Score: 1.3 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 10/28/2013 07:00:06.955 PDT Gen. Time: 10/28/2013 07:00:37.909 PDT INBOUND SCAN EXPLOIT EXPLOIT (INTERNAL) EXPLOIT MALWARE DNS EGG DOWNLOAD EGG DOWNLOAD (INTERNAL) C and C TRAFFIC C and C TRAFFIC (INTERNAL) C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND ATTACK 198.133.224.149 (2) (07:00:36.578 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 1C:DF:0F:66:3D:B0 43508->22 (07:00:36.578 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 43508->22 (07:00:36.578 PDT) 204.8.155.227 (07:00:25.885 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 53580->22 (07:00:25.885 PDT) 128.10.19.53 (07:00:06.955 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 42864->22 (07:00:06.955 PDT) 129.82.12.188 (07:00:15.935 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 46406->22 (07:00:15.935 PDT) OUTBOUND ATTACK (INTERNAL) ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 158.130.6.253 (07:00:37.909 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 21 IPs (14 /24s) (# pkts S/M/O/I=0/21/0/0): 22:21, [] MAC_Src: 1C:DF:0F:66:3D:B0 0->0 (07:00:37.909 PDT) tcpslice 1382968806.955 1382968806.956 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' ============================== SEPARATOR ================================ Score: 1.3 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 10/28/2013 07:00:06.955 PDT Gen. Time: 10/28/2013 07:08:43.712 PDT INBOUND SCAN EXPLOIT EXPLOIT (INTERNAL) EXPLOIT MALWARE DNS EGG DOWNLOAD EGG DOWNLOAD (INTERNAL) C and C TRAFFIC C and C TRAFFIC (INTERNAL) C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND ATTACK 128.10.19.53 (2) (07:00:06.955 PDT) event=1:2003068 (2) {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 42864->22 (07:00:06.955 PDT) 42916->22 (07:01:42.817 PDT) 155.246.12.164 (07:02:03.373 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 53067->22 (07:02:03.373 PDT) 165.91.55.9 (2) (07:01:52.645 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 1C:DF:0F:66:3D:B0 37652->22 (07:01:52.645 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 37652->22 (07:01:52.645 PDT) 128.42.142.45 (07:01:06.021 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 40948->22 (07:01:06.021 PDT) 131.193.34.38 (07:00:58.684 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 58864->22 (07:00:58.684 PDT) 158.130.6.253 (07:01:33.637 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 34725->22 (07:01:33.637 PDT) 198.133.224.149 (2) (07:00:36.578 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 1C:DF:0F:66:3D:B0 43508->22 (07:00:36.578 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 43508->22 (07:00:36.578 PDT) 204.8.155.227 (07:00:25.885 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 53580->22 (07:00:25.885 PDT) 129.82.12.188 (2) (07:00:15.935 PDT) event=1:2003068 (2) {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 46406->22 (07:00:15.935 PDT) 46468->22 (07:02:09.873 PDT) 13.7.64.20 (2) (07:01:18.435 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 1C:DF:0F:66:3D:B0 51350->22 (07:01:18.435 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 51350->22 (07:01:18.435 PDT) 130.127.39.153 (07:01:11.276 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 53428->22 (07:01:11.276 PDT) 128.208.4.198 (07:01:24.337 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 57997->22 (07:01:24.337 PDT) OUTBOUND ATTACK (INTERNAL) ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 158.130.6.253 (07:00:37.909 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 21 IPs (14 /24s) (# pkts S/M/O/I=0/21/0/0): 22:21, [] MAC_Src: 1C:DF:0F:66:3D:B0 0->0 (07:00:37.909 PDT) 128.8.126.98 (3) (07:02:08.078 PDT-07:05:16.097 PDT) event=777:7777008 (3) {tcp} E8[bh] Detected intense malware port scanning of 41 IPs (24 /24s) (# pkts S/M/O/I=0/41/0/0): 22:41, [] MAC_Src: 1C:DF:0F:66:3D:B0 3: 0->0 (07:02:08.078 PDT-07:05:16.097 PDT) tcpslice 1382968806.955 1382969116.098 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' ============================== SEPARATOR ================================ Score: 1.3 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 10/28/2013 08:06:13.893 PDT Gen. Time: 10/28/2013 08:08:31.035 PDT INBOUND SCAN EXPLOIT EXPLOIT (INTERNAL) EXPLOIT MALWARE DNS EGG DOWNLOAD EGG DOWNLOAD (INTERNAL) C and C TRAFFIC C and C TRAFFIC (INTERNAL) C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND ATTACK 128.111.52.58 (2) (08:07:07.718 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 1C:DF:0F:66:3D:B0 47015->22 (08:07:07.718 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 47018->22 (08:07:09.132 PDT) 128.208.4.197 (08:07:48.814 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 52545->22 (08:07:48.814 PDT) 128.10.19.53 (08:07:23.401 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 43081->22 (08:07:23.401 PDT) 131.179.150.72 (08:06:13.893 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 54726->22 (08:06:13.893 PDT) 72.36.112.79 (08:06:44.582 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 49746->22 (08:06:44.582 PDT) 131.179.150.70 (08:07:27.089 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 41305->22 (08:07:27.089 PDT) 13.7.64.22 (08:07:44.959 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 50094->22 (08:07:44.959 PDT) 128.42.142.45 (08:06:29.214 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 41098->22 (08:06:29.214 PDT) 204.8.155.227 (08:06:59.775 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 53767->22 (08:06:59.775 PDT) 192.91.235.230 (08:07:16.615 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 50338->22 (08:07:16.615 PDT) 129.82.12.188 (2) (08:07:29.336 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 1C:DF:0F:66:3D:B0 46625->22 (08:07:29.336 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 46628->22 (08:07:33.779 PDT) 141.212.113.180 (08:07:06.161 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 47990->22 (08:07:06.161 PDT) 141.212.113.179 (08:07:40.722 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 37942->22 (08:07:40.722 PDT) 128.111.52.59 (08:07:49.992 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 1C:DF:0F:66:3D:B0 52580->22 (08:07:49.992 PDT) 130.127.39.152 (08:06:52.007 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 46582->22 (08:06:52.007 PDT) OUTBOUND ATTACK (INTERNAL) ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 192.91.235.230 (08:08:31.035 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 21 IPs (15 /24s) (# pkts S/M/O/I=0/21/0/0): 22:21, [] MAC_Src: 1C:DF:0F:66:3D:B0 0->0 (08:08:31.035 PDT) tcpslice 1382972773.893 1382972773.894 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' ============================== SEPARATOR ================================ Score: 1.3 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 10/28/2013 08:06:13.893 PDT Gen. Time: 10/28/2013 08:14:50.737 PDT INBOUND SCAN EXPLOIT EXPLOIT (INTERNAL) EXPLOIT MALWARE DNS EGG DOWNLOAD EGG DOWNLOAD (INTERNAL) C and C TRAFFIC C and C TRAFFIC (INTERNAL) C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND ATTACK 128.111.52.58 (2) (08:07:07.718 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 1C:DF:0F:66:3D:B0 47015->22 (08:07:07.718 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 47018->22 (08:07:09.132 PDT) 128.208.4.197 (08:07:48.814 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 52545->22 (08:07:48.814 PDT) 128.10.19.53 (08:07:23.401 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 43081->22 (08:07:23.401 PDT) 131.179.150.72 (08:06:13.893 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 54726->22 (08:06:13.893 PDT) 72.36.112.79 (08:06:44.582 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 49746->22 (08:06:44.582 PDT) 131.179.150.70 (08:07:27.089 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 41305->22 (08:07:27.089 PDT) 13.7.64.22 (08:07:44.959 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 50094->22 (08:07:44.959 PDT) 128.42.142.45 (08:06:29.214 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 41098->22 (08:06:29.214 PDT) 204.8.155.227 (08:06:59.775 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 53767->22 (08:06:59.775 PDT) 192.91.235.230 (08:07:16.615 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 50338->22 (08:07:16.615 PDT) 129.82.12.188 (2) (08:07:29.336 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 1C:DF:0F:66:3D:B0 46625->22 (08:07:29.336 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 46628->22 (08:07:33.779 PDT) 141.212.113.180 (08:07:06.161 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 47990->22 (08:07:06.161 PDT) 141.212.113.179 (08:07:40.722 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 37942->22 (08:07:40.722 PDT) 128.111.52.59 (08:07:49.992 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 1C:DF:0F:66:3D:B0 52580->22 (08:07:49.992 PDT) 130.127.39.152 (08:06:52.007 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 46582->22 (08:06:52.007 PDT) OUTBOUND ATTACK (INTERNAL) ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 192.91.235.230 (2) (08:08:31.035 PDT) event=777:7777008 (2) {tcp} E8[bh] Detected intense malware port scanning of 21 IPs (15 /24s) (# pkts S/M/O/I=0/21/0/0): 22:21, [] MAC_Src: 1C:DF:0F:66:3D:B0 0->0 (08:08:31.035 PDT) 0->0 (08:10:01.738 PDT) tcpslice 1382972773.893 1382972773.894 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 10/28/2013 08:10:51.212 PDT Gen. Time: 10/28/2013 08:10:51.212 PDT INBOUND SCAN EXPLOIT EXPLOIT (INTERNAL) EXPLOIT MALWARE DNS EGG DOWNLOAD EGG DOWNLOAD (INTERNAL) C and C TRAFFIC C and C TRAFFIC (INTERNAL) C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND ATTACK OUTBOUND ATTACK (INTERNAL) ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 128.8.126.111 (08:10:51.212 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 41 IPs (24 /24s) (# pkts S/M/O/I=0/41/0/0): 22:41, [] MAC_Src: 1C:DF:0F:66:3D:B0 0->0 (08:10:51.212 PDT) tcpslice 1382973051.212 1382973051.213 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' ============================== SEPARATOR ================================ Score: 1.3 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 10/28/2013 08:26:29.383 PDT Gen. Time: 10/28/2013 08:28:48.636 PDT INBOUND SCAN EXPLOIT EXPLOIT (INTERNAL) EXPLOIT MALWARE DNS EGG DOWNLOAD EGG DOWNLOAD (INTERNAL) C and C TRAFFIC C and C TRAFFIC (INTERNAL) C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND ATTACK 128.111.52.58 (2) (08:27:22.513 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 1C:DF:0F:66:3D:B0 47229->22 (08:27:22.513 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 47233->22 (08:27:24.951 PDT) 128.208.4.197 (08:28:04.167 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 52760->22 (08:28:04.167 PDT) 128.10.19.53 (08:27:39.769 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 43296->22 (08:27:39.769 PDT) 131.179.150.72 (08:26:29.383 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 54941->22 (08:26:29.383 PDT) 72.36.112.79 (08:26:59.817 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 49961->22 (08:26:59.817 PDT) 131.179.150.70 (08:27:43.483 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 41520->22 (08:27:43.483 PDT) 13.7.64.22 (08:28:00.513 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 50309->22 (08:28:00.513 PDT) 128.42.142.45 (08:26:44.307 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 41313->22 (08:26:44.307 PDT) 204.8.155.227 (08:27:15.139 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 53982->22 (08:27:15.139 PDT) 192.91.235.230 (08:27:32.686 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 50553->22 (08:27:32.686 PDT) 129.82.12.188 (2) (08:27:44.083 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 1C:DF:0F:66:3D:B0 46839->22 (08:27:44.083 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 46843->22 (08:27:49.108 PDT) 141.212.113.180 (08:27:21.304 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 48205->22 (08:27:21.304 PDT) 141.212.113.179 (08:27:56.055 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 38157->22 (08:27:56.055 PDT) 128.111.52.59 (08:28:04.819 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 1C:DF:0F:66:3D:B0 52794->22 (08:28:04.819 PDT) 130.127.39.152 (08:27:07.452 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 46797->22 (08:27:07.452 PDT) OUTBOUND ATTACK (INTERNAL) ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 141.212.113.180 (08:28:48.636 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 21 IPs (15 /24s) (# pkts S/M/O/I=0/21/0/0): 22:21, [] MAC_Src: 1C:DF:0F:66:3D:B0 0->0 (08:28:48.636 PDT) tcpslice 1382973989.383 1382973989.384 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' ============================== SEPARATOR ================================ Score: 1.3 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 10/28/2013 08:26:29.383 PDT Gen. Time: 10/28/2013 08:33:53.653 PDT INBOUND SCAN EXPLOIT EXPLOIT (INTERNAL) EXPLOIT MALWARE DNS EGG DOWNLOAD EGG DOWNLOAD (INTERNAL) C and C TRAFFIC C and C TRAFFIC (INTERNAL) C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND ATTACK 128.111.52.58 (2) (08:27:22.513 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 1C:DF:0F:66:3D:B0 47229->22 (08:27:22.513 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 47233->22 (08:27:24.951 PDT) 128.208.4.197 (08:28:04.167 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 52760->22 (08:28:04.167 PDT) 128.10.19.53 (08:27:39.769 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 43296->22 (08:27:39.769 PDT) 131.179.150.72 (08:26:29.383 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 54941->22 (08:26:29.383 PDT) 72.36.112.79 (08:26:59.817 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 49961->22 (08:26:59.817 PDT) 131.179.150.70 (08:27:43.483 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 41520->22 (08:27:43.483 PDT) 13.7.64.22 (08:28:00.513 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 50309->22 (08:28:00.513 PDT) 128.42.142.45 (08:26:44.307 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 41313->22 (08:26:44.307 PDT) 204.8.155.227 (08:27:15.139 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 53982->22 (08:27:15.139 PDT) 192.91.235.230 (08:27:32.686 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 50553->22 (08:27:32.686 PDT) 129.82.12.188 (2) (08:27:44.083 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 1C:DF:0F:66:3D:B0 46839->22 (08:27:44.083 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 46843->22 (08:27:49.108 PDT) 141.212.113.180 (08:27:21.304 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 48205->22 (08:27:21.304 PDT) 141.212.113.179 (08:27:56.055 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 38157->22 (08:27:56.055 PDT) 128.111.52.59 (08:28:04.819 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 1C:DF:0F:66:3D:B0 52794->22 (08:28:04.819 PDT) 130.127.39.152 (08:27:07.452 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 46797->22 (08:27:07.452 PDT) OUTBOUND ATTACK (INTERNAL) ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 141.212.113.180 (2) (08:28:48.636 PDT) event=777:7777008 (2) {tcp} E8[bh] Detected intense malware port scanning of 21 IPs (15 /24s) (# pkts S/M/O/I=0/21/0/0): 22:21, [] MAC_Src: 1C:DF:0F:66:3D:B0 0->0 (08:28:48.636 PDT) 0->0 (08:30:18.585 PDT) tcpslice 1382973989.383 1382973989.384 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 10/28/2013 08:31:11.852 PDT Gen. Time: 10/28/2013 08:31:11.852 PDT INBOUND SCAN EXPLOIT EXPLOIT (INTERNAL) EXPLOIT MALWARE DNS EGG DOWNLOAD EGG DOWNLOAD (INTERNAL) C and C TRAFFIC C and C