Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.100
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 07/16/2012 17:38:03.125 PDT
Gen. Time: 07/16/2012 17:38:03.125 PDT

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
130.104.72.201 (17:38:03.125 PDT) event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:BB:0C 49302->49302 (17:38:03.125 PDT)
DECLARE BOT

tcpslice 1342485483.125 1342485483.126 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100'

============================== SEPARATOR ================================

Score: 1.1 (>= 0.8)
Infected Target: 192.168.1.100
Infector List: 192.107.171.145, 156.17.10.51, 192.197.121.3
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 07/16/2012 17:44:34.741 PDT
Gen. Time: 07/16/2012 17:48:03.769 PDT

INBOUND SCAN
EXPLOIT
192.107.171.145 (17:45:17.943 PDT) event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:BB:0C 2001<-2026 (17:45:17.943 PDT)
156.17.10.51 (17:46:32.525 PDT) event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:BB:0C 2011<-2022 (17:46:32.525 PDT)
192.197.121.3 (17:44:34.741 PDT) event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:BB:0C 2013<-2003 (17:44:34.741 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
128.2.211.114 (17:48:03.769 PDT) event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:BB:0C 49301->49301 (17:48:03.769 PDT)
DECLARE BOT

tcpslice 1342485874.741 1342485874.742 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100'

============================== SEPARATOR ================================

Score: 1.1 (>= 0.8)
Infected Target: 192.168.1.100
Infector List: 192.107.171.145, 156.17.10.51, 192.197.121.3
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 07/16/2012 17:44:34.741 PDT
Gen. Time: 07/16/2012 17:49:58.532 PDT

INBOUND SCAN
EXPLOIT
192.107.171.145 (17:45:17.943 PDT) event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:BB:0C 2001<-2026 (17:45:17.943 PDT)
156.17.10.51 (17:46:32.525 PDT) event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:BB:0C 2011<-2022 (17:46:32.525 PDT)
192.197.121.3 (17:44:34.741 PDT) event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:BB:0C 2013<-2003 (17:44:34.741 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
128.2.211.114 (17:48:03.769 PDT) event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:BB:0C 49301->49301 (17:48:03.769 PDT)
129.93.229.138 (17:48:55.273 PDT) event=1:9930005 {tcp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:BB:0C 49040->17914 (17:48:55.273 PDT)
DECLARE BOT

tcpslice 1342485874.741 1342485874.742 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.100
Infector List: 192.16.125.12, 165.230.49.115
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 07/16/2012 17:50:37.792 PDT
Gen. Time: 07/16/2012 17:54:50.454 PDT

INBOUND SCAN
EXPLOIT
192.16.125.12 (17:50:37.792 PDT) event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:BB:0C 2024<-2014 (17:50:37.792 PDT)
165.230.49.115 (17:53:03.737 PDT) event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:BB:0C 2011<-2002 (17:53:03.737 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
192.16.125.11 (17:54:50.454 PDT) event=1:52012087 {udp} E5[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Src: 00:21:5A:08:BB:0C 2011->2007 (17:54:50.454 PDT)
ATTACK PREP
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT

tcpslice 1342486237.792 1342486237.793 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100'

============================== SEPARATOR ================================

Score: 1.6 (>= 0.8)
Infected Target: 192.168.1.100
Infector List: 192.16.125.12, 165.230.49.115
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 07/16/2012 17:50:37.792 PDT
Gen. Time: 07/16/2012 17:59:37.513 PDT

INBOUND SCAN
EXPLOIT
192.16.125.12 (17:50:37.792 PDT) event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:BB:0C 2024<-2014 (17:50:37.792 PDT)
165.230.49.115 (17:53:03.737 PDT) event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:BB:0C 2011<-2002 (17:53:03.737 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
192.6.26.33 (17:56:37.702 PDT) event=1:52012087 {udp} E5[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Src: 00:21:5A:08:BB:0C 2022->2001 (17:56:37.702 PDT)
192.16.125.11 (17:54:50.454 PDT) event=1:52012087 {udp} E5[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Src: 00:21:5A:08:BB:0C 2011->2007 (17:54:50.454 PDT)
ATTACK PREP
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
130.104.72.201 (17:58:06.140 PDT) event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:BB:0C 49302->49302 (17:58:06.140 PDT)
DECLARE BOT

tcpslice 1342486237.792 1342486237.793 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.100
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 07/16/2012 18:00:35.309 PDT
Gen. Time: 07/16/2012 18:00:35.309 PDT

