Score: 1.3 (>= 0.8)
Infected Target: 192.168.1.234
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 07/23/2013 09:02:58.129 PDT
Gen. Time: 07/23/2013 12:24:28.043 PDT

INBOUND SCAN
EXPLOIT
EXPLOIT
MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
192.47.243.193 (2) (09:02:59.276 PDT)
  event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:21:1C:EE:14:00
  25341->22 (09:02:59.276 PDT)
  -------------------------
  event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:21:1C:EE:14:00
  25341->22 (09:02:59.276 PDT)
192.47.243.208 (09:03:01.700 PDT)
  event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:21:1C:EE:14:00
  25341->22 (09:03:01.700 PDT)
192.47.243.191 (09:02:58.967 PDT)
  event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA
  25341->22 (09:02:58.967 PDT)
192.47.243.206 (09:03:01.381 PDT)
  event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA
  25341->22 (09:03:01.381 PDT)
192.47.243.198 (3) (09:03:00.154 PDT)
  event=1:2001569 {tcp} E5[rb] ET SCAN Behavioral Unusual Port NETBIOS traffic, Potential Scan or Infection (60 in 60 secs), [] MAC_Src: 00:21:1C:EE:14:00
  20->139 (09:03:00.223 PDT)
  -------------------------
  event=1:2002992 {tcp} E5[rb] ET SCAN Rapid POP3 Connections - Possible Brute Force Attack, [] MAC_Src: 00:21:1C:EE:14:00
  20381->110 (09:03:00.169 PDT)
  -------------------------
  event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:21:1C:EE:14:00
  25341->22 (09:03:00.154 PDT)
192.47.243.213 (2) (09:03:02.448 PDT)
  event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:21:1C:EE:14:00
  25341->22 (09:03:02.448 PDT)
  -------------------------
  event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:21:1C:EE:14:00
  25341->22 (09:03:02.448 PDT)
192.47.243.196 (09:02:59.838 PDT)
  event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA
  25341->22 (09:02:59.838 PDT)
192.47.243.211 (09:03:02.138 PDT)
  event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA
  25341->22 (09:03:02.138 PDT)
192.47.243.188 (09:02:58.439 PDT)
  event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:21:1C:EE:14:00
  25341->22 (09:02:58.439 PDT)
192.47.243.203 (2) (09:03:00.912 PDT)
  event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:21:1C:EE:14:00
  25341->22 (09:03:00.912 PDT)
  -------------------------
  event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:21:1C:EE:14:00
  25341->22 (09:03:00.912 PDT)
192.47.243.186 (09:02:58.129 PDT)
  event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA
  25341->22 (09:02:58.129 PDT)
192.47.243.201 (09:03:00.601 PDT)
  event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA
  25341->22 (09:03:00.601 PDT)
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN
192.47.243.222 (12:24:28.043 PDT)
  event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 131 IPs (3 /24s) (# pkts S/M/O/I=319/1461/0/0): 22:128, 139:128, 445:128, 138:64, 1025:64, 1433:64, 2067:64, 3127:64, 5000:64, 9996:64, 27374:64, 136:63, 137:63, 559:63, 2100:63, 3306:63, 4445:63, 5554:63, 10000:63, 6129:61, [] MAC_Src: 00:01:64:FF:CE:EA
  0->0 (12:24:28.043 PDT)

tcpslice 1374595378.129 1374595378.130 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.234'

============================== SEPARATOR ================================

Score: 1.3 (>= 0.8)
Infected Target: 192.168.1.234
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 07/23/2013 09:02:58.129 PDT
Gen. Time: 07/23/2013 14:36:06.958 PDT

INBOUND SCAN
EXPLOIT
EXPLOIT
MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
192.47.243.193 (2) (09:02:59.276 PDT)
  event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:21:1C:EE:14:00
  25341->22 (09:02:59.276 PDT)
  -------------------------
  event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:21:1C:EE:14:00
  25341->22 (09:02:59.276 PDT)
192.47.243.208 (09:03:01.700 PDT)
  event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:21:1C:EE:14:00
  25341->22 (09:03:01.700 PDT)
192.47.243.191 (09:02:58.967 PDT)
  event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA
  25341->22 (09:02:58.967 PDT)
192.47.243.206 (09:03:01.381 PDT)
  event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA
  25341->22 (09:03:01.381 PDT)
192.47.243.198 (3) (09:03:00.154 PDT)
  event=1:2001569 {tcp} E5[rb] ET SCAN Behavioral Unusual Port NETBIOS traffic, Potential Scan or Infection (60 in 60 secs), [] MAC_Src: 00:21:1C:EE:14:00
  20->139 (09:03:00.223 PDT)
  -------------------------
  event=1:2002992 {tcp} E5[rb] ET SCAN Rapid POP3 Connections - Possible Brute Force Attack, [] MAC_Src: 00:21:1C:EE:14:00
  20381->110 (09:03:00.169 PDT)
  -------------------------
  event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:21:1C:EE:14:00
  25341->22 (09:03:00.154 PDT)
192.47.243.213 (2) (09:03:02.448 PDT)
  event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:21:1C:EE:14:00
  25341->22 (09:03:02.448 PDT)
  -------------------------
  event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:21:1C:EE:14:00
  25341->22 (09:03:02.448 PDT)
192.47.243.196 (09:02:59.838 PDT)
  event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA
  25341->22 (09:02:59.838 PDT)
192.47.243.211 (09:03:02.138 PDT)
  event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA
  25341->22 (09:03:02.138 PDT)
192.47.243.188 (09:02:58.439 PDT)
  event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:21:1C:EE:14:00
  25341->22 (09:02:58.439 PDT)
192.47.243.203 (2) (09:03:00.912 PDT)
  event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:21:1C:EE:14:00
  25341->22 (09:03:00.912 PDT)
  -------------------------
  event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:21:1C:EE:14:00
  25341->22 (09:03:00.912 PDT)
192.47.243.186 (09:02:58.129 PDT)
  event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA
  25341->22 (09:02:58.129 PDT)
192.47.243.201 (09:03:00.601 PDT)
  event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA
  25341->22 (09:03:00.601 PDT)
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN
192.47.243.222 (2) (12:24:28.043 PDT)
  event=777:7777008 (2) {tcp} E8[bh] Detected intense malware port scanning of 131 IPs (3 /24s) (# pkts S/M/O/I=319/1461/0/0): 22:128, 139:128, 445:128, 138:64, 1025:64, 1433:64, 2067:64, 3127:64, 5000:64, 9996:64, 27374:64, 136:63, 137:63, 559:63, 2100:63, 3306:63, 4445:63, 5554:63, 10000:63, 6129:61, [] MAC_Src: 00:01:64:FF:CE:EA
  0->0 (12:24:28.043 PDT)
  0->0 (13:53:44.498 PDT)

