Score: 1.9 (>= 0.8)
Infected Target: 192.168.1.100
Infector List: 91.207.61.48, 192.168.1.230, 82.210.157.9
Egg Source List:
C & C List: 88.198.53.104, 67.208.74.71, 96.9.185.117, 200.147.1.41, 192.168.1.230 (17)
Peer Coord. List:
Resource List:
Observed Start: 10/14/2011 23:34:41.549 PDT
Gen. Time: 10/15/2011 00:11:48.538 PDT

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
  91.207.61.48 (23:51:56.308 PDT)
    event=1:2632222 {tcp} E2[dns] BHDNS SPYWARE-CONTACT: warwork.info (harmful), [] MAC_Dst: 00:21:1C:EE:14:00
    60116->80 (23:51:56.308 PDT)
  192.168.1.230 (15) (23:36:26.869 PDT)
    event=224:1 (15) {udp} E2[dns] BHDNS SPYWARE-DNS: didid.nl (zeusc&c), [] MAC_Dst: 00:21:1C:EE:14:00
    49884->53 (23:36:26.869 PDT)
    34229->53 (23:40:13.596 PDT)
    52755->53 (23:40:43.994 PDT)
    53409->53 (23:43:21.411 PDT)
    38507->53 (23:43:21.575 PDT)
    46055->53 (23:44:17.726 PDT)
    50784->53 (23:44:18.833 PDT)
    47496->53 (23:48:47.288 PDT)
    39532->53 (23:49:17.535 PDT)
    57249->53 (23:49:31.520 PDT)
    56805->53 (23:53:33.276 PDT)
    42877->53 (23:53:42.413 PDT)
    43794->53 (23:54:17.255 PDT)
    45994->53 (23:54:41.267 PDT)
    36458->53 (23:56:42.454 PDT)
  82.210.157.9 (23:40:18.354 PDT)
    event=1:2632222 {tcp} E2[dns] BHDNS SPYWARE-CONTACT: florianarray.ru (zeus), [] MAC_Dst: 00:21:1C:EE:14:00
    39246->80 (23:40:18.354 PDT)
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
  88.198.53.104 (00:01:18.412 PDT)
    event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:BB:0C
    36776->53 (00:01:18.412 PDT)
  67.208.74.71 (00:11:18.295 PDT)
    event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:BB:0C
    40987->80 (00:11:18.295 PDT)
  96.9.185.117 (23:40:51.132 PDT)
    event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:BB:0C
    40243->80 (23:40:51.132 PDT)
  200.147.1.41 (23:51:14.030 PDT)
    event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:BB:0C
    34831->80 (23:51:14.030 PDT)
C and C DNS CHECK-IN
  192.168.1.230 (17) (23:34:41.549 PDT)
    event=224:1 (17) {udp} E4[dns] BHDNS SPYWARE-DNS: soudckrnkuzu.tk (malware), [] MAC_Src: 00:21:5A:08:BB:0C
    34597->53 (23:34:41.549 PDT)
    52422->53 (23:35:06.195 PDT)
    55433->53 (23:37:14.615 PDT)
    45164->53 (23:39:05.074 PDT)
    45432->53 (23:40:51.107 PDT)
    36813->53 (23:42:42.067 PDT)
    59307->53 (23:45:00.482 PDT)
    59016->53 (23:45:44.968 PDT)
    45950->53 (23:47:06.051 PDT)
    46025->53 (23:48:56.201 PDT)
    47004->53 (23:51:11.939 PDT)
    35255->53 (23:52:06.972 PDT)
    60166->53 (23:53:44.841 PDT)
    57970->53 (23:56:13.297 PDT)
    35875->53 (23:57:16.360 PDT)
    52495->53 (23:57:46.078 PDT)
    60704->53 (23:58:30.352 PDT)
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
DECLARE BOT
  200.147.1.41 (23:56:32.345 PDT)
    event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C
    35712->53 (23:56:32.345 PDT)
  176.28.0.239 (23:47:16.341 PDT)
    event=1:9910009 {tcp} E8[rb] ET ShadowServer confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C
    53121->53 (23:47:16.341 PDT)
  41.189.229.65 (00:09:13.960 PDT)
    event=1:9910009 {tcp} E8[rb] ET ShadowServer confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C
    45676->80 (00:09:13.960 PDT)
  109.70.26.36 (23:36:30.861 PDT)
    event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C
    52471->53 (23:36:30.861 PDT)
  134.34.246.5 (00:07:21.481 PDT)
    event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C
    7001->7004 (00:07:21.481 PDT)
  93.170.52.30 (00:06:32.329 PDT)
    event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C
    33576->53 (00:06:32.329 PDT)
  130.149.49.136 (3) (23:37:21.066 PDT)
    event=1:9910006 (3) {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C
    7002->7001 (23:37:21.066 PDT)
    7003->7002 (23:47:21.280 PDT)
    7001->7000 (23:57:21.257 PDT)
  92.38.209.230 (23:57:25.085 PDT)
    event=1:9910009 {tcp} E8[rb] ET ShadowServer confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C
    59270->53 (23:57:25.085 PDT)
  93.170.52.20 (23:46:30.855 PDT)
    event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C
    47172->53 (23:46:30.855 PDT)
  200.72.1.94 (23:37:16.153 PDT)
    event=1:9910009 {tcp} E8[rb] ET ShadowServer confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C
    49393->53 (23:37:16.153 PDT)

tcpslice 1318660481.549 1318660481.550 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100'

============================== SEPARATOR ================================

Score: 1.5 (>= 0.8)
Infected Target: 192.168.1.100
Infector List: 91.207.61.48, 192.168.1.230
Egg Source List:
C & C List: 192.168.1.230 (5)
Peer Coord. List:
Resource List:
Observed Start: 10/15/2011 00:11:51.919 PDT
Gen. Time: 10/15/2011 00:16:33.396 PDT

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
  91.207.61.48 (00:13:48.882 PDT)
    event=1:2632222 {tcp} E2[dns] BHDNS SPYWARE-CONTACT: warwork.info (harmful), [] MAC_Dst: 00:21:1C:EE:14:00
    35634->53 (00:13:48.882 PDT)
  192.168.1.230 (2) (00:11:51.919 PDT)
    event=224:1 (2) {udp} E2[dns] BHDNS SPYWARE-DNS: warwork.info (harmful), [] MAC_Dst: 00:21:1C:EE:14:00
    35410->53 (00:11:51.919 PDT)
    37103->53 (00:11:52.163 PDT)
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
  192.168.1.230 (5) (00:14:00.292 PDT)
    event=224:1 (5) {udp} E4[dns] BHDNS SPYWARE-DNS: soudckrnkuzu.tk (malware), [] MAC_Src: 00:21:5A:08:BB:0C
    34833->53 (00:14:00.292 PDT)
    49801->53 (00:14:04.845 PDT)
    32973->53 (00:14:48.992 PDT)
    46427->53 (00:15:16.664 PDT)
    57901->53 (00:15:56.419 PDT)
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
DECLARE BOT
  121.14.70.4 (00:16:33.396 PDT)
    event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C
    40794->53 (00:16:33.396 PDT)

tcpslice 1318662711.919 1318662711.920 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100'

============================== SEPARATOR ================================

Score: 1.9 (>= 0.8)
Infected Target: 192.168.1.100
Infector List: 91.207.61.48, 192.168.1.230
Egg Source List:
C & C List: 200.147.33.21, 213.136.106.214, 83.170.72.109, 192.168.1.230 (12), 192.168.1.20 (3)
Peer Coord. List:
Resource List:
Observed Start: 10/15/2011 00:11:51.919 PDT
Gen. Time: 10/15/2011 00:32:42.804 PDT

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
  91.207.61.48 (2) (00:13:48.882 PDT)
    event=1:2632222 (2) {tcp} E2[dns] BHDNS SPYWARE-CONTACT: warwork.info (harmful), [] MAC_Dst: 00:21:1C:EE:14:00
    35634->53 (00:13:48.882 PDT)
    54666->80 (00:23:52.585 PDT)
  192.168.1.230 (13) (00:11:51.919 PDT-00:30:46.676 PDT)
    event=224:1 (13) {udp} E2[dns] BHDNS SPYWARE-DNS: porntubebiz.org (fake_codec), [] MAC_Dst: 00:21:1C:EE:14:00
    37132->53 (00:23:23.186 PDT)
    42009->53 (00:25:05.993 PDT)
    35410->53 (00:11:51.919 PDT)
    45098->53 (00:30:11.613 PDT)
    60877->53 (00:30:51.443 PDT)
    51598->53 (00:18:01.637 PDT)
    36401->53 (00:18:53.183 PDT)
    37103->53 (00:11:52.163 PDT)
    45518->53 (00:20:31.984 PDT)
    51681->53 (00:23:27.723 PDT)
    2: 36992->53 (00:30:40.633 PDT-00:30:46.676 PDT)
    36403->53 (00:28:53.314 PDT)
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
  200.147.33.21 (00:21:28.224 PDT)
    event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:BB:0C
    43236->53 (00:21:28.224 PDT)
  213.136.106.214 (00:25:40.725 PDT)
    event=1:3810008 {udp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:BB:0C
    50399->53 (00:25:40.725 PDT)
  83.170.72.109 (00:32:01.903 PDT)
    event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:BB:0C
    46758->53 (00:32:01.903 PDT)
C and C DNS CHECK-IN
  192.168.1.230 (12) (00:14:00.292 PDT)
    event=224:1 (12) {udp} E4[dns] BHDNS SPYWARE-DNS: soudckrnkuzu.tk (malware), [] MAC_Src: 00:21:5A:08:BB:0C
    34833->53 (00:14:00.292 PDT)
    49801->53 (00:14:04.845 PDT)
    32973->53 (00:14:48.992 PDT)
    46427->53 (00:15:16.664 PDT)
    57901->53 (00:15:56.419 PDT)
    44905->53 (00:20:03.939 PDT)
    54649->53 (00:23:15.882 PDT)
    40203->53 (00:23:46.512 PDT)
    58606->53 (00:24:36.847 PDT)
    34511->53 (00:25:02.227 PDT)
    44409->53 (00:26:42.013 PDT)
    40677->53 (00:27:54.365 PDT)
  192.168.1.20 (3) (00:20:06.795 PDT)
    event=224:1 (3) {udp} E4[dns] BHDNS SPYWARE-DNS: mobile-files.com (trojan), [] MAC_Src: 00:21:5A:08:BB:0C
    39337->53 (00:20:06.795 PDT)
    43970->53 (00:23:12.810 PDT)
    40478->53 (00:23:16.882 PDT)
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
DECLARE BOT
  41.189.229.65 (00:30:12.620 PDT)
    event=1:9910009 {tcp} E8[rb] ET ShadowServer confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C
    42444->53 (00:30:12.620 PDT)
  130.149.49.136 (2) (00:17:21.436 PDT)
    event=1:9910006 (2) {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C
    7003->7001 (00:17:21.436 PDT)
    7004->7000 (00:27:21.214 PDT)
  200.147.33.19 (00:26:33.693 PDT)
    event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C
    39824->53 (00:26:33.693 PDT)
  121.14.70.4 (00:16:33.396 PDT)
    event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C
    40794->53 (00:16:33.396 PDT)
  31.170.163.70 (00:19:55.980 PDT)
    event=1:9910009 {tcp} E8[rb] ET ShadowServer confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C
    34731->53 (00:19:55.980 PDT)

tcpslice 1318662711.919 1318663846.677 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100'

============================== SEPARATOR ================================

Score: 1.5 (>= 0.8)
Infected Target: 192.168.1.100
Infector List: 91.207.61.48, 192.168.1.230
Egg Source List:
C & C List: 192.168.1.230 (3)
Peer Coord. List:
Resource List:
Observed Start: 10/15/2011 00:33:02.050 PDT
Gen. Time: 10/15/2011 00:36:35.365 PDT

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
  91.207.61.48 (00:35:15.099 PDT)
    event=1:2632222 {tcp} E2[dns] BHDNS SPYWARE-CONTACT: warwork.info (harmful), [] MAC_Dst: 00:21:1C:EE:14:00
    44624->53 (00:35:15.099 PDT)
  192.168.1.230 (2) (00:33:30.063 PDT)
    event=224:1 (2) {udp} E2[dns] BHDNS SPYWARE-DNS: simulatormage.ru (zeus), [] MAC_Dst: 00:21:1C:EE:14:00
    48879->53 (00:33:30.063 PDT)
    51797->53 (00:33:41.829 PDT)
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
  192.168.1.230 (3) (00:33:02.050 PDT)
    event=224:1 (3) {udp} E4[dns] BHDNS SPYWARE-DNS: wagequtn.mattemon.info (malware), [] MAC_Src: 00:21:5A:08:BB:0C
    55522->53 (00:33:02.050 PDT)
    56971->53 (00:33:22.219 PDT)
    39301->53 (00:33:25.980 PDT)
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
DECLARE BOT
  93.170.52.30 (00:36:35.365 PDT)
    event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C
    43788->53 (00:36:35.365 PDT)

tcpslice 1318663982.050 1318663982.051 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100'

============================== SEPARATOR ================================

Score: 1.9 (>= 0.8)
Infected Target: 192.168.1.100
Infector List: 91.207.61.48, 192.168.1.230, 188.229.89.127
Egg Source List:
C & C List: 194.85.105.17, 194.186.88.58, 192.168.1.230 (10)
Peer Coord. List:
Resource List:
Observed Start: 10/15/2011 00:33:02.050 PDT
Gen. Time: 10/15/2011 00:50:10.570 PDT

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
  91.207.61.48 (00:35:15.099 PDT)
    event=1:2632222 {tcp} E2[dns] BHDNS SPYWARE-CONTACT: warwork.info (harmful), [] MAC_Dst: 00:21:1C:EE:14:00
    44624->53 (00:35:15.099 PDT)
  192.168.1.230 (11) (00:33:30.063 PDT)
    event=224:1 (11) {udp} E2[dns] BHDNS SPYWARE-DNS: simulatormage.ru (zeus), [] MAC_Dst: 00:21:1C:EE:14:00
    48879->53 (00:33:30.063 PDT)
    51797->53 (00:33:41.829 PDT)
    33200->53 (00:40:59.328 PDT)
    53179->53 (00:41:31.729 PDT)
    56466->53 (00:43:19.998 PDT)
    33855->53 (00:43:21.930 PDT)
    55475->53 (00:43:24.231 PDT)
    55379->53 (00:44:08.296 PDT)
    41705->53 (00:46:05.702 PDT)
    51815->53 (00:46:59.686 PDT)
    59706->53 (00:47:08.781 PDT)
  188.229.89.127 (00:46:05.998 PDT)
    event=1:2632222 {tcp} E2[dns] BHDNS SPYWARE-CONTACT: arhyv.ru (exploit), [] MAC_Dst: 00:21:1C:EE:14:00
    59250->53 (00:46:05.998 PDT)
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
  194.85.105.17 (00:47:35.013 PDT)
    event=1:3810008 {udp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:BB:0C
    51998->53 (00:47:35.013 PDT)
  194.186.88.58 (00:42:01.287 PDT)
    event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:BB:0C
    36860->80 (00:42:01.287 PDT)
C and C DNS CHECK-IN
  192.168.1.230 (10) (00:33:02.050 PDT)
    event=224:1 (10) {udp} E4[dns] BHDNS SPYWARE-DNS: wagequtn.mattemon.info (malware), [] MAC_Src: 00:21:5A:08:BB:0C
    55522->53 (00:33:02.050 PDT)
    56971->53 (00:33:22.219 PDT)
    39301->53 (00:33:25.980 PDT)
    55331->53 (00:36:50.491 PDT)
    41242->53 (00:39:02.033 PDT)
    49350->53 (00:39:18.955 PDT)
    59951->53 (00:40:51.469 PDT)
    60507->53 (00:42:08.934 PDT)
    53895->53 (00:43:34.437 PDT)
    55059->53 (00:47:39.337 PDT)
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
DECLARE BOT
  130.149.49.136 (00:47:21.448 PDT)
    event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C
    7004->7000 (00:47:21.448 PDT)
  93.170.52.30 (00:36:35.365 PDT)
    event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C
    43788->53 (00:36:35.365 PDT)
  92.38.209.184 (00:40:27.219 PDT)
    event=1:9910009 {tcp} E8[rb] ET ShadowServer confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C
    54303->80 (00:40:27.219 PDT)
  200.147.1.41 (00:46:35.582 PDT)
    event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C
    40544->53 (00:46:35.582 PDT)
  130.104.72.201 (00:37:21.559 PDT)
    event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C
    6110->6110 (00:37:21.559 PDT)

tcpslice 1318663982.050 1318663982.051 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100'

============================== SEPARATOR ================================

Score: 1.1 (>= 0.8)
Infected Target: 192.168.1.100
Infector List: 192.168.1.230
Egg Source List:
C & C List: 96.9.185.117, 192.168.1.230 (3)
Peer Coord. List:
Resource List:
Observed Start: 10/15/2011 00:50:27.882 PDT
Gen. Time: 10/15/2011 00:52:06.446 PDT

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
  192.168.1.230 (00:50:27.882 PDT)
    event=224:1 {udp} E2[dns] BHDNS SPYWARE-DNS: warwork.info (harmful), [] MAC_Dst: 00:21:1C:EE:14:00
    40996->53 (00:50:27.882 PDT)
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
  96.9.185.117 (00:52:06.446 PDT)
    event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:BB:0C
    41891->80 (00:52:06.446 PDT)
C and C DNS CHECK-IN
  192.168.1.230 (3) (00:50:43.285 PDT)
    event=224:1 (3) {udp} E4[dns] BHDNS SPYWARE-DNS: wieblatrino.hopto.org (trojan), [] MAC_Src: 00:21:5A:08:BB:0C
    33866->53 (00:50:43.285 PDT)
    41994->53 (00:51:38.605 PDT)
    43958->53 (00:51:50.780 PDT)
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
DECLARE BOT

tcpslice 1318665027.882 1318665027.883 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100'

============================== SEPARATOR ================================

Score: 1.9 (>= 0.8)
Infected Target: 192.168.1.100
Infector List: 192.168.1.230
Egg Source List:
C & C List: 96.9.185.117, 192.168.1.230 (4)
Peer Coord. List:
Resource List:
Observed Start: 10/15/2011 00:50:27.882 PDT
Gen. Time: 10/15/2011 00:53:46.165 PDT

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
  192.168.1.230 (00:50:27.882 PDT)
    event=224:1 {udp} E2[dns] BHDNS SPYWARE-DNS: warwork.info (harmful), [] MAC_Dst: 00:21:1C:EE:14:00
    40996->53 (00:50:27.882 PDT)
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
  96.9.185.117 (00:52:06.446 PDT)
    event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:BB:0C
    41891->80 (00:52:06.446 PDT)
C and C DNS CHECK-IN
  192.168.1.230 (4) (00:50:43.285 PDT)
    event=224:1 (4) {udp} E4[dns] BHDNS SPYWARE-DNS: wieblatrino.hopto.org (trojan), [] MAC_Src: 00:21:5A:08:BB:0C
    33866->53 (00:50:43.285 PDT)
    41994->53 (00:51:38.605 PDT)
    43958->53 (00:51:50.780 PDT)
    48308->53 (00:52:42.355 PDT)
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
DECLARE BOT
  200.72.1.94 (00:52:26.429 PDT)
    event=1:9910009 {tcp} E8[rb] ET ShadowServer confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C
    55381->80 (00:52:26.429 PDT)

tcpslice 1318665027.882 1318665027.883 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100'

============================== SEPARATOR ================================

Score: 1.5 (>= 0.8)
Infected Target: 192.168.1.100
Infector List: 91.207.61.48, 192.168.1.230
Egg Source List:
C & C List: 192.168.1.230 (2)
Peer Coord. List:
Resource List:
Observed Start: 10/15/2011 00:53:55.979 PDT
Gen. Time: 10/15/2011 00:56:35.270 PDT

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
  91.207.61.48 (00:56:05.576 PDT)
    event=1:2632222 {tcp} E2[dns] BHDNS SPYWARE-CONTACT: warwork.info (harmful), [S%00%00%00%11%00%00%00%00%00%00%8A/%00%00%00%00%00%011`%00%00%00%00%00%011i%00%00%00%00%00%011b%00%00%00%00%00%011k%00%00%00%00%00%011T%00%00%00%00%00%011m%00] MAC_Dst: 00:21:1C:EE:14:00
    42475->80 (00:56:05.576 PDT)
  192.168.1.230 (00:56:27.052 PDT)
    event=224:1 {udp} E2[dns] BHDNS SPYWARE-DNS: florianarray.ru (zeus), [] MAC_Dst: 00:21:1C:EE:14:00
    46122->53 (00:56:27.052 PDT)
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
  192.168.1.230 (2) (00:53:55.979 PDT)
    event=224:1 (2) {udp} E4[dns] BHDNS SPYWARE-DNS: bjglvgsxteki.tk (malware), [] MAC_Src: 00:21:5A:08:BB:0C
    43171->53 (00:53:55.979 PDT)
    60673->53 (00:54:37.424 PDT)
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
DECLARE BOT
  91.209.163.202 (00:56:35.270 PDT)
    event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C
    57150->53 (00:56:35.270 PDT)

tcpslice 1318665235.979 1318665235.980 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100'

============================== SEPARATOR ================================

Score: 1.9 (>= 0.8)
Infected Target: 192.168.1.100
Infector List: 91.207.61.48, 192.168.1.230
Egg Source List:
C & C List: 91.209.163.201, 192.168.1.230 (3)
Peer Coord. List:
Resource List:
Observed Start: 10/15/2011 00:53:55.979 PDT
Gen. Time: 10/15/2011 01:03:46.659 PDT

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
  91.207.61.48 (00:56:05.576 PDT)
    event=1:2632222 {tcp} E2[dns] BHDNS SPYWARE-CONTACT: warwork.info (harmful), [S%00%00%00%11%00%00%00%00%00%00%8A/%00%00%00%00%00%011`%00%00%00%00%00%011i%00%00%00%00%00%011b%00%00%00%00%00%011k%00%00%00%00%00%011T%00%00%00%00%00%011m%00] MAC_Dst: 00:21:1C:EE:14:00
    42475->80 (00:56:05.576 PDT)
  192.168.1.230 (6) (00:56:27.052 PDT)
    event=224:1 (6) {udp} E2[dns] BHDNS SPYWARE-DNS: florianarray.ru (zeus), [] MAC_Dst: 00:21:1C:EE:14:00
    46122->53 (00:56:27.052 PDT)
    40693->53 (00:57:03.016 PDT)
    37858->53 (00:58:53.226 PDT)
    54698->53 (00:58:57.573 PDT)
    39539->53 (00:59:06.306 PDT)
    33310->53 (00:59:31.616 PDT)
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
  91.209.163.201 (01:02:06.327 PDT)
    event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:BB:0C
    36761->80 (01:02:06.327 PDT)
C and C DNS CHECK-IN
  192.168.1.230 (3) (00:53:55.979 PDT)
    event=224:1 (3) {udp} E4[dns] BHDNS SPYWARE-DNS: bjglvgsxteki.tk (malware), [] MAC_Src: 00:21:5A:08:BB:0C
    43171->53 (00:53:55.979 PDT)
    60673->53 (00:54:37.424 PDT)
    56289->53 (01:00:29.580 PDT)
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
DECLARE BOT
  130.149.49.136 (00:57:21.195 PDT)
    event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C
    7003->7002 (00:57:21.195 PDT)
  91.209.163.202 (00:56:35.270 PDT)
    event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C
    57150->53 (00:56:35.270 PDT)

tcpslice 1318665235.979 1318665235.980 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100'

============================== SEPARATOR ================================

Score: 1.0 (>= 0.8)
Infected Target: 192.168.1.100
Infector List:
Egg Source List: 91.209.175.100
C & C List: 192.168.1.230
Peer Coord. List:
Resource List:
Observed Start: 10/15/2011 01:03:47.545 PDT
Gen. Time: 10/15/2011 01:04:00.752 PDT

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
  91.209.175.100 (01:03:47.545 PDT)
    event=1:2009295 {tcp} E3[rb] ET USER_AGENTS Suspicious Mozilla User-Agent Likely Fake (Mozilla/5.0), [/] MAC_Src: 00:21:5A:08:BB:0C
    53187->80 (01:03:47.545 PDT)
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
  192.168.1.230 (01:04:00.752 PDT)
    event=224:1 {udp} E4[dns] BHDNS SPYWARE-DNS: soudckrnkuzu.tk (malware), [] MAC_Src: 00:21:5A:08:BB:0C
    34487->53 (01:04:00.752 PDT)
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
DECLARE BOT

tcpslice 1318665827.545 1318665827.546 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100'

============================== SEPARATOR ================================

Score: 2.4 (>= 0.8)
Infected Target: 192.168.1.100
Infector List: 192.168.1.230, 192.168.1.20
Egg Source List: 91.209.175.100
C & C List: 83.170.72.109, 87.242.73.96, 194.85.105.17, 93.170.52.30, 192.168.1.230 (15), 187.73.33.20
Peer Coord. List:
Resource List:
Observed Start: 10/15/2011 01:03:47.545 PDT
Gen. Time: 10/15/2011 01:31:54.549 PDT

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
  192.168.1.230 (13) (01:07:44.967 PDT)
    event=224:1 (13) {udp} E2[dns] BHDNS SPYWARE-DNS: florianarray.ru (zeus), [] MAC_Dst: 00:21:1C:EE:14:00
    57567->53 (01:07:44.967 PDT)
    58342->53 (01:08:29.824 PDT)
    41137->53 (01:08:33.579 PDT)
    59000->53 (01:10:12.366 PDT)
    50099->53 (01:11:21.731 PDT)
    59927->53 (01:11:26.819 PDT)
    53408->53 (01:11:52.176 PDT)
    57517->53 (01:17:09.626 PDT)
    34914->53 (01:17:17.313 PDT)
    44539->53 (01:18:06.892 PDT)
    33495->53 (01:20:07.236 PDT)
    47772->53 (01:20:43.125 PDT)
    43060->53 (01:21:34.286 PDT)
  192.168.1.20 (4) (01:07:45.973 PDT)
    event=224:1 (4) {udp} E2[dns] BHDNS SPYWARE-DNS: florianarray.ru (zeus), [] MAC_Dst: 00:21:1C:EE:14:00
    49400->53 (01:07:45.973 PDT)
    58891->53 (01:08:30.465 PDT)
    57772->53 (01:08:34.628 PDT)
    46221->53 (01:11:27.800 PDT)
EGG DOWNLOAD
  91.209.175.100 (01:03:47.545 PDT)
    event=1:2009295 {tcp} E3[rb] ET USER_AGENTS Suspicious Mozilla User-Agent Likely Fake (Mozilla/5.0), [/] MAC_Src: 00:21:5A:08:BB:0C
    53187->80 (01:03:47.545 PDT)
C and C TRAFFIC
C and C TRAFFIC (RBN)
  83.170.72.109 (01:12:27.849 PDT)
    event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:BB:0C
    40012->53 (01:12:27.849 PDT)
  87.242.73.96 (01:22:36.758 PDT)
    event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:BB:0C
    53461->80 (01:22:36.758 PDT)
  194.85.105.17 (01:09:32.825 PDT)
    event=1:3810008 {udp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:BB:0C
    51084->33435 (01:09:32.825 PDT)
C and C DNS CHECK-IN
  93.170.52.30 (01:06:05.675 PDT)
    event=1:2632222 {tcp} E4[dns] BHDNS SPYWARE-CONTACT: soudckrnkuzu.tk (malware), [] MAC_Src: 00:21:5A:08:BB:0C
    59228->80 (01:06:05.675 PDT)
  192.168.1.230 (15) (01:04:00.752 PDT)
    event=224:1 (15) {udp} E4[dns] BHDNS SPYWARE-DNS: soudckrnkuzu.tk (malware), [] MAC_Src: 00:21:5A:08:BB:0C
    34487->53 (01:04:00.752 PDT)
    44999->53 (01:04:16.650 PDT)
    50776->53 (01:04:45.136 PDT)
    43146->53 (01:05:32.920 PDT)
    40706->53 (01:05:46.337 PDT)
    33698->53 (01:10:00.660 PDT)
    46290->53 (01:14:26.458 PDT)
    52700->53 (01:14:34.392 PDT)
    46347->53 (01:16:52.637 PDT)
    36647->53 (01:17:00.307 PDT)
    41248->53 (01:17:35.813 PDT)
    34068->53 (01:17:52.532 PDT)
    42263->53 (01:18:23.046 PDT)
    56111->53 (01:18:40.500 PDT)
    53452->53 (01:19:34.902 PDT)
  187.73.33.20 (01:16:54.436 PDT)
    event=1:2632222 {tcp} E4[dns] BHDNS SPYWARE-CONTACT: tiasissi.com.br (malware), [/samples-new/Korgo_botHunter.txt] MAC_Src: 00:21:5A:08:BB:0C
    46520->80 (01:16:54.436 PDT)
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
DECLARE BOT
  134.34.246.5 (01:17:21.438 PDT)
    event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C
    7001->7002 (01:17:21.438 PDT)
  130.149.49.136 (2) (01:07:21.116 PDT)
    event=1:9910006 (2) {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C
    7002->7003 (01:07:21.116 PDT)
    7003->7002 (01:27:21.116 PDT)
  200.72.1.94 (01:29:46.715 PDT)
    event=1:9910009 {tcp} E8[rb] ET ShadowServer confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C
    48940->53 (01:29:46.715 PDT)
  67.208.74.71 (01:26:35.610 PDT)
    event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C
    51055->53 (01:26:35.610 PDT)
  195.226.246.3 (01:16:37.610 PDT)
    event=1:9910009 {tcp} E8[rb] ET ShadowServer confirmed botnet control server, [%01%00!%87%D9%A6%05%F0%00.%C7%CE%9F%{@O%F7\%BF%FA%92}%EB%0E>B%EE%F4%11Q%D5L~%8E%D8%17%03%01%00!%7F%F6%88%ED%09b%C0%ED%15e,%16%9F"ZPc%C3v%DDoh%153f%12p%BC%EB%19@b%9A%17%03%01%00!%C4%DC2%05:%83x%C5] MAC_Src: 00:21:5A:08:BB:0C
    52377->80 (01:16:37.610 PDT)
  64.70.19.33 (01:06:35.535 PDT)
    event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C
    47205->53 (01:06:35.535 PDT)
  87.98.140.145 (01:16:35.557 PDT)
    event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C
    55571->53 (01:16:35.557 PDT)
  92.38.209.230 (01:04:04.897 PDT)
    event=1:9910009 {tcp} E8[rb] ET ShadowServer confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C
    48424->53 (01:04:04.897 PDT)

tcpslice 1318665827.545 1318665827.546 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100'

============================== SEPARATOR ================================

Score: 1.5 (>= 0.8)
Infected Target: 192.168.1.100
Infector List: 192.168.1.230
Egg Source List:
C & C List: 192.168.1.230
Peer Coord. List:
Resource List:
Observed Start: 10/15/2011 01:34:02.754 PDT
Gen. Time: 10/15/2011 01:36:53.519 PDT

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
  192.168.1.230 (4) (01:34:02.754 PDT)
    event=224:1 (4) {udp} E2[dns] BHDNS SPYWARE-DNS: florianarray.ru (zeus), [] MAC_Dst: 00:21:1C:EE:14:00
    38841->53 (01:34:02.754 PDT)
    41420->53 (01:34:45.141 PDT)
    53547->53 (01:34:53.645 PDT)
    40532->53 (01:35:23.084 PDT)
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
  192.168.1.230 (01:34:37.588 PDT)
    event=224:1 {udp} E4[dns] BHDNS SPYWARE-DNS: banner-count.com (trojan), [] MAC_Src: 00:21:5A:08:BB:0C
    45770->53 (01:34:37.588 PDT)
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
DECLARE BOT
  88.198.53.104 (01:36:53.519 PDT)
    event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C
    49888->53 (01:36:53.519 PDT)

tcpslice 1318667642.754 1318667642.755 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100'

============================== SEPARATOR ================================

Score: 1.9 (>= 0.8)
Infected Target: 192.168.1.100
Infector List: 192.168.1.230, 82.210.157.9
Egg Source List:
C & C List: 83.170.72.109, 64.70.19.33, 192.168.1.230 (16), 91.228.133.56
Peer Coord. List:
Resource List:
Observed Start: 10/15/2011 01:34:02.754 PDT
Gen. Time: 10/15/2011 02:00:41.856 PDT

