Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 11/29/2011 00:01:40.449 PST
Gen. Time: 11/29/2011 00:01:40.449 PST
INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
DECLARE BOT
  137.165.1.111 (00:01:40.449 PST) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 54593->54593 (00:01:40.449 PST)
tcpslice 1322553700.449 1322553700.450 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'
============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 11/29/2011 00:08:59.980 PST
Gen. Time: 11/29/2011 00:08:59.980 PST
INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
DECLARE BOT
  206.207.248.34 (00:08:59.980 PST) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 49866->2128 (00:08:59.980 PST)
tcpslice 1322554139.980 1322554139.981 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'
============================== SEPARATOR ================================

Score: 1.2 (>= 0.8)
Infected Target: 192.168.1.102
Infector List:
Egg Source List:
C & C List: 194.85.105.17
Peer Coord. List:
Resource List:
Observed Start: 11/29/2011 00:08:59.980 PST
Gen. Time: 11/29/2011 00:12:23.353 PST
INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
  194.85.105.17 (00:11:22.828 PST) event=1:3810008 {udp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:EC:40 45936->33435 (00:11:22.828 PST)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
DECLARE BOT
  206.207.248.34 (00:08:59.980 PST) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 49866->2128 (00:08:59.980 PST)
  192.58.128.30 (00:11:40.608 PST) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 45936->33435 (00:11:40.608 PST)
tcpslice 1322554139.980 1322554139.981 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'
============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 11/29/2011 00:16:12.162 PST
Gen. Time: 11/29/2011 00:16:12.162 PST
INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
DECLARE BOT
  184.105.178.92 (00:16:12.162 PST) event=1:9910020 {udp} E8[rb] ET ShadowServer confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 2121->2121 (00:16:12.162 PST)
tcpslice 1322554572.162 1322554572.163 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'
============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 11/29/2011 00:16:12.162 PST
Gen. Time: 11/29/2011 00:20:49.731 PST
INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
DECLARE BOT
  128.163.142.20 (00:19:48.267 PST) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 56215->2126 (00:19:48.267 PST)
  184.105.178.92 (00:16:12.162 PST) event=1:9910020 {udp} E8[rb] ET ShadowServer confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 2121->2121 (00:16:12.162 PST)
tcpslice 1322554572.162 1322554572.163 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'
============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 11/29/2011 00:21:44.128 PST
Gen. Time: 11/29/2011 00:21:44.128 PST
INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
DECLARE BOT
  128.227.11.13 (00:21:44.128 PST) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 49302->65535 (00:21:44.128 PST)
tcpslice 1322554904.128 1322554904.129 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'
============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 11/29/2011 00:27:57.523 PST
Gen. Time: 11/29/2011 00:27:57.523 PST
INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
DECLARE BOT
  184.105.178.92 (00:27:57.523 PST) event=1:9910020 {udp} E8[rb] ET ShadowServer confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 2121->2121 (00:27:57.523 PST)
tcpslice 1322555277.523 1322555277.524 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'
============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 11/29/2011 00:31:48.965 PST
Gen. Time: 11/29/2011 00:31:48.965 PST
INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
DECLARE BOT
  132.239.17.226 (00:31:48.965 PST) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 2122->2122 (00:31:48.965 PST)
tcpslice 1322555508.965 1322555508.966 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'
============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 11/29/2011 00:31:48.965 PST
Gen. Time: 11/29/2011 00:33:44.571 PST
INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
DECLARE BOT
  132.239.17.226 (00:31:48.965 PST) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 2122->2122 (00:31:48.965 PST)
  128.163.142.20 (00:32:09.188 PST) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 55931->2126 (00:32:09.188 PST)
tcpslice 1322555508.965 1322555508.966 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'
============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 11/29/2011 00:41:49.377 PST
Gen. Time: 11/29/2011 00:41:49.377 PST
INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
DECLARE BOT
  130.149.49.136 (00:41:49.377 PST) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 2122->2122 (00:41:49.377 PST)
tcpslice 1322556109.377 1322556109.378 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'
============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 11/29/2011 00:41:49.377 PST
Gen. Time: 11/29/2011 00:44:57.240 PST
INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
DECLARE BOT
  130.149.49.136 (00:41:49.377 PST) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 2122->2122 (00:41:49.377 PST)
  206.207.248.34 (00:43:08.459 PST) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 37751->2128 (00:43:08.459 PST)
tcpslice 1322556109.377 1322556109.378 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'
============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 11/29/2011 00:45:46.110 PST
Gen. Time: 11/29/2011 00:45:46.110 PST
INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
DECLARE BOT
  184.105.178.92 (00:45:46.110 PST) event=1:9910020 {udp} E8[rb] ET ShadowServer confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 2121->2121 (00:45:46.110 PST)
tcpslice 1322556346.110 1322556346.111 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'
============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 11/29/2011 00:51:49.070 PST
Gen. Time: 11/29/2011 00:51:49.070 PST
INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
DECLARE BOT
  195.37.16.125 (00:51:49.070 PST) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 5377->5377 (00:51:49.070 PST)
tcpslice 1322556709.070 1322556709.071 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'
============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 11/29/2011 00:56:21.504 PST
Gen. Time: 11/29/2011 00:56:21.504 PST
INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
DECLARE BOT
  132.239.17.226 (00:56:21.504 PST) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 59684->2128 (00:56:21.504 PST)
tcpslice 1322556981.504 1322556981.505 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'
============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 11/29/2011 00:56:21.504 PST
Gen. Time: 11/29/2011 01:00:40.509 PST
INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
DECLARE BOT
  132.239.17.226 (00:56:21.504 PST) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 59684->2128 (00:56:21.504 PST)
  184.105.178.92 (00:57:32.296 PST) event=1:9910020 {udp} E8[rb] ET ShadowServer confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 2121->2121 (00:57:32.296 PST)
tcpslice 1322556981.504 1322556981.505 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'
============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 11/29/2011 01:01:50.048 PST
Gen. Time: 11/29/2011 01:01:50.048 PST
INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
DECLARE BOT
  132.239.17.226 (01:01:50.048 PST) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 2122->2122 (01:01:50.048 PST)
tcpslice 1322557310.048 1322557310.049 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'
============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 11/29/2011 01:09:03.694 PST
Gen. Time: 11/29/2011 01:09:03.694 PST
INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
DECLARE BOT
  132.239.17.226 (01:09:03.694 PST) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 43510->2128 (01:09:03.694 PST)
tcpslice 1322557743.694 1322557743.695 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'
============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 11/29/2011 01:09:03.694 PST
Gen. Time: 11/29/2011 01:13:25.372 PST
INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
DECLARE BOT
  132.239.17.226 (01:09:03.694 PST) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 43510->2128 (01:09:03.694 PST)
  129.93.229.138 (01:11:50.552 PST) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 2121->2121 (01:11:50.552 PST)
tcpslice 1322557743.694 1322557743.695 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'
============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 11/29/2011 01:15:19.248 PST
Gen. Time: 11/29/2011 01:15:19.248 PST
INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
DECLARE BOT
  184.105.178.92 (01:15:19.248 PST) event=1:9910020 {udp} E8[rb] ET ShadowServer confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 2121->2121 (01:15:19.248 PST)
tcpslice 1322558119.248 1322558119.249 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'
============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 11/29/2011 01:20:09.926 PST
Gen. Time: 11/29/2011 01:20:09.926 PST
INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
DECLARE BOT
  206.207.248.34 (01:20:09.926 PST) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 48882->2128 (01:20:09.926 PST)
tcpslice 1322558409.926 1322558409.927 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'
============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 11/29/2011 01:20:09.926 PST
Gen. Time: 11/29/2011 01:24:17.963 PST
INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
DECLARE BOT
  206.207.248.34 (01:20:09.926 PST) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 48882->2128 (01:20:09.926 PST)
  129.93.229.138 (01:21:51.593 PST) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 2119->2119 (01:21:51.593 PST)
tcpslice 1322558409.926 1322558409.927 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'
============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 11/29/2011 01:27:06.298 PST
Gen. Time: 11/29/2011 01:27:06.298 PST
INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
DECLARE BOT
  184.105.178.92 (01:27:06.298 PST) event=1:9910020 {udp} E8[rb] ET ShadowServer confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 2121->2121 (01:27:06.298 PST)
tcpslice 1322558826.298 1322558826.299 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'
============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 11/29/2011 01:27:06.298 PST
Gen. Time: 11/29/2011 01:31:00.974 PST
INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
DECLARE BOT
  132.239.17.226 (01:31:00.974 PST) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 34064->2126 (01:31:00.974 PST)
  184.105.178.92 (01:27:06.298 PST) event=1:9910020 {udp} E8[rb] ET ShadowServer confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 2121->2121 (01:27:06.298 PST)
tcpslice 1322558826.298 1322558826.299 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'
============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 11/29/2011 01:31:52.503 PST
Gen. Time: 11/29/2011 01:31:52.503 PST
INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
DECLARE BOT
  129.93.229.138 (01:31:52.503 PST) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 2121->2121 (01:31:52.503 PST)
tcpslice 1322559112.503 1322559112.504 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'
============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 11/29/2011 01:41:23.389 PST
Gen. Time: 11/29/2011 01:41:23.389 PST
INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
DECLARE BOT
  128.163.142.20 (01:41:23.389 PST) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 45167->2126 (01:41:23.389 PST)
tcpslice 1322559683.389 1322559683.390 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'
============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 11/29/2011 01:41:23.389 PST
Gen. Time: 11/29/2011 01:45:23.321 PST
INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
DECLARE BOT
  184.105.178.92 (01:44:52.949 PST) event=1:9910020 {udp} E8[rb] ET ShadowServer confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 2121->2121 (01:44:52.949 PST)
  128.163.142.20 (01:41:23.389 PST) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 45167->2126 (01:41:23.389 PST)
  129.93.229.138 (01:41:54.857 PST) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 2121->2121 (01:41:54.857 PST)
tcpslice 1322559683.389 1322559683.390 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'
============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 11/29/2011 01:51:55.748 PST
Gen. Time: 11/29/2011 01:51:55.748 PST
INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
DECLARE BOT
  128.227.11.13 (01:51:55.748 PST) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 49302->65535 (01:51:55.748 PST)
tcpslice 1322560315.748 1322560315.749 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'
============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 11/29/2011 01:51:55.748 PST
Gen. Time: 11/29/2011 01:56:24.194 PST
INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
DECLARE BOT
  132.239.17.226 (01:51:56.509 PST) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 48479->2128 (01:51:56.509 PST)
  128.227.11.13 (01:51:55.748 PST) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 49302->65535 (01:51:55.748 PST)
tcpslice 1322560315.748 1322560315.749 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'
============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 11/29/2011 01:56:40.420 PST
Gen. Time: 11/29/2011 01:56:40.420 PST
INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
DECLARE BOT
  184.105.178.92 (01:56:40.420 PST) event=1:9910020 {udp} E8[rb] ET ShadowServer confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 2121->2121 (01:56:40.420 PST)
tcpslice 1322560600.420 1322560600.421 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'
============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 11/29/2011 02:01:55.026 PST
Gen. Time: 11/29/2011 02:01:55.026 PST
INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
DECLARE BOT
  128.227.11.13 (02:01:55.026 PST) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 49302->65535 (02:01:55.026 PST)
tcpslice 1322560915.026 1322560915.027 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'
============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 11/29/2011 02:01:55.026 PST
Gen. Time: 11/29/2011 02:05:38.885 PST
INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
DECLARE BOT
  128.163.142.20 (02:02:09.833 PST) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 42849->2128 (02:02:09.833 PST)
  128.227.11.13 (02:01:55.026 PST) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 49302->65535 (02:01:55.026 PST)
tcpslice 1322560915.026 1322560915.027 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'
============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 11/29/2011 02:07:35.853 PST
Gen. Time: 11/29/2011 02:07:35.853 PST
INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
DECLARE BOT
  128.227.11.13 (02:07:35.853 PST) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 49302->65535 (02:07:35.853 PST)
tcpslice 1322561255.853 1322561255.854 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'
============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 11/29/2011 02:07:35.853 PST
Gen. Time: 11/29/2011 02:11:51.305 PST
INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
DECLARE BOT
  132.239.17.226 (02:08:08.000 PST) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 47445->2128 (02:08:08.000 PST)
  128.227.11.13 (02:07:35.853 PST) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 49302->65535 (02:07:35.853 PST)
tcpslice 1322561255.853 1322561255.854 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'
============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 11/29/2011 02:14:27.373 PST
Gen. Time: 11/29/2011 02:14:27.373 PST
INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
DECLARE BOT
  184.105.178.92 (02:14:27.373 PST) event=1:9910020 {udp} E8[rb] ET ShadowServer confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 2121->2121 (02:14:27.373 PST)
tcpslice 1322561667.373 1322561667.374 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'
============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 11/29/2011 02:14:27.373 PST
Gen. Time: 11/29/2011 02:18:38.388 PST
INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
DECLARE BOT
  128.227.11.13 (02:17:35.822 PST) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 49302->65535 (02:17:35.822 PST)
  184.105.178.92 (02:14:27.373 PST) event=1:9910020 {udp} E8[rb] ET ShadowServer confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 2121->2121 (02:14:27.373 PST)
tcpslice 1322561667.373 1322561667.374 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'
============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 11/29/2011 02:19:02.752 PST
Gen. Time: 11/29/2011 02:19:02.752 PST
INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
DECLARE BOT
  128.163.142.20 (02:19:02.752 PST) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 41906->2128 (02:19:02.752 PST)
tcpslice 1322561942.752 1322561942.753 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'
============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 11/29/2011 02:26:12.835 PST
Gen. Time: 11/29/2011 02:26:12.835 PST
INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
DECLARE BOT
  184.105.178.92 (02:26:12.835 PST) event=1:9910020 {udp} E8[rb] ET ShadowServer confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 2121->2121 (02:26:12.835 PST)
tcpslice 1322562372.835 1322562372.836 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'
============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 11/29/2011 02:26:12.835 PST
Gen. Time: 11/29/2011 02:30:51.962 PST
INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
DECLARE BOT
  184.105.178.92 (02:26:12.835 PST) event=1:9910020 {udp} E8[rb] ET ShadowServer confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 2121->2121 (02:26:12.835 PST)
  206.207.248.34 (02:27:35.911 PST) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 2122->2122 (02:27:35.911 PST)
tcpslice 1322562372.835 1322562372.836 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'
============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 11/29/2011 02:32:32.461 PST
Gen. Time: 11/29/2011 02:32:32.461 PST
INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
DECLARE BOT
  195.37.16.125 (02:32:32.461 PST) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 33517->7365 (02:32:32.461 PST)
tcpslice 1322562752.461 1322562752.462 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'
============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 11/29/2011 02:37:38.074 PST
Gen. Time: 11/29/2011 02:37:38.074 PST
INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
DECLARE BOT
  206.207.248.34 (02:37:38.074 PST) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 23127->23127 (02:37:38.074 PST)
tcpslice 1322563058.074 1322563058.075 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'
============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 11/29/2011 02:37:38.074 PST
Gen. Time: 11/29/2011 02:39:27.196 PST
INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
DECLARE BOT
  206.207.248.34 (02:37:38.074 PST) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 23127->23127 (02:37:38.074 PST)
  129.93.229.138 (02:38:21.007 PST) event=1:9910025 {tcp} E8[rb] CLEAN-MX Webserver hosting Malicious URL, [] MAC_Src: 00:21:5A:08:EC:40 39132->41933 (02:38:21.007 PST)
tcpslice 1322563058.074 1322563058.075 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'
============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 11/29/2011 02:42:51.444 PST
Gen. Time: 11/29/2011 02:42:51.444 PST
INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
DECLARE BOT
  130.104.72.201 (02:42:51.444 PST) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 57492->56410 (02:42:51.444 PST)
tcpslice 1322563371.444 1322563371.445 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'
============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 11/29/2011 02:42:51.444 PST
Gen.
Time: 11/29/2011 02:46:05.473 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 184.105.178.92 (02:44:00.518 PST) event=1:9910020 {udp} E8[rb] ET ShadowServer confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 2121->2121 (02:44:00.518 PST) 130.104.72.201 (02:42:51.444 PST) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 57492->56410 (02:42:51.444 PST) tcpslice 1322563371.444 1322563371.445 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 11/29/2011 02:47:41.641 PST Gen. Time: 11/29/2011 02:47:41.641 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 129.93.229.138 (02:47:41.641 PST) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 2121->2121 (02:47:41.641 PST) tcpslice 1322563661.641 1322563661.642 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 11/29/2011 02:53:07.308 PST Gen. 
Time: 11/29/2011 02:53:07.308 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 137.165.1.111 (02:53:07.308 PST) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 48973->52222 (02:53:07.308 PST) tcpslice 1322563987.308 1322563987.309 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 11/29/2011 02:53:07.308 PST Gen. Time: 11/29/2011 02:57:23.451 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 137.165.1.111 (02:53:07.308 PST) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 48973->52222 (02:53:07.308 PST) 184.105.178.92 (02:55:47.871 PST) event=1:9910020 {udp} E8[rb] ET ShadowServer confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 2121->2121 (02:55:47.871 PST) tcpslice 1322563987.308 1322563987.309 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 11/29/2011 02:57:44.524 PST Gen. 
Time: 11/29/2011 02:57:44.524 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 137.165.1.111 (02:57:44.524 PST) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 54593->54593 (02:57:44.524 PST) tcpslice 1322564264.524 1322564264.525 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 11/29/2011 03:06:01.762 PST Gen. Time: 11/29/2011 03:06:01.762 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 206.207.248.34 (03:06:01.762 PST) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 35535->54593 (03:06:01.762 PST) tcpslice 1322564761.762 1322564761.763 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 11/29/2011 03:06:01.762 PST Gen. 
Time: 11/29/2011 03:10:01.685 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 206.207.248.34 (03:06:01.762 PST) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 35535->54593 (03:06:01.762 PST) 129.93.229.138 (03:07:46.717 PST) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 2121->2121 (03:07:46.717 PST) tcpslice 1322564761.762 1322564761.763 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 11/29/2011 03:13:36.908 PST Gen. Time: 11/29/2011 03:13:36.908 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 184.105.178.92 (03:13:36.908 PST) event=1:9910020 {udp} E8[rb] ET ShadowServer confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 2121->2121 (03:13:36.908 PST) tcpslice 1322565216.908 1322565216.909 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 11/29/2011 03:13:36.908 PST Gen. 
Time: 11/29/2011 03:17:24.478 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 184.105.178.92 (03:13:36.908 PST) event=1:9910020 {udp} E8[rb] ET ShadowServer confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 2121->2121 (03:13:36.908 PST) 206.207.248.34 (03:17:24.478 PST) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 35438->2128 (03:17:24.478 PST) tcpslice 1322565216.908 1322565216.909 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 11/29/2011 03:17:47.298 PST Gen. Time: 11/29/2011 03:17:47.298 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 129.93.229.138 (03:17:47.298 PST) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 2119->2119 (03:17:47.298 PST) tcpslice 1322565467.298 1322565467.299 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 11/29/2011 03:25:22.213 PST Gen. 
Time: 11/29/2011 03:25:22.213 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 184.105.178.92 (03:25:22.213 PST) event=1:9910020 {udp} E8[rb] ET ShadowServer confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 2121->2121 (03:25:22.213 PST) tcpslice 1322565922.213 1322565922.214 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 11/29/2011 03:25:22.213 PST Gen. Time: 11/29/2011 03:29:19.148 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 184.105.178.92 (03:25:22.213 PST) event=1:9910020 {udp} E8[rb] ET ShadowServer confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 2121->2121 (03:25:22.213 PST) 206.207.248.34 (03:27:51.127 PST) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 2122->2122 (03:27:51.127 PST) tcpslice 1322565922.213 1322565922.214 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 11/29/2011 03:31:57.696 PST Gen. 
Time: 11/29/2011 03:31:57.696 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 132.239.17.226 (03:31:57.696 PST) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 57823->2128 (03:31:57.696 PST) tcpslice 1322566317.696 1322566317.697 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 11/29/2011 03:37:54.630 PST Gen. Time: 11/29/2011 03:37:54.630 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 206.207.248.34 (03:37:54.630 PST) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 2121->2121 (03:37:54.630 PST) tcpslice 1322566674.630 1322566674.631 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 11/29/2011 03:43:08.625 PST Gen. 
Time: 11/29/2011 03:43:08.625 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 184.105.178.92 (03:43:08.625 PST) event=1:9910020 {udp} E8[rb] ET ShadowServer confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 2121->2121 (03:43:08.625 PST) tcpslice 1322566988.625 1322566988.626 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 11/29/2011 03:47:53.619 PST Gen. Time: 11/29/2011 03:47:53.619 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 134.34.246.5 (03:47:53.619 PST) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 57423->49302 (03:47:53.619 PST) tcpslice 1322567273.619 1322567273.620 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 11/29/2011 03:47:53.619 PST Gen. 
Time: 11/29/2011 03:51:26.320 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 130.149.49.136 (03:47:54.771 PST) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 49302->49302 (03:47:54.771 PST) 134.34.246.5 (03:47:53.619 PST) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 57423->49302 (03:47:53.619 PST) tcpslice 1322567273.619 1322567273.620 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 11/29/2011 03:54:53.782 PST Gen. Time: 11/29/2011 03:54:53.782 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 184.105.178.92 (03:54:53.782 PST) event=1:9910020 {udp} E8[rb] ET ShadowServer confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 2121->2121 (03:54:53.782 PST) tcpslice 1322567693.782 1322567693.783 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 11/29/2011 03:54:53.782 PST Gen. 
Time: 11/29/2011 03:59:09.209 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 184.105.178.92 (03:54:53.782 PST) event=1:9910020 {udp} E8[rb] ET ShadowServer confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 2121->2121 (03:54:53.782 PST) 206.207.248.34 (03:57:54.894 PST) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 2121->2121 (03:57:54.894 PST) tcpslice 1322567693.782 1322567693.783 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 11/29/2011 04:02:45.431 PST Gen. Time: 11/29/2011 04:02:45.431 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 132.239.17.226 (04:02:45.431 PST) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 36989->53620 (04:02:45.431 PST) tcpslice 1322568165.431 1322568165.432 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 11/29/2011 04:08:02.909 PST Gen. 
Time: 11/29/2011 04:08:02.909 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 129.93.229.138 (04:08:02.909 PST) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 2121->2121 (04:08:02.909 PST) tcpslice 1322568482.909 1322568482.910 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 11/29/2011 04:12:41.237 PST Gen. Time: 11/29/2011 04:12:41.237 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 184.105.178.92 (04:12:41.237 PST) event=1:9910020 {udp} E8[rb] ET ShadowServer confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 2121->2121 (04:12:41.237 PST) tcpslice 1322568761.237 1322568761.238 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 11/29/2011 04:12:41.237 PST Gen. 
Time: 11/29/2011 04:14:27.878 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 128.163.142.20 (04:13:23.156 PST) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 41450->2128 (04:13:23.156 PST) 184.105.178.92 (04:12:41.237 PST) event=1:9910020 {udp} E8[rb] ET ShadowServer confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 2121->2121 (04:12:41.237 PST) tcpslice 1322568761.237 1322568761.238 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 11/29/2011 04:18:02.334 PST Gen. Time: 11/29/2011 04:18:02.334 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 129.93.229.138 (04:18:02.334 PST) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 2121->2121 (04:18:02.334 PST) tcpslice 1322569082.334 1322569082.335 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 11/29/2011 04:23:49.087 PST Gen. 
Time: 11/29/2011 04:23:49.087 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 132.239.17.226 (04:23:49.087 PST) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 49786->2128 (04:23:49.087 PST) tcpslice 1322569429.087 1322569429.088 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 11/29/2011 04:23:49.087 PST Gen. Time: 11/29/2011 04:26:53.972 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 132.239.17.226 (04:23:49.087 PST) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 49786->2128 (04:23:49.087 PST) 184.105.178.92 (04:24:25.652 PST) event=1:9910020 {udp} E8[rb] ET ShadowServer confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 2121->2121 (04:24:25.652 PST) tcpslice 1322569429.087 1322569429.088 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 11/29/2011 04:28:11.750 PST Gen. 
Time: 11/29/2011 04:28:11.750 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 128.2.211.114 (04:28:11.750 PST) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 2121->2121 (04:28:11.750 PST) tcpslice 1322569691.750 1322569691.751 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 11/29/2011 04:33:57.643 PST Gen. Time: 11/29/2011 04:33:57.643 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 128.163.142.20 (04:33:57.643 PST) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 36498->2128 (04:33:57.643 PST) tcpslice 1322570037.643 1322570037.644 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 11/29/2011 04:38:15.195 PST Gen. 
Time: 11/29/2011 04:38:15.195 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 130.104.72.201 (04:38:15.195 PST) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 2121->2121 (04:38:15.195 PST) tcpslice 1322570295.195 1322570295.196 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 11/29/2011 04:38:15.195 PST Gen. Time: 11/29/2011 04:42:22.234 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 184.105.178.92 (04:42:12.875 PST) event=1:9910020 {udp} E8[rb] ET ShadowServer confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 2121->2121 (04:42:12.875 PST) 130.104.72.201 (04:38:15.195 PST) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 2121->2121 (04:38:15.195 PST) tcpslice 1322570295.195 1322570295.196 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 11/29/2011 04:44:53.096 PST Gen. 
Time: 11/29/2011 04:44:53.096 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 132.239.17.226 (04:44:53.096 PST) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 38791->2128 (04:44:53.096 PST) tcpslice 1322570693.096 1322570693.097 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 11/29/2011 04:48:17.787 PST Gen. Time: 11/29/2011 04:48:17.787 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 132.239.17.226 (04:48:17.787 PST) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 4121->4121 (04:48:17.787 PST) tcpslice 1322570897.787 1322570897.788 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 11/29/2011 04:53:58.317 PST Gen. 
Time: 11/29/2011 04:53:58.317 PST
   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION
   DECLARE BOT
      184.105.178.92 (04:53:58.317 PST)
         event=1:9910020 {udp} E8[rb] ET ShadowServer confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 2121->2121 (04:53:58.317 PST)
tcpslice 1322571238.317 1322571238.318 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 11/29/2011 04:58:36.763 PST
Gen. Time: 11/29/2011 04:58:36.763 PST
   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION
   DECLARE BOT
      206.207.248.34 (04:58:36.763 PST)
         event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 2122->2122 (04:58:36.763 PST)
tcpslice 1322571516.763 1322571516.764 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 11/29/2011 04:58:36.763 PST
Gen. Time: 11/29/2011 05:01:56.587 PST
   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION
   DECLARE BOT
      137.165.1.111 (04:58:45.007 PST)
         event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 45390->7365 (04:58:45.007 PST)
      206.207.248.34 (04:58:36.763 PST)
         event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 2122->2122 (04:58:36.763 PST)
tcpslice 1322571516.763 1322571516.764 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 11/29/2011 05:08:37.926 PST
Gen. Time: 11/29/2011 05:08:37.926 PST
   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION
   DECLARE BOT
      128.186.122.86 (05:08:37.926 PST)
         event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 49302->35596 (05:08:37.926 PST)
tcpslice 1322572117.926 1322572117.927 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 11/29/2011 05:11:45.375 PST
Gen. Time: 11/29/2011 05:11:45.375 PST
   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION
   DECLARE BOT
      184.105.178.92 (05:11:45.375 PST)
         event=1:9910020 {udp} E8[rb] ET ShadowServer confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 2121->2121 (05:11:45.375 PST)
tcpslice 1322572305.375 1322572305.376 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 11/29/2011 05:11:45.375 PST
Gen. Time: 11/29/2011 05:14:26.019 PST
   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION
   DECLARE BOT
      132.239.17.226 (05:12:31.253 PST)
         event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 35986->2126 (05:12:31.253 PST)
      184.105.178.92 (05:11:45.375 PST)
         event=1:9910020 {udp} E8[rb] ET ShadowServer confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 2121->2121 (05:11:45.375 PST)
tcpslice 1322572305.375 1322572305.376 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 11/29/2011 05:18:37.029 PST
Gen. Time: 11/29/2011 05:18:37.029 PST
   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION
   DECLARE BOT
      206.207.248.34 (05:18:37.029 PST)
         event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 2122->2122 (05:18:37.029 PST)
tcpslice 1322572717.029 1322572717.030 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 11/29/2011 05:22:36.146 PST
Gen. Time: 11/29/2011 05:22:36.146 PST
   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION
   DECLARE BOT
      206.207.248.34 (05:22:36.146 PST)
         event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 38956->2126 (05:22:36.146 PST)
tcpslice 1322572956.146 1322572956.147 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 11/29/2011 05:22:36.146 PST
Gen. Time: 11/29/2011 05:25:05.811 PST
   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION
   DECLARE BOT
      184.105.178.92 (05:23:31.597 PST)
         event=1:9910020 {udp} E8[rb] ET ShadowServer confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 2121->2121 (05:23:31.597 PST)
      206.207.248.34 (05:22:36.146 PST)
         event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 38956->2126 (05:22:36.146 PST)
tcpslice 1322572956.146 1322572956.147 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 11/29/2011 05:28:37.938 PST
Gen. Time: 11/29/2011 05:28:37.938 PST
   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION
   DECLARE BOT
      132.239.17.226 (05:28:37.938 PST)
         event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 2122->2122 (05:28:37.938 PST)
tcpslice 1322573317.938 1322573317.939 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 11/29/2011 05:32:53.612 PST
Gen. Time: 11/29/2011 05:32:53.612 PST
   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION
   DECLARE BOT
      132.239.17.226 (05:32:53.612 PST)
         event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 42797->2128 (05:32:53.612 PST)
tcpslice 1322573573.612 1322573573.613 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 11/29/2011 05:38:41.712 PST
Gen. Time: 11/29/2011 05:38:41.712 PST
   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION
   DECLARE BOT
      206.207.248.34 (05:38:41.712 PST)
         event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 2122->2122 (05:38:41.712 PST)
tcpslice 1322573921.712 1322573921.713 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 11/29/2011 05:41:19.133 PST
Gen. Time: 11/29/2011 05:41:19.133 PST
   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION
   DECLARE BOT
      184.105.178.92 (05:41:19.133 PST)
         event=1:9910020 {udp} E8[rb] ET ShadowServer confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 2121->2121 (05:41:19.133 PST)
tcpslice 1322574079.133 1322574079.134 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 11/29/2011 05:41:19.133 PST
Gen. Time: 11/29/2011 05:45:17.692 PST
   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION
   DECLARE BOT
      132.239.17.226 (05:42:56.988 PST)
         event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 45301->2126 (05:42:56.988 PST)
      184.105.178.92 (05:41:19.133 PST)
         event=1:9910020 {udp} E8[rb] ET ShadowServer confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 2121->2121 (05:41:19.133 PST)
tcpslice 1322574079.133 1322574079.134 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 11/29/2011 05:48:49.407 PST
Gen. Time: 11/29/2011 05:48:49.407 PST
   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION
   DECLARE BOT
      128.186.122.86 (05:48:49.407 PST)
         event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 49302->35596 (05:48:49.407 PST)
tcpslice 1322574529.407 1322574529.408 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 11/29/2011 05:53:05.272 PST
Gen. Time: 11/29/2011 05:53:05.272 PST
   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION
   DECLARE BOT
      184.105.178.92 (05:53:05.272 PST)
         event=1:9910020 {udp} E8[rb] ET ShadowServer confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 2121->2121 (05:53:05.272 PST)
tcpslice 1322574785.272 1322574785.273 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 11/29/2011 05:53:05.272 PST
Gen. Time: 11/29/2011 05:55:59.629 PST
   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION
   DECLARE BOT
      184.105.178.92 (05:53:05.272 PST)
         event=1:9910020 {udp} E8[rb] ET ShadowServer confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 2121->2121 (05:53:05.272 PST)
      206.207.248.34 (05:53:42.426 PST)
         event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 58174->2128 (05:53:42.426 PST)
tcpslice 1322574785.272 1322574785.273 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 11/29/2011 05:58:54.037 PST
Gen. Time: 11/29/2011 05:58:54.037 PST
   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION
   DECLARE BOT
      128.186.122.86 (05:58:54.037 PST)
         event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 49302->35596 (05:58:54.037 PST)
tcpslice 1322575134.037 1322575134.038 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 11/29/2011 06:04:15.807 PST
Gen. Time: 11/29/2011 06:04:15.807 PST
   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION
   DECLARE BOT
      132.239.17.226 (06:04:15.807 PST)
         event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 43601->2128 (06:04:15.807 PST)
tcpslice 1322575455.807 1322575455.808 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 11/29/2011 06:08:54.794 PST
Gen. Time: 11/29/2011 06:08:54.794 PST
   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION
   DECLARE BOT
      206.207.248.34 (06:08:54.794 PST)
         event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 2122->2122 (06:08:54.794 PST)
tcpslice 1322575734.794 1322575734.795 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 11/29/2011 06:08:54.794 PST
Gen. Time: 11/29/2011 06:13:48.326 PST
   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION
   DECLARE BOT
      184.105.178.92 (06:10:50.701 PST)
         event=1:9910020 {udp} E8[rb] ET ShadowServer confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 2121->2121 (06:10:50.701 PST)
      206.207.248.34 (06:08:54.794 PST)
         event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 2122->2122 (06:08:54.794 PST)
tcpslice 1322575734.794 1322575734.795 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 11/29/2011 06:17:52.502 PST
Gen. Time: 11/29/2011 06:17:52.502 PST
   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION
   DECLARE BOT
      206.207.248.34 (06:17:52.502 PST)
         event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 44990->2126 (06:17:52.502 PST)
tcpslice 1322576272.502 1322576272.503 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 11/29/2011 06:17:52.502 PST
Gen. Time: 11/29/2011 06:20:10.153 PST
   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION
   DECLARE BOT
      206.207.248.34 (2) (06:17:52.502 PST)
         event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 44990->2126 (06:17:52.502 PST)
         -------------------------
         event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 2122->2122 (06:18:59.715 PST)
tcpslice 1322576272.502 1322576272.503 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 11/29/2011 06:22:38.043 PST
Gen. Time: 11/29/2011 06:22:38.043 PST
   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION
   DECLARE BOT
      184.105.178.92 (06:22:38.043 PST)
         event=1:9910020 {udp} E8[rb] ET ShadowServer confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 2121->2121 (06:22:38.043 PST)
tcpslice 1322576558.043 1322576558.044 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 11/29/2011 06:28:17.194 PST
Gen. Time: 11/29/2011 06:28:17.194 PST
   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION
   DECLARE BOT
      132.239.17.226 (06:28:17.194 PST)
         event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 53331->2128 (06:28:17.194 PST)
tcpslice 1322576897.194 1322576897.195 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 11/29/2011 06:28:17.194 PST
Gen. Time: 11/29/2011 06:32:10.754 PST
   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION
   DECLARE BOT
      132.239.17.226 (06:28:17.194 PST)
         event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 53331->2128 (06:28:17.194 PST)
      206.207.248.34 (06:28:59.311 PST)
         event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 2122->2122 (06:28:59.311 PST)
tcpslice 1322576897.194 1322576897.195 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 11/29/2011 06:39:04.853 PST
Gen. Time: 11/29/2011 06:39:04.853 PST
   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION
   DECLARE BOT
      206.207.248.34 (06:39:04.853 PST)
         event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 2122->2122 (06:39:04.853 PST)
tcpslice 1322577544.853 1322577544.854 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 11/29/2011 06:39:04.853 PST
Gen. Time: 11/29/2011 06:43:42.138 PST
   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION
   DECLARE BOT
      132.239.17.226 (06:39:18.076 PST)
         event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 60166->2128 (06:39:18.076 PST)
      184.105.178.92 (06:40:25.444 PST)
         event=1:9910020 {udp} E8[rb] ET ShadowServer confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 2121->2121 (06:40:25.444 PST)
      206.207.248.34 (06:39:04.853 PST)
         event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 2122->2122 (06:39:04.853 PST)
tcpslice 1322577544.853 1322577544.854 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 11/29/2011 06:49:13.840 PST
Gen. Time: 11/29/2011 06:49:13.840 PST
   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION
   DECLARE BOT
      128.186.122.86 (06:49:13.840 PST)
         event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 49302->35596 (06:49:13.840 PST)
tcpslice 1322578153.840 1322578153.841 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 11/29/2011 06:49:13.840 PST
Gen. Time: 11/29/2011 06:53:23.581 PST
   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION
   DECLARE BOT
      128.186.122.86 (06:49:13.840 PST)
         event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 49302->35596 (06:49:13.840 PST)
      184.105.178.92 (06:52:13.617 PST)
         event=1:9910020 {udp} E8[rb] ET ShadowServer confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 2121->2121 (06:52:13.617 PST)
tcpslice 1322578153.840 1322578153.841 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 11/29/2011 06:57:06.901 PST
Gen. Time: 11/29/2011 06:57:06.901 PST
   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION
   DECLARE BOT
      128.163.142.20 (06:57:06.901 PST)
         event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 48824->2126 (06:57:06.901 PST)
tcpslice 1322578626.901 1322578626.902 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 11/29/2011 06:57:06.901 PST
Gen. Time: 11/29/2011 07:01:14.366 PST
   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION
   DECLARE BOT
      128.186.122.86 (06:59:14.897 PST)
         event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 49302->35596 (06:59:14.897 PST)
      128.163.142.20 (06:57:06.901 PST)
         event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 48824->2126 (06:57:06.901 PST)
tcpslice 1322578626.901 1322578626.902 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 11/29/2011 07:08:58.104 PST
Gen. Time: 11/29/2011 07:08:58.104 PST
   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION
   DECLARE BOT
      132.239.17.226 (07:08:58.104 PST)
         event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 35120->2126 (07:08:58.104 PST)
tcpslice 1322579338.104 1322579338.105 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 11/29/2011 07:08:58.104 PST
Gen. Time: 11/29/2011 07:13:07.557 PST
   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION
   DECLARE BOT
      132.239.17.226 (07:08:58.104 PST)
         event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 35120->2126 (07:08:58.104 PST)
      184.105.178.92 (07:09:59.211 PST)
         event=1:9910020 {udp} E8[rb] ET ShadowServer confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 2121->2121 (07:09:59.211 PST)
      206.207.248.34 (07:09:14.105 PST)
         event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 2122->2122 (07:09:14.105 PST)
tcpslice 1322579338.104 1322579338.105 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 11/29/2011 07:19:27.645 PST
Gen. Time: 11/29/2011 07:19:27.645 PST
   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION
   DECLARE BOT
      128.186.122.86 (07:19:27.645 PST)
         event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 49302->35596 (07:19:27.645 PST)
tcpslice 1322579967.645 1322579967.646 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 11/29/2011 07:19:27.645 PST
Gen. Time: 11/29/2011 07:23:40.086 PST
   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION
   DECLARE BOT
      132.239.17.226 (07:20:24.860 PST)
         event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 57273->2128 (07:20:24.860 PST)
      128.186.122.86 (07:19:27.645 PST)
         event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 49302->35596 (07:19:27.645 PST)
      184.105.178.92 (07:21:45.981 PST)
         event=1:9910020 {udp} E8[rb] ET ShadowServer confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 2121->2121 (07:21:45.981 PST)
      129.93.229.138 (07:23:24.539 PST)
         event=1:9910025 {tcp} E8[rb] CLEAN-MX Webserver hosting Malicious URL, [] MAC_Src: 00:21:5A:08:EC:40 55002->60932 (07:23:24.539 PST)
tcpslice 1322579967.645 1322579967.646 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 11/29/2011 07:29:29.045 PST
Gen. Time: 11/29/2011 07:29:29.045 PST
   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION
   DECLARE BOT
      206.207.248.34 (07:29:29.045 PST)
         event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 4121->4121 (07:29:29.045 PST)
tcpslice 1322580569.045 1322580569.046 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 11/29/2011 07:36:33.081 PST
Gen. Time: 11/29/2011 07:36:33.081 PST
   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION
   DECLARE BOT
      132.239.17.226 (07:36:33.081 PST)
         event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 34625->2128 (07:36:33.081 PST)
tcpslice 1322580993.081 1322580993.082 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 11/29/2011 07:36:33.081 PST
Gen. Time: 11/29/2011 07:39:42.630 PST
   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION
   DECLARE BOT
      132.239.17.226 (07:36:33.081 PST)
         event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 34625->2128 (07:36:33.081 PST)
      184.105.178.92 (07:39:33.618 PST)
         event=1:9910020 {udp} E8[rb] ET ShadowServer confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 2121->2121 (07:39:33.618 PST)
      206.207.248.34 (07:39:29.606 PST)
         event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 2122->2122 (07:39:29.606 PST)
tcpslice 1322580993.081 1322580993.082 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 11/29/2011 07:47:09.983 PST
Gen. Time: 11/29/2011 07:47:09.983 PST
   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION
   DECLARE BOT
      132.239.17.226 (07:47:09.983 PST)
         event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 55027->2128 (07:47:09.983 PST)
tcpslice 1322581629.983 1322581629.984 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 11/29/2011 07:47:09.983 PST
Gen. Time: 11/29/2011 07:50:56.476 PST
   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION
   DECLARE BOT
      137.165.1.111 (07:49:29.296 PST)
         event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 54593->54593 (07:49:29.296 PST)
      132.239.17.226 (07:47:09.983 PST)
         event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 55027->2128 (07:47:09.983 PST)
tcpslice 1322581629.983 1322581629.984 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 11/29/2011 07:51:19.942 PST
Gen. Time: 11/29/2011 07:51:19.942 PST
   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION
   DECLARE BOT
      184.105.178.92 (07:51:19.942 PST)
         event=1:9910020 {udp} E8[rb] ET ShadowServer confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 2121->2121 (07:51:19.942 PST)
tcpslice 1322581879.942 1322581879.943 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 11/29/2011 07:59:27.610 PST
Gen. Time: 11/29/2011 07:59:27.610 PST
   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION
   DECLARE BOT
      130.149.49.136 (07:59:27.610 PST)
         event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 58352->54593 (07:59:27.610 PST)
tcpslice 1322582367.610 1322582367.611 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 11/29/2011 07:59:27.610 PST
Gen. Time: 11/29/2011 08:02:50.093 PST
   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION
   DECLARE BOT
      130.149.49.136 (07:59:27.610 PST)
         event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 58352->54593 (07:59:27.610 PST)
      128.186.122.86 (07:59:30.349 PST)
         event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 49302->35596 (07:59:30.349 PST)
tcpslice 1322582367.610 1322582367.611 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 11/29/2011 08:09:08.236 PST
Gen. Time: 11/29/2011 08:09:08.236 PST
   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION
   DECLARE BOT
      184.105.178.92 (08:09:08.236 PST)
         event=1:9910020 {udp} E8[rb] ET ShadowServer confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 2121->2121 (08:09:08.236 PST)
tcpslice 1322582948.236 1322582948.237 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 11/29/2011 08:09:08.236 PST
Gen. Time: 11/29/2011 08:12:59.905 PST
   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION
   DECLARE BOT
      132.239.17.226 (2) (08:09:30.526 PST)
         event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 57887->2128 (08:10:06.623 PST)
         -------------------------
         event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 2122->2122 (08:09:30.526 PST)
      184.105.178.92 (08:09:08.236 PST)
         event=1:9910020 {udp} E8[rb] ET ShadowServer confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 2121->2121 (08:09:08.236 PST)
tcpslice 1322582948.236 1322582948.237 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 11/29/2011 08:19:33.453 PST Gen.
Time: 11/29/2011 08:19:33.453 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 129.93.229.138 (08:19:33.453 PST) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 4121->4121 (08:19:33.453 PST) tcpslice 1322583573.453 1322583573.454 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 11/29/2011 08:19:33.453 PST Gen. Time: 11/29/2011 08:23:09.160 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 128.163.142.20 (08:22:15.185 PST) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 34066->52302 (08:22:15.185 PST) 184.105.178.92 (08:20:53.558 PST) event=1:9910020 {udp} E8[rb] ET ShadowServer confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 2121->2121 (08:20:53.558 PST) 129.93.229.138 (08:19:33.453 PST) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 4121->4121 (08:19:33.453 PST) tcpslice 1322583573.453 1322583573.454 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 11/29/2011 08:29:53.735 PST Gen. 
Time: 11/29/2011 08:29:53.735 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 206.207.248.34 (08:29:53.735 PST) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 2122->2122 (08:29:53.735 PST) tcpslice 1322584193.735 1322584193.736 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 11/29/2011 08:34:29.016 PST Gen. Time: 11/29/2011 08:34:29.016 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 206.207.248.34 (08:34:29.016 PST) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 34640->7365 (08:34:29.016 PST) tcpslice 1322584469.016 1322584469.017 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 11/29/2011 08:34:29.016 PST Gen. 
Time: 11/29/2011 08:38:40.555 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 184.105.178.92 (08:38:40.555 PST) event=1:9910020 {udp} E8[rb] ET ShadowServer confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 2121->2121 (08:38:40.555 PST) 206.207.248.34 (08:34:29.016 PST) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 34640->7365 (08:34:29.016 PST) tcpslice 1322584469.016 1322584469.017 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 11/29/2011 08:39:55.960 PST Gen. Time: 11/29/2011 08:39:55.960 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 132.239.17.226 (08:39:55.960 PST) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 2122->2122 (08:39:55.960 PST) tcpslice 1322584795.960 1322584795.961 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 11/29/2011 08:45:34.025 PST Gen. 
Time: 11/29/2011 08:45:34.025 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 206.207.248.34 (08:45:34.025 PST) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 50140->2128 (08:45:34.025 PST) tcpslice 1322585134.025 1322585134.026 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 11/29/2011 08:49:56.157 PST Gen. Time: 11/29/2011 08:49:56.157 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 130.104.72.201 (08:49:56.157 PST) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 49301->49301 (08:49:56.157 PST) tcpslice 1322585396.157 1322585396.158 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 11/29/2011 08:49:56.157 PST Gen. 
Time: 11/29/2011 08:54:08.877 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 184.105.178.92 (08:50:27.564 PST) event=1:9910020 {udp} E8[rb] ET ShadowServer confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 2121->2121 (08:50:27.564 PST) 130.104.72.201 (08:49:56.157 PST) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 49301->49301 (08:49:56.157 PST) tcpslice 1322585396.157 1322585396.158 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 11/29/2011 08:59:52.985 PST Gen. Time: 11/29/2011 08:59:52.985 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 132.239.17.226 (08:59:52.985 PST) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 44570->2126 (08:59:52.985 PST) tcpslice 1322585992.985 1322585992.986 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 11/29/2011 08:59:52.985 PST Gen. 
Time: 11/29/2011 09:03:26.721 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 132.239.17.226 (08:59:52.985 PST) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 44570->2126 (08:59:52.985 PST) 130.104.72.201 (08:59:58.576 PST) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 49301->49301 (08:59:58.576 PST) tcpslice 1322585992.985 1322585992.986 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 11/29/2011 09:08:13.376 PST Gen. Time: 11/29/2011 09:08:13.376 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 184.105.178.92 (09:08:13.376 PST) event=1:9910020 {udp} E8[rb] ET ShadowServer confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 2121->2121 (09:08:13.376 PST) tcpslice 1322586493.376 1322586493.377 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 11/29/2011 09:08:13.376 PST Gen. 
Time: 11/29/2011 09:12:33.616 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 128.186.122.86 (09:09:59.015 PST) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 49302->36236 (09:09:59.015 PST) 184.105.178.92 (09:08:13.376 PST) event=1:9910020 {udp} E8[rb] ET ShadowServer confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 2121->2121 (09:08:13.376 PST) 89.188.109.210 (09:08:32.754 PST) event=1:9910025 {tcp} E8[rb] CLEAN-MX Webserver hosting Malicious URL, [] MAC_Src: 00:21:5A:08:EC:40 3128->36435 (09:08:32.754 PST) tcpslice 1322586493.376 1322586493.377 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 11/29/2011 09:15:45.079 PST Gen. Time: 11/29/2011 09:15:45.079 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 206.207.248.34 (09:15:45.079 PST) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 40198->2128 (09:15:45.079 PST) tcpslice 1322586945.079 1322586945.080 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 11/29/2011 09:20:01.205 PST Gen. 
Time: 11/29/2011 09:20:01.205 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 184.105.178.92 (09:20:01.205 PST) event=1:9910020 {udp} E8[rb] ET ShadowServer confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 2121->2121 (09:20:01.205 PST) tcpslice 1322587201.205 1322587201.206 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 11/29/2011 09:20:01.205 PST Gen. Time: 11/29/2011 09:23:09.375 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 184.105.178.92 (2) (09:20:01.205 PST) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 2121->2121 (09:20:01.205 PST) ------------------------- event=1:9910020 {udp} E8[rb] ET ShadowServer confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 2121->2121 (09:20:01.205 PST) tcpslice 1322587201.205 1322587201.206 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 11/29/2011 09:30:07.103 PST Gen. 
Time: 11/29/2011 09:30:07.103 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 206.207.248.34 (09:30:07.103 PST) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 4121->4121 (09:30:07.103 PST) tcpslice 1322587807.103 1322587807.104 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 11/29/2011 09:30:07.103 PST Gen. Time: 11/29/2011 09:34:52.719 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 206.207.248.34 (09:30:07.103 PST) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 4121->4121 (09:30:07.103 PST) 130.104.72.201 (09:33:30.860 PST) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 34662->7365 (09:33:30.860 PST) tcpslice 1322587807.103 1322587807.104 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 11/29/2011 09:37:47.568 PST Gen. 
Time: 11/29/2011 09:37:47.568 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 184.105.178.92 (09:37:47.568 PST) event=1:9910020 {udp} E8[rb] ET ShadowServer confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 2121->2121 (09:37:47.568 PST) tcpslice 1322588267.568 1322588267.569 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 11/29/2011 09:37:47.568 PST Gen. Time: 11/29/2011 09:40:09.657 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 184.105.178.92 (09:37:47.568 PST) event=1:9910020 {udp} E8[rb] ET ShadowServer confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 2121->2121 (09:37:47.568 PST) 143.89.49.74 (09:40:09.657 PST) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 4121->4121 (09:40:09.657 PST) tcpslice 1322588267.568 1322588267.569 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 11/29/2011 09:43:50.593 PST Gen. 
Time: 11/29/2011 09:43:50.593 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 206.207.248.34 (09:43:50.593 PST) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 34674->2126 (09:43:50.593 PST) tcpslice 1322588630.593 1322588630.594 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 11/29/2011 09:49:32.948 PST Gen. Time: 11/29/2011 09:49:32.948 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 184.105.178.92 (09:49:32.948 PST) event=1:9910020 {udp} E8[rb] ET ShadowServer confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 2121->2121 (09:49:32.948 PST) tcpslice 1322588972.948 1322588972.949 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 11/29/2011 09:49:32.948 PST Gen. 
Time: 11/29/2011 09:53:09.377 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 132.239.17.226 (09:50:17.304 PST) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 2122->2122 (09:50:17.304 PST) 184.105.178.92 (09:49:32.948 PST) event=1:9910020 {udp} E8[rb] ET ShadowServer confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 2121->2121 (09:49:32.948 PST) tcpslice 1322588972.948 1322588972.949 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 11/29/2011 09:54:16.753 PST Gen. Time: 11/29/2011 09:54:16.753 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 206.207.248.34 (09:54:16.753 PST) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 56483->2128 (09:54:16.753 PST) tcpslice 1322589256.753 1322589256.754 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 11/29/2011 10:00:17.726 PST Gen. 
Time: 11/29/2011 10:00:17.726 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 128.227.11.13 (10:00:17.726 PST) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 49302->9552 (10:00:17.726 PST) tcpslice 1322589617.726 1322589617.727 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 11/29/2011 10:05:55.088 PST Gen. Time: 11/29/2011 10:05:55.088 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 206.207.248.34 (10:05:55.088 PST) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 38870->2126 (10:05:55.088 PST) tcpslice 1322589955.088 1322589955.089 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 11/29/2011 10:05:55.088 PST Gen. 
Time: 11/29/2011 10:10:01.019 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 184.105.178.92 (10:07:19.427 PST) event=1:9910020 {udp} E8[rb] ET ShadowServer confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 2121->2121 (10:07:19.427 PST) 206.207.248.34 (10:05:55.088 PST) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 38870->2126 (10:05:55.088 PST) tcpslice 1322589955.088 1322589955.089 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 11/29/2011 10:10:18.079 PST Gen. Time: 11/29/2011 10:10:18.079 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 206.207.248.34 (10:10:18.079 PST) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 4121->4121 (10:10:18.079 PST) tcpslice 1322590218.079 1322590218.080 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 11/29/2011 10:19:06.296 PST Gen. 
Time: 11/29/2011 10:19:06.296 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 184.105.178.92 (10:19:06.296 PST) event=1:9910020 {udp} E8[rb] ET ShadowServer confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 2121->2121 (10:19:06.296 PST) tcpslice 1322590746.296 1322590746.297 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 11/29/2011 10:19:06.296 PST Gen. Time: 11/29/2011 10:23:11.081 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 132.239.17.226 (2) (10:19:30.969 PST) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 45438->2128 (10:19:30.969 PST) ------------------------- event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 2122->2122 (10:20:27.001 PST) 184.105.178.92 (10:19:06.296 PST) event=1:9910020 {udp} E8[rb] ET ShadowServer confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 2121->2121 (10:19:06.296 PST) tcpslice 1322590746.296 1322590746.297 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 11/29/2011 10:30:28.053 PST Gen. 
Time: 11/29/2011 13:45:19.921 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 206.207.248.34 (13:42:30.014 PST) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 46978->2126 (13:42:30.014 PST) 130.104.72.201 (13:40:59.770 PST) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 2122->2122 (13:40:59.770 PST) tcpslice 1322602859.770 1322602859.771 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 11/29/2011 13:45:58.449 PST Gen. Time: 11/29/2011 13:45:58.449 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 184.105.178.92 (13:45:58.449 PST) event=1:9910020 {udp} E8[rb] ET ShadowServer confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 2121->2121 (13:45:58.449 PST) tcpslice 1322603158.449 1322603158.450 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 11/29/2011 13:50:59.544 PST Gen. 
Time: 11/29/2011 13:50:59.544 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 128.186.122.86 (13:50:59.544 PST) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 49302->50889 (13:50:59.544 PST) tcpslice 1322603459.544 1322603459.545 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 11/29/2011 13:50:59.544 PST Gen. Time: 11/29/2011 13:54:50.426 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 132.239.17.226 (13:52:56.591 PST) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 59307->2128 (13:52:56.591 PST) 128.186.122.86 (13:50:59.544 PST) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 49302->50889 (13:50:59.544 PST) tcpslice 1322603459.544 1322603459.545 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 11/29/2011 14:01:01.063 PST Gen. 
Time: 11/29/2011 14:01:01.063 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 195.37.16.125 (14:01:01.063 PST) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 54593->54593 (14:01:01.063 PST) tcpslice 1322604061.063 1322604061.064 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 11/29/2011 14:01:01.063 PST Gen. Time: 11/29/2011 14:05:01.945 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 184.105.178.92 (14:03:44.599 PST) event=1:9910020 {udp} E8[rb] ET ShadowServer confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 2121->2121 (14:03:44.599 PST) 195.37.16.125 (14:01:01.063 PST) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 54593->54593 (14:01:01.063 PST) tcpslice 1322604061.063 1322604061.064 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 11/29/2011 14:07:21.692 PST Gen. 
Time: 11/29/2011 14:07:21.692 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 132.239.17.226 (14:07:21.692 PST) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 56307->2128 (14:07:21.692 PST) tcpslice 1322604441.692 1322604441.693 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 11/29/2011 14:07:21.692 PST Gen. Time: 11/29/2011 14:11:23.678 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 130.149.49.136 (14:11:01.017 PST) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 54593->54593 (14:11:01.017 PST) 132.239.17.226 (14:07:21.692 PST) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 56307->2128 (14:07:21.692 PST) tcpslice 1322604441.692 1322604441.693 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 11/29/2011 14:15:30.072 PST Gen. 
Time: 11/29/2011 14:15:30.072 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 184.105.178.92 (14:15:30.072 PST) event=1:9910020 {udp} E8[rb] ET ShadowServer confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 2121->2121 (14:15:30.072 PST) tcpslice 1322604930.072 1322604930.073 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 11/29/2011 14:21:03.136 PST Gen. Time: 11/29/2011 14:21:03.136 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 195.37.16.125 (14:21:03.136 PST) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 54593->54593 (14:21:03.136 PST) tcpslice 1322605263.136 1322605263.137 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 11/29/2011 14:25:58.450 PST Gen. 
Time: 11/29/2011 14:25:58.450 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 132.239.17.226 (14:25:58.450 PST) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 49248->2128 (14:25:58.450 PST) tcpslice 1322605558.450 1322605558.451 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 11/29/2011 14:31:03.539 PST Gen. Time: 11/29/2011 14:31:03.539 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 132.239.17.226 (14:31:03.539 PST) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 2121->2121 (14:31:03.539 PST) tcpslice 1322605863.539 1322605863.540 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 11/29/2011 14:31:03.539 PST Gen. 
Time: 11/29/2011 14:34:18.885 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 132.239.17.226 (14:31:03.539 PST) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 2121->2121 (14:31:03.539 PST) 184.105.178.92 (14:33:15.644 PST) event=1:9910020 {udp} E8[rb] ET ShadowServer confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 2121->2121 (14:33:15.644 PST) tcpslice 1322605863.539 1322605863.540 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 11/29/2011 14:41:03.300 PST Gen. Time: 11/29/2011 14:41:03.300 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 128.186.122.86 (14:41:03.300 PST) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 49302->56079 (14:41:03.300 PST) tcpslice 1322606463.300 1322606463.301 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 11/29/2011 14:41:03.300 PST Gen. 
Time: 11/29/2011 14:45:37.458 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 132.239.17.226 (14:41:49.363 PST) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 50985->2128 (14:41:49.363 PST) 128.186.122.86 (14:41:03.300 PST) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 49302->56079 (14:41:03.300 PST) 184.105.178.92 (14:45:01.078 PST) event=1:9910020 {udp} E8[rb] ET ShadowServer confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 2121->2121 (14:45:01.078 PST) tcpslice 1322606463.300 1322606463.301 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 11/29/2011 14:51:03.171 PST Gen. Time: 11/29/2011 14:51:03.171 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 130.149.49.136 (14:51:03.171 PST) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 2122->2122 (14:51:03.171 PST) tcpslice 1322607063.171 1322607063.172 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 11/29/2011 14:51:03.171 PST Gen. 
Time: 11/29/2011 14:55:46.518 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 130.149.49.136 (14:51:03.171 PST) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 2122->2122 (14:51:03.171 PST) 128.163.142.20 (14:53:05.370 PST) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 56763->49628 (14:53:05.370 PST) tcpslice 1322607063.171 1322607063.172 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 11/29/2011 15:01:03.792 PST Gen. Time: 11/29/2011 15:01:03.792 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 129.93.229.138 (15:01:03.792 PST) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 2119->2119 (15:01:03.792 PST) tcpslice 1322607663.792 1322607663.793 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 11/29/2011 15:01:03.792 PST Gen. 
Time: 11/29/2011 15:05:11.020 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 132.239.17.226 (15:04:10.978 PST) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 55524->2128 (15:04:10.978 PST) 184.105.178.92 (15:02:48.877 PST) event=1:9910020 {udp} E8[rb] ET ShadowServer confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 2121->2121 (15:02:48.877 PST) 129.93.229.138 (15:01:03.792 PST) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 2119->2119 (15:01:03.792 PST) tcpslice 1322607663.792 1322607663.793 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 11/29/2011 15:11:05.994 PST Gen. Time: 11/29/2011 15:11:05.994 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 128.186.122.86 (15:11:05.994 PST) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 49302->56079 (15:11:05.994 PST) tcpslice 1322608265.994 1322608265.995 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 11/29/2011 15:11:05.994 PST Gen. 
Time: 11/29/2011 15:15:00.779 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 138.238.250.155 (15:15:00.779 PST) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 53503->54593 (15:15:00.779 PST) 128.186.122.86 (15:11:05.994 PST) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 49302->56079 (15:11:05.994 PST) 184.105.178.92 (15:14:34.281 PST) event=1:9910020 {udp} E8[rb] ET ShadowServer confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 2121->2121 (15:14:34.281 PST) tcpslice 1322608265.994 1322608265.995 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 11/29/2011 15:21:05.833 PST Gen. Time: 11/29/2011 15:21:05.833 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 138.238.250.155 (15:21:05.833 PST) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 54593->54593 (15:21:05.833 PST) tcpslice 1322608865.833 1322608865.834 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 11/29/2011 15:27:13.807 PST Gen. 
Time: 11/29/2011 15:27:13.807 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 130.104.72.201 (15:27:13.807 PST) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 44218->52305 (15:27:13.807 PST) tcpslice 1322609233.807 1322609233.808 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 11/29/2011 15:27:13.807 PST Gen. Time: 11/29/2011 15:31:05.043 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 130.104.72.201 (2) (15:27:13.807 PST) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 44218->52305 (15:27:13.807 PST) ------------------------- event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 23127->23127 (15:31:05.043 PST) tcpslice 1322609233.807 1322609233.808 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 11/29/2011 15:32:19.409 PST Gen. 
Time: 11/29/2011 15:32:19.409 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 184.105.178.92 (15:32:19.409 PST) event=1:9910020 {udp} E8[rb] ET ShadowServer confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 2121->2121 (15:32:19.409 PST) tcpslice 1322609539.409 1322609539.410 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 11/29/2011 15:37:13.637 PST Gen. Time: 11/29/2011 15:37:13.637 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 128.163.142.20 (15:37:13.637 PST) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 46479->2126 (15:37:13.637 PST) tcpslice 1322609833.637 1322609833.638 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 11/29/2011 15:37:13.637 PST Gen. 
Time: 11/29/2011 15:41:14.409 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 128.163.142.20 (2) (15:37:13.637 PST) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 46479->2126 (15:37:13.637 PST) ------------------------- event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 4121->4121 (15:41:05.656 PST) tcpslice 1322609833.637 1322609833.638 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 11/29/2011 15:44:05.216 PST Gen. Time: 11/29/2011 15:44:05.216 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 184.105.178.92 (15:44:05.216 PST) event=1:9910020 {udp} E8[rb] ET ShadowServer confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 2121->2121 (15:44:05.216 PST) tcpslice 1322610245.216 1322610245.217 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 11/29/2011 15:47:34.124 PST Gen. 
Time: 11/29/2011 15:47:34.124 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 128.163.142.20 (15:47:34.124 PST) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 47961->41008 (15:47:34.124 PST) tcpslice 1322610454.124 1322610454.125 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 11/29/2011 15:47:34.124 PST Gen. Time: 11/29/2011 15:51:07.372 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 128.163.142.20 (2) (15:47:34.124 PST) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 47961->41008 (15:47:34.124 PST) ------------------------- event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 4878->4878 (15:51:07.372 PST) tcpslice 1322610454.124 1322610454.125 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 11/29/2011 15:59:39.548 PST Gen. 
Time: 11/29/2011 15:59:39.548 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 130.104.72.201 (15:59:39.548 PST) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 51761->52305 (15:59:39.548 PST) tcpslice 1322611179.548 1322611179.549 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 11/29/2011 15:59:39.548 PST Gen. Time: 11/29/2011 16:02:25.824 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 184.105.178.92 (16:01:50.694 PST) event=1:9910020 {udp} E8[rb] ET ShadowServer confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 2121->2121 (16:01:50.694 PST) 129.93.229.138 (16:00:11.170 PST) event=1:9910025 {tcp} E8[rb] CLEAN-MX Webserver hosting Malicious URL, [] MAC_Src: 00:21:5A:08:EC:40 55002->58917 (16:00:11.170 PST) 130.104.72.201 (15:59:39.548 PST) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 51761->52305 (15:59:39.548 PST) 195.37.16.125 (16:01:07.178 PST) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 54593->54593 (16:01:07.178 PST) tcpslice 1322611179.548 1322611179.549 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: Egg Source List: C & C List: Peer 
Coord. List: Resource List: Observed Start: 11/29/2011 16:10:08.834 PST Gen. Time: 11/29/2011 16:10:08.834 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 128.163.142.20 (16:10:08.834 PST) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 38863->2126 (16:10:08.834 PST) tcpslice 1322611808.834 1322611808.835 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 11/29/2011 16:10:08.834 PST Gen. Time: 11/29/2011 16:14:01.995 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 184.105.178.92 (16:13:36.399 PST) event=1:9910020 {udp} E8[rb] ET ShadowServer confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 2121->2121 (16:13:36.399 PST) 128.163.142.20 (16:10:08.834 PST) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 38863->2126 (16:10:08.834 PST) 206.207.248.34 (16:11:08.170 PST) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 4121->4121 (16:11:08.170 PST) tcpslice 1322611808.834 1322611808.835 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 11/29/2011 16:20:53.918 PST Gen. 
Time: 11/29/2011 16:20:53.918 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 206.207.248.34 (16:20:53.918 PST) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 37598->2126 (16:20:53.918 PST) tcpslice 1322612453.918 1322612453.919 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 11/29/2011 16:20:53.918 PST Gen. Time: 11/29/2011 16:24:27.939 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 128.186.122.86 (16:21:08.053 PST) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 49302->56079 (16:21:08.053 PST) 206.207.248.34 (16:20:53.918 PST) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 37598->2126 (16:20:53.918 PST) tcpslice 1322612453.918 1322612453.919 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 11/29/2011 16:31:10.726 PST Gen. 
Time: 11/29/2011 16:31:10.726 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 206.207.248.34 (16:31:10.726 PST) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 2122->2122 (16:31:10.726 PST) tcpslice 1322613070.726 1322613070.727 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 11/29/2011 16:31:10.726 PST Gen. Time: 11/29/2011 16:34:48.356 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 132.239.17.226 (16:31:24.552 PST) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 57563->2128 (16:31:24.552 PST) 184.105.178.92 (16:31:24.017 PST) event=1:9910020 {udp} E8[rb] ET ShadowServer confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 2121->2121 (16:31:24.017 PST) 206.207.248.34 (16:31:10.726 PST) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 2122->2122 (16:31:10.726 PST) tcpslice 1322613070.726 1322613070.727 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 11/29/2011 16:41:10.431 PST Gen. 
Time: 11/29/2011 16:41:10.431 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 128.186.122.86 (16:41:10.431 PST) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 49302->56079 (16:41:10.431 PST) tcpslice 1322613670.431 1322613670.432 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 11/29/2011 16:41:10.431 PST Gen. Time: 11/29/2011 16:45:07.017 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 132.239.17.226 (16:43:03.624 PST) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 40405->2128 (16:43:03.624 PST) 128.186.122.86 (16:41:10.431 PST) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 49302->56079 (16:41:10.431 PST) 184.105.178.92 (16:43:09.799 PST) event=1:9910020 {udp} E8[rb] ET ShadowServer confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 2121->2121 (16:43:09.799 PST) tcpslice 1322613670.431 1322613670.432 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 11/29/2011 16:51:11.874 PST Gen. 
Time: 11/29/2011 16:51:11.874 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 195.37.16.125 (16:51:11.874 PST) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 54593->54593 (16:51:11.874 PST) tcpslice 1322614271.874 1322614271.875 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 11/29/2011 16:54:52.985 PST Gen. Time: 11/29/2011 16:54:52.985 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 132.239.17.226 (16:54:52.985 PST) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 51745->40756 (16:54:52.985 PST) tcpslice 1322614492.985 1322614492.986 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 11/29/2011 17:00:56.661 PST Gen. 
Time: 11/29/2011 17:00:56.661 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 184.105.178.92 (17:00:56.661 PST) event=1:9910020 {udp} E8[rb] ET ShadowServer confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 2121->2121 (17:00:56.661 PST) tcpslice 1322614856.661 1322614856.662 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 11/29/2011 17:00:56.661 PST Gen. Time: 11/29/2011 17:04:57.342 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 184.105.178.92 (17:00:56.661 PST) event=1:9910020 {udp} E8[rb] ET ShadowServer confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 2121->2121 (17:00:56.661 PST) 195.37.16.125 (17:01:11.758 PST) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 54593->54593 (17:01:11.758 PST) tcpslice 1322614856.661 1322614856.662 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 11/29/2011 17:05:42.133 PST Gen. 
Time: 11/29/2011 17:05:42.133 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 132.239.17.226 (17:05:42.133 PST) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 54266->2128 (17:05:42.133 PST) tcpslice 1322615142.133 1322615142.134 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 11/29/2011 17:11:11.457 PST Gen. Time: 11/29/2011 17:11:11.457 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 128.186.122.86 (17:11:11.457 PST) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 49302->56079 (17:11:11.457 PST) tcpslice 1322615471.457 1322615471.458 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 11/29/2011 17:11:11.457 PST Gen. 
Time: 11/29/2011 17:14:36.612 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 128.186.122.86 (17:11:11.457 PST) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 49302->56079 (17:11:11.457 PST) 184.105.178.92 (17:12:42.211 PST) event=1:9910020 {udp} E8[rb] ET ShadowServer confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 2121->2121 (17:12:42.211 PST) tcpslice 1322615471.457 1322615471.458 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 11/29/2011 17:19:54.335 PST Gen. Time: 11/29/2011 17:19:54.335 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 132.239.17.226 (17:19:54.335 PST) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 40372->2126 (17:19:54.335 PST) tcpslice 1322615994.335 1322615994.336 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 11/29/2011 17:19:54.335 PST Gen. 
Time: 11/29/2011 17:23:12.191 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 138.238.250.155 (17:21:15.013 PST) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 54593->54593 (17:21:15.013 PST) 132.239.17.226 (17:19:54.335 PST) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 40372->2126 (17:19:54.335 PST) tcpslice 1322615994.335 1322615994.336 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 11/29/2011 17:30:28.817 PST Gen. Time: 11/29/2011 17:30:28.817 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 184.105.178.92 (17:30:28.817 PST) event=1:9910020 {udp} E8[rb] ET ShadowServer confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 2121->2121 (17:30:28.817 PST) tcpslice 1322616628.817 1322616628.818 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 11/29/2011 17:30:28.817 PST Gen. 
Time: 11/29/2011 17:34:45.990 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 128.186.122.86 (17:31:20.517 PST) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 49302->56079 (17:31:20.517 PST) 128.163.142.20 (17:31:21.560 PST) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 34366->2126 (17:31:21.560 PST) 184.105.178.92 (17:30:28.817 PST) event=1:9910020 {udp} E8[rb] ET ShadowServer confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 2121->2121 (17:30:28.817 PST) tcpslice 1322616628.817 1322616628.818 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 11/29/2011 17:41:20.015 PST Gen. Time: 11/29/2011 17:41:20.015 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 206.207.248.34 (17:41:20.015 PST) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 2122->2122 (17:41:20.015 PST) tcpslice 1322617280.015 1322617280.016 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 11/29/2011 17:41:20.015 PST Gen. 
Time: 11/29/2011 17:45:20.710 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 184.105.178.92 (17:42:15.678 PST) event=1:9910020 {udp} E8[rb] ET ShadowServer confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 2121->2121 (17:42:15.678 PST) 206.207.248.34 (17:41:20.015 PST) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 2122->2122 (17:41:20.015 PST) tcpslice 1322617280.015 1322617280.016 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 11/29/2011 17:45:46.506 PST Gen. Time: 11/29/2011 17:45:46.506 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 132.239.17.226 (17:45:46.506 PST) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 51308->2128 (17:45:46.506 PST) tcpslice 1322617546.506 1322617546.507 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 11/29/2011 17:51:26.455 PST Gen. 
Time: 11/29/2011 17:51:26.455 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 195.37.16.125 (17:51:26.455 PST) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 54593->54593 (17:51:26.455 PST) tcpslice 1322617886.455 1322617886.456 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 1.3 (>= 0.8) Infected Target: 192.168.1.102 Infector List: Egg Source List: C & C List: 199.255.189.60 Peer Coord. List: Resource List: Observed Start: 11/29/2011 17:51:26.455 PST Gen. Time: 11/29/2011 17:55:21.120 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC 199.255.189.60 (17:52:29.645 PST) event=1:2012801 {tcp} E4[rb] (experimental) ET USER_AGENTS Spoofed MSIE 7 User-Agent Likely Ponmocup, [/user_details_reviews_self?review_sort=time&rec_pagestart=0&userid=RUnFaVjqdSlgQYAUcZLzzg] MAC_Src: 00:21:5A:08:EC:40 36925->80 (17:52:29.645 PST) C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 195.37.16.125 (17:51:26.455 PST) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 54593->54593 (17:51:26.455 PST) tcpslice 1322617886.455 1322617886.456 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 11/29/2011 17:57:47.701 PST Gen. 
Time: 11/29/2011 17:57:47.701 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 132.239.17.226 (17:57:47.701 PST) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 33950->2126 (17:57:47.701 PST) tcpslice 1322618267.701 1322618267.702 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 11/29/2011 17:57:47.701 PST Gen. Time: 11/29/2011 18:01:16.215 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 132.239.17.226 (17:57:47.701 PST) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 33950->2126 (17:57:47.701 PST) 184.105.178.92 (18:00:01.289 PST) event=1:9910020 {udp} E8[rb] ET ShadowServer confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 2121->2121 (18:00:01.289 PST) tcpslice 1322618267.701 1322618267.702 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 11/29/2011 18:01:28.306 PST Gen. 
Time: 11/29/2011 18:01:28.306 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 132.239.17.226 (18:01:28.306 PST) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 2122->2122 (18:01:28.306 PST) tcpslice 1322618488.306 1322618488.307 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 11/29/2011 18:08:11.506 PST Gen. Time: 11/29/2011 18:08:11.506 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 206.207.248.34 (18:08:11.506 PST) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 53934->2126 (18:08:11.506 PST) tcpslice 1322618891.506 1322618891.507 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 11/29/2011 18:08:11.506 PST Gen. 
Time: 11/29/2011 18:11:46.776 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 128.186.122.86 (18:11:28.081 PST) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 49302->56079 (18:11:28.081 PST) 184.105.178.92 (18:11:46.776 PST) event=1:9910020 {udp} E8[rb] ET ShadowServer confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 2121->2121 (18:11:46.776 PST) 206.207.248.34 (18:08:11.506 PST) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 53934->2126 (18:08:11.506 PST) tcpslice 1322618891.506 1322618891.507 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 11/29/2011 18:18:52.614 PST Gen. Time: 11/29/2011 18:18:52.614 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 132.239.17.226 (18:18:52.614 PST) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 55644->2128 (18:18:52.614 PST) tcpslice 1322619532.614 1322619532.615 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 11/29/2011 18:21:28.120 PST Gen. 
Time: 11/29/2011 18:21:28.120 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 134.34.246.5 (18:21:28.120 PST) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 23127->23127 (18:21:28.120 PST) tcpslice 1322619688.120 1322619688.121 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 11/29/2011 18:29:34.771 PST Gen. Time: 11/29/2011 18:29:34.771 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 184.105.178.92 (18:29:34.771 PST) event=1:9910020 {udp} E8[rb] ET ShadowServer confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 2121->2121 (18:29:34.771 PST) tcpslice 1322620174.771 1322620174.772 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 11/29/2011 18:29:34.771 PST Gen. 
Time: 11/29/2011 18:33:49.510 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 184.105.178.92 (2) (18:29:34.771 PST) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 2121->2121 (18:31:29.878 PST) ------------------------- event=1:9910020 {udp} E8[rb] ET ShadowServer confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 2121->2121 (18:29:34.771 PST) tcpslice 1322620174.771 1322620174.772 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 11/29/2011 18:36:27.648 PST Gen. Time: 11/29/2011 18:36:27.648 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 132.239.17.226 (18:36:27.648 PST) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 50330->2128 (18:36:27.648 PST) tcpslice 1322620587.648 1322620587.649 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 11/29/2011 18:41:20.244 PST Gen. 
Time: 11/29/2011 18:41:20.244 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 184.105.178.92 (18:41:20.244 PST) event=1:9910020 {udp} E8[rb] ET ShadowServer confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 2121->2121 (18:41:20.244 PST) tcpslice 1322620880.244 1322620880.245 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 11/29/2011 18:41:20.244 PST Gen. Time: 11/29/2011 18:45:34.324 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 130.149.49.136 (18:41:32.026 PST) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 23127->23127 (18:41:32.026 PST) 184.105.178.92 (18:41:20.244 PST) event=1:9910020 {udp} E8[rb] ET ShadowServer confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 2121->2121 (18:41:20.244 PST) tcpslice 1322620880.244 1322620880.245 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 11/29/2011 18:48:01.056 PST Gen. 
Time: 11/29/2011 18:48:01.056 PST
   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION
   DECLARE BOT
      128.163.142.20 (18:48:01.056 PST)
         event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 50766->33531 (18:48:01.056 PST)

tcpslice 1322621281.056 1322621281.057 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 11/29/2011 18:51:35.831 PST
Gen. Time: 11/29/2011 18:51:35.831 PST
   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION
   DECLARE BOT
      206.207.248.34 (18:51:35.831 PST)
         event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 2122->2122 (18:51:35.831 PST)

tcpslice 1322621495.831 1322621495.832 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 11/29/2011 18:58:36.779 PST
Gen. Time: 11/29/2011 18:58:36.779 PST
   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION
   DECLARE BOT
      132.239.17.226 (18:58:36.779 PST)
         event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 59447->57930 (18:58:36.779 PST)

tcpslice 1322621916.779 1322621916.780 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 11/29/2011 18:58:36.779 PST
Gen. Time: 11/29/2011 19:02:36.899 PST
   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION
   DECLARE BOT
      132.239.17.226 (18:58:36.779 PST)
         event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 59447->57930 (18:58:36.779 PST)
      184.105.178.92 (18:59:07.267 PST)
         event=1:9910020 {udp} E8[rb] ET ShadowServer confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 2121->2121 (18:59:07.267 PST)
      195.37.16.125 (19:01:36.078 PST)
         event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 54593->54593 (19:01:36.078 PST)

tcpslice 1322621916.779 1322621916.780 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 11/29/2011 19:10:34.001 PST
Gen. Time: 11/29/2011 19:10:34.001 PST
   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION
   DECLARE BOT
      206.207.248.34 (19:10:34.001 PST)
         event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 36432->2126 (19:10:34.001 PST)

tcpslice 1322622634.001 1322622634.002 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 11/29/2011 19:10:34.001 PST
Gen. Time: 11/29/2011 19:13:25.472 PST
   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION
   DECLARE BOT
      184.105.178.92 (19:10:51.807 PST)
         event=1:9910020 {udp} E8[rb] ET ShadowServer confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 2121->2121 (19:10:51.807 PST)
      206.207.248.34 (19:10:34.001 PST)
         event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 36432->2126 (19:10:34.001 PST)
      130.104.72.201 (19:11:39.403 PST)
         event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 4121->4121 (19:11:39.403 PST)

tcpslice 1322622634.001 1322622634.002 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 11/29/2011 19:13:57.998 PST
Gen. Time: 11/29/2011 19:13:57.998 PST
   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION
   DECLARE BOT
      129.93.229.138 (19:13:57.998 PST)
         event=1:9910025 {tcp} E8[rb] CLEAN-MX Webserver hosting Malicious URL, [] MAC_Src: 00:21:5A:08:EC:40 49301->48541 (19:13:57.998 PST)

tcpslice 1322622837.998 1322622837.999 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 11/29/2011 19:21:39.679 PST
Gen. Time: 11/29/2011 19:21:39.679 PST
   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION
   DECLARE BOT
      206.207.248.34 (19:21:39.679 PST)
         event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 2122->2122 (19:21:39.679 PST)

tcpslice 1322623299.679 1322623299.680 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 11/29/2011 19:21:39.679 PST
Gen. Time: 11/29/2011 19:24:53.195 PST
   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION
   DECLARE BOT
      137.165.1.111 (19:24:11.713 PST)
         event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 43781->38226 (19:24:11.713 PST)
      206.207.248.34 (19:21:39.679 PST)
         event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 2122->2122 (19:21:39.679 PST)

tcpslice 1322623299.679 1322623299.680 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 11/29/2011 19:28:40.032 PST
Gen. Time: 11/29/2011 19:28:40.032 PST
   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION
   DECLARE BOT
      184.105.178.92 (19:28:40.032 PST)
         event=1:9910020 {udp} E8[rb] ET ShadowServer confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 2121->2121 (19:28:40.032 PST)

tcpslice 1322623720.032 1322623720.033 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 11/29/2011 19:28:40.032 PST
Gen. Time: 11/29/2011 19:32:13.456 PST
   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION
   DECLARE BOT
      184.105.178.92 (19:28:40.032 PST)
         event=1:9910020 {udp} E8[rb] ET ShadowServer confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 2121->2121 (19:28:40.032 PST)
      195.37.16.125 (19:31:41.195 PST)
         event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 54593->54593 (19:31:41.195 PST)

tcpslice 1322623720.032 1322623720.033 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 11/29/2011 19:40:05.073 PST
Gen. Time: 11/29/2011 19:40:05.073 PST
   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION
   DECLARE BOT
      130.104.72.201 (19:40:05.073 PST)
         event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 40752->48629 (19:40:05.073 PST)

tcpslice 1322624405.073 1322624405.074 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 11/29/2011 19:40:05.073 PST
Gen. Time: 11/29/2011 19:42:49.833 PST
   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION
   DECLARE BOT
      134.34.246.5 (19:41:41.130 PST)
         event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 4121->4121 (19:41:41.130 PST)
      184.105.178.92 (19:40:24.498 PST)
         event=1:9910020 {udp} E8[rb] ET ShadowServer confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 2121->2121 (19:40:24.498 PST)
      130.104.72.201 (19:40:05.073 PST)
         event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 40752->48629 (19:40:05.073 PST)

tcpslice 1322624405.073 1322624405.074 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 11/29/2011 19:50:45.457 PST
Gen. Time: 11/29/2011 19:50:45.457 PST
   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION
   DECLARE BOT
      132.239.17.226 (19:50:45.457 PST)
         event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 53429->2128 (19:50:45.457 PST)

tcpslice 1322625045.457 1322625045.458 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 11/29/2011 19:50:45.457 PST
Gen. Time: 11/29/2011 19:53:01.209 PST
   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION
   DECLARE BOT
      134.34.246.5 (19:51:43.708 PST)
         event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 2121->2121 (19:51:43.708 PST)
      132.239.17.226 (19:50:45.457 PST)
         event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 53429->2128 (19:50:45.457 PST)

tcpslice 1322625045.457 1322625045.458 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 11/29/2011 19:58:14.931 PST
Gen. Time: 11/29/2011 19:58:14.931 PST
   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION
   DECLARE BOT
      184.105.178.92 (19:58:14.931 PST)
         event=1:9910020 {udp} E8[rb] ET ShadowServer confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 2121->2121 (19:58:14.931 PST)

tcpslice 1322625494.931 1322625494.932 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 11/29/2011 19:58:14.931 PST
Gen. Time: 11/29/2011 20:01:46.968 PST
   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION
   DECLARE BOT
      184.105.178.92 (19:58:14.931 PST)
         event=1:9910020 {udp} E8[rb] ET ShadowServer confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 2121->2121 (19:58:14.931 PST)
      143.89.49.74 (20:01:46.968 PST)
         event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 2121->2121 (20:01:46.968 PST)

tcpslice 1322625494.931 1322625494.932 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 11/29/2011 20:07:04.040 PST
Gen. Time: 11/29/2011 20:07:04.040 PST
   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION
   DECLARE BOT
      206.207.248.34 (20:07:04.040 PST)
         event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 37712->2126 (20:07:04.040 PST)

tcpslice 1322626024.040 1322626024.041 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 11/29/2011 20:07:04.040 PST
Gen. Time: 11/29/2011 20:11:34.060 PST
   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION
   DECLARE BOT
      184.105.178.92 (20:09:58.327 PST)
         event=1:9910020 {udp} E8[rb] ET ShadowServer confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 2121->2121 (20:09:58.327 PST)
      206.207.248.34 (20:07:04.040 PST)
         event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 37712->2126 (20:07:04.040 PST)

tcpslice 1322626024.040 1322626024.041 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 11/29/2011 20:11:52.058 PST
Gen. Time: 11/29/2011 20:11:52.058 PST
   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION
   DECLARE BOT
      132.239.17.226 (20:11:52.058 PST)
         event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 2122->2122 (20:11:52.058 PST)

tcpslice 1322626312.058 1322626312.059 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 11/29/2011 20:19:36.857 PST
Gen. Time: 11/29/2011 20:19:36.857 PST
   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION
   DECLARE BOT
      206.207.248.34 (20:19:36.857 PST)
         event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 56349->2126 (20:19:36.857 PST)

tcpslice 1322626776.857 1322626776.858 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 11/29/2011 20:19:36.857 PST
Gen. Time: 11/29/2011 20:23:17.636 PST
   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION
   DECLARE BOT
      206.207.248.34 (20:19:36.857 PST)
         event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 56349->2126 (20:19:36.857 PST)
      195.37.16.125 (20:21:55.724 PST)
         event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 54593->54593 (20:21:55.724 PST)

tcpslice 1322626776.857 1322626776.858 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 11/29/2011 20:27:45.933 PST
Gen. Time: 11/29/2011 20:27:45.933 PST
   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION
   DECLARE BOT
      184.105.178.92 (20:27:45.933 PST)
         event=1:9910020 {udp} E8[rb] ET ShadowServer confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 2121->2121 (20:27:45.933 PST)

tcpslice 1322627265.933 1322627265.934 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 11/29/2011 20:27:45.933 PST
Gen. Time: 11/29/2011 20:31:15.845 PST
   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION
   DECLARE BOT
      184.105.178.92 (20:27:45.933 PST)
         event=1:9910020 {udp} E8[rb] ET ShadowServer confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 2121->2121 (20:27:45.933 PST)
      206.207.248.34 (20:30:05.267 PST)
         event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 58999->2128 (20:30:05.267 PST)

tcpslice 1322627265.933 1322627265.934 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 11/29/2011 20:31:55.666 PST
Gen. Time: 11/29/2011 20:31:55.666 PST
   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION
   DECLARE BOT
      195.37.16.125 (20:31:55.666 PST)
         event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 54593->54593 (20:31:55.666 PST)

tcpslice 1322627515.666 1322627515.667 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 11/29/2011 20:39:32.885 PST
Gen. Time: 11/29/2011 20:39:32.885 PST
   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION
   DECLARE BOT
      184.105.178.92 (20:39:32.885 PST)
         event=1:9910020 {udp} E8[rb] ET ShadowServer confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 2121->2121 (20:39:32.885 PST)

tcpslice 1322627972.885 1322627972.886 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 11/29/2011 20:39:32.885 PST
Gen. Time: 11/29/2011 20:43:16.555 PST
   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION
   DECLARE BOT
      134.34.246.5 (20:41:55.131 PST)
         event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 30599->30599 (20:41:55.131 PST)
      184.105.178.92 (20:39:32.885 PST)
         event=1:9910020 {udp} E8[rb] ET ShadowServer confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 2121->2121 (20:39:32.885 PST)
      206.207.248.34 (20:41:20.879 PST)
         event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 45754->2126 (20:41:20.879 PST)

tcpslice 1322627972.885 1322627972.886 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 11/29/2011 20:51:57.337 PST
Gen. Time: 11/29/2011 20:51:57.337 PST
   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION
   DECLARE BOT
      128.186.122.86 (20:51:57.337 PST)
         event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 49302->40140 (20:51:57.337 PST)

tcpslice 1322628717.337 1322628717.338 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 11/29/2011 20:51:57.337 PST
Gen. Time: 11/29/2011 20:56:40.369 PST
   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION
   DECLARE BOT
      128.186.122.86 (20:51:57.337 PST)
         event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 49302->40140 (20:51:57.337 PST)
      128.163.142.20 (20:52:41.260 PST)
         event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 39890->2128 (20:52:41.260 PST)

tcpslice 1322628717.337 1322628717.338 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 11/29/2011 20:57:19.711 PST
Gen. Time: 11/29/2011 20:57:19.711 PST
   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION
   DECLARE BOT
      184.105.178.92 (20:57:19.711 PST)
         event=1:9910020 {udp} E8[rb] ET ShadowServer confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 2121->2121 (20:57:19.711 PST)

tcpslice 1322629039.711 1322629039.712 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 11/29/2011 21:02:00.507 PST
Gen. Time: 11/29/2011 21:02:00.507 PST
   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION
   DECLARE BOT
      195.37.16.125 (21:02:00.507 PST)
         event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 54593->54593 (21:02:00.507 PST)

tcpslice 1322629320.507 1322629320.508 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 11/29/2011 21:06:57.409 PST
Gen. Time: 11/29/2011 21:06:57.409 PST
   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION
   DECLARE BOT
      195.37.16.125 (21:06:57.409 PST)
         event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 47589->49301 (21:06:57.409 PST)

tcpslice 1322629617.409 1322629617.410 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 11/29/2011 21:06:57.409 PST
Gen. Time: 11/29/2011 21:11:20.334 PST
   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION
   DECLARE BOT
      184.105.178.92 (21:09:06.131 PST)
         event=1:9910020 {udp} E8[rb] ET ShadowServer confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 2121->2121 (21:09:06.131 PST)
      195.37.16.125 (21:06:57.409 PST)
         event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 47589->49301 (21:06:57.409 PST)

tcpslice 1322629617.409 1322629617.410 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 11/29/2011 21:12:01.860 PST
Gen. Time: 11/29/2011 21:12:01.860 PST
   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION
   DECLARE BOT
      132.239.17.226 (21:12:01.860 PST)
         event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 2122->2122 (21:12:01.860 PST)

tcpslice 1322629921.860 1322629921.861 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 11/29/2011 21:19:24.600 PST
Gen. Time: 11/29/2011 21:19:24.600 PST
   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION
   DECLARE BOT
      206.207.248.34 (21:19:24.600 PST)
         event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 44987->2126 (21:19:24.600 PST)

tcpslice 1322630364.600 1322630364.601 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 11/29/2011 21:19:24.600 PST
Gen. Time: 11/29/2011 21:23:15.577 PST
   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION
   DECLARE BOT
      134.34.246.5 (21:22:03.132 PST)
         event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 23127->23127 (21:22:03.132 PST)
      206.207.248.34 (21:19:24.600 PST)
         event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 44987->2126 (21:19:24.600 PST)

tcpslice 1322630364.600 1322630364.601 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 11/29/2011 21:26:52.472 PST
Gen. Time: 11/29/2011 21:26:52.472 PST
   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION
   DECLARE BOT
      184.105.178.92 (21:26:52.472 PST)
         event=1:9910020 {udp} E8[rb] ET ShadowServer confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 2121->2121 (21:26:52.472 PST)

tcpslice 1322630812.472 1322630812.473 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 11/29/2011 21:31:38.577 PST
Gen. Time: 11/29/2011 21:31:38.577 PST
   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION
   DECLARE BOT
      129.93.229.138 (21:31:38.577 PST)
         event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 46349->49302 (21:31:38.577 PST)

tcpslice 1322631098.577 1322631098.578 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 11/29/2011 21:31:38.577 PST
Gen. Time: 11/29/2011 21:35:01.701 PST
   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION
   DECLARE BOT
      130.149.49.136 (21:32:05.683 PST)
         event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 49302->49302 (21:32:05.683 PST)
      129.93.229.138 (21:31:38.577 PST)
         event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 46349->49302 (21:31:38.577 PST)

tcpslice 1322631098.577 1322631098.578 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 11/29/2011 21:38:37.566 PST
Gen. Time: 11/29/2011 21:38:37.566 PST
   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION
   DECLARE BOT
      184.105.178.92 (21:38:37.566 PST)
         event=1:9910020 {udp} E8[rb] ET ShadowServer confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 2121->2121 (21:38:37.566 PST)

tcpslice 1322631517.566 1322631517.567 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 11/29/2011 21:42:05.401 PST
Gen. Time: 11/29/2011 21:42:05.401 PST
   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION
   DECLARE BOT
      132.239.17.226 (21:42:05.401 PST)
         event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 2122->2122 (21:42:05.401 PST)

tcpslice 1322631725.401 1322631725.402 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 11/29/2011 21:42:05.401 PST
Gen. Time: 11/29/2011 21:45:30.541 PST
   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION
   DECLARE BOT
      132.239.17.226 (21:42:05.401 PST)
         event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 2122->2122 (21:42:05.401 PST)
      206.207.248.34 (21:43:31.817 PST)
         event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 58868->2128 (21:43:31.817 PST)

tcpslice 1322631725.401 1322631725.402 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 11/29/2011 21:52:06.934 PST
Gen. Time: 11/29/2011 21:52:06.934 PST
   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION
   DECLARE BOT
      128.227.11.13 (21:52:06.934 PST)
         event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 49302->65535 (21:52:06.934 PST)

tcpslice 1322632326.934 1322632326.935 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 11/29/2011 21:56:24.396 PST
Gen. Time: 11/29/2011 21:56:24.396 PST
   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION
   DECLARE BOT
      184.105.178.92 (21:56:24.396 PST)
         event=1:9910020 {udp} E8[rb] ET ShadowServer confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 2121->2121 (21:56:24.396 PST)

tcpslice 1322632584.396 1322632584.397 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 11/29/2011 22:02:06.981 PST
Gen. Time: 11/29/2011 22:02:06.981 PST
   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION
   DECLARE BOT
      132.239.17.226 (22:02:06.981 PST)
         event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 2122->2122 (22:02:06.981 PST)

tcpslice 1322632926.981 1322632926.982 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 11/29/2011 22:02:06.981 PST
Gen. Time: 11/29/2011 22:06:11.634 PST
   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION
   DECLARE BOT
      132.239.17.226 (2) (22:02:06.981 PST)
         event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 34721->2128 (22:04:16.141 PST)
         -------------------------
         event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 2122->2122 (22:02:06.981 PST)

tcpslice 1322632926.981 1322632926.982 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 11/29/2011 22:08:10.839 PST
Gen.
Time: 11/29/2011 22:08:10.839 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 184.105.178.92 (22:08:10.839 PST) event=1:9910020 {udp} E8[rb] ET ShadowServer confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 2121->2121 (22:08:10.839 PST) tcpslice 1322633290.839 1322633290.840 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 11/29/2011 22:08:10.839 PST Gen. Time: 11/29/2011 22:12:09.361 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 128.163.142.20 (22:12:09.361 PST) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 4878->4878 (22:12:09.361 PST) 184.105.178.92 (22:08:10.839 PST) event=1:9910020 {udp} E8[rb] ET ShadowServer confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 2121->2121 (22:08:10.839 PST) tcpslice 1322633290.839 1322633290.840 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 11/29/2011 22:20:15.791 PST Gen. 
Time: 11/29/2011 22:20:15.791 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 128.163.142.20 (22:20:15.791 PST) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 40494->55002 (22:20:15.791 PST) tcpslice 1322634015.791 1322634015.792 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 11/29/2011 22:20:15.791 PST Gen. Time: 11/29/2011 22:23:44.285 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 132.239.17.226 (22:22:10.451 PST) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 2122->2122 (22:22:10.451 PST) 128.163.142.20 (22:20:15.791 PST) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 40494->55002 (22:20:15.791 PST) tcpslice 1322634015.791 1322634015.792 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 11/29/2011 22:25:58.056 PST Gen. 
Time: 11/29/2011 22:25:58.056 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 184.105.178.92 (22:25:58.056 PST) event=1:9910020 {udp} E8[rb] ET ShadowServer confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 2121->2121 (22:25:58.056 PST) tcpslice 1322634358.056 1322634358.057 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 11/29/2011 22:32:11.231 PST Gen. Time: 11/29/2011 22:32:11.231 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 206.207.248.34 (22:32:11.231 PST) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 2121->2121 (22:32:11.231 PST) tcpslice 1322634731.231 1322634731.232 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 11/29/2011 22:32:11.231 PST Gen. 
Time: 11/29/2011 22:35:18.446 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 132.239.17.226 (22:35:05.248 PST) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 56816->2126 (22:35:05.248 PST) 206.207.248.34 (22:32:11.231 PST) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 2121->2121 (22:32:11.231 PST) tcpslice 1322634731.231 1322634731.232 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 11/29/2011 22:37:43.423 PST Gen. Time: 11/29/2011 22:37:43.423 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 184.105.178.92 (22:37:43.423 PST) event=1:9910020 {udp} E8[rb] ET ShadowServer confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 2121->2121 (22:37:43.423 PST) tcpslice 1322635063.423 1322635063.424 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 11/29/2011 22:42:12.416 PST Gen. 
Time: 11/29/2011 22:42:12.416 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 195.37.16.125 (22:42:12.416 PST) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 54593->54593 (22:42:12.416 PST) tcpslice 1322635332.416 1322635332.417 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 11/29/2011 22:46:11.598 PST Gen. Time: 11/29/2011 22:46:11.598 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 128.163.142.20 (22:46:11.598 PST) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 37556->2128 (22:46:11.598 PST) tcpslice 1322635571.598 1322635571.599 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 11/29/2011 22:52:20.631 PST Gen. 
Time: 11/29/2011 22:52:20.631 PST INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT 128.2.211.114 (22:52:20.631 PST) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 4121->4121 (22:52:20.631 PST) tcpslice 1322635940.631 1322635940.632 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================
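The profiles above are BotHunter infection reports for 192.168.1.102, one per SEPARATOR, each ending in the tcpslice | tcpdump line that carves the triggering traffic out of the capture. As an added example (not BotHunter's own code and not part of the original report), the Python below parses that layout into records, keeps each evidence entry under whichever of the 13 sections it was printed in, checks that a report's tcpslice window begins at its Observed Start, and rebuilds the same extraction pipeline with a wider window. It assumes the report's PST timestamps are UTC-8 (late November, so no daylight time); the field names, the pad parameter and the two sample profiles (copied from the report above with the empty section headings trimmed) are mine, and the Infector/Egg Source/C & C/Peer Coord./Resource list lines are skipped.

```python
"""Parse BotHunter infection profiles (the layout shown above) into dicts.
Added example, not BotHunter code: field names, regexes and helpers are my own."""
import re
from collections import Counter
from datetime import datetime, timedelta, timezone

SECTIONS = (  # the 13 evidence sections, in the order BotHunter prints them
    "INBOUND SCAN", "EXPLOIT", "EXPLOIT MALWARE DNS", "EGG DOWNLOAD",
    "C and C TRAFFIC", "C and C TRAFFIC (RBN)", "C and C DNS CHECK-IN",
    "OUTBOUND SKYPE CANDIDATE", "OUTBOUND SCAN (spp)", "OUTBOUND SCAN",
    "ATTACK PREP", "PEER COORDINATION", "DECLARE BOT",
)
RE_SCORE = re.compile(r"^Score: ([\d.]+) \(>= ([\d.]+)\)$")
RE_ENTRY = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3})(?: \((\d+)\))? \((\S+ PST)\)$")
RE_EVENT = re.compile(r"^event=(\d+:\d+) \{(\w+)\} (\S+) (.*?), \[(.*?)\] MAC_Src: (\S+)$")
RE_PORTS = re.compile(r"^(\d+)->(\d+) \((\S+ PST)\)$")
RE_SLICE = re.compile(r"^tcpslice (\d+\.\d+) (\d+\.\d+) ")
PST = timezone(timedelta(hours=-8))  # assumption: report times are PST = UTC-8 (no DST in November)

# Constructed sample: two profiles copied from the report above, empty section headings trimmed.
SAMPLE = """\
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Observed Start: 11/29/2011 21:38:37.566 PST
Gen. Time: 11/29/2011 21:38:37.566 PST
  INBOUND SCAN
  DECLARE BOT
    184.105.178.92 (21:38:37.566 PST)
      event=1:9910020 {udp} E8[rb] ET ShadowServer confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40
      2121->2121 (21:38:37.566 PST)
tcpslice 1322631517.566 1322631517.567 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Observed Start: 11/29/2011 22:02:06.981 PST
Gen. Time: 11/29/2011 22:06:11.634 PST
  DECLARE BOT
    132.239.17.226 (2) (22:02:06.981 PST)
      event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40
      34721->2128 (22:04:16.141 PST)
      -------------------------
      event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40
      2122->2122 (22:02:06.981 PST)
tcpslice 1322632926.981 1322632926.982 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'
============================== SEPARATOR ================================
"""

def parse_profiles(text):
    """One dict per SEPARATOR-delimited profile; lines the grammar does not know are skipped."""
    profiles, cur, section, entry = [], None, None, None
    for line in (raw.strip() for raw in text.splitlines()):
        if m := RE_SCORE.match(line):                        # a new profile begins
            cur = {"score": float(m[1]), "threshold": float(m[2]), "sections": {}, "tcpslice": None}
            section = entry = None
        elif cur is None:
            continue
        elif line.startswith(("Infected Target:", "Observed Start:", "Gen. Time:")):
            key, val = line.split(":", 1)
            cur[key.lower().replace(". ", "_").replace(" ", "_")] = val.strip()
        elif line in SECTIONS:                               # evidence section heading
            section, entry = line, None
        elif section and (m := RE_ENTRY.match(line)):        # "ip [(n)] (first seen)"
            entry = {"ip": m[1], "count": int(m[2] or 1), "first_seen": m[3], "events": []}
            cur["sections"].setdefault(section, []).append(entry)
        elif entry and (m := RE_EVENT.match(line)):          # Snort-style rule hit
            entry["events"].append({"sid": m[1], "proto": m[2], "stage": m[3], "msg": m[4], "mac_src": m[6]})
        elif entry and entry["events"] and (m := RE_PORTS.match(line)):  # "sport->dport (time)"
            entry["events"][-1].update(sport=int(m[1]), dport=int(m[2]), time=m[3])
        elif m := RE_SLICE.match(line):
            cur["tcpslice"] = (float(m[1]), float(m[2]))
        elif "SEPARATOR" in line:
            profiles.append(cur)
            cur = None
    return profiles

def to_epoch(ts):
    """'11/29/2011 21:38:37.566 PST' -> Unix seconds, using the PST offset assumed above."""
    naive = datetime.strptime(ts.replace(" PST", ""), "%m/%d/%Y %H:%M:%S.%f")
    return naive.replace(tzinfo=PST).timestamp()

def slice_window_matches_start(p):
    """True when the report's tcpslice window begins at Observed Start (it does in the profiles above)."""
    return round(p["tcpslice"][0], 3) == round(to_epoch(p["observed_start"]), 3)

def slice_command(p, pad=60.0):
    """The report's tcpslice | tcpdump pipeline widened by `pad` seconds each side (the printed 1 ms window isolates only the packet that fired the rule)."""
    start, end = p["tcpslice"]
    return (f"tcpslice {start - pad:.3f} {end + pad:.3f} inputFile.tcpd | "
            f"tcpdump -r - -w outputFile.tcpd 'host {p['infected_target']}'")

def cnc_summary(profiles):
    """Declared control servers across profiles, weighted by event count: the pivot list."""
    hits = Counter()
    for p in profiles:
        for e in p["sections"].get("DECLARE BOT", []):
            hits[e["ip"]] += e["count"]
    return hits
```

Run parse_profiles over the whole report file instead of SAMPLE to get one record per profile; cnc_summary then gives the control-server IPs to pivot on, and slice_command produces an extraction command with enough context around each trigger packet to see the rest of the flow, since the start and end times BotHunter prints differ by only 0.001 s.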