Score: 0.8 (>= 0.8) Infected Target: 192.168.1.100 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 06/20/2011 00:02:57.907 PDT Gen. Time: 06/20/2011 00:02:57.907 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 134.34.246.5 (00:02:57.907 PDT) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 4121->4121 (00:02:57.907 PDT) tcpslice 1308553377.907 1308553377.908 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100' ============================== SEPARATOR ================================ Score: 1.3 (>= 0.8) Infected Target: 192.168.1.100 Infector List: Egg Source List: 212.227.97.179 C & C List: Peer Coord. List: Resource List: Observed Start: 06/20/2011 00:02:57.907 PDT Gen. Time: 06/20/2011 00:10:32.462 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD 212.227.97.179 (5) (00:03:55.083 PDT) event=1:2003179 (5) {tcp} E3[rb] ET POLICY exe download without User Agent, [/coblitz/wow/patches/3.2.0/WoW-3.2.0-enGB-patch.exe] MAC_Src: 00:21:5A:08:BB:0C 39921->80 (00:03:55.083 PDT) 53125->80 (00:06:28.409 PDT) 53426->80 (00:07:44.394 PDT) 53490->80 (00:07:58.490 PDT) 53521->80 (00:08:07.499 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 134.34.246.5 (00:02:57.907 PDT) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 4121->4121 (00:02:57.907 PDT) 143.89.49.74 (00:03:48.751 PDT) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 60384->61921 (00:03:48.751 PDT) tcpslice 1308553377.907 1308553377.908 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.100 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 06/20/2011 00:12:59.590 PDT Gen. Time: 06/20/2011 00:12:59.590 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 132.239.17.226 (00:12:59.590 PDT) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 2122->2122 (00:12:59.590 PDT) tcpslice 1308553979.590 1308553979.591 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100' ============================== SEPARATOR ================================ Score: 1.3 (>= 0.8) Infected Target: 192.168.1.100 Infector List: Egg Source List: 212.227.97.179 C & C List: Peer Coord. List: Resource List: Observed Start: 06/20/2011 00:12:59.590 PDT Gen. Time: 06/20/2011 00:20:41.888 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD 212.227.97.179 (3) (00:13:14.279 PDT) event=1:2003179 (3) {tcp} E3[rb] ET POLICY exe download without User Agent, [/coblitz/wow/patches/3.3.0/WoW-3.2.0.10192-to-3.3.0.10958-enUS-patch.exe] MAC_Src: 00:21:5A:08:BB:0C 54094->80 (00:13:14.279 PDT) 54488->80 (00:14:52.035 PDT) 41939->80 (00:16:25.179 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 132.239.17.226 (00:12:59.590 PDT) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 2122->2122 (00:12:59.590 PDT) 206.207.248.34 (00:15:34.136 PDT) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 56490->3128 (00:15:34.136 PDT) tcpslice 1308553979.590 1308553979.591 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100' ============================== SEPARATOR ================================ Score: 1.3 (>= 0.8) Infected Target: 192.168.1.100 Infector List: Egg Source List: 212.227.97.179 C & C List: Peer Coord. List: Resource List: Observed Start: 06/20/2011 00:22:23.081 PDT Gen. Time: 06/20/2011 00:23:04.988 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD 212.227.97.179 (00:22:23.081 PDT) event=1:2003179 {tcp} E3[rb] ET POLICY exe download without User Agent, [/coblitz/wow/patches/3.3.2/WoW-3.3.0.11159-to-3.3.2.11403-enGB-patch.exe] MAC_Src: 00:21:5A:08:BB:0C 54538->80 (00:22:23.081 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 206.207.248.34 (00:23:04.988 PDT) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 23127->23127 (00:23:04.988 PDT) tcpslice 1308554543.081 1308554543.082 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100' ============================== SEPARATOR ================================ Score: 1.7 (>= 0.8) Infected Target: 192.168.1.100 Infector List: Egg Source List: 212.227.97.179 C & C List: 213.136.106.214 Peer Coord. List: Resource List: Observed Start: 06/20/2011 00:22:23.081 PDT Gen. Time: 06/20/2011 00:27:41.690 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD 212.227.97.179 (2) (00:22:23.081 PDT) event=1:2003179 (2) {tcp} E3[rb] ET POLICY exe download without User Agent, [/coblitz/wow/patches/3.3.2/WoW-3.3.0.11159-to-3.3.2.11403-enGB-patch.exe] MAC_Src: 00:21:5A:08:BB:0C 54538->80 (00:22:23.081 PDT) 54910->80 (00:23:54.796 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) 213.136.106.214 (00:26:27.323 PDT) event=1:3810008 {udp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:BB:0C 37685->53 (00:26:27.323 PDT) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 132.239.17.226 (00:27:41.690 PDT) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 33045->2128 (00:27:41.690 PDT) 206.207.248.34 (00:23:04.988 PDT) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 23127->23127 (00:23:04.988 PDT) tcpslice 1308554543.081 1308554543.082 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100' ============================== SEPARATOR ================================ Score: 1.3 (>= 0.8) Infected Target: 192.168.1.100 Infector List: Egg Source List: 212.227.97.179 C & C List: Peer Coord. List: Resource List: Observed Start: 06/20/2011 00:29:59.888 PDT Gen. Time: 06/20/2011 00:33:04.469 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD 212.227.97.179 (7) (00:29:59.888 PDT) event=1:2000419 {tcp} E3[rb] ET POLICY PE EXE or DLL Windows file download, [] MAC_Src: 00:21:1C:EE:14:00 34779<-80 (00:30:00.085 PDT) ------------------------- event=1:2003179 (4) {tcp} E3[rb] ET POLICY exe download without User Agent, [/coblitz/wow/patches/3.3.0/WoW-3.2.0.10192-to-3.3.0.10958-esMX-patch.exe] MAC_Src: 00:21:5A:08:BB:0C 34779->80 (00:29:59.888 PDT) 35091->80 (00:31:21.145 PDT) 35277->80 (00:32:01.712 PDT) 35411->80 (00:32:34.883 PDT) ------------------------- event=1:2007671 {tcp} E3[rb] ET POLICY Binary Download Smaller than 1 MB Likely Hostile, [] MAC_Src: 00:21:1C:EE:14:00 34779<-80 (00:30:00.085 PDT) ------------------------- event=1:3300007 {tcp} E3[rb] BotHunter Malware Windows executable (PE) sent from remote host, [] MAC_Src: 00:21:1C:EE:14:00 34779<-80 (00:30:00.085 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 132.239.17.226 (00:33:04.469 PDT) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 2121->2121 (00:33:04.469 PDT) tcpslice 1308554999.888 1308554999.889 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100' ============================== SEPARATOR ================================ Score: 1.3 (>= 0.8) Infected Target: 192.168.1.100 Infector List: Egg Source List: 212.227.97.179 C & C List: Peer Coord. List: Resource List: Observed Start: 06/20/2011 00:29:59.888 PDT Gen. Time: 06/20/2011 00:38:20.025 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD 212.227.97.179 (8) (00:29:59.888 PDT) event=1:2000419 {tcp} E3[rb] ET POLICY PE EXE or DLL Windows file download, [] MAC_Src: 00:21:1C:EE:14:00 34779<-80 (00:30:00.085 PDT) ------------------------- event=1:2003179 (5) {tcp} E3[rb] ET POLICY exe download without User Agent, [/coblitz/wow/patches/3.3.0/WoW-3.2.0.10192-to-3.3.0.10958-esMX-patch.exe] MAC_Src: 00:21:5A:08:BB:0C 34779->80 (00:29:59.888 PDT) 35091->80 (00:31:21.145 PDT) 35277->80 (00:32:01.712 PDT) 35411->80 (00:32:34.883 PDT) 40928->80 (00:34:58.626 PDT) ------------------------- event=1:2007671 {tcp} E3[rb] ET POLICY Binary Download Smaller than 1 MB Likely Hostile, [] MAC_Src: 00:21:1C:EE:14:00 34779<-80 (00:30:00.085 PDT) ------------------------- event=1:3300007 {tcp} E3[rb] BotHunter Malware Windows executable (PE) sent from remote host, [] MAC_Src: 00:21:1C:EE:14:00 34779<-80 (00:30:00.085 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 132.239.17.226 (00:33:04.469 PDT) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 2121->2121 (00:33:04.469 PDT) tcpslice 1308554999.888 1308554999.889 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.100 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 06/20/2011 00:39:12.204 PDT Gen. Time: 06/20/2011 00:39:12.204 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 132.239.17.226 (00:39:12.204 PDT) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 43167->2126 (00:39:12.204 PDT) tcpslice 1308555552.204 1308555552.205 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100' ============================== SEPARATOR ================================ Score: 1.3 (>= 0.8) Infected Target: 192.168.1.100 Infector List: Egg Source List: 212.227.97.179 C & C List: Peer Coord. List: Resource List: Observed Start: 06/20/2011 00:39:12.204 PDT Gen. Time: 06/20/2011 00:43:54.734 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD 212.227.97.179 (2) (00:39:34.397 PDT) event=1:2003179 (2) {tcp} E3[rb] ET POLICY exe download without User Agent, [/coblitz/wow/patches/3.2.0/WoW-3.2.0-enGB-patch.exe] MAC_Src: 00:21:5A:08:BB:0C 42002->80 (00:39:34.397 PDT) 42020->80 (00:39:39.744 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 132.239.17.226 (00:39:12.204 PDT) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 43167->2126 (00:39:12.204 PDT) 206.207.248.34 (00:43:06.815 PDT) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 2122->2122 (00:43:06.815 PDT) tcpslice 1308555552.204 1308555552.205 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100' ============================== SEPARATOR ================================ Score: 0.9 (>= 0.8) Infected Target: 192.168.1.100 Infector List: Egg Source List: 212.227.97.179 C & C List: 194.85.105.17 Peer Coord. List: Resource List: Observed Start: 06/20/2011 00:46:59.508 PDT Gen. Time: 06/20/2011 00:49:32.508 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD 212.227.97.179 (2) (00:46:59.508 PDT) event=1:2003179 (2) {tcp} E3[rb] ET POLICY exe download without User Agent, [/coblitz/wow/patches/3.2.0/WoW-3.2.0-enGB-patch.exe] MAC_Src: 00:21:5A:08:BB:0C 45721->80 (00:46:59.508 PDT) 46064->80 (00:48:20.859 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) 194.85.105.17 (00:49:32.508 PDT) event=1:3810008 {udp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:BB:0C 59910->53 (00:49:32.508 PDT) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT tcpslice 1308556019.508 1308556019.509 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100' ============================== SEPARATOR ================================ Score: 1.3 (>= 0.8) Infected Target: 192.168.1.100 Infector List: Egg Source List: 212.227.97.179 C & C List: Peer Coord. List: Resource List: Observed Start: 06/20/2011 00:53:00.908 PDT Gen. Time: 06/20/2011 00:53:06.035 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD 212.227.97.179 (00:53:00.908 PDT) event=1:2003179 {tcp} E3[rb] ET POLICY exe download without User Agent, [/coblitz/wow/patches/3.2.0/WoW-3.2.0-enGB-patch.exe] MAC_Src: 00:21:5A:08:BB:0C 34573->80 (00:53:00.908 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 206.207.248.34 (00:53:06.035 PDT) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 23127->23127 (00:53:06.035 PDT) tcpslice 1308556380.908 1308556380.909 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.100 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 06/20/2011 00:56:27.844 PDT Gen. Time: 06/20/2011 00:56:27.844 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 206.207.248.34 (00:56:27.844 PDT) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 41199->2126 (00:56:27.844 PDT) tcpslice 1308556587.844 1308556587.845 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100' ============================== SEPARATOR ================================ Score: 1.3 (>= 0.8) Infected Target: 192.168.1.100 Infector List: Egg Source List: 212.227.97.179 C & C List: Peer Coord. List: Resource List: Observed Start: 06/20/2011 00:56:27.844 PDT Gen. Time: 06/20/2011 01:03:10.101 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD 212.227.97.179 (4) (00:57:46.431 PDT) event=1:2003179 (4) {tcp} E3[rb] ET POLICY exe download without User Agent, [/coblitz/wow/patches/3.2.0/WoW-3.2.0-enGB-patch.exe] MAC_Src: 00:21:5A:08:BB:0C 45160->80 (00:57:46.431 PDT) 45409->80 (00:58:46.519 PDT) 45636->80 (00:59:42.784 PDT) 45670->80 (00:59:51.451 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 12.46.129.16 (01:03:10.101 PDT) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 4121->4121 (01:03:10.101 PDT) 206.207.248.34 (00:56:27.844 PDT) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 41199->2126 (00:56:27.844 PDT) tcpslice 1308556587.844 1308556587.845 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.100 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 06/20/2011 01:08:21.741 PDT Gen. Time: 06/20/2011 01:08:21.741 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 206.207.248.34 (01:08:21.741 PDT) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 37030->2126 (01:08:21.741 PDT) tcpslice 1308557301.741 1308557301.742 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100' ============================== SEPARATOR ================================ Score: 1.7 (>= 0.8) Infected Target: 192.168.1.100 Infector List: Egg Source List: 212.227.97.179 C & C List: 194.85.105.17 Peer Coord. List: Resource List: Observed Start: 06/20/2011 01:08:21.741 PDT Gen. Time: 06/20/2011 01:14:13.302 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD 212.227.97.179 (01:11:06.953 PDT) event=1:2003179 {tcp} E3[rb] ET POLICY exe download without User Agent, [/coblitz/wow/patches/3.3.0/WoW-3.2.0.10192-to-3.3.0.10958-esES-patch.exe] MAC_Src: 00:21:5A:08:BB:0C 58550->80 (01:11:06.953 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) 194.85.105.17 (01:11:55.284 PDT) event=1:3810008 {udp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:BB:0C 33606->33435 (01:11:55.284 PDT) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 206.207.248.34 (01:08:21.741 PDT) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 37030->2126 (01:08:21.741 PDT) 192.93.0.4 (01:13:12.245 PDT) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 33606->33435 (01:13:12.245 PDT) tcpslice 1308557301.741 1308557301.742 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100' ============================== SEPARATOR ================================ Score: 1.3 (>= 0.8) Infected Target: 192.168.1.100 Infector List: Egg Source List: 212.227.97.179 C & C List: Peer Coord. List: Resource List: Observed Start: 06/20/2011 01:14:23.838 PDT Gen. Time: 06/20/2011 01:18:31.804 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD 212.227.97.179 (3) (01:14:23.838 PDT) event=1:2003179 (3) {tcp} E3[rb] ET POLICY exe download without User Agent, [/coblitz/wow/patches/3.3.2/WoW-3.3.0.11159-to-3.3.2.11403-esES-patch.exe] MAC_Src: 00:21:5A:08:BB:0C 59355->80 (01:14:23.838 PDT) 55129->80 (01:15:24.324 PDT) 55665->80 (01:17:33.927 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 132.239.17.226 (01:18:31.804 PDT) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 34721->2128 (01:18:31.804 PDT) tcpslice 1308557663.838 1308557663.839 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100' ============================== SEPARATOR ================================ Score: 1.3 (>= 0.8) Infected Target: 192.168.1.100 Infector List: Egg Source List: 212.227.97.179 C & C List: Peer Coord. List: Resource List: Observed Start: 06/20/2011 01:14:23.838 PDT Gen. Time: 06/20/2011 01:27:27.910 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD 212.227.97.179 (8) (01:14:23.838 PDT) event=1:2003179 (8) {tcp} E3[rb] ET POLICY exe download without User Agent, [/coblitz/wow/patches/3.3.2/WoW-3.3.0.11159-to-3.3.2.11403-esES-patch.exe] MAC_Src: 00:21:5A:08:BB:0C 59355->80 (01:14:23.838 PDT) 55129->80 (01:15:24.324 PDT) 55665->80 (01:17:33.927 PDT) 56171->80 (01:19:38.619 PDT) 44361->80 (01:20:38.829 PDT) 45093->80 (01:23:32.731 PDT) 45126->80 (01:23:40.656 PDT) 45334->80 (01:24:28.356 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 132.239.17.226 (01:18:31.804 PDT) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 34721->2128 (01:18:31.804 PDT) 195.37.16.125 (01:23:12.083 PDT) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 14503->14503 (01:23:12.083 PDT) tcpslice 1308557663.838 1308557663.839 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.100 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 06/20/2011 01:31:17.917 PDT Gen. Time: 06/20/2011 01:31:17.917 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 206.207.248.34 (01:31:17.917 PDT) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 36849->2126 (01:31:17.917 PDT) tcpslice 1308558677.917 1308558677.918 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100' ============================== SEPARATOR ================================ Score: 1.3 (>= 0.8) Infected Target: 192.168.1.100 Infector List: Egg Source List: 212.227.97.179 C & C List: Peer Coord. List: Resource List: Observed Start: 06/20/2011 01:31:17.917 PDT Gen. Time: 06/20/2011 01:34:25.211 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD 212.227.97.179 (01:32:00.301 PDT) event=1:2003179 {tcp} E3[rb] ET POLICY exe download without User Agent, [/coblitz/wow/patches/3.3.2/WoW-3.3.0.11159-to-3.3.2.11403-deDE-patch.exe] MAC_Src: 00:21:5A:08:BB:0C 50760->80 (01:32:00.301 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 206.207.248.34 (01:31:17.917 PDT) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 36849->2126 (01:31:17.917 PDT) 195.37.16.125 (01:33:20.054 PDT) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 14503->14503 (01:33:20.054 PDT) tcpslice 1308558677.917 1308558677.918 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.100 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 06/20/2011 01:43:20.983 PDT Gen. Time: 06/20/2011 01:43:20.983 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 206.207.248.34 (01:43:20.983 PDT) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 2122->2122 (01:43:20.983 PDT) tcpslice 1308559400.983 1308559400.984 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.100 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 06/20/2011 01:43:20.983 PDT Gen. Time: 06/20/2011 01:47:45.422 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 206.207.248.34 (2) (01:43:20.983 PDT) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 58946->2128 (01:44:34.141 PDT) ------------------------- event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 2122->2122 (01:43:20.983 PDT) tcpslice 1308559400.983 1308559400.984 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.100 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 06/20/2011 01:53:33.736 PDT Gen. Time: 06/20/2011 01:53:33.736 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 206.207.248.34 (01:53:33.736 PDT) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 23127->23127 (01:53:33.736 PDT) tcpslice 1308560013.736 1308560013.737 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.100 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 06/20/2011 01:53:33.736 PDT Gen. Time: 06/20/2011 01:56:48.622 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 206.207.248.34 (2) (01:53:33.736 PDT) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 58717->2128 (01:55:39.843 PDT) ------------------------- event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 23127->23127 (01:53:33.736 PDT) tcpslice 1308560013.736 1308560013.737 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.100 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 06/20/2011 02:03:34.255 PDT Gen. Time: 06/20/2011 02:03:34.255 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 195.37.16.125 (02:03:34.255 PDT) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 14503->14503 (02:03:34.255 PDT) tcpslice 1308560614.255 1308560614.256 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.100 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 06/20/2011 02:03:34.255 PDT Gen. Time: 06/20/2011 02:07:15.501 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 206.207.248.34 (02:05:56.663 PDT) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 36427->2126 (02:05:56.663 PDT) 195.37.16.125 (02:03:34.255 PDT) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 14503->14503 (02:03:34.255 PDT) tcpslice 1308560614.255 1308560614.256 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.100 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 06/20/2011 02:13:47.908 PDT Gen. Time: 06/20/2011 02:13:47.908 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 132.239.17.226 (02:13:47.908 PDT) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 2122->2122 (02:13:47.908 PDT) tcpslice 1308561227.908 1308561227.909 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100' ============================== SEPARATOR ================================ Score: 1.3 (>= 0.8) Infected Target: 192.168.1.100 Infector List: Egg Source List: 212.227.97.179 C & C List: Peer Coord. List: Resource List: Observed Start: 06/20/2011 02:16:58.597 PDT Gen. Time: 06/20/2011 02:19:43.521 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD 212.227.97.179 (02:16:58.597 PDT) event=1:2003179 {tcp} E3[rb] ET POLICY exe download without User Agent, [/coblitz/wow/patches/3.3.0/WoW-3.2.0.10192-to-3.3.0.10958-enGB-patch.exe] MAC_Src: 00:21:5A:08:BB:0C 35945->80 (02:16:58.597 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 132.239.17.226 (02:19:43.521 PDT) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 52193->2126 (02:19:43.521 PDT) tcpslice 1308561418.597 1308561418.598 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100' ============================== SEPARATOR ================================ Score: 1.3 (>= 0.8) Infected Target: 192.168.1.100 Infector List: Egg Source List: 212.227.97.179 C & C List: Peer Coord. List: Resource List: Observed Start: 06/20/2011 02:21:50.816 PDT Gen. Time: 06/20/2011 02:23:49.993 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD 212.227.97.179 (02:21:50.816 PDT) event=1:2003179 {tcp} E3[rb] ET POLICY exe download without User Agent, [/coblitz/wow/patches/3.3.2/WoW-3.3.0.11159-to-3.3.2.11403-enGB-patch.exe] MAC_Src: 00:21:5A:08:BB:0C 40160->80 (02:21:50.816 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 206.207.248.34 (02:23:49.993 PDT) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 2122->2122 (02:23:49.993 PDT) tcpslice 1308561710.816 1308561710.817 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100' ============================== SEPARATOR ================================ Score: 1.3 (>= 0.8) Infected Target: 192.168.1.100 Infector List: Egg Source List: 212.227.97.179 C & C List: Peer Coord. List: Resource List: Observed Start: 06/20/2011 02:29:11.437 PDT Gen. Time: 06/20/2011 02:30:27.363 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD 212.227.97.179 (2) (02:29:11.437 PDT) event=1:2003179 (2) {tcp} E3[rb] ET POLICY exe download without User Agent, [/coblitz/wow/patches/3.3.2/WoW-3.3.0.11159-to-3.3.2.11403-enGB-patch.exe] MAC_Src: 00:21:5A:08:BB:0C 59801->80 (02:29:11.437 PDT) 33965->80 (02:30:02.001 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 206.207.248.34 (02:30:27.363 PDT) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 59279->2128 (02:30:27.363 PDT) tcpslice 1308562151.437 1308562151.438 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100' ============================== SEPARATOR ================================ Score: 1.3 (>= 0.8) Infected Target: 192.168.1.100 Infector List: Egg Source List: 212.227.97.179 C & C List: Peer Coord. List: Resource List: Observed Start: 06/20/2011 02:31:58.295 PDT Gen. Time: 06/20/2011 02:33:50.702 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD 212.227.97.179 (02:31:58.295 PDT) event=1:2003179 {tcp} E3[rb] ET POLICY exe download without User Agent, [/coblitz/wow/patches/3.3.0/WoW-3.2.0.10192-to-3.3.0.10958-enGB-patch.exe] MAC_Src: 00:21:5A:08:BB:0C 34441->80 (02:31:58.295 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 206.207.248.34 (02:33:50.702 PDT) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 2122->2122 (02:33:50.702 PDT) tcpslice 1308562318.295 1308562318.296 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.100 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 06/20/2011 02:44:02.461 PDT Gen. Time: 06/20/2011 02:44:02.461 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 132.239.17.226 (02:44:02.461 PDT) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 2122->2122 (02:44:02.461 PDT) tcpslice 1308563042.461 1308563042.462 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.100 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 06/20/2011 02:44:02.461 PDT Gen. Time: 06/20/2011 02:46:41.279 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 132.239.17.226 (2) (02:44:02.461 PDT) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 37665->2128 (02:45:14.934 PDT) ------------------------- event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 2122->2122 (02:44:02.461 PDT) tcpslice 1308563042.461 1308563042.462 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.100 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 06/20/2011 02:54:06.675 PDT Gen. Time: 06/20/2011 02:54:06.675 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 206.207.248.34 (02:54:06.675 PDT) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 23127->23127 (02:54:06.675 PDT) tcpslice 1308563646.675 1308563646.676 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.100 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 06/20/2011 02:54:06.675 PDT Gen. Time: 06/20/2011 02:55:15.628 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 206.207.248.34 (2) (02:54:06.675 PDT) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 50197->3128 (02:55:15.628 PDT) ------------------------- event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 23127->23127 (02:54:06.675 PDT) tcpslice 1308563646.675 1308563646.676 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100' ============================== SEPARATOR ================================ Score: 1.3 (>= 0.8) Infected Target: 192.168.1.100 Infector List: Egg Source List: 212.227.97.179 C & C List: Peer Coord. List: Resource List: Observed Start: 06/20/2011 03:01:15.942 PDT Gen. Time: 06/20/2011 03:04:15.466 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD 212.227.97.179 (03:01:15.942 PDT) event=1:2003179 {tcp} E3[rb] ET POLICY exe download without User Agent, [/coblitz/wow/patches/3.3.0/WoW-3.2.0.10192-to-3.3.0.10958-enGB-patch.exe] MAC_Src: 00:21:5A:08:BB:0C 56277->80 (03:01:15.942 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 206.207.248.34 (03:04:15.466 PDT) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 23127->23127 (03:04:15.466 PDT) tcpslice 1308564075.942 1308564075.943 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100' ============================== SEPARATOR ================================ Score: 1.3 (>= 0.8) Infected Target: 192.168.1.100 Infector List: Egg Source List: 212.227.97.179 C & C List: Peer Coord. List: Resource List: Observed Start: 06/20/2011 03:01:15.942 PDT Gen. Time: 06/20/2011 03:07:40.615 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD 212.227.97.179 (3) (03:01:15.942 PDT) event=1:2003179 (3) {tcp} E3[rb] ET POLICY exe download without User Agent, [/coblitz/wow/patches/3.3.0/WoW-3.2.0.10192-to-3.3.0.10958-enGB-patch.exe] MAC_Src: 00:21:5A:08:BB:0C 56277->80 (03:01:15.942 PDT) 57110->80 (03:04:22.889 PDT) 57110->80 (03:04:26.127 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 206.207.248.34 (03:04:15.466 PDT) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 23127->23127 (03:04:15.466 PDT) 143.89.49.74 (03:06:32.269 PDT) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 41062->61921 (03:06:32.269 PDT) tcpslice 1308564075.942 1308564075.943 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.100 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 06/20/2011 03:14:15.538 PDT Gen. Time: 06/20/2011 03:14:15.538 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 132.239.17.226 (03:14:15.538 PDT) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 2122->2122 (03:14:15.538 PDT) tcpslice 1308564855.538 1308564855.539 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.100 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 06/20/2011 03:19:22.879 PDT Gen. Time: 06/20/2011 03:19:22.879 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 132.239.17.226 (03:19:22.879 PDT) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 40754->2128 (03:19:22.879 PDT) tcpslice 1308565162.879 1308565162.880 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100' ============================== SEPARATOR ================================ Score: 1.3 (>= 0.8) Infected Target: 192.168.1.100 Infector List: Egg Source List: 212.227.97.179 C & C List: Peer Coord. List: Resource List: Observed Start: 06/20/2011 03:22:22.564 PDT Gen. Time: 06/20/2011 03:24:17.758 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD 212.227.97.179 (03:22:22.564 PDT) event=1:2003179 {tcp} E3[rb] ET POLICY exe download without User Agent, [/coblitz/wow/patches/3.2.0/WoW-3.2.0-frFR-patch.exe] MAC_Src: 00:21:5A:08:BB:0C 41586->80 (03:22:22.564 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 195.37.16.125 (03:24:17.758 PDT) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 14503->14503 (03:24:17.758 PDT) tcpslice 1308565342.564 1308565342.565 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.100 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 06/20/2011 03:29:29.282 PDT Gen. Time: 06/20/2011 03:29:29.282 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 206.207.248.34 (03:29:29.282 PDT) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 42877->2128 (03:29:29.282 PDT) tcpslice 1308565769.282 1308565769.283 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100' ============================== SEPARATOR ================================ Score: 1.3 (>= 0.8) Infected Target: 192.168.1.100 Infector List: Egg Source List: 212.227.97.179 C & C List: Peer Coord. List: Resource List: Observed Start: 06/20/2011 03:33:17.513 PDT Gen. Time: 06/20/2011 03:34:21.397 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD 212.227.97.179 (2) (03:33:17.513 PDT) event=1:2003179 (2) {tcp} E3[rb] ET POLICY exe download without User Agent, [/coblitz/wow/patches/3.2.0/WoW-3.2.0-frFR-patch.exe] MAC_Src: 00:21:5A:08:BB:0C 51995->80 (03:33:17.513 PDT) 52158->80 (03:33:55.518 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 12.46.129.16 (03:34:21.397 PDT) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 2121->2121 (03:34:21.397 PDT) tcpslice 1308565997.513 1308565997.514 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100' ============================== SEPARATOR ================================ Score: 1.3 (>= 0.8) Infected Target: 192.168.1.100 Infector List: Egg Source List: 212.227.97.179 C & C List: Peer Coord. List: Resource List: Observed Start: 06/20/2011 03:37:45.442 PDT Gen. Time: 06/20/2011 03:44:23.285 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD 212.227.97.179 (4) (03:37:45.442 PDT) event=1:2003179 (4) {tcp} E3[rb] ET POLICY exe download without User Agent, [/coblitz/wow/patches/3.2.0/WoW-3.2.0-frFR-patch.exe] MAC_Src: 00:21:5A:08:BB:0C 58001->80 (03:37:45.442 PDT) 58005->80 (03:37:46.256 PDT) 58368->80 (03:39:09.571 PDT) 58963->80 (03:42:33.716 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 195.37.16.125 (03:44:23.285 PDT) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 14503->14503 (03:44:23.285 PDT) tcpslice 1308566265.442 1308566265.443 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100' ============================== SEPARATOR ================================ Score: 1.3 (>= 0.8) Infected Target: 192.168.1.100 Infector List: Egg Source List: 212.227.97.179 C & C List: Peer Coord. List: Resource List: Observed Start: 06/20/2011 03:37:45.442 PDT Gen. Time: 06/20/2011 03:46:21.426 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD 212.227.97.179 (4) (03:37:45.442 PDT) event=1:2003179 (4) {tcp} E3[rb] ET POLICY exe download without User Agent, [/coblitz/wow/patches/3.2.0/WoW-3.2.0-frFR-patch.exe] MAC_Src: 00:21:5A:08:BB:0C 58001->80 (03:37:45.442 PDT) 58005->80 (03:37:46.256 PDT) 58368->80 (03:39:09.571 PDT) 58963->80 (03:42:33.716 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 206.207.248.34 (03:44:40.523 PDT) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 46941->3128 (03:44:40.523 PDT) 195.37.16.125 (03:44:23.285 PDT) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 14503->14503 (03:44:23.285 PDT) tcpslice 1308566265.442 1308566265.443 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100' ============================== SEPARATOR ================================ Score: 1.3 (>= 0.8) Infected Target: 192.168.1.100 Infector List: Egg Source List: 212.227.97.179 C & C List: Peer Coord. List: Resource List: Observed Start: 06/20/2011 03:50:37.170 PDT Gen. Time: 06/20/2011 03:54:51.452 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD 212.227.97.179 (6) (03:50:37.170 PDT) event=1:2003179 (6) {tcp} E3[rb] ET POLICY exe download without User Agent, [/coblitz/wow/patches/3.2.0/WoW-3.2.0-frFR-patch.exe] MAC_Src: 00:21:5A:08:BB:0C 57030->80 (03:50:37.170 PDT) 57042->80 (03:50:39.231 PDT) 57191->80 (03:51:19.532 PDT) 57402->80 (03:52:07.475 PDT) 57709->80 (03:53:23.960 PDT) 57823->80 (03:53:49.697 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 132.239.17.226 (03:54:51.452 PDT) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 2122->2122 (03:54:51.452 PDT) tcpslice 1308567037.170 1308567037.171 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100' ============================== SEPARATOR ================================ Score: 1.3 (>= 0.8) Infected Target: 192.168.1.100 Infector List: Egg Source List: 212.227.97.179 C & C List: Peer Coord. List: Resource List: Observed Start: 06/20/2011 03:50:37.170 PDT Gen. Time: 06/20/2011 03:55:59.183 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD 212.227.97.179 (6) (03:50:37.170 PDT) event=1:2003179 (6) {tcp} E3[rb] ET POLICY exe download without User Agent, [/coblitz/wow/patches/3.2.0/WoW-3.2.0-frFR-patch.exe] MAC_Src: 00:21:5A:08:BB:0C 57030->80 (03:50:37.170 PDT) 57042->80 (03:50:39.231 PDT) 57191->80 (03:51:19.532 PDT) 57402->80 (03:52:07.475 PDT) 57709->80 (03:53:23.960 PDT) 57823->80 (03:53:49.697 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 132.239.17.226 (2) (03:54:51.452 PDT) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 50773->2128 (03:54:58.404 PDT) ------------------------- event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 2122->2122 (03:54:51.452 PDT) tcpslice 1308567037.170 1308567037.171 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100' ============================== SEPARATOR ================================ Score: 1.3 (>= 0.8) Infected Target: 192.168.1.100 Infector List: Egg Source List: 212.227.97.179 C & C List: Peer Coord. List: Resource List: Observed Start: 06/20/2011 03:56:19.262 PDT Gen. Time: 06/20/2011 04:04:57.173 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD 212.227.97.179 (5) (03:56:19.262 PDT) event=1:2003179 (5) {tcp} E3[rb] ET POLICY exe download without User Agent, [/coblitz/wow/patches/3.2.0/WoW-3.2.0-frFR-patch.exe] MAC_Src: 00:21:5A:08:BB:0C 45127->80 (03:56:19.262 PDT) 45459->80 (03:57:14.000 PDT) 46028->80 (03:59:25.376 PDT) 51282->80 (04:01:51.756 PDT) 51284->80 (04:01:52.040 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 134.34.246.5 (04:04:57.173 PDT) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 2122->2122 (04:04:57.173 PDT) tcpslice 1308567379.262 1308567379.263 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100' ============================== SEPARATOR ================================ Score: 1.3 (>= 0.8) Infected Target: 192.168.1.100 Infector List: Egg Source List: 212.227.97.179 C & C List: Peer Coord. List: Resource List: Observed Start: 06/20/2011 03:56:19.262 PDT Gen. Time: 06/20/2011 04:17:48.269 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD 212.227.97.179 (11) (03:56:19.262 PDT) event=1:2003179 (11) {tcp} E3[rb] ET POLICY exe download without User Agent, [/coblitz/wow/patches/3.2.0/WoW-3.2.0-frFR-patch.exe] MAC_Src: 00:21:5A:08:BB:0C 45127->80 (03:56:19.262 PDT) 45459->80 (03:57:14.000 PDT) 46028->80 (03:59:25.376 PDT) 51282->80 (04:01:51.756 PDT) 51284->80 (04:01:52.040 PDT) 58788->80 (04:05:04.213 PDT) 58793->80 (04:05:05.173 PDT) 59040->80 (04:06:07.942 PDT) 59361->80 (04:07:21.561 PDT) 48758->80 (04:11:17.603 PDT) 50289->80 (04:15:18.745 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 134.34.246.5 (04:04:57.173 PDT) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 2122->2122 (04:04:57.173 PDT) 143.89.49.74 (04:06:55.971 PDT) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 52877->61921 (04:06:55.971 PDT) 195.37.16.125 (04:14:58.895 PDT) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 14503->14503 (04:14:58.895 PDT) tcpslice 1308567379.262 1308567379.263 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.100 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 06/20/2011 04:18:31.501 PDT Gen. Time: 06/20/2011 04:18:31.501 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 206.207.248.34 (04:18:31.501 PDT) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 50747->3128 (04:18:31.501 PDT) tcpslice 1308568711.501 1308568711.502 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100' ============================== SEPARATOR ================================ Score: 1.3 (>= 0.8) Infected Target: 192.168.1.100 Infector List: Egg Source List: 212.227.97.179 C & C List: Peer Coord. List: Resource List: Observed Start: 06/20/2011 04:18:31.501 PDT Gen. Time: 06/20/2011 04:24:13.726 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD 212.227.97.179 (2) (04:20:57.191 PDT) event=1:2003179 (2) {tcp} E3[rb] ET POLICY exe download without User Agent, [/coblitz/wow/patches/3.2.0/WoW-3.2.0-enUS-patch.exe] MAC_Src: 00:21:5A:08:BB:0C 35309->80 (04:20:57.191 PDT) 35358->80 (04:21:09.288 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 206.207.248.34 (04:18:31.501 PDT) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 50747->3128 (04:18:31.501 PDT) tcpslice 1308568711.501 1308568711.502 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.100 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 06/20/2011 04:24:58.977 PDT Gen. Time: 06/20/2011 04:24:58.977 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 195.37.16.125 (04:24:58.977 PDT) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 