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
129.93.229.138 (18:00:35.309 PDT) event=1:9930005 {tcp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:BB:0C 46658->17914 (18:00:35.309 PDT)
DECLARE BOT

tcpslice 1342486835.309 1342486835.310 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.100
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 07/16/2012 18:08:07.052 PDT
Gen. Time: 07/16/2012 18:08:07.052 PDT

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
130.104.72.201 (18:08:07.052 PDT) event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:BB:0C 49302->49302 (18:08:07.052 PDT)
DECLARE BOT

tcpslice 1342487287.052 1342487287.053 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100'

============================== SEPARATOR ================================

Score: 1.1 (>= 0.8)
Infected Target: 192.168.1.100
Infector List: 192.107.171.145, 156.17.10.51
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 07/16/2012 18:08:07.052 PDT
Gen. Time: 07/16/2012 18:16:26.006 PDT

INBOUND SCAN
EXPLOIT
192.107.171.145 (18:10:10.840 PDT) event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:BB:0C 2017<-2014 (18:10:10.840 PDT)
156.17.10.51 (18:12:03.710 PDT) event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:BB:0C 2018<-2026 (18:12:03.710 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
129.93.229.138 (18:16:26.006 PDT) event=1:9930005 {tcp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:BB:0C 35097->17914 (18:16:26.006 PDT)
130.104.72.201 (18:08:07.052 PDT) event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:BB:0C 49302->49302 (18:08:07.052 PDT)
DECLARE BOT

tcpslice 1342487287.052 1342487287.053 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.100
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 07/16/2012 18:18:08.580 PDT
Gen. Time: 07/16/2012 18:20:37.275 PDT

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
130.104.72.201 (18:18:08.580 PDT) event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:BB:0C 49302->49302 (18:18:08.580 PDT)
DECLARE BOT

tcpslice 1342487888.580 1342487888.581 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.100
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 07/16/2012 18:28:08.147 PDT
Gen. Time: 07/16/2012 18:28:08.147 PDT

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
130.104.72.201 (18:28:08.147 PDT) event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:BB:0C 49302->49302 (18:28:08.147 PDT)
DECLARE BOT

tcpslice 1342488488.147 1342488488.148 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.100
Infector List: 192.41.135.218, 162.105.205.21
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 07/16/2012 18:30:59.552 PDT
Gen. Time: 07/16/2012 18:34:26.814 PDT

INBOUND SCAN
EXPLOIT
192.41.135.218 (18:30:59.552 PDT) event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:BB:0C 2025<-2020 (18:30:59.552 PDT)
162.105.205.21 (18:34:11.323 PDT) event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:BB:0C 2024<-2002 (18:34:11.323 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
193.136.191.25 (18:34:26.814 PDT) event=1:52012087 {udp} E5[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Src: 00:21:5A:08:BB:0C 2020->2022 (18:34:26.814 PDT)
ATTACK PREP
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT

tcpslice 1342488659.552 1342488659.553 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100'

============================== SEPARATOR ================================

Score: 1.6 (>= 0.8)
Infected Target: 192.168.1.100
Infector List: 155.246.12.163, 192.41.135.218, 169.235.24.232, 162.105.205.21
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 07/16/2012 18:30:59.552 PDT
Gen. Time: 07/16/2012 18:41:01.866 PDT

INBOUND SCAN
EXPLOIT
155.246.12.163 (18:36:16.425 PDT) event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:BB:0C 2017<-2029 (18:36:16.425 PDT)
192.41.135.218 (18:30:59.552 PDT) event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:BB:0C 2025<-2020 (18:30:59.552 PDT)
169.235.24.232 (18:39:01.316 PDT) event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:BB:0C 1901<-2024 (18:39:01.316 PDT)
162.105.205.21 (18:34:11.323 PDT) event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:BB:0C 2024<-2002 (18:34:11.323 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
193.136.191.25 (18:34:26.814 PDT) event=1:52012087 {udp} E5[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Src: 00:21:5A:08:BB:0C 2020->2022 (18:34:26.814 PDT)
ATTACK PREP
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
129.93.229.138 (18:36:28.824 PDT) event=1:9930005 {tcp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:BB:0C 48323->17914 (18:36:28.824 PDT)
130.104.72.201 (18:38:10.250 PDT) event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:BB:0C 49302->49302 (18:38:10.250 PDT)
DECLARE BOT

tcpslice 1342488659.552 1342488659.553 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.100
Infector List: 192.138.213.236
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 07/16/2012 18:41:13.344 PDT
Gen. Time: 07/16/2012 18:41:52.216 PDT

