Score: 1.3 (>= 0.8)
Infected Target: 192.168.1.41
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 10/31/2013 14:00:06.858 PDT
Gen. Time: 10/31/2013 14:00:39.526 PDT

INBOUND SCAN
EXPLOIT
EXPLOIT (INTERNAL)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
EGG DOWNLOAD (INTERNAL)
C and C TRAFFIC
C and C TRAFFIC (INTERNAL)
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)

OUTBOUND ATTACK
  198.133.224.149 (2) (14:00:38.032 PDT)
    event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 1C:DF:0F:66:3D:B0
      34898->22 (14:00:38.032 PDT)
    -------------------------
    event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0
      34898->22 (14:00:38.032 PDT)
  204.8.155.227 (14:00:24.960 PDT)
    event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0
      44904->22 (14:00:24.960 PDT)
  128.10.19.53 (14:00:06.858 PDT)
    event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0
      34077->22 (14:00:06.858 PDT)
  129.82.12.188 (14:00:14.545 PDT)
    event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0
      37666->22 (14:00:14.545 PDT)

OUTBOUND ATTACK (INTERNAL)
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT

OUTBOUND INTENSE MALWARE PORT SCAN
  129.82.12.188 (14:00:39.526 PDT)
    event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 21 IPs (14 /24s) (# pkts S/M/O/I=0/21/0/0): 22:21, [] MAC_Src: 1C:DF:0F:66:3D:B0
      0->0 (14:00:39.526 PDT)

tcpslice 1383253206.858 1383253206.859 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41'

============================== SEPARATOR ================================

Score: 1.3 (>= 0.8)
Infected Target: 192.168.1.41
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 10/31/2013 14:00:06.858 PDT
Gen. Time: 10/31/2013 14:08:41.061 PDT

INBOUND SCAN
EXPLOIT
EXPLOIT (INTERNAL)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
EGG DOWNLOAD (INTERNAL)
C and C TRAFFIC
C and C TRAFFIC (INTERNAL)
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)

OUTBOUND ATTACK
  128.10.19.53 (2) (14:00:06.858 PDT)
    event=1:2003068 (2) {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0
      34077->22 (14:00:06.858 PDT)
      34708->22 (14:01:44.953 PDT)
  155.246.12.164 (14:02:07.400 PDT)
    event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0
      44990->22 (14:02:07.400 PDT)
  165.91.55.9 (2) (14:01:55.104 PDT)
    event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 1C:DF:0F:66:3D:B0
      57736->22 (14:01:55.104 PDT)
    -------------------------
    event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0
      57736->22 (14:01:55.104 PDT)
  128.42.142.45 (14:01:08.579 PDT)
    event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0
      60759->22 (14:01:08.579 PDT)
  131.193.34.38 (14:01:00.429 PDT)
    event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0
      50398->22 (14:01:00.429 PDT)
  158.130.6.253 (14:01:36.401 PDT)
    event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0
      54702->22 (14:01:36.401 PDT)
  198.133.224.149 (2) (14:00:38.032 PDT)
    event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 1C:DF:0F:66:3D:B0
      34898->22 (14:00:38.032 PDT)
    -------------------------
    event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0
      34898->22 (14:00:38.032 PDT)
  204.8.155.227 (14:00:24.960 PDT)
    event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0
      44904->22 (14:00:24.960 PDT)
  129.82.12.188 (2) (14:00:14.545 PDT)
    event=1:2003068 (2) {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0
      37666->22 (14:00:14.545 PDT)
      38426->22 (14:02:14.266 PDT)
  13.7.64.20 (2) (14:01:21.189 PDT)
    event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 1C:DF:0F:66:3D:B0
      43005->22 (14:01:21.189 PDT)
    -------------------------
    event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0
      43005->22 (14:01:21.189 PDT)
  130.127.39.153 (14:01:13.665 PDT)
    event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0
      45037->22 (14:01:13.665 PDT)
  128.208.4.198 (14:01:27.194 PDT)
    event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0
      49691->22 (14:01:27.194 PDT)

OUTBOUND ATTACK (INTERNAL)
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT

OUTBOUND INTENSE MALWARE PORT SCAN
  129.82.12.188 (4) (14:00:39.526 PDT-14:05:16.708 PDT)
    event=777:7777008 (4) {tcp} E8[bh] Detected intense malware port scanning of 41 IPs (24 /24s) (# pkts S/M/O/I=0/41/0/0): 22:41, [] MAC_Src: 1C:DF:0F:66:3D:B0
      3: 0->0 (14:02:09.036 PDT-14:05:16.708 PDT)
      0->0 (14:00:39.526 PDT)

tcpslice 1383253206.858 1383253516.709 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41'

============================== SEPARATOR ================================

Score: 1.3 (>= 0.8)
Infected Target: 192.168.1.41
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 10/31/2013 15:06:15.384 PDT
Gen. Time: 10/31/2013 15:08:30.754 PDT

INBOUND SCAN
EXPLOIT
EXPLOIT (INTERNAL)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
EGG DOWNLOAD (INTERNAL)
C and C TRAFFIC
C and C TRAFFIC (INTERNAL)
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)

OUTBOUND ATTACK
  128.111.52.58 (15:07:18.214 PDT)
    event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0
      54120->22 (15:07:18.214 PDT)
  128.208.4.197 (2) (15:07:57.548 PDT)
    event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 1C:DF:0F:66:3D:B0
      59647->22 (15:07:57.548 PDT)
    -------------------------
    event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0
      59647->22 (15:07:57.548 PDT)
  128.10.19.53 (15:07:32.434 PDT)
    event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0
      50183->22 (15:07:32.434 PDT)
  131.179.150.72 (15:06:15.384 PDT)
    event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0
      33595->22 (15:06:15.384 PDT)
  72.36.112.79 (15:06:53.558 PDT)
    event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0
      56848->22 (15:06:53.558 PDT)
  131.179.150.70 (2) (15:07:35.137 PDT)
    event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 1C:DF:0F:66:3D:B0
      48407->22 (15:07:35.137 PDT)
    -------------------------
    event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0
      48407->22 (15:07:35.137 PDT)
  13.7.64.22 (15:07:53.877 PDT)
    event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0
      57196->22 (15:07:53.877 PDT)
  128.42.142.45 (15:06:30.862 PDT)
    event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0
      48200->22 (15:06:30.862 PDT)
  204.8.155.227 (15:07:08.924 PDT)
    event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0
      60869->22 (15:07:08.924 PDT)
  192.91.235.230 (15:07:25.850 PDT)
    event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0
      57440->22 (15:07:25.850 PDT)
  129.82.12.188 (15:07:42.202 PDT)
    event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0
      53730->22 (15:07:42.202 PDT)
  141.212.113.180 (2) (15:07:15.073 PDT)
    event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 1C:DF:0F:66:3D:B0
      55092->22 (15:07:15.073 PDT)
    -------------------------
    event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0
      55092->22 (15:07:15.073 PDT)
  141.212.113.179 (15:07:49.391 PDT)
    event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0
      45044->22 (15:07:49.391 PDT)
  130.127.39.152 (15:07:00.863 PDT)
    event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0
      53684->22 (15:07:00.863 PDT)