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
  192.168.1.230 (16) (01:34:02.754 PDT-01:41:08.660 PDT)
    event=224:1 (16) {udp} E2[dns] BHDNS SPYWARE-DNS: arhyv.ru (exploit), [] MAC_Dst: 00:21:1C:EE:14:00
    50926->53 (01:50:20.893 PDT)
    49022->53 (01:37:56.331 PDT)
    37890->53 (01:48:32.108 PDT)
    40532->53 (01:35:23.084 PDT)
    53547->53 (01:34:53.645 PDT)
    35750->53 (01:41:08.809 PDT)
    2: 59721->53 (01:41:02.564 PDT-01:41:08.660 PDT)
    48315->53 (01:46:33.219 PDT)
    34256->53 (01:37:28.548 PDT)
    49137->53 (01:38:02.782 PDT)
    38387->53 (01:47:31.931 PDT)
    38841->53 (01:34:02.754 PDT)
    60444->53 (01:50:26.885 PDT)
    41420->53 (01:34:45.141 PDT)
    36578->53 (01:50:21.703 PDT)
  82.210.157.9 (01:47:34.238 PDT)
    event=1:2632222 {tcp} E2[dns] BHDNS SPYWARE-CONTACT: florianarray.ru (zeus), [] MAC_Dst: 00:21:1C:EE:14:00
    53387->53 (01:47:34.238 PDT)
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
  83.170.72.109 (01:52:58.114 PDT)
    event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:BB:0C
    37106->80 (01:52:58.114 PDT)
  64.70.19.33 (01:42:52.438 PDT)
    event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:BB:0C
    54884->53 (01:42:52.438 PDT)
C and C DNS CHECK-IN
  192.168.1.230 (16) (01:34:37.588 PDT)
    event=224:1 (16) {udp} E4[dns] BHDNS SPYWARE-DNS: banner-count.com (trojan), [] MAC_Src: 00:21:5A:08:BB:0C
    45770->53 (01:34:37.588 PDT)
    40942->53 (01:37:07.491 PDT)
    41754->53 (01:39:44.815 PDT)
    38614->53 (01:43:11.125 PDT)
    43591->53 (01:43:50.766 PDT)
    60824->53 (01:44:38.740 PDT)
    55381->53 (01:45:14.489 PDT)
    60387->53 (01:46:14.900 PDT)
    40559->53 (01:46:42.656 PDT)
    33108->53 (01:48:16.561 PDT)
    51861->53 (01:55:19.201 PDT)
    59157->53 (01:57:25.591 PDT)
    46490->53 (01:57:53.664 PDT)
    52570->53 (01:58:03.351 PDT)
    33557->53 (01:58:41.733 PDT)
    52411->53 (01:58:45.589 PDT)
  91.228.133.56 (01:37:15.005 PDT)
    event=1:2632222 {tcp} E4[dns] BHDNS SPYWARE-CONTACT: wagequtn.mattemon.info (malware), [] MAC_Src: 00:21:5A:08:BB:0C
    58363->80 (01:37:15.005 PDT)
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
DECLARE BOT
  176.28.0.239 (01:39:58.051 PDT)
    event=1:9910009 {tcp} E8[rb] ET ShadowServer confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C
    34179->80 (01:39:58.051 PDT)
  64.70.19.33 (01:46:54.751 PDT)
    event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C
    48116->53 (01:46:54.751 PDT)
  41.189.229.65 (01:51:11.318 PDT)
    event=1:9910009 {tcp} E8[rb] ET ShadowServer confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C
    40914->80 (01:51:11.318 PDT)
  95.173.163.8 (01:41:42.624 PDT)
    event=1:9910025 {tcp} E8[rb] CLEAN-MX Webserver hosting Malicious URL, [] MAC_Src: 00:21:5A:08:BB:0C
    3124->50447 (01:41:42.624 PDT)
  129.93.229.138 (01:51:53.239 PDT)
    event=1:9910025 {tcp} E8[rb] CLEAN-MX Webserver hosting Malicious URL, [] MAC_Src: 00:21:5A:08:BB:0C
    54593->46130 (01:51:53.239 PDT)
  87.242.73.96 (01:57:23.383 PDT)
    event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C
    48301->53 (01:57:23.383 PDT)
  88.198.53.104 (01:36:53.519 PDT)
    event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C
    49888->53 (01:36:53.519 PDT)
  134.34.246.5 (2) (01:37:21.245 PDT)
    event=1:9910006 (2) {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C
    7004->7000 (01:37:21.245 PDT)
    7003->7001 (01:57:21.070 PDT)
  130.149.49.136 (01:47:21.039 PDT)
    event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C
    7002->7004 (01:47:21.039 PDT)

tcpslice 1318667642.754 1318668068.661 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100'

============================== SEPARATOR ================================

Score: 1.5 (>= 0.8)
Infected Target: 192.168.1.100
Infector List: 192.168.1.230
Egg Source List:
C & C List: 192.168.1.230
Peer Coord. List:
Resource List:
Observed Start: 10/15/2011 02:00:43.845 PDT
Gen. Time: 10/15/2011 02:01:11.841 PDT

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
  192.168.1.230 (02:00:56.874 PDT)
    event=224:1 {udp} E2[dns] BHDNS SPYWARE-DNS: florianarray.ru (zeus), [] MAC_Dst: 00:21:1C:EE:14:00
    60768->53 (02:00:56.874 PDT)
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
  192.168.1.230 (02:00:43.845 PDT)
    event=224:1 {udp} E4[dns] BHDNS SPYWARE-DNS: wieblatrino.hopto.org (trojan), [] MAC_Src: 00:21:5A:08:BB:0C
    36146->53 (02:00:43.845 PDT)
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
DECLARE BOT
  79.96.166.153 (02:01:11.841 PDT)
    event=1:9910009 {tcp} E8[rb] ET ShadowServer confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C
    42772->53 (02:01:11.841 PDT)

tcpslice 1318669243.845 1318669243.846 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100'

============================== SEPARATOR ================================

Score: 1.9 (>= 0.8)
Infected Target: 192.168.1.100
Infector List: 192.168.1.230, 192.168.1.20
Egg Source List:
C & C List: 93.158.135.4, 192.168.1.230 (2)
Peer Coord. List:
Resource List:
Observed Start: 10/15/2011 02:00:43.845 PDT
Gen. Time: 10/15/2011 02:07:57.035 PDT

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
  192.168.1.230 (13) (02:00:56.874 PDT-02:04:28.705 PDT)
    event=224:1 (13) {udp} E2[dns] BHDNS SPYWARE-DNS: datacricketuf.ru (zeus), [] MAC_Dst: 00:21:1C:EE:14:00
    37795->53 (02:04:27.391 PDT)
    2: 54103->53 (02:03:53.073 PDT-02:03:58.928 PDT)
    58302->53 (02:04:22.756 PDT)
    53863->53 (02:04:34.717 PDT)
    60768->53 (02:00:56.874 PDT)
    55129->53 (02:02:12.598 PDT)
    3: 33423->53 (02:04:04.973 PDT-02:04:16.743 PDT)
    2: 49404->53 (02:04:22.756 PDT-02:04:28.705 PDT)
    57582->53 (02:02:01.365 PDT)
  192.168.1.20 (4) (02:03:53.919 PDT-02:03:59.888 PDT)
    event=224:1 (4) {udp} E2[dns] BHDNS SPYWARE-DNS: arhyv.ru (exploit), [] MAC_Dst: 00:21:1C:EE:14:00
    2: 46692->53 (02:03:53.919 PDT-02:03:59.888 PDT)
    50456->53 (02:04:05.599 PDT)
    38559->53 (02:04:29.653 PDT)
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
  93.158.135.4 (02:03:12.311 PDT)
    event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:BB:0C
    52891->80 (02:03:12.311 PDT)
C and C DNS CHECK-IN
  192.168.1.230 (2) (02:00:43.845 PDT)
    event=224:1 (2) {udp} E4[dns] BHDNS SPYWARE-DNS: wieblatrino.hopto.org (trojan), [] MAC_Src: 00:21:5A:08:BB:0C
    36146->53 (02:00:43.845 PDT)
    46582->53 (02:03:04.384 PDT)
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
DECLARE BOT
  130.149.49.136 (02:07:21.047 PDT)
    event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C
    7003->7002 (02:07:21.047 PDT)
  200.147.33.17 (02:07:23.535 PDT)
    event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C
    60420->53 (02:07:23.535 PDT)
  79.96.166.153 (02:01:11.841 PDT)
    event=1:9910009 {tcp} E8[rb] ET ShadowServer confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C
    42772->53 (02:01:11.841 PDT)

tcpslice 1318669243.845 1318669468.706 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100'

============================== SEPARATOR ================================

Score: 1.3 (>= 0.8)
Infected Target: 192.168.1.100
Infector List:
Egg Source List:
C & C List: 192.168.1.230 (4), 91.228.133.56
Peer Coord. List:
Resource List:
Observed Start: 10/15/2011 02:08:21.848 PDT
Gen. Time: 10/15/2011 02:11:02.632 PDT

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
  192.168.1.230 (4) (02:08:21.848 PDT)
    event=224:1 (4) {udp} E4[dns] BHDNS SPYWARE-DNS: wagequtn.mattemon.info (malware), [] MAC_Src: 00:21:5A:08:BB:0C
    41947->53 (02:08:21.848 PDT)
    59696->53 (02:08:38.277 PDT)
    42615->53 (02:10:20.888 PDT)
    36980->53 (02:10:37.579 PDT)
  91.228.133.56 (02:08:31.315 PDT)
    event=1:2632222 {tcp} E4[dns] BHDNS SPYWARE-CONTACT: wagequtn.mattemon.info (malware), [] MAC_Src: 00:21:5A:08:BB:0C
    39223->80 (02:08:31.315 PDT)
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
DECLARE BOT
  95.173.163.8 (02:11:02.632 PDT)
    event=1:9910025 {tcp} E8[rb] CLEAN-MX Webserver hosting Malicious URL, [] MAC_Src: 00:21:5A:08:BB:0C
    3124->38930 (02:11:02.632 PDT)

tcpslice 1318669701.848 1318669701.849 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100'