INBOUND SCAN
EXPLOIT
192.138.213.236 (18:41:13.344 PDT) event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:BB:0C 2010<-2006 (18:41:13.344 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
165.230.49.114 (18:41:52.216 PDT) event=1:52012087 {udp} E5[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Src: 00:21:5A:08:BB:0C 2001->2002 (18:41:52.216 PDT)
ATTACK PREP
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT

tcpslice 1342489273.344 1342489273.345 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.100
Infector List: 156.17.10.51, 192.138.213.236
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 07/16/2012 18:41:13.344 PDT
Gen. Time: 07/16/2012 18:47:44.586 PDT

INBOUND SCAN
EXPLOIT
156.17.10.51 (18:43:51.408 PDT) event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:BB:0C 2002<-2002 (18:43:51.408 PDT)
192.138.213.236 (18:41:13.344 PDT) event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:BB:0C 2010<-2006 (18:41:13.344 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
169.235.24.133 (18:44:13.170 PDT) event=1:52012087 {udp} E5[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Src: 00:21:5A:08:BB:0C 2001->2014 (18:44:13.170 PDT)
165.230.49.114 (18:41:52.216 PDT) event=1:52012087 {udp} E5[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Src: 00:21:5A:08:BB:0C 2001->2002 (18:41:52.216 PDT)
ATTACK PREP
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT

tcpslice 1342489273.344 1342489273.345 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.100
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 07/16/2012 18:48:11.430 PDT
Gen. Time: 07/16/2012 18:48:11.430 PDT

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
130.104.72.201 (18:48:11.430 PDT) event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:BB:0C 49302->49302 (18:48:11.430 PDT)
DECLARE BOT

tcpslice 1342489691.430 1342489691.431 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100'

============================== SEPARATOR ================================

Score: 1.1 (>= 0.8)
Infected Target: 192.168.1.100
Infector List: 192.42.43.22
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 07/16/2012 18:48:11.430 PDT
Gen. Time: 07/16/2012 18:54:42.819 PDT

INBOUND SCAN
EXPLOIT
192.42.43.22 (18:51:07.827 PDT) event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:BB:0C 2018<-2020 (18:51:07.827 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
130.104.72.201 (18:48:11.430 PDT) event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:BB:0C 49302->49302 (18:48:11.430 PDT)
DECLARE BOT

tcpslice 1342489691.430 1342489691.431 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.100
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 07/16/2012 18:55:28.730 PDT
Gen. Time: 07/16/2012 18:55:28.730 PDT

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
129.93.229.138 (18:55:28.730 PDT) event=1:9930005 {tcp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:BB:0C 55777->17914 (18:55:28.730 PDT)
DECLARE BOT

tcpslice 1342490128.730 1342490128.731 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.100
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 07/16/2012 18:58:14.773 PDT
Gen. Time: 07/16/2012 18:58:14.773 PDT

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
130.104.72.201 (18:58:14.773 PDT) event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:BB:0C 49302->49302 (18:58:14.773 PDT)
DECLARE BOT

tcpslice 1342490294.773 1342490294.774 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100'

============================== SEPARATOR ================================

Score: 1.6 (>= 0.8)
Infected Target: 192.168.1.100
Infector List: 160.80.221.39, 192.41.135.218, 155.246.12.163
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 07/16/2012 18:58:14.773 PDT
Gen. Time: 07/16/2012 19:06:48.466 PDT

