Score: 1.9 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 88.198.53.104, 192.168.1.230 Egg Source List: C & C List: 200.147.1.41, 64.70.19.33, 64.94.137.53, 194.186.88.58, 83.170.72.109 (2), 88.198.53.104 (2), 91.209.163.202 (2), 67.208.74.71, 91.209.163.184, 192.168.1.230 (16), 176.28.0.239 Peer Coord. List: Resource List: Observed Start: 10/14/2011 22:08:25.415 PDT Gen. Time: 10/15/2011 00:16:33.396 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS 88.198.53.104 (2) (22:08:30.649 PDT) event=1:2632222 (2) {tcp} E2[dns] BHDNS SPYWARE-CONTACT: sourcegoogle.com (harmful), [] MAC_Dst: 00:21:1C:EE:14:00 41638->80 (22:08:30.649 PDT) 43290->53 (22:19:40.985 PDT) 192.168.1.230 (15) (22:08:42.087 PDT) event=224:1 (15) {udp} E2[dns] BHDNS SPYWARE-DNS: arhyv.ru (exploit), [] MAC_Dst: 00:21:1C:EE:14:00 36658->53 (22:08:42.087 PDT) 39174->53 (22:09:30.232 PDT) 49822->53 (22:10:15.670 PDT) 60449->53 (22:13:43.959 PDT) 44288->53 (22:13:44.504 PDT) 42423->53 (22:14:06.630 PDT) 40188->53 (22:17:43.834 PDT) 35632->53 (22:19:36.102 PDT) 52973->53 (22:21:06.707 PDT) 41956->53 (22:22:04.110 PDT) 38621->53 (22:23:02.771 PDT) 51725->53 (22:24:01.991 PDT) 56073->53 (22:26:50.019 PDT) 52794->53 (22:26:50.189 PDT) 52578->53 (22:27:37.036 PDT) EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) 200.147.1.41 (23:27:11.488 PDT) event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:EC:40 49945->80 (23:27:11.488 PDT) 64.70.19.33 (23:47:11.792 PDT) event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:EC:40 60328->53 (23:47:11.792 PDT) 64.94.137.53 (22:47:07.062 PDT) event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:EC:40 41807->53 (22:47:07.062 PDT) 194.186.88.58 (22:57:08.702 PDT) event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [/robots.txt] MAC_Src: 00:21:5A:08:EC:40 36952->80 (22:57:08.702 PDT) 83.170.72.109 (2) (22:27:06.122 PDT) event=1:3810007 (2) {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [/ip2geo/geo.php] MAC_Src: 00:21:5A:08:EC:40 39016->80 (22:27:06.122 PDT) 39454->53 (23:17:08.632 PDT) 88.198.53.104 (2) (22:37:06.629 PDT) event=1:3810007 (2) {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:EC:40 42757->80 (22:37:06.629 PDT) 55102->53 (00:07:35.137 PDT) 91.209.163.202 (2) (23:07:08.087 PDT) event=1:3810007 (2) {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:EC:40 57035->80 (23:07:08.087 PDT) 42898->80 (23:37:11.460 PDT) 67.208.74.71 (22:16:45.758 PDT) event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:EC:40 59031->80 (22:16:45.758 PDT) 91.209.163.184 (23:57:15.581 PDT) event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:EC:40 45695->53 (23:57:15.581 PDT) C and C DNS CHECK-IN 192.168.1.230 (16) (22:08:58.983 PDT) event=224:1 (16) {udp} E4[dns] BHDNS SPYWARE-DNS: wagequtn.mattemon.info (malware), [] MAC_Src: 00:21:5A:08:EC:40 37899->53 (22:08:58.983 PDT) 47033->53 (22:12:14.611 PDT) 58445->53 (22:14:48.121 PDT) 43496->53 (22:17:54.349 PDT) 53624->53 (22:18:13.685 PDT) 34146->53 (22:18:18.284 PDT) 38492->53 (22:19:45.507 PDT) 56461->53 (22:20:34.935 PDT) 48999->53 (22:21:47.430 PDT) 47149->53 (22:27:04.530 PDT) 41052->53 (22:29:37.690 PDT) 47331->53 (22:30:55.272 PDT) 53969->53 (22:31:36.744 PDT) 33451->53 (22:31:53.928 PDT) 38351->53 (22:32:26.519 PDT) 49775->53 (22:34:09.552 PDT) 176.28.0.239 (22:29:44.235 PDT) event=1:2632222 {tcp} E4[dns] BHDNS SPYWARE-CONTACT: livedieoslix.com (malware), [] MAC_Src: 00:21:5A:08:EC:40 54044->80 (22:29:44.235 PDT) OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 200.147.1.41 (22:15:05.260 PDT) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 58286->53 (22:15:05.260 PDT) 176.28.0.239 (22:29:44.235 PDT) event=1:9910009 {tcp} E8[rb] ET ShadowServer confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 54044->80 (22:29:44.235 PDT) 31.170.163.50 (22:51:05.473 PDT) event=1:9910009 {tcp} E8[rb] ET ShadowServer confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 49850->53 (22:51:05.473 PDT) 64.86.97.91 (22:25:06.331 PDT) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 58877->53 (22:25:06.331 PDT) 41.189.229.65 (23:01:07.430 PDT) event=1:9910009 {tcp} E8[rb] ET ShadowServer confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 47926->53 (23:01:07.430 PDT) 91.207.220.74 (22:18:58.813 PDT) event=1:9910009 {tcp} E8[rb] ET ShadowServer confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 44954->80 (22:18:58.813 PDT) 128.2.211.114 (2) (22:18:25.941 PDT-22:38:29.744 PDT) event=1:9910006 (2) {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 2: 56391->56391 (22:18:25.941 PDT-22:38:29.744 PDT) 93.170.52.30 (2) (22:35:06.402 PDT) event=1:9910005 (2) {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 37457->53 (22:45:10.787 PDT) 38633->53 (22:35:06.402 PDT) 130.149.49.136 (22:28:25.200 PDT) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 4878->4878 (22:28:25.200 PDT) 195.226.246.3 (23:05:12.270 PDT) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 49153->53 (23:05:12.270 PDT) 62.149.13.54 (22:39:58.659 PDT) event=1:9910009 {tcp} E8[rb] ET ShadowServer confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 35768->53 (22:39:58.659 PDT) 208.109.255.18 (22:55:11.211 PDT) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 56130->53 (22:55:11.211 PDT) 206.207.248.34 (22:48:29.205 PDT) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 23127->23127 (22:48:29.205 PDT) 128.163.142.20 (22:08:25.415 PDT) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 23127->23127 (22:08:25.415 PDT) 132.239.17.226 (22:58:31.082 PDT) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 2122->2122 (22:58:31.082 PDT) tcpslice 1318655305.415 1318657109.745 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 1.1 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 192.168.1.230 Egg Source List: C & C List: 91.209.163.202, 192.168.1.230 Peer Coord. List: Resource List: Observed Start: 10/15/2011 00:17:29.949 PDT Gen. Time: 10/15/2011 00:18:32.769 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS 192.168.1.230 (2) (00:17:29.949 PDT) event=224:1 (2) {udp} E2[dns] BHDNS SPYWARE-DNS: florianarray.ru (zeus), [] MAC_Dst: 00:21:1C:EE:14:00 45762->53 (00:17:29.949 PDT) 37060->53 (00:18:07.762 PDT) EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) 91.209.163.202 (00:17:38.204 PDT) event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:EC:40 54703->53 (00:17:38.204 PDT) C and C DNS CHECK-IN 192.168.1.230 (00:18:32.769 PDT) event=224:1 {udp} E4[dns] BHDNS SPYWARE-DNS: banner-count.com (trojan), [] MAC_Src: 00:21:5A:08:EC:40 34008->53 (00:18:32.769 PDT) OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT tcpslice 1318663049.949 1318663049.950 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 1.9 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 91.207.61.48, 192.168.1.230 Egg Source List: C & C List: 88.80.7.152, 91.209.163.202, 213.136.106.214, 200.147.1.41, 192.168.1.230 (14), 192.168.1.20 (3) Peer Coord. List: Resource List: Observed Start: 10/15/2011 00:17:29.949 PDT Gen. Time: 10/15/2011 00:41:51.978 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS 91.207.61.48 (2) (00:22:14.677 PDT) event=1:2632222 (2) {tcp} E2[dns] BHDNS SPYWARE-CONTACT: warwork.info (harmful), [] MAC_Dst: 00:21:1C:EE:14:00 43023->80 (00:22:14.677 PDT) 46710->80 (00:32:42.804 PDT) 192.168.1.230 (15) (00:17:29.949 PDT-00:23:27.437 PDT) event=224:1 (15) {udp} E2[dns] BHDNS SPYWARE-DNS: florianarray.ru (zeus), [] MAC_Dst: 00:21:1C:EE:14:00 41879->53 (00:30:01.273 PDT) 2: 59496->53 (00:23:21.459 PDT-00:23:27.437 PDT) 40354->53 (00:21:15.405 PDT) 54879->53 (00:21:28.684 PDT) 33730->53 (00:20:30.571 PDT) 42457->53 (00:30:46.868 PDT) 42487->53 (00:28:30.798 PDT) 45762->53 (00:17:29.949 PDT) 41801->53 (00:23:27.751 PDT) 51648->53 (00:21:09.735 PDT) 52624->53 (00:30:43.563 PDT) 37060->53 (00:18:07.762 PDT) 38154->53 (00:24:55.509 PDT) 43689->53 (00:30:39.425 PDT) EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) 88.80.7.152 (00:27:59.235 PDT) event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:EC:40 59035->80 (00:27:59.235 PDT) 91.209.163.202 (00:17:38.204 PDT) event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:EC:40 54703->53 (00:17:38.204 PDT) 213.136.106.214 (00:25:23.532 PDT) event=1:3810008 {udp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:EC:40 45661->53 (00:25:23.532 PDT) 200.147.1.41 (00:37:59.379 PDT) event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:EC:40 56548->80 (00:37:59.379 PDT) C and C DNS CHECK-IN 192.168.1.230 (14) (00:18:32.769 PDT) event=224:1 (14) {udp} E4[dns] BHDNS SPYWARE-DNS: banner-count.com (trojan), [] MAC_Src: 00:21:5A:08:EC:40 34008->53 (00:18:32.769 PDT) 36213->53 (00:20:01.424 PDT) 53296->53 (00:20:05.792 PDT) 47151->53 (00:20:07.433 PDT) 54092->53 (00:21:19.871 PDT) 60696->53 (00:23:12.674 PDT) 44595->53 (00:23:30.616 PDT) 45560->53 (00:26:08.105 PDT) 50726->53 (00:27:19.979 PDT) 46407->53 (00:28:10.038 PDT) 47837->53 (00:29:52.117 PDT) 48453->53 (00:30:26.012 PDT) 55091->53 (00:30:42.868 PDT) 37418->53 (00:33:45.275 PDT) 192.168.1.20 (3) (00:20:06.850 PDT) event=224:1 (3) {udp} E4[dns] BHDNS SPYWARE-DNS: mobile-files.com (trojan), [] MAC_Src: 00:21:5A:08:EC:40 36228->53 (00:20:06.850 PDT) 38455->53 (00:23:13.677 PDT) 33766->53 (00:23:16.877 PDT) OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 195.226.246.3 (00:25:47.469 PDT) event=1:9910009 {tcp} E8[rb] ET ShadowServer confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 34714->80 (00:25:47.469 PDT) 128.2.211.114 (00:38:34.173 PDT) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 56391->56391 (00:38:34.173 PDT) 91.207.61.48 (00:35:28.815 PDT) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 54829->53 (00:35:28.815 PDT) 128.227.11.13 (00:28:34.775 PDT) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 49302->4041 (00:28:34.775 PDT) 64.70.19.33 (00:25:28.894 PDT) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 36731->53 (00:25:28.894 PDT) 206.207.248.34 (00:18:34.028 PDT) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 2121->2121 (00:18:34.028 PDT) 31.170.163.70 (00:37:13.774 PDT) event=1:9910009 {tcp} E8[rb] ET ShadowServer confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 46109->80 (00:37:13.774 PDT) tcpslice 1318663049.949 1318663407.438 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 1.0 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 41.189.229.65, 192.168.1.230 Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 10/15/2011 00:42:15.122 PDT Gen. Time: 10/15/2011 00:45:29.707 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS 41.189.229.65 (00:43:14.492 PDT) event=1:2632222 {tcp} E2[dns] BHDNS SPYWARE-CONTACT: esperadooptic.ru (zeus), [] MAC_Dst: 00:21:1C:EE:14:00 54480->80 (00:43:14.492 PDT) 192.168.1.230 (4) (00:42:15.122 PDT) event=224:1 (4) {udp} E2[dns] BHDNS SPYWARE-DNS: sourcegoogle.com (harmful), [] MAC_Dst: 00:21:1C:EE:14:00 46403->53 (00:42:15.122 PDT) 55621->53 (00:42:25.270 PDT) 46001->53 (00:42:37.871 PDT) 35737->53 (00:43:07.938 PDT) EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 83.170.72.109 (00:45:29.707 PDT) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 35726->53 (00:45:29.707 PDT) tcpslice 1318664535.122 1318664535.123 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.9 (>= 0.8) Infected Target: 192.168.1.102 Infector List: Egg Source List: C & C List: 194.85.105.17, 192.168.1.230 (2) Peer Coord. List: Resource List: Observed Start: 10/15/2011 00:47:01.760 PDT Gen. Time: 10/15/2011 00:47:40.698 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) 194.85.105.17 (00:47:40.698 PDT) event=1:3810008 {udp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:EC:40 54892->53 (00:47:40.698 PDT) C and C DNS CHECK-IN 192.168.1.230 (2) (00:47:01.760 PDT) event=224:1 (2) {udp} E4[dns] BHDNS SPYWARE-DNS: wagequtn.mattemon.info (malware), [] MAC_Src: 00:21:5A:08:EC:40 60823->53 (00:47:01.760 PDT) 51460->53 (00:47:15.196 PDT) OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT tcpslice 1318664821.760 1318664821.761 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 1.9 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 192.168.1.230 Egg Source List: C & C List: 91.209.163.202, 194.85.105.17, 192.168.1.230 (6) Peer Coord. List: Resource List: Observed Start: 10/15/2011 00:47:01.760 PDT Gen. Time: 10/15/2011 00:53:46.165 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS 192.168.1.230 (2) (00:49:44.506 PDT) event=224:1 (2) {udp} E2[dns] BHDNS SPYWARE-DNS: warwork.info (harmful), [] MAC_Dst: 00:21:1C:EE:14:00 56523->53 (00:49:44.506 PDT) 35159->53 (00:50:01.960 PDT) EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) 91.209.163.202 (00:48:07.934 PDT) event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:EC:40 53941->80 (00:48:07.934 PDT) 194.85.105.17 (00:47:40.698 PDT) event=1:3810008 {udp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:EC:40 54892->53 (00:47:40.698 PDT) C and C DNS CHECK-IN 192.168.1.230 (6) (00:47:01.760 PDT) event=224:1 (6) {udp} E4[dns] BHDNS SPYWARE-DNS: wagequtn.mattemon.info (malware), [] MAC_Src: 00:21:5A:08:EC:40 60823->53 (00:47:01.760 PDT) 51460->53 (00:47:15.196 PDT) 57367->53 (00:50:10.570 PDT) 44985->53 (00:50:54.150 PDT) 32864->53 (00:51:47.136 PDT) 42586->53 (00:52:39.655 PDT) OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 195.226.246.3 (00:50:58.934 PDT) event=1:9910009 {tcp} E8[rb] ET ShadowServer confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 58532->80 (00:50:58.934 PDT) 206.207.248.34 (00:48:34.643 PDT) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 23127->23127 (00:48:34.643 PDT) tcpslice 1318664821.760 1318664821.761 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 1.0 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 91.207.61.48, 192.168.1.230 Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 10/15/2011 00:54:42.146 PDT Gen. Time: 10/15/2011 00:55:29.379 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS 91.207.61.48 (00:54:42.146 PDT) event=1:2632222 {tcp} E2[dns] BHDNS SPYWARE-CONTACT: warwork.info (harmful), [] MAC_Dst: 00:21:1C:EE:14:00 54392->80 (00:54:42.146 PDT) 192.168.1.230 (00:54:50.642 PDT) event=224:1 {udp} E2[dns] BHDNS SPYWARE-DNS: florianarray.ru (zeus), [] MAC_Dst: 00:21:1C:EE:14:00 54783->53 (00:54:50.642 PDT) EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 31.170.163.50 (00:55:29.379 PDT) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 45473->53 (00:55:29.379 PDT) tcpslice 1318665282.146 1318665282.147 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 1.5 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 91.207.61.48, 192.168.1.230 Egg Source List: C & C List: 192.168.1.230 Peer Coord. List: Resource List: Observed Start: 10/15/2011 00:54:42.146 PDT Gen. Time: 10/15/2011 00:57:03.016 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS 91.207.61.48 (00:54:42.146 PDT) event=1:2632222 {tcp} E2[dns] BHDNS SPYWARE-CONTACT: warwork.info (harmful), [] MAC_Dst: 00:21:1C:EE:14:00 54392->80 (00:54:42.146 PDT) 192.168.1.230 (2) (00:54:50.642 PDT) event=224:1 (2) {udp} E2[dns] BHDNS SPYWARE-DNS: florianarray.ru (zeus), [] MAC_Dst: 00:21:1C:EE:14:00 54783->53 (00:54:50.642 PDT) 60360->53 (00:55:44.415 PDT) EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN 192.168.1.230 (00:55:32.348 PDT) event=224:1 {udp} E4[dns] BHDNS SPYWARE-DNS: wagequtn.mattemon.info (malware), [] MAC_Src: 00:21:5A:08:EC:40 49749->53 (00:55:32.348 PDT) OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 31.170.163.50 (00:55:29.379 PDT) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 45473->53 (00:55:29.379 PDT) tcpslice 1318665282.146 1318665282.147 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.9 (>= 0.8) Infected Target: 192.168.1.102 Infector List: Egg Source List: C & C List: 200.147.33.19, 192.168.1.230 Peer Coord. List: Resource List: Observed Start: 10/15/2011 00:58:02.994 PDT Gen. Time: 10/15/2011 00:58:07.313 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) 200.147.33.19 (00:58:07.313 PDT) event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:EC:40 51604->80 (00:58:07.313 PDT) C and C DNS CHECK-IN 192.168.1.230 (00:58:02.994 PDT) event=224:1 {udp} E4[dns] BHDNS SPYWARE-DNS: banner-count.com (trojan), [] MAC_Src: 00:21:5A:08:EC:40 53051->53 (00:58:02.994 PDT) OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT tcpslice 1318665482.994 1318665482.995 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 1.9 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 91.207.61.48, 192.168.1.230, 192.168.1.20 Egg Source List: C & C List: 118.220.175.24, 88.80.7.152, 67.208.74.71, 67.55.67.250, 200.147.33.19, 194.85.105.17, 192.168.1.230 (17) Peer Coord. List: Resource List: Observed Start: 10/15/2011 00:58:02.994 PDT Gen. Time: 10/15/2011 01:45:14.489 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS 91.207.61.48 (01:04:51.950 PDT) event=1:2632222 {tcp} E2[dns] BHDNS SPYWARE-CONTACT: warwork.info (harmful), [] MAC_Dst: 00:21:1C:EE:14:00 33978->80 (01:04:51.950 PDT) 192.168.1.230 (13) (00:58:42.397 PDT-00:58:54.450 PDT) event=224:1 (13) {udp} E2[dns] BHDNS SPYWARE-DNS: arhyv.ru (exploit), [] MAC_Dst: 00:21:1C:EE:14:00 2: 44541->53 (00:58:42.397 PDT-00:58:54.450 PDT) 42125->53 (01:08:30.407 PDT) 49359->53 (00:59:27.724 PDT) 49766->53 (01:00:21.227 PDT) 34366->53 (01:08:27.511 PDT) 59843->53 (00:58:50.462 PDT) 45431->53 (01:10:38.517 PDT) 60780->53 (01:00:06.944 PDT) 54976->53 (01:11:16.932 PDT) 48957->53 (01:07:39.624 PDT) 37887->53 (01:08:29.988 PDT) 54977->53 (00:59:39.713 PDT) 192.168.1.20 (3) (01:07:44.985 PDT) event=224:1 (3) {udp} E2[dns] BHDNS SPYWARE-DNS: florianarray.ru (zeus), [] MAC_Dst: 00:21:1C:EE:14:00 39441->53 (01:07:44.985 PDT) 58023->53 (01:08:34.527 PDT) 48474->53 (01:08:31.407 PDT) EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) 118.220.175.24 (01:38:24.164 PDT) event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:EC:40 40422->80 (01:38:24.164 PDT) 88.80.7.152 (01:18:15.119 PDT) event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:EC:40 38420->53 (01:18:15.119 PDT) 67.208.74.71 (01:28:22.122 PDT) event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:EC:40 60057->53 (01:28:22.122 PDT) 67.55.67.250 (01:08:09.596 PDT) event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:EC:40 50793->80 (01:08:09.596 PDT) 200.147.33.19 (00:58:07.313 PDT) event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:EC:40 51604->80 (00:58:07.313 PDT) 194.85.105.17 (01:09:43.695 PDT) event=1:3810008 {udp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:EC:40 49356->33435 (01:09:43.695 PDT) C and C DNS CHECK-IN 192.168.1.230 (17) (00:58:02.994 PDT) event=224:1 (17) {udp} E4[dns] BHDNS SPYWARE-DNS: banner-count.com (trojan), [] MAC_Src: 00:21:5A:08:EC:40 53051->53 (00:58:02.994 PDT) 34604->53 (01:01:19.286 PDT) 55594->53 (01:01:26.601 PDT) 59545->53 (01:03:46.659 PDT) 42797->53 (01:04:00.124 PDT) 55102->53 (01:04:23.817 PDT) 52750->53 (01:05:32.834 PDT) 51358->53 (01:05:33.267 PDT) 34012->53 (01:05:37.370 PDT) 38411->53 (01:07:54.359 PDT) 54619->53 (01:12:43.496 PDT) 52858->53 (01:15:59.341 PDT) 50299->53 (01:16:14.216 PDT) 43635->53 (01:16:52.875 PDT) 39605->53 (01:17:20.351 PDT) 43917->53 (01:17:28.310 PDT) 56771->53 (01:19:13.615 PDT) OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 176.28.0.239 (01:01:29.699 PDT) event=1:9910009 {tcp} E8[rb] ET ShadowServer confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 59139->80 (01:01:29.699 PDT) 217.16.28.65 (01:22:08.525 PDT) event=1:9910009 {tcp} E8[rb] ET ShadowServer confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 48833->80 (01:22:08.525 PDT) 41.189.229.65 (01:11:51.431 PDT) event=1:9910009 {tcp} E8[rb] ET ShadowServer confirmed botnet control server, [/owl_beta/register?] MAC_Src: 00:21:5A:08:EC:40 42581->80 (01:11:51.431 PDT) 95.173.163.8 (01:41:51.465 PDT) event=1:9910025 {tcp} E8[rb] CLEAN-MX Webserver hosting Malicious URL, [] MAC_Src: 00:21:5A:08:EC:40 3124->40987 (01:41:51.465 PDT) 128.2.211.114 (01:18:35.941 PDT) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 56391->56391 (01:18:35.941 PDT) 93.170.52.30 (2) (01:15:33.007 PDT) event=1:9910005 (2) {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 48446->53 (01:15:33.007 PDT) 54025->53 (01:35:40.807 PDT) 130.149.49.136 (01:28:35.981 PDT) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 49301->49301 (01:28:35.981 PDT) 200.147.33.17 (01:25:33.972 PDT) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 56138->53 (01:25:33.972 PDT) 92.241.169.250 (01:42:25.209 PDT) event=1:9910009 {tcp} E8[rb] ET ShadowServer confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 47362->80 (01:42:25.209 PDT) 208.91.196.10 (01:32:08.040 PDT) event=1:9910009 {tcp} E8[rb] ET ShadowServer confirmed botnet control server, [/scan.php] MAC_Src: 00:21:5A:08:EC:40 44208->80 (01:32:08.040 PDT) 206.207.248.34 (00:58:35.798 PDT) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 23127->23127 (00:58:35.798 PDT) 128.163.142.20 (01:05:33.267 PDT) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 50558->3128 (01:05:33.267 PDT) 132.239.17.226 (2) (01:08:35.228 PDT) event=1:9910006 (2) {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 2121->2121 (01:08:35.228 PDT) 2122->2122 (01:38:35.018 PDT) tcpslice 1318665482.994 1318665534.451 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 1.0 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 192.168.1.230 Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 10/15/2011 01:45:36.602 PDT Gen. Time: 10/15/2011 01:45:41.252 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS 192.168.1.230 (01:45:36.602 PDT) event=224:1 {udp} E2[dns] BHDNS SPYWARE-DNS: activationcode.ru (harmful), [] MAC_Dst: 00:21:1C:EE:14:00 49404->53 (01:45:36.602 PDT) EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 87.252.1.21 (01:45:41.252 PDT) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 48774->53 (01:45:41.252 PDT) tcpslice 1318668336.602 1318668336.603 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 1.0 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 41.189.229.65, 192.168.1.230 Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 10/15/2011 01:46:33.212 PDT Gen. Time: 10/15/2011 01:48:37.622 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS 41.189.229.65 (01:47:46.011 PDT) event=1:2632222 {tcp} E2[dns] BHDNS SPYWARE-CONTACT: esperadooptic.ru (zeus), [] MAC_Dst: 00:21:1C:EE:14:00 38047->53 (01:47:46.011 PDT) 192.168.1.230 (2) (01:46:33.212 PDT) event=224:1 (2) {udp} E2[dns] BHDNS SPYWARE-DNS: florianarray.ru (zeus), [] MAC_Dst: 00:21:1C:EE:14:00 52905->53 (01:46:33.212 PDT) 33850->53 (01:47:38.957 PDT) EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 132.239.17.226 (01:48:37.622 PDT) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 2122->2122 (01:48:37.622 PDT) tcpslice 1318668393.212 1318668393.213 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 1.9 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 41.189.229.65, 192.168.1.230, 192.168.1.20 Egg Source List: C & C List: 83.170.72.109, 87.98.140.145, 192.168.1.230 (9), 93.170.52.20 Peer Coord. List: Resource List: Observed Start: 10/15/2011 01:46:33.212 PDT Gen. Time: 10/15/2011 02:00:41.856 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS 41.189.229.65 (01:47:46.011 PDT) event=1:2632222 {tcp} E2[dns] BHDNS SPYWARE-CONTACT: esperadooptic.ru (zeus), [] MAC_Dst: 00:21:1C:EE:14:00 38047->53 (01:47:46.011 PDT) 192.168.1.230 (9) (01:46:33.212 PDT) event=224:1 (9) {udp} E2[dns] BHDNS SPYWARE-DNS: florianarray.ru (zeus), [] MAC_Dst: 00:21:1C:EE:14:00 52905->53 (01:46:33.212 PDT) 33850->53 (01:47:38.957 PDT) 46622->53 (01:50:21.623 PDT) 50030->53 (01:50:24.579 PDT) 56633->53 (01:50:30.441 PDT) 40952->53 (01:50:56.482 PDT) 53877->53 (01:52:45.185 PDT) 54258->53 (01:55:07.881 PDT) 34485->53 (01:59:34.033 PDT) 192.168.1.20 (01:50:31.441 PDT) event=224:1 {udp} E2[dns] BHDNS SPYWARE-DNS: didid.nl (zeusc&c), [] MAC_Dst: 00:21:1C:EE:14:00 50567->53 (01:50:31.441 PDT) EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) 83.170.72.109 (01:49:26.832 PDT) event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:EC:40 49597->80 (01:49:26.832 PDT) 87.98.140.145 (01:59:28.853 PDT) event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:EC:40 59696->80 (01:59:28.853 PDT) C and C DNS CHECK-IN 192.168.1.230 (9) (01:49:38.351 PDT) event=224:1 (9) {udp} E4[dns] BHDNS SPYWARE-DNS: banner-count.com (trojan), [] MAC_Src: 00:21:5A:08:EC:40 43577->53 (01:49:38.351 PDT) 42460->53 (01:50:20.137 PDT) 60763->53 (01:54:47.996 PDT) 44951->53 (01:56:01.919 PDT) 46552->53 (01:57:00.713 PDT) 32917->53 (01:57:06.837 PDT) 42228->53 (01:59:18.013 PDT) 47526->53 (01:59:22.214 PDT) 47296->53 (01:59:40.578 PDT) 93.170.52.20 (01:57:49.257 PDT) event=1:2632222 {tcp} E4[dns] BHDNS SPYWARE-CONTACT: soudckrnkuzu.tk (malware), [] MAC_Src: 00:21:5A:08:EC:40 39157->80 (01:57:49.257 PDT) OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 208.87.35.100 (01:55:41.715 PDT) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 41130->53 (01:55:41.715 PDT) 132.239.17.226 (01:48:37.622 PDT) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 2122->2122 (01:48:37.622 PDT) 206.207.248.34 (01:58:39.203 PDT) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 23127->23127 (01:58:39.203 PDT) 95.173.163.8 (01:54:26.843 PDT) event=1:9910025 {tcp} E8[rb] CLEAN-MX Webserver hosting Malicious URL, [] MAC_Src: 00:21:5A:08:EC:40 3124->42102 (01:54:26.843 PDT) 8.5.1.44 (01:54:17.554 PDT) event=1:9910009 {tcp} E8[rb] ET ShadowServer confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 56975->53 (01:54:17.554 PDT) tcpslice 1318668393.212 1318668393.213 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 1.5 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 192.168.1.230, 192.168.1.20 Egg Source List: C & C List: 192.168.1.230 Peer Coord. List: Resource List: Observed Start: 10/15/2011 02:00:53.982 PDT Gen. Time: 10/15/2011 02:04:20.821 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS 192.168.1.230 (8) (02:00:53.982 PDT-02:04:04.659 PDT) event=224:1 (8) {udp} E2[dns] BHDNS SPYWARE-DNS: arhyv.ru (exploit), [] MAC_Dst: 00:21:1C:EE:14:00 50027->53 (02:04:10.584 PDT) 57952->53 (02:03:34.528 PDT) 56525->53 (02:04:09.006 PDT) 44414->53 (02:01:04.291 PDT) 41178->53 (02:04:19.986 PDT) 57802->53 (02:00:53.982 PDT) 2: 54989->53 (02:03:58.507 PDT-02:04:04.659 PDT) 192.168.1.20 (5) (02:03:53.475 PDT-02:04:17.695 PDT) event=224:1 (5) {udp} E2[dns] BHDNS SPYWARE-DNS: arhyv.ru (exploit), [] MAC_Dst: 00:21:1C:EE:14:00 2: 58841->53 (02:03:53.475 PDT-02:03:59.473 PDT) 3: 33849->53 (02:04:05.581 PDT-02:04:17.695 PDT) EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN 192.168.1.230 (02:02:38.002 PDT) event=224:1 {udp} E4[dns] BHDNS SPYWARE-DNS: centsubsgesqua.hopto.org (malware), [] MAC_Src: 00:21:5A:08:EC:40 44592->53 (02:02:38.002 PDT) OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 60.19.30.131 (02:04:20.821 PDT) event=1:9910009 {tcp} E8[rb] ET ShadowServer confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 45183->53 (02:04:20.821 PDT) tcpslice 1318669253.982 1318669457.696 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 1.5 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 192.168.1.230, 192.168.1.20 Egg Source List: C & C List: 192.168.1.230 Peer Coord. List: Resource List: Observed Start: 10/15/2011 02:00:53.982 PDT Gen. Time: 10/15/2011 02:07:57.035 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS 192.168.1.230 (12) (02:00:53.982 PDT-02:04:46.716 PDT) event=224:1 (12) {udp} E2[dns] BHDNS SPYWARE-DNS: arhyv.ru (exploit), [] MAC_Dst: 00:21:1C:EE:14:00 50027->53 (02:04:10.584 PDT) 57952->53 (02:03:34.528 PDT) 56525->53 (02:04:09.006 PDT) 44414->53 (02:01:04.291 PDT) 50268->53 (02:04:34.627 PDT) 41178->53 (02:04:19.986 PDT) 3: 50095->53 (02:04:34.763 PDT-02:04:46.716 PDT) 57802->53 (02:00:53.982 PDT) 2: 54989->53 (02:03:58.507 PDT-02:04:04.659 PDT) 192.168.1.20 (9) (02:03:53.475 PDT-02:04:47.750 PDT) event=224:1 (9) {udp} E2[dns] BHDNS SPYWARE-DNS: arhyv.ru (exploit), [] MAC_Dst: 00:21:1C:EE:14:00 2: 42818->53 (02:04:41.750 PDT-02:04:47.750 PDT) 2: 58841->53 (02:03:53.475 PDT-02:03:59.473 PDT) 2: 43506->53 (02:04:23.630 PDT-02:04:29.626 PDT) 3: 33849->53 (02:04:05.581 PDT-02:04:17.695 PDT) EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN 192.168.1.230 (02:02:38.002 PDT) event=224:1 {udp} E4[dns] BHDNS SPYWARE-DNS: centsubsgesqua.hopto.org (malware), [] MAC_Src: 00:21:5A:08:EC:40 44592->53 (02:02:38.002 PDT) OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 195.226.246.3 (02:05:42.028 PDT) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 52353->53 (02:05:42.028 PDT) 60.19.30.131 (02:04:20.821 PDT) event=1:9910009 {tcp} E8[rb] ET ShadowServer confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 45183->53 (02:04:20.821 PDT) tcpslice 1318669253.982 1318669487.751 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 10/15/2011 02:08:39.763 PDT Gen. Time: 10/15/2011 02:08:39.763 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 130.104.72.201 (02:08:39.763 PDT) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 56391->56391 (02:08:39.763 PDT) tcpslice 1318669719.763 1318669719.764 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 1.9 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 192.168.1.230 Egg Source List: C & C List: 86.109.114.31, 192.168.1.230 (7), 91.228.133.56 Peer Coord. List: Resource List: Observed Start: 10/15/2011 02:08:39.763 PDT Gen. Time: 10/15/2011 02:16:44.287 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS 192.168.1.230 (5) (02:10:55.652 PDT) event=224:1 (5) {udp} E2[dns] BHDNS SPYWARE-DNS: porntubebiz.org (fake_codec), [] MAC_Dst: 00:21:1C:EE:14:00 49475->53 (02:10:55.652 PDT) 46517->53 (02:11:16.007 PDT) 35850->53 (02:12:56.779 PDT) 51828->53 (02:13:37.181 PDT) 56143->53 (02:13:59.301 PDT) EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) 86.109.114.31 (02:09:28.801 