============================== SEPARATOR ================================

Score: 1.9 (>= 0.8)
Infected Target: 192.168.1.100
Infector List: 192.168.1.230
Egg Source List:
C & C List: 200.147.1.41, 192.168.1.230 (7), 91.228.133.56
Peer Coord. List:
Resource List:
Observed Start: 10/15/2011 02:08:21.848 PDT
Gen.
Time: 10/15/2011 02:16:44.287 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS 192.168.1.230 (5) (02:12:19.309 PDT) event=224:1 (5) {udp} E2[dns] BHDNS SPYWARE-DNS: porntubebiz.org (fake_codec), [] MAC_Dst: 00:21:1C:EE:14:00 44049->53 (02:12:19.309 PDT) 40241->53 (02:12:37.992 PDT) 53332->53 (02:14:02.178 PDT) 41558->53 (02:14:31.322 PDT) 40955->53 (02:14:49.975 PDT) EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) 200.147.1.41 (02:13:12.769 PDT) event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:BB:0C 46124->80 (02:13:12.769 PDT) C and C DNS CHECK-IN 192.168.1.230 (7) (02:08:21.848 PDT) event=224:1 (7) {udp} E4[dns] BHDNS SPYWARE-DNS: wagequtn.mattemon.info (malware), [] MAC_Src: 00:21:5A:08:BB:0C 41947->53 (02:08:21.848 PDT) 59696->53 (02:08:38.277 PDT) 42615->53 (02:10:20.888 PDT) 36980->53 (02:10:37.579 PDT) 52874->53 (02:11:34.189 PDT) 38305->53 (02:12:24.980 PDT) 48636->53 (02:14:19.488 PDT) 91.228.133.56 (02:08:31.315 PDT) event=1:2632222 {tcp} E4[dns] BHDNS SPYWARE-CONTACT: wagequtn.mattemon.info (malware), [] MAC_Src: 00:21:5A:08:BB:0C 39223->80 (02:08:31.315 PDT) OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 98.129.126.138 (02:11:33.354 PDT) event=1:9910009 {tcp} E8[rb] ET ShadowServer confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 43361->80 (02:11:33.354 PDT) 95.173.163.8 (02:11:02.632 PDT) event=1:9910025 {tcp} E8[rb] CLEAN-MX Webserver hosting Malicious URL, [] MAC_Src: 00:21:5A:08:BB:0C 3124->38930 (02:11:02.632 PDT) tcpslice 1318669701.848 1318669701.849 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100' ============================== SEPARATOR ================================ Score: 1.5 (>= 0.8) Infected Target: 192.168.1.100 Infector List: 192.168.1.230 Egg Source List: C & C List: 192.168.1.230 Peer Coord. List: Resource List: Observed Start: 10/15/2011 02:16:53.125 PDT Gen. 
Time: 10/15/2011 02:17:22.455 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS 192.168.1.230 (02:16:53.125 PDT) event=224:1 {udp} E2[dns] BHDNS SPYWARE-DNS: papucky.eu (exploit), [] MAC_Dst: 00:21:1C:EE:14:00 43173->53 (02:16:53.125 PDT) EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN 192.168.1.230 (02:17:07.640 PDT) event=224:1 {udp} E4[dns] BHDNS SPYWARE-DNS: centsubsgesqua.hopto.org (malware), [] MAC_Src: 00:21:5A:08:BB:0C 45973->53 (02:17:07.640 PDT) OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 132.239.17.226 (02:17:22.455 PDT) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 56391->56391 (02:17:22.455 PDT) tcpslice 1318670213.125 1318670213.126 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100' ============================== SEPARATOR ================================ Score: 1.9 (>= 0.8) Infected Target: 192.168.1.100 Infector List: 88.198.53.104, 173.236.70.235, 192.168.1.230 Egg Source List: C & C List: 83.170.72.109, 69.10.37.189, 192.168.1.230 (13), 192.168.1.20 Peer Coord. List: Resource List: Observed Start: 10/15/2011 02:16:53.125 PDT Gen. 
Time: 10/15/2011 02:35:01.764 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS 88.198.53.104 (02:18:58.822 PDT) event=1:2632222 {tcp} E2[dns] BHDNS SPYWARE-CONTACT: sourcegoogle.com (harmful), [] MAC_Dst: 00:21:1C:EE:14:00 51479->80 (02:18:58.822 PDT) 173.236.70.235 (02:29:16.316 PDT) event=1:2632222 {tcp} E2[dns] BHDNS SPYWARE-CONTACT: porntubebiz.org (fake_codec), [] MAC_Dst: 00:21:1C:EE:14:00 51151->80 (02:29:16.316 PDT) 192.168.1.230 (9) (02:16:53.125 PDT) event=224:1 (9) {udp} E2[dns] BHDNS SPYWARE-DNS: papucky.eu (exploit), [] MAC_Dst: 00:21:1C:EE:14:00 43173->53 (02:16:53.125 PDT) 58483->53 (02:17:27.862 PDT) 57023->53 (02:17:40.718 PDT) 52002->53 (02:19:42.129 PDT) 36962->53 (02:22:43.106 PDT) 46682->53 (02:25:17.780 PDT) 50747->53 (02:26:54.769 PDT) 40653->53 (02:32:08.884 PDT) 57067->53 (02:32:10.356 PDT) EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) 83.170.72.109 (02:23:15.008 PDT) event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:BB:0C 58102->80 (02:23:15.008 PDT) 69.10.37.189 (02:33:20.654 PDT) event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:BB:0C 38567->53 (02:33:20.654 PDT) C and C DNS CHECK-IN 192.168.1.230 (13) (02:17:07.640 PDT-02:27:22.783 PDT) event=224:1 (13) {udp} E4[dns] BHDNS SPYWARE-DNS: wagequtn.mattemon.info (malware), [] MAC_Src: 00:21:5A:08:BB:0C 39783->53 (02:17:47.889 PDT) 33794->53 (02:29:11.910 PDT) 51337->53 (02:25:10.234 PDT) 42440->53 (02:25:29.574 PDT) 2: 55480->53 (02:27:16.608 PDT-02:27:22.783 PDT) 41469->53 (02:25:53.973 PDT) 44067->53 (02:25:57.613 PDT) 45973->53 (02:17:07.640 PDT) 42065->53 (02:17:59.356 PDT) 41167->53 (02:23:05.404 PDT) 57849->53 (02:24:06.754 PDT) 46756->53 (02:19:01.556 PDT) 192.168.1.20 (02:27:17.673 PDT) event=224:1 {udp} E4[dns] BHDNS SPYWARE-DNS: wagequtn.mattemon.info (malware), [] MAC_Src: 00:21:5A:08:BB:0C 44257->53 (02:27:17.673 PDT) OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) 
OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 130.149.49.136 (02:27:22.244 PDT) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 7000->7002 (02:27:22.244 PDT) 195.226.246.3 (02:24:21.260 PDT) event=1:9910009 {tcp} E8[rb] ET ShadowServer confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 53755->80 (02:24:21.260 PDT) 132.239.17.226 (02:17:22.455 PDT) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 56391->56391 (02:17:22.455 PDT) 87.252.1.21 (02:27:25.754 PDT) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 38024->53 (02:27:25.754 PDT) 93.170.52.20 (02:17:24.224 PDT) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 50617->53 (02:17:24.224 PDT) tcpslice 1318670213.125 1318670842.784 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.100 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 10/15/2011 02:36:25.320 PDT Gen. 
Time: 10/15/2011 02:36:25.320 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 129.93.229.138 (02:36:25.320 PDT) event=1:9910025 {tcp} E8[rb] CLEAN-MX Webserver hosting Malicious URL, [] MAC_Src: 00:21:5A:08:BB:0C 54593->58796 (02:36:25.320 PDT) tcpslice 1318671385.320 1318671385.321 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100' ============================== SEPARATOR ================================ Score: 1.9 (>= 0.8) Infected Target: 192.168.1.100 Infector List: 91.207.61.48, 192.168.1.230 Egg Source List: C & C List: 194.186.88.58, 192.168.1.230 (13) Peer Coord. List: Resource List: Observed Start: 10/15/2011 02:36:25.320 PDT Gen. Time: 10/15/2011 02:49:35.210 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS 91.207.61.48 (02:40:18.944 PDT) event=1:2632222 {tcp} E2[dns] BHDNS SPYWARE-CONTACT: warwork.info (harmful), [] MAC_Dst: 00:21:1C:EE:14:00 35400->80 (02:40:18.944 PDT) 192.168.1.230 (10) (02:40:53.150 PDT-02:48:35.813 PDT) event=224:1 (10) {udp} E2[dns] BHDNS SPYWARE-DNS: stephanos.ru (exploit), [] MAC_Dst: 00:21:1C:EE:14:00 60727->53 (02:40:53.150 PDT) 2: 49265->53 (02:48:29.810 PDT-02:48:35.813 PDT) 50831->53 (02:43:22.575 PDT) 50358->53 (02:44:51.909 PDT) 42267->53 (02:40:57.080 PDT) 32804->53 (02:43:20.261 PDT) 41353->53 (02:42:29.081 PDT) 45913->53 (02:48:36.099 PDT) 45319->53 (02:44:43.552 PDT) EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) 194.186.88.58 (02:43:21.455 PDT) event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:BB:0C 51825->53 (02:43:21.455 PDT) C and C DNS CHECK-IN 192.168.1.230 (13) (02:36:47.851 PDT) event=224:1 (13) {udp} E4[dns] BHDNS SPYWARE-DNS: soudckrnkuzu.tk (malware), [] MAC_Src: 00:21:5A:08:BB:0C 37277->53 (02:36:47.851 PDT) 47578->53 (02:37:41.229 PDT) 48188->53 (02:37:57.560 PDT) 
48323->53 (02:38:05.640 PDT) 46343->53 (02:40:34.268 PDT) 38037->53 (02:40:45.645 PDT) 37014->53 (02:40:49.119 PDT) 60986->53 (02:40:56.706 PDT) 33254->53 (02:43:33.024 PDT) 49025->53 (02:46:15.264 PDT) 34057->53 (02:47:14.443 PDT) 41670->53 (02:47:55.628 PDT) 40135->53 (02:48:00.958 PDT) OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 134.34.246.5 (02:47:22.040 PDT) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 6110->6110 (02:47:22.040 PDT) 93.170.52.30 (02:37:25.074 PDT) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 50292->53 (02:37:25.074 PDT) 130.149.49.136 (02:37:22.225 PDT) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 7003->7002 (02:37:22.225 PDT) 208.91.196.10 (02:38:26.066 PDT) event=1:9910009 {tcp} E8[rb] ET ShadowServer confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 43466->53 (02:38:26.066 PDT) 91.209.163.201 (02:47:28.594 PDT) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 55642->53 (02:47:28.594 PDT) 129.93.229.138 (02:36:25.320 PDT) event=1:9910025 {tcp} E8[rb] CLEAN-MX Webserver hosting Malicious URL, [] MAC_Src: 00:21:5A:08:BB:0C 54593->58796 (02:36:25.320 PDT) tcpslice 1318671385.320 1318672115.814 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.100 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 10/15/2011 02:51:15.353 PDT Gen. 
Time: 10/15/2011 02:51:15.353 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 212.44.109.181 (02:51:15.353 PDT) event=1:9910009 {tcp} E8[rb] ET ShadowServer confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 49491->80 (02:51:15.353 PDT) tcpslice 1318672275.353 1318672275.354 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100' ============================== SEPARATOR ================================ Score: 1.5 (>= 0.8) Infected Target: 192.168.1.100 Infector List: 91.207.61.48, 192.168.1.230 Egg Source List: C & C List: 192.168.1.230 (3) Peer Coord. List: Resource List: Observed Start: 10/15/2011 02:51:15.353 PDT Gen. Time: 10/15/2011 02:53:04.063 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS 91.207.61.48 (02:52:02.601 PDT) event=1:2632222 {tcp} E2[dns] BHDNS SPYWARE-CONTACT: warwork.info (harmful), [] MAC_Dst: 00:21:1C:EE:14:00 56194->80 (02:52:02.601 PDT) 192.168.1.230 (02:52:27.873 PDT) event=224:1 {udp} E2[dns] BHDNS SPYWARE-DNS: sourcegoogle.com (harmful), [] MAC_Dst: 00:21:1C:EE:14:00 50760->53 (02:52:27.873 PDT) EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN 192.168.1.230 (3) (02:51:37.049 PDT) event=224:1 (3) {udp} E4[dns] BHDNS SPYWARE-DNS: soudckrnkuzu.tk (malware), [] MAC_Src: 00:21:5A:08:BB:0C 42202->53 (02:51:37.049 PDT) 54956->53 (02:52:35.885 PDT) 50781->53 (02:52:45.827 PDT) OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 212.44.109.181 (02:51:15.353 PDT) event=1:9910009 {tcp} E8[rb] ET ShadowServer confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 49491->80 (02:51:15.353 PDT) tcpslice 1318672275.353 1318672275.354 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100' ============================== SEPARATOR ================================ Score: 
1.1 (>= 0.8) Infected Target: 192.168.1.100 Infector List: 192.168.1.230 Egg Source List: C & C List: 78.31.65.216, 192.168.1.230 Peer Coord. List: Resource List: Observed Start: 10/15/2011 02:53:30.643 PDT Gen. Time: 10/15/2011 02:56:28.219 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS 192.168.1.230 (3) (02:54:26.770 PDT) event=224:1 (3) {udp} E2[dns] BHDNS SPYWARE-DNS: gooqlepics.com (exploit), [] MAC_Dst: 00:21:1C:EE:14:00 36722->53 (02:54:26.770 PDT) 57185->53 (02:55:17.124 PDT) 38144->53 (02:55:19.814 PDT) EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) 78.31.65.216 (02:53:30.643 PDT) event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [/ipInfo/IPRep.php?IP=202.177.216.227&SPEED=fast&FORMAT=csv] MAC_Src: 00:21:5A:08:BB:0C 57324->80 (02:53:30.643 PDT) C and C DNS CHECK-IN 192.168.1.230 (02:56:28.219 PDT) event=224:1 {udp} E4[dns] BHDNS SPYWARE-DNS: igenorri.hopto.org (malware), [] MAC_Src: 00:21:5A:08:BB:0C 42775->53 (02:56:28.219 PDT) OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT tcpslice 1318672410.643 1318672410.644 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100' ============================== SEPARATOR ================================ Score: 1.9 (>= 0.8) Infected Target: 192.168.1.100 Infector List: 91.207.61.48, 192.168.1.230 Egg Source List: C & C List: 78.31.65.216, 82.146.43.2, 64.70.19.33, 192.168.1.230 (12) Peer Coord. List: Resource List: Observed Start: 10/15/2011 02:53:30.643 PDT Gen. 
Time: 10/15/2011 03:14:41.428 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS 91.207.61.48 (03:02:05.781 PDT) event=1:2632222 {tcp} E2[dns] BHDNS SPYWARE-CONTACT: warwork.info (harmful), [] MAC_Dst: 00:21:1C:EE:14:00 49345->80 (03:02:05.781 PDT) 192.168.1.230 (14) (02:54:26.770 PDT) event=224:1 (14) {udp} E2[dns] BHDNS SPYWARE-DNS: gooqlepics.com (exploit), [] MAC_Dst: 00:21:1C:EE:14:00 36722->53 (02:54:26.770 PDT) 57185->53 (02:55:17.124 PDT) 38144->53 (02:55:19.814 PDT) 50650->53 (02:57:04.224 PDT) 58438->53 (02:58:30.884 PDT) 35467->53 (02:58:43.008 PDT) 50259->53 (02:59:02.401 PDT) 52126->53 (03:04:38.411 PDT) 59924->53 (03:08:30.401 PDT) 42921->53 (03:08:31.943 PDT) 58338->53 (03:10:12.258 PDT) 39059->53 (03:10:39.324 PDT) 50376->53 (03:11:45.587 PDT) 56136->53 (03:11:53.112 PDT) EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) 78.31.65.216 (02:53:30.643 PDT) event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [/ipInfo/IPRep.php?IP=202.177.216.227&SPEED=fast&FORMAT=csv] MAC_Src: 00:21:5A:08:BB:0C 57324->80 (02:53:30.643 PDT) 82.146.43.2 (03:13:31.074 PDT) event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:BB:0C 36143->80 (03:13:31.074 PDT) 64.70.19.33 (03:03:31.447 PDT) event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:BB:0C 42777->80 (03:03:31.447 PDT) C and C DNS CHECK-IN 192.168.1.230 (12) (02:56:28.219 PDT) event=224:1 (12) {udp} E4[dns] BHDNS SPYWARE-DNS: igenorri.hopto.org (malware), [] MAC_Src: 00:21:5A:08:BB:0C 42775->53 (02:56:28.219 PDT) 50625->53 (02:57:34.793 PDT) 51338->53 (02:57:35.937 PDT) 57568->53 (02:58:24.156 PDT) 58051->53 (03:00:38.893 PDT) 34805->53 (03:01:12.620 PDT) 40978->53 (03:03:33.902 PDT) 52799->53 (03:05:26.533 PDT) 56539->53 (03:07:18.951 PDT) 36914->53 (03:10:38.067 PDT) 53259->53 (03:11:37.455 PDT) 52970->53 (03:12:40.392 PDT) OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN 
ATTACK PREP PEER COORDINATION DECLARE BOT 41.189.229.65 (03:11:53.795 PDT) event=1:9910009 {tcp} E8[rb] ET ShadowServer confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 60443->80 (03:11:53.795 PDT) 134.34.246.5 (03:07:23.558 PDT) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 7002->7000 (03:07:23.558 PDT) 128.227.11.13 (02:57:23.208 PDT) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 49302->4040 (02:57:23.208 PDT) 93.170.52.20 (2) (02:57:28.145 PDT) event=1:9910005 (2) {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 45384->53 (02:57:28.145 PDT) 51037->53 (03:07:28.159 PDT) 31.170.163.70 (03:01:50.917 PDT) event=1:9910009 {tcp} E8[rb] ET ShadowServer confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 49044->80 (03:01:50.917 PDT) tcpslice 1318672410.643 1318672410.644 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100' ============================== SEPARATOR ================================ Score: 1.5 (>= 0.8) Infected Target: 192.168.1.100 Infector List: 192.168.1.230 Egg Source List: C & C List: 192.168.1.230, 91.228.133.56 Peer Coord. List: Resource List: Observed Start: 10/15/2011 03:15:36.271 PDT Gen. 
Time: 10/15/2011 03:17:23.433 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS 192.168.1.230 (03:15:39.123 PDT) event=224:1 {udp} E2[dns] BHDNS SPYWARE-DNS: warwork.info (harmful), [] MAC_Dst: 00:21:1C:EE:14:00 36769->53 (03:15:39.123 PDT) EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN 192.168.1.230 (03:15:51.256 PDT) event=224:1 {udp} E4[dns] BHDNS SPYWARE-DNS: centsubsgesqua.hopto.org (malware), [] MAC_Src: 00:21:5A:08:BB:0C 54041->53 (03:15:51.256 PDT) 91.228.133.56 (03:15:36.271 PDT) event=1:2632222 {tcp} E4[dns] BHDNS SPYWARE-CONTACT: wagequtn.mattemon.info (malware), [] MAC_Src: 00:21:5A:08:BB:0C 42890->80 (03:15:36.271 PDT) OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 128.163.142.20 (03:17:23.433 PDT) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 2122->2122 (03:17:23.433 PDT) tcpslice 1318673736.271 1318673736.272 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100' ============================== SEPARATOR ================================ Score: 2.4 (>= 0.8) Infected Target: 192.168.1.100 Infector List: 41.189.229.65, 92.240.253.14, 192.168.1.230 Egg Source List: 155.223.52.1, 62.108.171.76 C & C List: 91.209.163.202, 212.150.130.183, 192.168.1.230 (16), 91.228.133.56 Peer Coord. List: Resource List: Observed Start: 10/15/2011 03:15:36.271 PDT Gen. 
Time: 10/15/2011 03:40:12.444 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS 41.189.229.65 (03:35:42.965 PDT) event=1:2632222 {tcp} E2[dns] BHDNS SPYWARE-CONTACT: esperadooptic.ru (zeus), [] MAC_Dst: 00:21:1C:EE:14:00 57239->80 (03:35:42.965 PDT) 92.240.253.14 (03:25:37.472 PDT) event=1:2632222 {tcp} E2[dns] BHDNS SPYWARE-CONTACT: papucky.eu (exploit), [] MAC_Dst: 00:21:1C:EE:14:00 59205->53 (03:25:37.472 PDT) 192.168.1.230 (15) (03:15:39.123 PDT) event=224:1 (15) {udp} E2[dns] BHDNS SPYWARE-DNS: warwork.info (harmful), [] MAC_Dst: 00:21:1C:EE:14:00 36769->53 (03:15:39.123 PDT) 43918->53 (03:20:52.412 PDT) 43185->53 (03:23:04.058 PDT) 33693->53 (03:24:08.715 PDT) 36535->53 (03:24:19.839 PDT) 55571->53 (03:24:35.565 PDT) 52999->53 (03:25:14.001 PDT) 37483->53 (03:25:33.510 PDT) 59983->53 (03:25:42.294 PDT) 49595->53 (03:27:52.201 PDT) 47101->53 (03:28:07.912 PDT) 60648->53 (03:33:29.391 PDT) 55669->53 (03:34:21.394 PDT) 35792->53 (03:34:29.052 PDT) 54005->53 (03:35:21.643 PDT) EGG DOWNLOAD 155.223.52.1 (2) (03:27:27.829 PDT) event=1:2000419 {tcp} E3[rb] ET POLICY PE EXE or DLL Windows file download, [] MAC_Src: 00:21:1C:EE:14:00 50620<-19999 (03:27:27.829 PDT) ------------------------- event=1:3300007 {tcp} E3[rb] BotHunter Malware Windows executable (PE) sent from remote host, [] MAC_Src: 00:21:1C:EE:14:00 50620<-19999 (03:27:27.829 PDT) 62.108.171.76 (2) (03:33:29.008 PDT) event=1:2000419 {tcp} E3[rb] ET POLICY PE EXE or DLL Windows file download, [] MAC_Src: 00:21:1C:EE:14:00 54917<-40220 (03:33:29.008 PDT) ------------------------- event=1:3300007 {tcp} E3[rb] BotHunter Malware Windows executable (PE) sent from remote host, [] MAC_Src: 00:21:1C:EE:14:00 54917<-40220 (03:33:29.008 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) 91.209.163.202 (03:33:56.123 PDT) event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:BB:0C 43583->80 (03:33:56.123 PDT) 212.150.130.183 (03:23:51.117 PDT) event=1:3810007 {tcp} E4[nbr] ET 
Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:BB:0C 54344->80 (03:23:51.117 PDT) C and C DNS CHECK-IN 192.168.1.230 (16) (03:15:51.256 PDT) event=224:1 (16) {udp} E4[dns] BHDNS SPYWARE-DNS: centsubsgesqua.hopto.org (malware), [] MAC_Src: 00:21:5A:08:BB:0C 54041->53 (03:15:51.256 PDT) 58116->53 (03:17:25.978 PDT) 59993->53 (03:18:14.444 PDT) 57541->53 (03:18:38.422 PDT) 37819->53 (03:22:04.035 PDT) 34010->53 (03:23:45.453 PDT) 41316->53 (03:27:13.976 PDT) 60023->53 (03:28:43.916 PDT) 36513->53 (03:29:08.605 PDT) 51607->53 (03:29:32.164 PDT) 43506->53 (03:31:00.625 PDT) 47497->53 (03:32:31.227 PDT) 36191->53 (03:34:14.832 PDT) 37934->53 (03:34:51.290 PDT) 56767->53 (03:35:15.795 PDT) 33105->53 (03:37:49.185 PDT) 91.228.133.56 (03:15:36.271 PDT) event=1:2632222 {tcp} E4[dns] BHDNS SPYWARE-CONTACT: wagequtn.mattemon.info (malware), [] MAC_Src: 00:21:5A:08:BB:0C 42890->80 (03:15:36.271 PDT) OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 93.170.52.30 (03:37:29.313 PDT) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 35472->53 (03:37:29.313 PDT) 130.149.49.136 (03:37:23.411 PDT) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 7004->7004 (03:37:23.411 PDT) 216.8.179.25 (03:32:30.098 PDT) event=1:9910009 {tcp} E8[rb] ET ShadowServer confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 43357->80 (03:32:30.098 PDT) 128.186.122.86 (03:27:23.238 PDT) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 49302->35596 (03:27:23.238 PDT) 128.163.142.20 (03:17:23.433 PDT) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 2122->2122 (03:17:23.433 PDT) 93.170.52.20 (2) (03:17:29.370 PDT) event=1:9910005 (2) {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] 
MAC_Src: 00:21:5A:08:BB:0C 53206->53 (03:17:29.370 PDT) 49365->53 (03:27:29.064 PDT) 92.38.209.230 (03:21:54.410 PDT) event=1:9910009 {tcp} E8[rb] ET ShadowServer confirmed botnet control server, [/SeattleGENI/HashTable] MAC_Src: 00:21:5A:08:BB:0C 37723->80 (03:21:54.410 PDT) tcpslice 1318673736.271 1318673736.272 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100' ============================== SEPARATOR ================================ Score: 1.5 (>= 0.8) Infected Target: 192.168.1.100 Infector List: 192.168.1.230 Egg Source List: C & C List: 192.168.1.230 (4) Peer Coord. List: Resource List: Observed Start: 10/15/2011 03:41:27.282 PDT Gen. Time: 10/15/2011 03:43:50.304 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS 192.168.1.230 (03:43:44.701 PDT) event=224:1 {udp} E2[dns] BHDNS SPYWARE-DNS: porntubebiz.org (fake_codec), [] MAC_Dst: 00:21:1C:EE:14:00 36522->53 (03:43:44.701 PDT) EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN 192.168.1.230 (4) (03:41:27.282 PDT) event=224:1 (4) {udp} E4[dns] BHDNS SPYWARE-DNS: wieblatrino.hopto.org (trojan), [] MAC_Src: 00:21:5A:08:BB:0C 34985->53 (03:41:27.282 PDT) 46737->53 (03:42:39.165 PDT) 52658->53 (03:43:11.151 PDT) 33775->53 (03:43:35.669 PDT) OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 122.224.18.94 (03:43:50.304 PDT) event=1:9910009 {tcp} E8[rb] ET ShadowServer confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 42556->80 (03:43:50.304 PDT) tcpslice 1318675287.282 1318675287.283 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100' ============================== SEPARATOR ================================ Score: 2.4 (>= 0.8) Infected Target: 192.168.1.100 Infector List: 91.207.61.48, 192.168.1.230 Egg Source List: 141.11.0.162, 204.123.28.55 C & C List: 211.234.100.137, 192.168.1.230 (7) Peer Coord. List: Resource List: Observed Start: 10/15/2011 03:41:27.282 PDT Gen. 
Time: 10/15/2011 03:49:40.211 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS 91.207.61.48 (03:45:43.898 PDT) event=1:2632222 {tcp} E2[dns] BHDNS SPYWARE-CONTACT: warwork.info (harmful), [] MAC_Dst: 00:21:1C:EE:14:00 37234->53 (03:45:43.898 PDT) 192.168.1.230 (5) (03:43:44.701 PDT) event=224:1 (5) {udp} E2[dns] BHDNS SPYWARE-DNS: porntubebiz.org (fake_codec), [] MAC_Dst: 00:21:1C:EE:14:00 36522->53 (03:43:44.701 PDT) 35577->53 (03:45:33.404 PDT) 34988->53 (03:45:57.904 PDT) 36668->53 (03:46:26.511 PDT) 44601->53 (03:48:32.743 PDT) EGG DOWNLOAD 141.11.0.162 (2) (03:45:40.686 PDT) event=1:2000419 {tcp} E3[rb] ET POLICY PE EXE or DLL Windows file download, [] MAC_Src: 00:21:1C:EE:14:00 39650<-55886 (03:45:40.686 PDT) ------------------------- event=1:3300007 {tcp} E3[rb] BotHunter Malware Windows executable (PE) sent from remote host, [] MAC_Src: 00:21:1C:EE:14:00 39650<-55886 (03:45:40.686 PDT) 204.123.28.55 (2) (03:48:45.624 PDT) event=1:2000419 {tcp} E3[rb] ET POLICY PE EXE or DLL Windows file download, [] MAC_Src: 00:21:1C:EE:14:00 38172<-25756 (03:48:45.624 PDT) ------------------------- event=1:3300007 {tcp} E3[rb] BotHunter Malware Windows executable (PE) sent from remote host, [] MAC_Src: 00:21:1C:EE:14:00 38172<-25756 (03:48:45.624 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) 211.234.100.137 (03:43:56.120 PDT) event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:BB:0C 46149->53 (03:43:56.120 PDT) C and C DNS CHECK-IN 192.168.1.230 (7) (03:41:27.282 PDT) event=224:1 (7) {udp} E4[dns] BHDNS SPYWARE-DNS: wieblatrino.hopto.org (trojan), [] MAC_Src: 00:21:5A:08:BB:0C 34985->53 (03:41:27.282 PDT) 46737->53 (03:42:39.165 PDT) 52658->53 (03:43:11.151 PDT) 33775->53 (03:43:35.669 PDT) 47802->53 (03:44:16.082 PDT) 38863->53 (03:46:21.947 PDT) 38698->53 (03:47:38.823 PDT) OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 130.149.49.136 (03:47:23.008 PDT) event=1:9910006 
{udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 7001->7004 (03:47:23.008 PDT) 92.241.169.250 (03:47:29.639 PDT) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 50958->53 (03:47:29.639 PDT) 122.224.18.94 (03:43:50.304 PDT) event=1:9910009 {tcp} E8[rb] ET ShadowServer confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 42556->80 (03:43:50.304 PDT) tcpslice 1318675287.282 1318675287.283 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100' ============================== SEPARATOR ================================ Score: 1.1 (>= 0.8) Infected Target: 192.168.1.100 Infector List: 192.168.1.230 Egg Source List: C & C List: 96.9.169.85, 192.168.1.230 (2) Peer Coord. List: Resource List: Observed Start: 10/15/2011 03:49:48.553 PDT Gen. Time: 10/15/2011 03:53:56.896 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS 192.168.1.230 (03:49:48.553 PDT) event=224:1 {udp} E2[dns] BHDNS SPYWARE-DNS: simulatormage.ru (zeus), [] MAC_Dst: 00:21:1C:EE:14:00 35223->53 (03:49:48.553 PDT) EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) 96.9.169.85 (03:53:56.896 PDT) event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:BB:0C 33513->53 (03:53:56.896 PDT) C and C DNS CHECK-IN 192.168.1.230 (2) (03:51:08.761 PDT) event=224:1 (2) {udp} E4[dns] BHDNS SPYWARE-DNS: igenorri.hopto.org (malware), [] MAC_Src: 00:21:5A:08:BB:0C 48859->53 (03:51:08.761 PDT) 58636->53 (03:52:22.924 PDT) OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT tcpslice 1318675788.553 1318675788.554 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100' ============================== SEPARATOR ================================ Score: 2.4 (>= 0.8) Infected Target: 192.168.1.100 Infector List: 192.168.1.230 Egg Source List: 199.26.254.70, 129.82.12.188, 108.58.13.205, 203.30.39.238 C & C 
List: 91.209.163.202, 200.147.33.21, 96.9.169.85, 192.168.1.230 (14), 91.228.133.56 (2), 192.168.1.20 Peer Coord. List: Resource List: Observed Start: 10/15/2011 03:49:48.553 PDT Gen. Time: 10/15/2011 04:20:26.656 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS 192.168.1.230 (16) (03:49:48.553 PDT) event=224:1 (16) {udp} E2[dns] BHDNS SPYWARE-DNS: simulatormage.ru (zeus), [] MAC_Dst: 00:21:1C:EE:14:00 35223->53 (03:49:48.553 PDT) 50756->53 (03:55:04.810 PDT) 42893->53 (03:59:44.562 PDT) 60845->53 (04:00:56.727 PDT) 53597->53 (04:01:03.278 PDT) 51519->53 (04:01:42.652 PDT) 47988->53 (04:02:46.870 PDT) 34467->53 (04:02:58.599 PDT) 60661->53 (04:03:02.241 PDT) 52685->53 (04:05:47.621 PDT) 43724->53 (04:08:04.768 PDT) 45533->53 (04:13:50.761 PDT) 37450->53 (04:15:06.565 PDT) 46358->53 (04:15:09.998 PDT) 50566->53 (04:16:36.224 PDT) 42034->53 (04:16:36.224 PDT) EGG DOWNLOAD 199.26.254.70 (2) (04:13:36.376 PDT) event=1:2000419 {tcp} E3[rb] ET POLICY PE EXE or DLL Windows file download, [] MAC_Src: 00:21:1C:EE:14:00 44950<-11815 (04:13:36.376 PDT) ------------------------- event=1:3300007 {tcp} E3[rb] BotHunter Malware Windows executable (PE) sent from remote host, [] MAC_Src: 00:21:1C:EE:14:00 44950<-11815 (04:13:36.376 PDT) 129.82.12.188 (2) (04:08:58.056 PDT) event=1:2000419 {tcp} E3[rb] ET POLICY PE EXE or DLL Windows file download, [] MAC_Src: 00:21:1C:EE:14:00 36511<-17315 (04:08:58.056 PDT) ------------------------- event=1:3300007 {tcp} E3[rb] BotHunter Malware Windows executable (PE) sent from remote host, [] MAC_Src: 00:21:1C:EE:14:00 36511<-17315 (04:08:58.056 PDT) 108.58.13.205 (2) (04:00:26.829 PDT) event=1:2000419 {tcp} E3[rb] ET POLICY PE EXE or DLL Windows file download, [] MAC_Src: 00:21:1C:EE:14:00 50031<-52230 (04:00:26.829 PDT) ------------------------- event=1:3300007 {tcp} E3[rb] BotHunter Malware Windows executable (PE) sent from remote host, [] MAC_Src: 00:21:1C:EE:14:00 50031<-52230 (04:00:26.829 PDT) 203.30.39.238 (2) (03:54:07.901 PDT) 
event=1:2000419 {tcp} E3[rb] ET POLICY PE EXE or DLL Windows file download, [] MAC_Src: 00:21:1C:EE:14:00 54645<-32442 (03:54:07.901 PDT) ------------------------- event=1:3300007 {tcp} E3[rb] BotHunter Malware Windows executable (PE) sent from remote host, [] MAC_Src: 00:21:1C:EE:14:00 54645<-32442 (03:54:07.901 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) 91.209.163.202 (04:13:56.022 PDT) event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:BB:0C 39685->53 (04:13:56.022 PDT) 200.147.33.21 (04:03:56.043 PDT) event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:BB:0C 60438->80 (04:03:56.043 PDT) 96.9.169.85 (03:53:56.896 PDT) event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:BB:0C 33513->53 (03:53:56.896 PDT) C and C DNS CHECK-IN 192.168.1.230 (14) (03:51:08.761 PDT) event=224:1 (14) {udp} E4[dns] BHDNS SPYWARE-DNS: igenorri.hopto.org (malware), [] MAC_Src: 00:21:5A:08:BB:0C 48859->53 (03:51:08.761 PDT) 58636->53 (03:52:22.924 PDT) 49710->53 (03:54:54.833 PDT) 44036->53 (03:55:28.777 PDT) 48660->53 (03:56:21.643 PDT) 45815->53 (03:56:39.616 PDT) 41202->53 (03:57:04.973 PDT) 41606->53 (04:01:26.936 PDT) 55775->53 (04:05:50.958 PDT) 56951->53 (04:06:33.193 PDT) 44956->53 (04:07:34.529 PDT) 50399->53 (04:08:53.937 PDT) 54177->53 (04:09:11.128 PDT) 55704->53 (04:10:07.867 PDT) 91.228.133.56 (2) (03:57:14.581 PDT) event=1:2632222 (2) {tcp} E4[dns] BHDNS SPYWARE-CONTACT: wagequtn.mattemon.info (malware), [] MAC_Src: 00:21:5A:08:BB:0C 59023->53 (03:57:14.581 PDT) 35235->80 (04:07:44.107 PDT) 192.168.1.20 (04:01:29.859 PDT) event=224:1 {udp} E4[dns] BHDNS SPYWARE-DNS: banner-count.com (trojan), [] MAC_Src: 00:21:5A:08:BB:0C 54047->53 (04:01:29.859 PDT) OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 31.170.163.50 (04:17:33.537 PDT) event=1:9910005 {tcp} E8[rb] 
BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 45422->53 (04:17:33.537 PDT) 128.186.122.86 (04:17:23.599 PDT) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 49302->35596 (04:17:23.599 PDT) 41.189.229.65 (04:16:39.528 PDT) event=1:9910009 {tcp} E8[rb] ET ShadowServer confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 44246->80 (04:16:39.528 PDT) 134.34.246.5 (04:07:23.396 PDT) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 7003->7003 (04:07:23.396 PDT) 93.170.52.30 (03:57:29.388 PDT) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 44382->53 (03:57:29.388 PDT) 130.149.49.136 (03:57:23.137 PDT) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 7002->7002 (03:57:23.137 PDT) 195.226.246.3 (03:55:24.636 PDT) event=1:9910009 {tcp} E8[rb] ET ShadowServer confirmed botnet control server, [y5%AAfPf%85-T%E6%B4@%CC%C8%B9%04%DC%F2%F5^5+%08%9E%F8r_%D8%CC^%9A%E2%D7%FCP%CF2%D4%A0Zw_%91a%8E$%FF%8F%FCE%0F%81%CF%C0%D2%BC-%D2E>%F0%BAB%BD%BD~%B7%C4] MAC_Src: 00:21:5A:08:BB:0C 53987->80 (03:55:24.636 PDT) 200.147.33.17 (04:07:33.758 PDT) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 48911->53 (04:07:33.758 PDT) 92.38.209.184 (04:05:50.628 PDT) event=1:9910009 {tcp} E8[rb] ET ShadowServer confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 47660->80 (04:05:50.628 PDT) tcpslice 1318675788.553 1318675788.554 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100' ============================== SEPARATOR ================================ Score: 1.2 (>= 0.8) Infected Target: 192.168.1.100 Infector List: 192.168.1.230 Egg Source List: 128.233.252.11 C & C List: 192.168.1.230 Peer Coord. 
