Infected Target: 192.168.19.156
Score: 1.0 (>= 0.8)
Infector List:
Egg Source List:
C & C List: 93.174.95.145
Peer Coord. List:
Resource List:
Observed Start: 11/24/2009 15:45:07.084 PST
Gen. Time: 11/24/2009 15:45:08.825 PST
INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
  93.174.95.145 (15:45:07.084 PST)
    event=1:2008189 {tcp} E4[rb] ET TROJAN SpamTool.Win32.Agent.gy/Grum/Tedroo Or Similar HTTP Checkin, [/spm/s_alive.php?id=80155511136222344936838061986084&tick=1655984&ver=480&smtp=ok] MAC_Src: 00:0E:39:DB:3C:00
    1134->80 (15:45:07.084 PST)
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
  217.72.192.149 (15:45:08.825 PST)
    event=1:2000328 {tcp} E5[rb] ET POLICY Outbound Multiple Non-SMTP Server Emails (20 in 120 secs), [] MAC_Src: 00:00:5E:00:01:6F
    1145->25 (15:45:08.825 PST)
ATTACK PREP
PEER COORDINATION
DECLARE BOT
tcpslice 1259106307.084 1259106307.085 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.19.156'
============================== SEPARATOR ================================

Infected Target: 192.168.19.156
Score: 2.6 (>= 0.8)
Infector List:
Egg Source List:
C & C List: 93.174.95.145 (8)
Peer Coord. List:
Resource List: 208.67.222.222 (7)
Observed Start: 11/24/2009 15:45:07.084 PST
Report End: 11/24/2009 15:48:14.889 PST
Gen. Time: 11/24/2009 15:49:03.951 PST
INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
  93.174.95.145 (8) (15:45:07.084 PST)
    event=1:2008189 (8) {tcp} E4[rb] ET TROJAN SpamTool.Win32.Agent.gy/Grum/Tedroo Or Similar HTTP Checkin, [/spm/s_alive.php?id=80155511136222344936838061986084&tick=1655984&ver=480&smtp=ok] MAC_Src: 00:0E:39:DB:3C:00
    1134->80 (15:45:07.084 PST) 1416->80 (15:45:30.903 PST) 1661->80 (15:45:54.719 PST) 1911->80 (15:46:35.561 PST) 2162->80 (15:46:58.383 PST) 2447->80 (15:47:26.214 PST) 2696->80 (15:47:51.035 PST) 2946->80 (15:48:22.881 PST)
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
  205.188.159.216 (3) (15:45:11.753 PST-15:48:14.889 PST)
    event=777:7777005 (3) {tcp} E5[bh] Detected intense non-malware port scanning of 30 IPs (28 /24s) (# pkts S/M/O/I=298/0/1337/0): 25:1337, 53u:298, [] MAC_Src: 00:0E:39:DB:3C:00
    2: 0->0 (15:46:41.000 PST-15:48:14.889 PST) 0->0 (15:45:11.753 PST)
OUTBOUND SCAN
  64.18.5.14 (15:46:38.119 PST)
    event=1:2000328 {tcp} E5[rb] ET POLICY Outbound Multiple Non-SMTP Server Emails (20 in 120 secs), [] MAC_Src: 00:00:5E:00:01:6F
    1960->25 (15:46:38.119 PST)
  217.72.192.188 (15:45:11.383 PST)
    event=1:2000328 {tcp} E5[rb] ET POLICY Outbound Multiple Non-SMTP Server Emails (20 in 120 secs), [] MAC_Src: 00:00:5E:00:01:6F
    1221->25 (15:45:11.383 PST)
  61.9.168.122 (2) (15:45:13.470 PST)
    event=1:2000328 (2) {tcp} E5[rb] ET POLICY Outbound Multiple Non-SMTP Server Emails (20 in 120 secs), [] MAC_Src: 00:00:5E:00:01:6F
    1291->25 (15:45:13.470 PST) 2156->25 (15:46:44.595 PST)
