Local Threat Triggered
  DECLARE BOT
    96.237.24.205 (04:26:38.458 PDT) event=1:9910002 {udp} E8[rb] BOTHUNTER CURRENT_EVENTS Excessive NXDOMAIN responses by internal host, [] MAC_Src: 00:21:1C:EE:14:00 47113<-53 (04:26:38.458 PDT)
  OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1372850798.458 1372850798.459 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 1.3 (>= 0.8)
Infected Target: 192.168.1.102
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 07/03/2013 04:32:09.584 PDT
Gen. Time: 07/03/2013 04:32:37.130 PDT
  INBOUND SCAN
  EXPLOIT
  EXPLOIT MALWARE DNS
  EGG DOWNLOAD
  C and C TRAFFIC
  C and C TRAFFIC (RBN)
  C and C DNS CHECK-IN
  OUTBOUND SKYPE CANDIDATE
  OUTBOUND SCAN (spp)
  OUTBOUND SCAN
    210.172.255.102 (04:32:09.584 PDT) event=1:2002910 {tcp} E5[rb] ET SCAN Potential VNC Scan 5800-5820, [] MAC_Src: 00:21:5A:08:EC:40 59856->5802 (04:32:09.584 PDT)
  ATTACK PREP
  PEER COORDINATION Info
  PEER COORDINATION
  DECLARE BOT Standard Port
  DECLARE BOT Non-standard Port
  DECLARE BOT Local Threat Triggered
  DECLARE BOT
    36.224.39.189 (04:32:37.130 PDT) event=1:9910002 {udp} E8[rb] BOTHUNTER CURRENT_EVENTS Excessive NXDOMAIN responses by internal host, [] MAC_Src: 00:21:1C:EE:14:00 47113<-53 (04:32:37.130 PDT)
  OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1372851129.584 1372851129.585 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 07/03/2013 05:37:38.792 PDT
Gen. Time: 07/03/2013 05:37:38.792 PDT
  INBOUND SCAN
  EXPLOIT
  EXPLOIT MALWARE DNS
  EGG DOWNLOAD
  C and C TRAFFIC
  C and C TRAFFIC (RBN)
  C and C DNS CHECK-IN
  OUTBOUND SKYPE CANDIDATE
  OUTBOUND SCAN (spp)
  OUTBOUND SCAN
  ATTACK PREP
  PEER COORDINATION Info
  PEER COORDINATION
  DECLARE BOT Standard Port
  DECLARE BOT Non-standard Port
  DECLARE BOT Local Threat Triggered
  DECLARE BOT
    36.224.35.237 (05:37:38.792 PDT) event=1:9910002 {udp} E8[rb] BOTHUNTER CURRENT_EVENTS Excessive NXDOMAIN responses by internal host, [] MAC_Src: 00:21:1C:EE:14:00 47113<-53 (05:37:38.792 PDT)
  OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1372855058.792 1372855058.793 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 07/03/2013 07:28:03.735 PDT
Gen. Time: 07/03/2013 07:28:03.735 PDT
  INBOUND SCAN
  EXPLOIT
  EXPLOIT MALWARE DNS
  EGG DOWNLOAD
  C and C TRAFFIC
  C and C TRAFFIC (RBN)
  C and C DNS CHECK-IN
  OUTBOUND SKYPE CANDIDATE
  OUTBOUND SCAN (spp)
  OUTBOUND SCAN
  ATTACK PREP
  PEER COORDINATION Info
  PEER COORDINATION
  DECLARE BOT Standard Port
  DECLARE BOT Non-standard Port
  DECLARE BOT Local Threat Triggered
  DECLARE BOT
    31.162.190.58 (07:28:03.735 PDT) event=1:9910002 {udp} E8[rb] BOTHUNTER CURRENT_EVENTS Excessive NXDOMAIN responses by internal host, [] MAC_Src: 00:21:1C:EE:14:00 47113<-53 (07:28:03.735 PDT)
  OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1372861683.735 1372861683.736 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 07/03/2013 07:31:16.009 PDT
Gen. Time: 07/03/2013 07:31:16.009 PDT
  INBOUND SCAN
  EXPLOIT
  EXPLOIT MALWARE DNS
  EGG DOWNLOAD
  C and C TRAFFIC
  C and C TRAFFIC (RBN)
  C and C DNS CHECK-IN
  OUTBOUND SKYPE CANDIDATE
  OUTBOUND SCAN (spp)
  OUTBOUND SCAN
  ATTACK PREP
  PEER COORDINATION Info
  PEER COORDINATION
  DECLARE BOT Standard Port
  DECLARE BOT Non-standard Port
  DECLARE BOT Local Threat Triggered
  DECLARE BOT