List: Resource List: Observed Start: 10/15/2011 04:20:42.308 PDT Gen. Time: 10/15/2011 04:21:23.390 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS 192.168.1.230 (04:20:42.308 PDT) event=224:1 {udp} E2[dns] BHDNS SPYWARE-DNS: porntubebiz.org (fake_codec), [] MAC_Dst: 00:21:1C:EE:14:00 33085->53 (04:20:42.308 PDT) EGG DOWNLOAD 128.233.252.11 (04:21:23.390 PDT) event=1:2000419 {tcp} E3[rb] ET POLICY PE EXE or DLL Windows file download, [] MAC_Src: 00:21:1C:EE:14:00 42188<-16729 (04:21:23.390 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN 192.168.1.230 (04:21:04.368 PDT) event=224:1 {udp} E4[dns] BHDNS SPYWARE-DNS: igenorri.hopto.org (malware), [] MAC_Src: 00:21:5A:08:BB:0C 58543->53 (04:21:04.368 PDT) OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT tcpslice 1318677642.308 1318677642.309 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100' ============================== SEPARATOR ================================ Score: 2.4 (>= 0.8) Infected Target: 192.168.1.100 Infector List: 41.189.229.65, 192.168.1.230 Egg Source List: 128.233.252.11 C & C List: 122.226.213.40, 192.168.1.230 (7) Peer Coord. List: Resource List: Observed Start: 10/15/2011 04:20:42.308 PDT Gen. 
Time: 10/15/2011 04:33:39.577 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS 41.189.229.65 (04:27:59.832 PDT) event=1:2632222 {tcp} E2[dns] BHDNS SPYWARE-CONTACT: esperadooptic.ru (zeus), [] MAC_Dst: 00:21:1C:EE:14:00 59166->53 (04:27:59.832 PDT) 192.168.1.230 (7) (04:20:42.308 PDT) event=224:1 (7) {udp} E2[dns] BHDNS SPYWARE-DNS: porntubebiz.org (fake_codec), [] MAC_Dst: 00:21:1C:EE:14:00 33085->53 (04:20:42.308 PDT) 56452->53 (04:23:17.204 PDT) 41930->53 (04:27:05.968 PDT) 35457->53 (04:27:58.624 PDT) 45498->53 (04:29:34.481 PDT) 58450->53 (04:30:21.120 PDT) 57686->53 (04:30:38.281 PDT) EGG DOWNLOAD 128.233.252.11 (4) (04:21:23.390 PDT-04:21:23.829 PDT) event=1:2000419 (2) {tcp} E3[rb] ET POLICY PE EXE or DLL Windows file download, [] MAC_Src: 00:21:1C:EE:14:00 2: 42188<-16729 (04:21:23.390 PDT-04:21:23.829 PDT) ------------------------- event=1:3300007 (2) {tcp} E3[rb] BotHunter Malware Windows executable (PE) sent from remote host, [] MAC_Src: 00:21:1C:EE:14:00 2: 42188<-16729 (04:21:23.390 PDT-04:21:23.829 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) 122.226.213.40 (04:24:06.860 PDT) event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [%03&zs%E6p%00()%00%0B%00C%02%00%01%00%14(%93)%CF%E4,3%8F%94%A8%B1%ED%F8%D5%8BUZ?o%8C'%FAD%9F8+%D7%93%F5%F7P%AC%B1S%16iOP%9E%D6] MAC_Src: 00:21:5A:08:BB:0C 55606->80 (04:24:06.860 PDT) C and C DNS CHECK-IN 192.168.1.230 (7) (04:21:04.368 PDT) event=224:1 (7) {udp} E4[dns] BHDNS SPYWARE-DNS: igenorri.hopto.org (malware), [] MAC_Src: 00:21:5A:08:BB:0C 58543->53 (04:21:04.368 PDT) 44628->53 (04:22:54.122 PDT) 47694->53 (04:24:09.671 PDT) 56853->53 (04:24:16.415 PDT) 60560->53 (04:24:42.837 PDT) 60538->53 (04:27:03.041 PDT) 53798->53 (04:28:42.856 PDT) OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 134.34.246.5 (04:27:23.036 PDT) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 7001->7002 
(04:27:23.036 PDT) 216.8.179.25 (04:26:51.811 PDT) event=1:9910009 {tcp} E8[rb] ET ShadowServer confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 35213->53 (04:26:51.811 PDT) 109.70.26.36 (04:27:38.375 PDT) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 58941->53 (04:27:38.375 PDT) tcpslice 1318677642.308 1318677683.830 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100' ============================== SEPARATOR ================================ Score: 1.1 (>= 0.8) Infected Target: 192.168.1.100 Infector List: 192.168.1.230 Egg Source List: C & C List: 121.9.213.187, 192.168.1.230 Peer Coord. List: Resource List: Observed Start: 10/15/2011 04:34:07.152 PDT Gen. Time: 10/15/2011 04:35:19.260 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS 192.168.1.230 (04:34:55.893 PDT) event=224:1 {udp} E2[dns] BHDNS SPYWARE-DNS: papucky.eu (exploit), [] MAC_Dst: 00:21:1C:EE:14:00 38978->53 (04:34:55.893 PDT) EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) 121.9.213.187 (04:34:07.152 PDT) event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:BB:0C 53910->53 (04:34:07.152 PDT) C and C DNS CHECK-IN 192.168.1.230 (04:35:19.260 PDT) event=224:1 {udp} E4[dns] BHDNS SPYWARE-DNS: banner-count.com (trojan), [] MAC_Src: 00:21:5A:08:BB:0C 42253->53 (04:35:19.260 PDT) OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT tcpslice 1318678447.152 1318678447.153 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100' ============================== SEPARATOR ================================ Score: 2.4 (>= 0.8) Infected Target: 192.168.1.100 Infector List: 91.207.61.48, 192.168.1.230 Egg Source List: 203.178.133.3, 192.42.83.250 C & C List: 121.9.213.187, 89.184.73.93, 192.168.1.230 (9) Peer Coord. List: Resource List: Observed Start: 10/15/2011 04:34:07.152 PDT Gen. 
Time: 10/15/2011 04:45:57.323 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS 91.207.61.48 (04:38:45.711 PDT) event=1:2632222 {tcp} E2[dns] BHDNS SPYWARE-CONTACT: warwork.info (harmful), [] MAC_Dst: 00:21:1C:EE:14:00 45262->53 (04:38:45.711 PDT) 192.168.1.230 (10) (04:34:55.893 PDT) event=224:1 (10) {udp} E2[dns] BHDNS SPYWARE-DNS: papucky.eu (exploit), [] MAC_Dst: 00:21:1C:EE:14:00 38978->53 (04:34:55.893 PDT) 41066->53 (04:38:39.085 PDT) 58788->53 (04:39:33.712 PDT) 58926->53 (04:40:39.019 PDT) 33904->53 (04:41:24.980 PDT) 36985->53 (04:41:51.854 PDT) 59092->53 (04:42:44.286 PDT) 36166->53 (04:44:10.583 PDT) 50363->53 (04:44:12.545 PDT) 50615->53 (04:44:16.529 PDT) EGG DOWNLOAD 203.178.133.3 (2) (04:38:12.059 PDT) event=1:2000419 {tcp} E3[rb] ET POLICY PE EXE or DLL Windows file download, [] MAC_Src: 00:21:1C:EE:14:00 49808<-21323 (04:38:12.059 PDT) ------------------------- event=1:3300007 {tcp} E3[rb] BotHunter Malware Windows executable (PE) sent from remote host, [] MAC_Src: 00:21:1C:EE:14:00 49808<-21323 (04:38:12.059 PDT) 192.42.83.250 (2) (04:44:17.155 PDT) event=1:2000419 {tcp} E3[rb] ET POLICY PE EXE or DLL Windows file download, [] MAC_Src: 00:21:1C:EE:14:00 37130<-12038 (04:44:17.155 PDT) ------------------------- event=1:3300007 {tcp} E3[rb] BotHunter Malware Windows executable (PE) sent from remote host, [] MAC_Src: 00:21:1C:EE:14:00 37130<-12038 (04:44:17.155 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) 121.9.213.187 (04:34:07.152 PDT) event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:BB:0C 53910->53 (04:34:07.152 PDT) 89.184.73.93 (04:44:15.794 PDT) event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:BB:0C 42888->53 (04:44:15.794 PDT) C and C DNS CHECK-IN 192.168.1.230 (9) (04:35:19.260 PDT) event=224:1 (9) {udp} E4[dns] BHDNS SPYWARE-DNS: banner-count.com (trojan), [] MAC_Src: 00:21:5A:08:BB:0C 42253->53 (04:35:19.260 PDT) 34333->53 
(04:36:42.108 PDT) 45342->53 (04:37:10.895 PDT) 59895->53 (04:38:07.753 PDT) 59420->53 (04:39:13.370 PDT) 53820->53 (04:40:39.209 PDT) 42870->53 (04:41:33.106 PDT) 48389->53 (04:42:39.218 PDT) 42312->53 (04:44:33.087 PDT) OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 93.170.52.30 (04:37:45.202 PDT) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 33886->53 (04:37:45.202 PDT) 195.226.246.3 (04:37:14.493 PDT) event=1:9910009 {tcp} E8[rb] ET ShadowServer confirmed botnet control server, [/releases/malware/SOURCES/f317bc3530e09c2cf37553b1e12f0f56/f317bc3530e09c2cf37553b1e12f0f56_unpacked.asm.html] MAC_Src: 00:21:5A:08:BB:0C 47546->80 (04:37:14.493 PDT) 132.239.17.226 (04:37:23.092 PDT) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 49302->49302 (04:37:23.092 PDT) tcpslice 1318678447.152 1318678447.153 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.100 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 10/15/2011 04:47:24.393 PDT Gen. 
Time: 10/15/2011 04:47:24.393 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 134.34.246.5 (04:47:24.393 PDT) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 7002->7002 (04:47:24.393 PDT) tcpslice 1318679244.393 1318679244.394 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100' ============================== SEPARATOR ================================ Score: 1.9 (>= 0.8) Infected Target: 192.168.1.100 Infector List: 192.168.1.230, 188.229.89.127 Egg Source List: C & C List: 88.86.113.143, 64.70.19.33, 192.168.1.230 (16), 62.42.230.17 Peer Coord. List: Resource List: Observed Start: 10/15/2011 04:47:24.393 PDT Gen. Time: 10/15/2011 05:05:57.281 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS 192.168.1.230 (9) (04:51:48.780 PDT) event=224:1 (9) {udp} E2[dns] BHDNS SPYWARE-DNS: warwork.info (harmful), [] MAC_Dst: 00:21:1C:EE:14:00 38971->53 (04:51:48.780 PDT) 43973->53 (04:54:42.868 PDT) 59263->53 (04:56:02.813 PDT) 59514->53 (04:56:58.142 PDT) 57633->53 (04:57:03.656 PDT) 33712->53 (04:58:30.453 PDT) 35619->53 (04:59:46.562 PDT) 60326->53 (05:02:47.859 PDT) 48714->53 (05:03:53.573 PDT) 188.229.89.127 (05:00:31.293 PDT) event=1:2632222 {tcp} E2[dns] BHDNS SPYWARE-CONTACT: arhyv.ru (exploit), [] MAC_Dst: 00:21:1C:EE:14:00 38797->80 (05:00:31.293 PDT) EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) 88.86.113.143 (05:04:15.529 PDT) event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:BB:0C 37568->53 (05:04:15.529 PDT) 64.70.19.33 (04:54:15.762 PDT) event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [/ip2geo/geo.php] MAC_Src: 00:21:5A:08:BB:0C 44028->80 (04:54:15.762 PDT) C and C DNS CHECK-IN 192.168.1.230 (16) (04:48:10.875 PDT) event=224:1 (16) 
{udp} E4[dns] BHDNS SPYWARE-DNS: banner-count.com (trojan), [] MAC_Src: 00:21:5A:08:BB:0C 36516->53 (04:48:10.875 PDT) 47631->53 (04:49:36.663 PDT) 41506->53 (04:49:51.999 PDT) 60783->53 (04:51:00.754 PDT) 35046->53 (04:51:04.561 PDT) 50301->53 (04:51:04.908 PDT) 48004->53 (04:52:45.380 PDT) 57241->53 (04:53:40.125 PDT) 52983->53 (04:54:08.783 PDT) 49108->53 (04:55:21.981 PDT) 46117->53 (04:55:28.707 PDT) 38898->53 (05:00:42.637 PDT) 44446->53 (05:01:56.918 PDT) 37129->53 (05:02:55.337 PDT) 55136->53 (05:03:29.676 PDT) 43370->53 (05:03:48.564 PDT) 62.42.230.17 (04:49:52.621 PDT) event=1:2632222 {tcp} E4[dns] BHDNS SPYWARE-CONTACT: albaimtra.com (trojan), [] MAC_Src: 00:21:5A:08:BB:0C 54942->53 (04:49:52.621 PDT) OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 200.147.33.21 (04:57:45.409 PDT) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 50018->53 (04:57:45.409 PDT) 130.149.49.136 (04:57:24.416 PDT) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 7002->7003 (04:57:24.416 PDT) 134.34.246.5 (04:47:24.393 PDT) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 7002->7002 (04:47:24.393 PDT) 200.147.33.17 (04:47:45.934 PDT) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 59043->53 (04:47:45.934 PDT) 195.226.246.3 (2) (04:49:04.435 PDT) event=1:9910009 (2) {tcp} E8[rb] ET ShadowServer confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 52886->80 (04:49:04.435 PDT) 58778->80 (05:00:40.991 PDT) tcpslice 1318679244.393 1318679244.394 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100' ============================== SEPARATOR ================================ Score: 1.5 (>= 0.8) Infected Target: 192.168.1.100 Infector List: 192.168.1.230 Egg Source List: C & C List: 
192.168.1.230 Peer Coord. List: Resource List: Observed Start: 10/15/2011 05:06:30.362 PDT Gen. Time: 10/15/2011 05:07:24.264 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS 192.168.1.230 (2) (05:06:53.361 PDT) event=224:1 (2) {udp} E2[dns] BHDNS SPYWARE-DNS: florianarray.ru (zeus), [] MAC_Dst: 00:21:1C:EE:14:00 55447->53 (05:06:53.361 PDT) 47704->53 (05:06:54.833 PDT) EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN 192.168.1.230 (05:06:30.362 PDT) event=224:1 {udp} E4[dns] BHDNS SPYWARE-DNS: wieblatrino.hopto.org (trojan), [] MAC_Src: 00:21:5A:08:BB:0C 50684->53 (05:06:30.362 PDT) OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 130.149.49.136 (05:07:24.264 PDT) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 7003->7002 (05:07:24.264 PDT) tcpslice 1318680390.362 1318680390.363 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100' ============================== SEPARATOR ================================ Score: 1.5 (>= 0.8) Infected Target: 192.168.1.100 Infector List: 192.168.1.230 Egg Source List: C & C List: 192.168.1.230 (3) Peer Coord. List: Resource List: Observed Start: 10/15/2011 05:06:30.362 PDT Gen. 
Time: 10/15/2011 05:12:24.970 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS 192.168.1.230 (6) (05:06:53.361 PDT) event=224:1 (6) {udp} E2[dns] BHDNS SPYWARE-DNS: florianarray.ru (zeus), [] MAC_Dst: 00:21:1C:EE:14:00 55447->53 (05:06:53.361 PDT) 47704->53 (05:06:54.833 PDT) 56381->53 (05:07:54.614 PDT) 60294->53 (05:08:29.494 PDT) 36702->53 (05:09:41.985 PDT) 41153->53 (05:09:54.334 PDT) EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN 192.168.1.230 (3) (05:06:30.362 PDT) event=224:1 (3) {udp} E4[dns] BHDNS SPYWARE-DNS: wieblatrino.hopto.org (trojan), [] MAC_Src: 00:21:5A:08:BB:0C 50684->53 (05:06:30.362 PDT) 48737->53 (05:08:32.325 PDT) 35430->53 (05:10:23.183 PDT) OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 93.170.52.30 (05:07:45.168 PDT) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 36245->53 (05:07:45.168 PDT) 130.149.49.136 (05:07:24.264 PDT) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 7003->7002 (05:07:24.264 PDT) 31.170.163.70 (05:10:56.059 PDT) event=1:9910009 {tcp} E8[rb] ET ShadowServer confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 46846->80 (05:10:56.059 PDT) tcpslice 1318680390.362 1318680390.363 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100' ============================== SEPARATOR ================================ Score: 1.1 (>= 0.8) Infected Target: 192.168.1.100 Infector List: 91.207.61.48 Egg Source List: C & C List: 200.147.1.41, 192.168.1.230 Peer Coord. List: Resource List: Observed Start: 10/15/2011 05:13:12.541 PDT Gen. 
Time: 10/15/2011 05:14:20.081 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS 91.207.61.48 (05:13:19.642 PDT) event=1:2632222 {tcp} E2[dns] BHDNS SPYWARE-CONTACT: warwork.info (harmful), [] MAC_Dst: 00:21:1C:EE:14:00 36364->80 (05:13:19.642 PDT) EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) 200.147.1.41 (05:14:20.081 PDT) event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:BB:0C 38488->53 (05:14:20.081 PDT) C and C DNS CHECK-IN 192.168.1.230 (05:13:12.541 PDT) event=224:1 {udp} E4[dns] BHDNS SPYWARE-DNS: banner-count.com (trojan), [] MAC_Src: 00:21:5A:08:BB:0C 44656->53 (05:13:12.541 PDT) OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT tcpslice 1318680792.541 1318680792.542 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100' ============================== SEPARATOR ================================ Score: 1.9 (>= 0.8) Infected Target: 192.168.1.100 Infector List: 91.207.61.48, 192.168.1.230 Egg Source List: C & C List: 200.147.33.19, 200.147.1.41, 192.168.1.230 (12) Peer Coord. List: Resource List: Observed Start: 10/15/2011 05:13:12.541 PDT Gen. 
Time: 10/15/2011 05:29:53.119 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS 91.207.61.48 (2) (05:13:19.642 PDT) event=1:2632222 (2) {tcp} E2[dns] BHDNS SPYWARE-CONTACT: warwork.info (harmful), [] MAC_Dst: 00:21:1C:EE:14:00 36364->80 (05:13:19.642 PDT) 40206->53 (05:25:06.041 PDT) 192.168.1.230 (9) (05:16:18.310 PDT) event=224:1 (9) {udp} E2[dns] BHDNS SPYWARE-DNS: warwork.info (harmful), [] MAC_Dst: 00:21:1C:EE:14:00 47178->53 (05:16:18.310 PDT) 54620->53 (05:16:18.310 PDT) 54025->53 (05:16:51.357 PDT) 46122->53 (05:17:09.700 PDT) 56340->53 (05:19:22.668 PDT) 60467->53 (05:20:40.999 PDT) 49815->53 (05:21:37.909 PDT) 54716->53 (05:21:38.599 PDT) 45165->53 (05:28:21.133 PDT) EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) 200.147.33.19 (05:24:20.768 PDT) event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:BB:0C 50067->53 (05:24:20.768 PDT) 200.147.1.41 (05:14:20.081 PDT) event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:BB:0C 38488->53 (05:14:20.081 PDT) C and C DNS CHECK-IN 192.168.1.230 (12) (05:13:12.541 PDT) event=224:1 (12) {udp} E4[dns] BHDNS SPYWARE-DNS: banner-count.com (trojan), [] MAC_Src: 00:21:5A:08:BB:0C 44656->53 (05:13:12.541 PDT) 46232->53 (05:14:52.730 PDT) 40010->53 (05:15:24.883 PDT) 32997->53 (05:15:51.506 PDT) 36400->53 (05:17:20.175 PDT) 55618->53 (05:20:09.307 PDT) 33581->53 (05:21:33.132 PDT) 44434->53 (05:25:18.019 PDT) 59994->53 (05:26:18.661 PDT) 39101->53 (05:26:46.126 PDT) 52983->53 (05:27:53.469 PDT) 45609->53 (05:28:33.932 PDT) OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 216.8.179.25 (05:17:46.489 PDT) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 56326->53 (05:17:46.489 PDT) 130.149.49.136 (2) (05:17:24.429 PDT) event=1:9910006 (2) {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 
00:21:5A:08:BB:0C 7004->7003 (05:17:24.429 PDT) 7003->7003 (05:27:24.377 PDT) 200.72.1.94 (05:20:57.157 PDT) event=1:9910009 {tcp} E8[rb] ET ShadowServer confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 33215->53 (05:20:57.157 PDT) 93.170.52.20 (05:27:46.292 PDT) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 35398->53 (05:27:46.292 PDT) tcpslice 1318680792.541 1318680792.542 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100' ============================== SEPARATOR ================================ Score: 1.3 (>= 0.8) Infected Target: 192.168.1.100 Infector List: Egg Source List: C & C List: 192.168.1.230 Peer Coord. List: Resource List: Observed Start: 10/15/2011 05:30:59.963 PDT Gen. Time: 10/15/2011 05:31:07.296 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN 192.168.1.230 (05:30:59.963 PDT) event=224:1 {udp} E4[dns] BHDNS SPYWARE-DNS: sdkjgndfjnf.ru (malware), [] MAC_Src: 00:21:5A:08:BB:0C 50342->53 (05:30:59.963 PDT) OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 31.170.163.50 (05:31:07.296 PDT) event=1:9910009 {tcp} E8[rb] ET ShadowServer confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 37322->80 (05:31:07.296 PDT) tcpslice 1318681859.963 1318681859.964 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100' ============================== SEPARATOR ================================ Score: 1.9 (>= 0.8) Infected Target: 192.168.1.100 Infector List: 41.189.229.65, 192.168.1.230 Egg Source List: C & C List: 64.86.97.91, 192.168.1.230 (9) Peer Coord. List: Resource List: Observed Start: 10/15/2011 05:30:59.963 PDT Gen. 
Time: 10/15/2011 05:43:54.141 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS 41.189.229.65 (05:35:19.210 PDT) event=1:2632222 {tcp} E2[dns] BHDNS SPYWARE-CONTACT: esperadooptic.ru (zeus), [] MAC_Dst: 00:21:1C:EE:14:00 49896->80 (05:35:19.210 PDT) 192.168.1.230 (8) (05:32:51.770 PDT) event=224:1 (8) {udp} E2[dns] BHDNS SPYWARE-DNS: florianarray.ru (zeus), [] MAC_Dst: 00:21:1C:EE:14:00 42398->53 (05:32:51.770 PDT) 46067->53 (05:33:59.306 PDT) 56412->53 (05:34:07.840 PDT) 39647->53 (05:34:49.142 PDT) 47353->53 (05:34:55.583 PDT) 44494->53 (05:35:17.557 PDT) 51976->53 (05:40:30.951 PDT) 52085->53 (05:42:47.311 PDT) EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) 64.86.97.91 (05:34:40.467 PDT) event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [!`Q%9EE%EBw%EF%06x%94%12%87wB$|%C4%E0%16%BF%C8x%A5%01%15%D5%B6%10^] MAC_Src: 00:21:5A:08:BB:0C 42395->80 (05:34:40.467 PDT) C and C DNS CHECK-IN 192.168.1.230 (9) (05:30:59.963 PDT) event=224:1 (9) {udp} E4[dns] BHDNS SPYWARE-DNS: sdkjgndfjnf.ru (malware), [] MAC_Src: 00:21:5A:08:BB:0C 50342->53 (05:30:59.963 PDT) 39497->53 (05:31:24.015 PDT) 55765->53 (05:31:36.715 PDT) 58455->53 (05:34:27.033 PDT) 58745->53 (05:35:47.199 PDT) 58704->53 (05:37:50.311 PDT) 56799->53 (05:38:16.689 PDT) 53823->53 (05:40:07.531 PDT) 33870->53 (05:41:07.969 PDT) OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 134.34.246.5 (05:37:24.109 PDT) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 7000->7002 (05:37:24.109 PDT) 208.91.196.10 (05:41:26.892 PDT) event=1:9910009 {tcp} E8[rb] ET ShadowServer confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 54731->80 (05:41:26.892 PDT) 31.170.163.50 (05:31:07.296 PDT) event=1:9910009 {tcp} E8[rb] ET ShadowServer confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 37322->80 (05:31:07.296 PDT) 93.170.52.20 (05:37:46.255 PDT) event=1:9910005 {tcp} 
E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 58331->53 (05:37:46.255 PDT) tcpslice 1318681859.963 1318681859.964 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100' ============================== SEPARATOR ================================ Score: 0.9 (>= 0.8) Infected Target: 192.168.1.100 Infector List: Egg Source List: C & C List: 184.22.115.56, 192.168.1.230 Peer Coord. List: Resource List: Observed Start: 10/15/2011 05:44:42.956 PDT Gen. Time: 10/15/2011 05:45:12.549 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) 184.22.115.56 (05:44:42.956 PDT) event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [%B8+{%C6&%E1H%1Eo%CD%0D%7F%AF%B3%06m%A99%CC%10%A5] MAC_Src: 00:21:5A:08:BB:0C 52516->80 (05:44:42.956 PDT) C and C DNS CHECK-IN 192.168.1.230 (05:45:12.549 PDT) event=224:1 {udp} E4[dns] BHDNS SPYWARE-DNS: igenorri.hopto.org (malware), [] MAC_Src: 00:21:5A:08:BB:0C 39469->53 (05:45:12.549 PDT) OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT tcpslice 1318682682.956 1318682682.957 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100' ============================== SEPARATOR ================================ Score: 1.9 (>= 0.8) Infected Target: 192.168.1.100 Infector List: 41.189.229.65, 192.168.1.230 Egg Source List: C & C List: 184.22.115.56, 87.98.140.145, 192.168.1.230 (9) Peer Coord. List: Resource List: Observed Start: 10/15/2011 05:44:42.956 PDT Gen. 
Time: 10/15/2011 05:56:02.445 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS 41.189.229.65 (05:45:34.957 PDT) event=1:2632222 {tcp} E2[dns] BHDNS SPYWARE-CONTACT: esperadooptic.ru (zeus), [] MAC_Dst: 00:21:1C:EE:14:00 36776->80 (05:45:34.957 PDT) 192.168.1.230 (9) (05:45:33.123 PDT) event=224:1 (9) {udp} E2[dns] BHDNS SPYWARE-DNS: florianarray.ru (zeus), [] MAC_Dst: 00:21:1C:EE:14:00 44547->53 (05:45:33.123 PDT) 60120->53 (05:46:54.904 PDT) 53635->53 (05:47:09.827 PDT) 55269->53 (05:47:24.030 PDT) 44562->53 (05:47:36.153 PDT) 35048->53 (05:51:21.054 PDT) 34404->53 (05:51:37.619 PDT) 45272->53 (05:52:18.592 PDT) 52109->53 (05:52:24.359 PDT) EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) 184.22.115.56 (05:44:42.956 PDT) event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [%B8+{%C6&%E1H%1Eo%CD%0D%7F%AF%B3%06m%A99%CC%10%A5] MAC_Src: 00:21:5A:08:BB:0C 52516->80 (05:44:42.956 PDT) 87.98.140.145 (05:54:49.021 PDT) event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [/ipInfo/IPRep.php?IP=75.101.145.196&SPEED=fast&FORMAT=csv] MAC_Src: 00:21:5A:08:BB:0C 54174->80 (05:54:49.021 PDT) C and C DNS CHECK-IN 192.168.1.230 (9) (05:45:12.549 PDT) event=224:1 (9) {udp} E4[dns] BHDNS SPYWARE-DNS: igenorri.hopto.org (malware), [] MAC_Src: 00:21:5A:08:BB:0C 39469->53 (05:45:12.549 PDT) 36138->53 (05:47:47.301 PDT) 60335->53 (05:49:27.163 PDT) 47154->53 (05:49:34.879 PDT) 43237->53 (05:49:59.293 PDT) 35175->53 (05:50:46.569 PDT) 48540->53 (05:51:51.329 PDT) 41578->53 (05:52:26.423 PDT) 47399->53 (05:53:37.508 PDT) OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 208.91.196.10 (05:53:39.209 PDT) event=1:9910009 {tcp} E8[rb] ET ShadowServer confirmed botnet control server, [%14p%E1%A6eY%86%1F%96~%A2%FE%D4%0D%02N%BA@0%A3r%17%03%01%00%1FGL%9EF:%08] MAC_Src: 00:21:5A:08:BB:0C 48221->80 (05:53:39.209 PDT) 213.189.197.13 (05:47:49.659 PDT) event=1:9910005 {tcp} E8[rb] BotHunter REPO 
confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 57020->53 (05:47:49.659 PDT) 206.207.248.34 (05:47:24.063 PDT) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 23127->23127 (05:47:24.063 PDT) tcpslice 1318682682.956 1318682682.957 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100' ============================== SEPARATOR ================================ Score: 1.3 (>= 0.8) Infected Target: 192.168.1.100 Infector List: Egg Source List: C & C List: 192.168.1.230, 62.42.230.17 Peer Coord. List: Resource List: Observed Start: 10/15/2011 05:56:03.989 PDT Gen. Time: 10/15/2011 05:57:25.039 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN 192.168.1.230 (05:56:03.989 PDT) event=224:1 {udp} E4[dns] BHDNS SPYWARE-DNS: albaimtra.com (trojan), [] MAC_Src: 00:21:5A:08:BB:0C 59308->53 (05:56:03.989 PDT) 62.42.230.17 (05:56:04.990 PDT) event=1:2632222 {tcp} E4[dns] BHDNS SPYWARE-CONTACT: albaimtra.com (trojan), [] MAC_Src: 00:21:5A:08:BB:0C 32936->53 (05:56:04.990 PDT) OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 132.239.17.226 (05:57:25.039 PDT) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 2122->2122 (05:57:25.039 PDT) tcpslice 1318683363.989 1318683363.990 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100' ============================== SEPARATOR ================================ Score: 1.9 (>= 0.8) Infected Target: 192.168.1.100 Infector List: 173.236.70.235, 91.207.61.48, 192.168.1.230 Egg Source List: C & C List: 200.147.1.41, 69.10.37.189, 194.186.88.58 (2), 203.121.165.16, 200.147.33.19, 88.198.53.104, 67.19.244.4, 91.209.163.202, 87.252.1.21, 67.21.76.36, 86.109.114.31 (2), 122.226.213.40, 192.168.1.230 (16), 62.42.230.17 Peer Coord. 
List: Resource List: Observed Start: 10/15/2011 05:56:03.989 PDT Gen. Time: 10/15/2011 08:19:57.784 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS 173.236.70.235 (06:08:08.153 PDT) event=1:2632222 {tcp} E2[dns] BHDNS SPYWARE-CONTACT: porntubebiz.org (fake_codec), [] MAC_Dst: 00:21:1C:EE:14:00 53174->53 (06:08:08.153 PDT) 91.207.61.48 (06:18:23.573 PDT) event=1:2632222 {tcp} E2[dns] BHDNS SPYWARE-CONTACT: warwork.info (harmful), [] MAC_Dst: 00:21:1C:EE:14:00 53283->80 (06:18:23.573 PDT) 192.168.1.230 (15) (05:57:30.899 PDT) event=224:1 (15) {udp} E2[dns] BHDNS SPYWARE-DNS: florianarray.ru (zeus), [] MAC_Dst: 00:21:1C:EE:14:00 33040->53 (05:57:30.899 PDT) 42378->53 (05:58:19.773 PDT) 37916->53 (05:58:24.091 PDT) 38190->53 (06:00:11.280 PDT) 55040->53 (06:00:22.150 PDT) 60110->53 (06:03:09.981 PDT) 47130->53 (06:03:59.290 PDT) 36826->53 (06:08:07.119 PDT) 47977->53 (06:09:28.140 PDT) 38671->53 (06:09:48.722 PDT) 58242->53 (06:10:40.124 PDT) 49800->53 (06:12:24.188 PDT) 36440->53 (06:13:00.950 PDT) 38004->53 (06:13:02.766 PDT) 57980->53 (06:13:45.420 PDT) EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) 200.147.1.41 (07:07:11.706 PDT) event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [G%05%88dG%C8w%D4%13BitTorrent protocol%00%00%00%00%00%00%00%00F%98I1%15;%F2] MAC_Src: 00:21:5A:08:BB:0C 41588->80 (07:07:11.706 PDT) 69.10.37.189 (07:37:12.532 PDT) event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:BB:0C 49162->53 (07:37:12.532 PDT) 194.186.88.58 (2) (06:46:25.109 PDT) event=1:3810007 (2) {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:BB:0C 40809->53 (06:46:25.109 PDT) 45000->80 (08:07:44.570 PDT) 203.121.165.16 (06:57:05.585 PDT) event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:BB:0C 50270->53 (06:57:05.585 PDT) 200.147.33.19 (07:17:11.437 PDT) event=1:3810007 {tcp} E4[nbr] ET Known 
Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:BB:0C 37028->80 (07:17:11.437 PDT) 88.198.53.104 (07:27:12.038 PDT) event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:BB:0C 34628->80 (07:27:12.038 PDT) 67.19.244.4 (06:26:16.889 PDT) event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:BB:0C 50878->80 (06:26:16.889 PDT) 91.209.163.202 (06:15:39.974 PDT) event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:BB:0C 38274->80 (06:15:39.974 PDT) 87.252.1.21 (08:17:45.364 PDT) event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:BB:0C 59990->80 (08:17:45.364 PDT) 67.21.76.36 (06:36:25.320 PDT) event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [/3/items/capital_vol1_0810_librivox/capitalvol1_35_marx.mp3] MAC_Src: 00:21:5A:08:BB:0C 59031->80 (06:36:25.320 PDT) 86.109.114.31 (2) (06:05:34.381 PDT) event=1:3810007 (2) {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:BB:0C 37647->53 (06:05:34.381 PDT) 50352->53 (07:47:20.673 PDT) 122.226.213.40 (07:57:35.191 PDT) event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:BB:0C 49339->53 (07:57:35.191 PDT) C and C DNS CHECK-IN 192.168.1.230 (16) (05:56:03.989 PDT) event=224:1 (16) {udp} E4[dns] BHDNS SPYWARE-DNS: albaimtra.com (trojan), [] MAC_Src: 00:21:5A:08:BB:0C 59308->53 (05:56:03.989 PDT) 35067->53 (05:58:04.441 PDT) 41896->53 (06:00:11.280 PDT) 55676->53 (06:00:12.203 PDT) 47571->53 (06:01:25.640 PDT) 54784->53 (06:02:08.915 PDT) 57942->53 (06:02:32.326 PDT) 60605->53 (06:04:34.137 PDT) 47736->53 (06:05:18.288 PDT) 45417->53 (06:08:30.590 PDT) 42870->53 (06:09:49.458 PDT) 46426->53 (06:10:53.431 PDT) 44616->53 (06:11:40.060 PDT) 40351->53 (06:15:08.052 PDT) 39324->53 
(06:16:38.248 PDT) 39562->53 (06:17:20.577 PDT) 62.42.230.17 (05:56:04.990 PDT) event=1:2632222 {tcp} E4[dns] BHDNS SPYWARE-CONTACT: albaimtra.com (trojan), [] MAC_Src: 00:21:5A:08:BB:0C 32936->53 (05:56:04.990 PDT) OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 128.227.11.13 (06:47:31.798 PDT) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 49302->4040 (06:47:31.798 PDT) 212.44.109.181 (06:14:43.255 PDT) event=1:9910009 {tcp} E8[rb] ET ShadowServer confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 36098->80 (06:14:43.255 PDT) 200.147.1.41 (06:27:52.197 PDT) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 44335->53 (06:27:52.197 PDT) 66.45.238.251 (06:04:04.878 PDT) event=1:9910009 {tcp} E8[rb] ET ShadowServer confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 52754->80 (06:04:04.878 PDT) 60.19.30.131 (06:25:27.010 PDT) event=1:9910009 {tcp} E8[rb] ET ShadowServer confirmed botnet control server, [%0D%C2%DB%CA%99%F7%D2%AB%96*%C5%E4%CB%86%A3%83x%9F%D0%92%A2%86>%A4%BA%92%B6t%89%14%9BD}%8C%9Cp.%A5h%13%B5%C6%DC] MAC_Src: 00:21:5A:08:BB:0C 42634->80 (06:25:27.010 PDT) 67.55.67.250 (06:47:56.043 PDT) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 41857->53 (06:47:56.043 PDT) 134.34.246.5 (2) (06:17:25.064 PDT) event=1:9910006 (2) {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 7003->7004 (06:17:25.064 PDT) 4121->4121 (06:37:25.807 PDT) 93.170.52.30 (06:37:54.115 PDT) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 40713->53 (06:37:54.115 PDT) 67.19.244.4 (06:07:50.526 PDT) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 60496->53 (06:07:50.526 PDT) 
130.149.49.136 (2) (06:07:25.339 PDT) event=1:9910006 (2) {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 7004->7000 (06:07:25.339 PDT) 7000->7004 (06:27:25.059 PDT) 195.226.246.3 (06:45:39.058 PDT) event=1:9910009 {tcp} E8[rb] ET ShadowServer confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 56895->80 (06:45:39.058 PDT) 87.252.1.21 (05:57:50.353 PDT) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 55332->53 (05:57:50.353 PDT) 200.72.1.94 (06:35:32.369 PDT) event=1:9910009 {tcp} E8[rb] ET ShadowServer confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 53628->53 (06:35:32.369 PDT) 91.207.61.48 (06:17:52.068 PDT) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 58654->53 (06:17:52.068 PDT) 132.239.17.226 (05:57:25.039 PDT) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 2122->2122 (05:57:25.039 PDT) tcpslice 1318683363.989 1318683363.990 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100' ============================== SEPARATOR ================================ Score: 1.5 (>= 0.8) Infected Target: 192.168.1.100 Infector List: 192.168.1.230 Egg Source List: C & C List: 192.168.1.230 (2) Peer Coord. List: Resource List: Observed Start: 10/15/2011 08:20:54.901 PDT Gen. 