OUTBOUND ATTACK (INTERNAL)
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT

OUTBOUND INTENSE MALWARE PORT SCAN
  128.111.52.58 (15:08:30.754 PDT)
    event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 21 IPs (17 /24s) (# pkts S/M/O/I=0/19/2/0): 22:19, [] MAC_Src: 1C:DF:0F:66:3D:B0
      0->0 (15:08:30.754 PDT)

tcpslice 1383257175.384 1383257175.385 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41'

============================== SEPARATOR ================================

Score: 1.3 (>= 0.8)
Infected Target: 192.168.1.41
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 10/31/2013 15:06:15.384 PDT
Gen. Time: 10/31/2013 15:14:09.181 PDT

INBOUND SCAN
EXPLOIT
EXPLOIT (INTERNAL)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
EGG DOWNLOAD (INTERNAL)
C and C TRAFFIC
C and C TRAFFIC (INTERNAL)
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)

OUTBOUND ATTACK
  128.111.52.58 (15:07:18.214 PDT)
    event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0
      54120->22 (15:07:18.214 PDT)
  128.208.4.197 (2) (15:07:57.548 PDT)
    event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 1C:DF:0F:66:3D:B0
      59647->22 (15:07:57.548 PDT)
    -------------------------
    event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0
      59647->22 (15:07:57.548 PDT)
  128.10.19.53 (15:07:32.434 PDT)
    event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0
      50183->22 (15:07:32.434 PDT)
  131.179.150.72 (15:06:15.384 PDT)
    event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0
      33595->22 (15:06:15.384 PDT)
  72.36.112.79 (15:06:53.558 PDT)
    event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0
      56848->22 (15:06:53.558 PDT)
  131.179.150.70 (2) (15:07:35.137 PDT)
    event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 1C:DF:0F:66:3D:B0
      48407->22 (15:07:35.137 PDT)
    -------------------------
    event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0
      48407->22 (15:07:35.137 PDT)
  13.7.64.22 (15:07:53.877 PDT)
    event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0
      57196->22 (15:07:53.877 PDT)
  128.42.142.45 (15:06:30.862 PDT)
    event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0
      48200->22 (15:06:30.862 PDT)
  204.8.155.227 (15:07:08.924 PDT)
    event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0
      60869->22 (15:07:08.924 PDT)
  192.91.235.230 (15:07:25.850 PDT)
    event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0
      57440->22 (15:07:25.850 PDT)
  129.82.12.188 (15:07:42.202 PDT)
    event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0
      53730->22 (15:07:42.202 PDT)
  141.212.113.180 (2) (15:07:15.073 PDT)
    event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 1C:DF:0F:66:3D:B0
      55092->22 (15:07:15.073 PDT)
    -------------------------
    event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0
      55092->22 (15:07:15.073 PDT)
  141.212.113.179 (15:07:49.391 PDT)
    event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0
      45044->22 (15:07:49.391 PDT)
  130.127.39.152 (15:07:00.863 PDT)
    event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0
      53684->22 (15:07:00.863 PDT)

OUTBOUND ATTACK (INTERNAL)
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT

OUTBOUND INTENSE MALWARE PORT SCAN
  128.111.52.58 (15:08:30.754 PDT)
    event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 21 IPs (17 /24s) (# pkts S/M/O/I=0/19/2/0): 22:19, [] MAC_Src: 1C:DF:0F:66:3D:B0
      0->0 (15:08:30.754 PDT)
  131.193.34.38 (15:10:00.285 PDT)
    event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 34 IPs (23 /24s) (# pkts S/M/O/I=0/32/2/0): 22:32, [] MAC_Src: 1C:DF:0F:66:3D:B0
      0->0 (15:10:00.285 PDT)

tcpslice 1383257175.384 1383257175.385 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.41
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 10/31/2013 15:11:12.240 PDT
Gen. Time: 10/31/2013 15:11:12.240 PDT

INBOUND SCAN
EXPLOIT
EXPLOIT (INTERNAL)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
EGG DOWNLOAD (INTERNAL)
C and C TRAFFIC
C and C TRAFFIC (INTERNAL)
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND ATTACK
OUTBOUND ATTACK (INTERNAL)
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT

OUTBOUND INTENSE MALWARE PORT SCAN
  128.8.126.111 (15:11:12.240 PDT)
    event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 43 IPs (26 /24s) (# pkts S/M/O/I=0/41/2/0): 22:41, [] MAC_Src: 1C:DF:0F:66:3D:B0
      0->0 (15:11:12.240 PDT)

tcpslice 1383257472.240 1383257472.241 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41'

============================== SEPARATOR ================================

Score: 1.3 (>= 0.8)
Infected Target: 192.168.1.41
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 10/31/2013 15:26:47.936 PDT
Gen. Time: 10/31/2013 15:29:19.489 PDT

INBOUND SCAN
EXPLOIT
EXPLOIT (INTERNAL)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
EGG DOWNLOAD (INTERNAL)
C and C TRAFFIC
C and C TRAFFIC (INTERNAL)
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)

OUTBOUND ATTACK
  128.111.52.58 (2) (15:27:44.047 PDT)
    event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 1C:DF:0F:66:3D:B0
      54332->22 (15:27:44.047 PDT)
    -------------------------
    event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0
      54336->22 (15:27:45.944 PDT)
  128.208.4.197 (15:28:28.360 PDT)
    event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0
      59863->22 (15:28:28.360 PDT)
  128.10.19.53 (15:28:00.959 PDT)
    event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0
      50399->22 (15:28:00.959 PDT)
  131.179.150.72 (15:26:47.936 PDT)
    event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0
      33811->22 (15:26:47.936 PDT)
  72.36.112.79 (15:27:19.637 PDT)
    event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0
      57064->22 (15:27:19.637 PDT)
  131.179.150.70 (15:28:04.705 PDT)
    event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0
      48623->22 (15:28:04.705 PDT)
  13.7.64.22 (15:28:24.070 PDT)
    event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0
      57412->22 (15:28:24.070 PDT)
  128.42.142.45 (15:27:03.352 PDT)
    event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0
      48416->22 (15:27:03.352 PDT)
  204.8.155.227 (15:27:35.774 PDT)
    event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0
      32852->22 (15:27:35.774 PDT)
  192.91.235.230 (15:27:54.137 PDT)
    event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0
      57656->22 (15:27:54.137 PDT)
  129.82.12.188 (2) (15:28:05.229 PDT)
    event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 1C:DF:0F:66:3D:B0
      53942->22 (15:28:05.229 PDT)
    -------------------------
    event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0
      53946->22 (15:28:11.288 PDT)
  141.212.113.180 (15:27:42.474 PDT)
    event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0
      55308->22 (15:27:42.474 PDT)
  141.212.113.179 (15:28:19.414 PDT)
    event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0
      45260->22 (15:28:19.414 PDT)
  128.111.52.59 (15:28:29.050 PDT)
    event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 1C:DF:0F:66:3D:B0
      59897->22 (15:28:29.050 PDT)
  130.127.39.152 (15:27:27.952 PDT)
    event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0
      53900->22 (15:27:27.952 PDT)

