Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 07/16/2012 17:37:45.902 PDT
Gen. Time: 07/16/2012 17:37:45.902 PDT

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
  195.37.16.125 (17:37:45.902 PDT) event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40 54593->54593 (17:37:45.902 PDT)
DECLARE BOT

tcpslice 1342485465.902 1342485465.903 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 07/16/2012 17:37:45.902 PDT
Gen. Time: 07/16/2012 17:41:29.909 PDT

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
  128.2.211.114 (17:38:01.436 PDT) event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40 2121->2121 (17:38:01.436 PDT)
  195.37.16.125 (17:37:45.902 PDT) event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40 54593->54593 (17:37:45.902 PDT)
DECLARE BOT

tcpslice 1342485465.902 1342485465.903 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 1.2 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 165.91.55.10, 192.16.125.12, 161.106.240.18, 164.107.127.12
Egg Source List:
C & C List: 188.93.19.162
Peer Coord. List:
Resource List:
Observed Start: 07/16/2012 17:41:45.227 PDT
Gen. Time: 07/16/2012 17:48:01.191 PDT

INBOUND SCAN
EXPLOIT
  165.91.55.10 (17:44:14.899 PDT) event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 2004<-2029 (17:44:14.899 PDT)
  192.16.125.12 (17:43:35.110 PDT) event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 2009<-2026 (17:43:35.110 PDT)
  161.106.240.18 (17:45:31.636 PDT) event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 2028<-2026 (17:45:31.636 PDT)
  164.107.127.12 (17:46:27.569 PDT) event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 2024<-2004 (17:46:27.569 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
  188.93.19.162 (17:41:45.227 PDT) event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:EC:40 4815->53562 (17:41:45.227 PDT)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
  195.37.16.125 (17:48:01.191 PDT) event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40 54593->54593 (17:48:01.191 PDT)
DECLARE BOT

tcpslice 1342485705.227 1342485705.228 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 1.2 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 170.140.119.70, 165.91.55.10, 192.16.125.12, 161.106.240.18, 164.107.127.12
Egg Source List:
C & C List: 188.93.19.162
Peer Coord. List:
Resource List:
Observed Start: 07/16/2012 17:41:45.227 PDT
Gen. Time: 07/16/2012 17:52:15.001 PDT

INBOUND SCAN
EXPLOIT
  170.140.119.70 (17:49:27.554 PDT) event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 2008<-2022 (17:49:27.554 PDT)
  165.91.55.10 (17:44:14.899 PDT) event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 2004<-2029 (17:44:14.899 PDT)
  192.16.125.12 (17:43:35.110 PDT) event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 2009<-2026 (17:43:35.110 PDT)
  161.106.240.18 (17:45:31.636 PDT) event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 2028<-2026 (17:45:31.636 PDT)
  164.107.127.12 (17:46:27.569 PDT) event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 2024<-2004 (17:46:27.569 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
  188.93.19.162 (17:41:45.227 PDT) event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:EC:40 4815->53562 (17:41:45.227 PDT)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
  195.37.16.125 (17:48:01.191 PDT) event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40 54593->54593 (17:48:01.191 PDT)
DECLARE BOT

tcpslice 1342485705.227 1342485705.228 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 1.2 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 192.16.125.12, 165.230.49.119, 192.107.171.147
Egg Source List:
C & C List: 188.93.19.162
Peer Coord. List:
Resource List:
Observed Start: 07/16/2012 17:52:34.401 PDT
Gen. Time: 07/16/2012 17:56:00.313 PDT

INBOUND SCAN
EXPLOIT
  192.16.125.12 (17:54:36.285 PDT) event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 2020<-2018 (17:54:36.285 PDT)
  165.230.49.119 (17:54:44.418 PDT) event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 2006<-2026 (17:54:44.418 PDT)
  192.107.171.147 (17:53:10.777 PDT) event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 2018<-2013 (17:53:10.777 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
  188.93.19.162 (17:52:34.401 PDT) event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:EC:40 4815->51705 (17:52:34.401 PDT)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
  132.239.17.226 (17:56:00.313 PDT) event=1:9930005 {tcp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40 32822->47749 (17:56:00.313 PDT)
DECLARE BOT

tcpslice 1342486354.401 1342486354.402 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 1.7 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 192.16.125.12, 165.230.49.119, 192.107.171.147
Egg Source List:
C & C List: 188.93.19.162
Peer Coord. List:
Resource List:
Observed Start: 07/16/2012 17:52:34.401 PDT
Gen. Time: 07/16/2012 17:59:37.513 PDT

INBOUND SCAN
EXPLOIT
  192.16.125.12 (17:54:36.285 PDT) event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 2020<-2018 (17:54:36.285 PDT)
  165.230.49.119 (17:54:44.418 PDT) event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 2006<-2026 (17:54:44.418 PDT)
  192.107.171.147 (17:53:10.777 PDT) event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 2018<-2013 (17:53:10.777 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
  188.93.19.162 (17:52:34.401 PDT) event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:EC:40 4815->51705 (17:52:34.401 PDT)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
  192.16.125.12 (17:57:13.971 PDT) event=1:52012087 {udp} E5[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Src: 00:21:5A:08:EC:40 2025->2005 (17:57:13.971 PDT)
ATTACK PREP
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
  128.2.211.114 (17:58:01.704 PDT) event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40 2121->2121 (17:58:01.704 PDT)
  132.239.17.226 (17:56:00.313 PDT) event=1:9930005 {tcp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40 32822->47749 (17:56:00.313 PDT)
DECLARE BOT

tcpslice 1342486354.401 1342486354.402 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 192.33.90.68
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 07/16/2012 18:01:45.649 PDT
Gen. Time: 07/16/2012 18:06:27.207 PDT

INBOUND SCAN
EXPLOIT
  192.33.90.68 (18:06:27.207 PDT) event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 2023<-2007 (18:06:27.207 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
  157.159.226.72 (18:01:45.649 PDT) event=1:52012087 {udp} E5[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Src: 00:21:5A:08:EC:40 2017->2002 (18:01:45.649 PDT)
ATTACK PREP
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT

tcpslice 1342486905.649 1342486905.650 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 1.6 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 192.33.90.68
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 07/16/2012 18:01:45.649 PDT
Gen. Time: 07/16/2012 18:09:18.542 PDT

INBOUND SCAN
EXPLOIT
  192.33.90.68 (18:06:27.207 PDT) event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 2023<-2007 (18:06:27.207 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
  157.159.226.72 (18:01:45.649 PDT) event=1:52012087 {udp} E5[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Src: 00:21:5A:08:EC:40 2017->2002 (18:01:45.649 PDT)
ATTACK PREP
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
  143.89.49.74 (18:08:21.823 PDT) event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40 2121->2121 (18:08:21.823 PDT)
DECLARE BOT

tcpslice 1342486905.649 1342486905.650 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 07/16/2012 18:18:27.305 PDT
Gen. Time: 07/16/2012 18:18:27.305 PDT

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
  128.186.122.86 (18:18:27.305 PDT) event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40 49302->55295 (18:18:27.305 PDT)
DECLARE BOT

tcpslice 1342487907.305 1342487907.306 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.9 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 156.17.10.51, 170.140.119.69
Egg Source List:
C & C List: 188.93.19.162
Peer Coord. List:
Resource List:
Observed Start: 07/16/2012 18:21:05.587 PDT
Gen. Time: 07/16/2012 18:22:13.983 PDT

INBOUND SCAN
EXPLOIT
  156.17.10.51 (18:22:01.489 PDT) event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 2007<-2011 (18:22:01.489 PDT)
  170.140.119.69 (18:22:09.367 PDT) event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 2022<-2005 (18:22:09.367 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
  188.93.19.162 (18:21:05.587 PDT) event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:EC:40 4815->52712 (18:21:05.587 PDT)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
  190.227.163.142 (18:22:13.983 PDT) event=1:52012087 {udp} E5[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Src: 00:21:5A:08:EC:40 2014->2005 (18:22:13.983 PDT)
ATTACK PREP
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT

tcpslice 1342488065.587 1342488065.588 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 1.7 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 158.130.6.253, 161.106.240.19, 163.117.253.23, 156.17.10.51, 170.140.119.69
Egg Source List:
C & C List: 188.93.19.162
Peer Coord. List:
Resource List:
Observed Start: 07/16/2012 18:21:05.587 PDT
Gen. Time: 07/16/2012 18:30:19.443 PDT

INBOUND SCAN
EXPLOIT
  158.130.6.253 (18:24:49.589 PDT) event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 2002<-2025 (18:24:49.589 PDT)
  161.106.240.19 (18:25:53.200 PDT) event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 2003<-2005 (18:25:53.200 PDT)
  163.117.253.23 (18:26:51.825 PDT) event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 2028<-2008 (18:26:51.825 PDT)
  156.17.10.51 (18:22:01.489 PDT) event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 2007<-2011 (18:22:01.489 PDT)
  170.140.119.69 (18:22:09.367 PDT) event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 2022<-2005 (18:22:09.367 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
  188.93.19.162 (18:21:05.587 PDT) event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:EC:40 4815->52712 (18:21:05.587 PDT)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
  190.227.163.141 (18:23:11.228 PDT) event=1:52012087 {udp} E5[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Src: 00:21:5A:08:EC:40 2003->2022 (18:23:11.228 PDT)
  190.227.163.142 (18:22:13.983 PDT) event=1:52012087 {udp} E5[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Src: 00:21:5A:08:EC:40 2014->2005 (18:22:13.983 PDT)
ATTACK PREP
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
  128.163.142.20 (18:28:37.026 PDT) event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40 2121->2121 (18:28:37.026 PDT)
DECLARE BOT

tcpslice 1342488065.587 1342488065.588 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.9 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 156.17.10.51, 169.226.40.4
Egg Source List:
C & C List: 188.93.19.162
Peer Coord. List:
Resource List:
Observed Start: 07/16/2012 18:30:47.738 PDT
Gen. Time: 07/16/2012 18:36:05.714 PDT

INBOUND SCAN
EXPLOIT
  156.17.10.51 (18:30:48.389 PDT) event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 2011<-2019 (18:30:48.389 PDT)
  169.226.40.4 (2) (18:30:47.738 PDT) event=1:22012087 (2) {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 2025<-2017 (18:30:47.738 PDT) 2009<-2011 (18:33:24.347 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
  188.93.19.162 (18:31:10.966 PDT) event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:EC:40 4815->59969 (18:31:10.966 PDT)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
  165.230.49.119 (18:36:05.714 PDT) event=1:52012087 {udp} E5[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Src: 00:21:5A:08:EC:40 2029->2002 (18:36:05.714 PDT)
ATTACK PREP
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT

tcpslice 1342488647.738 1342488647.739 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 1.7 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 192.42.83.253, 170.140.119.70, 156.17.10.51, 193.10.64.35, 169.226.40.4, 192.197.121.3
Egg Source List:
C & C List: 188.93.19.162 (2)
Peer Coord. List:
Resource List:
Observed Start: 07/16/2012 18:30:47.738 PDT
Gen. Time: 07/16/2012 18:45:32.387 PDT

INBOUND SCAN
EXPLOIT
  192.42.83.253 (18:41:35.271 PDT) event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 2013<-2003 (18:41:35.271 PDT)
  170.140.119.70 (18:36:30.932 PDT) event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 2009<-2009 (18:36:30.932 PDT)
  156.17.10.51 (18:30:48.389 PDT) event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 2011<-2019 (18:30:48.389 PDT)
  193.10.64.35 (18:41:01.866 PDT) event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 2013<-2026 (18:41:01.866 PDT)
  169.226.40.4 (2) (18:30:47.738 PDT) event=1:22012087 (2) {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 2025<-2017 (18:30:47.738 PDT) 2009<-2011 (18:33:24.347 PDT)
  192.197.121.3 (18:37:41.145 PDT) event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 2005<-2013 (18:37:41.145 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
  188.93.19.162 (2) (18:31:10.966 PDT) event=1:3810007 (2) {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:EC:40 4815->59969 (18:31:10.966 PDT) 4815->57033 (18:44:44.363 PDT)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
  165.230.49.119 (18:36:05.714 PDT) event=1:52012087 {udp} E5[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Src: 00:21:5A:08:EC:40 2029->2002 (18:36:05.714 PDT)
  192.16.125.11 (18:38:20.169 PDT) event=1:52012087 {udp} E5[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Src: 00:21:5A:08:EC:40 2007->2026 (18:38:20.169 PDT)
ATTACK PREP
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
  129.93.229.138 (18:38:38.166 PDT) event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40 4121->4121 (18:38:38.166 PDT)
DECLARE BOT

tcpslice 1342488647.738 1342488647.739 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 07/16/2012 18:48:39.360 PDT
Gen. Time: 07/16/2012 18:48:39.360 PDT

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
  143.89.49.74 (18:48:39.360 PDT) event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40 4121->4121 (18:48:39.360 PDT)
DECLARE BOT

tcpslice 1342489719.360 1342489719.361 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 07/16/2012 18:58:51.517 PDT
Gen. Time: 07/16/2012 18:58:51.517 PDT

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
  128.2.211.114 (18:58:51.517 PDT) event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40 2121->2121 (18:58:51.517 PDT)
DECLARE BOT

tcpslice 1342490331.517 1342490331.518 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 1.2 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 156.17.10.52, 155.246.12.163, 192.41.135.218
Egg Source List:
C & C List: 188.93.19.162
Peer Coord. List:
Resource List:
Observed Start: 07/16/2012 18:58:51.517 PDT
Gen. Time: 07/16/2012 19:09:26.581 PDT

INBOUND SCAN
EXPLOIT
  156.17.10.52 (19:06:48.466 PDT) event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 2011<-2001 (19:06:48.466 PDT)
  155.246.12.163 (19:07:36.330 PDT) event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 2016<-2006 (19:07:36.330 PDT)
  192.41.135.218 (2) (19:01:01.205 PDT) event=1:22012087 (2) {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 2006<-2001 (19:01:01.205 PDT) 2020<-2005 (19:04:59.204 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
  188.93.19.162 (19:09:26.581 PDT) event=1:3810007 {tcp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:EC:40 4815->51092 (19:09:26.581 PDT)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
  128.2.211.114 (18:58:51.517 PDT) event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40 2121->2121 (18:58:51.517 PDT)
  206.207.248.34 (19:08:51.897 PDT) event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40 2121->2121 (19:08:51.897 PDT)
DECLARE BOT

tcpslice 1342490331.517 1342490331.518 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 170.140.119.70, 192.41.135.219, 165.230.49.119, 169.226.40.2, 165.230.49.114
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 07/16/2012 19:13:27.209 PDT
Gen. Time: 07/16/2012 19:18:58.939 PDT

INBOUND SCAN
EXPLOIT
  170.140.119.70 (19:15:32.326 PDT) event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 2025<-2006 (19:15:32.326 PDT)
  192.41.135.219 (19:13:31.444 PDT) event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 2014<-2005 (19:13:31.444 PDT)
  165.230.49.119 (19:16:30.225 PDT) event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 2017<-2001 (19:16:30.225 PDT)
  169.226.40.2 (19:14:35.493 PDT) event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 2007<-2011 (19:14:35.493 PDT)
  165.230.49.114 (19:13:27.209 PDT) event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 2019<-2019 (19:13:27.209 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
  156.17.10.52 (19:18:58.939 PDT) event=1:52012087 {udp} E5[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Src: 00:21:5A:08:EC:40 2002->2001 (19:18:58.939 PDT)
ATTACK PREP
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT

tcpslice 1342491207.209 1342491207.210 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 1.6 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 165.230.49.115, 169.235.24.133, 161.106.240.18, 165.230.49.114, 169.226.40.4, 169.226.40.2, 165.230.49.119, 170.140.119.70, 192.41.135.219
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 07/16/2012 19:13:27.209 PDT
Gen. Time: 07/16/2012 19:23:00.136 PDT

INBOUND SCAN
EXPLOIT
  165.230.49.115 (19:20:33.931 PDT) event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 2024<-2007 (19:20:33.931 PDT)
  169.235.24.133 (19:20:23.449 PDT) event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 2024<-2020 (19:20:23.449 PDT)
  161.106.240.18 (19:20:01.372 PDT) event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 2022<-2006 (19:20:01.372 PDT)
  165.230.49.114 (19:13:27.209 PDT) event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 2019<-2019 (19:13:27.209 PDT)
  169.226.40.4 (19:20:26.353 PDT) event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 2013<-2011 (19:20:26.353 PDT)
  169.226.40.2 (19:14:35.493 PDT) event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 2007<-2011 (19:14:35.493 PDT)
  165.230.49.119 (19:16:30.225 PDT) event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 2017<-2001 (19:16:30.225 PDT)
  170.140.119.70 (19:15:32.326 PDT) event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 2025<-2006 (19:15:32.326 PDT)
  192.41.135.219 (19:13:31.444 PDT) event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 2014<-2005 (19:13:31.444 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
  156.17.10.52 (19:18:58.939 PDT) event=1:52012087 {udp} E5[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Src: 00:21:5A:08:EC:40 2002->2001 (19:18:58.939 PDT)
ATTACK PREP
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
  128.2.211.114 (19:19:54.820 PDT) event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40 2119->2119 (19:19:54.820 PDT)
DECLARE BOT

tcpslice 1342491207.209 1342491207.210 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 160.80.221.37
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 07/16/2012 19:24:04.066 PDT
Gen. Time: 07/16/2012 19:24:07.715 PDT

INBOUND SCAN
EXPLOIT
  160.80.221.37 (19:24:07.715 PDT) event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 2019<-2022 (19:24:07.715 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
  192.197.121.3 (19:24:04.066 PDT) event=1:52012087 {udp} E5[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Src: 00:21:5A:08:EC:40 2001->2006 (19:24:04.066 PDT)
ATTACK PREP
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT

tcpslice 1342491844.066 1342491844.067 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 1.6 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 192.114.4.3, 160.80.221.37
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 07/16/2012 19:24:04.066 PDT
Gen. Time: 07/16/2012 19:31:15.139 PDT

INBOUND SCAN
EXPLOIT
  192.114.4.3 (19:24:15.348 PDT) event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 2019<-2028 (19:24:15.348 PDT)
  160.80.221.37 (19:24:07.715 PDT) event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 2019<-2022 (19:24:07.715 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
  155.246.12.164 (19:27:59.198 PDT) event=1:52012087 {udp} E5[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Src: 00:21:5A:08:EC:40 2028->2002 (19:27:59.198 PDT)
  192.197.121.3 (19:24:04.066 PDT) event=1:52012087 {udp} E5[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Src: 00:21:5A:08:EC:40 2001->2006 (19:24:04.066 PDT)
ATTACK PREP
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
  128.2.211.114 (19:30:05.808 PDT) event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40 2119->2119 (19:30:05.808 PDT)
DECLARE BOT

tcpslice 1342491844.066 1342491844.067 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 155.98.35.7, 192.33.90.69
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 07/16/2012 19:38:57.596 PDT
Gen. Time: 07/16/2012 19:40:08.661 PDT

INBOUND SCAN
EXPLOIT
  155.98.35.7 (19:39:55.923 PDT) event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 2005<-2015 (19:39:55.923 PDT)
  192.33.90.69 (19:38:57.596 PDT) event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 2014<-2025 (19:38:57.596 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
  160.80.221.37 (19:40:08.661 PDT) event=1:52012087 {udp} E5[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Src: 00:21:5A:08:EC:40 2011->2008 (19:40:08.661 PDT)
ATTACK PREP
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT

tcpslice 1342492737.596 1342492737.597 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 1.6 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 155.98.35.7, 192.33.90.69
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 07/16/2012 19:38:57.596 PDT
Gen. Time: 07/16/2012 19:44:45.940 PDT

INBOUND SCAN
EXPLOIT
  155.98.35.7 (19:39:55.923 PDT) event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 2005<-2015 (19:39:55.923 PDT)
  192.33.90.69 (19:38:57.596 PDT) event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 2014<-2025 (19:38:57.596 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
  192.6.26.31 (19:41:13.107 PDT) event=1:52012087 {udp} E5[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Src: 00:21:5A:08:EC:40 2014->2027 (19:41:13.107 PDT)
  160.80.221.37 (19:40:08.661 PDT) event=1:52012087 {udp} E5[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Src: 00:21:5A:08:EC:40 2011->2008 (19:40:08.661 PDT)
ATTACK PREP
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
  206.207.248.34 (19:40:10.322 PDT) event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40 2121->2121 (19:40:10.322 PDT)
DECLARE BOT

tcpslice 1342492737.596 1342492737.597 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 192.33.90.67
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 07/16/2012 19:46:57.257 PDT
Gen.
Time: 07/16/2012 19:47:39.662 PDT INBOUND SCAN EXPLOIT 192.33.90.67 (19:47:39.662 PDT) event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 2005<-2022 (19:47:39.662 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN 192.16.125.12 (19:46:57.257 PDT) event=1:52012087 {udp} E5[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Src: 00:21:5A:08:EC:40 2002->2003 (19:46:57.257 PDT) ATTACK PREP PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT tcpslice 1342493217.257 1342493217.258 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 1.6 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 165.91.55.10, 192.33.90.67, 169.226.40.4, 157.181.175.249 Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 07/16/2012 19:46:57.257 PDT Gen. 
Time: 07/16/2012 19:56:43.027 PDT INBOUND SCAN EXPLOIT 165.91.55.10 (19:52:21.758 PDT) event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 2016<-2026 (19:52:21.758 PDT) 192.33.90.67 (2) (19:47:39.662 PDT) event=1:22012087 (2) {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 2005<-2022 (19:47:39.662 PDT) 2013<-2029 (19:50:25.073 PDT) 169.226.40.4 (19:53:24.289 PDT) event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 2015<-2028 (19:53:24.289 PDT) 157.181.175.249 (19:51:40.240 PDT) event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 2010<-2024 (19:51:40.240 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN 192.16.125.12 (19:46:57.257 PDT) event=1:52012087 {udp} E5[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Src: 00:21:5A:08:EC:40 2002->2003 (19:46:57.257 PDT) ATTACK PREP PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 128.2.211.114 (19:50:26.846 PDT) event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40 2119->2119 (19:50:26.846 PDT) DECLARE BOT tcpslice 1342493217.257 1342493217.258 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 1.3 (>= 0.8) Infected Target: 192.168.1.102 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 07/16/2012 19:57:18.272 PDT Gen. 
Time: 07/16/2012 20:00:27.508 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN 192.6.26.32 (20:00:04.025 PDT) event=1:52012087 {udp} E5[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Src: 00:21:5A:08:EC:40 2008->2014 (20:00:04.025 PDT) 161.106.240.18 (19:57:18.272 PDT) event=1:52012087 {udp} E5[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Src: 00:21:5A:08:EC:40 2004->2026 (19:57:18.272 PDT) ATTACK PREP PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 132.239.17.226 (20:00:27.508 PDT) event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40 4121->4121 (20:00:27.508 PDT) DECLARE BOT tcpslice 1342493838.272 1342493838.273 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 07/16/2012 20:10:46.722 PDT Gen. 
Time: 07/16/2012 20:10:46.722 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 132.239.17.226 (20:10:46.722 PDT) event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40 4121->4121 (20:10:46.722 PDT) DECLARE BOT tcpslice 1342494646.722 1342494646.723 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 07/16/2012 20:10:46.722 PDT Gen. Time: 07/16/2012 20:14:39.860 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 130.149.49.136 (20:11:23.287 PDT) event=1:9930005 {tcp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40 36960->54593 (20:11:23.287 PDT) 132.239.17.226 (20:10:46.722 PDT) event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40 4121->4121 (20:10:46.722 PDT) DECLARE BOT tcpslice 1342494646.722 1342494646.723 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 192.41.135.219 Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 07/16/2012 20:15:54.212 PDT Gen. 
Time: 07/16/2012 20:16:17.336 PDT INBOUND SCAN EXPLOIT 192.41.135.219 (20:15:54.212 PDT) event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 2004<-2004 (20:15:54.212 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN 165.242.90.129 (20:16:17.336 PDT) event=1:52012087 {udp} E5[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Src: 00:21:5A:08:EC:40 2023->2007 (20:16:17.336 PDT) ATTACK PREP PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT tcpslice 1342494954.212 1342494954.213 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 1.6 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 192.41.135.219, 169.235.24.232 Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 07/16/2012 20:15:54.212 PDT Gen. 
Time: 07/16/2012 20:21:16.767 PDT INBOUND SCAN EXPLOIT 192.41.135.219 (20:15:54.212 PDT) event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 2004<-2004 (20:15:54.212 PDT) 169.235.24.232 (20:16:51.732 PDT) event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 2016<-2023 (20:16:51.732 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN 165.242.90.129 (20:16:17.336 PDT) event=1:52012087 {udp} E5[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Src: 00:21:5A:08:EC:40 2023->2007 (20:16:17.336 PDT) ATTACK PREP PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 129.93.229.138 (20:21:16.767 PDT) event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40 4121->4121 (20:21:16.767 PDT) DECLARE BOT tcpslice 1342494954.212 1342494954.213 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 1.1 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 192.114.4.3 Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 07/16/2012 20:21:55.285 PDT Gen. 
Time: 07/16/2012 20:21:56.807 PDT INBOUND SCAN EXPLOIT 192.114.4.3 (20:21:55.285 PDT) event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 2026<-2009 (20:21:55.285 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 132.239.17.226 (20:21:56.807 PDT) event=1:9930005 {tcp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40 51159->42781 (20:21:56.807 PDT) DECLARE BOT tcpslice 1342495315.285 1342495315.286 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 1.6 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 192.42.83.253, 160.80.221.39, 192.114.4.3, 193.136.191.25, 193.10.64.36, 165.230.49.119, 192.138.213.238, 165.230.49.115 Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 07/16/2012 20:21:55.285 PDT Gen. 
Time: 07/16/2012 20:38:35.946 PDT INBOUND SCAN EXPLOIT 192.42.83.253 (20:34:10.513 PDT) event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 2017<-2004 (20:34:10.513 PDT) 160.80.221.39 (20:31:47.019 PDT) event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 2012<-2006 (20:31:47.019 PDT) 192.114.4.3 (20:21:55.285 PDT) event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 2026<-2009 (20:21:55.285 PDT) 193.136.191.25 (20:32:45.061 PDT) event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 2008<-2023 (20:32:45.061 PDT) 193.10.64.36 (2) (20:24:21.627 PDT) event=1:22012087 (2) {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 2014<-2008 (20:24:21.627 PDT) 2003<-2008 (20:34:42.103 PDT) 165.230.49.119 (20:29:21.292 PDT) event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 2013<-2014 (20:29:21.292 PDT) 192.138.213.238 (20:26:34.020 PDT) event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 2013<-2012 (20:26:34.020 PDT) 165.230.49.115 (20:34:51.855 PDT) event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 2009<-2027 (20:34:51.855 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN 192.42.43.23 (20:28:04.164 PDT) event=1:52012087 {udp} E5[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Src: 00:21:5A:08:EC:40 2011->2012 (20:28:04.164 PDT) 192.42.43.22 (20:30:46.263 
PDT) event=1:52012087 {udp} E5[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Src: 00:21:5A:08:EC:40 2027->1902 (20:30:46.263 PDT) ATTACK PREP PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 128.2.211.114 (20:31:19.971 PDT) event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40 2119->2119 (20:31:19.971 PDT) 132.239.17.226 (20:21:56.807 PDT) event=1:9930005 {tcp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40 51159->42781 (20:21:56.807 PDT) 128.163.142.20 (20:34:43.926 PDT) event=1:9930005 {tcp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40 58790->54593 (20:34:43.926 PDT) DECLARE BOT tcpslice 1342495315.285 1342495315.286 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 1.1 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 192.138.213.238 Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 07/16/2012 20:38:59.748 PDT Gen. 
Time: 07/16/2012 20:41:27.227 PDT INBOUND SCAN EXPLOIT 192.138.213.238 (20:38:59.748 PDT) event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 2001<-2023 (20:38:59.748 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 128.163.142.20 (20:41:27.227 PDT) event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40 54593->54593 (20:41:27.227 PDT) DECLARE BOT tcpslice 1342496339.748 1342496339.749 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 1.1 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 192.33.90.69, 192.197.121.3 Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 07/16/2012 20:50:15.340 PDT Gen. 
Time: 07/16/2012 20:51:30.371 PDT INBOUND SCAN EXPLOIT 192.33.90.69 (2) (20:50:20.092 PDT-20:50:21.810 PDT) event=1:22012087 (2) {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 2: 2023<-2009 (20:50:20.092 PDT-20:50:21.810 PDT) 192.197.121.3 (20:50:15.340 PDT) event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 2016<-2024 (20:50:15.340 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 129.93.229.138 (20:51:30.371 PDT) event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40 2121->2121 (20:51:30.371 PDT) DECLARE BOT tcpslice 1342497015.340 1342497021.811 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 07/16/2012 20:51:38.050 PDT Gen. 
Time: 07/16/2012 20:51:38.050 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 195.37.16.125 (20:51:38.050 PDT) event=1:9930005 {tcp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40 37412->54593 (20:51:38.050 PDT) DECLARE BOT tcpslice 1342497098.050 1342497098.051 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 1.6 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 161.106.240.19, 165.91.55.9, 192.42.83.251, 192.42.43.22 Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 07/16/2012 20:51:38.050 PDT Gen. Time: 07/16/2012 21:01:33.324 PDT INBOUND SCAN EXPLOIT 161.106.240.19 (20:55:05.682 PDT) event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 2028<-2026 (20:55:05.682 PDT) 165.91.55.9 (20:52:23.340 PDT) event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 2023<-2013 (20:52:23.340 PDT) 192.42.83.251 (20:51:54.862 PDT) event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 2019<-2015 (20:51:54.862 PDT) 192.42.43.22 (2) (20:56:17.349 PDT) event=1:22012087 (2) {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 2016<-2025 (20:56:17.349 PDT) 2008<-2025 (20:57:32.466 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN 157.92.44.102 (20:55:46.211 PDT) event=1:52012087 {udp} E5[rb] 
(experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Src: 00:21:5A:08:EC:40 2004->2007 (20:55:46.211 PDT) ATTACK PREP PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 128.2.211.114 (21:01:33.324 PDT) event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40 2119->2119 (21:01:33.324 PDT) 195.37.16.125 (20:51:38.050 PDT) event=1:9930005 {tcp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40 37412->54593 (20:51:38.050 PDT) DECLARE BOT tcpslice 1342497098.050 1342497098.051 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 192.107.171.147, 192.33.90.66 Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 07/16/2012 21:08:00.622 PDT Gen. 
Time: 07/16/2012 21:08:32.327 PDT INBOUND SCAN EXPLOIT 192.107.171.147 (21:08:11.878 PDT) event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 2003<-2003 (21:08:11.878 PDT) 192.33.90.66 (21:08:00.622 PDT) event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 2007<-2019 (21:08:00.622 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN 192.138.213.236 (21:08:32.327 PDT) event=1:52012087 {udp} E5[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Src: 00:21:5A:08:EC:40 2020->2003 (21:08:32.327 PDT) ATTACK PREP PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT tcpslice 1342498080.622 1342498080.623 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 1.6 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 192.107.171.147, 192.33.90.66 Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 07/16/2012 21:08:00.622 PDT Gen. 
Time: 07/16/2012 21:12:33.836 PDT INBOUND SCAN EXPLOIT 192.107.171.147 (21:08:11.878 PDT) event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 2003<-2003 (21:08:11.878 PDT) 192.33.90.66 (21:08:00.622 PDT) event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 2007<-2019 (21:08:00.622 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN 192.138.213.236 (21:08:32.327 PDT) event=1:52012087 {udp} E5[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Src: 00:21:5A:08:EC:40 2020->2003 (21:08:32.327 PDT) ATTACK PREP PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 128.2.211.114 (21:11:39.786 PDT) event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40 2119->2119 (21:11:39.786 PDT) DECLARE BOT tcpslice 1342498080.622 1342498080.623 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.9 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 165.230.49.114 Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 07/16/2012 21:15:30.812 PDT Gen. 
Time: 07/16/2012 21:16:04.909 PDT INBOUND SCAN EXPLOIT 165.230.49.114 (21:16:04.909 PDT) event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 2021<-2005 (21:16:04.909 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT Standard Port 199.255.189.60 (21:15:30.812 PDT) event=1:9920005 {tcp} E8[std] BotHunter REPO confirmed botnet control server on standard port, [] MAC_Src: 00:21:5A:08:EC:40 59714->80 (21:15:30.812 PDT) DECLARE BOT Non-standard Port DECLARE BOT tcpslice 1342498530.812 1342498530.813 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 1.6 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 192.197.121.2, 165.230.49.114 Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 07/16/2012 21:16:04.909 PDT Gen. 
Time: 07/16/2012 21:22:53.228 PDT INBOUND SCAN EXPLOIT 192.197.121.2 (21:16:57.383 PDT) event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 2013<-2004 (21:16:57.383 PDT) 165.230.49.114 (21:16:04.909 PDT) event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 2021<-2005 (21:16:04.909 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN 156.56.250.226 (21:19:01.816 PDT) event=1:52012087 {udp} E5[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Src: 00:21:5A:08:EC:40 2010->2009 (21:19:01.816 PDT) ATTACK PREP PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 134.34.246.5 (21:21:39.986 PDT) event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40 4121->4121 (21:21:39.986 PDT) DECLARE BOT tcpslice 1342498564.909 1342498564.910 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 165.230.49.114 Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 07/16/2012 21:27:34.564 PDT Gen. 
Time: 07/16/2012 21:28:04.408 PDT INBOUND SCAN EXPLOIT 165.230.49.114 (21:27:34.564 PDT) event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 2017<-2011 (21:27:34.564 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN 169.235.24.133 (21:28:04.408 PDT) event=1:52012087 {udp} E5[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Src: 00:21:5A:08:EC:40 2001->2012 (21:28:04.408 PDT) ATTACK PREP PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT tcpslice 1342499254.564 1342499254.565 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================ Score: 1.6 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 156.17.10.51, 169.226.40.2, 193.10.64.35, 165.230.49.114 Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 07/16/2012 21:27:34.564 PDT Gen. 
Time: 07/16/2012 21:35:11.809 PDT INBOUND SCAN EXPLOIT 156.17.10.51 (21:29:01.533 PDT) event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 2006<-2024 (21:29:01.533 PDT) 169.226.40.2 (21:29:21.360 PDT) event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 2019<-2004 (21:29:21.360 PDT) 193.10.64.35 (21:30:11.914 PDT) event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 2004<-2014 (21:30:11.914 PDT) 165.230.49.114 (21:27:34.564 PDT) event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 2017<-2011 (21:27:34.564 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN 190.227.163.141 (21:28:29.963 PDT) event=1:52012087 {udp} E5[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Src: 00:21:5A:08:EC:40 2028->2019 (21:28:29.963 PDT) 156.17.10.51 (21:31:38.892 PDT) event=1:52012087 {udp} E5[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Src: 00:21:5A:08:EC:40 2025->2005 (21:31:38.892 PDT) 169.235.24.133 (21:28:04.408 PDT) event=1:52012087 {udp} E5[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Src: 00:21:5A:08:EC:40 2001->2012 (21:28:04.408 PDT) ATTACK PREP PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 128.163.142.20 (21:31:44.974 PDT) event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40 4121->4121 (21:31:44.974 PDT) DECLARE BOT tcpslice 1342499254.564 1342499254.565 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR 
================================
Score: 1.1 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 155.246.12.164, 165.230.49.119
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 07/16/2012 21:38:57.544 PDT
Gen. Time: 07/16/2012 21:41:55.212 PDT
  INBOUND SCAN
  EXPLOIT
    155.246.12.164 (21:38:57.544 PDT)
      event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
      2016<-2010 (21:38:57.544 PDT)
    165.230.49.119 (21:39:10.589 PDT)
      event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
      2021<-2012 (21:39:10.589 PDT)
  EXPLOIT MALWARE DNS
  EGG DOWNLOAD
  C and C TRAFFIC
  C and C TRAFFIC (RBN)
  C and C DNS CHECK-IN
  OUTBOUND SKYPE CANDIDATE
  OUTBOUND SCAN (spp)
  OUTBOUND SCAN
  ATTACK PREP
  PEER COORDINATION
  DECLARE BOT Standard Port
  DECLARE BOT Non-standard Port
    138.238.250.155 (21:41:55.212 PDT)
      event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40
      4121->4121 (21:41:55.212 PDT)
  DECLARE BOT

tcpslice 1342499937.544 1342499937.545 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 192.114.4.3, 192.138.213.238, 165.230.49.114
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 07/16/2012 21:43:14.725 PDT
Gen. Time: 07/16/2012 21:48:55.796 PDT
  INBOUND SCAN
  EXPLOIT
    192.114.4.3 (21:43:14.725 PDT)
      event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
      2025<-2006 (21:43:14.725 PDT)
    192.138.213.238 (21:45:35.513 PDT)
      event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
      2024<-2004 (21:45:35.513 PDT)
    165.230.49.114 (21:44:51.877 PDT)
      event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
      2017<-2026 (21:44:51.877 PDT)
  EXPLOIT MALWARE DNS
  EGG DOWNLOAD
  C and C TRAFFIC
  C and C TRAFFIC (RBN)
  C and C DNS CHECK-IN
  OUTBOUND SKYPE CANDIDATE
  OUTBOUND SCAN (spp)
  OUTBOUND SCAN
    162.105.205.21 (21:48:55.796 PDT)
      event=1:52012087 {udp} E5[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Src: 00:21:5A:08:EC:40
      2005->2027 (21:48:55.796 PDT)
  ATTACK PREP
  PEER COORDINATION
  DECLARE BOT Standard Port
  DECLARE BOT Non-standard Port
  DECLARE BOT

tcpslice 1342500194.725 1342500194.726 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 192.114.4.3, 192.138.213.238, 165.230.49.114, 192.33.90.68
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 07/16/2012 21:43:14.725 PDT
Gen. Time: 07/16/2012 21:51:25.027 PDT
  INBOUND SCAN
  EXPLOIT
    192.114.4.3 (21:43:14.725 PDT)
      event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
      2025<-2006 (21:43:14.725 PDT)
    192.138.213.238 (21:45:35.513 PDT)
      event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
      2024<-2004 (21:45:35.513 PDT)
    165.230.49.114 (21:44:51.877 PDT)
      event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
      2017<-2026 (21:44:51.877 PDT)
    192.33.90.68 (21:49:09.871 PDT)
      event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
      2008<-2026 (21:49:09.871 PDT)
  EXPLOIT MALWARE DNS
  EGG DOWNLOAD
  C and C TRAFFIC
  C and C TRAFFIC (RBN)
  C and C DNS CHECK-IN
  OUTBOUND SKYPE CANDIDATE
  OUTBOUND SCAN (spp)
  OUTBOUND SCAN
    162.105.205.21 (21:48:55.796 PDT)
      event=1:52012087 {udp} E5[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Src: 00:21:5A:08:EC:40
      2005->2027 (21:48:55.796 PDT)
  ATTACK PREP
  PEER COORDINATION
  DECLARE BOT Standard Port
  DECLARE BOT Non-standard Port
  DECLARE BOT

tcpslice 1342500194.725 1342500194.726 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'
============================== SEPARATOR ================================
Score: 1.1 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 169.226.40.4
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 07/16/2012 21:52:01.917 PDT
Gen. Time: 07/16/2012 21:52:17.341 PDT
  INBOUND SCAN
  EXPLOIT
    169.226.40.4 (21:52:01.917 PDT)
      event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
      1901<-2005 (21:52:01.917 PDT)
  EXPLOIT MALWARE DNS
  EGG DOWNLOAD
  C and C TRAFFIC
  C and C TRAFFIC (RBN)
  C and C DNS CHECK-IN
  OUTBOUND SKYPE CANDIDATE
  OUTBOUND SCAN (spp)
  OUTBOUND SCAN
  ATTACK PREP
  PEER COORDINATION
  DECLARE BOT Standard Port
  DECLARE BOT Non-standard Port
    128.2.211.114 (21:52:17.341 PDT)
      event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40
      2121->2121 (21:52:17.341 PDT)
  DECLARE BOT

tcpslice 1342500721.917 1342500721.918 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'
============================== SEPARATOR ================================
Score: 1.1 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 192.42.83.253, 192.33.90.66, 169.226.40.4
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 07/16/2012 21:52:01.917 PDT
Gen. Time: 07/16/2012 21:56:58.276 PDT
  INBOUND SCAN
  EXPLOIT
    192.42.83.253 (21:52:51.704 PDT)
      event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
      2018<-2001 (21:52:51.704 PDT)
    192.33.90.66 (21:54:32.056 PDT)
      event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
      2005<-2026 (21:54:32.056 PDT)
    169.226.40.4 (21:52:01.917 PDT)
      event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
      1901<-2005 (21:52:01.917 PDT)
  EXPLOIT MALWARE DNS
  EGG DOWNLOAD
  C and C TRAFFIC
  C and C TRAFFIC (RBN)
  C and C DNS CHECK-IN
  OUTBOUND SKYPE CANDIDATE
  OUTBOUND SCAN (spp)
  OUTBOUND SCAN
  ATTACK PREP
  PEER COORDINATION
  DECLARE BOT Standard Port
  DECLARE BOT Non-standard Port
    128.2.211.114 (21:52:17.341 PDT)
      event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40
      2121->2121 (21:52:17.341 PDT)
  DECLARE BOT

tcpslice 1342500721.917 1342500721.918 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 07/16/2012 22:02:17.496 PDT
Gen. Time: 07/16/2012 22:02:17.496 PDT
  INBOUND SCAN
  EXPLOIT
  EXPLOIT MALWARE DNS
  EGG DOWNLOAD
  C and C TRAFFIC
  C and C TRAFFIC (RBN)
  C and C DNS CHECK-IN
  OUTBOUND SKYPE CANDIDATE
  OUTBOUND SCAN (spp)
  OUTBOUND SCAN
  ATTACK PREP
  PEER COORDINATION
  DECLARE BOT Standard Port
  DECLARE BOT Non-standard Port
    128.2.211.114 (22:02:17.496 PDT)
      event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40
      2121->2121 (22:02:17.496 PDT)
  DECLARE BOT

tcpslice 1342501337.496 1342501337.497 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'
============================== SEPARATOR ================================
Score: 1.6 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 192.33.90.67, 192.41.135.219, 155.246.12.163
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 07/16/2012 22:02:17.496 PDT
Gen. Time: 07/16/2012 22:17:16.217 PDT
  INBOUND SCAN
  EXPLOIT
    192.33.90.67 (22:06:54.546 PDT)
      event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
      2021<-2026 (22:06:54.546 PDT)
    192.41.135.219 (22:13:28.132 PDT)
      event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
      2024<-2016 (22:13:28.132 PDT)
    155.246.12.163 (22:05:08.820 PDT)
      event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
      2009<-2018 (22:05:08.820 PDT)
  EXPLOIT MALWARE DNS
  EGG DOWNLOAD
  C and C TRAFFIC
  C and C TRAFFIC (RBN)
  C and C DNS CHECK-IN
  OUTBOUND SKYPE CANDIDATE
  OUTBOUND SCAN (spp)
  OUTBOUND SCAN
    169.235.24.133 (22:09:56.587 PDT)
      event=1:52012087 {udp} E5[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Src: 00:21:5A:08:EC:40
      2002->2016 (22:09:56.587 PDT)
    192.33.90.69 (22:07:52.903 PDT)
      event=1:52012087 {udp} E5[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Src: 00:21:5A:08:EC:40
      2029->2003 (22:07:52.903 PDT)
    157.181.175.249 (22:06:37.062 PDT)
      event=1:52012087 {udp} E5[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Src: 00:21:5A:08:EC:40
      2004->2013 (22:06:37.062 PDT)
  ATTACK PREP
  PEER COORDINATION
  DECLARE BOT Standard Port
  DECLARE BOT Non-standard Port
    128.2.211.114 (2) (22:02:17.496 PDT-22:12:17.714 PDT)
      event=1:9930006 (2) {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40
      2: 2121->2121 (22:02:17.496 PDT-22:12:17.714 PDT)
  DECLARE BOT

tcpslice 1342501337.496 1342501937.715 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'
============================== SEPARATOR ================================
Score: 1.1 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 192.138.213.238
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 07/16/2012 22:19:57.618 PDT
Gen. Time: 07/16/2012 22:22:29.519 PDT
  INBOUND SCAN
  EXPLOIT
    192.138.213.238 (22:19:57.618 PDT)
      event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
      2011<-2016 (22:19:57.618 PDT)
  EXPLOIT MALWARE DNS
  EGG DOWNLOAD
  C and C TRAFFIC
  C and C TRAFFIC (RBN)
  C and C DNS CHECK-IN
  OUTBOUND SKYPE CANDIDATE
  OUTBOUND SCAN (spp)
  OUTBOUND SCAN
  ATTACK PREP
  PEER COORDINATION
  DECLARE BOT Standard Port
  DECLARE BOT Non-standard Port
    138.238.250.155 (22:22:29.519 PDT)
      event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40
      2121->2121 (22:22:29.519 PDT)
  DECLARE BOT

tcpslice 1342502397.618 1342502397.619 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 07/16/2012 22:32:29.027 PDT
Gen. Time: 07/16/2012 22:32:29.027 PDT
  INBOUND SCAN
  EXPLOIT
  EXPLOIT MALWARE DNS
  EGG DOWNLOAD
  C and C TRAFFIC
  C and C TRAFFIC (RBN)
  C and C DNS CHECK-IN
  OUTBOUND SKYPE CANDIDATE
  OUTBOUND SCAN (spp)
  OUTBOUND SCAN
  ATTACK PREP
  PEER COORDINATION
  DECLARE BOT Standard Port
  DECLARE BOT Non-standard Port
    128.2.211.114 (22:32:29.027 PDT)
      event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40
      2121->2121 (22:32:29.027 PDT)
  DECLARE BOT

tcpslice 1342503149.027 1342503149.028 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 07/16/2012 22:32:29.027 PDT
Gen. Time: 07/16/2012 22:35:17.504 PDT
  INBOUND SCAN
  EXPLOIT
  EXPLOIT MALWARE DNS
  EGG DOWNLOAD
  C and C TRAFFIC
  C and C TRAFFIC (RBN)
  C and C DNS CHECK-IN
  OUTBOUND SKYPE CANDIDATE
  OUTBOUND SCAN (spp)
  OUTBOUND SCAN
  ATTACK PREP
  PEER COORDINATION
  DECLARE BOT Standard Port
  DECLARE BOT Non-standard Port
    130.149.49.136 (22:32:37.102 PDT)
      event=1:9930005 {tcp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40
      40445->42781 (22:32:37.102 PDT)
    128.2.211.114 (22:32:29.027 PDT)
      event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40
      2121->2121 (22:32:29.027 PDT)
  DECLARE BOT

tcpslice 1342503149.027 1342503149.028 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 07/16/2012 22:42:29.185 PDT
Gen. Time: 07/16/2012 22:42:29.185 PDT
  INBOUND SCAN
  EXPLOIT
  EXPLOIT MALWARE DNS
  EGG DOWNLOAD
  C and C TRAFFIC
  C and C TRAFFIC (RBN)
  C and C DNS CHECK-IN
  OUTBOUND SKYPE CANDIDATE
  OUTBOUND SCAN (spp)
  OUTBOUND SCAN
  ATTACK PREP
  PEER COORDINATION
  DECLARE BOT Standard Port
  DECLARE BOT Non-standard Port
    128.2.211.114 (22:42:29.185 PDT)
      event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40
      2121->2121 (22:42:29.185 PDT)
  DECLARE BOT

tcpslice 1342503749.185 1342503749.186 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'
============================== SEPARATOR ================================
Score: 1.1 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 160.80.221.39, 192.33.90.66
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 07/16/2012 22:42:29.185 PDT
Gen. Time: 07/16/2012 22:47:22.636 PDT
  INBOUND SCAN
  EXPLOIT
    160.80.221.39 (22:44:16.223 PDT)
      event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
      2014<-2029 (22:44:16.223 PDT)
    192.33.90.66 (22:43:10.310 PDT)
      event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
      2005<-2015 (22:43:10.310 PDT)
  EXPLOIT MALWARE DNS
  EGG DOWNLOAD
  C and C TRAFFIC
  C and C TRAFFIC (RBN)
  C and C DNS CHECK-IN
  OUTBOUND SKYPE CANDIDATE
  OUTBOUND SCAN (spp)
  OUTBOUND SCAN
  ATTACK PREP
  PEER COORDINATION
  DECLARE BOT Standard Port
  DECLARE BOT Non-standard Port
    128.2.211.114 (22:42:29.185 PDT)
      event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40
      2121->2121 (22:42:29.185 PDT)
  DECLARE BOT

tcpslice 1342503749.185 1342503749.186 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'
============================== SEPARATOR ================================
Score: 1.3 (>= 0.8)
Infected Target: 192.168.1.102
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 07/16/2012 22:47:58.121 PDT
Gen. Time: 07/16/2012 22:51:05.124 PDT
  INBOUND SCAN
  EXPLOIT
  EXPLOIT MALWARE DNS
  EGG DOWNLOAD
  C and C TRAFFIC
  C and C TRAFFIC (RBN)
  C and C DNS CHECK-IN
  OUTBOUND SKYPE CANDIDATE
  OUTBOUND SCAN (spp)
  OUTBOUND SCAN
    160.193.163.106 (22:47:58.121 PDT)
      event=1:52012087 {udp} E5[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Src: 00:21:5A:08:EC:40
      2021->2028 (22:47:58.121 PDT)
  ATTACK PREP
  PEER COORDINATION
  DECLARE BOT Standard Port
  DECLARE BOT Non-standard Port
    134.34.246.5 (22:51:05.124 PDT)
      event=1:9930005 {tcp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40
      39866->49302 (22:51:05.124 PDT)
  DECLARE BOT

tcpslice 1342504078.121 1342504078.122 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.102
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 07/16/2012 22:52:29.324 PDT
Gen. Time: 07/16/2012 22:52:29.324 PDT
  INBOUND SCAN
  EXPLOIT
  EXPLOIT MALWARE DNS
  EGG DOWNLOAD
  C and C TRAFFIC
  C and C TRAFFIC (RBN)
  C and C DNS CHECK-IN
  OUTBOUND SKYPE CANDIDATE
  OUTBOUND SCAN (spp)
  OUTBOUND SCAN
  ATTACK PREP
  PEER COORDINATION
  DECLARE BOT Standard Port
  DECLARE BOT Non-standard Port
    128.2.211.114 (22:52:29.324 PDT)
      event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40
      2121->2121 (22:52:29.324 PDT)
  DECLARE BOT

tcpslice 1342504349.324 1342504349.325 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'
============================== SEPARATOR ================================
Score: 1.1 (>= 0.8)
Infected Target: 192.168.1.102
Infector List: 169.235.24.232
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 07/16/2012 22:52:29.324 PDT
Gen. Time: 07/16/2012 22:56:13.971 PDT
  INBOUND SCAN
  EXPLOIT
    169.235.24.232 (22:52:31.011 PDT)
      event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40
      2014<-2019 (22:52:31.011 PDT)
  EXPLOIT MALWARE DNS
  EGG DOWNLOAD
  C and C TRAFFIC
  C and C TRAFFIC (RBN)
  C and C DNS CHECK-IN
  OUTBOUND SKYPE CANDIDATE
  OUTBOUND SCAN (spp)
  OUTBOUND SCAN
  ATTACK PREP
  PEER COORDINATION
  DECLARE BOT Standard Port
  DECLARE BOT Non-standard Port
    128.2.211.114 (22:52:29.324 PDT)
      event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40
      2121->2121 (22:52:29.324 PDT)
  DECLARE BOT

tcpslice 1342504349.324 1342504349.325 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102'
============================== SEPARATOR ================================
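A parser for the profile records above, as an added example (this is not BotHunter's own code and is not part of the original dump). It pulls out the header fields (score, threshold, infected target, infector and C&C lists, Observed Start, Gen. Time), files each alert under the dialog-phase heading it is printed beneath, lists the hosts declared as control servers with their protocol and remote port, and checks that the tcpslice window in each profile opens at that profile's Observed Start (07/16/2012 21:38:57.544 PDT is 1342499937.544 as a PDT epoch, which is the first tcpslice argument in the matching record). The function names, the reading of the left-hand port as the infected host's side, and the fixed PDT/PST offsets are this example's own assumptions; the embedded sample is two of the profiles above re-quoted in the flattened form, so the whitespace normalisation is exercised as well.

```python
"""Parser and consistency checks for BotHunter infection-profile dumps (an added example, not
BotHunter's own code). Whitespace is normalised first, so it reads the one-field-per-line layout
and a flattened dump alike."""
import re
from datetime import datetime, timedelta, timezone

# Dialog-phase headings as printed in a profile, longest first so the regex alternation never
# stops at "EXPLOIT" inside "EXPLOIT MALWARE DNS" or at "DECLARE BOT" inside its port variants.
PHASES = ["DECLARE BOT Non-standard Port", "DECLARE BOT Standard Port", "OUTBOUND SKYPE CANDIDATE",
          "C and C TRAFFIC (RBN)", "C and C DNS CHECK-IN", "EXPLOIT MALWARE DNS", "OUTBOUND SCAN (spp)",
          "PEER COORDINATION", "C and C TRAFFIC", "INBOUND SCAN", "EGG DOWNLOAD", "OUTBOUND SCAN",
          "ATTACK PREP", "DECLARE BOT", "EXPLOIT"]
PHASE_RE = re.compile(r"(?<!\w)(?:" + "|".join(map(re.escape, PHASES)) + r")(?!\w)")
TIME = r"\d\d:\d\d:\d\d\.\d{3} [A-Z]{3,4}"
HEADER_RE = re.compile(
    r"Score: (?P<score>[\d.]+) \(>= (?P<threshold>[\d.]+)\) Infected Target: (?P<target>\S+) "
    r"Infector List: (?P<infectors>.*?) ?Egg Source List: (?P<eggs>.*?) ?C & C List: (?P<cnc>.*?) ?"
    r"Peer Coord\. List: (?P<peers>.*?) ?Resource List: (?P<resources>.*?) ?"
    r"Observed Start: (?P<start>\d\d/\d\d/\d{4} " + TIME + r") Gen\. Time: (?P<gen>\d\d/\d\d/\d{4} " + TIME + ")")
# One alert: ip [(n)] (first[-last]) event=gid:sid [(n)] {proto} Ex[..] msg, [] MAC_Src|Dst: mac [n:] a<-b|a->b (
EVENT_RE = re.compile(
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})(?: \((?P<count>\d+)\))? \((?P<first>" + TIME + r")(?:-(?P<last>" + TIME + r"))?\) "
    r"event=(?P<sid>\d+:\d+)(?: \(\d+\))? \{(?P<proto>\w+)\} (?P<cls>E\d\[\w+\]) (?P<msg>.*?), \[\] "
    r"MAC_(?P<macdir>Src|Dst): (?P<mac>(?:[0-9A-F]{2}:){5}[0-9A-F]{2}) (?:\d+: )?(?P<p1>\d+)(?P<arrow><-|->)(?P<p2>\d+) \(")
TCPSLICE_RE = re.compile(r"tcpslice (?P<t0>\d+\.\d+) (?P<t1>\d+\.\d+)")
TZ_OFFSETS = {"PDT": -7, "PST": -8}  # the only zones these dumps use; fixed offsets assumed

def epoch_of(stamp):
    """'07/16/2012 21:38:57.544 PDT' -> POSIX seconds at millisecond precision."""
    clock, zone = stamp.rsplit(" ", 1)
    local = datetime.strptime(clock, "%m/%d/%Y %H:%M:%S.%f")
    return round(local.replace(tzinfo=timezone(timedelta(hours=TZ_OFFSETS[zone]))).timestamp(), 3)

def _csv(s):
    return [x.strip() for x in s.split(",") if x.strip()]

def parse_profiles(text):
    """Split a dump on its SEPARATOR lines and parse every profile into a dict."""
    profiles = []
    for chunk in " ".join(text.split()).split("SEPARATOR"):
        h = HEADER_RE.search(chunk)
        if not h:
            continue
        ts = TCPSLICE_RE.search(chunk, h.end())
        p = {"score": float(h["score"]), "threshold": float(h["threshold"]), "target": h["target"],
             "infectors": _csv(h["infectors"]), "cnc": _csv(h["cnc"]), "start": h["start"], "gen": h["gen"],
             "tcpslice": (float(ts["t0"]), float(ts["t1"])) if ts else None, "events": []}
        # Every alert belongs to the nearest phase heading printed before it.
        heads = [(m.start(), m.group(0)) for m in PHASE_RE.finditer(chunk, h.end())]
        for e in EVENT_RE.finditer(chunk, h.end()):
            phase = next((n for pos, n in reversed(heads) if pos < e.start()), "?")
            # Left-hand port is read as the infected host's side: an inference from the
            # MAC_Dst/'<-' versus MAC_Src/'->' pairing in the dumps, not documented there.
            p["events"].append({
                "phase": phase, "ip": e["ip"], "sid": e["sid"], "proto": e["proto"], "cls": e["cls"],
                "msg": e["msg"], "first": e["first"], "last": e["last"] or e["first"],
                "count": int(e["count"] or 1), "inbound": e["arrow"] == "<-",
                "local_port": int(e["p1"]), "remote_port": int(e["p2"])})
        profiles.append(p)
    return profiles

def tcpslice_matches_start(p, tol=0.002):
    """The pcap extraction window should open at the profile's Observed Start."""
    return p["tcpslice"] is not None and abs(p["tcpslice"][0] - epoch_of(p["start"])) <= tol

def declared_control_servers(p):
    """(ip, proto, remote port) of each alert filed under a DECLARE BOT heading."""
    return [(e["ip"], e["proto"], e["remote_port"]) for e in p["events"]
            if e["phase"].startswith("DECLARE BOT")]

# Constructed sample: two of the profiles from the dump above, kept in its flattened form.
SAMPLE = (
    "Score: 1.1 (>= 0.8) Infected Target: 192.168.1.102 Infector List: 155.246.12.164, 165.230.49.119 "
    "Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 07/16/2012 "
    "21:38:57.544 PDT Gen. Time: 07/16/2012 21:41:55.212 PDT INBOUND SCAN EXPLOIT 155.246.12.164 "
    "(21:38:57.544 PDT) event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No "
    "Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 2016<-2010 (21:38:57.544 PDT) 165.230.49.119 "
    "(21:39:10.589 PDT) event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No "
    "Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:EC:40 2021<-2012 (21:39:10.589 PDT) EXPLOIT MALWARE "
    "DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE "
    "OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT Standard Port DECLARE "
    "BOT Non-standard Port 138.238.250.155 (21:41:55.212 PDT) event=1:9930006 {udp} E8[unk] BotHunter "
    "REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40 "
    "4121->4121 (21:41:55.212 PDT) DECLARE BOT tcpslice 1342499937.544 1342499937.545 inputFile.tcpd | "
    "tcpdump -r - -w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR "
    "================================ Score: 1.3 (>= 0.8) Infected Target: 192.168.1.102 Infector List: "
    "Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 07/16/2012 "
    "22:47:58.121 PDT Gen. Time: 07/16/2012 22:51:05.124 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS "
    "EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE "
    "OUTBOUND SCAN (spp) OUTBOUND SCAN 160.193.163.106 (22:47:58.121 PDT) event=1:52012087 {udp} E5[rb] "
    "(experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Src: 00:21:5A:08:EC:40 "
    "2021->2028 (22:47:58.121 PDT) ATTACK PREP PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT "
    "Non-standard Port 134.34.246.5 (22:51:05.124 PDT) event=1:9930005 {tcp} E8[unk] BotHunter REPO "
    "confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:EC:40 39866->49302 "
    "(22:51:05.124 PDT) DECLARE BOT tcpslice 1342504078.121 1342504078.122 inputFile.tcpd | tcpdump -r - "
    "-w outputFile.tcpd 'host 192.168.1.102' ============================== SEPARATOR ================================")

if __name__ == "__main__":
    for p in parse_profiles(SAMPLE):
        print(p["score"], p["target"], [e["phase"] for e in p["events"]], declared_control_servers(p),
              "tcpslice opens at Observed Start" if tcpslice_matches_start(p) else "tcpslice MISMATCH")
```

Because a profile is re-emitted every time new evidence arrives (the records with the same Observed Start above are successive versions of one profile), de-duplicating on the (target, Observed Start) pair and keeping the latest Gen. Time is the natural next step before counting control servers across a whole dump.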