PDT) event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:EC:40 50679->53 (02:09:28.801 PDT) C and C DNS CHECK-IN 192.168.1.230 (7) (02:08:48.252 PDT) event=224:1 (7) {udp} E4[dns] BHDNS SPYWARE-DNS: wagequtn.mattemon.info (malware), [] MAC_Src: 00:21:5A:08:EC:40 32963->53 (02:08:48.252 PDT) 37205->53 (02:08:50.649 PDT) 34435->53 (02:09:10.421 PDT) 34584->53 (02:09:40.452 PDT) 44378->53 (02:10:05.829 PDT) 38053->53 (02:11:07.344 PDT) 53387->53 (02:13:24.325 PDT) 91.228.133.56 (02:08:48.585 PDT) event=1:2632222 {tcp} E4[dns] BHDNS SPYWARE-CONTACT: wagequtn.mattemon.info (malware), [/popups/binaries/06-14-2011/a676ff29c5ea105bb2ca1a19034dd1d5.html] MAC_Src: 00:21:5A:08:EC:40 46043->80 (02:08:48.585 PDT) OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 195.226.246.3 (2) (02:15:44.709 PDT) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 50682->53 (02:15:44.709 PDT) ------------------------- event=1:9910009 {tcp} E8[rb] ET ShadowServer confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 43069->80 (02:15:44.709 PDT) 95.173.163.8 (02:11:06.350 PDT) event=1:9910025 {tcp} E8[rb] CLEAN-MX Webserver hosting Malicious URL, [] MAC_Src: 00:21:5A:08:EC:40 3124->53718 (02:11:06.350 PDT) 130.104.72.201 (02:08:39.763 PDT) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 56391->56391 (02:08:39.763 PDT) tcpslice 1318669719.763 1318669719.764 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 1.5 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 192.168.1.230 Egg Source List: C & C List: 192.168.1.230 (2) Peer Coord. List: Resource List: Observed Start: 10/15/2011 02:17:02.200 PDT Gen. Time: 10/15/2011 02:18:39.486 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS 192.168.1.230 (2) (02:17:23.308 PDT) event=224:1 (2) {udp} E2[dns] BHDNS SPYWARE-DNS: simulatormage.ru (zeus), [] MAC_Dst: 00:21:1C:EE:14:00 48121->53 (02:17:23.308 PDT) 41081->53 (02:17:33.868 PDT) EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN 192.168.1.230 (2) (02:17:02.200 PDT) event=224:1 (2) {udp} E4[dns] BHDNS SPYWARE-DNS: centsubsgesqua.hopto.org (malware), [] MAC_Src: 00:21:5A:08:EC:40 42355->53 (02:17:02.200 PDT) 50642->53 (02:18:11.733 PDT) OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 138.238.250.155 (02:18:39.486 PDT) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 4121->4121 (02:18:39.486 PDT) tcpslice 1318670222.200 1318670222.201 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 1.9 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 88.198.53.104, 192.168.1.230, 60.19.30.131 Egg Source List: C & C List: 91.209.163.182, 200.147.1.41, 192.168.1.230 (15), 192.168.1.20 Peer Coord. List: Resource List: Observed Start: 10/15/2011 02:17:02.200 PDT Gen. Time: 10/15/2011 02:35:01.764 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS 88.198.53.104 (02:18:56.128 PDT) event=1:2632222 {tcp} E2[dns] BHDNS SPYWARE-CONTACT: sourcegoogle.com (harmful), [] MAC_Dst: 00:21:1C:EE:14:00 52220->80 (02:18:56.128 PDT) 192.168.1.230 (14) (02:17:23.308 PDT-02:32:10.014 PDT) event=224:1 (14) {udp} E2[dns] BHDNS SPYWARE-DNS: toolbarqueries-google.com (harmful), [] MAC_Dst: 00:21:1C:EE:14:00 40611->53 (02:24:51.815 PDT) 58732->53 (02:29:41.815 PDT) 40277->53 (02:19:28.954 PDT) 2: 56369->53 (02:32:04.200 PDT-02:32:10.014 PDT) 50913->53 (02:32:10.358 PDT) 44240->53 (02:30:46.202 PDT) 38726->53 (02:30:51.447 PDT) 50098->53 (02:32:00.830 PDT) 51118->53 (02:26:43.337 PDT) 33296->53 (02:21:41.202 PDT) 41081->53 (02:17:33.868 PDT) 48121->53 (02:17:23.308 PDT) 57270->53 (02:28:48.205 PDT) 60.19.30.131 (02:28:57.338 PDT) event=1:2632222 {tcp} E2[dns] BHDNS SPYWARE-CONTACT: esperadooptic.ru (zeus), [] MAC_Dst: 00:21:1C:EE:14:00 58568->80 (02:28:57.338 PDT) EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) 91.209.163.182 (02:19:29.252 PDT) event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:EC:40 53960->80 (02:19:29.252 PDT) 200.147.1.41 (02:29:31.056 PDT) event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:EC:40 53973->53 (02:29:31.056 PDT) C and C DNS CHECK-IN 192.168.1.230 (15) (02:17:02.200 PDT-02:27:22.424 PDT) event=224:1 (15) {udp} E4[dns] BHDNS SPYWARE-DNS: livedieoslix.com (malware), [] MAC_Src: 00:21:5A:08:EC:40 50642->53 (02:18:11.733 PDT) 2: 57616->53 (02:27:16.406 PDT-02:27:22.424 PDT) 50461->53 (02:22:25.309 PDT) 46341->53 (02:23:38.069 PDT) 40346->53 (02:25:34.180 PDT) 49260->53 (02:28:57.511 PDT) 45339->53 (02:29:47.200 PDT) 49607->53 (02:24:59.653 PDT) 42355->53 (02:17:02.200 PDT) 44652->53 (02:30:31.946 PDT) 36425->53 (02:31:29.123 PDT) 51707->53 (02:25:49.055 PDT) 58877->53 (02:19:06.788 PDT) 50886->53 (02:24:34.772 PDT) 192.168.1.20 (02:27:17.437 PDT) event=224:1 {udp} E4[dns] BHDNS SPYWARE-DNS: wagequtn.mattemon.info (malware), [] MAC_Src: 00:21:5A:08:EC:40 33166->53 (02:27:17.437 PDT) OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 134.34.246.5 (02:28:39.785 PDT) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 49301->49301 (02:28:39.785 PDT) 216.8.179.25 (02:25:57.056 PDT) event=1:9910009 {tcp} E8[rb] ET ShadowServer confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 48290->80 (02:25:57.056 PDT) 138.238.250.155 (02:18:39.486 PDT) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 4121->4121 (02:18:39.486 PDT) 87.252.1.21 (02:25:45.425 PDT) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 55364->53 (02:25:45.425 PDT) tcpslice 1318670222.200 1318671130.015 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 10/15/2011 02:35:47.201 PDT Gen. Time: 10/15/2011 02:35:47.201 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 93.170.52.20 (02:35:47.201 PDT) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 41033->53 (02:35:47.201 PDT) tcpslice 1318671347.201 1318671347.202 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 2.4 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 192.168.1.230, 91.228.132.34 Egg Source List: 128.208.3.180 C & C List: 58.22.242.63, 192.168.1.230 (6) Peer Coord. List: Resource List: Observed Start: 10/15/2011 02:35:47.201 PDT Gen. Time: 10/15/2011 02:45:51.269 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS 192.168.1.230 (4) (02:40:22.351 PDT) event=224:1 (4) {udp} E2[dns] BHDNS SPYWARE-DNS: stephanos.ru (exploit), [] MAC_Dst: 00:21:1C:EE:14:00 40666->53 (02:40:22.351 PDT) 55824->53 (02:40:24.590 PDT) 39404->53 (02:42:37.707 PDT) 38751->53 (02:43:22.080 PDT) 91.228.132.34 (02:39:51.036 PDT) event=1:2632222 {tcp} E2[dns] BHDNS SPYWARE-CONTACT: activationcode.ru (harmful), [] MAC_Dst: 00:21:1C:EE:14:00 41516->53 (02:39:51.036 PDT) EGG DOWNLOAD 128.208.3.180 (2) (02:39:28.583 PDT) event=1:2000419 {tcp} E3[rb] ET POLICY PE EXE or DLL Windows file download, [] MAC_Src: 00:21:1C:EE:14:00 47142<-45902 (02:39:28.583 PDT) ------------------------- event=1:3300007 {tcp} E3[rb] BotHunter Malware Windows executable (PE) sent from remote host, [] MAC_Src: 00:21:1C:EE:14:00 47142<-45902 (02:39:28.583 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) 58.22.242.63 (02:39:32.974 PDT) event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:EC:40 49126->80 (02:39:32.974 PDT) C and C DNS CHECK-IN 192.168.1.230 (6) (02:35:56.920 PDT) event=224:1 (6) {udp} E4[dns] BHDNS SPYWARE-DNS: soudckrnkuzu.tk (malware), [] MAC_Src: 00:21:5A:08:EC:40 48471->53 (02:35:56.920 PDT) 50685->53 (02:36:59.957 PDT) 36500->53 (02:37:25.913 PDT) 34667->53 (02:40:19.527 PDT) 52200->53 (02:40:21.871 PDT) 50596->53 (02:40:30.720 PDT) OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 123.108.111.67 (02:45:51.269 PDT) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 55160->53 (02:45:51.269 PDT) 208.91.196.10 (02:37:48.034 PDT) event=1:9910009 {tcp} E8[rb] ET ShadowServer confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 59715->53 (02:37:48.034 PDT) 128.2.211.114 (02:38:39.298 PDT) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 49301->49301 (02:38:39.298 PDT) 93.170.52.20 (02:35:47.201 PDT) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 41033->53 (02:35:47.201 PDT) tcpslice 1318671347.201 1318671347.202 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 1.5 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 192.168.1.230 Egg Source List: C & C List: 192.168.1.230 (3) Peer Coord. List: Resource List: Observed Start: 10/15/2011 02:46:16.063 PDT Gen. Time: 10/15/2011 02:48:41.228 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS 192.168.1.230 (2) (02:48:34.051 PDT) event=224:1 (2) {udp} E2[dns] BHDNS SPYWARE-DNS: porntubebiz.org (fake_codec), [] MAC_Dst: 00:21:1C:EE:14:00 32815->53 (02:48:34.051 PDT) 35907->53 (02:48:36.062 PDT) EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN 192.168.1.230 (3) (02:46:16.063 PDT) event=224:1 (3) {udp} E4[dns] BHDNS SPYWARE-DNS: centsubsgesqua.hopto.org (malware), [] MAC_Src: 00:21:5A:08:EC:40 58240->53 (02:46:16.063 PDT) 60055->53 (02:47:01.455 PDT) 55978->53 (02:47:58.981 PDT) OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 130.104.72.201 (02:48:41.228 PDT) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 56391->56391 (02:48:41.228 PDT) tcpslice 1318671976.063 1318671976.064 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 1.9 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 192.168.1.230 Egg Source List: C & C List: 64.70.19.33, 192.168.1.230 (3) Peer Coord. List: Resource List: Observed Start: 10/15/2011 02:46:16.063 PDT Gen. Time: 10/15/2011 02:49:35.210 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS 192.168.1.230 (2) (02:48:34.051 PDT) event=224:1 (2) {udp} E2[dns] BHDNS SPYWARE-DNS: porntubebiz.org (fake_codec), [] MAC_Dst: 00:21:1C:EE:14:00 32815->53 (02:48:34.051 PDT) 35907->53 (02:48:36.062 PDT) EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) 64.70.19.33 (02:49:35.097 PDT) event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:EC:40 38466->53 (02:49:35.097 PDT) C and C DNS CHECK-IN 192.168.1.230 (3) (02:46:16.063 PDT) event=224:1 (3) {udp} E4[dns] BHDNS SPYWARE-DNS: centsubsgesqua.hopto.org (malware), [] MAC_Src: 00:21:5A:08:EC:40 58240->53 (02:46:16.063 PDT) 60055->53 (02:47:01.455 PDT) 55978->53 (02:47:58.981 PDT) OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 212.44.109.181 (02:49:29.683 PDT) event=1:9910009 {tcp} E8[rb] ET ShadowServer confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 39242->80 (02:49:29.683 PDT) 130.104.72.201 (02:48:41.228 PDT) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 56391->56391 (02:48:41.228 PDT) tcpslice 1318671976.063 1318671976.064 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 1.2 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 88.198.53.104 Egg Source List: 195.251.248.180 C & C List: 192.168.1.230 (3) Peer Coord. List: Resource List: Observed Start: 10/15/2011 02:49:41.133 PDT Gen. Time: 10/15/2011 02:51:35.282 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS 88.198.53.104 (02:50:42.495 PDT) event=1:2632222 {tcp} E2[dns] BHDNS SPYWARE-CONTACT: sourcegoogle.com (harmful), [] MAC_Dst: 00:21:1C:EE:14:00 48630->80 (02:50:42.495 PDT) EGG DOWNLOAD 195.251.248.180 (02:51:35.282 PDT) event=1:2000419 {tcp} E3[rb] ET POLICY PE EXE or DLL Windows file download, [] MAC_Src: 00:21:1C:EE:14:00 55031<-39763 (02:51:35.282 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN 192.168.1.230 (3) (02:49:41.133 PDT) event=224:1 (3) {udp} E4[dns] BHDNS SPYWARE-DNS: soudckrnkuzu.tk (malware), [] MAC_Src: 00:21:5A:08:EC:40 57816->53 (02:49:41.133 PDT) 54164->53 (02:50:49.373 PDT) 41827->53 (02:50:59.858 PDT) OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT tcpslice 1318672181.133 1318672181.134 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 1.2 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 88.198.53.104, 192.168.1.230 Egg Source List: 192.42.83.253, 138.246.99.249, 195.251.248.180 C & C List: 192.168.1.230 (3) Peer Coord. List: Resource List: Observed Start: 10/15/2011 02:49:41.133 PDT Gen. Time: 10/15/2011 02:53:04.063 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS 88.198.53.104 (02:50:42.495 PDT) event=1:2632222 {tcp} E2[dns] BHDNS SPYWARE-CONTACT: sourcegoogle.com (harmful), [] MAC_Dst: 00:21:1C:EE:14:00 48630->80 (02:50:42.495 PDT) 192.168.1.230 (02:52:28.515 PDT) event=224:1 {udp} E2[dns] BHDNS SPYWARE-DNS: gooqlepics.com (exploit), [] MAC_Dst: 00:21:1C:EE:14:00 51153->53 (02:52:28.515 PDT) EGG DOWNLOAD 192.42.83.253 (2) (02:51:38.036 PDT) event=1:2000419 {tcp} E3[rb] ET POLICY PE EXE or DLL Windows file download, [] MAC_Src: 00:21:1C:EE:14:00 35375<-52851 (02:51:38.036 PDT) ------------------------- event=1:3300007 {tcp} E3[rb] BotHunter Malware Windows executable (PE) sent from remote host, [] MAC_Src: 00:21:1C:EE:14:00 35375<-52851 (02:51:38.036 PDT) 138.246.99.249 (2) (02:51:36.422 PDT) event=1:2000419 {tcp} E3[rb] ET POLICY PE EXE or DLL Windows file download, [] MAC_Src: 00:21:1C:EE:14:00 45948<-33377 (02:51:36.422 PDT) ------------------------- event=1:3300007 {tcp} E3[rb] BotHunter Malware Windows executable (PE) sent from remote host, [] MAC_Src: 00:21:1C:EE:14:00 45948<-33377 (02:51:36.422 PDT) 195.251.248.180 (2) (02:51:35.282 PDT) event=1:2000419 {tcp} E3[rb] ET POLICY PE EXE or DLL Windows file download, [] MAC_Src: 00:21:1C:EE:14:00 55031<-39763 (02:51:35.282 PDT) ------------------------- event=1:3300007 {tcp} E3[rb] BotHunter Malware Windows executable (PE) sent from remote host, [] MAC_Src: 00:21:1C:EE:14:00 55031<-39763 (02:51:35.282 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN 192.168.1.230 (3) (02:49:41.133 PDT) event=224:1 (3) {udp} E4[dns] BHDNS SPYWARE-DNS: soudckrnkuzu.tk (malware), [] MAC_Src: 00:21:5A:08:EC:40 57816->53 (02:49:41.133 PDT) 54164->53 (02:50:49.373 PDT) 41827->53 (02:50:59.858 PDT) OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT tcpslice 1318672181.133 1318672181.134 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 1.5 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 192.168.1.230 Egg Source List: C & C List: 192.168.1.230 Peer Coord. List: Resource List: Observed Start: 10/15/2011 02:53:35.333 PDT Gen. Time: 10/15/2011 02:55:52.709 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS 192.168.1.230 (2) (02:53:35.333 PDT) event=224:1 (2) {udp} E2[dns] BHDNS SPYWARE-DNS: warwork.info (harmful), [] MAC_Dst: 00:21:1C:EE:14:00 54830->53 (02:53:35.333 PDT) 36668->53 (02:53:39.479 PDT) EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN 192.168.1.230 (02:55:32.327 PDT) event=224:1 {udp} E4[dns] BHDNS SPYWARE-DNS: igenorri.hopto.org (malware), [] MAC_Src: 00:21:5A:08:EC:40 42556->53 (02:55:32.327 PDT) OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 123.108.111.67 (02:55:52.709 PDT) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 57084->53 (02:55:52.709 PDT) tcpslice 1318672415.333 1318672415.334 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 2.4 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 91.207.61.48, 192.168.1.230 Egg Source List: 192.42.83.253, 206.12.16.155 C & C List: 222.236.44.135, 192.168.1.230 (7) Peer Coord. List: Resource List: Observed Start: 10/15/2011 02:53:35.333 PDT Gen. Time: 10/15/2011 03:07:31.674 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS 91.207.61.48 (03:00:44.325 PDT) event=1:2632222 {tcp} E2[dns] BHDNS SPYWARE-CONTACT: warwork.info (harmful), [F%E6%E4%D8%19%FDsQ%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01] MAC_Dst: 00:21:1C:EE:14:00 59340->80 (03:00:44.325 PDT) 192.168.1.230 (8) (02:53:35.333 PDT) event=224:1 (8) {udp} E2[dns] BHDNS SPYWARE-DNS: warwork.info (harmful), [] MAC_Dst: 00:21:1C:EE:14:00 54830->53 (02:53:35.333 PDT) 36668->53 (02:53:39.479 PDT) 43679->53 (02:57:50.349 PDT) 34215->53 (02:57:56.615 PDT) 40937->53 (02:58:17.034 PDT) 38672->53 (03:03:32.336 PDT) 38562->53 (03:06:20.174 PDT) 37943->53 (03:06:23.873 PDT) EGG DOWNLOAD 192.42.83.253 (2) (02:58:41.572 PDT) event=1:2000419 {tcp} E3[rb] ET POLICY PE EXE or DLL Windows file download, [] MAC_Src: 00:21:1C:EE:14:00 57441<-29220 (02:58:41.572 PDT) ------------------------- event=1:3300007 {tcp} E3[rb] BotHunter Malware Windows executable (PE) sent from remote host, [] MAC_Src: 00:21:1C:EE:14:00 57441<-29220 (02:58:41.572 PDT) 206.12.16.155 (2) (03:04:25.939 PDT) event=1:2000419 {tcp} E3[rb] ET POLICY PE EXE or DLL Windows file download, [] MAC_Src: 00:21:1C:EE:14:00 40930<-55168 (03:04:25.939 PDT) ------------------------- event=1:3300007 {tcp} E3[rb] BotHunter Malware Windows executable (PE) sent from remote host, [] MAC_Src: 00:21:1C:EE:14:00 40930<-55168 (03:04:25.939 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) 222.236.44.135 (02:59:37.276 PDT) event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:EC:40 55866->53 (02:59:37.276 PDT) C and C DNS CHECK-IN 192.168.1.230 (7) (02:55:32.327 PDT) event=224:1 (7) {udp} E4[dns] BHDNS SPYWARE-DNS: igenorri.hopto.org (malware), [] MAC_Src: 00:21:5A:08:EC:40 42556->53 (02:55:32.327 PDT) 59548->53 (02:56:49.820 PDT) 48319->53 (02:57:40.546 PDT) 53424->53 (03:00:38.884 PDT) 55968->53 (03:02:40.758 PDT) 38674->53 (03:03:59.607 PDT) 51627->53 (03:05:39.857 PDT) OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 195.226.246.3 (03:01:35.164 PDT) event=1:9910009 {tcp} E8[rb] ET ShadowServer confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 46722->53 (03:01:35.164 PDT) 123.108.111.67 (02:55:52.709 PDT) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 57084->53 (02:55:52.709 PDT) 128.2.211.114 (02:58:41.081 PDT) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 56391->56391 (02:58:41.081 PDT) 64.70.19.33 (03:05:52.045 PDT) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 44078->53 (03:05:52.045 PDT) tcpslice 1318672415.333 1318672415.334 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 1.0 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 192.168.1.230 Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 10/15/2011 03:08:31.347 PDT Gen. Time: 10/15/2011 03:08:42.735 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS 192.168.1.230 (03:08:31.347 PDT) event=224:1 {udp} E2[dns] BHDNS SPYWARE-DNS: sourcegoogle.com (harmful), [] MAC_Dst: 00:21:1C:EE:14:00 60247->53 (03:08:31.347 PDT) EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 128.163.142.20 (03:08:42.735 PDT) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 2121->2121 (03:08:42.735 PDT) tcpslice 1318673311.347 1318673311.348 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 2.4 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 91.207.61.48, 192.168.1.230, 82.210.157.9 Egg Source List: 129.15.78.31, 192.33.90.195, 129.15.78.30, 128.220.251.52, 72.36.112.79, 199.26.254.70, 148.81.140.193, 204.8.155.226, 132.239.17.226 C & C List: 88.198.53.104 (2), 91.209.163.202, 88.86.113.143, 83.170.72.109, 88.81.249.200, 87.252.1.21, 200.147.1.41, 192.168.1.230 (17) Peer Coord. List: Resource List: Observed Start: 10/15/2011 03:08:31.347 PDT Gen. Time: 10/15/2011 04:25:09.829 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS 91.207.61.48 (2) (03:21:04.800 PDT) event=1:2632222 (2) {tcp} E2[dns] BHDNS SPYWARE-CONTACT: warwork.info (harmful), [/ipInfo/IPRep.php?IP=74.125.157.147&SPEED=fast&FORMAT=csv] MAC_Dst: 00:21:1C:EE:14:00 46397->80 (03:21:04.800 PDT) 45024->53 (03:31:06.985 PDT) 192.168.1.230 (14) (03:08:31.347 PDT) event=224:1 (14) {udp} E2[dns] BHDNS SPYWARE-DNS: sourcegoogle.com (harmful), [] MAC_Dst: 00:21:1C:EE:14:00 60247->53 (03:08:31.347 PDT) 34071->53 (03:09:12.321 PDT) 60278->53 (03:10:41.318 PDT) 52244->53 (03:10:47.072 PDT) 57570->53 (03:13:33.693 PDT) 50735->53 (03:19:16.585 PDT) 53260->53 (03:21:54.660 PDT) 47179->53 (03:23:09.862 PDT) 42239->53 (03:23:16.777 PDT) 42383->53 (03:23:29.312 PDT) 41361->53 (03:24:01.514 PDT) 59558->53 (03:24:29.421 PDT) 34116->53 (03:26:32.249 PDT) 49676->53 (03:26:44.696 PDT) 82.210.157.9 (03:10:47.381 PDT) event=1:2632222 {tcp} E2[dns] BHDNS SPYWARE-CONTACT: florianarray.ru (zeus), [%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01] MAC_Dst: 00:21:1C:EE:14:00 41489->80 (03:10:47.381 PDT) EGG DOWNLOAD 129.15.78.31 (2) (03:26:50.897 PDT) event=1:2000419 {tcp} E3[rb] ET POLICY PE EXE or DLL Windows file download, [] MAC_Src: 00:21:1C:EE:14:00 51151<-44367 (03:26:50.897 PDT) ------------------------- event=1:3300007 {tcp} E3[rb] BotHunter Malware Windows executable (PE) sent from remote host, [] MAC_Src: 00:21:1C:EE:14:00 51151<-44367 (03:26:50.897 PDT) 192.33.90.195 (2) (03:59:18.371 PDT) event=1:2000419 {tcp} E3[rb] ET POLICY PE EXE or DLL Windows file download, [] MAC_Src: 00:21:1C:EE:14:00 49554<-10073 (03:59:18.371 PDT) ------------------------- event=1:3300007 {tcp} E3[rb] BotHunter Malware Windows executable (PE) sent from remote host, [] MAC_Src: 00:21:1C:EE:14:00 49554<-10073 (03:59:18.371 PDT) 129.15.78.30 (2) (03:53:22.658 PDT) event=1:2000419 {tcp} E3[rb] ET POLICY PE EXE or DLL Windows file download, [] MAC_Src: 00:21:1C:EE:14:00 38767<-12998 (03:53:22.658 PDT) ------------------------- event=1:3300007 {tcp} E3[rb] BotHunter Malware Windows executable (PE) sent from remote host, [] MAC_Src: 00:21:1C:EE:14:00 38767<-12998 (03:53:22.658 PDT) 128.220.251.52 (2) (03:53:24.186 PDT) event=1:2000419 {tcp} E3[rb] ET POLICY PE EXE or DLL Windows file download, [] MAC_Src: 00:21:1C:EE:14:00 48601<-56323 (03:53:24.186 PDT) ------------------------- event=1:3300007 {tcp} E3[rb] BotHunter Malware Windows executable (PE) sent from remote host, [] MAC_Src: 00:21:1C:EE:14:00 48601<-56323 (03:53:24.186 PDT) 72.36.112.79 (04:12:58.572 PDT) event=1:2000419 {tcp} E3[rb] ET POLICY PE EXE or DLL Windows file download, [] MAC_Src: 00:21:1C:EE:14:00 34231<-26340 (04:12:58.572 PDT) 199.26.254.70 (2) (03:34:15.561 PDT) event=1:2000419 {tcp} E3[rb] ET POLICY PE EXE or DLL Windows file download, [] MAC_Src: 00:21:1C:EE:14:00 36261<-19586 (03:34:15.561 PDT) ------------------------- event=1:3300007 {tcp} E3[rb] BotHunter Malware Windows executable (PE) sent from remote host, [] MAC_Src: 00:21:1C:EE:14:00 36261<-19586 (03:34:15.561 PDT) 148.81.140.193 (2) (03:48:07.822 PDT) event=1:2000419 {tcp} E3[rb] ET POLICY PE EXE or DLL Windows file download, [] MAC_Src: 00:21:1C:EE:14:00 59190<-30385 (03:48:07.822 PDT) ------------------------- event=1:3300007 {tcp} E3[rb] BotHunter Malware Windows executable (PE) sent from remote host, [] MAC_Src: 00:21:1C:EE:14:00 59190<-30385 (03:48:07.822 PDT) 204.8.155.226 (2) (03:17:57.396 PDT) event=1:2000419 {tcp} E3[rb] ET POLICY PE EXE or DLL Windows file download, [] MAC_Src: 00:21:1C:EE:14:00 50568<-14355 (03:17:57.396 PDT) ------------------------- event=1:3300007 {tcp} E3[rb] BotHunter Malware Windows executable (PE) sent from remote host, [] MAC_Src: 00:21:1C:EE:14:00 50568<-14355 (03:17:57.396 PDT) 132.239.17.226 (2) (03:11:13.574 PDT) event=1:2000419 {tcp} E3[rb] ET POLICY PE EXE or DLL Windows file download, [] MAC_Src: 00:21:1C:EE:14:00 58586<-14284 (03:11:13.574 PDT) ------------------------- event=1:3300007 {tcp} E3[rb] BotHunter Malware Windows executable (PE) sent from remote host, [] MAC_Src: 00:21:1C:EE:14:00 58586<-14284 (03:11:13.574 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) 88.198.53.104 (2) (03:51:02.073 PDT) event=1:3810007 (2) {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:EC:40 40402->53 (03:51:02.073 PDT) 56797->80 (04:01:02.553 PDT) 91.209.163.202 (03:40:51.016 PDT) event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:EC:40 48289->80 (03:40:51.016 PDT) 88.86.113.143 (03:10:05.025 PDT) event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:EC:40 60008->80 (03:10:05.025 PDT) 83.170.72.109 (03:20:51.770 PDT) event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:EC:40 45378->80 (03:20:51.770 PDT) 88.81.249.200 (04:22:07.418 PDT) event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:EC:40 53517->53 (04:22:07.418 PDT) 87.252.1.21 (03:30:51.662 PDT) event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:EC:40 37129->53 (03:30:51.662 PDT) 200.147.1.41 (04:12:05.313 PDT) event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:EC:40 50632->80 (04:12:05.313 PDT) C and C DNS CHECK-IN 192.168.1.230 (17) (03:09:15.561 PDT) event=224:1 (17) {udp} E4[dns] BHDNS SPYWARE-DNS: igenorri.hopto.org (malware), [] MAC_Src: 00:21:5A:08:EC:40 60155->53 (03:09:15.561 PDT) 33401->53 (03:10:26.724 PDT) 39930->53 (03:11:35.420 PDT) 50909->53 (03:13:52.938 PDT) 58217->53 (03:14:41.428 PDT) 50089->53 (03:15:22.267 PDT) 50557->53 (03:16:37.890 PDT) 44052->53 (03:20:59.701 PDT) 35985->53 (03:22:52.722 PDT) 38391->53 (03:23:17.703 PDT) 35538->53 (03:25:48.595 PDT) 33242->53 (03:28:03.621 PDT) 45589->53 (03:28:38.718 PDT) 50115->53 (03:29:56.991 PDT) 53589->53 (03:31:01.468 PDT) 58059->53 (03:32:17.947 PDT) 36443->53 (03:32:35.218 PDT) OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 31.170.163.50 (03:58:47.350 PDT) event=1:9910009 {tcp} E8[rb] ET ShadowServer confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 60520->80 (03:58:47.350 PDT) 128.186.122.86 (03:38:43.023 PDT) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 49302->40140 (03:38:43.023 PDT) 60.19.30.131 (03:48:06.118 PDT) event=1:9910009 {tcp} E8[rb] ET ShadowServer confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 45423->80 (03:48:06.118 PDT) 128.2.211.114 (03:18:42.792 PDT) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 56391->56391 (03:18:42.792 PDT) 223.25.242.107 (03:55:53.950 PDT) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 45576->53 (03:55:53.950 PDT) 67.212.177.42 (03:25:53.218 PDT) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 38339->53 (03:25:53.218 PDT) 93.170.52.30 (2) (03:15:52.082 PDT) event=1:9910005 (2) {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 37057->53 (03:35:53.915 PDT) 36323->53 (03:15:52.082 PDT) 31.170.163.70 (03:37:40.034 PDT) event=1:9910009 {tcp} E8[rb] ET ShadowServer confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 46114->80 (03:37:40.034 PDT) 130.104.72.201 (03:28:42.067 PDT) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 56391->56391 (03:28:42.067 PDT) 178.250.243.207 (03:26:52.191 PDT) event=1:9910009 {tcp} E8[rb] ET ShadowServer confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 35337->53 (03:26:52.191 PDT) 93.170.52.20 (2) (03:45:53.668 PDT) event=1:9910005 (2) {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 50720->53 (03:45:53.668 PDT) 58912->53 (04:05:55.487 PDT) 208.91.196.10 (03:16:42.846 PDT) event=1:9910009 {tcp} E8[rb] ET ShadowServer confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 56243->80 (03:16:42.846 PDT) 206.207.248.34 (03:48:43.678 PDT) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 23127->23127 (03:48:43.678 PDT) 128.163.142.20 (2) (03:08:42.735 PDT-03:58:45.273 PDT) event=1:9910006 (2) {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 2: 2121->2121 (03:08:42.735 PDT-03:58:45.273 PDT) tcpslice 1318673311.347 1318676325.274 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 1.5 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 192.168.1.230 Egg Source List: C & C List: 192.168.1.230 Peer Coord. List: Resource List: Observed Start: 10/15/2011 04:25:20.860 PDT Gen. Time: 10/15/2011 04:25:56.414 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS 192.168.1.230 (04:25:25.639 PDT) event=224:1 {udp} E2[dns] BHDNS SPYWARE-DNS: warwork.info (harmful), [] MAC_Dst: 00:21:1C:EE:14:00 43610->53 (04:25:25.639 PDT) EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN 192.168.1.230 (04:25:20.860 PDT) event=224:1 {udp} E4[dns] BHDNS SPYWARE-DNS: centsubsgesqua.hopto.org (malware), [] MAC_Src: 00:21:5A:08:EC:40 52523->53 (04:25:20.860 PDT) OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 98.129.126.138 (04:25:56.414 PDT) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 34644->53 (04:25:56.414 PDT) tcpslice 1318677920.860 1318677920.861 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 2.4 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 91.207.61.48, 192.168.1.230 Egg Source List: 91.209.175.100 C & C List: 67.55.67.250, 61.139.126.15, 194.186.88.58, 192.168.1.230 (16), 62.42.230.17 Peer Coord. List: Resource List: Observed Start: 10/15/2011 04:25:20.860 PDT Gen. Time: 10/15/2011 05:03:00.598 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS 91.207.61.48 (04:35:19.558 PDT) event=1:2632222 {tcp} E2[dns] BHDNS SPYWARE-CONTACT: warwork.info (harmful), [] MAC_Dst: 00:21:1C:EE:14:00 40049->53 (04:35:19.558 PDT) 192.168.1.230 (16) (04:25:25.639 PDT) event=224:1 (16) {udp} E2[dns] BHDNS SPYWARE-DNS: warwork.info (harmful), [] MAC_Dst: 00:21:1C:EE:14:00 43610->53 (04:25:25.639 PDT) 52234->53 (04:26:22.883 PDT) 56597->53 (04:27:47.631 PDT) 48547->53 (04:28:57.762 PDT) 36071->53 (04:29:12.554 PDT) 37592->53 (04:32:12.166 PDT) 35576->53 (04:35:13.122 PDT) 40620->53 (04:36:16.489 PDT) 41633->53 (04:38:03.547 PDT) 60975->53 (04:38:58.996 PDT) 49191->53 (04:39:16.705 PDT) 40895->53 (04:40:37.329 PDT) 43020->53 (04:41:47.115 PDT) 59962->53 (04:41:49.883 PDT) 49501->53 (04:41:57.313 PDT) 51255->53 (04:44:59.696 PDT) EGG DOWNLOAD 91.209.175.100 (2) (05:01:44.416 PDT) event=1:2009295 (2) {tcp} E3[rb] ET USER_AGENTS Suspicious Mozilla User-Agent Likely Fake (Mozilla/5.0), [/sec] MAC_Src: 00:21:5A:08:EC:40 58228->80 (05:01:44.416 PDT) 58231->80 (05:01:44.742 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) 67.55.67.250 (04:52:20.836 PDT) event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:EC:40 41418->80 (04:52:20.836 PDT) 61.139.126.15 (04:42:20.285 PDT) event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [%ED%E8|%AE%E6%89%17%03%01%00!%F7<%9F%85|%9A%9D%07%92-%E2%CCL%E4%EC_%B5%FC%9A%90%E5%8A%8F%85%F8=%E8%1C#%A5%E7%D3%B9%17%03%01%00!|%8C'p%B6%ED%9De%DB=%91%09%06%CE>%A6%9D%DDL] MAC_Src: 00:21:5A:08:EC:40 44196->80 (04:42:20.285 PDT) 194.186.88.58 (04:32:15.265 PDT) event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [!%AFXa{%C1U%C0C%8A%DC=fd%F9%E9%80t%BD5%AC] MAC_Src: 00:21:5A:08:EC:40 34562->80 (04:32:15.265 PDT) C and C DNS CHECK-IN 192.168.1.230 (16) (04:25:20.860 PDT) event=224:1 (16) {udp} E4[dns] BHDNS SPYWARE-DNS: centsubsgesqua.hopto.org (malware), [] MAC_Src: 00:21:5A:08:EC:40 52523->53 (04:25:20.860 PDT) 41011->53 (04:32:17.026 PDT) 57192->53 (04:33:27.562 PDT) 33944->53 (04:33:39.577 PDT) 33250->53 (04:34:37.146 PDT) 53593->53 (04:35:57.940 PDT) 35088->53 (04:38:07.414 PDT) 45241->53 (04:39:10.060 PDT) 47916->53 (04:40:22.035 PDT) 58911->53 (04:41:59.770 PDT) 36324->53 (04:42:01.843 PDT) 48841->53 (04:43:33.240 PDT) 52312->53 (04:46:20.541 PDT) 38698->53 (04:46:28.211 PDT) 54132->53 (04:47:05.009 PDT) 60258->53 (04:47:23.428 PDT) 62.42.230.17 (04:46:32.308 PDT) event=1:2632222 {tcp} E4[dns] BHDNS SPYWARE-CONTACT: albaimtra.com (trojan), [] MAC_Src: 00:21:5A:08:EC:40 41615->80 (04:46:32.308 PDT) OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 98.129.126.138 (04:25:56.414 PDT) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 34644->53 (04:25:56.414 PDT) 64.70.19.33 (04:35:57.100 PDT) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 49419->53 (04:35:57.100 PDT) 128.186.122.86 (04:28:45.147 PDT) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 49302->41701 (04:28:45.147 PDT) 41.189.229.65 (2) (04:41:58.690 PDT) event=1:9910009 (2) {tcp} E8[rb] ET ShadowServer confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 38821->53 (04:41:58.690 PDT) 48129->53 (04:52:02.880 PDT) 130.149.49.136 (04:58:48.015 PDT) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 56391->56391 (04:58:48.015 PDT) 31.170.163.70 (04:31:55.898 PDT) event=1:9910009 {tcp} E8[rb] ET ShadowServer confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 46576->80 (04:31:55.898 PDT) 87.98.140.145 (04:55:57.419 PDT) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 48900->53 (04:55:57.419 PDT) 216.8.179.25 (05:02:16.339 PDT) event=1:9910009 {tcp} E8[rb] ET ShadowServer confirmed botnet control server, [Torrent protocol%00%00%00%00%00] MAC_Src: 00:21:5A:08:EC:40 34641->80 (05:02:16.339 PDT) 93.170.52.20 (04:45:57.323 PDT) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 52509->53 (04:45:57.323 PDT) 206.207.248.34 (2) (04:38:45.636 PDT) event=1:9910006 (2) {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 2121->2121 (04:38:45.636 PDT) 2119->2119 (04:48:45.280 PDT) tcpslice 1318677920.860 1318677920.861 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.9 (>= 0.8) Infected Target: 192.168.1.102 Infector List: Egg Source List: C & C List: 83.170.72.109, 192.168.1.230 Peer Coord. List: Resource List: Observed Start: 10/15/2011 05:03:29.095 PDT Gen. Time: 10/15/2011 05:04:30.027 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) 83.170.72.109 (05:03:29.095 PDT) event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:EC:40 54054->80 (05:03:29.095 PDT) C and C DNS CHECK-IN 192.168.1.230 (05:04:30.027 PDT) event=224:1 {udp} E4[dns] BHDNS SPYWARE-DNS: wieblatrino.hopto.org (trojan), [] MAC_Src: 00:21:5A:08:EC:40 39430->53 (05:04:30.027 PDT) OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT tcpslice 1318680209.095 1318680209.096 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 1.9 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 192.168.1.230 Egg Source List: C & C List: 83.170.72.109, 192.168.1.230 (2) Peer Coord. List: Resource List: Observed Start: 10/15/2011 05:03:29.095 PDT Gen. Time: 10/15/2011 05:05:57.281 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS 192.168.1.230 (2) (05:04:33.173 PDT) event=224:1 (2) {udp} E2[dns] BHDNS SPYWARE-DNS: warwork.info (harmful), [] MAC_Dst: 00:21:1C:EE:14:00 47925->53 (05:04:33.173 PDT) 40328->53 (05:04:50.034 PDT) EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) 83.170.72.109 (05:03:29.095 PDT) event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:EC:40 54054->80 (05:03:29.095 PDT) C and C DNS CHECK-IN 192.168.1.230 (2) (05:04:30.027 PDT) event=224:1 (2) {udp} E4[dns] BHDNS SPYWARE-DNS: wieblatrino.hopto.org (trojan), [] MAC_Src: 00:21:5A:08:EC:40 39430->53 (05:04:30.027 PDT) 48095->53 (05:04:39.479 PDT) OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 93.170.52.20 (05:05:57.281 PDT) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 55477->53 (05:05:57.281 PDT) tcpslice 1318680209.095 1318680209.096 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 1.5 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 41.189.229.65, 192.168.1.230 Egg Source List: C & C List: 192.168.1.230 Peer Coord. List: Resource List: Observed Start: 10/15/2011 05:06:03.652 PDT Gen. Time: 10/15/2011 05:08:48.513 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS 41.189.229.65 (05:07:20.232 PDT) event=1:2632222 {tcp} E2[dns] BHDNS SPYWARE-CONTACT: esperadooptic.ru (zeus), [] MAC_Dst: 00:21:1C:EE:14:00 54881->80 (05:07:20.232 PDT) 192.168.1.230 (3) (05:06:03.652 PDT) event=224:1 (3) {udp} E2[dns] BHDNS SPYWARE-DNS: esperadooptic.ru (zeus), [] MAC_Dst: 00:21:1C:EE:14:00 36738->53 (05:06:03.652 PDT) 42961->53 (05:07:19.211 PDT) 52325->53 (05:07:29.784 PDT) EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN 192.168.1.230 (05:06:17.159 PDT) event=224:1 {udp} E4[dns] BHDNS SPYWARE-DNS: centsubsgesqua.hopto.org (malware), [] MAC_Src: 00:21:5A:08:EC:40 37000->53 (05:06:17.159 PDT) OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 130.149.49.136 (05:08:48.513 PDT) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 49301->49301 (05:08:48.513 PDT) tcpslice 1318680363.652 1318680363.653 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 1.3 (>= 0.8) Infected Target: 192.168.1.102 Infector List: Egg Source List: C & C List: 192.168.1.230 Peer Coord. List: Resource List: Observed Start: 10/15/2011 05:12:24.970 PDT Gen. Time: 10/15/2011 05:13:02.342 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN 192.168.1.230 (05:12:24.970 PDT) event=224:1 {udp} E4[dns] BHDNS SPYWARE-DNS: soudckrnkuzu.tk (malware), [] MAC_Src: 00:21:5A:08:EC:40 40694->53 (05:12:24.970 PDT) OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 92.38.209.184 (05:13:02.342 PDT) event=1:9910009 {tcp} E8[rb] ET ShadowServer confirmed botnet control server, [/in.php?site_id=238279&type=ping&jsuid=9609425711549596290&mime=js&x=0.5677242325618863] MAC_Src: 00:21:5A:08:EC:40 37721->80 (05:13:02.342 PDT) tcpslice 1318680744.970 1318680744.971 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 1.9 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 41.189.229.65, 192.168.1.230 Egg Source List: C & C List: 88.80.7.152, 200.147.33.19, 192.168.1.230 (10) Peer Coord. List: Resource List: Observed Start: 10/15/2011 05:12:24.970 PDT Gen. Time: 10/15/2011 05:28:08.307 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS 41.189.229.65 (05:17:49.019 PDT) event=1:2632222 {tcp} E2[dns] BHDNS SPYWARE-CONTACT: esperadooptic.ru (zeus), [%00%00%00%01%00%00%00%00%00%01%0278%03109%03151%0266%0Asa-trusted%0Cbondedsender%03org%00%00%10%00%01%00%00)%02%00%00%00%80] MAC_Dst: 00:21:1C:EE:14:00 47337->80 (05:17:49.019 PDT) 192.168.1.230 (9) (05:13:41.298 PDT) event=224:1 (9) {udp} E2[dns] BHDNS SPYWARE-DNS: porntubebiz.org (fake_codec), [] MAC_Dst: 00:21:1C:EE:14:00 38485->53 (05:13:41.298 PDT) 46199->53 (05:14:29.550 PDT) 36188->53 (05:14:43.771 PDT) 58168->53 (05:17:41.740 PDT) 60195->53 (05:18:50.119 PDT) 50872->53 (05:20:00.744 PDT) 52814->53 (05:20:08.320 PDT) 42603->53 (05:20:21.001 PDT) 45043->53 (05:23:26.620 PDT) EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) 88.80.7.152 (05:13:34.131 PDT) event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:EC:40 58933->53 (05:13:34.131 PDT) 200.147.33.19 (05:23:35.163 PDT) event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:EC:40 33382->53 (05:23:35.163 PDT) C and C DNS CHECK-IN 192.168.1.230 (10) (05:12:24.970 PDT) event=224:1 (10) {udp} E4[dns] BHDNS SPYWARE-DNS: soudckrnkuzu.tk (malware), [] MAC_Src: 00:21:5A:08:EC:40 40694->53 (05:12:24.970 PDT) 41282->53 (05:13:23.146 PDT) 48477->53 (05:15:03.003 PDT) 60495->53 (05:18:20.186 PDT) 44446->53 (05:20:07.349 PDT) 57714->53 (05:20:24.797 PDT) 46992->53 (05:21:55.713 PDT) 38252->53 (05:23:41.885 PDT) 40907->53 (05:24:58.222 PDT) 39272->53 (05:25:48.744 PDT) OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 128.227.11.13 (05:18:49.474 PDT) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 49302->4039 (05:18:49.474 PDT) 206.207.248.34 (05:16:02.311 PDT) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 41780->2128 (05:16:02.311 PDT) 92.38.209.184 (05:13:02.342 PDT) event=1:9910009 {tcp} E8[rb] ET ShadowServer confirmed botnet control server, [/in.php?site_id=238279&type=ping&jsuid=9609425711549596290&mime=js&x=0.5677242325618863] MAC_Src: 00:21:5A:08:EC:40 37721->80 (05:13:02.342 PDT) 31.170.163.70 (05:26:03.576 PDT) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 40515->53 (05:26:03.576 PDT) 79.96.166.153 (05:23:23.540 PDT) event=1:9910009 {tcp} E8[rb] ET ShadowServer confirmed botnet control server, [e%1C%D7%D1%A0wC%9DKf%93%%CA%A5%8DY%AF%A7%97%86%D7%E5V%A6y%99]*%BD%A4%A6%09%F07%D5%FE%EAU*.%13%10-%B7%07%B1%BC%FD%8D %1D%CFt%B2%E1%97%17%03%01%008%C00K%A0Q^i%1DS%8A%CFh%B1q ] MAC_Src: 00:21:5A:08:EC:40 59542->80 (05:23:23.540 PDT) tcpslice 1318680744.970 1318680744.971 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 10/15/2011 05:28:50.149 PDT Gen. Time: 10/15/2011 05:28:50.149 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 128.163.142.20 (05:28:50.149 PDT) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 4121->4121 (05:28:50.149 PDT) tcpslice 1318681730.149 1318681730.150 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 1.9 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 91.207.61.48, 192.168.1.230 Egg Source List: C & C List: 194.226.96.8, 192.168.1.230 (6) Peer Coord. List: Resource List: Observed Start: 10/15/2011 05:28:50.149 PDT Gen. Time: 10/15/2011 05:37:24.109 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS 91.207.61.48 (05:29:03.424 PDT) event=1:2632222 {tcp} E2[dns] BHDNS SPYWARE-CONTACT: warwork.info (harmful), [] MAC_Dst: 00:21:1C:EE:14:00 60262->53 (05:29:03.424 PDT) 192.168.1.230 (8) (05:30:20.808 PDT) event=224:1 (8) {udp} E2[dns] BHDNS SPYWARE-DNS: florianarray.ru (zeus), [] MAC_Dst: 00:21:1C:EE:14:00 59227->53 (05:30:20.808 PDT) 54803->53 (05:31:32.135 PDT) 59159->53 (05:31:39.506 PDT) 52053->53 (05:32:28.538 PDT) 39602->53 (05:32:29.350 PDT) 59558->53 (05:32:35.974 PDT) 36988->53 (05:32:53.796 PDT) 41516->53 (05:32:57.535 PDT) EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) 194.226.96.8 (05:33:43.354 PDT) event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:EC:40 36829->80 (05:33:43.354 PDT) C and C DNS CHECK-IN 192.168.1.230 (6) (05:29:09.983 PDT) event=224:1 (6) {udp} E4[dns] BHDNS SPYWARE-DNS: igenorri.hopto.org (malware), [] MAC_Src: 00:21:5A:08:EC:40 47490->53 (05:29:09.983 PDT) 56678->53 (05:29:20.570 PDT) 46399->53 (05:29:53.119 PDT) 46900->53 (05:30:41.380 PDT) 39050->53 (05:32:06.998 PDT) 60085->53 (05:33:28.416 PDT) OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 93.170.52.30 (05:36:03.229 PDT) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 60768->53 (05:36:03.229 PDT) 128.163.142.20 (05:28:50.149 PDT) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 4121->4121 (05:28:50.149 PDT) 98.129.126.138 (05:33:26.083 PDT) event=1:9910009 {tcp} E8[rb] ET ShadowServer confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 46656->53 (05:33:26.083 PDT) tcpslice 1318681730.149 1318681730.150 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 1.3 (>= 0.8) Infected Target: 192.168.1.102 Infector List: Egg Source List: C & C List: 192.168.1.230 (2) Peer Coord. List: Resource List: Observed Start: 10/15/2011 05:37:41.790 PDT Gen. Time: 10/15/2011 05:38:50.133 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN 192.168.1.230 (2) (05:37:41.790 PDT) event=224:1 (2) {udp} E4[dns] BHDNS SPYWARE-DNS: soudckrnkuzu.tk (malware), [] MAC_Src: 00:21:5A:08:EC:40 47676->53 (05:37:41.790 PDT) 54172->53 (05:38:14.065 PDT) OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 128.163.142.20 (05:38:50.133 PDT) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 23127->23127 (05:38:50.133 PDT) tcpslice 1318682261.790 1318682261.791 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 1.9 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 192.168.1.230 Egg Source List: C & C List: 58.22.242.63, 192.168.1.230 (6), 91.228.133.56 Peer Coord. List: Resource List: Observed Start: 10/15/2011 05:37:41.790 PDT Gen. Time: 10/15/2011 05:46:54.904 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS 192.168.1.230 (6) (05:40:05.187 PDT) event=224:1 (6) {udp} E2[dns] BHDNS SPYWARE-DNS: papucky.eu (exploit), [] MAC_Dst: 00:21:1C:EE:14:00 46941->53 (05:40:05.187 PDT) 59813->53 (05:42:52.216 PDT) 54789->53 (05:43:19.869 PDT) 47615->53 (05:44:15.891 PDT) 49526->53 (05:45:16.153 PDT) 38154->53 (05:45:35.322 PDT) EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) 58.22.242.63 (05:43:45.162 PDT) event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:EC:40 34400->80 (05:43:45.162 PDT) C and C DNS CHECK-IN 192.168.1.230 (6) (05:37:41.790 PDT) event=224:1 (6) {udp} E4[dns] BHDNS SPYWARE-DNS: soudckrnkuzu.tk (malware), [] MAC_Src: 00:21:5A:08:EC:40 47676->53 (05:37:41.790 PDT) 54172->53 (05:38:14.065 PDT) 58597->53 (05:39:19.331 PDT) 46815->53 (05:39:40.668 PDT) 56253->53 (05:43:04.221 PDT) 52178->53 (05:45:46.371 PDT) 91.228.133.56 (05:39:19.445 PDT) event=1:2632222 {tcp} E4[dns] BHDNS SPYWARE-CONTACT: wagequtn.mattemon.info (malware), [] MAC_Src: 00:21:5A:08:EC:40 60412->53 (05:39:19.445 PDT) OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 41.189.229.65 (05:43:31.595 PDT) event=1:9910009 {tcp} E8[rb] ET ShadowServer confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 35178->53 (05:43:31.595 PDT) 128.163.142.20 (05:38:50.133 PDT) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 23127->23127 (05:38:50.133 PDT) 208.64.124.162 (05:46:04.543 PDT) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 53571->53 (05:46:04.543 PDT) tcpslice 1318682261.790 1318682261.791 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 1.3 (>= 0.8) Infected Target: 192.168.1.102 Infector List: Egg Source List: C & C List: 192.168.1.230 (2) Peer Coord. List: Resource List: Observed Start: 10/15/2011 05:47:22.645 PDT Gen. Time: 10/15/2011 05:48:50.011 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN 192.168.1.230 (2) (05:47:22.645 PDT) event=224:1 (2) {udp} E4[dns] BHDNS SPYWARE-DNS: centsubsgesqua.hopto.org (malware), [] MAC_Src: 00:21:5A:08:EC:40 34524->53 (05:47:22.645 PDT) 34395->53 (05:48:21.644 PDT) OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 206.207.248.34 (05:48:50.011 PDT) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 23127->23127 (05:48:50.011 PDT) tcpslice 1318682842.645 1318682842.646 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 1.9 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 88.198.53.104, 91.214.209.19, 192.168.1.230 Egg Source List: C & C List: 88.198.53.104, 88.86.113.143, 78.31.65.216, 83.170.72.109, 64.70.19.33, 200.147.33.19, 87.242.73.96, 192.168.1.230 (17) Peer Coord. List: Resource List: Observed Start: 10/15/2011 05:47:22.645 PDT Gen. Time: 10/15/2011 07:05:31.655 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS 88.198.53.104 (06:00:25.520 PDT) event=1:2632222 {tcp} E2[dns] BHDNS SPYWARE-CONTACT: sourcegoogle.com (harmful), [] MAC_Dst: 00:21:1C:EE:14:00 49950->53 (06:00:25.520 PDT) 91.214.209.19 (05:49:38.373 PDT) event=1:2632222 {tcp} E2[dns] BHDNS SPYWARE-CONTACT: toolbarqueries-google.com (harmful), [] MAC_Dst: 00:21:1C:EE:14:00 37348->53 (05:49:38.373 PDT) 192.168.1.230 (15) (05:49:08.212 PDT) event=224:1 (15) {udp} E2[dns] BHDNS SPYWARE-DNS: porntubebiz.org (fake_codec), [] MAC_Dst: 00:21:1C:EE:14:00 34974->53 (05:49:08.212 PDT) 51717->53 (05:49:30.921 PDT) 56702->53 (05:50:25.388 PDT) 40545->53 (05:52:25.911 PDT) 46376->53 (05:56:02.445 PDT) 49772->53 (05:56:56.034 PDT) 44324->53 (05:58:13.796 PDT) 37253->53 (05:58:19.374 PDT) 41853->53 (06:02:36.388 PDT) 46030->53 (06:05:54.547 PDT) 37820->53 (06:06:38.570 PDT) 33136->53 (06:07:56.312 PDT) 38251->53 (06:08:33.128 PDT) 58720->53 (06:09:31.087 PDT) 36886->53 (06:11:03.941 PDT) EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) 88.198.53.104 (06:55:25.752 PDT) event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:EC:40 58682->80 (06:55:25.752 PDT) 88.86.113.143 (06:25:17.241 PDT) event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:EC:40 35991->80 (06:25:17.241 PDT) 78.31.65.216 (06:04:28.876 PDT) event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:EC:40 41536->53 (06:04:28.876 PDT) 83.170.72.109 (06:45:18.077 PDT) event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:EC:40 57524->80 (06:45:18.077 PDT) 64.70.19.33 (06:14:48.071 PDT) event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:EC:40 53146->53 (06:14:48.071 PDT) 200.147.33.19 (06:35:18.857 PDT) event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:EC:40 39090->53 (06:35:18.857 PDT) 87.242.73.96 (05:54:20.734 PDT) event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [J%0F%DD%05G%01Te~%F9nC8%8D%FC%B9%D2%82%AA%9An%DFGD%E5%0EK)%13%B0%92%BF%D7%92%00K%15%E3%17%03%01%00;%A7%937%1A%A9p%BBm%1F%81.%EATr%C4%C1^H#%E1%B0%0A%D4;n] MAC_Src: 00:21:5A:08:EC:40 42820->80 (05:54:20.734 PDT) C and C DNS CHECK-IN 192.168.1.230 (17) (05:47:22.645 PDT) event=224:1 (17) {udp} E4[dns] BHDNS SPYWARE-DNS: centsubsgesqua.hopto.org (malware), [] MAC_Src: 00:21:5A:08:EC:40 34524->53 (05:47:22.645 PDT) 34395->53 (05:48:21.644 PDT) 60826->53 (05:49:40.726 PDT) 33215->53 (05:50:45.568 PDT) 56869->53 (05:51:12.550 PDT) 58436->53 (05:54:19.951 PDT) 41837->53 (05:56:09.505 PDT) 40087->53 (05:56:43.145 PDT) 53443->53 (05:57:44.604 PDT) 39356->53 (05:59:29.495 PDT) 43483->53 (06:00:28.533 PDT) 41887->53 (06:01:03.735 PDT) 49326->53 (06:03:07.353 PDT) 54289->53 (06:03:43.347 PDT) 32888->53 (06:04:40.478 PDT) 49500->53 (06:06:53.564 PDT) 37834->53 (06:07:23.288 PDT) OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 128.227.11.13 (06:28:51.076 PDT) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 49302->54859 (06:28:51.076 PDT) 91.207.220.74 (06:15:26.519 PDT) event=1:9910009 {tcp} E8[rb] ET ShadowServer confirmed botnet control server, [f%B7c%F0%11%D3%BF%FC%BA%1CU%B0c%E0%0C%F34!3r%AA%BE%8B%89?%CB!%92%95%E6%CB%B3%F7%8C%AF'J!%D2%A5%EB %9DB%D3%063(QW%F1K%0C%E5B.%B8%CDL%A3H%A1F%F1D?5%10%97%19%07%F4%DB%F6] MAC_Src: 00:21:5A:08:EC:40 40873->80 (06:15:26.519 PDT) 60.19.30.131 (06:37:05.599 PDT) event=1:9910009 {tcp} E8[rb] ET ShadowServer confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 53889->53 (06:37:05.599 PDT) 128.2.211.114 (2) (05:58:50.628 PDT) event=1:9910006 (2) {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 30599->30599 (05:58:50.628 PDT) 56391->56391 (06:08:51.093 PDT) 93.170.52.30 (06:26:26.937 PDT) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 35236->53 (06:26:26.937 PDT) 195.226.246.3 (06:27:05.388 PDT) event=1:9910009 {tcp} E8[rb] ET ShadowServer confirmed botnet control server, [/robots.txt] MAC_Src: 00:21:5A:08:EC:40 36156->80 (06:27:05.388 PDT) 91.209.163.171 (05:56:05.927 PDT) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 43019->53 (05:56:05.927 PDT) 92.241.169.250 (05:54:03.177 PDT) event=1:9910009 {tcp} E8[rb] ET ShadowServer confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 46479->80 (05:54:03.177 PDT) 93.170.52.20 (06:16:25.483 PDT) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 50183->53 (06:16:25.483 PDT) 122.226.213.40 (06:06:24.023 PDT) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 60812->53 (06:06:24.023 PDT) 208.91.196.10 (06:04:07.982 PDT) event=1:9910009 {tcp} E8[rb] ET ShadowServer confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 42793->80 (06:04:07.982 PDT) 64.182.102.213 (06:36:28.056 PDT) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 44604->53 (06:36:28.056 PDT) 91.207.61.48 (06:46:29.042 PDT) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 32959->53 (06:46:29.042 PDT) 206.207.248.34 (3) (05:48:50.011 PDT-06:38:51.418 PDT) event=1:9910006 (3) {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 23127->23127 (05:48:50.011 PDT) 2: 56391->56391 (06:18:51.499 PDT-06:38:51.418 PDT) tcpslice 1318682842.645 1318685931.419 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.9 (>= 0.8) Infected Target: 192.168.1.102 Infector List: Egg Source List: C & C List: 91.209.163.202, 192.168.1.230 Peer Coord. List: Resource List: Observed Start: 10/15/2011 07:05:32.566 PDT Gen. Time: 10/15/2011 07:05:56.812 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) 91.209.163.202 (07:05:32.566 PDT) event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01] MAC_Src: 00:21:5A:08:EC:40 39378->80 (07:05:32.566 PDT) C and C DNS CHECK-IN 192.168.1.230 (07:05:56.812 PDT) event=224:1 {udp} E4[dns] BHDNS SPYWARE-DNS: igenorri.hopto.org (malware), [] MAC_Src: 00:21:5A:08:EC:40 33696->53 (07:05:56.812 PDT) OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT tcpslice 1318687532.566 1318687532.567 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 1.9 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 91.207.61.48, 192.168.1.230, 192.168.1.20 Egg Source List: C & C List: 67.43.226.154, 91.209.163.202, 64.86.97.91, 200.147.1.41, 87.98.140.145, 192.168.1.230 (17) Peer Coord. List: Resource List: Observed Start: 10/15/2011 07:05:32.566 PDT Gen. Time: 10/15/2011 07:46:23.630 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS 91.207.61.48 (2) (07:07:17.880 PDT) event=1:2632222 (2) {tcp} E2[dns] BHDNS SPYWARE-CONTACT: warwork.info (harmful), [%8E%FE%A7D}%17%CE$V] MAC_Dst: 00:21:1C:EE:14:00 59892->80 (07:07:17.880 PDT) 55101->80 (07:17:28.357 PDT) 192.168.1.230 (12) (07:12:25.512 PDT-07:12:31.279 PDT) event=224:1 (12) {udp} E2[dns] BHDNS SPYWARE-DNS: warwork.info (harmful), [] MAC_Dst: 00:21:1C:EE:14:00 42117->53 (07:23:23.519 PDT) 58916->53 (07:14:13.079 PDT) 50057->53 (07:12:31.666 PDT) 60188->53 (07:19:00.895 PDT) 60431->53 (07:13:19.108 PDT) 44670->53 (07:13:14.228 PDT) 54368->53 (07:16:09.671 PDT) 32941->53 (07:16:11.127 PDT) 42382->53 (07:21:01.604 PDT) 58855->53 (07:23:29.238 PDT) 2: 51054->53 (07:12:25.512 PDT-07:12:31.279 PDT) 192.168.1.20 (3) (07:13:20.125 PDT) event=224:1 (3) {udp} E2[dns] BHDNS SPYWARE-DNS: warwork.info (harmful), [] MAC_Dst: 00:21:1C:EE:14:00 35675->53 (07:23:30.427 PDT) 41154->53 (07:13:20.125 PDT) 59315->53 (07:23:24.641 PDT) EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) 67.43.226.154 (07:25:32.731 PDT) event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:EC:40 51189->53 (07:25:32.731 PDT) 91.209.163.202 (07:05:32.566 PDT) event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01] MAC_Src: 00:21:5A:08:EC:40 39378->80 (07:05:32.566 PDT) 64.86.97.91 (07:15:32.043 PDT) event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:EC:40 54958->53 (07:15:32.043 PDT) 200.147.1.41 (07:45:35.082 PDT) event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:EC:40 36203->53 (07:45:35.082 PDT) 87.98.140.145 (07:35:35.435 PDT) event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:EC:40 35688->80 (07:35:35.435 PDT) C and C DNS CHECK-IN 192.168.1.230 (17) (07:05:56.812 PDT) event=224:1 (17) {udp} E4[dns] BHDNS SPYWARE-DNS: igenorri.hopto.org (malware), [] MAC_Src: 00:21:5A:08:EC:40 33696->53 (07:05:56.812 PDT) 43270->53 (07:07:29.155 PDT) 39000->53 (07:08:10.281 PDT) 56655->53 (07:08:23.088 PDT) 33323->53 (07:08:34.422 PDT) 56453->53 (07:10:18.192 PDT) 40505->53 (07:16:48.207 PDT) 39418->53 (07:17:15.586 PDT) 50426->53 (07:18:30.579 PDT) 42181->53 (07:20:08.416 PDT) 54723->53 (07:20:43.637 PDT) 38170->53 (07:21:34.081 PDT) 51045->53 (07:23:56.836 PDT) 43566->53 (07:24:45.496 PDT) 53937->53 (07:26:03.237 PDT) 34761->53 (07:26:03.860 PDT) 35371->53 (07:26:54.999 PDT) OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 203.121.165.16 (07:19:50.656 PDT) event=1:9910009 {tcp} E8[rb] ET ShadowServer confirmed botnet control server, [Z%8B%9F%E5Xx%81%98%9Bb%A9%C1%91"G%F9%84in%E9%17%03%01%00!q] MAC_Src: 00:21:5A:08:EC:40 53455->80 (07:19:50.656 PDT) 216.246.77.218 (07:30:45.646 PDT) event=1:9910009 {tcp} E8[rb] ET ShadowServer confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 42197->53 (07:30:45.646 PDT) 41.189.229.65 (07:42:02.769 PDT) event=1:9910009 {tcp} E8[rb] ET ShadowServer confirmed botnet control server, [%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01] MAC_Src: 00:21:5A:08:EC:40 36128->80 (07:42:02.769 PDT) 134.34.246.5 (07:08:51.137 PDT) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 2122->2122 (07:08:51.137 PDT) 93.170.52.30 (07:06:29.271 PDT) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 58648->53 (07:06:29.271 PDT) 130.149.49.136 (3) (07:18:51.162 PDT-07:38:51.638 PDT) event=1:9910006 (3) {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 3: 49301->49301 (07:18:51.162 PDT-07:38:51.638 PDT) 91.209.163.202 (07:26:29.440 PDT) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 56453->53 (07:26:29.440 PDT) 80.172.236.66 (07:36:50.603 PDT) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 39975->53 (07:36:50.603 PDT) 80.93.56.4 (07:16:29.137 PDT) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 47402->53 (07:16:29.137 PDT) 208.91.196.10 (07:08:54.613 PDT) event=1:9910009 {tcp} E8[rb] ET ShadowServer confirmed botnet control server, [S] MAC_Src: 00:21:5A:08:EC:40 43172->80 (07:08:54.613 PDT) tcpslice 1318687532.566 1318689531.639 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 1.3 (>= 0.8) Infected Target: 192.168.1.102 Infector List: Egg Source List: C & C List: 192.168.1.230 Peer Coord. List: Resource List: Observed Start: 10/15/2011 07:46:29.853 PDT Gen. Time: 10/15/2011 07:46:50.455 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN 192.168.1.230 (07:46:29.853 PDT) event=224:1 {udp} E4[dns] BHDNS SPYWARE-DNS: soudckrnkuzu.tk (malware), [] MAC_Src: 00:21:5A:08:EC:40 45143->53 (07:46:29.853 PDT) OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 86.109.114.31 (07:46:50.455 PDT) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 37961->53 (07:46:50.455 PDT) tcpslice 1318689989.853 1318689989.854 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 1.9 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 91.207.61.48, 192.168.1.230, 192.168.1.20 Egg Source List: C & C List: 64.191.90.213, 61.139.126.15, 194.186.88.58, 192.168.1.230 (16), 176.28.0.239 Peer Coord. List: Resource List: Observed Start: 10/15/2011 07:46:29.853 PDT Gen. Time: 10/15/2011 08:19:57.784 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS 91.207.61.48 (07:47:32.771 PDT) event=1:2632222 {tcp} E2[dns] BHDNS SPYWARE-CONTACT: warwork.info (harmful), [] MAC_Dst: 00:21:1C:EE:14:00 54364->53 (07:47:32.771 PDT) 192.168.1.230 (12) (07:49:19.361 PDT-07:53:15.272 PDT) event=224:1 (12) {udp} E2[dns] BHDNS SPYWARE-DNS: sourcegoogle.com (harmful), [] MAC_Dst: 00:21:1C:EE:14:00 57036->53 (07:57:00.606 PDT) 51234->53 (07:52:15.158 PDT) 60495->53 (08:04:33.607 PDT) 51522->53 (07:54:55.112 PDT) 57322->53 (07:56:03.698 PDT) 42009->53 (07:49:19.361 PDT) 41819->53 (07:53:03.921 PDT) 39063->53 (07:52:10.691 PDT) 46238->53 (07:55:01.205 PDT) 45415->53 (08:03:02.924 PDT) 2: 38642->53 (07:53:09.269 PDT-07:53:15.272 PDT) 192.168.1.20 (4) (07:52:16.332 PDT) event=224:1 (4) {udp} E2[dns] BHDNS SPYWARE-DNS: florianarray.ru (zeus), [] MAC_Dst: 00:21:1C:EE:14:00 49607->53 (08:04:35.023 PDT) 42501->53 (07:52:16.332 PDT) 40707->53 (07:53:17.115 PDT) 60035->53 (08:04:38.264 PDT) EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) 64.191.90.213 (07:55:40.171 PDT) event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:EC:40 39434->53 (07:55:40.171 PDT) 61.139.126.15 (08:05:46.997 PDT) event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [/1/statuses/user_timeline.json?screen_name=chapterxfourx&count=3200&include_rts=true] MAC_Src: 00:21:5A:08:EC:40 33491->80 (08:05:46.997 PDT) 194.186.88.58 (08:15:46.657 PDT) event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:EC:40 59506->80 (08:15:46.657 PDT) C and C DNS CHECK-IN 192.168.1.230 (16) (07:46:29.853 PDT) event=224:1 (16) {udp} E4[dns] BHDNS SPYWARE-DNS: soudckrnkuzu.tk (malware), [] MAC_Src: 00:21:5A:08:EC:40 45143->53 (07:46:29.853 PDT) 56192->53 (07:47:27.241 PDT) 57758->53 (07:47:47.396 PDT) 38537->53 (07:52:23.761 PDT) 48724->53 (07:53:02.562 PDT) 51080->53 (07:53:52.036 PDT) 50909->53 (07:56:33.619 PDT) 52272->53 (07:59:34.980 PDT) 47658->53 (08:00:31.451 PDT) 59025->53 (08:02:21.923 PDT) 57115->53 (08:02:28.446 PDT) 49229->53 (08:02:30.438 PDT) 38761->53 (08:04:32.842 PDT) 47410->53 (08:05:24.912 PDT) 44639->53 (08:05:57.594 PDT) 60927->53 (08:06:05.511 PDT) 176.28.0.239 (08:02:28.726 PDT) event=1:2632222 {tcp} E4[dns] BHDNS SPYWARE-CONTACT: livedieoslix.com (malware), [] MAC_Src: 00:21:5A:08:EC:40 51637->53 (08:02:28.726 PDT) OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 128.227.11.13 (08:18:53.088 PDT) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 49302->54859 (08:18:53.088 PDT) 200.147.1.41 (08:16:55.060 PDT) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 32820->53 (08:16:55.060 PDT) 176.28.0.239 (08:02:28.726 PDT) event=1:9910009 {tcp} E8[rb] ET ShadowServer confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 51637->53 (08:02:28.726 PDT) 41.189.229.65 (07:52:23.288 PDT) event=1:9910009 {tcp} E8[rb] ET ShadowServer confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 49930->80 (07:52:23.288 PDT) 128.2.211.114 (07:48:51.920 PDT) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 2121->2121 (07:48:51.920 PDT) 93.170.52.30 (2) (07:56:50.304 PDT) event=1:9910005 (2) {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 58518->53 (07:56:50.304 PDT) 51589->53 (08:06:55.549 PDT) 130.149.49.136 (08:08:53.488 PDT) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 49301->49301 (08:08:53.488 PDT) 86.109.114.31 (07:46:50.455 PDT) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 37961->53 (07:46:50.455 PDT) 208.91.196.10 (08:14:29.076 PDT) event=1:9910009 {tcp} E8[rb] ET ShadowServer confirmed botnet control server, [%1F:,%DBR%C6%03%E9%9A] MAC_Src: 00:21:5A:08:EC:40 56254->80 (08:14:29.076 PDT) 206.207.248.34 (07:58:52.504 PDT) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 23127->23127 (07:58:52.504 PDT) tcpslice 1318689989.853 1318690395.273 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 1.5 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 91.207.61.48, 192.168.1.230 Egg Source List: C & C List: 192.168.1.230 (3) Peer Coord. List: Resource List: Observed Start: 10/15/2011 08:20:08.646 PDT Gen. Time: 10/15/2011 08:24:36.529 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS 91.207.61.48 (08:22:53.920 PDT) event=1:2632222 {tcp} E2[dns] BHDNS SPYWARE-CONTACT: warwork.info (harmful), [] MAC_Dst: 00:21:1C:EE:14:00 45935->80 (08:22:53.920 PDT) 192.168.1.230 (3) (08:20:32.835 PDT) event=224:1 (3) {udp} E2[dns] BHDNS SPYWARE-DNS: simulatormage.ru (zeus), [] MAC_Dst: 00:21:1C:EE:14:00 40022->53 (08:20:32.835 PDT) 35975->53 (08:20:38.162 PDT) 42541->53 (08:22:18.236 PDT) EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN 192.168.1.230 (3) (08:20:08.646 PDT) event=224:1 (3) {udp} E4[dns] BHDNS SPYWARE-DNS: wagequtn.mattemon.info (malware), [] MAC_Src: 00:21:5A:08:EC:40 33669->53 (08:20:08.646 PDT) 53428->53 (08:20:08.783 PDT) 34157->53 (08:21:23.376 PDT) OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 92.241.169.250 (08:24:36.529 PDT) event=1:9910009 {tcp} E8[rb] ET ShadowServer confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 56856->80 (08:24:36.529 PDT) tcpslice 1318692008.646 1318692008.647 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 1.9 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 91.207.61.48, 192.168.1.230 Egg Source List: C & C List: 88.80.7.152, 200.147.1.41, 192.168.1.230 (13) Peer Coord. List: Resource List: Observed Start: 10/15/2011 08:20:08.646 PDT Gen. Time: 10/15/2011 08:39:23.538 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS 91.207.61.48 (2) (08:22:53.920 PDT) event=1:2632222 (2) {tcp} E2[dns] BHDNS SPYWARE-CONTACT: warwork.info (harmful), [] MAC_Dst: 00:21:1C:EE:14:00 45935->80 (08:22:53.920 PDT) 34205->80 (08:32:54.184 PDT) 192.168.1.230 (11) (08:20:32.835 PDT) event=224:1 (11) {udp} E2[dns] BHDNS SPYWARE-DNS: simulatormage.ru (zeus), [] MAC_Dst: 00:21:1C:EE:14:00 40022->53 (08:20:32.835 PDT) 35975->53 (08:20:38.162 PDT) 42541->53 (08:22:18.236 PDT) 58495->53 (08:30:53.255 PDT) 37516->53 (08:31:31.199 PDT) 37903->53 (08:32:01.345 PDT) 54148->53 (08:33:02.774 PDT) 40864->53 (08:33:22.151 PDT) 52724->53 (08:33:23.993 PDT) 60510->53 (08:34:16.713 PDT) 38664->53 (08:38:22.083 PDT) EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) 88.80.7.152 (08:27:21.693 PDT) event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:EC:40 57394->53 (08:27:21.693 PDT) 200.147.1.41 (08:37:21.114 PDT) event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:EC:40 49023->53 (08:37:21.114 PDT) C and C DNS CHECK-IN 192.168.1.230 (13) (08:20:08.646 PDT) event=224:1 (13) {udp} E4[dns] BHDNS SPYWARE-DNS: wagequtn.mattemon.info (malware), [] MAC_Src: 00:21:5A:08:EC:40 33669->53 (08:20:08.646 PDT) 53428->53 (08:20:08.783 PDT) 34157->53 (08:21:23.376 PDT) 53410->53 (08:24:53.686 PDT) 60376->53 (08:25:38.313 PDT) 60538->53 (08:27:23.163 PDT) 38884->53 (08:28:55.339 PDT) 60960->53 (08:29:32.175 PDT) 55859->53 (08:33:52.306 PDT) 53948->53 (08:35:02.215 PDT) 55712->53 (08:35:15.145 PDT) 50058->53 (08:37:27.183 PDT) 35350->53 (08:37:32.442 PDT) OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 92.241.169.250 (08:24:36.529 PDT) event=1:9910009 {tcp} E8[rb] ET ShadowServer confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 56856->80 (08:24:36.529 PDT) 208.87.35.100 (08:37:02.214 PDT) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 41990->53 (08:37:02.214 PDT) 128.227.11.13 (2) (08:28:55.128 PDT-08:38:55.061 PDT) event=1:9910006 (2) {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 2: 49302->54859 (08:28:55.128 PDT-08:38:55.061 PDT) 92.38.209.184 (08:36:43.829 PDT) event=1:9910009 {tcp} E8[rb] ET ShadowServer confirmed botnet control server, [/thread.js?url=http:/www.ibtimes.com/articles/227303/20111007/watson-supercomputer-jeopardy-wellpoint-oracle-hp-artificial-inte] MAC_Src: 00:21:5A:08:EC:40 38176->80 (08:36:43.829 PDT) 64.182.102.213 (08:27:02.796 PDT) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 42728->53 (08:27:02.796 PDT) tcpslice 1318692008.646 1318693135.062 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 1.5 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 91.207.61.48, 192.168.1.230 Egg Source List: C & C List: 192.168.1.230 (3) Peer Coord. List: Resource List: Observed Start: 10/15/2011 08:41:56.604 PDT Gen. Time: 10/15/2011 08:47:02.030 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS 91.207.61.48 (08:42:59.478 PDT) event=1:2632222 {tcp} E2[dns] BHDNS SPYWARE-CONTACT: warwork.info (harmful), [] MAC_Dst: 00:21:1C:EE:14:00 46609->80 (08:42:59.478 PDT) 192.168.1.230 (7) (08:41:56.604 PDT) event=224:1 (7) {udp} E2[dns] BHDNS SPYWARE-DNS: warwork.info (harmful), [] MAC_Dst: 00:21:1C:EE:14:00 51998->53 (08:41:56.604 PDT) 43452->53 (08:43:11.431 PDT) 40954->53 (08:43:22.630 PDT) 56460->53 (08:44:09.530 PDT) 59654->53 (08:44:18.214 PDT) 41672->53 (08:46:10.549 PDT) 42785->53 (08:46:18.487 PDT) EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN 192.168.1.230 (3) (08:43:34.549 PDT) event=224:1 (3) {udp} E4[dns] BHDNS SPYWARE-DNS: igenorri.hopto.org (malware), [] MAC_Src: 00:21:5A:08:EC:40 49967->53 (08:43:34.549 PDT) 43663->53 (08:45:13.275 PDT) 55075->53 (08:46:25.645 PDT) OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 93.170.52.30 (08:47:02.030 PDT) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 54726->53 (08:47:02.030 PDT) tcpslice 1318693316.604 1318693316.605 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 2.4 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 91.207.61.48, 192.168.1.230, 192.168.1.20 Egg Source List: 91.209.175.100 C & C List: 60.190.93.178, 96.9.185.117, 200.147.33.19, 87.98.140.145, 91.209.163.184, 192.168.1.230 (17) Peer Coord. List: Resource List: Observed Start: 10/15/2011 08:41:56.604 PDT Gen. Time: 10/15/2011 09:30:47.139 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS 91.207.61.48 (2) (08:42:59.478 PDT) event=1:2632222 (2) {tcp} E2[dns] BHDNS SPYWARE-CONTACT: warwork.info (harmful), [] MAC_Dst: 00:21:1C:EE:14:00 46609->80 (08:42:59.478 PDT) 35116->80 (08:53:01.826 PDT) 192.168.1.230 (14) (08:41:56.604 PDT) event=224:1 (14) {udp} E2[dns] BHDNS SPYWARE-DNS: warwork.info (harmful), [] MAC_Dst: 00:21:1C:EE:14:00 51998->53 (08:41:56.604 PDT) 43452->53 (08:43:11.431 PDT) 40954->53 (08:43:22.630 PDT) 56460->53 (08:44:09.530 PDT) 59654->53 (08:44:18.214 PDT) 41672->53 (08:46:10.549 PDT) 42785->53 (08:46:18.487 PDT) 34510->53 (08:48:56.381 PDT) 48371->53 (08:50:59.435 PDT) 41751->53 (08:52:43.705 PDT) 43089->53 (08:56:14.652 PDT) 52033->53 (08:57:15.658 PDT) 41132->53 (08:58:56.478 PDT) 35032->53 (08:59:03.017 PDT) 192.168.1.20 (08:57:18.316 PDT) event=224:1 {udp} E2[dns] BHDNS SPYWARE-DNS: esperadooptic.ru (zeus), [] MAC_Dst: 00:21:1C:EE:14:00 40619->53 (08:57:18.316 PDT) EGG DOWNLOAD 91.209.175.100 (2) (09:01:44.393 PDT) event=1:2009295 (2) {tcp} E3[rb] ET USER_AGENTS Suspicious Mozilla User-Agent Likely Fake (Mozilla/5.0), [/tra] MAC_Src: 00:21:5A:08:EC:40 51937->80 (09:01:44.393 PDT) 51942->80 (09:01:44.719 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) 60.190.93.178 (08:57:52.909 PDT) event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:EC:40 58594->80 (08:57:52.909 PDT) 96.9.185.117 (09:29:09.607 PDT) event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:EC:40 47433->53 (09:29:09.607 PDT) 200.147.33.19 (09:18:33.846 PDT) event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:EC:40 58667->53 (09:18:33.846 PDT) 87.98.140.145 (09:07:54.410 PDT) event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:EC:40 42196->80 (09:07:54.410 PDT) 91.209.163.184 (08:47:39.693 PDT) event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [/popups/cc_servers/02-13-2011/http:/videos.godaddy.com/danica-media.aspx?isc=gppt02C024&domain=blogtaletadio.com/] MAC_Src: 00:21:5A:08:EC:40 42349->80 (08:47:39.693 PDT) C and C DNS CHECK-IN 192.168.1.230 (17) (08:43:34.549 PDT) event=224:1 (17) {udp} E4[dns] BHDNS SPYWARE-DNS: igenorri.hopto.org (malware), [] MAC_Src: 00:21:5A:08:EC:40 49967->53 (08:43:34.549 PDT) 43663->53 (08:45:13.275 PDT) 55075->53 (08:46:25.645 PDT) 50565->53 (08:47:37.567 PDT) 47043->53 (08:49:07.182 PDT) 58164->53 (08:50:20.366 PDT) 58891->53 (08:53:23.974 PDT) 37954->53 (08:55:11.158 PDT) 59847->53 (08:55:26.548 PDT) 50608->53 (08:57:27.288 PDT) 49220->53 (09:01:27.315 PDT) 42067->53 (09:02:59.577 PDT) 32914->53 (09:03:17.143 PDT) 41795->53 (09:05:34.775 PDT) 40075->53 (09:05:55.838 PDT) 37434->53 (09:06:28.645 PDT) 37057->53 (09:08:35.693 PDT) OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 41.189.229.65 (2) (08:58:57.504 PDT) event=1:9910009 (2) {tcp} E8[rb] ET ShadowServer confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 50054->80 (08:58:57.504 PDT) 55370->80 (09:09:15.208 PDT) 93.170.52.30 (3) (08:47:02.030 PDT) event=1:9910005 (3) {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 54726->53 (08:47:02.030 PDT) 58882->53 (09:07:07.150 PDT) 40903->53 (09:17:17.319 PDT) 195.226.246.3 (09:27:19.651 PDT) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 58693->53 (09:27:19.651 PDT) 128.227.11.13 (09:08:55.454 PDT) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 49302->3957 (09:08:55.454 PDT) 128.163.142.20 (3) (08:48:55.469 PDT) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 59038->2126 (08:57:02.418 PDT) ------------------------- event=1:9910006 (2) {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 30599->30599 (08:48:55.469 PDT) 23127->23127 (08:58:55.003 PDT) 206.207.248.34 (2) (09:18:55.108 PDT) event=1:9910006 (2) {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 2122->2122 (09:18:55.108 PDT) 23127->23127 (09:28:55.884 PDT) 31.170.163.70 (09:19:38.290 PDT) event=1:9910009 {tcp} E8[rb] ET ShadowServer confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 43864->80 (09:19:38.290 PDT) 79.96.166.153 (08:48:20.957 PDT) event=1:9910009 {tcp} E8[rb] ET ShadowServer confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 57253->80 (08:48:20.957 PDT) tcpslice 1318693316.604 1318693316.605 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 1.3 (>= 0.8) Infected Target: 192.168.1.102 Infector List: Egg Source List: C & C List: 192.168.1.230 Peer Coord. List: Resource List: Observed Start: 10/15/2011 09:31:09.295 PDT Gen. Time: 10/15/2011 09:31:19.973 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN 192.168.1.230 (09:31:09.295 PDT) event=224:1 {udp} E4[dns] BHDNS SPYWARE-DNS: centsubsgesqua.hopto.org (malware), [] MAC_Src: 00:21:5A:08:EC:40 55433->53 (09:31:09.295 PDT) OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 8.5.1.44 (09:31:19.973 PDT) event=1:9910009 {tcp} E8[rb] ET ShadowServer confirmed botnet control server, [,20111015] MAC_Src: 00:21:5A:08:EC:40 46260->80 (09:31:19.973 PDT) tcpslice 1318696269.295 1318696269.296 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 1.9 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 192.168.1.230, 82.210.157.9 Egg Source List: C & C List: 200.147.1.41, 192.168.1.230 (5) Peer Coord. List: Resource List: Observed Start: 10/15/2011 09:31:09.295 PDT Gen. Time: 10/15/2011 09:40:07.457 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS 192.168.1.230 (6) (09:31:48.230 PDT) event=224:1 (6) {udp} E2[dns] BHDNS SPYWARE-DNS: warwork.info (harmful), [] MAC_Dst: 00:21:1C:EE:14:00 41826->53 (09:31:48.230 PDT) 38529->53 (09:33:18.867 PDT) 38435->53 (09:34:35.020 PDT) 52861->53 (09:35:23.675 PDT) 36268->53 (09:36:52.231 PDT) 59085->53 (09:36:55.599 PDT) 82.210.157.9 (09:34:41.984 PDT) event=1:2632222 {tcp} E2[dns] BHDNS SPYWARE-CONTACT: florianarray.ru (zeus), [] MAC_Dst: 00:21:1C:EE:14:00 59169->80 (09:34:41.984 PDT) EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) 200.147.1.41 (09:39:09.588 PDT) event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:EC:40 56203->53 (09:39:09.588 PDT) C and C DNS CHECK-IN 192.168.1.230 (5) (09:31:09.295 PDT) event=224:1 (5) {udp} E4[dns] BHDNS SPYWARE-DNS: centsubsgesqua.hopto.org (malware), [] MAC_Src: 00:21:5A:08:EC:40 55433->53 (09:31:09.295 PDT) 48320->53 (09:31:55.050 PDT) 47024->53 (09:32:10.673 PDT) 47914->53 (09:34:53.822 PDT) 39456->53 (09:38:35.990 PDT) OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 130.149.49.136 (09:38:55.479 PDT) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 49301->49301 (09:38:55.479 PDT) 213.189.197.13 (09:37:20.265 PDT) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 39441->53 (09:37:20.265 PDT) 8.5.1.44 (09:31:19.973 PDT) event=1:9910009 {tcp} E8[rb] ET ShadowServer confirmed botnet control server, [,20111015] MAC_Src: 00:21:5A:08:EC:40 46260->80 (09:31:19.973 PDT) tcpslice 1318696269.295 1318696269.296 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 1.5 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 192.168.1.230 Egg Source List: C & C List: 192.168.1.230 (2) Peer Coord. List: Resource List: Observed Start: 10/15/2011 09:41:05.103 PDT Gen. Time: 10/15/2011 09:43:48.268 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS 192.168.1.230 (2) (09:41:12.179 PDT) event=224:1 (2) {udp} E2[dns] BHDNS SPYWARE-DNS: warwork.info (harmful), [] MAC_Dst: 00:21:1C:EE:14:00 52895->53 (09:41:12.179 PDT) 50727->53 (09:43:16.962 PDT) EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN 192.168.1.230 (2) (09:41:05.103 PDT) event=224:1 (2) {udp} E4[dns] BHDNS SPYWARE-DNS: soudckrnkuzu.tk (malware), [] MAC_Src: 00:21:5A:08:EC:40 57308->53 (09:41:05.103 PDT) 46897->53 (09:41:59.436 PDT) OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 92.240.68.95 (09:43:48.268 PDT) event=1:9910009 {tcp} E8[rb] ET ShadowServer confirmed botnet control server, [/ipInfo/IPRep.php?IP=173.194.33.16&SPEED=fast&FORMAT=csv] MAC_Src: 00:21:5A:08:EC:40 48960->80 (09:43:48.268 PDT) tcpslice 1318696865.103 1318696865.104 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 1.9 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 192.168.1.230 Egg Source List: C & C List: 80.172.236.66, 93.170.52.30, 192.168.1.230 (7) Peer Coord. List: Resource List: Observed Start: 10/15/2011 09:41:05.103 PDT Gen. Time: 10/15/2011 09:51:06.348 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS 192.168.1.230 (10) (09:41:12.179 PDT) event=224:1 (10) {udp} E2[dns] BHDNS SPYWARE-DNS: warwork.info (harmful), [] MAC_Dst: 00:21:1C:EE:14:00 52895->53 (09:41:12.179 PDT) 50727->53 (09:43:16.962 PDT) 47096->53 (09:44:09.220 PDT) 59104->53 (09:45:42.068 PDT) 48466->53 (09:45:43.444 PDT) 42240->53 (09:46:09.743 PDT) 45920->53 (09:46:54.465 PDT) 52145->53 (09:47:40.607 PDT) 35477->53 (09:49:16.360 PDT) 54471->53 (09:49:19.953 PDT) EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) 80.172.236.66 (09:49:11.179 PDT) event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:EC:40 58917->53 (09:49:11.179 PDT) C and C DNS CHECK-IN 93.170.52.30 (09:44:47.918 PDT) event=1:2632222 {tcp} E4[dns] BHDNS SPYWARE-CONTACT: soudckrnkuzu.tk (malware), [] MAC_Src: 00:21:5A:08:EC:40 38740->53 (09:44:47.918 PDT) 192.168.1.230 (7) (09:41:05.103 PDT) event=224:1 (7) {udp} E4[dns] BHDNS SPYWARE-DNS: soudckrnkuzu.tk (malware), [] MAC_Src: 00:21:5A:08:EC:40 57308->53 (09:41:05.103 PDT) 46897->53 (09:41:59.436 PDT) 36481->53 (09:44:23.189 PDT) 57979->53 (09:44:34.384 PDT) 48998->53 (09:44:35.330 PDT) 46804->53 (09:47:48.373 PDT) 35915->53 (09:48:32.978 PDT) OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 132.239.17.226 (09:48:55.154 PDT) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 56391->56391 (09:48:55.154 PDT) 92.240.68.95 (09:43:48.268 PDT) event=1:9910009 {tcp} E8[rb] ET ShadowServer confirmed botnet control server, [/ipInfo/IPRep.php?IP=173.194.33.16&SPEED=fast&FORMAT=csv] MAC_Src: 00:21:5A:08:EC:40 48960->80 (09:43:48.268 PDT) 31.31.74.37 (09:47:20.575 PDT) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 34052->53 (09:47:20.575 PDT) tcpslice 1318696865.103 1318696865.104 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 1.3 (>= 0.8) Infected Target: 192.168.1.102 Infector List: Egg Source List: C & C List: 192.168.1.230 (2) Peer Coord. List: Resource List: Observed Start: 10/15/2011 09:51:46.328 PDT Gen. Time: 10/15/2011 09:55:19.047 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN 192.168.1.230 (2) (09:51:46.328 PDT) event=224:1 (2) {udp} E4[dns] BHDNS SPYWARE-DNS: igenorri.hopto.org (malware), [] MAC_Src: 00:21:5A:08:EC:40 50414->53 (09:51:46.328 PDT) 33316->53 (09:53:15.231 PDT) OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 31.170.163.70 (09:55:19.047 PDT) event=1:9910009 {tcp} E8[rb] ET ShadowServer confirmed botnet control server, [S%00%00%00%11%00%00%00%00] MAC_Src: 00:21:5A:08:EC:40 52404->80 (09:55:19.047 PDT) tcpslice 1318697506.328 1318697506.329 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 1.9 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 192.168.1.230 Egg Source List: C & C List: 64.70.19.33, 192.168.1.230 (8), 91.228.133.56 Peer Coord. List: Resource List: Observed Start: 10/15/2011 09:51:46.328 PDT Gen. Time: 10/15/2011 10:04:55.760 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS 192.168.1.230 (8) (09:57:53.155 PDT) event=224:1 (8) {udp} E2[dns] BHDNS SPYWARE-DNS: arhyv.ru (exploit), [] MAC_Dst: 00:21:1C:EE:14:00 60825->53 (09:57:53.155 PDT) 38703->53 (09:59:03.796 PDT) 44787->53 (09:59:08.276 PDT) 54754->53 (09:59:48.358 PDT) 57878->53 (10:00:43.905 PDT) 52065->53 (10:01:26.837 PDT) 58307->53 (10:01:32.336 PDT) 40040->53 (10:01:42.619 PDT) EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) 64.70.19.33 (09:59:11.729 PDT) event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:EC:40 44829->53 (09:59:11.729 PDT) C and C DNS CHECK-IN 192.168.1.230 (8) (09:51:46.328 PDT) event=224:1 (8) {udp} E4[dns] BHDNS SPYWARE-DNS: igenorri.hopto.org (malware), [] MAC_Src: 00:21:5A:08:EC:40 50414->53 (09:51:46.328 PDT) 33316->53 (09:53:15.231 PDT) 51080->53 (09:55:29.051 PDT) 36181->53 (09:56:02.155 PDT) 32820->53 (09:56:37.824 PDT) 59562->53 (09:56:47.024 PDT) 34365->53 (09:57:46.883 PDT) 38916->53 (10:02:53.233 PDT) 91.228.133.56 (09:56:47.169 PDT) event=1:2632222 {tcp} E4[dns] BHDNS SPYWARE-CONTACT: wagequtn.mattemon.info (malware), [/scan.php] MAC_Src: 00:21:5A:08:EC:40 37934->80 (09:56:47.169 PDT) OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 130.149.49.136 (09:58:55.708 PDT) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 49301->49301 (09:58:55.708 PDT) 93.170.52.20 (09:57:22.223 PDT) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 58787->53 (09:57:22.223 PDT) 31.170.163.70 (09:55:19.047 PDT) event=1:9910009 {tcp} E8[rb] ET ShadowServer confirmed botnet control server, [S%00%00%00%11%00%00%00%00] MAC_Src: 00:21:5A:08:EC:40 52404->80 (09:55:19.047 PDT) tcpslice 1318697506.328 1318697506.329 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 1.3 (>= 0.8) Infected Target: 192.168.1.102 Infector List: Egg Source List: C & C List: 192.168.1.230 (3) Peer Coord. List: Resource List: Observed Start: 10/15/2011 10:05:05.318 PDT Gen. Time: 10/15/2011 10:07:47.316 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN 192.168.1.230 (3) (10:05:05.318 PDT) event=224:1 (3) {udp} E4[dns] BHDNS SPYWARE-DNS: wagequtn.mattemon.info (malware), [] MAC_Src: 00:21:5A:08:EC:40 55232->53 (10:05:05.318 PDT) 46111->53 (10:05:14.356 PDT) 49681->53 (10:05:47.015 PDT) OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 206.207.248.34 (10:07:47.316 PDT) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 50921->2128 (10:07:47.316 PDT) tcpslice 1318698305.318 1318698305.319 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 1.9 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 88.198.53.104, 192.168.1.230 Egg Source List: C & C List: 69.43.161.164, 192.168.1.230 (8) Peer Coord. List: Resource List: Observed Start: 10/15/2011 10:05:05.318 PDT Gen. Time: 10/15/2011 10:17:41.027 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS 88.198.53.104 (10:08:01.813 PDT) event=1:2632222 {tcp} E2[dns] BHDNS SPYWARE-CONTACT: sourcegoogle.com (harmful), [] MAC_Dst: 00:21:1C:EE:14:00 55168->53 (10:08:01.813 PDT) 192.168.1.230 (8) (10:08:30.072 PDT) event=224:1 (8) {udp} E2[dns] BHDNS SPYWARE-DNS: warwork.info (harmful), [] MAC_Dst: 00:21:1C:EE:14:00 50638->53 (10:08:30.072 PDT) 49107->53 (10:10:12.012 PDT) 46491->53 (10:10:24.411 PDT) 44128->53 (10:11:36.958 PDT) 57056->53 (10:11:52.686 PDT) 59681->53 (10:12:33.475 PDT) 52866->53 (10:14:14.706 PDT) 57958->53 (10:14:27.162 PDT) EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) 69.43.161.164 (10:09:22.033 PDT) event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [/index.php/HybridSal_FAQ] MAC_Src: 00:21:5A:08:EC:40 38825->80 (10:09:22.033 PDT) C and C DNS CHECK-IN 192.168.1.230 (8) (10:05:05.318 PDT) event=224:1 (8) {udp} E4[dns] BHDNS SPYWARE-DNS: wagequtn.mattemon.info (malware), [] MAC_Src: 00:21:5A:08:EC:40 55232->53 (10:05:05.318 PDT) 46111->53 (10:05:14.356 PDT) 49681->53 (10:05:47.015 PDT) 43251->53 (10:09:00.282 PDT) 46814->53 (10:09:27.268 PDT) 42035->53 (10:11:28.475 PDT) 60070->53 (10:12:34.984 PDT) 42411->53 (10:13:50.090 PDT) OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 128.2.211.114 (10:08:55.188 PDT) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 2121->2121 (10:08:55.188 PDT) 206.207.248.34 (10:07:47.316 PDT) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 50921->2128 (10:07:47.316 PDT) 92.38.209.230 (10:08:17.943 PDT) event=1:9910009 {tcp} E8[rb] ET ShadowServer confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 52595->80 (10:08:17.943 PDT) tcpslice 1318698305.318 1318698305.319 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 10/15/2011 10:17:47.661 PDT Gen. Time: 10/15/2011 10:17:47.661 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 91.207.61.48 (10:17:47.661 PDT) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 37041->53 (10:17:47.661 PDT) tcpslice 1318699067.661 1318699067.662 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 1.9 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 88.198.53.104, 91.207.61.48, 192.168.1.230 Egg Source List: C & C List: 58.22.242.63, 96.9.169.85, 200.147.1.41, 192.168.1.230 (15), 192.168.1.20 (2) Peer Coord. List: Resource List: Observed Start: 10/15/2011 10:17:47.661 PDT Gen. Time: 10/15/2011 10:44:36.513 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS 88.198.53.104 (10:28:35.943 PDT) event=1:2632222 {tcp} E2[dns] BHDNS SPYWARE-CONTACT: sourcegoogle.com (harmful), [] MAC_Dst: 00:21:1C:EE:14:00 56571->53 (10:28:35.943 PDT) 91.207.61.48 (10:18:10.728 PDT) event=1:2632222 {tcp} E2[dns] BHDNS SPYWARE-CONTACT: warwork.info (harmful), [] MAC_Dst: 00:21:1C:EE:14:00 49785->80 (10:18:10.728 PDT) 192.168.1.230 (15) (10:18:04.145 PDT) event=224:1 (15) {udp} E2[dns] BHDNS SPYWARE-DNS: warwork.info (harmful), [] MAC_Dst: 00:21:1C:EE:14:00 48059->53 (10:18:04.145 PDT) 53645->53 (10:18:24.435 PDT) 43511->53 (10:19:07.599 PDT) 32958->53 (10:20:05.403 PDT) 51621->53 (10:20:49.073 PDT) 59022->53 (10:22:56.824 PDT) 37560->53 (10:24:06.597 PDT) 49624->53 (10:24:51.433 PDT) 41163->53 (10:26:40.032 PDT) 44424->53 (10:26:55.502 PDT) 59921->53 (10:27:37.059 PDT) 45219->53 (10:35:24.750 PDT) 48219->53 (10:36:01.399 PDT) 39981->53 (10:36:47.701 PDT) 37225->53 (10:36:49.471 PDT) EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) 58.22.242.63 (10:41:01.459 PDT) event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:EC:40 41904->80 (10:41:01.459 PDT) 96.9.169.85 (10:20:45.802 PDT) event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:EC:40 36844->53 (10:20:45.802 PDT) 200.147.1.41 (10:30:45.177 PDT) event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:EC:40 48622->80 (10:30:45.177 PDT) C and C DNS CHECK-IN 192.168.1.230 (15) (10:18:31.934 PDT) event=224:1 (15) {udp} E4[dns] BHDNS SPYWARE-DNS: soudckrnkuzu.tk (malware), [] MAC_Src: 00:21:5A:08:EC:40 52043->53 (10:18:31.934 PDT) 36371->53 (10:18:53.596 PDT) 47066->53 (10:20:43.039 PDT) 51431->53 (10:20:54.745 PDT) 43721->53 (10:21:43.201 PDT) 38489->53 (10:21:51.834 PDT) 48635->53 (10:22:07.327 PDT) 40240->53 (10:22:24.300 PDT) 35568->53 (10:24:47.960 PDT) 35029->53 (10:25:52.996 PDT) 44909->53 (10:30:25.831 PDT) 44928->53 (10:31:00.209 PDT) 34528->53 (10:31:19.503 PDT) 47464->53 (10:31:51.338 PDT) 45215->53 (10:33:09.791 PDT) 192.168.1.20 (2) (10:21:52.823 PDT) event=224:1 (2) {udp} E4[dns] BHDNS SPYWARE-DNS: banner-count.com (trojan), [] MAC_Src: 00:21:5A:08:EC:40 54145->53 (10:21:52.823 PDT) 32952->53 (10:21:56.149 PDT) OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 130.149.49.136 (2) (10:28:56.833 PDT-10:38:56.781 PDT) event=1:9910006 (2) {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 2: 49301->49301 (10:28:56.833 PDT-10:38:56.781 PDT) 91.207.61.48 (10:17:47.661 PDT) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 37041->53 (10:17:47.661 PDT) 92.240.68.95 (10:21:05.568 PDT) event=1:9910009 {tcp} E8[rb] ET ShadowServer confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 50239->80 (10:21:05.568 PDT) 176.28.0.239 (10:33:33.702 PDT) event=1:9910009 {tcp} E8[rb] ET ShadowServer confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 54022->80 (10:33:33.702 PDT) 130.104.72.201 (10:18:55.241 PDT) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 6110->6110 (10:18:55.241 PDT) 93.170.52.20 (2) (10:27:47.149 PDT) event=1:9910005 (2) {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 58459->53 (10:27:47.149 PDT) 52748->53 (10:37:50.923 PDT) tcpslice 1318699067.661 1318700336.782 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 1.3 (>= 0.8) Infected Target: 192.168.1.102 Infector List: Egg Source List: C & C List: 192.168.1.230 Peer Coord. List: Resource List: Observed Start: 10/15/2011 10:44:57.664 PDT Gen. Time: 10/15/2011 10:45:00.060 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN 192.168.1.230 (10:44:57.664 PDT) event=224:1 {udp} E4[dns] BHDNS SPYWARE-DNS: soudckrnkuzu.tk (malware), [] MAC_Src: 00:21:5A:08:EC:40 34981->53 (10:44:57.664 PDT) OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 195.226.246.3 (10:45:00.060 PDT) event=1:9910009 {tcp} E8[rb] ET ShadowServer confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 42932->80 (10:45:00.060 PDT) tcpslice 1318700697.664 1318700697.665 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 1.9 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 192.168.1.230 Egg Source List: C & C List: 212.36.9.10, 192.168.1.230 (6), 212.150.22.126 Peer Coord. List: Resource List: Observed Start: 10/15/2011 10:44:57.664 PDT Gen. Time: 10/15/2011 10:57:09.776 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS 192.168.1.230 (9) (10:47:28.957 PDT) event=224:1 (9) {udp} E2[dns] BHDNS SPYWARE-DNS: warwork.info (harmful), [] MAC_Dst: 00:21:1C:EE:14:00 50177->53 (10:47:28.957 PDT) 52833->53 (10:50:00.699 PDT) 37172->53 (10:50:44.558 PDT) 45026->53 (10:50:45.572 PDT) 54884->53 (10:52:58.468 PDT) 57924->53 (10:53:04.505 PDT) 33759->53 (10:53:51.107 PDT) 47610->53 (10:54:09.801 PDT) 41911->53 (10:54:55.624 PDT) EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) 212.36.9.10 (10:51:01.645 PDT) event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:EC:40 55062->80 (10:51:01.645 PDT) C and C DNS CHECK-IN 192.168.1.230 (6) (10:44:57.664 PDT) event=224:1 (6) {udp} E4[dns] BHDNS SPYWARE-DNS: soudckrnkuzu.tk (malware), [] MAC_Src: 00:21:5A:08:EC:40 34981->53 (10:44:57.664 PDT) 54234->53 (10:47:18.463 PDT) 37639->53 (10:48:10.983 PDT) 59308->53 (10:49:07.349 PDT) 33107->53 (10:51:45.250 PDT) 59118->53 (10:52:46.816 PDT) 212.150.22.126 (10:49:14.792 PDT) event=1:2632222 {tcp} E4[dns] BHDNS SPYWARE-CONTACT: blogerim.co.il (trojan), [] MAC_Src: 00:21:5A:08:EC:40 46160->53 (10:49:14.792 PDT) OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 93.170.52.30 (10:47:50.104 PDT) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 37046->53 (10:47:50.104 PDT) 195.226.246.3 (10:45:00.060 PDT) event=1:9910009 {tcp} E8[rb] ET ShadowServer confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 42932->80 (10:45:00.060 PDT) 206.207.248.34 (10:48:56.445 PDT) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 23127->23127 (10:48:56.445 PDT) tcpslice 1318700697.664 1318700697.665 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 10/15/2011 10:57:53.805 PDT Gen. Time: 10/15/2011 10:57:53.805 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 91.207.61.48 (10:57:53.805 PDT) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 48594->53 (10:57:53.805 PDT) tcpslice 1318701473.805 1318701473.806 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 1.9 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 192.168.1.230, 192.168.1.20 Egg Source List: C & C List: 78.31.65.216, 200.147.1.41 (3), 91.209.163.184, 91.220.0.78, 192.168.1.230 (14), 176.28.0.239, 192.168.1.20 Peer Coord. List: Resource List: Observed Start: 10/15/2011 10:57:53.805 PDT Gen. Time: 10/15/2011 11:49:45.892 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS 192.168.1.230 (14) (10:58:12.476 PDT) event=224:1 (14) {udp} E2[dns] BHDNS SPYWARE-DNS: warwork.info (harmful), [] MAC_Dst: 00:21:1C:EE:14:00 44410->53 (10:58:12.476 PDT) 37343->53 (11:01:32.753 PDT) 51788->53 (11:03:06.708 PDT) 47477->53 (11:04:22.559 PDT) 60281->53 (11:06:05.831 PDT) 54669->53 (11:06:08.507 PDT) 40998->53 (11:08:43.884 PDT) 53942->53 (11:13:08.391 PDT) 42749->53 (11:13:35.481 PDT) 36386->53 (11:13:37.867 PDT) 59276->53 (11:14:32.605 PDT) 59341->53 (11:14:37.363 PDT) 33971->53 (11:15:14.032 PDT) 34264->53 (11:16:41.259 PDT) 192.168.1.20 (3) (11:13:38.867 PDT) event=224:1 (3) {udp} E2[dns] BHDNS SPYWARE-DNS: sourcegoogle.com (harmful), [] MAC_Dst: 00:21:1C:EE:14:00 58442->53 (11:13:38.867 PDT) 51381->53 (11:14:33.686 PDT) 60323->53 (11:14:38.437 PDT) EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) 