  217.72.192.149 (15:45:08.825 PST)
    event=1:2000328 {tcp} E5[rb] ET POLICY Outbound Multiple Non-SMTP Server Emails (20 in 120 secs), [] MAC_Src: 00:00:5E:00:01:6F
    1145->25 (15:45:08.825 PST)
  216.33.127.20 (15:45:37.469 PST)
    event=1:2000328 {tcp} E5[rb] ET POLICY Outbound Multiple Non-SMTP Server Emails (20 in 120 secs), [] MAC_Src: 00:0E:39:DB:3C:00
    1637->25 (15:45:37.469 PST)
  217.12.11.35 (15:47:02.723 PST)
    event=1:2000328 {tcp} E5[rb] ET POLICY Outbound Multiple Non-SMTP Server Emails (20 in 120 secs), [] MAC_Src: 00:00:5E:00:01:6F
    2241->25 (15:47:02.723 PST)
  205.188.159.216 (15:45:58.279 PST)
    event=1:2000328 {tcp} E5[rb] ET POLICY Outbound Multiple Non-SMTP Server Emails (20 in 120 secs), [] MAC_Src: 00:00:5E:00:01:6F
    1690->25 (15:45:58.279 PST)
  65.55.92.184 (15:45:57.454 PST)
    event=1:2000328 {tcp} E5[rb] ET POLICY Outbound Multiple Non-SMTP Server Emails (20 in 120 secs), [] MAC_Src: 00:00:5E:00:01:6F
    1736->25 (15:45:57.454 PST)
  67.195.168.31 (3) (15:45:36.373 PST)
    event=1:2000328 (3) {tcp} E5[rb] ET POLICY Outbound Multiple Non-SMTP Server Emails (20 in 120 secs), [] MAC_Src: 00:00:5E:00:01:6F
    1421->25 (15:45:36.373 PST) 1436->25 (15:45:40.138 PST) 1923->25 (15:46:38.471 PST)
  206.248.154.58 (15:46:01.504 PST)
    event=1:2000328 {tcp} E5[rb] ET POLICY Outbound Multiple Non-SMTP Server Emails (20 in 120 secs), [] MAC_Src: 00:00:5E:00:01:6F
    1860->25 (15:46:01.504 PST)
  216.32.180.22 (15:45:32.489 PST)
    event=1:2000328 {tcp} E5[rb] ET POLICY Outbound Multiple Non-SMTP Server Emails (20 in 120 secs), [] MAC_Src: 00:00:5E:00:01:6F
    1433->25 (15:45:32.489 PST)
  213.46.255.2 (15:45:13.134 PST)
    event=1:2000328 {tcp} E5[rb] ET POLICY Outbound Multiple Non-SMTP Server Emails (20 in 120 secs), [] MAC_Src: 00:0E:39:DB:3C:00
    1248->25 (15:45:13.134 PST)
  72.32.115.2 (15:45:34.525 PST)
    event=1:2000328 {tcp} E5[rb] ET POLICY Outbound Multiple Non-SMTP Server Emails (20 in 120 secs), [] MAC_Src: 00:00:5E:00:01:6F
    1551->25 (15:45:34.525 PST)
  98.137.54.237 (15:46:43.334 PST)
    event=1:2000328 {tcp} E5[rb] ET POLICY Outbound Multiple Non-SMTP Server Emails (20 in 120 secs), [] MAC_Src: 00:00:5E:00:01:6F
    2100->25 (15:46:43.334 PST)
ATTACK PREP
  208.67.222.222 (7) (15:45:13.580 PST)
    event=1:2003330 (7) {udp} E6[rb] ET POLICY Possible Spambot Host DNS MX Query High Count, [] MAC_Src: 00:A0:8E:BB:59:15
    1332->53 (15:45:13.580 PST) 1528->53 (15:45:33.952 PST) 1829->53 (15:46:00.032 PST) 2065->53 (15:46:40.533 PST) 2420->53 (15:47:07.915 PST) 2579->53 (15:47:29.701 PST) 2873->53 (15:47:57.450 PST)
PEER COORDINATION
DECLARE BOT
  208.67.222.222 (2) (15:45:18.437 PST)
    event=1:9910014 (2) {udp} E8[rb] ET POLICY Spambot Host DNS MX Query High Count, [] MAC_Src: 00:A0:8E:BB:59:15
    1411->53 (15:45:18.437 PST) 2273->53 (15:47:01.715 PST)
