Score: 1.1 (>= 0.8)
Infected Target: 192.168.1.27
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 09/11/2013 10:37:24.849 PDT
Gen. Time: 09/11/2013 10:39:27.846 PDT
   INBOUND SCAN
   EXPLOIT
   EXPLOIT (INTERNAL)
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   EGG DOWNLOAD (INTERNAL)
   C and C TRAFFIC
   C and C TRAFFIC (INTERNAL)
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND ATTACK
      213.61.149.126 (4) (10:37:24.849 PDT)
         event=1:2002911 (4) {tcp} E5[rb] ET SCAN Potential VNC Scan 5900-5920, [] MAC_Src: 00:0C:29:3C:5D:5D
         35026->5901 (10:37:24.849 PDT)
         35185->5901 (10:38:31.703 PDT)
         35253->5901 (10:38:59.545 PDT)
         35308->5901 (10:39:26.153 PDT)
   OUTBOUND ATTACK (INTERNAL)
   ATTACK PREP
   PEER COORDINATION Info
   PEER COORDINATION
   DECLARE BOT Standard Port
      208.115.237.177 (10:39:27.846 PDT)
         event=1:9920009 {tcp} E8[std] ET ShadowServer confirmed botnet control server on standard port, [] MAC_Src: 00:0C:29:3C:5D:5D
         60571->443 (10:39:27.846 PDT)
   DECLARE BOT Non-standard Port
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1378921044.849 1378921044.850 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.27'

============================== SEPARATOR ================================

Score: 1.1 (>= 0.8)
Infected Target: 192.168.1.27
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 09/11/2013 10:37:24.849 PDT
Gen. Time: 09/11/2013 10:45:08.809 PDT
   INBOUND SCAN
   EXPLOIT
   EXPLOIT (INTERNAL)
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   EGG DOWNLOAD (INTERNAL)
   C and C TRAFFIC
   C and C TRAFFIC (INTERNAL)
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND ATTACK
      213.61.149.126 (7) (10:37:24.849 PDT)
         event=1:2002911 (7) {tcp} E5[rb] ET SCAN Potential VNC Scan 5900-5920, [] MAC_Src: 00:0C:29:3C:5D:5D
         35026->5901 (10:37:24.849 PDT)
         35185->5901 (10:38:31.703 PDT)
         35253->5901 (10:38:59.545 PDT)
         35308->5901 (10:39:26.153 PDT)
         35406->5901 (10:40:07.722 PDT)
         35479->5901 (10:40:42.009 PDT)
         35526->5901 (10:40:56.644 PDT)
   OUTBOUND ATTACK (INTERNAL)
   ATTACK PREP
   PEER COORDINATION Info
   PEER COORDINATION
   DECLARE BOT Standard Port
      208.115.237.177 (10:39:27.846 PDT)
         event=1:9920009 {tcp} E8[std] ET ShadowServer confirmed botnet control server on standard port, [] MAC_Src: 00:0C:29:3C:5D:5D
         60571->443 (10:39:27.846 PDT)
   DECLARE BOT Non-standard Port
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1378921044.849 1378921044.850 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.27'

============================== SEPARATOR ================================

Score: 1.1 (>= 0.8)
Infected Target: 192.168.1.27
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 09/11/2013 12:16:03.332 PDT
Gen. Time: 09/11/2013 12:22:21.391 PDT
   INBOUND SCAN
   EXPLOIT
   EXPLOIT (INTERNAL)
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   EGG DOWNLOAD (INTERNAL)
   C and C TRAFFIC
   C and C TRAFFIC (INTERNAL)
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND ATTACK
      213.61.149.126 (11) (12:16:03.332 PDT)
         event=1:2002911 (11) {tcp} E5[rb] ET SCAN Potential VNC Scan 5900-5920, [] MAC_Src: 00:0C:29:3C:5D:5D
         49974->5901 (12:16:03.332 PDT)
         50006->5901 (12:16:13.127 PDT)
         50063->5901 (12:16:30.828 PDT)
         50284->5901 (12:18:06.363 PDT)
         50305->5901 (12:18:16.294 PDT)
         50367->5901 (12:18:35.750 PDT)
         50401->5901 (12:18:45.458 PDT)
         50418->5901 (12:18:52.409 PDT)
         50446->5901 (12:19:03.371 PDT)
         50660->5901 (12:20:37.911 PDT)
         50700->5901 (12:20:52.291 PDT)
   OUTBOUND ATTACK (INTERNAL)
   ATTACK PREP
   PEER COORDINATION Info
   PEER COORDINATION
   DECLARE BOT Standard Port
      208.115.237.177 (12:22:21.391 PDT)
         event=1:9920009 {tcp} E8[std] ET ShadowServer confirmed botnet control server on standard port, [] MAC_Src: 00:0C:29:3C:5D:5D
         47919->443 (12:22:21.391 PDT)
   DECLARE BOT Non-standard Port
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1378926963.332 1378926963.333 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.27'