    192.183.234.162 (07:31:16.009 PDT) event=1:9910002 {udp} E8[rb] BOTHUNTER CURRENT_EVENTS Excessive NXDOMAIN responses by internal host, [] MAC_Src: 00:21:1C:EE:14:00 47113<-53 (07:31:16.009 PDT)
  OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1372861876.009 1372861876.010 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 07/03/2013 08:07:29.912 PDT
Gen. Time: 07/03/2013 08:07:29.912 PDT
  INBOUND SCAN
  EXPLOIT
  EXPLOIT MALWARE DNS
  EGG DOWNLOAD
  C and C TRAFFIC
  C and C TRAFFIC (RBN)
  C and C DNS CHECK-IN
  OUTBOUND SKYPE CANDIDATE
  OUTBOUND SCAN (spp)
  OUTBOUND SCAN
  ATTACK PREP
  PEER COORDINATION Info
  PEER COORDINATION
  DECLARE BOT Standard Port
  DECLARE BOT Non-standard Port
  DECLARE BOT Local Threat Triggered
  DECLARE BOT
    111.250.41.151 (08:07:29.912 PDT) event=1:9910002 {udp} E8[rb] BOTHUNTER CURRENT_EVENTS Excessive NXDOMAIN responses by internal host, [] MAC_Src: 00:21:1C:EE:14:00 47113<-53 (08:07:29.912 PDT)
  OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1372864049.912 1372864049.913 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 07/03/2013 08:27:39.720 PDT
Gen. Time: 07/03/2013 08:27:39.720 PDT
  INBOUND SCAN
  EXPLOIT
  EXPLOIT MALWARE DNS
  EGG DOWNLOAD
  C and C TRAFFIC
  C and C TRAFFIC (RBN)
  C and C DNS CHECK-IN
  OUTBOUND SKYPE CANDIDATE
  OUTBOUND SCAN (spp)
  OUTBOUND SCAN
  ATTACK PREP
  PEER COORDINATION Info
  PEER COORDINATION
  DECLARE BOT Standard Port
  DECLARE BOT Non-standard Port
  DECLARE BOT Local Threat Triggered
  DECLARE BOT
    118.160.221.150 (08:27:39.720 PDT) event=1:9910002 {udp} E8[rb] BOTHUNTER CURRENT_EVENTS Excessive NXDOMAIN responses by internal host, [] MAC_Src: 00:21:1C:EE:14:00 47113<-53 (08:27:39.720 PDT)
  OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1372865259.720 1372865259.721 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 07/03/2013 08:27:39.720 PDT
Gen. Time: 07/03/2013 08:31:40.453 PDT
  INBOUND SCAN
  EXPLOIT
  EXPLOIT MALWARE DNS
  EGG DOWNLOAD
  C and C TRAFFIC
  C and C TRAFFIC (RBN)
  C and C DNS CHECK-IN
  OUTBOUND SKYPE CANDIDATE
  OUTBOUND SCAN (spp)
  OUTBOUND SCAN
  ATTACK PREP
  PEER COORDINATION Info
  PEER COORDINATION
  DECLARE BOT Standard Port
  DECLARE BOT Non-standard Port
  DECLARE BOT Local Threat Triggered
  DECLARE BOT
    118.160.221.150 (08:27:39.720 PDT) event=1:9910002 {udp} E8[rb] BOTHUNTER CURRENT_EVENTS Excessive NXDOMAIN responses by internal host, [] MAC_Src: 00:21:1C:EE:14:00 47113<-53 (08:27:39.720 PDT)
    1.165.244.162 (08:30:58.308 PDT) event=1:9910002 {udp} E8[rb] BOTHUNTER CURRENT_EVENTS Excessive NXDOMAIN responses by internal host, [] MAC_Src: 00:21:1C:EE:14:00 47113<-53 (08:30:58.308 PDT)
  OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1372865259.720 1372865259.721 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 07/03/2013 08:37:39.645 PDT
Gen. Time: 07/03/2013 08:37:39.645 PDT
  INBOUND SCAN
  EXPLOIT
  EXPLOIT MALWARE DNS
  EGG DOWNLOAD
  C and C TRAFFIC
  C and C TRAFFIC (RBN)
  C and C DNS CHECK-IN
  OUTBOUND SKYPE CANDIDATE
  OUTBOUND SCAN (spp)
  OUTBOUND SCAN
  ATTACK PREP
  PEER COORDINATION Info
  PEER COORDINATION
  DECLARE BOT Standard Port
  DECLARE BOT Non-standard Port
  DECLARE BOT Local Threat Triggered
  DECLARE BOT
    66.86.12.146 (08:37:39.645 PDT) event=1:9910002 {udp} E8[rb] BOTHUNTER CURRENT_EVENTS Excessive NXDOMAIN responses by internal host, [] MAC_Src: 00:21:1C:EE:14:00 47113<-53 (08:37:39.645 PDT)
  OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1372865859.645 1372865859.646 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 07/03/2013 08:49:26.217 PDT
Gen. Time: 07/03/2013 08:49:26.217 PDT
  INBOUND SCAN
  EXPLOIT
  EXPLOIT MALWARE DNS
  EGG DOWNLOAD
  C and C TRAFFIC
  C and C TRAFFIC (RBN)
  C and C DNS CHECK-IN
  OUTBOUND SKYPE CANDIDATE
  OUTBOUND SCAN (spp)
  OUTBOUND SCAN
  ATTACK PREP
  PEER COORDINATION Info
  PEER COORDINATION
  DECLARE BOT Standard Port
  DECLARE BOT Non-standard Port
  DECLARE BOT Local Threat Triggered
  DECLARE BOT
    50.102.167.203 (08:49:26.217 PDT) event=1:9910002 {udp} E8[rb] BOTHUNTER CURRENT_EVENTS Excessive NXDOMAIN responses by internal host, [] MAC_Src: 00:21:1C:EE:14:00 47113<-53 (08:49:26.217 PDT)
  OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1372866566.217 1372866566.218 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 07/03/2013 08:57:02.371 PDT
Gen. Time: 07/03/2013 08:57:02.371 PDT
  INBOUND SCAN
  EXPLOIT
  EXPLOIT MALWARE DNS
  EGG DOWNLOAD
  C and C TRAFFIC
  C and C TRAFFIC (RBN)
  C and C DNS CHECK-IN
  OUTBOUND SKYPE CANDIDATE
  OUTBOUND SCAN (spp)
  OUTBOUND SCAN
  ATTACK PREP
  PEER COORDINATION Info
  PEER COORDINATION
  DECLARE BOT Standard Port
  DECLARE BOT Non-standard Port
  DECLARE BOT Local Threat Triggered
  DECLARE BOT
    36.224.39.189 (08:57:02.371 PDT) event=1:9910002 {udp} E8[rb] BOTHUNTER CURRENT_EVENTS Excessive NXDOMAIN responses by internal host, [] MAC_Src: 00:21:1C:EE:14:00 47113<-53 (08:57:02.371 PDT)
  OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1372867022.371 1372867022.372 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 07/03/2013 09:53:55.536 PDT
Gen. Time: 07/03/2013 09:53:55.536 PDT
  INBOUND SCAN
  EXPLOIT
  EXPLOIT MALWARE DNS
  EGG DOWNLOAD
  C and C TRAFFIC
  C and C TRAFFIC (RBN)
  C and C DNS CHECK-IN
  OUTBOUND SKYPE CANDIDATE
  OUTBOUND SCAN (spp)
  OUTBOUND SCAN
  ATTACK PREP
  PEER COORDINATION Info
  PEER COORDINATION
  DECLARE BOT Standard Port
  DECLARE BOT Non-standard Port
  DECLARE BOT Local Threat Triggered
  DECLARE BOT
    79.100.2.21 (09:53:55.536 PDT) event=1:9910002 {udp} E8[rb] BOTHUNTER CURRENT_EVENTS Excessive NXDOMAIN responses by internal host, [] MAC_Src: 00:21:1C:EE:14:00 47113<-53 (09:53:55.536 PDT)
  OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1372870435.536 1372870435.537 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 07/03/2013 11:45:13.523 PDT
Gen. Time: 07/03/2013 11:45:13.523 PDT
  INBOUND SCAN
  EXPLOIT
  EXPLOIT MALWARE DNS
  EGG DOWNLOAD
  C and C TRAFFIC
  C and C TRAFFIC (RBN)
  C and C DNS CHECK-IN
  OUTBOUND SKYPE CANDIDATE
  OUTBOUND SCAN (spp)
  OUTBOUND SCAN
  ATTACK PREP
  PEER COORDINATION Info
  PEER COORDINATION
  DECLARE BOT Standard Port
  DECLARE BOT Non-standard Port
  DECLARE BOT Local Threat Triggered
  DECLARE BOT
    68.236.124.193 (11:45:13.523 PDT) event=1:9910002 {udp} E8[rb] BOTHUNTER CURRENT_EVENTS Excessive NXDOMAIN responses by internal host, [] MAC_Src: 00:21:1C:EE:14:00 47113<-53 (11:45:13.523 PDT)
  OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1372877113.523 1372877113.524 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 07/03/2013 11:45:13.523 PDT
Gen. Time: 07/03/2013 11:49:34.891 PDT
  INBOUND SCAN
  EXPLOIT
  EXPLOIT MALWARE DNS
  EGG DOWNLOAD
  C and C TRAFFIC