TRAFFIC (INTERNAL) C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND ATTACK OUTBOUND ATTACK (INTERNAL) ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 141.212.113.180 (08:31:11.852 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 41 IPs (24 /24s) (# pkts S/M/O/I=0/41/0/0): 22:41, [] MAC_Src: 1C:DF:0F:66:3D:B0 0->0 (08:31:11.852 PDT) tcpslice 1382974271.852 1382974271.853 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' ============================== SEPARATOR ================================ Score: 1.3 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 10/28/2013 08:46:54.805 PDT Gen. Time: 10/28/2013 08:49:20.216 PDT INBOUND SCAN EXPLOIT EXPLOIT (INTERNAL) EXPLOIT MALWARE DNS EGG DOWNLOAD EGG DOWNLOAD (INTERNAL) C and C TRAFFIC C and C TRAFFIC (INTERNAL) C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND ATTACK 128.111.52.58 (08:47:51.040 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 47448->22 (08:47:51.040 PDT) 128.208.4.197 (2) (08:48:32.317 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 1C:DF:0F:66:3D:B0 52975->22 (08:48:32.317 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 52975->22 (08:48:32.317 PDT) 128.10.19.53 (08:48:05.522 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 43511->22 (08:48:05.522 PDT) 131.179.150.72 (08:46:54.805 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 55156->22 (08:46:54.805 PDT) 72.36.112.79 (08:47:25.793 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 50176->22 (08:47:25.793 PDT) 131.179.150.70 (2) (08:48:08.557 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 1C:DF:0F:66:3D:B0 41735->22 (08:48:08.557 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 41735->22 (08:48:08.557 PDT) 13.7.64.22 (08:48:27.648 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 50524->22 (08:48:27.648 PDT) 128.42.142.45 (08:47:10.107 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 41528->22 (08:47:10.107 PDT) 204.8.155.227 (08:47:41.411 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 54197->22 (08:47:41.411 PDT) 192.91.235.230 (08:47:58.929 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 50768->22 (08:47:58.929 PDT) 129.82.12.188 (08:48:15.610 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 47058->22 (08:48:15.610 PDT) 141.212.113.180 (2) (08:47:47.614 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 1C:DF:0F:66:3D:B0 48420->22 (08:47:47.614 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 48420->22 (08:47:47.614 PDT) 141.212.113.179 (08:48:23.093 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 38372->22 (08:48:23.093 PDT) 130.127.39.152 (08:47:33.584 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 47012->22 (08:47:33.584 PDT) OUTBOUND ATTACK (INTERNAL) ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 72.36.112.79 (08:49:20.216 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 21 IPs (15 /24s) (# pkts S/M/O/I=0/21/0/0): 22:21, [] MAC_Src: 1C:DF:0F:66:3D:B0 0->0 (08:49:20.216 PDT) tcpslice 1382975214.805 1382975214.806 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' ============================== SEPARATOR ================================ Score: 1.3 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 10/28/2013 08:46:54.805 PDT Gen. Time: 10/28/2013 08:55:41.611 PDT INBOUND SCAN EXPLOIT EXPLOIT (INTERNAL) EXPLOIT MALWARE DNS EGG DOWNLOAD EGG DOWNLOAD (INTERNAL) C and C TRAFFIC C and C TRAFFIC (INTERNAL) C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND ATTACK 128.111.52.58 (08:47:51.040 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 47448->22 (08:47:51.040 PDT) 128.208.4.197 (2) (08:48:32.317 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 1C:DF:0F:66:3D:B0 52975->22 (08:48:32.317 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 52975->22 (08:48:32.317 PDT) 128.10.19.53 (08:48:05.522 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 43511->22 (08:48:05.522 PDT) 131.179.150.72 (08:46:54.805 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 55156->22 (08:46:54.805 PDT) 72.36.112.79 (08:47:25.793 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 50176->22 (08:47:25.793 PDT) 131.179.150.70 (2) (08:48:08.557 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 1C:DF:0F:66:3D:B0 41735->22 (08:48:08.557 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 41735->22 (08:48:08.557 PDT) 13.7.64.22 (08:48:27.648 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 50524->22 (08:48:27.648 PDT) 128.42.142.45 (08:47:10.107 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 41528->22 (08:47:10.107 PDT) 204.8.155.227 (08:47:41.411 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 54197->22 (08:47:41.411 PDT) 192.91.235.230 (08:47:58.929 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 50768->22 (08:47:58.929 PDT) 129.82.12.188 (08:48:15.610 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 47058->22 (08:48:15.610 PDT) 141.212.113.180 (2) (08:47:47.614 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 1C:DF:0F:66:3D:B0 48420->22 (08:47:47.614 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 48420->22 (08:47:47.614 PDT) 141.212.113.179 (08:48:23.093 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 38372->22 (08:48:23.093 PDT) 130.127.39.152 (08:47:33.584 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 47012->22 (08:47:33.584 PDT) OUTBOUND ATTACK (INTERNAL) ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 158.130.6.253 (08:50:50.073 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 33 IPs (22 /24s) (# pkts S/M/O/I=0/33/0/0): 22:33, [] MAC_Src: 1C:DF:0F:66:3D:B0 0->0 (08:50:50.073 PDT) 72.36.112.79 (08:49:20.216 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 21 IPs (15 /24s) (# pkts S/M/O/I=0/21/0/0): 22:21, [] MAC_Src: 1C:DF:0F:66:3D:B0 0->0 (08:49:20.216 PDT) tcpslice 1382975214.805 1382975214.806 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 10/28/2013 08:51:47.682 PDT Gen. Time: 10/28/2013 08:51:47.682 PDT INBOUND SCAN EXPLOIT EXPLOIT (INTERNAL) EXPLOIT MALWARE DNS EGG DOWNLOAD EGG DOWNLOAD (INTERNAL) C and C TRAFFIC C and C TRAFFIC (INTERNAL) C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND ATTACK OUTBOUND ATTACK (INTERNAL) ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 128.36.233.153 (08:51:47.682 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 41 IPs (24 /24s) (# pkts S/M/O/I=0/41/0/0): 22:41, [] MAC_Src: 1C:DF:0F:66:3D:B0 0->0 (08:51:47.682 PDT) tcpslice 1382975507.682 1382975507.683 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 10/28/2013 09:03:48.630 PDT Gen. Time: 10/28/2013 09:03:48.630 PDT INBOUND SCAN EXPLOIT EXPLOIT (INTERNAL) EXPLOIT MALWARE DNS EGG DOWNLOAD EGG DOWNLOAD (INTERNAL) C and C TRAFFIC C and C TRAFFIC (INTERNAL) C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND ATTACK OUTBOUND ATTACK (INTERNAL) ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 198.133.224.149 (09:03:48.630 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 21 IPs (15 /24s) (# pkts S/M/O/I=0/21/0/0): 22:21, [] MAC_Src: 1C:DF:0F:66:3D:B0 0->0 (09:03:48.630 PDT) tcpslice 1382976228.630 1382976228.631 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 10/28/2013 09:03:48.630 PDT Gen. Time: 10/28/2013 09:07:14.712 PDT INBOUND SCAN EXPLOIT EXPLOIT (INTERNAL) EXPLOIT MALWARE DNS EGG DOWNLOAD EGG DOWNLOAD (INTERNAL) C and C TRAFFIC C and C TRAFFIC (INTERNAL) C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND ATTACK OUTBOUND ATTACK (INTERNAL) ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 198.133.224.149 (3) (09:03:48.630 PDT) event=777:7777008 (3) {tcp} E8[bh] Detected intense malware port scanning of 21 IPs (15 /24s) (# pkts S/M/O/I=0/21/0/0): 22:21, [] MAC_Src: 1C:DF:0F:66:3D:B0 0->0 (09:03:48.630 PDT) 0->0 (09:05:18.775 PDT) 0->0 (09:06:49.313 PDT) tcpslice 1382976228.630 1382976228.631 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' ============================== SEPARATOR ================================ Score: 1.3 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 10/28/2013 09:07:20.480 PDT Gen. Time: 10/28/2013 09:08:19.266 PDT INBOUND SCAN EXPLOIT EXPLOIT (INTERNAL) EXPLOIT MALWARE DNS EGG DOWNLOAD EGG DOWNLOAD (INTERNAL) C and C TRAFFIC C and C TRAFFIC (INTERNAL) C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND ATTACK 131.179.150.72 (09:07:20.480 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 55371->22 (09:07:20.480 PDT) 204.8.155.227 (09:08:12.594 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 54412->22 (09:08:12.594 PDT) 128.42.142.45 (09:07:35.335 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 41743->22 (09:07:35.335 PDT) 72.36.112.79 (09:07:56.894 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 50391->22 (09:07:56.894 PDT) 130.127.39.152 (09:08:04.570 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 47227->22 (09:08:04.570 PDT) OUTBOUND ATTACK (INTERNAL) ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 198.133.224.149 (09:08:19.266 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 39 IPs (24 /24s) (# pkts S/M/O/I=0/39/0/0): 22:39, [] MAC_Src: 1C:DF:0F:66:3D:B0 0->0 (09:08:19.266 PDT) tcpslice 1382976440.480 1382976440.481 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' ============================== SEPARATOR ================================ Score: 1.3 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 10/28/2013 09:07:20.480 PDT Gen. Time: 10/28/2013 09:15:42.656 PDT INBOUND SCAN EXPLOIT EXPLOIT (INTERNAL) EXPLOIT MALWARE DNS EGG DOWNLOAD EGG DOWNLOAD (INTERNAL) C and C TRAFFIC C and C TRAFFIC (INTERNAL) C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND ATTACK 128.111.52.58 (09:08:22.350 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 47663->22 (09:08:22.350 PDT) 128.208.4.197 (2) (09:09:05.656 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 1C:DF:0F:66:3D:B0 53190->22 (09:09:05.656 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 53190->22 (09:09:05.656 PDT) 128.10.19.53 (09:08:36.834 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 43726->22 (09:08:36.834 PDT) 131.179.150.72 (09:07:20.480 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 55371->22 (09:07:20.480 PDT) 72.36.112.79 (09:07:56.894 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 50391->22 (09:07:56.894 PDT) 131.179.150.70 (2) (09:08:39.633 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 1C:DF:0F:66:3D:B0 41950->22 (09:08:39.633 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 41950->22 (09:08:39.633 PDT) 13.7.64.22 (09:09:00.871 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 50739->22 (09:09:00.871 PDT) 128.42.142.45 (09:07:35.335 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 41743->22 (09:07:35.335 PDT) 204.8.155.227 (09:08:12.594 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 54412->22 (09:08:12.594 PDT) 192.91.235.230 (09:08:30.121 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 50983->22 (09:08:30.121 PDT) 129.82.12.188 (09:08:48.763 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 47273->22 (09:08:48.763 PDT) 141.212.113.180 (2) (09:08:19.266 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 1C:DF:0F:66:3D:B0 48635->22 (09:08:19.266 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 48635->22 (09:08:19.266 PDT) 141.212.113.179 (09:08:56.343 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 38587->22 (09:08:56.343 PDT) 130.127.39.152 (09:08:04.570 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 47227->22 (09:08:04.570 PDT) OUTBOUND ATTACK (INTERNAL) ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 198.133.224.149 (5) (09:08:19.266 PDT-09:15:16.705 PDT) event=777:7777008 (5) {tcp} E8[bh] Detected intense malware port scanning of 39 IPs (24 /24s) (# pkts S/M/O/I=0/39/0/0): 22:39, [] MAC_Src: 1C:DF:0F:66:3D:B0 2: 0->0 (09:08:19.266 PDT-09:09:49.593 PDT) 0->0 (09:11:19.086 PDT) 2: 0->0 (09:13:05.633 PDT-09:15:16.705 PDT) tcpslice 1382976440.480 1382976916.706 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 10/28/2013 09:16:31.969 PDT Gen. Time: 10/28/2013 09:16:31.969 PDT INBOUND SCAN EXPLOIT EXPLOIT (INTERNAL) EXPLOIT MALWARE DNS EGG DOWNLOAD EGG DOWNLOAD (INTERNAL) C and C TRAFFIC C and C TRAFFIC (INTERNAL) C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND ATTACK OUTBOUND ATTACK (INTERNAL) ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 198.133.224.149 (09:16:31.969 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 41 IPs (24 /24s) (# pkts S/M/O/I=0/41/0/0): 22:41, [] MAC_Src: 1C:DF:0F:66:3D:B0 0->0 (09:16:31.969 PDT) tcpslice 1382976991.969 1382976991.970 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' ============================== SEPARATOR ================================ Score: 1.3 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 10/28/2013 09:27:55.556 PDT Gen. Time: 10/28/2013 09:30:27.887 PDT INBOUND SCAN EXPLOIT EXPLOIT (INTERNAL) EXPLOIT MALWARE DNS EGG DOWNLOAD EGG DOWNLOAD (INTERNAL) C and C TRAFFIC C and C TRAFFIC (INTERNAL) C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND ATTACK 128.111.52.58 (2) (09:28:58.874 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 1C:DF:0F:66:3D:B0 47874->22 (09:28:58.874 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 47878->22 (09:29:00.759 PDT) 128.208.4.197 (09:29:41.367 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 53405->22 (09:29:41.367 PDT) 128.10.19.53 (09:29:15.040 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 43941->22 (09:29:15.040 PDT) 131.179.150.72 (09:27:55.556 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 55586->22 (09:27:55.556 PDT) 72.36.112.79 (09:28:26.697 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 50606->22 (09:28:26.697 PDT) 131.179.150.70 (09:29:17.900 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 42165->22 (09:29:17.900 PDT) 13.7.64.22 (09:29:37.626 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 50954->22 (09:29:37.626 PDT) 128.42.142.45 (09:28:10.454 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 41958->22 (09:28:10.454 PDT) 204.8.155.227 (09:28:51.544 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 54627->22 (09:28:51.544 PDT) 192.91.235.230 (09:29:08.556 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 51198->22 (09:29:08.556 PDT) 129.82.12.188 (2) (09:29:18.344 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 1C:DF:0F:66:3D:B0 47484->22 (09:29:18.344 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 47488->22 (09:29:25.626 PDT) 141.212.113.180 (09:28:57.841 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 48850->22 (09:28:57.841 PDT) 141.212.113.179 (09:29:33.226 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 38802->22 (09:29:33.226 PDT) 128.111.52.59 (09:29:42.145 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 1C:DF:0F:66:3D:B0 53439->22 (09:29:42.145 PDT) 130.127.39.152 (09:28:43.910 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 47442->22 (09:28:43.910 PDT) OUTBOUND ATTACK (INTERNAL) ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 128.208.4.197 (09:30:27.887 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 21 IPs (15 /24s) (# pkts S/M/O/I=0/21/0/0): 22:21, [] MAC_Src: 1C:DF:0F:66:3D:B0 0->0 (09:30:27.887 PDT) tcpslice 1382977675.556 1382977675.557 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' ============================== SEPARATOR ================================ Score: 1.3 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 10/28/2013 09:27:55.556 PDT Gen. Time: 10/28/2013 09:34:24.721 PDT INBOUND SCAN EXPLOIT EXPLOIT (INTERNAL) EXPLOIT MALWARE DNS EGG DOWNLOAD EGG DOWNLOAD (INTERNAL) C and C TRAFFIC C and C TRAFFIC (INTERNAL) C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND ATTACK 128.111.52.58 (2) (09:28:58.874 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 1C:DF:0F:66:3D:B0 47874->22 (09:28:58.874 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 47878->22 (09:29:00.759 PDT) 128.208.4.197 (09:29:41.367 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 53405->22 (09:29:41.367 PDT) 128.10.19.53 (09:29:15.040 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 43941->22 (09:29:15.040 PDT) 131.179.150.72 (09:27:55.556 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 55586->22 (09:27:55.556 PDT) 72.36.112.79 (09:28:26.697 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 50606->22 (09:28:26.697 PDT) 131.179.150.70 (09:29:17.900 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 42165->22 (09:29:17.900 PDT) 13.7.64.22 (09:29:37.626 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 50954->22 (09:29:37.626 PDT) 128.42.142.45 (09:28:10.454 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 41958->22 (09:28:10.454 PDT) 204.8.155.227 (09:28:51.544 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 54627->22 (09:28:51.544 PDT) 192.91.235.230 (09:29:08.556 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 51198->22 (09:29:08.556 PDT) 129.82.12.188 (2) (09:29:18.344 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 1C:DF:0F:66:3D:B0 47484->22 (09:29:18.344 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 47488->22 (09:29:25.626 PDT) 141.212.113.180 (09:28:57.841 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 48850->22 (09:28:57.841 PDT) 141.212.113.179 (09:29:33.226 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 38802->22 (09:29:33.226 PDT) 128.111.52.59 (09:29:42.145 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 1C:DF:0F:66:3D:B0 53439->22 (09:29:42.145 PDT) 130.127.39.152 (09:28:43.910 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 47442->22 (09:28:43.910 PDT) OUTBOUND ATTACK (INTERNAL) ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 128.208.4.197 (09:30:27.887 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 21 IPs (15 /24s) (# pkts S/M/O/I=0/21/0/0): 22:21, [] MAC_Src: 1C:DF:0F:66:3D:B0 0->0 (09:30:27.887 PDT) 198.133.224.147 (09:31:57.815 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 34 IPs (22 /24s) (# pkts S/M/O/I=0/34/0/0): 22:34, [] MAC_Src: 1C:DF:0F:66:3D:B0 0->0 (09:31:57.815 PDT) tcpslice 1382977675.556 1382977675.557 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 10/28/2013 09:38:09.139 PDT Gen. Time: 10/28/2013 09:38:09.139 PDT INBOUND SCAN EXPLOIT EXPLOIT (INTERNAL) EXPLOIT MALWARE DNS EGG DOWNLOAD EGG DOWNLOAD (INTERNAL) C and C TRAFFIC C and C TRAFFIC (INTERNAL) C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND ATTACK OUTBOUND ATTACK (INTERNAL) ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 128.208.4.198 (09:38:09.139 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 41 IPs (24 /24s) (# pkts S/M/O/I=0/41/0/0): 22:41, [] MAC_Src: 1C:DF:0F:66:3D:B0 0->0 (09:38:09.139 PDT) tcpslice 1382978289.139 1382978289.140 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' ============================== SEPARATOR ================================ Score: 1.3 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 10/28/2013 09:48:21.666 PDT Gen. Time: 10/28/2013 09:50:50.872 PDT INBOUND SCAN EXPLOIT EXPLOIT (INTERNAL) EXPLOIT MALWARE DNS EGG DOWNLOAD EGG DOWNLOAD (INTERNAL) C and C TRAFFIC C and C TRAFFIC (INTERNAL) C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND ATTACK 128.111.52.58 (2) (09:49:17.580 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 1C:DF:0F:66:3D:B0 48090->22 (09:49:17.580 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 48093->22 (09:49:19.032 PDT) 128.208.4.197 (09:50:02.582 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 53619->22 (09:50:02.582 PDT) 128.10.19.53 (09:49:34.347 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 44156->22 (09:49:34.347 PDT) 131.179.150.72 (09:48:21.666 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 55801->22 (09:48:21.666 PDT) 72.36.112.79 (09:48:53.372 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 50821->22 (09:48:53.372 PDT) 131.179.150.70 (09:49:37.302 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 42380->22 (09:49:37.302 PDT) 13.7.64.22 (09:49:58.585 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 51168->22 (09:49:58.585 PDT) 128.42.142.45 (09:48:36.581 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 42173->22 (09:48:36.581 PDT) 204.8.155.227 (09:49:09.294 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 54842->22 (09:49:09.294 PDT) 192.91.235.230 (09:49:26.970 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 51413->22 (09:49:26.970 PDT) 129.82.12.188 (2) (09:49:39.422 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 1C:DF:0F:66:3D:B0 47700->22 (09:49:39.422 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 47703->22 (09:49:44.834 PDT) 141.212.113.180 (09:49:15.917 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 49065->22 (09:49:15.917 PDT) 141.212.113.179 (09:49:53.661 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 39016->22 (09:49:53.661 PDT) 128.111.52.59 (09:50:03.983 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 1C:DF:0F:66:3D:B0 53654->22 (09:50:03.983 PDT) 130.127.39.152 (09:49:01.248 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 47657->22 (09:49:01.248 PDT) OUTBOUND ATTACK (INTERNAL) ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 13.7.64.22 (09:50:50.872 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 21 IPs (15 /24s) (# pkts S/M/O/I=0/21/0/0): 22:21, [] MAC_Src: 1C:DF:0F:66:3D:B0 0->0 (09:50:50.872 PDT) tcpslice 1382978901.666 1382978901.667 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' ============================== SEPARATOR ================================ Score: 1.3 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 10/28/2013 09:48:21.666 PDT Gen. Time: 10/28/2013 09:56:35.388 PDT INBOUND SCAN EXPLOIT EXPLOIT (INTERNAL) EXPLOIT MALWARE DNS EGG DOWNLOAD EGG DOWNLOAD (INTERNAL) C and C TRAFFIC C and C TRAFFIC (INTERNAL) C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND ATTACK 128.111.52.58 (2) (09:49:17.580 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 1C:DF:0F:66:3D:B0 48090->22 (09:49:17.580 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 48093->22 (09:49:19.032 PDT) 128.208.4.197 (09:50:02.582 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 53619->22 (09:50:02.582 PDT) 128.10.19.53 (09:49:34.347 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 44156->22 (09:49:34.347 PDT) 131.179.150.72 (09:48:21.666 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 55801->22 (09:48:21.666 PDT) 72.36.112.79 (09:48:53.372 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 50821->22 (09:48:53.372 PDT) 131.179.150.70 (09:49:37.302 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 42380->22 (09:49:37.302 PDT) 13.7.64.22 (09:49:58.585 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 51168->22 (09:49:58.585 PDT) 128.42.142.45 (09:48:36.581 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 42173->22 (09:48:36.581 PDT) 204.8.155.227 (09:49:09.294 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 54842->22 (09:49:09.294 PDT) 192.91.235.230 (09:49:26.970 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 51413->22 (09:49:26.970 PDT) 129.82.12.188 (2) (09:49:39.422 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 1C:DF:0F:66:3D:B0 47700->22 (09:49:39.422 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 47703->22 (09:49:44.834 PDT) 141.212.113.180 (09:49:15.917 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 49065->22 (09:49:15.917 PDT) 141.212.113.179 (09:49:53.661 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 39016->22 (09:49:53.661 PDT) 128.111.52.59 (09:50:03.983 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 1C:DF:0F:66:3D:B0 53654->22 (09:50:03.983 PDT) 130.127.39.152 (09:49:01.248 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 47657->22 (09:49:01.248 PDT) OUTBOUND ATTACK (INTERNAL) ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 13.7.64.22 (2) (09:50:50.872 PDT) event=777:7777008 (2) {tcp} E8[bh] Detected intense malware port scanning of 21 IPs (15 /24s) (# pkts S/M/O/I=0/21/0/0): 22:21, [] MAC_Src: 1C:DF:0F:66:3D:B0 0->0 (09:50:50.872 PDT) 0->0 (09:52:20.339 PDT) tcpslice 1382978901.666 1382978901.667 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 10/28/2013 09:53:18.519 PDT Gen. Time: 10/28/2013 09:53:18.519 PDT INBOUND SCAN EXPLOIT EXPLOIT (INTERNAL) EXPLOIT MALWARE DNS EGG DOWNLOAD EGG DOWNLOAD (INTERNAL) C and C TRAFFIC C and C TRAFFIC (INTERNAL) C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND ATTACK OUTBOUND ATTACK (INTERNAL) ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 13.7.64.22 (09:53:18.519 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 41 IPs (24 /24s) (# pkts S/M/O/I=0/41/0/0): 22:41, [] MAC_Src: 1C:DF:0F:66:3D:B0 0->0 (09:53:18.519 PDT) tcpslice 1382979198.519 1382979198.520 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' ============================== SEPARATOR ================================ Score: 1.3 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 10/28/2013 10:09:01.390 PDT Gen. Time: 10/28/2013 10:11:34.263 PDT INBOUND SCAN EXPLOIT EXPLOIT (INTERNAL) EXPLOIT MALWARE DNS EGG DOWNLOAD EGG DOWNLOAD (INTERNAL) C and C TRAFFIC C and C TRAFFIC (INTERNAL) C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND ATTACK 128.111.52.58 (10:10:00.575 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 48308->22 (10:10:00.575 PDT) 128.208.4.197 (2) (10:10:40.779 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 1C:DF:0F:66:3D:B0 53835->22 (10:10:40.779 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 53835->22 (10:10:40.779 PDT) 128.10.19.53 (10:10:14.995 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 44371->22 (10:10:14.995 PDT) 131.179.150.72 (10:09:01.390 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 56016->22 (10:09:01.390 PDT) 72.36.112.79 (10:09:33.695 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 51036->22 (10:09:33.695 PDT) 131.179.150.70 (2) (10:10:19.022 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 1C:DF:0F:66:3D:B0 42595->22 (10:10:19.022 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 42595->22 (10:10:19.022 PDT) 13.7.64.22 (10:10:37.038 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 51384->22 (10:10:37.038 PDT) 128.42.142.45 (10:09:16.457 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 42388->22 (10:09:16.457 PDT) 204.8.155.227 (10:09:51.203 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 55057->22 (10:09:51.203 PDT) 192.91.235.230 (10:10:08.119 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 51628->22 (10:10:08.119 PDT) 129.82.12.188 (10:10:25.551 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 47918->22 (10:10:25.551 PDT) 141.212.113.180 (2) (10:09:57.614 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 1C:DF:0F:66:3D:B0 49280->22 (10:09:57.614 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 49280->22 (10:09:57.614 PDT) 141.212.113.179 (10:10:32.674 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 39232->22 (10:10:32.674 PDT) 130.127.39.152 (10:09:42.389 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 47872->22 (10:09:42.389 PDT) OUTBOUND ATTACK (INTERNAL) ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 13.7.64.22 (10:11:34.263 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 21 IPs (15 /24s) (# pkts S/M/O/I=0/21/0/0): 22:21, [] MAC_Src: 1C:DF:0F:66:3D:B0 0->0 (10:11:34.263 PDT) tcpslice 1382980141.390 1382980141.391 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' ============================== SEPARATOR ================================ Score: 1.3 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 10/28/2013 10:09:01.390 PDT Gen. Time: 10/28/2013 10:16:39.665 PDT INBOUND SCAN EXPLOIT EXPLOIT (INTERNAL) EXPLOIT MALWARE DNS EGG DOWNLOAD EGG DOWNLOAD (INTERNAL) C and C TRAFFIC C and C TRAFFIC (INTERNAL) C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND ATTACK 128.111.52.58 (10:10:00.575 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 48308->22 (10:10:00.575 PDT) 128.208.4.197 (2) (10:10:40.779 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 1C:DF:0F:66:3D:B0 53835->22 (10:10:40.779 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 53835->22 (10:10:40.779 PDT) 128.10.19.53 (10:10:14.995 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 44371->22 (10:10:14.995 PDT) 131.179.150.72 (10:09:01.390 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 56016->22 (10:09:01.390 PDT) 72.36.112.79 (10:09:33.695 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 51036->22 (10:09:33.695 PDT) 131.179.150.70 (2) (10:10:19.022 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 1C:DF:0F:66:3D:B0 42595->22 (10:10:19.022 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 42595->22 (10:10:19.022 PDT) 13.7.64.22 (10:10:37.038 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 51384->22 (10:10:37.038 PDT) 128.42.142.45 (10:09:16.457 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 42388->22 (10:09:16.457 PDT) 204.8.155.227 (10:09:51.203 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 55057->22 (10:09:51.203 PDT) 192.91.235.230 (10:10:08.119 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 51628->22 (10:10:08.119 PDT) 129.82.12.188 (10:10:25.551 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 47918->22 (10:10:25.551 PDT) 141.212.113.180 (2) (10:09:57.614 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 1C:DF:0F:66:3D:B0 49280->22 (10:09:57.614 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 49280->22 (10:09:57.614 PDT) 141.212.113.179 (10:10:32.674 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 39232->22 (10:10:32.674 PDT) 130.127.39.152 (10:09:42.389 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 47872->22 (10:09:42.389 PDT) OUTBOUND ATTACK (INTERNAL) ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 13.7.64.20 (10:13:04.181 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 33 IPs (22 /24s) (# pkts S/M/O/I=0/33/0/0): 22:33, [] MAC_Src: 1C:DF:0F:66:3D:B0 0->0 (10:13:04.181 PDT) 13.7.64.22 (10:11:34.263 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 21 IPs (15 /24s) (# pkts S/M/O/I=0/21/0/0): 22:21, [] MAC_Src: 1C:DF:0F:66:3D:B0 0->0 (10:11:34.263 PDT) tcpslice 1382980141.390 1382980141.391 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 10/28/2013 10:14:04.476 PDT Gen. Time: 10/28/2013 10:14:04.476 PDT INBOUND SCAN EXPLOIT EXPLOIT (INTERNAL) EXPLOIT MALWARE DNS EGG DOWNLOAD EGG DOWNLOAD (INTERNAL) C and C TRAFFIC C and C TRAFFIC (INTERNAL) C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND ATTACK OUTBOUND ATTACK (INTERNAL) ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 13.7.64.20 (10:14:04.476 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 41 IPs (24 /24s) (# pkts S/M/O/I=0/41/0/0): 22:41, [] MAC_Src: 1C:DF:0F:66:3D:B0 0->0 (10:14:04.476 PDT) tcpslice 1382980444.476 1382980444.477 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' ============================== SEPARATOR ================================ Score: 1.3 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 10/28/2013 10:29:48.620 PDT Gen. Time: 10/28/2013 10:32:08.527 PDT INBOUND SCAN EXPLOIT EXPLOIT (INTERNAL) EXPLOIT MALWARE DNS EGG DOWNLOAD EGG DOWNLOAD (INTERNAL) C and C TRAFFIC C and C TRAFFIC (INTERNAL) C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND ATTACK 128.111.52.58 (10:30:40.601 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 48523->22 (10:30:40.601 PDT) 128.208.4.197 (2) (10:31:21.395 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 1C:DF:0F:66:3D:B0 54050->22 (10:31:21.395 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 54050->22 (10:31:21.395 PDT) 128.10.19.53 (10:30:55.781 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 44586->22 (10:30:55.781 PDT) 131.179.150.72 (10:29:48.620 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 56231->22 (10:29:48.620 PDT) 72.36.112.79 (10:30:14.248 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 51251->22 (10:30:14.248 PDT) 131.179.150.70 (2) (10:30:59.079 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 1C:DF:0F:66:3D:B0 42810->22 (10:30:59.079 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 42810->22 (10:30:59.079 PDT) 13.7.64.22 (10:31:17.166 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 51599->22 (10:31:17.166 PDT) 128.42.142.45 (10:29:58.435 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 42603->22 (10:29:58.435 PDT) 204.8.155.227 (10:30:31.151 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 55272->22 (10:30:31.151 PDT) 192.91.235.230 (10:30:48.877 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 51843->22 (10:30:48.877 PDT) 129.82.12.188 (10:31:06.045 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 48133->22 (10:31:06.045 PDT) 141.212.113.180 (2) (10:30:37.579 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 1C:DF:0F:66:3D:B0 49495->22 (10:30:37.579 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 49495->22 (10:30:37.579 PDT) 141.212.113.179 (10:31:12.780 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 39447->22 (10:31:12.780 PDT) 130.127.39.152 (10:30:23.360 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 48087->22 (10:30:23.360 PDT) OUTBOUND ATTACK (INTERNAL) ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 131.179.150.72 (10:32:08.527 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 21 IPs (15 /24s) (# pkts S/M/O/I=0/21/0/0): 22:21, [] MAC_Src: 1C:DF:0F:66:3D:B0 0->0 (10:32:08.527 PDT) tcpslice 1382981388.620 1382981388.621 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' ============================== SEPARATOR ================================ Score: 1.3 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 10/28/2013 10:29:48.620 PDT Gen. Time: 10/28/2013 10:38:17.435 PDT INBOUND SCAN EXPLOIT EXPLOIT (INTERNAL) EXPLOIT MALWARE DNS EGG DOWNLOAD EGG DOWNLOAD (INTERNAL) C and C TRAFFIC C and C TRAFFIC (INTERNAL) C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND ATTACK 128.111.52.58 (10:30:40.601 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 48523->22 (10:30:40.601 PDT) 128.208.4.197 (2) (10:31:21.395 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 1C:DF:0F:66:3D:B0 54050->22 (10:31:21.395 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 54050->22 (10:31:21.395 PDT) 128.10.19.53 (10:30:55.781 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 44586->22 (10:30:55.781 PDT) 131.179.150.72 (10:29:48.620 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 56231->22 (10:29:48.620 PDT) 72.36.112.79 (10:30:14.248 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 51251->22 (10:30:14.248 PDT) 131.179.150.70 (2) (10:30:59.079 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 1C:DF:0F:66:3D:B0 42810->22 (10:30:59.079 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 42810->22 (10:30:59.079 PDT) 13.7.64.22 (10:31:17.166 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 51599->22 (10:31:17.166 PDT) 128.42.142.45 (10:29:58.435 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 42603->22 (10:29:58.435 PDT) 204.8.155.227 (10:30:31.151 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 55272->22 (10:30:31.151 PDT) 192.91.235.230 (10:30:48.877 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 51843->22 (10:30:48.877 PDT) 129.82.12.188 (10:31:06.045 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 48133->22 (10:31:06.045 PDT) 141.212.113.180 (2) (10:30:37.579 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 1C:DF:0F:66:3D:B0 49495->22 (10:30:37.579 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 49495->22 (10:30:37.579 PDT) 141.212.113.179 (10:31:12.780 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 39447->22 (10:31:12.780 PDT) 130.127.39.152 (10:30:23.360 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 48087->22 (10:30:23.360 PDT) OUTBOUND ATTACK (INTERNAL) ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 131.179.150.72 (10:32:08.527 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 21 IPs (15 /24s) (# pkts S/M/O/I=0/21/0/0): 22:21, [] MAC_Src: 1C:DF:0F:66:3D:B0 0->0 (10:32:08.527 PDT) 198.133.224.147 (2) (10:33:38.292 PDT) event=777:7777008 (2) {tcp} E8[bh] Detected intense malware port scanning of 33 IPs (22 /24s) (# pkts S/M/O/I=0/33/0/0): 22:33, [] MAC_Src: 1C:DF:0F:66:3D:B0 0->0 (10:33:38.292 PDT) (10:35:08.612 PDT) tcpslice 1382981388.620 1382981388.621 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 10/28/2013 10:39:03.298 PDT Gen. Time: 10/28/2013 10:39:03.298 PDT INBOUND SCAN EXPLOIT EXPLOIT (INTERNAL) EXPLOIT MALWARE DNS EGG DOWNLOAD EGG DOWNLOAD (INTERNAL) C and C TRAFFIC C and C TRAFFIC (INTERNAL) C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND ATTACK OUTBOUND ATTACK (INTERNAL) ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 198.133.224.147 (10:39:03.298 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 42 IPs (25 /24s) (# pkts S/M/O/I=0/41/1/0): 22:41, [] MAC_Src: 1C:DF:0F:66:3D:B0 0->0 (10:39:03.298 PDT) tcpslice 1382981943.298 1382981943.299 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' ============================== SEPARATOR ================================ Score: 1.3 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 10/28/2013 10:50:22.408 PDT Gen. Time: 10/28/2013 10:52:42.749 PDT INBOUND SCAN EXPLOIT EXPLOIT (INTERNAL) EXPLOIT MALWARE DNS EGG DOWNLOAD EGG DOWNLOAD (INTERNAL) C and C TRAFFIC C and C TRAFFIC (INTERNAL) C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND ATTACK 128.111.52.58 (10:51:15.733 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 48738->22 (10:51:15.733 PDT) 128.208.4.197 (2) (10:51:54.465 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 1C:DF:0F:66:3D:B0 54265->22 (10:51:54.465 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 54265->22 (10:51:54.465 PDT) 128.10.19.53 (10:51:30.483 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 44801->22 (10:51:30.483 PDT) 131.179.150.72 (10:50:22.408 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 56446->22 (10:50:22.408 PDT) 72.36.112.79 (10:50:48.851 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 51466->22 (10:50:48.851 PDT) 131.179.150.70 (2) (10:51:33.459 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 1C:DF:0F:66:3D:B0 43025->22 (10:51:33.459 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 43025->22 (10:51:33.459 PDT) 13.7.64.22 (10:51:50.726 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 51814->22 (10:51:50.726 PDT) 128.42.142.45 (10:50:37.292 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 42818->22 (10:50:37.292 PDT) 204.8.155.227 (10:51:05.558 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 55487->22 (10:51:05.558 PDT) 192.91.235.230 (10:51:23.594 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 52058->22 (10:51:23.594 PDT) 129.82.12.188 (10:51:39.238 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 48348->22 (10:51:39.238 PDT) 141.212.113.180 (2) (10:51:12.789 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 1C:DF:0F:66:3D:B0 49710->22 (10:51:12.789 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 49710->22 (10:51:12.789 PDT) 141.212.113.179 (10:51:46.185 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 39662->22 (10:51:46.185 PDT) 130.127.39.152 (10:50:57.567 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 48302->22 (10:50:57.567 PDT) OUTBOUND ATTACK (INTERNAL) ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 131.179.150.72 (10:52:42.749 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 21 IPs (15 /24s) (# pkts S/M/O/I=0/21/0/0): 22:21, [] MAC_Src: 1C:DF:0F:66:3D:B0 0->0 (10:52:42.749 PDT) tcpslice 1382982622.408 1382982622.409 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' ============================== SEPARATOR ================================ Score: 1.3 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 10/28/2013 10:50:22.408 PDT Gen. Time: 10/28/2013 10:58:14.489 PDT INBOUND SCAN EXPLOIT EXPLOIT (INTERNAL) EXPLOIT MALWARE DNS EGG DOWNLOAD EGG DOWNLOAD (INTERNAL) C and C TRAFFIC C and C TRAFFIC (INTERNAL) C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND ATTACK 128.111.52.58 (10:51:15.733 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 48738->22 (10:51:15.733 PDT) 128.208.4.197 (2) (10:51:54.465 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 1C:DF:0F:66:3D:B0 54265->22 (10:51:54.465 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 54265->22 (10:51:54.465 PDT) 128.10.19.53 (10:51:30.483 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 44801->22 (10:51:30.483 PDT) 131.179.150.72 (10:50:22.408 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 56446->22 (10:50:22.408 PDT) 72.36.112.79 (10:50:48.851 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 51466->22 (10:50:48.851 PDT) 131.179.150.70 (2) (10:51:33.459 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 1C:DF:0F:66:3D:B0 43025->22 (10:51:33.459 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 43025->22 (10:51:33.459 PDT) 13.7.64.22 (10:51:50.726 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 51814->22 (10:51:50.726 PDT) 128.42.142.45 (10:50:37.292 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 42818->22 (10:50:37.292 PDT) 204.8.155.227 (10:51:05.558 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 55487->22 (10:51:05.558 PDT) 192.91.235.230 (10:51:23.594 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 52058->22 (10:51:23.594 PDT) 129.82.12.188 (10:51:39.238 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 48348->22 (10:51:39.238 PDT) 141.212.113.180 (2) (10:51:12.789 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 1C:DF:0F:66:3D:B0 49710->22 (10:51:12.789 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 49710->22 (10:51:12.789 PDT) 141.212.113.179 (10:51:46.185 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 39662->22 (10:51:46.185 PDT) 130.127.39.152 (10:50:57.567 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 48302->22 (10:50:57.567 PDT) OUTBOUND ATTACK (INTERNAL) ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 131.179.150.72 (2) (10:52:42.749 PDT) event=777:7777008 (2) {tcp} E8[bh] Detected intense malware port scanning of 21 IPs (15 /24s) (# pkts S/M/O/I=0/21/0/0): 22:21, [] MAC_Src: 1C:DF:0F:66:3D:B0 0->0 (10:52:42.749 PDT) 0->0 (10:54:12.427 PDT) tcpslice 1382982622.408 1382982622.409 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 10/28/2013 11:01:21.199 PDT Gen. Time: 10/28/2013 11:01:21.199 PDT INBOUND SCAN EXPLOIT EXPLOIT (INTERNAL) EXPLOIT MALWARE DNS EGG DOWNLOAD EGG DOWNLOAD (INTERNAL) C and C TRAFFIC C and C TRAFFIC (INTERNAL) C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND ATTACK OUTBOUND ATTACK (INTERNAL) ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 131.179.150.72 (11:01:21.199 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 41 IPs (24 /24s) (# pkts S/M/O/I=0/41/0/0): 22:41, [] MAC_Src: 1C:DF:0F:66:3D:B0 0->0 (11:01:21.199 PDT) tcpslice 1382983281.199 1382983281.200 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 10/28/2013 11:04:41.270 PDT Gen. Time: 10/28/2013 11:04:41.270 PDT INBOUND SCAN EXPLOIT EXPLOIT (INTERNAL) EXPLOIT MALWARE DNS EGG DOWNLOAD EGG DOWNLOAD (INTERNAL) C and C TRAFFIC C and C TRAFFIC (INTERNAL) C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND ATTACK OUTBOUND ATTACK (INTERNAL) ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 131.179.150.72 (11:04:41.270 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 41 IPs (24 /24s) (# pkts S/M/O/I=0/41/0/0): 22:41, [] MAC_Src: 1C:DF:0F:66:3D:B0 0->0 (11:04:41.270 PDT) tcpslice 1382983481.270 1382983481.271 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 10/28/2013 11:10:05.383 PDT Gen. Time: 10/28/2013 11:10:05.383 PDT INBOUND SCAN EXPLOIT EXPLOIT (INTERNAL) EXPLOIT MALWARE DNS EGG DOWNLOAD EGG DOWNLOAD (INTERNAL) C and C TRAFFIC C and C TRAFFIC (INTERNAL) C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND ATTACK OUTBOUND ATTACK (INTERNAL) ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 131.179.150.72 (11:10:05.383 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 41 IPs (24 /24s) (# pkts S/M/O/I=0/41/0/0): 22:41, [] MAC_Src: 1C:DF:0F:66:3D:B0 0->0 (11:10:05.383 PDT) tcpslice 1382983805.383 1382983805.384 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' ============================== SEPARATOR ================================ Score: 1.3 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 10/28/2013 11:10:05.383 PDT Gen. Time: 10/28/2013 11:19:23.504 PDT INBOUND SCAN EXPLOIT EXPLOIT (INTERNAL) EXPLOIT MALWARE DNS EGG DOWNLOAD EGG DOWNLOAD (INTERNAL) C and C TRAFFIC C and C TRAFFIC (INTERNAL) C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND ATTACK 128.111.52.58 (2) (11:11:37.074 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 1C:DF:0F:66:3D:B0 48951->22 (11:11:37.074 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 48953->22 (11:11:38.022 PDT) 128.208.4.197 (11:12:25.009 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 54479->22 (11:12:25.009 PDT) 128.10.19.53 (11:11:53.181 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 45016->22 (11:11:53.181 PDT) 131.179.150.72 (11:10:43.712 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 56661->22 (11:10:43.712 PDT) 72.36.112.79 (11:11:12.541 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 51681->22 (11:11:12.541 PDT) 131.179.150.70 (11:11:56.036 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 43240->22 (11:11:56.036 PDT) 13.7.64.22 (11:12:21.152 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 52028->22 (11:12:21.152 PDT) 128.42.142.45 (11:10:53.916 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 43033->22 (11:10:53.916 PDT) 204.8.155.227 (11:11:28.128 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 55702->22 (11:11:28.128 PDT) 192.91.235.230 (11:11:46.252 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 52273->22 (11:11:46.252 PDT) 129.82.12.188 (2) (11:12:02.418 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 1C:DF:0F:66:3D:B0 48561->22 (11:12:02.418 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 48563->22 (11:12:05.884 PDT) 141.212.113.180 (11:11:34.956 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 49925->22 (11:11:34.956 PDT) 141.212.113.179 (11:12:15.554 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 39876->22 (11:12:15.554 PDT) 128.111.52.59 (11:12:27.223 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 1C:DF:0F:66:3D:B0 54515->22 (11:12:27.223 PDT) 130.127.39.152 (11:11:20.262 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 48517->22 (11:11:20.262 PDT) OUTBOUND ATTACK (INTERNAL) ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 131.179.150.72 (4) (11:10:05.383 PDT-11:14:35.268 PDT) event=777:7777008 (4) {tcp} E8[bh] Detected intense malware port scanning of 41 IPs (24 /24s) (# pkts S/M/O/I=0/41/0/0): 22:41, [] MAC_Src: 1C:DF:0F:66:3D:B0 4: 0->0 (11:10:05.383 PDT-11:14:35.268 