Time: 10/15/2011 08:21:13.369 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS 192.168.1.230 (08:21:12.577 PDT) event=224:1 {udp} E2[dns] BHDNS SPYWARE-DNS: simulatormage.ru (zeus), [] MAC_Dst: 00:21:1C:EE:14:00 51358->53 (08:21:12.577 PDT) EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN 192.168.1.230 (2) (08:20:54.901 PDT) event=224:1 (2) {udp} E4[dns] BHDNS SPYWARE-DNS: wieblatrino.hopto.org (trojan), [] MAC_Src: 00:21:5A:08:BB:0C 48178->53 (08:20:54.901 PDT) 60661->53 (08:20:54.976 PDT) OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 41.189.229.65 (08:21:13.369 PDT) event=1:9910009 {tcp} E8[rb] ET ShadowServer confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 35216->80 (08:21:13.369 PDT) tcpslice 1318692054.901 1318692054.902 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100' ============================== SEPARATOR ================================ Score: 1.5 (>= 0.8) Infected Target: 192.168.1.100 Infector List: 192.168.1.230 Egg Source List: C & C List: 192.168.1.230 (3) Peer Coord. List: Resource List: Observed Start: 10/15/2011 08:20:54.901 PDT Gen. 
Time: 10/15/2011 08:24:14.743 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS 192.168.1.230 (3) (08:21:12.577 PDT) event=224:1 (3) {udp} E2[dns] BHDNS SPYWARE-DNS: simulatormage.ru (zeus), [] MAC_Dst: 00:21:1C:EE:14:00 51358->53 (08:21:12.577 PDT) 54675->53 (08:21:18.163 PDT) 49531->53 (08:22:48.593 PDT) EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN 192.168.1.230 (3) (08:20:54.901 PDT) event=224:1 (3) {udp} E4[dns] BHDNS SPYWARE-DNS: wieblatrino.hopto.org (trojan), [] MAC_Src: 00:21:5A:08:BB:0C 48178->53 (08:20:54.901 PDT) 60661->53 (08:20:54.976 PDT) 48503->53 (08:21:59.459 PDT) OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 41.189.229.65 (08:21:13.369 PDT) event=1:9910009 {tcp} E8[rb] ET ShadowServer confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 35216->80 (08:21:13.369 PDT) tcpslice 1318692054.901 1318692054.902 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100' ============================== SEPARATOR ================================ Score: 1.5 (>= 0.8) Infected Target: 192.168.1.100 Infector List: 88.198.53.104 Egg Source List: C & C List: 192.168.1.230 (3) Peer Coord. List: Resource List: Observed Start: 10/15/2011 08:25:03.278 PDT Gen. 
Time: 10/15/2011 08:27:35.208 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS 88.198.53.104 (08:25:07.943 PDT) event=1:2632222 {tcp} E2[dns] BHDNS SPYWARE-CONTACT: sourcegoogle.com (harmful), [/campings-ciudad/70102/camping-ponte-dos-banos.htm] MAC_Dst: 00:21:1C:EE:14:00 33973->80 (08:25:07.943 PDT) EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN 192.168.1.230 (3) (08:25:03.278 PDT) event=224:1 (3) {udp} E4[dns] BHDNS SPYWARE-DNS: soudckrnkuzu.tk (malware), [] MAC_Src: 00:21:5A:08:BB:0C 53115->53 (08:25:03.278 PDT) 35994->53 (08:25:53.471 PDT) 36093->53 (08:27:16.777 PDT) OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 206.207.248.34 (08:27:35.208 PDT) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 23127->23127 (08:27:35.208 PDT) tcpslice 1318692303.278 1318692303.279 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100' ============================== SEPARATOR ================================ Score: 1.9 (>= 0.8) Infected Target: 192.168.1.100 Infector List: 88.198.53.104, 91.207.61.48, 192.168.1.230, 82.210.157.9 Egg Source List: C & C List: 60.190.93.178, 62.149.140.20, 200.147.1.41, 212.150.130.183, 192.168.1.230 (17) Peer Coord. List: Resource List: Observed Start: 10/15/2011 08:25:03.278 PDT Gen. 
Time: 10/15/2011 09:06:09.984 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS 88.198.53.104 (08:25:07.943 PDT) event=1:2632222 {tcp} E2[dns] BHDNS SPYWARE-CONTACT: sourcegoogle.com (harmful), [/campings-ciudad/70102/camping-ponte-dos-banos.htm] MAC_Dst: 00:21:1C:EE:14:00 33973->80 (08:25:07.943 PDT) 91.207.61.48 (08:36:55.915 PDT) event=1:2632222 {tcp} E2[dns] BHDNS SPYWARE-CONTACT: warwork.info (harmful), [] MAC_Dst: 00:21:1C:EE:14:00 45069->53 (08:36:55.915 PDT) 192.168.1.230 (14) (08:30:31.314 PDT) event=224:1 (14) {udp} E2[dns] BHDNS SPYWARE-DNS: florianarray.ru (zeus), [] MAC_Dst: 00:21:1C:EE:14:00 52653->53 (08:30:31.314 PDT) 50538->53 (08:31:02.417 PDT) 35150->53 (08:31:58.179 PDT) 57467->53 (08:32:30.421 PDT) 54670->53 (08:34:22.698 PDT) 58504->53 (08:34:26.333 PDT) 43004->53 (08:34:28.613 PDT) 55204->53 (08:39:37.927 PDT) 43717->53 (08:41:39.009 PDT) 38042->53 (08:42:28.091 PDT) 47731->53 (08:43:53.278 PDT) 54650->53 (08:44:25.678 PDT) 47527->53 (08:44:38.338 PDT) 37222->53 (08:47:19.760 PDT) 82.210.157.9 (08:47:21.126 PDT) event=1:2632222 {tcp} E2[dns] BHDNS SPYWARE-CONTACT: florianarray.ru (zeus), [] MAC_Dst: 00:21:1C:EE:14:00 60977->53 (08:47:21.126 PDT) EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) 60.190.93.178 (08:58:07.945 PDT) event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:BB:0C 43284->80 (08:58:07.945 PDT) 62.149.140.20 (08:47:58.888 PDT) event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:BB:0C 43558->80 (08:47:58.888 PDT) 200.147.1.41 (08:37:56.887 PDT) event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:BB:0C 54654->80 (08:37:56.887 PDT) 212.150.130.183 (08:27:45.209 PDT) event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:BB:0C 46145->53 (08:27:45.209 PDT) C and C DNS CHECK-IN 192.168.1.230 (17) (08:25:03.278 PDT) 
event=224:1 (17) {udp} E4[dns] BHDNS SPYWARE-DNS: soudckrnkuzu.tk (malware), [] MAC_Src: 00:21:5A:08:BB:0C 53115->53 (08:25:03.278 PDT) 35994->53 (08:25:53.471 PDT) 36093->53 (08:27:16.777 PDT) 42406->53 (08:29:08.484 PDT) 33937->53 (08:29:48.079 PDT) 56575->53 (08:35:11.234 PDT) 36650->53 (08:36:35.259 PDT) 58399->53 (08:36:53.314 PDT) 52484->53 (08:38:56.975 PDT) 39970->53 (08:39:04.019 PDT) 56384->53 (08:39:33.186 PDT) 39595->53 (08:40:53.808 PDT) 57776->53 (08:41:04.810 PDT) 47429->53 (08:43:59.846 PDT) 54381->53 (08:45:26.365 PDT) 46296->53 (08:48:35.895 PDT) 58922->53 (08:48:53.727 PDT) OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 60.190.93.178 (08:58:11.214 PDT) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 52656->53 (08:58:11.214 PDT) 31.170.163.50 (09:03:28.161 PDT) event=1:9910009 {tcp} E8[rb] ET ShadowServer confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 58507->53 (09:03:28.161 PDT) 128.186.122.86 (08:47:36.547 PDT) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 49302->50889 (08:47:36.547 PDT) 60.19.30.131 (08:32:00.991 PDT) event=1:9910009 {tcp} E8[rb] ET ShadowServer confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 38610->53 (08:32:00.991 PDT) 123.108.111.67 (08:28:10.629 PDT) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 43073->53 (08:28:10.629 PDT) 93.170.52.30 (08:48:11.788 PDT) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 40152->53 (08:48:11.788 PDT) 195.226.246.3 (08:53:28.249 PDT) event=1:9910009 {tcp} E8[rb] ET ShadowServer confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 52900->53 (08:53:28.249 PDT) 216.8.179.25 (08:42:54.528 PDT) event=1:9910009 {tcp} E8[rb] ET ShadowServer confirmed botnet control server, 
[] MAC_Src: 00:21:5A:08:BB:0C 42651->53 (08:42:54.528 PDT) 92.38.209.184 (08:38:10.291 PDT) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 38686->53 (08:38:10.291 PDT) 206.207.248.34 (2) (08:27:35.208 PDT-08:37:35.175 PDT) event=1:9910006 (2) {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 2: 23127->23127 (08:27:35.208 PDT-08:37:35.175 PDT) 128.163.142.20 (08:57:37.023 PDT) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 23127->23127 (08:57:37.023 PDT) tcpslice 1318692303.278 1318693055.176 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100' ============================== SEPARATOR ================================ Score: 1.5 (>= 0.8) Infected Target: 192.168.1.100 Infector List: 192.168.1.230, 192.168.1.20 Egg Source List: C & C List: 192.168.1.230 Peer Coord. List: Resource List: Observed Start: 10/15/2011 09:06:51.245 PDT Gen. 
Time: 10/15/2011 09:07:37.399 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS 192.168.1.230 (09:07:08.017 PDT) event=224:1 {udp} E2[dns] BHDNS SPYWARE-DNS: porntubebiz.org (fake_codec), [] MAC_Dst: 00:21:1C:EE:14:00 38675->53 (09:07:08.017 PDT) 192.168.1.20 (09:07:09.065 PDT) event=224:1 {udp} E2[dns] BHDNS SPYWARE-DNS: porntubebiz.org (fake_codec), [] MAC_Dst: 00:21:1C:EE:14:00 34257->53 (09:07:09.065 PDT) EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN 192.168.1.230 (09:06:51.245 PDT) event=224:1 {udp} E4[dns] BHDNS SPYWARE-DNS: wagequtn.mattemon.info (malware), [] MAC_Src: 00:21:5A:08:BB:0C 52413->53 (09:06:51.245 PDT) OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 128.227.11.13 (09:07:37.399 PDT) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 49302->4040 (09:07:37.399 PDT) tcpslice 1318694811.245 1318694811.246 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100' ============================== SEPARATOR ================================ Score: 1.9 (>= 0.8) Infected Target: 192.168.1.100 Infector List: 192.168.1.230, 188.229.89.127, 192.168.1.20 Egg Source List: C & C List: 91.209.163.202, 192.168.1.230 Peer Coord. List: Resource List: Observed Start: 10/15/2011 09:06:51.245 PDT Gen. 
Time: 10/15/2011 09:13:05.006 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS 192.168.1.230 (5) (09:07:08.017 PDT) event=224:1 (5) {udp} E2[dns] BHDNS SPYWARE-DNS: porntubebiz.org (fake_codec), [] MAC_Dst: 00:21:1C:EE:14:00 38675->53 (09:07:08.017 PDT) 49625->53 (09:08:59.634 PDT) 45033->53 (09:09:01.383 PDT) 53828->53 (09:09:12.898 PDT) 34556->53 (09:10:07.971 PDT) 188.229.89.127 (09:07:49.419 PDT) event=1:2632222 {tcp} E2[dns] BHDNS SPYWARE-CONTACT: arhyv.ru (exploit), [%17] MAC_Dst: 00:21:1C:EE:14:00 48943->80 (09:07:49.419 PDT) 192.168.1.20 (5) (09:07:09.065 PDT) event=224:1 (5) {udp} E2[dns] BHDNS SPYWARE-DNS: porntubebiz.org (fake_codec), [] MAC_Dst: 00:21:1C:EE:14:00 34257->53 (09:07:09.065 PDT) 41546->53 (09:09:02.216 PDT) 42966->53 (09:09:09.425 PDT) 53311->53 (09:09:13.891 PDT) 39676->53 (09:10:09.051 PDT) EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) 91.209.163.202 (09:08:12.748 PDT) event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:BB:0C 47871->80 (09:08:12.748 PDT) C and C DNS CHECK-IN 192.168.1.230 (09:06:51.245 PDT) event=224:1 {udp} E4[dns] BHDNS SPYWARE-DNS: wagequtn.mattemon.info (malware), [] MAC_Src: 00:21:5A:08:BB:0C 52413->53 (09:06:51.245 PDT) OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 91.209.163.202 (09:08:12.748 PDT) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 45936->53 (09:08:12.748 PDT) 128.227.11.13 (09:07:37.399 PDT) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 49302->4040 (09:07:37.399 PDT) tcpslice 1318694811.245 1318694811.246 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100' ============================== SEPARATOR ================================ Score: 1.3 (>= 0.8) Infected Target: 192.168.1.100 Infector List: Egg Source List: C & C List: 192.168.1.230 Peer Coord. 
List: Resource List: Observed Start: 10/15/2011 09:13:25.524 PDT Gen. Time: 10/15/2011 09:13:30.568 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN 192.168.1.230 (09:13:25.524 PDT) event=224:1 {udp} E4[dns] BHDNS SPYWARE-DNS: igenorri.hopto.org (malware), [] MAC_Src: 00:21:5A:08:BB:0C 52336->53 (09:13:25.524 PDT) OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 195.226.246.3 (09:13:30.568 PDT) event=1:9910009 {tcp} E8[rb] ET ShadowServer confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 54576->80 (09:13:30.568 PDT) tcpslice 1318695205.524 1318695205.525 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100' ============================== SEPARATOR ================================ Score: 1.9 (>= 0.8) Infected Target: 192.168.1.100 Infector List: 41.189.229.65, 192.168.1.230 Egg Source List: C & C List: 83.170.72.109, 216.240.140.201, 192.168.1.230 (15), 91.228.133.56 Peer Coord. List: Resource List: Observed Start: 10/15/2011 09:13:25.524 PDT Gen. 
Time: 10/15/2011 09:30:47.139 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS 41.189.229.65 (09:27:53.911 PDT) event=1:2632222 {tcp} E2[dns] BHDNS SPYWARE-CONTACT: esperadooptic.ru (zeus), [/RealMedia/ads/adstream_lx.ads/us.ibtimes/tv/articles/L22/1028564487/x42/IBTimes/USA_CM-US_Adknowledge_Post-roll_US_0921/Adknow] MAC_Dst: 00:21:1C:EE:14:00 41231->80 (09:27:53.911 PDT) 192.168.1.230 (12) (09:13:47.809 PDT) event=224:1 (12) {udp} E2[dns] BHDNS SPYWARE-DNS: simulatormage.ru (zeus), [] MAC_Dst: 00:21:1C:EE:14:00 50514->53 (09:13:47.809 PDT) 59958->53 (09:13:50.690 PDT) 56291->53 (09:14:45.831 PDT) 47906->53 (09:15:12.133 PDT) 46537->53 (09:22:50.037 PDT) 49356->53 (09:23:57.381 PDT) 55763->53 (09:25:01.760 PDT) 58882->53 (09:27:32.362 PDT) 42545->53 (09:27:32.362 PDT) 44150->53 (09:27:32.362 PDT) 57615->53 (09:27:53.658 PDT) 44720->53 (09:29:42.246 PDT) EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) 83.170.72.109 (09:28:22.917 PDT) event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:BB:0C 51137->80 (09:28:22.917 PDT) 216.240.140.201 (09:18:17.259 PDT) event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:BB:0C 50334->80 (09:18:17.259 PDT) C and C DNS CHECK-IN 192.168.1.230 (15) (09:13:25.524 PDT) event=224:1 (15) {udp} E4[dns] BHDNS SPYWARE-DNS: igenorri.hopto.org (malware), [] MAC_Src: 00:21:5A:08:BB:0C 52336->53 (09:13:25.524 PDT) 52381->53 (09:14:08.370 PDT) 53990->53 (09:15:36.105 PDT) 37284->53 (09:17:00.735 PDT) 53280->53 (09:17:39.222 PDT) 36862->53 (09:17:43.223 PDT) 38697->53 (09:18:05.695 PDT) 42425->53 (09:18:48.051 PDT) 48224->53 (09:20:17.857 PDT) 39553->53 (09:20:35.046 PDT) 55936->53 (09:21:26.145 PDT) 48043->53 (09:27:12.478 PDT) 58072->53 (09:28:03.240 PDT) 47351->53 (09:28:42.259 PDT) 47676->53 (09:29:13.953 PDT) 91.228.133.56 (09:17:49.837 PDT) event=1:2632222 {tcp} E4[dns] BHDNS SPYWARE-CONTACT: wagequtn.mattemon.info (malware), [] MAC_Src: 
00:21:5A:08:BB:0C 60143->53 (09:17:49.837 PDT) OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 93.170.52.30 (09:28:15.901 PDT) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 56001->53 (09:28:15.901 PDT) 216.8.179.25 (09:23:32.164 PDT) event=1:9910009 {tcp} E8[rb] ET ShadowServer confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 35647->53 (09:23:32.164 PDT) 195.226.246.3 (09:13:30.568 PDT) event=1:9910009 {tcp} E8[rb] ET ShadowServer confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 54576->80 (09:13:30.568 PDT) 132.239.17.226 (09:17:37.568 PDT) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 56391->56391 (09:17:37.568 PDT) 128.227.11.13 (09:27:37.090 PDT) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 49302->4040 (09:27:37.090 PDT) 93.170.52.20 (09:18:14.331 PDT) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 50367->53 (09:18:14.331 PDT) tcpslice 1318695205.524 1318695205.525 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100' ============================== SEPARATOR ================================ Score: 1.3 (>= 0.8) Infected Target: 192.168.1.100 Infector List: Egg Source List: C & C List: 192.168.1.230 (3) Peer Coord. List: Resource List: Observed Start: 10/15/2011 09:31:44.833 PDT Gen. 
Time: 10/15/2011 09:33:58.933 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN 192.168.1.230 (3) (09:31:44.833 PDT) event=224:1 (3) {udp} E4[dns] BHDNS SPYWARE-DNS: soudckrnkuzu.tk (malware), [] MAC_Src: 00:21:5A:08:BB:0C 55469->53 (09:31:44.833 PDT) 36492->53 (09:31:55.806 PDT) 54249->53 (09:33:56.092 PDT) OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 8.5.1.44 (09:33:58.933 PDT) event=1:9910009 {tcp} E8[rb] ET ShadowServer confirmed botnet control server, [/safebrowsing/rd/ChFnb29nLXBoaXNoLXNoYXZhchABGNSEBSDYhAUqBVVCAQAPMgVUQgEAAQ] MAC_Src: 00:21:5A:08:BB:0C 46966->80 (09:33:58.933 PDT) tcpslice 1318696304.833 1318696304.834 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100' ============================== SEPARATOR ================================ Score: 1.9 (>= 0.8) Infected Target: 192.168.1.100 Infector List: 192.168.1.230, 188.229.89.127, 60.19.30.131 Egg Source List: C & C List: 91.209.163.202 (2), 83.170.72.109, 87.252.1.21, 200.147.33.19, 200.147.1.41, 192.168.1.230 (17) Peer Coord. List: Resource List: Observed Start: 10/15/2011 09:31:44.833 PDT Gen. 
Time: 10/15/2011 10:31:00.209 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS 192.168.1.230 (15) (09:35:59.525 PDT) event=224:1 (15) {udp} E2[dns] BHDNS SPYWARE-DNS: arhyv.ru (exploit), [] MAC_Dst: 00:21:1C:EE:14:00 34377->53 (09:35:59.525 PDT) 57001->53 (09:36:58.376 PDT) 43535->53 (09:38:10.615 PDT) 34252->53 (09:40:07.457 PDT) 55062->53 (09:40:19.359 PDT) 39327->53 (09:40:19.687 PDT) 41589->53 (09:45:27.003 PDT) 58692->53 (09:46:30.269 PDT) 57409->53 (09:48:26.323 PDT) 47666->53 (09:48:40.984 PDT) 43416->53 (09:49:21.303 PDT) 39979->53 (09:50:02.148 PDT) 39163->53 (09:52:20.922 PDT) 56213->53 (09:52:25.464 PDT) 48059->53 (09:52:51.514 PDT) 188.229.89.127 (09:47:54.850 PDT) event=1:2632222 {tcp} E2[dns] BHDNS SPYWARE-CONTACT: arhyv.ru (exploit), [] MAC_Dst: 00:21:1C:EE:14:00 59212->53 (09:47:54.850 PDT) 60.19.30.131 (09:37:54.044 PDT) event=1:2632222 {tcp} E2[dns] BHDNS SPYWARE-CONTACT: esperadooptic.ru (zeus), [] MAC_Dst: 00:21:1C:EE:14:00 47443->53 (09:37:54.044 PDT) EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) 91.209.163.202 (2) (09:49:19.579 PDT) event=1:3810007 (2) {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:BB:0C 46171->80 (09:49:19.579 PDT) 45482->80 (10:29:40.063 PDT) 83.170.72.109 (10:19:40.252 PDT) event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:BB:0C 39260->80 (10:19:40.252 PDT) 87.252.1.21 (09:59:24.918 PDT) event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:BB:0C 53659->53 (09:59:24.918 PDT) 200.147.33.19 (10:09:40.175 PDT) event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:BB:0C 52413->80 (10:09:40.175 PDT) 200.147.1.41 (09:39:14.455 PDT) event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:BB:0C 38356->80 (09:39:14.455 PDT) C and C DNS CHECK-IN 192.168.1.230 (17) (09:31:44.833 PDT) 
event=224:1 (17) {udp} E4[dns] BHDNS SPYWARE-DNS: soudckrnkuzu.tk (malware), [] MAC_Src: 00:21:5A:08:BB:0C 55469->53 (09:31:44.833 PDT) 36492->53 (09:31:55.806 PDT) 54249->53 (09:33:56.092 PDT) 37994->53 (09:34:42.506 PDT) 47530->53 (09:40:47.401 PDT) 40977->53 (09:41:30.804 PDT) 33708->53 (09:41:59.670 PDT) 35176->53 (09:44:10.533 PDT) 50137->53 (09:44:53.490 PDT) 49020->53 (09:46:47.791 PDT) 53145->53 (09:46:47.905 PDT) 50380->53 (09:51:51.348 PDT) 45682->53 (09:53:56.455 PDT) 42308->53 (09:54:44.396 PDT) 60831->53 (09:55:44.379 PDT) 38062->53 (09:57:29.298 PDT) 60524->53 (09:57:58.653 PDT) OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 128.227.11.13 (10:17:41.027 PDT) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 49302->4040 (10:17:41.027 PDT) 128.186.122.86 (09:47:41.188 PDT) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 49302->36339 (09:47:41.188 PDT) 8.5.1.44 (09:33:58.933 PDT) event=1:9910009 {tcp} E8[rb] ET ShadowServer confirmed botnet control server, [/safebrowsing/rd/ChFnb29nLXBoaXNoLXNoYXZhchABGNSEBSDYhAUqBVVCAQAPMgVUQgEAAQ] MAC_Src: 00:21:5A:08:BB:0C 46966->80 (09:33:58.933 PDT) 134.34.246.5 (10:27:41.328 PDT) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 4797->4797 (10:27:41.328 PDT) 93.170.52.30 (2) (09:38:33.590 PDT) event=1:9910005 (2) {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 49123->53 (09:38:33.590 PDT) 34392->53 (10:08:37.030 PDT) 31.170.163.70 (09:57:01.475 PDT) event=1:9910009 {tcp} E8[rb] ET ShadowServer confirmed botnet control server, [/owl/update?] 
Time: 10/15/2011 13:27:57.677 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS 192.168.1.230 (4) (13:21:57.641 PDT) event=224:1 (4) {udp} E2[dns] BHDNS SPYWARE-DNS: warwork.info (harmful), [] MAC_Dst: 00:21:1C:EE:14:00 47497->53 (13:21:57.641 PDT) 59752->53 (13:22:57.388 PDT) 40369->53 (13:23:42.910 PDT) 55663->53 (13:24:33.145 PDT) EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) 200.147.1.41 (13:22:36.996 PDT) event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:BB:0C 55204->53 (13:22:36.996 PDT) C and C DNS CHECK-IN 192.168.1.230 (4) (13:24:31.154 PDT) event=224:1 (4) {udp} E4[dns] BHDNS SPYWARE-DNS: wagequtn.mattemon.info (malware), [] MAC_Src: 00:21:5A:08:BB:0C 40310->53 (13:24:31.154 PDT) 52273->53 (13:24:41.002 PDT) 57420->53 (13:25:35.321 PDT) 57672->53 (13:25:51.743 PDT) OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 206.207.248.34 (13:27:57.677 PDT) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 23127->23127 (13:27:57.677 PDT) tcpslice 1318710117.641 1318710117.642 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100' ============================== SEPARATOR ================================ Score: 1.5 (>= 0.8) Infected Target: 192.168.1.100 Infector List: 192.168.1.230, 82.210.157.9 Egg Source List: C & C List: 192.168.1.230 Peer Coord. List: Resource List: Observed Start: 10/15/2011 13:27:57.981 PDT Gen. 
Time: 10/15/2011 13:29:21.117 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS 192.168.1.230 (13:28:51.572 PDT) event=224:1 {udp} E2[dns] BHDNS SPYWARE-DNS: florianarray.ru (zeus), [] MAC_Dst: 00:21:1C:EE:14:00 56537->53 (13:28:51.572 PDT) 82.210.157.9 (13:28:52.343 PDT) event=1:2632222 {tcp} E2[dns] BHDNS SPYWARE-CONTACT: florianarray.ru (zeus), [] MAC_Dst: 00:21:1C:EE:14:00 56002->53 (13:28:52.343 PDT) EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN 192.168.1.230 (13:27:57.981 PDT) event=224:1 {udp} E4[dns] BHDNS SPYWARE-DNS: wieblatrino.hopto.org (trojan), [] MAC_Src: 00:21:5A:08:BB:0C 43482->53 (13:27:57.981 PDT) OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 93.170.52.30 (13:29:21.117 PDT) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 60588->53 (13:29:21.117 PDT) tcpslice 1318710477.981 1318710477.982 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100' ============================== SEPARATOR ================================ Score: 1.9 (>= 0.8) Infected Target: 192.168.1.100 Infector List: 192.168.1.230, 188.229.89.127, 82.210.157.9 Egg Source List: C & C List: 87.98.140.145, 91.209.163.184, 192.168.1.230 (12) Peer Coord. List: Resource List: Observed Start: 10/15/2011 13:27:57.981 PDT Gen. 
Time: 10/15/2011 13:47:33.757 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS 192.168.1.230 (15) (13:28:51.572 PDT) event=224:1 (15) {udp} E2[dns] BHDNS SPYWARE-DNS: florianarray.ru (zeus), [] MAC_Dst: 00:21:1C:EE:14:00 56537->53 (13:28:51.572 PDT) 33521->53 (13:29:42.618 PDT) 44121->53 (13:30:26.008 PDT) 53669->53 (13:30:29.927 PDT) 49515->53 (13:32:50.968 PDT) 41614->53 (13:36:47.250 PDT) 38781->53 (13:37:00.777 PDT) 32831->53 (13:38:01.939 PDT) 60863->53 (13:40:05.622 PDT) 54555->53 (13:40:12.421 PDT) 41821->53 (13:41:15.570 PDT) 51143->53 (13:42:02.460 PDT) 57974->53 (13:42:13.006 PDT) 55384->53 (13:42:14.648 PDT) 36849->53 (13:45:06.883 PDT) 188.229.89.127 (13:39:10.342 PDT) event=1:2632222 {tcp} E2[dns] BHDNS SPYWARE-CONTACT: arhyv.ru (exploit), [] MAC_Dst: 00:21:1C:EE:14:00 42984->53 (13:39:10.342 PDT) 82.210.157.9 (13:28:52.343 PDT) event=1:2632222 {tcp} E2[dns] BHDNS SPYWARE-CONTACT: florianarray.ru (zeus), [] MAC_Dst: 00:21:1C:EE:14:00 56002->53 (13:28:52.343 PDT) EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) 87.98.140.145 (13:43:08.197 PDT) event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:BB:0C 55368->80 (13:43:08.197 PDT) 91.209.163.184 (13:32:50.606 PDT) event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:BB:0C 57307->80 (13:32:50.606 PDT) C and C DNS CHECK-IN 192.168.1.230 (12) (13:27:57.981 PDT) event=224:1 (12) {udp} E4[dns] BHDNS SPYWARE-DNS: wieblatrino.hopto.org (trojan), [] MAC_Src: 00:21:5A:08:BB:0C 43482->53 (13:27:57.981 PDT) 36198->53 (13:29:49.396 PDT) 36316->53 (13:31:56.354 PDT) 51081->53 (13:32:32.351 PDT) 35727->53 (13:34:13.166 PDT) 60158->53 (13:40:10.405 PDT) 48427->53 (13:41:16.706 PDT) 33401->53 (13:42:24.489 PDT) 55317->53 (13:43:07.048 PDT) 37360->53 (13:44:17.993 PDT) 60720->53 (13:44:43.705 PDT) 60897->53 (13:45:17.268 PDT) OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION 
DECLARE BOT 41.189.229.65 (13:41:15.234 PDT) event=1:9910009 {tcp} E8[rb] ET ShadowServer confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 37801->53 (13:41:15.234 PDT) 91.209.163.202 (13:39:21.699 PDT) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 48362->53 (13:39:21.699 PDT) 93.170.52.30 (13:29:21.117 PDT) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 60588->53 (13:29:21.117 PDT) 195.226.246.3 (13:31:02.126 PDT) event=1:9910009 {tcp} E8[rb] ET ShadowServer confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 48452->53 (13:31:02.126 PDT) 128.163.142.20 (13:38:00.769 PDT) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 2121->2121 (13:38:00.769 PDT) tcpslice 1318710477.981 1318710477.982 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.100 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 10/15/2011 13:48:00.069 PDT Gen. 
Time: 10/15/2011 13:48:00.069 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 130.149.49.136 (13:48:00.069 PDT) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 6110->6110 (13:48:00.069 PDT) tcpslice 1318711680.069 1318711680.070 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100' ============================== SEPARATOR ================================ Score: 1.9 (>= 0.8) Infected Target: 192.168.1.100 Infector List: 192.168.1.230, 188.229.89.127 Egg Source List: C & C List: 91.209.163.202, 200.147.33.19, 192.168.1.230 (14), 62.42.230.17 Peer Coord. List: Resource List: Observed Start: 10/15/2011 13:48:00.069 PDT Gen. Time: 10/15/2011 14:09:04.014 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS 192.168.1.230 (11) (13:48:50.149 PDT) event=224:1 (11) {udp} E2[dns] BHDNS SPYWARE-DNS: arhyv.ru (exploit), [] MAC_Dst: 00:21:1C:EE:14:00 35320->53 (13:48:50.149 PDT) 51817->53 (13:52:44.339 PDT) 43738->53 (13:53:14.769 PDT) 54976->53 (13:53:54.645 PDT) 43729->53 (13:54:10.170 PDT) 56661->53 (13:55:23.701 PDT) 46247->53 (13:55:54.339 PDT) 36435->53 (13:57:39.849 PDT) 39033->53 (14:00:46.374 PDT) 51124->53 (14:01:18.345 PDT) 45806->53 (14:06:29.954 PDT) 188.229.89.127 (14:00:46.974 PDT) event=1:2632222 {tcp} E2[dns] BHDNS SPYWARE-CONTACT: arhyv.ru (exploit), [] MAC_Dst: 00:21:1C:EE:14:00 38932->53 (14:00:46.974 PDT) EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) 91.209.163.202 (13:53:08.600 PDT) event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:BB:0C 46529->80 (13:53:08.600 PDT) 200.147.33.19 (14:03:09.391 PDT) event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:BB:0C 44979->53 (14:03:09.391 PDT) C and C DNS CHECK-IN 
192.168.1.230 (14) (13:48:09.900 PDT) event=224:1 (14) {udp} E4[dns] BHDNS SPYWARE-DNS: soudckrnkuzu.tk (malware), [] MAC_Src: 00:21:5A:08:BB:0C 42532->53 (13:48:09.900 PDT) 45103->53 (13:48:55.093 PDT) 53870->53 (13:50:25.413 PDT) 55586->53 (13:51:29.604 PDT) 33068->53 (13:52:15.386 PDT) 49844->53 (13:54:00.846 PDT) 60906->53 (13:55:05.467 PDT) 58969->53 (13:57:57.024 PDT) 48646->53 (13:58:01.635 PDT) 55345->53 (14:04:27.566 PDT) 39707->53 (14:05:13.757 PDT) 59741->53 (14:05:24.120 PDT) 54443->53 (14:05:47.366 PDT) 57541->53 (14:06:30.764 PDT) 62.42.230.17 (13:50:11.360 PDT) event=1:2632222 {tcp} E4[dns] BHDNS SPYWARE-CONTACT: albaimtra.com (trojan), [] MAC_Src: 00:21:5A:08:BB:0C 37388->80 (13:50:11.360 PDT) OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 93.170.52.30 (13:59:28.319 PDT) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 43579->53 (13:59:28.319 PDT) 216.8.179.25 (13:52:33.139 PDT) event=1:9910009 {tcp} E8[rb] ET ShadowServer confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 41104->80 (13:52:33.139 PDT) 130.149.49.136 (13:48:00.069 PDT) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 6110->6110 (13:48:00.069 PDT) 128.2.211.114 (14:08:01.880 PDT) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 56391->56391 (14:08:01.880 PDT) 132.239.17.226 (13:58:01.059 PDT) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 2122->2122 (13:58:01.059 PDT) 66.45.238.251 (14:02:45.706 PDT) event=1:9910009 {tcp} E8[rb] ET ShadowServer confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 46764->80 (14:02:45.706 PDT) 31.170.163.70 (13:49:23.334 PDT) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 49812->53 
(13:49:23.334 PDT) tcpslice 1318711680.069 1318711680.070 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100' ============================== SEPARATOR ================================ Score: 1.3 (>= 0.8) Infected Target: 192.168.1.100 Infector List: Egg Source List: C & C List: 192.168.1.230 Peer Coord. List: Resource List: Observed Start: 10/15/2011 14:09:12.737 PDT Gen. Time: 10/15/2011 14:09:28.255 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN 192.168.1.230 (14:09:12.737 PDT) event=224:1 {udp} E4[dns] BHDNS SPYWARE-DNS: igenorri.hopto.org (malware), [] MAC_Src: 00:21:5A:08:BB:0C 59253->53 (14:09:12.737 PDT) OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 64.49.219.215 (14:09:28.255 PDT) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 50292->53 (14:09:28.255 PDT) tcpslice 1318712952.737 1318712952.738 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100' ============================== SEPARATOR ================================ Score: 1.9 (>= 0.8) Infected Target: 192.168.1.100 Infector List: 192.168.1.230, 188.229.89.127 Egg Source List: C & C List: 122.226.213.40, 192.168.1.230 (9) Peer Coord. List: Resource List: Observed Start: 10/15/2011 14:09:12.737 PDT Gen. 
Time: 10/15/2011 14:21:29.142 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS 192.168.1.230 (8) (14:09:30.272 PDT) event=224:1 (8) {udp} E2[dns] BHDNS SPYWARE-DNS: florianarray.ru (zeus), [] MAC_Dst: 00:21:1C:EE:14:00 54836->53 (14:09:30.272 PDT) 35590->53 (14:10:19.793 PDT) 53698->53 (14:10:58.759 PDT) 58117->53 (14:11:04.501 PDT) 54987->53 (14:14:18.513 PDT) 56870->53 (14:15:58.545 PDT) 38099->53 (14:18:43.252 PDT) 42239->53 (14:18:45.568 PDT) 188.229.89.127 (14:14:18.620 PDT) event=1:2632222 {tcp} E2[dns] BHDNS SPYWARE-CONTACT: arhyv.ru (exploit), [] MAC_Dst: 00:21:1C:EE:14:00 36341->80 (14:14:18.620 PDT) EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) 122.226.213.40 (14:13:33.946 PDT) event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [/ipInfo/IPRep.php?IP=209.159.151.3&SPEED=fast&FORMAT=csv] MAC_Src: 00:21:5A:08:BB:0C 57915->80 (14:13:33.946 PDT) C and C DNS CHECK-IN 192.168.1.230 (9) (14:09:12.737 PDT) event=224:1 (9) {udp} E4[dns] BHDNS SPYWARE-DNS: igenorri.hopto.org (malware), [] MAC_Src: 00:21:5A:08:BB:0C 59253->53 (14:09:12.737 PDT) 55355->53 (14:10:47.938 PDT) 56916->53 (14:13:32.771 PDT) 46500->53 (14:16:18.673 PDT) 53721->53 (14:16:21.778 PDT) 55627->53 (14:16:32.689 PDT) 47726->53 (14:16:37.186 PDT) 38434->53 (14:17:03.997 PDT) 52734->53 (14:18:52.436 PDT) OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 128.163.142.20 (14:18:02.406 PDT) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 23127->23127 (14:18:02.406 PDT) 87.252.1.21 (14:19:59.427 PDT) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 47711->53 (14:19:59.427 PDT) 92.240.68.95 (14:13:48.321 PDT) event=1:9910009 {tcp} E8[rb] ET ShadowServer confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 34491->80 (14:13:48.321 PDT) 64.49.219.215 (14:09:28.255 PDT) event=1:9910005 {tcp} E8[rb] 
BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 50292->53 (14:09:28.255 PDT) tcpslice 1318712952.737 1318712952.738 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.100 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 10/15/2011 14:23:51.026 PDT Gen. Time: 10/15/2011 14:23:51.026 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 213.189.197.13 (14:23:51.026 PDT) event=1:9910009 {tcp} E8[rb] ET ShadowServer confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 58266->53 (14:23:51.026 PDT) tcpslice 1318713831.026 1318713831.027 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100' ============================== SEPARATOR ================================ Score: 1.9 (>= 0.8) Infected Target: 192.168.1.100 Infector List: 88.198.53.104, 91.207.61.48, 192.168.1.230 Egg Source List: C & C List: 209.200.55.60, 194.186.88.58, 91.189.81.71, 192.168.1.230 (15) Peer Coord. List: Resource List: Observed Start: 10/15/2011 14:23:51.026 PDT Gen. 