78.31.65.216 (11:41:30.069 PDT) event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:EC:40 55839->80 (11:41:30.069 PDT) 200.147.1.41 (3) (11:01:03.007 PDT) event=1:3810007 (3) {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:EC:40 58797->80 (11:01:03.007 PDT) 54895->80 (11:11:22.667 PDT) 44084->53 (11:31:29.709 PDT) 91.209.163.184 (11:21:28.248 PDT) event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [%00%00%07%F3%00%00%00%00%00%00%07%C4%00%00%00%00%00%00%08]%00%00%00%00%00%00%08%D6%00%00%00%00%00%00%07%C7%FF%00%0F%00%00%00S%00%00%00%11%00%00%00%00] MAC_Src: 00:21:5A:08:EC:40 48528->80 (11:21:28.248 PDT) C and C DNS CHECK-IN 91.220.0.78 (11:00:43.325 PDT) event=1:2632222 {tcp} E4[dns] BHDNS SPYWARE-CONTACT: flashloads.net (malware), [] MAC_Src: 00:21:5A:08:EC:40 52233->80 (11:00:43.325 PDT) 192.168.1.230 (14) (10:58:03.153 PDT) event=224:1 (14) {udp} E4[dns] BHDNS SPYWARE-DNS: wagequtn.mattemon.info (malware), [] MAC_Src: 00:21:5A:08:EC:40 60549->53 (10:58:03.153 PDT) 40991->53 (10:58:19.968 PDT) 59583->53 (11:00:22.437 PDT) 44263->53 (11:00:23.789 PDT) 32952->53 (11:00:26.202 PDT) 49799->53 (11:01:55.787 PDT) 60679->53 (11:04:23.745 PDT) 53069->53 (11:04:29.573 PDT) 36123->53 (11:04:59.016 PDT) 45345->53 (11:06:51.629 PDT) 46725->53 (11:07:16.075 PDT) 53522->53 (11:10:06.976 PDT) 60435->53 (11:12:03.501 PDT) 46461->53 (11:12:04.770 PDT) 176.28.0.239 (11:12:04.918 PDT) event=1:2632222 {tcp} E4[dns] BHDNS SPYWARE-CONTACT: livedieoslix.com (malware), [] MAC_Src: 00:21:5A:08:EC:40 35810->53 (11:12:04.918 PDT) 192.168.1.20 (11:00:24.753 PDT) event=224:1 {udp} E4[dns] BHDNS SPYWARE-DNS: flashloads.net (malware), [] MAC_Src: 00:21:5A:08:EC:40 57180->53 (11:00:24.753 PDT) OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 80.150.6.138 (11:09:31.464 PDT) event=1:9910009 {tcp} E8[rb] ET ShadowServer confirmed botnet control server, [/http://a.wirebrain.de/coblitz/wow/patches/3.2.0/WoW-3.2.0-e] MAC_Src: 00:21:5A:08:EC:40 43007->80 (11:09:31.464 PDT) 216.246.77.218 (11:39:36.156 PDT) event=1:9910009 {tcp} E8[rb] ET ShadowServer confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 38600->53 (11:39:36.156 PDT) 60.19.30.131 (2) (11:17:54.289 PDT) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 57482->53 (11:17:54.289 PDT) ------------------------- event=1:9910009 {tcp} E8[rb] ET ShadowServer confirmed botnet control server, [/scan.php] MAC_Src: 00:21:5A:08:EC:40 34690->80 (11:19:32.947 PDT) 200.147.33.19 (11:47:59.148 PDT) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 55905->53 (11:47:59.148 PDT) 128.2.211.114 (3) (11:08:57.581 PDT-11:28:59.825 PDT) event=1:9910006 (3) {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 3: 2121->2121 (11:08:57.581 PDT-11:28:59.825 PDT) 93.170.52.30 (2) (11:27:54.371 PDT) event=1:9910005 (2) {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 50072->53 (11:27:54.371 PDT) 37915->53 (11:37:59.919 PDT) 92.240.68.95 (10:59:19.367 PDT) event=1:9910009 {tcp} E8[rb] ET ShadowServer confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 39015->53 (10:59:19.367 PDT) 130.104.72.201 (10:58:56.400 PDT) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 56391->56391 (10:58:56.400 PDT) 216.8.179.25 (11:29:36.011 PDT) event=1:9910009 {tcp} E8[rb] ET ShadowServer confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 39554->53 (11:29:36.011 PDT) 128.163.142.20 (11:38:59.151 PDT) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 23127->23127 (11:38:59.151 PDT) 91.209.163.184 (11:07:54.666 PDT) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 51783->53 (11:07:54.666 PDT) 91.207.61.48 (10:57:53.805 PDT) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 48594->53 (10:57:53.805 PDT) 132.239.17.226 (11:48:59.942 PDT) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 49302->49302 (11:48:59.942 PDT) tcpslice 1318701473.805 1318703339.826 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 1.0 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 192.168.1.230 Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 10/15/2011 11:49:48.829 PDT Gen. Time: 10/15/2011 11:50:09.090 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS 192.168.1.230 (11:49:48.829 PDT) event=224:1 {udp} E2[dns] BHDNS SPYWARE-DNS: porntubebiz.org (fake_codec), [] MAC_Dst: 00:21:1C:EE:14:00 47948->53 (11:49:48.829 PDT) EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 176.28.0.239 (11:50:09.090 PDT) event=1:9910009 {tcp} E8[rb] ET ShadowServer confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 54845->53 (11:50:09.090 PDT) tcpslice 1318704588.829 1318704588.830 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 1.9 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 91.207.61.48, 192.168.1.230 Egg Source List: C & C List: 200.147.33.17, 58.22.242.63, 64.70.19.33, 64.94.137.53, 192.168.1.230 (16), 91.228.133.56 Peer Coord. List: Resource List: Observed Start: 10/15/2011 11:49:48.829 PDT Gen. Time: 10/15/2011 12:26:46.393 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS 91.207.61.48 (12:05:28.875 PDT) event=1:2632222 {tcp} E2[dns] BHDNS SPYWARE-CONTACT: warwork.info (harmful), [] MAC_Dst: 00:21:1C:EE:14:00 48795->80 (12:05:28.875 PDT) 192.168.1.230 (16) (11:49:48.829 PDT) event=224:1 (16) {udp} E2[dns] BHDNS SPYWARE-DNS: porntubebiz.org (fake_codec), [] MAC_Dst: 00:21:1C:EE:14:00 47948->53 (11:49:48.829 PDT) 48662->53 (11:50:12.432 PDT) 46111->53 (11:50:23.239 PDT) 56067->53 (11:56:53.492 PDT) 54169->53 (11:57:56.672 PDT) 60677->53 (11:58:50.391 PDT) 40619->53 (11:58:55.214 PDT) 50383->53 (12:00:11.619 PDT) 42146->53 (12:01:28.162 PDT) 49091->53 (12:07:57.356 PDT) 49358->53 (12:08:04.972 PDT) 40171->53 (12:08:27.042 PDT) 46420->53 (12:09:52.486 PDT) 51475->53 (12:10:15.054 PDT) 33972->53 (12:10:49.232 PDT) 48068->53 (12:11:56.121 PDT) EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) 200.147.33.17 (12:12:28.395 PDT) event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:EC:40 44435->80 (12:12:28.395 PDT) 58.22.242.63 (11:52:04.942 PDT) event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:EC:40 50336->80 (11:52:04.942 PDT) 64.70.19.33 (12:22:32.846 PDT) event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:EC:40 36461->53 (12:22:32.846 PDT) 64.94.137.53 (12:02:10.858 PDT) event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:EC:40 33509->80 (12:02:10.858 PDT) C and C DNS CHECK-IN 192.168.1.230 (16) (11:50:29.624 PDT) event=224:1 (16) {udp} E4[dns] BHDNS SPYWARE-DNS: centsubsgesqua.hopto.org (malware), [] MAC_Src: 00:21:5A:08:EC:40 49702->53 (11:50:29.624 PDT) 59166->53 (11:54:54.424 PDT) 37163->53 (11:58:12.490 PDT) 40073->53 (12:01:42.767 PDT) 53463->53 (12:03:18.538 PDT) 36895->53 (12:05:14.668 PDT) 34973->53 (12:05:23.229 PDT) 36203->53 (12:05:31.844 PDT) 38354->53 (12:07:00.904 PDT) 46977->53 (12:12:23.049 PDT) 38858->53 (12:12:32.429 PDT) 51678->53 (12:15:18.644 PDT) 45631->53 (12:15:40.384 PDT) 41367->53 (12:18:45.447 PDT) 41790->53 (12:19:32.125 PDT) 56008->53 (12:19:54.017 PDT) 91.228.133.56 (11:54:26.819 PDT) event=1:2632222 {tcp} E4[dns] BHDNS SPYWARE-CONTACT: wagequtn.mattemon.info (malware), [] MAC_Src: 00:21:5A:08:EC:40 45950->80 (11:54:26.819 PDT) OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 98.129.126.138 (12:21:45.954 PDT) event=1:9910009 {tcp} E8[rb] ET ShadowServer confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 40815->80 (12:21:45.954 PDT) 176.28.0.239 (11:50:09.090 PDT) event=1:9910009 {tcp} E8[rb] ET ShadowServer confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 54845->53 (11:50:09.090 PDT) 41.189.229.65 (12:11:01.515 PDT) event=1:9910009 {tcp} E8[rb] ET ShadowServer confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 35842->53 (12:11:01.515 PDT) 95.173.163.8 (12:22:47.796 PDT) event=1:9910025 {tcp} E8[rb] CLEAN-MX Webserver hosting Malicious URL, [] MAC_Src: 00:21:5A:08:EC:40 3124->50369 (12:22:47.796 PDT) 88.81.249.200 (12:18:07.929 PDT) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 34454->53 (12:18:07.929 PDT) 128.2.211.114 (2) (12:08:59.000 PDT) event=1:9910006 (2) {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 2119->2119 (12:08:59.000 PDT) 2121->2121 (12:19:00.231 PDT) 87.252.1.21 (12:07:59.663 PDT) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 45798->53 (12:07:59.663 PDT) 92.38.209.184 (12:00:16.311 PDT) event=1:9910009 {tcp} E8[rb] ET ShadowServer confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 59992->80 (12:00:16.311 PDT) 67.21.76.36 (11:57:59.601 PDT) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 54129->53 (11:57:59.601 PDT) 132.239.17.226 (11:58:59.611 PDT) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 4121->4121 (11:58:59.611 PDT) tcpslice 1318704588.829 1318704588.830 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 1.5 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 41.189.229.65, 192.168.1.230 Egg Source List: C & C List: 192.168.1.230 Peer Coord. List: Resource List: Observed Start: 10/15/2011 12:26:46.503 PDT Gen. Time: 10/15/2011 12:28:07.896 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS 41.189.229.65 (12:26:46.503 PDT) event=1:2632222 {tcp} E2[dns] BHDNS SPYWARE-CONTACT: esperadooptic.ru (zeus), [/viewforum.php?f=4&sid=3fbd18e93e02e046558e3b71d44cbb49] MAC_Dst: 00:21:1C:EE:14:00 39688->80 (12:26:46.503 PDT) 192.168.1.230 (2) (12:26:48.149 PDT) event=224:1 (2) {udp} E2[dns] BHDNS SPYWARE-DNS: datacricketuf.ru (zeus), [] MAC_Dst: 00:21:1C:EE:14:00 36896->53 (12:26:48.149 PDT) 54381->53 (12:27:57.477 PDT) EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN 192.168.1.230 (12:27:03.552 PDT) event=224:1 {udp} E4[dns] BHDNS SPYWARE-DNS: banner-count.com (trojan), [] MAC_Src: 00:21:5A:08:EC:40 37975->53 (12:27:03.552 PDT) OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 93.170.52.30 (12:28:07.896 PDT) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 37758->53 (12:28:07.896 PDT) tcpslice 1318706806.503 1318706806.504 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 1.9 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 41.189.229.65, 91.207.61.48, 192.168.1.230, 192.168.1.20 Egg Source List: C & C List: 87.98.140.145, 67.19.244.5, 192.168.1.230 (13) Peer Coord. List: Resource List: Observed Start: 10/15/2011 12:26:46.503 PDT Gen. Time: 10/15/2011 12:44:13.168 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS 41.189.229.65 (12:26:46.503 PDT) event=1:2632222 {tcp} E2[dns] BHDNS SPYWARE-CONTACT: esperadooptic.ru (zeus), [/viewforum.php?f=4&sid=3fbd18e93e02e046558e3b71d44cbb49] MAC_Dst: 00:21:1C:EE:14:00 39688->80 (12:26:46.503 PDT) 91.207.61.48 (12:36:46.029 PDT) event=1:2632222 {tcp} E2[dns] BHDNS SPYWARE-CONTACT: warwork.info (harmful), [] MAC_Dst: 00:21:1C:EE:14:00 54549->80 (12:36:46.029 PDT) 192.168.1.230 (9) (12:26:48.149 PDT) event=224:1 (9) {udp} E2[dns] BHDNS SPYWARE-DNS: datacricketuf.ru (zeus), [] MAC_Dst: 00:21:1C:EE:14:00 36896->53 (12:26:48.149 PDT) 54381->53 (12:27:57.477 PDT) 45037->53 (12:28:18.131 PDT) 58547->53 (12:29:39.154 PDT) 38730->53 (12:31:28.835 PDT) 39034->53 (12:34:47.423 PDT) 43258->53 (12:36:29.535 PDT) 54962->53 (12:37:24.913 PDT) 38636->53 (12:41:02.047 PDT) 192.168.1.20 (12:34:48.444 PDT) event=224:1 {udp} E2[dns] BHDNS SPYWARE-DNS: arhyv.ru (exploit), [] MAC_Dst: 00:21:1C:EE:14:00 52161->53 (12:34:48.444 PDT) EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) 87.98.140.145 (12:32:34.328 PDT) event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:EC:40 46379->53 (12:32:34.328 PDT) 67.19.244.5 (12:42:38.115 PDT) event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:EC:40 55685->53 (12:42:38.115 PDT) C and C DNS CHECK-IN 192.168.1.230 (13) (12:27:03.552 PDT) event=224:1 (13) {udp} E4[dns] BHDNS SPYWARE-DNS: banner-count.com (trojan), [] MAC_Src: 00:21:5A:08:EC:40 37975->53 (12:27:03.552 PDT) 53803->53 (12:28:18.115 PDT) 39932->53 (12:28:21.014 PDT) 54385->53 (12:29:27.841 PDT) 58415->53 (12:31:48.981 PDT) 59661->53 (12:32:23.525 PDT) 41390->53 (12:32:50.904 PDT) 44903->53 (12:33:44.392 PDT) 54612->53 (12:34:25.421 PDT) 49779->53 (12:37:35.957 PDT) 60642->53 (12:41:52.074 PDT) 36634->53 (12:42:38.204 PDT) 48153->53 (12:43:10.422 PDT) OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 93.170.52.30 (12:28:07.896 PDT) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 37758->53 (12:28:07.896 PDT) 128.2.211.114 (2) (12:29:00.320 PDT-12:39:02.095 PDT) event=1:9910006 (2) {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 2: 2121->2121 (12:29:00.320 PDT-12:39:02.095 PDT) 61.139.126.15 (12:38:07.501 PDT) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 49873->53 (12:38:07.501 PDT) 178.250.243.207 (12:32:26.458 PDT) event=1:9910009 {tcp} E8[rb] ET ShadowServer confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 60366->53 (12:32:26.458 PDT) tcpslice 1318706806.503 1318707542.096 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 10/15/2011 12:46:29.137 PDT Gen. Time: 10/15/2011 12:46:29.137 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 208.91.196.10 (12:46:29.137 PDT) event=1:9910009 {tcp} E8[rb] ET ShadowServer confirmed botnet control server, [2#831#110#1304503424%05%00%04%003#444%0Af patch-src::Makefile.in,v 2#831#110#13045034243#444%0Af patch-src::frame.h,v 2#831#110#13045034243] MAC_Src: 00:21:5A:08:EC:40 33475->80 (12:46:29.137 PDT) tcpslice 1318707989.137 1318707989.138 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 1.9 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 91.207.61.48, 192.168.1.230, 192.168.1.20 Egg Source List: C & C List: 80.172.236.66, 192.168.1.230 (2) Peer Coord. List: Resource List: Observed Start: 10/15/2011 12:46:29.137 PDT Gen. Time: 10/15/2011 12:55:37.155 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS 91.207.61.48 (12:46:48.246 PDT) event=1:2632222 {tcp} E2[dns] BHDNS SPYWARE-CONTACT: warwork.info (harmful), [] MAC_Dst: 00:21:1C:EE:14:00 35772->53 (12:46:48.246 PDT) 192.168.1.230 (11) (12:47:41.551 PDT-12:48:35.635 PDT) event=224:1 (11) {udp} E2[dns] BHDNS SPYWARE-DNS: esperadooptic.ru (zeus), [] MAC_Dst: 00:21:1C:EE:14:00 44572->53 (12:50:41.859 PDT) 2: 52641->53 (12:48:29.586 PDT-12:48:35.635 PDT) 48669->53 (12:49:20.953 PDT) 2: 39152->53 (12:47:41.551 PDT-12:47:53.550 PDT) 2: 48902->53 (12:47:59.559 PDT-12:48:05.558 PDT) 52954->53 (12:51:47.972 PDT) 2: 36676->53 (12:48:11.578 PDT-12:48:23.624 PDT) 192.168.1.20 (5) (12:48:12.644 PDT-12:48:36.586 PDT) event=224:1 (5) {udp} E2[dns] BHDNS SPYWARE-DNS: arhyv.ru (exploit), [] MAC_Dst: 00:21:1C:EE:14:00 2: 37775->53 (12:48:30.586 PDT-12:48:36.586 PDT) 3: 35270->53 (12:48:12.644 PDT-12:48:24.577 PDT) EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) 80.172.236.66 (12:53:01.920 PDT) event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:EC:40 44062->53 (12:53:01.920 PDT) C and C DNS CHECK-IN 192.168.1.230 (2) (12:46:36.427 PDT) event=224:1 (2) {udp} E4[dns] BHDNS SPYWARE-DNS: banner-count.com (trojan), [] MAC_Src: 00:21:5A:08:EC:40 43245->53 (12:46:36.427 PDT) 49233->53 (12:50:36.892 PDT) OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 93.170.52.30 (12:48:08.633 PDT) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 54271->53 (12:48:08.633 PDT) 208.91.196.10 (12:46:29.137 PDT) event=1:9910009 {tcp} E8[rb] ET ShadowServer confirmed botnet control server, [2#831#110#1304503424%05%00%04%003#444%0Af patch-src::Makefile.in,v 2#831#110#13045034243#444%0Af patch-src::frame.h,v 2#831#110#13045034243] MAC_Src: 00:21:5A:08:EC:40 33475->80 (12:46:29.137 PDT) 128.163.142.20 (12:49:02.135 PDT) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 2121->2121 (12:49:02.135 PDT) tcpslice 1318707989.137 1318708116.587 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 1.3 (>= 0.8) Infected Target: 192.168.1.102 Infector List: Egg Source List: C & C List: 192.168.1.230 Peer Coord. List: Resource List: Observed Start: 10/15/2011 12:57:00.349 PDT Gen. Time: 10/15/2011 12:57:03.550 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN 192.168.1.230 (12:57:00.349 PDT) event=224:1 {udp} E4[dns] BHDNS SPYWARE-DNS: igenorri.hopto.org (malware), [] MAC_Src: 00:21:5A:08:EC:40 53228->53 (12:57:00.349 PDT) OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 31.170.163.70 (12:57:03.550 PDT) event=1:9910009 {tcp} E8[rb] ET ShadowServer confirmed botnet control server, [%87%8D%EB%16%87%8D%F5%9E_%86%E3%AF%83#%19%11%B7v;%0D%8B%CC%BDn4%A4B~#%C7;%92%D7%BF%17%03%01%00$_%E42q%E4%A0%82%A8e%12%93%A7%12%04%AB%B1B%E2%E5%B8%1D~?Ck%05T4A%87%D1%0A%A7] MAC_Src: 00:21:5A:08:EC:40 41943->80 (12:57:03.550 PDT) tcpslice 1318708620.349 1318708620.350 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 1.9 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 91.207.61.48, 192.168.1.230 Egg Source List: C & C List: 87.252.1.21, 200.147.33.19, 192.168.1.230 (16) Peer Coord. List: Resource List: Observed Start: 10/15/2011 12:57:00.349 PDT Gen. Time: 10/15/2011 13:17:55.433 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS 91.207.61.48 (2) (12:57:38.284 PDT) event=1:2632222 (2) {tcp} E2[dns] BHDNS SPYWARE-CONTACT: warwork.info (harmful), [/search?Creator=saslisb&sort_on=Date&sort_order=reverse] MAC_Dst: 00:21:1C:EE:14:00 37839->80 (12:57:38.284 PDT) 55516->80 (13:07:40.915 PDT) 192.168.1.230 (15) (12:57:44.714 PDT) event=224:1 (15) {udp} E2[dns] BHDNS SPYWARE-DNS: arhyv.ru (exploit), [] MAC_Dst: 00:21:1C:EE:14:00 39939->53 (12:57:44.714 PDT) 47075->53 (13:00:20.150 PDT) 59227->53 (13:02:03.873 PDT) 33811->53 (13:03:08.721 PDT) 35502->53 (13:03:16.847 PDT) 54557->53 (13:03:32.926 PDT) 43027->53 (13:04:16.514 PDT) 50099->53 (13:04:19.602 PDT) 39978->53 (13:09:45.542 PDT) 39545->53 (13:10:09.189 PDT) 55111->53 (13:10:23.835 PDT) 55086->53 (13:14:25.035 PDT) 43073->53 (13:15:37.615 PDT) 54801->53 (13:16:34.562 PDT) 44935->53 (13:16:41.107 PDT) EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) 87.252.1.21 (13:13:05.753 PDT) event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:EC:40 47060->53 (13:13:05.753 PDT) 200.147.33.19 (13:03:05.307 PDT) event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:EC:40 57088->53 (13:03:05.307 PDT) C and C DNS CHECK-IN 192.168.1.230 (16) (12:57:00.349 PDT) event=224:1 (16) {udp} E4[dns] BHDNS SPYWARE-DNS: igenorri.hopto.org (malware), [] MAC_Src: 00:21:5A:08:EC:40 53228->53 (12:57:00.349 PDT) 36516->53 (12:57:33.144 PDT) 36666->53 (12:58:24.141 PDT) 56064->53 (12:59:12.118 PDT) 35731->53 (12:59:15.927 PDT) 51258->53 (12:59:31.416 PDT) 46936->53 (13:01:34.435 PDT) 46423->53 (13:06:57.452 PDT) 54355->53 (13:08:11.308 PDT) 33401->53 (13:10:33.916 PDT) 59116->53 (13:11:01.559 PDT) 58931->53 (13:11:52.811 PDT) 42576->53 (13:12:31.204 PDT) 53635->53 (13:14:47.431 PDT) 37428->53 (13:16:10.895 PDT) 57972->53 (13:16:34.534 PDT) OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 93.170.52.30 (13:08:09.287 PDT) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 39827->53 (13:08:09.287 PDT) 128.2.211.114 (13:09:02.181 PDT) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 56391->56391 (13:09:02.181 PDT) 128.163.142.20 (12:59:02.428 PDT) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 2121->2121 (12:59:02.428 PDT) 91.207.61.48 (12:58:08.666 PDT) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 55952->53 (12:58:08.666 PDT) 92.38.209.184 (13:07:58.013 PDT) event=1:9910009 {tcp} E8[rb] ET ShadowServer confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 48648->80 (13:07:58.013 PDT) 31.170.163.70 (12:57:03.550 PDT) event=1:9910009 {tcp} E8[rb] ET ShadowServer confirmed botnet control server, [%87%8D%EB%16%87%8D%F5%9E_%86%E3%AF%83#%19%11%B7v;%0D%8B%CC%BDn4%A4B~#%C7;%92%D7%BF%17%03%01%00$_%E42q%E4%A0%82%A8e%12%93%A7%12%04%AB%B1B%E2%E5%B8%1D~?Ck%05T4A%87%D1%0A%A7] MAC_Src: 00:21:5A:08:EC:40 41943->80 (12:57:03.550 PDT) tcpslice 1318708620.349 1318708620.350 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 10/15/2011 13:18:09.571 PDT Gen. Time: 10/15/2011 13:18:09.571 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 93.170.52.30 (13:18:09.571 PDT) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 57299->53 (13:18:09.571 PDT) tcpslice 1318709889.571 1318709889.572 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 1.0 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 192.168.1.230, 188.229.89.127 Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 10/15/2011 13:18:09.571 PDT Gen. Time: 10/15/2011 13:21:44.119 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS 192.168.1.230 (3) (13:18:31.783 PDT) event=224:1 (3) {udp} E2[dns] BHDNS SPYWARE-DNS: arhyv.ru (exploit), [] MAC_Dst: 00:21:1C:EE:14:00 36189->53 (13:18:31.783 PDT) 47303->53 (13:19:28.145 PDT) 50369->53 (13:20:28.451 PDT) 188.229.89.127 (13:18:36.864 PDT) event=1:2632222 {tcp} E2[dns] BHDNS SPYWARE-CONTACT: arhyv.ru (exploit), [] MAC_Dst: 00:21:1C:EE:14:00 59638->80 (13:18:36.864 PDT) EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 93.170.52.30 (13:18:09.571 PDT) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 57299->53 (13:18:09.571 PDT) 128.2.211.114 (13:19:02.252 PDT) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 2121->2121 (13:19:02.252 PDT) 8.5.1.44 (13:18:25.598 PDT) event=1:9910009 {tcp} E8[rb] ET ShadowServer confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 53215->80 (13:18:25.598 PDT) tcpslice 1318709889.571 1318709889.572 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 1.1 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 192.168.1.230 Egg Source List: C & C List: 96.9.169.85, 192.168.1.230 Peer Coord. List: Resource List: Observed Start: 10/15/2011 13:22:13.859 PDT Gen. Time: 10/15/2011 13:23:41.745 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS 192.168.1.230 (13:22:13.859 PDT) event=224:1 {udp} E2[dns] BHDNS SPYWARE-DNS: sourcegoogle.com (harmful), [] MAC_Dst: 00:21:1C:EE:14:00 38095->53 (13:22:13.859 PDT) EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) 96.9.169.85 (13:23:08.210 PDT) event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:EC:40 47552->80 (13:23:08.210 PDT) C and C DNS CHECK-IN 192.168.1.230 (13:23:41.745 PDT) event=224:1 {udp} E4[dns] BHDNS SPYWARE-DNS: soudckrnkuzu.tk (malware), [] MAC_Src: 00:21:5A:08:EC:40 45183->53 (13:23:41.745 PDT) OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT tcpslice 1318710133.859 1318710133.860 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 1.9 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 41.189.229.65, 91.207.61.48, 192.168.1.230 Egg Source List: C & C List: 96.9.169.85 (2), 118.175.21.9, 192.168.1.230 (17) Peer Coord. List: Resource List: Observed Start: 10/15/2011 13:22:13.859 PDT Gen. Time: 10/15/2011 13:47:33.757 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS 41.189.229.65 (13:28:52.137 PDT) event=1:2632222 {tcp} E2[dns] BHDNS SPYWARE-CONTACT: esperadooptic.ru (zeus), [] MAC_Dst: 00:21:1C:EE:14:00 53408->53 (13:28:52.137 PDT) 91.207.61.48 (13:38:52.698 PDT) event=1:2632222 {tcp} E2[dns] BHDNS SPYWARE-CONTACT: warwork.info (harmful), [] MAC_Dst: 00:21:1C:EE:14:00 54028->80 (13:38:52.698 PDT) 192.168.1.230 (15) (13:22:13.859 PDT) event=224:1 (15) {udp} E2[dns] BHDNS SPYWARE-DNS: sourcegoogle.com (harmful), [] MAC_Dst: 00:21:1C:EE:14:00 38095->53 (13:22:13.859 PDT) 36219->53 (13:24:38.051 PDT) 36936->53 (13:27:23.582 PDT) 54466->53 (13:28:53.184 PDT) 52918->53 (13:29:25.905 PDT) 55528->53 (13:29:41.464 PDT) 50785->53 (13:29:49.585 PDT) 39536->53 (13:31:31.166 PDT) 37170->53 (13:37:07.849 PDT) 33072->53 (13:38:01.473 PDT) 53265->53 (13:38:02.226 PDT) 57579->53 (13:38:38.029 PDT) 37462->53 (13:39:44.215 PDT) 50490->53 (13:39:46.813 PDT) 50857->53 (13:41:06.758 PDT) EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) 96.9.169.85 (2) (13:23:08.210 PDT) event=1:3810007 (2) {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:EC:40 47552->80 (13:23:08.210 PDT) 37544->53 (13:33:08.747 PDT) 118.175.21.9 (13:43:10.580 PDT) event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:EC:40 52934->80 (13:43:10.580 PDT) C and C DNS CHECK-IN 192.168.1.230 (17) (13:23:41.745 PDT) event=224:1 (17) {udp} E4[dns] BHDNS SPYWARE-DNS: soudckrnkuzu.tk (malware), [] MAC_Src: 00:21:5A:08:EC:40 45183->53 (13:23:41.745 PDT) 38555->53 (13:24:09.242 PDT) 54313->53 (13:24:40.394 PDT) 43917->53 (13:25:14.760 PDT) 50392->53 (13:25:59.803 PDT) 35566->53 (13:26:28.582 PDT) 57884->53 (13:28:59.313 PDT) 60533->53 (13:31:38.486 PDT) 51483->53 (13:34:52.312 PDT) 37132->53 (13:35:41.496 PDT) 52380->53 (13:36:09.177 PDT) 34640->53 (13:37:23.133 PDT) 43225->53 (13:37:43.546 PDT) 41390->53 (13:39:52.520 PDT) 33736->53 (13:42:12.921 PDT) 34237->53 (13:43:46.081 PDT) 34353->53 (13:44:13.756 PDT) OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 216.8.179.25 (13:39:06.782 PDT) event=1:9910009 {tcp} E8[rb] ET ShadowServer confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 37426->53 (13:39:06.782 PDT) 41.189.229.65 (13:28:52.137 PDT) event=1:9910009 {tcp} E8[rb] ET ShadowServer confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 53408->53 (13:28:52.137 PDT) 93.170.52.30 (13:38:10.445 PDT) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 33607->53 (13:38:10.445 PDT) 128.227.11.13 (2) (13:29:02.477 PDT-13:39:02.389 PDT) event=1:9910006 (2) {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 2: 49302->54859 (13:29:02.477 PDT-13:39:02.389 PDT) 67.55.67.250 (13:28:10.115 PDT) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 45318->53 (13:28:10.115 PDT) tcpslice 1318710133.859 1318711142.390 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 1.0 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 192.168.1.230 Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 10/15/2011 13:48:07.119 PDT Gen. Time: 10/15/2011 13:48:14.166 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS 192.168.1.230 (13:48:07.119 PDT) event=224:1 {udp} E2[dns] BHDNS SPYWARE-DNS: warwork.info (harmful), [] MAC_Dst: 00:21:1C:EE:14:00 56941->53 (13:48:07.119 PDT) EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 91.207.61.48 (13:48:14.166 PDT) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 39251->53 (13:48:14.166 PDT) tcpslice 1318711687.119 1318711687.120 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 1.9 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 192.168.1.230 Egg Source List: C & C List: 88.86.113.143, 86.35.15.212, 192.168.1.230 (10), 91.228.133.56, 62.42.230.17 Peer Coord. List: Resource List: Observed Start: 10/15/2011 13:48:07.119 PDT Gen. Time: 10/15/2011 14:04:27.566 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS 192.168.1.230 (9) (13:48:07.119 PDT) event=224:1 (9) {udp} E2[dns] BHDNS SPYWARE-DNS: warwork.info (harmful), [] MAC_Dst: 00:21:1C:EE:14:00 56941->53 (13:48:07.119 PDT) 57255->53 (13:52:16.437 PDT) 34197->53 (13:52:39.425 PDT) 55212->53 (13:53:06.298 PDT) 48104->53 (13:54:15.576 PDT) 53731->53 (13:54:20.047 PDT) 48494->53 (13:57:37.353 PDT) 56039->53 (13:58:26.372 PDT) 60380->53 (13:58:50.462 PDT) EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) 88.86.113.143 (13:53:13.277 PDT) event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:EC:40 60511->53 (13:53:13.277 PDT) 86.35.15.212 (14:03:16.464 PDT) event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:EC:40 50853->53 (14:03:16.464 PDT) C and C DNS CHECK-IN 192.168.1.230 (10) (13:48:37.348 PDT) event=224:1 (10) {udp} E4[dns] BHDNS SPYWARE-DNS: soudckrnkuzu.tk (malware), [] MAC_Src: 00:21:5A:08:EC:40 39045->53 (13:48:37.348 PDT) 54092->53 (13:49:25.084 PDT) 51527->53 (13:50:06.090 PDT) 53767->53 (13:51:03.132 PDT) 57124->53 (13:52:58.513 PDT) 33375->53 (13:54:25.590 PDT) 36252->53 (13:55:50.346 PDT) 48971->53 (13:55:50.837 PDT) 55169->53 (14:00:15.858 PDT) 53805->53 (14:02:31.624 PDT) 91.228.133.56 (14:00:22.193 PDT) event=1:2632222 {tcp} E4[dns] BHDNS SPYWARE-CONTACT: wagequtn.mattemon.info (malware), [] MAC_Src: 00:21:5A:08:EC:40 52933->53 (14:00:22.193 PDT) 62.42.230.17 (13:50:12.401 PDT) event=1:2632222 {tcp} E4[dns] BHDNS SPYWARE-CONTACT: albaimtra.com (trojan), [w%9B%12%9CI9%8Dd%0F%00%00%00S%00%00%00%11%00%00%00%00%00%00%129%00%00%00%00%00%00%17(%00%00%00%00%00%00%17!