  C and C TRAFFIC (RBN)
  C and C DNS CHECK-IN
  OUTBOUND SKYPE CANDIDATE
  OUTBOUND SCAN (spp)
  OUTBOUND SCAN
  ATTACK PREP
  PEER COORDINATION Info
  PEER COORDINATION
  DECLARE BOT Standard Port
  DECLARE BOT Non-standard Port
  DECLARE BOT Local Threat Triggered
  DECLARE BOT
    79.189.39.181 (11:47:31.805 PDT) event=1:9910002 {udp} E8[rb] BOTHUNTER CURRENT_EVENTS Excessive NXDOMAIN responses by internal host, [] MAC_Src: 00:21:1C:EE:14:00 47113<-53 (11:47:31.805 PDT)
    68.236.124.193 (11:45:13.523 PDT) event=1:9910002 {udp} E8[rb] BOTHUNTER CURRENT_EVENTS Excessive NXDOMAIN responses by internal host, [] MAC_Src: 00:21:1C:EE:14:00 47113<-53 (11:45:13.523 PDT)
  OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1372877113.523 1372877113.524 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.9 (>= 0.8)
Infected Target: 192.168.1.102
Infector List:
Egg Source List:
C & C List: 202.150.208.75
Peer Coord. List:
Resource List:
Observed Start: 07/03/2013 12:36:46.933 PDT
Gen. Time: 07/03/2013 12:37:53.027 PDT
  INBOUND SCAN
  EXPLOIT
  EXPLOIT MALWARE DNS
  EGG DOWNLOAD
  C and C TRAFFIC
  C and C TRAFFIC (RBN)
    202.150.208.75 (12:36:46.933 PDT) event=1:3810008 {udp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:EC:40 47113->53 (12:36:46.933 PDT)
  C and C DNS CHECK-IN
  OUTBOUND SKYPE CANDIDATE
  OUTBOUND SCAN (spp)
  OUTBOUND SCAN
  ATTACK PREP
  PEER COORDINATION Info
  PEER COORDINATION
  DECLARE BOT Standard Port
  DECLARE BOT Non-standard Port
  DECLARE BOT Local Threat Triggered
  DECLARE BOT
    83.12.227.212 (12:37:53.027 PDT) event=1:9910002 {udp} E8[rb] BOTHUNTER CURRENT_EVENTS Excessive NXDOMAIN responses by internal host, [] MAC_Src: 00:21:1C:EE:14:00 47113<-53 (12:37:53.027 PDT)
  OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1372880206.933 1372880206.934 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.9 (>= 0.8)
Infected Target: 192.168.1.102
Infector List:
Egg Source List:
C & C List: 202.150.208.75
Peer Coord. List:
Resource List:
Observed Start: 07/03/2013 12:36:46.933 PDT
Gen. Time: 07/03/2013 12:40:43.141 PDT
  INBOUND SCAN
  EXPLOIT
  EXPLOIT MALWARE DNS
  EGG DOWNLOAD
  C and C TRAFFIC
  C and C TRAFFIC (RBN)
    202.150.208.75 (12:36:46.933 PDT) event=1:3810008 {udp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:EC:40 47113->53 (12:36:46.933 PDT)
  C and C DNS CHECK-IN
  OUTBOUND SKYPE CANDIDATE
  OUTBOUND SCAN (spp)
  OUTBOUND SCAN
  ATTACK PREP
  PEER COORDINATION Info
  PEER COORDINATION
  DECLARE BOT Standard Port
  DECLARE BOT Non-standard Port
  DECLARE BOT Local Threat Triggered
  DECLARE BOT
    83.12.227.212 (12:37:53.027 PDT) event=1:9910002 {udp} E8[rb] BOTHUNTER CURRENT_EVENTS Excessive NXDOMAIN responses by internal host, [] MAC_Src: 00:21:1C:EE:14:00 47113<-53 (12:37:53.027 PDT)
    1.165.244.162 (12:40:22.676 PDT) event=1:9910002 {udp} E8[rb] BOTHUNTER CURRENT_EVENTS Excessive NXDOMAIN responses by internal host, [] MAC_Src: 00:21:1C:EE:14:00 47113<-53 (12:40:22.676 PDT)
  OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1372880206.933 1372880206.934 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 07/03/2013 12:46:17.268 PDT
Gen. Time: 07/03/2013 12:46:17.268 PDT
  INBOUND SCAN
  EXPLOIT
  EXPLOIT MALWARE DNS
  EGG DOWNLOAD
  C and C TRAFFIC
  C and C TRAFFIC (RBN)
  C and C DNS CHECK-IN
  OUTBOUND SKYPE CANDIDATE
  OUTBOUND SCAN (spp)