============================== SEPARATOR ================================

Score: 1.1 (>= 0.8)
Infected Target: 192.168.1.27
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 09/11/2013 13:25:25.819 PDT
Gen. Time: 09/11/2013 13:30:16.118 PDT
   INBOUND SCAN
   EXPLOIT
   EXPLOIT (INTERNAL)
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   EGG DOWNLOAD (INTERNAL)
   C and C TRAFFIC
   C and C TRAFFIC (INTERNAL)
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND ATTACK
      213.61.149.126 (12) (13:25:25.819 PDT)
         event=1:2002911 (12) {tcp} E5[rb] ET SCAN Potential VNC Scan 5900-5920, [] MAC_Src: 00:0C:29:3C:5D:5D
         32843->5901 (13:25:25.819 PDT)
         32881->5901 (13:25:42.302 PDT)
         32944->5901 (13:26:09.919 PDT)
         32988->5901 (13:26:22.790 PDT)
         33057->5901 (13:26:55.569 PDT)
         33094->5901 (13:27:12.560 PDT)
         33153->5901 (13:27:31.604 PDT)
         33227->5901 (13:28:05.300 PDT)
         33304->5901 (13:28:37.130 PDT)
         33383->5901 (13:29:15.160 PDT)
         33419->5901 (13:29:31.622 PDT)
         33490->5901 (13:30:03.072 PDT)
   OUTBOUND ATTACK (INTERNAL)
   ATTACK PREP
   PEER COORDINATION Info
   PEER COORDINATION
   DECLARE BOT Standard Port
      208.115.237.177 (13:30:16.118 PDT)
         event=1:9920009 {tcp} E8[std] ET ShadowServer confirmed botnet control server on standard port, [] MAC_Src: 00:0C:29:3C:5D:5D
         58780->443 (13:30:16.118 PDT)
   DECLARE BOT Non-standard Port
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1378931125.819 1378931125.820 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.27'

============================== SEPARATOR ================================

Score: 1.1 (>= 0.8)
Infected Target: 192.168.1.27
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 09/11/2013 13:25:25.819 PDT
Gen. Time: 09/11/2013 14:20:58.265 PDT
   INBOUND SCAN
   EXPLOIT
   EXPLOIT (INTERNAL)
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   EGG DOWNLOAD (INTERNAL)
   C and C TRAFFIC
   C and C TRAFFIC (INTERNAL)
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND ATTACK
      213.61.149.126 (17) (13:25:25.819 PDT)
         event=1:2002911 (17) {tcp} E5[rb] ET SCAN Potential VNC Scan 5900-5920, [] MAC_Src: 00:0C:29:3C:5D:5D
         32843->5901 (13:25:25.819 PDT)
         32881->5901 (13:25:42.302 PDT)
         32944->5901 (13:26:09.919 PDT)
         32988->5901 (13:26:22.790 PDT)
         33057->5901 (13:26:55.569 PDT)
         33094->5901 (13:27:12.560 PDT)
         33153->5901 (13:27:31.604 PDT)
         33227->5901 (13:28:05.300 PDT)
         33304->5901 (13:28:37.130 PDT)
         33383->5901 (13:29:15.160 PDT)
         33419->5901 (13:29:31.622 PDT)
         33490->5901 (13:30:03.072 PDT)
         33541->5901 (13:30:22.304 PDT)
         33641->5901 (13:31:04.988 PDT)
         33705->5901 (13:31:30.455 PDT)
         33760->5901 (13:31:56.129 PDT)
         33817->5901 (13:32:21.690 PDT)
   OUTBOUND ATTACK (INTERNAL)
   ATTACK PREP
   PEER COORDINATION Info
   PEER COORDINATION
   DECLARE BOT Standard Port
      208.115.237.177 (3) (13:30:16.118 PDT)
         event=1:9920009 (3) {tcp} E8[std] ET ShadowServer confirmed botnet control server on standard port, [] MAC_Src: 00:0C:29:3C:5D:5D
         58780->443 (13:30:16.118 PDT)
         34134->443 (13:56:21.074 PDT)
         35396->443 (14:07:15.030 PDT)
   DECLARE BOT Non-standard Port
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1378931125.819 1378931125.820 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.27'