OUTBOUND ATTACK (INTERNAL)
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT

OUTBOUND INTENSE MALWARE PORT SCAN
  128.208.4.197 (15:29:19.489 PDT)
    event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 21 IPs (15 /24s) (# pkts S/M/O/I=0/21/0/0): 22:21, [] MAC_Src: 1C:DF:0F:66:3D:B0
      0->0 (15:29:19.489 PDT)

tcpslice 1383258407.936 1383258407.937 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41'

============================== SEPARATOR ================================

Score: 1.3 (>= 0.8)
Infected Target: 192.168.1.41
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 10/31/2013 15:26:47.936 PDT
Gen. Time: 10/31/2013 15:35:26.038 PDT

INBOUND SCAN
EXPLOIT
EXPLOIT (INTERNAL)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
EGG DOWNLOAD (INTERNAL)
C and C TRAFFIC
C and C TRAFFIC (INTERNAL)
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)

OUTBOUND ATTACK
  128.111.52.58 (2) (15:27:44.047 PDT)
    event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 1C:DF:0F:66:3D:B0
      54332->22 (15:27:44.047 PDT)
    -------------------------
    event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0
      54336->22 (15:27:45.944 PDT)
  128.208.4.197 (15:28:28.360 PDT)
    event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0
      59863->22 (15:28:28.360 PDT)
  128.10.19.53 (15:28:00.959 PDT)
    event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0
      50399->22 (15:28:00.959 PDT)
  131.179.150.72 (15:26:47.936 PDT)
    event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0
      33811->22 (15:26:47.936 PDT)
  72.36.112.79 (15:27:19.637 PDT)
    event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0
      57064->22 (15:27:19.637 PDT)
  131.179.150.70 (15:28:04.705 PDT)
    event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0
      48623->22 (15:28:04.705 PDT)
  13.7.64.22 (15:28:24.070 PDT)
    event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0
      57412->22 (15:28:24.070 PDT)
  128.42.142.45 (15:27:03.352 PDT)
    event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0
      48416->22 (15:27:03.352 PDT)
  204.8.155.227 (15:27:35.774 PDT)
    event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0
      32852->22 (15:27:35.774 PDT)
  192.91.235.230 (15:27:54.137 PDT)
    event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0
      57656->22 (15:27:54.137 PDT)
  129.82.12.188 (2) (15:28:05.229 PDT)
    event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 1C:DF:0F:66:3D:B0
      53942->22 (15:28:05.229 PDT)
    -------------------------
    event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0
      53946->22 (15:28:11.288 PDT)
  141.212.113.180 (15:27:42.474 PDT)
    event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0
      55308->22 (15:27:42.474 PDT)
  141.212.113.179 (15:28:19.414 PDT)
    event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0
      45260->22 (15:28:19.414 PDT)
  128.111.52.59 (15:28:29.050 PDT)
    event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 1C:DF:0F:66:3D:B0
      59897->22 (15:28:29.050 PDT)
  130.127.39.152 (15:27:27.952 PDT)
    event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0
      53900->22 (15:27:27.952 PDT)

OUTBOUND ATTACK (INTERNAL)
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT

OUTBOUND INTENSE MALWARE PORT SCAN
  128.208.4.197 (2) (15:29:19.489 PDT)
    event=777:7777008 (2) {tcp} E8[bh] Detected intense malware port scanning of 21 IPs (15 /24s) (# pkts S/M/O/I=0/21/0/0): 22:21, [] MAC_Src: 1C:DF:0F:66:3D:B0
      0->0 (15:29:19.489 PDT)
      0->0 (15:30:50.106 PDT)

tcpslice 1383258407.936 1383258407.937 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.41
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 10/31/2013 15:31:50.888 PDT
Gen. Time: 10/31/2013 15:31:50.888 PDT

INBOUND SCAN
EXPLOIT
EXPLOIT (INTERNAL)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
EGG DOWNLOAD (INTERNAL)
C and C TRAFFIC
C and C TRAFFIC (INTERNAL)
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND ATTACK
OUTBOUND ATTACK (INTERNAL)
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT

OUTBOUND INTENSE MALWARE PORT SCAN
  128.208.4.198 (15:31:50.888 PDT)
    event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 41 IPs (24 /24s) (# pkts S/M/O/I=0/41/0/0): 22:41, [] MAC_Src: 1C:DF:0F:66:3D:B0
      0->0 (15:31:50.888 PDT)

tcpslice 1383258710.888 1383258710.889 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41'

============================== SEPARATOR ================================

Score: 1.3 (>= 0.8)
Infected Target: 192.168.1.41
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 10/31/2013 15:47:29.854 PDT
Gen. Time: 10/31/2013 15:49:47.052 PDT

INBOUND SCAN
EXPLOIT
EXPLOIT (INTERNAL)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
EGG DOWNLOAD (INTERNAL)
C and C TRAFFIC
C and C TRAFFIC (INTERNAL)
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)

OUTBOUND ATTACK
  128.111.52.58 (2) (15:48:17.278 PDT)
    event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 1C:DF:0F:66:3D:B0
      54965->22 (15:48:17.278 PDT)
    -------------------------
    event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0
      54968->22 (15:48:18.733 PDT)
  128.208.4.197 (15:49:02.001 PDT)
    event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0
      60495->22 (15:49:02.001 PDT)
  128.10.19.53 (15:48:33.516 PDT)
    event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0
      51031->22 (15:48:33.516 PDT)
  131.179.150.72 (15:47:29.854 PDT)
    event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0
      34443->22 (15:47:29.854 PDT)
  72.36.112.79 (15:47:54.123 PDT)
    event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0
      57696->22 (15:47:54.123 PDT)
  131.179.150.70 (15:48:36.442 PDT)
    event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0
      49255->22 (15:48:36.442 PDT)
  13.7.64.22 (15:48:58.303 PDT)
    event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0
      58044->22 (15:48:58.303 PDT)
  128.42.142.45 (15:47:39.781 PDT)
    event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0
      49048->22 (15:47:39.781 PDT)
  204.8.155.227 (15:48:09.466 PDT)
    event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0
      33484->22 (15:48:09.466 PDT)
  192.91.235.230 (15:48:26.443 PDT)
    event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0
      58288->22 (15:48:26.443 PDT)
  129.82.12.188 (2) (15:48:38.383 PDT)
    event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 1C:DF:0F:66:3D:B0
      54575->22 (15:48:38.383 PDT)
    -------------------------
    event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0
      54578->22 (15:48:42.609 PDT)
  141.212.113.180 (15:48:15.671 PDT)
    event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0
      55940->22 (15:48:15.671 PDT)
  141.212.113.179 (15:48:51.594 PDT)
    event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0
      45892->22 (15:48:51.594 PDT)
  128.111.52.59 (15:49:03.133 PDT)
    event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 1C:DF:0F:66:3D:B0
      60530->22 (15:49:03.133 PDT)
  130.127.39.152 (15:48:02.008 PDT)
    event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0
      54532->22 (15:48:02.008 PDT)