  OUTBOUND SCAN
  ATTACK PREP
  PEER COORDINATION Info
  PEER COORDINATION
  DECLARE BOT Standard Port
  DECLARE BOT Non-standard Port
  DECLARE BOT Local Threat Triggered
  DECLARE BOT
    71.99.19.40 (12:46:17.268 PDT) event=1:9910002 {udp} E8[rb] BOTHUNTER CURRENT_EVENTS Excessive NXDOMAIN responses by internal host, [] MAC_Src: 00:21:1C:EE:14:00 47113<-53 (12:46:17.268 PDT)
  OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1372880777.268 1372880777.269 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 07/03/2013 12:46:17.268 PDT
Gen. Time: 07/03/2013 12:50:31.155 PDT
  INBOUND SCAN
  EXPLOIT
  EXPLOIT MALWARE DNS
  EGG DOWNLOAD
  C and C TRAFFIC
  C and C TRAFFIC (RBN)
  C and C DNS CHECK-IN
  OUTBOUND SKYPE CANDIDATE
  OUTBOUND SCAN (spp)
  OUTBOUND SCAN
  ATTACK PREP
  PEER COORDINATION Info
  PEER COORDINATION
  DECLARE BOT Standard Port
  DECLARE BOT Non-standard Port
  DECLARE BOT Local Threat Triggered
  DECLARE BOT
    180.155.136.55 (12:49:04.282 PDT) event=1:9910002 {udp} E8[rb] BOTHUNTER CURRENT_EVENTS Excessive NXDOMAIN responses by internal host, [] MAC_Src: 00:21:1C:EE:14:00 47113<-53 (12:49:04.282 PDT)
    71.99.19.40 (12:46:17.268 PDT) event=1:9910002 {udp} E8[rb] BOTHUNTER CURRENT_EVENTS Excessive NXDOMAIN responses by internal host, [] MAC_Src: 00:21:1C:EE:14:00 47113<-53 (12:46:17.268 PDT)
  OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1372880777.268 1372880777.269 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 07/03/2013 12:52:41.954 PDT
Gen. Time: 07/03/2013 12:52:41.954 PDT
  INBOUND SCAN
  EXPLOIT
  EXPLOIT MALWARE DNS
  EGG DOWNLOAD
  C and C TRAFFIC
  C and C TRAFFIC (RBN)
  C and C DNS CHECK-IN
  OUTBOUND SKYPE CANDIDATE
  OUTBOUND SCAN (spp)
  OUTBOUND SCAN
  ATTACK PREP
  PEER COORDINATION Info
  PEER COORDINATION
  DECLARE BOT Standard Port
  DECLARE BOT Non-standard Port
  DECLARE BOT Local Threat Triggered
  DECLARE BOT
    71.126.50.70 (12:52:41.954 PDT) event=1:9910002 {udp} E8[rb] BOTHUNTER CURRENT_EVENTS Excessive NXDOMAIN responses by internal host, [] MAC_Src: 00:21:1C:EE:14:00 47113<-53 (12:52:41.954 PDT)
  OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1372881161.954 1372881161.955 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 07/03/2013 12:52:41.954 PDT
Gen. Time: 07/03/2013 12:56:36.642 PDT
  INBOUND SCAN
  EXPLOIT
  EXPLOIT MALWARE DNS
  EGG DOWNLOAD
  C and C TRAFFIC
  C and C TRAFFIC (RBN)
  C and C DNS CHECK-IN
  OUTBOUND SKYPE CANDIDATE
  OUTBOUND SCAN (spp)
  OUTBOUND SCAN
  ATTACK PREP
  PEER COORDINATION Info
  PEER COORDINATION
  DECLARE BOT Standard Port
  DECLARE BOT Non-standard Port
  DECLARE BOT Local Threat Triggered
  DECLARE BOT
    71.126.50.70 (12:52:41.954 PDT) event=1:9910002 {udp} E8[rb] BOTHUNTER CURRENT_EVENTS Excessive NXDOMAIN responses by internal host, [] MAC_Src: 00:21:1C:EE:14:00 47113<-53 (12:52:41.954 PDT)
    96.237.24.205 (12:55:15.410 PDT) event=1:9910002 {udp} E8[rb] BOTHUNTER CURRENT_EVENTS Excessive NXDOMAIN responses by internal host, [] MAC_Src: 00:21:1C:EE:14:00 47113<-53 (12:55:15.410 PDT)
  OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1372881161.954 1372881161.955 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 07/03/2013 12:58:56.027 PDT
Gen. Time: 07/03/2013 12:58:56.027 PDT
  INBOUND SCAN
  EXPLOIT
  EXPLOIT MALWARE DNS
  EGG DOWNLOAD
  C and C TRAFFIC
  C and C TRAFFIC (RBN)
  C and C DNS CHECK-IN