%00%00%00%00%00%00%16%92%00%00%00%00%00%00%16%93%00%00%00%00%00%00%16%84%00%00%00%00%00%00%17%0D%00] MAC_Src: 00:21:5A:08:EC:40 45591->80 (13:50:12.401 PDT) OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 128.227.11.13 (13:49:02.300 PDT) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 49302->54859 (13:49:02.300 PDT) 91.207.61.48 (13:48:14.166 PDT) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 39251->53 (13:48:14.166 PDT) 200.147.33.19 (13:58:15.755 PDT) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 51399->53 (13:58:15.755 PDT) 130.104.72.201 (13:59:04.210 PDT) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 56391->56391 (13:59:04.210 PDT) 66.45.238.251 (13:59:34.883 PDT) event=1:9910009 {tcp} E8[rb] ET ShadowServer confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 42579->53 (13:59:34.883 PDT) 217.16.28.65 (13:49:07.295 PDT) event=1:9910009 {tcp} E8[rb] ET ShadowServer confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 58743->53 (13:49:07.295 PDT) tcpslice 1318711687.119 1318711687.120 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 1.5 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 192.168.1.230 Egg Source List: C & C List: 192.168.1.230 (2) Peer Coord. List: Resource List: Observed Start: 10/15/2011 14:04:34.806 PDT Gen. Time: 10/15/2011 14:08:15.452 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS 192.168.1.230 (5) (14:04:56.497 PDT) event=224:1 (5) {udp} E2[dns] BHDNS SPYWARE-DNS: florianarray.ru (zeus), [] MAC_Dst: 00:21:1C:EE:14:00 47352->53 (14:04:56.497 PDT) 43248->53 (14:05:43.705 PDT) 60052->53 (14:06:31.265 PDT) 54636->53 (14:06:35.050 PDT) 39744->53 (14:08:05.919 PDT) EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN 192.168.1.230 (2) (14:04:34.806 PDT) event=224:1 (2) {udp} E4[dns] BHDNS SPYWARE-DNS: igenorri.hopto.org (malware), [] MAC_Src: 00:21:5A:08:EC:40 48046->53 (14:04:34.806 PDT) 59007->53 (14:06:19.863 PDT) OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 91.207.61.48 (14:08:15.452 PDT) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 53410->53 (14:08:15.452 PDT) tcpslice 1318712674.806 1318712674.807 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 1.9 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 192.168.1.230, 188.229.89.127 Egg Source List: C & C List: 67.208.74.71, 76.73.1.194, 192.168.1.230 (13), 176.28.0.239 Peer Coord. List: Resource List: Observed Start: 10/15/2011 14:04:34.806 PDT Gen. Time: 10/15/2011 14:23:48.688 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS 192.168.1.230 (15) (14:04:56.497 PDT) event=224:1 (15) {udp} E2[dns] BHDNS SPYWARE-DNS: florianarray.ru (zeus), [] MAC_Dst: 00:21:1C:EE:14:00 47352->53 (14:04:56.497 PDT) 43248->53 (14:05:43.705 PDT) 60052->53 (14:06:31.265 PDT) 54636->53 (14:06:35.050 PDT) 39744->53 (14:08:05.919 PDT) 50661->53 (14:10:49.021 PDT) 54313->53 (14:13:07.615 PDT) 46079->53 (14:16:00.036 PDT) 52434->53 (14:17:24.123 PDT) 46352->53 (14:17:35.477 PDT) 51447->53 (14:17:45.963 PDT) 43583->53 (14:18:29.895 PDT) 47335->53 (14:19:18.081 PDT) 52943->53 (14:19:21.150 PDT) 55803->53 (14:23:36.046 PDT) 188.229.89.127 (14:10:51.464 PDT) event=1:2632222 {tcp} E2[dns] BHDNS SPYWARE-CONTACT: arhyv.ru (exploit), [] MAC_Dst: 00:21:1C:EE:14:00 60624->80 (14:10:51.464 PDT) EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) 67.208.74.71 (14:13:17.438 PDT) event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [/index.php] MAC_Src: 00:21:5A:08:EC:40 52067->80 (14:13:17.438 PDT) 76.73.1.194 (14:23:19.421 PDT) event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:EC:40 52718->53 (14:23:19.421 PDT) C and C DNS CHECK-IN 192.168.1.230 (13) (14:04:34.806 PDT) event=224:1 (13) {udp} E4[dns] BHDNS SPYWARE-DNS: igenorri.hopto.org (malware), [] MAC_Src: 00:21:5A:08:EC:40 48046->53 (14:04:34.806 PDT) 59007->53 (14:06:19.863 PDT) 48445->53 (14:09:45.811 PDT) 60846->53 (14:09:59.104 PDT) 36960->53 (14:13:34.026 PDT) 45405->53 (14:13:36.616 PDT) 53574->53 (14:14:11.897 PDT) 33397->53 (14:16:15.384 PDT) 33437->53 (14:18:12.859 PDT) 60952->53 (14:18:30.617 PDT) 47786->53 (14:19:52.039 PDT) 50271->53 (14:21:31.253 PDT) 37766->53 (14:23:30.630 PDT) 176.28.0.239 (14:21:44.407 PDT) event=1:2632222 {tcp} E4[dns] BHDNS SPYWARE-CONTACT: livedieoslix.com (malware), [] MAC_Src: 00:21:5A:08:EC:40 34805->53 (14:21:44.407 PDT) OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 130.149.49.136 (14:09:04.014 PDT) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 4878->4878 (14:09:04.014 PDT) 91.207.61.48 (14:08:15.452 PDT) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 53410->53 (14:08:15.452 PDT) 206.207.248.34 (14:19:04.114 PDT) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 54593->54593 (14:19:04.114 PDT) 92.240.68.95 (14:10:08.057 PDT) event=1:9910009 {tcp} E8[rb] ET ShadowServer confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 43792->80 (14:10:08.057 PDT) 176.28.0.239 (14:21:44.407 PDT) event=1:9910009 {tcp} E8[rb] ET ShadowServer confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 34805->53 (14:21:44.407 PDT) 93.170.52.20 (14:18:16.423 PDT) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 55218->53 (14:18:16.423 PDT) tcpslice 1318712674.806 1318712674.807 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 1.5 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 192.168.1.230 Egg Source List: C & C List: 192.168.1.230 (3) Peer Coord. List: Resource List: Observed Start: 10/15/2011 14:23:54.738 PDT Gen. Time: 10/15/2011 14:28:18.403 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS 192.168.1.230 (2) (14:25:44.192 PDT) event=224:1 (2) {udp} E2[dns] BHDNS SPYWARE-DNS: warwork.info (harmful), [] MAC_Dst: 00:21:1C:EE:14:00 36030->53 (14:25:44.192 PDT) 41937->53 (14:27:15.084 PDT) EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN 192.168.1.230 (3) (14:23:54.738 PDT) event=224:1 (3) {udp} E4[dns] BHDNS SPYWARE-DNS: centsubsgesqua.hopto.org (malware), [] MAC_Src: 00:21:5A:08:EC:40 57864->53 (14:23:54.738 PDT) 59230->53 (14:26:19.899 PDT) 44735->53 (14:27:04.197 PDT) OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 132.239.17.226 (14:28:18.403 PDT) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 59640->2128 (14:28:18.403 PDT) tcpslice 1318713834.738 1318713834.739 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 1.5 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 192.168.1.230 Egg Source List: C & C List: 192.168.1.230 (3) Peer Coord. List: Resource List: Observed Start: 10/15/2011 14:23:54.738 PDT Gen. Time: 10/15/2011 14:30:14.950 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS 192.168.1.230 (2) (14:25:44.192 PDT) event=224:1 (2) {udp} E2[dns] BHDNS SPYWARE-DNS: warwork.info (harmful), [] MAC_Dst: 00:21:1C:EE:14:00 36030->53 (14:25:44.192 PDT) 41937->53 (14:27:15.084 PDT) EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN 192.168.1.230 (3) (14:23:54.738 PDT) event=224:1 (3) {udp} E4[dns] BHDNS SPYWARE-DNS: centsubsgesqua.hopto.org (malware), [] MAC_Src: 00:21:5A:08:EC:40 57864->53 (14:23:54.738 PDT) 59230->53 (14:26:19.899 PDT) 44735->53 (14:27:04.197 PDT) OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 132.239.17.226 (14:28:18.403 PDT) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 59640->2128 (14:28:18.403 PDT) 206.207.248.34 (14:29:04.236 PDT) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 56391->56391 (14:29:04.236 PDT) tcpslice 1318713834.738 1318713834.739 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 1.0 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 192.168.1.230 Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 10/15/2011 14:30:37.952 PDT Gen. Time: 10/15/2011 14:31:46.934 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS 192.168.1.230 (3) (14:30:37.952 PDT) event=224:1 (3) {udp} E2[dns] BHDNS SPYWARE-DNS: florianarray.ru (zeus), [] MAC_Dst: 00:21:1C:EE:14:00 33163->53 (14:30:37.952 PDT) 35054->53 (14:31:08.676 PDT) 34672->53 (14:31:31.643 PDT) EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 195.226.246.3 (14:31:46.934 PDT) event=1:9910009 {tcp} E8[rb] ET ShadowServer confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 54520->53 (14:31:46.934 PDT) tcpslice 1318714237.952 1318714237.953 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 1.9 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 91.207.61.48, 192.168.1.230 Egg Source List: C & C List: 193.232.130.14, 192.168.1.230 (8) Peer Coord. List: Resource List: Observed Start: 10/15/2011 14:30:37.952 PDT Gen. Time: 10/15/2011 14:43:38.494 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS 91.207.61.48 (14:32:02.894 PDT) event=1:2632222 {tcp} E2[dns] BHDNS SPYWARE-CONTACT: warwork.info (harmful), [] MAC_Dst: 00:21:1C:EE:14:00 58345->53 (14:32:02.894 PDT) 192.168.1.230 (8) (14:30:37.952 PDT) event=224:1 (8) {udp} E2[dns] BHDNS SPYWARE-DNS: florianarray.ru (zeus), [] MAC_Dst: 00:21:1C:EE:14:00 33163->53 (14:30:37.952 PDT) 35054->53 (14:31:08.676 PDT) 34672->53 (14:31:31.643 PDT) 51146->53 (14:32:26.642 PDT) 52830->53 (14:32:28.865 PDT) 44890->53 (14:34:14.291 PDT) 38945->53 (14:36:04.986 PDT) 51770->53 (14:36:42.275 PDT) EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) 193.232.130.14 (14:33:37.127 PDT) event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:EC:40 53734->53 (14:33:37.127 PDT) C and C DNS CHECK-IN 192.168.1.230 (8) (14:32:23.638 PDT) event=224:1 (8) {udp} E4[dns] BHDNS SPYWARE-DNS: igenorri.hopto.org (malware), [] MAC_Src: 00:21:5A:08:EC:40 39449->53 (14:32:23.638 PDT) 42881->53 (14:32:55.720 PDT) 35750->53 (14:33:29.857 PDT) 58163->53 (14:33:56.862 PDT) 38657->53 (14:36:28.572 PDT) 59955->53 (14:37:55.703 PDT) 50445->53 (14:39:07.112 PDT) 46416->53 (14:39:59.152 PDT) OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 60.190.93.178 (14:38:18.236 PDT) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 38106->53 (14:38:18.236 PDT) 195.226.246.3 (14:31:46.934 PDT) event=1:9910009 {tcp} E8[rb] ET ShadowServer confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 54520->53 (14:31:46.934 PDT) 206.207.248.34 (14:39:05.246 PDT) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 56391->56391 (14:39:05.246 PDT) 31.170.163.70 (14:42:20.183 PDT) event=1:9910009 {tcp} E8[rb] ET ShadowServer confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 59262->53 (14:42:20.183 PDT) tcpslice 1318714237.952 1318714237.953 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 1.1 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 91.207.61.48, 192.168.1.230 Egg Source List: C & C List: 200.147.33.21, 192.168.1.230 Peer Coord. List: Resource List: Observed Start: 10/15/2011 14:43:39.904 PDT Gen. Time: 10/15/2011 14:46:02.465 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS 91.207.61.48 (14:43:51.747 PDT) event=1:2632222 {tcp} E2[dns] BHDNS SPYWARE-CONTACT: warwork.info (harmful), [] MAC_Dst: 00:21:1C:EE:14:00 53366->80 (14:43:51.747 PDT) 192.168.1.230 (3) (14:44:01.665 PDT) event=224:1 (3) {udp} E2[dns] BHDNS SPYWARE-DNS: florianarray.ru (zeus), [] MAC_Dst: 00:21:1C:EE:14:00 34721->53 (14:44:01.665 PDT) 45739->53 (14:44:54.998 PDT) 42566->53 (14:46:01.089 PDT) EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) 200.147.33.21 (14:43:39.904 PDT) event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:EC:40 34753->53 (14:43:39.904 PDT) C and C DNS CHECK-IN 192.168.1.230 (14:46:02.465 PDT) event=224:1 {udp} E4[dns] BHDNS SPYWARE-DNS: wagequtn.mattemon.info (malware), [] MAC_Src: 00:21:5A:08:EC:40 34229->53 (14:46:02.465 PDT) OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT tcpslice 1318715019.904 1318715019.905 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 1.9 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 91.207.61.48, 192.168.1.230 Egg Source List: C & C List: 88.80.7.152, 200.147.33.21, 192.168.1.230 (12) Peer Coord. List: Resource List: Observed Start: 10/15/2011 14:43:39.904 PDT Gen. Time: 10/15/2011 14:57:32.665 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS 91.207.61.48 (2) (14:43:51.747 PDT) event=1:2632222 (2) {tcp} E2[dns] BHDNS SPYWARE-CONTACT: warwork.info (harmful), [] MAC_Dst: 00:21:1C:EE:14:00 53366->80 (14:43:51.747 PDT) 32836->80 (14:54:52.932 PDT) 192.168.1.230 (10) (14:44:01.665 PDT) event=224:1 (10) {udp} E2[dns] BHDNS SPYWARE-DNS: florianarray.ru (zeus), [] MAC_Dst: 00:21:1C:EE:14:00 34721->53 (14:44:01.665 PDT) 45739->53 (14:44:54.998 PDT) 42566->53 (14:46:01.089 PDT) 56952->53 (14:46:02.790 PDT) 43716->53 (14:49:24.414 PDT) 46011->53 (14:49:59.556 PDT) 34481->53 (14:50:25.192 PDT) 52471->53 (14:52:42.008 PDT) 33727->53 (14:53:22.372 PDT) 58762->53 (14:56:32.306 PDT) EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) 88.80.7.152 (14:53:39.172 PDT) event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:EC:40 43005->53 (14:53:39.172 PDT) 200.147.33.21 (14:43:39.904 PDT) event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:EC:40 34753->53 (14:43:39.904 PDT) C and C DNS CHECK-IN 192.168.1.230 (12) (14:46:02.465 PDT) event=224:1 (12) {udp} E4[dns] BHDNS SPYWARE-DNS: wagequtn.mattemon.info (malware), [] MAC_Src: 00:21:5A:08:EC:40 34229->53 (14:46:02.465 PDT) 41253->53 (14:46:56.550 PDT) 48144->53 (14:49:06.910 PDT) 34951->53 (14:49:21.416 PDT) 33943->53 (14:49:23.462 PDT) 60583->53 (14:52:29.338 PDT) 39433->53 (14:52:36.497 PDT) 37574->53 (14:52:41.233 PDT) 58266->53 (14:53:30.260 PDT) 37989->53 (14:53:38.827 PDT) 60578->53 (14:54:47.176 PDT) 49382->53 (14:56:11.746 PDT) OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 61.4.82.131 (14:52:21.655 PDT) event=1:9910009 {tcp} E8[rb] ET ShadowServer confirmed botnet control server, [%sF%CAIre%EF%00%00%00%00%00%00%10%0A%00] MAC_Src: 00:21:5A:08:EC:40 39896->80 (14:52:21.655 PDT) 206.207.248.34 (14:49:05.719 PDT) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 56391->56391 (14:49:05.719 PDT) 93.170.52.20 (14:48:20.130 PDT) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 50057->53 (14:48:20.130 PDT) tcpslice 1318715019.904 1318715019.905 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 1.0 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 192.168.1.230 Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 10/15/2011 14:57:43.900 PDT Gen. Time: 10/15/2011 14:58:21.919 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS 192.168.1.230 (14:57:43.900 PDT) event=224:1 {udp} E2[dns] BHDNS SPYWARE-DNS: florianarray.ru (zeus), [] MAC_Dst: 00:21:1C:EE:14:00 59819->53 (14:57:43.900 PDT) EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 93.170.52.30 (14:58:21.919 PDT) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 44651->53 (14:58:21.919 PDT) tcpslice 1318715863.900 1318715863.901 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 1.5 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 192.168.1.230 Egg Source List: C & C List: 192.168.1.230 Peer Coord. List: Resource List: Observed Start: 10/15/2011 14:57:43.900 PDT Gen. Time: 10/15/2011 15:02:09.875 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS 192.168.1.230 (4) (14:57:43.900 PDT) event=224:1 (4) {udp} E2[dns] BHDNS SPYWARE-DNS: florianarray.ru (zeus), [] MAC_Dst: 00:21:1C:EE:14:00 59819->53 (14:57:43.900 PDT) 58964->53 (14:58:38.023 PDT) 56052->53 (14:59:29.535 PDT) 53483->53 (14:59:32.339 PDT) EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN 192.168.1.230 (15:00:22.336 PDT) event=224:1 {udp} E4[dns] BHDNS SPYWARE-DNS: livedieoslix.com (malware), [] MAC_Src: 00:21:5A:08:EC:40 46159->53 (15:00:22.336 PDT) OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 93.170.52.30 (14:58:21.919 PDT) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 44651->53 (14:58:21.919 PDT) 128.2.211.114 (14:59:05.072 PDT) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 49301->49301 (14:59:05.072 PDT) tcpslice 1318715863.900 1318715863.901 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 1.3 (>= 0.8) Infected Target: 192.168.1.102 Infector List: Egg Source List: C & C List: 192.168.1.230 Peer Coord. List: Resource List: Observed Start: 10/15/2011 15:02:39.066 PDT Gen. Time: 10/15/2011 15:02:49.790 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN 192.168.1.230 (15:02:39.066 PDT) event=224:1 {udp} E4[dns] BHDNS SPYWARE-DNS: igenorri.hopto.org (malware), [] MAC_Src: 00:21:5A:08:EC:40 60925->53 (15:02:39.066 PDT) OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 92.241.169.250 (15:02:49.790 PDT) event=1:9910009 {tcp} E8[rb] ET ShadowServer confirmed botnet control server, [%0F%04%9Ds%9A%15A%E5%CE%B2FK%A3%D9Y%D1] MAC_Src: 00:21:5A:08:EC:40 42362->80 (15:02:49.790 PDT) tcpslice 1318716159.066 1318716159.067 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 1.9 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 192.168.1.230 Egg Source List: C & C List: 91.209.163.184, 192.168.1.230 (8), 91.228.133.56 Peer Coord. List: Resource List: Observed Start: 10/15/2011 15:02:39.066 PDT Gen. Time: 10/15/2011 15:11:28.819 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS 192.168.1.230 (5) (15:03:37.519 PDT) event=224:1 (5) {udp} E2[dns] BHDNS SPYWARE-DNS: arhyv.ru (exploit), [] MAC_Dst: 00:21:1C:EE:14:00 42956->53 (15:03:37.519 PDT) 57951->53 (15:05:57.700 PDT) 50167->53 (15:06:55.527 PDT) 56812->53 (15:08:18.400 PDT) 35952->53 (15:09:29.903 PDT) EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) 91.209.163.184 (15:03:50.515 PDT) event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:EC:40 48328->80 (15:03:50.515 PDT) C and C DNS CHECK-IN 192.168.1.230 (8) (15:02:39.066 PDT) event=224:1 (8) {udp} E4[dns] BHDNS SPYWARE-DNS: igenorri.hopto.org (malware), [] MAC_Src: 00:21:5A:08:EC:40 60925->53 (15:02:39.066 PDT) 36119->53 (15:03:25.312 PDT) 46130->53 (15:03:57.339 PDT) 35282->53 (15:04:30.786 PDT) 56022->53 (15:05:25.132 PDT) 54535->53 (15:06:51.761 PDT) 37087->53 (15:07:08.060 PDT) 45469->53 (15:07:25.909 PDT) 91.228.133.56 (15:04:52.590 PDT) event=1:2632222 {tcp} E4[dns] BHDNS SPYWARE-CONTACT: wagequtn.mattemon.info (malware), [] MAC_Src: 00:21:5A:08:EC:40 57723->53 (15:04:52.590 PDT) OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 92.241.169.250 (15:02:49.790 PDT) event=1:9910009 {tcp} E8[rb] ET ShadowServer confirmed botnet control server, [%0F%04%9Ds%9A%15A%E5%CE%B2FK%A3%D9Y%D1] MAC_Src: 00:21:5A:08:EC:40 42362->80 (15:02:49.790 PDT) 206.207.248.34 (15:09:06.096 PDT) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 56391->56391 (15:09:06.096 PDT) 93.170.52.20 (15:08:21.139 PDT) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 49094->53 (15:08:21.139 PDT) tcpslice 1318716159.066 1318716159.067 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 1.0 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 192.168.1.230 Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 10/15/2011 15:11:54.493 PDT Gen. Time: 10/15/2011 15:12:49.155 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS 192.168.1.230 (15:11:54.493 PDT) event=224:1 {udp} E2[dns] BHDNS SPYWARE-DNS: sourcegoogle.com (harmful), [] MAC_Dst: 00:21:1C:EE:14:00 55017->53 (15:11:54.493 PDT) EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 8.5.1.44 (15:12:49.155 PDT) event=1:9910009 {tcp} E8[rb] ET ShadowServer confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 35857->80 (15:12:49.155 PDT) tcpslice 1318716714.493 1318716714.494 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 1.9 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 91.207.61.48, 192.168.1.230, 192.168.1.20 Egg Source List: C & C List: 194.85.61.78, 64.70.19.33, 64.86.97.91, 96.9.185.117, 212.36.9.10, 194.186.88.58, 64.62.181.43, 192.168.1.230 (16), 91.228.133.56 Peer Coord. List: Resource List: Observed Start: 10/15/2011 15:11:54.493 PDT Gen. Time: 10/15/2011 16:14:46.515 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS 91.207.61.48 (15:25:41.746 PDT) event=1:2632222 {tcp} E2[dns] BHDNS SPYWARE-CONTACT: warwork.info (harmful), [] MAC_Dst: 00:21:1C:EE:14:00 48779->80 (15:25:41.746 PDT) 192.168.1.230 (14) (15:11:54.493 PDT) event=224:1 (14) {udp} E2[dns] BHDNS SPYWARE-DNS: sourcegoogle.com (harmful), [] MAC_Dst: 00:21:1C:EE:14:00 55017->53 (15:11:54.493 PDT) 49028->53 (15:17:35.138 PDT) 32928->53 (15:17:44.518 PDT) 34661->53 (15:20:50.629 PDT) 51830->53 (15:20:54.411 PDT) 45002->53 (15:23:14.740 PDT) 42916->53 (15:23:24.334 PDT) 33720->53 (15:25:14.400 PDT) 49956->53 (15:25:38.465 PDT) 32860->53 (15:28:00.647 PDT) 57132->53 (15:28:13.111 PDT) 56143->53 (15:29:26.673 PDT) 33343->53 (15:33:07.515 PDT) 37255->53 (15:33:11.830 PDT) 192.168.1.20 (2) (15:20:55.411 PDT) event=224:1 (2) {udp} E2[dns] BHDNS SPYWARE-DNS: florianarray.ru (zeus), [] MAC_Dst: 00:21:1C:EE:14:00 55834->53 (15:20:55.411 PDT) 36986->53 (15:33:12.871 PDT) EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) 194.85.61.78 (15:13:50.034 PDT) event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [/ipInfo/IPRep.php?IP=202.177.216.227&SPEED=fast&FORMAT=csv] MAC_Src: 00:21:5A:08:EC:40 34473->80 (15:13:50.034 PDT) 64.70.19.33 (15:44:13.678 PDT) event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:EC:40 40632->53 (15:44:13.678 PDT) 64.86.97.91 (16:14:13.245 PDT) event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:EC:40 44599->53 (16:14:13.245 PDT) 96.9.185.117 (15:54:13.419 PDT) event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:EC:40 37743->80 (15:54:13.419 PDT) 212.36.9.10 (16:04:13.187 PDT) event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:EC:40 58389->80 (16:04:13.187 PDT) 194.186.88.58 (15:34:12.672 PDT) event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [/papers/design_assurance_arg_sri_02/design_assurance_arg_SRI_02.pdf] MAC_Src: 00:21:5A:08:EC:40 52967->80 (15:34:12.672 PDT) 64.62.181.43 (15:23:50.053 PDT) event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:EC:40 40206->53 (15:23:50.053 PDT) C and C DNS CHECK-IN 192.168.1.230 (16) (15:12:57.786 PDT-15:33:05.400 PDT) event=224:1 (16) {udp} E4[dns] BHDNS SPYWARE-DNS: collingimoveis.com.br (malware), [] MAC_Src: 00:21:5A:08:EC:40 45521->53 (15:12:57.786 PDT) 39601->53 (15:18:06.711 PDT) 40259->53 (15:24:31.838 PDT) 34164->53 (15:16:12.547 PDT) 57504->53 (15:25:34.570 PDT) 57139->53 (15:21:57.386 PDT) 44236->53 (15:15:32.683 PDT) 46034->53 (15:25:40.180 PDT) 59145->53 (15:28:40.600 PDT) 42238->53 (15:35:03.252 PDT) 2: 34709->53 (15:32:59.384 PDT-15:33:05.400 PDT) 60562->53 (15:15:56.035 PDT) 52895->53 (15:31:24.686 PDT) 49022->53 (15:29:27.676 PDT) 54592->53 (15:17:12.176 PDT) 91.228.133.56 (15:15:39.025 PDT) event=1:2632222 {tcp} E4[dns] BHDNS SPYWARE-CONTACT: wagequtn.mattemon.info (malware), [] MAC_Src: 00:21:5A:08:EC:40 56808->53 (15:15:39.025 PDT) OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 98.129.126.138 (15:45:17.502 PDT) event=1:9910009 {tcp} E8[rb] ET ShadowServer confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 43782->53 (15:45:17.502 PDT) 41.189.229.65 (15:34:43.173 PDT) event=1:9910009 {tcp} E8[rb] ET ShadowServer confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 48497->53 (15:34:43.173 PDT) 109.70.26.36 (15:48:29.175 PDT) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 46669->53 (15:48:29.175 PDT) 60.19.30.131 (15:23:15.876 PDT) event=1:9910009 {tcp} E8[rb] ET ShadowServer confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 33060->80 (15:23:15.876 PDT) 8.5.1.44 (15:12:49.155 PDT) event=1:9910009 {tcp} E8[rb] ET ShadowServer confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 35857->80 (15:12:49.155 PDT) 93.170.52.30 (15:18:21.619 PDT) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 33307->53 (15:18:21.619 PDT) 31.170.163.70 (15:55:39.492 PDT) event=1:9910009 {tcp} E8[rb] ET ShadowServer confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 47537->53 (15:55:39.492 PDT) 130.104.72.201 (15:39:07.107 PDT) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 56391->56391 (15:39:07.107 PDT) 62.149.13.54 (15:38:24.977 PDT) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 60964->53 (15:38:24.977 PDT) 89.208.34.84 (15:28:21.186 PDT) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 50547->53 (15:28:21.186 PDT) 93.170.52.20 (16:08:33.448 PDT) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 41975->53 (16:08:33.448 PDT) 200.72.1.94 (16:06:55.175 PDT) event=1:9910009 {tcp} E8[rb] ET ShadowServer confirmed botnet control server, [w%A5%9A%DFI%B6%85TG=%9C%B5%AF%BCB%1Cm%ECAf%B6%EA%B6%D0%DD%B4%FA%FE%82%8FF%EF%A7a%B2%1BE%A6%A2%0D%F8%B8E%D8%FB<[gp%E5%15aAj%FC%83c%F8_%F2%C5%19%A4P90i%F9TC%83%D8 %8E|%95%08%DE%C1xs%16N%A4|%CA%B9%16%BE%8A%CF%A3u%03J%F8%ADBQht%08%7F%C4%BB%18%AD%BF%F6] MAC_Src: 00:21:5A:08:EC:40 33327->80 (16:06:55.175 PDT) 208.64.124.162 (15:58:30.243 PDT) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 33983->53 (15:58:30.243 PDT) 132.239.17.226 (15:29:07.158 PDT) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 56391->56391 (15:29:07.158 PDT) 206.207.248.34 (3) (15:19:07.073 PDT-15:59:07.924 PDT) event=1:9910006 (3) {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 23127->23127 (15:19:07.073 PDT) 2: 56391->56391 (15:49:07.390 PDT-15:59:07.924 PDT) tcpslice 1318716714.493 1318719547.925 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 1.5 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 192.168.1.230 Egg Source List: C & C List: 192.168.1.230 (2) Peer Coord. List: Resource List: Observed Start: 10/15/2011 16:14:55.381 PDT Gen. Time: 10/15/2011 16:16:56.897 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS 192.168.1.230 (16:16:17.573 PDT) event=224:1 {udp} E2[dns] BHDNS SPYWARE-DNS: arhyv.ru (exploit), [] MAC_Dst: 00:21:1C:EE:14:00 50361->53 (16:16:17.573 PDT) EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN 192.168.1.230 (2) (16:14:55.381 PDT) event=224:1 (2) {udp} E4[dns] BHDNS SPYWARE-DNS: banner-count.com (trojan), [] MAC_Src: 00:21:5A:08:EC:40 33925->53 (16:14:55.381 PDT) 37193->53 (16:15:49.425 PDT) OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 92.241.169.250 (16:16:56.897 PDT) event=1:9910009 {tcp} E8[rb] ET ShadowServer confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 50760->53 (16:16:56.897 PDT) tcpslice 1318720495.381 1318720495.382 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 1.5 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 192.168.1.230 Egg Source List: C & C List: 192.168.1.230 (4) Peer Coord. List: Resource List: Observed Start: 10/15/2011 16:14:55.381 PDT Gen. Time: 10/15/2011 16:19:44.958 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS 192.168.1.230 (16:16:17.573 PDT) event=224:1 {udp} E2[dns] BHDNS SPYWARE-DNS: arhyv.ru (exploit), [] MAC_Dst: 00:21:1C:EE:14:00 50361->53 (16:16:17.573 PDT) EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN 192.168.1.230 (4) (16:14:55.381 PDT) event=224:1 (4) {udp} E4[dns] BHDNS SPYWARE-DNS: banner-count.com (trojan), [] MAC_Src: 00:21:5A:08:EC:40 33925->53 (16:14:55.381 PDT) 37193->53 (16:15:49.425 PDT) 43306->53 (16:17:01.404 PDT) 58714->53 (16:17:40.520 PDT) OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 92.241.169.250 (16:16:56.897 PDT) event=1:9910009 {tcp} E8[rb] ET ShadowServer confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 50760->53 (16:16:56.897 PDT) 87.98.140.145 (16:19:15.490 PDT) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 54343->53 (16:19:15.490 PDT) 130.104.72.201 (16:19:07.050 PDT) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 56391->56391 (16:19:07.050 PDT) tcpslice 1318720495.381 1318720495.382 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 1.1 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 192.168.1.230 Egg Source List: C & C List: 200.147.1.41, 192.168.1.230 Peer Coord. List: Resource List: Observed Start: 10/15/2011 16:24:04.860 PDT Gen. Time: 10/15/2011 16:26:28.107 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS 192.168.1.230 (4) (16:24:04.860 PDT) event=224:1 (4) {udp} E2[dns] BHDNS SPYWARE-DNS: yandekapi.com (exploit), [] MAC_Dst: 00:21:1C:EE:14:00 60519->53 (16:24:04.860 PDT) 59298->53 (16:25:21.960 PDT) 42059->53 (16:25:48.449 PDT) 36463->53 (16:26:11.824 PDT) EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) 200.147.1.41 (16:24:14.889 PDT) event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:EC:40 35451->53 (16:24:14.889 PDT) C and C DNS CHECK-IN 192.168.1.230 (16:26:28.107 PDT) event=224:1 {udp} E4[dns] BHDNS SPYWARE-DNS: wagequtn.mattemon.info (malware), [] MAC_Src: 00:21:5A:08:EC:40 45920->53 (16:26:28.107 PDT) OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT tcpslice 1318721044.860 1318721044.861 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 1.9 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 192.168.1.230 Egg Source List: C & C List: 200.147.1.41, 192.168.1.230 (4) Peer Coord. List: Resource List: Observed Start: 10/15/2011 16:24:04.860 PDT Gen. Time: 10/15/2011 16:32:58.861 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS 192.168.1.230 (7) (16:24:04.860 PDT) event=224:1 (7) {udp} E2[dns] BHDNS SPYWARE-DNS: yandekapi.com (exploit), [] MAC_Dst: 00:21:1C:EE:14:00 60519->53 (16:24:04.860 PDT) 59298->53 (16:25:21.960 PDT) 42059->53 (16:25:48.449 PDT) 36463->53 (16:26:11.824 PDT) 46152->53 (16:26:56.204 PDT) 47813->53 (16:27:06.715 PDT) 59367->53 (16:29:22.229 PDT) EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) 200.147.1.41 (16:24:14.889 PDT) event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:EC:40 35451->53 (16:24:14.889 PDT) C and C DNS CHECK-IN 192.168.1.230 (4) (16:26:28.107 PDT) event=224:1 (4) {udp} E4[dns] BHDNS SPYWARE-DNS: wagequtn.mattemon.info (malware), [] MAC_Src: 00:21:5A:08:EC:40 45920->53 (16:26:28.107 PDT) 57162->53 (16:27:04.857 PDT) 50508->53 (16:28:11.704 PDT) 59459->53 (16:30:41.695 PDT) OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 41.189.229.65 (16:26:57.296 PDT) event=1:9910009 {tcp} E8[rb] ET ShadowServer confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 36365->80 (16:26:57.296 PDT) 128.163.142.20 (16:29:15.682 PDT) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 52476->3128 (16:29:15.682 PDT) 206.207.248.34 (16:29:08.692 PDT) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 2122->2122 (16:29:08.692 PDT) tcpslice 1318721044.860 1318721044.861 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 1.1 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 91.207.61.48, 192.168.1.230 Egg Source List: C & C List: 88.198.53.104, 192.168.1.230 (3) Peer Coord. List: Resource List: Observed Start: 10/15/2011 16:33:11.346 PDT Gen. Time: 10/15/2011 16:34:50.355 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS 91.207.61.48 (16:34:06.280 PDT) event=1:2632222 {tcp} E2[dns] BHDNS SPYWARE-CONTACT: warwork.info (harmful), [] MAC_Dst: 00:21:1C:EE:14:00 46868->80 (16:34:06.280 PDT) 192.168.1.230 (16:33:11.346 PDT) event=224:1 {udp} E2[dns] BHDNS SPYWARE-DNS: didid.nl (zeusc&c), [] MAC_Dst: 00:21:1C:EE:14:00 44809->53 (16:33:11.346 PDT) EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) 88.198.53.104 (16:34:50.355 PDT) event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:EC:40 48581->53 (16:34:50.355 PDT) C and C DNS CHECK-IN 192.168.1.230 (3) (16:33:24.859 PDT) event=224:1 (3) {udp} E4[dns] BHDNS SPYWARE-DNS: soudckrnkuzu.tk (malware), [] MAC_Src: 00:21:5A:08:EC:40 50035->53 (16:33:24.859 PDT) 59649->53 (16:34:00.921 PDT) 60080->53 (16:34:19.067 PDT) OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT tcpslice 1318721591.346 1318721591.347 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 1.9 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 91.207.61.48, 192.168.1.230 Egg Source List: C & C List: 91.209.163.202 (2), 88.198.53.104, 200.147.1.41, 194.186.88.58, 67.21.76.36, 192.168.1.230 (17) Peer Coord. List: Resource List: Observed Start: 10/15/2011 16:33:11.346 PDT Gen. Time: 10/15/2011 17:26:06.961 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS 91.207.61.48 (2) (16:34:06.280 PDT) event=1:2632222 (2) {tcp} E2[dns] BHDNS SPYWARE-CONTACT: warwork.info (harmful), [] MAC_Dst: 00:21:1C:EE:14:00 46868->80 (16:34:06.280 PDT) 57488->80 (16:44:29.924 PDT) 