tcpslice 1259106307.084 1259106494.890 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.19.156'
============================== SEPARATOR ================================

Infected Target: 192.168.19.156
Score: 0.8 (>= 0.8)
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 11/24/2009 15:47:57.183 PST
Gen. Time: 11/24/2009 15:49:58.370 PST
INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
  205.188.159.216 (15:49:58.370 PST)
    event=777:7777005 {udp} E5[bh] Detected intense non-malware port scanning of 30 IPs (29 /24s) (# pkts S/M/O/I=513/0/3154/0): 25:3154, 53u:513, [] MAC_Src: 00:0E:39:DB:3C:00
    0->0 (15:49:58.370 PST)
OUTBOUND SCAN
  65.55.92.184 (15:47:57.183 PST)
    event=1:2000328 {tcp} E5[rb] ET POLICY Outbound Multiple Non-SMTP Server Emails (20 in 120 secs), [] MAC_Src: 00:0E:39:DB:3C:00
    2861->25 (15:47:57.183 PST)
ATTACK PREP
PEER COORDINATION
DECLARE BOT
tcpslice 1259106477.183 1259106477.184 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.19.156'
============================== SEPARATOR ================================

Infected Target: 192.168.19.156
Score: 2.6 (>= 0.8)
Infector List:
Egg Source List:
C & C List: 93.174.95.145 (3)
Peer Coord. List:
Resource List: 208.67.222.222
Observed Start: 11/24/2009 15:47:57.183 PST
Report End: 11/24/2009 15:50:35.860 PST
Gen. Time: 11/24/2009 15:51:59.963 PST
INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
  93.174.95.145 (3) (15:50:30.726 PST)
    event=1:2008189 (3) {tcp} E4[rb] ET TROJAN SpamTool.Win32.Agent.gy/Grum/Tedroo Or Similar HTTP Checkin, [/spm/s_alive.php?id=80155511136222344936838061986084&tick=1979640&ver=480&smtp=ok] MAC_Src: 00:0E:39:DB:3C:00
    3141->80 (15:50:30.726 PST) 3385->80 (15:50:56.643 PST) 3634->80 (15:51:22.602 PST)
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
  205.188.159.216 (2) (15:49:58.370 PST)
    event=777:7777005 (2) {udp} E5[bh] Detected intense non-malware port scanning of 30 IPs (29 /24s) (# pkts S/M/O/I=513/0/3154/0): 25:3154, 53u:513, [] MAC_Src: 00:0E:39:DB:3C:00
    0->0 (15:49:58.370 PST) 0->0 (15:51:28.015 PST)
OUTBOUND SCAN
  209.202.254.41 (15:51:30.615 PST)
    event=1:2000328 {tcp} E5[rb] ET POLICY Outbound Multiple Non-SMTP Server Emails (20 in 120 secs), [] MAC_Src: 00:00:5E:00:01:6F
    3798->25 (15:51:30.615 PST)
  72.14.221.27 (15:50:34.406 PST)
    event=1:2000328 {tcp} E5[rb] ET POLICY Outbound Multiple Non-SMTP Server Emails (20 in 120 secs), [] MAC_Src: 00:00:5E:00:01:6F
    3172->25 (15:50:34.406 PST)
  207.115.21.20 (15:51:26.399 PST)
    event=1:2000328 {tcp} E5[rb] ET POLICY Outbound Multiple Non-SMTP Server Emails (20 in 120 secs), [] MAC_Src: 00:00:5E:00:01:6F
    3695->25 (15:51:26.399 PST)
  217.12.11.35 (15:50:58.274 PST)
    event=1:2000328 {tcp} E5[rb] ET POLICY Outbound Multiple Non-SMTP Server Emails (20 in 120 secs), [] MAC_Src: 00:00:5E:00:01:6F
    3393->25 (15:50:58.274 PST)