  OUTBOUND SKYPE CANDIDATE
  OUTBOUND SCAN (spp)
  OUTBOUND SCAN
  ATTACK PREP
  PEER COORDINATION Info
  PEER COORDINATION
  DECLARE BOT Standard Port
  DECLARE BOT Non-standard Port
  DECLARE BOT Local Threat Triggered
  DECLARE BOT
    71.110.198.240 (12:58:56.027 PDT) event=1:9910002 {udp} E8[rb] BOTHUNTER CURRENT_EVENTS Excessive NXDOMAIN responses by internal host, [] MAC_Src: 00:21:1C:EE:14:00 47113<-53 (12:58:56.027 PDT)
  OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1372881536.027 1372881536.028 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 07/03/2013 12:58:56.027 PDT
Gen. Time: 07/03/2013 13:02:41.456 PDT
  INBOUND SCAN
  EXPLOIT
  EXPLOIT MALWARE DNS
  EGG DOWNLOAD
  C and C TRAFFIC
  C and C TRAFFIC (RBN)
  C and C DNS CHECK-IN
  OUTBOUND SKYPE CANDIDATE
  OUTBOUND SCAN (spp)
  OUTBOUND SCAN
  ATTACK PREP
  PEER COORDINATION Info
  PEER COORDINATION
  DECLARE BOT Standard Port
  DECLARE BOT Non-standard Port
  DECLARE BOT Local Threat Triggered
  DECLARE BOT
    71.110.198.240 (12:58:56.027 PDT) event=1:9910002 {udp} E8[rb] BOTHUNTER CURRENT_EVENTS Excessive NXDOMAIN responses by internal host, [] MAC_Src: 00:21:1C:EE:14:00 47113<-53 (12:58:56.027 PDT)
    71.241.101.49 (13:02:04.029 PDT) event=1:9910002 {udp} E8[rb] BOTHUNTER CURRENT_EVENTS Excessive NXDOMAIN responses by internal host, [] MAC_Src: 00:21:1C:EE:14:00 47113<-53 (13:02:04.029 PDT)
  OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1372881536.027 1372881536.028 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 07/03/2013 13:05:03.055 PDT
Gen. Time: 07/03/2013 13:05:03.055 PDT
  INBOUND SCAN
  EXPLOIT
  EXPLOIT MALWARE DNS
  EGG DOWNLOAD
  C and C TRAFFIC
  C and C TRAFFIC (RBN)
  C and C DNS CHECK-IN
  OUTBOUND SKYPE CANDIDATE
  OUTBOUND SCAN (spp)
  OUTBOUND SCAN
  ATTACK PREP
  PEER COORDINATION Info
  PEER COORDINATION
  DECLARE BOT Standard Port
  DECLARE BOT Non-standard Port
  DECLARE BOT Local Threat Triggered
  DECLARE BOT
    71.178.132.129 (13:05:03.055 PDT) event=1:9910002 {udp} E8[rb] BOTHUNTER CURRENT_EVENTS Excessive NXDOMAIN responses by internal host, [] MAC_Src: 00:21:1C:EE:14:00 47113<-53 (13:05:03.055 PDT)
  OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1372881903.055 1372881903.056 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 07/03/2013 13:11:16.149 PDT
Gen. Time: 07/03/2013 13:11:16.149 PDT
  INBOUND SCAN
  EXPLOIT
  EXPLOIT MALWARE DNS
  EGG DOWNLOAD
  C and C TRAFFIC
  C and C TRAFFIC (RBN)
  C and C DNS CHECK-IN
  OUTBOUND SKYPE CANDIDATE
  OUTBOUND SCAN (spp)
  OUTBOUND SCAN
  ATTACK PREP
  PEER COORDINATION Info
  PEER COORDINATION
  DECLARE BOT Standard Port
  DECLARE BOT Non-standard Port
  DECLARE BOT Local Threat Triggered
  DECLARE BOT
    114.41.86.118 (13:11:16.149 PDT) event=1:9910002 {udp} E8[rb] BOTHUNTER CURRENT_EVENTS Excessive NXDOMAIN responses by internal host, [] MAC_Src: 00:21:1C:EE:14:00 47113<-53 (13:11:16.149 PDT)
  OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1372882276.149 1372882276.150 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 07/03/2013 13:11:16.149 PDT
Gen. Time: 07/03/2013 13:14:43.117 PDT
  INBOUND SCAN
  EXPLOIT
  EXPLOIT MALWARE DNS
  EGG DOWNLOAD
  C and C TRAFFIC
  C and C TRAFFIC (RBN)
  C and C DNS CHECK-IN
  OUTBOUND SKYPE CANDIDATE
  OUTBOUND SCAN (spp)
  OUTBOUND SCAN
  ATTACK PREP
  PEER COORDINATION Info
  PEER COORDINATION