14503->14503 (04:24:58.977 PDT) tcpslice 1308569098.977 1308569098.978 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100' ============================== SEPARATOR ================================ Score: 1.3 (>= 0.8) Infected Target: 192.168.1.100 Infector List: Egg Source List: 212.227.97.179 C & C List: Peer Coord. List: Resource List: Observed Start: 06/20/2011 04:24:58.977 PDT Gen. Time: 06/20/2011 04:40:16.322 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD 212.227.97.179 (13) (04:26:40.815 PDT-04:33:19.230 PDT) event=1:2003179 (13) {tcp} E3[rb] ET POLICY exe download without User Agent, [/coblitz/wow/patches/3.2.0/WoW-3.2.0-frFR-patch.exe] MAC_Src: 00:21:5A:08:BB:0C 42052->80 (04:26:40.815 PDT) 42504->80 (04:28:27.662 PDT) 56567->80 (04:36:12.788 PDT) 42643->80 (04:29:08.947 PDT) 53024->80 (04:31:09.267 PDT) 3: 53501->80 (04:33:11.573 PDT-04:33:19.230 PDT) 53276->80 (04:32:10.742 PDT) 42226->80 (04:27:18.638 PDT) 56586->80 (04:36:16.509 PDT) 42100->80 (04:26:52.558 PDT) 53520->80 (04:33:20.426 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 132.239.17.226 (04:31:55.359 PDT) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 52738->2128 (04:31:55.359 PDT) 195.37.16.125 (2) (04:24:58.977 PDT-04:34:59.600 PDT) event=1:9910006 (2) {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 2: 14503->14503 (04:24:58.977 PDT-04:34:59.600 PDT) tcpslice 1308569098.977 1308569699.601 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100' ============================== SEPARATOR ================================ Score: 1.3 (>= 0.8) Infected Target: 192.168.1.100 Infector List: Egg Source List: 212.227.97.179 C & C List: Peer Coord. List: Resource List: Observed Start: 06/20/2011 04:40:33.818 PDT Gen. Time: 06/20/2011 04:45:01.644 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD 212.227.97.179 (4) (04:40:33.818 PDT) event=1:2003179 (4) {tcp} E3[rb] ET POLICY exe download without User Agent, [/coblitz/wow/patches/3.2.0/WoW-3.2.0-frFR-patch.exe] MAC_Src: 00:21:5A:08:BB:0C 35268->80 (04:40:33.818 PDT) 35757->80 (04:42:30.114 PDT) 35967->80 (04:43:21.001 PDT) 36236->80 (04:44:25.290 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 206.207.248.34 (04:45:01.644 PDT) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 2121->2121 (04:45:01.644 PDT) tcpslice 1308570033.818 1308570033.819 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100' ============================== SEPARATOR ================================ Score: 1.3 (>= 0.8) Infected Target: 192.168.1.100 Infector List: Egg Source List: 212.227.97.179 C & C List: Peer Coord. List: Resource List: Observed Start: 06/20/2011 04:40:33.818 PDT Gen. Time: 06/20/2011 04:51:50.861 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD 212.227.97.179 (9) (04:40:33.818 PDT) event=1:2003179 (9) {tcp} E3[rb] ET POLICY exe download without User Agent, [/coblitz/wow/patches/3.2.0/WoW-3.2.0-frFR-patch.exe] MAC_Src: 00:21:5A:08:BB:0C 35268->80 (04:40:33.818 PDT) 35757->80 (04:42:30.114 PDT) 35967->80 (04:43:21.001 PDT) 36236->80 (04:44:25.290 PDT) 49431->80 (04:45:24.074 PDT) 49523->80 (04:45:47.383 PDT) 49759->80 (04:46:49.121 PDT) 50115->80 (04:48:32.952 PDT) 50198->80 (04:49:00.607 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 132.239.17.226 (04:45:33.861 PDT) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 38273->2126 (04:45:33.861 PDT) 206.207.248.34 (04:45:01.644 PDT) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 2121->2121 (04:45:01.644 PDT) tcpslice 1308570033.818 1308570033.819 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100' ============================== SEPARATOR ================================ Score: 1.3 (>= 0.8) Infected Target: 192.168.1.100 Infector List: Egg Source List: 212.227.97.179 C & C List: Peer Coord. List: Resource List: Observed Start: 06/20/2011 04:52:02.553 PDT Gen. Time: 06/20/2011 04:55:01.061 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD 212.227.97.179 (04:52:02.553 PDT) event=1:2003179 {tcp} E3[rb] ET POLICY exe download without User Agent, [/coblitz/wow/patches/3.2.0/WoW-3.2.0-frFR-patch.exe] MAC_Src: 00:21:5A:08:BB:0C 59442->80 (04:52:02.553 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 206.207.248.34 (04:55:01.061 PDT) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 14503->14503 (04:55:01.061 PDT) tcpslice 1308570722.553 1308570722.554 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100' ============================== SEPARATOR ================================ Score: 1.3 (>= 0.8) Infected Target: 192.168.1.100 Infector List: Egg Source List: 212.227.97.179 C & C List: Peer Coord. List: Resource List: Observed Start: 06/20/2011 04:55:25.929 PDT Gen. Time: 06/20/2011 04:55:37.280 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD 212.227.97.179 (04:55:25.929 PDT) event=1:2003179 {tcp} E3[rb] ET POLICY exe download without User Agent, [/coblitz/wow/patches/3.2.0/WoW-3.2.0-deDE-patch.exe] MAC_Src: 00:21:5A:08:BB:0C 53099->80 (04:55:25.929 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 206.207.248.34 (04:55:37.280 PDT) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 34556->2128 (04:55:37.280 PDT) tcpslice 1308570925.929 1308570925.930 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100' ============================== SEPARATOR ================================ Score: 1.3 (>= 0.8) Infected Target: 192.168.1.100 Infector List: Egg Source List: 72.14.213.104, 72.14.213.103, 72.14.213.147, 72.14.213.99, 72.14.213.106, 72.14.213.105, 212.227.97.179 C & C List: Peer Coord. List: Resource List: Observed Start: 06/20/2011 04:59:07.412 PDT Gen. Time: 06/20/2011 05:05:10.557 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD 72.14.213.104 (2) (05:02:06.639 PDT) event=1:2009295 (2) {tcp} E3[rb] ET USER_AGENTS Suspicious Mozilla User-Agent - Likely Fake (Mozilla/5.0), [/search?tbs=cdr:1,cd_min:2010.1.1.,cd_max:2010.12.31.&q=koblenz site:.vu&num=100&start=0] MAC_Src: 00:21:5A:08:BB:0C 50621->80 (05:02:06.639 PDT) 50889->80 (05:03:18.705 PDT) 72.14.213.103 (05:03:23.871 PDT) event=1:2009295 {tcp} E3[rb] ET USER_AGENTS Suspicious Mozilla User-Agent - Likely Fake (Mozilla/5.0), [/search?tbs=cdr:1,cd_min:2010.1.1.,cd_max:2010.12.31.&q=koblenz site:.zm&num=100&start=0] MAC_Src: 00:21:5A:08:BB:0C 42519->80 (05:03:23.871 PDT) 72.14.213.147 (05:03:01.988 PDT) event=1:2009295 {tcp} E3[rb] ET USER_AGENTS Suspicious Mozilla User-Agent - Likely Fake (Mozilla/5.0), [/search?tbs=cdr:1,cd_min:2010.1.1.,cd_max:2010.12.31.&q=koblenz site:.vg&num=100&start=0] MAC_Src: 00:21:5A:08:BB:0C 46089->80 (05:03:01.988 PDT) 72.14.213.99 (2) (05:02:48.815 PDT) event=1:2009295 (2) {tcp} E3[rb] ET USER_AGENTS Suspicious Mozilla User-Agent - Likely Fake (Mozilla/5.0), [/search?tbs=cdr:1,cd_min:2010.1.1.,cd_max:2010.12.31.&q=koblenz site:.dz&num=100&start=0] MAC_Src: 00:21:5A:08:BB:0C 39640->80 (05:02:48.815 PDT) 40129->80 (05:04:51.775 PDT) 72.14.213.106 (05:04:07.469 PDT) event=1:2009295 {tcp} E3[rb] ET USER_AGENTS Suspicious Mozilla User-Agent - Likely Fake (Mozilla/5.0), [/search?tbs=cdr:1,cd_min:2010.1.1.,cd_max:2010.12.31.&q=koblenz site:.name&num=100&start=0] MAC_Src: 00:21:5A:08:BB:0C 35752->80 (05:04:07.469 PDT) 72.14.213.105 (05:03:15.020 PDT) event=1:2009295 {tcp} E3[rb] ET USER_AGENTS Suspicious Mozilla User-Agent - Likely Fake (Mozilla/5.0), [/search?tbs=cdr:1,cd_min:2010.1.1.,cd_max:2010.12.31.&q=koblenz site:.fj&num=100&start=0] MAC_Src: 00:21:5A:08:BB:0C 45238->80 (05:03:15.020 PDT) 212.227.97.179 (6) (04:59:07.412 PDT) event=1:2003179 (6) {tcp} E3[rb] ET POLICY exe download without User Agent, [/coblitz/wow/patches/3.2.0/WoW-3.2.0-esES-patch.exe] MAC_Src: 00:21:5A:08:BB:0C 54141->80 (04:59:07.412 PDT) 54971->80 (05:00:17.650 PDT) 55081->80 (05:00:39.564 PDT) 55820->80 (05:03:32.632 PDT) 55891->80 (05:03:50.940 PDT) 55893->80 (05:03:51.660 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 206.207.248.34 (05:05:10.557 PDT) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 14503->14503 (05:05:10.557 PDT) tcpslice 1308571147.412 1308571147.413 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100' ============================== SEPARATOR ================================ Score: 1.3 (>= 0.8) Infected Target: 192.168.1.100 Infector List: Egg Source List: 72.14.213.104, 72.14.213.103, 72.14.213.147, 72.14.213.99, 72.14.213.106, 72.14.213.105, 212.227.97.179 C & C List: Peer Coord. List: Resource List: Observed Start: 06/20/2011 04:59:07.412 PDT Gen. Time: 06/20/2011 05:23:33.164 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD 72.14.213.104 (2) (05:02:06.639 PDT) event=1:2009295 (2) {tcp} E3[rb] ET USER_AGENTS Suspicious Mozilla User-Agent - Likely Fake (Mozilla/5.0), [/search?tbs=cdr:1,cd_min:2010.1.1.,cd_max:2010.12.31.&q=koblenz site:.vu&num=100&start=0] MAC_Src: 00:21:5A:08:BB:0C 50621->80 (05:02:06.639 PDT) 50889->80 (05:03:18.705 PDT) 72.14.213.103 (2) (05:03:23.871 PDT) event=1:2009295 (2) {tcp} E3[rb] ET USER_AGENTS Suspicious Mozilla User-Agent - Likely Fake (Mozilla/5.0), [/search?tbs=cdr:1,cd_min:2010.1.1.,cd_max:2010.12.31.&q=koblenz site:.zm&num=100&start=0] MAC_Src: 00:21:5A:08:BB:0C 42519->80 (05:03:23.871 PDT) 38832->80 (05:06:30.366 PDT) 72.14.213.147 (05:03:01.988 PDT) event=1:2009295 {tcp} E3[rb] ET USER_AGENTS Suspicious Mozilla User-Agent - Likely Fake (Mozilla/5.0), [/search?tbs=cdr:1,cd_min:2010.1.1.,cd_max:2010.12.31.&q=koblenz site:.vg&num=100&start=0] MAC_Src: 00:21:5A:08:BB:0C 46089->80 (05:03:01.988 PDT) 72.14.213.99 (3) (05:02:48.815 PDT) event=1:2009295 (3) {tcp} E3[rb] ET USER_AGENTS Suspicious Mozilla User-Agent - Likely Fake (Mozilla/5.0), [/search?tbs=cdr:1,cd_min:2010.1.1.,cd_max:2010.12.31.&q=koblenz site:.dz&num=100&start=0] MAC_Src: 00:21:5A:08:BB:0C 39640->80 (05:02:48.815 PDT) 40129->80 (05:04:51.775 PDT) 37532->80 (05:06:43.538 PDT) 72.14.213.106 (2) (05:04:07.469 PDT) event=1:2009295 (2) {tcp} E3[rb] ET USER_AGENTS Suspicious Mozilla User-Agent - Likely Fake (Mozilla/5.0), [/search?tbs=cdr:1,cd_min:2010.1.1.,cd_max:2010.12.31.&q=koblenz site:.name&num=100&start=0] MAC_Src: 00:21:5A:08:BB:0C 35752->80 (05:04:07.469 PDT) 41337->80 (05:05:48.186 PDT) 72.14.213.105 (05:03:15.020 PDT) event=1:2009295 {tcp} E3[rb] ET USER_AGENTS Suspicious Mozilla User-Agent - Likely Fake (Mozilla/5.0), [/search?tbs=cdr:1,cd_min:2010.1.1.,cd_max:2010.12.31.&q=koblenz site:.fj&num=100&start=0] MAC_Src: 00:21:5A:08:BB:0C 45238->80 (05:03:15.020 PDT) 212.227.97.179 (6) (04:59:07.412 PDT) event=1:2003179 (6) {tcp} E3[rb] ET POLICY exe download without User Agent, [/coblitz/wow/patches/3.2.0/WoW-3.2.0-esES-patch.exe] MAC_Src: 00:21:5A:08:BB:0C 54141->80 (04:59:07.412 PDT) 54971->80 (05:00:17.650 PDT) 55081->80 (05:00:39.564 PDT) 55820->80 (05:03:32.632 PDT) 55891->80 (05:03:50.940 PDT) 55893->80 (05:03:51.660 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 206.207.248.34 (2) (05:05:10.557 PDT) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 57900->2126 (05:19:52.052 PDT) ------------------------- event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 14503->14503 (05:05:10.557 PDT) 143.89.49.74 (05:06:53.601 PDT) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 41705->61921 (05:06:53.601 PDT) 195.37.16.125 (05:15:12.693 PDT) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 14503->14503 (05:15:12.693 PDT) tcpslice 1308571147.412 1308571147.413 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.100 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 06/20/2011 05:25:13.611 PDT Gen. Time: 06/20/2011 05:25:13.611 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 132.239.17.226 (05:25:13.611 PDT) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 4121->4121 (05:25:13.611 PDT) tcpslice 1308572713.611 1308572713.612 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100' ============================== SEPARATOR ================================ Score: 1.3 (>= 0.8) Infected Target: 192.168.1.100 Infector List: Egg Source List: 212.227.97.179 C & C List: Peer Coord. List: Resource List: Observed Start: 06/20/2011 05:30:24.071 PDT Gen. Time: 06/20/2011 05:33:42.375 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD 212.227.97.179 (05:30:24.071 PDT) event=1:2003179 {tcp} E3[rb] ET POLICY exe download without User Agent, [/coblitz/wow/patches/3.2.0/WoW-3.2.0-frFR-patch.exe] MAC_Src: 00:21:5A:08:BB:0C 33024->80 (05:30:24.071 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 132.239.17.226 (05:33:42.375 PDT) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 55647->2128 (05:33:42.375 PDT) tcpslice 1308573024.071 1308573024.072 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100' ============================== SEPARATOR ================================ Score: 1.3 (>= 0.8) Infected Target: 192.168.1.100 Infector List: Egg Source List: 212.227.97.179 C & C List: Peer Coord. List: Resource List: Observed Start: 06/20/2011 05:34:21.450 PDT Gen. Time: 06/20/2011 05:35:14.318 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD 212.227.97.179 (05:34:21.450 PDT) event=1:2003179 {tcp} E3[rb] ET POLICY exe download without User Agent, [/coblitz/wow/patches/3.2.0/WoW-3.2.0-enGB-patch.exe] MAC_Src: 00:21:5A:08:BB:0C 33919->80 (05:34:21.450 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 206.207.248.34 (05:35:14.318 PDT) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 2122->2122 (05:35:14.318 PDT) tcpslice 1308573261.450 1308573261.451 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100' ============================== SEPARATOR ================================ Score: 1.3 (>= 0.8) Infected Target: 192.168.1.100 Infector List: Egg Source List: 212.227.97.179 C & C List: Peer Coord. List: Resource List: Observed Start: 06/20/2011 05:34:21.450 PDT Gen. Time: 06/20/2011 05:41:23.616 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD 212.227.97.179 (5) (05:34:21.450 PDT-05:37:59.849 PDT) event=1:2003179 (5) {tcp} E3[rb] ET POLICY exe download without User Agent, [/coblitz/wow/patches/3.2.0/WoW-3.2.0-enGB-patch.exe] MAC_Src: 00:21:5A:08:BB:0C 33919->80 (05:34:21.450 PDT) 3: 60453->80 (05:37:53.144 PDT-05:37:59.849 PDT) 60485->80 (05:38:00.053 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 206.207.248.34 (05:35:14.318 PDT) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 2122->2122 (05:35:14.318 PDT) tcpslice 1308573261.450 1308573479.850 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.100 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 06/20/2011 05:45:14.010 PDT Gen. Time: 06/20/2011 05:45:14.010 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 206.207.248.34 (05:45:14.010 PDT) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 14503->14503 (05:45:14.010 PDT) tcpslice 1308573914.010 1308573914.011 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.100 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 06/20/2011 05:50:04.867 PDT Gen. Time: 06/20/2011 05:50:04.867 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 206.207.248.34 (05:50:04.867 PDT) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 58071->2126 (05:50:04.867 PDT) tcpslice 1308574204.867 1308574204.868 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100' ============================== SEPARATOR ================================ Score: 1.3 (>= 0.8) Infected Target: 192.168.1.100 Infector List: Egg Source List: 212.227.97.179 C & C List: Peer Coord. List: Resource List: Observed Start: 06/20/2011 05:50:04.867 PDT Gen. Time: 06/20/2011 05:54:00.449 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD 212.227.97.179 (2) (05:50:40.784 PDT) event=1:2003179 (2) {tcp} E3[rb] ET POLICY exe download without User Agent, [/coblitz/wow/patches/3.2.0/WoW-3.2.0-esES-patch.exe] MAC_Src: 00:21:5A:08:BB:0C 57648->80 (05:50:40.784 PDT) 57966->80 (05:51:54.885 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 206.207.248.34 (05:50:04.867 PDT) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 58071->2126 (05:50:04.867 PDT) tcpslice 1308574204.867 1308574204.868 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.100 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 06/20/2011 05:55:15.276 PDT Gen. Time: 06/20/2011 05:55:15.276 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 134.34.246.5 (05:55:15.276 PDT) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 49301->49301 (05:55:15.276 PDT) tcpslice 1308574515.276 1308574515.277 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100' ============================== SEPARATOR ================================ Score: 1.3 (>= 0.8) Infected Target: 192.168.1.100 Infector List: Egg Source List: 212.227.97.179 C & C List: Peer Coord. List: Resource List: Observed Start: 06/20/2011 05:55:15.276 PDT Gen. Time: 06/20/2011 05:59:17.593 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD 212.227.97.179 (05:55:55.215 PDT) event=1:2003179 {tcp} E3[rb] ET POLICY exe download without User Agent, [/coblitz/wow/patches/3.2.0/WoW-3.2.0-esES-patch.exe] MAC_Src: 00:21:5A:08:BB:0C 44907->80 (05:55:55.215 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 134.34.246.5 (05:55:15.276 PDT) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 49301->49301 (05:55:15.276 PDT) tcpslice 1308574515.276 1308574515.277 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.100 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 06/20/2011 06:00:06.102 PDT Gen. Time: 06/20/2011 06:00:06.102 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 206.207.248.34 (06:00:06.102 PDT) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 59975->3128 (06:00:06.102 PDT) tcpslice 1308574806.102 1308574806.103 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100' ============================== SEPARATOR ================================ Score: 1.3 (>= 0.8) Infected Target: 192.168.1.100 Infector List: Egg Source List: 212.227.97.179 C & C List: Peer Coord. List: Resource List: Observed Start: 06/20/2011 06:00:06.102 PDT Gen. Time: 06/20/2011 06:26:40.654 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD 212.227.97.179 (17) (06:00:26.051 PDT-06:14:01.986 PDT) event=1:2003179 (17) {tcp} E3[rb] ET POLICY exe download without User Agent, [/coblitz/wow/patches/3.2.0/WoW-3.2.0-frFR-patch.exe] MAC_Src: 00:21:5A:08:BB:0C 46291->80 (06:00:28.771 PDT) 49894->80 (06:21:08.238 PDT) 42743->80 (06:11:54.713 PDT) 46284->80 (06:00:26.051 PDT) 2: 43223->80 (06:14:01.879 PDT-06:14:01.986 PDT) 44107->80 (06:19:28.573 PDT) 43722->80 (06:17:43.087 PDT) 46874->80 (06:03:10.408 PDT) 36803->80 (06:09:46.635 PDT) 43184->80 (06:15:08.660 PDT) 42464->80 (06:10:37.867 PDT) 50358->80 (06:23:09.218 PDT) 42367->80 (06:10:14.834 PDT) 36043->80 (06:06:25.438 PDT) 43223->80 (06:13:57.299 PDT) 36598->80 (06:08:51.014 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 134.34.246.5 (06:05:17.701 PDT) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 49301->49301 (06:05:17.701 PDT) 132.239.17.226 (06:11:59.730 PDT) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 53644->2128 (06:11:59.730 PDT) 206.207.248.34 (3) (06:00:06.102 PDT-06:25:22.167 PDT) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 59975->3128 (06:00:06.102 PDT) ------------------------- event=1:9910006 (2) {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 