============================== SEPARATOR ================================

Score: 1.1 (>= 0.8)
Infected Target: 192.168.1.27
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 09/11/2013 14:33:46.079 PDT
Gen. Time: 09/11/2013 14:35:34.703 PDT
   INBOUND SCAN
   EXPLOIT
   EXPLOIT (INTERNAL)
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   EGG DOWNLOAD (INTERNAL)
   C and C TRAFFIC
   C and C TRAFFIC (INTERNAL)
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND ATTACK
      213.61.149.126 (14:35:34.703 PDT)
         event=1:2002911 {tcp} E5[rb] ET SCAN Potential VNC Scan 5900-5920, [] MAC_Src: 00:0C:29:3C:5D:5D
         41142->5901 (14:35:34.703 PDT)
   OUTBOUND ATTACK (INTERNAL)
   ATTACK PREP
   PEER COORDINATION Info
   PEER COORDINATION
   DECLARE BOT Standard Port
      208.115.237.177 (14:33:46.079 PDT)
         event=1:9920009 {tcp} E8[std] ET ShadowServer confirmed botnet control server on standard port, [] MAC_Src: 00:0C:29:3C:5D:5D
         38005->443 (14:33:46.079 PDT)
   DECLARE BOT Non-standard Port
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1378935226.079 1378935226.080 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.27'

============================== SEPARATOR ================================

Score: 1.1 (>= 0.8)
Infected Target: 192.168.1.27
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 09/11/2013 14:48:21.114 PDT
Gen. Time: 09/11/2013 14:48:54.578 PDT
   INBOUND SCAN
   EXPLOIT
   EXPLOIT (INTERNAL)
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   EGG DOWNLOAD (INTERNAL)
   C and C TRAFFIC
   C and C TRAFFIC (INTERNAL)
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND ATTACK
      213.61.149.126 (14:48:54.578 PDT)
         event=1:2002911 {tcp} E5[rb] ET SCAN Potential VNC Scan 5900-5920, [] MAC_Src: 00:0C:29:3C:5D:5D
         42515->5901 (14:48:54.578 PDT)
   OUTBOUND ATTACK (INTERNAL)
   ATTACK PREP
   PEER COORDINATION Info
   PEER COORDINATION
   DECLARE BOT Standard Port
      208.115.237.177 (14:48:21.114 PDT)
         event=1:9920009 {tcp} E8[std] ET ShadowServer confirmed botnet control server on standard port, [] MAC_Src: 00:0C:29:3C:5D:5D
         39471->443 (14:48:21.114 PDT)
   DECLARE BOT Non-standard Port
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1378936101.114 1378936101.115 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.27'

============================== SEPARATOR ================================

Score: 1.1 (>= 0.8)
Infected Target: 192.168.1.27
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 09/11/2013 20:05:31.245 PDT
Gen. Time: 09/11/2013 20:07:14.608 PDT
   INBOUND SCAN
   EXPLOIT
   EXPLOIT (INTERNAL)
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   EGG DOWNLOAD (INTERNAL)
   C and C TRAFFIC
   C and C TRAFFIC (INTERNAL)
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND ATTACK
      37.187.98.185 (20:05:31.245 PDT)
         event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 00:0C:29:3C:5D:5D
         57983->22 (20:05:31.245 PDT)
   OUTBOUND ATTACK (INTERNAL)
   ATTACK PREP
   PEER COORDINATION Info
   PEER COORDINATION
   DECLARE BOT Standard Port
      208.115.237.177 (20:07:14.608 PDT)
         event=1:9920009 {tcp} E8[std] ET ShadowServer confirmed botnet control server on standard port, [] MAC_Src: 00:0C:29:3C:5D:5D
         52549->443 (20:07:14.608 PDT)
   DECLARE BOT Non-standard Port
   DECLARE BOT
   OUTBOUND INTENSE MALWARE PORT SCAN

tcpslice 1378955131.245 1378955131.246 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.27'

============================== SEPARATOR ================================