  DECLARE BOT Standard Port
  DECLARE BOT Non-standard Port
  DECLARE BOT Local Threat Triggered
  DECLARE BOT
    114.41.86.118 (13:11:16.149 PDT) event=1:9910002 {udp} E8[rb] BOTHUNTER CURRENT_EVENTS Excessive NXDOMAIN responses by internal host, [] MAC_Src: 00:21:1C:EE:14:00 47113<-53 (13:11:16.149 PDT)
    1.163.3.58 (13:13:32.126 PDT) event=1:9910002 {udp} E8[rb] BOTHUNTER CURRENT_EVENTS Excessive NXDOMAIN responses by internal host, [] MAC_Src: 00:21:1C:EE:14:00 47113<-53 (13:13:32.126 PDT)
  OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1372882276.149 1372882276.150 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 07/03/2013 13:17:22.123 PDT
Gen. Time: 07/03/2013 13:17:22.123 PDT
  INBOUND SCAN
  EXPLOIT
  EXPLOIT MALWARE DNS
  EGG DOWNLOAD
  C and C TRAFFIC
  C and C TRAFFIC (RBN)
  C and C DNS CHECK-IN
  OUTBOUND SKYPE CANDIDATE
  OUTBOUND SCAN (spp)
  OUTBOUND SCAN
  ATTACK PREP
  PEER COORDINATION Info
  PEER COORDINATION
  DECLARE BOT Standard Port
  DECLARE BOT Non-standard Port
  DECLARE BOT Local Threat Triggered
  DECLARE BOT
    114.42.77.209 (13:17:22.123 PDT) event=1:9910002 {udp} E8[rb] BOTHUNTER CURRENT_EVENTS Excessive NXDOMAIN responses by internal host, [] MAC_Src: 00:21:1C:EE:14:00 47113<-53 (13:17:22.123 PDT)
  OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1372882642.123 1372882642.124 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 07/03/2013 13:58:01.249 PDT
Gen. Time: 07/03/2013 13:58:01.249 PDT
  INBOUND SCAN
  EXPLOIT
  EXPLOIT MALWARE DNS
  EGG DOWNLOAD
  C and C TRAFFIC
  C and C TRAFFIC (RBN)
  C and C DNS CHECK-IN
  OUTBOUND SKYPE CANDIDATE
  OUTBOUND SCAN (spp)
  OUTBOUND SCAN
  ATTACK PREP
  PEER COORDINATION Info
  PEER COORDINATION
  DECLARE BOT Standard Port
  DECLARE BOT Non-standard Port
  DECLARE BOT Local Threat Triggered
  DECLARE BOT
    95.51.207.89 (13:58:01.249 PDT) event=1:9910002 {udp} E8[rb] BOTHUNTER CURRENT_EVENTS Excessive NXDOMAIN responses by internal host, [] MAC_Src: 00:21:1C:EE:14:00 47113<-53 (13:58:01.249 PDT)
  OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1372885081.249 1372885081.250 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 07/03/2013 14:03:41.136 PDT
Gen. Time: 07/03/2013 14:03:41.136 PDT
  INBOUND SCAN
  EXPLOIT
  EXPLOIT MALWARE DNS
  EGG DOWNLOAD
  C and C TRAFFIC
  C and C TRAFFIC (RBN)
  C and C DNS CHECK-IN
  OUTBOUND SKYPE CANDIDATE
  OUTBOUND SCAN (spp)
  OUTBOUND SCAN
  ATTACK PREP
  PEER COORDINATION Info
  PEER COORDINATION
  DECLARE BOT Standard Port
  DECLARE BOT Non-standard Port
  DECLARE BOT Local Threat Triggered
  DECLARE BOT
    95.51.207.89 (14:03:41.136 PDT) event=1:9910002 {udp} E8[rb] BOTHUNTER CURRENT_EVENTS Excessive NXDOMAIN responses by internal host, [] MAC_Src: 00:21:1C:EE:14:00 47113<-53 (14:03:41.136 PDT)
  OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1372885421.136 1372885421.137 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 07/03/2013 14:07:18.120 PDT
Gen. Time: 07/03/2013 14:07:18.120 PDT
  INBOUND SCAN
  EXPLOIT
  EXPLOIT MALWARE DNS
  EGG DOWNLOAD
  C and C TRAFFIC
  C and C TRAFFIC (RBN)
  C and C DNS CHECK-IN
  OUTBOUND SKYPE CANDIDATE
  OUTBOUND SCAN (spp)
  OUTBOUND SCAN
  ATTACK PREP
  PEER COORDINATION Info
  PEER COORDINATION
  DECLARE BOT Standard Port
  DECLARE BOT Non-standard Port
  DECLARE BOT Local Threat Triggered
  DECLARE BOT