2: 14503->14503 (06:15:22.835 PDT-06:25:22.167 PDT) 143.89.49.74 (06:22:14.055 PDT) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 43808->61921 (06:22:14.055 PDT) tcpslice 1308574806.102 1308576322.168 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100' ============================== SEPARATOR ================================ Score: 1.3 (>= 0.8) Infected Target: 192.168.1.100 Infector List: Egg Source List: 212.227.97.179 C & C List: Peer Coord. List: Resource List: Observed Start: 06/20/2011 06:29:09.627 PDT Gen. Time: 06/20/2011 06:32:47.404 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD 212.227.97.179 (4) (06:29:09.627 PDT) event=1:2003179 (4) {tcp} E3[rb] ET POLICY exe download without User Agent, [/coblitz/wow/patches/3.2.0/WoW-3.2.0-deDE-patch.exe] MAC_Src: 00:21:5A:08:BB:0C 44213->80 (06:29:09.627 PDT) 59938->80 (06:30:03.276 PDT) 60217->80 (06:31:30.776 PDT) 60315->80 (06:31:57.663 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 132.239.17.226 (06:32:47.404 PDT) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 53074->2128 (06:32:47.404 PDT) tcpslice 1308576549.627 1308576549.628 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100' ============================== SEPARATOR ================================ Score: 1.3 (>= 0.8) Infected Target: 192.168.1.100 Infector List: Egg Source List: 212.227.97.179 C & C List: Peer Coord. List: Resource List: Observed Start: 06/20/2011 06:29:09.627 PDT Gen. Time: 06/20/2011 06:35:25.828 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD 212.227.97.179 (4) (06:29:09.627 PDT) event=1:2003179 (4) {tcp} E3[rb] ET POLICY exe download without User Agent, [/coblitz/wow/patches/3.2.0/WoW-3.2.0-deDE-patch.exe] MAC_Src: 00:21:5A:08:BB:0C 44213->80 (06:29:09.627 PDT) 59938->80 (06:30:03.276 PDT) 60217->80 (06:31:30.776 PDT) 60315->80 (06:31:57.663 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 132.239.17.226 (06:32:47.404 PDT) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 53074->2128 (06:32:47.404 PDT) 206.207.248.34 (06:35:25.828 PDT) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 23127->23127 (06:35:25.828 PDT) tcpslice 1308576549.627 1308576549.628 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.100 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 06/20/2011 06:44:58.957 PDT Gen. Time: 06/20/2011 06:44:58.957 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 132.239.17.226 (06:44:58.957 PDT) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 53819->2128 (06:44:58.957 PDT) tcpslice 1308577498.957 1308577498.958 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100' ============================== SEPARATOR ================================ Score: 1.3 (>= 0.8) Infected Target: 192.168.1.100 Infector List: Egg Source List: 212.227.97.179 C & C List: Peer Coord. List: Resource List: Observed Start: 06/20/2011 06:44:58.957 PDT Gen. Time: 06/20/2011 06:54:08.665 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD 212.227.97.179 (6) (06:46:20.420 PDT) event=1:2003179 (6) {tcp} E3[rb] ET POLICY exe download without User Agent, [/coblitz/wow/patches/3.2.0/WoW-3.2.0-enUS-patch.exe] MAC_Src: 00:21:5A:08:BB:0C 54175->80 (06:46:20.420 PDT) 54782->80 (06:48:33.832 PDT) 54789->80 (06:48:38.152 PDT) 54826->80 (06:48:48.289 PDT) 41565->80 (06:50:50.228 PDT) 41934->80 (06:52:06.640 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 132.239.17.226 (06:44:58.957 PDT) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 53819->2128 (06:44:58.957 PDT) 206.207.248.34 (06:45:25.414 PDT) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 14503->14503 (06:45:25.414 PDT) tcpslice 1308577498.957 1308577498.958 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.100 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 06/20/2011 06:55:14.415 PDT Gen. Time: 06/20/2011 06:55:14.415 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 206.207.248.34 (06:55:14.415 PDT) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 35137->2126 (06:55:14.415 PDT) tcpslice 1308578114.415 1308578114.416 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100' ============================== SEPARATOR ================================ Score: 1.3 (>= 0.8) Infected Target: 192.168.1.100 Infector List: Egg Source List: 212.227.97.179 C & C List: Peer Coord. List: Resource List: Observed Start: 06/20/2011 06:55:14.415 PDT Gen. Time: 06/20/2011 07:02:40.754 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD 212.227.97.179 (2) (06:56:26.799 PDT) event=1:2003179 (2) {tcp} E3[rb] ET POLICY exe download without User Agent, [/coblitz/wow/patches/3.2.0/WoW-3.2.0-deDE-patch.exe] MAC_Src: 00:21:5A:08:BB:0C 41903->80 (06:56:26.799 PDT) 42291->80 (06:58:13.397 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 206.207.248.34 (2) (06:55:14.415 PDT) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 35137->2126 (06:55:14.415 PDT) ------------------------- event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 2122->2122 (06:55:27.932 PDT) tcpslice 1308578114.415 1308578114.416 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100' ============================== SEPARATOR ================================ Score: 1.3 (>= 0.8) Infected Target: 192.168.1.100 Infector List: Egg Source List: 212.227.97.179 C & C List: Peer Coord. List: Resource List: Observed Start: 06/20/2011 07:02:50.333 PDT Gen. Time: 06/20/2011 07:05:29.758 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD 212.227.97.179 (2) (07:02:50.333 PDT) event=1:2003179 (2) {tcp} E3[rb] ET POLICY exe download without User Agent, [/coblitz/wow/patches/3.2.0/WoW-3.2.0-frFR-patch.exe] MAC_Src: 00:21:5A:08:BB:0C 53852->80 (07:02:50.333 PDT) 54235->80 (07:04:39.843 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 206.207.248.34 (07:05:29.758 PDT) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 23127->23127 (07:05:29.758 PDT) tcpslice 1308578570.333 1308578570.334 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100' ============================== SEPARATOR ================================ Score: 1.3 (>= 0.8) Infected Target: 192.168.1.100 Infector List: Egg Source List: 212.227.97.179 C & C List: Peer Coord. List: Resource List: Observed Start: 06/20/2011 07:02:50.333 PDT Gen. Time: 06/20/2011 07:09:53.026 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD 212.227.97.179 (3) (07:02:50.333 PDT) event=1:2003179 (3) {tcp} E3[rb] ET POLICY exe download without User Agent, [/coblitz/wow/patches/3.2.0/WoW-3.2.0-frFR-patch.exe] MAC_Src: 00:21:5A:08:BB:0C 53852->80 (07:02:50.333 PDT) 54235->80 (07:04:39.843 PDT) 33539->80 (07:06:12.735 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 206.207.248.34 (2) (07:05:29.758 PDT) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 45404->3128 (07:08:44.974 PDT) ------------------------- event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 23127->23127 (07:05:29.758 PDT) tcpslice 1308578570.333 1308578570.334 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100' ============================== SEPARATOR ================================ Score: 1.3 (>= 0.8) Infected Target: 192.168.1.100 Infector List: Egg Source List: 212.227.97.179 C & C List: Peer Coord. List: Resource List: Observed Start: 06/20/2011 07:13:25.756 PDT Gen. Time: 06/20/2011 07:15:29.506 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD 212.227.97.179 (07:13:25.756 PDT) event=1:2003179 {tcp} E3[rb] ET POLICY exe download without User Agent, [/coblitz/wow/patches/3.2.0/WoW-3.2.0-esES-patch.exe] MAC_Src: 00:21:5A:08:BB:0C 59626->80 (07:13:25.756 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 206.207.248.34 (07:15:29.506 PDT) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 2121->2121 (07:15:29.506 PDT) tcpslice 1308579205.756 1308579205.757 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100' ============================== SEPARATOR ================================ Score: 1.3 (>= 0.8) Infected Target: 192.168.1.100 Infector List: Egg Source List: 212.227.97.179 C & C List: Peer Coord. List: Resource List: Observed Start: 06/20/2011 07:23:36.804 PDT Gen. Time: 06/20/2011 07:24:30.970 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD 212.227.97.179 (07:23:36.804 PDT) event=1:2003179 {tcp} E3[rb] ET POLICY exe download without User Agent, [/coblitz/wow/patches/3.2.0/WoW-3.2.0-enUS-patch.exe] MAC_Src: 00:21:5A:08:BB:0C 39559->80 (07:23:36.804 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 206.207.248.34 (07:24:30.970 PDT) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 33739->2126 (07:24:30.970 PDT) tcpslice 1308579816.804 1308579816.805 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100' ============================== SEPARATOR ================================ Score: 1.3 (>= 0.8) Infected Target: 192.168.1.100 Infector List: Egg Source List: 212.227.97.179 C & C List: Peer Coord. List: Resource List: Observed Start: 06/20/2011 07:23:36.804 PDT Gen. Time: 06/20/2011 07:29:29.950 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD 212.227.97.179 (2) (07:23:36.804 PDT) event=1:2003179 (2) {tcp} E3[rb] ET POLICY exe download without User Agent, [/coblitz/wow/patches/3.2.0/WoW-3.2.0-enUS-patch.exe] MAC_Src: 00:21:5A:08:BB:0C 39559->80 (07:23:36.804 PDT) 42930->80 (07:25:37.714 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 206.207.248.34 (2) (07:24:30.970 PDT) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 33739->2126 (07:24:30.970 PDT) ------------------------- event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 2121->2121 (07:25:31.968 PDT) tcpslice 1308579816.804 1308579816.805 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.100 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 06/20/2011 07:35:31.755 PDT Gen. Time: 06/20/2011 07:35:31.755 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 195.37.16.125 (07:35:31.755 PDT) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 14503->14503 (07:35:31.755 PDT) tcpslice 1308580531.755 1308580531.756 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.100 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 06/20/2011 07:35:31.755 PDT Gen. Time: 06/20/2011 07:38:40.181 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 143.89.49.74 (07:37:03.906 PDT) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 56529->61921 (07:37:03.906 PDT) 195.37.16.125 (07:35:31.755 PDT) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 14503->14503 (07:35:31.755 PDT) tcpslice 1308580531.755 1308580531.756 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.100 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 06/20/2011 07:45:39.069 PDT Gen. Time: 06/20/2011 07:45:39.069 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 134.34.246.5 (07:45:39.069 PDT) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 4121->4121 (07:45:39.069 PDT) tcpslice 1308581139.069 1308581139.070 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100' ============================== SEPARATOR ================================ Score: 1.3 (>= 0.8) Infected Target: 192.168.1.100 Infector List: Egg Source List: 212.227.97.179 C & C List: Peer Coord. List: Resource List: Observed Start: 06/20/2011 07:45:39.069 PDT Gen. Time: 06/20/2011 07:52:29.074 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD 212.227.97.179 (8) (07:45:39.171 PDT-07:46:13.934 PDT) event=1:2003179 (8) {tcp} E3[rb] ET POLICY exe download without User Agent, [/coblitz/wow/patches/3.2.0/WoW-3.2.0-frFR-patch.exe] MAC_Src: 00:21:5A:08:BB:0C 41139->80 (07:45:39.171 PDT) 41399->80 (07:47:03.070 PDT) 41707->80 (07:48:30.187 PDT) 41270->80 (07:46:20.429 PDT) 41251->80 (07:46:15.437 PDT) 3: 41227->80 (07:46:04.228 PDT-07:46:13.934 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 134.34.246.5 (07:45:39.069 PDT) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 4121->4121 (07:45:39.069 PDT) 132.239.17.226 (07:47:14.374 PDT) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 57001->2128 (07:47:14.374 PDT) tcpslice 1308581139.069 1308581173.935 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.100 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 06/20/2011 07:55:40.515 PDT Gen. Time: 06/20/2011 07:55:40.515 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 206.207.248.34 (07:55:40.515 PDT) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 4795->4795 (07:55:40.515 PDT) tcpslice 1308581740.515 1308581740.516 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100' ============================== SEPARATOR ================================ Score: 1.3 (>= 0.8) Infected Target: 192.168.1.100 Infector List: Egg Source List: 212.227.97.179 C & C List: Peer Coord. List: Resource List: Observed Start: 06/20/2011 07:55:40.515 PDT Gen. Time: 06/20/2011 08:02:43.431 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD 212.227.97.179 (07:59:10.471 PDT) event=1:2003179 {tcp} E3[rb] ET POLICY exe download without User Agent, [/coblitz/wow/patches/3.2.0/WoW-3.2.0-frFR-patch.exe] MAC_Src: 00:21:5A:08:BB:0C 45326->80 (07:59:10.471 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 206.207.248.34 (2) (07:55:40.515 PDT) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 36890->3128 (08:02:05.541 PDT) ------------------------- event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 4795->4795 (07:55:40.515 PDT) tcpslice 1308581740.515 1308581740.516 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100' ============================== SEPARATOR ================================ Score: 1.3 (>= 0.8) Infected Target: 192.168.1.100 Infector List: Egg Source List: 212.227.97.179 C & C List: Peer Coord. List: Resource List: Observed Start: 06/20/2011 08:05:19.159 PDT Gen. Time: 06/20/2011 08:05:40.869 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD 212.227.97.179 (08:05:19.159 PDT) event=1:2003179 {tcp} E3[rb] ET POLICY exe download without User Agent, [/coblitz/wow/patches/3.2.0/WoW-3.2.0-frFR-patch.exe] MAC_Src: 00:21:5A:08:BB:0C 57021->80 (08:05:19.159 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 206.207.248.34 (08:05:40.869 PDT) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 2122->2122 (08:05:40.869 PDT) tcpslice 1308582319.159 1308582319.160 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100' ============================== SEPARATOR ================================ Score: 1.3 (>= 0.8) Infected Target: 192.168.1.100 Infector List: Egg Source List: 212.227.97.179 C & C List: Peer Coord. List: Resource List: Observed Start: 06/20/2011 08:05:19.159 PDT Gen. Time: 06/20/2011 08:14:21.362 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD 212.227.97.179 (6) (08:05:19.159 PDT) event=1:2003179 (6) {tcp} E3[rb] ET POLICY exe download without User Agent, [/coblitz/wow/patches/3.2.0/WoW-3.2.0-frFR-patch.exe] MAC_Src: 00:21:5A:08:BB:0C 57021->80 (08:05:19.159 PDT) 57377->80 (08:06:57.711 PDT) 57813->80 (08:08:59.285 PDT) 57828->80 (08:09:04.401 PDT) 60351->80 (08:10:05.333 PDT) 60398->80 (08:10:20.105 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 132.239.17.226 (08:13:34.084 PDT) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 41877->2126 (08:13:34.084 PDT) 206.207.248.34 (08:05:40.869 PDT) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 2122->2122 (08:05:40.869 PDT) tcpslice 1308582319.159 1308582319.160 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.100 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 06/20/2011 08:15:42.852 PDT Gen. Time: 06/20/2011 08:15:42.852 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 195.37.16.125 (08:15:42.852 PDT) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 14503->14503 (08:15:42.852 PDT) tcpslice 1308582942.852 1308582942.853 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.100 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 06/20/2011 08:25:42.740 PDT Gen. Time: 06/20/2011 08:25:42.740 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 206.207.248.34 (08:25:42.740 PDT) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 2122->2122 (08:25:42.740 PDT) tcpslice 1308583542.740 1308583542.741 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100' ============================== SEPARATOR ================================ Score: 1.3 (>= 0.8) Infected Target: 192.168.1.100 Infector List: Egg Source List: 212.227.97.179 C & C List: Peer Coord. List: Resource List: Observed Start: 06/20/2011 08:25:42.740 PDT Gen. Time: 06/20/2011 08:33:03.358 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD 212.227.97.179 (7) (08:26:40.797 PDT-08:30:46.005 PDT) event=1:2003179 (7) {tcp} E3[rb] ET POLICY exe download without User Agent, [/coblitz/wow/patches/3.2.0/WoW-3.2.0-frFR-patch.exe] MAC_Src: 00:21:5A:08:BB:0C 35768->80 (08:26:40.797 PDT) 35955->80 (08:27:36.527 PDT) 36329->80 (08:29:32.209 PDT) 36272->80 (08:29:16.764 PDT) 3: 43128->80 (08:30:41.801 PDT-08:30:46.005 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 132.239.17.226 (08:27:29.808 PDT) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 40158->2128 (08:27:29.808 PDT) 206.207.248.34 (08:25:42.740 PDT) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 2122->2122 (08:25:42.740 PDT) tcpslice 1308583542.740 1308583846.006 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100' ============================== SEPARATOR ================================ Score: 1.3 (>= 0.8) Infected Target: 192.168.1.100 Infector List: Egg Source List: 212.227.97.179 C & C List: Peer Coord. List: Resource List: Observed Start: 06/20/2011 08:33:21.108 PDT Gen. Time: 06/20/2011 08:35:48.956 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD 212.227.97.179 (2) (08:33:21.108 PDT) event=1:2003179 (2) {tcp} E3[rb] ET POLICY exe download without User Agent, [/coblitz/wow/patches/3.3.0/WoW-3.2.0.10192-to-3.3.0.10958-deDE-patch.exe] MAC_Src: 00:21:5A:08:BB:0C 43634->80 (08:33:21.108 PDT) 33797->80 (08:35:43.295 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 134.34.246.5 (08:35:48.956 PDT) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 23127->23127 (08:35:48.956 PDT) tcpslice 1308584001.108 1308584001.109 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100' ============================== SEPARATOR ================================ Score: 1.3 (>= 0.8) Infected Target: 192.168.1.100 Infector List: Egg Source List: 212.227.97.179 C & C List: Peer Coord. List: Resource List: Observed Start: 06/20/2011 08:33:21.108 PDT Gen. Time: 06/20/2011 08:37:29.905 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD 212.227.97.179 (2) (08:33:21.108 PDT) event=1:2003179 (2) {tcp} E3[rb] ET POLICY exe download without User Agent, [/coblitz/wow/patches/3.3.0/WoW-3.2.0.10192-to-3.3.0.10958-deDE-patch.exe] MAC_Src: 00:21:5A:08:BB:0C 43634->80 (08:33:21.108 PDT) 33797->80 (08:35:43.295 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 134.34.246.5 (08:35:48.956 PDT) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 23127->23127 (08:35:48.956 PDT) 143.89.49.74 (08:37:29.905 PDT) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 50398->61921 (08:37:29.905 PDT) tcpslice 1308584001.108 1308584001.109 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.100 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 06/20/2011 08:45:49.410 PDT Gen. Time: 06/20/2011 08:45:49.410 