Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 03/22/2012 00:03:03.871 PDT
Gen. Time: 03/22/2012 00:03:03.871 PDT

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
  128.2.211.114 (00:03:03.871 PDT)
    event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40
    2121->2121 (00:03:03.871 PDT)
DECLARE BOT

tcpslice 1332399783.871 1332399783.872 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 1.4 (>= 0.8)
Infected Target: 192.168.1.102
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 03/22/2012 00:03:03.871 PDT
Gen. Time: 03/22/2012 00:06:39.910 PDT

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
  128.2.211.114 (00:03:03.871 PDT)
    event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40
    2121->2121 (00:03:03.871 PDT)
DECLARE BOT
  128.2.211.114 (00:03:03.871 PDT)
    event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40
    2121->2121 (00:03:03.871 PDT)

tcpslice 1332399783.871 1332399783.872 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 1.4 (>= 0.8)
Infected Target: 192.168.1.102
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 03/22/2012 00:11:44.309 PDT
Gen. Time: 03/22/2012 00:11:44.309 PDT

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
  206.207.248.34 (00:11:44.309 PDT)
    event=1:9930005 {tcp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40
    39286->2126 (00:11:44.309 PDT)
DECLARE BOT
  206.207.248.34 (00:11:44.309 PDT)
    event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40
    39286->2126 (00:11:44.309 PDT)

tcpslice 1332400304.309 1332400304.310 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 1.4 (>= 0.8)
Infected Target: 192.168.1.102
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 03/22/2012 00:11:44.309 PDT
Gen. Time: 03/22/2012 00:13:35.713 PDT

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
  206.207.248.34 (00:11:44.309 PDT)
    event=1:9930005 {tcp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40
    39286->2126 (00:11:44.309 PDT)
  195.37.16.125 (00:13:06.293 PDT)
    event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40
    54593->54593 (00:13:06.293 PDT)
DECLARE BOT
  206.207.248.34 (00:11:44.309 PDT)
    event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40
    39286->2126 (00:11:44.309 PDT)
  195.37.16.125 (00:13:06.293 PDT)
    event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40
    54593->54593 (00:13:06.293 PDT)

tcpslice 1332400304.309 1332400304.310 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 03/22/2012 00:23:09.772 PDT
Gen. Time: 03/22/2012 00:23:09.772 PDT

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
  128.2.211.114 (00:23:09.772 PDT)
    event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40
    2121->2121 (00:23:09.772 PDT)
DECLARE BOT

tcpslice 1332400989.772 1332400989.773 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 1.4 (>= 0.8)
Infected Target: 192.168.1.102
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 03/22/2012 00:23:09.772 PDT
Gen. Time: 03/22/2012 00:26:57.729 PDT

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
  128.2.211.114 (00:23:09.772 PDT)
    event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40
    2121->2121 (00:23:09.772 PDT)
  128.163.142.20 (00:25:46.965 PDT)
    event=1:9930005 {tcp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40
    58408->2128 (00:25:46.965 PDT)
DECLARE BOT
  128.2.211.114 (00:23:09.772 PDT)
    event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40
    2121->2121 (00:23:09.772 PDT)
  128.163.142.20 (00:25:46.965 PDT)
    event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40
    58408->2128 (00:25:46.965 PDT)

tcpslice 1332400989.772 1332400989.773 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 03/22/2012 00:33:10.624 PDT
Gen. Time: 03/22/2012 00:33:10.624 PDT

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
  130.149.49.136 (00:33:10.624 PDT)
    event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40
    54593->54593 (00:33:10.624 PDT)
DECLARE BOT

tcpslice 1332401590.624 1332401590.625 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 1.4 (>= 0.8)
Infected Target: 192.168.1.102
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 03/22/2012 00:33:10.624 PDT
Gen. Time: 03/22/2012 00:36:43.041 PDT

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
  130.149.49.136 (00:33:10.624 PDT)
    event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40
    54593->54593 (00:33:10.624 PDT)
DECLARE BOT
  130.149.49.136 (00:33:10.624 PDT)
    event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40
    54593->54593 (00:33:10.624 PDT)

tcpslice 1332401590.624 1332401590.625 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 1.4 (>= 0.8)
Infected Target: 192.168.1.102
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 03/22/2012 00:36:45.139 PDT
Gen. Time: 03/22/2012 00:36:45.139 PDT

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
  132.239.17.226 (00:36:45.139 PDT)
    event=1:9930005 {tcp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40
    35193->2126 (00:36:45.139 PDT)
DECLARE BOT
  132.239.17.226 (00:36:45.139 PDT)
    event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40
    35193->2126 (00:36:45.139 PDT)

tcpslice 1332401805.139 1332401805.140 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 03/22/2012 00:43:10.009 PDT
Gen. Time: 03/22/2012 00:43:10.009 PDT

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
  128.2.211.114 (00:43:10.009 PDT)
    event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40
    2121->2121 (00:43:10.009 PDT)
DECLARE BOT

tcpslice 1332402190.009 1332402190.010 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 1.4 (>= 0.8)
Infected Target: 192.168.1.102
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 03/22/2012 00:43:10.009 PDT
Gen. Time: 03/22/2012 00:46:18.370 PDT

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
  128.2.211.114 (00:43:10.009 PDT)
    event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40
    2121->2121 (00:43:10.009 PDT)
DECLARE BOT
  128.2.211.114 (00:43:10.009 PDT)
    event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40
    2121->2121 (00:43:10.009 PDT)

tcpslice 1332402190.009 1332402190.010 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 1.4 (>= 0.8)
Infected Target: 192.168.1.102
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 03/22/2012 00:47:52.482 PDT
Gen. Time: 03/22/2012 00:47:52.482 PDT

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
  206.207.248.34 (00:47:52.482 PDT)
    event=1:9930005 {tcp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40
    38301->2128 (00:47:52.482 PDT)
DECLARE BOT
  206.207.248.34 (00:47:52.482 PDT)
    event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40
    38301->2128 (00:47:52.482 PDT)

tcpslice 1332402472.482 1332402472.483 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 03/22/2012 00:53:10.669 PDT
Gen. Time: 03/22/2012 00:53:10.669 PDT

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
  130.149.49.136 (00:53:10.669 PDT)
    event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40
    54593->54593 (00:53:10.669 PDT)
DECLARE BOT

tcpslice 1332402790.669 1332402790.670 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 1.4 (>= 0.8)
Infected Target: 192.168.1.102
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 03/22/2012 00:53:10.669 PDT
Gen. Time: 03/22/2012 00:57:24.928 PDT

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
  130.149.49.136 (00:53:10.669 PDT)
    event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40
    54593->54593 (00:53:10.669 PDT)
DECLARE BOT
  130.149.49.136 (00:53:10.669 PDT)
    event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40
    54593->54593 (00:53:10.669 PDT)

tcpslice 1332402790.669 1332402790.670 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 1.4 (>= 0.8)
Infected Target: 192.168.1.102
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 03/22/2012 01:01:26.681 PDT
Gen. Time: 03/22/2012 01:01:26.681 PDT

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
  206.207.248.34 (01:01:26.681 PDT)
    event=1:9930005 {tcp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40
    35751->2126 (01:01:26.681 PDT)
DECLARE BOT
  206.207.248.34 (01:01:26.681 PDT)
    event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40
    35751->2126 (01:01:26.681 PDT)

tcpslice 1332403286.681 1332403286.682 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 1.4 (>= 0.8)
Infected Target: 192.168.1.102
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 03/22/2012 01:01:26.681 PDT
Gen. Time: 03/22/2012 01:04:45.206 PDT

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
  206.207.248.34 (01:01:26.681 PDT)
    event=1:9930005 {tcp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40
    35751->2126 (01:01:26.681 PDT)
  195.37.16.125 (01:03:10.637 PDT)
    event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40
    54593->54593 (01:03:10.637 PDT)
DECLARE BOT
  206.207.248.34 (01:01:26.681 PDT)
    event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40
    35751->2126 (01:01:26.681 PDT)
  195.37.16.125 (01:03:10.637 PDT)
    event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40
    54593->54593 (01:03:10.637 PDT)

tcpslice 1332403286.681 1332403286.682 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 03/22/2012 01:13:10.024 PDT
Gen. Time: 03/22/2012 01:13:10.024 PDT

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
  128.2.211.114 (01:13:10.024 PDT)
    event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40
    22245->22245 (01:13:10.024 PDT)
DECLARE BOT

tcpslice 1332403990.024 1332403990.025 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 1.4 (>= 0.8)
Infected Target: 192.168.1.102
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 03/22/2012 01:13:10.024 PDT
Gen. Time: 03/22/2012 01:16:37.235 PDT

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
  128.2.211.114 (01:13:10.024 PDT)
    event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40
    22245->22245 (01:13:10.024 PDT)
DECLARE BOT
  128.2.211.114 (01:13:10.024 PDT)
    event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40
    22245->22245 (01:13:10.024 PDT)
  128.163.142.20 (01:16:37.235 PDT)
    event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40
    49394->2128 (01:16:37.235 PDT)

tcpslice 1332403990.024 1332403990.025 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 03/22/2012 01:16:37.235 PDT
Gen. Time: 03/22/2012 01:16:37.235 PDT

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
  128.163.142.20 (01:16:37.235 PDT)
    event=1:9930005 {tcp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40
    49394->2128 (01:16:37.235 PDT)
DECLARE BOT

tcpslice 1332404197.235 1332404197.236 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 03/22/2012 01:23:10.939 PDT
Gen. Time: 03/22/2012 01:23:10.939 PDT

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
  128.2.211.114 (01:23:10.939 PDT)
    event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40
    2121->2121 (01:23:10.939 PDT)
DECLARE BOT

tcpslice 1332404590.939 1332404590.940 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 1.4 (>= 0.8)
Infected Target: 192.168.1.102
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 03/22/2012 01:23:10.939 PDT
Gen. Time: 03/22/2012 01:26:53.496 PDT

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
  128.2.211.114 (01:23:10.939 PDT)
    event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40
    2121->2121 (01:23:10.939 PDT)
DECLARE BOT
  128.2.211.114 (01:23:10.939 PDT)
    event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40
    2121->2121 (01:23:10.939 PDT)

tcpslice 1332404590.939 1332404590.940 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 1.4 (>= 0.8)
Infected Target: 192.168.1.102
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 03/22/2012 01:30:43.479 PDT
Gen. Time: 03/22/2012 01:30:43.479 PDT

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
  132.239.17.226 (01:30:43.479 PDT)
    event=1:9930005 {tcp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40
    45414->2126 (01:30:43.479 PDT)
DECLARE BOT
  132.239.17.226 (01:30:43.479 PDT)
    event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40
    45414->2126 (01:30:43.479 PDT)

tcpslice 1332405043.479 1332405043.480 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 1.4 (>= 0.8)
Infected Target: 192.168.1.102
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 03/22/2012 01:30:43.479 PDT
Gen. Time: 03/22/2012 01:33:10.542 PDT

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
  130.149.49.136 (01:33:10.542 PDT)
    event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40
    54593->54593 (01:33:10.542 PDT)
  132.239.17.226 (01:30:43.479 PDT)
    event=1:9930005 {tcp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40
    45414->2126 (01:30:43.479 PDT)
DECLARE BOT
  132.239.17.226 (01:30:43.479 PDT)
    event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40
    45414->2126 (01:30:43.479 PDT)

tcpslice 1332405043.479 1332405043.480 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 1.4 (>= 0.8)
Infected Target: 192.168.1.102
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 03/22/2012 01:41:16.522 PDT
Gen. Time: 03/22/2012 01:41:16.522 PDT

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
  132.239.17.226 (01:41:16.522 PDT)
    event=1:9930005 {tcp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40
    42263->2128 (01:41:16.522 PDT)
DECLARE BOT
  132.239.17.226 (01:41:16.522 PDT)
    event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40
    42263->2128 (01:41:16.522 PDT)

tcpslice 1332405676.522 1332405676.523 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 1.4 (>= 0.8)
Infected Target: 192.168.1.102
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 03/22/2012 01:41:16.522 PDT
Gen. Time: 03/22/2012 01:45:13.921 PDT

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
  130.149.49.136 (01:43:13.939 PDT)
    event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40
    54593->54593 (01:43:13.939 PDT)
  132.239.17.226 (01:41:16.522 PDT)
    event=1:9930005 {tcp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40
    42263->2128 (01:41:16.522 PDT)
DECLARE BOT
  130.149.49.136 (01:43:13.939 PDT)
    event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40
    54593->54593 (01:43:13.939 PDT)
  132.239.17.226 (01:41:16.522 PDT)
    event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40
    42263->2128 (01:41:16.522 PDT)

tcpslice 1332405676.522 1332405676.523 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 1.4 (>= 0.8)
Infected Target: 192.168.1.102
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 03/22/2012 01:52:28.507 PDT
Gen. Time: 03/22/2012 01:52:28.507 PDT

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
  206.207.248.34 (01:52:28.507 PDT)
    event=1:9930005 {tcp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40
    33988->2128 (01:52:28.507 PDT)
DECLARE BOT
  206.207.248.34 (01:52:28.507 PDT)
    event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40
    33988->2128 (01:52:28.507 PDT)

tcpslice 1332406348.507 1332406348.508 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 1.4 (>= 0.8)
Infected Target: 192.168.1.102
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 03/22/2012 01:52:28.507 PDT
Gen. Time: 03/22/2012 01:56:06.311 PDT

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
  130.149.49.136 (01:53:14.921 PDT)
    event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40
    54593->54593 (01:53:14.921 PDT)
  206.207.248.34 (01:52:28.507 PDT)
    event=1:9930005 {tcp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40
    33988->2128 (01:52:28.507 PDT)
DECLARE BOT
  130.149.49.136 (01:53:14.921 PDT)
    event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40
    54593->54593 (01:53:14.921 PDT)
  206.207.248.34 (01:52:28.507 PDT)
    event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40
    33988->2128 (01:52:28.507 PDT)

tcpslice 1332406348.507 1332406348.508 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 03/22/2012 02:03:14.134 PDT
Gen. Time: 03/22/2012 02:03:14.134 PDT

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
  130.149.49.136 (02:03:14.134 PDT)
    event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40
    22245->22245 (02:03:14.134 PDT)
DECLARE BOT

tcpslice 1332406994.134 1332406994.135 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 1.4 (>= 0.8)
Infected Target: 192.168.1.102
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 03/22/2012 02:03:14.134 PDT
Gen. Time: 03/22/2012 02:05:23.391 PDT

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
  130.149.49.136 (02:03:14.134 PDT)
    event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40
    22245->22245 (02:03:14.134 PDT)
DECLARE BOT
  130.149.49.136 (02:03:14.134 PDT)
    event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40
    22245->22245 (02:03:14.134 PDT)

tcpslice 1332406994.134 1332406994.135 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 1.4 (>= 0.8)
Infected Target: 192.168.1.102
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 03/22/2012 02:05:54.734 PDT
Gen. Time: 03/22/2012 02:05:54.734 PDT

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
  132.239.17.226 (02:05:54.734 PDT)
    event=1:9930005 {tcp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40
    40936->2128 (02:05:54.734 PDT)
DECLARE BOT
  132.239.17.226 (02:05:54.734 PDT)
    event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40
    40936->2128 (02:05:54.734 PDT)

tcpslice 1332407154.734 1332407154.735 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 03/22/2012 02:13:14.352 PDT
Gen. Time: 03/22/2012 02:13:14.352 PDT

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
  130.149.49.136 (02:13:14.352 PDT)
    event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40
    22245->22245 (02:13:14.352 PDT)
DECLARE BOT

tcpslice 1332407594.352 1332407594.353 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 1.4 (>= 0.8)
Infected Target: 192.168.1.102
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 03/22/2012 02:13:14.352 PDT
Gen. Time: 03/22/2012 02:16:02.271 PDT

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
  130.149.49.136 (02:13:14.352 PDT)
    event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40
    22245->22245 (02:13:14.352 PDT)
DECLARE BOT
  130.149.49.136 (02:13:14.352 PDT)
    event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40
    22245->22245 (02:13:14.352 PDT)

tcpslice 1332407594.352 1332407594.353 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 1.4 (>= 0.8)
Infected Target: 192.168.1.102
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 03/22/2012 02:16:52.206 PDT
Gen. Time: 03/22/2012 02:16:52.206 PDT

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
  128.163.142.20 (02:16:52.206 PDT)
    event=1:9930005 {tcp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40
    36347->2126 (02:16:52.206 PDT)
DECLARE BOT
  128.163.142.20 (02:16:52.206 PDT)
    event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40
    36347->2126 (02:16:52.206 PDT)

tcpslice 1332407812.206 1332407812.207 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 03/22/2012 02:23:15.384 PDT
Gen. Time: 03/22/2012 02:23:15.384 PDT

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
  195.37.16.125 (02:23:15.384 PDT)
    event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40
    54593->54593 (02:23:15.384 PDT)
DECLARE BOT

tcpslice 1332408195.384 1332408195.385 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 2.0 (>= 0.8)
Infected Target: 192.168.1.102
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 03/22/2012 02:23:15.384 PDT
Gen. Time: 03/22/2012 02:26:28.126 PDT

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
DECLARE BOT Standard Port
  193.124.83.69 (02:25:41.147 PDT)
    event=1:9920006 {udp} E8[std] BotHunter REPO confirmed botnet control server on standard port, [] MAC_Src: 00:21:5A:08:EC:40
    59483->53 (02:25:41.147 PDT)
DECLARE BOT Non-standard Port
  195.37.16.125 (02:23:15.384 PDT)
    event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40
    54593->54593 (02:23:15.384 PDT)
DECLARE BOT
  195.37.16.125 (02:23:15.384 PDT)
    event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40
    54593->54593 (02:23:15.384 PDT)

tcpslice 1332408195.384 1332408195.385 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 1.4 (>= 0.8) Infected
Target: 192.168.1.102 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 03/22/2012 02:28:09.806 PDT Gen. Time: 03/22/2012 02:28:09.806 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 132.239.17.226 (02:28:09.806 PDT) event=1:9930005 {tcp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40 43701->2128 (02:28:09.806 PDT) DECLARE BOT 132.239.17.226 (02:28:09.806 PDT) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 43701->2128 (02:28:09.806 PDT) tcpslice 1332408489.806 1332408489.807 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 03/22/2012 02:33:15.489 PDT Gen. Time: 03/22/2012 02:33:15.489 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 128.2.211.114 (02:33:15.489 PDT) event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40 2121->2121 (02:33:15.489 PDT) DECLARE BOT tcpslice 1332408795.489 1332408795.490 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 1.4 (>= 0.8) Infected Target: 192.168.1.102 Infector List: Egg Source List: C & C List: Peer Coord. 
List: Resource List: Observed Start: 03/22/2012 02:33:15.489 PDT Gen. Time: 03/22/2012 02:37:22.815 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 128.2.211.114 (02:33:15.489 PDT) event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40 2121->2121 (02:33:15.489 PDT) DECLARE BOT 128.2.211.114 (02:33:15.489 PDT) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 2121->2121 (02:33:15.489 PDT) tcpslice 1332408795.489 1332408795.490 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 1.4 (>= 0.8) Infected Target: 192.168.1.102 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 03/22/2012 02:39:10.612 PDT Gen. 
Time: 03/22/2012 02:39:10.612 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 206.207.248.34 (02:39:10.612 PDT) event=1:9930005 {tcp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40 43261->2128 (02:39:10.612 PDT) DECLARE BOT 206.207.248.34 (02:39:10.612 PDT) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 43261->2128 (02:39:10.612 PDT) tcpslice 1332409150.612 1332409150.613 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 03/22/2012 02:43:17.362 PDT Gen. Time: 03/22/2012 02:43:17.362 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 130.149.49.136 (02:43:17.362 PDT) event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40 54593->54593 (02:43:17.362 PDT) DECLARE BOT tcpslice 1332409397.362 1332409397.363 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 1.4 (>= 0.8) Infected Target: 192.168.1.102 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 03/22/2012 02:43:17.362 PDT Gen. 
Time: 03/22/2012 02:44:50.619 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 130.149.49.136 (02:43:17.362 PDT) event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40 54593->54593 (02:43:17.362 PDT) DECLARE BOT 130.149.49.136 (02:43:17.362 PDT) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 54593->54593 (02:43:17.362 PDT) tcpslice 1332409397.362 1332409397.363 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 1.4 (>= 0.8) Infected Target: 192.168.1.102 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 03/22/2012 02:52:39.534 PDT Gen. Time: 03/22/2012 02:52:39.534 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 132.239.17.226 (02:52:39.534 PDT) event=1:9930005 {tcp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40 43307->2128 (02:52:39.534 PDT) DECLARE BOT 132.239.17.226 (02:52:39.534 PDT) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 43307->2128 (02:52:39.534 PDT) tcpslice 1332409959.534 1332409959.535 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 1.4 (>= 0.8) Infected Target: 192.168.1.102 Infector List: Egg Source List: C & C List: Peer Coord. 
List: Resource List: Observed Start: 03/22/2012 02:52:39.534 PDT Gen. Time: 03/22/2012 02:56:12.750 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 130.149.49.136 (02:53:17.798 PDT) event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40 54593->54593 (02:53:17.798 PDT) 132.239.17.226 (02:52:39.534 PDT) event=1:9930005 {tcp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40 43307->2128 (02:52:39.534 PDT) DECLARE BOT 130.149.49.136 (02:53:17.798 PDT) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 54593->54593 (02:53:17.798 PDT) 132.239.17.226 (02:52:39.534 PDT) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 43307->2128 (02:52:39.534 PDT) tcpslice 1332409959.534 1332409959.535 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 03/22/2012 03:03:18.596 PDT Gen. 
Time: 03/22/2012 03:03:18.596 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 128.2.211.114 (03:03:18.596 PDT) event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40 2121->2121 (03:03:18.596 PDT) DECLARE BOT tcpslice 1332410598.596 1332410598.597 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 1.4 (>= 0.8) Infected Target: 192.168.1.102 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 03/22/2012 03:03:18.596 PDT Gen. Time: 03/22/2012 03:07:00.143 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 128.2.211.114 (03:03:18.596 PDT) event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40 2121->2121 (03:03:18.596 PDT) 128.163.142.20 (03:04:19.076 PDT) event=1:9930005 {tcp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40 50403->2128 (03:04:19.076 PDT) DECLARE BOT 128.2.211.114 (03:03:18.596 PDT) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 2121->2121 (03:03:18.596 PDT) 128.163.142.20 (03:04:19.076 PDT) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 50403->2128 (03:04:19.076 PDT) tcpslice 1332410598.596 1332410598.597 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' 
============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 03/22/2012 03:13:18.055 PDT Gen. Time: 03/22/2012 03:13:18.055 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 138.238.250.155 (03:13:18.055 PDT) event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40 22245->22245 (03:13:18.055 PDT) DECLARE BOT tcpslice 1332411198.055 1332411198.056 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 1.4 (>= 0.8) Infected Target: 192.168.1.102 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 03/22/2012 03:13:18.055 PDT Gen. 
Time: 03/22/2012 03:16:53.482 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 138.238.250.155 (03:13:18.055 PDT) event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40 22245->22245 (03:13:18.055 PDT) DECLARE BOT 138.238.250.155 (03:13:18.055 PDT) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 22245->22245 (03:13:18.055 PDT) tcpslice 1332411198.055 1332411198.056 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 1.4 (>= 0.8) Infected Target: 192.168.1.102 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 03/22/2012 03:18:12.468 PDT Gen. Time: 03/22/2012 03:18:12.468 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 206.207.248.34 (03:18:12.468 PDT) event=1:9930005 {tcp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40 33260->2126 (03:18:12.468 PDT) DECLARE BOT 206.207.248.34 (03:18:12.468 PDT) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 33260->2126 (03:18:12.468 PDT) tcpslice 1332411492.468 1332411492.469 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: Egg Source List: C & C List: Peer Coord. 
List: Resource List: Observed Start: 03/22/2012 03:23:19.745 PDT Gen. Time: 03/22/2012 03:23:19.745 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 130.149.49.136 (03:23:19.745 PDT) event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40 54593->54593 (03:23:19.745 PDT) DECLARE BOT tcpslice 1332411799.745 1332411799.746 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 1.4 (>= 0.8) Infected Target: 192.168.1.102 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 03/22/2012 03:23:19.745 PDT Gen. Time: 03/22/2012 03:26:03.395 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 130.149.49.136 (03:23:19.745 PDT) event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40 54593->54593 (03:23:19.745 PDT) DECLARE BOT 130.149.49.136 (03:23:19.745 PDT) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 54593->54593 (03:23:19.745 PDT) tcpslice 1332411799.745 1332411799.746 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 03/22/2012 03:33:19.723 PDT Gen. 
Time: 03/22/2012 03:33:19.723 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 206.207.248.34 (03:33:19.723 PDT) event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40 4121->4121 (03:33:19.723 PDT) DECLARE BOT tcpslice 1332412399.723 1332412399.724 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 1.4 (>= 0.8) Infected Target: 192.168.1.102 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 03/22/2012 03:33:19.723 PDT Gen. Time: 03/22/2012 03:37:21.849 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 132.239.17.226 (03:36:44.959 PDT) event=1:9930005 {tcp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40 59621->2128 (03:36:44.959 PDT) 206.207.248.34 (03:33:19.723 PDT) event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40 4121->4121 (03:33:19.723 PDT) DECLARE BOT 132.239.17.226 (03:36:44.959 PDT) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 59621->2128 (03:36:44.959 PDT) 206.207.248.34 (03:33:19.723 PDT) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 4121->4121 (03:33:19.723 PDT) tcpslice 1332412399.723 1332412399.724 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' 
============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 03/22/2012 03:43:19.180 PDT Gen. Time: 03/22/2012 03:43:19.180 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 128.2.211.114 (03:43:19.180 PDT) event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40 2121->2121 (03:43:19.180 PDT) DECLARE BOT tcpslice 1332412999.180 1332412999.181 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 1.4 (>= 0.8) Infected Target: 192.168.1.102 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 03/22/2012 03:43:19.180 PDT Gen. 
Time: 03/22/2012 03:46:52.598 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 128.2.211.114 (03:43:19.180 PDT) event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40 2121->2121 (03:43:19.180 PDT) DECLARE BOT 128.2.211.114 (03:43:19.180 PDT) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 2121->2121 (03:43:19.180 PDT) tcpslice 1332412999.180 1332412999.181 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 1.4 (>= 0.8) Infected Target: 192.168.1.102 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 03/22/2012 03:49:29.928 PDT Gen. Time: 03/22/2012 03:49:29.928 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 132.239.17.226 (03:49:29.928 PDT) event=1:9930005 {tcp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40 60095->2128 (03:49:29.928 PDT) DECLARE BOT 132.239.17.226 (03:49:29.928 PDT) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 60095->2128 (03:49:29.928 PDT) tcpslice 1332413369.928 1332413369.929 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 1.4 (>= 0.8) Infected Target: 192.168.1.102 Infector List: Egg Source List: C & C List: Peer Coord. 
List: Resource List: Observed Start: 03/22/2012 03:49:29.928 PDT Gen. Time: 03/22/2012 03:53:20.101 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 132.239.17.226 (03:49:29.928 PDT) event=1:9930005 {tcp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40 60095->2128 (03:49:29.928 PDT) 195.37.16.125 (03:53:20.101 PDT) event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40 54593->54593 (03:53:20.101 PDT) DECLARE BOT 132.239.17.226 (03:49:29.928 PDT) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 60095->2128 (03:49:29.928 PDT) 195.37.16.125 (03:53:20.101 PDT) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 54593->54593 (03:53:20.101 PDT) tcpslice 1332413369.928 1332413369.929 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 1.4 (>= 0.8) Infected Target: 192.168.1.102 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 03/22/2012 04:00:34.961 PDT Gen. 
Time: 03/22/2012 04:00:34.961 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 206.207.248.34 (04:00:34.961 PDT) event=1:9930005 {tcp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40 54214->2128 (04:00:34.961 PDT) DECLARE BOT 206.207.248.34 (04:00:34.961 PDT) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 54214->2128 (04:00:34.961 PDT) tcpslice 1332414034.961 1332414034.962 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 1.4 (>= 0.8) Infected Target: 192.168.1.102 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 03/22/2012 04:00:34.961 PDT Gen. 
Time: 03/22/2012 04:04:36.972 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 130.149.49.136 (04:03:22.215 PDT) event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40 54593->54593 (04:03:22.215 PDT) 206.207.248.34 (04:00:34.961 PDT) event=1:9930005 {tcp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40 54214->2128 (04:00:34.961 PDT) DECLARE BOT 130.149.49.136 (04:03:22.215 PDT) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 54593->54593 (04:03:22.215 PDT) 206.207.248.34 (04:00:34.961 PDT) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 54214->2128 (04:00:34.961 PDT) tcpslice 1332414034.961 1332414034.962 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 1.4 (>= 0.8) Infected Target: 192.168.1.102 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 03/22/2012 04:11:38.778 PDT Gen. 
Time: 03/22/2012 04:11:38.778 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 128.163.142.20 (04:11:38.778 PDT) event=1:9930005 {tcp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40 52391->2128 (04:11:38.778 PDT) DECLARE BOT 128.163.142.20 (04:11:38.778 PDT) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 52391->2128 (04:11:38.778 PDT) tcpslice 1332414698.778 1332414698.779 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 1.4 (>= 0.8) Infected Target: 192.168.1.102 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 03/22/2012 04:11:38.778 PDT Gen. 
Time: 03/22/2012 04:15:24.239 PDT
INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
 130.149.49.136 (04:13:23.388 PDT) event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40 54593->54593 (04:13:23.388 PDT)
 128.163.142.20 (04:11:38.778 PDT) event=1:9930005 {tcp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40 52391->2128 (04:11:38.778 PDT)
DECLARE BOT
 130.149.49.136 (04:13:23.388 PDT) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 54593->54593 (04:13:23.388 PDT)
 128.163.142.20 (04:11:38.778 PDT) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 52391->2128 (04:11:38.778 PDT)
tcpslice 1332414698.778 1332414698.779 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List:
Observed Start: 03/22/2012 04:23:24.122 PDT
Gen. Time: 03/22/2012 04:23:24.122 PDT
INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
 130.149.49.136 (04:23:24.122 PDT) event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40 54593->54593 (04:23:24.122 PDT)
DECLARE BOT
tcpslice 1332415404.122 1332415404.123 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'
============================== SEPARATOR ================================
Score: 1.4 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List:
Observed Start: 03/22/2012 04:23:24.122 PDT
Gen. Time: 03/22/2012 04:26:46.260 PDT
INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
 130.149.49.136 (04:23:24.122 PDT) event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40 54593->54593 (04:23:24.122 PDT)
DECLARE BOT
 130.149.49.136 (04:23:24.122 PDT) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 54593->54593 (04:23:24.122 PDT)
tcpslice 1332415404.122 1332415404.123 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'
============================== SEPARATOR ================================
Score: 1.4 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List:
Observed Start: 03/22/2012 04:28:34.341 PDT
Gen. Time: 03/22/2012 04:28:34.341 PDT
INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
 128.163.142.20 (04:28:34.341 PDT) event=1:9930005 {tcp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40 42418->2128 (04:28:34.341 PDT)
DECLARE BOT
 128.163.142.20 (04:28:34.341 PDT) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 42418->2128 (04:28:34.341 PDT)
tcpslice 1332415714.341 1332415714.342 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List:
Observed Start: 03/22/2012 04:33:24.977 PDT
Gen. Time: 03/22/2012 04:33:24.977 PDT
INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
 195.37.16.125 (04:33:24.977 PDT) event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40 54593->54593 (04:33:24.977 PDT)
DECLARE BOT
tcpslice 1332416004.977 1332416004.978 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'
============================== SEPARATOR ================================
Score: 1.4 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List:
Observed Start: 03/22/2012 04:33:24.977 PDT
Gen. Time: 03/22/2012 04:36:49.971 PDT
INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
 195.37.16.125 (04:33:24.977 PDT) event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40 54593->54593 (04:33:24.977 PDT)
DECLARE BOT
 195.37.16.125 (04:33:24.977 PDT) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 54593->54593 (04:33:24.977 PDT)
tcpslice 1332416004.977 1332416004.978 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'
============================== SEPARATOR ================================
Score: 1.4 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List:
Observed Start: 03/22/2012 04:40:19.560 PDT
Gen. Time: 03/22/2012 04:40:19.560 PDT
INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
 132.239.17.226 (04:40:19.560 PDT) event=1:9930005 {tcp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40 37269->2128 (04:40:19.560 PDT)
DECLARE BOT
 132.239.17.226 (04:40:19.560 PDT) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 37269->2128 (04:40:19.560 PDT)
tcpslice 1332416419.560 1332416419.561 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'
============================== SEPARATOR ================================
Score: 1.4 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List:
Observed Start: 03/22/2012 04:40:19.560 PDT
Gen. Time: 03/22/2012 04:44:12.782 PDT
INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
 132.239.17.226 (04:40:19.560 PDT) event=1:9930005 {tcp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40 37269->2128 (04:40:19.560 PDT)
 195.37.16.125 (04:43:24.130 PDT) event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40 54593->54593 (04:43:24.130 PDT)
DECLARE BOT
 132.239.17.226 (04:40:19.560 PDT) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 37269->2128 (04:40:19.560 PDT)
 195.37.16.125 (04:43:24.130 PDT) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 54593->54593 (04:43:24.130 PDT)
tcpslice 1332416419.560 1332416419.561 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List:
Observed Start: 03/22/2012 04:53:26.063 PDT
Gen. Time: 03/22/2012 04:53:26.063 PDT
INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
 130.149.49.136 (04:53:26.063 PDT) event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40 54593->54593 (04:53:26.063 PDT)
DECLARE BOT
tcpslice 1332417206.063 1332417206.064 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'
============================== SEPARATOR ================================
Score: 1.4 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List:
Observed Start: 03/22/2012 04:53:26.063 PDT
Gen. Time: 03/22/2012 04:56:38.670 PDT
INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
 130.149.49.136 (04:53:26.063 PDT) event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40 54593->54593 (04:53:26.063 PDT)
DECLARE BOT
 130.149.49.136 (04:53:26.063 PDT) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 54593->54593 (04:53:26.063 PDT)
tcpslice 1332417206.063 1332417206.064 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'
============================== SEPARATOR ================================
Score: 1.4 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List:
Observed Start: 03/22/2012 05:03:01.962 PDT
Gen. Time: 03/22/2012 05:03:01.962 PDT
INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
 132.239.17.226 (05:03:01.962 PDT) event=1:9930005 {tcp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40 59872->2128 (05:03:01.962 PDT)
DECLARE BOT
 132.239.17.226 (05:03:01.962 PDT) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 59872->2128 (05:03:01.962 PDT)
tcpslice 1332417781.962 1332417781.963 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'
============================== SEPARATOR ================================
Score: 1.9 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: Egg Source List: 91.209.175.100 C & C List: Peer Coord. List: Resource List:
Observed Start: 03/22/2012 05:03:01.962 PDT
Gen. Time: 03/22/2012 05:08:03.577 PDT
INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS
EGG DOWNLOAD
 91.209.175.100 (05:04:03.742 PDT) event=1:2009295 {tcp} E3[rb] ET USER_AGENTS Suspicious Mozilla User-Agent Likely Fake (Mozilla/5.0), [/] MAC_Src: 00:21:5A:08:EC:40 46121->80 (05:04:03.742 PDT)
C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
 130.149.49.136 (05:03:26.049 PDT) event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40 54593->54593 (05:03:26.049 PDT)
 132.239.17.226 (05:03:01.962 PDT) event=1:9930005 {tcp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40 59872->2128 (05:03:01.962 PDT)
DECLARE BOT
 130.149.49.136 (05:03:26.049 PDT) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 54593->54593 (05:03:26.049 PDT)
 132.239.17.226 (05:03:01.962 PDT) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 59872->2128 (05:03:01.962 PDT)
tcpslice 1332417781.962 1332417781.963 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List:
Observed Start: 03/22/2012 05:13:26.523 PDT
Gen. Time: 03/22/2012 05:13:26.523 PDT
INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
 130.149.49.136 (05:13:26.523 PDT) event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40 54593->54593 (05:13:26.523 PDT)
DECLARE BOT
tcpslice 1332418406.523 1332418406.524 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'
============================== SEPARATOR ================================
Score: 1.4 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List:
Observed Start: 03/22/2012 05:13:26.523 PDT
Gen. Time: 03/22/2012 05:17:06.167 PDT
INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
 130.149.49.136 (05:13:26.523 PDT) event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40 54593->54593 (05:13:26.523 PDT)
 128.163.142.20 (05:14:42.474 PDT) event=1:9930005 {tcp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40 48103->2126 (05:14:42.474 PDT)
DECLARE BOT
 130.149.49.136 (05:13:26.523 PDT) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 54593->54593 (05:13:26.523 PDT)
 128.163.142.20 (05:14:42.474 PDT) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 48103->2126 (05:14:42.474 PDT)
tcpslice 1332418406.523 1332418406.524 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List:
Observed Start: 03/22/2012 05:23:27.780 PDT
Gen. Time: 03/22/2012 05:23:27.780 PDT
INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
 130.149.49.136 (05:23:27.780 PDT) event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40 54593->54593 (05:23:27.780 PDT)
DECLARE BOT
tcpslice 1332419007.780 1332419007.781 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'
============================== SEPARATOR ================================
Score: 1.4 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List:
Observed Start: 03/22/2012 05:23:27.780 PDT
Gen. Time: 03/22/2012 05:27:09.324 PDT
INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
 130.149.49.136 (05:23:27.780 PDT) event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40 54593->54593 (05:23:27.780 PDT)
DECLARE BOT
 130.149.49.136 (05:23:27.780 PDT) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 54593->54593 (05:23:27.780 PDT)
tcpslice 1332419007.780 1332419007.781 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'
============================== SEPARATOR ================================
Score: 1.4 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List:
Observed Start: 03/22/2012 05:30:16.480 PDT
Gen. Time: 03/22/2012 05:30:16.480 PDT
INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
 206.207.248.34 (05:30:16.480 PDT) event=1:9930005 {tcp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40 47500->2126 (05:30:16.480 PDT)
DECLARE BOT
 206.207.248.34 (05:30:16.480 PDT) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 47500->2126 (05:30:16.480 PDT)
tcpslice 1332419416.480 1332419416.481 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'
============================== SEPARATOR ================================
Score: 1.4 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List:
Observed Start: 03/22/2012 05:30:16.480 PDT
Gen. Time: 03/22/2012 05:33:27.475 PDT
INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
 130.149.49.136 (05:33:27.475 PDT) event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40 54593->54593 (05:33:27.475 PDT)
 206.207.248.34 (05:30:16.480 PDT) event=1:9930005 {tcp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40 47500->2126 (05:30:16.480 PDT)
DECLARE BOT
 206.207.248.34 (05:30:16.480 PDT) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 47500->2126 (05:30:16.480 PDT)
tcpslice 1332419416.480 1332419416.481 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List:
Observed Start: 03/22/2012 05:43:28.059 PDT
Gen. Time: 03/22/2012 05:43:28.059 PDT
INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
 128.186.122.86 (05:43:28.059 PDT) event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40 49302->53219 (05:43:28.059 PDT)
DECLARE BOT
tcpslice 1332420208.059 1332420208.060 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'
============================== SEPARATOR ================================
Score: 1.4 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List:
Observed Start: 03/22/2012 05:43:28.059 PDT
Gen. Time: 03/22/2012 05:46:56.859 PDT
INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
 128.186.122.86 (05:43:28.059 PDT) event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40 49302->53219 (05:43:28.059 PDT)
 206.207.248.34 (05:44:36.590 PDT) event=1:9930005 {tcp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40 33405->2128 (05:44:36.590 PDT)
DECLARE BOT
 128.186.122.86 (05:43:28.059 PDT) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 49302->53219 (05:43:28.059 PDT)
 206.207.248.34 (05:44:36.590 PDT) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 33405->2128 (05:44:36.590 PDT)
tcpslice 1332420208.059 1332420208.060 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List:
Observed Start: 03/22/2012 05:53:28.998 PDT
Gen. Time: 03/22/2012 05:53:28.998 PDT
INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
 130.149.49.136 (05:53:28.998 PDT) event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40 54593->54593 (05:53:28.998 PDT)
DECLARE BOT
tcpslice 1332420808.998 1332420808.999 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'
============================== SEPARATOR ================================
Score: 1.4 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List:
Observed Start: 03/22/2012 05:53:28.998 PDT
Gen. Time: 03/22/2012 05:56:18.747 PDT
INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
 130.149.49.136 (05:53:28.998 PDT) event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40 54593->54593 (05:53:28.998 PDT)
DECLARE BOT
 130.149.49.136 (05:53:28.998 PDT) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 54593->54593 (05:53:28.998 PDT)
tcpslice 1332420808.998 1332420808.999 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List:
Observed Start: 03/22/2012 06:03:29.471 PDT
Gen. Time: 03/22/2012 06:03:29.471 PDT
INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
 130.149.49.136 (06:03:29.471 PDT) event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40 54593->54593 (06:03:29.471 PDT)
DECLARE BOT
tcpslice 1332421409.471 1332421409.472 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'
============================== SEPARATOR ================================
Score: 1.4 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List:
Observed Start: 03/22/2012 06: ` 03:29.471 PDT
Gen. Time: 03/22/2012 06:08:21.199 PDT
INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
 130.149.49.136 (06:03:29.471 PDT) event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40 54593->54593 (06:03:29.471 PDT)
 128.163.142.20 (06:04:34.994 PDT) event=1:9930005 {tcp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40 60530->2128 (06:04:34.994 PDT)
DECLARE BOT
 130.149.49.136 (06:03:29.471 PDT) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 54593->54593 (06:03:29.471 PDT)
 128.163.142.20 (06:04:34.994 PDT) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 60530->2128 (06:04:34.994 PDT)
tcpslice 1332421409.471 1332421409.472 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List:
Observed Start: 03/22/2012 06:13:31.891 PDT
Gen. Time: 03/22/2012 06:13:31.891 PDT
INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
 195.37.16.125 (06:13:31.891 PDT) event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40 54593->54593 (06:13:31.891 PDT)
DECLARE BOT
tcpslice 1332422011.891 1332422011.892 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'
============================== SEPARATOR ================================
Score: 1.4 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List:
Observed Start: 03/22/2012 06:13:31.891 PDT
Gen. Time: 03/22/2012 06:17:42.888 PDT
INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
 195.37.16.125 (06:13:31.891 PDT) event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40 54593->54593 (06:13:31.891 PDT)
DECLARE BOT
 195.37.16.125 (06:13:31.891 PDT) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 54593->54593 (06:13:31.891 PDT)
tcpslice 1332422011.891 1332422011.892 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'
============================== SEPARATOR ================================
Score: 1.4 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List:
Observed Start: 03/22/2012 06:18:11.145 PDT
Gen. Time: 03/22/2012 06:18:11.145 PDT
INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
 206.207.248.34 (06:18:11.145 PDT) event=1:9930005 {tcp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40 34824->2126 (06:18:11.145 PDT)
DECLARE BOT
 206.207.248.34 (06:18:11.145 PDT) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 34824->2126 (06:18:11.145 PDT)
tcpslice 1332422291.145 1332422291.146 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List:
Observed Start: 03/22/2012 06:23:31.290 PDT
Gen. Time: 03/22/2012 06:23:31.290 PDT
INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
 130.149.49.136 (06:23:31.290 PDT) event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40 54593->54593 (06:23:31.290 PDT)
DECLARE BOT
tcpslice 1332422611.290 1332422611.291 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'
============================== SEPARATOR ================================
Score: 1.4 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List:
Observed Start: 03/22/2012 06:23:31.290 PDT
Gen. Time: 03/22/2012 06:25:51.002 PDT
INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
 130.149.49.136 (06:23:31.290 PDT) event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40 54593->54593 (06:23:31.290 PDT)
DECLARE BOT
 130.149.49.136 (06:23:31.290 PDT) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 54593->54593 (06:23:31.290 PDT)
tcpslice 1332422611.290 1332422611.291 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'
============================== SEPARATOR ================================
Score: 1.4 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List:
Observed Start: 03/22/2012 06:32:23.998 PDT
Gen. Time: 03/22/2012 06:32:23.998 PDT
INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
 137.165.1.111 (06:32:23.998 PDT) event=1:9930005 {tcp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40 57227->54593 (06:32:23.998 PDT)
DECLARE BOT
 137.165.1.111 (06:32:23.998 PDT) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 57227->54593 (06:32:23.998 PDT)
tcpslice 1332423143.998 1332423143.999 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'
============================== SEPARATOR ================================
Score: 1.4 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List:
Observed Start: 03/22/2012 06:32:23.998 PDT
Gen. Time: 03/22/2012 06:35:46.566 PDT
INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
 130.149.49.136 (06:33:32.170 PDT) event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40 54593->54593 (06:33:32.170 PDT)
 137.165.1.111 (06:32:23.998 PDT) event=1:9930005 {tcp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40 57227->54593 (06:32:23.998 PDT)
DECLARE BOT
 130.149.49.136 (06:33:32.170 PDT) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 54593->54593 (06:33:32.170 PDT)
 137.165.1.111 (06:32:23.998 PDT) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 57227->54593 (06:32:23.998 PDT)
tcpslice 1332423143.998 1332423143.999 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List:
Observed Start: 03/22/2012 06:43:32.831 PDT
Gen. Time: 03/22/2012 06:43:32.831 PDT
INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
 128.186.122.86 (06:43:32.831 PDT) event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40 49302->53219 (06:43:32.831 PDT)
DECLARE BOT
tcpslice 1332423812.831 1332423812.832 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'
============================== SEPARATOR ================================
Score: 1.4 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List:
Observed Start: 03/22/2012 06:43:32.831 PDT
Gen. Time: 03/22/2012 06:47:52.323 PDT
INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
 128.186.122.86 (06:43:32.831 PDT) event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40 49302->53219 (06:43:32.831 PDT)
DECLARE BOT
 128.186.122.86 (06:43:32.831 PDT) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 49302->53219 (06:43:32.831 PDT)
tcpslice 1332423812.831 1332423812.832 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'
============================== SEPARATOR ================================
Score: 1.4 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List:
Observed Start: 03/22/2012 06:53:03.276 PDT
Gen. Time: 03/22/2012 06:53:03.276 PDT
INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
 132.239.17.226 (06:53:03.276 PDT) event=1:9930005 {tcp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40 54536->2128 (06:53:03.276 PDT)
DECLARE BOT
 132.239.17.226 (06:53:03.276 PDT) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 54536->2128 (06:53:03.276 PDT)
tcpslice 1332424383.276 1332424383.277 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'
============================== SEPARATOR ================================
Score: 1.4 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List:
Observed Start: 03/22/2012 06:53:03.276 PDT
Gen. Time: 03/22/2012 06:56:52.894 PDT
INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
 132.239.17.226 (06:53:03.276 PDT) event=1:9930005 {tcp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40 54536->2128 (06:53:03.276 PDT)
 206.207.248.34 (06:53:34.429 PDT) event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40 2121->2121 (06:53:34.429 PDT)
DECLARE BOT
 132.239.17.226 (06:53:03.276 PDT) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 54536->2128 (06:53:03.276 PDT)
 206.207.248.34 (06:53:34.429 PDT) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 2121->2121 (06:53:34.429 PDT)
tcpslice 1332424383.276 1332424383.277 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List:
Observed Start: 03/22/2012 07:03:34.296 PDT
Gen. Time: 03/22/2012 07:03:34.296 PDT
INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
 130.149.49.136 (07:03:34.296 PDT) event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40 54593->54593 (07:03:34.296 PDT)
DECLARE BOT
tcpslice 1332425014.296 1332425014.297 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'
============================== SEPARATOR ================================
Score: 1.4 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List:
Observed Start: 03/22/2012 07:03:34.296 PDT
Gen. Time: 03/22/2012 07:06:03.355 PDT
INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
 130.149.49.136 (07:03:34.296 PDT) event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40 54593->54593 (07:03:34.296 PDT)
 206.207.248.34 (07:04:20.015 PDT) event=1:9930005 {tcp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40 59178->2126 (07:04:20.015 PDT)
DECLARE BOT
 130.149.49.136 (07:03:34.296 PDT) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 54593->54593 (07:03:34.296 PDT)
 206.207.248.34 (07:04:20.015 PDT) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 59178->2126 (07:04:20.015 PDT)
tcpslice 1332425014.296 1332425014.297 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host
192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 03/22/2012 07:13:34.120 PDT Gen. Time: 03/22/2012 07:13:34.120 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 132.239.17.226 (07:13:34.120 PDT) event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40 22245->22245 (07:13:34.120 PDT) DECLARE BOT tcpslice 1332425614.120 1332425614.121 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 1.4 (>= 0.8) Infected Target: 192.168.1.102 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 03/22/2012 07:13:34.120 PDT Gen. 
Time: 03/22/2012 07:18:24.410 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 132.239.17.226 (07:13:34.120 PDT) event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40 22245->22245 (07:13:34.120 PDT) 128.163.142.20 (07:14:53.419 PDT) event=1:9930005 {tcp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40 45157->2128 (07:14:53.419 PDT) DECLARE BOT 132.239.17.226 (07:13:34.120 PDT) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 22245->22245 (07:13:34.120 PDT) 128.163.142.20 (07:14:53.419 PDT) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 45157->2128 (07:14:53.419 PDT) tcpslice 1332425614.120 1332425614.121 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 03/22/2012 07:23:34.756 PDT Gen. 
Time: 03/22/2012 07:23:34.756 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 130.149.49.136 (07:23:34.756 PDT) event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40 54593->54593 (07:23:34.756 PDT) DECLARE BOT tcpslice 1332426214.756 1332426214.757 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 1.4 (>= 0.8) Infected Target: 192.168.1.102 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 03/22/2012 07:23:34.756 PDT Gen. Time: 03/22/2012 07:27:35.148 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 130.149.49.136 (07:23:34.756 PDT) event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40 54593->54593 (07:23:34.756 PDT) 206.207.248.34 (07:26:11.037 PDT) event=1:9930005 {tcp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40 53080->2128 (07:26:11.037 PDT) DECLARE BOT 130.149.49.136 (07:23:34.756 PDT) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 54593->54593 (07:23:34.756 PDT) 206.207.248.34 (07:26:11.037 PDT) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 53080->2128 (07:26:11.037 PDT) tcpslice 1332426214.756 1332426214.757 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 
192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 03/22/2012 07:33:35.306 PDT Gen. Time: 03/22/2012 07:33:35.306 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 130.149.49.136 (07:33:35.306 PDT) event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40 54593->54593 (07:33:35.306 PDT) DECLARE BOT tcpslice 1332426815.306 1332426815.307 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 1.4 (>= 0.8) Infected Target: 192.168.1.102 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 03/22/2012 07:33:35.306 PDT Gen. 
Time: 03/22/2012 07:37:12.174 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 130.149.49.136 (07:33:35.306 PDT) event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40 54593->54593 (07:33:35.306 PDT) DECLARE BOT 130.149.49.136 (07:33:35.306 PDT) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 54593->54593 (07:33:35.306 PDT) tcpslice 1332426815.306 1332426815.307 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 1.4 (>= 0.8) Infected Target: 192.168.1.102 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 03/22/2012 07:38:20.778 PDT Gen. Time: 03/22/2012 07:38:20.778 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 128.163.142.20 (07:38:20.778 PDT) event=1:9930005 {tcp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40 56738->2126 (07:38:20.778 PDT) DECLARE BOT 128.163.142.20 (07:38:20.778 PDT) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 56738->2126 (07:38:20.778 PDT) tcpslice 1332427100.778 1332427100.779 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: Egg Source List: C & C List: Peer Coord. 
List: Resource List: Observed Start: 03/22/2012 07:43:36.558 PDT Gen. Time: 03/22/2012 07:43:36.558 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 130.149.49.136 (07:43:36.558 PDT) event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40 54593->54593 (07:43:36.558 PDT) DECLARE BOT tcpslice 1332427416.558 1332427416.559 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 1.4 (>= 0.8) Infected Target: 192.168.1.102 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 03/22/2012 07:43:36.558 PDT Gen. Time: 03/22/2012 07:45:48.064 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 130.149.49.136 (07:43:36.558 PDT) event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40 54593->54593 (07:43:36.558 PDT) DECLARE BOT 130.149.49.136 (07:43:36.558 PDT) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 54593->54593 (07:43:36.558 PDT) tcpslice 1332427416.558 1332427416.559 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 03/22/2012 07:53:36.699 PDT Gen. 
Time: 03/22/2012 07:53:36.699 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 128.186.122.86 (07:53:36.699 PDT) event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40 49302->35745 (07:53:36.699 PDT) DECLARE BOT tcpslice 1332428016.699 1332428016.700 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 1.4 (>= 0.8) Infected Target: 192.168.1.102 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 03/22/2012 07:53:36.699 PDT Gen. Time: 03/22/2012 07:56:26.038 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 128.186.122.86 (07:53:36.699 PDT) event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40 49302->35745 (07:53:36.699 PDT) 128.163.142.20 (07:53:42.062 PDT) event=1:9930005 {tcp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40 57094->2126 (07:53:42.062 PDT) DECLARE BOT 128.186.122.86 (07:53:36.699 PDT) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 49302->35745 (07:53:36.699 PDT) 128.163.142.20 (07:53:42.062 PDT) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 57094->2126 (07:53:42.062 PDT) tcpslice 1332428016.699 1332428016.700 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 
192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 03/22/2012 08:03:36.108 PDT Gen. Time: 03/22/2012 08:03:36.108 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 206.207.248.34 (08:03:36.108 PDT) event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40 2121->2121 (08:03:36.108 PDT) DECLARE BOT tcpslice 1332428616.108 1332428616.109 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 1.4 (>= 0.8) Infected Target: 192.168.1.102 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 03/22/2012 08:03:36.108 PDT Gen. 
Time: 03/22/2012 08:06:33.138 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 206.207.248.34 (08:03:36.108 PDT) event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40 2121->2121 (08:03:36.108 PDT) DECLARE BOT 206.207.248.34 (08:03:36.108 PDT) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 2121->2121 (08:03:36.108 PDT) tcpslice 1332428616.108 1332428616.109 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 1.4 (>= 0.8) Infected Target: 192.168.1.102 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 03/22/2012 08:12:01.824 PDT Gen. Time: 03/22/2012 08:12:01.824 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 132.239.17.226 (08:12:01.824 PDT) event=1:9930005 {tcp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40 53142->2128 (08:12:01.824 PDT) DECLARE BOT 132.239.17.226 (08:12:01.824 PDT) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 53142->2128 (08:12:01.824 PDT) tcpslice 1332429121.824 1332429121.825 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 1.4 (>= 0.8) Infected Target: 192.168.1.102 Infector List: Egg Source List: C & C List: Peer Coord. 
List: Resource List: Observed Start: 03/22/2012 08:12:01.824 PDT Gen. Time: 03/22/2012 08:14:39.360 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 130.149.49.136 (08:13:36.982 PDT) event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40 54593->54593 (08:13:36.982 PDT) 132.239.17.226 (08:12:01.824 PDT) event=1:9930005 {tcp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40 53142->2128 (08:12:01.824 PDT) DECLARE BOT 130.149.49.136 (08:13:36.982 PDT) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 54593->54593 (08:13:36.982 PDT) 132.239.17.226 (08:12:01.824 PDT) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 53142->2128 (08:12:01.824 PDT) tcpslice 1332429121.824 1332429121.825 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 1.4 (>= 0.8) Infected Target: 192.168.1.102 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 03/22/2012 08:23:23.167 PDT Gen. 
Time: 03/22/2012 08:23:23.167 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 128.163.142.20 (08:23:23.167 PDT) event=1:9930005 {tcp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40 56779->2128 (08:23:23.167 PDT) DECLARE BOT 128.163.142.20 (08:23:23.167 PDT) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 56779->2128 (08:23:23.167 PDT) tcpslice 1332429803.167 1332429803.168 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 1.4 (>= 0.8) Infected Target: 192.168.1.102 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 03/22/2012 08:23:23.167 PDT Gen. 
Time: 03/22/2012 08:26:53.626 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 128.163.142.20 (08:23:23.167 PDT) event=1:9930005 {tcp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40 56779->2128 (08:23:23.167 PDT) 130.104.72.201 (08:23:38.621 PDT) event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40 4121->4121 (08:23:38.621 PDT) DECLARE BOT 128.163.142.20 (08:23:23.167 PDT) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 56779->2128 (08:23:23.167 PDT) 130.104.72.201 (08:23:38.621 PDT) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 4121->4121 (08:23:38.621 PDT) tcpslice 1332429803.167 1332429803.168 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 03/22/2012 08:33:38.100 PDT Gen. 
Time: 03/22/2012 08:33:38.100 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 130.149.49.136 (08:33:38.100 PDT) event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40 54593->54593 (08:33:38.100 PDT) DECLARE BOT tcpslice 1332430418.100 1332430418.101 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 1.4 (>= 0.8) Infected Target: 192.168.1.102 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 03/22/2012 08:33:38.100 PDT Gen. Time: 03/22/2012 08:36:56.865 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 130.149.49.136 (08:33:38.100 PDT) event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40 54593->54593 (08:33:38.100 PDT) DECLARE BOT 130.149.49.136 (08:33:38.100 PDT) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 54593->54593 (08:33:38.100 PDT) tcpslice 1332430418.100 1332430418.101 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 1.4 (>= 0.8) Infected Target: 192.168.1.102 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 03/22/2012 08:41:32.575 PDT Gen. 
Time: 03/22/2012 08:41:32.575 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 128.163.142.20 (08:41:32.575 PDT) event=1:9930005 {tcp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40 53311->2128 (08:41:32.575 PDT) DECLARE BOT 128.163.142.20 (08:41:32.575 PDT) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 53311->2128 (08:41:32.575 PDT) tcpslice 1332430892.575 1332430892.576 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 1.4 (>= 0.8) Infected Target: 192.168.1.102 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 03/22/2012 08:41:32.575 PDT Gen. 
Time: 03/22/2012 08:45:34.191 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 130.149.49.136 (08:43:39.347 PDT) event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40 54593->54593 (08:43:39.347 PDT) 128.163.142.20 (08:41:32.575 PDT) event=1:9930005 {tcp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40 53311->2128 (08:41:32.575 PDT) DECLARE BOT 130.149.49.136 (08:43:39.347 PDT) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 54593->54593 (08:43:39.347 PDT) 128.163.142.20 (08:41:32.575 PDT) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 53311->2128 (08:41:32.575 PDT) tcpslice 1332430892.575 1332430892.576 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 1.4 (>= 0.8) Infected Target: 192.168.1.102 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 03/22/2012 08:53:16.583 PDT Gen. 
Time: 03/22/2012 08:53:16.583 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 132.239.17.226 (08:53:16.583 PDT) event=1:9930005 {tcp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40 34160->2128 (08:53:16.583 PDT) DECLARE BOT 132.239.17.226 (08:53:16.583 PDT) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 34160->2128 (08:53:16.583 PDT) tcpslice 1332431596.583 1332431596.584 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 1.4 (>= 0.8) Infected Target: 192.168.1.102 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 03/22/2012 08:53:16.583 PDT Gen. 
Time: 03/22/2012 08:56:59.171 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 132.239.17.226 (2) (08:53:16.583 PDT) event=1:9930005 {tcp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40 34160->2128 (08:53:16.583 PDT) ------------------------- event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40 22245->22245 (08:53:39.082 PDT) DECLARE BOT 132.239.17.226 (2) (08:53:16.583 PDT) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 34160->2128 (08:53:16.583 PDT) ------------------------- event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 22245->22245 (08:53:39.082 PDT) tcpslice 1332431596.583 1332431596.584 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 03/22/2012 09:03:39.154 PDT Gen. 
Time: 03/22/2012 09:03:39.154 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 130.149.49.136 (09:03:39.154 PDT) event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40 54593->54593 (09:03:39.154 PDT) DECLARE BOT tcpslice 1332432219.154 1332432219.155 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 1.9 (>= 0.8) Infected Target: 192.168.1.102 Infector List: Egg Source List: 91.209.175.100 C & C List: Peer Coord. List: Resource List: Observed Start: 03/22/2012 09:03:39.154 PDT Gen. Time: 03/22/2012 09:07:39.762 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD 91.209.175.100 (09:04:01.387 PDT) event=1:2009295 {tcp} E3[rb] ET USER_AGENTS Suspicious Mozilla User-Agent Likely Fake (Mozilla/5.0), [/] MAC_Src: 00:21:5A:08:EC:40 37193->80 (09:04:01.387 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 130.149.49.136 (09:03:39.154 PDT) event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40 54593->54593 (09:03:39.154 PDT) DECLARE BOT 130.149.49.136 (09:03:39.154 PDT) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 54593->54593 (09:03:39.154 PDT) tcpslice 1332432219.154 1332432219.155 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 1.4 (>= 0.8) Infected Target: 192.168.1.102 Infector List: Egg 
Source List:  C & C List:  Peer Coord. List:  Resource List:
Observed Start: 03/22/2012 09:11:58.990 PDT  Gen. Time: 03/22/2012 09:11:58.990 PDT
INBOUND SCAN  EXPLOIT  EXPLOIT MALWARE DNS  EGG DOWNLOAD  C and C TRAFFIC  C and C TRAFFIC (RBN)  C and C DNS CHECK-IN  OUTBOUND SKYPE CANDIDATE  OUTBOUND SCAN (spp)  OUTBOUND SCAN  ATTACK PREP  PEER COORDINATION  DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
    128.163.142.20 (09:11:58.990 PDT) event=1:9930005 {tcp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40 36555->2126 (09:11:58.990 PDT)
DECLARE BOT
    128.163.142.20 (09:11:58.990 PDT) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 36555->2126 (09:11:58.990 PDT)
tcpslice 1332432718.990 1332432718.991 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'
============================== SEPARATOR ================================

Score: 1.4 (>= 0.8)  Infected Target: 192.168.1.102
Infector List:  Egg Source List:  C & C List:  Peer Coord. List:  Resource List:
Observed Start: 03/22/2012 09:11:58.990 PDT  Gen. Time: 03/22/2012 09:15:15.348 PDT
INBOUND SCAN  EXPLOIT  EXPLOIT MALWARE DNS  EGG DOWNLOAD  C and C TRAFFIC  C and C TRAFFIC (RBN)  C and C DNS CHECK-IN  OUTBOUND SKYPE CANDIDATE  OUTBOUND SCAN (spp)  OUTBOUND SCAN  ATTACK PREP  PEER COORDINATION  DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
    128.163.142.20 (09:11:58.990 PDT) event=1:9930005 {tcp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40 36555->2126 (09:11:58.990 PDT)
    195.37.16.125 (09:13:41.229 PDT) event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40 54593->54593 (09:13:41.229 PDT)
DECLARE BOT
    128.163.142.20 (09:11:58.990 PDT) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 36555->2126 (09:11:58.990 PDT)
    195.37.16.125 (09:13:41.229 PDT) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 54593->54593 (09:13:41.229 PDT)
tcpslice 1332432718.990 1332432718.991 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'
============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)  Infected Target: 192.168.1.102
Infector List:  Egg Source List:  C & C List:  Peer Coord. List:  Resource List:
Observed Start: 03/22/2012 09:23:41.368 PDT  Gen. Time: 03/22/2012 09:23:41.368 PDT
INBOUND SCAN  EXPLOIT  EXPLOIT MALWARE DNS  EGG DOWNLOAD  C and C TRAFFIC  C and C TRAFFIC (RBN)  C and C DNS CHECK-IN  OUTBOUND SKYPE CANDIDATE  OUTBOUND SCAN (spp)  OUTBOUND SCAN  ATTACK PREP  PEER COORDINATION  DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
    128.186.122.86 (09:23:41.368 PDT) event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40 49302->35314 (09:23:41.368 PDT)
DECLARE BOT
tcpslice 1332433421.368 1332433421.369 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'
============================== SEPARATOR ================================

Score: 1.4 (>= 0.8)  Infected Target: 192.168.1.102
Infector List:  Egg Source List:  C & C List:  Peer Coord. List:  Resource List:
Observed Start: 03/22/2012 09:23:41.368 PDT  Gen. Time: 03/22/2012 09:27:39.636 PDT
INBOUND SCAN  EXPLOIT  EXPLOIT MALWARE DNS  EGG DOWNLOAD  C and C TRAFFIC  C and C TRAFFIC (RBN)  C and C DNS CHECK-IN  OUTBOUND SKYPE CANDIDATE  OUTBOUND SCAN (spp)  OUTBOUND SCAN  ATTACK PREP  PEER COORDINATION  DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
    128.186.122.86 (09:23:41.368 PDT) event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40 49302->35314 (09:23:41.368 PDT)
DECLARE BOT
    132.239.17.226 (09:27:39.636 PDT) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 57415->2128 (09:27:39.636 PDT)
    128.186.122.86 (09:23:41.368 PDT) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 49302->35314 (09:23:41.368 PDT)
tcpslice 1332433421.368 1332433421.369 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'
============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)  Infected Target: 192.168.1.102
Infector List:  Egg Source List:  C & C List:  Peer Coord. List:  Resource List:
Observed Start: 03/22/2012 09:27:39.636 PDT  Gen. Time: 03/22/2012 09:27:39.636 PDT
INBOUND SCAN  EXPLOIT  EXPLOIT MALWARE DNS  EGG DOWNLOAD  C and C TRAFFIC  C and C TRAFFIC (RBN)  C and C DNS CHECK-IN  OUTBOUND SKYPE CANDIDATE  OUTBOUND SCAN (spp)  OUTBOUND SCAN  ATTACK PREP  PEER COORDINATION  DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
    132.239.17.226 (09:27:39.636 PDT) event=1:9930005 {tcp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40 57415->2128 (09:27:39.636 PDT)
DECLARE BOT
tcpslice 1332433659.636 1332433659.637 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'
============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)  Infected Target: 192.168.1.102
Infector List:  Egg Source List:  C & C List:  Peer Coord. List:  Resource List:
Observed Start: 03/22/2012 09:33:41.988 PDT  Gen. Time: 03/22/2012 09:33:41.988 PDT
INBOUND SCAN  EXPLOIT  EXPLOIT MALWARE DNS  EGG DOWNLOAD  C and C TRAFFIC  C and C TRAFFIC (RBN)  C and C DNS CHECK-IN  OUTBOUND SKYPE CANDIDATE  OUTBOUND SCAN (spp)  OUTBOUND SCAN  ATTACK PREP  PEER COORDINATION  DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
    130.149.49.136 (09:33:41.988 PDT) event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40 54593->54593 (09:33:41.988 PDT)
DECLARE BOT
tcpslice 1332434021.988 1332434021.989 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'
============================== SEPARATOR ================================

Score: 1.4 (>= 0.8)  Infected Target: 192.168.1.102
Infector List:  Egg Source List:  C & C List:  Peer Coord. List:  Resource List:
Observed Start: 03/22/2012 09:33:41.988 PDT  Gen. Time: 03/22/2012 09:36:21.057 PDT
INBOUND SCAN  EXPLOIT  EXPLOIT MALWARE DNS  EGG DOWNLOAD  C and C TRAFFIC  C and C TRAFFIC (RBN)  C and C DNS CHECK-IN  OUTBOUND SKYPE CANDIDATE  OUTBOUND SCAN (spp)  OUTBOUND SCAN  ATTACK PREP  PEER COORDINATION  DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
    130.149.49.136 (09:33:41.988 PDT) event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40 54593->54593 (09:33:41.988 PDT)
DECLARE BOT
    130.149.49.136 (09:33:41.988 PDT) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 54593->54593 (09:33:41.988 PDT)
tcpslice 1332434021.988 1332434021.989 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'
============================== SEPARATOR ================================

Score: 1.4 (>= 0.8)  Infected Target: 192.168.1.102
Infector List:  Egg Source List:  C & C List:  Peer Coord. List:  Resource List:
Observed Start: 03/22/2012 09:40:27.822 PDT  Gen. Time: 03/22/2012 09:40:27.822 PDT
INBOUND SCAN  EXPLOIT  EXPLOIT MALWARE DNS  EGG DOWNLOAD  C and C TRAFFIC  C and C TRAFFIC (RBN)  C and C DNS CHECK-IN  OUTBOUND SKYPE CANDIDATE  OUTBOUND SCAN (spp)  OUTBOUND SCAN  ATTACK PREP  PEER COORDINATION  DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
    132.239.17.226 (09:40:27.822 PDT) event=1:9930005 {tcp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40 44595->2128 (09:40:27.822 PDT)
DECLARE BOT
    132.239.17.226 (09:40:27.822 PDT) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 44595->2128 (09:40:27.822 PDT)
tcpslice 1332434427.822 1332434427.823 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'
============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)  Infected Target: 192.168.1.102
Infector List:  Egg Source List:  C & C List:  Peer Coord. List:  Resource List:
Observed Start: 03/22/2012 09:43:41.267 PDT  Gen. Time: 03/22/2012 09:43:41.267 PDT
INBOUND SCAN  EXPLOIT  EXPLOIT MALWARE DNS  EGG DOWNLOAD  C and C TRAFFIC  C and C TRAFFIC (RBN)  C and C DNS CHECK-IN  OUTBOUND SKYPE CANDIDATE  OUTBOUND SCAN (spp)  OUTBOUND SCAN  ATTACK PREP  PEER COORDINATION  DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
    206.207.248.34 (09:43:41.267 PDT) event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40 4119->4119 (09:43:41.267 PDT)
DECLARE BOT
tcpslice 1332434621.267 1332434621.268 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'
============================== SEPARATOR ================================

Score: 1.4 (>= 0.8)  Infected Target: 192.168.1.102
Infector List:  Egg Source List:  C & C List:  Peer Coord. List:  Resource List:
Observed Start: 03/22/2012 09:43:41.267 PDT  Gen. Time: 03/22/2012 09:46:24.973 PDT
INBOUND SCAN  EXPLOIT  EXPLOIT MALWARE DNS  EGG DOWNLOAD  C and C TRAFFIC  C and C TRAFFIC (RBN)  C and C DNS CHECK-IN  OUTBOUND SKYPE CANDIDATE  OUTBOUND SCAN (spp)  OUTBOUND SCAN  ATTACK PREP  PEER COORDINATION  DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
    206.207.248.34 (09:43:41.267 PDT) event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40 4119->4119 (09:43:41.267 PDT)
DECLARE BOT
    206.207.248.34 (09:43:41.267 PDT) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 4119->4119 (09:43:41.267 PDT)
tcpslice 1332434621.267 1332434621.268 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'
============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)  Infected Target: 192.168.1.102
Infector List:  Egg Source List:  C & C List:  Peer Coord. List:  Resource List:
Observed Start: 03/22/2012 09:53:43.135 PDT  Gen. Time: 03/22/2012 09:53:43.135 PDT
INBOUND SCAN  EXPLOIT  EXPLOIT MALWARE DNS  EGG DOWNLOAD  C and C TRAFFIC  C and C TRAFFIC (RBN)  C and C DNS CHECK-IN  OUTBOUND SKYPE CANDIDATE  OUTBOUND SCAN (spp)  OUTBOUND SCAN  ATTACK PREP  PEER COORDINATION  DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
    206.207.248.34 (09:53:43.135 PDT) event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40 2122->2122 (09:53:43.135 PDT)
DECLARE BOT
tcpslice 1332435223.135 1332435223.136 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'
============================== SEPARATOR ================================

Score: 1.4 (>= 0.8)  Infected Target: 192.168.1.102
Infector List:  Egg Source List:  C & C List:  Peer Coord. List:  Resource List:
Observed Start: 03/22/2012 09:53:43.135 PDT  Gen. Time: 03/22/2012 09:57:34.893 PDT
INBOUND SCAN  EXPLOIT  EXPLOIT MALWARE DNS  EGG DOWNLOAD  C and C TRAFFIC  C and C TRAFFIC (RBN)  C and C DNS CHECK-IN  OUTBOUND SKYPE CANDIDATE  OUTBOUND SCAN (spp)  OUTBOUND SCAN  ATTACK PREP  PEER COORDINATION  DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
    206.207.248.34 (09:53:43.135 PDT) event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40 2122->2122 (09:53:43.135 PDT)
DECLARE BOT
    206.207.248.34 (09:53:43.135 PDT) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 2122->2122 (09:53:43.135 PDT)
tcpslice 1332435223.135 1332435223.136 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'
============================== SEPARATOR ================================

Score: 1.4 (>= 0.8)  Infected Target: 192.168.1.102
Infector List:  Egg Source List:  C & C List:  Peer Coord. List:  Resource List:
Observed Start: 03/22/2012 09:58:35.608 PDT  Gen. Time: 03/22/2012 09:58:35.608 PDT
INBOUND SCAN  EXPLOIT  EXPLOIT MALWARE DNS  EGG DOWNLOAD  C and C TRAFFIC  C and C TRAFFIC (RBN)  C and C DNS CHECK-IN  OUTBOUND SKYPE CANDIDATE  OUTBOUND SCAN (spp)  OUTBOUND SCAN  ATTACK PREP  PEER COORDINATION  DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
    132.239.17.226 (09:58:35.608 PDT) event=1:9930005 {tcp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40 53472->2128 (09:58:35.608 PDT)
DECLARE BOT
    132.239.17.226 (09:58:35.608 PDT) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 53472->2128 (09:58:35.608 PDT)
tcpslice 1332435515.608 1332435515.609 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'
============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)  Infected Target: 192.168.1.102
Infector List:  Egg Source List:  C & C List:  Peer Coord. List:  Resource List:
Observed Start: 03/22/2012 10:03:43.117 PDT  Gen. Time: 03/22/2012 10:03:43.117 PDT
INBOUND SCAN  EXPLOIT  EXPLOIT MALWARE DNS  EGG DOWNLOAD  C and C TRAFFIC  C and C TRAFFIC (RBN)  C and C DNS CHECK-IN  OUTBOUND SKYPE CANDIDATE  OUTBOUND SCAN (spp)  OUTBOUND SCAN  ATTACK PREP  PEER COORDINATION  DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
    195.37.16.125 (10:03:43.117 PDT) event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40 8844->8844 (10:03:43.117 PDT)
DECLARE BOT
tcpslice 1332435823.117 1332435823.118 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'
============================== SEPARATOR ================================

Score: 1.4 (>= 0.8)  Infected Target: 192.168.1.102
Infector List:  Egg Source List:  C & C List:  Peer Coord. List:  Resource List:
Observed Start: 03/22/2012 10:03:43.117 PDT  Gen. Time: 03/22/2012 10:07:43.314 PDT
INBOUND SCAN  EXPLOIT  EXPLOIT MALWARE DNS  EGG DOWNLOAD  C and C TRAFFIC  C and C TRAFFIC (RBN)  C and C DNS CHECK-IN  OUTBOUND SKYPE CANDIDATE  OUTBOUND SCAN (spp)  OUTBOUND SCAN  ATTACK PREP  PEER COORDINATION  DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
    195.37.16.125 (10:03:43.117 PDT) event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40 8844->8844 (10:03:43.117 PDT)
DECLARE BOT
    195.37.16.125 (10:03:43.117 PDT) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 8844->8844 (10:03:43.117 PDT)
tcpslice 1332435823.117 1332435823.118 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'
============================== SEPARATOR ================================

Score: 1.4 (>= 0.8)  Infected Target: 192.168.1.102
Infector List:  Egg Source List:  C & C List:  Peer Coord. List:  Resource List:
Observed Start: 03/22/2012 10:08:48.099 PDT  Gen. Time: 03/22/2012 10:08:48.099 PDT
INBOUND SCAN  EXPLOIT  EXPLOIT MALWARE DNS  EGG DOWNLOAD  C and C TRAFFIC  C and C TRAFFIC (RBN)  C and C DNS CHECK-IN  OUTBOUND SKYPE CANDIDATE  OUTBOUND SCAN (spp)  OUTBOUND SCAN  ATTACK PREP  PEER COORDINATION  DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
    8.5.1.45 (10:08:48.099 PDT) event=1:9930005 {tcp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40 43160->54593 (10:08:48.099 PDT)
DECLARE BOT
    8.5.1.45 (10:08:48.099 PDT) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 43160->54593 (10:08:48.099 PDT)
tcpslice 1332436128.099 1332436128.100 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'
============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)  Infected Target: 192.168.1.102
Infector List:  Egg Source List:  C & C List:  Peer Coord. List:  Resource List:
Observed Start: 03/22/2012 10:13:45.530 PDT  Gen. Time: 03/22/2012 10:13:45.530 PDT
INBOUND SCAN  EXPLOIT  EXPLOIT MALWARE DNS  EGG DOWNLOAD  C and C TRAFFIC  C and C TRAFFIC (RBN)  C and C DNS CHECK-IN  OUTBOUND SKYPE CANDIDATE  OUTBOUND SCAN (spp)  OUTBOUND SCAN  ATTACK PREP  PEER COORDINATION  DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
    130.149.49.136 (10:13:45.530 PDT) event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40 54593->54593 (10:13:45.530 PDT)
DECLARE BOT
tcpslice 1332436425.530 1332436425.531 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'
============================== SEPARATOR ================================

Score: 1.4 (>= 0.8)  Infected Target: 192.168.1.102
Infector List:  Egg Source List:  C & C List:  Peer Coord. List:  Resource List:
Observed Start: 03/22/2012 10:13:45.530 PDT  Gen. Time: 03/22/2012 10:17:37.368 PDT
INBOUND SCAN  EXPLOIT  EXPLOIT MALWARE DNS  EGG DOWNLOAD  C and C TRAFFIC  C and C TRAFFIC (RBN)  C and C DNS CHECK-IN  OUTBOUND SKYPE CANDIDATE  OUTBOUND SCAN (spp)  OUTBOUND SCAN  ATTACK PREP  PEER COORDINATION  DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
    130.149.49.136 (10:13:45.530 PDT) event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40 54593->54593 (10:13:45.530 PDT)
DECLARE BOT
    130.149.49.136 (10:13:45.530 PDT) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 54593->54593 (10:13:45.530 PDT)
tcpslice 1332436425.530 1332436425.531 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'
============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)  Infected Target: 192.168.1.102
Infector List:  Egg Source List:  C & C List:  Peer Coord. List:  Resource List:
Observed Start: 03/22/2012 10:23:45.411 PDT  Gen. Time: 03/22/2012 10:23:45.411 PDT
INBOUND SCAN  EXPLOIT  EXPLOIT MALWARE DNS  EGG DOWNLOAD  C and C TRAFFIC  C and C TRAFFIC (RBN)  C and C DNS CHECK-IN  OUTBOUND SKYPE CANDIDATE  OUTBOUND SCAN (spp)  OUTBOUND SCAN  ATTACK PREP  PEER COORDINATION  DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
    130.149.49.136 (10:23:45.411 PDT) event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40 54593->54593 (10:23:45.411 PDT)
DECLARE BOT
tcpslice 1332437025.411 1332437025.412 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'
============================== SEPARATOR ================================

Score: 1.4 (>= 0.8)  Infected Target: 192.168.1.102
Infector List:  Egg Source List:  C & C List:  Peer Coord. List:  Resource List:
Observed Start: 03/22/2012 10:23:45.411 PDT  Gen. Time: 03/22/2012 10:26:29.498 PDT
INBOUND SCAN  EXPLOIT  EXPLOIT MALWARE DNS  EGG DOWNLOAD  C and C TRAFFIC  C and C TRAFFIC (RBN)  C and C DNS CHECK-IN  OUTBOUND SKYPE CANDIDATE  OUTBOUND SCAN (spp)  OUTBOUND SCAN  ATTACK PREP  PEER COORDINATION  DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
    130.149.49.136 (10:23:45.411 PDT) event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40 54593->54593 (10:23:45.411 PDT)
DECLARE BOT
    130.149.49.136 (10:23:45.411 PDT) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 54593->54593 (10:23:45.411 PDT)
tcpslice 1332437025.411 1332437025.412 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'
============================== SEPARATOR ================================

Score: 1.4 (>= 0.8)  Infected Target: 192.168.1.102
Infector List:  Egg Source List:  C & C List:  Peer Coord. List:  Resource List:
Observed Start: 03/22/2012 10:29:07.224 PDT  Gen. Time: 03/22/2012 10:29:07.224 PDT
INBOUND SCAN  EXPLOIT  EXPLOIT MALWARE DNS  EGG DOWNLOAD  C and C TRAFFIC  C and C TRAFFIC (RBN)  C and C DNS CHECK-IN  OUTBOUND SKYPE CANDIDATE  OUTBOUND SCAN (spp)  OUTBOUND SCAN  ATTACK PREP  PEER COORDINATION  DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
    132.239.17.226 (10:29:07.224 PDT) event=1:9930005 {tcp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40 48980->2128 (10:29:07.224 PDT)
DECLARE BOT
    132.239.17.226 (10:29:07.224 PDT) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 48980->2128 (10:29:07.224 PDT)
tcpslice 1332437347.224 1332437347.225 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'
============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)  Infected Target: 192.168.1.102
Infector List:  Egg Source List:  C & C List:  Peer Coord. List:  Resource List:
Observed Start: 03/22/2012 10:33:45.761 PDT  Gen. Time: 03/22/2012 10:33:45.761 PDT
INBOUND SCAN  EXPLOIT  EXPLOIT MALWARE DNS  EGG DOWNLOAD  C and C TRAFFIC  C and C TRAFFIC (RBN)  C and C DNS CHECK-IN  OUTBOUND SKYPE CANDIDATE  OUTBOUND SCAN (spp)  OUTBOUND SCAN  ATTACK PREP  PEER COORDINATION  DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
    195.37.16.125 (10:33:45.761 PDT) event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40 54593->54593 (10:33:45.761 PDT)
DECLARE BOT
tcpslice 1332437625.761 1332437625.762 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'
============================== SEPARATOR ================================

Score: 1.4 (>= 0.8)  Infected Target: 192.168.1.102
Infector List:  Egg Source List:  C & C List:  Peer Coord. List:  Resource List:
Observed Start: 03/22/2012 10:33:45.761 PDT  Gen. Time: 03/22/2012 10:37:27.435 PDT
INBOUND SCAN  EXPLOIT  EXPLOIT MALWARE DNS  EGG DOWNLOAD  C and C TRAFFIC  C and C TRAFFIC (RBN)  C and C DNS CHECK-IN  OUTBOUND SKYPE CANDIDATE  OUTBOUND SCAN (spp)  OUTBOUND SCAN  ATTACK PREP  PEER COORDINATION  DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
    195.37.16.125 (10:33:45.761 PDT) event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40 54593->54593 (10:33:45.761 PDT)
DECLARE BOT
    195.37.16.125 (10:33:45.761 PDT) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 54593->54593 (10:33:45.761 PDT)
tcpslice 1332437625.761 1332437625.762 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'
============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)  Infected Target: 192.168.1.102
Infector List:  Egg Source List:  C & C List:  Peer Coord. List:  Resource List:
Observed Start: 03/22/2012 10:43:45.153 PDT  Gen. Time: 03/22/2012 10:43:45.153 PDT
INBOUND SCAN  EXPLOIT  EXPLOIT MALWARE DNS  EGG DOWNLOAD  C and C TRAFFIC  C and C TRAFFIC (RBN)  C and C DNS CHECK-IN  OUTBOUND SKYPE CANDIDATE  OUTBOUND SCAN (spp)  OUTBOUND SCAN  ATTACK PREP  PEER COORDINATION  DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
    128.2.211.114 (10:43:45.153 PDT) event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40 22245->22245 (10:43:45.153 PDT)
DECLARE BOT
tcpslice 1332438225.153 1332438225.154 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'
============================== SEPARATOR ================================

Score: 1.4 (>= 0.8)  Infected Target: 192.168.1.102
Infector List:  Egg Source List:  C & C List:  Peer Coord. List:  Resource List:
Observed Start: 03/22/2012 10:43:45.153 PDT  Gen. Time: 03/22/2012 10:47:50.230 PDT
INBOUND SCAN  EXPLOIT  EXPLOIT MALWARE DNS  EGG DOWNLOAD  C and C TRAFFIC  C and C TRAFFIC (RBN)  C and C DNS CHECK-IN  OUTBOUND SKYPE CANDIDATE  OUTBOUND SCAN (spp)  OUTBOUND SCAN  ATTACK PREP  PEER COORDINATION  DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
    132.239.17.226 (10:44:44.337 PDT) event=1:9930005 {tcp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40 38841->2128 (10:44:44.337 PDT)
    128.2.211.114 (10:43:45.153 PDT) event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40 22245->22245 (10:43:45.153 PDT)
DECLARE BOT
    132.239.17.226 (10:44:44.337 PDT) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 38841->2128 (10:44:44.337 PDT)
    128.2.211.114 (10:43:45.153 PDT) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 22245->22245 (10:43:45.153 PDT)
tcpslice 1332438225.153 1332438225.154 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'
============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)  Infected Target: 192.168.1.102
Infector List:  Egg Source List:  C & C List:  Peer Coord. List:  Resource List:
Observed Start: 03/22/2012 10:53:46.150 PDT  Gen. Time: 03/22/2012 10:53:46.150 PDT
INBOUND SCAN  EXPLOIT  EXPLOIT MALWARE DNS  EGG DOWNLOAD  C and C TRAFFIC  C and C TRAFFIC (RBN)  C and C DNS CHECK-IN  OUTBOUND SKYPE CANDIDATE  OUTBOUND SCAN (spp)  OUTBOUND SCAN  ATTACK PREP  PEER COORDINATION  DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
    195.37.16.125 (10:53:46.150 PDT) event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40 54593->54593 (10:53:46.150 PDT)
DECLARE BOT
tcpslice 1332438826.150 1332438826.151 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'
============================== SEPARATOR ================================

Score: 1.4 (>= 0.8)  Infected Target: 192.168.1.102
Infector List:  Egg Source List:  C & C List:  Peer Coord. List:  Resource List:
Observed Start: 03/22/2012 10:53:46.150 PDT  Gen. Time: 03/22/2012 10:57:07.705 PDT
INBOUND SCAN  EXPLOIT  EXPLOIT MALWARE DNS  EGG DOWNLOAD  C and C TRAFFIC  C and C TRAFFIC (RBN)  C and C DNS CHECK-IN  OUTBOUND SKYPE CANDIDATE  OUTBOUND SCAN (spp)  OUTBOUND SCAN  ATTACK PREP  PEER COORDINATION  DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
    128.163.142.20 (10:56:15.036 PDT) event=1:9930005 {tcp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40 57232->2128 (10:56:15.036 PDT)
    195.37.16.125 (10:53:46.150 PDT) event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40 54593->54593 (10:53:46.150 PDT)
DECLARE BOT
    128.163.142.20 (10:56:15.036 PDT) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 57232->2128 (10:56:15.036 PDT)
    195.37.16.125 (10:53:46.150 PDT) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 54593->54593 (10:53:46.150 PDT)
tcpslice 1332438826.150 1332438826.151 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'
============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)  Infected Target: 192.168.1.102
Infector List:  Egg Source List:  C & C List:  Peer Coord. List:  Resource List:
Observed Start: 03/22/2012 11:03:51.232 PDT  Gen. Time: 03/22/2012 11:03:51.232 PDT
INBOUND SCAN  EXPLOIT  EXPLOIT MALWARE DNS  EGG DOWNLOAD  C and C TRAFFIC  C and C TRAFFIC (RBN)  C and C DNS CHECK-IN  OUTBOUND SKYPE CANDIDATE  OUTBOUND SCAN (spp)  OUTBOUND SCAN  ATTACK PREP  PEER COORDINATION  DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
    184.105.178.92 (11:03:51.232 PDT) event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40 2121->2121 (11:03:51.232 PDT)
DECLARE BOT
tcpslice 1332439431.232 1332439431.233 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'
============================== SEPARATOR ================================

Score: 1.4 (>= 0.8)  Infected Target: 192.168.1.102
Infector List:  Egg Source List:  C & C List:  Peer Coord. List:  Resource List:
Observed Start: 03/22/2012 11:03:51.232 PDT  Gen. Time: 03/22/2012 11:08:05.014 PDT
INBOUND SCAN  EXPLOIT  EXPLOIT MALWARE DNS  EGG DOWNLOAD  C and C TRAFFIC  C and C TRAFFIC (RBN)  C and C DNS CHECK-IN  OUTBOUND SKYPE CANDIDATE  OUTBOUND SCAN (spp)  OUTBOUND SCAN  ATTACK PREP  PEER COORDINATION  DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
    184.105.178.92 (11:03:51.232 PDT) event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40 2121->2121 (11:03:51.232 PDT)
DECLARE BOT
    184.105.178.92 (11:03:51.232 PDT) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 2121->2121 (11:03:51.232 PDT)
tcpslice 1332439431.232 1332439431.233 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'
============================== SEPARATOR ================================

Score: 1.4 (>= 0.8)  Infected Target: 192.168.1.102
Infector List:  Egg Source List:  C & C List:  Peer Coord. List:  Resource List:
Observed Start: 03/22/2012 11:13:53.970 PDT  Gen. Time: 03/22/2012 11:13:53.970 PDT
INBOUND SCAN  EXPLOIT  EXPLOIT MALWARE DNS  EGG DOWNLOAD  C and C TRAFFIC  C and C TRAFFIC (RBN)  C and C DNS CHECK-IN  OUTBOUND SKYPE CANDIDATE  OUTBOUND SCAN (spp)  OUTBOUND SCAN  ATTACK PREP  PEER COORDINATION  DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
    132.239.17.226 (11:13:53.970 PDT) event=1:9930005 {tcp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40 56954->2126 (11:13:53.970 PDT)
DECLARE BOT
    132.239.17.226 (11:13:53.970 PDT) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 56954->2126 (11:13:53.970 PDT)
tcpslice 1332440033.970 1332440033.971 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'
============================== SEPARATOR ================================

Score: 1.4 (>= 0.8)  Infected Target: 192.168.1.102
Infector List:  Egg Source List:  C & C List:  Peer Coord. List:  Resource List:
Observed Start: 03/22/2012 11:13:53.970 PDT  Gen. Time: 03/22/2012 11:17:57.683 PDT
INBOUND SCAN  EXPLOIT  EXPLOIT MALWARE DNS  EGG DOWNLOAD  C and C TRAFFIC  C and C TRAFFIC (RBN)  C and C DNS CHECK-IN  OUTBOUND SKYPE CANDIDATE  OUTBOUND SCAN (spp)  OUTBOUND SCAN  ATTACK PREP  PEER COORDINATION  DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
    132.239.17.226 (11:13:53.970 PDT) event=1:9930005 {tcp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40 56954->2126 (11:13:53.970 PDT)
    143.89.49.74 (11:13:55.160 PDT) event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40 54593->54593 (11:13:55.160 PDT)
DECLARE BOT
    132.239.17.226 (11:13:53.970 PDT) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 56954->2126 (11:13:53.970 PDT)
    143.89.49.74 (11:13:55.160 PDT) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 54593->54593 (11:13:55.160 PDT)
tcpslice 1332440033.970 1332440033.971 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'
============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)  Infected Target: 192.168.1.102
Infector List:  Egg Source List:  C & C List:  Peer Coord. List:  Resource List:
Observed Start: 03/22/2012 11:24:00.097 PDT  Gen. Time: 03/22/2012 11:24:00.097 PDT
INBOUND SCAN  EXPLOIT  EXPLOIT MALWARE DNS  EGG DOWNLOAD  C and C TRAFFIC  C and C TRAFFIC (RBN)  C and C DNS CHECK-IN  OUTBOUND SKYPE CANDIDATE  OUTBOUND SCAN (spp)  OUTBOUND SCAN  ATTACK PREP  PEER COORDINATION  DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
    195.37.16.125 (11:24:00.097 PDT) event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40 54593->54593 (11:24:00.097 PDT)
DECLARE BOT
tcpslice 1332440640.097 1332440640.098 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'
============================== SEPARATOR ================================

Score: 1.4 (>= 0.8)  Infected Target: 192.168.1.102
Infector List:  Egg Source List:  C & C List:  Peer Coord. List:  Resource List:
Observed Start: 03/22/2012 11:24:00.097 PDT  Gen. Time: 03/22/2012 11:26:59.214 PDT
INBOUND SCAN  EXPLOIT  EXPLOIT MALWARE DNS  EGG DOWNLOAD  C and C TRAFFIC  C and C TRAFFIC (RBN)  C and C DNS CHECK-IN  OUTBOUND SKYPE CANDIDATE  OUTBOUND SCAN (spp)  OUTBOUND SCAN  ATTACK PREP  PEER COORDINATION  DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
    132.239.17.226 (11:24:50.435 PDT) event=1:9930005 {tcp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40 37824->2128 (11:24:50.435 PDT)
    195.37.16.125 (11:24:00.097 PDT) event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40 54593->54593 (11:24:00.097 PDT)
DECLARE BOT
    132.239.17.226 (11:24:50.435 PDT) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 37824->2128 (11:24:50.435 PDT)
    195.37.16.125 (11:24:00.097 PDT) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 54593->54593 (11:24:00.097 PDT)
tcpslice 1332440640.097 1332440640.098 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'
============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)  Infected Target: 192.168.1.102
Infector List:  Egg Source List:  C & C List:  Peer Coord. List:  Resource List:
Observed Start: 03/22/2012 11:34:00.706 PDT  Gen. Time: 03/22/2012 11:34:00.706 PDT
INBOUND SCAN  EXPLOIT  EXPLOIT MALWARE DNS  EGG DOWNLOAD  C and C TRAFFIC  C and C TRAFFIC (RBN)  C and C DNS CHECK-IN  OUTBOUND SKYPE CANDIDATE  OUTBOUND SCAN (spp)  OUTBOUND SCAN  ATTACK PREP  PEER COORDINATION  DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
    206.207.248.34 (11:34:00.706 PDT) event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40 4119->4119 (11:34:00.706 PDT)
DECLARE BOT
tcpslice 1332441240.706 1332441240.707 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'
============================== SEPARATOR ================================

Score: 1.4 (>= 0.8)  Infected Target: 192.168.1.102
Infector List:  Egg Source List:  C & C List:  Peer Coord. List:  Resource List:
Observed Start: 03/22/2012 11:34:00.706 PDT  Gen. Time: 03/22/2012 11:36:23.735 PDT
INBOUND SCAN  EXPLOIT  EXPLOIT MALWARE DNS  EGG DOWNLOAD  C and C TRAFFIC  C and C TRAFFIC (RBN)  C and C DNS CHECK-IN  OUTBOUND SKYPE CANDIDATE  OUTBOUND SCAN (spp)  OUTBOUND SCAN  ATTACK PREP  PEER COORDINATION  DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
    206.207.248.34 (11:34:00.706 PDT) event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40 4119->4119 (11:34:00.706 PDT)
DECLARE BOT
    206.207.248.34 (11:34:00.706 PDT) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 4119->4119 (11:34:00.706 PDT)
tcpslice 1332441240.706 1332441240.707 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'
============================== SEPARATOR ================================

Score: 1.4 (>= 0.8)  Infected Target: 192.168.1.102
Infector List:  Egg Source List:  C & C List:  Peer Coord. List:  Resource List:
Observed Start: 03/22/2012 11:36:35.368 PDT  Gen. Time: 03/22/2012 11:36:35.368 PDT
INBOUND SCAN  EXPLOIT  EXPLOIT MALWARE DNS  EGG DOWNLOAD  C and C TRAFFIC  C and C TRAFFIC (RBN)  C and C DNS CHECK-IN  OUTBOUND SKYPE CANDIDATE  OUTBOUND SCAN (spp)  OUTBOUND SCAN  ATTACK PREP  PEER COORDINATION  DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
    132.239.17.226 (11:36:35.368 PDT) event=1:9930005 {tcp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40 33578->2128 (11:36:35.368 PDT)
DECLARE BOT
    132.239.17.226 (11:36:35.368 PDT) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 33578->2128 (11:36:35.368 PDT)
tcpslice 1332441395.368 1332441395.369 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'
============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)  Infected Target: 192.168.1.102
Infector List:  Egg Source List:  C & C List:  Peer Coord. List:  Resource List:
Observed Start: 03/22/2012 11:44:00.380 PDT  Gen. Time: 03/22/2012 11:44:00.380 PDT
INBOUND SCAN  EXPLOIT  EXPLOIT MALWARE DNS  EGG DOWNLOAD  C and C TRAFFIC  C and C TRAFFIC (RBN)  C and C DNS CHECK-IN  OUTBOUND SKYPE CANDIDATE  OUTBOUND SCAN (spp)  OUTBOUND SCAN  ATTACK PREP  PEER COORDINATION  DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
    130.149.49.136 (11:44:00.380 PDT) event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40 54593->54593 (11:44:00.380 PDT)
DECLARE BOT
tcpslice 1332441840.380 1332441840.381 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'
============================== SEPARATOR ================================

Score: 1.4 (>= 0.8)  Infected Target: 192.168.1.102
Infector List:  Egg Source List:  C & C List:  Peer Coord. List:  Resource List:
Observed Start: 03/22/2012 11:44:00.380 PDT  Gen. Time: 03/22/2012 11:47:59.913 PDT
INBOUND SCAN  EXPLOIT  EXPLOIT MALWARE DNS  EGG DOWNLOAD  C and C TRAFFIC  C and C TRAFFIC (RBN)  C and C DNS CHECK-IN  OUTBOUND SKYPE CANDIDATE  OUTBOUND SCAN (spp)  OUTBOUND SCAN  ATTACK PREP  PEER COORDINATION  DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
    130.149.49.136 (11:44:00.380 PDT) event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40 54593->54593 (11:44:00.380 PDT)
DECLARE BOT
    130.149.49.136 (11:44:00.380 PDT) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 54593->54593 (11:44:00.380 PDT)
    206.207.248.34 (11:47:59.913 PDT) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 56503->2128 (11:47:59.913 PDT)
tcpslice 1332441840.380 1332441840.381 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'
============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)  Infected Target:
192.168.1.102 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 03/22/2012 11:47:59.913 PDT Gen. Time: 03/22/2012 11:47:59.913 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 206.207.248.34 (11:47:59.913 PDT) event=1:9930005 {tcp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40 56503->2128 (11:47:59.913 PDT) DECLARE BOT tcpslice 1332442079.913 1332442079.914 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 03/22/2012 11:54:00.489 PDT Gen. Time: 03/22/2012 11:54:00.489 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 132.239.17.226 (11:54:00.489 PDT) event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40 2122->2122 (11:54:00.489 PDT) DECLARE BOT tcpslice 1332442440.489 1332442440.490 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 1.4 (>= 0.8) Infected Target: 192.168.1.102 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 03/22/2012 11:54:00.489 PDT Gen. 
Time: 03/22/2012 11:58:07.043 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 132.239.17.226 (11:54:00.489 PDT) event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40 2122->2122 (11:54:00.489 PDT) DECLARE BOT 132.239.17.226 (11:54:00.489 PDT) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 2122->2122 (11:54:00.489 PDT) tcpslice 1332442440.489 1332442440.490 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 1.4 (>= 0.8) Infected Target: 192.168.1.102 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 03/22/2012 12:01:44.952 PDT Gen. Time: 03/22/2012 12:01:44.952 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 206.207.248.34 (12:01:44.952 PDT) event=1:9930005 {tcp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40 45614->2126 (12:01:44.952 PDT) DECLARE BOT 206.207.248.34 (12:01:44.952 PDT) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 45614->2126 (12:01:44.952 PDT) tcpslice 1332442904.952 1332442904.953 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 1.4 (>= 0.8) Infected Target: 192.168.1.102 Infector List: Egg Source List: C & C List: Peer Coord. 
List: Resource List: Observed Start: 03/22/2012 12:01:44.952 PDT Gen. Time: 03/22/2012 12:05:46.178 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 206.207.248.34 (12:01:44.952 PDT) event=1:9930005 {tcp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40 45614->2126 (12:01:44.952 PDT) 195.37.16.125 (12:04:02.090 PDT) event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40 54593->54593 (12:04:02.090 PDT) DECLARE BOT 206.207.248.34 (12:01:44.952 PDT) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 45614->2126 (12:01:44.952 PDT) 195.37.16.125 (12:04:02.090 PDT) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 54593->54593 (12:04:02.090 PDT) tcpslice 1332442904.952 1332442904.953 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 03/22/2012 12:14:04.217 PDT Gen. 
Time: 03/22/2012 12:14:04.217 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 130.149.49.136 (12:14:04.217 PDT) event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40 54593->54593 (12:14:04.217 PDT) DECLARE BOT tcpslice 1332443644.217 1332443644.218 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 1.4 (>= 0.8) Infected Target: 192.168.1.102 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 03/22/2012 12:14:04.217 PDT Gen. Time: 03/22/2012 12:17:30.079 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 130.149.49.136 (12:14:04.217 PDT) event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40 54593->54593 (12:14:04.217 PDT) DECLARE BOT 130.149.49.136 (12:14:04.217 PDT) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 54593->54593 (12:14:04.217 PDT) tcpslice 1332443644.217 1332443644.218 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 1.4 (>= 0.8) Infected Target: 192.168.1.102 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 03/22/2012 12:18:01.158 PDT Gen. 
Time: 03/22/2012 12:18:01.158 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 132.239.17.226 (12:18:01.158 PDT) event=1:9930005 {tcp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40 51177->2128 (12:18:01.158 PDT) DECLARE BOT 132.239.17.226 (12:18:01.158 PDT) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 51177->2128 (12:18:01.158 PDT) tcpslice 1332443881.158 1332443881.159 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 03/22/2012 12:24:08.500 PDT Gen. Time: 03/22/2012 12:24:08.500 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 195.37.16.125 (12:24:08.500 PDT) event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40 54593->54593 (12:24:08.500 PDT) DECLARE BOT tcpslice 1332444248.500 1332444248.501 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 1.4 (>= 0.8) Infected Target: 192.168.1.102 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 03/22/2012 12:24:08.500 PDT Gen. 
Time: 03/22/2012 12:27:30.497 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 195.37.16.125 (12:24:08.500 PDT) event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40 54593->54593 (12:24:08.500 PDT) DECLARE BOT 195.37.16.125 (12:24:08.500 PDT) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 54593->54593 (12:24:08.500 PDT) tcpslice 1332444248.500 1332444248.501 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 1.4 (>= 0.8) Infected Target: 192.168.1.102 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 03/22/2012 12:28:48.740 PDT Gen. Time: 03/22/2012 12:28:48.740 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 206.207.248.34 (12:28:48.740 PDT) event=1:9930005 {tcp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40 47490->2126 (12:28:48.740 PDT) DECLARE BOT 206.207.248.34 (12:28:48.740 PDT) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 47490->2126 (12:28:48.740 PDT) tcpslice 1332444528.740 1332444528.741 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: Egg Source List: C & C List: Peer Coord. 
List: Resource List: Observed Start: 03/22/2012 12:34:18.524 PDT Gen. Time: 03/22/2012 12:34:18.524 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 195.37.16.125 (12:34:18.524 PDT) event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40 54593->54593 (12:34:18.524 PDT) DECLARE BOT tcpslice 1332444858.524 1332444858.525 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 1.4 (>= 0.8) Infected Target: 192.168.1.102 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 03/22/2012 12:34:18.524 PDT Gen. Time: 03/22/2012 12:37:12.792 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 195.37.16.125 (12:34:18.524 PDT) event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40 54593->54593 (12:34:18.524 PDT) DECLARE BOT 195.37.16.125 (12:34:18.524 PDT) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 54593->54593 (12:34:18.524 PDT) tcpslice 1332444858.524 1332444858.525 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 1.4 (>= 0.8) Infected Target: 192.168.1.102 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 03/22/2012 12:39:16.998 PDT Gen. 
Time: 03/22/2012 12:39:16.998 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 132.239.17.226 (12:39:16.998 PDT) event=1:9930005 {tcp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40 36040->2128 (12:39:16.998 PDT) DECLARE BOT 132.239.17.226 (12:39:16.998 PDT) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 36040->2128 (12:39:16.998 PDT) tcpslice 1332445156.998 1332445156.999 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 03/22/2012 12:44:28.437 PDT Gen. Time: 03/22/2012 12:44:28.437 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 130.149.49.136 (12:44:28.437 PDT) event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40 54593->54593 (12:44:28.437 PDT) DECLARE BOT tcpslice 1332445468.437 1332445468.438 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 1.4 (>= 0.8) Infected Target: 192.168.1.102 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 03/22/2012 12:44:28.437 PDT Gen. 
Time: 03/22/2012 12:46:42.015 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 130.149.49.136 (12:44:28.437 PDT) event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40 54593->54593 (12:44:28.437 PDT) DECLARE BOT 130.149.49.136 (12:44:28.437 PDT) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 54593->54593 (12:44:28.437 PDT) tcpslice 1332445468.437 1332445468.438 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 1.4 (>= 0.8) Infected Target: 192.168.1.102 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 03/22/2012 12:49:51.967 PDT Gen. Time: 03/22/2012 12:49:51.967 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 132.239.17.226 (12:49:51.967 PDT) event=1:9930005 {tcp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40 53261->2128 (12:49:51.967 PDT) DECLARE BOT 132.239.17.226 (12:49:51.967 PDT) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 53261->2128 (12:49:51.967 PDT) tcpslice 1332445791.967 1332445791.968 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: Egg Source List: C & C List: Peer Coord. 
List: Resource List: Observed Start: 03/22/2012 12:54:28.639 PDT Gen. Time: 03/22/2012 12:54:28.639 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 130.149.49.136 (12:54:28.639 PDT) event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40 54593->54593 (12:54:28.639 PDT) DECLARE BOT tcpslice 1332446068.639 1332446068.640 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 1.4 (>= 0.8) Infected Target: 192.168.1.102 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 03/22/2012 12:54:28.639 PDT Gen. Time: 03/22/2012 12:56:39.268 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 130.149.49.136 (12:54:28.639 PDT) event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40 54593->54593 (12:54:28.639 PDT) DECLARE BOT 130.149.49.136 (12:54:28.639 PDT) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 54593->54593 (12:54:28.639 PDT) tcpslice 1332446068.639 1332446068.640 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 1.4 (>= 0.8) Infected Target: 192.168.1.102 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 03/22/2012 13:03:20.543 PDT Gen. 
Time: 03/22/2012 13:03:20.543 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 132.239.17.226 (13:03:20.543 PDT) event=1:9930005 {tcp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40 53346->2128 (13:03:20.543 PDT) DECLARE BOT 132.239.17.226 (13:03:20.543 PDT) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 53346->2128 (13:03:20.543 PDT) tcpslice 1332446600.543 1332446600.544 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 1.4 (>= 0.8) Infected Target: 192.168.1.102 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 03/22/2012 13:03:20.543 PDT Gen. 
Time: 03/22/2012 13:05:44.990 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 132.239.17.226 (2) (13:03:20.543 PDT) event=1:9930005 {tcp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40 53346->2128 (13:03:20.543 PDT) ------------------------- event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40 59012->59012 (13:04:28.075 PDT) DECLARE BOT 132.239.17.226 (2) (13:03:20.543 PDT) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 53346->2128 (13:03:20.543 PDT) ------------------------- event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 59012->59012 (13:04:28.075 PDT) tcpslice 1332446600.543 1332446600.544 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 1.4 (>= 0.8) Infected Target: 192.168.1.102 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 03/22/2012 13:13:41.552 PDT Gen. 
Time: 03/22/2012 13:13:41.552 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 128.163.142.20 (13:13:41.552 PDT) event=1:9930005 {tcp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40 52767->2128 (13:13:41.552 PDT) DECLARE BOT 128.163.142.20 (13:13:41.552 PDT) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 52767->2128 (13:13:41.552 PDT) tcpslice 1332447221.552 1332447221.553 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 1.4 (>= 0.8) Infected Target: 192.168.1.102 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 03/22/2012 13:13:41.552 PDT Gen. 
Time: 03/22/2012 13:17:42.104 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 128.163.142.20 (13:13:41.552 PDT) event=1:9930005 {tcp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40 52767->2128 (13:13:41.552 PDT) 195.37.16.125 (13:14:28.343 PDT) event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40 54593->54593 (13:14:28.343 PDT) DECLARE BOT 128.163.142.20 (13:13:41.552 PDT) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 52767->2128 (13:13:41.552 PDT) 195.37.16.125 (13:14:28.343 PDT) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 54593->54593 (13:14:28.343 PDT) tcpslice 1332447221.552 1332447221.553 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 03/22/2012 13:24:29.759 PDT Gen. 
Time: 03/22/2012 13:24:29.759 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 206.207.248.34 (13:24:29.759 PDT) event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40 4119->4119 (13:24:29.759 PDT) DECLARE BOT tcpslice 1332447869.759 1332447869.760 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 1.4 (>= 0.8) Infected Target: 192.168.1.102 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 03/22/2012 13:24:29.759 PDT Gen. Time: 03/22/2012 13:29:18.491 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 206.207.248.34 (13:24:29.759 PDT) event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40 4119->4119 (13:24:29.759 PDT) DECLARE BOT 206.207.248.34 (13:24:29.759 PDT) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 4119->4119 (13:24:29.759 PDT) tcpslice 1332447869.759 1332447869.760 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 1.4 (>= 0.8) Infected Target: 192.168.1.102 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 03/22/2012 13:31:49.375 PDT Gen. 
Time: 03/22/2012 13:31:49.375 PDT
INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
    206.207.248.34 (13:31:49.375 PDT)
        event=1:9930005 {tcp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40 54909->2128 (13:31:49.375 PDT)
DECLARE BOT
    206.207.248.34 (13:31:49.375 PDT)
        event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 54909->2128 (13:31:49.375 PDT)
tcpslice 1332448309.375 1332448309.376 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'
============================== SEPARATOR ================================
Score: 1.4 (>= 0.8)
Infected Target: 192.168.1.102
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 03/22/2012 13:31:49.375 PDT
Gen. Time: 03/22/2012 13:35:39.286 PDT
INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
    130.149.49.136 (13:34:33.289 PDT)
        event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40 54593->54593 (13:34:33.289 PDT)
    206.207.248.34 (13:31:49.375 PDT)
        event=1:9930005 {tcp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40 54909->2128 (13:31:49.375 PDT)
DECLARE BOT
    130.149.49.136 (13:34:33.289 PDT)
        event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 54593->54593 (13:34:33.289 PDT)
    206.207.248.34 (13:31:49.375 PDT)
        event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 54909->2128 (13:31:49.375 PDT)
tcpslice 1332448309.375 1332448309.376 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 03/22/2012 13:44:46.280 PDT
Gen. Time: 03/22/2012 13:44:46.280 PDT
INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
    206.207.248.34 (13:44:46.280 PDT)
        event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40 2122->2122 (13:44:46.280 PDT)
DECLARE BOT
tcpslice 1332449086.280 1332449086.281 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'
============================== SEPARATOR ================================
Score: 1.4 (>= 0.8)
Infected Target: 192.168.1.102
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 03/22/2012 13:44:46.280 PDT
Gen. Time: 03/22/2012 13:49:08.321 PDT
INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
    206.207.248.34 (2) (13:44:46.280 PDT)
        event=1:9930005 {tcp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40 41033->2128 (13:48:01.506 PDT)
        -------------------------
        event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40 2122->2122 (13:44:46.280 PDT)
DECLARE BOT
    206.207.248.34 (2) (13:44:46.280 PDT)
        event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 41033->2128 (13:48:01.506 PDT)
        -------------------------
        event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 2122->2122 (13:44:46.280 PDT)
tcpslice 1332449086.280 1332449086.281 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'
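Added example, not BotHunter's own code and not part of the original dump: a small Python reducer that parses profiles in the format above and answers what an analyst actually asks of a dump like this one, namely which remote hosts were declared C&C servers, over which protocol and destination port, and how many distinct flows back that verdict. Two things visible in the profiles drive the design. A later profile in the same window re-lists the events of the earlier one (the 13:31:49.375 flow to 206.207.248.34 appears in both the 13:31:49 and the 13:35:39 profile), and every flow is reported twice, once under DECLARE BOT Non-standard Port (event 1:993000x) and once under DECLARE BOT (event 1:991000x), so counting event lines overstates the evidence. The code therefore keys on the flow. It also checks that each printed tcpslice start equals the profile's Observed Start in epoch seconds (the dump stamps times as PDT, taken here as UTC-7, which is an assumption) and builds a tcpslice window that spans Observed Start to Gen. Time instead of the one millisecond the printed commands cover. SAMPLE is a constructed two-profile excerpt abridged from the records above, with the empty list fields and category headers left out; all function and constant names are mine.

```python
"""Reduce BotHunter infection profiles (the format printed above) to what an
analyst acts on.  Added example, not BotHunter code and not part of the dump.
SAMPLE is a constructed excerpt abridged from the page's own records."""
import re
from collections import Counter, namedtuple
from datetime import datetime, timedelta, timezone

PDT = timezone(timedelta(hours=-7))  # assumption: the dump's "PDT" is UTC-7
TS_FMT = "%m/%d/%Y %H:%M:%S.%f"

SAMPLE = """\
Score: 1.4 (>= 0.8)
Infected Target: 192.168.1.102
Observed Start: 03/22/2012 13:31:49.375 PDT
Gen. Time: 03/22/2012 13:35:39.286 PDT
DECLARE BOT Non-standard Port
    130.149.49.136 (13:34:33.289 PDT)
        event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40 54593->54593 (13:34:33.289 PDT)
    206.207.248.34 (13:31:49.375 PDT)
        event=1:9930005 {tcp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40 54909->2128 (13:31:49.375 PDT)
DECLARE BOT
    130.149.49.136 (13:34:33.289 PDT)
        event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 54593->54593 (13:34:33.289 PDT)
tcpslice 1332448309.375 1332448309.376 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'
============================== SEPARATOR ================================
Score: 1.4 (>= 0.8)
Infected Target: 192.168.1.102
Observed Start: 03/22/2012 13:44:46.280 PDT
Gen. Time: 03/22/2012 13:49:08.321 PDT
DECLARE BOT Non-standard Port
    206.207.248.34 (2) (13:44:46.280 PDT)
        event=1:9930005 {tcp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40 41033->2128 (13:48:01.506 PDT)
        -------------------------
        event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40 2122->2122 (13:44:46.280 PDT)
tcpslice 1332449086.280 1332449086.281 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'
"""

SEPARATOR = re.compile(r"=+ SEPARATOR =+")
SCORE = re.compile(r"Score: ([\d.]+)")
TARGET = re.compile(r"Infected Target: (\S+)")
START = re.compile(r"Observed Start: (\d\d/\d\d/\d{4} \d\d:\d\d:\d\d\.\d+) PDT")
GEN = re.compile(r"Gen\. Time: (\d\d/\d\d/\d{4} \d\d:\d\d:\d\d\.\d+) PDT")
SLICE = re.compile(r"tcpslice (\d+\.\d+) ")
# A source header "a.b.c.d [(n)] (hh:mm:ss.mmm PDT)" or one event line under it.
TOKEN = re.compile(
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})(?: \(\d+\))? \(\d\d:\d\d:\d\d\.\d+ PDT\)"
    r"|event=(?P<sid>\d+:\d+) \{(?P<proto>tcp|udp)\} [^\n]*?MAC_Src: \S+ "
    r"(?P<sport>\d+)->(?P<dport>\d+) \((?P<ts>\d\d:\d\d:\d\d\.\d+) PDT\)")

Event = namedtuple("Event", "ip sid proto sport dport ts")
Profile = namedtuple("Profile", "score target observed_start gen_time slice_start events")


def _stamp(s):
    return datetime.strptime(s, TS_FMT).replace(tzinfo=PDT)


def parse_profiles(text):
    """Split a dump on SEPARATOR lines and parse each profile's header and events."""
    profiles = []
    for chunk in SEPARATOR.split(text):
        if not SCORE.search(chunk):
            continue
        events, ip = [], None
        for m in TOKEN.finditer(chunk):
            if m.group("ip"):
                ip = m.group("ip")  # event lines that follow belong to this source
            elif ip is None:
                raise ValueError("event line before any source header")
            else:
                events.append(Event(ip, m.group("sid"), m.group("proto"),
                                    int(m.group("sport")), int(m.group("dport")), m.group("ts")))
        profiles.append(Profile(float(SCORE.search(chunk).group(1)), TARGET.search(chunk).group(1),
                                _stamp(START.search(chunk).group(1)), _stamp(GEN.search(chunk).group(1)),
                                float(SLICE.search(chunk).group(1)), events))
    return profiles


def slice_matches_observed_start(p):
    """The printed tcpslice start should be Observed Start in epoch seconds."""
    return abs(p.observed_start.timestamp() - p.slice_start) < 0.0005


def unique_flows(profiles):
    """Key on the flow, not the signature id: a later profile in the same window
    re-lists earlier events, and each flow is printed once as 1:993000x and once
    as 1:991000x."""
    return {(e.ip, e.proto, e.sport, e.dport, e.ts) for p in profiles for e in p.events}


def cnc_summary(profiles):
    """Distinct flows per (C&C address, protocol, destination port)."""
    return Counter((ip, proto, dport) for ip, proto, _sp, dport, _ts in unique_flows(profiles))


def pcap_window_command(p, infile="inputFile.tcpd", outfile="outputFile.tcpd"):
    """tcpslice from Observed Start to Gen. Time (+1 ms), filtered to the target;
    the dump's own commands cover only the first millisecond of each profile."""
    end = p.gen_time + timedelta(milliseconds=1)
    return (f"tcpslice {p.observed_start.timestamp():.3f} {end.timestamp():.3f} {infile} "
            f"| tcpdump -r - -w {outfile} 'host {p.target}'")


if __name__ == "__main__":
    profs = parse_profiles(SAMPLE)
    for p in profs:
        print(f"score={p.score} start={p.observed_start:%H:%M:%S} "
              f"slice_ok={slice_matches_observed_start(p)}")
        print("  " + pcap_window_command(p))
    for (ip, proto, dport), n in sorted(cnc_summary(profs).items()):
        print(f"{ip:16} {proto} dport={dport:<6} flows={n}")
```

Run directly, it prints the slice check and a widened tcpslice command for each profile, then the flow summary: for SAMPLE that is 130.149.49.136/udp/54593 with one distinct flow, 206.207.248.34/tcp/2128 with two, and 206.207.248.34/udp/2122 with one, even though SAMPLE contains five event lines. The regexes do not depend on line breaks, so the same parser works on the run-together form of the dump as well as on the one-field-per-line form.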
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 03/22/2012 13:54:53.273 PDT
Gen. Time: 03/22/2012 13:54:53.273 PDT
INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
    195.37.16.125 (13:54:53.273 PDT)
        event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40 54593->54593 (13:54:53.273 PDT)
DECLARE BOT
tcpslice 1332449693.273 1332449693.274 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'
============================== SEPARATOR ================================
Score: 1.4 (>= 0.8)
Infected Target: 192.168.1.102
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 03/22/2012 13:54:53.273 PDT
Gen. Time: 03/22/2012 13:57:28.152 PDT
INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
    195.37.16.125 (13:54:53.273 PDT)
        event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40 54593->54593 (13:54:53.273 PDT)
DECLARE BOT
    195.37.16.125 (13:54:53.273 PDT)
        event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 54593->54593 (13:54:53.273 PDT)
tcpslice 1332449693.273 1332449693.274 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'
============================== SEPARATOR ================================
Score: 1.4 (>= 0.8)
Infected Target: 192.168.1.102
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 03/22/2012 13:58:01.998 PDT
Gen. Time: 03/22/2012 13:58:01.998 PDT
INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
    206.207.248.34 (13:58:01.998 PDT)
        event=1:9930005 {tcp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40 57698->2128 (13:58:01.998 PDT)
DECLARE BOT
    206.207.248.34 (13:58:01.998 PDT)
        event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 57698->2128 (13:58:01.998 PDT)
tcpslice 1332449881.998 1332449881.999 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 03/22/2012 14:04:55.966 PDT
Gen. Time: 03/22/2012 14:04:55.966 PDT
INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
    195.37.16.125 (14:04:55.966 PDT)
        event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40 54593->54593 (14:04:55.966 PDT)
DECLARE BOT
tcpslice 1332450295.966 1332450295.967 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'
============================== SEPARATOR ================================
Score: 1.4 (>= 0.8)
Infected Target: 192.168.1.102
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 03/22/2012 14:04:55.966 PDT
Gen. Time: 03/22/2012 14:08:31.505 PDT
INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
    195.37.16.125 (14:04:55.966 PDT)
        event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40 54593->54593 (14:04:55.966 PDT)
DECLARE BOT
    195.37.16.125 (14:04:55.966 PDT)
        event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 54593->54593 (14:04:55.966 PDT)
tcpslice 1332450295.966 1332450295.967 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'
============================== SEPARATOR ================================
Score: 1.4 (>= 0.8)
Infected Target: 192.168.1.102
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 03/22/2012 14:09:40.013 PDT
Gen. Time: 03/22/2012 14:09:40.013 PDT
INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
    206.207.248.34 (14:09:40.013 PDT)
        event=1:9930005 {tcp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40 57143->2128 (14:09:40.013 PDT)
DECLARE BOT
    206.207.248.34 (14:09:40.013 PDT)
        event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 57143->2128 (14:09:40.013 PDT)
tcpslice 1332450580.013 1332450580.014 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 03/22/2012 14:14:55.154 PDT
Gen. Time: 03/22/2012 14:14:55.154 PDT
INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
    130.149.49.136 (14:14:55.154 PDT)
        event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40 54593->54593 (14:14:55.154 PDT)
DECLARE BOT
tcpslice 1332450895.154 1332450895.155 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'
============================== SEPARATOR ================================
Score: 1.4 (>= 0.8)
Infected Target: 192.168.1.102
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 03/22/2012 14:14:55.154 PDT
Gen. Time: 03/22/2012 14:18:15.889 PDT
INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
    130.149.49.136 (14:14:55.154 PDT)
        event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40 54593->54593 (14:14:55.154 PDT)
DECLARE BOT
    130.149.49.136 (14:14:55.154 PDT)
        event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 54593->54593 (14:14:55.154 PDT)
tcpslice 1332450895.154 1332450895.155 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'
============================== SEPARATOR ================================
Score: 1.4 (>= 0.8)
Infected Target: 192.168.1.102
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 03/22/2012 14:22:11.706 PDT
Gen. Time: 03/22/2012 14:22:11.706 PDT
INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
    132.239.17.226 (14:22:11.706 PDT)
        event=1:9930005 {tcp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40 56889->2128 (14:22:11.706 PDT)
DECLARE BOT
    132.239.17.226 (14:22:11.706 PDT)
        event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 56889->2128 (14:22:11.706 PDT)
tcpslice 1332451331.706 1332451331.707 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 03/22/2012 14:24:56.482 PDT
Gen. Time: 03/22/2012 14:24:56.482 PDT
INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
    206.207.248.34 (14:24:56.482 PDT)
        event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40 2121->2121 (14:24:56.482 PDT)
DECLARE BOT
tcpslice 1332451496.482 1332451496.483 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'
============================== SEPARATOR ================================
Score: 1.4 (>= 0.8)
Infected Target: 192.168.1.102
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 03/22/2012 14:24:56.482 PDT
Gen. Time: 03/22/2012 14:29:19.901 PDT
INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
    206.207.248.34 (14:24:56.482 PDT)
        event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40 2121->2121 (14:24:56.482 PDT)
DECLARE BOT
    206.207.248.34 (14:24:56.482 PDT)
        event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 2121->2121 (14:24:56.482 PDT)
tcpslice 1332451496.482 1332451496.483 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'
============================== SEPARATOR ================================
Score: 1.4 (>= 0.8)
Infected Target: 192.168.1.102
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 03/22/2012 14:33:32.751 PDT
Gen. Time: 03/22/2012 14:33:32.751 PDT
INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
    128.163.142.20 (14:33:32.751 PDT)
        event=1:9930005 {tcp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40 39807->2126 (14:33:32.751 PDT)
DECLARE BOT
    128.163.142.20 (14:33:32.751 PDT)
        event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 39807->2126 (14:33:32.751 PDT)
tcpslice 1332452012.751 1332452012.752 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'
============================== SEPARATOR ================================
Score: 1.4 (>= 0.8)
Infected Target: 192.168.1.102
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 03/22/2012 14:33:32.751 PDT
Gen. Time: 03/22/2012 14:38:00.444 PDT
INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
    128.163.142.20 (14:33:32.751 PDT)
        event=1:9930005 {tcp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40 39807->2126 (14:33:32.751 PDT)
    206.207.248.34 (14:34:56.008 PDT)
        event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40 2121->2121 (14:34:56.008 PDT)
DECLARE BOT
    128.163.142.20 (14:33:32.751 PDT)
        event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 39807->2126 (14:33:32.751 PDT)
    206.207.248.34 (14:34:56.008 PDT)
        event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 2121->2121 (14:34:56.008 PDT)
tcpslice 1332452012.751 1332452012.752 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 03/22/2012 14:44:57.562 PDT
Gen. Time: 03/22/2012 14:44:57.562 PDT
INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
    195.37.16.125 (14:44:57.562 PDT)
        event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40 54593->54593 (14:44:57.562 PDT)
DECLARE BOT
tcpslice 1332452697.562 1332452697.563 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'
============================== SEPARATOR ================================
Score: 1.4 (>= 0.8)
Infected Target: 192.168.1.102
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 03/22/2012 14:44:57.562 PDT
Gen. Time: 03/22/2012 14:48:57.218 PDT
INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
    195.37.16.125 (14:44:57.562 PDT)
        event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40 54593->54593 (14:44:57.562 PDT)
DECLARE BOT
    195.37.16.125 (14:44:57.562 PDT)
        event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 54593->54593 (14:44:57.562 PDT)
tcpslice 1332452697.562 1332452697.563 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'
============================== SEPARATOR ================================
Score: 1.4 (>= 0.8)
Infected Target: 192.168.1.102
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 03/22/2012 14:51:17.797 PDT
Gen. Time: 03/22/2012 14:51:17.797 PDT
INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
    128.163.142.20 (14:51:17.797 PDT)
        event=1:9930005 {tcp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40 58451->2128 (14:51:17.797 PDT)
DECLARE BOT
    128.163.142.20 (14:51:17.797 PDT)
        event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 58451->2128 (14:51:17.797 PDT)
tcpslice 1332453077.797 1332453077.798 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 03/22/2012 14:55:00.823 PDT
Gen. Time: 03/22/2012 14:55:00.823 PDT
INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
    128.2.211.114 (14:55:00.823 PDT)
        event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40 2121->2121 (14:55:00.823 PDT)
DECLARE BOT
tcpslice 1332453300.823 1332453300.824 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'
============================== SEPARATOR ================================
Score: 1.4 (>= 0.8)
Infected Target: 192.168.1.102
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 03/22/2012 14:55:00.823 PDT
Gen. Time: 03/22/2012 14:57:59.868 PDT
INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
    128.2.211.114 (14:55:00.823 PDT)
        event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40 2121->2121 (14:55:00.823 PDT)
DECLARE BOT
    128.2.211.114 (14:55:00.823 PDT)
        event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 2121->2121 (14:55:00.823 PDT)
tcpslice 1332453300.823 1332453300.824 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 03/22/2012 15:05:03.181 PDT
Gen. Time: 03/22/2012 15:05:03.181 PDT
INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
    128.2.211.114 (15:05:03.181 PDT)
        event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40 2121->2121 (15:05:03.181 PDT)
DECLARE BOT
tcpslice 1332453903.181 1332453903.182 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'
============================== SEPARATOR ================================
Score: 1.4 (>= 0.8)
Infected Target: 192.168.1.102
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 03/22/2012 15:05:03.181 PDT
Gen. Time: 03/22/2012 15:08:30.364 PDT
INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
    128.2.211.114 (15:05:03.181 PDT)
        event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40 2121->2121 (15:05:03.181 PDT)
    128.163.142.20 (15:08:03.732 PDT)
        event=1:9930005 {tcp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40 53096->2126 (15:08:03.732 PDT)
DECLARE BOT
    128.2.211.114 (15:05:03.181 PDT)
        event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 2121->2121 (15:05:03.181 PDT)
    128.163.142.20 (15:08:03.732 PDT)
        event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 53096->2126 (15:08:03.732 PDT)
tcpslice 1332453903.181 1332453903.182 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 03/22/2012 15:15:03.139 PDT
Gen. Time: 03/22/2012 15:15:03.139 PDT
INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
    130.149.49.136 (15:15:03.139 PDT)
        event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40 54593->54593 (15:15:03.139 PDT)
DECLARE BOT
tcpslice 1332454503.139 1332454503.140 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'
============================== SEPARATOR ================================
Score: 1.4 (>= 0.8)
Infected Target: 192.168.1.102
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 03/22/2012 15:15:03.139 PDT
Gen. Time: 03/22/2012 15:19:03.346 PDT
INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
    130.149.49.136 (15:15:03.139 PDT)
        event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40 54593->54593 (15:15:03.139 PDT)
DECLARE BOT
    130.149.49.136 (15:15:03.139 PDT)
        event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 54593->54593 (15:15:03.139 PDT)
tcpslice 1332454503.139 1332454503.140 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'
============================== SEPARATOR ================================
Score: 1.4 (>= 0.8)
Infected Target: 192.168.1.102
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 03/22/2012 15:23:49.722 PDT
Gen. Time: 03/22/2012 15:23:49.722 PDT
INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
    132.239.17.226 (15:23:49.722 PDT)
        event=1:9930005 {tcp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40 55585->2128 (15:23:49.722 PDT)
DECLARE BOT
    132.239.17.226 (15:23:49.722 PDT)
        event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 55585->2128 (15:23:49.722 PDT)
tcpslice 1332455029.722 1332455029.723 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'
============================== SEPARATOR ================================
Score: 1.4 (>= 0.8)
Infected Target: 192.168.1.102
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 03/22/2012 15:23:49.722 PDT
Gen. Time: 03/22/2012 15:27:39.406 PDT
INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
    128.2.211.114 (15:25:04.218 PDT)
        event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40 2121->2121 (15:25:04.218 PDT)
    132.239.17.226 (15:23:49.722 PDT)
        event=1:9930005 {tcp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40 55585->2128 (15:23:49.722 PDT)
DECLARE BOT
    128.2.211.114 (15:25:04.218 PDT)
        event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 2121->2121 (15:25:04.218 PDT)
    132.239.17.226 (15:23:49.722 PDT)
        event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 55585->2128 (15:23:49.722 PDT)
tcpslice 1332455029.722 1332455029.723 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 03/22/2012 15:35:04.902 PDT
Gen. Time: 03/22/2012 15:35:04.902 PDT
INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
    130.149.49.136 (15:35:04.902 PDT)
        event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40 54593->54593 (15:35:04.902 PDT)
DECLARE BOT
tcpslice 1332455704.902 1332455704.903 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'
============================== SEPARATOR ================================
Score: 1.4 (>= 0.8)
Infected Target: 192.168.1.102
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 03/22/2012 15:35:04.902 PDT
Gen. Time: 03/22/2012 15:39:01.041 PDT
INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
    130.149.49.136 (15:35:04.902 PDT)
        event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40 54593->54593 (15:35:04.902 PDT)
DECLARE BOT
    130.149.49.136 (15:35:04.902 PDT)
        event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 54593->54593 (15:35:04.902 PDT)
    132.239.17.226 (15:39:01.041 PDT)
        event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 52519->2128 (15:39:01.041 PDT)
tcpslice 1332455704.902 1332455704.903 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 03/22/2012 15:39:01.041 PDT
Gen. Time: 03/22/2012 15:39:01.041 PDT
INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
    132.239.17.226 (15:39:01.041 PDT)
        event=1:9930005 {tcp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40 52519->2128 (15:39:01.041 PDT)
DECLARE BOT
tcpslice 1332455941.041 1332455941.042 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 03/22/2012 15:45:05.430 PDT
Gen. Time: 03/22/2012 15:45:05.430 PDT
INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
    130.149.49.136 (15:45:05.430 PDT)
        event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40 54593->54593 (15:45:05.430 PDT)
DECLARE BOT
tcpslice 1332456305.430 1332456305.431 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'
============================== SEPARATOR ================================
Score: 1.4 (>= 0.8)
Infected Target: 192.168.1.102
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 03/22/2012 15:45:05.430 PDT
Gen. Time: 03/22/2012 15:48:37.054 PDT
INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
    130.149.49.136 (15:45:05.430 PDT)
        event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40 54593->54593 (15:45:05.430 PDT)
DECLARE BOT
    130.149.49.136 (15:45:05.430 PDT)
        event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 54593->54593 (15:45:05.430 PDT)
tcpslice 1332456305.430 1332456305.431 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 03/22/2012 15:55:05.061 PDT
Gen. Time: 03/22/2012 15:55:05.061 PDT
INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
    128.163.142.20 (15:55:05.061 PDT)
        event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40 2122->2122 (15:55:05.061 PDT)
DECLARE BOT
tcpslice 1332456905.061 1332456905.062 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'
============================== SEPARATOR ================================
Score: 1.4 (>= 0.8)
Infected Target: 192.168.1.102
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 03/22/2012 15:55:05.061 PDT
Gen. Time: 03/22/2012 15:59:04.421 PDT
INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
    132.239.17.226 (15:55:23.082 PDT)
        event=1:9930005 {tcp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40 40387->2128 (15:55:23.082 PDT)
    128.163.142.20 (15:55:05.061 PDT)
        event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40 2122->2122 (15:55:05.061 PDT)
DECLARE BOT
    132.239.17.226 (15:55:23.082 PDT)
        event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 40387->2128 (15:55:23.082 PDT)
    128.163.142.20 (15:55:05.061 PDT)
        event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 2122->2122 (15:55:05.061 PDT)
tcpslice 1332456905.061 1332456905.062 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 03/22/2012 16:05:05.216 PDT
Gen. Time: 03/22/2012 16:05:05.216 PDT
INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
    130.149.49.136 (16:05:05.216 PDT)
        event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40 54593->54593 (16:05:05.216 PDT)
DECLARE BOT
tcpslice 1332457505.216 1332457505.217 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'
============================== SEPARATOR ================================
Score: 1.4 (>= 0.8)
Infected Target: 192.168.1.102
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 03/22/2012 16:05:05.216 PDT
Gen. Time: 03/22/2012 16:09:20.958 PDT
INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
    130.149.49.136 (16:05:05.216 PDT)
        event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40 54593->54593 (16:05:05.216 PDT)
DECLARE BOT
    130.149.49.136 (16:05:05.216 PDT)
        event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 54593->54593 (16:05:05.216 PDT)
tcpslice 1332457505.216 1332457505.217 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'
============================== SEPARATOR ================================
Score: 1.4 (>= 0.8)
Infected Target: 192.168.1.102
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 03/22/2012 16:09:37.246 PDT Gen.
Time: 03/22/2012 16:09:37.246 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 128.163.142.20 (16:09:37.246 PDT) event=1:9930005 {tcp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40 32952->2126 (16:09:37.246 PDT) DECLARE BOT 128.163.142.20 (16:09:37.246 PDT) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 32952->2126 (16:09:37.246 PDT) tcpslice 1332457777.246 1332457777.247 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 03/22/2012 16:15:05.693 PDT Gen. Time: 03/22/2012 16:15:05.693 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 130.149.49.136 (16:15:05.693 PDT) event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40 54593->54593 (16:15:05.693 PDT) DECLARE BOT tcpslice 1332458105.693 1332458105.694 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 1.4 (>= 0.8) Infected Target: 192.168.1.102 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 03/22/2012 16:15:05.693 PDT Gen. 
Time: 03/22/2012 16:18:52.555 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 130.149.49.136 (16:15:05.693 PDT) event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40 54593->54593 (16:15:05.693 PDT) DECLARE BOT 130.149.49.136 (16:15:05.693 PDT) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 54593->54593 (16:15:05.693 PDT) tcpslice 1332458105.693 1332458105.694 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 1.4 (>= 0.8) Infected Target: 192.168.1.102 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 03/22/2012 16:19:41.710 PDT Gen. Time: 03/22/2012 16:19:41.710 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 128.163.142.20 (16:19:41.710 PDT) event=1:9930005 {tcp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40 35178->2128 (16:19:41.710 PDT) DECLARE BOT 128.163.142.20 (16:19:41.710 PDT) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 35178->2128 (16:19:41.710 PDT) tcpslice 1332458381.710 1332458381.711 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: Egg Source List: C & C List: Peer Coord. 
List: Resource List: Observed Start: 03/22/2012 16:25:05.345 PDT Gen. Time: 03/22/2012 16:25:05.345 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 206.207.248.34 (16:25:05.345 PDT) event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40 4119->4119 (16:25:05.345 PDT) DECLARE BOT tcpslice 1332458705.345 1332458705.346 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 1.4 (>= 0.8) Infected Target: 192.168.1.102 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 03/22/2012 16:25:05.345 PDT Gen. Time: 03/22/2012 16:29:23.487 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 206.207.248.34 (16:25:05.345 PDT) event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40 4119->4119 (16:25:05.345 PDT) DECLARE BOT 206.207.248.34 (16:25:05.345 PDT) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 4119->4119 (16:25:05.345 PDT) tcpslice 1332458705.345 1332458705.346 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 1.4 (>= 0.8) Infected Target: 192.168.1.102 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 03/22/2012 16:30:52.611 PDT Gen. 
Time: 03/22/2012 16:30:52.611 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 206.207.248.34 (16:30:52.611 PDT) event=1:9930005 {tcp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40 46496->2126 (16:30:52.611 PDT) DECLARE BOT 206.207.248.34 (16:30:52.611 PDT) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 46496->2126 (16:30:52.611 PDT) tcpslice 1332459052.611 1332459052.612 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 03/22/2012 16:35:05.606 PDT Gen. Time: 03/22/2012 16:35:05.606 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 128.2.211.114 (16:35:05.606 PDT) event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40 2121->2121 (16:35:05.606 PDT) DECLARE BOT tcpslice 1332459305.606 1332459305.607 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 1.4 (>= 0.8) Infected Target: 192.168.1.102 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 03/22/2012 16:35:05.606 PDT Gen. 
Time: 03/22/2012 16:38:43.747 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 128.2.211.114 (16:35:05.606 PDT) event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40 2121->2121 (16:35:05.606 PDT) DECLARE BOT 128.2.211.114 (16:35:05.606 PDT) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 2121->2121 (16:35:05.606 PDT) tcpslice 1332459305.606 1332459305.607 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 1.4 (>= 0.8) Infected Target: 192.168.1.102 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 03/22/2012 16:41:54.892 PDT Gen. Time: 03/22/2012 16:41:54.892 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 132.239.17.226 (16:41:54.892 PDT) event=1:9930005 {tcp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40 56144->2128 (16:41:54.892 PDT) DECLARE BOT 132.239.17.226 (16:41:54.892 PDT) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 56144->2128 (16:41:54.892 PDT) tcpslice 1332459714.892 1332459714.893 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: Egg Source List: C & C List: Peer Coord. 
List: Resource List: Observed Start: 03/22/2012 16:45:06.433 PDT Gen. Time: 03/22/2012 16:45:06.433 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 195.37.16.125 (16:45:06.433 PDT) event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40 54593->54593 (16:45:06.433 PDT) DECLARE BOT tcpslice 1332459906.433 1332459906.434 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 1.4 (>= 0.8) Infected Target: 192.168.1.102 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 03/22/2012 16:45:06.433 PDT Gen. Time: 03/22/2012 16:48:45.502 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 195.37.16.125 (16:45:06.433 PDT) event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40 54593->54593 (16:45:06.433 PDT) DECLARE BOT 195.37.16.125 (16:45:06.433 PDT) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 54593->54593 (16:45:06.433 PDT) tcpslice 1332459906.433 1332459906.434 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 03/22/2012 16:55:06.816 PDT Gen. 
Time: 03/22/2012 16:55:06.816 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 195.37.16.125 (16:55:06.816 PDT) event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40 54593->54593 (16:55:06.816 PDT) DECLARE BOT tcpslice 1332460506.816 1332460506.817 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 1.4 (>= 0.8) Infected Target: 192.168.1.102 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 03/22/2012 16:55:06.816 PDT Gen. Time: 03/22/2012 16:57:56.184 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 134.34.246.5 (16:55:09.344 PDT) event=1:9930005 {tcp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40 46379->54593 (16:55:09.344 PDT) 195.37.16.125 (16:55:06.816 PDT) event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40 54593->54593 (16:55:06.816 PDT) DECLARE BOT 134.34.246.5 (16:55:09.344 PDT) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 46379->54593 (16:55:09.344 PDT) 195.37.16.125 (16:55:06.816 PDT) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 54593->54593 (16:55:06.816 PDT) tcpslice 1332460506.816 1332460506.817 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 
192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 03/22/2012 17:05:06.206 PDT Gen. Time: 03/22/2012 17:05:06.206 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 206.207.248.34 (17:05:06.206 PDT) event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40 2122->2122 (17:05:06.206 PDT) DECLARE BOT tcpslice 1332461106.206 1332461106.207 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 1.4 (>= 0.8) Infected Target: 192.168.1.102 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 03/22/2012 17:05:06.206 PDT Gen. 
Time: 03/22/2012 17:09:21.034 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 128.163.142.20 (17:05:13.672 PDT) event=1:9930005 {tcp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40 57176->2126 (17:05:13.672 PDT) 206.207.248.34 (17:05:06.206 PDT) event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40 2122->2122 (17:05:06.206 PDT) DECLARE BOT 128.163.142.20 (17:05:13.672 PDT) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 57176->2126 (17:05:13.672 PDT) 206.207.248.34 (17:05:06.206 PDT) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 2122->2122 (17:05:06.206 PDT) tcpslice 1332461106.206 1332461106.207 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 03/22/2012 17:15:07.123 PDT Gen. 
Time: 03/22/2012 17:15:07.123 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 130.149.49.136 (17:15:07.123 PDT) event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40 54593->54593 (17:15:07.123 PDT) DECLARE BOT tcpslice 1332461707.123 1332461707.124 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 1.4 (>= 0.8) Infected Target: 192.168.1.102 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 03/22/2012 17:15:07.123 PDT Gen. Time: 03/22/2012 17:18:23.531 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 130.149.49.136 (17:15:07.123 PDT) event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40 54593->54593 (17:15:07.123 PDT) DECLARE BOT 130.149.49.136 (17:15:07.123 PDT) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 54593->54593 (17:15:07.123 PDT) tcpslice 1332461707.123 1332461707.124 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 1.4 (>= 0.8) Infected Target: 192.168.1.102 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 03/22/2012 17:19:06.832 PDT Gen. 
Time: 03/22/2012 17:19:06.832 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 128.163.142.20 (17:19:06.832 PDT) event=1:9930005 {tcp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40 46683->2126 (17:19:06.832 PDT) DECLARE BOT 128.163.142.20 (17:19:06.832 PDT) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 46683->2126 (17:19:06.832 PDT) tcpslice 1332461946.832 1332461946.833 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 03/22/2012 17:25:07.129 PDT Gen. Time: 03/22/2012 17:25:07.129 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 130.149.49.136 (17:25:07.129 PDT) event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40 54593->54593 (17:25:07.129 PDT) DECLARE BOT tcpslice 1332462307.129 1332462307.130 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 1.4 (>= 0.8) Infected Target: 192.168.1.102 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 03/22/2012 17:25:07.129 PDT Gen. 
Time: 03/22/2012 17:29:01.337 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 130.149.49.136 (17:25:07.129 PDT) event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40 54593->54593 (17:25:07.129 PDT) DECLARE BOT 130.149.49.136 (17:25:07.129 PDT) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 54593->54593 (17:25:07.129 PDT) tcpslice 1332462307.129 1332462307.130 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 1.4 (>= 0.8) Infected Target: 192.168.1.102 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 03/22/2012 17:33:54.032 PDT Gen. Time: 03/22/2012 17:33:54.032 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 128.163.142.20 (17:33:54.032 PDT) event=1:9930005 {tcp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40 37224->49302 (17:33:54.032 PDT) DECLARE BOT 128.163.142.20 (17:33:54.032 PDT) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 37224->49302 (17:33:54.032 PDT) tcpslice 1332462834.032 1332462834.033 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 1.4 (>= 0.8) Infected Target: 192.168.1.102 Infector List: Egg Source List: C & C List: Peer Coord. 
List: Resource List: Observed Start: 03/22/2012 17:33:54.032 PDT Gen. Time: 03/22/2012 17:38:02.158 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 130.149.49.136 (17:35:07.133 PDT) event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40 54593->54593 (17:35:07.133 PDT) 128.163.142.20 (17:33:54.032 PDT) event=1:9930005 {tcp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40 37224->49302 (17:33:54.032 PDT) DECLARE BOT 130.149.49.136 (17:35:07.133 PDT) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 54593->54593 (17:35:07.133 PDT) 128.163.142.20 (17:33:54.032 PDT) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 37224->49302 (17:33:54.032 PDT) tcpslice 1332462834.032 1332462834.033 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 03/22/2012 17:45:07.323 PDT Gen. 
Time: 03/22/2012 17:45:07.323 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 130.149.49.136 (17:45:07.323 PDT) event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40 54593->54593 (17:45:07.323 PDT) DECLARE BOT tcpslice 1332463507.323 1332463507.324 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 1.4 (>= 0.8) Infected Target: 192.168.1.102 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 03/22/2012 17:45:07.323 PDT Gen. Time: 03/22/2012 17:47:45.609 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 130.149.49.136 (17:45:07.323 PDT) event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40 54593->54593 (17:45:07.323 PDT) 195.37.16.125 (17:45:12.450 PDT) event=1:9930005 {tcp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40 57052->7733 (17:45:12.450 PDT) DECLARE BOT 130.149.49.136 (17:45:07.323 PDT) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 54593->54593 (17:45:07.323 PDT) 195.37.16.125 (17:45:12.450 PDT) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 57052->7733 (17:45:12.450 PDT) tcpslice 1332463507.323 1332463507.324 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 
192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 03/22/2012 17:55:07.159 PDT Gen. Time: 03/22/2012 17:55:07.159 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 130.149.49.136 (17:55:07.159 PDT) event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40 54593->54593 (17:55:07.159 PDT) DECLARE BOT tcpslice 1332464107.159 1332464107.160 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 1.4 (>= 0.8) Infected Target: 192.168.1.102 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 03/22/2012 17:55:07.159 PDT Gen. 
Time: 03/22/2012 17:59:08.496 PDT
INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
  130.149.49.136 (17:55:07.159 PDT) event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40 54593->54593 (17:55:07.159 PDT)
  195.37.16.125 (17:55:54.480 PDT) event=1:9930005 {tcp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40 54436->7733 (17:55:54.480 PDT)
DECLARE BOT
  130.149.49.136 (17:55:07.159 PDT) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 54593->54593 (17:55:07.159 PDT)
  195.37.16.125 (17:55:54.480 PDT) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 54436->7733 (17:55:54.480 PDT)
tcpslice 1332464107.159 1332464107.160 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'
============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List:
Observed Start: 03/22/2012 18:05:07.162 PDT Gen. Time: 03/22/2012 18:05:07.162 PDT
INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
  130.149.49.136 (18:05:07.162 PDT) event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40 54593->54593 (18:05:07.162 PDT)
DECLARE BOT
tcpslice 1332464707.162 1332464707.163 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'
============================== SEPARATOR ================================

Score: 1.4 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List:
Observed Start: 03/22/2012 18:05:07.162 PDT Gen. Time: 03/22/2012 18:09:22.565 PDT
INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
  130.149.49.136 (18:05:07.162 PDT) event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40 54593->54593 (18:05:07.162 PDT)
  143.89.49.74 (18:06:28.817 PDT) event=1:9930005 {tcp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40 56145->7733 (18:06:28.817 PDT)
DECLARE BOT
  130.149.49.136 (18:05:07.162 PDT) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 54593->54593 (18:05:07.162 PDT)
  143.89.49.74 (18:06:28.817 PDT) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 56145->7733 (18:06:28.817 PDT)
tcpslice 1332464707.162 1332464707.163 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'
============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List:
Observed Start: 03/22/2012 18:15:07.320 PDT Gen. Time: 03/22/2012 18:15:07.320 PDT
INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
  206.207.248.34 (18:15:07.320 PDT) event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40 4119->4119 (18:15:07.320 PDT)
DECLARE BOT
tcpslice 1332465307.320 1332465307.321 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'
============================== SEPARATOR ================================

Score: 1.4 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List:
Observed Start: 03/22/2012 18:15:07.320 PDT Gen. Time: 03/22/2012 18:18:07.062 PDT
INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
  206.207.248.34 (18:15:07.320 PDT) event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40 4119->4119 (18:15:07.320 PDT)
  143.89.49.74 (18:16:50.404 PDT) event=1:9930005 {tcp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40 35619->7733 (18:16:50.404 PDT)
DECLARE BOT
  206.207.248.34 (18:15:07.320 PDT) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 4119->4119 (18:15:07.320 PDT)
  143.89.49.74 (18:16:50.404 PDT) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 35619->7733 (18:16:50.404 PDT)
tcpslice 1332465307.320 1332465307.321 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'
============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List:
Observed Start: 03/22/2012 18:25:07.368 PDT Gen. Time: 03/22/2012 18:25:07.368 PDT
INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
  130.149.49.136 (18:25:07.368 PDT) event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40 54593->54593 (18:25:07.368 PDT)
DECLARE BOT
tcpslice 1332465907.368 1332465907.369 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'
============================== SEPARATOR ================================

Score: 1.4 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List:
Observed Start: 03/22/2012 18:25:07.368 PDT Gen. Time: 03/22/2012 18:27:25.341 PDT
INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
  130.149.49.136 (18:25:07.368 PDT) event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40 54593->54593 (18:25:07.368 PDT)
DECLARE BOT
  130.149.49.136 (18:25:07.368 PDT) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 54593->54593 (18:25:07.368 PDT)
  143.89.49.74 (18:27:25.341 PDT) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 43506->7733 (18:27:25.341 PDT)
tcpslice 1332465907.368 1332465907.369 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'
============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List:
Observed Start: 03/22/2012 18:27:25.341 PDT Gen. Time: 03/22/2012 18:27:25.341 PDT
INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
  143.89.49.74 (18:27:25.341 PDT) event=1:9930005 {tcp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40 43506->7733 (18:27:25.341 PDT)
DECLARE BOT
tcpslice 1332466045.341 1332466045.342 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'
============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List:
Observed Start: 03/22/2012 18:35:07.336 PDT Gen. Time: 03/22/2012 18:35:07.336 PDT
INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
  195.37.16.125 (18:35:07.336 PDT) event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40 54593->54593 (18:35:07.336 PDT)
DECLARE BOT
tcpslice 1332466507.336 1332466507.337 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'
============================== SEPARATOR ================================

Score: 1.4 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List:
Observed Start: 03/22/2012 18:35:07.336 PDT Gen. Time: 03/22/2012 18:37:46.382 PDT
INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
  195.37.16.125 (18:35:07.336 PDT) event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40 54593->54593 (18:35:07.336 PDT)
DECLARE BOT
  128.163.142.20 (18:37:46.382 PDT) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 54305->7733 (18:37:46.382 PDT)
  195.37.16.125 (18:35:07.336 PDT) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 54593->54593 (18:35:07.336 PDT)
tcpslice 1332466507.336 1332466507.337 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'
============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List:
Observed Start: 03/22/2012 18:37:46.382 PDT Gen. Time: 03/22/2012 18:37:46.382 PDT
INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
  128.163.142.20 (18:37:46.382 PDT) event=1:9930005 {tcp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40 54305->7733 (18:37:46.382 PDT)
DECLARE BOT
tcpslice 1332466666.382 1332466666.383 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'
============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List:
Observed Start: 03/22/2012 18:45:07.308 PDT Gen. Time: 03/22/2012 18:45:07.308 PDT
INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
  195.37.16.125 (18:45:07.308 PDT) event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40 54593->54593 (18:45:07.308 PDT)
DECLARE BOT
tcpslice 1332467107.308 1332467107.309 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'
============================== SEPARATOR ================================

Score: 1.4 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List:
Observed Start: 03/22/2012 18:45:07.308 PDT Gen. Time: 03/22/2012 18:48:02.995 PDT
INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
  195.37.16.125 (18:45:07.308 PDT) event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40 54593->54593 (18:45:07.308 PDT)
DECLARE BOT
  195.37.16.125 (18:45:07.308 PDT) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 54593->54593 (18:45:07.308 PDT)
tcpslice 1332467107.308 1332467107.309 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'
============================== SEPARATOR ================================

Score: 1.4 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List:
Observed Start: 03/22/2012 18:48:41.904 PDT Gen. Time: 03/22/2012 18:48:41.904 PDT
INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
  195.37.16.125 (18:48:41.904 PDT) event=1:9930005 {tcp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40 49367->7733 (18:48:41.904 PDT)
DECLARE BOT
  195.37.16.125 (18:48:41.904 PDT) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 49367->7733 (18:48:41.904 PDT)
tcpslice 1332467321.904 1332467321.905 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'
============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List:
Observed Start: 03/22/2012 18:55:07.585 PDT Gen. Time: 03/22/2012 18:55:07.585 PDT
INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
  206.207.248.34 (18:55:07.585 PDT) event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40 4119->4119 (18:55:07.585 PDT)
DECLARE BOT
tcpslice 1332467707.585 1332467707.586 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'
============================== SEPARATOR ================================

Score: 1.4 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List:
Observed Start: 03/22/2012 18:55:07.585 PDT Gen. Time: 03/22/2012 18:58:50.521 PDT
INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
  206.207.248.34 (18:55:07.585 PDT) event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40 4119->4119 (18:55:07.585 PDT)
DECLARE BOT
  206.207.248.34 (18:55:07.585 PDT) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 4119->4119 (18:55:07.585 PDT)
tcpslice 1332467707.585 1332467707.586 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'
============================== SEPARATOR ================================

Score: 1.4 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List:
Observed Start: 03/22/2012 18:59:09.710 PDT Gen. Time: 03/22/2012 18:59:09.710 PDT
INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
  206.207.248.34 (18:59:09.710 PDT) event=1:9930005 {tcp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40 58347->2126 (18:59:09.710 PDT)
DECLARE BOT
  206.207.248.34 (18:59:09.710 PDT) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 58347->2126 (18:59:09.710 PDT)
tcpslice 1332467949.710 1332467949.711 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'
============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List:
Observed Start: 03/22/2012 19:05:08.325 PDT Gen. Time: 03/22/2012 19:05:08.325 PDT
INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
  138.238.250.155 (19:05:08.325 PDT) event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40 4121->4121 (19:05:08.325 PDT)
DECLARE BOT
tcpslice 1332468308.325 1332468308.326 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'
============================== SEPARATOR ================================

Score: 1.4 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List:
Observed Start: 03/22/2012 19:05:08.325 PDT Gen. Time: 03/22/2012 19:09:10.696 PDT
INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
  138.238.250.155 (19:05:08.325 PDT) event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40 4121->4121 (19:05:08.325 PDT)
DECLARE BOT
  138.238.250.155 (19:05:08.325 PDT) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 4121->4121 (19:05:08.325 PDT)
tcpslice 1332468308.325 1332468308.326 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'
============================== SEPARATOR ================================

Score: 1.4 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List:
Observed Start: 03/22/2012 19:09:29.037 PDT Gen. Time: 03/22/2012 19:09:29.037 PDT
INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
  132.239.17.226 (19:09:29.037 PDT) event=1:9930005 {tcp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40 50831->2128 (19:09:29.037 PDT)
DECLARE BOT
  132.239.17.226 (19:09:29.037 PDT) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 50831->2128 (19:09:29.037 PDT)
tcpslice 1332468569.037 1332468569.038 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'
============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List:
Observed Start: 03/22/2012 19:15:11.479 PDT Gen. Time: 03/22/2012 19:15:11.479 PDT
INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
  130.149.49.136 (19:15:11.479 PDT) event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40 54593->54593 (19:15:11.479 PDT)
DECLARE BOT
tcpslice 1332468911.479 1332468911.480 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'
============================== SEPARATOR ================================

Score: 1.4 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List:
Observed Start: 03/22/2012 19:15:11.479 PDT Gen. Time: 03/22/2012 19:18:39.313 PDT
INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
  130.149.49.136 (19:15:11.479 PDT) event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40 54593->54593 (19:15:11.479 PDT)
DECLARE BOT
  130.149.49.136 (19:15:11.479 PDT) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 54593->54593 (19:15:11.479 PDT)
tcpslice 1332468911.479 1332468911.480 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'
============================== SEPARATOR ================================

Score: 1.4 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List:
Observed Start: 03/22/2012 19:20:15.369 PDT Gen. Time: 03/22/2012 19:20:15.369 PDT
INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
  195.37.16.125 (19:20:15.369 PDT) event=1:9930005 {tcp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40 59691->7733 (19:20:15.369 PDT)
DECLARE BOT
  195.37.16.125 (19:20:15.369 PDT) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 59691->7733 (19:20:15.369 PDT)
tcpslice 1332469215.369 1332469215.370 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'
============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List:
Observed Start: 03/22/2012 19:25:11.254 PDT Gen. Time: 03/22/2012 19:25:11.254 PDT
INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
  130.149.49.136 (19:25:11.254 PDT) event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40 54593->54593 (19:25:11.254 PDT)
DECLARE BOT
tcpslice 1332469511.254 1332469511.255 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'
============================== SEPARATOR ================================

Score: 1.4 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List:
Observed Start: 03/22/2012 19:25:11.254 PDT Gen. Time: 03/22/2012 19:28:39.615 PDT
INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
  130.149.49.136 (19:25:11.254 PDT) event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40 54593->54593 (19:25:11.254 PDT)
DECLARE BOT
  130.149.49.136 (19:25:11.254 PDT) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 54593->54593 (19:25:11.254 PDT)
tcpslice 1332469511.254 1332469511.255 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'
============================== SEPARATOR ================================

Score: 1.4 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List:
Observed Start: 03/22/2012 19:31:08.841 PDT Gen. Time: 03/22/2012 19:31:08.841 PDT
INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
  143.89.49.74 (19:31:08.841 PDT) event=1:9930005 {tcp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40 51377->7733 (19:31:08.841 PDT)
DECLARE BOT
  143.89.49.74 (19:31:08.841 PDT) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 51377->7733 (19:31:08.841 PDT)
tcpslice 1332469868.841 1332469868.842 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'
============================== SEPARATOR ================================

Score: 1.4 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List:
Observed Start: 03/22/2012 19:31:08.841 PDT Gen. Time: 03/22/2012 19:35:11.756 PDT
INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
  130.149.49.136 (19:35:11.756 PDT) event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40 54593->54593 (19:35:11.756 PDT)
  143.89.49.74 (19:31:08.841 PDT) event=1:9930005 {tcp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40 51377->7733 (19:31:08.841 PDT)
DECLARE BOT
  143.89.49.74 (19:31:08.841 PDT) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 51377->7733 (19:31:08.841 PDT)
tcpslice 1332469868.841 1332469868.842 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'
============================== SEPARATOR ================================

Score: 1.4 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List:
Observed Start: 03/22/2012 19:41:19.724 PDT Gen. Time: 03/22/2012 19:41:19.724 PDT
INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
  143.89.49.74 (19:41:19.724 PDT) event=1:9930005 {tcp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40 60265->7733 (19:41:19.724 PDT)
DECLARE BOT
  143.89.49.74 (19:41:19.724 PDT) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 60265->7733 (19:41:19.724 PDT)
tcpslice 1332470479.724 1332470479.725 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'
============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List:
Observed Start: 03/22/2012 19:45:11.900 PDT Gen. Time: 03/22/2012 19:45:11.900 PDT
INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
  130.149.49.136 (19:45:11.900 PDT) event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40 54593->54593 (19:45:11.900 PDT)
DECLARE BOT
tcpslice 1332470711.900 1332470711.901 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'
============================== SEPARATOR ================================

Score: 1.4 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List:
Observed Start: 03/22/2012 19:45:11.900 PDT Gen. Time: 03/22/2012 19:48:31.575 PDT
INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
  130.149.49.136 (19:45:11.900 PDT) event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40 54593->54593 (19:45:11.900 PDT)
DECLARE BOT
  130.149.49.136 (19:45:11.900 PDT) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 54593->54593 (19:45:11.900 PDT)
tcpslice 1332470711.900 1332470711.901 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'
============================== SEPARATOR ================================

Score: 1.4 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List:
Observed Start: 03/22/2012 19:52:38.103 PDT Gen. Time: 03/22/2012 19:52:38.103 PDT
INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
  143.89.49.74 (19:52:38.103 PDT) event=1:9930005 {tcp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40 35915->7733 (19:52:38.103 PDT)
DECLARE BOT
  143.89.49.74 (19:52:38.103 PDT) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 35915->7733 (19:52:38.103 PDT)
tcpslice 1332471158.103 1332471158.104 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'
============================== SEPARATOR ================================

Score: 1.4 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List:
Observed Start: 03/22/2012 19:52:38.103 PDT Gen. Time: 03/22/2012 19:57:01.729 PDT
INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
  130.149.49.136 (19:55:11.771 PDT) event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40 54593->54593 (19:55:11.771 PDT)
  143.89.49.74 (19:52:38.103 PDT) event=1:9930005 {tcp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40 35915->7733 (19:52:38.103 PDT)
DECLARE BOT
  130.149.49.136 (19:55:11.771 PDT) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 54593->54593 (19:55:11.771 PDT)
  143.89.49.74 (19:52:38.103 PDT) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 35915->7733 (19:52:38.103 PDT)
tcpslice 1332471158.103 1332471158.104 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'
============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List:
Observed Start: 03/22/2012 20:05:11.798 PDT Gen. Time: 03/22/2012 20:05:11.798 PDT
INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
  130.149.49.136 (20:05:11.798 PDT) event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40 54593->54593 (20:05:11.798 PDT)
DECLARE BOT
tcpslice 1332471911.798 1332471911.799 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'
============================== SEPARATOR ================================

Score: 1.4 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List:
Observed Start: 03/22/2012 20:05:11.798 PDT Gen. Time: 03/22/2012 20:03:33.802 PDT
INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
  130.149.49.136 (20:05:11.798 PDT) event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40 54593->54593 (20:05:11.798 PDT)
  128.163.142.20 (20:06:12.217 PDT) event=1:9930005 {tcp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40 45435->2126 (20:06:12.217 PDT)
DECLARE BOT
  130.149.49.136 (20:05:11.798 PDT) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 54593->54593 (20:05:11.798 PDT)
  128.163.142.20 (20:06:12.217 PDT) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 45435->2126 (20:06:12.217 PDT)
tcpslice 1332471911.798 1332471911.799 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'
============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List:
Observed Start: 03/22/2012 20:15:11.826 PDT Gen. Time: 03/22/2012 20:15:11.826 PDT
INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
  206.207.248.34 (20:15:11.826 PDT) event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40 2122->2122 (20:15:11.826 PDT)
DECLARE BOT
tcpslice 1332472511.826 1332472511.827 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'
============================== SEPARATOR ================================

Score: 1.4 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List:
Observed Start: 03/22/2012 20:15:11.826 PDT Gen. Time: 03/22/2012 20:19:28.397 PDT
INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
  206.207.248.34 (20:15:11.826 PDT) event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40 2122->2122 (20:15:11.826 PDT)
DECLARE BOT
  206.207.248.34 (20:15:11.826 PDT) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 2122->2122 (20:15:11.826 PDT)
tcpslice 1332472511.826 1332472511.827 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'
============================== SEPARATOR ================================

Score: 1.4 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List:
Observed Start: 03/22/2012 20:21:38.547 PDT Gen. Time: 03/22/2012 20:21:38.547 PDT
INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
  143.89.49.74 (20:21:38.547 PDT) event=1:9930005 {tcp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40 44821->7733 (20:21:38.547 PDT)
DECLARE BOT
  143.89.49.74 (20:21:38.547 PDT) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 44821->7733 (20:21:38.547 PDT)
tcpslice 1332472898.547 1332472898.548 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'
============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List:
Observed Start: 03/22/2012 20:25:11.298 PDT Gen. Time: 03/22/2012 20:25:11.298 PDT
INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
  128.186.122.86 (20:25:11.298 PDT) event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40 49302->53219 (20:25:11.298 PDT)
DECLARE BOT
tcpslice 1332473111.298 1332473111.299 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'
============================== SEPARATOR ================================

Score: 1.4 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List:
Observed Start: 03/22/2012 20:25:11.298 PDT Gen. Time: 03/22/2012 20:28:03.660 PDT
INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
  128.186.122.86 (20:25:11.298 PDT) event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40 49302->53219 (20:25:11.298 PDT)
DECLARE BOT
  128.186.122.86 (20:25:11.298 PDT) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 49302->53219 (20:25:11.298 PDT)
tcpslice 1332473111.298 1332473111.299 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'
============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List:
Observed Start: 03/22/2012 20:35:11.797 PDT Gen.
Time: 03/22/2012 20:35:11.797 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 130.149.49.136 (20:35:11.797 PDT) event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40 54593->54593 (20:35:11.797 PDT) DECLARE BOT tcpslice 1332473711.797 1332473711.798 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 1.4 (>= 0.8) Infected Target: 192.168.1.102 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 03/22/2012 20:35:11.797 PDT Gen. Time: 03/22/2012 20:39:25.558 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 130.149.49.136 (20:35:11.797 PDT) event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40 54593->54593 (20:35:11.797 PDT) 143.89.49.74 (20:36:41.956 PDT) event=1:9930005 {tcp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40 43758->7733 (20:36:41.956 PDT) DECLARE BOT 130.149.49.136 (20:35:11.797 PDT) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 54593->54593 (20:35:11.797 PDT) 143.89.49.74 (20:36:41.956 PDT) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 43758->7733 (20:36:41.956 PDT) tcpslice 1332473711.797 1332473711.798 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 
192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 03/22/2012 20:45:11.229 PDT Gen. Time: 03/22/2012 20:45:11.229 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 134.34.246.5 (20:45:11.229 PDT) event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40 2121->2121 (20:45:11.229 PDT) DECLARE BOT tcpslice 1332474311.229 1332474311.230 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 1.4 (>= 0.8) Infected Target: 192.168.1.102 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 03/22/2012 20:45:11.229 PDT Gen. 
Time: 03/22/2012 20:48:51.172 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 134.34.246.5 (20:45:11.229 PDT) event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40 2121->2121 (20:45:11.229 PDT) DECLARE BOT 134.34.246.5 (20:45:11.229 PDT) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 2121->2121 (20:45:11.229 PDT) tcpslice 1332474311.229 1332474311.230 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 1.4 (>= 0.8) Infected Target: 192.168.1.102 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 03/22/2012 20:51:38.688 PDT Gen. Time: 03/22/2012 20:51:38.688 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 143.89.49.74 (20:51:38.688 PDT) event=1:9930005 {tcp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40 35932->7733 (20:51:38.688 PDT) DECLARE BOT 143.89.49.74 (20:51:38.688 PDT) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 35932->7733 (20:51:38.688 PDT) tcpslice 1332474698.688 1332474698.689 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: Egg Source List: C & C List: Peer Coord. 
List: Resource List: Observed Start: 03/22/2012 20:55:11.808 PDT Gen. Time: 03/22/2012 20:55:11.808 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 130.149.49.136 (20:55:11.808 PDT) event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40 54593->54593 (20:55:11.808 PDT) DECLARE BOT tcpslice 1332474911.808 1332474911.809 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 1.4 (>= 0.8) Infected Target: 192.168.1.102 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 03/22/2012 20:55:11.808 PDT Gen. Time: 03/22/2012 20:58:47.367 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 130.149.49.136 (20:55:11.808 PDT) event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40 54593->54593 (20:55:11.808 PDT) DECLARE BOT 130.149.49.136 (20:55:11.808 PDT) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 54593->54593 (20:55:11.808 PDT) tcpslice 1332474911.808 1332474911.809 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 1.4 (>= 0.8) Infected Target: 192.168.1.102 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 03/22/2012 21:04:21.815 PDT Gen. 
Time: 03/22/2012 21:04:21.815 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 206.207.248.34 (21:04:21.815 PDT) event=1:9930005 {tcp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40 59749->2128 (21:04:21.815 PDT) DECLARE BOT 206.207.248.34 (21:04:21.815 PDT) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 59749->2128 (21:04:21.815 PDT) tcpslice 1332475461.815 1332475461.816 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 1.4 (>= 0.8) Infected Target: 192.168.1.102 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 03/22/2012 21:04:21.815 PDT Gen. 
Time: 03/22/2012 21:07:06.578 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 128.2.211.114 (21:05:11.014 PDT) event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40 2121->2121 (21:05:11.014 PDT) 206.207.248.34 (21:04:21.815 PDT) event=1:9930005 {tcp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40 59749->2128 (21:04:21.815 PDT) DECLARE BOT 128.2.211.114 (21:05:11.014 PDT) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 2121->2121 (21:05:11.014 PDT) 206.207.248.34 (21:04:21.815 PDT) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 59749->2128 (21:04:21.815 PDT) tcpslice 1332475461.815 1332475461.816 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 03/22/2012 21:15:11.826 PDT Gen. 
Time: 03/22/2012 21:15:11.826 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 130.149.49.136 (21:15:11.826 PDT) event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40 54593->54593 (21:15:11.826 PDT) DECLARE BOT tcpslice 1332476111.826 1332476111.827 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 1.4 (>= 0.8) Infected Target: 192.168.1.102 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 03/22/2012 21:15:11.826 PDT Gen. Time: 03/22/2012 21:18:34.719 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 130.149.49.136 (21:15:11.826 PDT) event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40 54593->54593 (21:15:11.826 PDT) 132.239.17.226 (21:15:56.046 PDT) event=1:9930005 {tcp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40 54967->2128 (21:15:56.046 PDT) DECLARE BOT 130.149.49.136 (21:15:11.826 PDT) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 54593->54593 (21:15:11.826 PDT) 132.239.17.226 (21:15:56.046 PDT) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 54967->2128 (21:15:56.046 PDT) tcpslice 1332476111.826 1332476111.827 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 
192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 03/22/2012 21:25:11.264 PDT Gen. Time: 03/22/2012 21:25:11.264 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 206.207.248.34 (21:25:11.264 PDT) event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40 2122->2122 (21:25:11.264 PDT) DECLARE BOT tcpslice 1332476711.264 1332476711.265 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 1.4 (>= 0.8) Infected Target: 192.168.1.102 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 03/22/2012 21:25:11.264 PDT Gen. 
Time: 03/22/2012 21:29:11.352 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 128.163.142.20 (21:26:20.759 PDT) event=1:9930005 {tcp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40 53947->7733 (21:26:20.759 PDT) 206.207.248.34 (21:25:11.264 PDT) event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40 2122->2122 (21:25:11.264 PDT) DECLARE BOT 128.163.142.20 (21:26:20.759 PDT) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 53947->7733 (21:26:20.759 PDT) 206.207.248.34 (21:25:11.264 PDT) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 2122->2122 (21:25:11.264 PDT) tcpslice 1332476711.264 1332476711.265 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 03/22/2012 21:35:11.836 PDT Gen. 
Time: 03/22/2012 21:35:11.836 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 130.149.49.136 (21:35:11.836 PDT) event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40 54593->54593 (21:35:11.836 PDT) DECLARE BOT tcpslice 1332477311.836 1332477311.837 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 1.4 (>= 0.8) Infected Target: 192.168.1.102 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 03/22/2012 21:35:11.836 PDT Gen. Time: 03/22/2012 21:37:37.528 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 130.149.49.136 (21:35:11.836 PDT) event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40 54593->54593 (21:35:11.836 PDT) DECLARE BOT 130.149.49.136 (21:35:11.836 PDT) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 54593->54593 (21:35:11.836 PDT) 195.37.16.125 (21:37:37.528 PDT) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 41597->7733 (21:37:37.528 PDT) tcpslice 1332477311.836 1332477311.837 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: Egg Source List: C & C List: Peer Coord. 
List: Resource List: Observed Start: 03/22/2012 21:37:37.528 PDT Gen. Time: 03/22/2012 21:37:37.528 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 195.37.16.125 (21:37:37.528 PDT) event=1:9930005 {tcp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40 41597->7733 (21:37:37.528 PDT) DECLARE BOT tcpslice 1332477457.528 1332477457.529 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 03/22/2012 21:45:11.740 PDT Gen. Time: 03/22/2012 21:45:11.740 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 195.37.16.125 (21:45:11.740 PDT) event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40 54593->54593 (21:45:11.740 PDT) DECLARE BOT tcpslice 1332477911.740 1332477911.741 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 1.4 (>= 0.8) Infected Target: 192.168.1.102 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 03/22/2012 21:45:11.740 PDT Gen. 
Time: 03/22/2012 21:49:12.437 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 132.239.17.226 (21:47:43.154 PDT) event=1:9930005 {tcp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40 44607->2126 (21:47:43.154 PDT) 195.37.16.125 (21:45:11.740 PDT) event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40 54593->54593 (21:45:11.740 PDT) DECLARE BOT 132.239.17.226 (21:47:43.154 PDT) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 44607->2126 (21:47:43.154 PDT) 195.37.16.125 (21:45:11.740 PDT) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 54593->54593 (21:45:11.740 PDT) tcpslice 1332477911.740 1332477911.741 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 03/22/2012 21:55:11.242 PDT Gen. 
Time: 03/22/2012 21:55:11.242 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 128.186.122.86 (21:55:11.242 PDT) event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40 49302->35314 (21:55:11.242 PDT) DECLARE BOT tcpslice 1332478511.242 1332478511.243 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 1.4 (>= 0.8) Infected Target: 192.168.1.102 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 03/22/2012 21:55:11.242 PDT Gen. Time: 03/22/2012 21:57:54.050 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 128.186.122.86 (21:55:11.242 PDT) event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40 49302->35314 (21:55:11.242 PDT) DECLARE BOT 128.186.122.86 (21:55:11.242 PDT) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 49302->35314 (21:55:11.242 PDT) tcpslice 1332478511.242 1332478511.243 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 1.4 (>= 0.8) Infected Target: 192.168.1.102 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 03/22/2012 21:58:56.965 PDT Gen. 
Time: 03/22/2012 21:58:56.965 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 132.239.17.226 (21:58:56.965 PDT) event=1:9930005 {tcp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40 49412->2126 (21:58:56.965 PDT) DECLARE BOT 132.239.17.226 (21:58:56.965 PDT) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 49412->2126 (21:58:56.965 PDT) tcpslice 1332478736.965 1332478736.966 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 03/22/2012 22:05:11.724 PDT Gen. Time: 03/22/2012 22:05:11.724 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 130.149.49.136 (22:05:11.724 PDT) event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40 54593->54593 (22:05:11.724 PDT) DECLARE BOT tcpslice 1332479111.724 1332479111.725 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 1.4 (>= 0.8) Infected Target: 192.168.1.102 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 03/22/2012 22:05:11.724 PDT Gen. 
Time: 03/22/2012 22:08:58.072 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 130.149.49.136 (22:05:11.724 PDT) event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40 54593->54593 (22:05:11.724 PDT) DECLARE BOT 130.149.49.136 (22:05:11.724 PDT) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 54593->54593 (22:05:11.724 PDT) tcpslice 1332479111.724 1332479111.725 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 1.4 (>= 0.8) Infected Target: 192.168.1.102 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 03/22/2012 22:09:17.907 PDT Gen. Time: 03/22/2012 22:09:17.907 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 195.37.16.125 (22:09:17.907 PDT) event=1:9930005 {tcp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40 59148->7733 (22:09:17.907 PDT) DECLARE BOT 195.37.16.125 (22:09:17.907 PDT) event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 59148->7733 (22:09:17.907 PDT) tcpslice 1332479357.907 1332479357.908 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: Egg Source List: C & C List: Peer Coord. 
List: Resource List: Observed Start: 03/22/2012 22:15:11.857 PDT Gen. Time: 03/22/2012 22:15:11.857 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 128.186.122.86 (22:15:11.857 PDT) event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40 49302->35314 (22:15:11.857 PDT) DECLARE BOT tcpslice 1332479711.857 1332479711.858 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 1.4 (>= 0.8) Infected Target: 192.168.1.102 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 03/22/2012 22:15:11.857 PDT Gen. Time: 03/22/2012 22:19:23.088 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 128.186.122.86 (22:15:11.857 PDT) event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40 49302->35314 (22:15:11.857 PDT) DECLARE BOT 128.186.122.86 (22:15:11.857 PDT) event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40 49302->35314 (22:15:11.857 PDT) tcpslice 1332479711.857 1332479711.858 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 1.4 (>= 0.8) Infected Target: 192.168.1.102 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 03/22/2012 22:22:33.915 PDT Gen. 
Time: 03/22/2012 22:22:33.915 PDT
   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
      143.89.49.74 (22:22:33.915 PDT)
        event=1:9930005 {tcp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40
        49126->7733 (22:22:33.915 PDT)
   DECLARE BOT
      143.89.49.74 (22:22:33.915 PDT)
        event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40
        49126->7733 (22:22:33.915 PDT)
tcpslice 1332480153.915 1332480153.916 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'
============================== SEPARATOR ================================
Score: 1.4 (>= 0.8)
Infected Target: 192.168.1.102
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 03/22/2012 22:22:33.915 PDT
Gen. Time: 03/22/2012 22:25:13.706 PDT
   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
      128.186.122.86 (22:25:13.706 PDT)
        event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40
        49302->35314 (22:25:13.706 PDT)
      143.89.49.74 (22:22:33.915 PDT)
        event=1:9930005 {tcp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40
        49126->7733 (22:22:33.915 PDT)
   DECLARE BOT
      143.89.49.74 (22:22:33.915 PDT)
        event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40
        49126->7733 (22:22:33.915 PDT)
tcpslice 1332480153.915 1332480153.916 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'
============================== SEPARATOR ================================
Score: 1.4 (>= 0.8)
Infected Target: 192.168.1.102
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 03/22/2012 22:32:42.437 PDT
Gen. Time: 03/22/2012 22:32:42.437 PDT
   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
      128.163.142.20 (22:32:42.437 PDT)
        event=1:9930005 {tcp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40
        33904->2128 (22:32:42.437 PDT)
   DECLARE BOT
      128.163.142.20 (22:32:42.437 PDT)
        event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40
        33904->2128 (22:32:42.437 PDT)
tcpslice 1332480762.437 1332480762.438 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 03/22/2012 22:35:13.708 PDT
Gen. Time: 03/22/2012 22:35:13.708 PDT
   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
      206.207.248.34 (22:35:13.708 PDT)
        event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40
        4119->4119 (22:35:13.708 PDT)
   DECLARE BOT
tcpslice 1332480913.708 1332480913.709 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'
============================== SEPARATOR ================================
Score: 1.4 (>= 0.8)
Infected Target: 192.168.1.102
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 03/22/2012 22:35:13.708 PDT
Gen. Time: 03/22/2012 22:38:18.765 PDT
   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
      206.207.248.34 (22:35:13.708 PDT)
        event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40
        4119->4119 (22:35:13.708 PDT)
   DECLARE BOT
      206.207.248.34 (22:35:13.708 PDT)
        event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40
        4119->4119 (22:35:13.708 PDT)
tcpslice 1332480913.708 1332480913.709 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'
============================== SEPARATOR ================================
Score: 1.4 (>= 0.8)
Infected Target: 192.168.1.102
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 03/22/2012 22:44:23.058 PDT
Gen. Time: 03/22/2012 22:44:23.058 PDT
   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
      195.37.16.125 (22:44:23.058 PDT)
        event=1:9930005 {tcp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40
        54011->7733 (22:44:23.058 PDT)
   DECLARE BOT
      195.37.16.125 (22:44:23.058 PDT)
        event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40
        54011->7733 (22:44:23.058 PDT)
tcpslice 1332481463.058 1332481463.059 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'
============================== SEPARATOR ================================
Score: 1.4 (>= 0.8)
Infected Target: 192.168.1.102
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 03/22/2012 22:44:23.058 PDT
Gen. Time: 03/22/2012 22:47:48.296 PDT
   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
      130.149.49.136 (22:45:13.948 PDT)
        event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40
        54593->54593 (22:45:13.948 PDT)
      195.37.16.125 (22:44:23.058 PDT)
        event=1:9930005 {tcp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40
        54011->7733 (22:44:23.058 PDT)
   DECLARE BOT
      130.149.49.136 (22:45:13.948 PDT)
        event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40
        54593->54593 (22:45:13.948 PDT)
      195.37.16.125 (22:44:23.058 PDT)
        event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40
        54011->7733 (22:44:23.058 PDT)
tcpslice 1332481463.058 1332481463.059 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 03/22/2012 22:55:14.435 PDT
Gen. Time: 03/22/2012 22:55:14.435 PDT
   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
      130.149.49.136 (22:55:14.435 PDT)
        event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40
        54593->54593 (22:55:14.435 PDT)
   DECLARE BOT
tcpslice 1332482114.435 1332482114.436 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'
============================== SEPARATOR ================================
Score: 1.4 (>= 0.8)
Infected Target: 192.168.1.102
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 03/22/2012 22:55:14.435 PDT
Gen. Time: 03/22/2012 22:59:02.420 PDT
   INBOUND SCAN
   EXPLOIT
   EXPLOIT MALWARE DNS
   EGG DOWNLOAD
   C and C TRAFFIC
   C and C TRAFFIC (RBN)
   C and C DNS CHECK-IN
   OUTBOUND SKYPE CANDIDATE
   OUTBOUND SCAN (spp)
   OUTBOUND SCAN
   ATTACK PREP
   PEER COORDINATION
   DECLARE BOT Standard Port
   DECLARE BOT Non-standard Port
      130.149.49.136 (22:55:14.435 PDT)
        event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40
        54593->54593 (22:55:14.435 PDT)
      128.163.142.20 (22:57:50.953 PDT)
        event=1:9930005 {tcp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40
        39825->2128 (22:57:50.953 PDT)
   DECLARE BOT
      130.149.49.136 (22:55:14.435 PDT)
        event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40
        54593->54593 (22:55:14.435 PDT)
      128.163.142.20 (22:57:50.953 PDT)
        event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40
        39825->2128 (22:57:50.953 PDT)
tcpslice 1332482114.435 1332482114.436 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'
============================== SEPARATOR ================================
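The records above are BotHunter infection profiles: per record, a score against the 0.8 threshold, the infected host, the dialog categories with the Snort-style gid:sid events (here only the E8 "REPO confirmed botnet control server" hits) that fired, and a ready-made tcpslice | tcpdump pipeline whose epoch window is the Observed Start timestamp rounded to the millisecond. Two things a triage analyst wants that the raw report does not give directly: the distinct (server, protocol, port) tuples the host talked to, and a check that the epoch window really corresponds to the printed timestamp, because the printed window is one millisecond wide and pulls only the triggering packet, not the session. The parser below is an added example written for this page; it is not part of BotHunter or of the report. It assumes the report's zone abbreviation PDT means UTC-7, treats inputFile.tcpd and outputFile.tcpd as the placeholders they are in the report, and embeds a constructed sample record built from the fields of the 22:44:23.058 / 22:47:48.296 record above. Because it matches on field labels rather than line positions, it parses the report whether or not its line breaks survived extraction.

```python
"""Parse BotHunter infection-profile records and regenerate the pcap slice.

Added example for this page, not part of BotHunter.  Assumptions: the zone
abbreviation in the report is PDT (UTC-7); records are delimited by the
'=== SEPARATOR ===' line; event clock times fall on the Observed Start date.
"""
import re
from datetime import datetime, timedelta, timezone

PDT = timezone(timedelta(hours=-7))  # assumption: report stamps are PDT = UTC-7

# Constructed sample: the fields of one record from the report, one per line.
SAMPLE_REPORT = """\
Score: 1.4 (>= 0.8)
Infected Target: 192.168.1.102
Observed Start: 03/22/2012 22:44:23.058 PDT
Gen. Time: 03/22/2012 22:47:48.296 PDT
   DECLARE BOT Non-standard Port
      130.149.49.136 (22:45:13.948 PDT)
        event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40
        54593->54593 (22:45:13.948 PDT)
      195.37.16.125 (22:44:23.058 PDT)
        event=1:9930005 {tcp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40
        54011->7733 (22:44:23.058 PDT)
   DECLARE BOT
      130.149.49.136 (22:45:13.948 PDT)
        event=1:9910006 {udp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40
        54593->54593 (22:45:13.948 PDT)
      195.37.16.125 (22:44:23.058 PDT)
        event=1:9910005 {tcp} E8[rb] BotHunter REPO confirmed botnet control server, [] MAC_Src: 00:21:5A:08:EC:40
        54011->7733 (22:44:23.058 PDT)
tcpslice 1332481463.058 1332481463.059 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'
============================== SEPARATOR ================================
"""

SEPARATOR = re.compile(r"=+\s*SEPARATOR\s*=+")
STAMP = r"\d\d/\d\d/\d{4}\s+\d\d:\d\d:\d\d\.\d+\s+\w+"
# One event: "IP (clock tz) event=gid:sid {proto} Ex[..] message, [] MAC_Src: mac sport->dport"
EVENT = re.compile(
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+\((?P<time>\d\d:\d\d:\d\d\.\d+)\s+\w+\)\s+"
    r"event=(?P<sid>\d+:\d+)\s+\{(?P<proto>\w+)\}\s+(?P<stage>E\d\[\w+\])\s+"
    r"(?P<msg>.*?),\s+\[\]\s+MAC_Src:\s+(?P<mac>[0-9A-Fa-f:]+)\s+"
    r"(?P<sport>\d+)->(?P<dport>\d+)",
    re.S,
)


def parse_stamp(stamp):
    """'03/22/2012 22:44:23.058 PDT' -> aware datetime (zone assumed UTC-7)."""
    day, clock, _zone = stamp.split()
    return datetime.strptime(f"{day} {clock}", "%m/%d/%Y %H:%M:%S.%f").replace(tzinfo=PDT)


def parse_records(text):
    """Split a report into dicts, one per SEPARATOR-delimited record."""
    records = []
    for chunk in SEPARATOR.split(text):
        if "Infected Target:" not in chunk:
            continue  # leading/trailing debris, not a record
        fields = {
            "score": re.search(r"Score:\s*([\d.]+)", chunk),
            "target": re.search(r"Infected Target:\s*(\S+)", chunk),
            "observed_start": re.search(r"Observed Start:\s*(" + STAMP + ")", chunk),
            "gen_time": re.search(r"Gen\.\s*Time:\s*(" + STAMP + ")", chunk),
        }
        window = re.search(r"tcpslice\s+(\d+\.\d+)\s+(\d+\.\d+)\s+(\S+)", chunk)
        if window is None or any(m is None for m in fields.values()):
            raise ValueError("record is missing a required field: " + chunk[:60])
        rec = {k: m.group(1) for k, m in fields.items()}
        rec["score"] = float(rec["score"])
        rec["slice_start"], rec["slice_end"] = float(window.group(1)), float(window.group(2))
        rec["pcap"] = window.group(3)
        rec["events"] = [m.groupdict() for m in EVENT.finditer(chunk)]
        records.append(rec)
    return records


def cnc_servers(record):
    """Distinct (ip, proto, dport) the report names as control servers."""
    return sorted({(e["ip"], e["proto"], int(e["dport"])) for e in record["events"]})


def check_record(record):
    """Return a list of inconsistencies; empty means the record hangs together."""
    problems = []
    start, gen = parse_stamp(record["observed_start"]), parse_stamp(record["gen_time"])
    if abs(start.timestamp() - record["slice_start"]) > 0.0005:
        problems.append("tcpslice start does not match Observed Start")
    if gen < start:
        problems.append("Gen. Time precedes Observed Start")
    for e in record["events"]:  # events carry only a clock time; reuse the start date
        when = parse_stamp(f"{start:%m/%d/%Y} {e['time']} PDT")
        if not start <= when <= gen:
            problems.append(f"event {e['sid']} at {e['time']} outside observation window")
    return problems


def tcpslice_command(record, pad=0.0):
    """Regenerate the report's pipeline, widened by `pad` seconds on each side.

    With pad=0 this reproduces the report's own 1 ms window, i.e. just the
    packet that triggered the event, not the whole control-channel session.
    """
    start, end = record["slice_start"] - pad, record["slice_end"] + pad
    return (f"tcpslice {start:.3f} {end:.3f} {record['pcap']} | "
            f"tcpdump -r - -w outputFile.tcpd 'host {record['target']}'")


if __name__ == "__main__":
    for rec in parse_records(SAMPLE_REPORT):
        print(rec["target"], rec["score"], cnc_servers(rec))
        print(check_record(rec) or "record is internally consistent")
        print(tcpslice_command(rec, pad=30))
```

Run against a full report, the same parser yields one row per record; the set of (ip, proto, dport) tuples across all of them is the block list or the pivot for the pcap review, and a non-empty check_record() result flags a record whose window should not be trusted as printed.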