OUTBOUND ATTACK (INTERNAL)
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT

OUTBOUND INTENSE MALWARE PORT SCAN
  128.208.4.197 (15:49:47.052 PDT)
    event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 21 IPs (15 /24s) (# pkts S/M/O/I=0/21/0/0): 22:21, [] MAC_Src: 1C:DF:0F:66:3D:B0
      0->0 (15:49:47.052 PDT)

tcpslice 1383259649.854 1383259649.855 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41'

============================== SEPARATOR ================================

Score: 1.3 (>= 0.8)
Infected Target: 192.168.1.41
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 10/31/2013 15:47:29.854 PDT
Gen. Time: 10/31/2013 15:56:06.601 PDT

INBOUND SCAN
EXPLOIT
EXPLOIT (INTERNAL)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
EGG DOWNLOAD (INTERNAL)
C and C TRAFFIC
C and C TRAFFIC (INTERNAL)
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)

OUTBOUND ATTACK
  128.111.52.58 (2) (15:48:17.278 PDT)
    event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 1C:DF:0F:66:3D:B0
      54965->22 (15:48:17.278 PDT)
    -------------------------
    event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0
      54968->22 (15:48:18.733 PDT)
  128.208.4.197 (15:49:02.001 PDT)
    event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0
      60495->22 (15:49:02.001 PDT)
  128.10.19.53 (15:48:33.516 PDT)
    event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0
      51031->22 (15:48:33.516 PDT)
  131.179.150.72 (15:47:29.854 PDT)
    event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0
      34443->22 (15:47:29.854 PDT)
  72.36.112.79 (15:47:54.123 PDT)
    event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0
      57696->22 (15:47:54.123 PDT)
  131.179.150.70 (15:48:36.442 PDT)
    event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0
      49255->22 (15:48:36.442 PDT)
  13.7.64.22 (15:48:58.303 PDT)
    event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0
      58044->22 (15:48:58.303 PDT)
  128.42.142.45 (15:47:39.781 PDT)
    event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0
      49048->22 (15:47:39.781 PDT)
  204.8.155.227 (15:48:09.466 PDT)
    event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0
      33484->22 (15:48:09.466 PDT)
  192.91.235.230 (15:48:26.443 PDT)
    event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0
      58288->22 (15:48:26.443 PDT)
  129.82.12.188 (2) (15:48:38.383 PDT)
    event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 1C:DF:0F:66:3D:B0
      54575->22 (15:48:38.383 PDT)
    -------------------------
    event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0
      54578->22 (15:48:42.609 PDT)
  141.212.113.180 (15:48:15.671 PDT)
    event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0
      55940->22 (15:48:15.671 PDT)
  141.212.113.179 (15:48:51.594 PDT)
    event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0
      45892->22 (15:48:51.594 PDT)
  128.111.52.59 (15:49:03.133 PDT)
    event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 1C:DF:0F:66:3D:B0
      60530->22 (15:49:03.133 PDT)
  130.127.39.152 (15:48:02.008 PDT)
    event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0
      54532->22 (15:48:02.008 PDT)

OUTBOUND ATTACK (INTERNAL)
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT

OUTBOUND INTENSE MALWARE PORT SCAN
  128.208.4.197 (15:49:47.052 PDT)
    event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 21 IPs (15 /24s) (# pkts S/M/O/I=0/21/0/0): 22:21, [] MAC_Src: 1C:DF:0F:66:3D:B0
      0->0 (15:49:47.052 PDT)
  131.193.34.38 (15:51:17.562 PDT)
    event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 33 IPs (22 /24s) (# pkts S/M/O/I=0/33/0/0): 22:33, [] MAC_Src: 1C:DF:0F:66:3D:B0
      0->0 (15:51:17.562 PDT)

tcpslice 1383259649.854 1383259649.855 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.41
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 10/31/2013 15:52:14.030 PDT
Gen. Time: 10/31/2013 15:52:14.030 PDT

INBOUND SCAN
EXPLOIT
EXPLOIT (INTERNAL)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
EGG DOWNLOAD (INTERNAL)
C and C TRAFFIC
C and C TRAFFIC (INTERNAL)
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND ATTACK
OUTBOUND ATTACK (INTERNAL)
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT

OUTBOUND INTENSE MALWARE PORT SCAN
  128.208.4.198 (15:52:14.030 PDT)
    event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 41 IPs (24 /24s) (# pkts S/M/O/I=0/41/0/0): 22:41, [] MAC_Src: 1C:DF:0F:66:3D:B0
      0->0 (15:52:14.030 PDT)

tcpslice 1383259934.030 1383259934.031 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.41
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 10/31/2013 16:03:22.643 PDT
Gen. Time: 10/31/2013 16:03:22.643 PDT

INBOUND SCAN
EXPLOIT
EXPLOIT (INTERNAL)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
EGG DOWNLOAD (INTERNAL)
C and C TRAFFIC
C and C TRAFFIC (INTERNAL)
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND ATTACK
OUTBOUND ATTACK (INTERNAL)
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT

OUTBOUND INTENSE MALWARE PORT SCAN
  158.130.6.253 (16:03:22.643 PDT)
    event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 21 IPs (14 /24s) (# pkts S/M/O/I=0/21/0/0): 22:21, [] MAC_Src: 1C:DF:0F:66:3D:B0
      0->0 (16:03:22.643 PDT)

tcpslice 1383260602.643 1383260602.644 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.41
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 10/31/2013 16:03:22.643 PDT
Gen. Time: 10/31/2013 16:05:57.531 PDT

INBOUND SCAN
EXPLOIT
EXPLOIT (INTERNAL)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
EGG DOWNLOAD (INTERNAL)
C and C TRAFFIC
C and C TRAFFIC (INTERNAL)
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND ATTACK
OUTBOUND ATTACK (INTERNAL)
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT

OUTBOUND INTENSE MALWARE PORT SCAN
  158.130.6.253 (16:03:22.643 PDT)
    event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 21 IPs (14 /24s) (# pkts S/M/O/I=0/21/0/0): 22:21, [] MAC_Src: 1C:DF:0F:66:3D:B0
      0->0 (16:03:22.643 PDT)
  72.36.112.79 (16:04:57.754 PDT)
    event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 34 IPs (20 /24s) (# pkts S/M/O/I=0/34/0/0): 22:34, [] MAC_Src: 1C:DF:0F:66:3D:B0
      0->0 (16:04:57.754 PDT)

tcpslice 1383260602.643 1383260602.644 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.41
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 10/31/2013 16:06:42.791 PDT
Gen. Time: 10/31/2013 16:06:42.791 PDT

INBOUND SCAN
EXPLOIT
EXPLOIT (INTERNAL)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
EGG DOWNLOAD (INTERNAL)
C and C TRAFFIC
C and C TRAFFIC (INTERNAL)
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND ATTACK
OUTBOUND ATTACK (INTERNAL)
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT

OUTBOUND INTENSE MALWARE PORT SCAN
  128.36.233.153 (16:06:42.791 PDT)
    event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 41 IPs (24 /24s) (# pkts S/M/O/I=0/41/0/0): 22:41, [] MAC_Src: 1C:DF:0F:66:3D:B0
      0->0 (16:06:42.791 PDT)

tcpslice 1383260802.791 1383260802.792 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41'

============================== SEPARATOR ================================

Score: 1.3 (>= 0.8)
Infected Target: 192.168.1.41
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 10/31/2013 16:06:42.791 PDT
Gen.
Time: 10/31/2013 16:16:32.705 PDT INBOUND SCAN EXPLOIT EXPLOIT (INTERNAL) EXPLOIT MALWARE DNS EGG DOWNLOAD EGG DOWNLOAD (INTERNAL) C and C TRAFFIC C and C TRAFFIC (INTERNAL) C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND ATTACK 128.111.52.58 (16:08:54.700 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 55183->22 (16:08:54.700 PDT) 128.208.4.197 (2) (16:09:34.893 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 1C:DF:0F:66:3D:B0 60710->22 (16:09:34.893 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 60710->22 (16:09:34.893 PDT) 128.10.19.53 (16:09:09.568 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 51246->22 (16:09:09.568 PDT) 131.179.150.72 (16:07:56.979 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 34658->22 (16:07:56.979 PDT) 72.36.112.79 (16:08:29.836 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 57911->22 (16:08:29.836 PDT) 131.179.150.70 (2) (16:09:12.410 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 1C:DF:0F:66:3D:B0 49470->22 (16:09:12.410 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 49470->22 (16:09:12.410 PDT) 13.7.64.22 (16:09:31.105 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 58259->22 (16:09:31.105 PDT) 128.42.142.45 (16:08:12.207 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 49263->22 (16:08:12.207 PDT) 204.8.155.227 (16:08:45.146 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 
33699->22 (16:08:45.146 PDT) 192.91.235.230 (16:09:02.594 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 58503->22 (16:09:02.594 PDT) 129.82.12.188 (16:09:18.840 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 54793->22 (16:09:18.840 PDT) 141.212.113.180 (2) (16:08:51.477 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 1C:DF:0F:66:3D:B0 56155->22 (16:08:51.477 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 56155->22 (16:08:51.477 PDT) 141.212.113.179 (16:09:26.436 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 46107->22 (16:09:26.436 PDT) 130.127.39.152 (16:08:37.575 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 54747->22 (16:08:37.575 PDT) OUTBOUND ATTACK (INTERNAL) ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 128.36.233.153 (7) (16:06:42.791 PDT-16:16:25.447 PDT) event=777:7777008 (7) {tcp} E8[bh] Detected intense malware port scanning of 41 IPs (24 /24s) (# pkts S/M/O/I=0/41/0/0): 22:41, [] MAC_Src: 1C:DF:0F:66:3D:B0 7: 0->0 (16:06:42.791 PDT-16:16:25.447 PDT) tcpslice 1383260802.791 1383261385.448 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' ============================== SEPARATOR ================================ Score: 1.3 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 10/31/2013 16:28:27.586 PDT Gen. 
Time: 10/31/2013 16:30:54.775 PDT INBOUND SCAN EXPLOIT EXPLOIT (INTERNAL) EXPLOIT MALWARE DNS EGG DOWNLOAD EGG DOWNLOAD (INTERNAL) C and C TRAFFIC C and C TRAFFIC (INTERNAL) C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND ATTACK 128.111.52.58 (2) (16:29:25.557 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 1C:DF:0F:66:3D:B0 55394->22 (16:29:25.557 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 55398->22 (16:29:27.457 PDT) 128.208.4.197 (16:30:05.883 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 60925->22 (16:30:05.883 PDT) 128.10.19.53 (16:29:41.532 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 51461->22 (16:29:41.532 PDT) 131.179.150.72 (16:28:27.586 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 34873->22 (16:28:27.586 PDT) 72.36.112.79 (16:29:02.728 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 58126->22 (16:29:02.728 PDT) 131.179.150.70 (16:29:44.412 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 49685->22 (16:29:44.412 PDT) 13.7.64.22 (16:30:01.865 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 58474->22 (16:30:01.865 PDT) 128.42.142.45 (16:28:42.874 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 49478->22 (16:28:42.874 PDT) 204.8.155.227 (16:29:18.144 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 33914->22 (16:29:18.144 PDT) 192.91.235.230 (16:29:35.080 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 58718->22 
(16:29:35.080 PDT) 129.82.12.188 (2) (16:29:44.877 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 1C:DF:0F:66:3D:B0 55004->22 (16:29:44.877 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 55008->22 (16:29:50.375 PDT) 141.212.113.180 (16:29:24.499 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 56370->22 (16:29:24.499 PDT) 141.212.113.179 (16:29:57.108 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 46322->22 (16:29:57.108 PDT) 128.111.52.59 (16:30:06.605 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 1C:DF:0F:66:3D:B0 60959->22 (16:30:06.605 PDT) 130.127.39.152 (16:29:10.469 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 54962->22 (16:29:10.469 PDT) OUTBOUND ATTACK (INTERNAL) ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 204.8.155.226 (16:30:54.775 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 21 IPs (15 /24s) (# pkts S/M/O/I=0/21/0/0): 22:21, [] MAC_Src: 1C:DF:0F:66:3D:B0 0->0 (16:30:54.775 PDT) tcpslice 1383262107.586 1383262107.587 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' ============================== SEPARATOR ================================ Score: 1.3 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 10/31/2013 16:28:27.586 PDT Gen. 
Time: 10/31/2013 16:36:54.090 PDT INBOUND SCAN EXPLOIT EXPLOIT (INTERNAL) EXPLOIT MALWARE DNS EGG DOWNLOAD EGG DOWNLOAD (INTERNAL) C and C TRAFFIC C and C TRAFFIC (INTERNAL) C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND ATTACK 128.111.52.58 (2) (16:29:25.557 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 1C:DF:0F:66:3D:B0 55394->22 (16:29:25.557 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 55398->22 (16:29:27.457 PDT) 128.208.4.197 (16:30:05.883 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 60925->22 (16:30:05.883 PDT) 128.10.19.53 (16:29:41.532 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 51461->22 (16:29:41.532 PDT) 131.179.150.72 (16:28:27.586 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 34873->22 (16:28:27.586 PDT) 72.36.112.79 (16:29:02.728 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 58126->22 (16:29:02.728 PDT) 131.179.150.70 (16:29:44.412 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 49685->22 (16:29:44.412 PDT) 13.7.64.22 (16:30:01.865 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 58474->22 (16:30:01.865 PDT) 128.42.142.45 (16:28:42.874 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 49478->22 (16:28:42.874 PDT) 204.8.155.227 (16:29:18.144 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 33914->22 (16:29:18.144 PDT) 192.91.235.230 (16:29:35.080 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 58718->22 