192.168.1.230 (15) (16:33:11.346 PDT) event=224:1 (15) {udp} E2[dns] BHDNS SPYWARE-DNS: didid.nl (zeusc&c), [] MAC_Dst: 00:21:1C:EE:14:00 44809->53 (16:33:11.346 PDT) 54485->53 (16:36:01.470 PDT) 40951->53 (16:37:47.694 PDT) 32975->53 (16:38:15.275 PDT) 32992->53 (16:38:42.707 PDT) 49432->53 (16:39:17.132 PDT) 53545->53 (16:39:24.524 PDT) 43213->53 (16:39:45.277 PDT) 56230->53 (16:41:25.314 PDT) 49721->53 (16:43:31.518 PDT) 36209->53 (16:45:35.181 PDT) 34181->53 (16:49:58.860 PDT) 54534->53 (16:50:23.454 PDT) 58666->53 (16:51:19.038 PDT) 46444->53 (16:51:34.743 PDT) EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) 91.209.163.202 (2) (16:54:58.323 PDT) event=1:3810007 (2) {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:EC:40 36581->80 (16:54:58.323 PDT) 50380->53 (17:25:06.814 PDT) 88.198.53.104 (16:34:50.355 PDT) event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:EC:40 48581->53 (16:34:50.355 PDT) 200.147.1.41 (17:15:05.989 PDT) event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:EC:40 52936->53 (17:15:05.989 PDT) 194.186.88.58 (16:44:53.170 PDT) event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:EC:40 35888->53 (16:44:53.170 PDT) 67.21.76.36 (17:05:01.559 PDT) event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:EC:40 58264->53 (17:05:01.559 PDT) C and C DNS CHECK-IN 192.168.1.230 (17) (16:33:24.859 PDT) event=224:1 (17) {udp} E4[dns] BHDNS SPYWARE-DNS: soudckrnkuzu.tk (malware), [] MAC_Src: 00:21:5A:08:EC:40 50035->53 (16:33:24.859 PDT) 59649->53 (16:34:00.921 PDT) 60080->53 (16:34:19.067 PDT) 47016->53 (16:35:11.985 PDT) 37005->53 (16:35:19.550 PDT) 38806->53 (16:37:38.400 PDT) 42372->53 (16:40:17.399 PDT) 60449->53 (16:44:24.233 PDT) 43752->53 (16:44:30.339 PDT) 47230->53 (16:44:44.782 PDT) 47685->53 (16:45:56.859 PDT) 34949->53 (16:46:32.430 PDT) 41102->53 (16:48:26.098 PDT) 44119->53 (16:52:39.247 PDT) 54502->53 (16:53:19.809 PDT) 40461->53 (16:53:38.870 PDT) 60902->53 (16:53:48.864 PDT) OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 60.19.30.131 (16:39:18.410 PDT) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 48047->53 (16:39:18.410 PDT) 128.2.211.114 (17:19:10.548 PDT) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 56391->56391 (17:19:10.548 PDT) 93.170.52.30 (16:59:19.681 PDT) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 50277->53 (16:59:19.681 PDT) 130.149.49.136 (16:59:08.816 PDT) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 2122->2122 (16:59:08.816 PDT) 216.8.179.25 (2) (16:37:04.070 PDT) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 34015->53 (16:49:18.961 PDT) ------------------------- event=1:9910009 {tcp} E8[rb] ET ShadowServer confirmed botnet control server, [%AF%C0%81+%16%8C%F0l|L%F8%96%C8%CBs%89%FCL%10%ECU%DB] MAC_Src: 00:21:5A:08:EC:40 59973->80 (16:37:04.070 PDT) 66.128.59.108 (16:59:00.029 PDT) event=1:9910009 {tcp} E8[rb] ET ShadowServer confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 45750->80 (16:59:00.029 PDT) 93.170.52.20 (17:19:19.156 PDT) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 35701->53 (17:19:19.156 PDT) 122.226.213.40 (17:09:19.617 PDT) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 46182->53 (17:09:19.617 PDT) 200.72.1.94 (17:22:04.926 PDT) event=1:9910009 {tcp} E8[rb] ET ShadowServer confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 48754->80 (17:22:04.926 PDT) 208.91.196.10 (2) (16:47:04.869 PDT) event=1:9910009 (2) {tcp} E8[rb] ET ShadowServer confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 52231->53 (16:47:04.869 PDT) 32825->80 (17:11:53.052 PDT) 128.163.142.20 (17:09:08.102 PDT) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 2121->2121 (17:09:08.102 PDT) 206.207.248.34 (16:49:08.575 PDT) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 23127->23127 (16:49:08.575 PDT) 132.239.17.226 (16:39:08.293 PDT) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 56391->56391 (16:39:08.293 PDT) tcpslice 1318721591.346 1318721591.347 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 1.5 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 192.168.1.230 Egg Source List: C & C List: 192.168.1.230, 91.228.133.56 Peer Coord. List: Resource List: Observed Start: 10/15/2011 17:26:41.467 PDT Gen. Time: 10/15/2011 17:29:10.356 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS 192.168.1.230 (2) (17:27:42.912 PDT) event=224:1 (2) {udp} E2[dns] BHDNS SPYWARE-DNS: florianarray.ru (zeus), [] MAC_Dst: 00:21:1C:EE:14:00 53950->53 (17:27:42.912 PDT) 40935->53 (17:28:11.646 PDT) EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN 192.168.1.230 (17:26:41.467 PDT) event=224:1 {udp} E4[dns] BHDNS SPYWARE-DNS: wagequtn.mattemon.info (malware), [] MAC_Src: 00:21:5A:08:EC:40 51261->53 (17:26:41.467 PDT) 91.228.133.56 (17:26:50.958 PDT) event=1:2632222 {tcp} E4[dns] BHDNS SPYWARE-CONTACT: wagequtn.mattemon.info (malware), [] MAC_Src: 00:21:5A:08:EC:40 40351->80 (17:26:50.958 PDT) OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 128.227.11.13 (17:29:10.356 PDT) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 49302->54859 (17:29:10.356 PDT) tcpslice 1318724801.467 1318724801.468 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 2.4 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 192.168.1.230, 192.168.1.20 Egg Source List: 129.82.12.188, 139.19.142.6 C & C List: 64.86.97.91, 200.147.33.19, 200.147.1.41, 192.168.1.230 (16), 91.228.133.56 Peer Coord. List: Resource List: Observed Start: 10/15/2011 17:26:41.467 PDT Gen. Time: 10/15/2011 18:01:48.324 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS 192.168.1.230 (12) (17:27:42.912 PDT-17:32:28.223 PDT) event=224:1 (12) {udp} E2[dns] BHDNS SPYWARE-DNS: esperadooptic.ru (zeus), [] MAC_Dst: 00:21:1C:EE:14:00 40935->53 (17:28:11.646 PDT) 35083->53 (17:29:24.325 PDT) 58653->53 (17:29:33.619 PDT) 3: 37213->53 (17:32:16.154 PDT-17:32:28.223 PDT) 54834->53 (17:32:10.096 PDT) 49806->53 (17:32:05.591 PDT) 48756->53 (17:32:56.210 PDT) 43330->53 (17:31:46.084 PDT) 59441->53 (17:32:29.618 PDT) 53950->53 (17:27:42.912 PDT) 192.168.1.20 (5) (17:32:17.155 PDT-17:32:41.315 PDT) event=224:1 (5) {udp} E2[dns] BHDNS SPYWARE-DNS: arhyv.ru (exploit), [] MAC_Dst: 00:21:1C:EE:14:00 3: 36952->53 (17:32:17.155 PDT-17:32:29.155 PDT) 2: 40394->53 (17:32:35.240 PDT-17:32:41.315 PDT) EGG DOWNLOAD 129.82.12.188 (2) (17:59:12.156 PDT) event=1:2000419 {tcp} E3[rb] ET POLICY PE EXE or DLL Windows file download, [] MAC_Src: 00:21:1C:EE:14:00 44814<-19193 (17:59:12.156 PDT) ------------------------- event=1:3300007 {tcp} E3[rb] BotHunter Malware Windows executable (PE) sent from remote host, [] MAC_Src: 00:21:1C:EE:14:00 44814<-19193 (17:59:12.156 PDT) 139.19.142.6 (2) (17:46:43.945 PDT) event=1:2000419 {tcp} E3[rb] ET POLICY PE EXE or DLL Windows file download, [] MAC_Src: 00:21:1C:EE:14:00 49369<-19676 (17:46:43.945 PDT) ------------------------- event=1:3300007 {tcp} E3[rb] BotHunter Malware Windows executable (PE) sent from remote host, [] MAC_Src: 00:21:1C:EE:14:00 49369<-19676 (17:46:43.945 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) 64.86.97.91 (17:55:07.389 PDT) event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:EC:40 59240->53 (17:55:07.389 PDT) 200.147.33.19 (17:45:07.588 PDT) event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:EC:40 56525->53 (17:45:07.588 PDT) 200.147.1.41 (17:35:07.486 PDT) event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:EC:40 45143->80 (17:35:07.486 PDT) C and C DNS CHECK-IN 192.168.1.230 (16) (17:26:41.467 PDT) event=224:1 (16) {udp} E4[dns] BHDNS SPYWARE-DNS: wagequtn.mattemon.info (malware), [] MAC_Src: 00:21:5A:08:EC:40 51261->53 (17:26:41.467 PDT) 39661->53 (17:29:28.468 PDT) 36458->53 (17:30:44.345 PDT) 56856->53 (17:31:46.982 PDT) 56076->53 (17:35:00.655 PDT) 33823->53 (17:35:42.578 PDT) 48029->53 (17:35:47.446 PDT) 59675->53 (17:35:52.677 PDT) 59332->53 (17:36:35.744 PDT) 54310->53 (17:38:39.868 PDT) 57079->53 (17:42:08.154 PDT) 39128->53 (17:43:41.745 PDT) 58239->53 (17:48:37.796 PDT) 40443->53 (17:48:41.665 PDT) 36129->53 (17:49:32.552 PDT) 43404->53 (17:52:01.808 PDT) 91.228.133.56 (17:26:50.958 PDT) event=1:2632222 {tcp} E4[dns] BHDNS SPYWARE-CONTACT: wagequtn.mattemon.info (malware), [] MAC_Src: 00:21:5A:08:EC:40 40351->80 (17:26:50.958 PDT) OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 212.44.109.181 (17:34:15.015 PDT) event=1:9910009 {tcp} E8[rb] ET ShadowServer confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 44368->80 (17:34:15.015 PDT) 128.227.11.13 (17:29:10.356 PDT) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 49302->54859 (17:29:10.356 PDT) 217.16.28.65 (17:47:29.572 PDT) event=1:9910009 {tcp} E8[rb] ET ShadowServer confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 58126->53 (17:47:29.572 PDT) 128.2.211.114 (17:49:11.033 PDT) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 56391->56391 (17:49:11.033 PDT) 93.170.52.30 (17:29:19.032 PDT) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 52642->53 (17:29:19.032 PDT) 195.226.246.3 (2) (17:49:24.933 PDT) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 45322->53 (17:49:24.933 PDT) ------------------------- event=1:9910009 {tcp} E8[rb] ET ShadowServer confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 37247->80 (17:57:53.316 PDT) 64.182.102.213 (17:39:22.648 PDT) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 43973->53 (17:39:22.648 PDT) 206.207.248.34 (2) (17:59:11.392 PDT) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 36842->2128 (17:59:41.021 PDT) ------------------------- event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 23127->23127 (17:59:11.392 PDT) 132.239.17.226 (17:39:11.850 PDT) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 56391->56391 (17:39:11.850 PDT) tcpslice 1318724801.467 1318725161.316 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 1.1 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 91.207.61.48, 192.168.1.230 Egg Source List: C & C List: 87.252.1.21, 192.168.1.230 (2) Peer Coord. List: Resource List: Observed Start: 10/15/2011 18:02:02.837 PDT Gen. Time: 10/15/2011 18:05:08.787 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS 91.207.61.48 (18:02:08.344 PDT) event=1:2632222 {tcp} E2[dns] BHDNS SPYWARE-CONTACT: warwork.info (harmful), [] MAC_Dst: 00:21:1C:EE:14:00 43994->80 (18:02:08.344 PDT) 192.168.1.230 (18:03:56.953 PDT) event=224:1 {udp} E2[dns] BHDNS SPYWARE-DNS: warwork.info (harmful), [] MAC_Dst: 00:21:1C:EE:14:00 39435->53 (18:03:56.953 PDT) EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) 87.252.1.21 (18:05:08.787 PDT) event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:EC:40 47297->53 (18:05:08.787 PDT) C and C DNS CHECK-IN 192.168.1.230 (2) (18:02:02.837 PDT) event=224:1 (2) {udp} E4[dns] BHDNS SPYWARE-DNS: banner-count.com (trojan), [] MAC_Src: 00:21:5A:08:EC:40 51868->53 (18:02:02.837 PDT) 52425->53 (18:02:36.437 PDT) OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT tcpslice 1318726922.837 1318726922.838 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 2.4 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 91.207.61.48, 192.168.1.230, 192.168.1.20 Egg Source List: 129.15.78.30, 137.165.1.115, 141.24.212.157, 146.57.249.98 C & C List: 88.80.7.152, 87.252.1.21, 193.200.173.3, 192.168.1.230 (16), 91.228.133.56 Peer Coord. List: Resource List: Observed Start: 10/15/2011 18:02:02.837 PDT Gen. Time: 10/15/2011 18:27:20.274 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS 91.207.61.48 (18:02:08.344 PDT) event=1:2632222 {tcp} E2[dns] BHDNS SPYWARE-CONTACT: warwork.info (harmful), [] MAC_Dst: 00:21:1C:EE:14:00 43994->80 (18:02:08.344 PDT) 192.168.1.230 (15) (18:03:56.953 PDT-18:14:14.252 PDT) event=224:1 (15) {udp} E2[dns] BHDNS SPYWARE-DNS: florianarray.ru (zeus), [] MAC_Dst: 00:21:1C:EE:14:00 58387->53 (18:06:21.033 PDT) 42523->53 (18:07:18.655 PDT) 50538->53 (18:08:00.546 PDT) 53195->53 (18:08:02.568 PDT) 52178->53 (18:08:13.228 PDT) 2: 57127->53 (18:07:01.947 PDT-18:07:13.881 PDT) 39435->53 (18:03:56.953 PDT) 57312->53 (18:07:06.966 PDT) 2: 36831->53 (18:14:08.215 PDT-18:14:14.252 PDT) 39661->53 (18:13:25.399 PDT) 46340->53 (18:09:33.876 PDT) 2: 55529->53 (18:09:27.478 PDT-18:09:33.558 PDT) 192.168.1.20 (18:09:28.516 PDT) event=224:1 {udp} E2[dns] BHDNS SPYWARE-DNS: papucky.eu (exploit), [] MAC_Dst: 00:21:1C:EE:14:00 34672->53 (18:09:28.516 PDT) EGG DOWNLOAD 129.15.78.30 (2) (18:06:30.681 PDT) event=1:2000419 {tcp} E3[rb] ET POLICY PE EXE or DLL Windows file download, [] MAC_Src: 00:21:1C:EE:14:00 44903<-31093 (18:06:30.681 PDT) ------------------------- event=1:3300007 {tcp} E3[rb] BotHunter Malware Windows executable (PE) sent from remote host, [] MAC_Src: 00:21:1C:EE:14:00 44903<-31093 (18:06:30.681 PDT) 137.165.1.115 (2) (18:12:13.484 PDT) event=1:2000419 {tcp} E3[rb] ET POLICY PE EXE or DLL Windows file download, [] MAC_Src: 00:21:1C:EE:14:00 44850<-50184 (18:12:13.484 PDT) ------------------------- event=1:3300007 {tcp} E3[rb] BotHunter Malware Windows executable (PE) sent from remote host, [] MAC_Src: 00:21:1C:EE:14:00 44850<-50184 (18:12:13.484 PDT) 141.24.212.157 (2) (18:19:10.239 PDT) event=1:2000419 {tcp} E3[rb] ET POLICY PE EXE or DLL Windows file download, [] MAC_Src: 00:21:1C:EE:14:00 55700<-11088 (18:19:10.239 PDT) ------------------------- event=1:3300007 {tcp} E3[rb] BotHunter Malware Windows executable (PE) sent from remote host, [] MAC_Src: 00:21:1C:EE:14:00 55700<-11088 (18:19:10.239 PDT) 146.57.249.98 (2) (18:25:19.680 PDT) event=1:2000419 {tcp} E3[rb] ET POLICY PE EXE or DLL Windows file download, [] MAC_Src: 00:21:1C:EE:14:00 41252<-28513 (18:25:19.680 PDT) ------------------------- event=1:3300007 {tcp} E3[rb] BotHunter Malware Windows executable (PE) sent from remote host, [] MAC_Src: 00:21:1C:EE:14:00 41252<-28513 (18:25:19.680 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) 88.80.7.152 (18:15:09.936 PDT) event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:EC:40 33244->53 (18:15:09.936 PDT) 87.252.1.21 (18:05:08.787 PDT) event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:EC:40 47297->53 (18:05:08.787 PDT) 193.200.173.3 (18:25:10.789 PDT) event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [/widgets/parser.info] MAC_Src: 00:21:5A:08:EC:40 40757->80 (18:25:10.789 PDT) C and C DNS CHECK-IN 192.168.1.230 (16) (18:02:02.837 PDT) event=224:1 (16) {udp} E4[dns] BHDNS SPYWARE-DNS: banner-count.com (trojan), [] MAC_Src: 00:21:5A:08:EC:40 51868->53 (18:02:02.837 PDT) 52425->53 (18:02:36.437 PDT) 37454->53 (18:05:58.142 PDT) 39957->53 (18:08:48.116 PDT) 49262->53 (18:11:13.752 PDT) 59278->53 (18:11:58.654 PDT) 41706->53 (18:13:09.304 PDT) 41186->53 (18:14:39.078 PDT) 53854->53 (18:15:41.844 PDT) 52366->53 (18:16:47.349 PDT) 53356->53 (18:17:09.573 PDT) 60457->53 (18:17:37.266 PDT) 49462->53 (18:20:02.493 PDT) 55941->53 (18:21:36.091 PDT) 45389->53 (18:23:51.274 PDT) 45470->53 (18:23:52.004 PDT) 91.228.133.56 (18:12:08.470 PDT) event=1:2632222 {tcp} E4[dns] BHDNS SPYWARE-CONTACT: wagequtn.mattemon.info (malware), [] MAC_Src: 00:21:5A:08:EC:40 37556->80 (18:12:08.470 PDT) OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 93.170.52.30 (18:09:41.581 PDT) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 42806->53 (18:09:41.581 PDT) 92.241.169.250 (18:18:22.323 PDT) event=1:9910009 {tcp} E8[rb] ET ShadowServer confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 52174->53 (18:18:22.323 PDT) 200.147.1.41 (18:19:41.127 PDT) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 47436->53 (18:19:41.127 PDT) 130.104.72.201 (2) (18:09:11.451 PDT) event=1:9910006 (2) {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 6110->6110 (18:09:11.451 PDT) 56391->56391 (18:19:11.273 PDT) 60.19.30.131 (18:08:01.483 PDT) event=1:9910009 {tcp} E8[rb] ET ShadowServer confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 34863->80 (18:08:01.483 PDT) tcpslice 1318726922.837 1318727654.253 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 1.5 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 192.168.1.230 Egg Source List: C & C List: 192.168.1.230 (3) Peer Coord. List: Resource List: Observed Start: 10/15/2011 18:27:22.384 PDT Gen. Time: 10/15/2011 18:29:11.578 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS 192.168.1.230 (3) (18:27:33.663 PDT) event=224:1 (3) {udp} E2[dns] BHDNS SPYWARE-DNS: zwierzu.zxy.me (harmful), [] MAC_Dst: 00:21:1C:EE:14:00 38614->53 (18:27:33.663 PDT) 55551->53 (18:27:34.776 PDT) 54048->53 (18:27:51.440 PDT) EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN 192.168.1.230 (3) (18:27:22.384 PDT) event=224:1 (3) {udp} E4[dns] BHDNS SPYWARE-DNS: igenorri.hopto.org (malware), [] MAC_Src: 00:21:5A:08:EC:40 32784->53 (18:27:22.384 PDT) 57263->53 (18:28:37.717 PDT) 58415->53 (18:28:38.245 PDT) OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 128.2.211.114 (18:29:11.578 PDT) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 56391->56391 (18:29:11.578 PDT) tcpslice 1318728442.384 1318728442.385 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 2.4 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 192.168.1.230, 82.210.157.9 Egg Source List: 129.97.74.14 C & C List: 64.74.223.2, 192.168.1.230 (8) Peer Coord. List: Resource List: Observed Start: 10/15/2011 18:27:22.384 PDT Gen. Time: 10/15/2011 18:36:32.231 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS 192.168.1.230 (9) (18:27:33.663 PDT-18:33:45.193 PDT) event=224:1 (9) {udp} E2[dns] BHDNS SPYWARE-DNS: porntubebiz.org (fake_codec), [] MAC_Dst: 00:21:1C:EE:14:00 55551->53 (18:27:34.776 PDT) 40346->53 (18:33:49.972 PDT) 53611->53 (18:33:44.073 PDT) 54048->53 (18:27:51.440 PDT) 3: 44733->53 (18:33:33.194 PDT-18:33:45.193 PDT) 46957->53 (18:32:43.967 PDT) 38614->53 (18:27:33.663 PDT) 82.210.157.9 (18:33:56.075 PDT) event=1:2632222 {tcp} E2[dns] BHDNS SPYWARE-CONTACT: florianarray.ru (zeus), [] MAC_Dst: 00:21:1C:EE:14:00 44278->53 (18:33:56.075 PDT) EGG DOWNLOAD 129.97.74.14 (2) (18:34:46.520 PDT) event=1:2000419 {tcp} E3[rb] ET POLICY PE EXE or DLL Windows file download, [] MAC_Src: 00:21:1C:EE:14:00 60608<-30891 (18:34:46.520 PDT) ------------------------- event=1:3300007 {tcp} E3[rb] BotHunter Malware Windows executable (PE) sent from remote host, [] MAC_Src: 00:21:1C:EE:14:00 60608<-30891 (18:34:46.520 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) 64.74.223.2 (18:35:10.006 PDT) event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:EC:40 36254->80 (18:35:10.006 PDT) C and C DNS CHECK-IN 192.168.1.230 (8) (18:27:22.384 PDT) event=224:1 (8) {udp} E4[dns] BHDNS SPYWARE-DNS: igenorri.hopto.org (malware), [] MAC_Src: 00:21:5A:08:EC:40 32784->53 (18:27:22.384 PDT) 57263->53 (18:28:37.717 PDT) 58415->53 (18:28:38.245 PDT) 45749->53 (18:29:15.330 PDT) 43283->53 (18:31:04.025 PDT) 44641->53 (18:31:06.388 PDT) 52030->53 (18:34:20.689 PDT) 45519->53 (18:34:30.842 PDT) OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 93.170.52.30 (18:29:41.402 PDT) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 42168->53 (18:29:41.402 PDT) 208.91.196.10 (18:29:48.059 PDT) event=1:9910009 {tcp} E8[rb] ET ShadowServer confirmed botnet control server, [/OUTPUT/UNIQUE/424db3df040de167548624a4cf174b62/html/sub_416BC7.html] MAC_Src: 00:21:5A:08:EC:40 38004->80 (18:29:48.059 PDT) 128.2.211.114 (18:29:11.578 PDT) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 56391->56391 (18:29:11.578 PDT) tcpslice 1318728442.384 1318728825.194 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 10/15/2011 18:39:11.079 PDT Gen. Time: 10/15/2011 18:39:11.079 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 128.186.122.86 (18:39:11.079 PDT) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 49302->50889 (18:39:11.079 PDT) tcpslice 1318729151.079 1318729151.080 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 2.4 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 91.207.61.48, 192.168.1.230, 192.168.1.20 Egg Source List: 193.55.112.41, 143.205.172.12, 128.223.8.112, 141.219.252.133, 141.24.212.159 C & C List: 67.43.226.154, 200.147.33.17, 200.147.1.41, 192.168.1.230 (14) Peer Coord. List: Resource List: Observed Start: 10/15/2011 18:39:11.079 PDT Gen. Time: 10/15/2011 19:10:43.641 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS 91.207.61.48 (2) (18:44:35.111 PDT) event=1:2632222 (2) {tcp} E2[dns] BHDNS SPYWARE-CONTACT: warwork.info (harmful), [] MAC_Dst: 00:21:1C:EE:14:00 39137->80 (18:54:36.449 PDT) 59667->80 (18:44:35.111 PDT) 192.168.1.230 (14) (18:45:29.548 PDT-18:49:51.996 PDT) event=224:1 (14) {udp} E2[dns] BHDNS SPYWARE-DNS: florianarray.ru (zeus), [] MAC_Dst: 00:21:1C:EE:14:00 59661->53 (18:46:06.199 PDT) 48148->53 (18:59:18.937 PDT) 53017->53 (18:47:05.339 PDT) 37455->53 (18:45:29.548 PDT) 53096->53 (18:57:52.295 PDT) 39088->53 (18:48:17.252 PDT) 59217->53 (18:46:57.185 PDT) 59332->53 (18:59:26.123 PDT) 58918->53 (18:49:55.093 PDT) 41388->53 (18:55:44.517 PDT) 2: 43723->53 (18:49:45.997 PDT-18:49:51.996 PDT) 53324->53 (18:47:57.701 PDT) 43012->53 (18:58:40.506 PDT) 192.168.1.20 (18:49:56.093 PDT) event=224:1 {udp} E2[dns] BHDNS SPYWARE-DNS: didid.nl (zeusc&c), [] MAC_Dst: 00:21:1C:EE:14:00 38399->53 (18:49:56.093 PDT) EGG DOWNLOAD 193.55.112.41 (2) (19:06:22.663 PDT) event=1:2000419 {tcp} E3[rb] ET POLICY PE EXE or DLL Windows file download, [] MAC_Src: 00:21:1C:EE:14:00 45409<-40516 (19:06:22.663 PDT) ------------------------- event=1:3300007 {tcp} E3[rb] BotHunter Malware Windows executable (PE) sent from remote host, [] MAC_Src: 00:21:1C:EE:14:00 45409<-40516 (19:06:22.663 PDT) 143.205.172.12 (2) (18:41:25.130 PDT) event=1:2000419 {tcp} E3[rb] ET POLICY PE EXE or DLL Windows file download, [] MAC_Src: 00:21:1C:EE:14:00 60031<-34018 (18:41:25.130 PDT) ------------------------- event=1:3300007 {tcp} E3[rb] BotHunter Malware Windows executable (PE) sent from remote host, [] MAC_Src: 00:21:1C:EE:14:00 60031<-34018 (18:41:25.130 PDT) 128.223.8.112 (2) (19:00:53.766 PDT) event=1:2000419 {tcp} E3[rb] ET POLICY PE EXE or DLL Windows file download, [] MAC_Src: 00:21:1C:EE:14:00 38719<-11960 (19:00:53.766 PDT) ------------------------- event=1:3300007 {tcp} E3[rb] BotHunter Malware Windows executable (PE) sent from remote host, [] MAC_Src: 00:21:1C:EE:14:00 38719<-11960 (19:00:53.766 PDT) 141.219.252.133 (2) (18:41:20.479 PDT) event=1:2000419 {tcp} E3[rb] ET POLICY PE EXE or DLL Windows file download, [] MAC_Src: 00:21:1C:EE:14:00 53418<-25659 (18:41:20.479 PDT) ------------------------- event=1:3300007 {tcp} E3[rb] BotHunter Malware Windows executable (PE) sent from remote host, [] MAC_Src: 00:21:1C:EE:14:00 53418<-25659 (18:41:20.479 PDT) 141.24.212.159 (2) (18:41:22.033 PDT) event=1:2000419 {tcp} E3[rb] ET POLICY PE EXE or DLL Windows file download, [] MAC_Src: 00:21:1C:EE:14:00 49175<-37423 (18:41:22.033 PDT) ------------------------- event=1:3300007 {tcp} E3[rb] BotHunter Malware Windows executable (PE) sent from remote host, [] MAC_Src: 00:21:1C:EE:14:00 49175<-37423 (18:41:22.033 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) 67.43.226.154 (18:45:10.236 PDT) event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:EC:40 56839->53 (18:45:10.236 PDT) 200.147.33.17 (19:05:24.020 PDT) event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:EC:40 36662->53 (19:05:24.020 PDT) 200.147.1.41 (18:55:23.510 PDT) event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:EC:40 56526->80 (18:55:23.510 PDT) C and C DNS CHECK-IN 192.168.1.230 (14) (18:41:56.766 PDT) event=224:1 (14) {udp} E4[dns] BHDNS SPYWARE-DNS: bjglvgsxteki.tk (malware), [] MAC_Src: 00:21:5A:08:EC:40 36735->53 (18:41:56.766 PDT) 47448->53 (18:47:10.167 PDT) 37908->53 (18:48:36.166 PDT) 43911->53 (18:49:30.514 PDT) 56420->53 (18:54:05.762 PDT) 34622->53 (18:54:23.242 PDT) 34744->53 (18:54:28.501 PDT) 57827->53 (18:54:31.568 PDT) 53066->53 (18:58:12.401 PDT) 36379->53 (18:58:36.915 PDT) 44789->53 (19:02:36.313 PDT) 52917->53 (19:04:08.709 PDT) 51778->53 (19:06:58.596 PDT) 48920->53 (19:07:50.485 PDT) OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 128.186.122.86 (2) (18:39:11.079 PDT) event=1:9910006 (2) {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 49302->50889 (18:39:11.079 PDT) 49302->53966 (18:49:13.250 PDT) 118.218.219.178 (18:39:49.852 PDT) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 41013->53 (18:39:49.852 PDT) 128.2.211.114 (18:59:13.673 PDT) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 6110->6110 (18:59:13.673 PDT) 112.175.243.24 (18:59:57.063 PDT) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 34790->53 (18:59:57.063 PDT) 93.170.52.30 (2) (18:49:49.847 PDT) event=1:9910005 (2) {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 43048->53 (18:49:49.847 PDT) 32809->53 (19:10:00.451 PDT) 195.226.246.3 (18:53:55.625 PDT) event=1:9910009 {tcp} E8[rb] ET ShadowServer confirmed botnet control server, [/ipInfo/IPRep.php?IP=8.5.1.49&SPEED=fast&FORMAT=csv] MAC_Src: 00:21:5A:08:EC:40 41017->80 (18:53:55.625 PDT) 92.241.169.250 (19:08:03.287 PDT) event=1:9910009 {tcp} E8[rb] ET ShadowServer confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 49601->80 (19:08:03.287 PDT) 200.72.1.94 (18:39:48.224 PDT) event=1:9910009 {tcp} E8[rb] ET ShadowServer confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 54781->53 (18:39:48.224 PDT) 132.239.17.226 (19:09:15.543 PDT) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 2122->2122 (19:09:15.543 PDT) tcpslice 1318729151.079 1318729791.997 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 1.1 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 192.168.1.230 Egg Source List: C & C List: 64.191.90.213, 192.168.1.230 (3) Peer Coord. List: Resource List: Observed Start: 10/15/2011 19:11:33.223 PDT Gen. Time: 10/15/2011 19:15:24.270 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS 192.168.1.230 (5) (19:11:33.223 PDT) event=224:1 (5) {udp} E2[dns] BHDNS SPYWARE-DNS: florianarray.ru (zeus), [] MAC_Dst: 00:21:1C:EE:14:00 39522->53 (19:11:33.223 PDT) 48570->53 (19:11:58.721 PDT) 47382->53 (19:12:10.124 PDT) 58521->53 (19:13:10.054 PDT) 45165->53 (19:13:27.610 PDT) EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) 64.191.90.213 (19:15:24.270 PDT) event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:EC:40 47249->53 (19:15:24.270 PDT) C and C DNS CHECK-IN 192.168.1.230 (3) (19:12:16.856 PDT) event=224:1 (3) {udp} E4[dns] BHDNS SPYWARE-DNS: wieblatrino.hopto.org (trojan), [] MAC_Src: 00:21:5A:08:EC:40 43171->53 (19:12:16.856 PDT) 59402->53 (19:13:37.560 PDT) 48831->53 (19:14:13.056 PDT) OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT tcpslice 1318731093.223 1318731093.224 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 2.4 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 88.198.53.104, 192.168.1.230 Egg Source List: 165.91.55.8 C & C List: 88.198.53.104, 64.191.90.213, 192.168.1.230 (14), 91.228.133.56 Peer Coord. List: Resource List: Observed Start: 10/15/2011 19:11:33.223 PDT Gen. Time: 10/15/2011 19:28:11.684 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS 88.198.53.104 (19:26:35.272 PDT) event=1:2632222 {tcp} E2[dns] BHDNS SPYWARE-CONTACT: sourcegoogle.com (harmful), [] MAC_Dst: 00:21:1C:EE:14:00 46004->80 (19:26:35.272 PDT) 192.168.1.230 (16) (19:11:33.223 PDT) event=224:1 (16) {udp} E2[dns] BHDNS SPYWARE-DNS: florianarray.ru (zeus), [] MAC_Dst: 00:21:1C:EE:14:00 39522->53 (19:11:33.223 PDT) 48570->53 (19:11:58.721 PDT) 47382->53 (19:12:10.124 PDT) 58521->53 (19:13:10.054 PDT) 45165->53 (19:13:27.610 PDT) 35274->53 (19:17:53.610 PDT) 35193->53 (19:17:57.518 PDT) 40107->53 (19:19:47.459 PDT) 39829->53 (19:20:31.177 PDT) 34448->53 (19:24:10.408 PDT) 38039->53 (19:24:29.510 PDT) 55181->53 (19:24:47.745 PDT) 51814->53 (19:25:11.883 PDT) 56684->53 (19:25:15.751 PDT) 60037->53 (19:26:06.559 PDT) 44266->53 (19:26:25.590 PDT) EGG DOWNLOAD 165.91.55.8 (2) (19:17:29.870 PDT) event=1:2000419 {tcp} E3[rb] ET POLICY PE EXE or DLL Windows file download, [] MAC_Src: 00:21:1C:EE:14:00 48947<-55819 (19:17:29.870 PDT) ------------------------- event=1:3300007 {tcp} E3[rb] BotHunter Malware Windows executable (PE) sent from remote host, [] MAC_Src: 00:21:1C:EE:14:00 48947<-55819 (19:17:29.870 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) 88.198.53.104 (19:25:28.913 PDT) event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [%B9] MAC_Src: 00:21:5A:08:EC:40 45197->80 (19:25:28.913 PDT) 64.191.90.213 (19:15:24.270 PDT) event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:EC:40 47249->53 (19:15:24.270 PDT) C and C DNS CHECK-IN 192.168.1.230 (14) (19:12:16.856 PDT) event=224:1 (14) {udp} E4[dns] BHDNS SPYWARE-DNS: wieblatrino.hopto.org (trojan), [] MAC_Src: 00:21:5A:08:EC:40 43171->53 (19:12:16.856 PDT) 59402->53 (19:13:37.560 PDT) 48831->53 (19:14:13.056 PDT) 57158->53 (19:15:34.033 PDT) 40659->53 (19:16:19.466 PDT) 54744->53 (19:19:15.680 PDT) 36525->53 (19:20:15.974 PDT) 41295->53 (19:20:25.072 PDT) 49617->53 (19:22:08.364 PDT) 60962->53 (19:23:07.270 PDT) 56749->53 (19:24:13.616 PDT) 50688->53 (19:24:46.330 PDT) 44107->53 (19:25:24.562 PDT) 42901->53 (19:26:08.950 PDT) 91.228.133.56 (19:16:35.510 PDT) event=1:2632222 {tcp} E4[dns] BHDNS SPYWARE-CONTACT: wagequtn.mattemon.info (malware), [] MAC_Src: 00:21:5A:08:EC:40 47464->80 (19:16:35.510 PDT) OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 93.170.52.30 (19:20:01.722 PDT) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 53446->53 (19:20:01.722 PDT) 200.72.1.94 (19:18:03.310 PDT) event=1:9910009 {tcp} E8[rb] ET ShadowServer confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 40353->53 (19:18:03.310 PDT) 128.2.211.114 (19:19:16.333 PDT) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 56391->56391 (19:19:16.333 PDT) tcpslice 1318731093.223 1318731093.224 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 10/15/2011 19:28:44.008 PDT Gen. Time: 10/15/2011 19:28:44.008 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 188.65.113.241 (19:28:44.008 PDT) event=1:9910009 {tcp} E8[rb] ET ShadowServer confirmed botnet control