Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 06/20/2011 00:05:39.554 PDT
Gen. Time: 06/20/2011 00:05:39.554 PDT
  INBOUND SCAN
  EXPLOIT
  EXPLOIT MALWARE DNS
  EGG DOWNLOAD
  C and C TRAFFIC
  C and C TRAFFIC (RBN)
  C and C DNS CHECK-IN
  OUTBOUND SKYPE CANDIDATE
  OUTBOUND SCAN (spp)
  OUTBOUND SCAN
  ATTACK PREP
  PEER COORDINATION
  DECLARE BOT
  132.239.17.226 (00:05:39.554 PDT)
    event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40
    48261->2126 (00:05:39.554 PDT)
tcpslice 1308553539.554 1308553539.555 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'
============================== SEPARATOR ================================
Score: 1.2 (>= 0.8)
Infected Target: 192.168.1.102
Infector List:
Egg Source List:
C & C List: 218.6.19.3
Peer Coord. List:
Resource List:
Observed Start: 06/20/2011 00:09:10.779 PDT
Gen. Time: 06/20/2011 00:09:24.789 PDT
  INBOUND SCAN
  EXPLOIT
  EXPLOIT MALWARE DNS
  EGG DOWNLOAD
  C and C TRAFFIC
  C and C TRAFFIC (RBN)
  218.6.19.3 (00:09:10.779 PDT)
    event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:EC:40
    3124->59264 (00:09:10.779 PDT)
  C and C DNS CHECK-IN
  OUTBOUND SKYPE CANDIDATE
  OUTBOUND SCAN (spp)
  OUTBOUND SCAN
  ATTACK PREP
  PEER COORDINATION
  DECLARE BOT
  195.37.16.125 (00:09:24.789 PDT)
    event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40
    4795->4795 (00:09:24.789 PDT)
tcpslice 1308553750.779 1308553750.780 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'
============================== SEPARATOR ================================
Score: 1.2 (>= 0.8)
Infected Target: 192.168.1.102
Infector List:
Egg Source List:
C & C List: 218.6.19.3
Peer Coord. List:
Resource List:
Observed Start: 06/20/2011 00:19:26.043 PDT
Gen. Time: 06/20/2011 00:19:36.313 PDT
  INBOUND SCAN
  EXPLOIT
  EXPLOIT MALWARE DNS
  EGG DOWNLOAD
  C and C TRAFFIC
  C and C TRAFFIC (RBN)
  218.6.19.3 (00:19:26.043 PDT)
    event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:EC:40
    3124->47236 (00:19:26.043 PDT)
  C and C DNS CHECK-IN
  OUTBOUND SKYPE CANDIDATE
  OUTBOUND SCAN (spp)
  OUTBOUND SCAN
  ATTACK PREP
  PEER COORDINATION
  DECLARE BOT
  206.207.248.34 (00:19:36.313 PDT)
    event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40
    2122->2122 (00:19:36.313 PDT)
tcpslice 1308554366.043 1308554366.044 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'
============================== SEPARATOR ================================
Score: 1.2 (>= 0.8)
Infected Target: 192.168.1.102
Infector List:
Egg Source List:
C & C List: 218.6.19.3
Peer Coord. List:
Resource List:
Observed Start: 06/20/2011 00:19:26.043 PDT
Gen. Time: 06/20/2011 00:23:04.988 PDT
  INBOUND SCAN
  EXPLOIT
  EXPLOIT MALWARE DNS
  EGG DOWNLOAD
  C and C TRAFFIC
  C and C TRAFFIC (RBN)
  218.6.19.3 (00:19:26.043 PDT)
    event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:EC:40
    3124->47236 (00:19:26.043 PDT)
  C and C DNS CHECK-IN
  OUTBOUND SKYPE CANDIDATE
  OUTBOUND SCAN (spp)
  OUTBOUND SCAN
  ATTACK PREP
  PEER COORDINATION
  DECLARE BOT
  132.239.17.226 (00:20:41.888 PDT)
    event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40
    46624->2128 (00:20:41.888 PDT)
  206.207.248.34 (00:19:36.313 PDT)
    event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40
    2122->2122 (00:19:36.313 PDT)
tcpslice 1308554366.043 1308554366.044 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'
============================== SEPARATOR ================================
Score: 1.2 (>= 0.8)
Infected Target: 192.168.1.102
Infector List:
Egg Source List:
C & C List: 213.136.106.214
Peer Coord. List:
Resource List:
Observed Start: 06/20/2011 00:26:47.424 PDT
Gen. Time: 06/20/2011 00:29:39.005 PDT
  INBOUND SCAN
  EXPLOIT
  EXPLOIT MALWARE DNS
  EGG DOWNLOAD
  C and C TRAFFIC
  C and C TRAFFIC (RBN)
  213.136.106.214 (00:26:47.424 PDT)
    event=1:3810008 {udp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:EC:40
    60236->53 (00:26:47.424 PDT)
  C and C DNS CHECK-IN
  OUTBOUND SKYPE CANDIDATE
  OUTBOUND SCAN (spp)
  OUTBOUND SCAN
  ATTACK PREP
  PEER COORDINATION
  DECLARE BOT
  206.207.248.34 (00:29:39.005 PDT)
    event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40
    23127->23127 (00:29:39.005 PDT)
tcpslice 1308554807.424 1308554807.425 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'
============================== SEPARATOR ================================
Score: 0.9 (>= 0.8)
Infected Target: 192.168.1.102
Infector List:
Egg Source List: 212.227.97.179
C & C List: 218.6.19.3
Peer Coord. List:
Resource List:
Observed Start: 06/20/2011 00:30:37.296 PDT
Gen. Time: 06/20/2011 00:31:58.969 PDT
  INBOUND SCAN
  EXPLOIT
  EXPLOIT MALWARE DNS
  EGG DOWNLOAD
  212.227.97.179 (00:31:58.969 PDT)
    event=1:2003179 {tcp} E3[rb] ET POLICY exe download without User Agent, [/coblitz/wow/patches/3.3.0/WoW-3.2.0.10192-to-3.3.0.10958-enUS-patch.exe] MAC_Src: 00:21:5A:08:EC:40
    53221->80 (00:31:58.969 PDT)
  C and C TRAFFIC
  C and C TRAFFIC (RBN)
  218.6.19.3 (00:30:37.296 PDT)
    event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:EC:40
    3124->53518 (00:30:37.296 PDT)
  C and C DNS CHECK-IN
  OUTBOUND SKYPE CANDIDATE
  OUTBOUND SCAN (spp)
  OUTBOUND SCAN
  ATTACK PREP
  PEER COORDINATION
  DECLARE BOT
tcpslice 1308555037.296 1308555037.297 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 06/20/2011 00:38:20.025 PDT
Gen. Time: 06/20/2011 00:38:20.025 PDT
  INBOUND SCAN
  EXPLOIT
  EXPLOIT MALWARE DNS
  EGG DOWNLOAD
  C and C TRAFFIC
  C and C TRAFFIC (RBN)
  C and C DNS CHECK-IN
  OUTBOUND SKYPE CANDIDATE
  OUTBOUND SCAN (spp)
  OUTBOUND SCAN
  ATTACK PREP
  PEER COORDINATION
  DECLARE BOT
  206.207.248.34 (00:38:20.025 PDT)
    event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40
    41178->3128 (00:38:20.025 PDT)
tcpslice 1308555500.025 1308555500.026 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'
============================== SEPARATOR ================================
Score: 1.2 (>= 0.8)
Infected Target: 192.168.1.102
Infector List:
Egg Source List:
C & C List: 218.6.19.3
Peer Coord. List:
Resource List:
Observed Start: 06/20/2011 00:38:20.025 PDT
Gen. Time: 06/20/2011 00:42:20.130 PDT
  INBOUND SCAN
  EXPLOIT
  EXPLOIT MALWARE DNS
  EGG DOWNLOAD
  C and C TRAFFIC
  C and C TRAFFIC (RBN)
  218.6.19.3 (00:41:06.953 PDT)
    event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:EC:40
    3124->47975 (00:41:06.953 PDT)
  C and C DNS CHECK-IN
  OUTBOUND SKYPE CANDIDATE
  OUTBOUND SCAN (spp)
  OUTBOUND SCAN
  ATTACK PREP
  PEER COORDINATION
  DECLARE BOT
  206.207.248.34 (2) (00:38:20.025 PDT)
    event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40
    41178->3128 (00:38:20.025 PDT)
    -------------------------
    event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40
    23127->23127 (00:39:53.975 PDT)
tcpslice 1308555500.025 1308555500.026 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'
============================== SEPARATOR ================================
Score: 1.2 (>= 0.8)
Infected Target: 192.168.1.102
Infector List:
Egg Source List:
C & C List: 194.85.105.17
Peer Coord. List:
Resource List:
Observed Start: 06/20/2011 00:49:12.920 PDT
Gen. Time: 06/20/2011 00:50:01.313 PDT
  INBOUND SCAN
  EXPLOIT
  EXPLOIT MALWARE DNS
  EGG DOWNLOAD
  C and C TRAFFIC
  C and C TRAFFIC (RBN)
  194.85.105.17 (00:49:12.920 PDT)
    event=1:3810008 {udp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:EC:40
    55591->53 (00:49:12.920 PDT)
  C and C DNS CHECK-IN
  OUTBOUND SKYPE CANDIDATE
  OUTBOUND SCAN (spp)
  OUTBOUND SCAN
  ATTACK PREP
  PEER COORDINATION
  DECLARE BOT
  134.34.246.5 (00:50:01.313 PDT)
    event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40
    14503->14503 (00:50:01.313 PDT)
tcpslice 1308556152.920 1308556152.921 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'
============================== SEPARATOR ================================
Score: 1.2 (>= 0.8)
Infected Target: 192.168.1.102
Infector List:
Egg Source List:
C & C List: 218.6.19.3, 194.85.105.17
Peer Coord. List:
Resource List:
Observed Start: 06/20/2011 00:49:12.920 PDT
Gen. Time: 06/20/2011 00:53:53.191 PDT
  INBOUND SCAN
  EXPLOIT
  EXPLOIT MALWARE DNS
  EGG DOWNLOAD
  C and C TRAFFIC
  C and C TRAFFIC (RBN)
  218.6.19.3 (00:51:30.897 PDT)
    event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:EC:40
    3124->55398 (00:51:30.897 PDT)
  194.85.105.17 (00:49:12.920 PDT)
    event=1:3810008 {udp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:EC:40
    55591->53 (00:49:12.920 PDT)
  C and C DNS CHECK-IN
  OUTBOUND SKYPE CANDIDATE
  OUTBOUND SCAN (spp)
  OUTBOUND SCAN
  ATTACK PREP
  PEER COORDINATION
  DECLARE BOT
  134.34.246.5 (00:50:01.313 PDT)
    event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40
    14503->14503 (00:50:01.313 PDT)
tcpslice 1308556152.920 1308556152.921 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 06/20/2011 00:55:18.947 PDT
Gen. Time: 06/20/2011 00:55:18.947 PDT
  INBOUND SCAN
  EXPLOIT
  EXPLOIT MALWARE DNS
  EGG DOWNLOAD
  C and C TRAFFIC
  C and C TRAFFIC (RBN)
  C and C DNS CHECK-IN
  OUTBOUND SKYPE CANDIDATE
  OUTBOUND SCAN (spp)
  OUTBOUND SCAN
  ATTACK PREP
  PEER COORDINATION
  DECLARE BOT
  206.207.248.34 (00:55:18.947 PDT)
    event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40
    60732->3128 (00:55:18.947 PDT)
tcpslice 1308556518.947 1308556518.948 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 06/20/2011 01:00:05.286 PDT
Gen. Time: 06/20/2011 01:00:05.286 PDT
  INBOUND SCAN
  EXPLOIT
  EXPLOIT MALWARE DNS
  EGG DOWNLOAD
  C and C TRAFFIC
  C and C TRAFFIC (RBN)
  C and C DNS CHECK-IN
  OUTBOUND SKYPE CANDIDATE
  OUTBOUND SCAN (spp)
  OUTBOUND SCAN
  ATTACK PREP
  PEER COORDINATION
  DECLARE BOT
  132.239.17.226 (01:00:05.286 PDT)
    event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40
    2122->2122 (01:00:05.286 PDT)
tcpslice 1308556805.286 1308556805.287 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'
============================== SEPARATOR ================================
Score: 1.2 (>= 0.8)
Infected Target: 192.168.1.102
Infector List:
Egg Source List:
C & C List: 218.6.19.3
Peer Coord. List:
Resource List:
Observed Start: 06/20/2011 01:00:05.286 PDT
Gen. Time: 06/20/2011 01:03:10.101 PDT
  INBOUND SCAN
  EXPLOIT
  EXPLOIT MALWARE DNS
  EGG DOWNLOAD
  C and C TRAFFIC
  C and C TRAFFIC (RBN)
  218.6.19.3 (01:01:37.557 PDT)
    event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:EC:40
    3124->36321 (01:01:37.557 PDT)
  C and C DNS CHECK-IN
  OUTBOUND SKYPE CANDIDATE
  OUTBOUND SCAN (spp)
  OUTBOUND SCAN
  ATTACK PREP
  PEER COORDINATION
  DECLARE BOT
  132.239.17.226 (01:00:05.286 PDT)
    event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40
    2122->2122 (01:00:05.286 PDT)
tcpslice 1308556805.286 1308556805.287 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 06/20/2011 01:08:20.890 PDT
Gen. Time: 06/20/2011 01:08:20.890 PDT
  INBOUND SCAN
  EXPLOIT
  EXPLOIT MALWARE DNS
  EGG DOWNLOAD
  C and C TRAFFIC
  C and C TRAFFIC (RBN)
  C and C DNS CHECK-IN
  OUTBOUND SKYPE CANDIDATE
  OUTBOUND SCAN (spp)
  OUTBOUND SCAN
  ATTACK PREP
  PEER COORDINATION
  DECLARE BOT
  206.207.248.34 (01:08:20.890 PDT)
    event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40
    52959->2126 (01:08:20.890 PDT)
tcpslice 1308557300.890 1308557300.891 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 06/20/2011 01:08:20.890 PDT
Gen. Time: 06/20/2011 01:12:02.978 PDT
  INBOUND SCAN
  EXPLOIT
  EXPLOIT MALWARE DNS
  EGG DOWNLOAD
  C and C TRAFFIC
  C and C TRAFFIC (RBN)
  C and C DNS CHECK-IN
  OUTBOUND SKYPE CANDIDATE
  OUTBOUND SCAN (spp)
  OUTBOUND SCAN
  ATTACK PREP
  PEER COORDINATION
  DECLARE BOT
  206.207.248.34 (2) (01:08:20.890 PDT)
    event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40
    52959->2126 (01:08:20.890 PDT)
    -------------------------
    event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40
    23127->23127 (01:10:07.804 PDT)
tcpslice 1308557300.890 1308557300.891 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 06/20/2011 01:20:07.155 PDT
Gen. Time: 06/20/2011 01:20:07.155 PDT
  INBOUND SCAN
  EXPLOIT
  EXPLOIT MALWARE DNS
  EGG DOWNLOAD
  C and C TRAFFIC
  C and C TRAFFIC (RBN)
  C and C DNS CHECK-IN
  OUTBOUND SKYPE CANDIDATE
  OUTBOUND SCAN (spp)
  OUTBOUND SCAN
  ATTACK PREP
  PEER COORDINATION
  DECLARE BOT
  206.207.248.34 (01:20:07.155 PDT)
    event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40
    2122->2122 (01:20:07.155 PDT)
tcpslice 1308558007.155 1308558007.156 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 06/20/2011 01:29:36.766 PDT
Gen. Time: 06/20/2011 01:29:36.766 PDT
  INBOUND SCAN
  EXPLOIT
  EXPLOIT MALWARE DNS
  EGG DOWNLOAD
  C and C TRAFFIC
  C and C TRAFFIC (RBN)
  C and C DNS CHECK-IN
  OUTBOUND SKYPE CANDIDATE
  OUTBOUND SCAN (spp)
  OUTBOUND SCAN
  ATTACK PREP
  PEER COORDINATION
  DECLARE BOT
  206.207.248.34 (01:29:36.766 PDT)
    event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40
    59620->3128 (01:29:36.766 PDT)
tcpslice 1308558576.766 1308558576.767 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 06/20/2011 01:29:36.766 PDT
Gen. Time: 06/20/2011 01:33:05.109 PDT
  INBOUND SCAN
  EXPLOIT
  EXPLOIT MALWARE DNS
  EGG DOWNLOAD
  C and C TRAFFIC
  C and C TRAFFIC (RBN)
  C and C DNS CHECK-IN
  OUTBOUND SKYPE CANDIDATE
  OUTBOUND SCAN (spp)
  OUTBOUND SCAN
  ATTACK PREP
  PEER COORDINATION
  DECLARE BOT
  206.207.248.34 (2) (01:29:36.766 PDT)
    event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40
    59620->3128 (01:29:36.766 PDT)
    -------------------------
    event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40
    23127->23127 (01:30:08.792 PDT)
tcpslice 1308558576.766 1308558576.767 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'
============================== SEPARATOR ================================
Score: 1.2 (>= 0.8)
Infected Target: 192.168.1.102
Infector List:
Egg Source List:
C & C List: 218.6.19.3
Peer Coord. List:
Resource List:
Observed Start: 06/20/2011 01:37:44.623 PDT
Gen. Time: 06/20/2011 01:40:09.939 PDT
  INBOUND SCAN
  EXPLOIT
  EXPLOIT MALWARE DNS
  EGG DOWNLOAD
  C and C TRAFFIC
  C and C TRAFFIC (RBN)
  218.6.19.3 (01:37:44.623 PDT)
    event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:EC:40
    3124->52394 (01:37:44.623 PDT)
  C and C DNS CHECK-IN
  OUTBOUND SKYPE CANDIDATE
  OUTBOUND SCAN (spp)
  OUTBOUND SCAN
  ATTACK PREP
  PEER COORDINATION
  DECLARE BOT
  206.207.248.34 (01:40:09.939 PDT)
    event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40
    23127->23127 (01:40:09.939 PDT)
tcpslice 1308559064.623 1308559064.624 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 06/20/2011 01:44:43.325 PDT
Gen. Time: 06/20/2011 01:44:43.325 PDT
  INBOUND SCAN
  EXPLOIT
  EXPLOIT MALWARE DNS
  EGG DOWNLOAD
  C and C TRAFFIC
  C and C TRAFFIC (RBN)
  C and C DNS CHECK-IN
  OUTBOUND SKYPE CANDIDATE
  OUTBOUND SCAN (spp)
  OUTBOUND SCAN
  ATTACK PREP
  PEER COORDINATION
  DECLARE BOT
  132.239.17.226 (01:44:43.325 PDT)
    event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40
    56964->2126 (01:44:43.325 PDT)
tcpslice 1308559483.325 1308559483.326 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'
============================== SEPARATOR ================================
Score: 1.7 (>= 0.8)
Infected Target: 192.168.1.102
Infector List:
Egg Source List: 212.227.97.179
C & C List: 218.6.19.3
Peer Coord. List:
Resource List:
Observed Start: 06/20/2011 01:44:43.325 PDT
Gen. Time: 06/20/2011 01:51:18.247 PDT
  INBOUND SCAN
  EXPLOIT
  EXPLOIT MALWARE DNS
  EGG DOWNLOAD
  212.227.97.179 (01:47:45.422 PDT)
    event=1:2003179 {tcp} E3[rb] ET POLICY exe download without User Agent, [/coblitz/wow/patches/3.3.0/WoW-3.2.0.10192-to-3.3.0.10958-esES-patch.exe] MAC_Src: 00:21:5A:08:EC:40
    56251->80 (01:47:45.422 PDT)
  C and C TRAFFIC
  C and C TRAFFIC (RBN)
  218.6.19.3 (01:48:03.741 PDT)
    event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:EC:40
    3124->56001 (01:48:03.741 PDT)
  C and C DNS CHECK-IN
  OUTBOUND SKYPE CANDIDATE
  OUTBOUND SCAN (spp)
  OUTBOUND SCAN
  ATTACK PREP
  PEER COORDINATION
  DECLARE BOT
  132.239.17.226 (01:44:43.325 PDT)
    event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40
    56964->2126 (01:44:43.325 PDT)
  206.207.248.34 (01:50:17.335 PDT)
    event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40
    2122->2122 (01:50:17.335 PDT)
tcpslice 1308559483.325 1308559483.326 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'
============================== SEPARATOR ================================
Score: 0.9 (>= 0.8)
Infected Target: 192.168.1.102
Infector List:
Egg Source List: 212.227.97.179
C & C List: 218.6.19.3
Peer Coord. List:
Resource List:
Observed Start: 06/20/2011 01:58:33.494 PDT
Gen. Time: 06/20/2011 01:58:39.723 PDT
  INBOUND SCAN
  EXPLOIT
  EXPLOIT MALWARE DNS
  EGG DOWNLOAD
  212.227.97.179 (01:58:33.494 PDT)
    event=1:2003179 {tcp} E3[rb] ET POLICY exe download without User Agent, [/coblitz/wow/patches/3.3.2/WoW-3.3.0.11159-to-3.3.2.11403-enGB-patch.exe] MAC_Src: 00:21:5A:08:EC:40
    35064->80 (01:58:33.494 PDT)
  C and C TRAFFIC
  C and C TRAFFIC (RBN)
  218.6.19.3 (01:58:39.723 PDT)
    event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:EC:40
    3124->50234 (01:58:39.723 PDT)
  C and C DNS CHECK-IN
  OUTBOUND SKYPE CANDIDATE
  OUTBOUND SCAN (spp)
  OUTBOUND SCAN
  ATTACK PREP
  PEER COORDINATION
  DECLARE BOT
tcpslice 1308560313.494 1308560313.495 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'
============================== SEPARATOR ================================
Score: 1.7 (>= 0.8)
Infected Target: 192.168.1.102
Infector List:
Egg Source List: 212.227.97.179
C & C List: 218.6.19.3
Peer Coord. List:
Resource List:
Observed Start: 06/20/2011 01:58:33.494 PDT
Gen. Time: 06/20/2011 02:02:28.942 PDT
  INBOUND SCAN
  EXPLOIT
  EXPLOIT MALWARE DNS
  EGG DOWNLOAD
  212.227.97.179 (01:58:33.494 PDT)
    event=1:2003179 {tcp} E3[rb] ET POLICY exe download without User Agent, [/coblitz/wow/patches/3.3.2/WoW-3.3.0.11159-to-3.3.2.11403-enGB-patch.exe] MAC_Src: 00:21:5A:08:EC:40
    35064->80 (01:58:33.494 PDT)
  C and C TRAFFIC
  C and C TRAFFIC (RBN)
  218.6.19.3 (01:58:39.723 PDT)
    event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:EC:40
    3124->50234 (01:58:39.723 PDT)
  C and C DNS CHECK-IN
  OUTBOUND SKYPE CANDIDATE
  OUTBOUND SCAN (spp)
  OUTBOUND SCAN
  ATTACK PREP
  PEER COORDINATION
  DECLARE BOT
  206.207.248.34 (02:00:20.341 PDT)
    event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40
    14503->14503 (02:00:20.341 PDT)
tcpslice 1308560313.494 1308560313.495 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 06/20/2011 02:02:38.113 PDT
Gen. Time: 06/20/2011 02:02:38.113 PDT
  INBOUND SCAN
  EXPLOIT
  EXPLOIT MALWARE DNS
  EGG DOWNLOAD
  C and C TRAFFIC
  C and C TRAFFIC (RBN)
  C and C DNS CHECK-IN
  OUTBOUND SKYPE CANDIDATE
  OUTBOUND SCAN (spp)
  OUTBOUND SCAN
  ATTACK PREP
  PEER COORDINATION
  DECLARE BOT
  206.207.248.34 (02:02:38.113 PDT)
    event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40
    46824->3128 (02:02:38.113 PDT)
tcpslice 1308560558.113 1308560558.114 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'
============================== SEPARATOR ================================
Score: 1.2 (>= 0.8)
Infected Target: 192.168.1.102
Infector List:
Egg Source List:
C & C List: 218.6.19.3
Peer Coord. List:
Resource List:
Observed Start: 06/20/2011 02:08:58.613 PDT
Gen. Time: 06/20/2011 02:10:22.343 PDT
  INBOUND SCAN
  EXPLOIT
  EXPLOIT MALWARE DNS
  EGG DOWNLOAD
  C and C TRAFFIC
  C and C TRAFFIC (RBN)
  218.6.19.3 (02:08:58.613 PDT)
    event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:EC:40
    3124->60477 (02:08:58.613 PDT)
  C and C DNS CHECK-IN
  OUTBOUND SKYPE CANDIDATE
  OUTBOUND SCAN (spp)
  OUTBOUND SCAN
  ATTACK PREP
  PEER COORDINATION
  DECLARE BOT
  132.239.17.226 (02:10:22.343 PDT)
    event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40
    2122->2122 (02:10:22.343 PDT)
tcpslice 1308560938.613 1308560938.614 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'
============================== SEPARATOR ================================
Score: 0.9 (>= 0.8)
Infected Target: 192.168.1.102
Infector List:
Egg Source List: 212.227.97.179
C & C List: 218.6.19.3
Peer Coord. List:
Resource List:
Observed Start: 06/20/2011 02:16:27.790 PDT
Gen. Time: 06/20/2011 02:19:02.585 PDT
  INBOUND SCAN
  EXPLOIT
  EXPLOIT MALWARE DNS
  EGG DOWNLOAD
  212.227.97.179 (02:16:27.790 PDT)
    event=1:2003179 {tcp} E3[rb] ET POLICY exe download without User Agent, [/coblitz/wow/patches/3.3.0/WoW-3.2.0.10192-to-3.3.0.10958-enGB-patch.exe] MAC_Src: 00:21:5A:08:EC:40
    55735->80 (02:16:27.790 PDT)
  C and C TRAFFIC
  C and C TRAFFIC (RBN)
  218.6.19.3 (02:19:02.585 PDT)
    event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:EC:40
    3124->60763 (02:19:02.585 PDT)
  C and C DNS CHECK-IN
  OUTBOUND SKYPE CANDIDATE
  OUTBOUND SCAN (spp)
  OUTBOUND SCAN
  ATTACK PREP
  PEER COORDINATION
  DECLARE BOT
tcpslice 1308561387.790 1308561387.791 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'
============================== SEPARATOR ================================
Score: 1.7 (>= 0.8)
Infected Target: 192.168.1.102
Infector List:
Egg Source List: 212.227.97.179
C & C List: 218.6.19.3
Peer Coord. List:
Resource List:
Observed Start: 06/20/2011 02:16:27.790 PDT
Gen. Time: 06/20/2011 02:20:23.129 PDT
  INBOUND SCAN
  EXPLOIT
  EXPLOIT MALWARE DNS
  EGG DOWNLOAD
  212.227.97.179 (02:16:27.790 PDT)
    event=1:2003179 {tcp} E3[rb] ET POLICY exe download without User Agent, [/coblitz/wow/patches/3.3.0/WoW-3.2.0.10192-to-3.3.0.10958-enGB-patch.exe] MAC_Src: 00:21:5A:08:EC:40
    55735->80 (02:16:27.790 PDT)
  C and C TRAFFIC
  C and C TRAFFIC (RBN)
  218.6.19.3 (02:19:02.585 PDT)
    event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:EC:40
    3124->60763 (02:19:02.585 PDT)
  C and C DNS CHECK-IN
  OUTBOUND SKYPE CANDIDATE
  OUTBOUND SCAN (spp)
  OUTBOUND SCAN
  ATTACK PREP
  PEER COORDINATION
  DECLARE BOT
  132.239.17.226 (02:20:23.129 PDT)
    event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40
    4795->4795 (02:20:23.129 PDT)
  206.207.248.34 (02:19:39.706 PDT)
    event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40
    39887->3128 (02:19:39.706 PDT)
tcpslice 1308561387.790 1308561387.791 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'
============================== SEPARATOR ================================
Score: 1.2 (>= 0.8)
Infected Target: 192.168.1.102
Infector List:
Egg Source List:
C & C List: 218.6.19.3
Peer Coord. List:
Resource List:
Observed Start: 06/20/2011 02:29:22.551 PDT
Gen. Time: 06/20/2011 02:30:23.126 PDT
  INBOUND SCAN
  EXPLOIT
  EXPLOIT MALWARE DNS
  EGG DOWNLOAD
  C and C TRAFFIC
  C and C TRAFFIC (RBN)
  218.6.19.3 (02:29:22.551 PDT)
    event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:EC:40
    3124->51399 (02:29:22.551 PDT)
  C and C DNS CHECK-IN
  OUTBOUND SKYPE CANDIDATE
  OUTBOUND SCAN (spp)
  OUTBOUND SCAN
  ATTACK PREP
  PEER COORDINATION
  DECLARE BOT
  206.207.248.34 (02:30:23.126 PDT)
    event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40
    2122->2122 (02:30:23.126 PDT)
tcpslice 1308562162.551 1308562162.552 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 06/20/2011 02:36:23.719 PDT
Gen. Time: 06/20/2011 02:36:23.719 PDT
  INBOUND SCAN
  EXPLOIT
  EXPLOIT MALWARE DNS
  EGG DOWNLOAD
  C and C TRAFFIC
  C and C TRAFFIC (RBN)
  C and C DNS CHECK-IN
  OUTBOUND SKYPE CANDIDATE
  OUTBOUND SCAN (spp)
  OUTBOUND SCAN
  ATTACK PREP
  PEER COORDINATION
  DECLARE BOT
  206.207.248.34 (02:36:23.719 PDT)
    event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40
    51682->3128 (02:36:23.719 PDT)
tcpslice 1308562583.719 1308562583.720 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'
============================== SEPARATOR ================================
Score: 1.2 (>= 0.8)
Infected Target: 192.168.1.102
Infector List:
Egg Source List:
C & C List: 218.6.19.3
Peer Coord. List:
Resource List:
Observed Start: 06/20/2011 02:39:36.529 PDT
Gen. Time: 06/20/2011 02:40:30.603 PDT
  INBOUND SCAN
  EXPLOIT
  EXPLOIT MALWARE DNS
  EGG DOWNLOAD
  C and C TRAFFIC
  C and C TRAFFIC (RBN)
  218.6.19.3 (02:39:36.529 PDT)
    event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:EC:40
    3124->55390 (02:39:36.529 PDT)
  C and C DNS CHECK-IN
  OUTBOUND SKYPE CANDIDATE
  OUTBOUND SCAN (spp)
  OUTBOUND SCAN
  ATTACK PREP
  PEER COORDINATION
  DECLARE BOT
  206.207.248.34 (02:40:30.603 PDT)
    event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40
    23127->23127 (02:40:30.603 PDT)
tcpslice 1308562776.529 1308562776.530 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 06/20/2011 02:47:01.734 PDT
Gen. Time: 06/20/2011 02:47:01.734 PDT
  INBOUND SCAN
  EXPLOIT
  EXPLOIT MALWARE DNS
  EGG DOWNLOAD
  C and C TRAFFIC
  C and C TRAFFIC (RBN)
  C and C DNS CHECK-IN
  OUTBOUND SKYPE CANDIDATE
  OUTBOUND SCAN (spp)
  OUTBOUND SCAN
  ATTACK PREP
  PEER COORDINATION
  DECLARE BOT
  206.207.248.34 (02:47:01.734 PDT)
    event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40
    49830->2126 (02:47:01.734 PDT)
tcpslice 1308563221.734 1308563221.735 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'
============================== SEPARATOR ================================
Score: 1.2 (>= 0.8)
Infected Target: 192.168.1.102
Infector List:
Egg Source List:
C & C List: 218.6.19.3
Peer Coord. List:
Resource List:
Observed Start: 06/20/2011 02:50:36.339 PDT
Gen. Time: 06/20/2011 02:50:39.535 PDT
  INBOUND SCAN
  EXPLOIT
  EXPLOIT MALWARE DNS
  EGG DOWNLOAD
  C and C TRAFFIC
  C and C TRAFFIC (RBN)
  218.6.19.3 (02:50:36.339 PDT)
    event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:EC:40
    3124->37890 (02:50:36.339 PDT)
  C and C DNS CHECK-IN
  OUTBOUND SKYPE CANDIDATE
  OUTBOUND SCAN (spp)
  OUTBOUND SCAN
  ATTACK PREP
  PEER COORDINATION
  DECLARE BOT
  206.207.248.34 (02:50:39.535 PDT)
    event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40
    23127->23127 (02:50:39.535 PDT)
tcpslice 1308563436.339 1308563436.340 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 06/20/2011 02:59:39.221 PDT
Gen. Time: 06/20/2011 02:59:39.221 PDT
  INBOUND SCAN
  EXPLOIT
  EXPLOIT MALWARE DNS
  EGG DOWNLOAD
  C and C TRAFFIC
  C and C TRAFFIC (RBN)
  C and C DNS CHECK-IN
  OUTBOUND SKYPE CANDIDATE
  OUTBOUND SCAN (spp)
  OUTBOUND SCAN
  ATTACK PREP
  PEER COORDINATION
  DECLARE BOT
  132.239.17.226 (02:59:39.221 PDT)
    event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40
    34156->2128 (02:59:39.221 PDT)
tcpslice 1308563979.221 1308563979.222 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'
============================== SEPARATOR ================================
Score: 1.7 (>= 0.8)
Infected Target: 192.168.1.102
Infector List:
Egg Source List: 212.227.97.179
C & C List: 218.6.19.3
Peer Coord. List:
Resource List:
Observed Start: 06/20/2011 02:59:39.221 PDT
Gen. Time: 06/20/2011 03:06:32.269 PDT
  INBOUND SCAN
  EXPLOIT
  EXPLOIT MALWARE DNS
  EGG DOWNLOAD
  212.227.97.179 (03:02:17.051 PDT)
    event=1:2003179 {tcp} E3[rb] ET POLICY exe download without User Agent, [/coblitz/wow/patches/3.2.0/WoW-3.2.0-deDE-patch.exe] MAC_Src: 00:21:5A:08:EC:40
    41594->80 (03:02:17.051 PDT)
  C and C TRAFFIC
  C and C TRAFFIC (RBN)
  218.6.19.3 (03:01:04.520 PDT)
    event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:EC:40
    3124->55321 (03:01:04.520 PDT)
  C and C DNS CHECK-IN
  OUTBOUND SKYPE CANDIDATE
  OUTBOUND SCAN (spp)
  OUTBOUND SCAN
  ATTACK PREP
  PEER COORDINATION
  DECLARE BOT
  132.239.17.226 (02:59:39.221 PDT)
    event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40
    34156->2128 (02:59:39.221 PDT)
  195.37.16.125 (03:00:52.791 PDT)
    event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40
    2121->2121 (03:00:52.791 PDT)
tcpslice 1308563979.221 1308563979.222 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'
============================== SEPARATOR ================================
Score: 1.3 (>= 0.8)
Infected Target: 192.168.1.102
Infector List:
Egg Source List: 212.227.97.179
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 06/20/2011 03:08:17.204 PDT
Gen. Time: 06/20/2011 03:10:00.571 PDT
  INBOUND SCAN
  EXPLOIT
  EXPLOIT MALWARE DNS
  EGG DOWNLOAD
  212.227.97.179 (3) (03:08:17.204 PDT)
    event=1:2003179 (3) {tcp} E3[rb] ET POLICY exe download without User Agent, [/coblitz/wow/patches/3.2.0/WoW-3.2.0-deDE-patch.exe] MAC_Src: 00:21:5A:08:EC:40
    33441->80 (03:08:17.204 PDT)
    33491->80 (03:08:28.417 PDT)
    33109->80 (03:09:10.849 PDT)
  C and C TRAFFIC
  C and C TRAFFIC (RBN)
  C and C DNS CHECK-IN
  OUTBOUND SKYPE CANDIDATE
  OUTBOUND SCAN (spp)
  OUTBOUND SCAN
  ATTACK PREP
  PEER COORDINATION
  DECLARE BOT
  206.207.248.34 (03:10:00.571 PDT)
    event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40
    36576->3128 (03:10:00.571 PDT)
tcpslice 1308564497.204 1308564497.205 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'
============================== SEPARATOR ================================
Score: 1.7 (>= 0.8)
Infected Target: 192.168.1.102
Infector List:
Egg Source List: 212.227.97.179
C & C List: 218.6.19.3
Peer Coord. List:
Resource List:
Observed Start: 06/20/2011 03:08:17.204 PDT
Gen. Time: 06/20/2011 03:11:31.527 PDT
  INBOUND SCAN
  EXPLOIT
  EXPLOIT MALWARE DNS
  EGG DOWNLOAD
  212.227.97.179 (3) (03:08:17.204 PDT)
    event=1:2003179 (3) {tcp} E3[rb] ET POLICY exe download without User Agent, [/coblitz/wow/patches/3.2.0/WoW-3.2.0-deDE-patch.exe] MAC_Src: 00:21:5A:08:EC:40
    33441->80 (03:08:17.204 PDT)
    33491->80 (03:08:28.417 PDT)
    33109->80 (03:09:10.849 PDT)
  C and C TRAFFIC
  C and C TRAFFIC (RBN)
  218.6.19.3 (03:11:31.527 PDT)
    event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:EC:40
    3124->57905 (03:11:31.527 PDT)
  C and C DNS CHECK-IN
  OUTBOUND SKYPE CANDIDATE
  OUTBOUND SCAN (spp)
  OUTBOUND SCAN
  ATTACK PREP
  PEER COORDINATION
  DECLARE BOT
  206.207.248.34 (2) (03:10:00.571 PDT)
    event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40
    36576->3128 (03:10:00.571 PDT)
    -------------------------
    event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40
    2122->2122 (03:10:54.203 PDT)
tcpslice 1308564497.204 1308564497.205 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 06/20/2011 03:21:00.485 PDT
Gen.
Time: 06/20/2011 03:21:00.485 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 206.207.248.34 (03:21:00.485 PDT) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 23127->23127 (03:21:00.485 PDT) tcpslice 1308565260.485 1308565260.486 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 1.2 (>= 0.8) Infected Target: 192.168.1.102 Infector List: Egg Source List: C & C List: 218.6.19.3 Peer Coord. List: Resource List: Observed Start: 06/20/2011 03:21:00.485 PDT Gen. Time: 06/20/2011 03:24:11.340 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) 218.6.19.3 (03:21:37.494 PDT) event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:EC:40 3124->37021 (03:21:37.494 PDT) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 206.207.248.34 (03:21:00.485 PDT) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 23127->23127 (03:21:00.485 PDT) tcpslice 1308565260.485 1308565260.486 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 1.3 (>= 0.8) Infected Target: 192.168.1.102 Infector List: Egg Source List: 212.227.97.179 C & C List: Peer Coord. List: Resource List: Observed Start: 06/20/2011 03:24:51.866 PDT Gen. 
Time: 06/20/2011 03:26:23.609 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD 212.227.97.179 (03:24:51.866 PDT) event=1:2003179 {tcp} E3[rb] ET POLICY exe download without User Agent, [/coblitz/wow/patches/3.2.0/WoW-3.2.0-deDE-patch.exe] MAC_Src: 00:21:5A:08:EC:40 45357->80 (03:24:51.866 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 206.207.248.34 (03:26:23.609 PDT) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 41150->3128 (03:26:23.609 PDT) tcpslice 1308565491.866 1308565491.867 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 06/20/2011 03:31:04.451 PDT Gen. Time: 06/20/2011 03:31:04.451 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 143.89.49.74 (03:31:04.451 PDT) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 2121->2121 (03:31:04.451 PDT) tcpslice 1308565864.451 1308565864.452 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 06/20/2011 03:41:04.831 PDT Gen. 
Time: 06/20/2011 03:41:04.831 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 206.207.248.34 (03:41:04.831 PDT) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 2122->2122 (03:41:04.831 PDT) tcpslice 1308566464.831 1308566464.832 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 06/20/2011 03:41:04.831 PDT Gen. Time: 06/20/2011 03:44:40.523 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 206.207.248.34 (2) (03:41:04.831 PDT) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 38834->3128 (03:43:33.442 PDT) ------------------------- event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 2122->2122 (03:41:04.831 PDT) tcpslice 1308566464.831 1308566464.832 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.9 (>= 0.8) Infected Target: 192.168.1.102 Infector List: Egg Source List: 212.227.97.179 C & C List: 218.6.19.3 Peer Coord. List: Resource List: Observed Start: 06/20/2011 03:46:51.007 PDT Gen. 
Time: 06/20/2011 03:47:31.762 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD 212.227.97.179 (03:46:51.007 PDT) event=1:2003179 {tcp} E3[rb] ET POLICY exe download without User Agent, [/coblitz/wow/patches/3.2.0/WoW-3.2.0-enUS-patch.exe] MAC_Src: 00:21:5A:08:EC:40 44341->80 (03:46:51.007 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) 218.6.19.3 (03:47:31.762 PDT) event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:EC:40 3124->53111 (03:47:31.762 PDT) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT tcpslice 1308566811.007 1308566811.008 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.9 (>= 0.8) Infected Target: 192.168.1.102 Infector List: Egg Source List: 212.227.97.179 C & C List: 218.6.19.3 Peer Coord. List: Resource List: Observed Start: 06/20/2011 03:46:51.007 PDT Gen. Time: 06/20/2011 03:49:48.013 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD 212.227.97.179 (2) (03:46:51.007 PDT) event=1:2003179 (2) {tcp} E3[rb] ET POLICY exe download without User Agent, [/coblitz/wow/patches/3.2.0/WoW-3.2.0-enUS-patch.exe] MAC_Src: 00:21:5A:08:EC:40 44341->80 (03:46:51.007 PDT) 44589->80 (03:47:58.635 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) 218.6.19.3 (03:47:31.762 PDT) event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:EC:40 3124->53111 (03:47:31.762 PDT) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT tcpslice 1308566811.007 1308566811.008 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: Egg Source List: C & C List: Peer Coord. 
List: Resource List: Observed Start: 06/20/2011 03:51:07.202 PDT Gen. Time: 06/20/2011 03:51:07.202 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 134.34.246.5 (03:51:07.202 PDT) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 2121->2121 (03:51:07.202 PDT) tcpslice 1308567067.202 1308567067.203 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 1.3 (>= 0.8) Infected Target: 192.168.1.102 Infector List: Egg Source List: 212.227.97.179 C & C List: Peer Coord. List: Resource List: Observed Start: 06/20/2011 03:51:07.202 PDT Gen. Time: 06/20/2011 03:55:59.183 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD 212.227.97.179 (2) (03:52:39.361 PDT) event=1:2003179 (2) {tcp} E3[rb] ET POLICY exe download without User Agent, [/coblitz/wow/patches/3.3.2/WoW-3.3.0.11159-to-3.3.2.11403-enUS-patch.exe] MAC_Src: 00:21:5A:08:EC:40 34619->80 (03:52:39.361 PDT) 37780->80 (03:54:04.347 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 134.34.246.5 (03:51:07.202 PDT) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 2121->2121 (03:51:07.202 PDT) 132.239.17.226 (03:53:43.025 PDT) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 47820->2128 (03:53:43.025 PDT) tcpslice 1308567067.202 1308567067.203 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.9 (>= 0.8) Infected Target: 192.168.1.102 Infector List: Egg Source List: 
212.227.97.179 C & C List: 218.6.19.3 Peer Coord. List: Resource List: Observed Start: 06/20/2011 03:58:06.807 PDT Gen. Time: 06/20/2011 03:59:39.096 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD 212.227.97.179 (03:59:39.096 PDT) event=1:2003179 {tcp} E3[rb] ET POLICY exe download without User Agent, [/coblitz/wow/patches/3.2.0/WoW-3.2.0-deDE-patch.exe] MAC_Src: 00:21:5A:08:EC:40 52317->80 (03:59:39.096 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) 218.6.19.3 (03:58:06.807 PDT) event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:EC:40 3124->39690 (03:58:06.807 PDT) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT tcpslice 1308567486.807 1308567486.808 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 1.7 (>= 0.8) Infected Target: 192.168.1.102 Infector List: Egg Source List: 212.227.97.179 C & C List: 218.6.19.3 Peer Coord. List: Resource List: Observed Start: 06/20/2011 03:58:06.807 PDT Gen. 
Time: 06/20/2011 04:02:50.355 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD 212.227.97.179 (03:59:39.096 PDT) event=1:2003179 {tcp} E3[rb] ET POLICY exe download without User Agent, [/coblitz/wow/patches/3.2.0/WoW-3.2.0-deDE-patch.exe] MAC_Src: 00:21:5A:08:EC:40 52317->80 (03:59:39.096 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) 218.6.19.3 (03:58:06.807 PDT) event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:EC:40 3124->39690 (03:58:06.807 PDT) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 132.239.17.226 (04:01:10.306 PDT) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 23127->23127 (04:01:10.306 PDT) tcpslice 1308567486.807 1308567486.808 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 1.2 (>= 0.8) Infected Target: 192.168.1.102 Infector List: Egg Source List: C & C List: 218.6.19.3 Peer Coord. List: Resource List: Observed Start: 06/20/2011 04:08:30.337 PDT Gen. 
Time: 06/20/2011 04:10:57.352 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) 218.6.19.3 (04:08:30.337 PDT) event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:EC:40 3124->47777 (04:08:30.337 PDT) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 206.207.248.34 (04:10:57.352 PDT) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 38176->2126 (04:10:57.352 PDT) tcpslice 1308568110.337 1308568110.338 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 1.7 (>= 0.8) Infected Target: 192.168.1.102 Infector List: Egg Source List: 212.227.97.179 C & C List: 218.6.19.3 Peer Coord. List: Resource List: Observed Start: 06/20/2011 04:08:30.337 PDT Gen. Time: 06/20/2011 04:15:13.489 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD 212.227.97.179 (04:11:13.017 PDT) event=1:2003179 {tcp} E3[rb] ET POLICY exe download without User Agent, [/coblitz/wow/patches/3.3.0/WoW-3.2.0.10192-to-3.3.0.10958-deDE-patch.exe] MAC_Src: 00:21:5A:08:EC:40 46825->80 (04:11:13.017 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) 218.6.19.3 (04:08:30.337 PDT) event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:EC:40 3124->47777 (04:08:30.337 PDT) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 12.46.129.16 (04:11:16.408 PDT) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 2121->2121 (04:11:16.408 PDT) 206.207.248.34 (04:10:57.352 PDT) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 38176->2126 (04:10:57.352 PDT) tcpslice 
1308568110.337 1308568110.338 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.9 (>= 0.8) Infected Target: 192.168.1.102 Infector List: Egg Source List: 212.227.97.179 C & C List: 218.6.19.3 Peer Coord. List: Resource List: Observed Start: 06/20/2011 04:17:48.269 PDT Gen. Time: 06/20/2011 04:20:30.434 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD 212.227.97.179 (04:17:48.269 PDT) event=1:2003179 {tcp} E3[rb] ET POLICY exe download without User Agent, [/coblitz/wow/patches/3.2.0/WoW-3.2.0-frFR-patch.exe] MAC_Src: 00:21:5A:08:EC:40 41449->80 (04:17:48.269 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) 218.6.19.3 (04:20:30.434 PDT) event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:EC:40 3124->39219 (04:20:30.434 PDT) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT tcpslice 1308568668.269 1308568668.270 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 1.7 (>= 0.8) Infected Target: 192.168.1.102 Infector List: Egg Source List: 212.227.97.179 C & C List: 218.6.19.3 Peer Coord. List: Resource List: Observed Start: 06/20/2011 04:17:48.269 PDT Gen. 
Time: 06/20/2011 04:21:37.308 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD 212.227.97.179 (04:17:48.269 PDT) event=1:2003179 {tcp} E3[rb] ET POLICY exe download without User Agent, [/coblitz/wow/patches/3.2.0/WoW-3.2.0-frFR-patch.exe] MAC_Src: 00:21:5A:08:EC:40 41449->80 (04:17:48.269 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) 218.6.19.3 (04:20:30.434 PDT) event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:EC:40 3124->39219 (04:20:30.434 PDT) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 206.207.248.34 (04:21:37.308 PDT) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 23127->23127 (04:21:37.308 PDT) tcpslice 1308568668.269 1308568668.270 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 06/20/2011 04:29:35.584 PDT Gen. Time: 06/20/2011 04:29:35.584 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 132.239.17.226 (04:29:35.584 PDT) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 57889->2128 (04:29:35.584 PDT) tcpslice 1308569375.584 1308569375.585 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 1.2 (>= 0.8) Infected Target: 192.168.1.102 Infector List: Egg Source List: C & C List: 218.6.19.3 Peer Coord. List: Resource List: Observed Start: 06/20/2011 04:29:35.584 PDT Gen. 
Time: 06/20/2011 04:32:35.803 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) 218.6.19.3 (04:30:38.102 PDT) event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:EC:40 3124->47788 (04:30:38.102 PDT) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 132.239.17.226 (2) (04:29:35.584 PDT) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 57889->2128 (04:29:35.584 PDT) ------------------------- event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 4121->4121 (04:31:45.611 PDT) tcpslice 1308569375.584 1308569375.585 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.9 (>= 0.8) Infected Target: 192.168.1.102 Infector List: Egg Source List: 212.227.97.179 C & C List: 218.6.19.3 Peer Coord. List: Resource List: Observed Start: 06/20/2011 04:40:21.265 PDT Gen. 
Time: 06/20/2011 04:40:38.223 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD 212.227.97.179 (04:40:21.265 PDT) event=1:2003179 {tcp} E3[rb] ET POLICY exe download without User Agent, [/coblitz/wow/patches/3.3.2/WoW-3.3.0.11159-to-3.3.2.11403-deDE-patch.exe] MAC_Src: 00:21:5A:08:EC:40 60534->80 (04:40:21.265 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) 218.6.19.3 (04:40:38.223 PDT) event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:EC:40 3124->49149 (04:40:38.223 PDT) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT tcpslice 1308570021.265 1308570021.266 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 1.7 (>= 0.8) Infected Target: 192.168.1.102 Infector List: Egg Source List: 212.227.97.179 C & C List: 218.6.19.3 Peer Coord. List: Resource List: Observed Start: 06/20/2011 04:40:21.265 PDT Gen. 
Time: 06/20/2011 04:44:23.147 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD 212.227.97.179 (04:40:21.265 PDT) event=1:2003179 {tcp} E3[rb] ET POLICY exe download without User Agent, [/coblitz/wow/patches/3.3.2/WoW-3.3.0.11159-to-3.3.2.11403-deDE-patch.exe] MAC_Src: 00:21:5A:08:EC:40 60534->80 (04:40:21.265 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) 218.6.19.3 (04:40:38.223 PDT) event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:EC:40 3124->49149 (04:40:38.223 PDT) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 132.239.17.226 (04:41:47.164 PDT) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 2121->2121 (04:41:47.164 PDT) 206.207.248.34 (04:44:23.147 PDT) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 45871->2128 (04:44:23.147 PDT) tcpslice 1308570021.265 1308570021.266 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.9 (>= 0.8) Infected Target: 192.168.1.102 Infector List: Egg Source List: 212.227.97.179 C & C List: 218.6.19.3 Peer Coord. List: Resource List: Observed Start: 06/20/2011 04:46:39.140 PDT Gen. 
Time: 06/20/2011 04:51:00.204 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD 212.227.97.179 (2) (04:46:39.140 PDT) event=1:2003179 (2) {tcp} E3[rb] ET POLICY exe download without User Agent, [/coblitz/wow/patches/3.2.0/WoW-3.2.0-enUS-patch.exe] MAC_Src: 00:21:5A:08:EC:40 44478->80 (04:46:39.140 PDT) 58642->80 (04:49:32.248 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) 218.6.19.3 (04:51:00.204 PDT) event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:EC:40 3124->36933 (04:51:00.204 PDT) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT tcpslice 1308570399.140 1308570399.141 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 1.7 (>= 0.8) Infected Target: 192.168.1.102 Infector List: Egg Source List: 212.227.97.179 C & C List: 218.6.19.3 Peer Coord. List: Resource List: Observed Start: 06/20/2011 04:46:39.140 PDT Gen. 
Time: 06/20/2011 04:51:50.861 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD 212.227.97.179 (2) (04:46:39.140 PDT) event=1:2003179 (2) {tcp} E3[rb] ET POLICY exe download without User Agent, [/coblitz/wow/patches/3.2.0/WoW-3.2.0-enUS-patch.exe] MAC_Src: 00:21:5A:08:EC:40 44478->80 (04:46:39.140 PDT) 58642->80 (04:49:32.248 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) 218.6.19.3 (04:51:00.204 PDT) event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:EC:40 3124->36933 (04:51:00.204 PDT) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 206.207.248.34 (04:51:47.710 PDT) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 23127->23127 (04:51:47.710 PDT) tcpslice 1308570399.140 1308570399.141 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 1.3 (>= 0.8) Infected Target: 192.168.1.102 Infector List: Egg Source List: 212.227.97.179 C & C List: Peer Coord. List: Resource List: Observed Start: 06/20/2011 04:54:23.291 PDT Gen. 
Time: 06/20/2011 04:55:05.356 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD 212.227.97.179 (04:54:23.291 PDT) event=1:2003179 {tcp} E3[rb] ET POLICY exe download without User Agent, [/coblitz/wow/patches/3.3.0/WoW-3.2.0.10192-to-3.3.0.10958-deDE-patch.exe] MAC_Src: 00:21:5A:08:EC:40 48117->80 (04:54:23.291 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 132.239.17.226 (04:55:05.356 PDT) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 52759->2126 (04:55:05.356 PDT) tcpslice 1308570863.291 1308570863.292 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 1.3 (>= 0.8) Infected Target: 192.168.1.102 Infector List: Egg Source List: 212.227.97.179 C & C List: Peer Coord. List: Resource List: Observed Start: 06/20/2011 04:54:23.291 PDT Gen. 
Time: 06/20/2011 05:00:17.650 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD 212.227.97.179 (4) (04:54:23.291 PDT) event=1:2003179 (4) {tcp} E3[rb] ET POLICY exe download without User Agent, [/coblitz/wow/patches/3.3.0/WoW-3.2.0.10192-to-3.3.0.10958-deDE-patch.exe] MAC_Src: 00:21:5A:08:EC:40 48117->80 (04:54:23.291 PDT) 48615->80 (04:56:14.754 PDT) 48659->80 (04:56:24.613 PDT) 48903->80 (04:57:27.252 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 132.239.17.226 (04:55:05.356 PDT) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 52759->2126 (04:55:05.356 PDT) tcpslice 1308570863.291 1308570863.292 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 1.2 (>= 0.8) Infected Target: 192.168.1.102 Infector List: Egg Source List: C & C List: 218.6.19.3 Peer Coord. List: Resource List: Observed Start: 06/20/2011 05:01:30.123 PDT Gen. 
Time: 06/20/2011 05:01:50.343 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) 218.6.19.3 (05:01:30.123 PDT) event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:EC:40 3124->40037 (05:01:30.123 PDT) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 206.207.248.34 (05:01:50.343 PDT) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 2122->2122 (05:01:50.343 PDT) tcpslice 1308571290.123 1308571290.124 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 1.7 (>= 0.8) Infected Target: 192.168.1.102 Infector List: Egg Source List: 72.14.213.104, 72.14.213.147, 72.14.213.103, 72.14.213.99, 72.14.213.106, 72.14.213.105, 91.209.175.101, 212.227.97.179 C & C List: 218.6.19.3 Peer Coord. List: Resource List: Observed Start: 06/20/2011 05:01:30.123 PDT Gen. 
Time: 06/20/2011 05:10:29.060 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD 72.14.213.104 (05:04:19.696 PDT) event=1:2009295 {tcp} E3[rb] ET USER_AGENTS Suspicious Mozilla User-Agent - Likely Fake (Mozilla/5.0), [/search?tbs=cdr:1,cd_min:2010.1.1.,cd_max:2010.12.31.&q=koblenz site:.co&num=100&start=0] MAC_Src: 00:21:5A:08:EC:40 50445->80 (05:04:19.696 PDT) 72.14.213.147 (3) (05:04:02.391 PDT) event=1:2009295 (3) {tcp} E3[rb] ET USER_AGENTS Suspicious Mozilla User-Agent - Likely Fake (Mozilla/5.0), [/search?tbs=cdr:1,cd_min:2010.1.1.,cd_max:2010.12.31.&q=koblenz site:.ve&num=100&start=0] MAC_Src: 00:21:5A:08:EC:40 45468->80 (05:04:02.391 PDT) 45728->80 (05:05:08.750 PDT) 46097->80 (05:06:49.128 PDT) 72.14.213.103 (2) (05:02:10.853 PDT) event=1:2009295 (2) {tcp} E3[rb] ET USER_AGENTS Suspicious Mozilla User-Agent - Likely Fake (Mozilla/5.0), [/search?tbs=cdr:1,cd_min:2010.1.1.,cd_max:2010.12.31.&q=koblenz site:.mp&num=100&start=0] MAC_Src: 00:21:5A:08:EC:40 54007->80 (05:02:10.853 PDT) 59306->80 (05:04:25.234 PDT) 72.14.213.99 (05:03:49.205 PDT) event=1:2009295 {tcp} E3[rb] ET USER_AGENTS Suspicious Mozilla User-Agent - Likely Fake (Mozilla/5.0), [/search?tbs=cdr:1,cd_min:2010.1.1.,cd_max:2010.12.31.&q=koblenz site:.uy&num=100&start=0] MAC_Src: 00:21:5A:08:EC:40 59344->80 (05:03:49.205 PDT) 72.14.213.106 (05:03:07.026 PDT) event=1:2009295 {tcp} E3[rb] ET USER_AGENTS Suspicious Mozilla User-Agent - Likely Fake (Mozilla/5.0), [/search?tbs=cdr:1,cd_min:2010.1.1.,cd_max:2010.12.31.&q=koblenz site:.tn&num=100&start=0] MAC_Src: 00:21:5A:08:EC:40 56172->80 (05:03:07.026 PDT) 72.14.213.105 (2) (05:04:15.698 PDT) event=1:2009295 (2) {tcp} E3[rb] ET USER_AGENTS Suspicious Mozilla User-Agent - Likely Fake (Mozilla/5.0), [/search?tbs=cdr:1,cd_min:2010.1.1.,cd_max:2010.12.31.&q=koblenz site:.tw&num=100&start=0] MAC_Src: 00:21:5A:08:EC:40 34933->80 (05:04:15.698 PDT) 35319->80 (05:05:52.929 PDT) 91.209.175.101 (05:03:26.096 PDT) event=1:2009295 {tcp} E3[rb] ET 
USER_AGENTS Suspicious Mozilla User-Agent - Likely Fake (Mozilla/5.0), [/] MAC_Src: 00:21:5A:08:EC:40 50844->80 (05:03:26.096 PDT) 212.227.97.179 (3) (05:02:41.865 PDT) event=1:2003179 (3) {tcp} E3[rb] ET POLICY exe download without User Agent, [/coblitz/wow/patches/3.2.0/WoW-3.2.0-enGB-patch.exe] MAC_Src: 00:21:5A:08:EC:40 34335->80 (05:02:41.865 PDT) 34434->80 (05:03:07.673 PDT) 33048->80 (05:05:57.878 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) 218.6.19.3 (05:01:30.123 PDT) event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:EC:40 3124->40037 (05:01:30.123 PDT) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 132.239.17.226 (05:10:07.317 PDT) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 57696->2128 (05:10:07.317 PDT) 206.207.248.34 (05:01:50.343 PDT) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 2122->2122 (05:01:50.343 PDT) tcpslice 1308571290.123 1308571290.124 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.9 (>= 0.8) Infected Target: 192.168.1.102 Infector List: Egg Source List: 212.227.97.179 C & C List: 218.6.19.3 Peer Coord. List: Resource List: Observed Start: 06/20/2011 05:11:43.466 PDT Gen. 
Time: 06/20/2011 05:11:46.148 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD 212.227.97.179 (05:11:43.466 PDT) event=1:2003179 {tcp} E3[rb] ET POLICY exe download without User Agent, [/coblitz/wow/patches/3.2.0/WoW-3.2.0-enGB-patch.exe] MAC_Src: 00:21:5A:08:EC:40 54701->80 (05:11:43.466 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) 218.6.19.3 (05:11:46.148 PDT) event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:EC:40 3124->43437 (05:11:46.148 PDT) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT tcpslice 1308571903.466 1308571903.467 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 1.7 (>= 0.8) Infected Target: 192.168.1.102 Infector List: Egg Source List: 212.227.97.179 C & C List: 218.6.19.3 Peer Coord. List: Resource List: Observed Start: 06/20/2011 05:11:43.466 PDT Gen. 
Time: 06/20/2011 05:15:05.549 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD 212.227.97.179 (05:11:43.466 PDT) event=1:2003179 {tcp} E3[rb] ET POLICY exe download without User Agent, [/coblitz/wow/patches/3.2.0/WoW-3.2.0-enGB-patch.exe] MAC_Src: 00:21:5A:08:EC:40 54701->80 (05:11:43.466 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) 218.6.19.3 (05:11:46.148 PDT) event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:EC:40 3124->43437 (05:11:46.148 PDT) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 132.239.17.226 (05:11:54.364 PDT) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 2122->2122 (05:11:54.364 PDT) tcpslice 1308571903.466 1308571903.467 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 1.3 (>= 0.8) Infected Target: 192.168.1.102 Infector List: Egg Source List: 212.227.97.179 C & C List: Peer Coord. List: Resource List: Observed Start: 06/20/2011 05:15:27.702 PDT Gen. 
Time: 06/20/2011 05:21:56.081 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD 212.227.97.179 (4) (05:15:27.702 PDT) event=1:2003179 (4) {tcp} E3[rb] ET POLICY exe download without User Agent, [/coblitz/wow/patches/3.2.0/WoW-3.2.0-frFR-patch.exe] MAC_Src: 00:21:5A:08:EC:40 54565->80 (05:15:27.702 PDT) 55179->80 (05:18:07.536 PDT) 55318->80 (05:18:43.556 PDT) 40251->80 (05:19:57.122 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 132.239.17.226 (05:21:56.081 PDT) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 2122->2122 (05:21:56.081 PDT) tcpslice 1308572127.702 1308572127.703 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 1.3 (>= 0.8) Infected Target: 192.168.1.102 Infector List: Egg Source List: 212.227.97.179 C & C List: Peer Coord. List: Resource List: Observed Start: 06/20/2011 05:15:27.702 PDT Gen. 
Time: 06/20/2011 05:23:33.164 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD 212.227.97.179 (4) (05:15:27.702 PDT) event=1:2003179 (4) {tcp} E3[rb] ET POLICY exe download without User Agent, [/coblitz/wow/patches/3.2.0/WoW-3.2.0-frFR-patch.exe] MAC_Src: 00:21:5A:08:EC:40 54565->80 (05:15:27.702 PDT) 55179->80 (05:18:07.536 PDT) 55318->80 (05:18:43.556 PDT) 40251->80 (05:19:57.122 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 132.239.17.226 (2) (05:21:56.081 PDT) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 56230->2128 (05:22:11.188 PDT) ------------------------- event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 2122->2122 (05:21:56.081 PDT) tcpslice 1308572127.702 1308572127.703 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.9 (>= 0.8) Infected Target: 192.168.1.102 Infector List: Egg Source List: 212.227.97.179 C & C List: 218.6.19.3 Peer Coord. List: Resource List: Observed Start: 06/20/2011 05:24:24.153 PDT Gen. 
Time: 06/20/2011 05:25:18.854 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD 212.227.97.179 (05:25:18.854 PDT) event=1:2003179 {tcp} E3[rb] ET POLICY exe download without User Agent, [/coblitz/wow/patches/3.3.2/WoW-3.3.0.11159-to-3.3.2.11403-deDE-patch.exe] MAC_Src: 00:21:5A:08:EC:40 53335->80 (05:25:18.854 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) 218.6.19.3 (05:24:24.153 PDT) event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:EC:40 3124->50758 (05:24:24.153 PDT) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT tcpslice 1308572664.153 1308572664.154 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 06/20/2011 05:31:56.672 PDT Gen. Time: 06/20/2011 05:31:56.672 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 134.34.246.5 (05:31:56.672 PDT) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 4795->4795 (05:31:56.672 PDT) tcpslice 1308573116.672 1308573116.673 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 06/20/2011 05:41:59.970 PDT Gen. 
Time: 06/20/2011 05:41:59.970 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 206.207.248.34 (05:41:59.970 PDT) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 23127->23127 (05:41:59.970 PDT) tcpslice 1308573719.970 1308573719.971 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 1.3 (>= 0.8) Infected Target: 192.168.1.102 Infector List: Egg Source List: 212.227.97.179 C & C List: Peer Coord. List: Resource List: Observed Start: 06/20/2011 05:41:59.970 PDT Gen. Time: 06/20/2011 05:45:14.010 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD 212.227.97.179 (05:43:20.249 PDT) event=1:2003179 {tcp} E3[rb] ET POLICY exe download without User Agent, [/coblitz/wow/patches/3.2.0/WoW-3.2.0-enUS-patch.exe] MAC_Src: 00:21:5A:08:EC:40 33538->80 (05:43:20.249 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 206.207.248.34 (05:41:59.970 PDT) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 23127->23127 (05:41:59.970 PDT) tcpslice 1308573719.970 1308573719.971 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.9 (>= 0.8) Infected Target: 192.168.1.102 Infector List: Egg Source List: 212.227.97.179 C & C List: 218.6.19.3 Peer Coord. List: Resource List: Observed Start: 06/20/2011 05:45:27.156 PDT Gen. 
Time: 06/20/2011 05:46:35.438 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD 212.227.97.179 (05:46:35.438 PDT) event=1:2003179 {tcp} E3[rb] ET POLICY exe download without User Agent, [/coblitz/wow/patches/3.2.0/WoW-3.2.0-deDE-patch.exe] MAC_Src: 00:21:5A:08:EC:40 39704->80 (05:46:35.438 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) 218.6.19.3 (05:45:27.156 PDT) event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:EC:40 3124->33159 (05:45:27.156 PDT) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT tcpslice 1308573927.156 1308573927.157 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 1.7 (>= 0.8) Infected Target: 192.168.1.102 Infector List: Egg Source List: 212.227.97.179 C & C List: 218.6.19.3 Peer Coord. List: Resource List: Observed Start: 06/20/2011 05:45:27.156 PDT Gen. 
Time: 06/20/2011 05:49:29.144 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD 212.227.97.179 (05:46:35.438 PDT) event=1:2003179 {tcp} E3[rb] ET POLICY exe download without User Agent, [/coblitz/wow/patches/3.2.0/WoW-3.2.0-deDE-patch.exe] MAC_Src: 00:21:5A:08:EC:40 39704->80 (05:46:35.438 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) 218.6.19.3 (05:45:27.156 PDT) event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:EC:40 3124->33159 (05:45:27.156 PDT) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 132.239.17.226 (05:48:28.149 PDT) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 39685->2128 (05:48:28.149 PDT) tcpslice 1308573927.156 1308573927.157 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 06/20/2011 05:52:03.939 PDT Gen. Time: 06/20/2011 05:52:03.939 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 132.239.17.226 (05:52:03.939 PDT) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 2122->2122 (05:52:03.939 PDT) tcpslice 1308574323.939 1308574323.940 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 1.7 (>= 0.8) Infected Target: 192.168.1.102 Infector List: Egg Source List: 212.227.97.179 C & C List: 218.6.19.3 Peer Coord. List: Resource List: Observed Start: 06/20/2011 05:52:03.939 PDT Gen. 
Time: 06/20/2011 05:57:52.711 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD 212.227.97.179 (2) (05:54:00.449 PDT) event=1:2003179 (2) {tcp} E3[rb] ET POLICY exe download without User Agent, [/coblitz/wow/patches/3.2.0/WoW-3.2.0-deDE-patch.exe] MAC_Src: 00:21:5A:08:EC:40 41854->80 (05:54:00.449 PDT) 41964->80 (05:54:26.229 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) 218.6.19.3 (05:55:37.105 PDT) event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:EC:40 3124->46075 (05:55:37.105 PDT) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 132.239.17.226 (05:52:03.939 PDT) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 2122->2122 (05:52:03.939 PDT) tcpslice 1308574323.939 1308574323.940 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 1.3 (>= 0.8) Infected Target: 192.168.1.102 Infector List: Egg Source List: 212.227.97.179 C & C List: Peer Coord. List: Resource List: Observed Start: 06/20/2011 05:58:24.212 PDT Gen. 
Time: 06/20/2011 06:02:07.700 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD 212.227.97.179 (3) (05:58:24.212 PDT) event=1:2003179 (3) {tcp} E3[rb] ET POLICY exe download without User Agent, [/coblitz/wow/patches/3.2.0/WoW-3.2.0-frFR-patch.exe] MAC_Src: 00:21:5A:08:EC:40 42951->80 (05:58:24.212 PDT) 43005->80 (05:58:38.216 PDT) 43317->80 (06:01:01.003 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 206.207.248.34 (06:02:07.700 PDT) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 2122->2122 (06:02:07.700 PDT) tcpslice 1308574704.212 1308574704.213 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 1.7 (>= 0.8) Infected Target: 192.168.1.102 Infector List: Egg Source List: 212.227.97.179 C & C List: 218.6.19.3 Peer Coord. List: Resource List: Observed Start: 06/20/2011 05:58:24.212 PDT Gen. 
Time: 06/20/2011 06:08:08.901 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD 212.227.97.179 (5) (05:58:24.212 PDT) event=1:2003179 (5) {tcp} E3[rb] ET POLICY exe download without User Agent, [/coblitz/wow/patches/3.2.0/WoW-3.2.0-frFR-patch.exe] MAC_Src: 00:21:5A:08:EC:40 42951->80 (05:58:24.212 PDT) 43005->80 (05:58:38.216 PDT) 43317->80 (06:01:01.003 PDT) 58997->80 (06:03:57.001 PDT) 59041->80 (06:04:08.071 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) 218.6.19.3 (06:05:55.964 PDT) event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:EC:40 3124->47300 (06:05:55.964 PDT) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 132.239.17.226 (06:02:53.959 PDT) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 40206->2126 (06:02:53.959 PDT) 206.207.248.34 (06:02:07.700 PDT) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 2122->2122 (06:02:07.700 PDT) tcpslice 1308574704.212 1308574704.213 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 1.3 (>= 0.8) Infected Target: 192.168.1.102 Infector List: Egg Source List: 212.227.97.179 C & C List: Peer Coord. List: Resource List: Observed Start: 06/20/2011 06:08:13.992 PDT Gen. 
Time: 06/20/2011 06:12:13.600 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD 212.227.97.179 (4) (06:08:13.992 PDT) event=1:2003179 (4) {tcp} E3[rb] ET POLICY exe download without User Agent, [/coblitz/wow/patches/3.2.0/WoW-3.2.0-deDE-patch.exe] MAC_Src: 00:21:5A:08:EC:40 60007->80 (06:08:13.992 PDT) 60127->80 (06:08:46.974 PDT) 46075->80 (06:09:51.726 PDT) 46117->80 (06:10:00.676 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 12.46.129.16 (06:12:13.600 PDT) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 4121->4121 (06:12:13.600 PDT) tcpslice 1308575293.992 1308575293.993 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 1.7 (>= 0.8) Infected Target: 192.168.1.102 Infector List: Egg Source List: 212.227.97.179 C & C List: 218.6.19.3 Peer Coord. List: Resource List: Observed Start: 06/20/2011 06:08:13.992 PDT Gen. 
Time: 06/20/2011 06:24:33.470 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD 212.227.97.179 (17) (06:08:13.992 PDT-06:15:32.214 PDT) event=1:2003179 (17) {tcp} E3[rb] ET POLICY exe download without User Agent, [/coblitz/wow/patches/3.2.0/WoW-3.2.0-deDE-patch.exe] MAC_Src: 00:21:5A:08:EC:40 60007->80 (06:08:13.992 PDT) 46779->80 (06:12:57.210 PDT) 46117->80 (06:10:00.676 PDT) 2: 57174->80 (06:15:26.924 PDT-06:15:32.214 PDT) 46995->80 (06:13:52.666 PDT) 2: 56880->80 (06:14:02.599 PDT-06:14:07.204 PDT) 57289->80 (06:15:58.938 PDT) 57005->80 (06:14:37.567 PDT) 46075->80 (06:09:51.726 PDT) 57348->80 (06:16:19.832 PDT) 57065->80 (06:14:56.081 PDT) 60127->80 (06:08:46.974 PDT) 57124->80 (06:15:12.702 PDT) 57228->80 (06:15:41.366 PDT) 56946->80 (06:14:22.382 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) 218.6.19.3 (06:18:38.704 PDT) event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:EC:40 3124->36871 (06:18:38.704 PDT) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 132.239.17.226 (2) (06:13:26.674 PDT) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 58996->2128 (06:13:26.674 PDT) ------------------------- event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 2122->2122 (06:22:20.698 PDT) 12.46.129.16 (06:12:13.600 PDT) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 4121->4121 (06:12:13.600 PDT) tcpslice 1308575293.992 1308575732.215 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.9 (>= 0.8) Infected Target: 192.168.1.102 Infector List: Egg Source List: 212.227.97.179 C & C List: 218.6.19.3 Peer Coord. 
List: Resource List: Observed Start: 06/20/2011 06:27:23.477 PDT Gen. Time: 06/20/2011 06:30:52.769 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD 212.227.97.179 (4) (06:27:23.477 PDT) event=1:2003179 (4) {tcp} E3[rb] ET POLICY exe download without User Agent, [/coblitz/wow/patches/3.2.0/WoW-3.2.0-deDE-patch.exe] MAC_Src: 00:21:5A:08:EC:40 33879->80 (06:27:23.477 PDT) 33940->80 (06:27:44.372 PDT) 38087->80 (06:30:19.885 PDT) 38191->80 (06:30:47.606 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) 218.6.19.3 (06:30:52.769 PDT) event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:EC:40 3124->52535 (06:30:52.769 PDT) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT tcpslice 1308576443.477 1308576443.478 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 1.7 (>= 0.8) Infected Target: 192.168.1.102 Infector List: Egg Source List: 212.227.97.179 C & C List: 218.6.19.3 Peer Coord. List: Resource List: Observed Start: 06/20/2011 06:27:23.477 PDT Gen. 
Time: 06/20/2011 06:35:25.828 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD 212.227.97.179 (5) (06:27:23.477 PDT) event=1:2003179 (5) {tcp} E3[rb] ET POLICY exe download without User Agent, [/coblitz/wow/patches/3.2.0/WoW-3.2.0-deDE-patch.exe] MAC_Src: 00:21:5A:08:EC:40 33879->80 (06:27:23.477 PDT) 33940->80 (06:27:44.372 PDT) 38087->80 (06:30:19.885 PDT) 38191->80 (06:30:47.606 PDT) 38473->80 (06:32:06.251 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) 218.6.19.3 (06:30:52.769 PDT) event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:EC:40 3124->52535 (06:30:52.769 PDT) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 134.34.246.5 (06:32:27.741 PDT) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 4876->4876 (06:32:27.741 PDT) 132.239.17.226 (06:31:34.341 PDT) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 54675->2128 (06:31:34.341 PDT) tcpslice 1308576443.477 1308576443.478 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.9 (>= 0.8) Infected Target: 192.168.1.102 Infector List: Egg Source List: 212.227.97.179 C & C List: 218.6.19.3 Peer Coord. List: Resource List: Observed Start: 06/20/2011 06:38:10.723 PDT Gen. 
Time: 06/20/2011 06:41:07.859 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD 212.227.97.179 (4) (06:38:10.723 PDT) event=1:2003179 (4) {tcp} E3[rb] ET POLICY exe download without User Agent, [/coblitz/wow/patches/3.2.0/WoW-3.2.0-frFR-patch.exe] MAC_Src: 00:21:5A:08:EC:40 51893->80 (06:38:10.723 PDT) 51989->80 (06:38:33.635 PDT) 52038->80 (06:38:47.928 PDT) 40626->80 (06:39:16.718 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) 218.6.19.3 (06:41:07.859 PDT) event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:EC:40 3124->35299 (06:41:07.859 PDT) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT tcpslice 1308577090.723 1308577090.724 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 1.7 (>= 0.8) Infected Target: 192.168.1.102 Infector List: Egg Source List: 212.227.97.179 C & C List: 218.6.19.3 Peer Coord. List: Resource List: Observed Start: 06/20/2011 06:38:10.723 PDT Gen. 
Time: 06/20/2011 06:42:30.735 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD 212.227.97.179 (4) (06:38:10.723 PDT) event=1:2003179 (4) {tcp} E3[rb] ET POLICY exe download without User Agent, [/coblitz/wow/patches/3.2.0/WoW-3.2.0-frFR-patch.exe] MAC_Src: 00:21:5A:08:EC:40 51893->80 (06:38:10.723 PDT) 51989->80 (06:38:33.635 PDT) 52038->80 (06:38:47.928 PDT) 40626->80 (06:39:16.718 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) 218.6.19.3 (06:41:07.859 PDT) event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:EC:40 3124->35299 (06:41:07.859 PDT) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 206.207.248.34 (06:42:30.735 PDT) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 2122->2122 (06:42:30.735 PDT) tcpslice 1308577090.723 1308577090.724 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 06/20/2011 06:45:50.265 PDT Gen. Time: 06/20/2011 06:45:50.265 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 132.239.17.226 (06:45:50.265 PDT) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 40046->2126 (06:45:50.265 PDT) tcpslice 1308577550.265 1308577550.266 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.9 (>= 0.8) Infected Target: 192.168.1.102 Infector List: Egg Source List: 212.227.97.179 C & C List: 218.6.19.3 Peer Coord. 
List: Resource List: Observed Start: 06/20/2011 06:51:01.199 PDT Gen. Time: 06/20/2011 06:51:25.795 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD 212.227.97.179 (2) (06:51:01.199 PDT-06:51:07.204 PDT) event=1:2003179 (2) {tcp} E3[rb] ET POLICY exe download without User Agent, [/coblitz/wow/patches/3.2.0/WoW-3.2.0-deDE-patch.exe] MAC_Src: 00:21:5A:08:EC:40 2: 43912->80 (06:51:01.199 PDT-06:51:07.204 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) 218.6.19.3 (06:51:25.795 PDT) event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:EC:40 3124->33063 (06:51:25.795 PDT) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT tcpslice 1308577861.199 1308577867.205 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 1.7 (>= 0.8) Infected Target: 192.168.1.102 Infector List: Egg Source List: 212.227.97.179 C & C List: 218.6.19.3 Peer Coord. List: Resource List: Observed Start: 06/20/2011 06:51:01.199 PDT Gen. 
Time: 06/20/2011 06:57:13.729 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD 212.227.97.179 (5) (06:51:01.199 PDT-06:51:07.204 PDT) event=1:2003179 (5) {tcp} E3[rb] ET POLICY exe download without User Agent, [/coblitz/wow/patches/3.2.0/WoW-3.2.0-deDE-patch.exe] MAC_Src: 00:21:5A:08:EC:40 2: 43912->80 (06:51:01.199 PDT-06:51:07.204 PDT) 44251->80 (06:52:35.263 PDT) 44453->80 (06:53:28.092 PDT) 52301->80 (06:54:08.665 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) 218.6.19.3 (06:51:25.795 PDT) event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:EC:40 3124->33063 (06:51:25.795 PDT) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 206.207.248.34 (2) (06:52:38.487 PDT) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 48019->3128 (06:57:13.729 PDT) ------------------------- event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 4121->4121 (06:52:38.487 PDT) tcpslice 1308577861.199 1308577867.205 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.9 (>= 0.8) Infected Target: 192.168.1.102 Infector List: Egg Source List: 212.227.97.179 C & C List: 218.6.19.3 Peer Coord. List: Resource List: Observed Start: 06/20/2011 06:59:29.949 PDT Gen. 
Time: 06/20/2011 07:01:45.113 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD 212.227.97.179 (06:59:29.949 PDT) event=1:2003179 {tcp} E3[rb] ET POLICY exe download without User Agent, [/coblitz/wow/patches/3.2.0/WoW-3.2.0-frFR-patch.exe] MAC_Src: 00:21:5A:08:EC:40 58667->80 (06:59:29.949 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) 218.6.19.3 (07:01:45.113 PDT) event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:EC:40 3124->41805 (07:01:45.113 PDT) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT tcpslice 1308578369.949 1308578369.950 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 1.7 (>= 0.8) Infected Target: 192.168.1.102 Infector List: Egg Source List: 212.227.97.179 C & C List: 218.6.19.3 Peer Coord. List: Resource List: Observed Start: 06/20/2011 06:59:29.949 PDT Gen. 
Time: 06/20/2011 07:02:50.333 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD 212.227.97.179 (06:59:29.949 PDT) event=1:2003179 {tcp} E3[rb] ET POLICY exe download without User Agent, [/coblitz/wow/patches/3.2.0/WoW-3.2.0-frFR-patch.exe] MAC_Src: 00:21:5A:08:EC:40 58667->80 (06:59:29.949 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) 218.6.19.3 (07:01:45.113 PDT) event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:EC:40 3124->41805 (07:01:45.113 PDT) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 206.207.248.34 (07:02:40.754 PDT) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 4121->4121 (07:02:40.754 PDT) tcpslice 1308578369.949 1308578369.950 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 1.3 (>= 0.8) Infected Target: 192.168.1.102 Infector List: Egg Source List: 212.227.97.179 C & C List: Peer Coord. List: Resource List: Observed Start: 06/20/2011 07:02:52.594 PDT Gen. 
Time: 06/20/2011 07:09:06.927 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD 212.227.97.179 (4) (07:02:52.594 PDT) event=1:2003179 (4) {tcp} E3[rb] ET POLICY exe download without User Agent, [/coblitz/wow/patches/3.2.0/WoW-3.2.0-enGB-patch.exe] MAC_Src: 00:21:5A:08:EC:40 59363->80 (07:02:52.594 PDT) 59431->80 (07:03:14.137 PDT) 39494->80 (07:04:38.196 PDT) 39828->80 (07:06:14.345 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 132.239.17.226 (07:09:06.927 PDT) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 33221->2128 (07:09:06.927 PDT) tcpslice 1308578572.594 1308578572.595 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.9 (>= 0.8) Infected Target: 192.168.1.102 Infector List: Egg Source List: 212.227.97.179 C & C List: 218.6.19.3 Peer Coord. List: Resource List: Observed Start: 06/20/2011 07:10:02.472 PDT Gen. 
Time: 06/20/2011 07:11:57.245 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD 212.227.97.179 (07:10:02.472 PDT) event=1:2003179 {tcp} E3[rb] ET POLICY exe download without User Agent, [/coblitz/wow/patches/3.2.0/WoW-3.2.0-enUS-patch.exe] MAC_Src: 00:21:5A:08:EC:40 46714->80 (07:10:02.472 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) 218.6.19.3 (07:11:57.245 PDT) event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:EC:40 3124->40289 (07:11:57.245 PDT) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT tcpslice 1308579002.472 1308579002.473 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 1.7 (>= 0.8) Infected Target: 192.168.1.102 Infector List: Egg Source List: 212.227.97.179 C & C List: 218.6.19.3 Peer Coord. List: Resource List: Observed Start: 06/20/2011 07:10:02.472 PDT Gen. 
Time: 06/20/2011 07:12:41.444 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD 212.227.97.179 (07:10:02.472 PDT) event=1:2003179 {tcp} E3[rb] ET POLICY exe download without User Agent, [/coblitz/wow/patches/3.2.0/WoW-3.2.0-enUS-patch.exe] MAC_Src: 00:21:5A:08:EC:40 46714->80 (07:10:02.472 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) 218.6.19.3 (07:11:57.245 PDT) event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:EC:40 3124->40289 (07:11:57.245 PDT) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 206.207.248.34 (07:12:41.444 PDT) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 4795->4795 (07:12:41.444 PDT) tcpslice 1308579002.472 1308579002.473 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 1.3 (>= 0.8) Infected Target: 192.168.1.102 Infector List: Egg Source List: 212.227.97.179 C & C List: Peer Coord. List: Resource List: Observed Start: 06/20/2011 07:22:28.278 PDT Gen. 
Time: 06/20/2011 07:22:44.145 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD 212.227.97.179 (2) (07:22:28.278 PDT-07:22:29.089 PDT) event=1:2003179 (2) {tcp} E3[rb] ET POLICY exe download without User Agent, [/coblitz/wow/patches/3.2.0/WoW-3.2.0-deDE-patch.exe] MAC_Src: 00:21:5A:08:EC:40 2: 51697->80 (07:22:28.278 PDT-07:22:29.089 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 132.239.17.226 (07:22:44.145 PDT) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 49301->49301 (07:22:44.145 PDT) tcpslice 1308579748.278 1308579749.090 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 2.2 (>= 0.8) Infected Target: 192.168.1.102 Infector List: Egg Source List: 212.227.97.179 C & C List: 218.6.19.3 (2), 192.168.1.230 Peer Coord. List: Resource List: Observed Start: 06/20/2011 07:22:28.278 PDT Gen. 
Time: 06/20/2011 07:37:03.906 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD 212.227.97.179 (4) (07:22:28.278 PDT-07:22:29.089 PDT) event=1:2003179 (4) {tcp} E3[rb] ET POLICY exe download without User Agent, [/coblitz/wow/patches/3.2.0/WoW-3.2.0-deDE-patch.exe] MAC_Src: 00:21:5A:08:EC:40 2: 51697->80 (07:22:28.278 PDT-07:22:29.089 PDT) 33178->80 (07:26:22.380 PDT) 44158->80 (07:30:34.836 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) 218.6.19.3 (2) (07:24:07.041 PDT) event=1:3810007 (2) {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:EC:40 3124->46015 (07:24:07.041 PDT) 3124->60297 (07:35:37.245 PDT) C and C DNS CHECK-IN 192.168.1.230 (07:33:22.535 PDT) event=224:1 {udp} E4[dns] BHDNS SPYWARE-DNS: hstcorp.co.kr (malware), [] MAC_Src: 00:21:5A:08:EC:40 42402->53 (07:33:22.535 PDT) OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 132.239.17.226 (3) (07:22:44.145 PDT) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 35469->2128 (07:28:20.111 PDT) ------------------------- event=1:9910006 (2) {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 49301->49301 (07:22:44.145 PDT) 2122->2122 (07:32:46.319 PDT) tcpslice 1308579748.278 1308579749.090 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 06/20/2011 07:42:49.639 PDT Gen. 
Time: 06/20/2011 07:42:49.639 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 134.34.246.5 (07:42:49.639 PDT) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 23127->23127 (07:42:49.639 PDT) tcpslice 1308580969.639 1308580969.640 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 1.7 (>= 0.8) Infected Target: 192.168.1.102 Infector List: Egg Source List: 212.227.97.179 C & C List: 218.6.19.3 Peer Coord. List: Resource List: Observed Start: 06/20/2011 07:42:49.639 PDT Gen. Time: 06/20/2011 07:47:03.070 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD 212.227.97.179 (07:44:22.881 PDT) event=1:2003179 {tcp} E3[rb] ET POLICY exe download without User Agent, [/coblitz/wow/patches/3.2.0/WoW-3.2.0-esES-patch.exe] MAC_Src: 00:21:5A:08:EC:40 42301->80 (07:44:22.881 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) 218.6.19.3 (07:45:55.676 PDT) event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:EC:40 3124->50512 (07:45:55.676 PDT) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 134.34.246.5 (07:42:49.639 PDT) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 23127->23127 (07:42:49.639 PDT) 132.239.17.226 (07:44:15.049 PDT) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 59509->2128 (07:44:15.049 PDT) tcpslice 1308580969.639 1308580969.640 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 1.3 (>= 0.8) Infected 
Target: 192.168.1.102 Infector List: Egg Source List: 212.227.97.179 C & C List: Peer Coord. List: Resource List: Observed Start: 06/20/2011 07:47:08.127 PDT Gen. Time: 06/20/2011 07:52:54.552 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD 212.227.97.179 (4) (07:47:08.127 PDT) event=1:2003179 (4) {tcp} E3[rb] ET POLICY exe download without User Agent, [/coblitz/wow/patches/3.2.0/WoW-3.2.0-frFR-patch.exe] MAC_Src: 00:21:5A:08:EC:40 42862->80 (07:47:08.127 PDT) 43073->80 (07:48:10.567 PDT) 43081->80 (07:48:15.270 PDT) 52910->80 (07:49:23.824 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 206.207.248.34 (07:52:54.552 PDT) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 23127->23127 (07:52:54.552 PDT) tcpslice 1308581228.127 1308581228.128 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 1.3 (>= 0.8) Infected Target: 192.168.1.102 Infector List: Egg Source List: 212.227.97.179 C & C List: Peer Coord. List: Resource List: Observed Start: 06/20/2011 08:01:27.320 PDT Gen. 
Time: 06/20/2011 08:03:11.631 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD 212.227.97.179 (08:01:27.320 PDT) event=1:2003179 {tcp} E3[rb] ET POLICY exe download without User Agent, [/coblitz/wow/patches/3.2.0/WoW-3.2.0-frFR-patch.exe] MAC_Src: 00:21:5A:08:EC:40 49311->80 (08:01:27.320 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 206.207.248.34 (08:03:11.631 PDT) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 23127->23127 (08:03:11.631 PDT) tcpslice 1308582087.320 1308582087.321 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 1.3 (>= 0.8) Infected Target: 192.168.1.102 Infector List: Egg Source List: 212.227.97.179 C & C List: Peer Coord. List: Resource List: Observed Start: 06/20/2011 08:01:27.320 PDT Gen. 
Time: 06/20/2011 08:05:15.857 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD 212.227.97.179 (08:01:27.320 PDT) event=1:2003179 {tcp} E3[rb] ET POLICY exe download without User Agent, [/coblitz/wow/patches/3.2.0/WoW-3.2.0-frFR-patch.exe] MAC_Src: 00:21:5A:08:EC:40 49311->80 (08:01:27.320 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 132.239.17.226 (08:03:44.495 PDT) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 58402->2126 (08:03:44.495 PDT) 206.207.248.34 (08:03:11.631 PDT) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 23127->23127 (08:03:11.631 PDT) tcpslice 1308582087.320 1308582087.321 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.9 (>= 0.8) Infected Target: 192.168.1.102 Infector List: Egg Source List: 212.227.97.179 C & C List: 218.6.19.3 Peer Coord. List: Resource List: Observed Start: 06/20/2011 08:05:33.534 PDT Gen. 
Time: 06/20/2011 08:08:26.144 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD 212.227.97.179 (2) (08:05:33.534 PDT) event=1:2003179 (2) {tcp} E3[rb] ET POLICY exe download without User Agent, [/coblitz/wow/patches/3.2.0/WoW-3.2.0-frFR-patch.exe] MAC_Src: 00:21:5A:08:EC:40 50295->80 (08:05:33.534 PDT) 50333->80 (08:05:46.525 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) 218.6.19.3 (08:08:26.144 PDT) event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:EC:40 3124->48242 (08:08:26.144 PDT) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT tcpslice 1308582333.534 1308582333.535 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 06/20/2011 08:13:26.672 PDT Gen. Time: 06/20/2011 08:13:26.672 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 206.207.248.34 (08:13:26.672 PDT) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 23127->23127 (08:13:26.672 PDT) tcpslice 1308582806.672 1308582806.673 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 1.7 (>= 0.8) Infected Target: 192.168.1.102 Infector List: Egg Source List: 212.227.97.179 C & C List: 218.6.19.3 Peer Coord. List: Resource List: Observed Start: 06/20/2011 08:13:26.672 PDT Gen. 
Time: 06/20/2011 08:22:21.577 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD 212.227.97.179 (8) (08:14:21.362 PDT) event=1:2003179 (8) {tcp} E3[rb] ET POLICY exe download without User Agent, [/coblitz/wow/patches/3.2.0/WoW-3.2.0-frFR-patch.exe] MAC_Src: 00:21:5A:08:EC:40 38391->80 (08:14:21.362 PDT) 38441->80 (08:14:36.404 PDT) 38655->80 (08:15:36.821 PDT) 38964->80 (08:17:16.263 PDT) 39073->80 (08:17:50.190 PDT) 47056->80 (08:19:41.396 PDT) 47065->80 (08:19:46.657 PDT) 47328->80 (08:21:06.496 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) 218.6.19.3 (08:19:04.849 PDT) event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:EC:40 3124->38410 (08:19:04.849 PDT) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 132.239.17.226 (08:14:36.257 PDT) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 42529->2126 (08:14:36.257 PDT) 206.207.248.34 (08:13:26.672 PDT) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 23127->23127 (08:13:26.672 PDT) tcpslice 1308582806.672 1308582806.673 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 06/20/2011 08:23:33.941 PDT Gen. 
Time: 06/20/2011 08:23:33.941 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 206.207.248.34 (08:23:33.941 PDT) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 2121->2121 (08:23:33.941 PDT) tcpslice 1308583413.941 1308583413.942 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 1.3 (>= 0.8) Infected Target: 192.168.1.102 Infector List: Egg Source List: 212.227.97.179 C & C List: Peer Coord. List: Resource List: Observed Start: 06/20/2011 08:23:33.941 PDT Gen. Time: 06/20/2011 08:28:21.120 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD 212.227.97.179 (3) (08:23:54.422 PDT) event=1:2003179 (3) {tcp} E3[rb] ET POLICY exe download without User Agent, [/coblitz/wow/patches/3.2.0/WoW-3.2.0-deDE-patch.exe] MAC_Src: 00:21:5A:08:EC:40 39116->80 (08:23:54.422 PDT) 39280->80 (08:24:42.105 PDT) 39317->80 (08:24:53.338 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 206.207.248.34 (08:23:33.941 PDT) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 2121->2121 (08:23:33.941 PDT) tcpslice 1308583413.941 1308583413.942 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 06/20/2011 08:29:10.761 PDT Gen. 
Time: 06/20/2011 08:29:10.761 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 132.239.17.226 (08:29:10.761 PDT) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 51421->2128 (08:29:10.761 PDT) tcpslice 1308583750.761 1308583750.762 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 1.2 (>= 0.8) Infected Target: 192.168.1.102 Infector List: Egg Source List: C & C List: 218.6.19.3 Peer Coord. List: Resource List: Observed Start: 06/20/2011 08:29:10.761 PDT Gen. Time: 06/20/2011 08:33:03.358 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) 218.6.19.3 (08:29:29.576 PDT) event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:EC:40 3124->52585 (08:29:29.576 PDT) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 132.239.17.226 (08:29:10.761 PDT) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 51421->2128 (08:29:10.761 PDT) tcpslice 1308583750.761 1308583750.762 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 06/20/2011 08:33:41.664 PDT Gen. 
Time: 06/20/2011 08:33:41.664 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 132.239.17.226 (08:33:41.664 PDT) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 2122->2122 (08:33:41.664 PDT) tcpslice 1308584021.664 1308584021.665 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 1.7 (>= 0.8) Infected Target: 192.168.1.102 Infector List: Egg Source List: 212.227.97.179 C & C List: 218.6.19.3 Peer Coord. List: Resource List: Observed Start: 06/20/2011 08:33:41.664 PDT Gen. Time: 06/20/2011 08:45:49.410 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD 212.227.97.179 (5) (08:36:27.270 PDT-08:39:32.439 PDT) event=1:2003179 (5) {tcp} E3[rb] ET POLICY exe download without User Agent, [/coblitz/wow/patches/3.2.0/WoW-3.2.0-esES-patch.exe] MAC_Src: 00:21:5A:08:EC:40 48698->80 (08:36:27.270 PDT) 53896->80 (08:41:21.809 PDT) 49201->80 (08:38:49.691 PDT) 2: 53507->80 (08:39:30.344 PDT-08:39:32.439 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) 218.6.19.3 (08:39:40.000 PDT) event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:EC:40 3124->55248 (08:39:40.000 PDT) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 132.239.17.226 (08:33:41.664 PDT) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 2122->2122 (08:33:41.664 PDT) 206.207.248.34 (2) (08:39:20.993 PDT) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 36115->3128 (08:39:20.993 PDT) ------------------------- event=1:9910006 {udp} E8[rb] BotHunter REPO 
confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 2121->2121 (08:43:42.768 PDT) tcpslice 1308584021.664 1308584372.440 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.9 (>= 0.8) Infected Target: 192.168.1.102 Infector List: Egg Source List: 212.227.97.179 C & C List: 218.6.19.3 Peer Coord. List: Resource List: Observed Start: 06/20/2011 08:49:35.028 PDT Gen. Time: 06/20/2011 08:50:31.913 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD 212.227.97.179 (3) (08:49:35.028 PDT) event=1:2003179 (3) {tcp} E3[rb] ET POLICY exe download without User Agent, [/coblitz/wow/patches/3.2.0/WoW-3.2.0-enUS-patch.exe] MAC_Src: 00:21:5A:08:EC:40 34354->80 (08:49:35.028 PDT) 34389->80 (08:49:46.735 PDT) 34497->80 (08:50:20.549 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) 218.6.19.3 (08:50:31.913 PDT) event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:EC:40 3124->55211 (08:50:31.913 PDT) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT tcpslice 1308584975.028 1308584975.029 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 1.7 (>= 0.8) Infected Target: 192.168.1.102 Infector List: Egg Source List: 212.227.97.179 C & C List: 218.6.19.3 Peer Coord. List: Resource List: Observed Start: 06/20/2011 08:49:35.028 PDT Gen. 
Time: 06/20/2011 09:00:05.359 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD 212.227.97.179 (8) (08:49:35.028 PDT) event=1:2003179 (8) {tcp} E3[rb] ET POLICY exe download without User Agent, [/coblitz/wow/patches/3.2.0/WoW-3.2.0-enUS-patch.exe] MAC_Src: 00:21:5A:08:EC:40 34354->80 (08:49:35.028 PDT) 34389->80 (08:49:46.735 PDT) 34497->80 (08:50:20.549 PDT) 34683->80 (08:51:16.386 PDT) 34784->80 (08:51:45.588 PDT) 35027->80 (08:53:05.721 PDT) 41102->80 (08:56:10.301 PDT) 41500->80 (08:57:50.023 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) 218.6.19.3 (08:50:31.913 PDT) event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:EC:40 3124->55211 (08:50:31.913 PDT) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 132.239.17.226 (08:51:00.245 PDT) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 40000->2128 (08:51:00.245 PDT) 143.89.49.74 (08:53:54.736 PDT) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 4121->4121 (08:53:54.736 PDT) tcpslice 1308584975.028 1308584975.029 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.9 (>= 0.8) Infected Target: 192.168.1.102 Infector List: Egg Source List: 212.227.97.179 C & C List: 218.6.19.3 Peer Coord. List: Resource List: Observed Start: 06/20/2011 09:00:31.580 PDT Gen. 
Time: 06/20/2011 09:00:55.385 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD 212.227.97.179 (09:00:31.580 PDT) event=1:2003179 {tcp} E3[rb] ET POLICY exe download without User Agent, [/coblitz/wow/patches/3.2.0/WoW-3.2.0-deDE-patch.exe] MAC_Src: 00:21:5A:08:EC:40 35815->80 (09:00:31.580 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) 218.6.19.3 (09:00:55.385 PDT) event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:EC:40 3124->45165 (09:00:55.385 PDT) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT tcpslice 1308585631.580 1308585631.581 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 1.7 (>= 0.8) Infected Target: 192.168.1.102 Infector List: Egg Source List: 91.209.175.101, 212.227.97.179 C & C List: 218.6.19.3 (3) Peer Coord. List: Resource List: Observed Start: 06/20/2011 09:00:31.580 PDT Gen. 
Time: 06/20/2011 09:24:20.156 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD 91.209.175.101 (2) (09:03:16.862 PDT) event=1:2009295 (2) {tcp} E3[rb] ET USER_AGENTS Suspicious Mozilla User-Agent - Likely Fake (Mozilla/5.0), [/com] MAC_Src: 00:21:5A:08:EC:40 58889->80 (09:03:16.862 PDT) 58889->80 (09:03:17.033 PDT) 212.227.97.179 (15) (09:00:31.580 PDT-09:09:25.972 PDT) event=1:2003179 (15) {tcp} E3[rb] ET POLICY exe download without User Agent, [/coblitz/wow/patches/3.2.0/WoW-3.2.0-deDE-patch.exe] MAC_Src: 00:21:5A:08:EC:40 39310->80 (09:09:18.113 PDT) 35815->80 (09:00:31.580 PDT) 40398->80 (09:13:32.729 PDT) 50590->80 (09:04:39.606 PDT) 35965->80 (09:14:27.387 PDT) 50431->80 (09:04:00.032 PDT) 39837->80 (09:11:26.586 PDT) 39367->80 (09:09:32.086 PDT) 2: 39310->80 (09:09:24.739 PDT-09:09:25.972 PDT) 36544->80 (09:17:00.349 PDT) 39970->80 (09:11:59.424 PDT) 39336->80 (09:09:28.560 PDT) 51453->80 (09:08:50.550 PDT) 39839->80 (09:11:28.010 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) 218.6.19.3 (3) (09:00:55.385 PDT) event=1:3810007 (3) {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:EC:40 3124->45165 (09:00:55.385 PDT) 3124->38104 (09:11:03.346 PDT) 3124->53093 (09:21:23.355 PDT) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 134.34.246.5 (09:03:58.064 PDT) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 4876->4876 (09:03:58.064 PDT) 132.239.17.226 (2) (09:11:05.675 PDT) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 33799->2128 (09:11:05.675 PDT) ------------------------- event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 2122->2122 (09:14:11.371 PDT) 195.37.16.125 (09:24:20.156 PDT) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 
00:21:5A:08:EC:40 4795->4795 (09:24:20.156 PDT) tcpslice 1308585631.580 1308586165.973 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 06/20/2011 09:29:42.737 PDT Gen. Time: 06/20/2011 09:29:42.737 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 206.207.248.34 (09:29:42.737 PDT) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 55001->2126 (09:29:42.737 PDT) tcpslice 1308587382.737 1308587382.738 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 1.7 (>= 0.8) Infected Target: 192.168.1.102 Infector List: Egg Source List: 212.227.97.179 C & C List: 218.6.19.3 Peer Coord. List: Resource List: Observed Start: 06/20/2011 09:29:42.737 PDT Gen. 
Time: 06/20/2011 09:35:31.091 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD 212.227.97.179 (09:31:31.009 PDT) event=1:2003179 {tcp} E3[rb] ET POLICY exe download without User Agent, [/coblitz/wow/patches/3.2.0/WoW-3.2.0-deDE-patch.exe] MAC_Src: 00:21:5A:08:EC:40 42130->80 (09:31:31.009 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) 218.6.19.3 (09:34:58.329 PDT) event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:EC:40 3124->48678 (09:34:58.329 PDT) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 132.239.17.226 (09:34:22.956 PDT) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 2122->2122 (09:34:22.956 PDT) 206.207.248.34 (09:29:42.737 PDT) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 55001->2126 (09:29:42.737 PDT) tcpslice 1308587382.737 1308587382.738 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 1.3 (>= 0.8) Infected Target: 192.168.1.102 Infector List: Egg Source List: 212.227.97.179 C & C List: Peer Coord. List: Resource List: Observed Start: 06/20/2011 09:44:11.910 PDT Gen. 
Time: 06/20/2011 09:44:32.268 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD 212.227.97.179 (09:44:11.910 PDT) event=1:2003179 {tcp} E3[rb] ET POLICY exe download without User Agent, [/coblitz/wow/patches/3.2.0/WoW-3.2.0-deDE-patch.exe] MAC_Src: 00:21:5A:08:EC:40 45877->80 (09:44:11.910 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 132.239.17.226 (09:44:32.268 PDT) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 2122->2122 (09:44:32.268 PDT) tcpslice 1308588251.910 1308588251.911 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 1.7 (>= 0.8) Infected Target: 192.168.1.102 Infector List: Egg Source List: 212.227.97.179 C & C List: 218.6.19.3 Peer Coord. List: Resource List: Observed Start: 06/20/2011 09:44:11.910 PDT Gen. 
Time: 06/20/2011 09:48:53.097 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD 212.227.97.179 (09:44:11.910 PDT) event=1:2003179 {tcp} E3[rb] ET POLICY exe download without User Agent, [/coblitz/wow/patches/3.2.0/WoW-3.2.0-deDE-patch.exe] MAC_Src: 00:21:5A:08:EC:40 45877->80 (09:44:11.910 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) 218.6.19.3 (09:47:08.853 PDT) event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:EC:40 3124->59911 (09:47:08.853 PDT) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 132.239.17.226 (2) (09:44:32.268 PDT) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 39469->2126 (09:46:06.952 PDT) ------------------------- event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 2122->2122 (09:44:32.268 PDT) tcpslice 1308588251.910 1308588251.911 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 06/20/2011 09:55:00.893 PDT Gen. 
Time: 06/20/2011 09:55:00.893 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 132.239.17.226 (09:55:00.893 PDT) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 2122->2122 (09:55:00.893 PDT) tcpslice 1308588900.893 1308588900.894 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 1.2 (>= 0.8) Infected Target: 192.168.1.102 Infector List: Egg Source List: C & C List: 218.6.19.3 Peer Coord. List: Resource List: Observed Start: 06/20/2011 09:55:00.893 PDT Gen. Time: 06/20/2011 09:58:36.925 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) 218.6.19.3 (09:58:10.524 PDT) event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:EC:40 3124->46173 (09:58:10.524 PDT) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 132.239.17.226 (09:55:00.893 PDT) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 2122->2122 (09:55:00.893 PDT) tcpslice 1308588900.893 1308588900.894 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 1.3 (>= 0.8) Infected Target: 192.168.1.102 Infector List: Egg Source List: 212.227.97.179 C & C List: Peer Coord. List: Resource List: Observed Start: 06/20/2011 10:00:12.966 PDT Gen. 
Time: 06/20/2011 10:05:09.687 PDT

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
  212.227.97.179 (3) (10:00:12.966 PDT)
  event=1:2003179 (3) {tcp} E3[rb] ET POLICY exe download without User Agent, [/coblitz/wow/patches/3.2.0/WoW-3.2.0-deDE-patch.exe] MAC_Src: 00:21:5A:08:EC:40
    33654->80 (10:00:12.966 PDT)
    34198->80 (10:02:31.523 PDT)
    34330->80 (10:03:08.961 PDT)
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
DECLARE BOT
  206.207.248.34 (10:05:09.687 PDT)
  event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40
    2122->2122 (10:05:09.687 PDT)

tcpslice 1308589212.966 1308589212.967 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 1.3 (>= 0.8)
Infected Target: 192.168.1.102
Infector List:
Egg Source List: 212.227.97.179
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 06/20/2011 10:07:43.630 PDT
Gen. Time: 06/20/2011 10:07:57.358 PDT

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
  212.227.97.179 (10:07:43.630 PDT)
  event=1:2003179 {tcp} E3[rb] ET POLICY exe download without User Agent, [/coblitz/wow/patches/3.2.0/WoW-3.2.0-deDE-patch.exe] MAC_Src: 00:21:5A:08:EC:40
    60808->80 (10:07:43.630 PDT)
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
DECLARE BOT
  206.207.248.34 (10:07:57.358 PDT)
  event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40
    48304->3128 (10:07:57.358 PDT)

tcpslice 1308589663.630 1308589663.631 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 1.7 (>= 0.8)
Infected Target: 192.168.1.102
Infector List:
Egg Source List: 212.227.97.179
C & C List: 218.6.19.3 (2)
Peer Coord. List:
Resource List:
Observed Start: 06/20/2011 10:07:43.630 PDT
Gen. Time: 06/20/2011 10:20:32.854 PDT

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
  212.227.97.179 (17) (10:07:43.630 PDT-10:13:50.946 PDT)
  event=1:2003179 (17) {tcp} E3[rb] ET POLICY exe download without User Agent, [/coblitz/wow/patches/3.3.2/WoW-3.3.0.11159-to-3.3.2.11403-enGB-patch.exe] MAC_Src: 00:21:5A:08:EC:40
    42129->80 (10:16:33.680 PDT)
    42471->80 (10:18:02.474 PDT)
    41680->80 (10:14:52.108 PDT)
    32773->80 (10:08:28.164 PDT)
    42221->80 (10:16:56.835 PDT)
    33041->80 (10:10:17.262 PDT)
    60808->80 (10:07:43.630 PDT)
    41924->80 (10:15:47.987 PDT)
    33377->80 (10:11:40.822 PDT)
    42409->80 (10:17:47.963 PDT)
    33320->80 (10:11:28.283 PDT)
    41561->80 (10:14:21.430 PDT)
    2: 33870->80 (10:13:50.595 PDT-10:13:50.946 PDT)
    41724->80 (10:15:01.346 PDT)
    42184->80 (10:16:47.933 PDT)
    33870->80 (10:13:46.662 PDT)
C and C TRAFFIC
C and C TRAFFIC (RBN)
  218.6.19.3 (2) (10:08:36.215 PDT)
  event=1:3810007 (2) {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:EC:40
    3124->44595 (10:08:36.215 PDT)
    3124->42386 (10:19:06.177 PDT)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
DECLARE BOT
  134.34.246.5 (10:15:10.277 PDT)
  event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40
    4795->4795 (10:15:10.277 PDT)
  206.207.248.34 (10:07:57.358 PDT)
  event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40
    48304->3128 (10:07:57.358 PDT)

tcpslice 1308589663.630 1308590030.947 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 1.3 (>= 0.8)
Infected Target: 192.168.1.102
Infector List:
Egg Source List: 212.227.97.179
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 06/20/2011 10:21:14.910 PDT
Gen. Time: 06/20/2011 10:24:38.561 PDT

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
  212.227.97.179 (10:21:14.910 PDT)
  event=1:2003179 {tcp} E3[rb] ET POLICY exe download without User Agent, [/coblitz/wow/patches/3.3.2/WoW-3.3.0.11159-to-3.3.2.11403-enGB-patch.exe] MAC_Src: 00:21:5A:08:EC:40
    57108->80 (10:21:14.910 PDT)
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
DECLARE BOT
  206.207.248.34 (10:24:38.561 PDT)
  event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40
    50136->2128 (10:24:38.561 PDT)

tcpslice 1308590474.910 1308590474.911 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 1.3 (>= 0.8)
Infected Target: 192.168.1.102
Infector List:
Egg Source List: 212.227.97.179
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 06/20/2011 10:21:14.910 PDT
Gen. Time: 06/20/2011 10:25:22.884 PDT

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
  212.227.97.179 (10:21:14.910 PDT)
  event=1:2003179 {tcp} E3[rb] ET POLICY exe download without User Agent, [/coblitz/wow/patches/3.3.2/WoW-3.3.0.11159-to-3.3.2.11403-enGB-patch.exe] MAC_Src: 00:21:5A:08:EC:40
    57108->80 (10:21:14.910 PDT)
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
DECLARE BOT
  12.46.129.16 (10:25:22.884 PDT)
  event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40
    2121->2121 (10:25:22.884 PDT)
  206.207.248.34 (10:24:38.561 PDT)
  event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40
    50136->2128 (10:24:38.561 PDT)

tcpslice 1308590474.910 1308590474.911 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.9 (>= 0.8)
Infected Target: 192.168.1.102
Infector List:
Egg Source List: 212.227.97.179
C & C List: 218.6.19.3
Peer Coord. List:
Resource List:
Observed Start: 06/20/2011 10:27:42.154 PDT
Gen. Time: 06/20/2011 10:30:26.319 PDT

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
  212.227.97.179 (10:27:42.154 PDT)
  event=1:2003179 {tcp} E3[rb] ET POLICY exe download without User Agent, [/coblitz/wow/patches/3.3.0/WoW-3.2.0.10192-to-3.3.0.10958-enUS-patch.exe] MAC_Src: 00:21:5A:08:EC:40
    56484->80 (10:27:42.154 PDT)
C and C TRAFFIC
C and C TRAFFIC (RBN)
  218.6.19.3 (10:30:26.319 PDT)
  event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:EC:40
    3124->37905 (10:30:26.319 PDT)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
DECLARE BOT

tcpslice 1308590862.154 1308590862.155 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 06/20/2011 10:35:23.572 PDT
Gen. Time: 06/20/2011 10:35:23.572 PDT

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
DECLARE BOT
  132.239.17.226 (10:35:23.572 PDT)
  event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40
    2122->2122 (10:35:23.572 PDT)

tcpslice 1308591323.572 1308591323.573 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 1.7 (>= 0.8)
Infected Target: 192.168.1.102
Infector List:
Egg Source List: 212.227.97.179
C & C List: 218.6.19.3
Peer Coord. List:
Resource List:
Observed Start: 06/20/2011 10:35:23.572 PDT
Gen. Time: 06/20/2011 10:43:08.128 PDT

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
  212.227.97.179 (3) (10:37:07.623 PDT)
  event=1:2003179 (3) {tcp} E3[rb] ET POLICY exe download without User Agent, [/coblitz/wow/patches/3.3.0/WoW-3.2.0.10192-to-3.3.0.10958-enGB-patch.exe] MAC_Src: 00:21:5A:08:EC:40
    38139->80 (10:37:07.623 PDT)
    51409->80 (10:39:28.923 PDT)
    51445->80 (10:39:39.998 PDT)
C and C TRAFFIC
C and C TRAFFIC (RBN)
  218.6.19.3 (10:40:48.099 PDT)
  event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:EC:40
    3124->49184 (10:40:48.099 PDT)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
DECLARE BOT
  132.239.17.226 (2) (10:35:23.572 PDT)
  event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40
    45378->2128 (10:38:08.332 PDT)
  -------------------------
  event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40
    2122->2122 (10:35:23.572 PDT)

tcpslice 1308591323.572 1308591323.573 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 1.3 (>= 0.8)
Infected Target: 192.168.1.102
Infector List:
Egg Source List: 212.227.97.179
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 06/20/2011 10:44:59.392 PDT
Gen. Time: 06/20/2011 10:45:28.215 PDT

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
  212.227.97.179 (10:44:59.392 PDT)
  event=1:2003179 {tcp} E3[rb] ET POLICY exe download without User Agent, [/coblitz/wow/patches/3.2.0/WoW-3.2.0-deDE-patch.exe] MAC_Src: 00:21:5A:08:EC:40
    37943->80 (10:44:59.392 PDT)
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
DECLARE BOT
  195.116.60.211 (10:45:28.215 PDT)
  event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40
    2122->2122 (10:45:28.215 PDT)

tcpslice 1308591899.392 1308591899.393 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 06/20/2011 10:55:34.983 PDT
Gen. Time: 06/20/2011 10:55:34.983 PDT

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
DECLARE BOT
  206.207.248.34 (10:55:34.983 PDT)
  event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40
    2121->2121 (10:55:34.983 PDT)

tcpslice 1308592534.983 1308592534.984 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 06/20/2011 10:55:34.983 PDT
Gen. Time: 06/20/2011 10:59:10.096 PDT

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
DECLARE BOT
  132.239.17.226 (10:59:10.096 PDT)
  event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40
    52962->2126 (10:59:10.096 PDT)
  206.207.248.34 (10:55:34.983 PDT)
  event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40
    2121->2121 (10:55:34.983 PDT)

tcpslice 1308592534.983 1308592534.984 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 06/20/2011 11:05:40.148 PDT
Gen. Time: 06/20/2011 11:05:40.148 PDT

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
DECLARE BOT
  206.207.248.34 (11:05:40.148 PDT)
  event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40
    2122->2122 (11:05:40.148 PDT)

tcpslice 1308593140.148 1308593140.149 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 1.2 (>= 0.8)
Infected Target: 192.168.1.102
Infector List:
Egg Source List:
C & C List: 218.6.19.3
Peer Coord. List:
Resource List:
Observed Start: 06/20/2011 11:11:20.091 PDT
Gen. Time: 06/20/2011 11:11:25.287 PDT

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
  218.6.19.3 (11:11:20.091 PDT)
  event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:EC:40
    3124->58475 (11:11:20.091 PDT)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
DECLARE BOT
  206.207.248.34 (11:11:25.287 PDT)
  event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40
    46640->2126 (11:11:25.287 PDT)

tcpslice 1308593480.091 1308593480.092 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 06/20/2011 11:15:56.769 PDT
Gen. Time: 06/20/2011 11:15:56.769 PDT

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
DECLARE BOT
  132.239.17.226 (11:15:56.769 PDT)
  event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40
    2122->2122 (11:15:56.769 PDT)

tcpslice 1308593756.769 1308593756.770 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 1.2 (>= 0.8)
Infected Target: 192.168.1.102
Infector List:
Egg Source List:
C & C List: 218.6.19.3
Peer Coord. List:
Resource List:
Observed Start: 06/20/2011 11:21:23.210 PDT
Gen. Time: 06/20/2011 11:22:42.308 PDT

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
  218.6.19.3 (11:21:23.210 PDT)
  event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:EC:40
    3124->58591 (11:21:23.210 PDT)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
DECLARE BOT
  132.239.17.226 (11:22:42.308 PDT)
  event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40
    56351->2128 (11:22:42.308 PDT)

tcpslice 1308594083.210 1308594083.211 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 06/20/2011 11:26:00.679 PDT
Gen. Time: 06/20/2011 11:26:00.679 PDT

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
DECLARE BOT
  206.207.248.34 (11:26:00.679 PDT)
  event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40
    2122->2122 (11:26:00.679 PDT)

tcpslice 1308594360.679 1308594360.680 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 06/20/2011 11:35:45.041 PDT
Gen. Time: 06/20/2011 11:35:45.041 PDT

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
DECLARE BOT
  206.207.248.34 (11:35:45.041 PDT)
  event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40
    48079->3128 (11:35:45.041 PDT)

tcpslice 1308594945.041 1308594945.042 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 06/20/2011 11:35:45.041 PDT
Gen. Time: 06/20/2011 11:38:52.829 PDT

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
DECLARE BOT
  132.239.17.226 (11:36:09.313 PDT)
  event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40
    2122->2122 (11:36:09.313 PDT)
  206.207.248.34 (11:35:45.041 PDT)
  event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40
    48079->3128 (11:35:45.041 PDT)

tcpslice 1308594945.041 1308594945.042 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.9 (>= 0.8)
Infected Target: 192.168.1.102
Infector List:
Egg Source List: 212.227.97.179
C & C List: 218.6.19.3
Peer Coord. List:
Resource List:
Observed Start: 06/20/2011 11:41:29.855 PDT
Gen. Time: 06/20/2011 11:45:38.112 PDT

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
  212.227.97.179 (11:45:38.112 PDT)
  event=1:2003179 {tcp} E3[rb] ET POLICY exe download without User Agent, [/coblitz/wow/patches/3.3.2/WoW-3.3.0.11159-to-3.3.2.11403-enUS-patch.exe] MAC_Src: 00:21:5A:08:EC:40
    40865->80 (11:45:38.112 PDT)
C and C TRAFFIC
C and C TRAFFIC (RBN)
  218.6.19.3 (11:41:29.855 PDT)
  event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:EC:40
    3124->57270 (11:41:29.855 PDT)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
DECLARE BOT

tcpslice 1308595289.855 1308595289.856 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 1.7 (>= 0.8)
Infected Target: 192.168.1.102
Infector List:
Egg Source List: 212.227.97.179
C & C List: 218.6.19.3
Peer Coord. List:
Resource List:
Observed Start: 06/20/2011 11:41:29.855 PDT
Gen. Time: 06/20/2011 11:48:02.403 PDT

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
  212.227.97.179 (11:45:38.112 PDT)
  event=1:2003179 {tcp} E3[rb] ET POLICY exe download without User Agent, [/coblitz/wow/patches/3.3.2/WoW-3.3.0.11159-to-3.3.2.11403-enUS-patch.exe] MAC_Src: 00:21:5A:08:EC:40
    40865->80 (11:45:38.112 PDT)
C and C TRAFFIC
C and C TRAFFIC (RBN)
  218.6.19.3 (11:41:29.855 PDT)
  event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:EC:40
    3124->57270 (11:41:29.855 PDT)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
DECLARE BOT
  206.207.248.34 (11:46:11.735 PDT)
  event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40
    2122->2122 (11:46:11.735 PDT)

tcpslice 1308595289.855 1308595289.856 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 06/20/2011 11:48:49.377 PDT
Gen. Time: 06/20/2011 11:48:49.377 PDT

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
DECLARE BOT
  206.207.248.34 (11:48:49.377 PDT)
  event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40
    55298->2126 (11:48:49.377 PDT)

tcpslice 1308595729.377 1308595729.378 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 1.2 (>= 0.8)
Infected Target: 192.168.1.102
Infector List:
Egg Source List:
C & C List: 218.6.19.3
Peer Coord. List:
Resource List:
Observed Start: 06/20/2011 11:54:37.148 PDT
Gen. Time: 06/20/2011 11:56:11.834 PDT

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
  218.6.19.3 (11:54:37.148 PDT)
  event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:EC:40
    3124->58928 (11:54:37.148 PDT)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
DECLARE BOT
  206.207.248.34 (11:56:11.834 PDT)
  event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40
    4795->4795 (11:56:11.834 PDT)

tcpslice 1308596077.148 1308596077.149 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 06/20/2011 12:02:08.766 PDT
Gen. Time: 06/20/2011 12:02:08.766 PDT

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
DECLARE BOT
  132.239.17.226 (12:02:08.766 PDT)
  event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40
    57975->2128 (12:02:08.766 PDT)

tcpslice 1308596528.766 1308596528.767 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 1.7 (>= 0.8)
Infected Target: 192.168.1.102
Infector List:
Egg Source List: 212.227.97.179
C & C List: 218.6.19.3
Peer Coord. List:
Resource List:
Observed Start: 06/20/2011 12:02:08.766 PDT
Gen. Time: 06/20/2011 12:06:34.712 PDT

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
  212.227.97.179 (12:02:33.098 PDT)
  event=1:2003179 {tcp} E3[rb] ET POLICY exe download without User Agent, [/coblitz/wow/patches/3.2.0/WoW-3.2.0-deDE-patch.exe] MAC_Src: 00:21:5A:08:EC:40
    43655->80 (12:02:33.098 PDT)
C and C TRAFFIC
C and C TRAFFIC (RBN)
  218.6.19.3 (12:04:38.811 PDT)
  event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:EC:40
    3124->55932 (12:04:38.811 PDT)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
DECLARE BOT
  132.239.17.226 (12:02:08.766 PDT)
  event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40
    57975->2128 (12:02:08.766 PDT)
  206.207.248.34 (12:06:13.031 PDT)
  event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40
    2122->2122 (12:06:13.031 PDT)

tcpslice 1308596528.766 1308596528.767 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.9 (>= 0.8)
Infected Target: 192.168.1.102
Infector List:
Egg Source List: 212.227.97.179
C & C List: 218.6.19.3
Peer Coord. List:
Resource List:
Observed Start: 06/20/2011 12:12:55.695 PDT
Gen. Time: 06/20/2011 12:14:47.774 PDT

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
  212.227.97.179 (2) (12:12:55.695 PDT)
  event=1:2003179 (2) {tcp} E3[rb] ET POLICY exe download without User Agent, [/coblitz/wow/patches/3.2.0/WoW-3.2.0-deDE-patch.exe] MAC_Src: 00:21:5A:08:EC:40
    41819->80 (12:12:55.695 PDT)
    33663->80 (12:14:00.106 PDT)
C and C TRAFFIC
C and C TRAFFIC (RBN)
  218.6.19.3 (12:14:47.774 PDT)
  event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:EC:40
    3124->46750 (12:14:47.774 PDT)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
DECLARE BOT

tcpslice 1308597175.695 1308597175.696 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 1.7 (>= 0.8)
Infected Target: 192.168.1.102
Infector List:
Egg Source List: 212.227.97.179
C & C List: 218.6.19.3
Peer Coord. List:
Resource List:
Observed Start: 06/20/2011 12:12:55.695 PDT
Gen. Time: 06/20/2011 12:16:15.965 PDT

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
  212.227.97.179 (2) (12:12:55.695 PDT)
  event=1:2003179 (2) {tcp} E3[rb] ET POLICY exe download without User Agent, [/coblitz/wow/patches/3.2.0/WoW-3.2.0-deDE-patch.exe] MAC_Src: 00:21:5A:08:EC:40
    41819->80 (12:12:55.695 PDT)
    33663->80 (12:14:00.106 PDT)
C and C TRAFFIC
C and C TRAFFIC (RBN)
  218.6.19.3 (12:14:47.774 PDT)
  event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:EC:40
    3124->46750 (12:14:47.774 PDT)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
DECLARE BOT
  132.239.17.226 (12:16:15.965 PDT)
  event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40
    4795->4795 (12:16:15.965 PDT)

tcpslice 1308597175.695 1308597175.696 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 06/20/2011 12:17:36.882 PDT
Gen. Time: 06/20/2011 12:17:36.882 PDT

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
DECLARE BOT
  132.239.17.226 (12:17:36.882 PDT)
  event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40
    34934->2128 (12:17:36.882 PDT)

tcpslice 1308597456.882 1308597456.883 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 1.2 (>= 0.8)
Infected Target: 192.168.1.102
Infector List:
Egg Source List:
C & C List: 218.6.19.3
Peer Coord. List:
Resource List:
Observed Start: 06/20/2011 12:25:10.730 PDT
Gen. Time: 06/20/2011 12:26:17.717 PDT

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
  218.6.19.3 (12:25:10.730 PDT)
  event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:EC:40
    3124->52572 (12:25:10.730 PDT)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
DECLARE BOT
  206.207.248.34 (12:26:17.717 PDT)
  event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40
    23127->23127 (12:26:17.717 PDT)

tcpslice 1308597910.730 1308597910.731 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 1.2 (>= 0.8)
Infected Target: 192.168.1.102
Infector List:
Egg Source List:
C & C List: 218.6.19.3
Peer Coord. List:
Resource List:
Observed Start: 06/20/2011 12:25:10.730 PDT
Gen. Time: 06/20/2011 12:29:17.505 PDT

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
  218.6.19.3 (12:25:10.730 PDT)
  event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:EC:40
    3124->52572 (12:25:10.730 PDT)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
DECLARE BOT
  206.207.248.34 (2) (12:26:17.717 PDT)
  event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40
    43404->3128 (12:28:25.805 PDT)
  -------------------------
  event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40
    23127->23127 (12:26:17.717 PDT)

tcpslice 1308597910.730 1308597910.731 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 1.3 (>= 0.8)
Infected Target: 192.168.1.102
Infector List:
Egg Source List: 212.227.97.179
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 06/20/2011 12:32:31.488 PDT
Gen. Time: 06/20/2011 12:36:25.175 PDT

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
  212.227.97.179 (2) (12:32:31.488 PDT)
  event=1:2003179 (2) {tcp} E3[rb] ET POLICY exe download without User Agent, [/coblitz/wow/patches/3.2.0/WoW-3.2.0-esES-patch.exe] MAC_Src: 00:21:5A:08:EC:40
    33253->80 (12:32:31.488 PDT)
    33350->80 (12:33:00.712 PDT)
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
DECLARE BOT
  132.239.17.226 (12:36:25.175 PDT)
  event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40
    2122->2122 (12:36:25.175 PDT)

tcpslice 1308598351.488 1308598351.489 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.9 (>= 0.8)
Infected Target: 192.168.1.102
Infector List:
Egg Source List: 212.227.97.179
C & C List: 218.6.19.3
Peer Coord. List:
Resource List:
Observed Start: 06/20/2011 12:37:04.108 PDT
Gen. Time: 06/20/2011 12:37:19.938 PDT

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
  212.227.97.179 (12:37:19.938 PDT)
  event=1:2003179 {tcp} E3[rb] ET POLICY exe download without User Agent, [/coblitz/wow/patches/3.2.0/WoW-3.2.0-esES-patch.exe] MAC_Src: 00:21:5A:08:EC:40
    52847->80 (12:37:19.938 PDT)
C and C TRAFFIC
C and C TRAFFIC (RBN)
  218.6.19.3 (12:37:04.108 PDT)
  event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:EC:40
    3124->36875 (12:37:04.108 PDT)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
DECLARE BOT

tcpslice 1308598624.108 1308598624.109 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 1.7 (>= 0.8)
Infected Target: 192.168.1.102
Infector List:
Egg Source List: 212.227.97.179
C & C List: 218.6.19.3 (2)
Peer Coord. List:
Resource List:
Observed Start: 06/20/2011 12:37:04.108 PDT
Gen. Time: 06/20/2011 12:49:49.470 PDT

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
  212.227.97.179 (9) (12:37:19.938 PDT)
  event=1:2003179 (9) {tcp} E3[rb] ET POLICY exe download without User Agent, [/coblitz/wow/patches/3.2.0/WoW-3.2.0-esES-patch.exe] MAC_Src: 00:21:5A:08:EC:40
    52847->80 (12:37:19.938 PDT)
    52921->80 (12:37:36.563 PDT)
    53025->80 (12:38:05.851 PDT)
    41901->80 (12:40:37.088 PDT)
    42027->80 (12:41:12.755 PDT)
    42451->80 (12:43:12.336 PDT)
    55662->80 (12:45:47.605 PDT)
    55790->80 (12:46:24.485 PDT)
    55943->80 (12:47:03.852 PDT)
C and C TRAFFIC
C and C TRAFFIC (RBN)
  218.6.19.3 (2) (12:37:04.108 PDT)
  event=1:3810007 (2) {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:EC:40
    3124->36875 (12:37:04.108 PDT)
    3124->35843 (12:48:26.300 PDT)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
DECLARE BOT
  206.207.248.34 (2) (12:43:46.446 PDT)
  event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40
    50769->2126 (12:43:46.446 PDT)
  -------------------------
  event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40
    23127->23127 (12:46:43.698 PDT)

tcpslice 1308598624.108 1308598624.109 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 06/20/2011 12:55:13.090 PDT
Gen. Time: 06/20/2011 12:55:13.090 PDT

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
DECLARE BOT
  132.239.17.226 (12:55:13.090 PDT)
  event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40
    38553->2126 (12:55:13.090 PDT)

tcpslice 1308599713.090 1308599713.091 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 1.2 (>= 0.8)
Infected Target: 192.168.1.102
Infector List:
Egg Source List:
C & C List: 218.6.19.3
Peer Coord. List:
Resource List:
Observed Start: 06/20/2011 12:55:13.090 PDT
Gen. Time: 06/20/2011 12:58:41.783 PDT

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
  218.6.19.3 (12:58:41.783 PDT)
  event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:EC:40
    3124->59861 (12:58:41.783 PDT)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
DECLARE BOT
  132.239.17.226 (12:55:13.090 PDT)
  event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40
    38553->2126 (12:55:13.090 PDT)
  206.207.248.34 (12:56:49.267 PDT)
  event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40
    2122->2122 (12:56:49.267 PDT)

tcpslice 1308599713.090 1308599713.091 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 06/20/2011 13:05:58.035 PDT
Gen. Time: 06/20/2011 13:05:58.035 PDT

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
DECLARE BOT
  132.239.17.226 (13:05:58.035 PDT)
  event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40
    47968->2128 (13:05:58.035 PDT)

tcpslice 1308600358.035 1308600358.036 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 1.2 (>= 0.8)
Infected Target: 192.168.1.102
Infector List:
Egg Source List:
C & C List: 218.6.19.3
Peer Coord. List:
Resource List:
Observed Start: 06/20/2011 13:05:58.035 PDT
Gen. Time: 06/20/2011 13:08:45.637 PDT

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
  218.6.19.3 (13:08:45.637 PDT)
  event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:EC:40
    3124->37629 (13:08:45.637 PDT)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
DECLARE BOT
  132.239.17.226 (13:05:58.035 PDT)
  event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40
    47968->2128 (13:05:58.035 PDT)
  206.207.248.34 (13:06:50.421 PDT)
  event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40
    4121->4121 (13:06:50.421 PDT)

tcpslice 1308600358.035 1308600358.036 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 06/20/2011 13:16:43.591 PDT
Gen. Time: 06/20/2011 13:16:43.591 PDT

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
DECLARE BOT
  132.239.17.226 (13:16:43.591 PDT)
  event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40
    45056->2128 (13:16:43.591 PDT)

tcpslice 1308601003.591 1308601003.592 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 1.7 (>= 0.8)
Infected Target: 192.168.1.102
Infector List:
Egg Source List: 212.227.97.179
C & C List: 218.6.19.3
Peer Coord. List:
Resource List:
Observed Start: 06/20/2011 13:16:43.591 PDT
Gen. Time: 06/20/2011 13:21:19.723 PDT

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
  212.227.97.179 (13:17:58.481 PDT)
  event=1:2003179 {tcp} E3[rb] ET POLICY exe download without User Agent, [/coblitz/wow/patches/3.2.0/WoW-3.2.0-esES-patch.exe] MAC_Src: 00:21:5A:08:EC:40
    44243->80 (13:17:58.481 PDT)
C and C TRAFFIC
C and C TRAFFIC (RBN)
  218.6.19.3 (13:20:16.191 PDT)
  event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:EC:40
    3124->50427 (13:20:16.191 PDT)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
DECLARE BOT
  132.239.17.226 (13:16:43.591 PDT)
  event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40
    45056->2128 (13:16:43.591 PDT)
  206.207.248.34 (13:16:59.599 PDT)
  event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40
    23127->23127 (13:16:59.599 PDT)

tcpslice 1308601003.591 1308601003.592 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 1.3 (>= 0.8)
Infected
Target: 192.168.1.102 Infector List: Egg Source List: 212.227.97.179 C & C List: Peer Coord. List: Resource List: Observed Start: 06/20/2011 13:25:16.956 PDT Gen. Time: 06/20/2011 13:27:00.777 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD 212.227.97.179 (13:25:16.956 PDT) event=1:2003179 {tcp} E3[rb] ET POLICY exe download without User Agent, [/coblitz/wow/patches/3.2.0/WoW-3.2.0-esES-patch.exe] MAC_Src: 00:21:5A:08:EC:40 57378->80 (13:25:16.956 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 134.34.246.5 (13:27:00.777 PDT) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 4795->4795 (13:27:00.777 PDT) tcpslice 1308601516.956 1308601516.957 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 1.7 (>= 0.8) Infected Target: 192.168.1.102 Infector List: Egg Source List: 212.227.97.179 C & C List: 218.6.19.3 Peer Coord. List: Resource List: Observed Start: 06/20/2011 13:25:16.956 PDT Gen. 
Time: 06/20/2011 13:31:50.097 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD 212.227.97.179 (2) (13:25:16.956 PDT) event=1:2003179 (2) {tcp} E3[rb] ET POLICY exe download without User Agent, [/coblitz/wow/patches/3.2.0/WoW-3.2.0-esES-patch.exe] MAC_Src: 00:21:5A:08:EC:40 57378->80 (13:25:16.956 PDT) 57916->80 (13:27:23.510 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) 218.6.19.3 (13:30:41.547 PDT) event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:EC:40 3124->40827 (13:30:41.547 PDT) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 134.34.246.5 (13:27:00.777 PDT) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 4795->4795 (13:27:00.777 PDT) tcpslice 1308601516.956 1308601516.957 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 06/20/2011 13:34:50.899 PDT Gen. Time: 06/20/2011 13:34:50.899 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 132.239.17.226 (13:34:50.899 PDT) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 36431->2128 (13:34:50.899 PDT) tcpslice 1308602090.899 1308602090.900 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 06/20/2011 13:34:50.899 PDT Gen. 
Time: 06/20/2011 13:37:58.042 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 132.239.17.226 (13:34:50.899 PDT) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 36431->2128 (13:34:50.899 PDT) 206.207.248.34 (13:37:03.489 PDT) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 23127->23127 (13:37:03.489 PDT) tcpslice 1308602090.899 1308602090.900 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 06/20/2011 13:47:09.753 PDT Gen. Time: 06/20/2011 13:47:09.753 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 132.239.17.226 (13:47:09.753 PDT) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 2122->2122 (13:47:09.753 PDT) tcpslice 1308602829.753 1308602829.754 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 1.7 (>= 0.8) Infected Target: 192.168.1.102 Infector List: Egg Source List: 212.227.97.179 C & C List: 218.6.19.3 Peer Coord. List: Resource List: Observed Start: 06/20/2011 13:47:09.753 PDT Gen. 
Time: 06/20/2011 13:55:54.440 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD 212.227.97.179 (3) (13:47:41.116 PDT) event=1:2003179 (3) {tcp} E3[rb] ET POLICY exe download without User Agent, [/coblitz/wow/patches/3.3.0/WoW-3.2.0.10192-to-3.3.0.10958-ruRU-patch.exe] MAC_Src: 00:21:5A:08:EC:40 41068->80 (13:47:41.116 PDT) 53179->80 (13:50:20.326 PDT) 53659->80 (13:52:23.627 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) 218.6.19.3 (13:51:15.418 PDT) event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:EC:40 3124->51720 (13:51:15.418 PDT) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 132.239.17.226 (2) (13:47:09.753 PDT) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 34853->2128 (13:53:55.349 PDT) ------------------------- event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 2122->2122 (13:47:09.753 PDT) tcpslice 1308602829.753 1308602829.754 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 06/20/2011 13:57:19.481 PDT Gen. 
Time: 06/20/2011 13:57:19.481 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 134.34.246.5 (13:57:19.481 PDT) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 2122->2122 (13:57:19.481 PDT) tcpslice 1308603439.481 1308603439.482 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 1.7 (>= 0.8) Infected Target: 192.168.1.102 Infector List: Egg Source List: 212.227.97.179 C & C List: 218.6.19.3 (2) Peer Coord. List: Resource List: Observed Start: 06/20/2011 13:57:19.481 PDT Gen. Time: 06/20/2011 14:16:06.932 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD 212.227.97.179 (9) (14:01:43.822 PDT) event=1:2003179 (9) {tcp} E3[rb] ET POLICY exe download without User Agent, [/coblitz/wow/patches/3.3.0/WoW-3.2.0.10192-to-3.3.0.10958-ruRU-patch.exe] MAC_Src: 00:21:5A:08:EC:40 58783->80 (14:01:43.822 PDT) 58879->80 (14:02:02.747 PDT) 60936->80 (14:04:29.560 PDT) 33305->80 (14:06:58.676 PDT) 52001->80 (14:09:32.066 PDT) 52901->80 (14:13:20.444 PDT) 52905->80 (14:13:22.393 PDT) 50603->80 (14:13:59.886 PDT) 50603->80 (14:14:04.333 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) 218.6.19.3 (2) (14:01:15.444 PDT) event=1:3810007 (2) {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:EC:40 3124->43585 (14:01:15.444 PDT) 3124->42669 (14:14:11.929 PDT) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 134.34.246.5 (13:57:19.481 PDT) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 2122->2122 (13:57:19.481 PDT) 132.239.17.226 (14:07:19.369 PDT) event=1:9910006 {udp} E8[rb] BotHunter REPO 
confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 23127->23127 (14:07:19.369 PDT) 206.207.248.34 (14:06:52.956 PDT) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 58993->2126 (14:06:52.956 PDT) tcpslice 1308603439.481 1308603439.482 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 1.3 (>= 0.8) Infected Target: 192.168.1.102 Infector List: Egg Source List: 212.227.97.179 C & C List: Peer Coord. List: Resource List: Observed Start: 06/20/2011 14:16:37.266 PDT Gen. Time: 06/20/2011 14:17:21.413 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD 212.227.97.179 (2) (14:16:37.266 PDT) event=1:2003179 (2) {tcp} E3[rb] ET POLICY exe download without User Agent, [/coblitz/wow/patches/3.3.0/WoW-3.2.0.10192-to-3.3.0.10958-ruRU-patch.exe] MAC_Src: 00:21:5A:08:EC:40 51311->80 (14:16:37.266 PDT) 51439->80 (14:17:17.524 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 206.207.248.34 (14:17:21.413 PDT) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 23127->23127 (14:17:21.413 PDT) tcpslice 1308604597.266 1308604597.267 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 1.3 (>= 0.8) Infected Target: 192.168.1.102 Infector List: Egg Source List: 212.227.97.179 C & C List: Peer Coord. List: Resource List: Observed Start: 06/20/2011 14:16:37.266 PDT Gen. 
Time: 06/20/2011 14:21:29.242 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD 212.227.97.179 (2) (14:16:37.266 PDT) event=1:2003179 (2) {tcp} E3[rb] ET POLICY exe download without User Agent, [/coblitz/wow/patches/3.3.0/WoW-3.2.0.10192-to-3.3.0.10958-ruRU-patch.exe] MAC_Src: 00:21:5A:08:EC:40 51311->80 (14:16:37.266 PDT) 51439->80 (14:17:17.524 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 206.207.248.34 (2) (14:17:21.413 PDT) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 41498->2126 (14:17:21.686 PDT) ------------------------- event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 23127->23127 (14:17:21.413 PDT) tcpslice 1308604597.266 1308604597.267 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 1.2 (>= 0.8) Infected Target: 192.168.1.102 Infector List: Egg Source List: C & C List: 218.6.19.3 Peer Coord. List: Resource List: Observed Start: 06/20/2011 14:25:46.251 PDT Gen. 
Time: 06/20/2011 14:27:35.680 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) 218.6.19.3 (14:25:46.251 PDT) event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:EC:40 3124->54166 (14:25:46.251 PDT) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 132.239.17.226 (14:27:35.680 PDT) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 2122->2122 (14:27:35.680 PDT) tcpslice 1308605146.251 1308605146.252 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 1.2 (>= 0.8) Infected Target: 192.168.1.102 Infector List: Egg Source List: C & C List: 218.6.19.3 Peer Coord. List: Resource List: Observed Start: 06/20/2011 14:25:46.251 PDT Gen. Time: 06/20/2011 14:29:59.745 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) 218.6.19.3 (14:25:46.251 PDT) event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:EC:40 3124->54166 (14:25:46.251 PDT) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 132.239.17.226 (2) (14:27:35.680 PDT) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 34451->2128 (14:28:52.850 PDT) ------------------------- event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 2122->2122 (14:27:35.680 PDT) tcpslice 1308605146.251 1308605146.252 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.9 (>= 0.8) Infected Target: 192.168.1.102 Infector List: Egg Source List: 
212.227.97.179 C & C List: 218.6.19.3 Peer Coord. List: Resource List: Observed Start: 06/20/2011 14:36:33.376 PDT Gen. Time: 06/20/2011 14:37:14.461 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD 212.227.97.179 (14:36:33.376 PDT) event=1:2003179 {tcp} E3[rb] ET POLICY exe download without User Agent, [/coblitz/wow/patches/3.2.0/WoW-3.2.0-enUS-patch.exe] MAC_Src: 00:21:5A:08:EC:40 53613->80 (14:36:33.376 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) 218.6.19.3 (14:37:14.461 PDT) event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:EC:40 3124->45976 (14:37:14.461 PDT) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT tcpslice 1308605793.376 1308605793.377 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 1.7 (>= 0.8) Infected Target: 192.168.1.102 Infector List: Egg Source List: 212.227.97.179 C & C List: 218.6.19.3 Peer Coord. List: Resource List: Observed Start: 06/20/2011 14:36:33.376 PDT Gen. 
Time: 06/20/2011 14:45:25.311 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD 212.227.97.179 (4) (14:36:33.376 PDT) event=1:2003179 (4) {tcp} E3[rb] ET POLICY exe download without User Agent, [/coblitz/wow/patches/3.2.0/WoW-3.2.0-enUS-patch.exe] MAC_Src: 00:21:5A:08:EC:40 53613->80 (14:36:33.376 PDT) 46089->80 (14:38:58.684 PDT) 46415->80 (14:40:23.095 PDT) 46669->80 (14:41:21.384 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) 218.6.19.3 (14:37:14.461 PDT) event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:EC:40 3124->45976 (14:37:14.461 PDT) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 132.239.17.226 (2) (14:37:35.426 PDT) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 46095->3125 (14:44:11.092 PDT) ------------------------- event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 2122->2122 (14:37:35.426 PDT) tcpslice 1308605793.376 1308605793.377 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 1.2 (>= 0.8) Infected Target: 192.168.1.102 Infector List: Egg Source List: C & C List: 218.6.19.3 Peer Coord. List: Resource List: Observed Start: 06/20/2011 14:47:42.342 PDT Gen. 
Time: 06/20/2011 14:47:43.676 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) 218.6.19.3 (14:47:42.342 PDT) event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:EC:40 3124->32808 (14:47:42.342 PDT) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 132.239.17.226 (14:47:43.676 PDT) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 2121->2121 (14:47:43.676 PDT) tcpslice 1308606462.342 1308606462.343 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 1.7 (>= 0.8) Infected Target: 192.168.1.102 Infector List: Egg Source List: 212.227.97.179 C & C List: 218.6.19.3 Peer Coord. List: Resource List: Observed Start: 06/20/2011 14:47:42.342 PDT Gen. Time: 06/20/2011 14:55:39.516 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD 212.227.97.179 (3) (14:48:30.988 PDT) event=1:2003179 (3) {tcp} E3[rb] ET POLICY exe download without User Agent, [/coblitz/wow/patches/3.2.0/WoW-3.2.0-enUS-patch.exe] MAC_Src: 00:21:5A:08:EC:40 57086->80 (14:48:30.988 PDT) 49823->80 (14:49:09.729 PDT) 50462->80 (14:52:00.331 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) 218.6.19.3 (14:47:42.342 PDT) event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:EC:40 3124->32808 (14:47:42.342 PDT) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 132.239.17.226 (14:47:43.676 PDT) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 2121->2121 (14:47:43.676 PDT) tcpslice 1308606462.342 1308606462.343 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== 
SEPARATOR ================================ Score: 1.3 (>= 0.8) Infected Target: 192.168.1.102 Infector List: Egg Source List: 212.227.97.179 C & C List: Peer Coord. List: Resource List: Observed Start: 06/20/2011 14:56:40.500 PDT Gen. Time: 06/20/2011 14:57:45.002 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD 212.227.97.179 (14:56:40.500 PDT) event=1:2003179 {tcp} E3[rb] ET POLICY exe download without User Agent, [/coblitz/wow/patches/3.2.0/WoW-3.2.0-esES-patch.exe] MAC_Src: 00:21:5A:08:EC:40 34998->80 (14:56:40.500 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 132.239.17.226 (14:57:45.002 PDT) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 2121->2121 (14:57:45.002 PDT) tcpslice 1308607000.500 1308607000.501 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 1.7 (>= 0.8) Infected Target: 192.168.1.102 Infector List: Egg Source List: 212.227.97.179 C & C List: 218.6.19.3 Peer Coord. List: Resource List: Observed Start: 06/20/2011 14:56:40.500 PDT Gen. 
Time: 06/20/2011 15:00:40.724 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD 212.227.97.179 (2) (14:56:40.500 PDT) event=1:2003179 (2) {tcp} E3[rb] ET POLICY exe download without User Agent, [/coblitz/wow/patches/3.2.0/WoW-3.2.0-esES-patch.exe] MAC_Src: 00:21:5A:08:EC:40 34998->80 (14:56:40.500 PDT) 35253->80 (14:57:51.453 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) 218.6.19.3 (14:58:41.500 PDT) event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:EC:40 3124->34803 (14:58:41.500 PDT) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 132.239.17.226 (14:57:45.002 PDT) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 2121->2121 (14:57:45.002 PDT) tcpslice 1308607000.500 1308607000.501 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 06/20/2011 15:02:55.232 PDT Gen. Time: 06/20/2011 15:02:55.232 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 132.239.17.226 (15:02:55.232 PDT) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 43758->2126 (15:02:55.232 PDT) tcpslice 1308607375.232 1308607375.233 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 06/20/2011 15:07:46.112 PDT Gen. 
Time: 06/20/2011 15:07:46.112 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 132.239.17.226 (15:07:46.112 PDT) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 2122->2122 (15:07:46.112 PDT) tcpslice 1308607666.112 1308607666.113 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 1.2 (>= 0.8) Infected Target: 192.168.1.102 Infector List: Egg Source List: C & C List: 218.6.19.3 Peer Coord. List: Resource List: Observed Start: 06/20/2011 15:07:46.112 PDT Gen. Time: 06/20/2011 15:11:12.720 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) 218.6.19.3 (15:10:19.576 PDT) event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:EC:40 3124->41790 (15:10:19.576 PDT) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 132.239.17.226 (15:07:46.112 PDT) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 2122->2122 (15:07:46.112 PDT) tcpslice 1308607666.112 1308607666.113 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 06/20/2011 15:13:41.747 PDT Gen. 
Time: 06/20/2011 15:13:41.747 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 206.207.248.34 (15:13:41.747 PDT) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 57319->2128 (15:13:41.747 PDT) tcpslice 1308608021.747 1308608021.748 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 06/20/2011 15:17:46.337 PDT Gen. Time: 06/20/2011 15:17:46.337 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 206.207.248.34 (15:17:46.337 PDT) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 23127->23127 (15:17:46.337 PDT) tcpslice 1308608266.337 1308608266.338 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 1.2 (>= 0.8) Infected Target: 192.168.1.102 Infector List: Egg Source List: C & C List: 218.6.19.3 Peer Coord. List: Resource List: Observed Start: 06/20/2011 15:17:46.337 PDT Gen. 
Time: 06/20/2011 15:20:46.209 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) 218.6.19.3 (15:20:46.209 PDT) event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:EC:40 3124->35660 (15:20:46.209 PDT) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 206.207.248.34 (15:17:46.337 PDT) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 23127->23127 (15:17:46.337 PDT) tcpslice 1308608266.337 1308608266.338 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 06/20/2011 15:24:26.301 PDT Gen. Time: 06/20/2011 15:24:26.301 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 206.207.248.34 (15:24:26.301 PDT) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 41514->3128 (15:24:26.301 PDT) tcpslice 1308608666.301 1308608666.302 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 06/20/2011 15:24:26.301 PDT Gen. 
Time: 06/20/2011 15:29:01.828 PDT

   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION
   DECLARE BOT
      132.239.17.226 (15:27:48.434 PDT)
        event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, []
        MAC_Src: 00:21:5A:08:EC:40
        4795->4795 (15:27:48.434 PDT)
      206.207.248.34 (15:24:26.301 PDT)
        event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, []
        MAC_Src: 00:21:5A:08:EC:40
        41514->3128 (15:24:26.301 PDT)

tcpslice 1308608666.301 1308608666.302 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.9 (>= 0.8)
Infected Target: 192.168.1.102
Infector List:
Egg Source List: 212.227.97.179
C & C List: 218.6.19.3
Peer Coord. List:
Resource List:
Observed Start: 06/20/2011 15:31:15.107 PDT
Gen. Time: 06/20/2011 15:33:50.285 PDT

   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
      212.227.97.179 (15:33:50.285 PDT)
        event=1:2003179 {tcp} E3[rb] ET POLICY exe download without User Agent, [/coblitz/wow/patches/3.2.0/WoW-3.2.0-deDE-patch.exe]
        MAC_Src: 00:21:5A:08:EC:40
        38385->80 (15:33:50.285 PDT)
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
      218.6.19.3 (15:31:15.107 PDT)
        event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, []
        MAC_Src: 00:21:5A:08:EC:40
        3124->41500 (15:31:15.107 PDT)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION
   DECLARE BOT

tcpslice 1308609075.107 1308609075.108 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 1.7 (>= 0.8)
Infected Target: 192.168.1.102
Infector List:
Egg Source List: 212.227.97.179
C & C List: 218.6.19.3
Peer Coord. List:
Resource List:
Observed Start: 06/20/2011 15:31:15.107 PDT
Gen. Time: 06/20/2011 15:36:23.042 PDT

   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
      212.227.97.179 (15:33:50.285 PDT)
        event=1:2003179 {tcp} E3[rb] ET POLICY exe download without User Agent, [/coblitz/wow/patches/3.2.0/WoW-3.2.0-deDE-patch.exe]
        MAC_Src: 00:21:5A:08:EC:40
        38385->80 (15:33:50.285 PDT)
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
      218.6.19.3 (15:31:15.107 PDT)
        event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, []
        MAC_Src: 00:21:5A:08:EC:40
        3124->41500 (15:31:15.107 PDT)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION
   DECLARE BOT
      206.207.248.34 (15:36:23.042 PDT)
        event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, []
        MAC_Src: 00:21:5A:08:EC:40
        47027->2126 (15:36:23.042 PDT)

tcpslice 1308609075.107 1308609075.108 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 1.3 (>= 0.8)
Infected Target: 192.168.1.102
Infector List:
Egg Source List: 212.227.97.179
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 06/20/2011 15:37:23.494 PDT
Gen. Time: 06/20/2011 15:38:02.559 PDT

   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
      212.227.97.179 (15:37:23.494 PDT)
        event=1:2003179 {tcp} E3[rb] ET POLICY exe download without User Agent, [/coblitz/wow/patches/3.2.0/WoW-3.2.0-deDE-patch.exe]
        MAC_Src: 00:21:5A:08:EC:40
        37465->80 (15:37:23.494 PDT)
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION
   DECLARE BOT
      206.207.248.34 (15:38:02.559 PDT)
        event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, []
        MAC_Src: 00:21:5A:08:EC:40
        2122->2122 (15:38:02.559 PDT)

tcpslice 1308609443.494 1308609443.495 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 1.7 (>= 0.8)
Infected Target: 192.168.1.102
Infector List:
Egg Source List: 212.227.97.179
C & C List: 218.6.19.3
Peer Coord. List:
Resource List:
Observed Start: 06/20/2011 15:37:23.494 PDT
Gen. Time: 06/20/2011 15:41:46.964 PDT

   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
      212.227.97.179 (2) (15:37:23.494 PDT)
        event=1:2003179 (2) {tcp} E3[rb] ET POLICY exe download without User Agent, [/coblitz/wow/patches/3.2.0/WoW-3.2.0-deDE-patch.exe]
        MAC_Src: 00:21:5A:08:EC:40
        37465->80 (15:37:23.494 PDT)
        37758->80 (15:38:30.088 PDT)
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
      218.6.19.3 (15:41:16.174 PDT)
        event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, []
        MAC_Src: 00:21:5A:08:EC:40
        3124->44153 (15:41:16.174 PDT)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION
   DECLARE BOT
      206.207.248.34 (15:38:02.559 PDT)
        event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, []
        MAC_Src: 00:21:5A:08:EC:40
        2122->2122 (15:38:02.559 PDT)

tcpslice 1308609443.494 1308609443.495 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 06/20/2011 15:47:20.388 PDT
Gen. Time: 06/20/2011 15:47:20.388 PDT

   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION
   DECLARE BOT
      132.239.17.226 (15:47:20.388 PDT)
        event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, []
        MAC_Src: 00:21:5A:08:EC:40
        54008->2128 (15:47:20.388 PDT)

tcpslice 1308610040.388 1308610040.389 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 1.2 (>= 0.8)
Infected Target: 192.168.1.102
Infector List:
Egg Source List:
C & C List: 218.6.19.3
Peer Coord. List:
Resource List:
Observed Start: 06/20/2011 15:47:20.388 PDT
Gen. Time: 06/20/2011 15:52:07.145 PDT

   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
      218.6.19.3 (15:51:18.173 PDT)
        event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, []
        MAC_Src: 00:21:5A:08:EC:40
        3124->53576 (15:51:18.173 PDT)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION
   DECLARE BOT
      134.34.246.5 (15:48:12.403 PDT)
        event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, []
        MAC_Src: 00:21:5A:08:EC:40
        4121->4121 (15:48:12.403 PDT)
      132.239.17.226 (15:47:20.388 PDT)
        event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, []
        MAC_Src: 00:21:5A:08:EC:40
        54008->2128 (15:47:20.388 PDT)

tcpslice 1308610040.388 1308610040.389 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 06/20/2011 15:57:36.231 PDT
Gen. Time: 06/20/2011 15:57:36.231 PDT

   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION
   DECLARE BOT
      206.207.248.34 (15:57:36.231 PDT)
        event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, []
        MAC_Src: 00:21:5A:08:EC:40
        44360->3128 (15:57:36.231 PDT)

tcpslice 1308610656.231 1308610656.232 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 06/20/2011 15:57:36.231 PDT
Gen. Time: 06/20/2011 16:01:08.630 PDT

   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION
   DECLARE BOT
      132.239.17.226 (15:58:16.999 PDT)
        event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, []
        MAC_Src: 00:21:5A:08:EC:40
        2122->2122 (15:58:16.999 PDT)
      206.207.248.34 (15:57:36.231 PDT)
        event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, []
        MAC_Src: 00:21:5A:08:EC:40
        44360->3128 (15:57:36.231 PDT)

tcpslice 1308610656.231 1308610656.232 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 1.3 (>= 0.8)
Infected Target: 192.168.1.102
Infector List:
Egg Source List: 212.227.97.179
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 06/20/2011 16:07:20.412 PDT
Gen. Time: 06/20/2011 16:07:44.932 PDT

   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
      212.227.97.179 (2) (16:07:20.412 PDT)
        event=1:2003179 (2) {tcp} E3[rb] ET POLICY exe download without User Agent, [/coblitz/wow/patches/3.2.0/WoW-3.2.0-esMX-patch.exe]
        MAC_Src: 00:21:5A:08:EC:40
        57059->80 (16:07:20.412 PDT)
        57078->80 (16:07:22.389 PDT)
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION
   DECLARE BOT
      132.239.17.226 (16:07:44.932 PDT)
        event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, []
        MAC_Src: 00:21:5A:08:EC:40
        50627->2128 (16:07:44.932 PDT)

tcpslice 1308611240.412 1308611240.413 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 1.3 (>= 0.8)
Infected Target: 192.168.1.102
Infector List:
Egg Source List: 212.227.97.179
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 06/20/2011 16:07:20.412 PDT
Gen. Time: 06/20/2011 16:11:18.964 PDT

   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
      212.227.97.179 (2) (16:07:20.412 PDT)
        event=1:2003179 (2) {tcp} E3[rb] ET POLICY exe download without User Agent, [/coblitz/wow/patches/3.2.0/WoW-3.2.0-esMX-patch.exe]
        MAC_Src: 00:21:5A:08:EC:40
        57059->80 (16:07:20.412 PDT)
        57078->80 (16:07:22.389 PDT)
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION
   DECLARE BOT
      132.239.17.226 (2) (16:07:44.932 PDT)
        event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, []
        MAC_Src: 00:21:5A:08:EC:40
        50627->2128 (16:07:44.932 PDT)
        -------------------------
        event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, []
        MAC_Src: 00:21:5A:08:EC:40
        2122->2122 (16:08:16.723 PDT)

tcpslice 1308611240.412 1308611240.413 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 06/20/2011 16:18:21.490 PDT
Gen. Time: 06/20/2011 16:18:21.490 PDT

   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION
   DECLARE BOT
      132.239.17.226 (16:18:21.490 PDT)
        event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, []
        MAC_Src: 00:21:5A:08:EC:40
        2122->2122 (16:18:21.490 PDT)

tcpslice 1308611901.490 1308611901.491 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.9 (>= 0.8)
Infected Target: 192.168.1.102
Infector List:
Egg Source List: 212.227.97.179
C & C List: 218.6.19.3
Peer Coord. List:
Resource List:
Observed Start: 06/20/2011 16:24:53.047 PDT
Gen. Time: 06/20/2011 16:25:55.136 PDT

   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
      212.227.97.179 (16:25:55.136 PDT)
        event=1:2003179 {tcp} E3[rb] ET POLICY exe download without User Agent, [/coblitz/wow/patches/3.2.0/WoW-3.2.0-enGB-patch.exe]
        MAC_Src: 00:21:5A:08:EC:40
        36694->80 (16:25:55.136 PDT)
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
      218.6.19.3 (16:24:53.047 PDT)
        event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, []
        MAC_Src: 00:21:5A:08:EC:40
        3124->43270 (16:24:53.047 PDT)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION
   DECLARE BOT

tcpslice 1308612293.047 1308612293.048 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 1.7 (>= 0.8)
Infected Target: 192.168.1.102
Infector List:
Egg Source List: 212.227.97.179
C & C List: 218.6.19.3
Peer Coord. List:
Resource List:
Observed Start: 06/20/2011 16:24:53.047 PDT
Gen. Time: 06/20/2011 16:29:42.428 PDT

   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
      212.227.97.179 (16:25:55.136 PDT)
        event=1:2003179 {tcp} E3[rb] ET POLICY exe download without User Agent, [/coblitz/wow/patches/3.2.0/WoW-3.2.0-enGB-patch.exe]
        MAC_Src: 00:21:5A:08:EC:40
        36694->80 (16:25:55.136 PDT)
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
      218.6.19.3 (16:24:53.047 PDT)
        event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, []
        MAC_Src: 00:21:5A:08:EC:40
        3124->43270 (16:24:53.047 PDT)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION
   DECLARE BOT
      132.239.17.226 (16:29:05.701 PDT)
        event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, []
        MAC_Src: 00:21:5A:08:EC:40
        42273->2128 (16:29:05.701 PDT)
      206.207.248.34 (16:28:31.006 PDT)
        event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, []
        MAC_Src: 00:21:5A:08:EC:40
        2122->2122 (16:28:31.006 PDT)

tcpslice 1308612293.047 1308612293.048 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 06/20/2011 16:38:31.006 PDT
Gen. Time: 06/20/2011 16:38:31.006 PDT

   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION
   DECLARE BOT
      206.207.248.34 (16:38:31.006 PDT)
        event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, []
        MAC_Src: 00:21:5A:08:EC:40
        23127->23127 (16:38:31.006 PDT)

tcpslice 1308613111.006 1308613111.007 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 1.7 (>= 0.8)
Infected Target: 192.168.1.102
Infector List:
Egg Source List: 212.227.97.179
C & C List: 218.6.19.3
Peer Coord. List:
Resource List:
Observed Start: 06/20/2011 16:38:31.006 PDT
Gen. Time: 06/20/2011 16:46:41.713 PDT

   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
      212.227.97.179 (2) (16:39:15.764 PDT)
        event=1:2003179 (2) {tcp} E3[rb] ET POLICY exe download without User Agent, [/coblitz/wow/patches/3.3.0/WoW-3.2.0.10192-to-3.3.0.10958-esES-patch.exe]
        MAC_Src: 00:21:5A:08:EC:40
        39519->80 (16:39:15.764 PDT)
        40282->80 (16:43:13.148 PDT)
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
      218.6.19.3 (16:45:38.816 PDT)
        event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, []
        MAC_Src: 00:21:5A:08:EC:40
        3124->51130 (16:45:38.816 PDT)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION
   DECLARE BOT
      132.239.17.226 (16:43:57.259 PDT)
        event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, []
        MAC_Src: 00:21:5A:08:EC:40
        51283->3125 (16:43:57.259 PDT)
      206.207.248.34 (16:38:31.006 PDT)
        event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, []
        MAC_Src: 00:21:5A:08:EC:40
        23127->23127 (16:38:31.006 PDT)

tcpslice 1308613111.006 1308613111.007 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 06/20/2011 16:48:31.907 PDT
Gen. Time: 06/20/2011 16:48:31.907 PDT

   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION
   DECLARE BOT
      132.239.17.226 (16:48:31.907 PDT)
        event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, []
        MAC_Src: 00:21:5A:08:EC:40
        4795->4795 (16:48:31.907 PDT)

tcpslice 1308613711.907 1308613711.908 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 06/20/2011 16:55:53.474 PDT
Gen. Time: 06/20/2011 16:55:53.474 PDT

   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION
   DECLARE BOT
      206.207.248.34 (16:55:53.474 PDT)
        event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, []
        MAC_Src: 00:21:5A:08:EC:40
        51706->2126 (16:55:53.474 PDT)

tcpslice 1308614153.474 1308614153.475 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 1.2 (>= 0.8)
Infected Target: 192.168.1.102
Infector List:
Egg Source List:
C & C List: 218.6.19.3
Peer Coord. List:
Resource List:
Observed Start: 06/20/2011 16:55:53.474 PDT
Gen. Time: 06/20/2011 16:59:42.056 PDT

   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
      218.6.19.3 (16:56:01.919 PDT)
        event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, []
        MAC_Src: 00:21:5A:08:EC:40
        3124->44654 (16:56:01.919 PDT)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION
   DECLARE BOT
      134.34.246.5 (16:58:31.769 PDT)
        event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, []
        MAC_Src: 00:21:5A:08:EC:40
        2121->2121 (16:58:31.769 PDT)
      206.207.248.34 (16:55:53.474 PDT)
        event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, []
        MAC_Src: 00:21:5A:08:EC:40
        51706->2126 (16:55:53.474 PDT)

tcpslice 1308614153.474 1308614153.475 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 06/20/2011 17:08:48.183 PDT
Gen. Time: 06/20/2011 17:08:48.183 PDT

   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION
   DECLARE BOT
      12.46.129.16 (17:08:48.183 PDT)
        event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, []
        MAC_Src: 00:21:5A:08:EC:40
        2121->2121 (17:08:48.183 PDT)

tcpslice 1308614928.183 1308614928.184 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 06/20/2011 17:08:48.183 PDT
Gen. Time: 06/20/2011 17:12:45.309 PDT

   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION
   DECLARE BOT
      132.239.17.226 (17:10:11.946 PDT)
        event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, []
        MAC_Src: 00:21:5A:08:EC:40
        38370->2128 (17:10:11.946 PDT)
      12.46.129.16 (17:08:48.183 PDT)
        event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, []
        MAC_Src: 00:21:5A:08:EC:40
        2121->2121 (17:08:48.183 PDT)

tcpslice 1308614928.183 1308614928.184 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 1.2 (>= 0.8)
Infected Target: 192.168.1.102
Infector List:
Egg Source List:
C & C List: 218.6.19.3
Peer Coord. List:
Resource List:
Observed Start: 06/20/2011 17:14:43.532 PDT
Gen. Time: 06/20/2011 17:19:04.974 PDT

   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
      218.6.19.3 (17:14:43.532 PDT)
        event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, []
        MAC_Src: 00:21:5A:08:EC:40
        3124->41938 (17:14:43.532 PDT)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION
   DECLARE BOT
      134.34.246.5 (17:19:04.974 PDT)
        event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, []
        MAC_Src: 00:21:5A:08:EC:40
        4795->4795 (17:19:04.974 PDT)

tcpslice 1308615283.532 1308615283.533 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 1.2 (>= 0.8)
Infected Target: 192.168.1.102
Infector List:
Egg Source List:
C & C List: 218.6.19.3
Peer Coord. List:
Resource List:
Observed Start: 06/20/2011 17:27:04.823 PDT
Gen. Time: 06/20/2011 17:27:59.794 PDT

   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
      218.6.19.3 (17:27:04.823 PDT)
        event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, []
        MAC_Src: 00:21:5A:08:EC:40
        3124->55042 (17:27:04.823 PDT)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION
   DECLARE BOT
      206.207.248.34 (17:27:59.794 PDT)
        event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, []
        MAC_Src: 00:21:5A:08:EC:40
        42592->3128 (17:27:59.794 PDT)

tcpslice 1308616024.823 1308616024.824 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 06/20/2011 17:29:06.797 PDT
Gen. Time: 06/20/2011 17:29:06.797 PDT

   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION
   DECLARE BOT
      206.207.248.34 (17:29:06.797 PDT)
        event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, []
        MAC_Src: 00:21:5A:08:EC:40
        23127->23127 (17:29:06.797 PDT)

tcpslice 1308616146.797 1308616146.798 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 1.2 (>= 0.8)
Infected Target: 192.168.1.102
Infector List:
Egg Source List:
C & C List: 218.6.19.3
Peer Coord. List:
Resource List:
Observed Start: 06/20/2011 17:37:43.152 PDT
Gen. Time: 06/20/2011 17:38:30.405 PDT

   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
      218.6.19.3 (17:37:43.152 PDT)
        event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, []
        MAC_Src: 00:21:5A:08:EC:40
        3124->56479 (17:37:43.152 PDT)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION
   DECLARE BOT
      206.207.248.34 (17:38:30.405 PDT)
        event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, []
        MAC_Src: 00:21:5A:08:EC:40
        49934->2126 (17:38:30.405 PDT)

tcpslice 1308616663.152 1308616663.153 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 1.2 (>= 0.8)
Infected Target: 192.168.1.102
Infector List:
Egg Source List:
C & C List: 218.6.19.3
Peer Coord. List:
Resource List:
Observed Start: 06/20/2011 17:37:43.152 PDT
Gen. Time: 06/20/2011 17:41:37.494 PDT

   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
      218.6.19.3 (17:37:43.152 PDT)
        event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, []
        MAC_Src: 00:21:5A:08:EC:40
        3124->56479 (17:37:43.152 PDT)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION
   DECLARE BOT
      195.116.60.211 (17:39:08.507 PDT)
        event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, []
        MAC_Src: 00:21:5A:08:EC:40
        2122->2122 (17:39:08.507 PDT)
      206.207.248.34 (17:38:30.405 PDT)
        event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, []
        MAC_Src: 00:21:5A:08:EC:40
        49934->2126 (17:38:30.405 PDT)

tcpslice 1308616663.152 1308616663.153 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 06/20/2011 17:48:37.787 PDT
Gen. Time: 06/20/2011 17:48:37.787 PDT

   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION
   DECLARE BOT
      206.207.248.34 (17:48:37.787 PDT)
        event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, []
        MAC_Src: 00:21:5A:08:EC:40
        45397->2128 (17:48:37.787 PDT)

tcpslice 1308617317.787 1308617317.788 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 1.2 (>= 0.8)
Infected Target: 192.168.1.102
Infector List:
Egg Source List:
C & C List: 218.6.19.3
Peer Coord. List:
Resource List:
Observed Start: 06/20/2011 17:48:37.787 PDT
Gen. Time: 06/20/2011 17:52:34.967 PDT

   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
      218.6.19.3 (17:49:13.023 PDT)
        event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, []
        MAC_Src: 00:21:5A:08:EC:40
        3124->45019 (17:49:13.023 PDT)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION
   DECLARE BOT
      206.207.248.34 (2) (17:48:37.787 PDT)
        event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, []
        MAC_Src: 00:21:5A:08:EC:40
        45397->2128 (17:48:37.787 PDT)
        -------------------------
        event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, []
        MAC_Src: 00:21:5A:08:EC:40
        9026->9028 (17:49:11.731 PDT)

tcpslice 1308617317.787 1308617317.788 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 06/20/2011 17:59:18.671 PDT
Gen. Time: 06/20/2011 17:59:18.671 PDT

   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION
   DECLARE BOT
      206.207.248.34 (17:59:18.671 PDT)
        event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, []
        MAC_Src: 00:21:5A:08:EC:40
        23127->23127 (17:59:18.671 PDT)

tcpslice 1308617958.671 1308617958.672 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 1.2 (>= 0.8)
Infected Target: 192.168.1.102
Infector List:
Egg Source List:
C & C List: 218.6.19.3
Peer Coord. List:
Resource List:
Observed Start: 06/20/2011 17:59:18.671 PDT
Gen. Time: 06/20/2011 18:01:54.476 PDT

   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
      218.6.19.3 (18:00:22.026 PDT)
        event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, []
        MAC_Src: 00:21:5A:08:EC:40
        3124->41415 (18:00:22.026 PDT)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION
   DECLARE BOT
      132.239.17.226 (18:00:28.997 PDT)
        event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, []
        MAC_Src: 00:21:5A:08:EC:40
        46996->2126 (18:00:28.997 PDT)
      206.207.248.34 (17:59:18.671 PDT)
        event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, []
        MAC_Src: 00:21:5A:08:EC:40
        23127->23127 (17:59:18.671 PDT)

tcpslice 1308617958.671 1308617958.672 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 06/20/2011 18:09:43.201 PDT
Gen. Time: 06/20/2011 18:09:43.201 PDT

   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION
   DECLARE BOT
      132.239.17.226 (18:09:43.201 PDT)
        event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, []
        MAC_Src: 00:21:5A:08:EC:40
        2122->2122 (18:09:43.201 PDT)

tcpslice 1308618583.201 1308618583.202 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 1.2 (>= 0.8)
Infected Target: 192.168.1.102
Infector List:
Egg Source List:
C & C List: 218.6.19.3
Peer Coord. List:
Resource List:
Observed Start: 06/20/2011 18:09:43.201 PDT
Gen. Time: 06/20/2011 18:13:02.599 PDT

   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
      218.6.19.3 (18:10:26.150 PDT)
        event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, []
        MAC_Src: 00:21:5A:08:EC:40
        3124->40269 (18:10:26.150 PDT)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION
   DECLARE BOT
      132.239.17.226 (18:09:43.201 PDT)
        event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, []
        MAC_Src: 00:21:5A:08:EC:40
        2122->2122 (18:09:43.201 PDT)

tcpslice 1308618583.201 1308618583.202 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 06/20/2011 18:19:46.704 PDT
Gen. Time: 06/20/2011 18:19:46.704 PDT

   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION
   DECLARE BOT
      206.207.248.34 (18:19:46.704 PDT)
        event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, []
        MAC_Src: 00:21:5A:08:EC:40
        23127->23127 (18:19:46.704 PDT)

tcpslice 1308619186.704 1308619186.705 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 1.2 (>= 0.8)
Infected Target: 192.168.1.102
Infector List:
Egg Source List:
C & C List: 218.6.19.3
Peer Coord. List:
Resource List:
Observed Start: 06/20/2011 18:19:46.704 PDT
Gen. Time: 06/20/2011 18:23:30.637 PDT

   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
      218.6.19.3 (18:20:46.722 PDT)
        event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, []
        MAC_Src: 00:21:5A:08:EC:40
        3124->34874 (18:20:46.722 PDT)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION
   DECLARE BOT
      206.207.248.34 (2) (18:19:46.704 PDT)
        event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, []
        MAC_Src: 00:21:5A:08:EC:40
        58715->3128 (18:22:27.613 PDT)
        -------------------------
        event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, []
        MAC_Src: 00:21:5A:08:EC:40
        23127->23127 (18:19:46.704 PDT)

tcpslice 1308619186.704 1308619186.705 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 06/20/2011 18:29:48.033 PDT
Gen. Time: 06/20/2011 18:29:48.033 PDT

   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION
   DECLARE BOT
      206.207.248.34 (18:29:48.033 PDT)
        event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, []
        MAC_Src: 00:21:5A:08:EC:40
        2122->2122 (18:29:48.033 PDT)

tcpslice 1308619788.033 1308619788.034 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 1.2 (>= 0.8)
Infected Target: 192.168.1.102
Infector List:
Egg Source List:
C & C List: 218.6.19.3
Peer Coord. List:
Resource List:
Observed Start: 06/20/2011 18:29:48.033 PDT
Gen. Time: 06/20/2011 18:33:47.094 PDT

   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
      218.6.19.3 (18:31:14.749 PDT)
        event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, []
        MAC_Src: 00:21:5A:08:EC:40
        3124->43218 (18:31:14.749 PDT)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION
   DECLARE BOT
      206.207.248.34 (18:29:48.033 PDT)
        event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, []
        MAC_Src: 00:21:5A:08:EC:40
        2122->2122 (18:29:48.033 PDT)

tcpslice 1308619788.033 1308619788.034 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 06/20/2011 18:34:13.162 PDT
Gen. Time: 06/20/2011 18:34:13.162 PDT

   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION
   DECLARE BOT
      206.207.248.34 (18:34:13.162 PDT)
        event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, []
        MAC_Src: 00:21:5A:08:EC:40
        41587->2126 (18:34:13.162 PDT)

tcpslice 1308620053.162 1308620053.163 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 06/20/2011 18:39:54.569 PDT
Gen. Time: 06/20/2011 18:39:54.569 PDT

   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION
   DECLARE BOT
      132.239.17.226 (18:39:54.569 PDT)
        event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, []
        MAC_Src: 00:21:5A:08:EC:40
        2122->2122 (18:39:54.569 PDT)

tcpslice 1308620394.569 1308620394.570 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 1.2 (>= 0.8)
Infected Target: 192.168.1.102
Infector List:
Egg Source List:
C & C List: 218.6.19.3
Peer Coord. List:
Resource List:
Observed Start: 06/20/2011 18:39:54.569 PDT
Gen. Time: 06/20/2011 18:43:39.531 PDT

   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
      218.6.19.3 (18:41:22.551 PDT)
        event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, []
        MAC_Src: 00:21:5A:08:EC:40
        3124->43096 (18:41:22.551 PDT)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION
   DECLARE BOT
      132.239.17.226 (18:39:54.569 PDT)
        event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, []
        MAC_Src: 00:21:5A:08:EC:40
        2122->2122 (18:39:54.569 PDT)

tcpslice 1308620394.569 1308620394.570 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 06/20/2011 18:44:48.811 PDT
Gen. Time: 06/20/2011 18:44:48.811 PDT

   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION
   DECLARE BOT
      206.207.248.34 (18:44:48.811 PDT)
        event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, []
        MAC_Src: 00:21:5A:08:EC:40
        35731->2126 (18:44:48.811 PDT)

tcpslice 1308620688.811 1308620688.812 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 06/20/2011 18:50:00.982 PDT
Gen.
Time: 06/20/2011 18:50:00.982 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 12.46.129.16 (18:50:00.982 PDT) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 4121->4121 (18:50:00.982 PDT) tcpslice 1308621000.982 1308621000.983 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 1.2 (>= 0.8) Infected Target: 192.168.1.102 Infector List: Egg Source List: C & C List: 218.6.19.3 Peer Coord. List: Resource List: Observed Start: 06/20/2011 18:50:00.982 PDT Gen. Time: 06/20/2011 18:53:44.204 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) 218.6.19.3 (18:51:32.576 PDT) event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:EC:40 3124->59799 (18:51:32.576 PDT) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 12.46.129.16 (18:50:00.982 PDT) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 4121->4121 (18:50:00.982 PDT) tcpslice 1308621000.982 1308621000.983 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 06/20/2011 18:57:20.668 PDT Gen. 
Time: 06/20/2011 18:57:20.668 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 206.207.248.34 (18:57:20.668 PDT) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 46725->3128 (18:57:20.668 PDT) tcpslice 1308621440.668 1308621440.669 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 06/20/2011 18:57:20.668 PDT Gen. Time: 06/20/2011 19:00:30.591 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 206.207.248.34 (2) (18:57:20.668 PDT) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 46725->3128 (18:57:20.668 PDT) ------------------------- event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 9835->9835 (19:00:00.574 PDT) tcpslice 1308621440.668 1308621440.669 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.9 (>= 0.8) Infected Target: 192.168.1.102 Infector List: Egg Source List: 212.227.97.179 C & C List: 218.6.19.3 Peer Coord. List: Resource List: Observed Start: 06/20/2011 19:05:12.846 PDT Gen. 
Time: 06/20/2011 19:05:20.682 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD 212.227.97.179 (19:05:20.682 PDT) event=1:2003179 {tcp} E3[rb] ET POLICY exe download without User Agent, [/coblitz/wow/patches/3.2.0/WoW-3.2.0-deDE-patch.exe] MAC_Src: 00:21:5A:08:EC:40 60322->80 (19:05:20.682 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) 218.6.19.3 (19:05:12.846 PDT) event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:EC:40 3124->56282 (19:05:12.846 PDT) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT tcpslice 1308621912.846 1308621912.847 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 06/20/2011 19:10:03.380 PDT Gen. Time: 06/20/2011 19:10:03.380 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 132.239.17.226 (19:10:03.380 PDT) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 2122->2122 (19:10:03.380 PDT) tcpslice 1308622203.380 1308622203.381 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 06/20/2011 19:13:27.755 PDT Gen. 
Time: 06/20/2011 19:13:27.755 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 132.239.17.226 (19:13:27.755 PDT) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 39206->2128 (19:13:27.755 PDT) tcpslice 1308622407.755 1308622407.756 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 1.2 (>= 0.8) Infected Target: 192.168.1.102 Infector List: Egg Source List: C & C List: 218.6.19.3 Peer Coord. List: Resource List: Observed Start: 06/20/2011 19:13:27.755 PDT Gen. Time: 06/20/2011 19:15:41.512 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) 218.6.19.3 (19:15:41.512 PDT) event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:EC:40 3124->59621 (19:15:41.512 PDT) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 132.239.17.226 (19:13:27.755 PDT) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 39206->2128 (19:13:27.755 PDT) tcpslice 1308622407.755 1308622407.756 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 06/20/2011 19:20:07.658 PDT Gen. 
Time: 06/20/2011 19:20:07.658 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 195.37.16.125 (19:20:07.658 PDT) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 4795->4795 (19:20:07.658 PDT) tcpslice 1308622807.658 1308622807.659 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 06/20/2011 19:20:07.658 PDT Gen. Time: 06/20/2011 19:24:03.723 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 206.207.248.34 (19:24:03.723 PDT) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 43080->2128 (19:24:03.723 PDT) 195.37.16.125 (19:20:07.658 PDT) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 4795->4795 (19:20:07.658 PDT) tcpslice 1308622807.658 1308622807.659 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 1.2 (>= 0.8) Infected Target: 192.168.1.102 Infector List: Egg Source List: C & C List: 218.6.19.3 Peer Coord. List: Resource List: Observed Start: 06/20/2011 19:28:01.900 PDT Gen. 
Time: 06/20/2011 19:30:08.540 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) 218.6.19.3 (19:28:01.900 PDT) event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:EC:40 3124->55306 (19:28:01.900 PDT) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 132.239.17.226 (19:30:08.540 PDT) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 14503->14503 (19:30:08.540 PDT) tcpslice 1308623281.900 1308623281.901 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 1.2 (>= 0.8) Infected Target: 192.168.1.102 Infector List: Egg Source List: C & C List: 218.6.19.3 Peer Coord. List: Resource List: Observed Start: 06/20/2011 19:38:28.059 PDT Gen. Time: 06/20/2011 19:39:57.861 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) 218.6.19.3 (19:38:28.059 PDT) event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:EC:40 3124->44050 (19:38:28.059 PDT) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 206.207.248.34 (19:39:57.861 PDT) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 34347->2126 (19:39:57.861 PDT) tcpslice 1308623908.059 1308623908.060 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 1.2 (>= 0.8) Infected Target: 192.168.1.102 Infector List: Egg Source List: C & C List: 218.6.19.3 Peer Coord. List: Resource List: Observed Start: 06/20/2011 19:38:28.059 PDT Gen. 
Time: 06/20/2011 19:42:53.890 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) 218.6.19.3 (19:38:28.059 PDT) event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:EC:40 3124->44050 (19:38:28.059 PDT) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 132.239.17.226 (19:40:08.591 PDT) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 14503->14503 (19:40:08.591 PDT) 206.207.248.34 (19:39:57.861 PDT) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 34347->2126 (19:39:57.861 PDT) tcpslice 1308623908.059 1308623908.060 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.9 (>= 0.8) Infected Target: 192.168.1.102 Infector List: Egg Source List: 212.227.97.179 C & C List: 218.6.19.3 Peer Coord. List: Resource List: Observed Start: 06/20/2011 19:48:29.836 PDT Gen. 
Time: 06/20/2011 19:48:57.868 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD 212.227.97.179 (19:48:57.868 PDT) event=1:2003179 {tcp} E3[rb] ET POLICY exe download without User Agent, [/coblitz/wow/patches/3.3.2/WoW-3.3.0.11159-to-3.3.2.11403-esMX-patch.exe] MAC_Src: 00:21:5A:08:EC:40 54941->80 (19:48:57.868 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) 218.6.19.3 (19:48:29.836 PDT) event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:EC:40 3124->38809 (19:48:29.836 PDT) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT tcpslice 1308624509.836 1308624509.837 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 1.7 (>= 0.8) Infected Target: 192.168.1.102 Infector List: Egg Source List: 212.227.97.179 C & C List: 218.6.19.3 Peer Coord. List: Resource List: Observed Start: 06/20/2011 19:48:29.836 PDT Gen. 
Time: 06/20/2011 19:52:03.585 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD 212.227.97.179 (19:48:57.868 PDT) event=1:2003179 {tcp} E3[rb] ET POLICY exe download without User Agent, [/coblitz/wow/patches/3.3.2/WoW-3.3.0.11159-to-3.3.2.11403-esMX-patch.exe] MAC_Src: 00:21:5A:08:EC:40 54941->80 (19:48:57.868 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) 218.6.19.3 (19:48:29.836 PDT) event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:EC:40 3124->38809 (19:48:29.836 PDT) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 206.207.248.34 (19:50:11.295 PDT) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 2122->2122 (19:50:11.295 PDT) tcpslice 1308624509.836 1308624509.837 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 1.2 (>= 0.8) Infected Target: 192.168.1.102 Infector List: Egg Source List: C & C List: 218.6.19.3 Peer Coord. List: Resource List: Observed Start: 06/20/2011 19:58:32.382 PDT Gen. 
Time: 06/20/2011 20:00:18.741 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) 218.6.19.3 (19:58:32.382 PDT) event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:EC:40 3124->58336 (19:58:32.382 PDT) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 134.34.246.5 (20:00:18.741 PDT) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 4795->4795 (20:00:18.741 PDT) tcpslice 1308625112.382 1308625112.383 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 06/20/2011 20:04:54.524 PDT Gen. Time: 06/20/2011 20:04:54.524 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 206.207.248.34 (20:04:54.524 PDT) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 49479->3128 (20:04:54.524 PDT) tcpslice 1308625494.524 1308625494.525 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 06/20/2011 20:10:19.053 PDT Gen. 
Time: 06/20/2011 20:10:19.053 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 206.207.248.34 (20:10:19.053 PDT) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 14503->14503 (20:10:19.053 PDT) tcpslice 1308625819.053 1308625819.054 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 1.2 (>= 0.8) Infected Target: 192.168.1.102 Infector List: Egg Source List: C & C List: 218.6.19.3 Peer Coord. List: Resource List: Observed Start: 06/20/2011 20:10:19.053 PDT Gen. Time: 06/20/2011 20:14:34.056 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) 218.6.19.3 (20:10:19.789 PDT) event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:EC:40 3124->35973 (20:10:19.789 PDT) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 206.207.248.34 (20:10:19.053 PDT) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 14503->14503 (20:10:19.053 PDT) tcpslice 1308625819.053 1308625819.054 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 06/20/2011 20:20:19.393 PDT Gen. 
Time: 06/20/2011 20:20:19.393 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 206.207.248.34 (20:20:19.393 PDT) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 14503->14503 (20:20:19.393 PDT) tcpslice 1308626419.393 1308626419.394 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 1.3 (>= 0.8) Infected Target: 192.168.1.102 Infector List: Egg Source List: 212.227.97.179 C & C List: Peer Coord. List: Resource List: Observed Start: 06/20/2011 20:24:23.743 PDT Gen. Time: 06/20/2011 20:29:34.535 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD 212.227.97.179 (3) (20:24:23.743 PDT) event=1:2003179 (3) {tcp} E3[rb] ET POLICY exe download without User Agent, [/coblitz/wow/patches/3.2.0/WoW-3.2.0-deDE-patch.exe] MAC_Src: 00:21:5A:08:EC:40 55186->80 (20:24:23.743 PDT) 55512->80 (20:25:51.431 PDT) 55687->80 (20:26:35.554 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 206.207.248.34 (20:29:34.535 PDT) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 49811->3128 (20:29:34.535 PDT) tcpslice 1308626663.743 1308626663.744 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 06/20/2011 20:30:02.005 PDT Gen. 
Time: 06/20/2011 20:30:02.005 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 206.207.248.34 (20:30:02.005 PDT) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 2122->2122 (20:30:02.005 PDT) tcpslice 1308627002.005 1308627002.006 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 06/20/2011 20:30:02.005 PDT Gen. Time: 06/20/2011 20:33:14.676 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 132.239.17.226 (20:32:06.537 PDT) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 56044->2126 (20:32:06.537 PDT) 206.207.248.34 (20:30:02.005 PDT) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 2122->2122 (20:30:02.005 PDT) tcpslice 1308627002.005 1308627002.006 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 06/20/2011 20:40:02.581 PDT Gen. 
Time: 06/20/2011 20:40:02.581 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 206.207.248.34 (20:40:02.581 PDT) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 4121->4121 (20:40:02.581 PDT) tcpslice 1308627602.581 1308627602.582 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 06/20/2011 20:42:38.581 PDT Gen. Time: 06/20/2011 20:42:38.581 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 206.207.248.34 (20:42:38.581 PDT) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 34477->2128 (20:42:38.581 PDT) tcpslice 1308627758.581 1308627758.582 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 1.3 (>= 0.8) Infected Target: 192.168.1.102 Infector List: Egg Source List: 212.227.97.179 C & C List: Peer Coord. List: Resource List: Observed Start: 06/20/2011 20:47:03.307 PDT Gen. 
Time: 06/20/2011 20:50:07.050 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD 212.227.97.179 (20:47:03.307 PDT) event=1:2003179 {tcp} E3[rb] ET POLICY exe download without User Agent, [/coblitz/wow/patches/3.2.0/WoW-3.2.0-deDE-patch.exe] MAC_Src: 00:21:5A:08:EC:40 33360->80 (20:47:03.307 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 206.207.248.34 (20:50:07.050 PDT) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 4121->4121 (20:50:07.050 PDT) tcpslice 1308628023.307 1308628023.308 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 06/20/2011 20:59:07.422 PDT Gen. Time: 06/20/2011 20:59:07.422 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 132.239.17.226 (20:59:07.422 PDT) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 51296->2128 (20:59:07.422 PDT) tcpslice 1308628747.422 1308628747.423 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 06/20/2011 20:59:07.422 PDT Gen. 
Time: 06/20/2011 21:02:38.780 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 132.239.17.226 (20:59:07.422 PDT) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 51296->2128 (20:59:07.422 PDT) 206.207.248.34 (21:00:07.314 PDT) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 4121->4121 (21:00:07.314 PDT) tcpslice 1308628747.422 1308628747.423 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 06/20/2011 21:10:07.896 PDT Gen. Time: 06/20/2011 21:10:07.896 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 206.207.248.34 (21:10:07.896 PDT) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 14503->14503 (21:10:07.896 PDT) tcpslice 1308629407.896 1308629407.897 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 06/20/2011 21:16:48.665 PDT Gen. 
Time: 06/20/2011 21:16:48.665 PDT

  INBOUND SCAN
  EXPLOIT
  EXPLOIT MALWARE DNS
  EGG DOWNLOAD
  C and C TRAFFIC
  C and C TRAFFIC (RBN)
  C and C DNS CHECK-IN
  OUTBOUND SKYPE CANDIDATE
  OUTBOUND SCAN (spp)
  OUTBOUND SCAN
  ATTACK PREP
  PEER COORDINATION
  DECLARE BOT
    132.239.17.226 (21:16:48.665 PDT)
      event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40
      40234->2128 (21:16:48.665 PDT)

tcpslice 1308629808.665 1308629808.666 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 06/20/2011 21:20:09.791 PDT
Gen. Time: 06/20/2011 21:20:09.791 PDT

  INBOUND SCAN
  EXPLOIT
  EXPLOIT MALWARE DNS
  EGG DOWNLOAD
  C and C TRAFFIC
  C and C TRAFFIC (RBN)
  C and C DNS CHECK-IN
  OUTBOUND SKYPE CANDIDATE
  OUTBOUND SCAN (spp)
  OUTBOUND SCAN
  ATTACK PREP
  PEER COORDINATION
  DECLARE BOT
    206.207.248.34 (21:20:09.791 PDT)
      event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40
      2122->2122 (21:20:09.791 PDT)

tcpslice 1308630009.791 1308630009.792 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 06/20/2011 21:28:53.689 PDT
Gen. Time: 06/20/2011 21:28:53.689 PDT

  INBOUND SCAN
  EXPLOIT
  EXPLOIT MALWARE DNS
  EGG DOWNLOAD
  C and C TRAFFIC
  C and C TRAFFIC (RBN)
  C and C DNS CHECK-IN
  OUTBOUND SKYPE CANDIDATE
  OUTBOUND SCAN (spp)
  OUTBOUND SCAN
  ATTACK PREP
  PEER COORDINATION
  DECLARE BOT
    206.207.248.34 (21:28:53.689 PDT)
      event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40
      57335->2128 (21:28:53.689 PDT)

tcpslice 1308630533.689 1308630533.690 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 06/20/2011 21:28:53.689 PDT
Gen. Time: 06/20/2011 21:33:02.617 PDT

  INBOUND SCAN
  EXPLOIT
  EXPLOIT MALWARE DNS
  EGG DOWNLOAD
  C and C TRAFFIC
  C and C TRAFFIC (RBN)
  C and C DNS CHECK-IN
  OUTBOUND SKYPE CANDIDATE
  OUTBOUND SCAN (spp)
  OUTBOUND SCAN
  ATTACK PREP
  PEER COORDINATION
  DECLARE BOT
    206.207.248.34 (2) (21:28:53.689 PDT)
      event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40
      57335->2128 (21:28:53.689 PDT)
      -------------------------
      event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40
      11552->11551 (21:30:09.346 PDT)

tcpslice 1308630533.689 1308630533.690 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 06/20/2011 21:40:09.735 PDT
Gen. Time: 06/20/2011 21:40:09.735 PDT

  INBOUND SCAN
  EXPLOIT
  EXPLOIT MALWARE DNS
  EGG DOWNLOAD
  C and C TRAFFIC
  C and C TRAFFIC (RBN)
  C and C DNS CHECK-IN
  OUTBOUND SKYPE CANDIDATE
  OUTBOUND SCAN (spp)
  OUTBOUND SCAN
  ATTACK PREP
  PEER COORDINATION
  DECLARE BOT
    206.207.248.34 (21:40:09.735 PDT)
      event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40
      14503->14503 (21:40:09.735 PDT)

tcpslice 1308631209.735 1308631209.736 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 06/20/2011 21:40:09.735 PDT
Gen. Time: 06/20/2011 21:43:44.653 PDT

  INBOUND SCAN
  EXPLOIT
  EXPLOIT MALWARE DNS
  EGG DOWNLOAD
  C and C TRAFFIC
  C and C TRAFFIC (RBN)
  C and C DNS CHECK-IN
  OUTBOUND SKYPE CANDIDATE
  OUTBOUND SCAN (spp)
  OUTBOUND SCAN
  ATTACK PREP
  PEER COORDINATION
  DECLARE BOT
    98.124.199.1 (21:40:34.122 PDT)
      event=1:9910025 {tcp} E8[rb] CLEAN-MX Webserver hosting Malicious URL, [] MAC_Src: 00:21:5A:08:EC:40
      3124->64330 (21:40:34.122 PDT)
    206.207.248.34 (21:40:09.735 PDT)
      event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40
      14503->14503 (21:40:09.735 PDT)

tcpslice 1308631209.735 1308631209.736 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 06/20/2011 21:44:18.557 PDT
Gen. Time: 06/20/2011 21:44:18.557 PDT

  INBOUND SCAN
  EXPLOIT
  EXPLOIT MALWARE DNS
  EGG DOWNLOAD
  C and C TRAFFIC
  C and C TRAFFIC (RBN)
  C and C DNS CHECK-IN
  OUTBOUND SKYPE CANDIDATE
  OUTBOUND SCAN (spp)
  OUTBOUND SCAN
  ATTACK PREP
  PEER COORDINATION
  DECLARE BOT
    132.239.17.226 (21:44:18.557 PDT)
      event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40
      60121->3125 (21:44:18.557 PDT)

tcpslice 1308631458.557 1308631458.558 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 06/20/2011 21:50:10.189 PDT
Gen. Time: 06/20/2011 21:50:10.189 PDT

  INBOUND SCAN
  EXPLOIT
  EXPLOIT MALWARE DNS
  EGG DOWNLOAD
  C and C TRAFFIC
  C and C TRAFFIC (RBN)
  C and C DNS CHECK-IN
  OUTBOUND SKYPE CANDIDATE
  OUTBOUND SCAN (spp)
  OUTBOUND SCAN
  ATTACK PREP
  PEER COORDINATION
  DECLARE BOT
    206.207.248.34 (21:50:10.189 PDT)
      event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40
      4121->4121 (21:50:10.189 PDT)

tcpslice 1308631810.189 1308631810.190 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 06/20/2011 21:50:10.189 PDT
Gen. Time: 06/20/2011 21:54:50.356 PDT

  INBOUND SCAN
  EXPLOIT
  EXPLOIT MALWARE DNS
  EGG DOWNLOAD
  C and C TRAFFIC
  C and C TRAFFIC (RBN)
  C and C DNS CHECK-IN
  OUTBOUND SKYPE CANDIDATE
  OUTBOUND SCAN (spp)
  OUTBOUND SCAN
  ATTACK PREP
  PEER COORDINATION
  DECLARE BOT
    98.124.199.1 (21:51:49.263 PDT)
      event=1:9910025 {tcp} E8[rb] CLEAN-MX Webserver hosting Malicious URL, [] MAC_Src: 00:21:5A:08:EC:40
      3124->52870 (21:51:49.263 PDT)
    206.207.248.34 (2) (21:50:10.189 PDT)
      event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40
      51346->2128 (21:54:50.356 PDT)
      -------------------------
      event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40
      4121->4121 (21:50:10.189 PDT)

tcpslice 1308631810.189 1308631810.190 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 06/20/2011 22:00:17.570 PDT
Gen. Time: 06/20/2011 22:00:17.570 PDT

  INBOUND SCAN
  EXPLOIT
  EXPLOIT MALWARE DNS
  EGG DOWNLOAD
  C and C TRAFFIC
  C and C TRAFFIC (RBN)
  C and C DNS CHECK-IN
  OUTBOUND SKYPE CANDIDATE
  OUTBOUND SCAN (spp)
  OUTBOUND SCAN
  ATTACK PREP
  PEER COORDINATION
  DECLARE BOT
    206.207.248.34 (22:00:17.570 PDT)
      event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40
      14503->14503 (22:00:17.570 PDT)

tcpslice 1308632417.570 1308632417.571 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 06/20/2011 22:09:48.507 PDT
Gen. Time: 06/20/2011 22:09:48.507 PDT

  INBOUND SCAN
  EXPLOIT
  EXPLOIT MALWARE DNS
  EGG DOWNLOAD
  C and C TRAFFIC
  C and C TRAFFIC (RBN)
  C and C DNS CHECK-IN
  OUTBOUND SKYPE CANDIDATE
  OUTBOUND SCAN (spp)
  OUTBOUND SCAN
  ATTACK PREP
  PEER COORDINATION
  DECLARE BOT
    132.239.17.226 (22:09:48.507 PDT)
      event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40
      45732->2128 (22:09:48.507 PDT)

tcpslice 1308632988.507 1308632988.508 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 06/20/2011 22:09:48.507 PDT
Gen. Time: 06/20/2011 22:10:20.064 PDT

  INBOUND SCAN
  EXPLOIT
  EXPLOIT MALWARE DNS
  EGG DOWNLOAD
  C and C TRAFFIC
  C and C TRAFFIC (RBN)
  C and C DNS CHECK-IN
  OUTBOUND SKYPE CANDIDATE
  OUTBOUND SCAN (spp)
  OUTBOUND SCAN
  ATTACK PREP
  PEER COORDINATION
  DECLARE BOT
    132.239.17.226 (22:09:48.507 PDT)
      event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40
      45732->2128 (22:09:48.507 PDT)
    195.37.16.125 (22:10:20.064 PDT)
      event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40
      4121->4121 (22:10:20.064 PDT)

tcpslice 1308632988.507 1308632988.508 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 06/20/2011 22:12:26.564 PDT
Gen. Time: 06/20/2011 22:12:26.564 PDT

  INBOUND SCAN
  EXPLOIT
  EXPLOIT MALWARE DNS
  EGG DOWNLOAD
  C and C TRAFFIC
  C and C TRAFFIC (RBN)
  C and C DNS CHECK-IN
  OUTBOUND SKYPE CANDIDATE
  OUTBOUND SCAN (spp)
  OUTBOUND SCAN
  ATTACK PREP
  PEER COORDINATION
  DECLARE BOT
    98.124.198.1 (22:12:26.564 PDT)
      event=1:9910025 {tcp} E8[rb] CLEAN-MX Webserver hosting Malicious URL, [] MAC_Src: 00:21:5A:08:EC:40
      3124->59368 (22:12:26.564 PDT)

tcpslice 1308633146.564 1308633146.565 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 1.3 (>= 0.8)
Infected Target: 192.168.1.102
Infector List:
Egg Source List: 212.227.97.179
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 06/20/2011 22:17:18.119 PDT
Gen. Time: 06/20/2011 22:20:21.728 PDT

  INBOUND SCAN
  EXPLOIT
  EXPLOIT MALWARE DNS
  EGG DOWNLOAD
    212.227.97.179 (22:17:18.119 PDT)
      event=1:2003179 {tcp} E3[rb] ET POLICY exe download without User Agent, [/coblitz/wow/patches/3.2.0/WoW-3.2.0-enUS-patch.exe] MAC_Src: 00:21:5A:08:EC:40
      40236->80 (22:17:18.119 PDT)
  C and C TRAFFIC
  C and C TRAFFIC (RBN)
  C and C DNS CHECK-IN
  OUTBOUND SKYPE CANDIDATE
  OUTBOUND SCAN (spp)
  OUTBOUND SCAN
  ATTACK PREP
  PEER COORDINATION
  DECLARE BOT
    206.207.248.34 (22:20:21.728 PDT)
      event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40
      2122->2122 (22:20:21.728 PDT)

tcpslice 1308633438.119 1308633438.120 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 1.3 (>= 0.8)
Infected Target: 192.168.1.102
Infector List:
Egg Source List: 212.227.97.179
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 06/20/2011 22:21:35.818 PDT
Gen. Time: 06/20/2011 22:21:52.951 PDT

  INBOUND SCAN
  EXPLOIT
  EXPLOIT MALWARE DNS
  EGG DOWNLOAD
    212.227.97.179 (22:21:35.818 PDT)
      event=1:2003179 {tcp} E3[rb] ET POLICY exe download without User Agent, [/coblitz/wow/patches/3.2.0/WoW-3.2.0-esES-patch.exe] MAC_Src: 00:21:5A:08:EC:40
      48353->80 (22:21:35.818 PDT)
  C and C TRAFFIC
  C and C TRAFFIC (RBN)
  C and C DNS CHECK-IN
  OUTBOUND SKYPE CANDIDATE
  OUTBOUND SCAN (spp)
  OUTBOUND SCAN
  ATTACK PREP
  PEER COORDINATION
  DECLARE BOT
    206.207.248.34 (22:21:52.951 PDT)
      event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40
      55634->2126 (22:21:52.951 PDT)

tcpslice 1308633695.818 1308633695.819 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 06/20/2011 22:30:23.899 PDT
Gen. Time: 06/20/2011 22:30:23.899 PDT

  INBOUND SCAN
  EXPLOIT
  EXPLOIT MALWARE DNS
  EGG DOWNLOAD
  C and C TRAFFIC
  C and C TRAFFIC (RBN)
  C and C DNS CHECK-IN
  OUTBOUND SKYPE CANDIDATE
  OUTBOUND SCAN (spp)
  OUTBOUND SCAN
  ATTACK PREP
  PEER COORDINATION
  DECLARE BOT
    206.207.248.34 (22:30:23.899 PDT)
      event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40
      4121->4121 (22:30:23.899 PDT)

tcpslice 1308634223.899 1308634223.900 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 1.3 (>= 0.8)
Infected Target: 192.168.1.102
Infector List:
Egg Source List: 212.227.97.179
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 06/20/2011 22:30:23.899 PDT
Gen. Time: 06/20/2011 22:33:58.174 PDT

  INBOUND SCAN
  EXPLOIT
  EXPLOIT MALWARE DNS
  EGG DOWNLOAD
    212.227.97.179 (22:31:38.920 PDT)
      event=1:2003179 {tcp} E3[rb] ET POLICY exe download without User Agent, [/coblitz/wow/patches/3.2.0/WoW-3.2.0-esES-patch.exe] MAC_Src: 00:21:5A:08:EC:40
      35110->80 (22:31:38.920 PDT)
  C and C TRAFFIC
  C and C TRAFFIC (RBN)
  C and C DNS CHECK-IN
  OUTBOUND SKYPE CANDIDATE
  OUTBOUND SCAN (spp)
  OUTBOUND SCAN
  ATTACK PREP
  PEER COORDINATION
  DECLARE BOT
    206.207.248.34 (2) (22:30:23.899 PDT)
      event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40
      49288->3128 (22:32:07.819 PDT)
      -------------------------
      event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40
      4121->4121 (22:30:23.899 PDT)

tcpslice 1308634223.899 1308634223.900 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 06/20/2011 22:34:26.999 PDT
Gen. Time: 06/20/2011 22:34:26.999 PDT

  INBOUND SCAN
  EXPLOIT
  EXPLOIT MALWARE DNS
  EGG DOWNLOAD
  C and C TRAFFIC
  C and C TRAFFIC (RBN)
  C and C DNS CHECK-IN
  OUTBOUND SKYPE CANDIDATE
  OUTBOUND SCAN (spp)
  OUTBOUND SCAN
  ATTACK PREP
  PEER COORDINATION
  DECLARE BOT
    98.124.198.1 (22:34:26.999 PDT)
      event=1:9910025 {tcp} E8[rb] CLEAN-MX Webserver hosting Malicious URL, [] MAC_Src: 00:21:5A:08:EC:40
      3124->52591 (22:34:26.999 PDT)

tcpslice 1308634466.999 1308634467.000 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 06/20/2011 22:40:23.044 PDT
Gen. Time: 06/20/2011 22:40:23.044 PDT

  INBOUND SCAN
  EXPLOIT
  EXPLOIT MALWARE DNS
  EGG DOWNLOAD
  C and C TRAFFIC
  C and C TRAFFIC (RBN)
  C and C DNS CHECK-IN
  OUTBOUND SKYPE CANDIDATE
  OUTBOUND SCAN (spp)
  OUTBOUND SCAN
  ATTACK PREP
  PEER COORDINATION
  DECLARE BOT
    132.239.17.226 (22:40:23.044 PDT)
      event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40
      12360->12361 (22:40:23.044 PDT)

tcpslice 1308634823.044 1308634823.045 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 06/20/2011 22:43:58.307 PDT
Gen. Time: 06/20/2011 22:43:58.307 PDT

  INBOUND SCAN
  EXPLOIT
  EXPLOIT MALWARE DNS
  EGG DOWNLOAD
  C and C TRAFFIC
  C and C TRAFFIC (RBN)
  C and C DNS CHECK-IN
  OUTBOUND SKYPE CANDIDATE
  OUTBOUND SCAN (spp)
  OUTBOUND SCAN
  ATTACK PREP
  PEER COORDINATION
  DECLARE BOT
    132.239.17.226 (22:43:58.307 PDT)
      event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40
      54300->3125 (22:43:58.307 PDT)

tcpslice 1308635038.307 1308635038.308 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 1.3 (>= 0.8)
Infected Target: 192.168.1.102
Infector List:
Egg Source List: 212.227.97.179
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 06/20/2011 22:48:45.038 PDT
Gen. Time: 06/20/2011 22:50:23.622 PDT

  INBOUND SCAN
  EXPLOIT
  EXPLOIT MALWARE DNS
  EGG DOWNLOAD
    212.227.97.179 (22:48:45.038 PDT)
      event=1:2003179 {tcp} E3[rb] ET POLICY exe download without User Agent, [/coblitz/wow/patches/3.2.0/WoW-3.2.0-esES-patch.exe] MAC_Src: 00:21:5A:08:EC:40
      41288->80 (22:48:45.038 PDT)
  C and C TRAFFIC
  C and C TRAFFIC (RBN)
  C and C DNS CHECK-IN
  OUTBOUND SKYPE CANDIDATE
  OUTBOUND SCAN (spp)
  OUTBOUND SCAN
  ATTACK PREP
  PEER COORDINATION
  DECLARE BOT
    143.89.49.74 (22:50:23.622 PDT)
      event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40
      4121->4121 (22:50:23.622 PDT)

tcpslice 1308635325.038 1308635325.039 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================
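The records above are BotHunter infection profiles for 192.168.1.102, one per SEPARATOR block. Two things worth noticing when you work them: the same controller address recurs under DECLARE BOT across many profiles (206.207.248.34, 132.239.17.226), and every tcpslice line carves only the first millisecond after Observed Start, so for a profile whose Gen. Time is later (the "(2)" event groups and the egg-download profiles) the carve misses the later events. The parser below is an added example, not BotHunter's own code: it reads these records in either the flattened or the line-broken form, pulls the phase, host, signature id, protocol, ports and timestamp out of every event, recomputes the epoch values from the PDT stamps, and rebuilds the tcpslice command so that it spans Observed Start through Gen. Time. The sample input is two records copied from this page; the function names and the full-window rule are ours.

```python
"""Parser for the BotHunter infection-profile records printed on this page.

Added example, not BotHunter's own code: the profile layout, phase names and
field labels are BotHunter's; the function names and the carve-window rule are
ours.  SAMPLE holds two records copied from the page's output, flattened."""
import re
from datetime import datetime, timedelta, timezone

# BotHunter stamps records in local time (PDT, UTC-7); tcpslice takes UTC epochs.
PDT = timezone(timedelta(hours=-7))
TS_FMT = "%m/%d/%Y %H:%M:%S.%f"

SAMPLE = (
    "Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: Egg Source List: C & C List: "
    "Peer Coord. List: Resource List: Observed Start: 06/20/2011 21:20:09.791 PDT Gen. Time: 06/20/2011 "
    "21:20:09.791 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C "
    "TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN "
    "ATTACK PREP PEER COORDINATION DECLARE BOT 206.207.248.34 (21:20:09.791 PDT) event=1:9910006 {udp} "
    "E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 2122->2122 "
    "(21:20:09.791 PDT) tcpslice 1308630009.791 1308630009.792 inputFile.tcpd | tcpdump -r - -w "
    "outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ "
    "Score: 1.3 (>= 0.8) Infected Target: 192.168.1.102 Infector List: Egg Source List: 212.227.97.179 "
    "C & C List: Peer Coord. List: Resource List: Observed Start: 06/20/2011 22:48:45.038 PDT Gen. Time: "
    "06/20/2011 22:50:23.622 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD 212.227.97.179 "
    "(22:48:45.038 PDT) event=1:2003179 {tcp} E3[rb] ET POLICY exe download without User Agent, "
    "[/coblitz/wow/patches/3.2.0/WoW-3.2.0-esES-patch.exe] MAC_Src: 00:21:5A:08:EC:40 41288->80 "
    "(22:48:45.038 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE "
    "CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 143.89.49.74 "
    "(22:50:23.622 PDT) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] "
    "MAC_Src: 00:21:5A:08:EC:40 4121->4121 (22:50:23.622 PDT) tcpslice 1308635325.038 1308635325.039 "
    "inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' "
    "============================== SEPARATOR ================================"
)

PHASES = ["INBOUND SCAN", "EXPLOIT", "EXPLOIT MALWARE DNS", "EGG DOWNLOAD", "C and C TRAFFIC",
          "C and C TRAFFIC (RBN)", "C and C DNS CHECK-IN", "OUTBOUND SKYPE CANDIDATE",
          "OUTBOUND SCAN (spp)", "OUTBOUND SCAN", "ATTACK PREP", "PEER COORDINATION", "DECLARE BOT"]
# Longest names first so "EXPLOIT" cannot swallow "EXPLOIT MALWARE DNS".
PHASE_RE = re.compile("|".join(re.escape(p) for p in sorted(PHASES, key=len, reverse=True)))
# "1.2.3.4 (2) (21:28:53.689 PDT)" opens a host group; the optional "(2)" is its event count.
HOST_RE = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3})(?: \(\d+\))? \(\d\d:\d\d:\d\d\.\d{3} PDT\)")
EVENT_RE = re.compile(r"event=(\d+:\d+) \{(\w+)\} (E\d\[\w+\]) (.+?), \[(.*?)\] MAC_Src: (\S+) "
                      r"(\d+)->(\d+) \((\d\d:\d\d:\d\d\.\d{3}) PDT\)")


def local_to_epoch(stamp):
    """'06/20/2011 22:48:45.038' in PDT -> 1308635325.038, the value tcpslice wants."""
    return datetime.strptime(stamp, TS_FMT).replace(tzinfo=PDT).timestamp()


def _last_before(items, pos):
    """items are (offset, value) pairs in text order; return the last pair starting before pos."""
    return [it for it in items if it[0] < pos][-1]


def parse_record(text):
    s = " ".join(text.split())  # flattened and line-broken input both normalise to one line
    def field(pat):
        m = re.search(pat, s)
        return m.group(1) if m else None
    rec = {"score": float(field(r"Score: ([\d.]+)")),
           "target": field(r"Infected Target: (\S+)"),
           "start": field(r"Observed Start: (\S+ \S+) PDT"),
           "gen": field(r"Gen\. Time: (\S+ \S+) PDT"),
           "slice": tuple(re.search(r"tcpslice (\S+) (\S+)", s).groups()),
           "events": []}
    phases = [(m.start(), m.group(0)) for m in PHASE_RE.finditer(s)]
    hosts = [(m.start(), m.group(1)) for m in HOST_RE.finditer(s)]
    for m in EVENT_RE.finditer(s):
        # An event belongs to the nearest host header before it (events after a
        # "-----" rule share that host), and the host to the nearest phase heading.
        host_pos, host = _last_before(hosts, m.start())
        _, phase = _last_before(phases, host_pos)
        sid, proto, cls, desc, detail, mac, sport, dport, when = m.groups()
        rec["events"].append({"phase": phase, "host": host, "sid": sid, "proto": proto,
                              "class": cls, "desc": desc, "detail": detail, "mac": mac,
                              "sport": int(sport), "dport": int(dport), "time": when})
    return rec


def parse_profiles(text):
    return [parse_record(c) for c in re.split(r"=+\s+SEPARATOR\s+=+", text) if "Score:" in c]


def full_window_carve(rec, infile="inputFile.tcpd", outfile="outputFile.tcpd"):
    """The page's tcpslice lines cover Observed Start + 1 ms only; span Start..Gen. Time."""
    start = local_to_epoch(rec["start"])
    end = max(start, local_to_epoch(rec["gen"])) + 0.001
    return f"tcpslice {start:.3f} {end:.3f} {infile} | tcpdump -r - -w {outfile} 'host {rec['target']}'"


def declared_controllers(records):
    """Hosts BotHunter placed under DECLARE BOT, keyed to the signature ids that fired."""
    out = {}
    for rec in records:
        for ev in rec["events"]:
            if ev["phase"] == "DECLARE BOT":
                out.setdefault(ev["host"], set()).add(ev["sid"])
    return out


if __name__ == "__main__":
    for rec in parse_profiles(SAMPLE):
        print(rec["score"], rec["start"], "->", rec["gen"])
        for ev in rec["events"]:
            print(f"  {ev['phase']:<13} {ev['host']:<15} {ev['sid']} {ev['proto']} "
                  f"{ev['sport']}->{ev['dport']} {ev['desc']}")
        print("  ", full_window_carve(rec))
```

For a profile whose Observed Start and Gen. Time coincide, full_window_carve reproduces the page's own tcpslice line byte for byte; for the egg-download profile it widens the window from 1 ms to the 98.6 s that separate the exe download from the DECLARE BOT check-in, so the carved pcap actually contains both flows.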