    101.80.23.169 (14:07:18.120 PDT) event=1:9910002 {udp} E8[rb] BOTHUNTER CURRENT_EVENTS Excessive NXDOMAIN responses by internal host, [] MAC_Src: 00:21:1C:EE:14:00 47113<-53 (14:07:18.120 PDT)
  OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1372885638.120 1372885638.121 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 07/03/2013 15:40:24.378 PDT
Gen. Time: 07/03/2013 15:40:24.378 PDT
  INBOUND SCAN
  EXPLOIT
  EXPLOIT MALWARE DNS
  EGG DOWNLOAD
  C and C TRAFFIC
  C and C TRAFFIC (RBN)
  C and C DNS CHECK-IN
  OUTBOUND SKYPE CANDIDATE
  OUTBOUND SCAN (spp)
  OUTBOUND SCAN
  ATTACK PREP
  PEER COORDINATION Info
  PEER COORDINATION
  DECLARE BOT Standard Port
  DECLARE BOT Non-standard Port
  DECLARE BOT Local Threat Triggered
  DECLARE BOT
    114.36.182.243 (15:40:24.378 PDT) event=1:9910002 {udp} E8[rb] BOTHUNTER CURRENT_EVENTS Excessive NXDOMAIN responses by internal host, [] MAC_Src: 00:21:1C:EE:14:00 47113<-53 (15:40:24.378 PDT)
  OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1372891224.378 1372891224.379 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 07/03/2013 17:19:14.022 PDT
Gen. Time: 07/03/2013 17:19:14.022 PDT
  INBOUND SCAN
  EXPLOIT
  EXPLOIT MALWARE DNS
  EGG DOWNLOAD
  C and C TRAFFIC
  C and C TRAFFIC (RBN)
  C and C DNS CHECK-IN
  OUTBOUND SKYPE CANDIDATE
  OUTBOUND SCAN (spp)
  OUTBOUND SCAN
  ATTACK PREP
  PEER COORDINATION Info
  PEER COORDINATION
  DECLARE BOT Standard Port
  DECLARE BOT Non-standard Port
  DECLARE BOT Local Threat Triggered
  DECLARE BOT
    178.60.156.189 (17:19:14.022 PDT) event=1:9910002 {udp} E8[rb] BOTHUNTER CURRENT_EVENTS Excessive NXDOMAIN responses by internal host, [] MAC_Src: 00:21:1C:EE:14:00 47113<-53 (17:19:14.022 PDT)
  OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1372897154.022 1372897154.023 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 07/03/2013 17:41:14.381 PDT
Gen. Time: 07/03/2013 17:41:14.381 PDT
  INBOUND SCAN
  EXPLOIT
  EXPLOIT MALWARE DNS
  EGG DOWNLOAD
  C and C TRAFFIC
  C and C TRAFFIC (RBN)
  C and C DNS CHECK-IN
  OUTBOUND SKYPE CANDIDATE
  OUTBOUND SCAN (spp)
  OUTBOUND SCAN
  ATTACK PREP
  PEER COORDINATION Info
  PEER COORDINATION
  DECLARE BOT Standard Port
  DECLARE BOT Non-standard Port
  DECLARE BOT Local Threat Triggered
  DECLARE BOT
    71.116.253.221 (17:41:14.381 PDT) event=1:9910002 {udp} E8[rb] BOTHUNTER CURRENT_EVENTS Excessive NXDOMAIN responses by internal host, [] MAC_Src: 00:21:1C:EE:14:00 47113<-53 (17:41:14.381 PDT)
  OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1372898474.381 1372898474.382 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 07/03/2013 19:58:35.141 PDT
Gen. Time: 07/03/2013 19:58:35.141 PDT
  INBOUND SCAN
  EXPLOIT
  EXPLOIT MALWARE DNS
  EGG DOWNLOAD
  C and C TRAFFIC
  C and C TRAFFIC (RBN)
  C and C DNS CHECK-IN
  OUTBOUND SKYPE CANDIDATE
  OUTBOUND SCAN (spp)
  OUTBOUND SCAN
  ATTACK PREP
  PEER COORDINATION Info
  PEER COORDINATION
  DECLARE BOT Standard Port
  DECLARE BOT Non-standard Port
  DECLARE BOT Local Threat Triggered
  DECLARE BOT
    27.153.176.33 (19:58:35.141 PDT) event=1:9910002 {udp} E8[rb] BOTHUNTER CURRENT_EVENTS Excessive NXDOMAIN responses by internal host, [] MAC_Src: 00:21:1C:EE:14:00 47113<-53 (19:58:35.141 PDT)
  OUTBOUND INTENSE MALWARE PORT SCAN
tcpslice 1372906715.141 1372906715.142 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================