(16:29:35.080 PDT) 129.82.12.188 (2) (16:29:44.877 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 1C:DF:0F:66:3D:B0 55004->22 (16:29:44.877 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 55008->22 (16:29:50.375 PDT) 141.212.113.180 (16:29:24.499 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 56370->22 (16:29:24.499 PDT) 141.212.113.179 (16:29:57.108 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 46322->22 (16:29:57.108 PDT) 128.111.52.59 (16:30:06.605 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 1C:DF:0F:66:3D:B0 60959->22 (16:30:06.605 PDT) 130.127.39.152 (16:29:10.469 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 54962->22 (16:29:10.469 PDT) OUTBOUND ATTACK (INTERNAL) ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 204.8.155.226 (16:30:54.775 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 21 IPs (15 /24s) (# pkts S/M/O/I=0/21/0/0): 22:21, [] MAC_Src: 1C:DF:0F:66:3D:B0 0->0 (16:30:54.775 PDT) 131.193.34.38 (16:32:24.681 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 34 IPs (22 /24s) (# pkts S/M/O/I=0/34/0/0): 22:34, [] MAC_Src: 1C:DF:0F:66:3D:B0 0->0 (16:32:24.681 PDT) tcpslice 1383262107.586 1383262107.587 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 10/31/2013 16:33:19.827 PDT Gen. 
Time: 10/31/2013 16:33:19.827 PDT INBOUND SCAN EXPLOIT EXPLOIT (INTERNAL) EXPLOIT MALWARE DNS EGG DOWNLOAD EGG DOWNLOAD (INTERNAL) C and C TRAFFIC C and C TRAFFIC (INTERNAL) C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND ATTACK OUTBOUND ATTACK (INTERNAL) ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 131.193.34.38 (16:33:19.827 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 41 IPs (24 /24s) (# pkts S/M/O/I=0/41/0/0): 22:41, [] MAC_Src: 1C:DF:0F:66:3D:B0 0->0 (16:33:19.827 PDT) tcpslice 1383262399.827 1383262399.828 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' ============================== SEPARATOR ================================ Score: 1.3 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 10/31/2013 16:49:02.430 PDT Gen. 
Time: 10/31/2013 16:51:26.855 PDT INBOUND SCAN EXPLOIT EXPLOIT (INTERNAL) EXPLOIT MALWARE DNS EGG DOWNLOAD EGG DOWNLOAD (INTERNAL) C and C TRAFFIC C and C TRAFFIC (INTERNAL) C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND ATTACK 128.111.52.58 (16:49:56.847 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 55613->22 (16:49:56.847 PDT) 128.208.4.197 (2) (16:50:36.810 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 1C:DF:0F:66:3D:B0 32907->22 (16:50:36.810 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 32907->22 (16:50:36.810 PDT) 128.10.19.53 (16:50:11.058 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 51676->22 (16:50:11.058 PDT) 131.179.150.72 (16:49:02.430 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 35088->22 (16:49:02.430 PDT) 72.36.112.79 (16:49:30.779 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 58341->22 (16:49:30.779 PDT) 131.179.150.70 (2) (16:50:13.968 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 1C:DF:0F:66:3D:B0 49900->22 (16:50:13.968 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 49900->22 (16:50:13.968 PDT) 13.7.64.22 (16:50:32.124 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 58689->22 (16:50:32.124 PDT) 128.42.142.45 (16:49:17.450 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 49693->22 (16:49:17.450 PDT) 204.8.155.227 (16:49:47.473 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 
34129->22 (16:49:47.473 PDT) 192.91.235.230 (16:50:04.505 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 58933->22 (16:50:04.505 PDT) 129.82.12.188 (16:50:20.508 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 55223->22 (16:50:20.508 PDT) 141.212.113.180 (2) (16:49:53.872 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 1C:DF:0F:66:3D:B0 56585->22 (16:49:53.872 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 56585->22 (16:49:53.872 PDT) 141.212.113.179 (16:50:27.628 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 46537->22 (16:50:27.628 PDT) 130.127.39.152 (16:49:39.759 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 55177->22 (16:49:39.759 PDT) OUTBOUND ATTACK (INTERNAL) ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 13.7.64.22 (16:51:26.855 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 21 IPs (15 /24s) (# pkts S/M/O/I=0/21/0/0): 22:21, [] MAC_Src: 1C:DF:0F:66:3D:B0 0->0 (16:51:26.855 PDT) tcpslice 1383263342.430 1383263342.431 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' ============================== SEPARATOR ================================ Score: 1.3 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 10/31/2013 16:49:02.430 PDT Gen. 
Time: 10/31/2013 16:58:18.574 PDT INBOUND SCAN EXPLOIT EXPLOIT (INTERNAL) EXPLOIT MALWARE DNS EGG DOWNLOAD EGG DOWNLOAD (INTERNAL) C and C TRAFFIC C and C TRAFFIC (INTERNAL) C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND ATTACK 128.111.52.58 (16:49:56.847 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 55613->22 (16:49:56.847 PDT) 128.208.4.197 (2) (16:50:36.810 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 1C:DF:0F:66:3D:B0 32907->22 (16:50:36.810 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 32907->22 (16:50:36.810 PDT) 128.10.19.53 (16:50:11.058 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 51676->22 (16:50:11.058 PDT) 131.179.150.72 (16:49:02.430 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 35088->22 (16:49:02.430 PDT) 72.36.112.79 (16:49:30.779 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 58341->22 (16:49:30.779 PDT) 131.179.150.70 (2) (16:50:13.968 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 1C:DF:0F:66:3D:B0 49900->22 (16:50:13.968 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 49900->22 (16:50:13.968 PDT) 13.7.64.22 (16:50:32.124 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 58689->22 (16:50:32.124 PDT) 128.42.142.45 (16:49:17.450 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 49693->22 (16:49:17.450 PDT) 204.8.155.227 (16:49:47.473 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 