Time: 10/15/2011 14:50:23.561 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS 88.198.53.104 (14:24:21.325 PDT) event=1:2632222 {tcp} E2[dns] BHDNS SPYWARE-CONTACT: sourcegoogle.com (harmful), [] MAC_Dst: 00:21:1C:EE:14:00 47738->80 (14:24:21.325 PDT) 91.207.61.48 (2) (14:34:56.270 PDT) event=1:2632222 (2) {tcp} E2[dns] BHDNS SPYWARE-CONTACT: warwork.info (harmful), [] MAC_Dst: 00:21:1C:EE:14:00 44127->53 (14:34:56.270 PDT) 43638->80 (14:44:57.103 PDT) 192.168.1.230 (13) (14:25:30.034 PDT) event=224:1 (13) {udp} E2[dns] BHDNS SPYWARE-DNS: editial.com (harmful), [] MAC_Dst: 00:21:1C:EE:14:00 59170->53 (14:25:30.034 PDT) 53494->53 (14:26:49.662 PDT) 40051->53 (14:33:22.561 PDT) 60763->53 (14:34:49.801 PDT) 44746->53 (14:37:05.504 PDT) 33238->53 (14:37:20.611 PDT) 42002->53 (14:37:40.901 PDT) 44262->53 (14:38:31.647 PDT) 42440->53 (14:38:41.604 PDT) 55753->53 (14:40:11.486 PDT) 42633->53 (14:42:02.220 PDT) 38634->53 (14:46:49.217 PDT) 46889->53 (14:46:52.942 PDT) EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) 209.200.55.60 (14:23:58.423 PDT) event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [!%F4%0E%8DO%F1%CDKb%03]%98%91%D7%0E_I:%1B%D1%E2%A1%8B%BC7%8D%FD^%B6%1Bs%EF%94s%17%03%01%00;Rl(%C1o%D0%85%E1o/%DC%FC%80%A5?%87%0E%BC%CA%BA%EB%06%82!%FD%10%BF%F8%01] MAC_Src: 00:21:5A:08:BB:0C 35232->80 (14:23:58.423 PDT) 194.186.88.58 (14:34:04.953 PDT) event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:BB:0C 46959->53 (14:34:04.953 PDT) 91.189.81.71 (14:44:04.740 PDT) event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [%7F%9C%AD%07=U%C5%E0%DF%D5W%11%C7%F0%DA%01b%87%95|%EF%1A%F2%D2%FB%11%AEz%09%DBW%E4%BA%17%03%01%00!%D4-%BDh%F1|%DA%18H%1E%F5%08(\D%EC%0DF%11%16?%D4ik%99&%00-%CB%10%EBx%BA%17%03%01%00!] 
MAC_Src: 00:21:5A:08:BB:0C 41548->80 (14:44:04.740 PDT) C and C DNS CHECK-IN 192.168.1.230 (15) (14:25:46.352 PDT) event=224:1 (15) {udp} E4[dns] BHDNS SPYWARE-DNS: livedieoslix.com (malware), [] MAC_Src: 00:21:5A:08:BB:0C 46858->53 (14:25:46.352 PDT) 52589->53 (14:27:13.772 PDT) 42359->53 (14:29:09.968 PDT) 54566->53 (14:30:14.950 PDT) 59936->53 (14:31:13.473 PDT) 36296->53 (14:32:44.549 PDT) 42541->53 (14:34:42.374 PDT) 36065->53 (14:38:28.054 PDT) 46013->53 (14:39:05.309 PDT) 38220->53 (14:39:55.507 PDT) 50803->53 (14:42:54.547 PDT) 39870->53 (14:42:59.179 PDT) 44675->53 (14:44:47.826 PDT) 49589->53 (14:45:20.656 PDT) 40371->53 (14:47:17.016 PDT) OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 92.241.169.250 (14:44:32.859 PDT) event=1:9910009 {tcp} E8[rb] ET ShadowServer confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 47662->53 (14:44:32.859 PDT) 208.91.196.10 (14:34:04.379 PDT) event=1:9910009 {tcp} E8[rb] ET ShadowServer confirmed botnet control server, [%00%00%00%01%00%00%00%00%00] MAC_Src: 00:21:5A:08:BB:0C 52349->80 (14:34:04.379 PDT) 208.87.35.100 (14:30:15.636 PDT) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 60962->53 (14:30:15.636 PDT) 128.227.11.13 (14:28:05.050 PDT) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 49302->4040 (14:28:05.050 PDT) 213.189.197.13 (14:23:51.026 PDT) event=1:9910009 {tcp} E8[rb] ET ShadowServer confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 58266->53 (14:23:51.026 PDT) 208.109.255.18 (14:50:23.561 PDT) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 36911->53 (14:50:23.561 PDT) 64.49.219.215 (14:40:16.820 PDT) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 60933->53 (14:40:16.820 PDT) 130.104.72.201 (2) 
(14:38:05.790 PDT) event=1:9910006 (2) {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 56391->56391 (14:38:05.790 PDT) 49301->49301 (14:48:05.805 PDT) tcpslice 1318713831.026 1318713831.027 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100' ============================== SEPARATOR ================================ Score: 1.1 (>= 0.8) Infected Target: 192.168.1.100 Infector List: 192.168.1.230 Egg Source List: C & C List: 64.94.137.53, 192.168.1.230 (3) Peer Coord. List: Resource List: Observed Start: 10/15/2011 14:50:55.817 PDT Gen. Time: 10/15/2011 14:54:04.886 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS 192.168.1.230 (3) (14:50:56.770 PDT) event=224:1 (3) {udp} E2[dns] BHDNS SPYWARE-DNS: stephanos.ru (exploit), [] MAC_Dst: 00:21:1C:EE:14:00 35762->53 (14:50:56.770 PDT) 40038->53 (14:52:46.662 PDT) 46371->53 (14:53:33.764 PDT) EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) 64.94.137.53 (14:54:04.886 PDT) event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [/ipInfo/IPRep.php?IP=209.190.113.190&SPEED=fast&FORMAT=csv] MAC_Src: 00:21:5A:08:BB:0C 34835->80 (14:54:04.886 PDT) C and C DNS CHECK-IN 192.168.1.230 (3) (14:50:55.817 PDT) event=224:1 (3) {udp} E4[dns] BHDNS SPYWARE-DNS: wieblatrino.hopto.org (trojan), [] MAC_Src: 00:21:5A:08:BB:0C 45101->53 (14:50:55.817 PDT) 49555->53 (14:50:56.512 PDT) 51639->53 (14:50:56.770 PDT) OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT tcpslice 1318715455.817 1318715455.818 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100' ============================== SEPARATOR ================================ Score: 1.9 (>= 0.8) Infected Target: 192.168.1.100 Infector List: 192.168.1.230, 60.19.30.131 Egg Source List: C & C List: 64.94.137.53, 192.168.1.230 (7) Peer Coord. List: Resource List: Observed Start: 10/15/2011 14:50:55.817 PDT Gen. 
Time: 10/15/2011 14:57:32.665 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS 192.168.1.230 (8) (14:50:56.770 PDT) event=224:1 (8) {udp} E2[dns] BHDNS SPYWARE-DNS: stephanos.ru (exploit), [] MAC_Dst: 00:21:1C:EE:14:00 35762->53 (14:50:56.770 PDT) 40038->53 (14:52:46.662 PDT) 46371->53 (14:53:33.764 PDT) 42155->53 (14:54:05.033 PDT) 32898->53 (14:55:22.110 PDT) 43567->53 (14:55:29.787 PDT) 49033->53 (14:56:38.926 PDT) 38964->53 (14:57:32.665 PDT) 60.19.30.131 (14:55:22.829 PDT) event=1:2632222 {tcp} E2[dns] BHDNS SPYWARE-CONTACT: esperadooptic.ru (zeus), [] MAC_Dst: 00:21:1C:EE:14:00 35341->80 (14:55:22.829 PDT) EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) 64.94.137.53 (14:54:04.886 PDT) event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [/ipInfo/IPRep.php?IP=209.190.113.190&SPEED=fast&FORMAT=csv] MAC_Src: 00:21:5A:08:BB:0C 34835->80 (14:54:04.886 PDT) C and C DNS CHECK-IN 192.168.1.230 (7) (14:50:55.817 PDT) event=224:1 (7) {udp} E4[dns] BHDNS SPYWARE-DNS: wieblatrino.hopto.org (trojan), [] MAC_Src: 00:21:5A:08:BB:0C 45101->53 (14:50:55.817 PDT) 49555->53 (14:50:56.512 PDT) 51639->53 (14:50:56.770 PDT) 44630->53 (14:55:51.130 PDT) 47163->53 (14:55:58.675 PDT) 40229->53 (14:56:30.805 PDT) 58058->53 (14:56:46.930 PDT) OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 61.4.82.131 (14:55:22.594 PDT) event=1:9910009 {tcp} E8[rb] ET ShadowServer confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 34755->80 (14:55:22.594 PDT) tcpslice 1318715455.817 1318715455.818 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100' ============================== SEPARATOR ================================ Score: 1.3 (>= 0.8) Infected Target: 192.168.1.100 Infector List: Egg Source List: C & C List: 192.168.1.230 Peer Coord. List: Resource List: Observed Start: 10/15/2011 14:57:34.845 PDT Gen. 
Time: 10/15/2011 14:58:07.245 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN 192.168.1.230 (14:57:34.845 PDT) event=224:1 {udp} E4[dns] BHDNS SPYWARE-DNS: taobao.lylwc.com (malware), [] MAC_Src: 00:21:5A:08:BB:0C 60136->53 (14:57:34.845 PDT) OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 134.34.246.5 (14:58:07.245 PDT) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 2122->2122 (14:58:07.245 PDT) tcpslice 1318715854.845 1318715854.846 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100' ============================== SEPARATOR ================================ Score: 1.9 (>= 0.8) Infected Target: 192.168.1.100 Infector List: 192.168.1.230 Egg Source List: C & C List: 86.109.114.31, 192.168.1.230 (11), 216.246.35.77 Peer Coord. List: Resource List: Observed Start: 10/15/2011 14:57:34.845 PDT Gen. 
Time: 10/15/2011 15:11:28.819 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS 192.168.1.230 (7) (14:59:35.461 PDT) event=224:1 (7) {udp} E2[dns] BHDNS SPYWARE-DNS: arhyv.ru (exploit), [] MAC_Dst: 00:21:1C:EE:14:00 58559->53 (14:59:35.461 PDT) 59267->53 (15:00:03.892 PDT) 55476->53 (15:07:42.031 PDT) 32952->53 (15:08:00.808 PDT) 37833->53 (15:09:53.821 PDT) 33277->53 (15:10:13.518 PDT) 46532->53 (15:10:27.292 PDT) EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) 86.109.114.31 (15:05:02.043 PDT) event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:BB:0C 41409->53 (15:05:02.043 PDT) C and C DNS CHECK-IN 192.168.1.230 (11) (14:57:34.845 PDT) event=224:1 (11) {udp} E4[dns] BHDNS SPYWARE-DNS: taobao.lylwc.com (malware), [] MAC_Src: 00:21:5A:08:BB:0C 60136->53 (14:57:34.845 PDT) 60230->53 (14:58:38.821 PDT) 38757->53 (15:01:48.279 PDT) 38906->53 (15:01:53.442 PDT) 43721->53 (15:02:40.099 PDT) 32928->53 (15:03:04.710 PDT) 52047->53 (15:05:51.808 PDT) 33543->53 (15:06:09.086 PDT) 49030->53 (15:06:37.875 PDT) 53904->53 (15:07:40.390 PDT) 53340->53 (15:10:35.352 PDT) 216.246.35.77 (15:06:09.918 PDT) event=1:2632222 {tcp} E4[dns] BHDNS SPYWARE-CONTACT: mobile-files.com (trojan), [] MAC_Src: 00:21:5A:08:BB:0C 53175->53 (15:06:09.918 PDT) OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 93.170.52.30 (15:00:23.687 PDT) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 60407->53 (15:00:23.687 PDT) 134.34.246.5 (14:58:07.245 PDT) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 2122->2122 (14:58:07.245 PDT) 128.163.142.20 (15:08:07.169 PDT) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 2121->2121 (15:08:07.169 PDT) 122.224.18.94 (15:05:34.815 PDT) event=1:9910009 {tcp} E8[rb] ET ShadowServer confirmed 
botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 50117->80 (15:05:34.815 PDT) 194.186.88.58 (15:10:23.090 PDT) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 45213->53 (15:10:23.090 PDT) tcpslice 1318715854.845 1318715854.846 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100' ============================== SEPARATOR ================================ Score: 1.1 (>= 0.8) Infected Target: 192.168.1.100 Infector List: 192.168.1.230 Egg Source List: C & C List: 91.209.163.202, 192.168.1.230 (2) Peer Coord. List: Resource List: Observed Start: 10/15/2011 15:11:39.322 PDT Gen. Time: 10/15/2011 15:15:10.695 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS 192.168.1.230 (3) (15:11:39.322 PDT) event=224:1 (3) {udp} E2[dns] BHDNS SPYWARE-DNS: warwork.info (harmful), [] MAC_Dst: 00:21:1C:EE:14:00 33338->53 (15:11:39.322 PDT) 33915->53 (15:12:16.191 PDT) 51125->53 (15:13:11.149 PDT) EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) 91.209.163.202 (15:15:10.695 PDT) event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:BB:0C 54774->80 (15:15:10.695 PDT) C and C DNS CHECK-IN 192.168.1.230 (2) (15:12:14.822 PDT) event=224:1 (2) {udp} E4[dns] BHDNS SPYWARE-DNS: igenorri.hopto.org (malware), [] MAC_Src: 00:21:5A:08:BB:0C 51390->53 (15:12:14.822 PDT) 57518->53 (15:13:10.249 PDT) OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT tcpslice 1318716699.322 1318716699.323 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100' ============================== SEPARATOR ================================ Score: 1.9 (>= 0.8) Infected Target: 192.168.1.100 Infector List: 88.198.53.104, 192.168.1.230, 192.168.1.20 Egg Source List: C & C List: 78.31.65.216, 91.209.163.202 (2), 194.28.86.197, 83.170.72.109, 192.168.1.230 (17) Peer Coord. List: Resource List: Observed Start: 10/15/2011 15:11:39.322 PDT Gen. 
Time: 10/15/2011 15:59:34.074 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS 88.198.53.104 (2) (15:16:30.113 PDT) event=1:2632222 (2) {tcp} E2[dns] BHDNS SPYWARE-CONTACT: sourcegoogle.com (harmful), [%1F] MAC_Dst: 00:21:1C:EE:14:00 54873->80 (15:16:30.113 PDT) 38538->80 (15:27:42.299 PDT) 192.168.1.230 (14) (15:11:39.322 PDT) event=224:1 (14) {udp} E2[dns] BHDNS SPYWARE-DNS: warwork.info (harmful), [] MAC_Dst: 00:21:1C:EE:14:00 33338->53 (15:11:39.322 PDT) 33915->53 (15:12:16.191 PDT) 51125->53 (15:13:11.149 PDT) 45325->53 (15:20:32.412 PDT) 40907->53 (15:20:52.327 PDT) 33051->53 (15:20:54.462 PDT) 39272->53 (15:22:40.912 PDT) 46047->53 (15:22:56.162 PDT) 43321->53 (15:23:55.265 PDT) 34867->53 (15:23:57.369 PDT) 52401->53 (15:25:38.054 PDT) 48495->53 (15:25:49.875 PDT) 51598->53 (15:29:33.901 PDT) 49482->53 (15:32:20.308 PDT) 192.168.1.20 (15:20:55.477 PDT) event=224:1 {udp} E2[dns] BHDNS SPYWARE-DNS: florianarray.ru (zeus), [] MAC_Dst: 00:21:1C:EE:14:00 58753->53 (15:20:55.477 PDT) EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) 78.31.65.216 (15:45:29.294 PDT) event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:BB:0C 43468->53 (15:45:29.294 PDT) 91.209.163.202 (2) (15:15:10.695 PDT) event=1:3810007 (2) {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:BB:0C 54774->80 (15:15:10.695 PDT) 35141->80 (15:55:35.033 PDT) 194.28.86.197 (15:35:25.318 PDT) event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:BB:0C 40186->80 (15:35:25.318 PDT) 83.170.72.109 (15:25:24.070 PDT) event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:BB:0C 36375->53 (15:25:24.070 PDT) C and C DNS CHECK-IN 192.168.1.230 (17) (15:12:14.822 PDT) event=224:1 (17) {udp} E4[dns] BHDNS SPYWARE-DNS: igenorri.hopto.org (malware), [] MAC_Src: 00:21:5A:08:BB:0C 51390->53 (15:12:14.822 PDT) 57518->53 
(15:13:10.249 PDT) 50943->53 (15:15:47.088 PDT) 56121->53 (15:16:30.088 PDT) 46059->53 (15:16:56.219 PDT) 41491->53 (15:21:11.421 PDT) 42732->53 (15:22:40.812 PDT) 41839->53 (15:25:06.131 PDT) 33711->53 (15:25:51.638 PDT) 52231->53 (15:28:31.807 PDT) 49877->53 (15:29:25.349 PDT) 48046->53 (15:30:31.306 PDT) 48218->53 (15:31:23.164 PDT) 60383->53 (15:33:03.220 PDT) 52894->53 (15:33:05.511 PDT) 39650->53 (15:36:11.349 PDT) 43908->53 (15:39:04.493 PDT) OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 212.44.109.181 (15:17:33.934 PDT) event=1:9910009 {tcp} E8[rb] ET ShadowServer confirmed botnet control server, [%AE] MAC_Src: 00:21:5A:08:BB:0C 44838->80 (15:17:33.934 PDT) 128.227.11.13 (15:58:08.785 PDT) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 49302->4040 (15:58:08.785 PDT) 200.147.33.21 (15:30:23.001 PDT) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 35991->53 (15:30:23.001 PDT) 41.189.229.65 (15:48:26.074 PDT) event=1:9910009 {tcp} E8[rb] ET ShadowServer confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 36411->80 (15:48:26.074 PDT) 93.170.52.30 (2) (15:40:23.756 PDT) event=1:9910005 (2) {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 36751->53 (15:50:23.515 PDT) 59257->53 (15:40:23.756 PDT) 31.170.163.70 (15:38:21.851 PDT) event=1:9910009 {tcp} E8[rb] ET ShadowServer confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 57732->53 (15:38:21.851 PDT) 138.238.250.155 (15:18:07.489 PDT) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 6110->6110 (15:18:07.489 PDT) 87.252.1.21 (15:20:23.040 PDT) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 46507->53 (15:20:23.040 PDT) 92.241.169.250 (15:27:43.901 PDT) 
event=1:9910009 {tcp} E8[rb] ET ShadowServer confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 50030->80 (15:27:43.901 PDT) 208.91.196.10 (15:58:27.051 PDT) event=1:9910009 {tcp} E8[rb] ET ShadowServer confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 42888->53 (15:58:27.051 PDT) 206.207.248.34 (15:48:07.054 PDT) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 2122->2122 (15:48:07.054 PDT) 128.163.142.20 (2) (15:28:07.883 PDT-15:38:07.393 PDT) event=1:9910006 (2) {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 2: 2121->2121 (15:28:07.883 PDT-15:38:07.393 PDT) tcpslice 1318716699.322 1318718287.394 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.100 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 10/15/2011 16:00:23.333 PDT Gen. Time: 10/15/2011 16:00:23.333 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 93.170.52.30 (16:00:23.333 PDT) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 36765->53 (16:00:23.333 PDT) tcpslice 1318719623.333 1318719623.334 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100' ============================== SEPARATOR ================================ Score: 1.9 (>= 0.8) Infected Target: 192.168.1.100 Infector List: 192.168.1.230, 82.210.157.9 Egg Source List: C & C List: 212.36.9.10, 192.168.1.230 (14), 91.228.133.56 Peer Coord. List: Resource List: Observed Start: 10/15/2011 16:00:23.333 PDT Gen. 
Time: 10/15/2011 16:14:46.515 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS 192.168.1.230 (11) (16:01:13.105 PDT) event=224:1 (11) {udp} E2[dns] BHDNS SPYWARE-DNS: florianarray.ru (zeus), [] MAC_Dst: 00:21:1C:EE:14:00 45772->53 (16:01:13.105 PDT) 60343->53 (16:02:04.161 PDT) 44563->53 (16:02:47.877 PDT) 49339->53 (16:02:50.649 PDT) 43591->53 (16:03:05.277 PDT) 35762->53 (16:04:38.295 PDT) 41829->53 (16:05:00.513 PDT) 44507->53 (16:06:19.547 PDT) 44319->53 (16:06:56.378 PDT) 39588->53 (16:13:57.048 PDT) 40470->53 (16:14:46.515 PDT) 82.210.157.9 (16:01:13.401 PDT) event=1:2632222 {tcp} E2[dns] BHDNS SPYWARE-CONTACT: florianarray.ru (zeus), [/impressions/uint/asc=307/f=1004/chip=8e550720d88e012d2f090024e87a30c2.mjs?CPN_PARTNER=false&AG_P0=College&AG_P1=Home&AG_R=5539] MAC_Dst: 00:21:1C:EE:14:00 40371->80 (16:01:13.401 PDT) EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) 212.36.9.10 (16:05:35.177 PDT) event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:BB:0C 48293->80 (16:05:35.177 PDT) C and C DNS CHECK-IN 192.168.1.230 (14) (16:01:16.195 PDT) event=224:1 (14) {udp} E4[dns] BHDNS SPYWARE-DNS: wieblatrino.hopto.org (trojan), [] MAC_Src: 00:21:5A:08:BB:0C 53968->53 (16:01:16.195 PDT) 45578->53 (16:01:45.967 PDT) 34461->53 (16:01:47.192 PDT) 43353->53 (16:02:16.580 PDT) 41454->53 (16:02:56.255 PDT) 48329->53 (16:03:00.277 PDT) 34069->53 (16:04:31.133 PDT) 39542->53 (16:08:21.144 PDT) 49997->53 (16:08:53.375 PDT) 45916->53 (16:09:19.690 PDT) 41907->53 (16:09:57.351 PDT) 58734->53 (16:11:42.057 PDT) 47029->53 (16:13:39.525 PDT) 37463->53 (16:14:25.268 PDT) 91.228.133.56 (16:11:51.465 PDT) event=1:2632222 {tcp} E4[dns] BHDNS SPYWARE-CONTACT: wagequtn.mattemon.info (malware), [] MAC_Src: 00:21:5A:08:BB:0C 39381->53 (16:11:51.465 PDT) OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 93.170.52.30 (16:00:23.333 PDT) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed 
botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 36765->53 (16:00:23.333 PDT) 208.91.196.10 (16:10:26.733 PDT) event=1:9910009 {tcp} E8[rb] ET ShadowServer confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 40082->80 (16:10:26.733 PDT) 128.163.142.20 (16:08:10.742 PDT) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 23127->23127 (16:08:10.742 PDT) 93.170.52.20 (16:10:25.341 PDT) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 57523->53 (16:10:25.341 PDT) tcpslice 1318719623.333 1318719623.334 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100' ============================== SEPARATOR ================================ Score: 0.9 (>= 0.8) Infected Target: 192.168.1.100 Infector List: Egg Source List: C & C List: 200.147.1.41, 192.168.1.230 Peer Coord. List: Resource List: Observed Start: 10/15/2011 16:14:53.792 PDT Gen. Time: 10/15/2011 16:15:35.144 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) 200.147.1.41 (16:15:35.144 PDT) event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [/ipInfo/IPRep.php?IP=209.190.113.190&SPEED=fast&FORMAT=csv] MAC_Src: 00:21:5A:08:BB:0C 56900->80 (16:15:35.144 PDT) C and C DNS CHECK-IN 192.168.1.230 (16:14:53.792 PDT) event=224:1 {udp} E4[dns] BHDNS SPYWARE-DNS: wieblatrino.hopto.org (trojan), [] MAC_Src: 00:21:5A:08:BB:0C 51782->53 (16:14:53.792 PDT) OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT tcpslice 1318720493.792 1318720493.793 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100' ============================== SEPARATOR ================================ Score: 1.9 (>= 0.8) Infected Target: 192.168.1.100 Infector List: 173.236.70.235, 192.168.1.230 Egg Source List: C & C List: 200.147.33.19, 200.147.1.41, 192.168.1.230 (12) Peer Coord. 
List: Resource List: Observed Start: 10/15/2011 16:14:53.792 PDT Gen. Time: 10/15/2011 16:32:58.861 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS 173.236.70.235 (16:22:24.120 PDT) event=1:2632222 {tcp} E2[dns] BHDNS SPYWARE-CONTACT: porntubebiz.org (fake_codec), [] MAC_Dst: 00:21:1C:EE:14:00 55258->53 (16:22:24.120 PDT) 192.168.1.230 (13) (16:15:55.432 PDT) event=224:1 (13) {udp} E2[dns] BHDNS SPYWARE-DNS: simulatormage.ru (zeus), [] MAC_Dst: 00:21:1C:EE:14:00 40065->53 (16:15:55.432 PDT) 56820->53 (16:16:02.534 PDT) 35932->53 (16:18:15.608 PDT) 40923->53 (16:18:18.773 PDT) 57889->53 (16:22:22.597 PDT) 36051->53 (16:23:54.232 PDT) 47733->53 (16:25:28.236 PDT) 34735->53 (16:26:47.133 PDT) 43677->53 (16:27:06.659 PDT) 52140->53 (16:27:28.297 PDT) 60420->53 (16:28:06.062 PDT) 56934->53 (16:28:08.334 PDT) 55066->53 (16:30:14.352 PDT) EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) 200.147.33.19 (16:25:35.888 PDT) event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:BB:0C 60628->53 (16:25:35.888 PDT) 200.147.1.41 (16:15:35.144 PDT) event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [/ipInfo/IPRep.php?IP=209.190.113.190&SPEED=fast&FORMAT=csv] MAC_Src: 00:21:5A:08:BB:0C 56900->80 (16:15:35.144 PDT) C and C DNS CHECK-IN 192.168.1.230 (12) (16:14:53.792 PDT) event=224:1 (12) {udp} E4[dns] BHDNS SPYWARE-DNS: wieblatrino.hopto.org (trojan), [] MAC_Src: 00:21:5A:08:BB:0C 51782->53 (16:14:53.792 PDT) 58305->53 (16:17:33.241 PDT) 35877->53 (16:18:42.308 PDT) 54098->53 (16:21:26.712 PDT) 58058->53 (16:21:38.889 PDT) 34326->53 (16:22:56.975 PDT) 57114->53 (16:22:59.944 PDT) 43430->53 (16:25:25.592 PDT) 36681->53 (16:28:07.921 PDT) 37749->53 (16:29:39.917 PDT) 56701->53 (16:30:57.214 PDT) 59935->53 (16:31:23.381 PDT) OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 93.170.52.30 (16:30:33.283 PDT) event=1:9910005 {tcp} E8[rb] BotHunter REPO 
confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 58738->53 (16:30:33.283 PDT) 195.226.246.3 (16:21:13.925 PDT) event=1:9910009 {tcp} E8[rb] ET ShadowServer confirmed botnet control server, [%D0%F1u%B5I%C3%BC%0A%05%F5%00%00%00%00%00%00%06v%00%00%00%00%00%00%06G%FF%00%0F%00%00%00S%00%00%00%11%00%00%00%00%00%00%03%AF%00%00%00%00%00%00%06%D8%00%00%00%00%00%00%06%C9%00%00] MAC_Src: 00:21:5A:08:BB:0C 53130->80 (16:21:13.925 PDT) 132.239.17.226 (16:20:31.676 PDT) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 46181->2128 (16:20:31.676 PDT) 128.163.142.20 (16:28:12.669 PDT) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 23127->23127 (16:28:12.669 PDT) 128.227.11.13 (16:18:10.541 PDT) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 49302->4040 (16:18:10.541 PDT) 31.170.163.70 (16:32:58.861 PDT) event=1:9910009 {tcp} E8[rb] ET ShadowServer confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 55722->53 (16:32:58.861 PDT) tcpslice 1318720493.792 1318720493.793 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100' ============================== SEPARATOR ================================ Score: 1.1 (>= 0.8) Infected Target: 192.168.1.100 Infector List: 91.207.61.48, 192.168.1.230 Egg Source List: C & C List: 88.80.7.152, 192.168.1.230 (2) Peer Coord. List: Resource List: Observed Start: 10/15/2011 16:34:05.387 PDT Gen. 
Time: 10/15/2011 16:35:50.548 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS 91.207.61.48 (16:34:05.387 PDT) event=1:2632222 {tcp} E2[dns] BHDNS SPYWARE-CONTACT: warwork.info (harmful), [!!0%BB%0A%1Co=%9E%0Ep%9C%B6%90N%97%1F{%DE%0D%FD] MAC_Dst: 00:21:1C:EE:14:00 50696->80 (16:34:05.387 PDT) 192.168.1.230 (16:35:10.949 PDT) event=224:1 {udp} E2[dns] BHDNS SPYWARE-DNS: didid.nl (zeusc&c), [] MAC_Dst: 00:21:1C:EE:14:00 47928->53 (16:35:10.949 PDT) EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) 88.80.7.152 (16:35:50.548 PDT) event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:BB:0C 46537->80 (16:35:50.548 PDT) C and C DNS CHECK-IN 192.168.1.230 (2) (16:35:10.959 PDT) event=224:1 (2) {udp} E4[dns] BHDNS SPYWARE-DNS: soudckrnkuzu.tk (malware), [] MAC_Src: 00:21:5A:08:BB:0C 54454->53 (16:35:10.959 PDT) 48233->53 (16:35:48.070 PDT) OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT tcpslice 1318721645.387 1318721645.388 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100' ============================== SEPARATOR ================================ Score: 1.9 (>= 0.8) Infected Target: 192.168.1.100 Infector List: 91.207.61.48, 192.168.1.230 Egg Source List: C & C List: 88.80.7.152, 200.147.33.17, 222.76.217.174, 1.226.83.250, 192.168.1.230 (16), 176.28.0.239 Peer Coord. List: Resource List: Observed Start: 10/15/2011 16:34:05.387 PDT Gen. 
Time: 10/15/2011 17:09:19.617 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS 91.207.61.48 (2) (16:34:05.387 PDT) event=1:2632222 (2) {tcp} E2[dns] BHDNS SPYWARE-CONTACT: warwork.info (harmful), [!!0%BB%0A%1Co=%9E%0Ep%9C%B6%90N%97%1F{%DE%0D%FD] MAC_Dst: 00:21:1C:EE:14:00 50696->80 (16:34:05.387 PDT) 40028->80 (16:44:28.901 PDT) 192.168.1.230 (15) (16:35:10.949 PDT) event=224:1 (15) {udp} E2[dns] BHDNS SPYWARE-DNS: didid.nl (zeusc&c), [] MAC_Dst: 00:21:1C:EE:14:00 47928->53 (16:35:10.949 PDT) 41708->53 (16:37:19.365 PDT) 34015->53 (16:40:15.076 PDT) 35947->53 (16:40:30.696 PDT) 54898->53 (16:40:57.109 PDT) 53920->53 (16:41:28.104 PDT) 33650->53 (16:41:39.636 PDT) 51747->53 (16:41:59.868 PDT) 54205->53 (16:43:30.352 PDT) 37299->53 (16:46:41.530 PDT) 34091->53 (16:51:33.143 PDT) 49690->53 (16:51:35.791 PDT) 52067->53 (16:52:44.848 PDT) 37063->53 (16:52:52.045 PDT) 53747->53 (16:55:18.776 PDT) EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) 88.80.7.152 (16:35:50.548 PDT) event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:BB:0C 46537->80 (16:35:50.548 PDT) 200.147.33.17 (16:56:09.330 PDT) event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:BB:0C 48121->80 (16:56:09.330 PDT) 222.76.217.174 (17:06:12.103 PDT) event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:BB:0C 47875->80 (17:06:12.103 PDT) 1.226.83.250 (16:45:50.404 PDT) event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:BB:0C 51725->80 (16:45:50.404 PDT) C and C DNS CHECK-IN 192.168.1.230 (16) (16:35:10.959 PDT) event=224:1 (16) {udp} E4[dns] BHDNS SPYWARE-DNS: soudckrnkuzu.tk (malware), [] MAC_Src: 00:21:5A:08:BB:0C 54454->53 (16:35:10.959 PDT) 48233->53 (16:35:48.070 PDT) 43074->53 (16:36:03.106 PDT) 45547->53 (16:36:49.810 PDT) 39467->53 (16:41:28.773 PDT) 54415->53 (16:42:26.749 PDT) 36328->53 
(16:45:47.166 PDT) 49995->53 (16:45:54.187 PDT) 48217->53 (16:46:55.720 PDT) 33009->53 (16:47:37.056 PDT) 51677->53 (16:49:24.332 PDT) 46245->53 (16:51:06.725 PDT) 47728->53 (16:54:30.023 PDT) 39700->53 (16:55:03.268 PDT) 37934->53 (16:55:18.755 PDT) 55018->53 (16:58:50.363 PDT) 176.28.0.239 (16:54:30.275 PDT) event=1:2632222 {tcp} E4[dns] BHDNS SPYWARE-CONTACT: livedieoslix.com (malware), [/ipInfo/IPRep.php?IP=141.83.42.246&SPEED=fast&FORMAT=csv] MAC_Src: 00:21:5A:08:BB:0C 33305->80 (16:54:30.275 PDT) OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 128.227.11.13 (16:38:13.037 PDT) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 49302->4040 (16:38:13.037 PDT) 194.186.88.58 (16:40:34.115 PDT) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 53372->53 (16:40:34.115 PDT) 60.19.30.131 (17:03:25.626 PDT) event=1:9910009 {tcp} E8[rb] ET ShadowServer confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 48897->53 (17:03:25.626 PDT) 213.189.197.13 (16:53:17.816 PDT) event=1:9910009 {tcp} E8[rb] ET ShadowServer confirmed botnet control server, [%00%10%00%01%00%00%00%00%00%01%03nyx%03ane%03cmc%07osaka-u%02ac%02jp%00%00%01%00%01%00%00)%02%00%00%00%80%00%00%00%04%01a%C0%18%C0%18%00%02%00%01%00%01Q%80%00%04%01b] MAC_Src: 00:21:5A:08:BB:0C 60927->80 (16:53:17.816 PDT) 138.238.250.155 (16:58:15.551 PDT) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 23127->23127 (16:58:15.551 PDT) 91.209.163.202 (16:50:50.638 PDT) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 40742->53 (16:50:50.638 PDT) 92.240.68.95 (16:43:15.313 PDT) event=1:9910009 {tcp} E8[rb] ET ShadowServer confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 34354->80 (16:43:15.313 PDT) 206.207.248.34 (17:08:16.965 
PDT) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 4797->4797 (17:08:16.965 PDT) 128.163.142.20 (16:48:14.460 PDT) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 2121->2121 (16:48:14.460 PDT) 91.207.61.48 (17:00:51.028 PDT) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 35053->53 (17:00:51.028 PDT) tcpslice 1318721645.387 1318721645.388 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100' ============================== SEPARATOR ================================ Score: 1.5 (>= 0.8) Infected Target: 192.168.1.100 Infector List: 192.168.1.230 Egg Source List: C & C List: 192.168.1.230 (4) Peer Coord. List: Resource List: Observed Start: 10/15/2011 17:09:27.425 PDT Gen. Time: 10/15/2011 17:10:51.202 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS 192.168.1.230 (17:09:49.258 PDT) event=224:1 {udp} E2[dns] BHDNS SPYWARE-DNS: toolbarqueries-google.com (harmful), [] MAC_Dst: 00:21:1C:EE:14:00 43293->53 (17:09:49.258 PDT) EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN 192.168.1.230 (4) (17:09:27.425 PDT) event=224:1 (4) {udp} E4[dns] BHDNS SPYWARE-DNS: tiasissi.com.br (malware), [] MAC_Src: 00:21:5A:08:BB:0C 40304->53 (17:09:27.425 PDT) 52448->53 (17:09:43.328 PDT) 60438->53 (17:09:49.433 PDT) 45538->53 (17:10:39.981 PDT) OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 88.81.249.200 (17:10:51.202 PDT) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 57597->53 (17:10:51.202 PDT) tcpslice 1318723767.425 1318723767.426 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100' ============================== SEPARATOR ================================ Score: 1.9 (>= 0.8) Infected Target: 192.168.1.100 Infector List: 91.207.61.48, 
192.168.1.230, 192.168.1.20 Egg Source List: C & C List: 67.43.226.154, 78.31.65.216, 194.186.88.58, 192.168.1.230 (14), 192.168.1.20 (3) Peer Coord. List: Resource List: Observed Start: 10/15/2011 17:09:27.425 PDT Gen. Time: 10/15/2011 17:40:21.749 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS 91.207.61.48 (2) (17:14:51.240 PDT) event=1:2632222 (2) {tcp} E2[dns] BHDNS SPYWARE-CONTACT: warwork.info (harmful), [ %E5F%C8%99n%92%92%1A] MAC_Dst: 00:21:1C:EE:14:00 53617->80 (17:14:51.240 PDT) 37042->80 (17:25:08.430 PDT) 192.168.1.230 (14) (17:09:49.258 PDT) event=224:1 (14) {udp} E2[dns] BHDNS SPYWARE-DNS: toolbarqueries-google.com (harmful), [] MAC_Dst: 00:21:1C:EE:14:00 43293->53 (17:09:49.258 PDT) 58513->53 (17:14:50.430 PDT) 41689->53 (17:14:52.702 PDT) 51849->53 (17:15:06.973 PDT) 36678->53 (17:15:24.878 PDT) 48319->53 (17:15:46.284 PDT) 37636->53 (17:16:42.535 PDT) 38321->53 (17:16:58.089 PDT) 37950->53 (17:19:13.619 PDT) 48081->53 (17:23:55.895 PDT) 37678->53 (17:24:00.924 PDT) 60339->53 (17:27:59.698 PDT) 53400->53 (17:28:23.450 PDT) 51542->53 (17:29:29.928 PDT) 192.168.1.20 (17:23:56.754 PDT) event=224:1 {udp} E2[dns] BHDNS SPYWARE-DNS: warwork.info (harmful), [] MAC_Dst: 00:21:1C:EE:14:00 38879->53 (17:23:56.754 PDT) EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) 67.43.226.154 (17:36:53.493 PDT) event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:BB:0C 59924->80 (17:36:53.493 PDT) 78.31.65.216 (17:26:50.313 PDT) event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:BB:0C 47927->80 (17:26:50.313 PDT) 194.186.88.58 (17:16:37.929 PDT) event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:BB:0C 57848->53 (17:16:37.929 PDT) C and C DNS CHECK-IN 192.168.1.230 (14) (17:09:27.425 PDT) event=224:1 (14) {udp} E4[dns] BHDNS SPYWARE-DNS: tiasissi.com.br (malware), [] MAC_Src: 00:21:5A:08:BB:0C 40304->53 