tcpslice 1374595378.129 1374595378.130 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.234'

============================== SEPARATOR ================================

Score: 1.3 (>= 0.8)
Infected Target: 192.168.1.234
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 07/23/2013 14:39:06.244 PDT
Gen. Time: 07/23/2013 15:11:14.672 PDT

INBOUND SCAN
EXPLOIT
EXPLOIT
MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
192.47.243.238 (15) (14:39:06.244 PDT)
  event=1:2001219 (2) {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 00:21:1C:EE:14:00
  3346->22 (14:39:17.858 PDT)
  67->22 (14:39:34.141 PDT)
  -------------------------
  event=1:2001569 {tcp} E5[rb] ET SCAN Behavioral Unusual Port NETBIOS traffic, Potential Scan or Infection (60 in 60 secs), [] MAC_Src: 00:21:1C:EE:14:00
  20->139 (14:39:31.287 PDT)
  -------------------------
  event=1:2002992 {tcp} E5[rb] ET SCAN Rapid POP3 Connections - Possible Brute Force Attack, [] MAC_Src: 00:21:1C:EE:14:00
  20->110 (14:39:29.890 PDT)
  -------------------------
  event=1:2002994 {tcp} E5[rb] ET SCAN Rapid IMAP Connections - Possible Brute Force Attack, [] MAC_Src: 00:21:1C:EE:14:00
  20->143 (14:39:30.031 PDT)
  -------------------------
  event=1:2003068 (10) {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA
  3929->22 (14:39:06.244 PDT)
  2824->22 (14:39:12.170 PDT)
  3346->22 (14:39:17.858 PDT)
  3346->22 (14:39:17.858 PDT)
  21->22 (14:39:26.309 PDT)
  20->22 (14:39:28.954 PDT)
  53->22 (14:39:31.527 PDT)
  67->22 (14:39:34.141 PDT)
  1034->22 (14:39:39.401 PDT)
  34561->22 (14:39:41.944 PDT)
192.47.243.213 (2) (14:40:29.818 PDT)
  event=1:2003068 (2) {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:01:64:FF:CE:EA
  25341->22 (14:40:29.818 PDT)
  4167->22 (14:40:29.960 PDT)
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN
192.47.243.222 (15:11:14.672 PDT)
  event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 131 IPs (3 /24s) (# pkts S/M/O/I=384/2539/0/0): 22:128, 139:128, 445:128, 136:127, 137:127, 138:127, 559:127, 1025:127, 1433:127, 2067:127, 3306:127, 4445:127, 5000:127, 9996:127, 10000:127, 27374:127, 2100:126, 3127:126, 5554:126, 6129:124, 2082, 44446, [] MAC_Src: 00:01:64:FF:CE:EA
  0->0 (15:11:14.672 PDT)

tcpslice 1374615546.244 1374615546.245 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.234'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.234
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 07/23/2013 15:11:37.466 PDT
Gen. Time: 07/23/2013 15:11:37.466 PDT

INBOUND SCAN
EXPLOIT
EXPLOIT
MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT Local Threat Triggered
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN
192.47.243.222 (15:11:37.466 PDT)
  event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 131 IPs (3 /24s) (# pkts S/M/O/I=384/2562/2675/0): 22:128, 136:128, 137:128, 138:128, 139:128, 445:128, 559:128, 1025:128, 1433:128, 2067:128, 2100:128, 3127:128, 3306:128, 4445:128, 5000:128, 5554:128, 6129:128, 9996:128, 10000:128, 27374:128, 2082, 44446, [] MAC_Src: 00:01:64:FF:CE:EA
  0->0 (15:11:37.466 PDT)

tcpslice 1374617497.466 1374617497.467 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.234'

============================== SEPARATOR ================================