Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.12
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 10/17/2013 03:55:11.054 PDT
Gen. Time: 10/17/2013 03:55:11.054 PDT
    INBOUND SCAN
    EXPLOIT
    EXPLOIT (INTERNAL)
    EXPLOIT MALWARE DNS
    EGG DOWNLOAD
    EGG DOWNLOAD (INTERNAL)
    C and C TRAFFIC
    C and C TRAFFIC (INTERNAL)
    C and C TRAFFIC (RBN)
    C and C DNS CHECK-IN
    OUTBOUND SKYPE CANDIDATE
    OUTBOUND SCAN (spp)
    OUTBOUND ATTACK
    OUTBOUND ATTACK (INTERNAL)
    ATTACK PREP
    PEER COORDINATION
    Info PEER COORDINATION
    DECLARE BOT Standard Port
    DECLARE BOT Non-standard Port
    DECLARE BOT
    OUTBOUND INTENSE MALWARE PORT SCAN
        204.0.1.232 (03:55:11.054 PDT)
            event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 21 IPs (5 /24s) (# pkts S/M/O/I=0/21/0/0): 22:21, [] MAC_Src: 00:21:1C:EE:14:00
            0->0 (03:55:11.054 PDT)

tcpslice 1382007311.054 1382007311.055 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.12'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.12
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 10/17/2013 03:55:11.054 PDT
Gen. Time: 10/17/2013 03:58:28.123 PDT
    INBOUND SCAN
    EXPLOIT
    EXPLOIT (INTERNAL)
    EXPLOIT MALWARE DNS
    EGG DOWNLOAD
    EGG DOWNLOAD (INTERNAL)
    C and C TRAFFIC
    C and C TRAFFIC (INTERNAL)
    C and C TRAFFIC (RBN)
    C and C DNS CHECK-IN
    OUTBOUND SKYPE CANDIDATE
    OUTBOUND SCAN (spp)
    OUTBOUND ATTACK
    OUTBOUND ATTACK (INTERNAL)
    ATTACK PREP
    PEER COORDINATION
    Info PEER COORDINATION
    DECLARE BOT Standard Port
    DECLARE BOT Non-standard Port
    DECLARE BOT
    OUTBOUND INTENSE MALWARE PORT SCAN
        204.0.1.232 (03:55:11.054 PDT)
            event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 21 IPs (5 /24s) (# pkts S/M/O/I=0/21/0/0): 22:21, [] MAC_Src: 00:21:1C:EE:14:00
            0->0 (03:55:11.054 PDT)
        204.2.102.200 (03:57:19.044 PDT)
            event=777:7777008 {icmp} E8[bh] Detected intense malware port scanning of 204 IPs (28 /24s) (# pkts S/M/O/I=0/200/2/2): 22:200, [] MAC_Src: 00:21:1C:EE:14:00
            (03:57:19.044 PDT)

tcpslice 1382007311.054 1382007311.055 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.12'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.12
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 10/17/2013 04:14:03.501 PDT
Gen. Time: 10/17/2013 04:14:03.501 PDT
    INBOUND SCAN
    EXPLOIT
    EXPLOIT (INTERNAL)
    EXPLOIT MALWARE DNS
    EGG DOWNLOAD
    EGG DOWNLOAD (INTERNAL)
    C and C TRAFFIC
    C and C TRAFFIC (INTERNAL)
    C and C TRAFFIC (RBN)
    C and C DNS CHECK-IN
    OUTBOUND SKYPE CANDIDATE
    OUTBOUND SCAN (spp)
    OUTBOUND ATTACK
    OUTBOUND ATTACK (INTERNAL)
    ATTACK PREP
    PEER COORDINATION
    Info PEER COORDINATION
    DECLARE BOT Standard Port
    DECLARE BOT Non-standard Port
    DECLARE BOT
    OUTBOUND INTENSE MALWARE PORT SCAN
        204.212.9.87 (04:14:03.501 PDT)
            event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 21 IPs (9 /24s) (# pkts S/M/O/I=0/21/0/0): 22:21, [] MAC_Src: 00:21:1C:EE:14:00
            0->0 (04:14:03.501 PDT)

tcpslice 1382008443.501 1382008443.502 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.12'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.12
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 10/17/2013 04:14:03.501 PDT
Gen. Time: 10/17/2013 04:18:19.410 PDT
    INBOUND SCAN
    EXPLOIT
    EXPLOIT (INTERNAL)
    EXPLOIT MALWARE DNS
    EGG DOWNLOAD
    EGG DOWNLOAD (INTERNAL)
    C and C TRAFFIC
    C and C TRAFFIC (INTERNAL)
    C and C TRAFFIC (RBN)
    C and C DNS CHECK-IN
    OUTBOUND SKYPE CANDIDATE
    OUTBOUND SCAN (spp)
    OUTBOUND ATTACK
    OUTBOUND ATTACK (INTERNAL)
    ATTACK PREP
    PEER COORDINATION
    Info PEER COORDINATION
    DECLARE BOT Standard Port
    DECLARE BOT Non-standard Port
    DECLARE BOT
    OUTBOUND INTENSE MALWARE PORT SCAN
        204.212.9.87 (2) (04:14:03.501 PDT)
            event=777:7777008 (2) {tcp} E8[bh] Detected intense malware port scanning of 21 IPs (9 /24s) (# pkts S/M/O/I=0/21/0/0): 22:21, [] MAC_Src: 00:21:1C:EE:14:00
            0->0 (04:14:03.501 PDT)
            0->0 (04:17:34.464 PDT)

tcpslice 1382008443.501 1382008443.502 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.12'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.12
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 10/17/2013 04:29:30.524 PDT
Gen. Time: 10/17/2013 04:29:30.524 PDT
    INBOUND SCAN
    EXPLOIT
    EXPLOIT (INTERNAL)
    EXPLOIT MALWARE DNS
    EGG DOWNLOAD
    EGG DOWNLOAD (INTERNAL)
    C and C TRAFFIC
    C and C TRAFFIC (INTERNAL)
    C and C TRAFFIC (RBN)
    C and C DNS CHECK-IN
    OUTBOUND SKYPE CANDIDATE
    OUTBOUND SCAN (spp)
    OUTBOUND ATTACK
    OUTBOUND ATTACK (INTERNAL)
    ATTACK PREP
    PEER COORDINATION
    Info PEER COORDINATION
    DECLARE BOT Standard Port
    DECLARE BOT Non-standard Port
    DECLARE BOT
    OUTBOUND INTENSE MALWARE PORT SCAN
        204.186.26.103 (04:29:30.524 PDT)
            event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 21 IPs (21 /24s) (# pkts S/M/O/I=0/21/0/0): 22:21, [] MAC_Src: 00:21:1C:EE:14:00
            0->0 (04:29:30.524 PDT)

tcpslice 1382009370.524 1382009370.525 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.12'

============================== SEPARATOR ================================