(17:09:27.425 PDT) 52448->53 (17:09:43.328 PDT) 60438->53 (17:09:49.433 PDT) 45538->53 (17:10:39.981 PDT) 59366->53 (17:13:13.687 PDT) 52572->53 (17:15:20.517 PDT) 52871->53 (17:15:50.319 PDT) 52063->53 (17:18:11.924 PDT) 56460->53 (17:19:42.501 PDT) 35601->53 (17:22:08.476 PDT) 49657->53 (17:22:10.589 PDT) 51822->53 (17:23:40.667 PDT) 58330->53 (17:24:47.412 PDT) 56886->53 (17:27:12.220 PDT) 192.168.1.20 (3) (17:19:43.628 PDT) event=224:1 (3) {udp} E4[dns] BHDNS SPYWARE-DNS: mobile-files.com (trojan), [] MAC_Src: 00:21:5A:08:BB:0C 59430->53 (17:19:43.628 PDT) 43457->53 (17:19:44.689 PDT) 49597->53 (17:22:11.826 PDT) OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 200.221.11.98 (17:21:03.136 PDT) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 34729->53 (17:21:03.136 PDT) 128.163.142.20 (17:28:18.001 PDT) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 6110->6110 (17:28:18.001 PDT) 128.227.11.13 (2) (17:18:18.077 PDT-17:38:18.164 PDT) event=1:9910006 (2) {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 2: 49302->4040 (17:18:18.077 PDT-17:38:18.164 PDT) 88.81.249.200 (17:10:51.202 PDT) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 57597->53 (17:10:51.202 PDT) 212.44.109.181 (17:34:15.276 PDT) event=1:9910009 {tcp} E8[rb] ET ShadowServer confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 54546->53 (17:34:15.276 PDT) 176.28.0.239 (17:31:03.152 PDT) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 56080->53 (17:31:03.152 PDT) 217.16.28.65 (17:13:32.042 PDT) event=1:9910009 {tcp} E8[rb] ET ShadowServer confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 47876->53 (17:13:32.042 PDT) 66.45.238.251 (17:23:46.181 PDT) 
event=1:9910009 {tcp} E8[rb] ET ShadowServer confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 44816->53 (17:23:46.181 PDT) tcpslice 1318723767.425 1318725498.165 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.100 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 10/15/2011 17:41:04.312 PDT Gen. Time: 10/15/2011 17:41:04.312 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 93.170.52.30 (17:41:04.312 PDT) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 40692->53 (17:41:04.312 PDT) tcpslice 1318725664.312 1318725664.313 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100' ============================== SEPARATOR ================================ Score: 2.4 (>= 0.8) Infected Target: 192.168.1.100 Infector List: 91.207.61.48, 192.168.1.230, 192.168.1.20 Egg Source List: 155.98.35.7, 170.140.119.69, 128.10.19.52 C & C List: 200.147.33.17, 91.209.163.201 (2), 64.94.137.53, 88.81.249.200, 194.226.96.8, 200.147.1.41, 192.168.1.230 (17) Peer Coord. List: Resource List: Observed Start: 10/15/2011 17:41:04.312 PDT Gen. 
Time: 10/15/2011 18:54:05.762 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS 91.207.61.48 (2) (17:45:16.094 PDT) event=1:2632222 (2) {tcp} E2[dns] BHDNS SPYWARE-CONTACT: warwork.info (harmful), [/SeattleGENI/HashTable] MAC_Dst: 00:21:1C:EE:14:00 36236->80 (17:45:16.094 PDT) 46910->53 (17:55:18.939 PDT) 192.168.1.230 (14) (17:41:40.872 PDT) event=224:1 (14) {udp} E2[dns] BHDNS SPYWARE-DNS: florianarray.ru (zeus), [] MAC_Dst: 00:21:1C:EE:14:00 38514->53 (17:41:40.872 PDT) 37864->53 (17:42:10.381 PDT) 46649->53 (17:42:10.485 PDT) 46899->53 (17:43:14.303 PDT) 50565->53 (17:43:23.382 PDT) 42076->53 (17:45:07.893 PDT) 37868->53 (17:45:30.958 PDT) 54324->53 (17:46:11.612 PDT) 49989->53 (17:50:14.102 PDT) 44947->53 (17:54:15.773 PDT) 48221->53 (17:54:26.420 PDT) 49768->53 (17:54:42.131 PDT) 44647->53 (17:54:43.059 PDT) 38376->53 (17:55:55.642 PDT) 192.168.1.20 (17:50:33.740 PDT) event=224:1 {udp} E2[dns] BHDNS SPYWARE-DNS: sourcegoogle.com (harmful), [] MAC_Dst: 00:21:1C:EE:14:00 35296->53 (17:50:33.740 PDT) EGG DOWNLOAD 155.98.35.7 (2) (18:34:57.310 PDT) event=1:2000419 {tcp} E3[rb] ET POLICY PE EXE or DLL Windows file download, [] MAC_Src: 00:21:1C:EE:14:00 42970<-59408 (18:34:57.310 PDT) ------------------------- event=1:3300007 {tcp} E3[rb] BotHunter Malware Windows executable (PE) sent from remote host, [] MAC_Src: 00:21:1C:EE:14:00 42970<-59408 (18:34:57.310 PDT) 170.140.119.69 (2) (18:41:20.523 PDT) event=1:2000419 {tcp} E3[rb] ET POLICY PE EXE or DLL Windows file download, [] MAC_Src: 00:21:1C:EE:14:00 34886<-26536 (18:41:20.523 PDT) ------------------------- event=1:3300007 {tcp} E3[rb] BotHunter Malware Windows executable (PE) sent from remote host, [] MAC_Src: 00:21:1C:EE:14:00 34886<-26536 (18:41:20.523 PDT) 128.10.19.52 (2) (18:49:25.249 PDT) event=1:2000419 {tcp} E3[rb] ET POLICY PE EXE or DLL Windows file download, [] MAC_Src: 00:21:1C:EE:14:00 50771<-20385 (18:49:25.249 PDT) ------------------------- event=1:3300007 {tcp} E3[rb] BotHunter Malware Windows 
executable (PE) sent from remote host, [] MAC_Src: 00:21:1C:EE:14:00 50771<-20385 (18:49:25.249 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) 200.147.33.17 (18:49:29.064 PDT) event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:BB:0C 37340->53 (18:49:29.064 PDT) 91.209.163.201 (2) (17:46:57.431 PDT) event=1:3810007 (2) {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [%F1i%BC%D8%BB,*6|%B4%13%EB%8B%C1%FC;%D2%D8%F48%F2%8C%80%D5(%BB%F9%A5%D9Z%CD%84K*%FF] MAC_Src: 00:21:5A:08:BB:0C 49449->80 (17:46:57.431 PDT) 55207->80 (18:18:47.134 PDT) 64.94.137.53 (18:07:57.807 PDT) event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:BB:0C 46333->80 (18:07:57.807 PDT) 88.81.249.200 (17:57:37.810 PDT) event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:BB:0C 34433->80 (17:57:37.810 PDT) 194.226.96.8 (18:39:26.614 PDT) event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:BB:0C 37594->53 (18:39:26.614 PDT) 200.147.1.41 (18:28:49.456 PDT) event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:BB:0C 54553->53 (18:28:49.456 PDT) C and C DNS CHECK-IN 192.168.1.230 (17) (17:42:32.453 PDT) event=224:1 (17) {udp} E4[dns] BHDNS SPYWARE-DNS: banner-count.com (trojan), [] MAC_Src: 00:21:5A:08:BB:0C 53383->53 (17:42:32.453 PDT) 46394->53 (17:44:28.746 PDT) 57861->53 (17:45:36.913 PDT) 60405->53 (17:48:36.693 PDT) 59560->53 (17:48:37.900 PDT) 33081->53 (17:49:22.201 PDT) 35788->53 (17:51:28.600 PDT) 57352->53 (17:52:30.718 PDT) 33532->53 (17:52:34.145 PDT) 51387->53 (17:54:10.952 PDT) 48729->53 (17:58:24.121 PDT) 60650->53 (18:01:48.324 PDT) 47797->53 (18:02:17.559 PDT) 52867->53 (18:02:42.041 PDT) 38399->53 (18:02:59.529 PDT) 49998->53 (18:03:06.556 PDT) 37063->53 (18:06:29.896 PDT) OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN 
(spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 128.227.11.13 (3) (17:58:21.140 PDT-18:38:26.341 PDT) event=1:9910006 (3) {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 2: 49302->4040 (18:08:21.757 PDT-18:38:26.341 PDT) 49301->37573 (17:58:21.140 PDT) 118.218.219.178 (18:01:07.545 PDT) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 48441->53 (18:01:07.545 PDT) 8.5.1.44 (17:44:55.499 PDT) event=1:9910009 {tcp} E8[rb] ET ShadowServer confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 60150->80 (17:44:55.499 PDT) 93.170.52.30 (3) (17:41:04.312 PDT) event=1:9910005 (3) {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 45132->53 (18:11:08.556 PDT) 40692->53 (17:41:04.312 PDT) 51279->53 (18:31:14.488 PDT) 195.226.246.3 (17:55:00.202 PDT) event=1:9910009 {tcp} E8[rb] ET ShadowServer confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 58850->53 (17:55:00.202 PDT) 216.8.179.25 (18:06:29.191 PDT) event=1:9910009 {tcp} E8[rb] ET ShadowServer confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 45689->80 (18:06:29.191 PDT) 92.241.169.250 (18:18:46.985 PDT) event=1:9910009 {tcp} E8[rb] ET ShadowServer confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 47715->80 (18:18:46.985 PDT) 93.170.52.20 (2) (17:51:07.496 PDT) event=1:9910005 (2) {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 35165->53 (17:51:07.496 PDT) 59557->53 (18:21:09.595 PDT) 208.91.196.10 (18:28:46.683 PDT) event=1:9910009 {tcp} E8[rb] ET ShadowServer confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 49379->53 (18:28:46.683 PDT) 206.207.248.34 (2) (18:18:21.118 PDT-18:28:25.004 PDT) event=1:9910006 (2) {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 2: 23127->23127 (18:18:21.118 PDT-18:28:25.004 PDT) 128.163.142.20 
(17:48:18.288 PDT) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 23127->23127 (17:48:18.288 PDT) tcpslice 1318725664.312 1318729106.342 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100' ============================== SEPARATOR ================================ Score: 1.0 (>= 0.8) Infected Target: 192.168.1.100 Infector List: Egg Source List: 143.215.131.197 C & C List: 192.168.1.230 Peer Coord. List: Resource List: Observed Start: 10/15/2011 18:54:34.152 PDT Gen. Time: 10/15/2011 18:54:45.461 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD 143.215.131.197 (18:54:45.461 PDT) event=1:2000419 {tcp} E3[rb] ET POLICY PE EXE or DLL Windows file download, [] MAC_Src: 00:21:1C:EE:14:00 42308<-50604 (18:54:45.461 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN 192.168.1.230 (18:54:34.152 PDT) event=224:1 {udp} E4[dns] BHDNS SPYWARE-DNS: banner-count.com (trojan), [] MAC_Src: 00:21:5A:08:BB:0C 46511->53 (18:54:34.152 PDT) OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT tcpslice 1318730074.152 1318730074.153 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100' ============================== SEPARATOR ================================ Score: 2.4 (>= 0.8) Infected Target: 192.168.1.100 Infector List: 91.207.61.48, 192.168.1.230, 192.168.1.20 Egg Source List: 130.37.193.143, 204.123.28.57, 143.215.131.197 C & C List: 78.31.65.216, 91.209.163.201, 192.168.1.230 (11) Peer Coord. List: Resource List: Observed Start: 10/15/2011 18:54:34.152 PDT Gen. 
Time: 10/15/2011 19:11:46.066 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS 91.207.61.48 (2) (18:57:16.367 PDT) event=1:2632222 (2) {tcp} E2[dns] BHDNS SPYWARE-CONTACT: warwork.info (harmful), [] MAC_Dst: 00:21:1C:EE:14:00 37388->80 (18:57:16.367 PDT) 53605->80 (19:07:20.253 PDT) 192.168.1.230 (10) (18:56:03.098 PDT) event=224:1 (10) {udp} E2[dns] BHDNS SPYWARE-DNS: warwork.info (harmful), [] MAC_Dst: 00:21:1C:EE:14:00 57039->53 (18:56:03.098 PDT) 59651->53 (18:59:54.600 PDT) 44831->53 (19:00:16.296 PDT) 43656->53 (19:00:31.161 PDT) 58407->53 (19:01:23.623 PDT) 48641->53 (19:01:43.318 PDT) 32819->53 (19:03:12.639 PDT) 46312->53 (19:03:35.060 PDT) 53501->53 (19:05:57.095 PDT) 52913->53 (19:06:03.085 PDT) 192.168.1.20 (19:05:58.173 PDT) event=224:1 {udp} E2[dns] BHDNS SPYWARE-DNS: warwork.info (harmful), [] MAC_Dst: 00:21:1C:EE:14:00 59709->53 (19:05:58.173 PDT) EGG DOWNLOAD 130.37.193.143 (2) (19:07:06.154 PDT) event=1:2000419 {tcp} E3[rb] ET POLICY PE EXE or DLL Windows file download, [] MAC_Src: 00:21:1C:EE:14:00 52901<-14869 (19:07:06.154 PDT) ------------------------- event=1:3300007 {tcp} E3[rb] BotHunter Malware Windows executable (PE) sent from remote host, [] MAC_Src: 00:21:1C:EE:14:00 52901<-14869 (19:07:06.154 PDT) 204.123.28.57 (2) (19:01:39.081 PDT) event=1:2000419 {tcp} E3[rb] ET POLICY PE EXE or DLL Windows file download, [] MAC_Src: 00:21:1C:EE:14:00 35235<-29730 (19:01:39.081 PDT) ------------------------- event=1:3300007 {tcp} E3[rb] BotHunter Malware Windows executable (PE) sent from remote host, [] MAC_Src: 00:21:1C:EE:14:00 35235<-29730 (19:01:39.081 PDT) 143.215.131.197 (2) (18:54:45.461 PDT) event=1:2000419 {tcp} E3[rb] ET POLICY PE EXE or DLL Windows file download, [] MAC_Src: 00:21:1C:EE:14:00 42308<-50604 (18:54:45.461 PDT) ------------------------- event=1:3300007 {tcp} E3[rb] BotHunter Malware Windows executable (PE) sent from remote host, [] MAC_Src: 00:21:1C:EE:14:00 42308<-50604 (18:54:45.461 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) 
78.31.65.216 (18:59:29.801 PDT) event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:BB:0C 58371->80 (18:59:29.801 PDT) 91.209.163.201 (19:09:32.992 PDT) event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:BB:0C 37159->53 (19:09:32.992 PDT) C and C DNS CHECK-IN 192.168.1.230 (11) (18:54:34.152 PDT) event=224:1 (11) {udp} E4[dns] BHDNS SPYWARE-DNS: banner-count.com (trojan), [] MAC_Src: 00:21:5A:08:BB:0C 46511->53 (18:54:34.152 PDT) 40400->53 (18:55:04.039 PDT) 51605->53 (18:59:18.964 PDT) 35858->53 (18:59:48.054 PDT) 55165->53 (19:03:00.709 PDT) 47137->53 (19:04:38.778 PDT) 41845->53 (19:07:09.999 PDT) 35253->53 (19:08:23.192 PDT) 55798->53 (19:08:39.977 PDT) 46525->53 (19:08:51.663 PDT) 41742->53 (19:09:21.013 PDT) OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 130.149.49.136 (18:58:26.889 PDT) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 6110->6110 (18:58:26.889 PDT) 67.228.81.181 (19:11:23.128 PDT) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 47226->53 (19:11:23.128 PDT) 64.86.97.91 (19:01:23.632 PDT) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 49368->53 (19:01:23.632 PDT) 143.89.49.74 (19:08:28.053 PDT) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 30599->30599 (19:08:28.053 PDT) 62.149.13.54 (19:02:02.019 PDT) event=1:9910009 {tcp} E8[rb] ET ShadowServer confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 51848->53 (19:02:02.019 PDT) tcpslice 1318730074.152 1318730074.153 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected 
Target: 192.168.1.100 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 10/15/2011 19:12:03.635 PDT Gen. Time: 10/15/2011 19:12:03.635 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 216.8.179.25 (19:12:03.635 PDT) event=1:9910009 {tcp} E8[rb] ET ShadowServer confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 38789->80 (19:12:03.635 PDT) tcpslice 1318731123.635 1318731123.636 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100' ============================== SEPARATOR ================================ Score: 2.4 (>= 0.8) Infected Target: 192.168.1.100 Infector List: 192.168.1.230 Egg Source List: 198.82.160.238, 157.92.44.101, 207.197.40.251 C & C List: 91.209.163.202, 76.73.1.194, 192.168.1.230 (16), 91.228.133.56 Peer Coord. List: Resource List: Observed Start: 10/15/2011 19:12:03.635 PDT Gen. 
Time: 10/15/2011 19:36:12.737 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS 192.168.1.230 (17) (19:12:10.663 PDT-19:17:57.177 PDT) event=224:1 (17) {udp} E2[dns] BHDNS SPYWARE-DNS: florianarray.ru (zeus), [] MAC_Dst: 00:21:1C:EE:14:00 35616->53 (19:25:01.978 PDT) 59259->53 (19:13:48.935 PDT) 2: 60042->53 (19:17:51.168 PDT-19:17:57.177 PDT) 54899->53 (19:20:41.569 PDT) 54425->53 (19:25:54.875 PDT) 43808->53 (19:12:24.690 PDT) 58733->53 (19:12:39.322 PDT) 48544->53 (19:20:12.515 PDT) 32845->53 (19:25:17.524 PDT) 47246->53 (19:15:49.533 PDT) 38831->53 (19:25:30.304 PDT) 50714->53 (19:25:54.630 PDT) 34002->53 (19:26:00.015 PDT) 53381->53 (19:17:57.609 PDT) 45935->53 (19:13:38.095 PDT) 53017->53 (19:12:10.663 PDT) EGG DOWNLOAD 198.82.160.238 (2) (19:29:04.293 PDT) event=1:2000419 {tcp} E3[rb] ET POLICY PE EXE or DLL Windows file download, [] MAC_Src: 00:21:1C:EE:14:00 48959<-25871 (19:29:04.293 PDT) ------------------------- event=1:3300007 {tcp} E3[rb] BotHunter Malware Windows executable (PE) sent from remote host, [] MAC_Src: 00:21:1C:EE:14:00 48959<-25871 (19:29:04.293 PDT) 157.92.44.101 (2) (19:16:17.073 PDT) event=1:2000419 {tcp} E3[rb] ET POLICY PE EXE or DLL Windows file download, [] MAC_Src: 00:21:1C:EE:14:00 44650<-53557 (19:16:17.073 PDT) ------------------------- event=1:3300007 {tcp} E3[rb] BotHunter Malware Windows executable (PE) sent from remote host, [] MAC_Src: 00:21:1C:EE:14:00 44650<-53557 (19:16:17.073 PDT) 207.197.40.251 (2) (19:21:55.186 PDT) event=1:2000419 {tcp} E3[rb] ET POLICY PE EXE or DLL Windows file download, [] MAC_Src: 00:21:1C:EE:14:00 52539<-10123 (19:21:55.186 PDT) ------------------------- event=1:3300007 {tcp} E3[rb] BotHunter Malware Windows executable (PE) sent from remote host, [] MAC_Src: 00:21:1C:EE:14:00 52539<-10123 (19:21:55.186 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) 91.209.163.202 (19:19:33.201 PDT) event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:BB:0C 40454->80 
(19:19:33.201 PDT) 76.73.1.194 (19:29:40.998 PDT) event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:BB:0C 42960->80 (19:29:40.998 PDT) C and C DNS CHECK-IN 192.168.1.230 (16) (19:12:39.904 PDT) event=224:1 (16) {udp} E4[dns] BHDNS SPYWARE-DNS: wieblatrino.hopto.org (trojan), [] MAC_Src: 00:21:5A:08:BB:0C 56585->53 (19:12:39.904 PDT) 57742->53 (19:14:01.750 PDT) 43055->53 (19:16:30.540 PDT) 53102->53 (19:17:52.102 PDT) 44068->53 (19:19:32.077 PDT) 52563->53 (19:20:24.870 PDT) 37609->53 (19:20:40.286 PDT) 52268->53 (19:22:39.332 PDT) 33155->53 (19:24:13.123 PDT) 54376->53 (19:25:15.343 PDT) 52505->53 (19:25:32.163 PDT) 46501->53 (19:26:11.228 PDT) 59796->53 (19:26:40.099 PDT) 41023->53 (19:27:02.794 PDT) 53645->53 (19:31:20.321 PDT) 53847->53 (19:32:29.438 PDT) 91.228.133.56 (19:17:58.909 PDT) event=1:2632222 {tcp} E4[dns] BHDNS SPYWARE-CONTACT: wagequtn.mattemon.info (malware), [%B1#%C5%EF%F6C%80ra%01%B8%00#%FFo%BE%F7%B6n;ps%09%1C%AF%7F%15~%C8E%17%03%01%00!V%05%AB%89%A5{X'%07%F1Zv%F4%E6M2~%A7%1E%B2%0Fdd%E9=%C2%05%91p%08k%14%11%17%03%01%00!%CD{%05scZ%02v%C3t] MAC_Src: 00:21:5A:08:BB:0C 50345->80 (19:17:58.909 PDT) OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 216.8.179.25 (2) (19:12:03.635 PDT) event=1:9910009 (2) {tcp} E8[rb] ET ShadowServer confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 38789->80 (19:12:03.635 PDT) 44660->80 (19:24:51.394 PDT) 128.2.211.114 (19:18:31.183 PDT) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 2121->2121 (19:18:31.183 PDT) 31.170.163.50 (19:31:28.369 PDT) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 48387->53 (19:31:28.369 PDT) 128.163.142.20 (19:28:31.217 PDT) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 2121->2121 (19:28:31.217 
PDT) 122.224.18.94 (19:35:00.516 PDT) event=1:9910009 {tcp} E8[rb] ET ShadowServer confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 55231->53 (19:35:00.516 PDT) 93.170.52.20 (19:21:25.839 PDT) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 37874->53 (19:21:25.839 PDT) tcpslice 1318731123.635 1318731477.178 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100' ============================== SEPARATOR ================================ Score: 1.5 (>= 0.8) Infected Target: 192.168.1.100 Infector List: 192.168.1.230 Egg Source List: C & C List: 192.168.1.230 (3) Peer Coord. List: Resource List: Observed Start: 10/15/2011 19:36:26.931 PDT Gen. Time: 10/15/2011 19:38:31.655 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS 192.168.1.230 (19:36:26.931 PDT) event=224:1 {udp} E2[dns] BHDNS SPYWARE-DNS: warwork.info (harmful), [] MAC_Dst: 00:21:1C:EE:14:00 54648->53 (19:36:26.931 PDT) EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN 192.168.1.230 (3) (19:37:09.248 PDT) event=224:1 (3) {udp} E4[dns] BHDNS SPYWARE-DNS: mobile-files.com (trojan), [] MAC_Src: 00:21:5A:08:BB:0C 59955->53 (19:37:09.248 PDT) 59867->53 (19:37:09.980 PDT) 45808->53 (19:37:41.836 PDT) OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 128.163.142.20 (19:38:31.655 PDT) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 23127->23127 (19:38:31.655 PDT) tcpslice 1318732586.931 1318732586.932 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100' ============================== SEPARATOR ================================ Score: 2.4 (>= 0.8) Infected Target: 192.168.1.100 Infector List: 192.168.1.230, 82.210.157.9 Egg Source List: 140.192.249.204 C & C List: 213.133.101.29, 86.109.114.31, 192.168.1.230 (9) Peer Coord. List: Resource List: Observed Start: 10/15/2011 19:36:26.931 PDT Gen. 
Time: 10/15/2011 19:50:22.928 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS 192.168.1.230 (9) (19:36:26.931 PDT) event=224:1 (9) {udp} E2[dns] BHDNS SPYWARE-DNS: warwork.info (harmful), [] MAC_Dst: 00:21:1C:EE:14:00 54648->53 (19:36:26.931 PDT) 39326->53 (19:38:46.073 PDT) 51803->53 (19:39:01.827 PDT) 56680->53 (19:39:23.344 PDT) 36948->53 (19:39:26.570 PDT) 40342->53 (19:40:21.451 PDT) 44856->53 (19:40:36.744 PDT) 57173->53 (19:40:43.395 PDT) 44898->53 (19:46:35.553 PDT) 82.210.157.9 (19:38:48.037 PDT) event=1:2632222 {tcp} E2[dns] BHDNS SPYWARE-CONTACT: florianarray.ru (zeus), [] MAC_Dst: 00:21:1C:EE:14:00 49523->53 (19:38:48.037 PDT) EGG DOWNLOAD 140.192.249.204 (2) (19:45:49.440 PDT) event=1:2000419 {tcp} E3[rb] ET POLICY PE EXE or DLL Windows file download, [] MAC_Src: 00:21:1C:EE:14:00 56399<-18538 (19:45:49.440 PDT) ------------------------- event=1:3300007 {tcp} E3[rb] BotHunter Malware Windows executable (PE) sent from remote host, [] MAC_Src: 00:21:1C:EE:14:00 56399<-18538 (19:45:49.440 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) 213.133.101.29 (19:39:44.363 PDT) event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:BB:0C 39464->53 (19:39:44.363 PDT) 86.109.114.31 (19:50:03.687 PDT) event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:BB:0C 58597->80 (19:50:03.687 PDT) C and C DNS CHECK-IN 192.168.1.230 (9) (19:37:09.248 PDT) event=224:1 (9) {udp} E4[dns] BHDNS SPYWARE-DNS: mobile-files.com (trojan), [] MAC_Src: 00:21:5A:08:BB:0C 59955->53 (19:37:09.248 PDT) 59867->53 (19:37:09.980 PDT) 45808->53 (19:37:41.836 PDT) 33274->53 (19:41:31.434 PDT) 55217->53 (19:44:34.083 PDT) 43836->53 (19:45:40.125 PDT) 55998->53 (19:46:12.161 PDT) 48947->53 (19:46:58.307 PDT) 37688->53 (19:47:26.232 PDT) OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 128.186.122.86 (19:48:31.050 PDT) event=1:9910006 {udp} E8[rb] 
BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 49302->40922 (19:48:31.050 PDT) 128.163.142.20 (19:38:31.655 PDT) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 23127->23127 (19:38:31.655 PDT) 213.189.197.13 (19:41:32.446 PDT) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 34302->53 (19:41:32.446 PDT) 203.121.165.16 (19:46:30.414 PDT) event=1:9910009 {tcp} E8[rb] ET ShadowServer confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 43623->53 (19:46:30.414 PDT) tcpslice 1318732586.931 1318732586.932 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.100 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 10/15/2011 19:51:32.048 PDT Gen. Time: 10/15/2011 19:51:32.048 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 92.240.68.95 (19:51:32.048 PDT) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 40814->53 (19:51:32.048 PDT) tcpslice 1318733492.048 1318733492.049 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100' ============================== SEPARATOR ================================ Score: 2.4 (>= 0.8) Infected Target: 192.168.1.100 Infector List: 88.198.53.104, 41.189.229.65, 192.168.1.230, 192.168.1.20 Egg Source List: 192.42.83.253, 194.29.178.14, 128.208.4.197 C & C List: 76.163.253.1, 192.168.1.230 (10) Peer Coord. List: Resource List: Observed Start: 10/15/2011 19:51:32.048 PDT Gen. 
Time: 10/15/2011 20:08:24.694 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS 88.198.53.104 (20:02:37.264 PDT) event=1:2632222 {tcp} E2[dns] BHDNS SPYWARE-CONTACT: sourcegoogle.com (harmful), [] MAC_Dst: 00:21:1C:EE:14:00 46035->80 (20:02:37.264 PDT) 41.189.229.65 (19:51:36.214 PDT) event=1:2632222 {tcp} E2[dns] BHDNS SPYWARE-CONTACT: esperadooptic.ru (zeus), [] MAC_Dst: 00:21:1C:EE:14:00 51833->53 (19:51:36.214 PDT) 192.168.1.230 (14) (19:51:34.903 PDT) event=224:1 (14) {udp} E2[dns] BHDNS SPYWARE-DNS: florianarray.ru (zeus), [] MAC_Dst: 00:21:1C:EE:14:00 57327->53 (19:51:34.903 PDT) 44748->53 (19:51:58.511 PDT) 36581->53 (19:52:16.076 PDT) 45769->53 (19:53:21.047 PDT) 37162->53 (19:53:30.470 PDT) 60917->53 (19:56:18.052 PDT) 41164->53 (19:56:42.776 PDT) 60051->53 (19:57:34.721 PDT) 33879->53 (19:57:47.517 PDT) 59648->53 (19:58:08.570 PDT) 59625->53 (19:59:47.732 PDT) 51585->53 (20:03:09.342 PDT) 44693->53 (20:03:10.544 PDT) 56751->53 (20:05:08.279 PDT) 192.168.1.20 (20:03:10.305 PDT) event=224:1 {udp} E2[dns] BHDNS SPYWARE-DNS: florianarray.ru (zeus), [] MAC_Dst: 00:21:1C:EE:14:00 56965->53 (20:03:10.305 PDT) EGG DOWNLOAD 192.42.83.253 (2) (20:05:09.262 PDT) event=1:2000419 {tcp} E3[rb] ET POLICY PE EXE or DLL Windows file download, [] MAC_Src: 00:21:1C:EE:14:00 48387<-25186 (20:05:09.262 PDT) ------------------------- event=1:3300007 {tcp} E3[rb] BotHunter Malware Windows executable (PE) sent from remote host, [] MAC_Src: 00:21:1C:EE:14:00 48387<-25186 (20:05:09.262 PDT) 194.29.178.14 (2) (19:51:47.923 PDT) event=1:2000419 {tcp} E3[rb] ET POLICY PE EXE or DLL Windows file download, [] MAC_Src: 00:21:1C:EE:14:00 35388<-48650 (19:51:47.923 PDT) ------------------------- event=1:3300007 {tcp} E3[rb] BotHunter Malware Windows executable (PE) sent from remote host, [] MAC_Src: 00:21:1C:EE:14:00 35388<-48650 (19:51:47.923 PDT) 128.208.4.197 (2) (19:58:20.240 PDT) event=1:2000419 {tcp} E3[rb] ET POLICY PE EXE or DLL Windows file download, [] MAC_Src: 00:21:1C:EE:14:00 
33558<-11929 (19:58:20.240 PDT) ------------------------- event=1:3300007 {tcp} E3[rb] BotHunter Malware Windows executable (PE) sent from remote host, [] MAC_Src: 00:21:1C:EE:14:00 33558<-11929 (19:58:20.240 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) 76.163.253.1 (20:00:04.897 PDT) event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:BB:0C 51661->53 (20:00:04.897 PDT) C and C DNS CHECK-IN 192.168.1.230 (10) (19:51:34.700 PDT) event=224:1 (10) {udp} E4[dns] BHDNS SPYWARE-DNS: igenorri.hopto.org (malware), [] MAC_Src: 00:21:5A:08:BB:0C 33885->53 (19:51:34.700 PDT) 41043->53 (19:54:48.529 PDT) 43042->53 (19:54:49.766 PDT) 50313->53 (19:56:32.139 PDT) 47548->53 (19:58:36.626 PDT) 55538->53 (19:59:08.470 PDT) 54392->53 (19:59:44.416 PDT) 53764->53 (20:02:53.346 PDT) 55110->53 (20:03:42.430 PDT) 60132->53 (20:05:28.167 PDT) OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 200.72.1.94 (19:56:35.977 PDT) event=1:9910009 {tcp} E8[rb] ET ShadowServer confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 54240->53 (19:56:35.977 PDT) 132.239.17.226 (19:58:31.337 PDT) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 56391->56391 (19:58:31.337 PDT) 87.252.1.21 (20:01:32.313 PDT) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 46627->53 (20:01:32.313 PDT) 92.240.68.95 (19:51:32.048 PDT) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 40814->53 (19:51:32.048 PDT) 31.170.163.70 (20:07:07.977 PDT) event=1:9910009 {tcp} E8[rb] ET ShadowServer confirmed botnet control server, [/mail-archive/pvs/msg04440.html] MAC_Src: 00:21:5A:08:BB:0C 52569->80 (20:07:07.977 PDT) tcpslice 1318733492.048 1318733492.049 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100' 
============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.100 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 10/15/2011 20:08:31.014 PDT Gen. Time: 10/15/2011 20:08:31.014 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 132.239.17.226 (20:08:31.014 PDT) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 56391->56391 (20:08:31.014 PDT) tcpslice 1318734511.014 1318734511.015 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100' ============================== SEPARATOR ================================ Score: 1.7 (>= 0.8) Infected Target: 192.168.1.100 Infector List: Egg Source List: C & C List: 67.208.74.71, 192.168.1.230 Peer Coord. List: Resource List: Observed Start: 10/15/2011 20:08:31.014 PDT Gen. 
Time: 10/15/2011 20:10:27.094 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) 67.208.74.71 (20:10:05.185 PDT) event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:BB:0C 36786->80 (20:10:05.185 PDT) C and C DNS CHECK-IN 192.168.1.230 (20:08:43.016 PDT) event=224:1 {udp} E4[dns] BHDNS SPYWARE-DNS: wieblatrino.hopto.org (trojan), [] MAC_Src: 00:21:5A:08:BB:0C 53656->53 (20:08:43.016 PDT) OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 132.239.17.226 (20:08:31.014 PDT) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 56391->56391 (20:08:31.014 PDT) tcpslice 1318734511.014 1318734511.015 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.100 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 10/15/2011 20:11:32.804 PDT Gen. Time: 10/15/2011 20:11:32.804 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 121.14.70.4 (20:11:32.804 PDT) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 34894->53 (20:11:32.804 PDT) tcpslice 1318734692.804 1318734692.805 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100' ============================== SEPARATOR ================================ Score: 1.9 (>= 0.8) Infected Target: 192.168.1.100 Infector List: 91.207.61.48, 192.168.1.230 Egg Source List: C & C List: 200.147.1.41, 192.168.1.230 (6) Peer Coord. List: Resource List: Observed Start: 10/15/2011 20:11:32.804 PDT Gen. 
Time: 10/15/2011 20:22:27.937 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS 91.207.61.48 (20:14:01.768 PDT) event=1:2632222 {tcp} E2[dns] BHDNS SPYWARE-CONTACT: warwork.info (harmful), [] MAC_Dst: 00:21:1C:EE:14:00 57540->53 (20:14:01.768 PDT) 192.168.1.230 (8) (20:15:32.433 PDT) event=224:1 (8) {udp} E2[dns] BHDNS SPYWARE-DNS: porntubebiz.org (fake_codec), [] MAC_Dst: 00:21:1C:EE:14:00 48289->53 (20:15:32.433 PDT) 50670->53 (20:15:51.082 PDT) 35784->53 (20:16:21.179 PDT) 48115->53 (20:16:48.794 PDT) 38745->53 (20:17:41.736 PDT) 36364->53 (20:18:07.240 PDT) 53399->53 (20:18:37.246 PDT) 36098->53 (20:18:49.421 PDT) EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) 200.147.1.41 (20:20:05.700 PDT) event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:BB:0C 32933->80 (20:20:05.700 PDT) C and C DNS CHECK-IN 192.168.1.230 (6) (20:11:41.927 PDT) event=224:1 (6) {udp} E4[dns] BHDNS SPYWARE-DNS: soudckrnkuzu.tk (malware), [] MAC_Src: 00:21:5A:08:BB:0C 33853->53 (20:11:41.927 PDT) 40315->53 (20:12:31.263 PDT) 34325->53 (20:12:42.746 PDT) 47233->53 (20:14:00.868 PDT) 40850->53 (20:15:34.488 PDT) 60279->53 (20:18:47.126 PDT) OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 130.149.49.136 (20:18:31.050 PDT) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 6110->6110 (20:18:31.050 PDT) 98.129.126.138 (20:17:35.125 PDT) event=1:9910009 {tcp} E8[rb] ET ShadowServer confirmed botnet control server, [%F3%94%8A%8A%1C] MAC_Src: 00:21:5A:08:BB:0C 39432->80 (20:17:35.125 PDT) 69.10.37.189 (20:21:32.499 PDT) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 34763->53 (20:21:32.499 PDT) 121.14.70.4 (20:11:32.804 PDT) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 34894->53 (20:11:32.804 PDT) tcpslice 1318734692.804 