  65.55.92.184 (15:47:57.183 PST)
    event=1:2000328 {tcp} E5[rb] ET POLICY Outbound Multiple Non-SMTP Server Emails (20 in 120 secs), [] MAC_Src: 00:0E:39:DB:3C:00
    2861->25 (15:47:57.183 PST)
  64.12.138.88 (2) (15:50:34.092 PST-15:50:35.860 PST)
    event=1:2000328 (2) {tcp} E5[rb] ET POLICY Outbound Multiple Non-SMTP Server Emails (20 in 120 secs), [] MAC_Src: 00:00:5E:00:01:6F
    2: 3160->25 (15:50:34.092 PST-15:50:35.860 PST)
  65.55.37.88 (15:48:26.614 PST)
    event=1:2000328 {tcp} E5[rb] ET POLICY Outbound Multiple Non-SMTP Server Emails (20 in 120 secs), [] MAC_Src: 00:0E:39:DB:3C:00
    3051->25 (15:48:26.614 PST)
  67.195.168.31 (2) (15:51:00.267 PST)
    event=1:2000328 (2) {tcp} E5[rb] ET POLICY Outbound Multiple Non-SMTP Server Emails (20 in 120 secs), [] MAC_Src: 00:00:5E:00:01:6F
    3679->25 (15:51:27.025 PST) 3395->25 (15:51:00.267 PST)
  209.86.93.227 (15:51:02.461 PST)
    event=1:2000328 {tcp} E5[rb] ET POLICY Outbound Multiple Non-SMTP Server Emails (20 in 120 secs), [] MAC_Src: 00:00:5E:00:01:6F
    3441->25 (15:51:02.461 PST)
  206.46.232.11 (15:51:04.061 PST)
    event=1:2000328 {tcp} E5[rb] ET POLICY Outbound Multiple Non-SMTP Server Emails (20 in 120 secs), [] MAC_Src: 00:00:5E:00:01:6F
    3560->25 (15:51:04.061 PST)
ATTACK PREP
  208.67.222.222 (15:51:04.893 PST)
    event=1:2003330 {udp} E6[rb] ET POLICY Possible Spambot Host DNS MX Query High Count, [] MAC_Src: 00:A0:8E:BB:59:15
    3584->53 (15:51:04.893 PST)
PEER COORDINATION
DECLARE BOT
  208.67.222.222 (15:51:04.903 PST)
    event=1:9910014 {udp} E8[rb] ET POLICY Spambot Host DNS MX Query High Count, [] MAC_Src: 00:A0:8E:BB:59:15
    3588->53 (15:51:04.903 PST)
tcpslice 1259106477.183 1259106635.861 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.19.156'
============================== SEPARATOR ================================

Infected Target: 192.168.19.156
Score: 0.8 (>= 0.8)
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 11/24/2009 15:50:37.639 PST
Gen. Time: 11/24/2009 15:52:58.976 PST
INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
  132.234.242.59 (15:52:58.976 PST)
    event=777:7777005 {tcp} E5[bh] Detected intense non-malware port scanning of 30 IPs (28 /24s) (# pkts S/M/O/I=640/0/4400/0): 25:4400, 53u:640, [] MAC_Src: 00:0E:39:DB:3C:00
    0->0 (15:52:58.976 PST)
OUTBOUND SCAN
  207.69.189.41 (15:51:05.849 PST)
    event=1:2000328 {tcp} E5[rb] ET POLICY Outbound Multiple Non-SMTP Server Emails (20 in 120 secs), [] MAC_Src: 00:0E:39:DB:3C:00
    3601->25 (15:51:05.849 PST)
  194.134.42.41 (15:50:37.639 PST)
    event=1:2000328 {tcp} E5[rb] ET POLICY Outbound Multiple Non-SMTP Server Emails (20 in 120 secs), [] MAC_Src: 00:0E:39:DB:3C:00
    3328->25 (15:50:37.639 PST)
ATTACK PREP
PEER COORDINATION
DECLARE BOT
tcpslice 1259106637.639 1259106637.640 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.19.156'