INBOUND SCAN
EXPLOIT
160.80.221.39 (19:03:28.550 PDT) event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:BB:0C 2015<-2012 (19:03:28.550 PDT)
192.41.135.218 (19:03:24.002 PDT) event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:BB:0C 2008<-2016 (19:03:24.002 PDT)
155.246.12.163 (19:01:27.168 PDT) event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:BB:0C 2027<-2012 (19:01:27.168 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
157.159.226.72 (19:04:03.628 PDT) event=1:52012087 {udp} E5[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Src: 00:21:5A:08:BB:0C 2029->2004 (19:04:03.628 PDT)
ATTACK PREP
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
130.104.72.201 (18:58:14.773 PDT) event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:BB:0C 49302->49302 (18:58:14.773 PDT)
DECLARE BOT

tcpslice 1342490294.773 1342490294.774 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.100
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 07/16/2012 19:08:15.010 PDT
Gen. Time: 07/16/2012 19:08:15.010 PDT

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
130.104.72.201 (19:08:15.010 PDT) event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:BB:0C 49302->49302 (19:08:15.010 PDT)
DECLARE BOT

tcpslice 1342490895.010 1342490895.011 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100'

============================== SEPARATOR ================================

Score: 1.1 (>= 0.8)
Infected Target: 192.168.1.100
Infector List: 165.230.49.115
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 07/16/2012 19:16:52.302 PDT
Gen. Time: 07/16/2012 19:18:15.369 PDT

INBOUND SCAN
EXPLOIT
165.230.49.115 (19:16:52.302 PDT) event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:BB:0C 2010<-2021 (19:16:52.302 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
128.2.211.114 (19:18:15.369 PDT) event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:BB:0C 2119->2119 (19:18:15.369 PDT)
DECLARE BOT

tcpslice 1342491412.302 1342491412.303 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.100
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 07/16/2012 19:28:21.953 PDT
Gen. Time: 07/16/2012 19:28:21.953 PDT

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
130.104.72.201 (19:28:21.953 PDT) event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:BB:0C 49302->49302 (19:28:21.953 PDT)
DECLARE BOT

tcpslice 1342492101.953 1342492101.954 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100'

============================== SEPARATOR ================================

Score: 1.1 (>= 0.8)
Infected Target: 192.168.1.100
Infector List: 192.41.135.218
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 07/16/2012 19:37:54.645 PDT
Gen. Time: 07/16/2012 19:38:24.649 PDT

INBOUND SCAN
EXPLOIT
192.41.135.218 (19:37:54.645 PDT) event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:BB:0C 2011<-2012 (19:37:54.645 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
130.104.72.201 (19:38:24.649 PDT) event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:BB:0C 49302->49302 (19:38:24.649 PDT)
DECLARE BOT

tcpslice 1342492674.645 1342492674.646 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.100
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 07/16/2012 19:48:24.857 PDT
Gen. Time: 07/16/2012 19:48:24.857 PDT

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
130.104.72.201 (19:48:24.857 PDT) event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:BB:0C 49302->49302 (19:48:24.857 PDT)
DECLARE BOT

tcpslice 1342493304.857 1342493304.858 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.100
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 07/16/2012 19:53:10.258 PDT
Gen. Time: 07/16/2012 19:53:10.258 PDT

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
137.165.1.111 (19:53:10.258 PDT) event=1:9930005 {tcp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:BB:0C 39587->42781 (19:53:10.258 PDT)
DECLARE BOT

tcpslice 1342493590.258 1342493590.259 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100'

============================== SEPARATOR ================================

Score: 1.6 (>= 0.8)
Infected Target: 192.168.1.100
Infector List: 161.106.240.18
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 07/16/2012 19:53:10.258 PDT
Gen. Time: 07/16/2012 19:58:28.085 PDT

INBOUND SCAN
EXPLOIT
161.106.240.18 (19:53:25.280 PDT) event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:BB:0C 2009<-2016 (19:53:25.280 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
192.16.125.11 (19:54:12.643 PDT) event=1:52012087 {udp} E5[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Src: 00:21:5A:08:BB:0C 2022->2001 (19:54:12.643 PDT)
ATTACK PREP
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
137.165.1.111 (19:53:10.258 PDT) event=1:9930005 {tcp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:BB:0C 39587->42781 (19:53:10.258 PDT)
130.104.72.201 (19:58:28.085 PDT) event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:BB:0C 49302->49302 (19:58:28.085 PDT)
DECLARE BOT

tcpslice 1342493590.258 1342493590.259 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.100
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 07/16/2012 20:08:29.459 PDT
Gen. Time: 07/16/2012 20:08:29.459 PDT