1318734692.805 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100' ============================== SEPARATOR ================================ Score: 1.5 (>= 0.8) Infected Target: 192.168.1.100 Infector List: 91.207.61.48, 192.168.1.230 Egg Source List: C & C List: 192.168.1.230 (5) Peer Coord. List: Resource List: Observed Start: 10/15/2011 20:23:13.354 PDT Gen. Time: 10/15/2011 20:27:36.607 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS 91.207.61.48 (20:24:13.646 PDT) event=1:2632222 {tcp} E2[dns] BHDNS SPYWARE-CONTACT: warwork.info (harmful), [;p_h%18%06%80%AA%0E%13%C2o%02%BC%FB%E3%ACG#%1Bh%10%BFa{%19%DD%C5%DB%126%14%F0%9D'%FB%B3%13"%E3%A2%E2K[*[%80%CF%B5%E2N%1E%C3%19%14] MAC_Dst: 00:21:1C:EE:14:00 49365->80 (20:24:13.646 PDT) 192.168.1.230 (2) (20:26:19.680 PDT) event=224:1 (2) {udp} E2[dns] BHDNS SPYWARE-DNS: warwork.info (harmful), [] MAC_Dst: 00:21:1C:EE:14:00 59264->53 (20:26:19.680 PDT) 55719->53 (20:27:13.583 PDT) EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN 192.168.1.230 (5) (20:23:13.354 PDT) event=224:1 (5) {udp} E4[dns] BHDNS SPYWARE-DNS: wieblatrino.hopto.org (trojan), [] MAC_Src: 00:21:5A:08:BB:0C 49132->53 (20:23:13.354 PDT) 42670->53 (20:24:13.075 PDT) 59546->53 (20:25:04.213 PDT) 32988->53 (20:25:18.121 PDT) 38490->53 (20:26:00.522 PDT) OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 31.170.163.50 (20:27:36.607 PDT) event=1:9910009 {tcp} E8[rb] ET ShadowServer confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 33018->53 (20:27:36.607 PDT) tcpslice 1318735393.354 1318735393.355 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100' ============================== SEPARATOR ================================ Score: 1.5 (>= 0.8) Infected Target: 192.168.1.100 Infector List: 91.207.61.48, 192.168.1.230 Egg Source List: C & C List: 192.168.1.230 (6) Peer Coord. List: Resource List: Observed Start: 10/15/2011 20:23:13.354 PDT Gen. 
Time: 10/15/2011 20:29:13.419 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS 91.207.61.48 (20:24:13.646 PDT) event=1:2632222 {tcp} E2[dns] BHDNS SPYWARE-CONTACT: warwork.info (harmful), [;p_h%18%06%80%AA%0E%13%C2o%02%BC%FB%E3%ACG#%1Bh%10%BFa{%19%DD%C5%DB%126%14%F0%9D'%FB%B3%13"%E3%A2%E2K[*[%80%CF%B5%E2N%1E%C3%19%14] MAC_Dst: 00:21:1C:EE:14:00 49365->80 (20:24:13.646 PDT) 192.168.1.230 (2) (20:26:19.680 PDT) event=224:1 (2) {udp} E2[dns] BHDNS SPYWARE-DNS: warwork.info (harmful), [] MAC_Dst: 00:21:1C:EE:14:00 59264->53 (20:26:19.680 PDT) 55719->53 (20:27:13.583 PDT) EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN 192.168.1.230 (6) (20:23:13.354 PDT) event=224:1 (6) {udp} E4[dns] BHDNS SPYWARE-DNS: wieblatrino.hopto.org (trojan), [] MAC_Src: 00:21:5A:08:BB:0C 49132->53 (20:23:13.354 PDT) 42670->53 (20:24:13.075 PDT) 59546->53 (20:25:04.213 PDT) 32988->53 (20:25:18.121 PDT) 38490->53 (20:26:00.522 PDT) 44002->53 (20:27:41.327 PDT) OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 128.163.142.20 (20:28:32.146 PDT) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 54593->54593 (20:28:32.146 PDT) 31.170.163.50 (20:27:36.607 PDT) event=1:9910009 {tcp} E8[rb] ET ShadowServer confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 33018->53 (20:27:36.607 PDT) tcpslice 1318735393.354 1318735393.355 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100' ============================== SEPARATOR ================================ Score: 1.4 (>= 0.8) Infected Target: 192.168.1.100 Infector List: 192.168.1.230 Egg Source List: C & C List: 67.19.244.5 Peer Coord. List: Resource List: Observed Start: 10/15/2011 20:30:09.698 PDT Gen. 
Time: 10/15/2011 20:31:33.529 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS 192.168.1.230 (20:30:32.105 PDT) event=224:1 {udp} E2[dns] BHDNS SPYWARE-DNS: florianarray.ru (zeus), [] MAC_Dst: 00:21:1C:EE:14:00 54777->53 (20:30:32.105 PDT) EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) 67.19.244.5 (20:30:09.698 PDT) event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:BB:0C 53773->53 (20:30:09.698 PDT) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 93.170.52.20 (20:31:33.529 PDT) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 48067->53 (20:31:33.529 PDT) tcpslice 1318735809.698 1318735809.699 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100' ============================== SEPARATOR ================================ Score: 1.9 (>= 0.8) Infected Target: 192.168.1.100 Infector List: 173.236.70.235, 192.168.1.230, 188.229.89.127 Egg Source List: C & C List: 88.198.53.104, 58.22.242.63, 67.19.244.5, 192.168.1.230 (16) Peer Coord. List: Resource List: Observed Start: 10/15/2011 20:30:09.698 PDT Gen. 
Time: 10/15/2011 20:50:42.394 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS 173.236.70.235 (20:34:23.962 PDT) event=1:2632222 {tcp} E2[dns] BHDNS SPYWARE-CONTACT: porntubebiz.org (fake_codec), [] MAC_Dst: 00:21:1C:EE:14:00 43598->80 (20:34:23.962 PDT) 192.168.1.230 (15) (20:30:32.105 PDT) event=224:1 (15) {udp} E2[dns] BHDNS SPYWARE-DNS: florianarray.ru (zeus), [] MAC_Dst: 00:21:1C:EE:14:00 54777->53 (20:30:32.105 PDT) 50973->53 (20:31:40.677 PDT) 38648->53 (20:31:58.840 PDT) 45830->53 (20:32:43.479 PDT) 58060->53 (20:33:02.227 PDT) 48864->53 (20:34:20.902 PDT) 56561->53 (20:34:20.902 PDT) 56331->53 (20:34:52.541 PDT) 37011->53 (20:36:05.121 PDT) 55032->53 (20:36:56.369 PDT) 55877->53 (20:43:57.245 PDT) 55650->53 (20:44:41.049 PDT) 35939->53 (20:44:41.921 PDT) 45488->53 (20:45:04.588 PDT) 59745->53 (20:45:14.695 PDT) 188.229.89.127 (20:44:23.812 PDT) event=1:2632222 {tcp} E2[dns] BHDNS SPYWARE-CONTACT: arhyv.ru (exploit), [] MAC_Dst: 00:21:1C:EE:14:00 33394->80 (20:44:23.812 PDT) EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) 88.198.53.104 (20:50:42.394 PDT) event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [4.7%0A%00%00%03%0C%0A%14m] MAC_Src: 00:21:5A:08:BB:0C 56237->80 (20:50:42.394 PDT) 58.22.242.63 (20:40:33.244 PDT) event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [S%00%00%00%11%00%00%00%00%00%00%06%8E%00%00%00%00%00%00%06%80%00%00%00%00%00%00%06%91%00%00%00%00%00%00%06%9A%00%00%00%00%00%00%06%8B%00%00%00%00%00%00%06%9C%00%00%00%00%00%00%06%95%00%00%00%00%00] MAC_Src: 00:21:5A:08:BB:0C 60203->80 (20:40:33.244 PDT) 67.19.244.5 (20:30:09.698 PDT) event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:BB:0C 53773->53 (20:30:09.698 PDT) C and C DNS CHECK-IN 192.168.1.230 (16) (20:34:20.902 PDT) event=224:1 (16) {udp} E4[dns] BHDNS SPYWARE-DNS: igenorri.hopto.org (malware), [] MAC_Src: 00:21:5A:08:BB:0C 53077->53 (20:34:20.902 PDT) 55125->53 
(20:34:57.830 PDT) 58985->53 (20:36:09.353 PDT) 48069->53 (20:36:11.032 PDT) 40617->53 (20:36:29.231 PDT) 35704->53 (20:37:39.973 PDT) 42239->53 (20:37:45.019 PDT) 57929->53 (20:38:29.841 PDT) 33503->53 (20:39:01.851 PDT) 36400->53 (20:39:57.445 PDT) 37073->53 (20:41:53.833 PDT) 56941->53 (20:42:01.032 PDT) 56661->53 (20:45:14.695 PDT) 53572->53 (20:45:35.198 PDT) 42020->53 (20:46:21.124 PDT) 34187->53 (20:48:34.745 PDT) OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 123.108.111.67 (20:41:58.268 PDT) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 48352->53 (20:41:58.268 PDT) 132.239.17.226 (20:38:32.325 PDT) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 56391->56391 (20:38:32.325 PDT) 128.163.142.20 (20:48:33.450 PDT) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 54593->54593 (20:48:33.450 PDT) 93.170.52.20 (20:31:33.529 PDT) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 48067->53 (20:31:33.529 PDT) 217.16.28.65 (20:39:11.245 PDT) event=1:9910009 {tcp} E8[rb] ET ShadowServer confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 38240->53 (20:39:11.245 PDT) tcpslice 1318735809.698 1318735809.699 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100' ============================== SEPARATOR ================================ Score: 1.5 (>= 0.8) Infected Target: 192.168.1.100 Infector List: 192.168.1.230 Egg Source List: C & C List: 192.168.1.230 (3) Peer Coord. List: Resource List: Observed Start: 10/15/2011 20:51:14.306 PDT Gen. 
Time: 10/15/2011 20:52:01.523 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS 192.168.1.230 (2) (20:51:14.306 PDT) event=224:1 (2) {udp} E2[dns] BHDNS SPYWARE-DNS: porntubebiz.org (fake_codec), [] MAC_Dst: 00:21:1C:EE:14:00 46525->53 (20:51:14.306 PDT) 47864->53 (20:51:47.476 PDT) EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN 192.168.1.230 (3) (20:51:14.351 PDT) event=224:1 (3) {udp} E4[dns] BHDNS SPYWARE-DNS: soudckrnkuzu.tk (malware), [] MAC_Src: 00:21:5A:08:BB:0C 44347->53 (20:51:14.351 PDT) 44356->53 (20:51:30.652 PDT) 57102->53 (20:51:53.725 PDT) OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 93.170.52.20 (20:52:01.523 PDT) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 37591->53 (20:52:01.523 PDT) tcpslice 1318737074.306 1318737074.307 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100' ============================== SEPARATOR ================================ Score: 1.5 (>= 0.8) Infected Target: 192.168.1.100 Infector List: 192.168.1.230 Egg Source List: C & C List: 192.168.1.230 (3) Peer Coord. List: Resource List: Observed Start: 10/15/2011 20:51:14.306 PDT Gen. 
Time: 10/15/2011 20:54:25.212 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS 192.168.1.230 (2) (20:51:14.306 PDT) event=224:1 (2) {udp} E2[dns] BHDNS SPYWARE-DNS: porntubebiz.org (fake_codec), [] MAC_Dst: 00:21:1C:EE:14:00 46525->53 (20:51:14.306 PDT) 47864->53 (20:51:47.476 PDT) EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN 192.168.1.230 (3) (20:51:14.351 PDT) event=224:1 (3) {udp} E4[dns] BHDNS SPYWARE-DNS: soudckrnkuzu.tk (malware), [] MAC_Src: 00:21:5A:08:BB:0C 44347->53 (20:51:14.351 PDT) 44356->53 (20:51:30.652 PDT) 57102->53 (20:51:53.725 PDT) OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 208.91.196.10 (20:52:18.556 PDT) event=1:9910009 {tcp} E8[rb] ET ShadowServer confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 50170->53 (20:52:18.556 PDT) 93.170.52.20 (20:52:01.523 PDT) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 37591->53 (20:52:01.523 PDT) tcpslice 1318737074.306 1318737074.307 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100' ============================== SEPARATOR ================================ Score: 1.5 (>= 0.8) Infected Target: 192.168.1.100 Infector List: 91.207.61.48, 192.168.1.230 Egg Source List: C & C List: 192.168.1.230 (3) Peer Coord. List: Resource List: Observed Start: 10/15/2011 20:55:27.249 PDT Gen. 
Time: 10/15/2011 20:58:34.812 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS 91.207.61.48 (20:55:29.670 PDT) event=1:2632222 {tcp} E2[dns] BHDNS SPYWARE-CONTACT: warwork.info (harmful), [S%00%00%00%11%00%00%00%00] MAC_Dst: 00:21:1C:EE:14:00 38853->80 (20:55:29.670 PDT) 192.168.1.230 (6) (20:56:17.634 PDT) event=224:1 (6) {udp} E2[dns] BHDNS SPYWARE-DNS: florianarray.ru (zeus), [] MAC_Dst: 00:21:1C:EE:14:00 51337->53 (20:56:17.634 PDT) 42319->53 (20:56:20.875 PDT) 43666->53 (20:56:54.869 PDT) 37909->53 (20:57:04.993 PDT) 51169->53 (20:57:35.495 PDT) 43304->53 (20:57:47.838 PDT) EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN 192.168.1.230 (3) (20:55:27.249 PDT) event=224:1 (3) {udp} E4[dns] BHDNS SPYWARE-DNS: centsubsgesqua.hopto.org (malware), [] MAC_Src: 00:21:5A:08:BB:0C 52569->53 (20:55:27.249 PDT) 60405->53 (20:55:29.209 PDT) 52945->53 (20:56:10.050 PDT) OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 206.207.248.34 (20:58:34.812 PDT) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 2122->2122 (20:58:34.812 PDT) tcpslice 1318737327.249 1318737327.250 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100' ============================== SEPARATOR ================================ Score: 1.9 (>= 0.8) Infected Target: 192.168.1.100 Infector List: 91.207.61.48, 192.168.1.230 Egg Source List: C & C List: 200.147.1.41, 192.168.1.230 (3) Peer Coord. List: Resource List: Observed Start: 10/15/2011 20:55:27.249 PDT Gen. 
Time: 10/15/2011 21:01:16.551 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS 91.207.61.48 (20:55:29.670 PDT) event=1:2632222 {tcp} E2[dns] BHDNS SPYWARE-CONTACT: warwork.info (harmful), [S%00%00%00%11%00%00%00%00] MAC_Dst: 00:21:1C:EE:14:00 38853->80 (20:55:29.670 PDT) 192.168.1.230 (6) (20:56:17.634 PDT) event=224:1 (6) {udp} E2[dns] BHDNS SPYWARE-DNS: florianarray.ru (zeus), [] MAC_Dst: 00:21:1C:EE:14:00 51337->53 (20:56:17.634 PDT) 42319->53 (20:56:20.875 PDT) 43666->53 (20:56:54.869 PDT) 37909->53 (20:57:04.993 PDT) 51169->53 (20:57:35.495 PDT) 43304->53 (20:57:47.838 PDT) EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) 200.147.1.41 (21:00:42.595 PDT) event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:BB:0C 59550->53 (21:00:42.595 PDT) C and C DNS CHECK-IN 192.168.1.230 (3) (20:55:27.249 PDT) event=224:1 (3) {udp} E4[dns] BHDNS SPYWARE-DNS: centsubsgesqua.hopto.org (malware), [] MAC_Src: 00:21:5A:08:BB:0C 52569->53 (20:55:27.249 PDT) 60405->53 (20:55:29.209 PDT) 52945->53 (20:56:10.050 PDT) OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 206.207.248.34 (20:58:34.812 PDT) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 2122->2122 (20:58:34.812 PDT) tcpslice 1318737327.249 1318737327.250 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.100 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 10/15/2011 21:02:01.147 PDT Gen. 
Time: 10/15/2011 21:02:01.147 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 194.186.88.58 (21:02:01.147 PDT) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 58879->53 (21:02:01.147 PDT) tcpslice 1318737721.147 1318737721.148 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100' ============================== SEPARATOR ================================ Score: 2.4 (>= 0.8) Infected Target: 192.168.1.100 Infector List: 91.207.61.48, 192.168.1.230, 192.168.1.20 Egg Source List: 91.209.175.100 C & C List: 87.252.1.21, 200.147.1.41, 192.168.1.230 (11), 192.168.1.20 Peer Coord. List: Resource List: Observed Start: 10/15/2011 21:02:01.147 PDT Gen. Time: 10/15/2011 21:27:38.683 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS 91.207.61.48 (2) (21:05:31.278 PDT) event=1:2632222 (2) {tcp} E2[dns] BHDNS SPYWARE-CONTACT: warwork.info (harmful), [z%B1`R%E9%90%0F%07%00%07r%00%04y%DFu%95%00%07%02(%02%00%01%00%14%10%F9%84%9Ak%16\dM@]%11%9B%15%9F^%8F%F7%18%D2%10%C4%D3t"%0D%D8%B6%CF2D%C4%8F3%AB$%04%B40%B4%00%05ftun%00%18%92{bA] MAC_Dst: 00:21:1C:EE:14:00 33169->80 (21:05:31.278 PDT) 36620->53 (21:15:33.401 PDT) 192.168.1.230 (13) (21:05:20.167 PDT) event=224:1 (13) {udp} E2[dns] BHDNS SPYWARE-DNS: warwork.info (harmful), [] MAC_Dst: 00:21:1C:EE:14:00 34854->53 (21:05:20.167 PDT) 36969->53 (21:05:21.875 PDT) 54405->53 (21:05:29.034 PDT) 39185->53 (21:07:45.434 PDT) 54633->53 (21:09:07.247 PDT) 35830->53 (21:09:12.047 PDT) 42417->53 (21:09:49.392 PDT) 57180->53 (21:10:05.558 PDT) 56726->53 (21:10:10.105 PDT) 44724->53 (21:10:41.821 PDT) 52968->53 (21:11:06.932 PDT) 52281->53 (21:15:30.091 PDT) 36555->53 (21:21:07.799 PDT) 192.168.1.20 (2) (21:22:10.378 PDT) event=224:1 (2) {udp} E2[dns] BHDNS SPYWARE-DNS: esperadooptic.ru (zeus), [] MAC_Dst: 
00:21:1C:EE:14:00 48923->53 (21:22:10.378 PDT) 42882->53 (21:22:11.543 PDT) EGG DOWNLOAD 91.209.175.100 (2) (21:03:41.186 PDT) event=1:2009295 (2) {tcp} E3[rb] ET USER_AGENTS Suspicious Mozilla User-Agent Likely Fake (Mozilla/5.0), [/sec] MAC_Src: 00:21:5A:08:BB:0C 48100->80 (21:03:41.186 PDT) 48108->80 (21:03:41.514 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) 87.252.1.21 (21:20:48.096 PDT) event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:BB:0C 54088->53 (21:20:48.096 PDT) 200.147.1.41 (21:10:42.949 PDT) event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:BB:0C 51722->53 (21:10:42.949 PDT) C and C DNS CHECK-IN 192.168.1.230 (11) (21:04:20.301 PDT) event=224:1 (11) {udp} E4[dns] BHDNS SPYWARE-DNS: banner-count.com (trojan), [] MAC_Src: 00:21:5A:08:BB:0C 53176->53 (21:04:20.301 PDT) 58600->53 (21:04:57.741 PDT) 34145->53 (21:09:22.430 PDT) 55259->53 (21:14:29.530 PDT) 53871->53 (21:14:42.591 PDT) 56321->53 (21:15:39.092 PDT) 45216->53 (21:16:11.643 PDT) 60814->53 (21:17:04.823 PDT) 46863->53 (21:18:43.951 PDT) 42329->53 (21:19:36.556 PDT) 50109->53 (21:22:45.386 PDT) 192.168.1.20 (21:04:21.301 PDT) event=224:1 {udp} E4[dns] BHDNS SPYWARE-DNS: banner-count.com (trojan), [] MAC_Src: 00:21:5A:08:BB:0C 55982->53 (21:04:21.301 PDT) OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 92.241.169.250 (21:14:19.177 PDT) event=1:9910009 {tcp} E8[rb] ET ShadowServer confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 53989->53 (21:14:19.177 PDT) 208.91.196.10 (21:04:19.829 PDT) event=1:9910009 {tcp} E8[rb] ET ShadowServer confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 46549->80 (21:04:19.829 PDT) 91.207.61.48 (21:22:01.524 PDT) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 33883->53 (21:22:01.524 PDT) 128.163.142.20 (21:18:40.150 PDT) 
event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 2121->2121 (21:18:40.150 PDT) 98.129.126.138 (21:25:15.910 PDT) event=1:9910009 {tcp} E8[rb] ET ShadowServer confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 37989->80 (21:25:15.910 PDT) 206.207.248.34 (21:08:40.441 PDT) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 23127->23127 (21:08:40.441 PDT) 93.170.52.20 (21:12:01.234 PDT) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 39495->53 (21:12:01.234 PDT) 194.186.88.58 (21:02:01.147 PDT) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 58879->53 (21:02:01.147 PDT) tcpslice 1318737721.147 1318737721.148 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.100 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 10/15/2011 21:28:40.838 PDT Gen. Time: 10/15/2011 21:28:40.838 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 128.163.142.20 (21:28:40.838 PDT) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 2121->2121 (21:28:40.838 PDT) tcpslice 1318739320.838 1318739320.839 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100' ============================== SEPARATOR ================================ Score: 1.2 (>= 0.8) Infected Target: 192.168.1.100 Infector List: Egg Source List: C & C List: 69.43.161.164 Peer Coord. List: Resource List: Observed Start: 10/15/2011 21:30:55.573 PDT Gen. 
Time: 10/15/2011 21:32:02.156 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) 69.43.161.164 (21:30:55.573 PDT) event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:BB:0C 38766->80 (21:30:55.573 PDT) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 93.170.52.20 (21:32:02.156 PDT) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 56377->53 (21:32:02.156 PDT) tcpslice 1318739455.573 1318739455.574 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100' ============================== SEPARATOR ================================ Score: 1.9 (>= 0.8) Infected Target: 192.168.1.100 Infector List: 192.168.1.230, 192.168.1.20, 82.210.157.9 Egg Source List: C & C List: 88.198.53.104, 69.43.161.164, 192.168.1.230 (5), 192.168.1.20 Peer Coord. List: Resource List: Observed Start: 10/15/2011 21:30:55.573 PDT Gen. 
Time: 10/15/2011 21:40:55.644 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS 192.168.1.230 (12) (21:34:37.220 PDT-21:36:56.270 PDT) event=224:1 (12) {udp} E2[dns] BHDNS SPYWARE-DNS: warwork.info (harmful), [] MAC_Dst: 00:21:1C:EE:14:00 42108->53 (21:35:41.498 PDT) 43877->53 (21:34:52.747 PDT) 50765->53 (21:34:55.551 PDT) 42317->53 (21:36:32.253 PDT) 44597->53 (21:34:37.220 PDT) 2: 58703->53 (21:36:50.298 PDT-21:36:56.270 PDT) 52792->53 (21:36:42.097 PDT) 2: 58159->53 (21:36:38.210 PDT-21:36:44.210 PDT) 47402->53 (21:35:37.565 PDT) 34889->53 (21:36:27.756 PDT) 192.168.1.20 (4) (21:34:38.246 PDT) event=224:1 (4) {udp} E2[dns] BHDNS SPYWARE-DNS: florianarray.ru (zeus), [] MAC_Dst: 00:21:1C:EE:14:00 45081->53 (21:34:39.339 PDT) 52327->53 (21:36:51.314 PDT) 54153->53 (21:35:38.642 PDT) 59613->53 (21:34:38.246 PDT) 82.210.157.9 (21:35:40.990 PDT) event=1:2632222 {tcp} E2[dns] BHDNS SPYWARE-CONTACT: florianarray.ru (zeus), [] MAC_Dst: 00:21:1C:EE:14:00 42752->80 (21:35:40.990 PDT) EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) 88.198.53.104 (21:40:55.644 PDT) event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:BB:0C 60446->53 (21:40:55.644 PDT) 69.43.161.164 (21:30:55.573 PDT) event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:BB:0C 38766->80 (21:30:55.573 PDT) C and C DNS CHECK-IN 192.168.1.230 (5) (21:33:29.424 PDT) event=224:1 (5) {udp} E4[dns] BHDNS SPYWARE-DNS: wagequtn.mattemon.info (malware), [] MAC_Src: 00:21:5A:08:BB:0C 48994->53 (21:33:29.424 PDT) 48584->53 (21:33:29.720 PDT) 41619->53 (21:33:30.983 PDT) 47960->53 (21:35:03.030 PDT) 45190->53 (21:36:53.570 PDT) 192.168.1.20 (21:35:08.662 PDT) event=224:1 {udp} E4[dns] BHDNS SPYWARE-DNS: banner-count.com (trojan), [] MAC_Src: 00:21:5A:08:BB:0C 43189->53 (21:35:08.662 PDT) OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 143.89.49.74 (21:38:41.307 PDT) 
event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 2121->2121 (21:38:41.307 PDT) 93.170.52.20 (21:32:02.156 PDT) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 56377->53 (21:32:02.156 PDT) 60.19.30.131 (21:35:40.990 PDT) event=1:9910009 {tcp} E8[rb] ET ShadowServer confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 44817->80 (21:35:40.990 PDT) tcpslice 1318739455.573 1318739816.271 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100' ============================== SEPARATOR ================================ Score: 1.3 (>= 0.8) Infected Target: 192.168.1.100 Infector List: Egg Source List: C & C List: 192.168.1.230 Peer Coord. List: Resource List: Observed Start: 10/15/2011 21:41:53.461 PDT Gen. Time: 10/15/2011 21:42:02.331 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN 192.168.1.230 (21:41:53.461 PDT) event=224:1 {udp} E4[dns] BHDNS SPYWARE-DNS: soudckrnkuzu.tk (malware), [] MAC_Src: 00:21:5A:08:BB:0C 32806->53 (21:41:53.461 PDT) OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 93.170.52.30 (21:42:02.331 PDT) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 46539->53 (21:42:02.331 PDT) tcpslice 1318740113.461 1318740113.462 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100' ============================== SEPARATOR ================================ Score: 1.5 (>= 0.8) Infected Target: 192.168.1.100 Infector List: 192.168.1.230 Egg Source List: C & C List: 192.168.1.230 (6), 192.168.1.20 Peer Coord. List: Resource List: Observed Start: 10/15/2011 21:41:53.461 PDT Gen. 
Time: 10/15/2011 21:45:22.359 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS 192.168.1.230 (21:42:39.325 PDT) event=224:1 {udp} E2[dns] BHDNS SPYWARE-DNS: toolbarqueries-google.com (harmful), [] MAC_Dst: 00:21:1C:EE:14:00 36664->53 (21:42:39.325 PDT) EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN 192.168.1.230 (6) (21:41:53.461 PDT) event=224:1 (6) {udp} E4[dns] BHDNS SPYWARE-DNS: soudckrnkuzu.tk (malware), [] MAC_Src: 00:21:5A:08:BB:0C 32806->53 (21:41:53.461 PDT) 58573->53 (21:42:16.594 PDT) 51440->53 (21:42:16.879 PDT) 37020->53 (21:42:43.695 PDT) 39395->53 (21:43:50.379 PDT) 51897->53 (21:43:50.807 PDT) 192.168.1.20 (21:42:44.812 PDT) event=224:1 {udp} E4[dns] BHDNS SPYWARE-DNS: taobao.lylwc.com (malware), [] MAC_Src: 00:21:5A:08:BB:0C 42562->53 (21:42:44.812 PDT) OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 93.170.52.30 (21:42:02.331 PDT) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 46539->53 (21:42:02.331 PDT) tcpslice 1318740113.461 1318740113.462 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100' ============================== SEPARATOR ================================ Score: 1.5 (>= 0.8) Infected Target: 192.168.1.100 Infector List: 91.207.61.48, 192.168.1.230 Egg Source List: C & C List: 192.168.1.230 Peer Coord. List: Resource List: Observed Start: 10/15/2011 21:45:37.525 PDT Gen. 
Time: 10/15/2011 21:46:35.761 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS 91.207.61.48 (21:45:52.509 PDT) event=1:2632222 {tcp} E2[dns] BHDNS SPYWARE-CONTACT: warwork.info (harmful), [] MAC_Dst: 00:21:1C:EE:14:00 48733->53 (21:45:52.509 PDT) 192.168.1.230 (3) (21:45:37.525 PDT) event=224:1 (3) {udp} E2[dns] BHDNS SPYWARE-DNS: porntubebiz.org (fake_codec), [] MAC_Dst: 00:21:1C:EE:14:00 60843->53 (21:45:37.525 PDT) 39657->53 (21:46:07.870 PDT) 36986->53 (21:46:14.139 PDT) EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN 192.168.1.230 (21:45:52.146 PDT) event=224:1 {udp} E4[dns] BHDNS SPYWARE-DNS: banner-count.com (trojan), [] MAC_Src: 00:21:5A:08:BB:0C 57213->53 (21:45:52.146 PDT) OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 217.16.28.65 (21:46:35.761 PDT) event=1:9910009 {tcp} E8[rb] ET ShadowServer confirmed botnet control server, [/OUTPUT/UNIQUE/0c917849ff3e6983bfe8cad07a345970/html/sub_404B80.html] MAC_Src: 00:21:5A:08:BB:0C 54784->80 (21:46:35.761 PDT) tcpslice 1318740337.525 1318740337.526 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100' ============================== SEPARATOR ================================ Score: 1.9 (>= 0.8) Infected Target: 192.168.1.100 Infector List: 91.207.61.48, 192.168.1.230 Egg Source List: C & C List: 200.147.33.19, 192.168.1.230 (6) Peer Coord. List: Resource List: Observed Start: 10/15/2011 21:45:37.525 PDT Gen. 
Time: 10/15/2011 21:53:54.530 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS 91.207.61.48 (21:45:52.509 PDT) event=1:2632222 {tcp} E2[dns] BHDNS SPYWARE-CONTACT: warwork.info (harmful), [] MAC_Dst: 00:21:1C:EE:14:00 48733->53 (21:45:52.509 PDT) 192.168.1.230 (9) (21:45:37.525 PDT) event=224:1 (9) {udp} E2[dns] BHDNS SPYWARE-DNS: porntubebiz.org (fake_codec), [] MAC_Dst: 00:21:1C:EE:14:00 60843->53 (21:45:37.525 PDT) 39657->53 (21:46:07.870 PDT) 36986->53 (21:46:14.139 PDT) 33524->53 (21:47:43.519 PDT) 37044->53 (21:48:31.427 PDT) 54829->53 (21:49:09.157 PDT) 56079->53 (21:49:26.447 PDT) 43043->53 (21:49:33.505 PDT) 50124->53 (21:50:49.257 PDT) EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) 200.147.33.19 (21:51:01.737 PDT) event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:BB:0C 56870->80 (21:51:01.737 PDT) C and C DNS CHECK-IN 192.168.1.230 (6) (21:45:52.146 PDT) event=224:1 (6) {udp} E4[dns] BHDNS SPYWARE-DNS: banner-count.com (trojan), [] MAC_Src: 00:21:5A:08:BB:0C 57213->53 (21:45:52.146 PDT) 32875->53 (21:46:52.773 PDT) 58966->53 (21:47:20.596 PDT) 60934->53 (21:50:37.487 PDT) 48760->53 (21:50:59.429 PDT) 53031->53 (21:51:01.906 PDT) OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 206.207.248.34 (21:48:41.995 PDT) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 23127->23127 (21:48:41.995 PDT) 216.246.35.77 (21:52:27.005 PDT) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 55390->53 (21:52:27.005 PDT) 217.16.28.65 (21:46:35.761 PDT) event=1:9910009 {tcp} E8[rb] ET ShadowServer confirmed botnet control server, [/OUTPUT/UNIQUE/0c917849ff3e6983bfe8cad07a345970/html/sub_404B80.html] MAC_Src: 00:21:5A:08:BB:0C 54784->80 (21:46:35.761 PDT) tcpslice 1318740337.525 1318740337.526 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 
192.168.1.100' ============================== SEPARATOR ================================ Score: 1.5 (>= 0.8) Infected Target: 192.168.1.100 Infector List: 91.207.61.48, 192.168.1.230 Egg Source List: C & C List: 192.168.1.230 (3), 192.168.1.20 (2) Peer Coord. List: Resource List: Observed Start: 10/15/2011 21:54:48.106 PDT Gen. Time: 10/15/2011 21:56:36.298 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS 91.207.61.48 (21:56:21.816 PDT) event=1:2632222 {tcp} E2[dns] BHDNS SPYWARE-CONTACT: warwork.info (harmful), [] MAC_Dst: 00:21:1C:EE:14:00 44840->80 (21:56:21.816 PDT) 192.168.1.230 (21:55:40.614 PDT) event=224:1 {udp} E2[dns] BHDNS SPYWARE-DNS: warwork.info (harmful), [] MAC_Dst: 00:21:1C:EE:14:00 32790->53 (21:55:40.614 PDT) EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN 192.168.1.230 (3) (21:54:48.106 PDT) event=224:1 (3) {udp} E4[dns] BHDNS SPYWARE-DNS: soudckrnkuzu.tk (malware), [] MAC_Src: 00:21:5A:08:BB:0C 49386->53 (21:54:48.106 PDT) 52556->53 (21:55:12.911 PDT) 58547->53 (21:56:34.906 PDT) 192.168.1.20 (2) (21:55:13.814 PDT) event=224:1 (2) {udp} E4[dns] BHDNS SPYWARE-DNS: banner-count.com (trojan), [] MAC_Src: 00:21:5A:08:BB:0C 38847->53 (21:55:13.814 PDT) 59499->53 (21:56:35.887 PDT) OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 176.28.0.239 (21:56:36.298 PDT) event=1:9910009 {tcp} E8[rb] ET ShadowServer confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 42496->80 (21:56:36.298 PDT) tcpslice 1318740888.106 1318740888.107 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100' ============================== SEPARATOR ================================ Score: 1.9 (>= 0.8) Infected Target: 192.168.1.100 Infector List: 91.207.61.48, 192.168.1.230, 192.168.1.20 Egg Source List: C & C List: 64.70.19.33, 193.200.173.3, 192.168.1.230 (12), 91.228.133.56, 192.168.1.20 (2) Peer Coord. List: Resource List: Observed Start: 10/15/2011 21:54:48.106 PDT Gen. 
Time: 10/15/2011 22:15:45.448 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS 91.207.61.48 (21:56:21.816 PDT) event=1:2632222 {tcp} E2[dns] BHDNS SPYWARE-CONTACT: warwork.info (harmful), [] MAC_Dst: 00:21:1C:EE:14:00 44840->80 (21:56:21.816 PDT) 192.168.1.230 (11) (21:55:40.614 PDT-22:13:03.650 PDT) event=224:1 (11) {udp} E2[dns] BHDNS SPYWARE-DNS: florianarray.ru (zeus), [] MAC_Dst: 00:21:1C:EE:14:00 50828->53 (22:00:25.505 PDT) 46756->53 (22:02:49.488 PDT) 45499->53 (22:13:18.896 PDT) 32790->53 (21:55:40.614 PDT) 36163->53 (22:12:40.574 PDT) 38738->53 (22:03:19.010 PDT) 45622->53 (22:02:05.738 PDT) 39208->53 (22:02:11.117 PDT) 51384->53 (22:01:20.057 PDT) 2: 41567->53 (22:12:57.657 PDT-22:13:03.650 PDT) 192.168.1.20 (5) (22:03:20.010 PDT-22:13:04.650 PDT) event=224:1 (5) {udp} E2[dns] BHDNS SPYWARE-DNS: sourcegoogle.com (harmful), [] MAC_Dst: 00:21:1C:EE:14:00 58010->53 (22:03:20.010 PDT) 53482->53 (22:13:06.868 PDT) 55466->53 (22:13:19.988 PDT) 2: 52814->53 (22:12:58.651 PDT-22:13:04.650 PDT) EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) 64.70.19.33 (22:11:03.713 PDT) event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:BB:0C 36552->53 (22:11:03.713 PDT) 193.200.173.3 (22:01:02.108 PDT) event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:BB:0C 33367->53 (22:01:02.108 PDT) C and C DNS CHECK-IN 192.168.1.230 (12) (21:54:48.106 PDT) event=224:1 (12) {udp} E4[dns] BHDNS SPYWARE-DNS: soudckrnkuzu.tk (malware), [] MAC_Src: 00:21:5A:08:BB:0C 49386->53 (21:54:48.106 PDT) 52556->53 (21:55:12.911 PDT) 58547->53 (21:56:34.906 PDT) 36306->53 (21:57:46.922 PDT) 42704->53 (22:00:05.356 PDT) 42685->53 (22:00:48.424 PDT) 50848->53 (22:04:22.771 PDT) 52910->53 (22:07:13.782 PDT) 55409->53 (22:08:11.792 PDT) 33102->53 (22:08:38.127 PDT) 57028->53 (22:11:11.314 PDT) 59115->53 (22:13:59.220 PDT) 91.228.133.56 (22:08:12.101 PDT) event=1:2632222 {tcp} E4[dns] BHDNS 
SPYWARE-CONTACT: wagequtn.mattemon.info (malware), [/22/items/The_Liberation_of_Our_People_Angela_Davis_1969_2008/PHP5_FULL_HD.mov] MAC_Src: 00:21:5A:08:BB:0C 39206->80 (22:08:12.101 PDT) 192.168.1.20 (2) (21:55:13.814 PDT) event=224:1 (2) {udp} E4[dns] BHDNS SPYWARE-DNS: banner-count.com (trojan), [] MAC_Src: 00:21:5A:08:BB:0C 38847->53 (21:55:13.814 PDT) 59499->53 (21:56:35.887 PDT) OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 91.207.220.74 (22:07:05.793 PDT) event=1:9910009 {tcp} E8[rb] ET ShadowServer confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 38878->53 (22:07:05.793 PDT) 132.239.17.226 (21:58:41.421 PDT) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 2122->2122 (21:58:41.421 PDT) 128.163.142.20 (22:08:41.904 PDT) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 23127->23127 (22:08:41.904 PDT) 87.252.1.21 (22:12:28.575 PDT) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 54766->53 (22:12:28.575 PDT) 176.28.0.239 (21:56:36.298 PDT) event=1:9910009 {tcp} E8[rb] ET ShadowServer confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 42496->80 (21:56:36.298 PDT) 93.170.52.20 (22:02:27.076 PDT) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 39637->53 (22:02:27.076 PDT) tcpslice 1318740888.106 1318741984.651 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.100 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 10/15/2011 22:17:41.302 PDT Gen. 
Time: 10/15/2011 22:17:41.302 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 195.226.246.3 (22:17:41.302 PDT) event=1:9910009 {tcp} E8[rb] ET ShadowServer confirmed botnet control server, [] MAC_Src: 00:21:5A:08:BB:0C 48332->53 (22:17:41.302 PDT) tcpslice 1318742261.302 1318742261.303 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100' ============================== SEPARATOR ================================