34129->22 (16:49:47.473 PDT) 192.91.235.230 (16:50:04.505 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 58933->22 (16:50:04.505 PDT) 129.82.12.188 (16:50:20.508 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 55223->22 (16:50:20.508 PDT) 141.212.113.180 (2) (16:49:53.872 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 1C:DF:0F:66:3D:B0 56585->22 (16:49:53.872 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 56585->22 (16:49:53.872 PDT) 141.212.113.179 (16:50:27.628 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 46537->22 (16:50:27.628 PDT) 130.127.39.152 (16:49:39.759 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 55177->22 (16:49:39.759 PDT) OUTBOUND ATTACK (INTERNAL) ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 13.7.64.20 (16:52:56.109 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 33 IPs (22 /24s) (# pkts S/M/O/I=0/33/0/0): 22:33, [] MAC_Src: 1C:DF:0F:66:3D:B0 0->0 (16:52:56.109 PDT) 13.7.64.22 (16:51:26.855 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 21 IPs (15 /24s) (# pkts S/M/O/I=0/21/0/0): 22:21, [] MAC_Src: 1C:DF:0F:66:3D:B0 0->0 (16:51:26.855 PDT) tcpslice 1383263342.430 1383263342.431 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 10/31/2013 16:53:51.370 PDT Gen. 
Time: 10/31/2013 16:53:51.370 PDT INBOUND SCAN EXPLOIT EXPLOIT (INTERNAL) EXPLOIT MALWARE DNS EGG DOWNLOAD EGG DOWNLOAD (INTERNAL) C and C TRAFFIC C and C TRAFFIC (INTERNAL) C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND ATTACK OUTBOUND ATTACK (INTERNAL) ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 13.7.64.20 (16:53:51.370 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 41 IPs (24 /24s) (# pkts S/M/O/I=0/41/0/0): 22:41, [] MAC_Src: 1C:DF:0F:66:3D:B0 0->0 (16:53:51.370 PDT) tcpslice 1383263631.370 1383263631.371 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' ============================== SEPARATOR ================================ Score: 1.3 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 10/31/2013 17:09:29.055 PDT Gen. 
Time: 10/31/2013 17:11:51.637 PDT INBOUND SCAN EXPLOIT EXPLOIT (INTERNAL) EXPLOIT MALWARE DNS EGG DOWNLOAD EGG DOWNLOAD (INTERNAL) C and C TRAFFIC C and C TRAFFIC (INTERNAL) C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND ATTACK 128.111.52.58 (2) (17:10:25.035 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 1C:DF:0F:66:3D:B0 55824->22 (17:10:25.035 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 55828->22 (17:10:27.188 PDT) 128.208.4.197 (17:11:05.997 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 33122->22 (17:11:05.997 PDT) 128.10.19.53 (17:10:41.634 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 51891->22 (17:10:41.634 PDT) 131.179.150.72 (17:09:29.055 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 35303->22 (17:09:29.055 PDT) 72.36.112.79 (17:10:02.325 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 58556->22 (17:10:02.325 PDT) 131.179.150.70 (17:10:44.427 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 50115->22 (17:10:44.427 PDT) 13.7.64.22 (17:11:02.196 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 58904->22 (17:11:02.196 PDT) 128.42.142.45 (17:09:44.254 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 49908->22 (17:09:44.254 PDT) 204.8.155.227 (17:10:17.648 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 34344->22 (17:10:17.648 PDT) 192.91.235.230 (17:10:34.886 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 59148->22 
(17:10:34.886 PDT) 129.82.12.188 (2) (17:10:44.807 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 1C:DF:0F:66:3D:B0 55434->22 (17:10:44.807 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 55438->22 (17:10:50.490 PDT) 141.212.113.180 (17:10:23.849 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 56800->22 (17:10:23.849 PDT) 141.212.113.179 (17:10:57.709 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 46752->22 (17:10:57.709 PDT) 128.111.52.59 (17:11:06.673 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 1C:DF:0F:66:3D:B0 33156->22 (17:11:06.673 PDT) 130.127.39.152 (17:10:10.045 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 55392->22 (17:10:10.045 PDT) OUTBOUND ATTACK (INTERNAL) ATTACK PREP PEER COORDINATION Info PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT OUTBOUND INTENSE MALWARE PORT SCAN 165.91.55.8 (17:11:51.637 PDT) event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 21 IPs (15 /24s) (# pkts S/M/O/I=0/21/0/0): 22:21, [] MAC_Src: 1C:DF:0F:66:3D:B0 0->0 (17:11:51.637 PDT) tcpslice 1383264569.055 1383264569.056 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41' ============================== SEPARATOR ================================ Score: 1.3 (>= 0.8) Infected Target: 192.168.1.41 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 10/31/2013 17:09:29.055 PDT Gen. 
Time: 10/31/2013 17:18:24.252 PDT INBOUND SCAN EXPLOIT EXPLOIT (INTERNAL) EXPLOIT MALWARE DNS EGG DOWNLOAD EGG DOWNLOAD (INTERNAL) C and C TRAFFIC C and C TRAFFIC (INTERNAL) C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND ATTACK 128.111.52.58 (2) (17:10:25.035 PDT) event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 1C:DF:0F:66:3D:B0 55824->22 (17:10:25.035 PDT) ------------------------- event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 55828->22 (17:10:27.188 PDT) 128.208.4.197 (17:11:05.997 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 33122->22 (17:11:05.997 PDT) 128.10.19.53 (17:10:41.634 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 51891->22 (17:10:41.634 PDT) 131.179.150.72 (17:09:29.055 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 35303->22 (17:09:29.055 PDT) 72.36.112.79 (17:10:02.325 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 58556->22 (17:10:02.325 PDT) 131.179.150.70 (17:10:44.427 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 50115->22 (17:10:44.427 PDT) 13.7.64.22 (17:11:02.196 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 58904->22 (17:11:02.196 PDT) 128.42.142.45 (17:09:44.254 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 49908->22 (17:09:44.254 PDT) 204.8.155.227 (17:10:17.648 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 34344->22 (17:10:17.648 PDT) 192.91.235.230 (17:10:34.886 PDT) event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0 59148->22 
(17:10:34.886 PDT)
    129.82.12.188 (2) (17:10:44.807 PDT)
        event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 1C:DF:0F:66:3D:B0
        55434->22 (17:10:44.807 PDT)
        -------------------------
        event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0
        55438->22 (17:10:50.490 PDT)
    141.212.113.180 (17:10:23.849 PDT)
        event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0
        56800->22 (17:10:23.849 PDT)
    141.212.113.179 (17:10:57.709 PDT)
        event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0
        46752->22 (17:10:57.709 PDT)
    128.111.52.59 (17:11:06.673 PDT)
        event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 1C:DF:0F:66:3D:B0
        33156->22 (17:11:06.673 PDT)
    130.127.39.152 (17:10:10.045 PDT)
        event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0
        55392->22 (17:10:10.045 PDT)
OUTBOUND ATTACK (INTERNAL)
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN
    165.91.55.8 (2) (17:11:51.637 PDT)
        event=777:7777008 (2) {tcp} E8[bh] Detected intense malware port scanning of 21 IPs (15 /24s) (# pkts S/M/O/I=0/21/0/0): 22:21, [] MAC_Src: 1C:DF:0F:66:3D:B0
        0->0 (17:11:51.637 PDT)
        0->0 (17:13:21.815 PDT)