PDT) tcpslice 1382983805.383 1382984075.269 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 10/28/2013 11:15:49.083 PDT Gen. Time: 10/28/2013 11:15:49.083 PDT INBOUND SCAN EXPLOIT EXPLOIT (INTERNAL) EXPLOIT MALWARE DNS EGG DOWNLOAD EGG DOWNLOAD (INTERNAL) C and C TRAFFIC C and C TRAFFIC (INTERNAL) C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND ATTACK OUTBOUND ATTACK (INTERNAL) ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 131.179.150.72 (11:15:49.083 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 41 IPs (24 /24s) (# pkts S/M/O/I=0/41/0/0): 22:41, [] MAC_Src: 1C:DF:0F:66:3D:B0 0->0 (11:15:49.083 PDT) tcpslice 1382984149.083 1382984149.084 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' ============================== SEPARATOR ================================ Score: 1.3 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 10/28/2013 11:31:17.397 PDT Gen. Time: 10/28/2013 11:33:57.775 PDT INBOUND SCAN EXPLOIT EXPLOIT (INTERNAL) EXPLOIT MALWARE DNS EGG DOWNLOAD EGG DOWNLOAD (INTERNAL) C and C TRAFFIC C and C TRAFFIC (INTERNAL) C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND ATTACK 128.111.52.58 (2) (11:32:23.778 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 1C:DF:0F:66:3D:B0 49167->22 (11:32:23.778 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 49168->22 (11:32:24.242 PDT) 128.208.4.197 (11:33:10.937 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 54695->22 (11:33:10.937 PDT) 128.10.19.53 (11:32:39.871 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 45231->22 (11:32:39.871 PDT) 131.179.150.72 (11:31:17.397 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 56876->22 (11:31:17.397 PDT) 72.36.112.79 (11:31:49.320 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 51896->22 (11:31:49.320 PDT) 131.179.150.70 (11:32:44.013 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 43455->22 (11:32:44.013 PDT) 13.7.64.22 (11:33:06.296 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 52244->22 (11:33:06.296 PDT) 128.42.142.45 (11:31:32.380 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 43248->22 (11:31:32.380 PDT) 204.8.155.227 (11:32:13.524 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 55917->22 (11:32:13.524 PDT) 192.91.235.230 (11:32:32.269 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 52488->22 (11:32:32.269 PDT) 129.82.12.188 (2) (11:32:51.222 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 1C:DF:0F:66:3D:B0 48777->22 (11:32:51.222 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 48778->22 (11:32:53.234 PDT) 141.212.113.180 (11:32:21.065 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 50140->22 (11:32:21.065 PDT) 141.212.113.179 (11:33:01.543 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 40092->22 (11:33:01.543 PDT) 128.111.52.59 (11:33:13.872 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 1C:DF:0F:66:3D:B0 54732->22 (11:33:13.872 PDT) 130.127.39.152 (11:32:04.891 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 48732->22 (11:32:04.891 PDT) OUTBOUND ATTACK (INTERNAL) ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 72.36.112.79 (11:33:57.775 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 21 IPs (15 /24s) (# pkts S/M/O/I=0/21/0/0): 22:21, [] MAC_Src: 1C:DF:0F:66:3D:B0 0->0 (11:33:57.775 PDT) tcpslice 1382985077.397 1382985077.398 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' ============================== SEPARATOR ================================ Score: 1.3 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 10/28/2013 11:31:17.397 PDT Gen. Time: 10/28/2013 11:39:09.220 PDT INBOUND SCAN EXPLOIT EXPLOIT (INTERNAL) EXPLOIT MALWARE DNS EGG DOWNLOAD EGG DOWNLOAD (INTERNAL) C and C TRAFFIC C and C TRAFFIC (INTERNAL) C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND ATTACK 128.111.52.58 (2) (11:32:23.778 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 1C:DF:0F:66:3D:B0 49167->22 (11:32:23.778 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 49168->22 (11:32:24.242 PDT) 128.208.4.197 (11:33:10.937 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 54695->22 (11:33:10.937 PDT) 128.10.19.53 (11:32:39.871 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 45231->22 (11:32:39.871 PDT) 131.179.150.72 (11:31:17.397 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 56876->22 (11:31:17.397 PDT) 72.36.112.79 (11:31:49.320 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 51896->22 (11:31:49.320 PDT) 131.179.150.70 (11:32:44.013 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 43455->22 (11:32:44.013 PDT) 13.7.64.22 (11:33:06.296 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 52244->22 (11:33:06.296 PDT) 128.42.142.45 (11:31:32.380 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 43248->22 (11:31:32.380 PDT) 204.8.155.227 (11:32:13.524 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 55917->22 (11:32:13.524 PDT) 192.91.235.230 (11:32:32.269 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 52488->22 (11:32:32.269 PDT) 129.82.12.188 (2) (11:32:51.222 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 1C:DF:0F:66:3D:B0 48777->22 (11:32:51.222 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 48778->22 (11:32:53.234 PDT) 141.212.113.180 (11:32:21.065 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 50140->22 (11:32:21.065 PDT) 141.212.113.179 (11:33:01.543 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 40092->22 (11:33:01.543 PDT) 128.111.52.59 (11:33:13.872 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 1C:DF:0F:66:3D:B0 54732->22 (11:33:13.872 PDT) 130.127.39.152 (11:32:04.891 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 48732->22 (11:32:04.891 PDT) OUTBOUND ATTACK (INTERNAL) ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 72.36.112.79 (3) (11:33:57.775 PDT) event=777:7777008 (3) {tcp} E8[bh] Detected intense malware port scanning of 21 IPs (15 /24s) (# pkts S/M/O/I=0/21/0/0): 22:21, [] MAC_Src: 1C:DF:0F:66:3D:B0 0->0 (11:33:57.775 PDT) 0->0 (11:35:27.406 PDT) 0->0 (11:38:09.150 PDT) tcpslice 1382985077.397 1382985077.398 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' ============================== SEPARATOR ================================ Score: 1.3 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 10/28/2013 11:52:00.666 PDT Gen. Time: 10/28/2013 11:54:39.655 PDT INBOUND SCAN EXPLOIT EXPLOIT (INTERNAL) EXPLOIT MALWARE DNS EGG DOWNLOAD EGG DOWNLOAD (INTERNAL) C and C TRAFFIC C and C TRAFFIC (INTERNAL) C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND ATTACK 128.111.52.58 (2) (11:52:56.316 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 1C:DF:0F:66:3D:B0 49380->22 (11:52:56.316 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 49383->22 (11:52:57.786 PDT) 128.208.4.197 (11:53:53.346 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 54910->22 (11:53:53.346 PDT) 128.10.19.53 (11:53:20.773 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 45446->22 (11:53:20.773 PDT) 131.179.150.72 (11:52:00.666 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 57091->22 (11:52:00.666 PDT) 72.36.112.79 (11:52:31.352 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 52111->22 (11:52:31.352 PDT) 131.179.150.70 (11:53:23.908 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 43670->22 (11:53:23.908 PDT) 13.7.64.22 (11:53:49.389 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 52459->22 (11:53:49.389 PDT) 128.42.142.45 (11:52:15.478 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 43463->22 (11:52:15.478 PDT) 204.8.155.227 (11:52:47.600 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 56132->22 (11:52:47.600 PDT) 192.91.235.230 (11:53:05.481 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 52703->22 (11:53:05.481 PDT) 129.82.12.188 (2) (11:53:31.864 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 1C:DF:0F:66:3D:B0 48990->22 (11:53:31.864 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 48993->22 (11:53:36.932 PDT) 141.212.113.180 (11:52:54.601 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 50355->22 (11:52:54.601 PDT) 141.212.113.179 (11:53:44.834 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 40307->22 (11:53:44.834 PDT) 128.111.52.59 (11:53:54.767 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 1C:DF:0F:66:3D:B0 54945->22 (11:53:54.767 PDT) 130.127.39.152 (11:52:39.560 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 48947->22 (11:52:39.560 PDT) OUTBOUND ATTACK (INTERNAL) ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 131.179.150.70 (11:54:39.655 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 21 IPs (15 /24s) (# pkts S/M/O/I=0/21/0/0): 22:21, [] MAC_Src: 1C:DF:0F:66:3D:B0 0->0 (11:54:39.655 PDT) tcpslice 1382986320.666 1382986320.667 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' ============================== SEPARATOR ================================ Score: 1.3 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 10/28/2013 11:52:00.666 PDT Gen. Time: 10/28/2013 12:00:32.945 PDT INBOUND SCAN EXPLOIT EXPLOIT (INTERNAL) EXPLOIT MALWARE DNS EGG DOWNLOAD EGG DOWNLOAD (INTERNAL) C and C TRAFFIC C and C TRAFFIC (INTERNAL) C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND ATTACK 128.111.52.58 (2) (11:52:56.316 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 1C:DF:0F:66:3D:B0 49380->22 (11:52:56.316 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 49383->22 (11:52:57.786 PDT) 128.208.4.197 (11:53:53.346 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 54910->22 (11:53:53.346 PDT) 128.10.19.53 (11:53:20.773 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 45446->22 (11:53:20.773 PDT) 131.179.150.72 (11:52:00.666 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 57091->22 (11:52:00.666 PDT) 72.36.112.79 (11:52:31.352 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 52111->22 (11:52:31.352 PDT) 131.179.150.70 (11:53:23.908 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 43670->22 (11:53:23.908 PDT) 13.7.64.22 (11:53:49.389 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 52459->22 (11:53:49.389 PDT) 128.42.142.45 (11:52:15.478 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 43463->22 (11:52:15.478 PDT) 204.8.155.227 (11:52:47.600 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 56132->22 (11:52:47.600 PDT) 192.91.235.230 (11:53:05.481 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 52703->22 (11:53:05.481 PDT) 129.82.12.188 (2) (11:53:31.864 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 1C:DF:0F:66:3D:B0 48990->22 (11:53:31.864 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 48993->22 (11:53:36.932 PDT) 141.212.113.180 (11:52:54.601 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 50355->22 (11:52:54.601 PDT) 141.212.113.179 (11:53:44.834 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 40307->22 (11:53:44.834 PDT) 128.111.52.59 (11:53:54.767 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 1C:DF:0F:66:3D:B0 54945->22 (11:53:54.767 PDT) 130.127.39.152 (11:52:39.560 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 48947->22 (11:52:39.560 PDT) OUTBOUND ATTACK (INTERNAL) ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 131.179.150.70 (2) (11:54:39.655 PDT) event=777:7777008 (2) {tcp} E8[bh] Detected intense malware port scanning of 21 IPs (15 /24s) (# pkts S/M/O/I=0/21/0/0): 22:21, [] MAC_Src: 1C:DF:0F:66:3D:B0 0->0 (11:54:39.655 PDT) 0->0 (11:56:09.040 PDT) tcpslice 1382986320.666 1382986320.667 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 10/28/2013 11:57:14.933 PDT Gen. Time: 10/28/2013 11:57:14.933 PDT INBOUND SCAN EXPLOIT EXPLOIT (INTERNAL) EXPLOIT MALWARE DNS EGG DOWNLOAD EGG DOWNLOAD (INTERNAL) C and C TRAFFIC C and C TRAFFIC (INTERNAL) C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND ATTACK OUTBOUND ATTACK (INTERNAL) ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 131.179.150.70 (11:57:14.933 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 41 IPs (24 /24s) (# pkts S/M/O/I=0/41/0/0): 22:41, [] MAC_Src: 1C:DF:0F:66:3D:B0 0->0 (11:57:14.933 PDT) tcpslice 1382986634.933 1382986634.934 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' ============================== SEPARATOR ================================ Score: 1.3 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 10/28/2013 14:00:06.404 PDT Gen. Time: 10/28/2013 14:00:32.218 PDT INBOUND SCAN EXPLOIT EXPLOIT (INTERNAL) EXPLOIT MALWARE DNS EGG DOWNLOAD EGG DOWNLOAD (INTERNAL) C and C TRAFFIC C and C TRAFFIC (INTERNAL) C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND ATTACK 198.133.224.149 (2) (14:00:30.809 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 1C:DF:0F:66:3D:B0 46729->22 (14:00:30.809 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 46729->22 (14:00:30.809 PDT) 204.8.155.227 (14:00:21.454 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 56736->22 (14:00:21.454 PDT) 128.10.19.53 (14:00:06.404 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 45932->22 (14:00:06.404 PDT) 129.82.12.188 (14:00:13.011 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 49513->22 (14:00:13.011 PDT) OUTBOUND ATTACK (INTERNAL) ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 128.84.154.44 (14:00:32.218 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 21 IPs (14 /24s) (# pkts S/M/O/I=0/21/0/0): 22:21, [] MAC_Src: 1C:DF:0F:66:3D:B0 0->0 (14:00:32.218 PDT) tcpslice 1382994006.404 1382994006.405 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' ============================== SEPARATOR ================================ Score: 1.3 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 10/28/2013 14:00:06.404 PDT Gen. Time: 10/28/2013 14:09:44.154 PDT INBOUND SCAN EXPLOIT EXPLOIT (INTERNAL) EXPLOIT MALWARE DNS EGG DOWNLOAD EGG DOWNLOAD (INTERNAL) C and C TRAFFIC C and C TRAFFIC (INTERNAL) C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND ATTACK 128.10.19.53 (2) (14:00:06.404 PDT) event=1:2003068 (2) {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 45932->22 (14:00:06.404 PDT) 46544->22 (14:01:40.147 PDT) 155.246.12.164 (14:02:01.449 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 56813->22 (14:02:01.449 PDT) 165.91.55.9 (2) (14:01:50.236 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 1C:DF:0F:66:3D:B0 41335->22 (14:01:50.236 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 41335->22 (14:01:50.236 PDT) 128.42.142.45 (14:01:03.822 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 44364->22 (14:01:03.822 PDT) 131.193.34.38 (14:00:52.397 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 33977->22 (14:00:52.397 PDT) 158.130.6.253 (14:01:31.670 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 38311->22 (14:01:31.670 PDT) 198.133.224.149 (2) (14:00:30.809 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 1C:DF:0F:66:3D:B0 46729->22 (14:00:30.809 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 46729->22 (14:00:30.809 PDT) 204.8.155.227 (14:00:21.454 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 56736->22 (14:00:21.454 PDT) 129.82.12.188 (2) (14:00:13.011 PDT) event=1:2003068 (2) {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 49513->22 (14:00:13.011 PDT) 50257->22 (14:02:08.098 PDT) 13.7.64.20 (2) (14:01:15.549 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 1C:DF:0F:66:3D:B0 54835->22 (14:01:15.549 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 54835->22 (14:01:15.549 PDT) 130.127.39.153 (14:01:08.929 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 56871->22 (14:01:08.929 PDT) 128.208.4.198 (14:01:21.672 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 33286->22 (14:01:21.672 PDT) OUTBOUND ATTACK (INTERNAL) ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 72.36.112.79 (3) (14:02:02.900 PDT-14:05:02.721 PDT) event=777:7777008 (3) {tcp} E8[bh] Detected intense malware port scanning of 41 IPs (24 /24s) (# pkts S/M/O/I=0/41/0/0): 22:41, [] MAC_Src: 1C:DF:0F:66:3D:B0 3: 0->0 (14:02:02.900 PDT-14:05:02.721 PDT) 128.84.154.44 (14:00:32.218 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 21 IPs (14 /24s) (# pkts S/M/O/I=0/21/0/0): 22:21, [] MAC_Src: 1C:DF:0F:66:3D:B0 0->0 (14:00:32.218 PDT) tcpslice 1382994006.404 1382994302.722 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' ============================== SEPARATOR ================================ Score: 1.3 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 10/28/2013 15:03:10.929 PDT Gen. Time: 10/28/2013 15:08:49.232 PDT INBOUND SCAN EXPLOIT EXPLOIT (INTERNAL) EXPLOIT MALWARE DNS EGG DOWNLOAD EGG DOWNLOAD (INTERNAL) C and C TRAFFIC C and C TRAFFIC (INTERNAL) C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND ATTACK 128.111.52.58 (2) (15:07:16.291 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 1C:DF:0F:66:3D:B0 34650->22 (15:07:16.291 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 34654->22 (15:07:18.255 PDT) 128.208.4.197 (15:08:03.470 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 40181->22 (15:08:03.470 PDT) 128.10.19.53 (15:07:32.615 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 58950->22 (15:07:32.615 PDT) 131.179.150.72 (15:06:19.248 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 42362->22 (15:06:19.248 PDT) 72.36.112.79 (15:06:52.771 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 37382->22 (15:06:52.771 PDT) 131.179.150.70 (15:07:36.224 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 57174->22 (15:07:36.224 PDT) 13.7.64.22 (15:07:59.461 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 37730->22 (15:07:59.461 PDT) 128.42.142.45 (2) (15:03:10.929 PDT) event=1:2003068 (2) {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 56957->22 (15:03:10.929 PDT) 56967->22 (15:06:34.454 PDT) 204.8.155.227 (15:07:08.964 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 41403->22 (15:07:08.964 PDT) 192.91.235.230 (15:07:25.732 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 37974->22 (15:07:25.732 PDT) 129.82.12.188 (2) (15:07:36.904 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 1C:DF:0F:66:3D:B0 34260->22 (15:07:36.904 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 34264->22 (15:07:44.711 PDT) 141.212.113.180 (15:07:15.176 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 35626->22 (15:07:15.176 PDT) 141.212.113.179 (15:07:54.919 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 53811->22 (15:07:54.919 PDT) 130.127.39.152 (15:07:01.347 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 34218->22 (15:07:01.347 PDT) OUTBOUND ATTACK (INTERNAL) ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 13.7.64.22 (15:08:49.232 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 21 IPs (15 /24s) (# pkts S/M/O/I=0/21/0/0): 22:21, [] MAC_Src: 1C:DF:0F:66:3D:B0 0->0 (15:08:49.232 PDT) tcpslice 1382997790.929 1382997790.930 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' ============================== SEPARATOR ================================ Score: 1.3 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 10/28/2013 15:03:10.929 PDT Gen. Time: 10/28/2013 15:14:54.457 PDT INBOUND SCAN EXPLOIT EXPLOIT (INTERNAL) EXPLOIT MALWARE DNS EGG DOWNLOAD EGG DOWNLOAD (INTERNAL) C and C TRAFFIC C and C TRAFFIC (INTERNAL) C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND ATTACK 128.111.52.58 (2) (15:07:16.291 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 1C:DF:0F:66:3D:B0 34650->22 (15:07:16.291 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 34654->22 (15:07:18.255 PDT) 128.208.4.197 (15:08:03.470 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 40181->22 (15:08:03.470 PDT) 128.10.19.53 (15:07:32.615 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 58950->22 (15:07:32.615 PDT) 131.179.150.72 (15:06:19.248 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 42362->22 (15:06:19.248 PDT) 72.36.112.79 (15:06:52.771 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 37382->22 (15:06:52.771 PDT) 131.179.150.70 (15:07:36.224 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 57174->22 (15:07:36.224 PDT) 13.7.64.22 (15:07:59.461 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 37730->22 (15:07:59.461 PDT) 128.42.142.45 (2) (15:03:10.929 PDT) event=1:2003068 (2) {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 56957->22 (15:03:10.929 PDT) 56967->22 (15:06:34.454 PDT) 204.8.155.227 (15:07:08.964 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 41403->22 (15:07:08.964 PDT) 192.91.235.230 (15:07:25.732 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 37974->22 (15:07:25.732 PDT) 129.82.12.188 (2) (15:07:36.904 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 1C:DF:0F:66:3D:B0 34260->22 (15:07:36.904 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 34264->22 (15:07:44.711 PDT) 141.212.113.180 (15:07:15.176 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 35626->22 (15:07:15.176 PDT) 141.212.113.179 (15:07:54.919 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 53811->22 (15:07:54.919 PDT) 130.127.39.152 (15:07:01.347 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 34218->22 (15:07:01.347 PDT) OUTBOUND ATTACK (INTERNAL) ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 13.7.64.22 (2) (15:08:49.232 PDT) event=777:7777008 (2) {tcp} E8[bh] Detected intense malware port scanning of 21 IPs (15 /24s) (# pkts S/M/O/I=0/21/0/0): 22:21, [] MAC_Src: 1C:DF:0F:66:3D:B0 0->0 (15:08:49.232 PDT) 0->0 (15:10:19.364 PDT) tcpslice 1382997790.929 1382997790.930 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 10/28/2013 15:11:17.311 PDT Gen. Time: 10/28/2013 15:11:17.311 PDT INBOUND SCAN EXPLOIT EXPLOIT (INTERNAL) EXPLOIT MALWARE DNS EGG DOWNLOAD EGG DOWNLOAD (INTERNAL) C and C TRAFFIC C and C TRAFFIC (INTERNAL) C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND ATTACK OUTBOUND ATTACK (INTERNAL) ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 13.7.64.22 (15:11:17.311 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 41 IPs (24 /24s) (# pkts S/M/O/I=0/41/0/0): 22:41, [] MAC_Src: 1C:DF:0F:66:3D:B0 0->0 (15:11:17.311 PDT) tcpslice 1382998277.311 1382998277.312 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' ============================== SEPARATOR ================================ Score: 1.3 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 10/28/2013 15:27:00.245 PDT Gen. Time: 10/28/2013 15:29:30.713 PDT INBOUND SCAN EXPLOIT EXPLOIT (INTERNAL) EXPLOIT MALWARE DNS EGG DOWNLOAD EGG DOWNLOAD (INTERNAL) C and C TRAFFIC C and C TRAFFIC (INTERNAL) C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND ATTACK 128.111.52.58 (15:28:01.558 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 35291->22 (15:28:01.558 PDT) 128.208.4.197 (2) (15:28:46.081 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 1C:DF:0F:66:3D:B0 40818->22 (15:28:46.081 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 40818->22 (15:28:46.081 PDT) 128.10.19.53 (15:28:19.858 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 59587->22 (15:28:19.858 PDT) 131.179.150.72 (15:27:00.245 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 42999->22 (15:27:00.245 PDT) 72.36.112.79 (15:27:32.762 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 38019->22 (15:27:32.762 PDT) 131.179.150.70 (2) (15:28:24.420 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 1C:DF:0F:66:3D:B0 57811->22 (15:28:24.420 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 57811->22 (15:28:24.420 PDT) 13.7.64.22 (15:28:42.385 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 38367->22 (15:28:42.385 PDT) 128.42.142.45 (15:27:15.201 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 57604->22 (15:27:15.201 PDT) 204.8.155.227 (15:27:47.572 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 42040->22 (15:27:47.572 PDT) 192.91.235.230 (15:28:09.063 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 38611->22 (15:28:09.063 PDT) 129.82.12.188 (15:28:31.092 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 34901->22 (15:28:31.092 PDT) 141.212.113.180 (2) (15:27:57.534 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 1C:DF:0F:66:3D:B0 36263->22 (15:27:57.534 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 36263->22 (15:27:57.534 PDT) 141.212.113.179 (15:28:37.874 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 54448->22 (15:28:37.874 PDT) 130.127.39.152 (15:27:40.157 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 34855->22 (15:27:40.157 PDT) OUTBOUND ATTACK (INTERNAL) ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 72.36.112.79 (15:29:30.713 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 21 IPs (15 /24s) (# pkts S/M/O/I=0/21/0/0): 22:21, [] MAC_Src: 1C:DF:0F:66:3D:B0 0->0 (15:29:30.713 PDT) tcpslice 1382999220.245 1382999220.246 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' ============================== SEPARATOR ================================ Score: 1.3 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 10/28/2013 15:27:00.245 PDT Gen. Time: 10/28/2013 15:36:13.394 PDT INBOUND SCAN EXPLOIT EXPLOIT (INTERNAL) EXPLOIT MALWARE DNS EGG DOWNLOAD EGG DOWNLOAD (INTERNAL) C and C TRAFFIC C and C TRAFFIC (INTERNAL) C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND ATTACK 128.111.52.58 (15:28:01.558 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 35291->22 (15:28:01.558 PDT) 128.208.4.197 (2) (15:28:46.081 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 1C:DF:0F:66:3D:B0 40818->22 (15:28:46.081 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 40818->22 (15:28:46.081 PDT) 128.10.19.53 (15:28:19.858 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 59587->22 (15:28:19.858 PDT) 131.179.150.72 (15:27:00.245 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 42999->22 (15:27:00.245 PDT) 72.36.112.79 (15:27:32.762 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 38019->22 (15:27:32.762 PDT) 131.179.150.70 (2) (15:28:24.420 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 1C:DF:0F:66:3D:B0 57811->22 (15:28:24.420 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 57811->22 (15:28:24.420 PDT) 13.7.64.22 (15:28:42.385 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 38367->22 (15:28:42.385 PDT) 128.42.142.45 (15:27:15.201 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 57604->22 (15:27:15.201 PDT) 204.8.155.227 (15:27:47.572 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 42040->22 (15:27:47.572 PDT) 192.91.235.230 (15:28:09.063 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 38611->22 (15:28:09.063 PDT) 129.82.12.188 (15:28:31.092 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 34901->22 (15:28:31.092 PDT) 141.212.113.180 (2) (15:27:57.534 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 1C:DF:0F:66:3D:B0 36263->22 (15:27:57.534 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 36263->22 (15:27:57.534 PDT) 141.212.113.179 (15:28:37.874 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 54448->22 (15:28:37.874 PDT) 130.127.39.152 (15:27:40.157 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 34855->22 (15:27:40.157 PDT) OUTBOUND ATTACK (INTERNAL) ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 158.130.6.253 (2) (15:31:00.178 PDT) event=777:7777008 (2) {tcp} E8[bh] Detected intense malware port scanning of 33 IPs (22 /24s) (# pkts S/M/O/I=0/33/0/0): 22:33, [] MAC_Src: 1C:DF:0F:66:3D:B0 0->0 (15:31:00.178 PDT) 0->0 (15:33:17.165 PDT) 72.36.112.79 (15:29:30.713 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 21 IPs (15 /24s) (# pkts S/M/O/I=0/21/0/0): 22:21, [] MAC_Src: 1C:DF:0F:66:3D:B0 0->0 (15:29:30.713 PDT) tcpslice 1382999220.245 1382999220.246 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' ============================== SEPARATOR ================================ Score: 1.3 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 10/28/2013 15:47:40.040 PDT Gen. Time: 10/28/2013 15:50:01.502 PDT INBOUND SCAN EXPLOIT EXPLOIT (INTERNAL) EXPLOIT MALWARE DNS EGG DOWNLOAD EGG DOWNLOAD (INTERNAL) C and C TRAFFIC C and C TRAFFIC (INTERNAL) C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND ATTACK 128.111.52.58 (15:48:32.342 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 35516->22 (15:48:32.342 PDT) 128.10.19.53 (2) (15:48:47.253 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 1C:DF:0F:66:3D:B0 59812->22 (15:48:47.253 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 59812->22 (15:48:47.253 PDT) 131.179.150.72 (15:47:40.040 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 43219->22 (15:47:40.040 PDT) 72.36.112.79 (15:48:07.789 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 38239->22 (15:48:07.789 PDT) 131.179.150.70 (15:48:51.704 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 58036->22 (15:48:51.704 PDT) 13.7.64.22 (2) (15:49:10.504 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 1C:DF:0F:66:3D:B0 38592->22 (15:49:10.504 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 38592->22 (15:49:10.504 PDT) 128.42.142.45 (4) (15:47:55.094 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 1C:DF:0F:66:3D:B0 57849->22 (15:48:25.335 PDT) ------------------------- event=1:2003068 (3) {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 57824->22 (15:47:55.094 PDT) 57844->22 (15:48:22.215 PDT) 57849->22 (15:48:25.335 PDT) 192.91.235.230 (15:48:40.240 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 38836->22 (15:48:40.240 PDT) 129.82.12.188 (15:48:58.454 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 35126->22 (15:48:58.454 PDT) 141.212.113.180 (15:48:29.308 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 36488->22 (15:48:29.308 PDT) 141.212.113.179 (15:49:05.894 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 54673->22 (15:49:05.894 PDT) 130.127.39.152 (15:48:15.557 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 35075->22 (15:48:15.557 PDT) OUTBOUND ATTACK (INTERNAL) ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 128.208.4.197 (15:50:01.502 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 21 IPs (15 /24s) (# pkts S/M/O/I=0/21/0/0): 22:21, [] MAC_Src: 1C:DF:0F:66:3D:B0 0->0 (15:50:01.502 PDT) tcpslice 1383000460.040 1383000460.041 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' ============================== SEPARATOR ================================ Score: 1.3 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 10/28/2013 15:47:40.040 PDT Gen. Time: 10/28/2013 15:56:31.181 PDT INBOUND SCAN EXPLOIT EXPLOIT (INTERNAL) EXPLOIT MALWARE DNS EGG DOWNLOAD EGG DOWNLOAD (INTERNAL) C and C TRAFFIC C and C TRAFFIC (INTERNAL) C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND ATTACK 128.111.52.58 (15:48:32.342 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 35516->22 (15:48:32.342 PDT) 128.10.19.53 (2) (15:48:47.253 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 1C:DF:0F:66:3D:B0 59812->22 (15:48:47.253 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 59812->22 (15:48:47.253 PDT) 131.179.150.72 (15:47:40.040 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 43219->22 (15:47:40.040 PDT) 72.36.112.79 (15:48:07.789 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 38239->22 (15:48:07.789 PDT) 131.179.150.70 (15:48:51.704 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 58036->22 (15:48:51.704 PDT) 13.7.64.22 (2) (15:49:10.504 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 1C:DF:0F:66:3D:B0 38592->22 (15:49:10.504 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 38592->22 (15:49:10.504 PDT) 128.42.142.45 (4) (15:47:55.094 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 1C:DF:0F:66:3D:B0 57849->22 (15:48:25.335 PDT) ------------------------- event=1:2003068 (3) {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 57824->22 (15:47:55.094 PDT) 57844->22 (15:48:22.215 PDT) 57849->22 (15:48:25.335 PDT) 192.91.235.230 (15:48:40.240 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 38836->22 (15:48:40.240 PDT) 129.82.12.188 (15:48:58.454 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 35126->22 (15:48:58.454 PDT) 141.212.113.180 (15:48:29.308 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 36488->22 (15:48:29.308 PDT) 141.212.113.179 (15:49:05.894 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 54673->22 (15:49:05.894 PDT) 130.127.39.152 (15:48:15.557 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 35075->22 (15:48:15.557 PDT) OUTBOUND ATTACK (INTERNAL) ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 198.133.224.149 (15:51:31.858 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 34 IPs (22 /24s) (# pkts S/M/O/I=0/34/0/0): 22:34, [] MAC_Src: 1C:DF:0F:66:3D:B0 0->0 (15:51:31.858 PDT) 128.208.4.197 (15:50:01.502 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 21 IPs (15 /24s) (# pkts S/M/O/I=0/21/0/0): 22:21, [] MAC_Src: 1C:DF:0F:66:3D:B0 0->0 (15:50:01.502 PDT) tcpslice 1383000460.040 1383000460.041 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 10/28/2013 16:01:18.430 PDT Gen. Time: 10/28/2013 16:01:18.430 PDT INBOUND SCAN EXPLOIT EXPLOIT (INTERNAL) EXPLOIT MALWARE DNS EGG DOWNLOAD EGG DOWNLOAD (INTERNAL) C and C TRAFFIC C and C TRAFFIC (INTERNAL) C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND ATTACK OUTBOUND ATTACK (INTERNAL) ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 198.133.224.149 (16:01:18.430 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 41 IPs (24 /24s) (# pkts S/M/O/I=0/41/0/0): 22:41, [] MAC_Src: 1C:DF:0F:66:3D:B0 0->0 (16:01:18.430 PDT) tcpslice 1383001278.430 1383001278.431 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' ============================== SEPARATOR ================================ Score: 1.3 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 10/28/2013 16:01:18.430 PDT Gen. Time: 10/28/2013 16:06:28.452 PDT INBOUND SCAN EXPLOIT EXPLOIT (INTERNAL) EXPLOIT MALWARE DNS EGG DOWNLOAD EGG DOWNLOAD (INTERNAL) C and C TRAFFIC C and C TRAFFIC (INTERNAL) C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND ATTACK 128.42.142.45 (16:03:31.438 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 58039->22 (16:03:31.438 PDT) OUTBOUND ATTACK (INTERNAL) ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 198.133.224.149 (4) (16:01:18.430 PDT-16:06:28.452 PDT) event=777:7777008 (4) {tcp} E8[bh] Detected intense malware port scanning of 41 IPs (24 /24s) (# pkts S/M/O/I=0/41/0/0): 22:41, [] MAC_Src: 1C:DF:0F:66:3D:B0 4: 0->0 (16:01:18.430 PDT-16:06:28.452 PDT) tcpslice 1383001278.430 1383001588.453 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 10/28/2013 16:08:01.997 PDT Gen. Time: 10/28/2013 16:08:01.997 PDT INBOUND SCAN EXPLOIT EXPLOIT (INTERNAL) EXPLOIT MALWARE DNS EGG DOWNLOAD EGG DOWNLOAD (INTERNAL) C and C TRAFFIC C and C TRAFFIC (INTERNAL) C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND ATTACK OUTBOUND ATTACK (INTERNAL) ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 198.133.224.149 (16:08:01.997 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 41 IPs (24 /24s) (# pkts S/M/O/I=0/41/0/0): 22:41, [] MAC_Src: 1C:DF:0F:66:3D:B0 0->0 (16:08:01.997 PDT) tcpslice 1383001681.997 1383001681.998 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' ============================== SEPARATOR ================================ Score: 1.3 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 10/28/2013 16:08:01.997 PDT Gen. Time: 10/28/2013 16:16:09.619 PDT INBOUND SCAN EXPLOIT EXPLOIT (INTERNAL) EXPLOIT MALWARE DNS EGG DOWNLOAD EGG DOWNLOAD (INTERNAL) C and C TRAFFIC C and C TRAFFIC (INTERNAL) C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND ATTACK 128.111.52.58 (16:08:59.799 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 35736->22 (16:08:59.799 PDT) 128.208.4.197 (2) (16:09:46.753 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 1C:DF:0F:66:3D:B0 41263->22 (16:09:46.753 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 41263->22 (16:09:46.753 PDT) 128.10.19.53 (16:09:14.849 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 60032->22 (16:09:14.849 PDT) 131.179.150.72 (16:08:01.998 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 43444->22 (16:08:01.998 PDT) 72.36.112.79 (16:08:34.876 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 38464->22 (16:08:34.876 PDT) 131.179.150.70 (2) (16:09:18.047 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 1C:DF:0F:66:3D:B0 58256->22 (16:09:18.047 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 58256->22 (16:09:18.047 PDT) 13.7.64.22 (16:09:37.392 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 38812->22 (16:09:37.392 PDT) 128.42.142.45 (16:08:17.231 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 58049->22 (16:08:17.231 PDT) 204.8.155.227 (16:08:50.505 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 42485->22 (16:08:50.505 PDT) 192.91.235.230 (16:09:07.819 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 39056->22 (16:09:07.819 PDT) 129.82.12.188 (16:09:24.622 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 35346->22 (16:09:24.622 PDT) 141.212.113.180 (2) (16:08:56.878 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 1C:DF:0F:66:3D:B0 36708->22 (16:08:56.878 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 36708->22 (16:08:56.878 PDT) 141.212.113.179 (16:09:32.511 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 54893->22 (16:09:32.511 PDT) 130.127.39.152 (16:08:43.018 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 35300->22 (16:08:43.018 PDT) OUTBOUND ATTACK (INTERNAL) ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 198.133.224.149 (5) (16:08:01.997 PDT-16:14:19.492 PDT) event=777:7777008 (5) {tcp} E8[bh] Detected intense malware port scanning of 41 IPs (24 /24s) (# pkts S/M/O/I=0/41/0/0): 22:41, [] MAC_Src: 1C:DF:0F:66:3D:B0 5: 0->0 (16:08:01.997 PDT-16:14:19.492 PDT) tcpslice 1383001681.997 1383002059.493 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 10/28/2013 16:16:30.564 PDT Gen. Time: 10/28/2013 16:16:30.564 PDT INBOUND SCAN EXPLOIT EXPLOIT (INTERNAL) EXPLOIT MALWARE DNS EGG DOWNLOAD EGG DOWNLOAD (INTERNAL) C and C TRAFFIC C and C TRAFFIC (INTERNAL) C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND ATTACK OUTBOUND ATTACK (INTERNAL) ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 198.133.224.149 (16:16:30.564 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 41 IPs (24 /24s) (# pkts S/M/O/I=0/41/0/0): 22:41, [] MAC_Src: 1C:DF:0F:66:3D:B0 0->0 (16:16:30.564 PDT) tcpslice 1383002190.564 1383002190.565 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' ============================== SEPARATOR ================================ Score: 1.3 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 10/28/2013 16:16:30.564 PDT Gen. Time: 10/28/2013 16:21:33.781 PDT INBOUND SCAN EXPLOIT EXPLOIT (INTERNAL) EXPLOIT MALWARE DNS EGG DOWNLOAD EGG DOWNLOAD (INTERNAL) C and C TRAFFIC C and C TRAFFIC (INTERNAL) C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND ATTACK 128.42.142.45 (16:18:36.613 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 58259->22 (16:18:36.613 PDT) OUTBOUND ATTACK (INTERNAL) ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 198.133.224.149 (2) (16:16:30.564 PDT-16:18:32.474 PDT) event=777:7777008 (2) {tcp} E8[bh] Detected intense malware port scanning of 41 IPs (24 /24s) (# pkts S/M/O/I=0/41/0/0): 22:41, [] MAC_Src: 1C:DF:0F:66:3D:B0 2: 0->0 (16:16:30.564 PDT-16:18:32.474 PDT) tcpslice 1383002190.564 1383002312.475 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' ============================== SEPARATOR ================================ Score: 1.3 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 10/28/2013 16:28:45.421 PDT Gen. Time: 10/28/2013 16:31:20.155 PDT INBOUND SCAN EXPLOIT EXPLOIT (INTERNAL) EXPLOIT MALWARE DNS EGG DOWNLOAD EGG DOWNLOAD (INTERNAL) C and C TRAFFIC C and C TRAFFIC (INTERNAL) C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND ATTACK 128.111.52.58 (2) (16:29:41.986 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 1C:DF:0F:66:3D:B0 35954->22 (16:29:41.986 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 35956->22 (16:29:42.941 PDT) 128.208.4.197 (16:30:24.735 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 41483->22 (16:30:24.735 PDT) 128.10.19.53 (16:29:58.016 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 60252->22 (16:29:58.016 PDT) 131.179.150.72 (16:28:45.421 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 43664->22 (16:28:45.421 PDT) 72.36.112.79 (16:29:14.213 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 38684->22 (16:29:14.213 PDT) 131.179.150.70 (16:30:01.239 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 58476->22 (16:30:01.239 PDT) 13.7.64.22 (16:30:19.937 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 39032->22 (16:30:19.937 PDT) 128.42.142.45 (16:29:01.127 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 58269->22 (16:29:01.127 PDT) 204.8.155.227 (16:29:33.672 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 42705->22 (16:29:33.672 PDT) 192.91.235.230 (16:29:50.641 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 39276->22 (16:29:50.641 PDT) 129.82.12.188 (2) (16:30:05.040 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 1C:DF:0F:66:3D:B0 35564->22 (16:30:05.040 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 35566->22 (16:30:08.115 PDT) 141.212.113.180 (16:29:39.963 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 36928->22 (16:29:39.963 PDT) 141.212.113.179 (16:30:15.201 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 55113->22 (16:30:15.201 PDT) 128.111.52.59 (16:30:26.606 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 1C:DF:0F:66:3D:B0 41519->22 (16:30:26.606 PDT) 130.127.39.152 (16:29:26.139 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 35520->22 (16:29:26.139 PDT) OUTBOUND ATTACK (INTERNAL) ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 165.91.55.8 (16:31:20.155 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 21 IPs (15 /24s) (# pkts S/M/O/I=0/21/0/0): 22:21, [] MAC_Src: 1C:DF:0F:66:3D:B0 0->0 (16:31:20.155 PDT) tcpslice 1383002925.421 1383002925.422 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' ============================== SEPARATOR ================================ Score: 1.3 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 10/28/2013 16:28:45.421 PDT Gen. Time: 10/28/2013 16:37:44.473 PDT INBOUND SCAN EXPLOIT EXPLOIT (INTERNAL) EXPLOIT MALWARE DNS EGG DOWNLOAD EGG DOWNLOAD (INTERNAL) C and C TRAFFIC C and C TRAFFIC (INTERNAL) C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND ATTACK 128.111.52.58 (2) (16:29:41.986 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 1C:DF:0F:66:3D:B0 35954->22 (16:29:41.986 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 35956->22 (16:29:42.941 PDT) 128.208.4.197 (16:30:24.735 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 41483->22 (16:30:24.735 PDT) 128.10.19.53 (16:29:58.016 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 60252->22 (16:29:58.016 PDT) 131.179.150.72 (16:28:45.421 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 43664->22 (16:28:45.421 PDT) 72.36.112.79 (16:29:14.213 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 38684->22 (16:29:14.213 PDT) 131.179.150.70 (16:30:01.239 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 58476->22 (16:30:01.239 PDT) 13.7.64.22 (16:30:19.937 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 39032->22 (16:30:19.937 PDT) 128.42.142.45 (16:29:01.127 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 58269->22 (16:29:01.127 PDT) 204.8.155.227 (16:29:33.672 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 42705->22 (16:29:33.672 PDT) 192.91.235.230 (16:29:50.641 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 39276->22 (16:29:50.641 PDT) 129.82.12.188 (2) (16:30:05.040 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 1C:DF:0F:66:3D:B0 35564->22 (16:30:05.040 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 35566->22 (16:30:08.115 PDT) 141.212.113.180 (16:29:39.963 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 36928->22 (16:29:39.963 PDT) 141.212.113.179 (16:30:15.201 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 55113->22 (16:30:15.201 PDT) 128.111.52.59 (16:30:26.606 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 1C:DF:0F:66:3D:B0 41519->22 (16:30:26.606 PDT) 130.127.39.152 (16:29:26.139 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 35520->22 (16:29:26.139 PDT) OUTBOUND ATTACK (INTERNAL) ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 198.133.224.147 (16:32:50.597 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 33 IPs (22 /24s) (# pkts S/M/O/I=0/33/0/0): 22:33, [] MAC_Src: 1C:DF:0F:66:3D:B0 0->0 (16:32:50.597 PDT) 165.91.55.8 (16:31:20.155 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 21 IPs (15 /24s) (# pkts S/M/O/I=0/21/0/0): 22:21, [] MAC_Src: 1C:DF:0F:66:3D:B0 0->0 (16:31:20.155 PDT) tcpslice 1383002925.421 1383002925.422 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 10/28/2013 16:33:51.026 PDT Gen. Time: 10/28/2013 16:33:51.026 PDT INBOUND SCAN EXPLOIT EXPLOIT (INTERNAL) EXPLOIT MALWARE DNS EGG DOWNLOAD EGG DOWNLOAD (INTERNAL) C and C TRAFFIC C and C TRAFFIC (INTERNAL) C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND ATTACK OUTBOUND ATTACK (INTERNAL) ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 198.133.224.147 (16:33:51.026 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 41 IPs (24 /24s) (# pkts S/M/O/I=0/41/0/0): 22:41, [] MAC_Src: 1C:DF:0F:66:3D:B0 0->0 (16:33:51.026 PDT) tcpslice 1383003231.026 1383003231.027 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' ============================== SEPARATOR ================================ Score: 1.3 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 10/28/2013 16:49:23.816 PDT Gen. Time: 10/28/2013 16:51:39.828 PDT INBOUND SCAN EXPLOIT EXPLOIT (INTERNAL) EXPLOIT MALWARE DNS EGG DOWNLOAD EGG DOWNLOAD (INTERNAL) C and C TRAFFIC C and C TRAFFIC (INTERNAL) C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND ATTACK 128.111.52.58 (2) (16:50:15.304 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 1C:DF:0F:66:3D:B0 36177->22 (16:50:15.304 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 36177->22 (16:50:15.304 PDT) 128.208.4.197 (16:50:55.400 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 41704->22 (16:50:55.400 PDT) 128.10.19.53 (16:50:30.009 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 60473->22 (16:50:30.009 PDT) 131.179.150.72 (16:49:23.816 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 43884->22 (16:49:23.816 PDT) 72.36.112.79 (16:49:45.947 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 38905->22 (16:49:45.947 PDT) 131.179.150.70 (16:50:33.563 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 58697->22 (16:50:33.563 PDT) 13.7.64.22 (16:50:51.487 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 39253->22 (16:50:51.487 PDT) 128.42.142.45 (16:49:33.938 