server, [/ipInfo/IPRep.php?IP=202.177.216.227&SPEED=fast&FORMAT=csv] MAC_Src: 00:21:5A:08:EC:40 52878->80 (19:28:44.008 PDT) tcpslice 1318732124.008 1318732124.009 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 1.9 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 91.207.61.48, 192.168.1.230 Egg Source List: C & C List: 87.252.1.21, 192.168.1.230 (8) Peer Coord. List: Resource List: Observed Start: 10/15/2011 19:28:44.008 PDT Gen. Time: 10/15/2011 19:42:43.853 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS 91.207.61.48 (19:37:12.763 PDT) event=1:2632222 {tcp} E2[dns] BHDNS SPYWARE-CONTACT: warwork.info (harmful), [] MAC_Dst: 00:21:1C:EE:14:00 54993->80 (19:37:12.763 PDT) 192.168.1.230 (8) (19:35:28.799 PDT) event=224:1 (8) {udp} E2[dns] BHDNS SPYWARE-DNS: warwork.info (harmful), [] MAC_Dst: 00:21:1C:EE:14:00 48316->53 (19:35:28.799 PDT) 43020->53 (19:37:18.043 PDT) 36182->53 (19:37:39.402 PDT) 34451->53 (19:38:03.581 PDT) 55850->53 (19:38:03.598 PDT) 38580->53 (19:38:40.900 PDT) 38303->53 (19:39:02.676 PDT) 40483->53 (19:39:09.510 PDT) EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) 87.252.1.21 (19:35:29.723 PDT) event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:EC:40 36566->80 (19:35:29.723 PDT) C and C DNS CHECK-IN 192.168.1.230 (8) (19:30:53.644 PDT) event=224:1 (8) {udp} E4[dns] BHDNS SPYWARE-DNS: centsubsgesqua.hopto.org (malware), [] MAC_Src: 00:21:5A:08:EC:40 35470->53 (19:30:53.644 PDT) 42812->53 (19:31:38.194 PDT) 49495->53 (19:32:15.461 PDT) 59207->53 (19:33:23.352 PDT) 42225->53 (19:33:30.180 PDT) 47380->53 (19:33:34.089 PDT) 60579->53 (19:36:23.603 PDT) 52283->53 (19:39:40.354 PDT) OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 93.170.52.30 (19:40:01.138 PDT) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 42467->53 (19:40:01.138 PDT) 130.149.49.136 (19:39:16.120 PDT) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 49301->49301 (19:39:16.120 PDT) 41.189.229.65 (19:39:02.993 PDT) event=1:9910009 {tcp} E8[rb] ET ShadowServer confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 48804->80 (19:39:02.993 PDT) 132.239.17.226 (19:29:16.228 PDT) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 56391->56391 (19:29:16.228 PDT) 206.207.248.34 (19:30:01.996 PDT) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 45095->2128 (19:30:01.996 PDT) 188.65.113.241 (19:28:44.008 PDT) event=1:9910009 {tcp} E8[rb] ET ShadowServer confirmed botnet control server, [/ipInfo/IPRep.php?IP=202.177.216.227&SPEED=fast&FORMAT=csv] MAC_Src: 00:21:5A:08:EC:40 52878->80 (19:28:44.008 PDT) tcpslice 1318732124.008 1318732124.009 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 1.1 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 192.168.1.230 Egg Source List: C & C List: 203.121.165.16, 192.168.1.230 (3) Peer Coord. List: Resource List: Observed Start: 10/15/2011 19:42:52.590 PDT Gen. Time: 10/15/2011 19:45:37.238 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS 192.168.1.230 (19:45:35.665 PDT) event=224:1 {udp} E2[dns] BHDNS SPYWARE-DNS: warwork.info (harmful), [] MAC_Dst: 00:21:1C:EE:14:00 56160->53 (19:45:35.665 PDT) EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) 203.121.165.16 (19:45:37.238 PDT) event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:EC:40 37790->80 (19:45:37.238 PDT) C and C DNS CHECK-IN 192.168.1.230 (3) (19:42:52.590 PDT) event=224:1 (3) {udp} E4[dns] BHDNS SPYWARE-DNS: wagequtn.mattemon.info (malware), [] MAC_Src: 00:21:5A:08:EC:40 42114->53 (19:42:52.590 PDT) 50049->53 (19:43:24.690 PDT) 49069->53 (19:45:16.455 PDT) OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT tcpslice 1318732972.590 1318732972.591 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 1.9 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 91.207.61.48, 192.168.1.230, 192.168.1.20 Egg Source List: C & C List: 88.198.53.104, 91.209.163.202, 72.29.87.105, 67.55.67.250, 200.147.33.19, 200.147.1.41, 109.234.161.10, 203.121.165.16, 192.168.1.230 (16), 91.228.133.56 Peer Coord. List: Resource List: Observed Start: 10/15/2011 19:42:52.590 PDT Gen. Time: 10/15/2011 21:01:16.551 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS 91.207.61.48 (2) (19:47:15.671 PDT) event=1:2632222 (2) {tcp} E2[dns] BHDNS SPYWARE-CONTACT: warwork.info (harmful), [] MAC_Dst: 00:21:1C:EE:14:00 52133->80 (19:47:15.671 PDT) 46084->80 (19:57:23.369 PDT) 192.168.1.230 (14) (19:45:35.665 PDT) event=224:1 (14) {udp} E2[dns] BHDNS SPYWARE-DNS: warwork.info (harmful), [] MAC_Dst: 00:21:1C:EE:14:00 56160->53 (19:45:35.665 PDT) 44553->53 (19:49:59.285 PDT) 46078->53 (19:50:38.435 PDT) 59181->53 (19:51:02.373 PDT) 49265->53 (19:52:09.986 PDT) 39798->53 (19:52:18.484 PDT) 34035->53 (19:55:37.508 PDT) 56548->53 (19:56:07.431 PDT) 54414->53 (19:56:53.824 PDT) 48465->53 (19:57:12.746 PDT) 51156->53 (19:57:39.594 PDT) 52990->53 (19:59:22.104 PDT) 37390->53 (20:03:05.225 PDT) 48581->53 (20:03:09.437 PDT) 192.168.1.20 (20:03:10.437 PDT) event=224:1 {udp} E2[dns] BHDNS SPYWARE-DNS: florianarray.ru (zeus), [] MAC_Dst: 00:21:1C:EE:14:00 55085->53 (20:03:10.437 PDT) EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) 88.198.53.104 (20:47:29.745 PDT) event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [%00l%00%01%C6%808%0Cw%87%84%D8%E1%CE%AA%D0B%84%A2jip%EA>%85%16%00%07%84%FC%98%C1w%87%82y2%F6R%8CN%FD%BCb%FAi%8B%B5%E9%13%83%FE%D0%0Cw] MAC_Src: 00:21:5A:08:EC:40 36919->80 (20:47:29.745 PDT) 91.209.163.202 (20:36:30.684 PDT) event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [k%CB%85%C6J*%0C2%8C%18%F8%95O#%DF%E8%04%87%8Df`] MAC_Src: 00:21:5A:08:EC:40 52838->80 (20:36:30.684 PDT) 72.29.87.105 (20:26:24.079 PDT) event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:EC:40 50172->53 (20:26:24.079 PDT) 67.55.67.250 (20:16:03.794 PDT) event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:EC:40 34394->80 (20:16:03.794 PDT) 200.147.33.19 (20:57:32.640 PDT) event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:EC:40 40696->53 (20:57:32.640 PDT) 200.147.1.41 (20:06:03.193 PDT) event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [J%90%BC`q%DAV%8E%B5%EE%A4`%1A%8E#7%D0QA+%9B%1D%80%C6%CBy%CC%EC|#%F1d%D5(%84%8F%B5p%9D%FE%F9%FAB%FE%17%BA%89-)%C0%F1%A5I%D0%8D]%8A%17%03%01%00!%86%E7C%BD%9E%E1%DA4%04%D5%FF)0%E8%85Z] MAC_Src: 00:21:5A:08:EC:40 47137->80 (20:06:03.193 PDT) 109.234.161.10 (19:55:40.819 PDT) event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:EC:40 56306->53 (19:55:40.819 PDT) 203.121.165.16 (19:45:37.238 PDT) event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:EC:40 37790->80 (19:45:37.238 PDT) C and C DNS CHECK-IN 192.168.1.230 (16) (19:42:52.590 PDT) event=224:1 (16) {udp} E4[dns] BHDNS SPYWARE-DNS: wagequtn.mattemon.info (malware), [] MAC_Src: 00:21:5A:08:EC:40 42114->53 (19:42:52.590 PDT) 50049->53 (19:43:24.690 PDT) 49069->53 (19:45:16.455 PDT) 58766->53 (19:50:04.534 PDT) 45136->53 (19:51:57.553 PDT) 51975->53 (19:53:29.264 PDT) 53684->53 (19:53:33.572 PDT) 60958->53 (19:58:18.005 PDT) 48570->53 (19:58:42.185 PDT) 52204->53 (19:59:20.854 PDT) 58231->53 (20:01:15.173 PDT) 37218->53 (20:02:48.045 PDT) 52725->53 (20:03:34.511 PDT) 42895->53 (20:04:17.400 PDT) 60921->53 (20:08:24.694 PDT) 43360->53 (20:10:19.682 PDT) 91.228.133.56 (20:10:27.094 PDT) event=1:2632222 {tcp} E4[dns] BHDNS SPYWARE-CONTACT: wagequtn.mattemon.info (malware), [] MAC_Src: 00:21:5A:08:EC:40 52864->80 (20:10:27.094 PDT) OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 64.70.19.33 (20:40:05.791 PDT) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 46608->53 (20:40:05.791 PDT) 93.170.52.30 (3) (20:00:01.571 PDT) event=1:9910005 (3) {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 42918->53 (20:10:03.001 PDT) 34187->53 (20:00:01.571 PDT) 59223->53 (20:30:04.217 PDT) 31.170.163.70 (19:49:07.542 PDT) event=1:9910009 {tcp} E8[rb] ET ShadowServer confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 54150->53 (19:49:07.542 PDT) 130.149.49.136 (2) (20:29:26.400 PDT) event=1:9910006 (2) {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 23127->23127 (20:29:26.400 PDT) 49301->49301 (20:39:28.630 PDT) 195.226.246.3 (20:33:11.617 PDT) event=1:9910009 {tcp} E8[rb] ET ShadowServer confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 35572->80 (20:33:11.617 PDT) 138.238.250.155 (20:09:21.512 PDT) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 49301->49301 (20:09:21.512 PDT) 92.241.169.250 (20:22:29.198 PDT) event=1:9910009 {tcp} E8[rb] ET ShadowServer confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 45709->53 (20:22:29.198 PDT) 64.182.102.213 (19:50:01.441 PDT) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 39143->53 (19:50:01.441 PDT) 208.91.196.10 (2) (19:59:51.277 PDT) event=1:9910009 (2) {tcp} E8[rb] ET ShadowServer confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 53409->53 (20:12:29.563 PDT) 50001->53 (19:59:51.277 PDT) 206.207.248.34 (2) (19:49:17.233 PDT) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 40670->3128 (20:20:04.685 PDT) ------------------------- event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 2122->2122 (19:49:17.233 PDT) 132.239.17.226 (2) (19:59:21.210 PDT-20:19:21.496 PDT) event=1:9910006 (2) {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 2: 56391->56391 (19:59:21.210 PDT-20:19:21.496 PDT) tcpslice 1318732972.590 1318735161.497 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 1.3 (>= 0.8) Infected Target: 192.168.1.102 Infector List: Egg Source List: C & C List: 192.168.1.230 (5), 192.168.1.20 Peer Coord. List: Resource List: Observed Start: 10/15/2011 21:01:26.501 PDT Gen. Time: 10/15/2011 21:04:26.963 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN 192.168.1.230 (5) (21:01:26.501 PDT) event=224:1 (5) {udp} E4[dns] BHDNS SPYWARE-DNS: igenorri.hopto.org (malware), [] MAC_Src: 00:21:5A:08:EC:40 34071->53 (21:01:26.501 PDT) 55582->53 (21:03:05.618 PDT) 45747->53 (21:03:54.994 PDT) 43577->53 (21:04:17.930 PDT) 45035->53 (21:04:20.321 PDT) 192.168.1.20 (21:04:21.321 PDT) event=224:1 {udp} E4[dns] BHDNS SPYWARE-DNS: banner-count.com (trojan), [] MAC_Src: 00:21:5A:08:EC:40 57363->53 (21:04:21.321 PDT) OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 208.91.196.10 (21:04:26.963 PDT) event=1:9910009 {tcp} E8[rb] ET ShadowServer confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 60230->53 (21:04:26.963 PDT) tcpslice 1318737686.501 1318737686.502 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 1.9 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 91.207.61.48, 192.168.1.230 Egg Source List: C & C List: 64.70.19.33, 192.168.1.230 (8), 192.168.1.20 Peer Coord. List: Resource List: Observed Start: 10/15/2011 21:01:26.501 PDT Gen. Time: 10/15/2011 21:13:37.960 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS 91.207.61.48 (21:04:30.475 PDT) event=1:2632222 {tcp} E2[dns] BHDNS SPYWARE-CONTACT: warwork.info (harmful), [Torrent protocol%00%00%00%00%00%00%00%00F%98I1%15;%F2%9D%112p%EF%8F=%91%9A%A3>\%92T03H-----1O] MAC_Dst: 00:21:1C:EE:14:00 53919->80 (21:04:30.475 PDT) 192.168.1.230 (11) (21:05:15.718 PDT-21:05:21.718 PDT) event=224:1 (11) {udp} E2[dns] BHDNS SPYWARE-DNS: datacricketuf.ru (zeus), [] MAC_Dst: 00:21:1C:EE:14:00 42286->53 (21:10:04.004 PDT) 38328->53 (21:05:28.746 PDT) 50651->53 (21:09:01.322 PDT) 42344->53 (21:07:53.276 PDT) 2: 42805->53 (21:05:15.718 PDT-21:05:21.718 PDT) 51444->53 (21:08:52.808 PDT) 56494->53 (21:09:42.581 PDT) 49636->53 (21:07:52.745 PDT) 51021->53 (21:08:35.643 PDT) 46759->53 (21:06:39.024 PDT) EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) 64.70.19.33 (21:07:32.270 PDT) event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:EC:40 60904->80 (21:07:32.270 PDT) C and C DNS CHECK-IN 192.168.1.230 (8) (21:01:26.501 PDT) event=224:1 (8) {udp} E4[dns] BHDNS SPYWARE-DNS: igenorri.hopto.org (malware), [] MAC_Src: 00:21:5A:08:EC:40 34071->53 (21:01:26.501 PDT) 55582->53 (21:03:05.618 PDT) 45747->53 (21:03:54.994 PDT) 43577->53 (21:04:17.930 PDT) 45035->53 (21:04:20.321 PDT) 52840->53 (21:04:36.342 PDT) 50143->53 (21:05:10.680 PDT) 52238->53 (21:08:10.534 PDT) 192.168.1.20 (21:04:21.321 PDT) event=224:1 {udp} E4[dns] BHDNS SPYWARE-DNS: banner-count.com (trojan), [] MAC_Src: 00:21:5A:08:EC:40 57363->53 (21:04:21.321 PDT) OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 130.149.49.136 (21:09:28.475 PDT) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 49301->49301 (21:09:28.475 PDT) 208.91.196.10 (21:04:26.963 PDT) event=1:9910009 {tcp} E8[rb] ET ShadowServer confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 60230->53 (21:04:26.963 PDT) 200.147.33.19 (21:10:06.337 PDT) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 40102->53 (21:10:06.337 PDT) tcpslice 1318737686.501 1318737921.719 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 1.4 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 88.198.53.104, 192.168.1.230 Egg Source List: C & C List: 75.126.150.82 Peer Coord. List: Resource List: Observed Start: 10/15/2011 21:14:52.332 PDT Gen. Time: 10/15/2011 21:17:43.385 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS 88.198.53.104 (21:14:52.332 PDT) event=1:2632222 {tcp} E2[dns] BHDNS SPYWARE-CONTACT: sourcegoogle.com (harmful), [] MAC_Dst: 00:21:1C:EE:14:00 43611->53 (21:14:52.332 PDT) 192.168.1.230 (2) (21:14:57.719 PDT) event=224:1 (2) {udp} E2[dns] BHDNS SPYWARE-DNS: warwork.info (harmful), [] MAC_Dst: 00:21:1C:EE:14:00 44324->53 (21:14:57.719 PDT) 39296->53 (21:15:31.561 PDT) EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) 75.126.150.82 (21:17:35.670 PDT) event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:EC:40 56077->80 (21:17:35.670 PDT) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 208.91.196.10 (21:17:43.385 PDT) event=1:9910009 {tcp} E8[rb] ET ShadowServer confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 43438->80 (21:17:43.385 PDT) tcpslice 1318738492.332 1318738492.333 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 1.9 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 88.198.53.104, 91.207.61.48, 192.168.1.230, 192.168.1.20 Egg Source List: C & C List: 75.126.150.82, 80.239.246.69, 194.85.61.20, 192.168.1.230 (16), 192.168.1.20 Peer Coord. List: Resource List: Observed Start: 10/15/2011 21:14:52.332 PDT Gen. Time: 10/15/2011 21:45:22.359 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS 88.198.53.104 (21:14:52.332 PDT) event=1:2632222 {tcp} E2[dns] BHDNS SPYWARE-CONTACT: sourcegoogle.com (harmful), [] MAC_Dst: 00:21:1C:EE:14:00 43611->53 (21:14:52.332 PDT) 91.207.61.48 (21:25:23.421 PDT) event=1:2632222 {tcp} E2[dns] BHDNS SPYWARE-CONTACT: warwork.info (harmful), [] MAC_Dst: 00:21:1C:EE:14:00 52961->80 (21:25:23.421 PDT) 192.168.1.230 (13) (21:14:57.719 PDT) event=224:1 (13) {udp} E2[dns] BHDNS SPYWARE-DNS: warwork.info (harmful), [] MAC_Dst: 00:21:1C:EE:14:00 44324->53 (21:14:57.719 PDT) 39296->53 (21:15:31.561 PDT) 43274->53 (21:20:50.322 PDT) 44837->53 (21:22:10.203 PDT) 51569->53 (21:23:01.708 PDT) 42864->53 (21:24:21.966 PDT) 40881->53 (21:24:39.654 PDT) 53993->53 (21:26:06.386 PDT) 37452->53 (21:28:13.467 PDT) 36802->53 (21:28:22.326 PDT) 39769->53 (21:34:33.148 PDT) 51735->53 (21:34:37.656 PDT) 57174->53 (21:34:49.179 PDT) 192.168.1.20 (2) (21:22:11.198 PDT) event=224:1 (2) {udp} E2[dns] BHDNS SPYWARE-DNS: esperadooptic.ru (zeus), [] MAC_Dst: 00:21:1C:EE:14:00 47343->53 (21:22:11.198 PDT) 54296->53 (21:34:38.656 PDT) EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) 75.126.150.82 (21:17:35.670 PDT) event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:EC:40 56077->80 (21:17:35.670 PDT) 80.239.246.69 (21:37:40.703 PDT) event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:EC:40 41809->53 (21:37:40.703 PDT) 194.85.61.20 (21:27:38.683 PDT) event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:EC:40 44336->53 (21:27:38.683 PDT) C and C DNS CHECK-IN 192.168.1.230 (16) (21:18:49.049 PDT) event=224:1 (16) {udp} E4[dns] BHDNS SPYWARE-DNS: livedieoslix.com (malware), [] MAC_Src: 00:21:5A:08:EC:40 41503->53 (21:18:49.049 PDT) 46234->53 (21:22:43.559 PDT) 54732->53 (21:22:50.591 PDT) 34927->53 (21:24:22.298 PDT) 51744->53 (21:25:22.613 PDT) 59971->53 (21:30:01.889 PDT) 44482->53 (21:30:21.611 PDT) 47433->53 (21:30:54.905 PDT) 55199->53 (21:33:09.562 PDT) 58816->53 (21:33:30.663 PDT) 43530->53 (21:35:08.110 PDT) 39651->53 (21:37:06.302 PDT) 43395->53 (21:40:14.266 PDT) 52445->53 (21:40:46.346 PDT) 40627->53 (21:42:05.777 PDT) 60200->53 (21:42:13.606 PDT) 192.168.1.20 (21:35:09.139 PDT) event=224:1 {udp} E4[dns] BHDNS SPYWARE-DNS: banner-count.com (trojan), [] MAC_Src: 00:21:5A:08:EC:40 40651->53 (21:35:09.139 PDT) OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 93.170.52.30 (21:30:06.049 PDT) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 53076->53 (21:30:06.049 PDT) 130.149.49.136 (2) (21:19:28.423 PDT-21:29:28.371 PDT) event=1:9910006 (2) {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 2: 49301->49301 (21:19:28.423 PDT-21:29:28.371 PDT) 208.91.196.10 (21:17:43.385 PDT) event=1:9910009 {tcp} E8[rb] ET ShadowServer confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 43438->80 (21:17:43.385 PDT) 195.226.246.3 (21:29:18.936 PDT) event=1:9910009 {tcp} E8[rb] ET ShadowServer confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 32884->53 (21:29:18.936 PDT) 128.163.142.20 (21:39:28.040 PDT) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 23127->23127 (21:39:28.040 PDT) 91.207.61.48 (21:40:06.914 PDT) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 56749->53 (21:40:06.914 PDT) 31.170.163.50 (21:20:06.062 PDT) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 38261->53 (21:20:06.062 PDT) 92.240.68.95 (21:44:00.928 PDT) event=1:9910009 {tcp} E8[rb] ET ShadowServer confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 45146->53 (21:44:00.928 PDT) tcpslice 1318738492.332 1318739368.372 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 1.1 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 88.198.53.104, 192.168.1.230 Egg Source List: C & C List: 205.209.143.94, 192.168.1.230 (2) Peer Coord. List: Resource List: Observed Start: 10/15/2011 21:45:45.696 PDT Gen. Time: 10/15/2011 21:47:41.534 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS 88.198.53.104 (21:45:45.696 PDT) event=1:2632222 {tcp} E2[dns] BHDNS SPYWARE-CONTACT: sourcegoogle.com (harmful), [] MAC_Dst: 00:21:1C:EE:14:00 43123->80 (21:45:45.696 PDT) 192.168.1.230 (21:47:14.520 PDT) event=224:1 {udp} E2[dns] BHDNS SPYWARE-DNS: florianarray.ru (zeus), [] MAC_Dst: 00:21:1C:EE:14:00 36228->53 (21:47:14.520 PDT) EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) 205.209.143.94 (21:47:41.534 PDT) event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:EC:40 33819->53 (21:47:41.534 PDT) C and C DNS CHECK-IN 192.168.1.230 (2) (21:46:41.519 PDT) event=224:1 (2) {udp} E4[dns] BHDNS SPYWARE-DNS: wieblatrino.hopto.org (trojan), [] MAC_Src: 00:21:5A:08:EC:40 41764->53 (21:46:41.519 PDT) 51530->53 (21:46:48.803 PDT) OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT tcpslice 1318740345.696 1318740345.697 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 1.9 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 88.198.53.104, 91.207.61.48, 192.168.1.230, 192.168.1.20 Egg Source List: C & C List: 196.40.97.219, 205.209.143.94, 96.9.169.85, 192.168.1.230 (15), 192.168.1.20 (2) Peer Coord. List: Resource List: Observed Start: 10/15/2011 21:45:45.696 PDT Gen. Time: 10/15/2011 22:15:45.448 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS 88.198.53.104 (21:45:45.696 PDT) event=1:2632222 {tcp} E2[dns] BHDNS SPYWARE-CONTACT: sourcegoogle.com (harmful), [] MAC_Dst: 00:21:1C:EE:14:00 43123->80 (21:45:45.696 PDT) 91.207.61.48 (21:55:50.185 PDT) event=1:2632222 {tcp} E2[dns] BHDNS SPYWARE-CONTACT: warwork.info (harmful), [] MAC_Dst: 00:21:1C:EE:14:00 56003->80 (21:55:50.185 PDT) 192.168.1.230 (13) (21:47:14.520 PDT) event=224:1 (13) {udp} E2[dns] BHDNS SPYWARE-DNS: florianarray.ru (zeus), [] MAC_Dst: 00:21:1C:EE:14:00 36228->53 (21:47:14.520 PDT) 43730->53 (21:49:28.950 PDT) 35096->53 (21:51:44.576 PDT) 47033->53 (21:55:38.450 PDT) 34938->53 (21:59:57.995 PDT) 38791->53 (22:00:50.203 PDT) 42530->53 (22:01:51.522 PDT) 43054->53 (22:01:56.162 PDT) 49915->53 (22:02:09.258 PDT) 53981->53 (22:02:45.273 PDT) 60669->53 (22:02:49.784 PDT) 59381->53 (22:03:18.711 PDT) 60546->53 (22:05:16.384 PDT) 192.168.1.20 (2) (22:03:19.650 PDT) event=224:1 (2) {udp} E2[dns] BHDNS SPYWARE-DNS: sourcegoogle.com (harmful), [] MAC_Dst: 00:21:1C:EE:14:00 38282->53 (22:03:19.650 PDT) 43426->53 (22:03:20.715 PDT) EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) 196.40.97.219 (22:07:49.182 PDT) event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:EC:40 52102->53 (22:07:49.182 PDT) 205.209.143.94 (21:47:41.534 PDT) event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:EC:40 33819->53 (21:47:41.534 PDT) 96.9.169.85 (21:57:44.916 PDT) event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [/pagead/conversion/1033191019/?label=7KGdCNX6iQIQ6_zU7AM&guid=ON&script=0] MAC_Src: 00:21:5A:08:EC:40 54865->80 (21:57:44.916 PDT) C and C DNS CHECK-IN 192.168.1.230 (15) (21:46:41.519 PDT-21:51:01.523 PDT) event=224:1 (15) {udp} E4[dns] BHDNS SPYWARE-DNS: centsubsgesqua.hopto.org (malware), [] MAC_Src: 00:21:5A:08:EC:40 58759->53 (22:04:56.747 PDT) 37204->53 (21:52:34.510 PDT) 43417->53 (21:57:26.684 PDT) 50020->53 (21:56:29.798 PDT) 41764->53 (21:46:41.519 PDT) 51593->53 (21:56:14.214 PDT) 51249->53 (22:05:03.232 PDT) 51530->53 (21:46:48.803 PDT) 52976->53 (22:00:24.303 PDT) 48421->53 (21:59:33.867 PDT) 42534->53 (21:50:48.655 PDT) 35226->53 (21:54:50.908 PDT) 2: 49481->53 (21:50:55.504 PDT-21:51:01.523 PDT) 39289->53 (21:55:08.492 PDT) 192.168.1.20 (2) (21:55:13.237 PDT) event=224:1 (2) {udp} E4[dns] BHDNS SPYWARE-DNS: livedieoslix.com (malware), [] MAC_Src: 00:21:5A:08:EC:40 37347->53 (21:56:35.379 PDT) 45448->53 (21:55:13.237 PDT) OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 91.209.163.202 (22:10:11.934 PDT) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 48114->53 (22:10:11.934 PDT) 130.149.49.136 (22:09:33.183 PDT) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 49301->49301 (22:09:33.183 PDT) 128.163.142.20 (21:59:28.984 PDT) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 23127->23127 (21:59:28.984 PDT) 212.44.109.181 (22:05:51.995 PDT) event=1:9910009 {tcp} E8[rb] ET ShadowServer confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 53946->80 (22:05:51.995 PDT) 206.207.248.34 (21:49:28.165 PDT) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 23127->23127 (21:49:28.165 PDT) 64.49.219.215 (22:00:07.871 PDT) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 52530->53 (22:00:07.871 PDT) 93.170.52.20 (21:50:07.747 PDT) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 52262->53 (21:50:07.747 PDT) 31.170.163.70 (21:55:13.502 PDT) event=1:9910009 {tcp} E8[rb] ET ShadowServer confirmed botnet control server, [/scan.php] MAC_Src: 00:21:5A:08:EC:40 37323->80 (21:55:13.502 PDT) tcpslice 1318740345.696 1318740661.524 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 1.3 (>= 0.8) Infected Target: 192.168.1.102 Infector List: Egg Source List: C & C List: 192.168.1.230, 91.228.133.56 Peer Coord. List: Resource List: Observed Start: 10/15/2011 22:15:54.011 PDT Gen. Time: 10/15/2011 22:17:21.073 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN 192.168.1.230 (22:15:54.011 PDT) event=224:1 {udp} E4[dns] BHDNS SPYWARE-DNS: zeissopticszone.com (malware), [] MAC_Src: 00:21:5A:08:EC:40 50529->53 (22:15:54.011 PDT) 91.228.133.56 (22:17:14.036 PDT) event=1:2632222 {tcp} E4[dns] BHDNS SPYWARE-CONTACT: wagequtn.mattemon.info (malware), [] MAC_Src: 00:21:5A:08:EC:40 37138->80 (22:17:14.036 PDT) OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 203.121.165.16 (22:17:21.073 PDT) event=1:9910009 {tcp} E8[rb] ET ShadowServer confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 46742->80 (22:17:21.073 PDT) tcpslice 1318742154.011 1318742154.012 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 1.9 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 192.168.1.230, 192.168.1.20, 82.210.157.9 Egg Source List: C & C List: 82.146.55.155, 200.147.1.41, 192.168.1.230 (9), 91.228.133.56 Peer Coord. List: Resource List: Observed Start: 10/15/2011 22:15:54.011 PDT Gen. Time: 10/15/2011 22:32:13.980 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS 192.168.1.230 (12) (22:20:39.329 PDT-22:28:18.281 PDT) event=224:1 (12) {udp} E2[dns] BHDNS SPYWARE-DNS: arhyv.ru (exploit), [] MAC_Dst: 00:21:1C:EE:14:00 54015->53 (22:28:24.294 PDT) 43681->53 (22:25:57.494 PDT) 48450->53 (22:27:31.039 PDT) 57456->53 (22:21:10.081 PDT) 33120->53 (22:20:39.329 PDT) 55176->53 (22:28:25.220 PDT) 3: 53471->53 (22:28:06.281 PDT-22:28:18.281 PDT) 43673->53 (22:26:36.705 PDT) 44586->53 (22:28:28.185 PDT) 33502->53 (22:24:38.924 PDT) 192.168.1.20 (4) (22:21:13.485 PDT-22:28:19.283 PDT) event=224:1 (4) {udp} E2[dns] BHDNS SPYWARE-DNS: arhyv.ru (exploit), [] MAC_Dst: 00:21:1C:EE:14:00 3: 45603->53 (22:28:07.281 PDT-22:28:19.283 PDT) 46258->53 (22:21:13.485 PDT) 82.210.157.9 (22:27:33.337 PDT) event=1:2632222 {tcp} E2[dns] BHDNS SPYWARE-CONTACT: florianarray.ru (zeus), [] MAC_Dst: 00:21:1C:EE:14:00 52564->80 (22:27:33.337 PDT) EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) 82.146.55.155 (22:27:54.811 PDT) event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:EC:40 39889->53 (22:27:54.811 PDT) 200.147.1.41 (22:17:49.915 PDT) event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:EC:40 51308->53 (22:17:49.915 PDT) C and C DNS CHECK-IN 192.168.1.230 (9) (22:15:54.011 PDT) event=224:1 (9) {udp} E4[dns] BHDNS SPYWARE-DNS: zeissopticszone.com (malware), [] MAC_Src: 00:21:5A:08:EC:40 50529->53 (22:15:54.011 PDT) 48025->53 (22:17:28.506 PDT) 50916->53 (22:18:22.860 PDT) 50390->53 (22:20:04.039 PDT) 53982->53 (22:21:20.898 PDT) 52092->53 (22:24:31.786 PDT) 59355->53 (22:25:32.291 PDT) 35455->53 (22:26:32.253 PDT) 39383->53 (22:28:11.700 PDT) 91.228.133.56 (22:17:14.036 PDT) event=1:2632222 {tcp} E4[dns] BHDNS SPYWARE-CONTACT: wagequtn.mattemon.info (malware), [] MAC_Src: 00:21:5A:08:EC:40 37138->80 (22:17:14.036 PDT) OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 93.170.52.30 (22:20:11.162 PDT) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 47248->53 (22:20:11.162 PDT) 130.149.49.136 (2) (22:19:33.110 PDT-22:29:33.055 PDT) event=1:9910006 (2) {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 2: 49301->49301 (22:19:33.110 PDT-22:29:33.055 PDT) 64.182.102.213 (22:30:27.241 PDT) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 51429->53 (22:30:27.241 PDT) 203.121.165.16 (22:17:21.073 PDT) event=1:9910009 {tcp} E8[rb] ET ShadowServer confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 46742->80 (22:17:21.073 PDT) 60.19.30.131 (22:27:33.337 PDT) event=1:9910009 {tcp} E8[rb] ET ShadowServer confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 50305->53 (22:27:33.337 PDT) tcpslice 1318742154.011 1318742973.056 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 10/15/2011 22:37:37.301 PDT Gen. Time: 10/15/2011 22:37:37.301 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 216.8.179.25 (22:37:37.301 PDT) event=1:9910009 {tcp} E8[rb] ET ShadowServer confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 37241->53 (22:37:37.301 PDT) tcpslice 1318743457.301 1318743457.302 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 1.4 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 41.189.229.65, 192.168.1.230 Egg Source List: C & C List: 91.209.163.201 Peer Coord. List: Resource List: Observed Start: 10/15/2011 22:37:37.301 PDT Gen. Time: 10/15/2011 22:42:29.070 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS 41.189.229.65 (22:38:06.043 PDT) event=1:2632222 {tcp} E2[dns] BHDNS SPYWARE-CONTACT: esperadooptic.ru (zeus), [] MAC_Dst: 00:21:1C:EE:14:00 55815->53 (22:38:06.043 PDT) 192.168.1.230 (2) (22:39:28.851 PDT) event=224:1 (2) {udp} E2[dns] BHDNS SPYWARE-DNS: simulatormage.ru (zeus), [] MAC_Dst: 00:21:1C:EE:14:00 33034->53 (22:39:28.851 PDT) 42122->53 (22:39:48.953 PDT) EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) 91.209.163.201 (22:37:54.098 PDT) event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:EC:40 44378->80 (22:37:54.098 PDT) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 93.170.52.30 (22:40:30.155 PDT) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 34775->53 (22:40:30.155 PDT) 130.149.49.136 (22:39:33.003 PDT) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 49301->49301 (22:39:33.003 PDT) 216.8.179.25 (22:37:37.301 PDT) event=1:9910009 {tcp} E8[rb] ET ShadowServer confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 37241->53 (22:37:37.301 PDT) tcpslice 1318743457.301 1318743457.302 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 1.1 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 192.168.1.230 Egg Source List: C & C List: 193.232.130.14, 192.168.1.230 (4) Peer Coord. List: Resource List: Observed Start: 10/15/2011 22:42:47.285 PDT Gen. Time: 10/15/2011 22:47:55.435 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS 192.168.1.230 (2) (22:42:47.285 PDT) event=224:1 (2) {udp} E2[dns] BHDNS SPYWARE-DNS: papucky.eu (exploit), [] MAC_Dst: 00:21:1C:EE:14:00 35988->53 (22:42:47.285 PDT) 35920->53 (22:43:20.842 PDT) EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) 193.232.130.14 (22:47:55.435 PDT) event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:EC:40 47963->80 (22:47:55.435 PDT) C and C DNS CHECK-IN 192.168.1.230 (4) (22:43:23.269 PDT) event=224:1 (4) {udp} E4[dns] BHDNS SPYWARE-DNS: wagequtn.mattemon.info (malware), [] MAC_Src: 00:21:5A:08:EC:40 44453->53 (22:43:23.269 PDT) 41019->53 (22:45:17.581 PDT) 54548->53 (22:45:41.759 PDT) 48901->53 (22:46:28.960 PDT) OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT tcpslice 1318743767.285 1318743767.286 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================