Score: 0.8 (>= 0.8) Infected Target: 192.168.1.130 Infector List: 213.230.19.253 Egg Source List: 213.230.19.253 C & C List: Peer Coord. List: Resource List: Observed Start: 09/02/2013 01:28:02.240 PDT Gen. Time: 09/02/2013 01:28:05.545 PDT INBOUND SCAN EXPLOIT 213.230.19.253 (01:28:02.240 PDT) event=1:22009200 {tcp} E2[rb] ET CURRENT_EVENTS Conficker.a Shellcode, [] MAC_Dst: 00:30:48:30:03:AE 445<-20710 (01:28:02.240 PDT) EXPLOIT (INTERNAL ATK SRC) EXPLOIT (ATK FROM INTERNAL SRC) CLIENT-INITIATED EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD 213.230.19.253 (01:28:05.545 PDT) event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 1028<-1987 (01:28:05.545 PDT) EGG DOWNLOAD (INTERNAL SRC) EGG DOWNLOAD (DL FROM INTERNAL) C and C TRAFFIC C and C TRAFFIC (INTERNAL BOT) C and C TRAFFIC (INTERNAL CnC) C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND ATTACK OUTBOUND ATTACK (ATK TO INTERNAL TARGET) OUTBOUND ATTACK (INTERNAL TARGET) ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN tcpslice 1378110482.240 1378110482.241 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.130' ============================== SEPARATOR ================================