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 206.207.248.34 (08:45:49.410 PDT) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 23127->23127 (08:45:49.410 PDT) tcpslice 1308584749.410 1308584749.411 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.100 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 06/20/2011 08:49:12.762 PDT Gen. Time: 06/20/2011 08:49:12.762 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 132.239.17.226 (08:49:12.762 PDT) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 34918->2128 (08:49:12.762 PDT) tcpslice 1308584952.762 1308584952.763 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.100 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 06/20/2011 08:55:51.111 PDT Gen. Time: 06/20/2011 08:55:51.111 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 195.37.16.125 (08:55:51.111 PDT) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 14503->14503 (08:55:51.111 PDT) tcpslice 1308585351.111 1308585351.112 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100' ============================== SEPARATOR ================================ Score: 1.3 (>= 0.8) Infected Target: 192.168.1.100 Infector List: Egg Source List: 212.227.97.179 C & C List: Peer Coord. List: Resource List: Observed Start: 06/20/2011 08:55:51.111 PDT Gen. Time: 06/20/2011 09:00:05.359 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD 212.227.97.179 (08:58:04.817 PDT) event=1:2003179 {tcp} E3[rb] ET POLICY exe download without User Agent, [/coblitz/wow/patches/3.3.0/WoW-3.2.0.10192-to-3.3.0.10958-frFR-patch.exe] MAC_Src: 00:21:5A:08:BB:0C 38433->80 (08:58:04.817 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 195.37.16.125 (08:55:51.111 PDT) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 14503->14503 (08:55:51.111 PDT) tcpslice 1308585351.111 1308585351.112 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.100 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 06/20/2011 09:05:24.836 PDT Gen. Time: 06/20/2011 09:05:24.836 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 132.239.17.226 (09:05:24.836 PDT) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 43156->49301 (09:05:24.836 PDT) tcpslice 1308585924.836 1308585924.837 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.100 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 06/20/2011 09:05:24.836 PDT Gen. Time: 06/20/2011 09:08:50.550 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 132.239.17.226 (09:05:24.836 PDT) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 43156->49301 (09:05:24.836 PDT) 195.37.16.125 (09:05:51.546 PDT) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 14503->14503 (09:05:51.546 PDT) tcpslice 1308585924.836 1308585924.837 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.100 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 06/20/2011 09:15:51.096 PDT Gen. Time: 06/20/2011 09:15:51.096 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 195.37.16.125 (09:15:51.096 PDT) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 14503->14503 (09:15:51.096 PDT) tcpslice 1308586551.096 1308586551.097 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.100 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 06/20/2011 09:15:51.096 PDT Gen. Time: 06/20/2011 09:19:34.501 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 206.207.248.34 (09:17:07.830 PDT) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 42865->2126 (09:17:07.830 PDT) 195.37.16.125 (09:15:51.096 PDT) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 14503->14503 (09:15:51.096 PDT) tcpslice 1308586551.096 1308586551.097 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.100 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 06/20/2011 09:25:53.983 PDT Gen. Time: 06/20/2011 09:25:53.983 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 195.37.16.125 (09:25:53.983 PDT) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 14503->14503 (09:25:53.983 PDT) tcpslice 1308587153.983 1308587153.984 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.100 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 06/20/2011 09:29:44.014 PDT Gen. Time: 06/20/2011 09:29:44.014 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 206.207.248.34 (09:29:44.014 PDT) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 56234->2126 (09:29:44.014 PDT) tcpslice 1308587384.014 1308587384.015 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100' ============================== SEPARATOR ================================ Score: 1.3 (>= 0.8) Infected Target: 192.168.1.100 Infector List: Egg Source List: 212.227.97.179 C & C List: Peer Coord. List: Resource List: Observed Start: 06/20/2011 09:35:33.160 PDT Gen. Time: 06/20/2011 09:35:53.264 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD 212.227.97.179 (09:35:33.160 PDT) event=1:2003179 {tcp} E3[rb] ET POLICY exe download without User Agent, [/coblitz/wow/patches/3.3.2/WoW-3.3.0.11159-to-3.3.2.11403-frFR-patch.exe] MAC_Src: 00:21:5A:08:BB:0C 49315->80 (09:35:33.160 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 195.37.16.125 (09:35:53.264 PDT) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 14503->14503 (09:35:53.264 PDT) tcpslice 1308587733.160 1308587733.161 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.100 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 06/20/2011 09:45:53.433 PDT Gen. Time: 06/20/2011 09:45:53.433 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 195.37.16.125 (09:45:53.433 PDT) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 14503->14503 (09:45:53.433 PDT) tcpslice 1308588353.433 1308588353.434 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.100 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 06/20/2011 09:45:53.433 PDT Gen. Time: 06/20/2011 09:49:55.609 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 132.239.17.226 (09:46:08.797 PDT) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 56730->2126 (09:46:08.797 PDT) 195.37.16.125 (09:45:53.433 PDT) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 14503->14503 (09:45:53.433 PDT) tcpslice 1308588353.433 1308588353.434 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.100 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 06/20/2011 09:55:53.102 PDT Gen. Time: 06/20/2011 09:55:53.102 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 195.37.16.125 (09:55:53.102 PDT) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 14503->14503 (09:55:53.102 PDT) tcpslice 1308588953.102 1308588953.103 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.100 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 06/20/2011 10:05:54.561 PDT Gen. Time: 06/20/2011 10:05:54.561 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 195.37.16.125 (10:05:54.561 PDT) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 14503->14503 (10:05:54.561 PDT) tcpslice 1308589554.561 1308589554.562 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100' ============================== SEPARATOR ================================ Score: 1.3 (>= 0.8) Infected Target: 192.168.1.100 Infector List: Egg Source List: 212.227.97.179 C & C List: Peer Coord. List: Resource List: Observed Start: 06/20/2011 10:05:54.561 PDT Gen. Time: 06/20/2011 10:09:11.937 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD 212.227.97.179 (10:06:34.239 PDT) event=1:2003179 {tcp} E3[rb] ET POLICY exe download without User Agent, [/coblitz/wow/patches/3.3.0/WoW-3.2.0.10192-to-3.3.0.10958-deDE-patch.exe] MAC_Src: 00:21:5A:08:BB:0C 34144->80 (10:06:34.239 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 206.207.248.34 (10:07:02.865 PDT) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 46514->3128 (10:07:02.865 PDT) 195.37.16.125 (10:05:54.561 PDT) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 14503->14503 (10:05:54.561 PDT) tcpslice 1308589554.561 1308589554.562 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.100 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 06/20/2011 10:16:02.303 PDT Gen. Time: 06/20/2011 10:16:02.303 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 206.207.248.34 (10:16:02.303 PDT) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 2121->2121 (10:16:02.303 PDT) tcpslice 1308590162.303 1308590162.304 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100' ============================== SEPARATOR ================================ Score: 1.3 (>= 0.8) Infected Target: 192.168.1.100 Infector List: Egg Source List: 212.227.97.179 C & C List: Peer Coord. List: Resource List: Observed Start: 06/20/2011 10:16:02.303 PDT Gen. Time: 06/20/2011 10:20:32.854 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD 212.227.97.179 (10:16:14.227 PDT) event=1:2003179 {tcp} E3[rb] ET POLICY exe download without User Agent, [/coblitz/wow/patches/3.2.0/WoW-3.2.0-enGB-patch.exe] MAC_Src: 00:21:5A:08:BB:0C 52507->80 (10:16:14.227 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 206.207.248.34 (10:16:02.303 PDT) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 2121->2121 (10:16:02.303 PDT) tcpslice 1308590162.303 1308590162.304 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100' ============================== SEPARATOR ================================ Score: 1.3 (>= 0.8) Infected Target: 192.168.1.100 Infector List: Egg Source List: 212.227.97.179 C & C List: Peer Coord. List: Resource List: Observed Start: 06/20/2011 10:24:28.950 PDT Gen. Time: 06/20/2011 10:24:30.566 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD 212.227.97.179 (10:24:28.950 PDT) event=1:2003179 {tcp} E3[rb] ET POLICY exe download without User Agent, [/coblitz/wow/patches/3.2.0/WoW-3.2.0-deDE-patch.exe] MAC_Src: 00:21:5A:08:BB:0C 50951->80 (10:24:28.950 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 206.207.248.34 (10:24:30.566 PDT) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 48522->3128 (10:24:30.566 PDT) tcpslice 1308590668.950 1308590668.951 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100' ============================== SEPARATOR ================================ Score: 1.3 (>= 0.8) Infected Target: 192.168.1.100 Infector List: Egg Source List: 212.227.97.179 C & C List: Peer Coord. List: Resource List: Observed Start: 06/20/2011 10:24:28.950 PDT Gen. Time: 06/20/2011 10:28:59.843 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD 212.227.97.179 (10:24:28.950 PDT) event=1:2003179 {tcp} E3[rb] ET POLICY exe download without User Agent, [/coblitz/wow/patches/3.2.0/WoW-3.2.0-deDE-patch.exe] MAC_Src: 00:21:5A:08:BB:0C 50951->80 (10:24:28.950 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 206.207.248.34 (10:24:30.566 PDT) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 48522->3128 (10:24:30.566 PDT) 195.37.16.125 (10:26:02.713 PDT) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 14503->14503 (10:26:02.713 PDT) tcpslice 1308590668.950 1308590668.951 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.100 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 06/20/2011 10:35:05.176 PDT Gen. Time: 06/20/2011 10:35:05.176 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 206.207.248.34 (10:35:05.176 PDT) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 33751->2128 (10:35:05.176 PDT) tcpslice 1308591305.176 1308591305.177 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.100 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 06/20/2011 10:35:05.176 PDT Gen. Time: 06/20/2011 10:37:45.975 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 134.34.246.5 (10:36:09.493 PDT) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 4795->4795 (10:36:09.493 PDT) 206.207.248.34 (10:35:05.176 PDT) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 33751->2128 (10:35:05.176 PDT) tcpslice 1308591305.176 1308591305.177 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.100 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 06/20/2011 10:45:09.667 PDT Gen. Time: 06/20/2011 10:45:09.667 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 206.207.248.34 (10:45:09.667 PDT) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 55583->3128 (10:45:09.667 PDT) tcpslice 1308591909.667 1308591909.668 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.100 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 06/20/2011 10:45:09.667 PDT Gen. Time: 06/20/2011 10:46:49.420 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 206.207.248.34 (2) (10:45:09.667 PDT) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 55583->3128 (10:45:09.667 PDT) ------------------------- event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 2122->2122 (10:46:13.195 PDT) tcpslice 1308591909.667 1308591909.668 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.100 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 06/20/2011 10:56:06.661 PDT Gen. Time: 06/20/2011 10:56:06.661 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 132.239.17.226 (10:56:06.661 PDT) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 49011->2128 (10:56:06.661 PDT) tcpslice 1308592566.661 1308592566.662 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.100 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 06/20/2011 10:56:06.661 PDT Gen. Time: 06/20/2011 10:59:10.096 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 132.239.17.226 (10:56:06.661 PDT) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 49011->2128 (10:56:06.661 PDT) 206.207.248.34 (10:56:15.275 PDT) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 4121->4121 (10:56:15.275 PDT) tcpslice 1308592566.661 1308592566.662 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.100 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 06/20/2011 11:06:17.206 PDT Gen. Time: 06/20/2011 11:06:17.206 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 195.37.16.125 (11:06:17.206 PDT) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 14503->14503 (11:06:17.206 PDT) tcpslice 1308593177.206 1308593177.207 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.100 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 06/20/2011 11:06:17.206 PDT Gen. Time: 06/20/2011 11:09:56.792 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 206.207.248.34 (11:09:25.946 PDT) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 41155->3128 (11:09:25.946 PDT) 195.37.16.125 (11:06:17.206 PDT) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 14503->14503 (11:06:17.206 PDT) tcpslice 1308593177.206 1308593177.207 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.100 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 06/20/2011 11:16:20.752 PDT Gen. Time: 06/20/2011 11:16:20.752 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 143.89.49.74 (11:16:20.752 PDT) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 2121->2121 (11:16:20.752 PDT) tcpslice 1308593780.752 1308593780.753 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.100 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 06/20/2011 11:16:20.752 PDT Gen. Time: 06/20/2011 11:20:03.695 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 206.207.248.34 (11:19:51.774 PDT) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 49142->2126 (11:19:51.774 PDT) 143.89.49.74 (11:16:20.752 PDT) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 2121->2121 (11:16:20.752 PDT) tcpslice 1308593780.752 1308593780.753 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.100 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 06/20/2011 11:26:21.145 PDT Gen. Time: 06/20/2011 11:26:21.145 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 195.37.16.125 (11:26:21.145 PDT) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 14503->14503 (11:26:21.145 PDT) tcpslice 1308594381.145 1308594381.146 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.100 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 06/20/2011 11:36:23.171 PDT Gen. Time: 06/20/2011 11:36:23.171 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 132.239.17.226 (11:36:23.171 PDT) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 2122->2122 (11:36:23.171 PDT) tcpslice 1308594983.171 1308594983.172 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.100 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 06/20/2011 11:36:23.171 PDT Gen. Time: 06/20/2011 11:40:18.573 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 132.239.17.226 (2) (11:36:23.171 PDT) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 53641->2128 (11:37:01.417 PDT) ------------------------- event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 2122->2122 (11:36:23.171 PDT) tcpslice 1308594983.171 1308594983.172 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.100 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 06/20/2011 11:46:24.948 PDT Gen. Time: 06/20/2011 11:46:24.948 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 206.207.248.34 (11:46:24.948 PDT) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 2121->2121 (11:46:24.948 PDT) tcpslice 1308595584.948 1308595584.949 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.100 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 06/20/2011 11:46:24.948 PDT Gen. Time: 06/20/2011 11:51:05.908 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 206.207.248.34 (2) (11:46:24.948 PDT) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 36820->2126 (11:48:52.863 PDT) ------------------------- event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 2121->2121 (11:46:24.948 PDT) tcpslice 1308595584.948 1308595584.949 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.100 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 06/20/2011 11:56:24.393 PDT Gen. Time: 06/20/2011 11:56:24.393 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 206.207.248.34 (11:56:24.393 PDT) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 2121->2121 (11:56:24.393 PDT) tcpslice 1308596184.393 1308596184.394 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.100 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 06/20/2011 12:02:12.781 PDT Gen. Time: 06/20/2011 12:02:12.781 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 206.207.248.34 (12:02:12.781 PDT) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 50072->3128 (12:02:12.781 PDT) tcpslice 1308596532.781 1308596532.782 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.100 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 06/20/2011 12:06:25.011 PDT Gen. Time: 06/20/2011 12:06:25.011 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 134.34.246.5 (12:06:25.011 PDT) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 4876->4876 (12:06:25.011 PDT) tcpslice 1308596785.011 1308596785.012 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.100 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 06/20/2011 12:16:25.124 PDT Gen. Time: 06/20/2011 12:16:25.124 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 195.37.16.125 (12:16:25.124 PDT) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 14503->14503 (12:16:25.124 PDT) tcpslice 1308597385.124 1308597385.125 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.100 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 06/20/2011 12:16:25.124 PDT Gen. Time: 06/20/2011 12:20:53.784 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 