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
130.104.72.201 (20:08:29.459 PDT) event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:BB:0C 49302->49302 (20:08:29.459 PDT)
DECLARE BOT

tcpslice 1342494509.459 1342494509.460 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100'

============================== SEPARATOR ================================

Score: 1.3 (>= 0.8)
Infected Target: 192.168.1.100
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 07/16/2012 20:14:39.860 PDT
Gen. Time: 07/16/2012 20:16:23.532 PDT

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
192.197.121.2 (20:14:39.860 PDT) event=1:52012087 {udp} E5[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Src: 00:21:5A:08:BB:0C 2003->2006 (20:14:39.860 PDT)
ATTACK PREP
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
138.238.250.155 (20:16:23.532 PDT) event=1:9930005 {tcp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:BB:0C 48621->54593 (20:16:23.532 PDT)
DECLARE BOT

tcpslice 1342494879.860 1342494879.861 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100'

============================== SEPARATOR ================================

Score: 1.3 (>= 0.8)
Infected Target: 192.168.1.100
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 07/16/2012 20:14:39.860 PDT
Gen. Time: 07/16/2012 20:18:30.462 PDT

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
192.197.121.2 (20:14:39.860 PDT) event=1:52012087 {udp} E5[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Src: 00:21:5A:08:BB:0C 2003->2006 (20:14:39.860 PDT)
ATTACK PREP
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
138.238.250.155 (20:16:23.532 PDT) event=1:9930005 {tcp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:BB:0C 48621->54593 (20:16:23.532 PDT)
130.104.72.201 (20:18:30.462 PDT) event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:BB:0C 49302->49302 (20:18:30.462 PDT)
DECLARE BOT

tcpslice 1342494879.860 1342494879.861 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.100
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 07/16/2012 20:28:33.101 PDT
Gen. Time: 07/16/2012 20:28:33.101 PDT

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
130.104.72.201 (20:28:33.101 PDT) event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:BB:0C 49302->49302 (20:28:33.101 PDT)
DECLARE BOT

tcpslice 1342495713.101 1342495713.102 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100'

============================== SEPARATOR ================================

Score: 1.1 (>= 0.8)
Infected Target: 192.168.1.100
Infector List: 155.246.12.164
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 07/16/2012 20:28:33.101 PDT
Gen. Time: 07/16/2012 20:31:47.019 PDT

INBOUND SCAN
EXPLOIT
155.246.12.164 (20:29:30.942 PDT) event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:BB:0C 2019<-2012 (20:29:30.942 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
130.104.72.201 (20:28:33.101 PDT) event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:BB:0C 49302->49302 (20:28:33.101 PDT)
DECLARE BOT