============================== SEPARATOR ================================

Infected Target: 192.168.19.156
Score: 1.3 (>= 0.8)
Infector List:
Egg Source List:
C & C List: 93.174.95.145
Peer Coord. List:
Resource List:
Observed Start: 11/24/2009 15:50:37.639 PST
Gen. Time: 11/24/2009 15:54:37.934 PST
INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
  93.174.95.145 (15:53:44.400 PST)
    event=1:2008189 {tcp} E4[rb] ET TROJAN SpamTool.Win32.Agent.gy/Grum/Tedroo Or Similar HTTP Checkin, [/spm/s_alive.php?id=80155511136222344936838061986084&tick=2173359&ver=480&smtp=ok] MAC_Src: 00:0E:39:DB:3C:00
    3908->80 (15:53:44.400 PST)
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
  132.234.242.59 (15:52:58.976 PST)
    event=777:7777005 {tcp} E5[bh] Detected intense non-malware port scanning of 30 IPs (28 /24s) (# pkts S/M/O/I=640/0/4400/0): 25:4400, 53u:640, [] MAC_Src: 00:0E:39:DB:3C:00
    0->0 (15:52:58.976 PST)
OUTBOUND SCAN
  207.69.189.41 (15:51:05.849 PST)
    event=1:2000328 {tcp} E5[rb] ET POLICY Outbound Multiple Non-SMTP Server Emails (20 in 120 secs), [] MAC_Src: 00:0E:39:DB:3C:00
    3601->25 (15:51:05.849 PST)
  194.134.42.41 (15:50:37.639 PST)
    event=1:2000328 {tcp} E5[rb] ET POLICY Outbound Multiple Non-SMTP Server Emails (20 in 120 secs), [] MAC_Src: 00:0E:39:DB:3C:00
    3328->25 (15:50:37.639 PST)
  205.158.62.207 (15:51:31.947 PST)
    event=1:2000328 {tcp} E5[rb] ET POLICY Outbound Multiple Non-SMTP Server Emails (20 in 120 secs), [] MAC_Src: 00:0E:39:DB:3C:00
    3836->25 (15:51:31.947 PST)
ATTACK PREP
PEER COORDINATION
DECLARE BOT
tcpslice 1259106637.639 1259106637.640 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.19.156'
============================== SEPARATOR ================================

Infected Target: 192.168.19.156
Score: 0.8 (>= 0.8)
Infector List:
Egg Source List:
C & C List: 93.174.95.145
Peer Coord. List:
Resource List:
Observed Start: 11/24/2009 16:05:37.864 PST
Gen. Time: 11/24/2009 16:08:44.663 PST
INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
  93.174.95.145 (16:08:44.663 PST)
    event=1:2008189 {tcp} E4[rb] ET TROJAN SpamTool.Win32.Agent.gy/Grum/Tedroo Or Similar HTTP Checkin, [/spm/s_alive.php?id=80155511136222344936838061986084&tick=3073671&ver=480&smtp=ok] MAC_Src: 00:0E:39:DB:3C:00
    3977->80 (16:08:44.663 PST)
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
  132.234.242.59 (16:05:37.864 PST)
    event=777:7777005 {tcp} E5[bh] Detected intense non-malware port scanning of 30 IPs (29 /24s) (# pkts S/M/O/I=642/0/4702/0): 25:4702, 53u:642, [] MAC_Src: 00:0E:39:DB:3C:00
    0->0 (16:05:37.864 PST)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
DECLARE BOT
tcpslice 1259107537.864 1259107537.865 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.19.156'
============================== SEPARATOR ================================