132.239.17.226 (12:19:46.943 PDT) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 52341->2128 (12:19:46.943 PDT) 195.37.16.125 (12:16:25.124 PDT) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 14503->14503 (12:16:25.124 PDT) tcpslice 1308597385.124 1308597385.125 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.100 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 06/20/2011 12:26:26.429 PDT Gen. Time: 06/20/2011 12:26:26.429 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 206.207.248.34 (12:26:26.429 PDT) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 2121->2121 (12:26:26.429 PDT) tcpslice 1308597986.429 1308597986.430 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.100 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 06/20/2011 12:33:44.595 PDT Gen. Time: 06/20/2011 12:33:44.595 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 132.239.17.226 (12:33:44.595 PDT) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 52588->2126 (12:33:44.595 PDT) tcpslice 1308598424.595 1308598424.596 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.100 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 06/20/2011 12:36:27.096 PDT Gen. Time: 06/20/2011 12:36:27.096 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 195.37.16.125 (12:36:27.096 PDT) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 14503->14503 (12:36:27.096 PDT) tcpslice 1308598587.096 1308598587.097 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.100 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 06/20/2011 12:43:47.300 PDT Gen. Time: 06/20/2011 12:43:47.300 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 206.207.248.34 (12:43:47.300 PDT) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 41025->2126 (12:43:47.300 PDT) tcpslice 1308599027.300 1308599027.301 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.100 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 06/20/2011 12:43:47.300 PDT Gen. Time: 06/20/2011 12:46:44.934 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 206.207.248.34 (2) (12:43:47.300 PDT) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 41025->2126 (12:43:47.300 PDT) ------------------------- event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 2121->2121 (12:46:27.231 PDT) tcpslice 1308599027.300 1308599027.301 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.100 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 06/20/2011 12:55:14.036 PDT Gen. Time: 06/20/2011 12:55:14.036 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 132.239.17.226 (12:55:14.036 PDT) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 41657->2126 (12:55:14.036 PDT) tcpslice 1308599714.036 1308599714.037 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.100 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 06/20/2011 12:55:14.036 PDT Gen. Time: 06/20/2011 12:58:41.783 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 132.239.17.226 (12:55:14.036 PDT) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 41657->2126 (12:55:14.036 PDT) 195.37.16.125 (12:56:27.072 PDT) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 14503->14503 (12:56:27.072 PDT) tcpslice 1308599714.036 1308599714.037 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.100 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 06/20/2011 13:06:27.009 PDT Gen. Time: 06/20/2011 13:06:27.009 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 206.207.248.34 (13:06:27.009 PDT) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 14503->14503 (13:06:27.009 PDT) tcpslice 1308600387.009 1308600387.010 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.100 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 06/20/2011 13:06:27.009 PDT Gen. Time: 06/20/2011 13:10:11.648 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 132.239.17.226 (13:09:32.937 PDT) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 57009->2126 (13:09:32.937 PDT) 206.207.248.34 (13:06:27.009 PDT) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 14503->14503 (13:06:27.009 PDT) tcpslice 1308600387.009 1308600387.010 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.100 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 06/20/2011 13:16:27.483 PDT Gen. Time: 06/20/2011 13:16:27.483 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 206.207.248.34 (13:16:27.483 PDT) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 2121->2121 (13:16:27.483 PDT) tcpslice 1308600987.483 1308600987.484 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.100 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 06/20/2011 13:21:19.723 PDT Gen. Time: 06/20/2011 13:21:19.723 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 206.207.248.34 (13:21:19.723 PDT) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 49019->3128 (13:21:19.723 PDT) tcpslice 1308601279.723 1308601279.724 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.100 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 06/20/2011 13:26:27.030 PDT Gen. Time: 06/20/2011 13:26:27.030 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 195.37.16.125 (13:26:27.030 PDT) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 14503->14503 (13:26:27.030 PDT) tcpslice 1308601587.030 1308601587.031 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.100 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 06/20/2011 13:35:17.959 PDT Gen. Time: 06/20/2011 13:35:17.959 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 132.239.17.226 (13:35:17.959 PDT) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 50106->2128 (13:35:17.959 PDT) tcpslice 1308602117.959 1308602117.960 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100' ============================== SEPARATOR ================================ Score: 1.3 (>= 0.8) Infected Target: 192.168.1.100 Infector List: Egg Source List: 212.227.97.179 C & C List: Peer Coord. List: Resource List: Observed Start: 06/20/2011 13:35:17.959 PDT Gen. Time: 06/20/2011 13:41:54.814 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD 212.227.97.179 (13:37:17.372 PDT) event=1:2003179 {tcp} E3[rb] ET POLICY exe download without User Agent, [/coblitz/wow/patches/3.2.0/WoW-3.2.0-esES-patch.exe] MAC_Src: 00:21:5A:08:BB:0C 36890->80 (13:37:17.372 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 132.239.17.226 (13:35:17.959 PDT) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 50106->2128 (13:35:17.959 PDT) 195.37.16.125 (13:36:29.099 PDT) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 14503->14503 (13:36:29.099 PDT) tcpslice 1308602117.959 1308602117.960 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100' ============================== SEPARATOR ================================ Score: 1.3 (>= 0.8) Infected Target: 192.168.1.100 Infector List: Egg Source List: 212.227.97.179 C & C List: Peer Coord. List: Resource List: Observed Start: 06/20/2011 13:44:35.300 PDT Gen. Time: 06/20/2011 13:46:30.176 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD 212.227.97.179 (2) (13:44:35.300 PDT) event=1:2003179 (2) {tcp} E3[rb] ET POLICY exe download without User Agent, [/coblitz/wow/patches/3.3.0/WoW-3.2.0.10192-to-3.3.0.10958-ruRU-patch.exe] MAC_Src: 00:21:5A:08:BB:0C 36634->80 (13:44:35.300 PDT) 36238->80 (13:44:59.392 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 195.37.16.125 (13:46:30.176 PDT) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 14503->14503 (13:46:30.176 PDT) tcpslice 1308602675.300 1308602675.301 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100' ============================== SEPARATOR ================================ Score: 1.3 (>= 0.8) Infected Target: 192.168.1.100 Infector List: Egg Source List: 212.227.97.179 C & C List: Peer Coord. List: Resource List: Observed Start: 06/20/2011 13:44:35.300 PDT Gen. Time: 06/20/2011 13:51:15.418 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD 212.227.97.179 (3) (13:44:35.300 PDT) event=1:2003179 (3) {tcp} E3[rb] ET POLICY exe download without User Agent, [/coblitz/wow/patches/3.3.0/WoW-3.2.0.10192-to-3.3.0.10958-ruRU-patch.exe] MAC_Src: 00:21:5A:08:BB:0C 36634->80 (13:44:35.300 PDT) 36238->80 (13:44:59.392 PDT) 36966->80 (13:48:03.300 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 132.239.17.226 (13:48:11.313 PDT) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 54492->2128 (13:48:11.313 PDT) 195.37.16.125 (13:46:30.176 PDT) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 14503->14503 (13:46:30.176 PDT) tcpslice 1308602675.300 1308602675.301 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.100 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 06/20/2011 13:56:34.543 PDT Gen. Time: 06/20/2011 13:56:34.543 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 206.207.248.34 (13:56:34.543 PDT) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 14503->14503 (13:56:34.543 PDT) tcpslice 1308603394.543 1308603394.544 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.100 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 06/20/2011 13:56:34.543 PDT Gen. Time: 06/20/2011 14:00:35.973 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 206.207.248.34 (2) (13:56:34.543 PDT) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 56714->2126 (13:58:46.473 PDT) ------------------------- event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 14503->14503 (13:56:34.543 PDT) tcpslice 1308603394.543 1308603394.544 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.100 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 06/20/2011 14:06:34.308 PDT Gen. Time: 06/20/2011 14:06:34.308 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 206.207.248.34 (14:06:34.308 PDT) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 14503->14503 (14:06:34.308 PDT) tcpslice 1308603994.308 1308603994.309 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.100 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 06/20/2011 14:12:03.986 PDT Gen. Time: 06/20/2011 14:12:03.986 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 206.207.248.34 (14:12:03.986 PDT) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 58735->2126 (14:12:03.986 PDT) tcpslice 1308604323.986 1308604323.987 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.100 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 06/20/2011 14:16:36.051 PDT Gen. Time: 06/20/2011 14:16:36.051 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 132.239.17.226 (14:16:36.051 PDT) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 2122->2122 (14:16:36.051 PDT) tcpslice 1308604596.051 1308604596.052 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.100 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 06/20/2011 14:26:37.603 PDT Gen. Time: 06/20/2011 14:26:37.603 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 206.207.248.34 (14:26:37.603 PDT) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 14503->14503 (14:26:37.603 PDT) tcpslice 1308605197.603 1308605197.604 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.100 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 06/20/2011 14:26:37.603 PDT Gen. Time: 06/20/2011 14:29:59.745 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 132.239.17.226 (14:28:27.749 PDT) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 52401->3125 (14:28:27.749 PDT) 206.207.248.34 (14:26:37.603 PDT) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 14503->14503 (14:26:37.603 PDT) tcpslice 1308605197.603 1308605197.604 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.100 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 06/20/2011 14:36:40.230 PDT Gen. Time: 06/20/2011 14:36:40.230 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 206.207.248.34 (14:36:40.230 PDT) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 14503->14503 (14:36:40.230 PDT) tcpslice 1308605800.230 1308605800.231 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.100 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 06/20/2011 14:46:41.497 PDT Gen. Time: 06/20/2011 14:46:41.497 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 206.207.248.34 (14:46:41.497 PDT) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 2121->2121 (14:46:41.497 PDT) tcpslice 1308606401.497 1308606401.498 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.100 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 06/20/2011 14:51:14.704 PDT Gen. Time: 06/20/2011 14:51:14.704 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 132.239.17.226 (14:51:14.704 PDT) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 55403->2128 (14:51:14.704 PDT) tcpslice 1308606674.704 1308606674.705 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.100 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 06/20/2011 14:56:41.896 PDT Gen. Time: 06/20/2011 14:56:41.896 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 206.207.248.34 (14:56:41.896 PDT) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 2121->2121 (14:56:41.896 PDT) tcpslice 1308607001.896 1308607001.897 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.100 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 06/20/2011 15:03:07.321 PDT Gen. Time: 06/20/2011 15:03:07.321 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 132.239.17.226 (15:03:07.321 PDT) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 44512->2126 (15:03:07.321 PDT) tcpslice 1308607387.321 1308607387.322 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.100 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 06/20/2011 15:06:42.341 PDT Gen. Time: 06/20/2011 15:06:42.341 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 206.207.248.34 (15:06:42.341 PDT) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 2121->2121 (15:06:42.341 PDT) tcpslice 1308607602.341 1308607602.342 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.100 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 06/20/2011 15:13:23.821 PDT Gen. Time: 06/20/2011 15:13:23.821 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 132.239.17.226 (15:13:23.821 PDT) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 52129->2128 (15:13:23.821 PDT) tcpslice 1308608003.821 1308608003.822 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.100 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 06/20/2011 15:13:23.821 PDT Gen. Time: 06/20/2011 15:17:26.649 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 132.239.17.226 (15:13:23.821 PDT) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 52129->2128 (15:13:23.821 PDT) 195.37.16.125 (15:16:42.897 PDT) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 14503->14503 (15:16:42.897 PDT) tcpslice 1308608003.821 1308608003.822 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.100 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 06/20/2011 15:26:21.999 PDT Gen. Time: 06/20/2011 15:26:21.999 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 206.207.248.34 (15:26:21.999 PDT) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 56843->2126 (15:26:21.999 PDT) tcpslice 1308608781.999 1308608782.000 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100' ============================== SEPARATOR ================================ Score: 1.3 (>= 0.8) Infected Target: 192.168.1.100 Infector List: Egg Source List: 212.227.97.179 C & C List: Peer Coord. List: Resource List: Observed Start: 06/20/2011 15:26:21.999 PDT Gen. Time: 06/20/2011 15:31:42.744 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD 212.227.97.179 (15:27:48.751 PDT) event=1:2003179 {tcp} E3[rb] ET POLICY exe download without User Agent, [/coblitz/wow/patches/3.2.0/WoW-3.2.0-esES-patch.exe] MAC_Src: 00:21:5A:08:BB:0C 55656->80 (15:27:48.751 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 206.207.248.34 (2) (15:26:21.999 PDT) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 56843->2126 (15:26:21.999 PDT) ------------------------- event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 14503->14503 (15:26:44.353 PDT) tcpslice 1308608781.999 1308608782.000 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.100 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 06/20/2011 15:36:28.964 PDT Gen. Time: 06/20/2011 15:36:28.964 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 206.207.248.34 (15:36:28.964 PDT) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 40735->2126 (15:36:28.964 PDT) tcpslice 1308609388.964 1308609388.965 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.100 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 06/20/2011 15:36:28.964 PDT Gen. Time: 06/20/2011 15:40:35.774 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 206.207.248.34 (2) (15:36:28.964 PDT) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 40735->2126 (15:36:28.964 PDT) ------------------------- event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 23127->23127 (15:36:44.089 PDT) tcpslice 1308609388.964 1308609388.965 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.100 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 06/20/2011 15:46:44.090 PDT Gen. Time: 06/20/2011 15:46:44.090 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 206.207.248.34 (15:46:44.090 PDT) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 14503->14503 (15:46:44.090 PDT) tcpslice 1308610004.090 1308610004.091 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.100 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 06/20/2011 15:46:44.090 PDT Gen. Time: 06/20/2011 15:50:45.848 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 132.239.17.226 (15:48:37.656 PDT) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 60359->2128 (15:48:37.656 PDT) 206.207.248.34 (15:46:44.090 PDT) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 14503->14503 (15:46:44.090 PDT) tcpslice 1308610004.090 1308610004.091 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.100 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 06/20/2011 15:56:45.512 PDT Gen. Time: 06/20/2011 15:56:45.512 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 195.37.16.125 (15:56:45.512 PDT) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 14503->14503 (15:56:45.512 PDT) tcpslice 1308610605.512 1308610605.513 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.100 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 06/20/2011 16:06:26.878 PDT Gen. Time: 06/20/2011 16:06:26.878 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 132.239.17.226 (16:06:26.878 PDT) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 50083->2128 (16:06:26.878 PDT) tcpslice 1308611186.878 1308611186.879 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.100 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 06/20/2011 16:06:26.878 PDT Gen. Time: 06/20/2011 16:09:25.323 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 132.239.17.226 (16:06:26.878 PDT) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 50083->2128 (16:06:26.878 PDT) 195.37.16.125 (16:06:45.447 PDT) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 14503->14503 (16:06:45.447 PDT) tcpslice 1308611186.878 1308611186.879 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.100 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 06/20/2011 16:16:45.378 PDT Gen. Time: 