tcpslice 1342495713.101 1342495713.102 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.100
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 07/16/2012 20:38:35.946 PDT
Gen.
Time: 07/16/2012 20:38:35.946 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 130.104.72.201 (20:38:35.946 PDT) event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:BB:0C 49302->49302 (20:38:35.946 PDT) DECLARE BOT tcpslice 1342496315.946 1342496315.947 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100' ============================== SEPARATOR ================================ Score: 1.1 (>= 0.8) Infected Target: 192.168.1.100 Infector List: 192.33.90.66 Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 07/16/2012 20:38:35.946 PDT Gen. Time: 07/16/2012 20:43:04.236 PDT INBOUND SCAN EXPLOIT 192.33.90.66 (20:39:21.474 PDT) event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:BB:0C 2026<-2012 (20:39:21.474 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 130.104.72.201 (20:38:35.946 PDT) event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:BB:0C 49302->49302 (20:38:35.946 PDT) DECLARE BOT tcpslice 1342496315.946 1342496315.947 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.100 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 07/16/2012 20:48:35.916 PDT Gen. 
Time: 07/16/2012 20:48:35.916 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 130.104.72.201 (20:48:35.916 PDT) event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:BB:0C 49302->49302 (20:48:35.916 PDT) DECLARE BOT tcpslice 1342496915.916 1342496915.917 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100' ============================== SEPARATOR ================================ Score: 1.1 (>= 0.8) Infected Target: 192.168.1.100 Infector List: 193.10.64.35 Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 07/16/2012 20:48:35.916 PDT Gen. Time: 07/16/2012 20:51:30.371 PDT INBOUND SCAN EXPLOIT 193.10.64.35 (20:50:15.158 PDT) event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:BB:0C 2024<-2019 (20:50:15.158 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 130.104.72.201 (20:48:35.916 PDT) event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:BB:0C 49302->49302 (20:48:35.916 PDT) DECLARE BOT tcpslice 1342496915.916 1342496915.917 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100' ============================== SEPARATOR ================================ Score: 1.1 (>= 0.8) Infected Target: 192.168.1.100 Infector List: 192.16.125.12, 193.10.64.36, 192.41.135.219, 163.117.253.23, 165.91.55.11 Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 07/16/2012 20:51:35.577 PDT Gen. 
Time: 07/16/2012 20:58:38.972 PDT INBOUND SCAN EXPLOIT 192.16.125.12 (20:57:19.068 PDT) event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:BB:0C 2021<-2021 (20:57:19.068 PDT) 193.10.64.36 (20:57:18.470 PDT) event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:BB:0C 2014<-2015 (20:57:18.470 PDT) 192.41.135.219 (20:53:06.955 PDT) event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:BB:0C 2021<-2010 (20:53:06.955 PDT) 163.117.253.23 (20:51:35.577 PDT) event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:BB:0C 2013<-2020 (20:51:35.577 PDT) 165.91.55.11 (20:51:52.629 PDT) event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:BB:0C 2028<-2019 (20:51:52.629 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 130.104.72.201 (20:58:38.972 PDT) event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:BB:0C 49302->49302 (20:58:38.972 PDT) DECLARE BOT tcpslice 1342497095.577 1342497095.578 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100' ============================== SEPARATOR ================================ Score: 1.6 (>= 0.8) Infected Target: 192.168.1.100 Infector List: 192.16.125.12, 193.10.64.36, 192.41.135.219, 163.117.253.23, 165.91.55.11 Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 07/16/2012 20:51:35.577 PDT Gen. 
Time: 07/16/2012 21:03:33.570 PDT INBOUND SCAN EXPLOIT 192.16.125.12 (20:57:19.068 PDT) event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:BB:0C 2021<-2021 (20:57:19.068 PDT) 193.10.64.36 (20:57:18.470 PDT) event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:BB:0C 2014<-2015 (20:57:18.470 PDT) 192.41.135.219 (20:53:06.955 PDT) event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:BB:0C 2021<-2010 (20:53:06.955 PDT) 163.117.253.23 (20:51:35.577 PDT) event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:BB:0C 2013<-2020 (20:51:35.577 PDT) 165.91.55.11 (20:51:52.629 PDT) event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:BB:0C 2028<-2019 (20:51:52.629 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN 192.16.125.11 (20:59:59.187 PDT) event=1:52012087 {udp} E5[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Src: 00:21:5A:08:BB:0C 2028->2020 (20:59:59.187 PDT) ATTACK PREP PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 130.104.72.201 (20:58:38.972 PDT) event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:BB:0C 49302->49302 (20:58:38.972 PDT) DECLARE BOT tcpslice 1342497095.577 1342497095.578 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.100 Infector List: Egg Source List: C & C List: Peer Coord. 