tcpslice 1383264569.055 1383264569.056 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.41
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 10/31/2013 17:14:28.208 PDT
Gen. Time: 10/31/2013 17:14:28.208 PDT

INBOUND SCAN
EXPLOIT
EXPLOIT (INTERNAL)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
EGG DOWNLOAD (INTERNAL)
C and C TRAFFIC
C and C TRAFFIC (INTERNAL)
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND ATTACK
OUTBOUND ATTACK (INTERNAL)
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN
    165.91.55.10 (17:14:28.208 PDT)
        event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 41 IPs (24 /24s) (# pkts S/M/O/I=0/41/0/0): 22:41, [] MAC_Src: 1C:DF:0F:66:3D:B0
        0->0 (17:14:28.208 PDT)

tcpslice 1383264868.208 1383264868.209 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41'

============================== SEPARATOR ================================

Score: 1.3 (>= 0.8)
Infected Target: 192.168.1.41
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 10/31/2013 17:30:01.066 PDT
Gen. Time: 10/31/2013 17:32:23.365 PDT

INBOUND SCAN
EXPLOIT
EXPLOIT (INTERNAL)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
EGG DOWNLOAD (INTERNAL)
C and C TRAFFIC
C and C TRAFFIC (INTERNAL)
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND ATTACK
    128.111.52.58 (2) (17:30:53.371 PDT)
        event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 1C:DF:0F:66:3D:B0
        56042->22 (17:30:53.371 PDT)
        -------------------------
        event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0
        56043->22 (17:30:53.849 PDT)
    128.208.4.197 (17:31:34.529 PDT)
        event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0
        33337->22 (17:31:34.529 PDT)
    128.10.19.53 (17:31:09.212 PDT)
        event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0
        52106->22 (17:31:09.212 PDT)
    131.179.150.72 (17:30:01.066 PDT)
        event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0
        35518->22 (17:30:01.066 PDT)
    72.36.112.79 (17:30:28.693 PDT)
        event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0
        58771->22 (17:30:28.693 PDT)
    131.179.150.70 (17:31:12.655 PDT)
        event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0
        50330->22 (17:31:12.655 PDT)
    13.7.64.22 (17:31:30.666 PDT)
        event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0
        59119->22 (17:31:30.666 PDT)
    128.42.142.45 (17:30:16.639 PDT)
        event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0
        50123->22 (17:30:16.639 PDT)
    204.8.155.227 (17:30:44.134 PDT)
        event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0
        34559->22 (17:30:44.134 PDT)
    192.91.235.230 (17:31:02.146 PDT)
        event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0
        59363->22 (17:31:02.146 PDT)
    129.82.12.188 (2) (17:31:17.448 PDT)
        event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 1C:DF:0F:66:3D:B0
        55652->22 (17:31:17.448 PDT)
        -------------------------
        event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0
        55653->22 (17:31:18.982 PDT)
    141.212.113.180 (17:30:50.645 PDT)
        event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0
        57015->22 (17:30:50.645 PDT)
    141.212.113.179 (17:31:25.889 PDT)
        event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0
        46967->22 (17:31:25.889 PDT)
    128.111.52.59 (17:31:37.064 PDT)
        event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 1C:DF:0F:66:3D:B0
        33374->22 (17:31:37.064 PDT)
    130.127.39.152 (17:30:36.444 PDT)
        event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0
        55607->22 (17:30:36.444 PDT)
OUTBOUND ATTACK (INTERNAL)
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN
    131.179.150.72 (17:32:23.365 PDT)
        event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 21 IPs (15 /24s) (# pkts S/M/O/I=0/21/0/0): 22:21, [] MAC_Src: 1C:DF:0F:66:3D:B0
        0->0 (17:32:23.365 PDT)

tcpslice 1383265801.066 1383265801.067 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41'

============================== SEPARATOR ================================

Score: 1.3 (>= 0.8)
Infected Target: 192.168.1.41
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 10/31/2013 17:30:01.066 PDT
Gen. Time: 10/31/2013 17:38:54.435 PDT

INBOUND SCAN
EXPLOIT
EXPLOIT (INTERNAL)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
EGG DOWNLOAD (INTERNAL)
C and C TRAFFIC
C and C TRAFFIC (INTERNAL)
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND ATTACK
    128.111.52.58 (2) (17:30:53.371 PDT)
        event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 1C:DF:0F:66:3D:B0
        56042->22 (17:30:53.371 PDT)
        -------------------------
        event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0
        56043->22 (17:30:53.849 PDT)
    128.208.4.197 (17:31:34.529 PDT)
        event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0
        33337->22 (17:31:34.529 PDT)
    128.10.19.53 (17:31:09.212 PDT)
        event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0
        52106->22 (17:31:09.212 PDT)
    131.179.150.72 (17:30:01.066 PDT)
        event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0
        35518->22 (17:30:01.066 PDT)
    72.36.112.79 (17:30:28.693 PDT)
        event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0
        58771->22 (17:30:28.693 PDT)
    131.179.150.70 (17:31:12.655 PDT)
        event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0
        50330->22 (17:31:12.655 PDT)
    13.7.64.22 (17:31:30.666 PDT)
        event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0
        59119->22 (17:31:30.666 PDT)
    128.42.142.45 (17:30:16.639 PDT)
        event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0
        50123->22 (17:30:16.639 PDT)
    204.8.155.227 (17:30:44.134 PDT)
        event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0
        34559->22 (17:30:44.134 PDT)
    192.91.235.230 (17:31:02.146 PDT)
        event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0
        59363->22 (17:31:02.146 PDT)
    129.82.12.188 (2) (17:31:17.448 PDT)
        event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 1C:DF:0F:66:3D:B0
        55652->22 (17:31:17.448 PDT)
        -------------------------
        event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0
        55653->22 (17:31:18.982 PDT)
    141.212.113.180 (17:30:50.645 PDT)
        event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0
        57015->22 (17:30:50.645 PDT)
    141.212.113.179 (17:31:25.889 PDT)
        event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0
        46967->22 (17:31:25.889 PDT)
    128.111.52.59 (17:31:37.064 PDT)
        event=1:2001219 {tcp} E5[rb] ET SCAN Potential SSH Scan (20 in 60 secs), [] MAC_Src: 1C:DF:0F:66:3D:B0
        33374->22 (17:31:37.064 PDT)
    130.127.39.152 (17:30:36.444 PDT)
        event=1:2003068 {tcp} E5[rb] ET SCAN Potential SSH Scan OUTBOUND, [] MAC_Src: 1C:DF:0F:66:3D:B0
        55607->22 (17:30:36.444 PDT)
OUTBOUND ATTACK (INTERNAL)
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN
    131.179.150.72 (17:32:23.365 PDT)
        event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 21 IPs (15 /24s) (# pkts S/M/O/I=0/21/0/0): 22:21, [] MAC_Src: 1C:DF:0F:66:3D:B0
        0->0 (17:32:23.365 PDT)
    129.63.159.101 (17:33:53.859 PDT)
        event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 32 IPs (21 /24s) (# pkts S/M/O/I=0/32/0/0): 22:32, [] MAC_Src: 1C:DF:0F:66:3D:B0
        0->0 (17:33:53.859 PDT)

tcpslice 1383265801.066 1383265801.067 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.41
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 10/31/2013 17:34:43.433 PDT
Gen. Time: 10/31/2013 17:34:43.433 PDT

INBOUND SCAN
EXPLOIT
EXPLOIT (INTERNAL)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
EGG DOWNLOAD (INTERNAL)
C and C TRAFFIC
C and C TRAFFIC (INTERNAL)
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND ATTACK
OUTBOUND ATTACK (INTERNAL)
ATTACK PREP
PEER COORDINATION Info
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT
OUTBOUND INTENSE MALWARE PORT SCAN
    129.63.159.101 (17:34:43.433 PDT)
        event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 38 IPs (23 /24s) (# pkts S/M/O/I=0/38/0/0): 22:38, [] MAC_Src: 1C:DF:0F:66:3D:B0
        0->0 (17:34:43.433 PDT)

tcpslice 1383266083.433 1383266083.434 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.41'

============================== SEPARATOR ================================