06/20/2011 16:16:45.378 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 134.34.246.5 (16:16:45.378 PDT) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 8016->8016 (16:16:45.378 PDT) tcpslice 1308611805.378 1308611805.379 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.100 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 06/20/2011 16:23:17.045 PDT Gen. Time: 06/20/2011 16:23:17.045 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 132.239.17.226 (16:23:17.045 PDT) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 36400->2128 (16:23:17.045 PDT) tcpslice 1308612197.045 1308612197.046 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100' ============================== SEPARATOR ================================ Score: 1.3 (>= 0.8) Infected Target: 192.168.1.100 Infector List: Egg Source List: 212.227.97.179 C & C List: Peer Coord. List: Resource List: Observed Start: 06/20/2011 16:23:17.045 PDT Gen. Time: 06/20/2011 16:29:42.428 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD 212.227.97.179 (16:27:03.723 PDT) event=1:2003179 {tcp} E3[rb] ET POLICY exe download without User Agent, [/coblitz/wow/patches/3.2.0/WoW-3.2.0-esMX-patch.exe] MAC_Src: 00:21:5A:08:BB:0C 55682->80 (16:27:03.723 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 132.239.17.226 (16:23:17.045 PDT) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 36400->2128 (16:23:17.045 PDT) 206.207.248.34 (16:26:47.210 PDT) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 2121->2121 (16:26:47.210 PDT) tcpslice 1308612197.045 1308612197.046 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.100 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 06/20/2011 16:36:42.090 PDT Gen. Time: 06/20/2011 16:36:42.090 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 132.239.17.226 (16:36:42.090 PDT) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 51905->2126 (16:36:42.090 PDT) tcpslice 1308613002.090 1308613002.091 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100' ============================== SEPARATOR ================================ Score: 1.3 (>= 0.8) Infected Target: 192.168.1.100 Infector List: Egg Source List: 212.227.97.179 C & C List: Peer Coord. List: Resource List: Observed Start: 06/20/2011 16:36:42.090 PDT Gen. Time: 06/20/2011 16:43:13.148 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD 212.227.97.179 (16:39:23.937 PDT) event=1:2003179 {tcp} E3[rb] ET POLICY exe download without User Agent, [/coblitz/wow/patches/3.2.0/WoW-3.2.0-deDE-patch.exe] MAC_Src: 00:21:5A:08:BB:0C 59195->80 (16:39:23.937 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 132.239.17.226 (16:36:42.090 PDT) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 51905->2126 (16:36:42.090 PDT) 206.207.248.34 (16:36:48.161 PDT) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 23127->23127 (16:36:48.161 PDT) tcpslice 1308613002.090 1308613002.091 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.100 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 06/20/2011 16:46:57.023 PDT Gen. Time: 06/20/2011 16:46:57.023 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 206.207.248.34 (16:46:57.023 PDT) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 2121->2121 (16:46:57.023 PDT) tcpslice 1308613617.023 1308613617.024 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.100 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 06/20/2011 16:55:56.779 PDT Gen. Time: 06/20/2011 16:55:56.779 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 206.207.248.34 (16:55:56.779 PDT) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 41058->2126 (16:55:56.779 PDT) tcpslice 1308614156.779 1308614156.780 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.100 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 06/20/2011 16:55:56.779 PDT Gen. Time: 06/20/2011 16:59:42.056 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 206.207.248.34 (2) (16:55:56.779 PDT) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 41058->2126 (16:55:56.779 PDT) ------------------------- event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 23127->23127 (16:56:59.898 PDT) tcpslice 1308614156.779 1308614156.780 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.100 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 06/20/2011 17:06:02.660 PDT Gen. Time: 06/20/2011 17:06:02.660 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 132.239.17.226 (17:06:02.660 PDT) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 53465->2128 (17:06:02.660 PDT) tcpslice 1308614762.660 1308614762.661 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.100 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 06/20/2011 17:06:02.660 PDT Gen. Time: 06/20/2011 17:10:07.121 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 132.239.17.226 (2) (17:06:02.660 PDT) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 53465->2128 (17:06:02.660 PDT) ------------------------- event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 2121->2121 (17:06:59.961 PDT) tcpslice 1308614762.660 1308614762.661 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.100 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 06/20/2011 17:17:00.411 PDT Gen. Time: 06/20/2011 17:17:00.411 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 132.239.17.226 (17:17:00.411 PDT) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 49302->49302 (17:17:00.411 PDT) tcpslice 1308615420.411 1308615420.412 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.100 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 06/20/2011 17:22:08.130 PDT Gen. Time: 06/20/2011 17:22:08.130 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 206.207.248.34 (17:22:08.130 PDT) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 37005->3128 (17:22:08.130 PDT) tcpslice 1308615728.130 1308615728.131 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.100 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 06/20/2011 17:27:00.883 PDT Gen. Time: 06/20/2011 17:27:00.883 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 195.37.16.125 (17:27:00.883 PDT) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 14503->14503 (17:27:00.883 PDT) tcpslice 1308616020.883 1308616020.884 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100' ============================== SEPARATOR ================================ Score: 1.3 (>= 0.8) Infected Target: 192.168.1.100 Infector List: Egg Source List: 212.227.97.179 C & C List: Peer Coord. List: Resource List: Observed Start: 06/20/2011 17:27:00.883 PDT Gen. Time: 06/20/2011 17:31:30.741 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD 212.227.97.179 (17:28:25.272 PDT) event=1:2003179 {tcp} E3[rb] ET POLICY exe download without User Agent, [/coblitz/wow/patches/3.2.0/WoW-3.2.0-esES-patch.exe] MAC_Src: 00:21:5A:08:BB:0C 35230->80 (17:28:25.272 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 195.37.16.125 (17:27:00.883 PDT) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 14503->14503 (17:27:00.883 PDT) tcpslice 1308616020.883 1308616020.884 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.100 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 06/20/2011 17:35:26.819 PDT Gen. Time: 06/20/2011 17:35:26.819 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 132.239.17.226 (17:35:26.819 PDT) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 52410->2128 (17:35:26.819 PDT) tcpslice 1308616526.819 1308616526.820 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.100 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 06/20/2011 17:35:26.819 PDT Gen. Time: 06/20/2011 17:40:05.809 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 132.239.17.226 (2) (17:35:26.819 PDT) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 52410->2128 (17:35:26.819 PDT) ------------------------- event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 49302->49302 (17:37:00.318 PDT) tcpslice 1308616526.819 1308616526.820 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.100 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 06/20/2011 17:47:00.956 PDT Gen. Time: 06/20/2011 17:47:00.956 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 195.37.16.125 (17:47:00.956 PDT) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 14503->14503 (17:47:00.956 PDT) tcpslice 1308617220.956 1308617220.957 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.100 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 06/20/2011 17:47:00.956 PDT Gen. Time: 06/20/2011 17:51:02.305 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 206.207.248.34 (17:47:06.831 PDT) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 54432->2126 (17:47:06.831 PDT) 195.37.16.125 (17:47:00.956 PDT) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 14503->14503 (17:47:00.956 PDT) tcpslice 1308617220.956 1308617220.957 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.100 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 06/20/2011 17:57:02.414 PDT Gen. Time: 06/20/2011 17:57:02.414 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 195.37.16.125 (17:57:02.414 PDT) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 14503->14503 (17:57:02.414 PDT) tcpslice 1308617822.414 1308617822.415 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.100 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 06/20/2011 18:00:29.978 PDT Gen. Time: 06/20/2011 18:00:29.978 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 132.239.17.226 (18:00:29.978 PDT) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 59506->2126 (18:00:29.978 PDT) tcpslice 1308618029.978 1308618029.979 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.100 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 06/20/2011 18:07:03.716 PDT Gen. Time: 06/20/2011 18:07:03.716 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 12.46.129.16 (18:07:03.716 PDT) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 4121->4121 (18:07:03.716 PDT) tcpslice 1308618423.716 1308618423.717 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.100 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 06/20/2011 18:11:47.578 PDT Gen. Time: 06/20/2011 18:11:47.578 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 206.207.248.34 (18:11:47.578 PDT) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 37252->2128 (18:11:47.578 PDT) tcpslice 1308618707.578 1308618707.579 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.100 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 06/20/2011 18:17:03.058 PDT Gen. Time: 06/20/2011 18:17:03.058 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 132.239.17.226 (18:17:03.058 PDT) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 9331->9331 (18:17:03.058 PDT) tcpslice 1308619023.058 1308619023.059 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.100 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 06/20/2011 18:27:04.499 PDT Gen. Time: 06/20/2011 18:27:04.499 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 195.37.16.125 (18:27:04.499 PDT) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 14503->14503 (18:27:04.499 PDT) tcpslice 1308619624.499 1308619624.500 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.100 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 06/20/2011 18:27:04.499 PDT Gen. Time: 06/20/2011 18:29:30.334 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 132.239.17.226 (18:28:05.695 PDT) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 33066->2128 (18:28:05.695 PDT) 195.37.16.125 (18:27:04.499 PDT) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 14503->14503 (18:27:04.499 PDT) tcpslice 1308619624.499 1308619624.500 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.100 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 06/20/2011 18:37:10.818 PDT Gen. Time: 06/20/2011 18:37:10.818 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 132.239.17.226 (18:37:10.818 PDT) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 2121->2121 (18:37:10.818 PDT) tcpslice 1308620230.818 1308620230.819 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100' ============================== SEPARATOR ================================ Score: 1.3 (>= 0.8) Infected Target: 192.168.1.100 Infector List: Egg Source List: 212.227.97.179 C & C List: Peer Coord. List: Resource List: Observed Start: 06/20/2011 18:37:10.818 PDT Gen. Time: 06/20/2011 18:41:03.072 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD 212.227.97.179 (18:37:42.434 PDT) event=1:2003179 {tcp} E3[rb] ET POLICY exe download without User Agent, [/coblitz/wow/patches/3.3.0/WoW-3.2.0.10192-to-3.3.0.10958-esMX-patch.exe] MAC_Src: 00:21:5A:08:BB:0C 47535->80 (18:37:42.434 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 132.239.17.226 (18:37:10.818 PDT) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 2121->2121 (18:37:10.818 PDT) tcpslice 1308620230.818 1308620230.819 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.100 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 06/20/2011 18:41:58.758 PDT Gen. Time: 06/20/2011 18:41:58.758 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 206.207.248.34 (18:41:58.758 PDT) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 58405->2128 (18:41:58.758 PDT) tcpslice 1308620518.758 1308620518.759 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.100 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 06/20/2011 18:47:10.607 PDT Gen. Time: 06/20/2011 18:47:10.607 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 206.207.248.34 (18:47:10.607 PDT) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 2122->2122 (18:47:10.607 PDT) tcpslice 1308620830.607 1308620830.608 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100' ============================== SEPARATOR ================================ Score: 1.3 (>= 0.8) Infected Target: 192.168.1.100 Infector List: Egg Source List: 212.227.97.179 C & C List: Peer Coord. List: Resource List: Observed Start: 06/20/2011 18:47:10.607 PDT Gen. Time: 06/20/2011 18:51:15.088 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD 212.227.97.179 (18:47:43.053 PDT) event=1:2003179 {tcp} E3[rb] ET POLICY exe download without User Agent, [/coblitz/wow/patches/3.3.2/WoW-3.3.0.11159-to-3.3.2.11403-esMX-patch.exe] MAC_Src: 00:21:5A:08:BB:0C 56865->80 (18:47:43.053 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 206.207.248.34 (18:47:10.607 PDT) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 2122->2122 (18:47:10.607 PDT) tcpslice 1308620830.607 1308620830.608 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.100 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 06/20/2011 18:54:53.041 PDT Gen. Time: 06/20/2011 18:54:53.041 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 132.239.17.226 (18:54:53.041 PDT) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 38450->3125 (18:54:53.041 PDT) tcpslice 1308621293.041 1308621293.042 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.100 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 06/20/2011 18:54:53.041 PDT Gen. Time: 06/20/2011 18:58:17.514 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 132.239.17.226 (18:54:53.041 PDT) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 38450->3125 (18:54:53.041 PDT) 195.37.16.125 (18:57:10.155 PDT) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 14503->14503 (18:57:10.155 PDT) tcpslice 1308621293.041 1308621293.042 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.100 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 06/20/2011 19:05:23.699 PDT Gen. Time: 06/20/2011 19:05:23.699 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 206.207.248.34 (19:05:23.699 PDT) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 45419->3128 (19:05:23.699 PDT) tcpslice 1308621923.699 1308621923.700 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.100 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 06/20/2011 19:07:14.731 PDT Gen. Time: 06/20/2011 19:07:14.731 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 195.37.16.125 (19:07:14.731 PDT) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 9936->9935 (19:07:14.731 PDT) tcpslice 1308622034.731 1308622034.732 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.100 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 06/20/2011 19:15:52.216 PDT Gen. Time: 06/20/2011 19:15:52.216 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 132.239.17.226 (19:15:52.216 PDT) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 49891->2128 (19:15:52.216 PDT) tcpslice 1308622552.216 1308622552.217 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.100 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 06/20/2011 19:15:52.216 PDT Gen. Time: 06/20/2011 19:20:00.862 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 134.34.246.5 (19:17:34.153 PDT) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 4795->4795 (19:17:34.153 PDT) 132.239.17.226 (19:15:52.216 PDT) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 49891->2128 (19:15:52.216 PDT) tcpslice 1308622552.216 1308622552.217 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.100 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 06/20/2011 19:26:49.317 PDT Gen. Time: 06/20/2011 19:26:49.317 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 206.207.248.34 (19:26:49.317 PDT) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 46518->2128 (19:26:49.317 PDT) tcpslice 1308623209.317 1308623209.318 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100' ============================== SEPARATOR ================================ Score: 1.3 (>= 0.8) Infected Target: 192.168.1.100 Infector List: Egg Source List: 212.227.97.179 C & C List: Peer Coord. List: Resource List: Observed Start: 06/20/2011 19:26:49.317 PDT Gen. Time: 06/20/2011 19:31:19.056 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD 212.227.97.179 (19:28:00.955 PDT) event=1:2003179 {tcp} E3[rb] ET POLICY exe download without User Agent, [/coblitz/wow/patches/3.2.0/WoW-3.2.0-enUS-patch.exe] MAC_Src: 00:21:5A:08:BB:0C 42687->80 (19:28:00.955 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 206.207.248.34 (2) (19:26:49.317 PDT) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 46518->2128 (19:26:49.317 PDT) ------------------------- event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 23127->23127 (19:27:39.401 PDT) tcpslice 1308623209.317 1308623209.318 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.100 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 06/20/2011 19:37:39.951 PDT Gen. Time: 06/20/2011 19:37:39.951 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 195.37.16.125 (19:37:39.951 PDT) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 14503->14503 (19:37:39.951 PDT) tcpslice 1308623859.951 1308623859.952 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.100 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 06/20/2011 19:39:58.773 PDT Gen. Time: 06/20/2011 19:39:58.773 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 206.207.248.34 (19:39:58.773 PDT) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 53023->2126 (19:39:58.773 PDT) tcpslice 1308623998.773 1308623998.774 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.100 