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 58489->22 (16:49:33.938 PDT) 204.8.155.227 (16:50:05.835 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 42926->22 (16:50:05.835 PDT) 192.91.235.230 (16:50:22.825 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 39497->22 (16:50:22.825 PDT) 129.82.12.188 (2) (16:50:40.123 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 1C:DF:0F:66:3D:B0 35787->22 (16:50:40.123 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 35787->22 (16:50:40.123 PDT) 141.212.113.180 (16:50:12.295 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 37149->22 (16:50:12.295 PDT) 141.212.113.179 (16:50:47.063 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 55334->22 (16:50:47.063 PDT) 128.111.52.59 (16:50:58.055 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 41742->22 (16:50:58.055 PDT) 130.127.39.152 (16:49:58.305 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 35741->22 (16:49:58.305 PDT) OUTBOUND ATTACK (INTERNAL) ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 131.179.150.72 (16:51:39.828 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 21 IPs (16 /24s) (# pkts S/M/O/I=0/20/1/0): 22:20, [] MAC_Src: 1C:DF:0F:66:3D:B0 0->0 (16:51:39.828 PDT) tcpslice 1383004163.816 1383004163.817 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' ============================== SEPARATOR ================================ Score: 1.3 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 10/28/2013 16:49:23.816 PDT Gen. Time: 10/28/2013 16:58:05.259 PDT INBOUND SCAN EXPLOIT EXPLOIT (INTERNAL) EXPLOIT MALWARE DNS EGG DOWNLOAD EGG DOWNLOAD (INTERNAL) C and C TRAFFIC C and C TRAFFIC (INTERNAL) C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND ATTACK 128.111.52.58 (2) (16:50:15.304 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 1C:DF:0F:66:3D:B0 36177->22 (16:50:15.304 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 36177->22 (16:50:15.304 PDT) 128.208.4.197 (16:50:55.400 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 41704->22 (16:50:55.400 PDT) 128.10.19.53 (16:50:30.009 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 60473->22 (16:50:30.009 PDT) 131.179.150.72 (16:49:23.816 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 43884->22 (16:49:23.816 PDT) 72.36.112.79 (16:49:45.947 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 38905->22 (16:49:45.947 PDT) 131.179.150.70 (16:50:33.563 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 58697->22 (16:50:33.563 PDT) 13.7.64.22 (16:50:51.487 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 39253->22 (16:50:51.487 PDT) 128.42.142.45 (16:49:33.938 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 58489->22 (16:49:33.938 PDT) 204.8.155.227 (16:50:05.835 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 42926->22 (16:50:05.835 PDT) 192.91.235.230 (16:50:22.825 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 39497->22 (16:50:22.825 PDT) 129.82.12.188 (2) (16:50:40.123 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 1C:DF:0F:66:3D:B0 35787->22 (16:50:40.123 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 35787->22 (16:50:40.123 PDT) 141.212.113.180 (16:50:12.295 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 37149->22 (16:50:12.295 PDT) 141.212.113.179 (16:50:47.063 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 55334->22 (16:50:47.063 PDT) 128.111.52.59 (16:50:58.055 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 41742->22 (16:50:58.055 PDT) 130.127.39.152 (16:49:58.305 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 35741->22 (16:49:58.305 PDT) OUTBOUND ATTACK (INTERNAL) ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 131.179.150.72 (2) (16:51:39.828 PDT) event=777:7777008 (2) {tcp} E8[bh] Detected intense malware port scanning of 21 IPs (16 /24s) (# pkts S/M/O/I=0/20/1/0): 22:20, [] MAC_Src: 1C:DF:0F:66:3D:B0 0->0 (16:51:39.828 PDT) 0->0 (16:53:10.239 PDT) 139.78.141.243 (16:55:47.302 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 42 IPs (25 /24s) (# pkts S/M/O/I=0/41/1/0): 22:41, [] MAC_Src: 1C:DF:0F:66:3D:B0 0->0 (16:55:47.302 PDT) tcpslice 1383004163.816 1383004163.817 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 10/28/2013 16:58:17.830 PDT Gen. Time: 10/28/2013 16:58:17.830 PDT INBOUND SCAN EXPLOIT EXPLOIT (INTERNAL) EXPLOIT MALWARE DNS EGG DOWNLOAD EGG DOWNLOAD (INTERNAL) C and C TRAFFIC C and C TRAFFIC (INTERNAL) C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND ATTACK OUTBOUND ATTACK (INTERNAL) ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 139.78.141.243 (16:58:17.830 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 42 IPs (25 /24s) (# pkts S/M/O/I=0/41/1/0): 22:41, [] MAC_Src: 1C:DF:0F:66:3D:B0 0->0 (16:58:17.830 PDT) tcpslice 1383004697.830 1383004697.831 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 10/28/2013 17:02:33.245 PDT Gen. Time: 10/28/2013 17:02:33.245 PDT INBOUND SCAN EXPLOIT EXPLOIT (INTERNAL) EXPLOIT MALWARE DNS EGG DOWNLOAD EGG DOWNLOAD (INTERNAL) C and C TRAFFIC C and C TRAFFIC (INTERNAL) C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND ATTACK OUTBOUND ATTACK (INTERNAL) ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 139.78.141.243 (17:02:33.245 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 42 IPs (25 /24s) (# pkts S/M/O/I=0/41/1/0): 22:41, [] MAC_Src: 1C:DF:0F:66:3D:B0 0->0 (17:02:33.245 PDT) tcpslice 1383004953.245 1383004953.246 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 10/28/2013 17:09:22.701 PDT Gen. Time: 10/28/2013 17:09:22.701 PDT INBOUND SCAN EXPLOIT EXPLOIT (INTERNAL) EXPLOIT MALWARE DNS EGG DOWNLOAD EGG DOWNLOAD (INTERNAL) C and C TRAFFIC C and C TRAFFIC (INTERNAL) C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND ATTACK OUTBOUND ATTACK (INTERNAL) ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 139.78.141.243 (17:09:22.701 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 42 IPs (25 /24s) (# pkts S/M/O/I=0/41/1/0): 22:41, [] MAC_Src: 1C:DF:0F:66:3D:B0 0->0 (17:09:22.701 PDT) tcpslice 1383005362.701 1383005362.702 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' ============================== SEPARATOR ================================ Score: 1.3 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 10/28/2013 17:09:22.701 PDT Gen. Time: 10/28/2013 17:18:47.114 PDT INBOUND SCAN EXPLOIT EXPLOIT (INTERNAL) EXPLOIT MALWARE DNS EGG DOWNLOAD EGG DOWNLOAD (INTERNAL) C and C TRAFFIC C and C TRAFFIC (INTERNAL) C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND ATTACK 128.111.52.58 (17:10:57.228 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 36392->22 (17:10:57.228 PDT) 128.208.4.197 (2) (17:11:39.908 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 1C:DF:0F:66:3D:B0 41919->22 (17:11:39.908 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 41919->22 (17:11:39.908 PDT) 128.10.19.53 (17:11:12.511 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 60688->22 (17:11:12.511 PDT) 131.179.150.72 (17:10:06.315 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 44100->22 (17:10:06.315 PDT) 72.36.112.79 (17:10:31.495 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 39120->22 (17:10:31.495 PDT) 131.179.150.70 (2) (17:11:16.296 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 1C:DF:0F:66:3D:B0 58912->22 (17:11:16.296 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 58912->22 (17:11:16.296 PDT) 13.7.64.22 (17:11:36.091 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 39468->22 (17:11:36.091 PDT) 128.42.142.45 (17:10:16.933 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 58705->22 (17:10:16.933 PDT) 204.8.155.227 (17:10:47.798 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 43141->22 (17:10:47.798 PDT) 192.91.235.230 (17:11:05.260 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 39712->22 (17:11:05.260 PDT) 129.82.12.188 (17:11:24.220 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 36002->22 (17:11:24.220 PDT) 141.212.113.180 (2) (17:10:54.136 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 1C:DF:0F:66:3D:B0 37364->22 (17:10:54.136 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 37364->22 (17:10:54.136 PDT) 141.212.113.179 (17:11:31.695 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 55549->22 (17:11:31.695 PDT) 130.127.39.152 (17:10:39.944 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 35956->22 (17:10:39.944 PDT) OUTBOUND ATTACK (INTERNAL) ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 139.78.141.243 (4) (17:09:22.701 PDT-17:13:53.030 PDT) event=777:7777008 (4) {tcp} E8[bh] Detected intense malware port scanning of 42 IPs (25 /24s) (# pkts S/M/O/I=0/41/1/0): 22:41, [] MAC_Src: 1C:DF:0F:66:3D:B0 4: 0->0 (17:09:22.701 PDT-17:13:53.030 PDT) tcpslice 1383005362.701 1383005633.031 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 10/28/2013 17:15:13.305 PDT Gen. Time: 10/28/2013 17:15:13.305 PDT INBOUND SCAN EXPLOIT EXPLOIT (INTERNAL) EXPLOIT MALWARE DNS EGG DOWNLOAD EGG DOWNLOAD (INTERNAL) C and C TRAFFIC C and C TRAFFIC (INTERNAL) C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND ATTACK OUTBOUND ATTACK (INTERNAL) ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 139.78.141.243 (17:15:13.305 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 42 IPs (25 /24s) (# pkts S/M/O/I=0/41/1/0): 22:41, [] MAC_Src: 1C:DF:0F:66:3D:B0 0->0 (17:15:13.305 PDT) tcpslice 1383005713.305 1383005713.306 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' ============================== SEPARATOR ================================ Score: 1.3 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 10/28/2013 17:30:56.721 PDT Gen. Time: 10/28/2013 17:33:31.910 PDT INBOUND SCAN EXPLOIT EXPLOIT (INTERNAL) EXPLOIT MALWARE DNS EGG DOWNLOAD EGG DOWNLOAD (INTERNAL) C and C TRAFFIC C and C TRAFFIC (INTERNAL) C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND ATTACK 128.111.52.58 (17:32:00.780 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 36607->22 (17:32:00.780 PDT) 128.208.4.197 (2) (17:32:46.024 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 1C:DF:0F:66:3D:B0 42134->22 (17:32:46.024 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 42134->22 (17:32:46.024 PDT) 128.10.19.53 (17:32:16.136 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 60903->22 (17:32:16.136 PDT) 131.179.150.72 (17:30:56.721 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 44315->22 (17:30:56.721 PDT) 72.36.112.79 (17:31:23.907 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 39335->22 (17:31:23.907 PDT) 131.179.150.70 (2) (17:32:19.905 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 1C:DF:0F:66:3D:B0 59127->22 (17:32:19.905 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 59127->22 (17:32:19.905 PDT) 13.7.64.22 (17:32:41.318 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 39683->22 (17:32:41.318 PDT) 128.42.142.45 (17:31:12.065 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 58920->22 (17:31:12.065 PDT) 204.8.155.227 (17:31:50.559 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 43356->22 (17:31:50.559 PDT) 192.91.235.230 (17:32:08.765 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 39927->22 (17:32:08.765 PDT) 129.82.12.188 (17:32:28.648 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 36217->22 (17:32:28.648 PDT) 141.212.113.180 (2) (17:31:57.084 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 1C:DF:0F:66:3D:B0 37579->22 (17:31:57.084 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 37579->22 (17:31:57.084 PDT) 141.212.113.179 (17:32:36.010 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 55764->22 (17:32:36.010 PDT) 130.127.39.152 (17:31:41.382 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 36171->22 (17:31:41.382 PDT) OUTBOUND ATTACK (INTERNAL) ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 131.179.150.70 (17:33:31.910 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 21 IPs (15 /24s) (# pkts S/M/O/I=0/21/0/0): 22:21, [] MAC_Src: 1C:DF:0F:66:3D:B0 0->0 (17:33:31.910 PDT) tcpslice 1383006656.721 1383006656.722 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' ============================== SEPARATOR ================================ Score: 1.3 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 10/28/2013 17:30:56.721 PDT Gen. Time: 10/28/2013 17:39:24.927 PDT INBOUND SCAN EXPLOIT EXPLOIT (INTERNAL) EXPLOIT MALWARE DNS EGG DOWNLOAD EGG DOWNLOAD (INTERNAL) C and C TRAFFIC C and C TRAFFIC (INTERNAL) C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND ATTACK 128.111.52.58 (17:32:00.780 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 36607->22 (17:32:00.780 PDT) 128.208.4.197 (2) (17:32:46.024 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 1C:DF:0F:66:3D:B0 42134->22 (17:32:46.024 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 42134->22 (17:32:46.024 PDT) 128.10.19.53 (17:32:16.136 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 60903->22 (17:32:16.136 PDT) 131.179.150.72 (17:30:56.721 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 44315->22 (17:30:56.721 PDT) 72.36.112.79 (17:31:23.907 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 39335->22 (17:31:23.907 PDT) 131.179.150.70 (2) (17:32:19.905 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 1C:DF:0F:66:3D:B0 59127->22 (17:32:19.905 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 59127->22 (17:32:19.905 PDT) 13.7.64.22 (17:32:41.318 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 39683->22 (17:32:41.318 PDT) 128.42.142.45 (17:31:12.065 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 58920->22 (17:31:12.065 PDT) 204.8.155.227 (17:31:50.559 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 43356->22 (17:31:50.559 PDT) 192.91.235.230 (17:32:08.765 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 39927->22 (17:32:08.765 PDT) 129.82.12.188 (17:32:28.648 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 36217->22 (17:32:28.648 PDT) 141.212.113.180 (2) (17:31:57.084 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 1C:DF:0F:66:3D:B0 37579->22 (17:31:57.084 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 37579->22 (17:31:57.084 PDT) 141.212.113.179 (17:32:36.010 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 55764->22 (17:32:36.010 PDT) 130.127.39.152 (17:31:41.382 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 36171->22 (17:31:41.382 PDT) OUTBOUND ATTACK (INTERNAL) ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 129.63.159.101 (17:35:01.254 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 33 IPs (22 /24s) (# pkts S/M/O/I=0/33/0/0): 22:33, [] MAC_Src: 1C:DF:0F:66:3D:B0 0->0 (17:35:01.254 PDT) 131.179.150.70 (17:33:31.910 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 21 IPs (15 /24s) (# pkts S/M/O/I=0/21/0/0): 22:21, [] MAC_Src: 1C:DF:0F:66:3D:B0 0->0 (17:33:31.910 PDT) tcpslice 1383006656.721 1383006656.722 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 10/28/2013 17:36:00.058 PDT Gen. Time: 10/28/2013 17:36:00.058 PDT INBOUND SCAN EXPLOIT EXPLOIT (INTERNAL) EXPLOIT MALWARE DNS EGG DOWNLOAD EGG DOWNLOAD (INTERNAL) C and C TRAFFIC C and C TRAFFIC (INTERNAL) C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND ATTACK OUTBOUND ATTACK (INTERNAL) ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 128.84.154.45 (17:36:00.058 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 41 IPs (24 /24s) (# pkts S/M/O/I=0/41/0/0): 22:41, [] MAC_Src: 1C:DF:0F:66:3D:B0 0->0 (17:36:00.058 PDT) tcpslice 1383006960.058 1383006960.059 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' ============================== SEPARATOR ================================