List: Resource List: Observed Start: 07/16/2012 21:08:38.860 PDT Gen. Time: 07/16/2012 21:08:38.860 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 130.104.72.201 (21:08:38.860 PDT) event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:BB:0C 49302->49302 (21:08:38.860 PDT) DECLARE BOT tcpslice 1342498118.860 1342498118.861 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100' ============================== SEPARATOR ================================ Score: 1.1 (>= 0.8) Infected Target: 192.168.1.100 Infector List: 192.107.171.145, 156.17.10.52, 163.117.253.22 Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 07/16/2012 21:08:38.860 PDT Gen. Time: 07/16/2012 21:15:19.270 PDT INBOUND SCAN EXPLOIT 192.107.171.145 (21:12:59.966 PDT) event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:BB:0C 2025<-2020 (21:12:59.966 PDT) 156.17.10.52 (21:12:33.836 PDT) event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:BB:0C 2024<-2009 (21:12:33.836 PDT) 163.117.253.22 (21:10:40.374 PDT) event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:BB:0C 2028<-2022 (21:10:40.374 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 130.104.72.201 (21:08:38.860 PDT) event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 
00:21:5A:08:BB:0C 49302->49302 (21:08:38.860 PDT) DECLARE BOT tcpslice 1342498118.860 1342498118.861 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100' ============================== SEPARATOR ================================ Score: 1.1 (>= 0.8) Infected Target: 192.168.1.100 Infector List: 192.138.213.238 Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 07/16/2012 21:16:16.108 PDT Gen. Time: 07/16/2012 21:18:41.402 PDT INBOUND SCAN EXPLOIT 192.138.213.238 (21:16:16.108 PDT) event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:BB:0C 2011<-2001 (21:16:16.108 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 129.93.229.138 (21:18:41.402 PDT) event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:BB:0C 33832->17914 (21:18:41.402 PDT) DECLARE BOT tcpslice 1342498576.108 1342498576.109 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.100 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 07/16/2012 21:28:41.943 PDT Gen. 
Time: 07/16/2012 21:28:41.943 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 129.93.229.138 (21:28:41.943 PDT) event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:BB:0C 33832->17914 (21:28:41.943 PDT) DECLARE BOT tcpslice 1342499321.943 1342499321.944 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100' ============================== SEPARATOR ================================ Score: 1.6 (>= 0.8) Infected Target: 192.168.1.100 Infector List: 156.17.10.52, 192.107.171.145 Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 07/16/2012 21:28:41.943 PDT Gen. Time: 07/16/2012 21:35:11.809 PDT INBOUND SCAN EXPLOIT 156.17.10.52 (21:30:57.504 PDT) event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:BB:0C 2013<-2001 (21:30:57.504 PDT) 192.107.171.145 (21:29:41.875 PDT) event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:BB:0C 2022<-2021 (21:29:41.875 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN 192.16.125.11 (21:30:45.851 PDT) event=1:52012087 {udp} E5[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Src: 00:21:5A:08:BB:0C 2025->2010 (21:30:45.851 PDT) ATTACK PREP PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 129.93.229.138 (21:28:41.943 PDT) event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:BB:0C 33832->17914 (21:28:41.943 PDT) DECLARE BOT tcpslice 1342499321.943 
1342499321.944 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.100 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 07/16/2012 21:38:41.764 PDT Gen. Time: 07/16/2012 21:38:41.764 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 130.104.72.201 (21:38:41.764 PDT) event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:BB:0C 49302->49302 (21:38:41.764 PDT) DECLARE BOT tcpslice 1342499921.764 1342499921.765 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100' ============================== SEPARATOR ================================ Score: 1.3 (>= 0.8) Infected Target: 192.168.1.100 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 07/16/2012 21:38:41.764 PDT Gen. 
Time: 07/16/2012 21:48:55.796 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN 165.230.49.115 (21:45:10.184 PDT) event=1:52012087 {udp} E5[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Src: 00:21:5A:08:BB:0C 2018->2005 (21:45:10.184 PDT) 192.16.125.11 (21:42:40.989 PDT) event=1:52012087 {udp} E5[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Src: 00:21:5A:08:BB:0C 2016->2011 (21:42:40.989 PDT) ATTACK PREP PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 130.104.72.201 (2) (21:38:41.764 PDT-21:48:41.964 PDT) event=1:9930006 (2) {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:BB:0C 2: 49302->49302 (21:38:41.764 PDT-21:48:41.964 PDT) DECLARE BOT tcpslice 1342499921.764 1342500521.965 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.100 Infector List: 155.246.12.164, 157.159.226.72, 165.91.55.9, 165.230.49.114 Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 07/16/2012 21:48:56.698 PDT Gen. 