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 06/20/2011 19:47:39.204 PDT Gen. Time: 06/20/2011 19:47:39.204 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 132.239.17.226 (19:47:39.204 PDT) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 2122->2122 (19:47:39.204 PDT) tcpslice 1308624459.204 1308624459.205 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.100 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 06/20/2011 19:55:16.126 PDT Gen. Time: 06/20/2011 19:55:16.126 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 132.239.17.226 (19:55:16.126 PDT) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 44747->3125 (19:55:16.126 PDT) tcpslice 1308624916.126 1308624916.127 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.100 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 06/20/2011 19:55:16.126 PDT Gen. Time: 06/20/2011 19:58:20.603 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 132.239.17.226 (2) (19:55:16.126 PDT) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 44747->3125 (19:55:16.126 PDT) ------------------------- event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 2122->2122 (19:57:43.123 PDT) tcpslice 1308624916.126 1308624916.127 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.100 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 06/20/2011 20:05:47.699 PDT Gen. Time: 06/20/2011 20:05:47.699 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 206.207.248.34 (20:05:47.699 PDT) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 47853->2128 (20:05:47.699 PDT) tcpslice 1308625547.699 1308625547.700 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.100 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 06/20/2011 20:07:43.065 PDT Gen. Time: 06/20/2011 20:07:43.065 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 195.37.16.125 (20:07:43.065 PDT) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 14503->14503 (20:07:43.065 PDT) tcpslice 1308625663.065 1308625663.066 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.100 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 06/20/2011 20:17:44.789 PDT Gen. Time: 06/20/2011 20:17:44.789 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 195.37.16.125 (20:17:44.789 PDT) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 14503->14503 (20:17:44.789 PDT) tcpslice 1308626264.789 1308626264.790 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.100 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 06/20/2011 20:17:44.789 PDT Gen. Time: 06/20/2011 20:21:21.844 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 206.207.248.34 (20:20:05.843 PDT) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 40463->3128 (20:20:05.843 PDT) 195.37.16.125 (20:17:44.789 PDT) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 14503->14503 (20:17:44.789 PDT) tcpslice 1308626264.789 1308626264.790 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.100 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 06/20/2011 20:27:44.155 PDT Gen. Time: 06/20/2011 20:27:44.155 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 132.239.17.226 (20:27:44.155 PDT) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 2122->2122 (20:27:44.155 PDT) tcpslice 1308626864.155 1308626864.156 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.100 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 06/20/2011 20:27:44.155 PDT Gen. Time: 06/20/2011 20:31:20.007 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 132.239.17.226 (2) (20:27:44.155 PDT) event=1:9910006 (2) {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 2122->2122 (20:27:44.155 PDT) 10844->10844 (20:29:58.484 PDT) tcpslice 1308626864.155 1308626864.156 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.100 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 06/20/2011 20:32:12.678 PDT Gen. Time: 06/20/2011 20:32:12.678 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 132.239.17.226 (20:32:12.678 PDT) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 34459->2126 (20:32:12.678 PDT) tcpslice 1308627132.678 1308627132.679 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100' ============================== SEPARATOR ================================ Score: 1.3 (>= 0.8) Infected Target: 192.168.1.100 Infector List: Egg Source List: 212.227.97.179 C & C List: Peer Coord. List: Resource List: Observed Start: 06/20/2011 20:37:47.364 PDT Gen. Time: 06/20/2011 20:39:59.167 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD 212.227.97.179 (3) (20:37:47.364 PDT-20:37:53.611 PDT) event=1:2003179 (3) {tcp} E3[rb] ET POLICY exe download without User Agent, [/coblitz/wow/patches/3.3.0/WoW-3.2.0.10192-to-3.3.0.10958-esMX-patch.exe] MAC_Src: 00:21:5A:08:BB:0C 3: 55350->80 (20:37:47.364 PDT-20:37:53.611 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 195.37.16.125 (20:39:59.167 PDT) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 14503->14503 (20:39:59.167 PDT) tcpslice 1308627467.364 1308627473.612 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.100 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 06/20/2011 20:43:06.916 PDT Gen. Time: 06/20/2011 20:43:06.916 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 132.239.17.226 (20:43:06.916 PDT) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 47620->2128 (20:43:06.916 PDT) tcpslice 1308627786.916 1308627786.917 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100' ============================== SEPARATOR ================================ Score: 1.3 (>= 0.8) Infected Target: 192.168.1.100 Infector List: Egg Source List: 212.227.97.179 C & C List: Peer Coord. List: Resource List: Observed Start: 06/20/2011 20:43:06.916 PDT Gen. Time: 06/20/2011 20:48:52.141 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD 212.227.97.179 (2) (20:43:36.471 PDT) event=1:2003179 (2) {tcp} E3[rb] ET POLICY exe download without User Agent, [/coblitz/wow/patches/3.2.0/WoW-3.2.0-enGB-patch.exe] MAC_Src: 00:21:5A:08:BB:0C 52902->80 (20:43:36.471 PDT) 43941->80 (20:44:54.431 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 132.239.17.226 (20:43:06.916 PDT) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 47620->2128 (20:43:06.916 PDT) tcpslice 1308627786.916 1308627786.917 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.100 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 06/20/2011 20:50:07.344 PDT Gen. Time: 06/20/2011 20:50:07.344 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 132.239.17.226 (20:50:07.344 PDT) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 2122->2122 (20:50:07.344 PDT) tcpslice 1308628207.344 1308628207.345 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.100 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 06/20/2011 20:55:12.255 PDT Gen. Time: 06/20/2011 20:55:12.255 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 206.207.248.34 (20:55:12.255 PDT) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 59960->3128 (20:55:12.255 PDT) tcpslice 1308628512.255 1308628512.256 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.100 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 06/20/2011 21:00:17.102 PDT Gen. Time: 06/20/2011 21:00:17.102 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 206.207.248.34 (21:00:17.102 PDT) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 23127->23127 (21:00:17.102 PDT) tcpslice 1308628817.102 1308628817.103 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100' ============================== SEPARATOR ================================ Score: 1.3 (>= 0.8) Infected Target: 192.168.1.100 Infector List: Egg Source List: 91.209.175.101, 212.227.97.179 C & C List: Peer Coord. List: Resource List: Observed Start: 06/20/2011 21:00:17.102 PDT Gen. Time: 06/20/2011 21:09:28.459 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD 91.209.175.101 (2) (21:04:27.821 PDT) event=1:2009295 (2) {tcp} E3[rb] ET USER_AGENTS Suspicious Mozilla User-Agent - Likely Fake (Mozilla/5.0), [/sec] MAC_Src: 00:21:5A:08:BB:0C 44361->80 (21:04:27.821 PDT) 44361->80 (21:04:28.003 PDT) 212.227.97.179 (2) (21:03:54.554 PDT) event=1:2003179 (2) {tcp} E3[rb] ET POLICY exe download without User Agent, [/coblitz/wow/patches/3.3.2/WoW-3.3.0.11159-to-3.3.2.11403-esMX-patch.exe] MAC_Src: 00:21:5A:08:BB:0C 37763->80 (21:03:54.554 PDT) 43243->80 (21:05:54.261 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 206.207.248.34 (21:00:17.102 PDT) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 23127->23127 (21:00:17.102 PDT) tcpslice 1308628817.102 1308628817.103 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.100 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 06/20/2011 21:10:26.858 PDT Gen. Time: 06/20/2011 21:10:26.858 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 206.207.248.34 (21:10:26.858 PDT) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 4121->4121 (21:10:26.858 PDT) tcpslice 1308629426.858 1308629426.859 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.100 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 06/20/2011 21:10:26.858 PDT Gen. Time: 06/20/2011 21:13:59.982 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 132.239.17.226 (21:11:17.285 PDT) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 57901->2128 (21:11:17.285 PDT) 206.207.248.34 (21:10:26.858 PDT) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 4121->4121 (21:10:26.858 PDT) tcpslice 1308629426.858 1308629426.859 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.100 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 06/20/2011 21:20:26.843 PDT Gen. Time: 06/20/2011 21:20:26.843 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 206.207.248.34 (21:20:26.843 PDT) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 2122->2122 (21:20:26.843 PDT) tcpslice 1308630026.843 1308630026.844 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100' ============================== SEPARATOR ================================ Score: 1.3 (>= 0.8) Infected Target: 192.168.1.100 Infector List: Egg Source List: 212.227.97.179 C & C List: Peer Coord. List: Resource List: Observed Start: 06/20/2011 21:29:41.125 PDT Gen. Time: 06/20/2011 21:30:26.039 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD 212.227.97.179 (21:29:41.125 PDT) event=1:2003179 {tcp} E3[rb] ET POLICY exe download without User Agent, [/coblitz/wow/patches/3.2.0/WoW-3.2.0-enUS-patch.exe] MAC_Src: 00:21:5A:08:BB:0C 44322->80 (21:29:41.125 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 132.239.17.226 (21:30:26.039 PDT) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 2122->2122 (21:30:26.039 PDT) tcpslice 1308630581.125 1308630581.126 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.100 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 06/20/2011 21:34:17.702 PDT Gen. Time: 06/20/2011 21:34:17.702 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 132.239.17.226 (21:34:17.702 PDT) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 41209->2128 (21:34:17.702 PDT) tcpslice 1308630857.702 1308630857.703 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.100 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 06/20/2011 21:40:26.907 PDT Gen. Time: 06/20/2011 21:40:26.907 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 206.207.248.34 (21:40:26.907 PDT) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 14503->14503 (21:40:26.907 PDT) tcpslice 1308631226.907 1308631226.908 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.100 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 06/20/2011 21:45:38.811 PDT Gen. Time: 06/20/2011 21:45:38.811 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 132.239.17.226 (21:45:38.811 PDT) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 45609->2128 (21:45:38.811 PDT) tcpslice 1308631538.811 1308631538.812 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.100 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 06/20/2011 21:50:26.491 PDT Gen. Time: 06/20/2011 21:50:26.491 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 195.37.16.125 (21:50:26.491 PDT) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 11753->11753 (21:50:26.491 PDT) tcpslice 1308631826.491 1308631826.492 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.100 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 06/20/2011 22:00:26.076 PDT Gen. Time: 06/20/2011 22:00:26.076 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 206.207.248.34 (22:00:26.076 PDT) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 2122->2122 (22:00:26.076 PDT) tcpslice 1308632426.076 1308632426.077 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.100 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 06/20/2011 22:07:36.235 PDT Gen. Time: 06/20/2011 22:07:36.235 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 132.239.17.226 (22:07:36.235 PDT) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 53606->49301 (22:07:36.235 PDT) tcpslice 1308632856.235 1308632856.236 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100' ============================== SEPARATOR ================================ Score: 1.3 (>= 0.8) Infected Target: 192.168.1.100 Infector List: Egg Source List: 212.227.97.179 C & C List: Peer Coord. List: Resource List: Observed Start: 06/20/2011 22:07:36.235 PDT Gen. Time: 06/20/2011 22:10:20.064 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD 212.227.97.179 (22:09:17.636 PDT) event=1:2003179 {tcp} E3[rb] ET POLICY exe download without User Agent, [/coblitz/wow/patches/3.2.0/WoW-3.2.0-enUS-patch.exe] MAC_Src: 00:21:5A:08:BB:0C 40448->80 (22:09:17.636 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 132.239.17.226 (22:07:36.235 PDT) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 53606->49301 (22:07:36.235 PDT) tcpslice 1308632856.235 1308632856.236 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.100 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 06/20/2011 22:10:29.216 PDT Gen. Time: 06/20/2011 22:10:29.216 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 206.207.248.34 (22:10:29.216 PDT) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 2122->2122 (22:10:29.216 PDT) tcpslice 1308633029.216 1308633029.217 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100' ============================== SEPARATOR ================================ Score: 1.3 (>= 0.8) Infected Target: 192.168.1.100 Infector List: Egg Source List: 212.227.97.179 C & C List: Peer Coord. List: Resource List: Observed Start: 06/20/2011 22:10:29.216 PDT Gen. Time: 06/20/2011 22:23:42.679 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD 212.227.97.179 (3) (22:14:30.331 PDT) event=1:2003179 (3) {tcp} E3[rb] ET POLICY exe download without User Agent, [/coblitz/wow/patches/3.2.0/WoW-3.2.0-enUS-patch.exe] MAC_Src: 00:21:5A:08:BB:0C 34909->80 (22:14:30.331 PDT) 42373->80 (22:18:33.937 PDT) 58296->80 (22:20:32.748 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 206.207.248.34 (3) (22:10:29.216 PDT) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 51438->2126 (22:21:53.961 PDT) ------------------------- event=1:9910006 (2) {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 2122->2122 (22:10:29.216 PDT) 14503->14503 (22:20:33.201 PDT) tcpslice 1308633029.216 1308633029.217 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.100 Infector List: 141.108.14.6 Egg Source List: 141.108.14.6 C & C List: Peer Coord. List: Resource List: Observed Start: 06/20/2011 22:29:56.306 PDT Gen. Time: 06/20/2011 22:29:57.283 PDT INBOUND SCAN EXPLOIT 141.108.14.6 (22:29:56.306 PDT) event=1:22009200 {tcp} E2[rb] ET CURRENT_EVENTS Conficker.a Shellcode, [] MAC_Dst: 00:30:48:30:03:AE 445<-4807 (22:29:56.306 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 141.108.14.6 (22:29:57.283 PDT) event=1:2000419 {tcp} E3[rb] ET POLICY PE EXE or DLL Windows file download, [] MAC_Src: 00:21:1C:EE:14:00 1028<-7647 (22:29:57.283 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT tcpslice 1308634196.306 1308634196.307 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.100 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 06/20/2011 22:30:34.053 PDT Gen. Time: 06/20/2011 22:30:34.053 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 195.37.16.125 (22:30:34.053 PDT) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 14503->14503 (22:30:34.053 PDT) tcpslice 1308634234.053 1308634234.054 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.100 Infector List: 141.108.14.6 Egg Source List: 141.108.14.6 C & C List: Peer Coord. List: Resource List: Observed Start: 06/20/2011 22:29:56.306 PDT Gen. Time: 06/20/2011 22:33:58.174 PDT INBOUND SCAN EXPLOIT 141.108.14.6 (2) (22:29:56.306 PDT-22:29:59.347 PDT) event=1:22009200 (2) {tcp} E2[rb] ET CURRENT_EVENTS Conficker.a Shellcode, [] MAC_Dst: 00:30:48:30:03:AE 2: 445<-4807 (22:29:56.306 PDT-22:29:59.347 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 141.108.14.6 (3) (22:29:57.282 PDT) event=1:2000419 {tcp} E3[rb] ET POLICY PE EXE or DLL Windows file download, [] MAC_Src: 00:21:1C:EE:14:00 1028<-7647 (22:29:57.283 PDT) ------------------------- event=1:2001685 {tcp} E3[rb] ET MALWARE Possible Windows executable sent when remote host claims to send an image, [] MAC_Src: 00:21:1C:EE:14:00 1028<-7647 (22:29:57.282 PDT) ------------------------- event=1:3300007 {tcp} E3[rb] BotHunter Malware Windows executable (PE) sent from remote host, [] MAC_Src: 00:21:1C:EE:14:00 1028<-7647 (22:29:57.283 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT tcpslice 1308634196.306 1308634199.348 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.100 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 06/20/2011 22:40:34.010 PDT Gen. Time: 06/20/2011 22:40:34.010 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 206.207.248.34 (22:40:34.010 PDT) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 4121->4121 (22:40:34.010 PDT) tcpslice 1308634834.010 1308634834.011 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.100 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 06/20/2011 22:44:14.141 PDT Gen. Time: 06/20/2011 22:44:14.141 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 132.239.17.226 (22:44:14.141 PDT) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 34400->2128 (22:44:14.141 PDT) tcpslice 1308635054.141 1308635054.142 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.100 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 06/20/2011 22:50:34.336 PDT Gen. Time: 06/20/2011 22:50:34.336 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 206.207.248.34 (22:50:34.336 PDT) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 14503->14503 (22:50:34.336 PDT) tcpslice 1308635434.336 1308635434.337 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.100 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 06/20/2011 22:54:54.998 PDT Gen. Time: 06/20/2011 22:54:54.998 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 132.239.17.226 (22:54:54.998 PDT) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 50086->3125 (22:54:54.998 PDT) tcpslice 1308635694.998 1308635694.999 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100' ============================== SEPARATOR ================================