Time: 07/16/2012 21:53:41.079 PDT INBOUND SCAN EXPLOIT 155.246.12.164 (21:51:25.027 PDT) event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:BB:0C 2013<-2011 (21:51:25.027 PDT) 157.159.226.72 (21:51:26.476 PDT) event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:BB:0C 2018<-2025 (21:51:26.476 PDT) 165.91.55.9 (21:51:25.265 PDT) event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:BB:0C 2007<-2019 (21:51:25.265 PDT) 165.230.49.114 (21:48:56.698 PDT) event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:BB:0C 1902<-2017 (21:48:56.698 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN 192.16.125.11 (21:53:41.079 PDT) event=1:52012087 {udp} E5[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Src: 00:21:5A:08:BB:0C 2009->2003 (21:53:41.079 PDT) ATTACK PREP PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT tcpslice 1342500536.698 1342500536.699 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.100 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 07/16/2012 21:58:45.010 PDT Gen. 
Time: 07/16/2012 21:58:45.010 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 130.104.72.201 (21:58:45.010 PDT) event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:BB:0C 49302->49302 (21:58:45.010 PDT) DECLARE BOT tcpslice 1342501125.010 1342501125.011 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.100 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 07/16/2012 22:08:47.834 PDT Gen. Time: 07/16/2012 22:08:47.834 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 130.104.72.201 (22:08:47.834 PDT) event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:BB:0C 49302->49302 (22:08:47.834 PDT) DECLARE BOT tcpslice 1342501727.834 1342501727.835 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100' ============================== SEPARATOR ================================ Score: 1.1 (>= 0.8) Infected Target: 192.168.1.100 Infector List: 165.230.49.115, 160.80.221.37 Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 07/16/2012 22:08:47.834 PDT Gen. 
Time: 07/16/2012 22:17:16.217 PDT INBOUND SCAN EXPLOIT 165.230.49.115 (22:11:04.311 PDT) event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:BB:0C 2006<-2018 (22:11:04.311 PDT) 160.80.221.37 (22:13:31.371 PDT) event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:BB:0C 2014<-2016 (22:13:31.371 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 130.104.72.201 (22:08:47.834 PDT) event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:BB:0C 49302->49302 (22:08:47.834 PDT) DECLARE BOT tcpslice 1342501727.834 1342501727.835 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100' ============================== SEPARATOR ================================ Score: 1.3 (>= 0.8) Infected Target: 192.168.1.100 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 07/16/2012 22:17:55.426 PDT Gen. 
Time: 07/16/2012 22:18:49.061 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN 190.227.163.141 (22:17:55.426 PDT) event=1:52012087 {udp} E5[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Src: 00:21:5A:08:BB:0C 2005->2027 (22:17:55.426 PDT) ATTACK PREP PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 130.104.72.201 (22:18:49.061 PDT) event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:BB:0C 49302->49302 (22:18:49.061 PDT) DECLARE BOT tcpslice 1342502275.426 1342502275.427 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100' ============================== SEPARATOR ================================ Score: 1.3 (>= 0.8) Infected Target: 192.168.1.100 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 07/16/2012 22:26:42.801 PDT Gen. 
Time: 07/16/2012 22:28:49.005 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN 160.80.221.39 (22:26:42.801 PDT) event=1:52012087 {udp} E5[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Src: 00:21:5A:08:BB:0C 2029->2015 (22:26:42.801 PDT) ATTACK PREP PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 130.104.72.201 (22:28:49.005 PDT) event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:BB:0C 49302->49302 (22:28:49.005 PDT) DECLARE BOT tcpslice 1342502802.801 1342502802.802 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.100 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 07/16/2012 22:38:52.908 PDT Gen. Time: 07/16/2012 22:38:52.908 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 130.104.72.201 (22:38:52.908 PDT) event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:BB:0C 49302->49302 (22:38:52.908 PDT) DECLARE BOT tcpslice 1342503532.908 1342503532.909 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100' ============================== SEPARATOR ================================ Score: 1.1 (>= 0.8) Infected Target: 192.168.1.100 Infector List: 163.117.253.23 Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 07/16/2012 22:44:47.574 PDT Gen. 
Time: 07/16/2012 22:48:52.836 PDT INBOUND SCAN EXPLOIT 163.117.253.23 (22:44:47.574 PDT) event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:BB:0C 2006<-2004 (22:44:47.574 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 130.104.72.201 (22:48:52.836 PDT) event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:BB:0C 49302->49302 (22:48:52.836 PDT) DECLARE BOT tcpslice 1342503887.574 1342503887.575 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100' ============================== SEPARATOR ================================