Score: 1.1 (>= 0.8)
Infected Target: 192.168.1.100
Infector List: 192.33.90.67, 192.33.90.68
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 07/16/2012 23:59:00.735 PDT
Gen. Time: 07/17/2012 00:06:36.041 PDT

INBOUND SCAN
EXPLOIT
  192.33.90.67 (00:01:03.958 PDT)
    event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, []
    MAC_Dst: 00:21:5A:08:BB:0C  2029<-2013 (00:01:03.958 PDT)
  192.33.90.68 (00:02:45.276 PDT)
    event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, []
    MAC_Dst: 00:21:5A:08:BB:0C  2023<-2025 (00:02:45.276 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
  130.104.72.201 (23:59:00.735 PDT)
    event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, []
    MAC_Src: 00:21:5A:08:BB:0C  49302->49302 (23:59:00.735 PDT)
DECLARE BOT

tcpslice 1342508340.735 1342508340.736 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.100
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 07/17/2012 00:07:17.979 PDT
Gen. Time: 07/17/2012 00:07:17.979 PDT

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
  129.93.229.138 (00:07:17.979 PDT)
    event=1:9930005 {tcp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, []
    MAC_Src: 00:21:5A:08:BB:0C  55325->17914 (00:07:17.979 PDT)
DECLARE BOT

tcpslice 1342508837.979 1342508837.980 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100'

============================== SEPARATOR ================================

Score: 1.1 (>= 0.8)
Infected Target: 192.168.1.100
Infector List: 157.159.226.72
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 07/17/2012 00:07:17.979 PDT
Gen. Time: 07/17/2012 00:12:00.226 PDT

INBOUND SCAN
EXPLOIT
  157.159.226.72 (00:08:40.636 PDT)
    event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, []
    MAC_Dst: 00:21:5A:08:BB:0C  2009<-2001 (00:08:40.636 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
  129.93.229.138 (00:07:17.979 PDT)
    event=1:9930005 {tcp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, []
    MAC_Src: 00:21:5A:08:BB:0C  55325->17914 (00:07:17.979 PDT)
  130.104.72.201 (00:09:00.227 PDT)
    event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, []
    MAC_Src: 00:21:5A:08:BB:0C  49302->49302 (00:09:00.227 PDT)
DECLARE BOT

tcpslice 1342508837.979 1342508837.980 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.100
Infector List: 165.91.55.10
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 07/17/2012 00:12:39.391 PDT
Gen. Time: 07/17/2012 00:15:31.627 PDT

INBOUND SCAN
EXPLOIT
  165.91.55.10 (00:12:39.391 PDT)
    event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, []
    MAC_Dst: 00:21:5A:08:BB:0C  2002<-2020 (00:12:39.391 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
  169.226.40.2 (00:15:31.627 PDT)
    event=1:52012087 {udp} E5[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, []
    MAC_Src: 00:21:5A:08:BB:0C  2022->2003 (00:15:31.627 PDT)
ATTACK PREP
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT

tcpslice 1342509159.391 1342509159.392 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100'

============================== SEPARATOR ================================

Score: 1.6 (>= 0.8)
Infected Target: 192.168.1.100
Infector List: 165.91.55.10, 156.17.10.51
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 07/17/2012 00:12:39.391 PDT
Gen. Time: 07/17/2012 00:20:10.388 PDT

INBOUND SCAN
EXPLOIT
  165.91.55.10 (00:12:39.391 PDT)
    event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, []
    MAC_Dst: 00:21:5A:08:BB:0C  2002<-2020 (00:12:39.391 PDT)
  156.17.10.51 (00:17:01.701 PDT)
    event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, []
    MAC_Dst: 00:21:5A:08:BB:0C  2008<-2014 (00:17:01.701 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
  169.226.40.2 (00:15:31.627 PDT)
    event=1:52012087 {udp} E5[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, []
    MAC_Src: 00:21:5A:08:BB:0C  2022->2003 (00:15:31.627 PDT)
ATTACK PREP
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
  130.104.72.201 (00:19:02.796 PDT)
    event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, []
    MAC_Src: 00:21:5A:08:BB:0C  49302->49302 (00:19:02.796 PDT)
DECLARE BOT

tcpslice 1342509159.391 1342509159.392 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.100
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 07/17/2012 00:29:02.475 PDT
Gen. Time: 07/17/2012 00:29:02.475 PDT

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
  130.104.72.201 (00:29:02.475 PDT)
    event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, []
    MAC_Src: 00:21:5A:08:BB:0C  49302->49302 (00:29:02.475 PDT)
DECLARE BOT

tcpslice 1342510142.475 1342510142.476 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100'

============================== SEPARATOR ================================

Score: 1.6 (>= 0.8)
Infected Target: 192.168.1.100
Infector List: 161.106.240.19, 163.117.253.22, 165.230.49.114
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 07/17/2012 00:29:02.475 PDT
Gen. Time: 07/17/2012 00:36:31.537 PDT

INBOUND SCAN
EXPLOIT
  161.106.240.19 (00:32:19.990 PDT)
    event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, []
    MAC_Dst: 00:21:5A:08:BB:0C  2007<-2023 (00:32:19.990 PDT)
  163.117.253.22 (00:33:13.005 PDT)
    event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, []
    MAC_Dst: 00:21:5A:08:BB:0C  2001<-2022 (00:33:13.005 PDT)
  165.230.49.114 (00:33:22.739 PDT)
    event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, []
    MAC_Dst: 00:21:5A:08:BB:0C  2023<-2020 (00:33:22.739 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
  192.6.26.33 (00:32:20.435 PDT)
    event=1:52012087 {udp} E5[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, []
    MAC_Src: 00:21:5A:08:BB:0C  2016->2013 (00:32:20.435 PDT)
ATTACK PREP
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
  129.93.229.138 (00:33:30.233 PDT)
    event=1:9930005 {tcp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, []
    MAC_Src: 00:21:5A:08:BB:0C  52657->17914 (00:33:30.233 PDT)
  130.104.72.201 (00:29:02.475 PDT)
    event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, []
    MAC_Src: 00:21:5A:08:BB:0C  49302->49302 (00:29:02.475 PDT)
DECLARE BOT

tcpslice 1342510142.475 1342510142.476 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100'

============================== SEPARATOR ================================

Score: 1.1 (>= 0.8)
Infected Target: 192.168.1.100
Infector List: 193.10.64.36
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 07/17/2012 00:36:46.682 PDT
Gen. Time: 07/17/2012 00:39:03.696 PDT

INBOUND SCAN
EXPLOIT
  193.10.64.36 (00:36:46.682 PDT)
    event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, []
    MAC_Dst: 00:21:5A:08:BB:0C  2009<-2018 (00:36:46.682 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
  130.104.72.201 (00:39:03.696 PDT)
    event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, []
    MAC_Src: 00:21:5A:08:BB:0C  49302->49302 (00:39:03.696 PDT)
DECLARE BOT

tcpslice 1342510606.682 1342510606.683 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100'

============================== SEPARATOR ================================

Score: 1.1 (>= 0.8)
Infected Target: 192.168.1.100
Infector List: 192.16.125.12, 193.10.64.36
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 07/17/2012 00:36:46.682 PDT
Gen. Time: 07/17/2012 00:43:07.592 PDT

INBOUND SCAN
EXPLOIT
  192.16.125.12 (00:39:32.551 PDT)
    event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, []
    MAC_Dst: 00:21:5A:08:BB:0C  2006<-2030 (00:39:32.551 PDT)
  193.10.64.36 (00:36:46.682 PDT)
    event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, []
    MAC_Dst: 00:21:5A:08:BB:0C  2009<-2018 (00:36:46.682 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
  130.104.72.201 (00:39:03.696 PDT)
    event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, []
    MAC_Src: 00:21:5A:08:BB:0C  49302->49302 (00:39:03.696 PDT)
DECLARE BOT

tcpslice 1342510606.682 1342510606.683 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.100
Infector List: 165.230.49.114
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 07/17/2012 00:46:21.011 PDT
Gen. Time: 07/17/2012 00:46:46.874 PDT

INBOUND SCAN
EXPLOIT
  165.230.49.114 (00:46:21.011 PDT)
    event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, []
    MAC_Dst: 00:21:5A:08:BB:0C  2007<-2025 (00:46:21.011 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
  165.230.49.114 (00:46:46.874 PDT)
    event=1:52012087 {udp} E5[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, []
    MAC_Src: 00:21:5A:08:BB:0C  2004->2004 (00:46:46.874 PDT)
ATTACK PREP
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT

tcpslice 1342511181.011 1342511181.012 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100'

============================== SEPARATOR ================================

Score: 1.1 (>= 0.8)
Infected Target: 192.168.1.100
Infector List: 161.106.240.19
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 07/17/2012 00:48:38.796 PDT
Gen. Time: 07/17/2012 00:49:04.851 PDT

INBOUND SCAN
EXPLOIT
  161.106.240.19 (00:48:38.796 PDT)
    event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, []
    MAC_Dst: 00:21:5A:08:BB:0C  2015<-2029 (00:48:38.796 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
  206.207.248.34 (00:49:04.851 PDT)
    event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, []
    MAC_Src: 00:21:5A:08:BB:0C  2121->2121 (00:49:04.851 PDT)
DECLARE BOT

tcpslice 1342511318.796 1342511318.797 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100'

============================== SEPARATOR ================================

Score: 1.1 (>= 0.8)
Infected Target: 192.168.1.100
Infector List: 161.106.240.19
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 07/17/2012 00:48:38.796 PDT
Gen. Time: 07/17/2012 00:52:58.048 PDT

INBOUND SCAN
EXPLOIT
  161.106.240.19 (00:48:38.796 PDT)
    event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, []
    MAC_Dst: 00:21:5A:08:BB:0C  2015<-2029 (00:48:38.796 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
  206.207.248.34 (00:49:04.851 PDT)
    event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, []
    MAC_Src: 00:21:5A:08:BB:0C  2121->2121 (00:49:04.851 PDT)
  129.93.229.138 (00:49:06.076 PDT)
    event=1:9930005 {tcp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, []
    MAC_Src: 00:21:5A:08:BB:0C  37158->17914 (00:49:06.076 PDT)
DECLARE BOT

tcpslice 1342511318.796 1342511318.797 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.100
Infector List: 192.33.90.195
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 07/17/2012 00:55:11.104 PDT
Gen. Time: 07/17/2012 00:55:11.388 PDT

INBOUND SCAN
EXPLOIT
  192.33.90.195 (00:55:11.104 PDT)
    event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, []
    MAC_Dst: 00:21:5A:08:BB:0C  2003<-2024 (00:55:11.104 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
  169.226.40.2 (00:55:11.388 PDT)
    event=1:52012087 {udp} E5[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, []
    MAC_Src: 00:21:5A:08:BB:0C  2005->2005 (00:55:11.388 PDT)
ATTACK PREP
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT

tcpslice 1342511711.104 1342511711.105 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100'

============================== SEPARATOR ================================

Score: 1.1 (>= 0.8)
Infected Target: 192.168.1.100
Infector List: 192.197.121.3
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 07/17/2012 00:58:46.695 PDT
Gen. Time: 07/17/2012 00:59:05.676 PDT

INBOUND SCAN
EXPLOIT
  192.197.121.3 (00:58:46.695 PDT)
    event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, []
    MAC_Dst: 00:21:5A:08:BB:0C  2003<-2003 (00:58:46.695 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
  130.104.72.201 (00:59:05.676 PDT)
    event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, []
    MAC_Src: 00:21:5A:08:BB:0C  49302->49302 (00:59:05.676 PDT)
DECLARE BOT

tcpslice 1342511926.695 1342511926.696 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100'

============================== SEPARATOR ================================

Score: 1.1 (>= 0.8)
Infected Target: 192.168.1.100
Infector List: 192.197.121.2, 192.197.121.3
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 07/17/2012 00:58:46.695 PDT
Gen. Time: 07/17/2012 01:03:51.767 PDT

INBOUND SCAN
EXPLOIT
  192.197.121.2 (00:59:46.003 PDT)
    event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, []
    MAC_Dst: 00:21:5A:08:BB:0C  2006<-2031 (00:59:46.003 PDT)
  192.197.121.3 (00:58:46.695 PDT)
    event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, []
    MAC_Dst: 00:21:5A:08:BB:0C  2003<-2003 (00:58:46.695 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
  130.104.72.201 (00:59:05.676 PDT)
    event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, []
    MAC_Src: 00:21:5A:08:BB:0C  49302->49302 (00:59:05.676 PDT)
DECLARE BOT

tcpslice 1342511926.695 1342511926.696 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.100
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 07/17/2012 01:05:09.753 PDT
Gen. Time: 07/17/2012 01:05:09.753 PDT

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
  129.93.229.138 (01:05:09.753 PDT)
    event=1:9930005 {tcp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, []
    MAC_Src: 00:21:5A:08:BB:0C  43154->17914 (01:05:09.753 PDT)
DECLARE BOT

tcpslice 1342512309.753 1342512309.754 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.100
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 07/17/2012 01:09:07.032 PDT
Gen. Time: 07/17/2012 01:09:07.032 PDT

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
  130.104.72.201 (01:09:07.032 PDT)
    event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, []
    MAC_Src: 00:21:5A:08:BB:0C  49302->49302 (01:09:07.032 PDT)
DECLARE BOT

tcpslice 1342512547.032 1342512547.033 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.100
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 07/17/2012 01:19:10.063 PDT
Gen. Time: 07/17/2012 01:19:10.063 PDT

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
  128.2.211.114 (01:19:10.063 PDT)
    event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, []
    MAC_Src: 00:21:5A:08:BB:0C  2121->2121 (01:19:10.063 PDT)
DECLARE BOT

tcpslice 1342513150.063 1342513150.064 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.100
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 07/17/2012 01:23:50.344 PDT
Gen. Time: 07/17/2012 01:23:50.344 PDT

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
  129.93.229.138 (01:23:50.344 PDT)
    event=1:9930005 {tcp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, []
    MAC_Src: 00:21:5A:08:BB:0C  59324->17914 (01:23:50.344 PDT)
DECLARE BOT

tcpslice 1342513430.344 1342513430.345 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.100
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 07/17/2012 01:29:10.472 PDT
Gen. Time: 07/17/2012 01:29:10.472 PDT

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
  129.93.229.138 (01:29:10.472 PDT)
    event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, []
    MAC_Src: 00:21:5A:08:BB:0C  33832->17914 (01:29:10.472 PDT)
DECLARE BOT

tcpslice 1342513750.472 1342513750.473 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.100
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 07/17/2012 01:39:01.287 PDT
Gen. Time: 07/17/2012 01:39:01.287 PDT

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
  129.93.229.138 (01:39:01.287 PDT)
    event=1:9930005 {tcp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, []
    MAC_Src: 00:21:5A:08:BB:0C  45656->17914 (01:39:01.287 PDT)
DECLARE BOT

tcpslice 1342514341.287 1342514341.288 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.100
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 07/17/2012 01:39:01.287 PDT
Gen. Time: 07/17/2012 01:43:08.548 PDT

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
  129.93.229.138 (01:39:01.287 PDT)
    event=1:9930005 {tcp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, []
    MAC_Src: 00:21:5A:08:BB:0C  45656->17914 (01:39:01.287 PDT)
  130.104.72.201 (01:39:15.111 PDT)
    event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, []
    MAC_Src: 00:21:5A:08:BB:0C  49302->49302 (01:39:15.111 PDT)
DECLARE BOT

tcpslice 1342514341.287 1342514341.288 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100'

============================== SEPARATOR ================================

Score: 1.1 (>= 0.8)
Infected Target: 192.168.1.100
Infector List: 192.33.90.67, 192.41.135.219
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 07/17/2012 01:46:51.917 PDT
Gen. Time: 07/17/2012 01:49:23.753 PDT

INBOUND SCAN
EXPLOIT
  192.33.90.67 (01:48:37.808 PDT)
    event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, []
    MAC_Dst: 00:21:5A:08:BB:0C  2006<-2007 (01:48:37.808 PDT)
  192.41.135.219 (01:46:51.917 PDT)
    event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, []
    MAC_Dst: 00:21:5A:08:BB:0C  2022<-2018 (01:46:51.917 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
  130.104.72.201 (01:49:23.753 PDT)
    event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, []
    MAC_Src: 00:21:5A:08:BB:0C  49302->49302 (01:49:23.753 PDT)
DECLARE BOT

tcpslice 1342514811.917 1342514811.918 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100'

============================== SEPARATOR ================================

Score: 1.1 (>= 0.8)
Infected Target: 192.168.1.100
Infector List: 192.33.90.67, 192.33.90.195, 192.41.135.219, 155.246.12.163, 192.197.121.3
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 07/17/2012 01:46:51.917 PDT
Gen. Time: 07/17/2012 01:56:25.417 PDT

INBOUND SCAN
EXPLOIT
  192.33.90.67 (01:48:37.808 PDT)
    event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, []
    MAC_Dst: 00:21:5A:08:BB:0C  2006<-2007 (01:48:37.808 PDT)
  192.33.90.195 (2) (01:50:40.679 PDT)
    event=1:22012087 (2) {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, []
    MAC_Dst: 00:21:5A:08:BB:0C  2003<-2025 (01:50:40.679 PDT)  2017<-2013 (01:50:41.189 PDT)
  192.41.135.219 (01:46:51.917 PDT)
    event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, []
    MAC_Dst: 00:21:5A:08:BB:0C  2022<-2018 (01:46:51.917 PDT)
  155.246.12.163 (01:53:27.074 PDT)
    event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, []
    MAC_Dst: 00:21:5A:08:BB:0C  2016<-2029 (01:53:27.074 PDT)
  192.197.121.3 (01:50:02.357 PDT)
    event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, []
    MAC_Dst: 00:21:5A:08:BB:0C  2001<-2010 (01:50:02.357 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
  129.93.229.138 (01:56:25.417 PDT)
    event=1:9930005 {tcp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, []
    MAC_Src: 00:21:5A:08:BB:0C  41252->17914 (01:56:25.417 PDT)
  130.104.72.201 (01:49:23.753 PDT)
    event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, []
    MAC_Src: 00:21:5A:08:BB:0C  49302->49302 (01:49:23.753 PDT)
DECLARE BOT

tcpslice 1342514811.917 1342514811.918 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.100
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 07/17/2012 01:59:26.311 PDT
Gen. Time: 07/17/2012 01:59:26.311 PDT

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
  128.163.142.20 (01:59:26.311 PDT)
    event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, []
    MAC_Src: 00:21:5A:08:BB:0C  2121->2121 (01:59:26.311 PDT)
DECLARE BOT

tcpslice 1342515566.311 1342515566.312 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100'

============================== SEPARATOR ================================

Score: 1.1 (>= 0.8)
Infected Target: 192.168.1.100
Infector List: 160.80.221.37
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 07/17/2012 02:09:25.261 PDT
Gen. Time: 07/17/2012 02:09:26.683 PDT

INBOUND SCAN
EXPLOIT
  160.80.221.37 (02:09:25.261 PDT)
    event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, []
    MAC_Dst: 00:21:5A:08:BB:0C  2016<-2019 (02:09:25.261 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
  143.89.49.74 (02:09:26.683 PDT)
    event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, []
    MAC_Src: 00:21:5A:08:BB:0C  2121->2121 (02:09:26.683 PDT)
DECLARE BOT

tcpslice 1342516165.261 1342516165.262 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.100
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 07/17/2012 02:13:57.058 PDT
Gen. Time: 07/17/2012 02:13:57.058 PDT

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
  129.93.229.138 (02:13:57.058 PDT)
    event=1:9930005 {tcp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, []
    MAC_Src: 00:21:5A:08:BB:0C  51401->17914 (02:13:57.058 PDT)
DECLARE BOT

tcpslice 1342516437.058 1342516437.059 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.100
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 07/17/2012 02:19:27.104 PDT
Gen. Time: 07/17/2012 02:19:27.104 PDT

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
  129.93.229.138 (02:19:27.104 PDT)
    event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, []
    MAC_Src: 00:21:5A:08:BB:0C  33832->17914 (02:19:27.104 PDT)
DECLARE BOT

tcpslice 1342516767.104 1342516767.105 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100'

============================== SEPARATOR ================================

Score: 1.1 (>= 0.8)
Infected Target: 192.168.1.100
Infector List: 192.138.213.238, 192.42.43.23
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 07/17/2012 02:23:29.155 PDT
Gen. Time: 07/17/2012 02:29:32.874 PDT

INBOUND SCAN
EXPLOIT
  192.138.213.238 (02:24:53.554 PDT)
    event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, []
    MAC_Dst: 00:21:5A:08:BB:0C  2006<-2004 (02:24:53.554 PDT)
  192.42.43.23 (02:23:29.155 PDT)
    event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, []
    MAC_Dst: 00:21:5A:08:BB:0C  2026<-2006 (02:23:29.155 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
  130.104.72.201 (02:29:32.874 PDT)
    event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, []
    MAC_Src: 00:21:5A:08:BB:0C  49302->49302 (02:29:32.874 PDT)
DECLARE BOT

tcpslice 1342517009.155 1342517009.156 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.100
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 07/17/2012 02:29:35.507 PDT
Gen. Time: 07/17/2012 02:29:35.507 PDT

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
  129.93.229.138 (02:29:35.507 PDT)
    event=1:9930005 {tcp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, []
    MAC_Src: 00:21:5A:08:BB:0C  45977->17914 (02:29:35.507 PDT)
DECLARE BOT

tcpslice 1342517375.507 1342517375.508 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100'

============================== SEPARATOR ================================

Score: 1.6 (>= 0.8)
Infected Target: 192.168.1.100
Infector List: 157.92.44.101
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 07/17/2012 02:29:35.507 PDT
Gen. Time: 07/17/2012 02:31:57.682 PDT

INBOUND SCAN
EXPLOIT
  157.92.44.101 (02:30:37.053 PDT)
    event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, []
    MAC_Dst: 00:21:5A:08:BB:0C  2007<-2008 (02:30:37.053 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
  165.91.55.9 (02:30:40.737 PDT)
    event=1:52012087 {udp} E5[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, []
    MAC_Src: 00:21:5A:08:BB:0C  2016->2027 (02:30:40.737 PDT)
ATTACK PREP
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
  129.93.229.138 (02:29:35.507 PDT)
    event=1:9930005 {tcp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, []
    MAC_Src: 00:21:5A:08:BB:0C  45977->17914 (02:29:35.507 PDT)
DECLARE BOT

tcpslice 1342517375.507 1342517375.508 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100'

============================== SEPARATOR ================================

Score: 1.1 (>= 0.8)
Infected Target: 192.168.1.100
Infector List: 165.91.55.10, 155.246.12.164, 192.33.90.195
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 07/17/2012 02:37:21.215 PDT
Gen. Time: 07/17/2012 02:39:37.651 PDT

INBOUND SCAN
EXPLOIT
  165.91.55.10 (02:37:21.215 PDT)
    event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, []
    MAC_Dst: 00:21:5A:08:BB:0C  2001<-2006 (02:37:21.215 PDT)
  155.246.12.164 (02:38:04.463 PDT)
    event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, []
    MAC_Dst: 00:21:5A:08:BB:0C  2018<-2022 (02:38:04.463 PDT)
  192.33.90.195 (02:38:01.739 PDT)
    event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, []
    MAC_Dst: 00:21:5A:08:BB:0C  2027<-2023 (02:38:01.739 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
  130.104.72.201 (02:39:37.651 PDT)
    event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, []
    MAC_Src: 00:21:5A:08:BB:0C  49302->49302 (02:39:37.651 PDT)
DECLARE BOT

tcpslice 1342517841.215 1342517841.216 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.100
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 07/17/2012 02:46:06.479 PDT
Gen.
Time: 07/17/2012 02:46:06.479 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 129.93.229.138 (02:46:06.479 PDT) event=1:9930005 {tcp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:BB:0C 35990->17914 (02:46:06.479 PDT) DECLARE BOT tcpslice 1342518366.479 1342518366.480 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100' ============================== SEPARATOR ================================ Score: 1.1 (>= 0.8) Infected Target: 192.168.1.100 Infector List: 192.42.83.251 Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 07/17/2012 02:46:06.479 PDT Gen. Time: 07/17/2012 02:49:50.201 PDT INBOUND SCAN EXPLOIT 192.42.83.251 (02:46:31.585 PDT) event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:BB:0C 2004<-2019 (02:46:31.585 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 129.93.229.138 (02:46:06.479 PDT) event=1:9930005 {tcp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:BB:0C 35990->17914 (02:46:06.479 PDT) 130.104.72.201 (02:49:50.201 PDT) event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:BB:0C 49302->49302 (02:49:50.201 PDT) DECLARE BOT tcpslice 1342518366.479 1342518366.480 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100' ============================== SEPARATOR ================================ Score: 1.1 (>= 0.8) Infected Target: 192.168.1.100 
Infector List: 192.42.43.23, 192.33.90.68 Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 07/17/2012 02:54:38.599 PDT Gen. Time: 07/17/2012 02:57:53.755 PDT INBOUND SCAN EXPLOIT 192.42.43.23 (02:54:38.599 PDT) event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:BB:0C 2017<-2012 (02:54:38.599 PDT) 192.33.90.68 (02:55:03.443 PDT) event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:BB:0C 2015<-2013 (02:55:03.443 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 130.104.72.201 (02:57:53.755 PDT) event=1:9930005 {tcp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:BB:0C 38046->49302 (02:57:53.755 PDT) DECLARE BOT tcpslice 1342518878.599 1342518878.600 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100' ============================== SEPARATOR ================================ Score: 1.1 (>= 0.8) Infected Target: 192.168.1.100 Infector List: 192.42.43.23, 192.197.121.3, 192.33.90.68 Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 07/17/2012 02:54:38.599 PDT Gen. 
Time: 07/17/2012 03:01:13.084 PDT INBOUND SCAN EXPLOIT 192.42.43.23 (02:54:38.599 PDT) event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:BB:0C 2017<-2012 (02:54:38.599 PDT) 192.197.121.3 (02:58:10.986 PDT) event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:BB:0C 2026<-2029 (02:58:10.986 PDT) 192.33.90.68 (02:55:03.443 PDT) event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:BB:0C 2015<-2013 (02:55:03.443 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 130.104.72.201 (2) (02:57:53.755 PDT) event=1:9930005 {tcp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:BB:0C 38046->49302 (02:57:53.755 PDT) ------------------------- event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:BB:0C 49302->49302 (02:59:52.100 PDT) DECLARE BOT tcpslice 1342518878.599 1342518878.600 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100' ============================== SEPARATOR ================================ Score: 1.1 (>= 0.8) Infected Target: 192.168.1.100 Infector List: 192.114.4.3, 155.246.12.163 Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 07/17/2012 03:05:48.938 PDT Gen. 
Time: 07/17/2012 03:09:52.404 PDT INBOUND SCAN EXPLOIT 192.114.4.3 (03:05:48.938 PDT) event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:BB:0C 1901<-2026 (03:05:48.938 PDT) 155.246.12.163 (03:08:24.451 PDT) event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:BB:0C 2006<-2006 (03:08:24.451 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 129.93.229.138 (03:09:52.404 PDT) event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:BB:0C 33832->17914 (03:09:52.404 PDT) DECLARE BOT tcpslice 1342519548.938 1342519548.939 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100' ============================== SEPARATOR ================================ Score: 1.1 (>= 0.8) Infected Target: 192.168.1.100 Infector List: 192.33.90.67, 192.114.4.3, 192.33.90.195, 192.33.90.66, 155.246.12.163, 169.226.40.4 Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 07/17/2012 03:05:48.938 PDT Gen. 
Time: 07/17/2012 03:20:16.906 PDT INBOUND SCAN EXPLOIT 192.33.90.67 (03:16:48.682 PDT) event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:BB:0C 2016<-2001 (03:16:48.682 PDT) 192.114.4.3 (03:05:48.938 PDT) event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:BB:0C 1901<-2026 (03:05:48.938 PDT) 192.33.90.195 (03:15:02.906 PDT) event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:BB:0C 2026<-2014 (03:15:02.906 PDT) 192.33.90.66 (03:12:16.785 PDT) event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:BB:0C 2004<-2004 (03:12:16.785 PDT) 155.246.12.163 (03:08:24.451 PDT) event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:BB:0C 2006<-2006 (03:08:24.451 PDT) 169.226.40.4 (03:13:58.651 PDT) event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:BB:0C 2028<-2002 (03:13:58.651 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 128.2.211.114 (03:19:52.476 PDT) event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:BB:0C 2119->2119 (03:19:52.476 PDT) 129.93.229.138 (03:09:52.404 PDT) event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:BB:0C 33832->17914 (03:09:52.404 PDT) DECLARE BOT tcpslice 1342519548.938 1342519548.939 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100' ============================== SEPARATOR 
================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.100 Infector List: 165.91.55.9, 192.42.43.22 Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 07/17/2012 03:20:25.883 PDT Gen. Time: 07/17/2012 03:20:44.251 PDT INBOUND SCAN EXPLOIT 165.91.55.9 (03:20:25.883 PDT) event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:BB:0C 2011<-2004 (03:20:25.883 PDT) 192.42.43.22 (03:20:34.065 PDT) event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:BB:0C 2023<-2018 (03:20:34.065 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN 169.235.24.232 (03:20:44.251 PDT) event=1:52012087 {udp} E5[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Src: 00:21:5A:08:BB:0C 2011->2027 (03:20:44.251 PDT) ATTACK PREP PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT tcpslice 1342520425.883 1342520425.884 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100' ============================== SEPARATOR ================================ Score: 1.4 (>= 0.8) Infected Target: 192.168.1.100 Infector List: 192.16.125.12, 165.91.55.9, 192.42.43.22 Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 07/17/2012 03:20:25.883 PDT Gen. 
Time: 07/17/2012 03:26:40.696 PDT INBOUND SCAN EXPLOIT 192.16.125.12 (03:23:22.526 PDT) event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:BB:0C 2007<-2025 (03:23:22.526 PDT) 165.91.55.9 (03:20:25.883 PDT) event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:BB:0C 2011<-2004 (03:20:25.883 PDT) 192.42.43.22 (03:20:34.065 PDT) event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:BB:0C 2023<-2018 (03:20:34.065 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN 169.235.24.232 (03:20:44.251 PDT) event=1:52012087 {udp} E5[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Src: 00:21:5A:08:BB:0C 2011->2027 (03:20:44.251 PDT) ATTACK PREP PEER COORDINATION DECLARE BOT Standard Port 199.255.189.160 (03:21:21.153 PDT) event=1:9920005 {tcp} E8[std] BotHunter REPO confirmed botnet control server on standard port, [] MAC_Src: 00:21:5A:08:BB:0C 58269->80 (03:21:21.153 PDT) DECLARE BOT Non-standard Port DECLARE BOT tcpslice 1342520425.883 1342520425.884 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.100 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 07/17/2012 03:30:01.273 PDT Gen. 
Time: 07/17/2012 03:30:01.273 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 129.93.229.138 (03:30:01.273 PDT) event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:BB:0C 33832->17914 (03:30:01.273 PDT) DECLARE BOT tcpslice 1342521001.273 1342521001.274 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100' ============================== SEPARATOR ================================ Score: 1.6 (>= 0.8) Infected Target: 192.168.1.100 Infector List: 192.107.171.145, 192.33.90.195, 165.91.55.11, 156.56.250.227, 192.42.43.23, 160.80.221.39, 163.117.253.22, 160.80.221.37, 192.33.90.67, 157.92.44.102, 192.42.83.251 Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 07/17/2012 03:30:01.273 PDT Gen. 
Time: 07/17/2012 03:49:25.333 PDT INBOUND SCAN EXPLOIT 192.107.171.145 (03:45:03.011 PDT) event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:BB:0C 2024<-2001 (03:45:03.011 PDT) 192.33.90.195 (03:45:30.676 PDT) event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:BB:0C 2007<-2009 (03:45:30.676 PDT) 165.91.55.11 (03:42:46.455 PDT) event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:BB:0C 2023<-2024 (03:42:46.455 PDT) 156.56.250.227 (03:37:56.401 PDT) event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:BB:0C 2008<-2009 (03:37:56.401 PDT) 192.42.43.23 (03:37:42.435 PDT) event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:BB:0C 2023<-2020 (03:37:42.435 PDT) 160.80.221.39 (03:35:05.905 PDT) event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:BB:0C 2014<-2023 (03:35:05.905 PDT) 163.117.253.22 (03:42:05.202 PDT) event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:BB:0C 2011<-2012 (03:42:05.202 PDT) 160.80.221.37 (2) (03:36:27.572 PDT) event=1:22012087 (2) {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:BB:0C 2020<-2023 (03:36:27.572 PDT) 2009<-2019 (03:43:51.889 PDT) 192.33.90.67 (03:42:05.206 PDT) event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:BB:0C 2016<-2014 (03:42:05.206 PDT) 157.92.44.102 (03:37:20.962 PDT) event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:BB:0C 2014<-2011 
(03:37:20.962 PDT) 192.42.83.251 (03:30:22.598 PDT) event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:BB:0C 2017<-2014 (03:30:22.598 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN 165.230.49.115 (2) (03:33:02.607 PDT) event=1:52012087 (2) {udp} E5[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Src: 00:21:5A:08:BB:0C 2025->2004 (03:33:02.607 PDT) 2011->2006 (03:39:10.805 PDT) 192.16.125.11 (03:32:12.035 PDT) event=1:52012087 {udp} E5[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Src: 00:21:5A:08:BB:0C 2023->2010 (03:32:12.035 PDT) ATTACK PREP PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 129.93.229.138 (03:30:01.273 PDT) event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:BB:0C 33832->17914 (03:30:01.273 PDT) 130.104.72.201 (03:40:01.061 PDT) event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:BB:0C 4121->4121 (03:40:01.061 PDT) DECLARE BOT tcpslice 1342521001.273 1342521001.274 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100' ============================== SEPARATOR ================================ Score: 1.3 (>= 0.8) Infected Target: 192.168.1.100 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 07/17/2012 03:50:04.705 PDT Gen. 
Time: 07/17/2012 03:50:11.564 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN 169.235.24.232 (03:50:04.705 PDT) event=1:52012087 {udp} E5[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Src: 00:21:5A:08:BB:0C 2006->2021 (03:50:04.705 PDT) ATTACK PREP PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 129.93.229.138 (03:50:11.564 PDT) event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:BB:0C 33832->17914 (03:50:11.564 PDT) DECLARE BOT tcpslice 1342522204.705 1342522204.706 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100' ============================== SEPARATOR ================================ Score: 1.6 (>= 0.8) Infected Target: 192.168.1.100 Infector List: 192.197.121.2, 156.56.250.227, 165.91.55.9, 192.138.213.236 Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 07/17/2012 03:50:04.705 PDT Gen. 
Time: 07/17/2012 03:56:22.523 PDT INBOUND SCAN EXPLOIT 192.197.121.2 (03:52:40.302 PDT) event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:BB:0C 2028<-2001 (03:52:40.302 PDT) 156.56.250.227 (03:53:30.431 PDT) event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:BB:0C 2013<-2013 (03:53:30.431 PDT) 165.91.55.9 (2) (03:50:22.182 PDT-03:50:23.263 PDT) event=1:22012087 (2) {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:BB:0C 2: 2024<-2004 (03:50:22.182 PDT-03:50:23.263 PDT) 192.138.213.236 (03:54:23.482 PDT) event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:BB:0C 2008<-2020 (03:54:23.482 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN 155.98.35.8 (2) (03:54:14.335 PDT) event=1:52012087 (2) {udp} E5[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Src: 00:21:5A:08:BB:0C 2012->2005 (03:54:14.335 PDT) 2013->2001 (03:54:38.844 PDT) 165.230.49.115 (03:54:21.471 PDT) event=1:52012087 {udp} E5[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Src: 00:21:5A:08:BB:0C 2013->2003 (03:54:21.471 PDT) 169.235.24.232 (03:50:04.705 PDT) event=1:52012087 {udp} E5[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Src: 00:21:5A:08:BB:0C 2006->2021 (03:50:04.705 PDT) ATTACK PREP PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 129.93.229.138 (03:50:11.564 PDT) event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:BB:0C 33832->17914 (03:50:11.564 PDT) DECLARE BOT tcpslice 1342522204.705 1342522223.264 inputFile.tcpd | tcpdump -r - -w 
outputFile.tcpd 'host 192.168.1.100' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.100 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 07/17/2012 04:00:27.125 PDT Gen. Time: 07/17/2012 04:00:27.125 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 129.93.229.138 (04:00:27.125 PDT) event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:BB:0C 33832->17914 (04:00:27.125 PDT) DECLARE BOT tcpslice 1342522827.125 1342522827.126 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100' ============================== SEPARATOR ================================ Score: 1.1 (>= 0.8) Infected Target: 192.168.1.100 Infector List: 192.42.83.253, 192.197.121.3 Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 07/17/2012 04:07:01.933 PDT Gen. 
Time: 07/17/2012 04:10:34.714 PDT INBOUND SCAN EXPLOIT 192.42.83.253 (04:09:45.067 PDT) event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:BB:0C 2003<-2029 (04:09:45.067 PDT) 192.197.121.3 (04:07:01.933 PDT) event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:BB:0C 2029<-2012 (04:07:01.933 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 132.239.17.226 (04:10:34.714 PDT) event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:BB:0C 4121->4121 (04:10:34.714 PDT) DECLARE BOT tcpslice 1342523221.933 1342523221.934 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100' ============================== SEPARATOR ================================ Score: 1.1 (>= 0.8) Infected Target: 192.168.1.100 Infector List: 192.42.83.253, 192.197.121.2, 192.197.121.3 Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 07/17/2012 04:07:01.933 PDT Gen. 
Time: 07/17/2012 04:13:29.353 PDT INBOUND SCAN EXPLOIT 192.42.83.253 (04:09:45.067 PDT) event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:BB:0C 2003<-2029 (04:09:45.067 PDT) 192.197.121.2 (04:12:33.118 PDT) event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:BB:0C 2028<-2019 (04:12:33.118 PDT) 192.197.121.3 (04:07:01.933 PDT) event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:BB:0C 2029<-2012 (04:07:01.933 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 132.239.17.226 (04:10:34.714 PDT) event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:BB:0C 4121->4121 (04:10:34.714 PDT) DECLARE BOT tcpslice 1342523221.933 1342523221.934 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100' ============================== SEPARATOR ================================ Score: 0.9 (>= 0.8) Infected Target: 192.168.1.100 Infector List: 157.181.175.249 Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 07/17/2012 04:16:03.777 PDT Gen. 
Time: 07/17/2012 04:17:50.442 PDT INBOUND SCAN EXPLOIT 157.181.175.249 (04:16:03.777 PDT) event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:BB:0C 2021<-2026 (04:16:03.777 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT Standard Port 199.255.189.60 (04:17:50.442 PDT) event=1:9920005 {tcp} E8[std] BotHunter REPO confirmed botnet control server on standard port, [] MAC_Src: 00:21:5A:08:BB:0C 56797->80 (04:17:50.442 PDT) DECLARE BOT Non-standard Port DECLARE BOT tcpslice 1342523763.777 1342523763.778 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100' ============================== SEPARATOR ================================ Score: 1.1 (>= 0.8) Infected Target: 192.168.1.100 Infector List: 192.42.43.23, 192.42.83.251, 157.159.226.74, 157.181.175.249 Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 07/17/2012 04:16:03.777 PDT Gen. 
Time: 07/17/2012 04:23:04.408 PDT INBOUND SCAN EXPLOIT 192.42.43.23 (2) (04:19:52.842 PDT) event=1:22012087 (2) {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:BB:0C 2004<-2007 (04:19:52.842 PDT) 2012<-2021 (04:21:27.765 PDT) 192.42.83.251 (04:19:13.433 PDT) event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:BB:0C 2012<-2005 (04:19:13.433 PDT) 157.159.226.74 (04:21:13.671 PDT) event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:BB:0C 2014<-2022 (04:21:13.671 PDT) 157.181.175.249 (04:16:03.777 PDT) event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:BB:0C 2021<-2026 (04:16:03.777 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 130.149.49.136 (2) (04:18:40.942 PDT) event=1:9930005 {tcp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:BB:0C 52097->49301 (04:18:40.942 PDT) ------------------------- event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:BB:0C 49301->49301 (04:20:38.084 PDT) DECLARE BOT tcpslice 1342523763.777 1342523763.778 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.100 Infector List: 162.105.205.21 Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 07/17/2012 04:27:03.753 PDT Gen. 
Time: 07/17/2012 04:29:17.580 PDT
INBOUND SCAN
EXPLOIT
  162.105.205.21 (04:29:17.580 PDT)
    event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:BB:0C
    2020<-2019 (04:29:17.580 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
  162.105.205.21 (04:27:03.753 PDT)
    event=1:52012087 {udp} E5[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Src: 00:21:5A:08:BB:0C
    2004->2028 (04:27:03.753 PDT)
ATTACK PREP
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT
tcpslice 1342524423.753 1342524423.754 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100'
============================== SEPARATOR ================================
Score: 1.6 (>= 0.8)
Infected Target: 192.168.1.100
Infector List: 156.17.10.52, 192.42.83.253, 162.105.205.21
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 07/17/2012 04:27:03.753 PDT
Gen. Time: 07/17/2012 04:33:34.028 PDT
INBOUND SCAN
EXPLOIT
  156.17.10.52 (04:30:12.043 PDT)
    event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:BB:0C
    2020<-2002 (04:30:12.043 PDT)
  192.42.83.253 (04:32:26.701 PDT)
    event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:BB:0C
    2005<-2017 (04:32:26.701 PDT)
  162.105.205.21 (04:29:17.580 PDT)
    event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:BB:0C
    2020<-2019 (04:29:17.580 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
  165.242.90.129 (04:31:22.641 PDT)
    event=1:52012087 {udp} E5[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Src: 00:21:5A:08:BB:0C
    2027->2002 (04:31:22.641 PDT)
  162.105.205.21 (04:27:03.753 PDT)
    event=1:52012087 {udp} E5[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Src: 00:21:5A:08:BB:0C
    2004->2028 (04:27:03.753 PDT)
ATTACK PREP
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
  129.93.229.138 (04:30:50.389 PDT)
    event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:BB:0C
    33832->17914 (04:30:50.389 PDT)
DECLARE BOT
tcpslice 1342524423.753 1342524423.754 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.100
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 07/17/2012 04:40:55.971 PDT
Gen. Time: 07/17/2012 04:40:55.971 PDT
INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
  195.37.16.125 (04:40:55.971 PDT)
    event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:BB:0C
    49301->49301 (04:40:55.971 PDT)
DECLARE BOT
tcpslice 1342525255.971 1342525255.972 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100'
============================== SEPARATOR ================================
Score: 1.1 (>= 0.8)
Infected Target: 192.168.1.100
Infector List: 192.33.90.67, 160.193.163.106, 165.230.49.119, 161.106.240.18, 165.230.49.118, 192.33.90.69, 192.42.43.22, 192.138.213.236
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 07/17/2012 04:40:55.971 PDT
Gen. Time: 07/17/2012 04:47:23.990 PDT
INBOUND SCAN
EXPLOIT
  192.33.90.67 (04:43:12.614 PDT)
    event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:BB:0C
    2012<-2017 (04:43:12.614 PDT)
  160.193.163.106 (04:41:04.069 PDT)
    event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:BB:0C
    2008<-2023 (04:41:04.069 PDT)
  165.230.49.119 (04:41:25.628 PDT)
    event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:BB:0C
    2020<-2018 (04:41:25.628 PDT)
  161.106.240.18 (04:41:40.623 PDT)
    event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:BB:0C
    2029<-2028 (04:41:40.623 PDT)
  165.230.49.118 (04:41:30.766 PDT)
    event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:BB:0C
    2021<-2006 (04:41:30.766 PDT)
  192.33.90.69 (04:41:21.646 PDT)
    event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:BB:0C
    2022<-2029 (04:41:21.646 PDT)
  192.42.43.22 (04:41:30.333 PDT)
    event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:BB:0C
    2001<-2002 (04:41:30.333 PDT)
  192.138.213.236 (04:42:43.650 PDT)
    event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:BB:0C
    2015<-2014 (04:42:43.650 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
  195.37.16.125 (04:40:55.971 PDT)
    event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:BB:0C
    49301->49301 (04:40:55.971 PDT)
DECLARE BOT
tcpslice 1342525255.971 1342525255.972 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.100
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 07/17/2012 04:48:17.980 PDT
Gen. Time: 07/17/2012 04:48:17.980 PDT
INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
  137.165.1.111 (04:48:17.980 PDT)
    event=1:9930005 {tcp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:BB:0C
    55675->42781 (04:48:17.980 PDT)
DECLARE BOT
tcpslice 1342525697.980 1342525697.981 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.100
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 07/17/2012 04:51:02.484 PDT
Gen. Time: 07/17/2012 04:51:02.484 PDT
INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
  128.2.211.114 (04:51:02.484 PDT)
    event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:BB:0C
    4121->4121 (04:51:02.484 PDT)
DECLARE BOT
tcpslice 1342525862.484 1342525862.485 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100'
============================== SEPARATOR ================================
Score: 1.6 (>= 0.8)
Infected Target: 192.168.1.100
Infector List: 156.17.10.52, 165.230.49.119, 157.92.44.102, 155.246.12.163, 193.10.64.35, 192.33.90.68
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 07/17/2012 04:51:02.484 PDT
Gen. Time: 07/17/2012 05:09:03.061 PDT
INBOUND SCAN
EXPLOIT
  156.17.10.52 (05:04:57.147 PDT)
    event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:BB:0C
    1901<-2011 (05:04:57.147 PDT)
  165.230.49.119 (05:01:03.003 PDT)
    event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:BB:0C
    2029<-2002 (05:01:03.003 PDT)
  157.92.44.102 (04:53:55.961 PDT)
    event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:BB:0C
    2029<-2002 (04:53:55.961 PDT)
  155.246.12.163 (05:02:16.080 PDT)
    event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:BB:0C
    2015<-2006 (05:02:16.080 PDT)
  193.10.64.35 (04:57:07.891 PDT)
    event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:BB:0C
    2019<-2017 (04:57:07.891 PDT)
  192.33.90.68 (04:59:10.722 PDT)
    event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:BB:0C
    2007<-2016 (04:59:10.722 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C D
NS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
  165.230.49.115 (04:51:06.727 PDT)
    event=1:52012087 {udp} E5[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Src: 00:21:5A:08:BB:0C
    2025->2010 (04:51:06.727 PDT)
ATTACK PREP
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
  128.2.211.114 (2) (04:51:02.484 PDT)
    event=1:9930006 (2) {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:BB:0C
    4121->4121 (04:51:02.484 PDT)
    2121->2121 (05:01:02.371 PDT)
DECLARE BOT
tcpslice 1342525862.484 1342525862.485 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100'
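The profiles above are BotHunter output: each block scores one infected host, lists the inbound exploit sources (phase E2), outbound scan victims (E5) and declared control servers (E8) with ports and timestamps, and ends with a tcpslice | tcpdump command for carving that dialog out of a capture. As an added example that is not part of this page or of BotHunter, the following Python parses that text into structured records and derives a capture window and BPF filter from it. It works on either the line-by-line layout or a copy flattened onto one line, because whitespace is normalized before matching. It assumes the timestamps are PDT (UTC-7), as the profiles state; the function names, the record field names such as `target_port`, and the widening of the capture window to Observed Start .. Gen. Time are choices of this example, not BotHunter conventions.

```python
"""Parse BotHunter infection profiles (format shown above) into structured data
and derive a pcap extraction window. Added example, not BotHunter's own code.
Assumes timestamps are PDT (UTC-7) as the profiles state; for an aggregated
"(2)" event only the first flow is kept. Whitespace is normalized before
matching, so a profile flattened onto one line parses like the original."""
import re
from datetime import datetime, timedelta, timezone

PDT = timezone(timedelta(hours=-7))
IP = r"\d{1,3}(?:\.\d{1,3}){3}"
SECTIONS = [  # headers in the fixed order BotHunter prints them, empty ones included
    "INBOUND SCAN", "EXPLOIT", "EXPLOIT MALWARE DNS", "EGG DOWNLOAD", "C and C TRAFFIC",
    "C and C TRAFFIC (RBN)", "C and C DNS CHECK-IN", "OUTBOUND SKYPE CANDIDATE",
    "OUTBOUND SCAN (spp)", "OUTBOUND SCAN", "ATTACK PREP", "PEER COORDINATION",
    "DECLARE BOT Standard Port", "DECLARE BOT Non-standard Port", "DECLARE BOT"]
# One event. The host header is optional because a host with two event types is
# printed once, with a "-----" line between the events.
EVENT_RE = re.compile(
    rf"(?:(?P<host>{IP}) (?:\(\d+\) )?\([^)]*\) )?"
    r"event=1:(?P<sid>\d+) (?:\(\d+\) )?\{(?P<proto>tcp|udp)\} (?P<phase>E\d)\[\w+\] "
    r"(?P<msg>.*?), \[\] MAC_(?:Src|Dst): [0-9A-F:]{17} "
    r"(?:\d+: )?(?P<tport>\d+)(?:<-|->)(?P<rport>\d+) \((?P<when>[\d:.]+) PDT")


def parse_time(day, hms):
    return datetime.strptime(f"{day} {hms}", "%m/%d/%Y %H:%M:%S.%f").replace(tzinfo=PDT)


def split_sections(text):
    """Locate headers in order, so prefix-overlapping names (EXPLOIT / EXPLOIT
    MALWARE DNS, OUTBOUND SCAN (spp) / OUTBOUND SCAN, ...) resolve correctly."""
    starts, pos = [], 0
    for name in SECTIONS:
        pos = text.index(name, pos) + len(name)
        starts.append((name, pos))
    ends = [s - len(n) for n, s in starts[1:]] + [len(text)]
    return {n: text[s:e].strip() for (n, s), e in zip(starts, ends)}


def parse_profile(raw):
    text = " ".join(raw.split())
    day, hms = re.search(r"Observed Start: (\S+) (\S+) PDT", text).groups()
    start, sections, events = parse_time(day, hms), split_sections(text), []
    for name in ("EXPLOIT", "OUTBOUND SCAN", "DECLARE BOT Standard Port",
                 "DECLARE BOT Non-standard Port"):
        host = None
        for m in EVENT_RE.finditer(sections[name]):
            host = m["host"] or host                  # carry host across a "-----" split
            when = parse_time(day, m["when"])
            if when < start:                          # profile spans local midnight
                when += timedelta(days=1)
            # The left-hand port always belongs to the infected target, whether
            # the arrow is '<-' (inbound, MAC_Dst) or '->' (outbound, MAC_Src).
            events.append({"section": name, "host": host, "sid": int(m["sid"]),
                           "proto": m["proto"], "phase": m["phase"], "msg": m["msg"],
                           "target_port": int(m["tport"]), "remote_port": int(m["rport"]),
                           "when": when})
    lo, hi = re.search(r"tcpslice (\S+) (\S+)", sections["DECLARE BOT"]).groups()
    infectors = re.search(r"Infector List:(.*?)Egg Source List:", text).group(1)
    return {"score": float(re.search(r"Score: ([\d.]+)", text).group(1)),
            "target": re.search(rf"Infected Target: ({IP})", text).group(1),
            "infectors": re.findall(IP, infectors), "observed_start": start,
            "gen_time": parse_time(*re.search(r"Gen\. Time: (\S+) (\S+) PDT", text).groups()),
            "events": events, "tcpslice": (float(lo), float(hi))}


def parse_profiles(dump):
    """Split a dump on its SEPARATOR lines, skipping partial leading/trailing text."""
    return [parse_profile(p) for p in re.split(r"=+ SEPARATOR =+", dump)
            if "Score:" in p and "tcpslice" in p]


def cnc_servers(profile):
    return sorted({e["host"] for e in profile["events"] if e["phase"] == "E8"})


def capture_window(profile):
    """Epoch window for tcpslice: the profile's own window, widened so it covers
    Observed Start .. Gen. Time (most profiles above suggest only a 1 ms window)."""
    lo, hi = profile["tcpslice"]
    return (min(lo, profile["observed_start"].timestamp()),
            max(hi, profile["gen_time"].timestamp()))


def extraction_command(profile, infile="inputFile.tcpd", outfile="outputFile.tcpd"):
    """tcpslice | tcpdump pipeline, filtered to the target plus every host the
    profile names (infectors, scan victims, declared C&C servers)."""
    lo, hi = capture_window(profile)
    peers = sorted(set(profile["infectors"]) | {e["host"] for e in profile["events"]})
    bpf = f"host {profile['target']}"
    if peers:
        bpf += " and (" + " or ".join(f"host {p}" for p in peers) + ")"
    return f"tcpslice {lo:.3f} {hi:.3f} {infile} | tcpdump -r - -w {outfile} '{bpf}'"


# Sample input: the 04:27:03 profile from this page, trimmed to two events and
# deliberately left flattened onto long lines, as the page shows it.
SAMPLE = (
    "Score: 1.6 (>= 0.8) Infected Target: 192.168.1.100 Infector List: 156.17.10.52, 192.42.83.253 "
    "Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 07/17/2012 "
    "04:27:03.753 PDT Gen. Time: 07/17/2012 04:33:34.028 PDT INBOUND SCAN EXPLOIT 156.17.10.52 "
    "(04:30:12.043 PDT) event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with "
    "No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:BB:0C 2020<-2002 (04:30:12.043 PDT) "
    "EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN "
    "OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION "
    "DECLARE BOT Standard Port DECLARE BOT Non-standard Port 129.93.229.138 (04:30:50.389 PDT) "
    "event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard "
    "port, [] MAC_Src: 00:21:5A:08:BB:0C 33832->17914 (04:30:50.389 PDT) DECLARE BOT tcpslice "
    "1342524423.753 1342524423.754 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100' "
    "============================== SEPARATOR ================================")

if __name__ == "__main__":
    for p in parse_profiles(SAMPLE):
        print(p["score"], cnc_servers(p), extraction_command(p))
```

Two things the parser makes visible that are easy to miss in the raw text. First, in most profiles above the suggested tcpslice window is only 1 ms wide (for example 1342524423.753 to 1342524423.754, which is 04:27:03.753 PDT), so running the command as printed carves out the first packet, not the dialog; only a few profiles end their window just after the last inbound exploit event (1342527401.310 to 1342528137.146). `capture_window` therefore stretches the window to Gen. Time, and `extraction_command` compensates by restricting the BPF filter to the hosts the profile actually names. Second, the head of the page has a profile that starts at 23:59:00 on 07/16 with exploit events stamped 00:01 on the next day; the midnight check in `parse_profile` is what keeps those events ordered after Observed Start.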
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.100
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 07/17/2012 05:11:02.299 PDT
Gen. Time: 07/17/2012 05:11:02.299 PDT
INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
  128.2.211.114 (05:11:02.299 PDT)
    event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:BB:0C
    2121->2121 (05:11:02.299 PDT)
DECLARE BOT
tcpslice 1342527062.299 1342527062.300 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.100
Infector List: 192.41.135.219, 156.17.10.51, 192.42.83.251, 157.92.44.101, 165.91.55.11
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 07/17/2012 05:16:41.310 PDT
Gen. Time: 07/17/2012 05:17:08.817 PDT
INBOUND SCAN
EXPLOIT
  192.41.135.219 (05:16:44.907 PDT)
    event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:BB:0C
    2011<-2008 (05:16:44.907 PDT)
  156.17.10.51 (05:16:41.817 PDT)
    event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:BB:0C
    2011<-2021 (05:16:41.817 PDT)
  192.42.83.251 (05:17:01.162 PDT)
    event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:BB:0C
    2020<-2030 (05:17:01.162 PDT)
  157.92.44.101 (05:16:45.935 PDT)
    event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:BB:0C
    2011<-2020 (05:16:45.935 PDT)
  165.91.55.11 (05:16:41.310 PDT)
    event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:BB:0C
    2029<-2006 (05:16:41.310 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
  156.56.250.226 (05:17:08.817 PDT)
    event=1:52012087 {udp} E5[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Src: 00:21:5A:08:BB:0C
    2024->2005 (05:17:08.817 PDT)
ATTACK PREP
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT
tcpslice 1342527401.310 1342527401.311 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100'
============================== SEPARATOR ================================
Score: 1.6 (>= 0.8)
Infected Target: 192.168.1.100
Infector List: 193.136.191.25, 192.33.90.195, 165.230.49.115, 165.91.55.11, 155.98.35.8, 169.226.40.2, 156.17.10.52, 156.17.10.51, 157.92.44.101, 192.42.83.251, 192.41.135.219
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 07/17/2012 05:16:41.310 PDT
Gen. Time: 07/17/2012 05:30:25.320 PDT
INBOUND SCAN
EXPLOIT
  193.136.191.25 (2) (05:24:21.068 PDT-05:28:57.145 PDT)
    event=1:22012087 (2) {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:BB:0C
    2: 2020<-2026 (05:24:21.068 PDT-05:28:57.145 PDT)
  192.33.90.195 (05:18:39.554 PDT)
    event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:BB:0C
    2011<-2024 (05:18:39.554 PDT)
  165.230.49.115 (05:26:18.563 PDT)
    event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:BB:0C
    2013<-2026 (05:26:18.563 PDT)
  165.91.55.11 (05:16:41.310 PDT)
    event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:BB:0C
    2029<-2006 (05:16:41.310 PDT)
  155.98.35.8 (05:23:11.327 PDT)
    event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:BB:0C
    2003<-2017 (05:23:11.327 PDT)
  169.226.40.2 (05:19:14.045 PDT)
    event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:BB:0C
    2003<-2001 (05:19:14.045 PDT)
  156.17.10.52 (05:22:38.245 PDT)
    event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:BB:0C
    2007<-2004 (05:22:38.245 PDT)
  156.17.10.51 (05:16:41.817 PDT)
    event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:BB:0C
    2011<-2021 (05:16:41.817 PDT)
  157.92.44.101 (05:16:45.935 PDT)
    event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:BB:0C
    2011<-2020 (05:16:45.935 PDT)
  192.42.83.251 (05:17:01.162 PDT)
    event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:BB:0C
    2020<-2030 (05:17:01.162 PDT)
  192.41.135.219 (05:16:44.907 PDT)
    event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:BB:0C
    2011<-2008 (05:16:44.907 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
  192.16.125.12 (05:26:49.879 PDT)
    event=1:52012087 {udp} E5[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Src: 00:21:5A:08:BB:0C
    2029->2023 (05:26:49.879 PDT)
  156.56.250.226 (05:17:08.817 PDT)
    event=1:52012087 {udp} E5[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Src: 00:21:5A:08:BB:0C
    2024->2005 (05:17:08.817 PDT)
ATTACK PREP
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
  134.34.246.5 (05:18:14.327 PDT)
    event=1:9930005 {tcp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:BB:0C
    36919->49301 (05:18:14.327 PDT)
  128.2.211.114 (05:21:02.103 PDT)
    event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:BB:0C
    2121->2121 (05:21:02.103 PDT)
DECLARE BOT
tcpslice 1342527401.310 1342528137.146 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.100
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 07/17/2012 05:31:02.431 PDT
Gen. Time: 07/17/2012 05:31:02.431 PDT
INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
  128.2.211.114 (05:31:02.431 PDT)
    event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:BB:0C
    2121->2121 (05:31:02.431 PDT)
DECLARE BOT
tcpslice 1342528262.431 1342528262.432 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100'
============================== SEPARATOR ================================
Score: 1.1 (>= 0.8)
Infected Target: 192.168.1.100
Infector List: 165.91.55.10
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 07/17/2012 05:39:45.332 PDT
Gen. Time: 07/17/2012 05:41:02.279 PDT
INBOUND SCAN
EXPLOIT
  165.91.55.10 (05:39:45.332 PDT)
    event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:BB:0C
    2012<-2007 (05:39:45.332 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
  128.2.211.114 (05:41:02.279 PDT)
    event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:BB:0C
    2121->2121 (05:41:02.279 PDT)
DECLARE BOT
tcpslice 1342528785.332 1342528785.333 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100'
============================== SEPARATOR ================================
Score: 1.6 (>= 0.8)
Infected Target: 192.168.1.100
Infector List: 165.91.55.10, 193.10.64.35, 157.181.175.249
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 07/17/2012 05:39:45.332 PDT
Gen. Time: 07/17/2012 05:48:24.318 PDT
INBOUND SCAN
EXPLOIT
  165.91.55.10 (05:39:45.332 PDT)
    event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:BB:0C
    2012<-2007 (05:39:45.332 PDT)
  193.10.64.35 (05:42:36.088 PDT)
    event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:BB:0C
    2003<-2012 (05:42:36.088 PDT)
  157.181.175.249 (05:43:15.927 PDT)
    event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:BB:0C
    2029<-2019 (05:43:15.927 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
  192.114.4.3 (05:45:26.680 PDT)
    event=1:52012087 {udp} E5[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Src: 00:21:5A:08:BB:0C
    2010->2016 (05:45:26.680 PDT)
ATTACK PREP
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
  128.2.211.114 (05:41:02.279 PDT)
    event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:BB:0C
    2121->2121 (05:41:02.279 PDT)
DECLARE BOT
tcpslice 1342528785.332 1342528785.333 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.100
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 07/17/2012 05:51:02.758 PDT
Gen. Time: 07/17/2012 05:51:02.758 PDT
INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
  128.2.211.114 (05:51:02.758 PDT)
    event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:BB:0C
    2121->2121 (05:51:02.758 PDT)
DECLARE BOT
tcpslice 1342529462.758 1342529462.759 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100'
============================== SEPARATOR ================================
Score: 1.6 (>= 0.8)
Infected Target: 192.168.1.100
Infector List: 169.235.24.133, 165.242.90.129, 157.159.226.72, 169.226.40.4, 163.117.253.23, 192.33.90.69, 155.246.12.163, 160.80.221.37, 165.230.49.118, 192.42.83.253, 192.107.171.147, 192.42.83.251, 193.10.64.36
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 07/17/2012 05:51:02.758 PDT
Gen. Time: 07/17/2012 06:10:47.524 PDT
INBOUND SCAN
EXPLOIT
  169.235.24.133 (06:03:27.572 PDT)
    event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:BB:0C
    1901<-2011 (06:03:27.572 PDT)
  165.242.90.129 (05:55:09.827 PDT)
    event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:BB:0C
    2007<-2013 (05:55:09.827 PDT)
  157.159.226.72 (05:55:45.357 PDT)
    event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:BB:0C
    2019<-2027 (05:55:45.357 PDT)
  169.226.40.4 (05:56:23.460 PDT)
    event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:BB:0C
    2023<-2013 (05:56:23.460 PDT)
  163.117.253.23 (06:00:10.879 PDT)
    event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:BB:0C
    2013<-2003 (06:00:10.879 PDT)
  192.33.90.69 (05:53:14.536 PDT)
    event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:BB:0C
    2001<-2013 (05:53:14.536 PDT)
  155.246.12.163 (06:04:31.646 PDT)
    event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:BB:0C
    2010<-2026 (06:04:31.646 PDT)
  160.80.221.37 (06:07:33.037 PDT)
    event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:BB:0C
    2011<-2021 (06:07:33.037 PDT)
  165.230.49.118 (06:08:32.732 PDT)
    event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:BB:0C
    2004<-2018 (06:08:32.732 PDT)
  192.42.83.253 (2) (05:53:23.135 PDT)
    event=1:22012087 (2) {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:BB:0C
    2014<-2008 (05:53:23.135 PDT)
    2024<-2016 (05:55:06.113 PDT)
  192.107.171.147 (05:56:27.361 PDT)
    event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:BB:0C
    2016<-2009 (05:56:27.361 PDT)
  192.42.83.251 (05:52:57.975 PDT)
    event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:BB:0C
    2025<-2020 (05:52:57.975 PDT)
  193.10.64.36 (2) (05:57:08.605 PDT)
    event=1:22012087 (2) {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:BB:0C
    2028<-2010 (05:57:08.605 PDT)
    2024<-2014 (06:06:32.097 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
  192.16.125.12 (06:01:48.675 PDT)
    event=1:52012087 {udp} E5[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Src: 00:21:5A:08:BB:0C
    2010->2004 (06:01:48.675 PDT)
ATTACK PREP
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
  128.2.211.114 (2) (05:51:02.758 PDT-06:01:02.048 PDT)
    event=1:9930006 (2) {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:BB:0C
    2: 2121->2121 (05:51:02.758 PDT-06:01:02.048 PDT)
  129.93.229.138 (05:52:08.913 PDT)
    event=1:9930005 {tcp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:BB:0C
    50133->17914 (05:52:08.913 PDT)
DECLARE BOT
tcpslice 1342529462.758 1342530062.049 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.100
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 07/17/2012 06:11:16.186 PDT
Gen. Time: 07/17/2012 06:11:16.186 PDT
INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
  129.93.229.138 (06:11:16.186 PDT)
    event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:BB:0C
    33832->17914 (06:11:16.186 PDT)
DECLARE BOT
tcpslice 1342530676.186 1342530676.187 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100'
============================== SEPARATOR ================================
Score: 1.6 (>= 0.8)
Infected Target: 192.168.1.100
Infector List: 156.17.10.52, 157.92.44.101, 165.242.90.129, 165.91.55.11, 190.227.163.142
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 07/17/2012 06:11:16.186 PDT
Gen. Time: 07/17/2012 06:23:38.482 PDT
INBOUND SCAN
EXPLOIT
  156.17.10.52 (06:14:08.505 PDT)
    event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:BB:0C
    2012<-2004 (06:14:08.505 PDT)
  157.92.44.101 (2) (06:18:15.966 PDT-06:18:17.154 PDT)
    event=1:22012087 (2) {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:BB:0C
    2: 2012<-2029 (06:18:15.966 PDT-06:18:17.154 PDT)
  165.242.90.129 (06:16:42.366 PDT)
    event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:BB:0C
    2006<-2002 (06:16:42.366 PDT)
  165.91.55.11 (06:13:09.437 PDT)
    event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:BB:0C
    2002<-2001 (06:13:09.437 PDT)
  190.227.163.142 (06:18:23.254 PDT)
    event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:BB:0C
    2012<-2019 (06:18:23.254 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
  193.10.64.35 (06:19:52.562 PDT)
    event=1:52012087 {udp} E5[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Src: 00:21:5A:08:BB:0C
    2027->2018 (06:19:52.562 PDT)
  157.159.226.74 (06:18:02.626 PDT)
    event=1:52012087 {udp} E5[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Src: 00:21:5A:08:BB:0C
    2002->2012 (06:18:02.626 PDT)
ATTACK PREP
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
  129.93.229.138 (2) (06:11:16.186 PDT)
    event=1:9930005 {tcp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:BB:0C
    39421->17914 (06:16:53.980 PDT)
    -------------------------
    event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:BB:0C
    33832->17914 (06:11:16.186 PDT)
  130.104.72.201 (06:21:24.292 PDT)
    event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:BB:0C
    4121->4121 (06:21:24.292 PDT)
DECLARE BOT
tcpslice 1342530676.186 1342531097.155 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100'
============================== SEPARATOR ================================
Score: 0.9 (>= 0.8)
Infected Target: 192.168.1.100
Infector List: 160.193.163.106, 192.41.135.219, 156.17.10.51
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 07/17/2012 06:28:37.551 PDT
Gen. Time: 07/17/2012 06:30:22.071 PDT
INBOUND SCAN
EXPLOIT
  160.193.163.106 (06:28:37.551 PDT)
    event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:BB:0C
    2002<-2027 (06:28:37.551 PDT)
  192.41.135.219 (06:29:39.355 PDT)
    event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:BB:0C
    2013<-2002 (06:29:39.355 PDT)
  156.17.10.51 (06:28:41.088 PDT)
    event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:BB:0C
    2013<-2012 (06:28:41.088 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
DECLARE BOT Standard Port
  199.255.189.160 (06:30:22.071 PDT)
    event=1:9920005 {tcp} E8[std] BotHunter REPO confirmed botnet control server on standard port, [] MAC_Src: 00:21:5A:08:BB:0C
    52794->80 (06:30:22.071 PDT)
DECLARE BOT Non-standard Port
DECLARE BOT
tcpslice 1342531717.551 1342531717.552 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100'
============================== SEPARATOR ================================
Score: 1.1 (>= 0.8)
Infected Target: 192.168.1.100
Infector List: 190.227.163.141, 165.91.55.10, 160.193.163.106, 192.41.135.219, 156.17.10.51
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 07/17/2012 06:28:37.551 PDT
Gen. Time: 07/17/2012 06:37:11.930 PDT
INBOUND SCAN
EXPLOIT
  190.227.163.141 (06:32:55.363 PDT)
    event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:BB:0C
    2027<-2009 (06:32:55.363 PDT)
  165.91.55.10 (06:31:06.974 PDT)
    event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:BB:0C
    2002<-2007 (06:31:06.974 PDT)
  160.193.163.106 (06:28:37.551 PDT)
    event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:BB:0C
    2002<-2027 (06:28:37.551 PDT)
  192.41.135.219 (06:29:39.355 PDT)
    event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:BB:0C
    2013<-2002 (06:29:39.355 PDT)
  156.17.10.51 (06:28:41.088 PDT)
    event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:BB:0C
    2013<-2012 (06:28:41.088 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
  129.93.229.138 (2) (06:31:27.657 PDT)
    event=1:9930005 {tcp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:BB:0C
    48257->17914 (06:34:20.350 PDT)
    -------------------------
    event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:BB:0C
    33832->17914 (06:31:27.657 PDT)
DECLARE BOT
tcpslice 1342531717.551 1342531717.552 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100'
============================== SEPARATOR ================================
Score: 1.1 (>= 0.8)
Infected Target: 192.168.1.100
Infector List: 165.230.49.119, 192.33.90.66
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 07/17/2012 06:37:32.171 PDT
Gen. Time: 07/17/2012 06:41:27.618 PDT
INBOUND SCAN
EXPLOIT
  165.230.49.119 (06:39:35.377 PDT)
    event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:BB:0C
    2018<-2017 (06:39:35.377 PDT)
  192.33.90.66 (06:37:32.171 PDT)
    event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:BB:0C
    2015<-2025 (06:37:32.171 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
  128.2.211.114 (06:41:27.618 PDT)
    event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:BB:0C
    2119->2119 (06:41:27.618 PDT)
DECLARE BOT
tcpslice 1342532252.171 1342532252.172 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100'
============================== SEPARATOR ================================
Score: 1.1 (>= 0.8)
Infected Target: 192.168.1.100
Infector List: 165.230.49.119, 192.33.90.66, 169.235.24.232, 165.230.49.118, 192.33.90.68
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 07/17/2012 06:37:32.171 PDT
Gen. Time: 07/17/2012 06:47:56.455 PDT
INBOUND SCAN
EXPLOIT
  165.230.49.119 (06:39:35.377 PDT)
    event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:BB:0C
    2018<-2017 (06:39:35.377 PDT)
  192.33.90.66 (06:37:32.171 PDT)
    event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:BB:0C
    2015<-2025 (06:37:32.171 PDT)
  169.235.24.232 (06:44:09.806 PDT)
    event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:BB:0C
    2020<-2015 (06:44:09.806 PDT)
  165.230.49.118 (06:44:08.629 PDT)
    event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:BB:0C
    2016<-2018 (06:44:08.629 PDT)
  192.33.90.68 (06:43:04.219 PDT)
    event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:BB:0C
    2009<-2015 (06:43:04.219 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
  128.2.211.114 (06:41:27.618 PDT)
    event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:BB:0C
    2119->2119 (06:41:27.618 PDT)
DECLARE BOT
tcpslice 1342532252.171 1342532252.172 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.100
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 07/17/2012 06:49:23.020 PDT
Gen. Time: 07/17/2012 06:49:23.020 PDT
INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
  129.93.229.138 (06:49:23.020 PDT)
    event=1:9930005 {tcp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:BB:0C
    36232->17914 (06:49:23.020 PDT)
DECLARE BOT
tcpslice 1342532963.020 1342532963.021 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100'
============================== SEPARATOR ================================
Score: 1.1 (>= 0.8)
Infected Target: 192.168.1.100
Infector List: 163.117.253.23, 155.246.12.163
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 07/17/2012 06:49:23.020 PDT
Gen. Time: 07/17/2012 06:55:21.589 PDT
INBOUND SCAN
EXPLOIT
  163.117.253.23 (06:50:41.446 PDT)
    event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:BB:0C
    2014<-2028 (06:50:41.446 PDT)
  155.246.12.163 (06:51:33.618 PDT)
    event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:BB:0C
    2018<-2020 (06:51:33.618 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
  128.2.211.114 (06:51:28.336 PDT)
    event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:BB:0C
    2119->2119 (06:51:28.336 PDT)
  129.93.229.138 (06:49:23.020 PDT)
    event=1:9930005 {tcp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:BB:0C
    36232->17914 (06:49:23.020 PDT)
DECLARE BOT
tcpslice 1342532963.020 1342532963.021 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.100
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 07/17/2012 07:01:38.876 PDT
Gen. Time: 07/17/2012 07:01:38.876 PDT
INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
  129.93.229.138 (07:01:38.876 PDT)
    event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:BB:0C
    33832->17914 (07:01:38.876 PDT)
DECLARE BOT
tcpslice 1342533698.876 1342533698.877 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100'
============================== SEPARATOR ================================
Score: 1.1 (>= 0.8)
Infected Target: 192.168.1.100
Infector List: 160.80.221.39
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 07/17/2012 07:05:29.037 PDT
Gen.
Time: 07/17/2012 07:05:45.728 PDT INBOUND SCAN EXPLOIT 160.80.221.39 (07:05:29.037 PDT) event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:BB:0C 2006<-2018 (07:05:29.037 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 129.93.229.138 (07:05:45.728 PDT) event=1:9930005 {tcp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:BB:0C 36777->17914 (07:05:45.728 PDT) DECLARE BOT tcpslice 1342533929.037 1342533929.038 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100' ============================== SEPARATOR ================================ Score: 1.1 (>= 0.8) Infected Target: 192.168.1.100 Infector List: 160.80.221.39, 170.140.119.69 Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 07/17/2012 07:05:29.037 PDT Gen. 
Time: 07/17/2012 07:10:20.338 PDT INBOUND SCAN EXPLOIT 160.80.221.39 (07:05:29.037 PDT) event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:BB:0C 2006<-2018 (07:05:29.037 PDT) 170.140.119.69 (07:06:08.596 PDT) event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:BB:0C 2029<-2008 (07:06:08.596 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 129.93.229.138 (07:05:45.728 PDT) event=1:9930005 {tcp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:BB:0C 36777->17914 (07:05:45.728 PDT) DECLARE BOT tcpslice 1342533929.037 1342533929.038 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.100 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 07/17/2012 07:11:45.653 PDT Gen. 
Time: 07/17/2012 07:11:45.653 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 129.93.229.138 (07:11:45.653 PDT) event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:BB:0C 33832->17914 (07:11:45.653 PDT) DECLARE BOT tcpslice 1342534305.653 1342534305.654 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100' ============================== SEPARATOR ================================ Score: 1.1 (>= 0.8) Infected Target: 192.168.1.100 Infector List: 155.98.35.7, 163.117.253.22 Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 07/17/2012 07:11:45.653 PDT Gen. Time: 07/17/2012 07:21:53.146 PDT INBOUND SCAN EXPLOIT 155.98.35.7 (07:15:25.599 PDT) event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:BB:0C 2019<-2013 (07:15:25.599 PDT) 163.117.253.22 (07:18:20.086 PDT) event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:BB:0C 2023<-2023 (07:18:20.086 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 128.2.211.114 (07:21:45.804 PDT) event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:BB:0C 2119->2119 (07:21:45.804 PDT) 129.93.229.138 (2) (07:11:45.653 PDT) event=1:9930005 {tcp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:BB:0C 47898->17914 (07:20:15.788 PDT) ------------------------- event=1:9930006 
{udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:BB:0C 33832->17914 (07:11:45.653 PDT) DECLARE BOT tcpslice 1342534305.653 1342534305.654 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.100 Infector List: 160.193.163.106, 165.230.49.115, 192.33.90.69 Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 07/17/2012 07:21:53.216 PDT Gen. Time: 07/17/2012 07:25:12.694 PDT INBOUND SCAN EXPLOIT 160.193.163.106 (07:21:53.216 PDT) event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:BB:0C 2008<-2021 (07:21:53.216 PDT) 165.230.49.115 (07:22:18.587 PDT) event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:BB:0C 2023<-2026 (07:22:18.587 PDT) 192.33.90.69 (07:22:51.134 PDT) event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:BB:0C 2024<-2022 (07:22:51.134 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN 192.114.4.3 (07:25:12.694 PDT) event=1:52012087 {udp} E5[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Src: 00:21:5A:08:BB:0C 2024->2002 (07:25:12.694 PDT) ATTACK PREP PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT tcpslice 1342534913.216 1342534913.217 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100' ============================== SEPARATOR ================================ Score: 1.4 (>= 0.8) Infected Target: 192.168.1.100 Infector List: 160.193.163.106, 165.230.49.115, 192.33.90.69 Egg Source List: C & C List: Peer Coord. 
List: Resource List: Observed Start: 07/17/2012 07:21:53.216 PDT Gen. Time: 07/17/2012 07:26:41.072 PDT INBOUND SCAN EXPLOIT 160.193.163.106 (07:21:53.216 PDT) event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:BB:0C 2008<-2021 (07:21:53.216 PDT) 165.230.49.115 (07:22:18.587 PDT) event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:BB:0C 2023<-2026 (07:22:18.587 PDT) 192.33.90.69 (07:22:51.134 PDT) event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:BB:0C 2024<-2022 (07:22:51.134 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN 192.114.4.3 (2) (07:25:12.694 PDT-07:25:14.116 PDT) event=1:52012087 (2) {udp} E5[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Src: 00:21:5A:08:BB:0C 2: 2024->2002 (07:25:12.694 PDT-07:25:14.116 PDT) ATTACK PREP PEER COORDINATION DECLARE BOT Standard Port 199.255.189.60 (07:26:41.072 PDT) event=1:9920005 {tcp} E8[std] BotHunter REPO confirmed botnet control server on standard port, [] MAC_Src: 00:21:5A:08:BB:0C 35445->80 (07:26:41.072 PDT) DECLARE BOT Non-standard Port DECLARE BOT tcpslice 1342534913.216 1342535114.117 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.100 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 07/17/2012 07:31:49.055 PDT Gen. 
Time: 07/17/2012 07:31:49.055 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 128.2.211.114 (07:31:49.055 PDT) event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:BB:0C 2119->2119 (07:31:49.055 PDT) DECLARE BOT tcpslice 1342535509.055 1342535509.056 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.100 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 07/17/2012 07:31:49.055 PDT Gen. Time: 07/17/2012 07:36:37.659 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 128.2.211.114 (07:31:49.055 PDT) event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:BB:0C 2119->2119 (07:31:49.055 PDT) 129.93.229.138 (07:35:17.920 PDT) event=1:9930005 {tcp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:BB:0C 34798->17914 (07:35:17.920 PDT) DECLARE BOT tcpslice 1342535509.055 1342535509.056 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.100 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 07/17/2012 07:41:49.201 PDT Gen. 
Time: 07/17/2012 07:41:49.201 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 128.2.211.114 (07:41:49.201 PDT) event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:BB:0C 2119->2119 (07:41:49.201 PDT) DECLARE BOT tcpslice 1342536109.201 1342536109.202 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100' ============================== SEPARATOR ================================ Score: 1.1 (>= 0.8) Infected Target: 192.168.1.100 Infector List: 155.246.12.163 Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 07/17/2012 07:41:49.201 PDT Gen. Time: 07/17/2012 07:45:42.499 PDT INBOUND SCAN EXPLOIT 155.246.12.163 (07:42:27.294 PDT) event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:BB:0C 2004<-2007 (07:42:27.294 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 128.2.211.114 (07:41:49.201 PDT) event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:BB:0C 2119->2119 (07:41:49.201 PDT) DECLARE BOT tcpslice 1342536109.201 1342536109.202 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.100 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 07/17/2012 07:51:56.606 PDT Gen. 
Time: 07/17/2012 07:51:56.606 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 128.2.211.114 (07:51:56.606 PDT) event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:BB:0C 2119->2119 (07:51:56.606 PDT) DECLARE BOT tcpslice 1342536716.606 1342536716.607 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100' ============================== SEPARATOR ================================ Score: 1.1 (>= 0.8) Infected Target: 192.168.1.100 Infector List: 161.106.240.19, 156.56.250.227, 165.91.55.10, 192.16.125.11, 192.197.121.3 Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 07/17/2012 07:51:56.606 PDT Gen. Time: 07/17/2012 08:04:37.300 PDT INBOUND SCAN EXPLOIT 161.106.240.19 (07:57:22.386 PDT) event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:BB:0C 2006<-2004 (07:57:22.386 PDT) 156.56.250.227 (07:54:53.308 PDT) event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:BB:0C 2018<-2024 (07:54:53.308 PDT) 165.91.55.10 (07:53:30.865 PDT) event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:BB:0C 2005<-2009 (07:53:30.865 PDT) 192.16.125.11 (07:57:39.573 PDT) event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:BB:0C 2008<-2011 (07:57:39.573 PDT) 192.197.121.3 (08:01:04.654 PDT) event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:BB:0C 2008<-2021 (08:01:04.654 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C 
and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 132.239.17.226 (08:01:56.968 PDT) event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:BB:0C 2121->2121 (08:01:56.968 PDT) 128.2.211.114 (07:51:56.606 PDT) event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:BB:0C 2119->2119 (07:51:56.606 PDT) 129.93.229.138 (07:52:07.342 PDT) event=1:9930005 {tcp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:BB:0C 56599->17914 (07:52:07.342 PDT) DECLARE BOT tcpslice 1342536716.606 1342536716.607 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100' ============================== SEPARATOR ================================ Score: 1.1 (>= 0.8) Infected Target: 192.168.1.100 Infector List: 162.105.205.21 Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 07/17/2012 08:07:49.504 PDT Gen. 
Time: 07/17/2012 08:07:56.854 PDT INBOUND SCAN EXPLOIT 162.105.205.21 (08:07:49.504 PDT) event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:BB:0C 2005<-2017 (08:07:49.504 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 129.93.229.138 (08:07:56.854 PDT) event=1:9930005 {tcp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:BB:0C 58038->17914 (08:07:56.854 PDT) DECLARE BOT tcpslice 1342537669.504 1342537669.505 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.100 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 07/17/2012 08:11:56.200 PDT Gen. Time: 07/17/2012 08:11:56.200 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 132.239.17.226 (08:11:56.200 PDT) event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:BB:0C 2121->2121 (08:11:56.200 PDT) DECLARE BOT tcpslice 1342537916.200 1342537916.201 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100' ============================== SEPARATOR ================================ Score: 1.6 (>= 0.8) Infected Target: 192.168.1.100 Infector List: 192.42.83.253, 192.33.90.67, 192.107.171.147, 192.42.83.251, 192.33.90.68 Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 07/17/2012 08:11:56.200 PDT Gen. 
Time: 07/17/2012 08:24:21.140 PDT INBOUND SCAN EXPLOIT 192.42.83.253 (08:18:31.390 PDT) event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:BB:0C 2021<-2025 (08:18:31.390 PDT) 192.33.90.67 (08:15:43.763 PDT) event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:BB:0C 2022<-2029 (08:15:43.763 PDT) 192.107.171.147 (08:16:04.557 PDT) event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:BB:0C 2018<-2003 (08:16:04.557 PDT) 192.42.83.251 (08:15:44.430 PDT) event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:BB:0C 2022<-2007 (08:15:44.430 PDT) 192.33.90.68 (08:20:56.855 PDT) event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:BB:0C 2018<-2004 (08:20:56.855 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN 192.41.135.219 (08:15:58.033 PDT) event=1:52012087 {udp} E5[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Src: 00:21:5A:08:BB:0C 2028->2028 (08:15:58.033 PDT) ATTACK PREP PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 132.239.17.226 (2) (08:11:56.200 PDT-08:21:56.311 PDT) event=1:9930006 (2) {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:BB:0C 2: 2121->2121 (08:11:56.200 PDT-08:21:56.311 PDT) DECLARE BOT tcpslice 1342537916.200 1342538516.312 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.100 Infector List: Egg Source List: C & C List: Peer Coord. 
List: Resource List: Observed Start: 07/17/2012 08:25:20.901 PDT Gen. Time: 07/17/2012 08:25:20.901 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 129.93.229.138 (08:25:20.901 PDT) event=1:9930005 {tcp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:BB:0C 52227->17914 (08:25:20.901 PDT) DECLARE BOT tcpslice 1342538720.901 1342538720.902 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100' ============================== SEPARATOR ================================ Score: 1.1 (>= 0.8) Infected Target: 192.168.1.100 Infector List: 155.98.35.8, 190.227.163.141, 165.91.55.10, 156.56.250.226, 161.106.240.18 Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 07/17/2012 08:25:20.901 PDT Gen. 
Time: 07/17/2012 08:40:30.992 PDT INBOUND SCAN EXPLOIT 155.98.35.8 (08:32:56.070 PDT) event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:BB:0C 2019<-2021 (08:32:56.070 PDT) 190.227.163.141 (08:31:16.315 PDT) event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:BB:0C 2013<-2014 (08:31:16.315 PDT) 165.91.55.10 (08:28:00.569 PDT) event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:BB:0C 2012<-2008 (08:28:00.569 PDT) 156.56.250.226 (08:36:04.463 PDT) event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:BB:0C 2024<-2026 (08:36:04.463 PDT) 161.106.240.18 (08:34:46.983 PDT) event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:BB:0C 2019<-2028 (08:34:46.983 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 132.239.17.226 (08:31:56.785 PDT) event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:BB:0C 2121->2121 (08:31:56.785 PDT) 129.93.229.138 (2) (08:25:20.901 PDT) event=1:9930005 (2) {tcp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:BB:0C 52227->17914 (08:25:20.901 PDT) 38837->17914 (08:40:30.992 PDT) DECLARE BOT tcpslice 1342538720.901 1342538720.902 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.100 Infector List: Egg Source List: C & C List: Peer Coord. 
List: Resource List: Observed Start: 07/17/2012 08:41:56.930 PDT Gen. Time: 07/17/2012 08:41:56.930 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 132.239.17.226 (08:41:56.930 PDT) event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:BB:0C 2121->2121 (08:41:56.930 PDT) DECLARE BOT tcpslice 1342539716.930 1342539716.931 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100' ============================== SEPARATOR ================================ Score: 1.1 (>= 0.8) Infected Target: 192.168.1.100 Infector List: 157.92.44.102, 157.159.226.74 Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 07/17/2012 08:41:56.930 PDT Gen. Time: 07/17/2012 08:47:52.249 PDT INBOUND SCAN EXPLOIT 157.92.44.102 (08:44:46.370 PDT) event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:BB:0C 2001<-2004 (08:44:46.370 PDT) 157.159.226.74 (08:41:59.798 PDT) event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:BB:0C 2003<-2008 (08:41:59.798 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 132.239.17.226 (08:41:56.930 PDT) event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:BB:0C 2121->2121 (08:41:56.930 PDT) DECLARE BOT tcpslice 1342539716.930 1342539716.931 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100' ============================== SEPARATOR 
================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.100 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 07/17/2012 08:51:56.566 PDT Gen. Time: 07/17/2012 08:51:56.566 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 132.239.17.226 (08:51:56.566 PDT) event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:BB:0C 2121->2121 (08:51:56.566 PDT) DECLARE BOT tcpslice 1342540316.566 1342540316.567 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100' ============================== SEPARATOR ================================ Score: 1.1 (>= 0.8) Infected Target: 192.168.1.100 Infector List: 193.136.191.25 Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 07/17/2012 08:51:56.566 PDT Gen. 
Time: 07/17/2012 08:56:30.463 PDT INBOUND SCAN EXPLOIT 193.136.191.25 (08:53:39.632 PDT) event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:BB:0C 2029<-2011 (08:53:39.632 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 132.239.17.226 (08:51:56.566 PDT) event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:BB:0C 2121->2121 (08:51:56.566 PDT) DECLARE BOT tcpslice 1342540316.566 1342540316.567 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.100 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 07/17/2012 08:57:27.900 PDT Gen. Time: 07/17/2012 08:57:27.900 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 129.93.229.138 (08:57:27.900 PDT) event=1:9930005 {tcp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:BB:0C 34727->17914 (08:57:27.900 PDT) DECLARE BOT tcpslice 1342540647.900 1342540647.901 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100' ============================== SEPARATOR ================================ Score: 1.6 (>= 0.8) Infected Target: 192.168.1.100 Infector List: 160.80.221.39, 156.17.10.51, 193.10.64.35, 192.42.43.23 Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 07/17/2012 08:57:27.900 PDT Gen. 
Time: 07/17/2012 09:06:13.957 PDT INBOUND SCAN EXPLOIT 160.80.221.39 (09:04:16.203 PDT) event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:BB:0C 2017<-2015 (09:04:16.203 PDT) 156.17.10.51 (09:03:06.485 PDT) event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:BB:0C 2028<-2027 (09:03:06.485 PDT) 193.10.64.35 (09:00:58.501 PDT) event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:BB:0C 2019<-2005 (09:00:58.501 PDT) 192.42.43.23 (09:00:47.864 PDT) event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:BB:0C 2009<-2007 (09:00:47.864 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN 192.16.125.12 (08:59:35.442 PDT) event=1:52012087 {udp} E5[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Src: 00:21:5A:08:BB:0C 2011->2015 (08:59:35.442 PDT) ATTACK PREP PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 132.239.17.226 (09:01:56.135 PDT) event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:BB:0C 2121->2121 (09:01:56.135 PDT) 129.93.229.138 (08:57:27.900 PDT) event=1:9930005 {tcp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:BB:0C 34727->17914 (08:57:27.900 PDT) DECLARE BOT tcpslice 1342540647.900 1342540647.901 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.100 Infector List: Egg Source List: C & C List: Peer Coord. 
List: Resource List: Observed Start: 07/17/2012 09:11:56.559 PDT Gen. Time: 07/17/2012 09:11:56.559 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 128.2.211.114 (09:11:56.559 PDT) event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:BB:0C 2121->2121 (09:11:56.559 PDT) DECLARE BOT tcpslice 1342541516.559 1342541516.560 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100' ============================== SEPARATOR ================================ Score: 1.6 (>= 0.8) Infected Target: 192.168.1.100 Infector List: 192.107.171.147, 160.80.221.37, 192.42.43.22 Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 07/17/2012 09:11:56.559 PDT Gen. Time: 07/17/2012 09:21:56.657 PDT INBOUND SCAN EXPLOIT 192.107.171.147 (09:16:18.348 PDT) event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:BB:0C 2003<-2005 (09:16:18.348 PDT) 160.80.221.37 (09:18:40.645 PDT) event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:BB:0C 2006<-2014 (09:18:40.645 PDT) 192.42.43.22 (09:13:04.801 PDT) event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:BB:0C 2012<-2021 (09:13:04.801 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN 192.138.213.236 (09:16:16.164 PDT) event=1:52012087 {udp} E5[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Src: 00:21:5A:08:BB:0C 2012->2007 (09:16:16.164 PDT) ATTACK PREP PEER COORDINATION DECLARE BOT Standard 
Port DECLARE BOT Non-standard Port 128.2.211.114 (2) (09:11:56.559 PDT-09:21:56.657 PDT) event=1:9930006 (2) {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:BB:0C 2: 2121->2121 (09:11:56.559 PDT-09:21:56.657 PDT) 129.93.229.138 (09:14:05.951 PDT) event=1:9930005 {tcp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:BB:0C 32862->17914 (09:14:05.951 PDT) DECLARE BOT tcpslice 1342541516.559 1342542116.658 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.100 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 07/17/2012 09:27:34.512 PDT Gen. Time: 07/17/2012 09:27:34.512 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 129.93.229.138 (09:27:34.512 PDT) event=1:9930005 {tcp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:BB:0C 46293->49301 (09:27:34.512 PDT) DECLARE BOT tcpslice 1342542454.512 1342542454.513 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100' ============================== SEPARATOR ================================ Score: 1.6 (>= 0.8) Infected Target: 192.168.1.100 Infector List: 156.56.250.227, 170.140.119.70, 163.117.253.23, 192.138.213.238, 157.159.226.72, 160.80.221.37, 165.230.49.114 Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 07/17/2012 09:27:34.512 PDT Gen. 
Time: 07/17/2012 09:47:45.757 PDT INBOUND SCAN EXPLOIT 156.56.250.227 (09:36:39.339 PDT) event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:BB:0C 2028<-2021 (09:36:39.339 PDT) 170.140.119.70 (09:33:29.376 PDT) event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:BB:0C 2013<-2014 (09:33:29.376 PDT) 163.117.253.23 (09:43:44.752 PDT) event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:BB:0C 2017<-2027 (09:43:44.752 PDT) 192.138.213.238 (09:32:43.366 PDT) event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:BB:0C 2020<-2025 (09:32:43.366 PDT) 157.159.226.72 (09:28:41.579 PDT) event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:BB:0C 2019<-2007 (09:28:41.579 PDT) 160.80.221.37 (09:38:32.984 PDT) event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:BB:0C 2014<-2006 (09:38:32.984 PDT) 165.230.49.114 (09:30:45.224 PDT) event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:BB:0C 2008<-2008 (09:30:45.224 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN 161.106.240.19 (09:44:42.149 PDT) event=1:52012087 {udp} E5[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Src: 00:21:5A:08:BB:0C 2004->2004 (09:44:42.149 PDT) 160.80.221.39 (09:40:44.735 PDT) event=1:52012087 {udp} E5[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Src: 00:21:5A:08:BB:0C 2007->2006 (09:40:44.735 PDT) 165.230.49.115 (09:33:34.877 PDT) event=1:52012087 {udp} 
E5[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Src: 00:21:5A:08:BB:0C 2018->2019 (09:33:34.877 PDT) ATTACK PREP PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 128.2.211.114 (2) (09:31:56.540 PDT-09:41:56.903 PDT) event=1:9930006 (2) {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:BB:0C 2: 2121->2121 (09:31:56.540 PDT-09:41:56.903 PDT) 129.93.229.138 (2) (09:27:34.512 PDT) event=1:9930005 (2) {tcp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:BB:0C 46293->49301 (09:27:34.512 PDT) 44411->17914 (09:44:36.516 PDT) DECLARE BOT tcpslice 1342542454.512 1342543316.904 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100' ============================== SEPARATOR ================================ Score: 1.3 (>= 0.8) Infected Target: 192.168.1.100 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 07/17/2012 09:49:54.813 PDT Gen. 
Time: 07/17/2012 09:51:56.284 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN 162.105.205.21 (09:49:54.813 PDT) event=1:52012087 {udp} E5[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Src: 00:21:5A:08:BB:0C 2004->2016 (09:49:54.813 PDT) ATTACK PREP PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 128.2.211.114 (09:51:56.284 PDT) event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:BB:0C 2121->2121 (09:51:56.284 PDT) DECLARE BOT tcpslice 1342543794.813 1342543794.814 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100' ============================== SEPARATOR ================================ Score: 1.6 (>= 0.8) Infected Target: 192.168.1.100 Infector List: 192.33.90.195, 156.56.250.226 Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 07/17/2012 09:49:54.813 PDT Gen. 
Time: 07/17/2012 09:58:41.454 PDT INBOUND SCAN EXPLOIT 192.33.90.195 (09:54:23.486 PDT) event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:BB:0C 2003<-2024 (09:54:23.486 PDT) 156.56.250.226 (09:53:05.098 PDT) event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:BB:0C 2005<-2025 (09:53:05.098 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN 165.242.90.129 (09:54:32.923 PDT) event=1:52012087 {udp} E5[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Src: 00:21:5A:08:BB:0C 2010->2005 (09:54:32.923 PDT) 162.105.205.21 (09:49:54.813 PDT) event=1:52012087 {udp} E5[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Src: 00:21:5A:08:BB:0C 2004->2016 (09:49:54.813 PDT) ATTACK PREP PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 128.2.211.114 (09:51:56.284 PDT) event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:BB:0C 2121->2121 (09:51:56.284 PDT) DECLARE BOT tcpslice 1342543794.813 1342543794.814 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.100 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 07/17/2012 10:00:54.446 PDT Gen. 
Time: 07/17/2012 10:00:54.446 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 129.93.229.138 (10:00:54.446 PDT) event=1:9930005 {tcp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:BB:0C 59822->17914 (10:00:54.446 PDT) DECLARE BOT tcpslice 1342544454.446 1342544454.447 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.100 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 07/17/2012 10:00:54.446 PDT Gen. Time: 07/17/2012 10:05:28.264 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 128.2.211.114 (10:01:56.369 PDT) event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:BB:0C 2121->2121 (10:01:56.369 PDT) 129.93.229.138 (10:00:54.446 PDT) event=1:9930005 {tcp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:BB:0C 59822->17914 (10:00:54.446 PDT) DECLARE BOT tcpslice 1342544454.446 1342544454.447 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100' ============================== SEPARATOR ================================ Score: 1.1 (>= 0.8) Infected Target: 192.168.1.100 Infector List: 158.130.6.253, 165.91.55.10, 192.33.90.69 Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 07/17/2012 10:06:47.572 PDT Gen. 
Time: 07/17/2012 10:11:40.224 PDT INBOUND SCAN EXPLOIT 158.130.6.253 (10:06:47.572 PDT) event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:BB:0C 2022<-2003 (10:06:47.572 PDT) 165.91.55.10 (10:07:41.097 PDT) event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:BB:0C 2016<-2023 (10:07:41.097 PDT) 192.33.90.69 (10:09:32.373 PDT) event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:BB:0C 2015<-2004 (10:09:32.373 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 134.34.246.5 (10:11:40.224 PDT) event=1:9930005 {tcp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:BB:0C 45266->49301 (10:11:40.224 PDT) DECLARE BOT tcpslice 1342544807.572 1342544807.573 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100' ============================== SEPARATOR ================================ Score: 1.1 (>= 0.8) Infected Target: 192.168.1.100 Infector List: 158.130.6.253, 165.91.55.10, 192.33.90.69 Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 07/17/2012 10:06:47.572 PDT Gen. 
Time: 07/17/2012 10:12:48.261 PDT INBOUND SCAN EXPLOIT 158.130.6.253 (10:06:47.572 PDT) event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:BB:0C 2022<-2003 (10:06:47.572 PDT) 165.91.55.10 (10:07:41.097 PDT) event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:BB:0C 2016<-2023 (10:07:41.097 PDT) 192.33.90.69 (10:09:32.373 PDT) event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:BB:0C 2015<-2004 (10:09:32.373 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 134.34.246.5 (10:11:40.224 PDT) event=1:9930005 {tcp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:BB:0C 45266->49301 (10:11:40.224 PDT) 128.2.211.114 (10:11:56.204 PDT) event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:BB:0C 2121->2121 (10:11:56.204 PDT) DECLARE BOT tcpslice 1342544807.572 1342544807.573 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100' ============================== SEPARATOR ================================ Score: 1.1 (>= 0.8) Infected Target: 192.168.1.100 Infector List: 170.140.119.69 Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 07/17/2012 10:21:38.428 PDT Gen. 
Time: 07/17/2012 10:21:57.270 PDT INBOUND SCAN EXPLOIT 170.140.119.69 (10:21:38.428 PDT) event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:BB:0C 2019<-2005 (10:21:38.428 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 129.93.229.138 (10:21:57.270 PDT) event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:BB:0C 33832->17914 (10:21:57.270 PDT) DECLARE BOT tcpslice 1342545698.428 1342545698.429 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100' ============================== SEPARATOR ================================ Score: 1.1 (>= 0.8) Infected Target: 192.168.1.100 Infector List: 192.42.83.253, 170.140.119.70, 193.10.64.36, 163.117.253.22, 165.242.90.129 Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 07/17/2012 10:25:41.860 PDT Gen. 
Time: 07/17/2012 10:31:57.355 PDT INBOUND SCAN EXPLOIT 192.42.83.253 (10:27:33.342 PDT) event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:BB:0C 2007<-2013 (10:27:33.342 PDT) 170.140.119.70 (10:26:19.299 PDT) event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:BB:0C 2002<-2015 (10:26:19.299 PDT) 193.10.64.36 (10:27:46.530 PDT) event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:BB:0C 2006<-2014 (10:27:46.530 PDT) 163.117.253.22 (10:25:41.860 PDT) event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:BB:0C 2018<-2002 (10:25:41.860 PDT) 165.242.90.129 (10:29:44.610 PDT) event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:BB:0C 2026<-2022 (10:29:44.610 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 128.2.211.114 (10:31:57.355 PDT) event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:BB:0C 2121->2121 (10:31:57.355 PDT) DECLARE BOT tcpslice 1342545941.860 1342545941.861 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100' ============================== SEPARATOR ================================ Score: 1.6 (>= 0.8) Infected Target: 192.168.1.100 Infector List: 192.42.83.253, 170.140.119.70, 193.10.64.36, 163.117.253.22, 165.242.90.129 Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 07/17/2012 10:25:41.860 PDT Gen. 
Time: 07/17/2012 10:35:58.451 PDT INBOUND SCAN EXPLOIT 192.42.83.253 (10:27:33.342 PDT) event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:BB:0C 2007<-2013 (10:27:33.342 PDT) 170.140.119.70 (10:26:19.299 PDT) event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:BB:0C 2002<-2015 (10:26:19.299 PDT) 193.10.64.36 (10:27:46.530 PDT) event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:BB:0C 2006<-2014 (10:27:46.530 PDT) 163.117.253.22 (10:25:41.860 PDT) event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:BB:0C 2018<-2002 (10:25:41.860 PDT) 165.242.90.129 (10:29:44.610 PDT) event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:BB:0C 2026<-2022 (10:29:44.610 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN 192.107.171.145 (10:33:01.335 PDT) event=1:52012087 {udp} E5[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Src: 00:21:5A:08:BB:0C 2015->2010 (10:33:01.335 PDT) 192.6.26.33 (10:32:50.947 PDT) event=1:52012087 {udp} E5[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Src: 00:21:5A:08:BB:0C 2021->2006 (10:32:50.947 PDT) ATTACK PREP PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 128.2.211.114 (10:31:57.355 PDT) event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:BB:0C 2121->2121 (10:31:57.355 PDT) 129.93.229.138 (10:35:02.183 PDT) event=1:9930005 {tcp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:BB:0C 
57151->17914 (10:35:02.183 PDT) DECLARE BOT tcpslice 1342545941.860 1342545941.861 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.100 Infector List: 157.159.226.74 Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 07/17/2012 10:40:48.144 PDT Gen. Time: 07/17/2012 10:41:19.854 PDT INBOUND SCAN EXPLOIT 157.159.226.74 (10:40:48.144 PDT) event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:BB:0C 2025<-2009 (10:40:48.144 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN 192.6.26.31 (10:41:19.854 PDT) event=1:52012087 {udp} E5[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Src: 00:21:5A:08:BB:0C 2009->2004 (10:41:19.854 PDT) ATTACK PREP PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT tcpslice 1342546848.144 1342546848.145 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100' ============================== SEPARATOR ================================ Score: 1.6 (>= 0.8) Infected Target: 192.168.1.100 Infector List: 157.159.226.74 Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 07/17/2012 10:40:48.144 PDT Gen. 
Time: 07/17/2012 10:45:33.902 PDT INBOUND SCAN EXPLOIT 157.159.226.74 (10:40:48.144 PDT) event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:BB:0C 2025<-2009 (10:40:48.144 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN 192.41.135.218 (10:43:10.745 PDT) event=1:52012087 {udp} E5[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Src: 00:21:5A:08:BB:0C 2009->2004 (10:43:10.745 PDT) 192.6.26.31 (10:41:19.854 PDT) event=1:52012087 {udp} E5[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Src: 00:21:5A:08:BB:0C 2009->2004 (10:41:19.854 PDT) ATTACK PREP PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 128.2.211.114 (10:41:57.268 PDT) event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:BB:0C 2121->2121 (10:41:57.268 PDT) DECLARE BOT tcpslice 1342546848.144 1342546848.145 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.100 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 07/17/2012 10:50:22.864 PDT Gen. 
Time: 07/17/2012 10:50:22.864 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 129.93.229.138 (10:50:22.864 PDT) event=1:9930005 {tcp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:BB:0C 54151->17914 (10:50:22.864 PDT) DECLARE BOT tcpslice 1342547422.864 1342547422.865 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100' ============================== SEPARATOR ================================ Score: 1.1 (>= 0.8) Infected Target: 192.168.1.100 Infector List: 192.107.171.145, 156.17.10.51, 193.136.191.25, 157.159.226.72, 169.226.40.2, 170.140.119.69, 165.91.55.9 Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 07/17/2012 10:50:22.864 PDT Gen. Time: 07/17/2012 11:06:16.488 PDT INBOUND SCAN EXPLOIT 192.107.171.145 (11:02:35.657 PDT) event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:BB:0C 2011<-2002 (11:02:35.657 PDT) 156.17.10.51 (11:04:49.471 PDT) event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:BB:0C 2027<-2027 (11:04:49.471 PDT) 193.136.191.25 (10:58:32.791 PDT) event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:BB:0C 2011<-2014 (10:58:32.791 PDT) 157.159.226.72 (10:52:12.633 PDT) event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:BB:0C 2007<-2021 (10:52:12.633 PDT) 169.226.40.2 (10:50:37.293 PDT) event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:BB:0C 2016<-2011 (10:50:37.293 PDT) 170.140.119.69 
(11:00:21.742 PDT) event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:BB:0C 2014<-2023 (11:00:21.742 PDT) 165.91.55.9 (10:54:01.238 PDT) event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:BB:0C 2021<-2027 (10:54:01.238 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 128.2.211.114 (10:51:57.848 PDT) event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:BB:0C 2121->2121 (10:51:57.848 PDT) 206.207.248.34 (11:01:59.541 PDT) event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:BB:0C 4121->4121 (11:01:59.541 PDT) 129.93.229.138 (10:50:22.864 PDT) event=1:9930005 {tcp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:BB:0C 54151->17914 (10:50:22.864 PDT) DECLARE BOT tcpslice 1342547422.864 1342547422.865 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.100 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 07/17/2012 11:07:11.195 PDT Gen. 
Time: 07/17/2012 11:07:11.195 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 129.93.229.138 (11:07:11.195 PDT) event=1:9930005 {tcp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:BB:0C 54581->17914 (11:07:11.195 PDT) DECLARE BOT tcpslice 1342548431.195 1342548431.196 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100' ============================== SEPARATOR ================================ Score: 1.1 (>= 0.8) Infected Target: 192.168.1.100 Infector List: 169.226.40.4 Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 07/17/2012 11:07:11.195 PDT Gen. Time: 07/17/2012 11:10:34.033 PDT INBOUND SCAN EXPLOIT 169.226.40.4 (11:07:34.990 PDT) event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:BB:0C 2024<-2004 (11:07:34.990 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 129.93.229.138 (11:07:11.195 PDT) event=1:9930005 {tcp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:BB:0C 54581->17914 (11:07:11.195 PDT) DECLARE BOT tcpslice 1342548431.195 1342548431.196 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.100 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 07/17/2012 11:11:59.097 PDT Gen. 
Time: 07/17/2012 11:11:59.097 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 130.104.72.201 (11:11:59.097 PDT) event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:BB:0C 49302->49302 (11:11:59.097 PDT) DECLARE BOT tcpslice 1342548719.097 1342548719.098 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.100 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 07/17/2012 11:21:59.029 PDT Gen. Time: 07/17/2012 11:21:59.029 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 130.104.72.201 (11:21:59.029 PDT) event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:BB:0C 49302->49302 (11:21:59.029 PDT) DECLARE BOT tcpslice 1342549319.029 1342549319.030 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.100 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 07/17/2012 11:21:59.029 PDT Gen. 
Time: 07/17/2012 11:26:21.909 PDT

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
  129.93.229.138 (11:22:53.678 PDT)
    event=1:9930005 {tcp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:BB:0C
    47579->17914 (11:22:53.678 PDT)
  130.104.72.201 (11:21:59.029 PDT)
    event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:BB:0C
    49302->49302 (11:21:59.029 PDT)
DECLARE BOT

tcpslice 1342549319.029 1342549319.030 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.100
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 07/17/2012 11:32:02.341 PDT
Gen. Time: 07/17/2012 11:32:02.341 PDT

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
  130.104.72.201 (11:32:02.341 PDT)
    event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:BB:0C
    49302->49302 (11:32:02.341 PDT)
DECLARE BOT

tcpslice 1342549922.341 1342549922.342 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.100
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 07/17/2012 11:32:02.341 PDT
Gen. Time: 07/17/2012 11:36:17.490 PDT

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
  128.163.142.20 (11:34:55.507 PDT)
    event=1:9930005 {tcp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:BB:0C
    51104->49301 (11:34:55.507 PDT)
  130.104.72.201 (11:32:02.341 PDT)
    event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:BB:0C
    49302->49302 (11:32:02.341 PDT)
DECLARE BOT

tcpslice 1342549922.341 1342549922.342 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.100
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 07/17/2012 11:42:04.864 PDT
Gen. Time: 07/17/2012 11:42:04.864 PDT

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
  130.104.72.201 (11:42:04.864 PDT)
    event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:BB:0C
    49302->49302 (11:42:04.864 PDT)
DECLARE BOT

tcpslice 1342550524.864 1342550524.865 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.100
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 07/17/2012 11:52:04.026 PDT
Gen. Time: 07/17/2012 11:52:04.026 PDT

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
  138.238.250.155 (11:52:04.026 PDT)
    event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:BB:0C
    2003->2002 (11:52:04.026 PDT)
DECLARE BOT

tcpslice 1342551124.026 1342551124.027 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100'

============================== SEPARATOR ================================

Score: 1.6 (>= 0.8)
Infected Target: 192.168.1.100
Infector List: 156.17.10.52
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 07/17/2012 11:52:04.026 PDT
Gen. Time: 07/17/2012 11:57:41.231 PDT

INBOUND SCAN
EXPLOIT
  156.17.10.52 (11:54:13.849 PDT)
    event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:BB:0C
    2003<-2008 (11:54:13.849 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
  165.91.55.11 (11:53:27.281 PDT)
    event=1:52012087 {udp} E5[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Src: 00:21:5A:08:BB:0C
    2003->2004 (11:53:27.281 PDT)
ATTACK PREP
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
  138.238.250.155 (11:52:04.026 PDT)
    event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:BB:0C
    2003->2002 (11:52:04.026 PDT)
  129.93.229.138 (11:54:23.587 PDT)
    event=1:9930005 {tcp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:BB:0C
    56978->17914 (11:54:23.587 PDT)
DECLARE BOT

tcpslice 1342551124.026 1342551124.027 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.100
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 07/17/2012 12:02:04.488 PDT
Gen. Time: 07/17/2012 12:02:04.488 PDT

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
  138.238.250.155 (12:02:04.488 PDT)
    event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:BB:0C
    2008->2002 (12:02:04.488 PDT)
DECLARE BOT

tcpslice 1342551724.488 1342551724.489 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100'

============================== SEPARATOR ================================

Score: 1.1 (>= 0.8)
Infected Target: 192.168.1.100
Infector List: 138.251.214.77
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 07/17/2012 12:02:04.488 PDT
Gen. Time: 07/17/2012 12:09:38.709 PDT

INBOUND SCAN
EXPLOIT
  138.251.214.77 (12:04:57.576 PDT)
    event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:BB:0C
    2005<-2005 (12:04:57.576 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
  138.238.250.155 (12:02:04.488 PDT)
    event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:BB:0C
    2008->2002 (12:02:04.488 PDT)
DECLARE BOT

tcpslice 1342551724.488 1342551724.489 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.100
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 07/17/2012 12:10:44.189 PDT
Gen. Time: 07/17/2012 12:10:44.189 PDT

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
  129.93.229.138 (12:10:44.189 PDT)
    event=1:9930005 {tcp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:BB:0C
    49328->17914 (12:10:44.189 PDT)
DECLARE BOT

tcpslice 1342552244.189 1342552244.190 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.100
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 07/17/2012 12:10:44.189 PDT
Gen. Time: 07/17/2012 12:14:45.715 PDT

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
  143.89.49.74 (12:12:04.502 PDT)
    event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:BB:0C
    2005->2005 (12:12:04.502 PDT)
  129.93.229.138 (12:10:44.189 PDT)
    event=1:9930005 {tcp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:BB:0C
    49328->17914 (12:10:44.189 PDT)
DECLARE BOT

tcpslice 1342552244.189 1342552244.190 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.100
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 07/17/2012 12:22:09.944 PDT
Gen. Time: 07/17/2012 12:22:09.944 PDT

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
  128.2.211.114 (12:22:09.944 PDT)
    event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:BB:0C
    2119->2119 (12:22:09.944 PDT)
DECLARE BOT

tcpslice 1342552929.944 1342552929.945 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.100
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 07/17/2012 12:26:10.324 PDT
Gen. Time: 07/17/2012 12:26:10.324 PDT

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
  129.93.229.138 (12:26:10.324 PDT)
    event=1:9930005 {tcp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:BB:0C
    38384->17914 (12:26:10.324 PDT)
DECLARE BOT

tcpslice 1342553170.324 1342553170.325 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.100
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 07/17/2012 12:32:09.775 PDT
Gen. Time: 07/17/2012 12:32:09.775 PDT

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
  138.238.250.155 (12:32:09.775 PDT)
    event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:BB:0C
    2005->2004 (12:32:09.775 PDT)
DECLARE BOT

tcpslice 1342553529.775 1342553529.776 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.100
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 07/17/2012 12:42:09.765 PDT
Gen. Time: 07/17/2012 12:42:09.765 PDT

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
  143.89.49.74 (12:42:09.765 PDT)
    event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:BB:0C
    2008->2005 (12:42:09.765 PDT)
DECLARE BOT

tcpslice 1342554129.765 1342554129.766 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.100
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 07/17/2012 12:42:09.765 PDT
Gen. Time: 07/17/2012 12:46:14.222 PDT

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
  129.93.229.138 (12:45:21.175 PDT)
    event=1:9930005 {tcp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:BB:0C
    46417->17914 (12:45:21.175 PDT)
  143.89.49.74 (12:42:09.765 PDT)
    event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:BB:0C
    2008->2005 (12:42:09.765 PDT)
DECLARE BOT

tcpslice 1342554129.765 1342554129.766 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.100
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 07/17/2012 12:52:09.452 PDT
Gen. Time: 07/17/2012 12:52:09.452 PDT

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
  138.238.250.155 (12:52:09.452 PDT)
    event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:BB:0C
    2003->2001 (12:52:09.452 PDT)
DECLARE BOT

tcpslice 1342554729.452 1342554729.453 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.100
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 07/17/2012 13:02:09.385 PDT
Gen. Time: 07/17/2012 13:02:09.385 PDT

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
  138.238.250.155 (13:02:09.385 PDT)
    event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:BB:0C
    2001->2001 (13:02:09.385 PDT)
DECLARE BOT

tcpslice 1342555329.385 1342555329.386 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100'

============================== SEPARATOR ================================

Score: 1.1 (>= 0.8)
Infected Target: 192.168.1.100
Infector List: 149.43.80.22, 147.229.10.250
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 07/17/2012 13:02:09.385 PDT
Gen. Time: 07/17/2012 13:09:51.168 PDT

INBOUND SCAN
EXPLOIT
  149.43.80.22 (13:06:20.780 PDT)
    event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:BB:0C
    2007<-2006 (13:06:20.780 PDT)
  147.229.10.250 (13:05:01.605 PDT)
    event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:BB:0C
    2005<-2001 (13:05:01.605 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
  138.238.250.155 (13:02:09.385 PDT)
    event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:BB:0C
    2001->2001 (13:02:09.385 PDT)
DECLARE BOT

tcpslice 1342555329.385 1342555329.386 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.100
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 07/17/2012 13:12:09.247 PDT
Gen. Time: 07/17/2012 13:12:09.247 PDT

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
  138.238.250.155 (13:12:09.247 PDT)
    event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:BB:0C
    2007->2001 (13:12:09.247 PDT)
DECLARE BOT

tcpslice 1342555929.247 1342555929.248 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100'

============================== SEPARATOR ================================

Score: 1.1 (>= 0.8)
Infected Target: 192.168.1.100
Infector List: 138.96.116.20, 162.105.205.21
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 07/17/2012 13:15:22.094 PDT
Gen. Time: 07/17/2012 13:16:19.579 PDT

INBOUND SCAN
EXPLOIT
  138.96.116.20 (13:15:49.557 PDT)
    event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:BB:0C
    2008<-2003 (13:15:49.557 PDT)
  162.105.205.21 (13:15:22.094 PDT)
    event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:BB:0C
    2003<-2005 (13:15:22.094 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
  129.93.229.138 (13:16:19.579 PDT)
    event=1:9930005 {tcp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:BB:0C
    36274->17914 (13:16:19.579 PDT)
DECLARE BOT

tcpslice 1342556122.094 1342556122.095 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100'

============================== SEPARATOR ================================

Score: 1.1 (>= 0.8)
Infected Target: 192.168.1.100
Infector List: 192.33.90.195
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 07/17/2012 13:21:14.041 PDT
Gen. Time: 07/17/2012 13:22:09.708 PDT

INBOUND SCAN
EXPLOIT
  192.33.90.195 (13:21:14.041 PDT)
    event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:BB:0C
    2008<-2001 (13:21:14.041 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
  138.238.250.155 (13:22:09.708 PDT)
    event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:BB:0C
    2001->2001 (13:22:09.708 PDT)
DECLARE BOT

tcpslice 1342556474.041 1342556474.042 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.100
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 07/17/2012 13:31:25.240 PDT
Gen. Time: 07/17/2012 13:31:25.240 PDT

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
  129.93.229.138 (13:31:25.240 PDT)
    event=1:9930005 {tcp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:BB:0C
    58236->17914 (13:31:25.240 PDT)
DECLARE BOT

tcpslice 1342557085.240 1342557085.241 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.100
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 07/17/2012 13:31:25.240 PDT
Gen. Time: 07/17/2012 13:33:51.496 PDT

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
  129.93.229.138 (13:31:25.240 PDT)
    event=1:9930005 {tcp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:BB:0C
    58236->17914 (13:31:25.240 PDT)
  130.104.72.201 (13:32:16.942 PDT)
    event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:BB:0C
    49302->49302 (13:32:16.942 PDT)
DECLARE BOT

tcpslice 1342557085.240 1342557085.241 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.100
Infector List: 165.230.49.115
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 07/17/2012 13:38:09.370 PDT
Gen. Time: 07/17/2012 13:39:05.855 PDT

INBOUND SCAN
EXPLOIT
  165.230.49.115 (13:38:09.370 PDT)
    event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:BB:0C
    2007<-2006 (13:38:09.370 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
  143.107.111.235 (13:39:05.855 PDT)
    event=1:52012087 {udp} E5[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Src: 00:21:5A:08:BB:0C
    2006->2003 (13:39:05.855 PDT)
ATTACK PREP
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT

tcpslice 1342557489.370 1342557489.371 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100'

============================== SEPARATOR ================================

Score: 1.6 (>= 0.8)
Infected Target: 192.168.1.100
Infector List: 165.230.49.115
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 07/17/2012 13:38:09.370 PDT
Gen. Time: 07/17/2012 13:43:17.208 PDT

INBOUND SCAN
EXPLOIT
  165.230.49.115 (13:38:09.370 PDT)
    event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:BB:0C
    2007<-2006 (13:38:09.370 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
  143.107.111.235 (13:39:05.855 PDT)
    event=1:52012087 {udp} E5[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Src: 00:21:5A:08:BB:0C
    2006->2003 (13:39:05.855 PDT)
ATTACK PREP
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
  138.238.250.155 (13:42:17.989 PDT)
    event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:BB:0C
    2006->2002 (13:42:17.989 PDT)
DECLARE BOT

tcpslice 1342557489.370 1342557489.371 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.100
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 07/17/2012 13:46:37.728 PDT
Gen. Time: 07/17/2012 13:46:37.728 PDT

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
  129.93.229.138 (13:46:37.728 PDT)
    event=1:9930005 {tcp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:BB:0C
    39344->17914 (13:46:37.728 PDT)
DECLARE BOT

tcpslice 1342557997.728 1342557997.729 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.100
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 07/17/2012 13:52:17.474 PDT
Gen. Time: 07/17/2012 13:52:17.474 PDT

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
  138.238.250.155 (13:52:17.474 PDT)
    event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:BB:0C
    2004->2006 (13:52:17.474 PDT)
DECLARE BOT

tcpslice 1342558337.474 1342558337.475 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.100
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 07/17/2012 14:02:06.620 PDT
Gen. Time: 07/17/2012 14:02:06.620 PDT

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
  129.93.229.138 (14:02:06.620 PDT)
    event=1:9930005 {tcp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:BB:0C
    46313->17914 (14:02:06.620 PDT)
DECLARE BOT

tcpslice 1342558926.620 1342558926.621 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.100
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 07/17/2012 14:02:06.620 PDT
Gen. Time: 07/17/2012 14:05:54.946 PDT

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
  138.238.250.155 (14:02:17.137 PDT)
    event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:BB:0C
    2007->2001 (14:02:17.137 PDT)
  129.93.229.138 (14:02:06.620 PDT)
    event=1:9930005 {tcp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:BB:0C
    46313->17914 (14:02:06.620 PDT)
DECLARE BOT

tcpslice 1342558926.620 1342558926.621 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.100
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 07/17/2012 14:12:17.325 PDT
Gen. Time: 07/17/2012 14:12:17.325 PDT

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
  138.238.250.155 (14:12:17.325 PDT)
    event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:BB:0C
    2002->2001 (14:12:17.325 PDT)
DECLARE BOT

tcpslice 1342559537.325 1342559537.326 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.100
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 07/17/2012 14:18:00.872 PDT
Gen. Time: 07/17/2012 14:18:00.872 PDT

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
  129.93.229.138 (14:18:00.872 PDT)
    event=1:9930005 {tcp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:BB:0C
    51861->17914 (14:18:00.872 PDT)
DECLARE BOT

tcpslice 1342559880.872 1342559880.873 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100'

============================== SEPARATOR ================================

Score: 1.1 (>= 0.8)
Infected Target: 192.168.1.100
Infector List: 140.192.249.204
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 07/17/2012 14:18:00.872 PDT
Gen. Time: 07/17/2012 14:23:51.323 PDT

INBOUND SCAN
EXPLOIT
  140.192.249.204 (14:20:14.584 PDT)
    event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:BB:0C
    2004<-2003 (14:20:14.584 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
  138.238.250.155 (14:22:17.100 PDT)
    event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:BB:0C
    2007->2002 (14:22:17.100 PDT)
  129.93.229.138 (14:18:00.872 PDT)
    event=1:9930005 {tcp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:BB:0C
    51861->17914 (14:18:00.872 PDT)
DECLARE BOT

tcpslice 1342559880.872 1342559880.873 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.100
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 07/17/2012 14:29:25.193 PDT
Gen. Time: 07/17/2012 14:29:25.193 PDT

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
  128.163.142.20 (14:29:25.193 PDT)
    event=1:9930005 {tcp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:BB:0C
    57301->49301 (14:29:25.193 PDT)
DECLARE BOT

tcpslice 1342560565.193 1342560565.194 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.100
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 07/17/2012 14:32:18.103 PDT
Gen. Time: 07/17/2012 14:32:18.103 PDT

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
  143.89.49.74 (14:32:18.103 PDT)
    event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:BB:0C
    2001->2005 (14:32:18.103 PDT)
DECLARE BOT

tcpslice 1342560738.103 1342560738.104 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.100
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 07/17/2012 14:42:21.867 PDT
Gen. Time: 07/17/2012 14:42:21.867 PDT

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
  130.104.72.201 (14:42:21.867 PDT)
    event=1:9930006 {udp} E8[unk] BotH­unter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:BB:0C
    49302->49302 (14:42:21.867 PDT)
DECLARE BOT

tcpslice 1342561341.867 1342561341.868 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.100
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 07/17/2012 14:46:19.728 PDT
Gen. Time: 07/17/2012 14:46:19.728 PDT

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
  132.239.17.226 (14:46:19.728 PDT)
    event=1:9930005 {tcp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:BB:0C
    34199->49302 (14:46:19.728 PDT)
DECLARE BOT

tcpslice 1342561579.728 1342561579.729 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100'

============================== SEPARATOR ================================

Score: 1.1 (>= 0.8)
Infected Target: 192.168.1.100
Infector List: 192.42.83.253
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 07/17/2012 14:46:19.728 PDT
Gen. Time: 07/17/2012 14:49:57.411 PDT

INBOUND SCAN
EXPLOIT
  192.42.83.253 (14:46:26.322 PDT)
    event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:BB:0C
    2007<-2001 (14:46:26.322 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
  132.239.17.226 (14:46:19.728 PDT)
    event=1:9930005 {tcp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:BB:0C
    34199->49302 (14:46:19.728 PDT)
DECLARE BOT

tcpslice 1342561579.728 1342561579.729 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.100
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 07/17/2012 14:52:21.360 PDT
Gen. Time: 07/17/2012 14:52:21.360 PDT

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
  138.238.250.155 (14:52:21.360 PDT)
    event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:BB:0C
    2002->2001 (14:52:21.360 PDT)
DECLARE BOT

tcpslice 1342561941.360 1342561941.361 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100'

============================== SEPARATOR ================================

Score: 1.1 (>= 0.8)
Infected Target: 192.168.1.100
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 07/17/2012 15:01:33.324 PDT
Gen. Time: 07/17/2012 15:01:55.066 PDT

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
  141.213.4.201 (15:01:33.324 PDT)
    event=1:52012087 {udp} E5[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Src: 00:21:5A:08:BB:0C
    2006->2003 (15:01:33.324 PDT)
ATTACK PREP
PEER COORDINATION
DECLARE BOT Standard Port
  199.255.189.160 (15:01:55.066 PDT)
    event=1:9920005 {tcp} E8[std] BotHunter REPO confirmed botnet control server on standard port, [] MAC_Src: 00:21:5A:08:BB:0C
    59278->80 (15:01:55.066 PDT)
DECLARE BOT Non-standard Port
DECLARE BOT

tcpslice 1342562493.324 1342562493.325 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.100
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 07/17/2012 15:12:23.046 PDT
Gen. Time: 07/17/2012 15:12:23.046 PDT

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
  130.104.72.201 (15:12:23.046 PDT)
    event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:BB:0C
    4121->4121 (15:12:23.046 PDT)
DECLARE BOT

tcpslice 1342563143.046 1342563143.047 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.100
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 07/17/2012 15:20:01.219 PDT
Gen. Time: 07/17/2012 15:20:01.219 PDT

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
  128.2.211.114 (15:20:01.219 PDT)
    event=1:9930005 {tcp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:BB:0C
    39290->49301 (15:20:01.219 PDT)
DECLARE BOT

tcpslice 1342563601.219 1342563601.220 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100'

============================== SEPARATOR ================================

Score: 1.1 (>= 0.8)
Infected Target: 192.168.1.100
Infector List: 151.97.9.225
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 07/17/2012 15:20:01.219 PDT
Gen. Time: 07/17/2012 15:24:32.490 PDT

INBOUND SCAN
EXPLOIT
  151.97.9.225 (15:21:18.655 PDT)
    event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:BB:0C
    2006<-2004 (15:21:18.655 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
  138.238.250.155 (15:22:24.203 PDT)
    event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:BB:0C
    2007->2001 (15:22:24.203 PDT)
  128.2.211.114 (15:20:01.219 PDT)
    event=1:9930005 {tcp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:BB:0C
    39290->49301 (15:20:01.219 PDT)
DECLARE BOT

tcpslice 1342563601.219 1342563601.220 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.100
Infector
List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 07/17/2012 15:32:29.658 PDT Gen. Time: 07/17/2012 15:32:29.658 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 195.37.16.125 (15:32:29.658 PDT) event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:BB:0C 2121->2121 (15:32:29.658 PDT) DECLARE BOT tcpslice 1342564349.658 1342564349.659 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.100 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 07/17/2012 15:42:29.167 PDT Gen. Time: 07/17/2012 15:42:29.167 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 138.238.250.155 (15:42:29.167 PDT) event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:BB:0C 2001->2001 (15:42:29.167 PDT) DECLARE BOT tcpslice 1342564949.167 1342564949.168 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.100 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 07/17/2012 15:42:29.167 PDT Gen. 
Time: 07/17/2012 15:45:32.745 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 138.238.250.155 (15:42:29.167 PDT) event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:BB:0C 2001->2001 (15:42:29.167 PDT) 129.93.229.138 (15:43:54.091 PDT) event=1:9930005 {tcp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:BB:0C 37979->17914 (15:43:54.091 PDT) DECLARE BOT tcpslice 1342564949.167 1342564949.168 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.100 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 07/17/2012 15:52:34.549 PDT Gen. Time: 07/17/2012 15:52:34.549 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 128.2.211.114 (15:52:34.549 PDT) event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:BB:0C 2121->2121 (15:52:34.549 PDT) DECLARE BOT tcpslice 1342565554.549 1342565554.550 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.100 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 07/17/2012 15:58:57.530 PDT Gen. 
Time: 07/17/2012 15:58:57.530 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 129.93.229.138 (15:58:57.530 PDT) event=1:9930005 {tcp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:BB:0C 34113->17914 (15:58:57.530 PDT) DECLARE BOT tcpslice 1342565937.530 1342565937.531 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.100 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 07/17/2012 15:58:57.530 PDT Gen. Time: 07/17/2012 16:02:51.878 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 138.238.250.155 (16:02:34.003 PDT) event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:BB:0C 2004->2006 (16:02:34.003 PDT) 129.93.229.138 (15:58:57.530 PDT) event=1:9930005 {tcp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:BB:0C 34113->17914 (15:58:57.530 PDT) DECLARE BOT tcpslice 1342565937.530 1342565937.531 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100' ============================== SEPARATOR ================================ Score: 1.1 (>= 0.8) Infected Target: 192.168.1.100 Infector List: 152.14.93.140 Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 07/17/2012 16:11:48.907 PDT Gen. 
Time: 07/17/2012 16:12:35.389 PDT INBOUND SCAN EXPLOIT 152.14.93.140 (16:11:48.907 PDT) event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:BB:0C 2004<-2006 (16:11:48.907 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 138.238.250.155 (16:12:35.389 PDT) event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:BB:0C 2001->2001 (16:12:35.389 PDT) DECLARE BOT tcpslice 1342566708.907 1342566708.908 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100' ============================== SEPARATOR ================================ Score: 1.1 (>= 0.8) Infected Target: 192.168.1.100 Infector List: 152.14.93.140 Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 07/17/2012 16:11:48.907 PDT Gen. 
Time: 07/17/2012 16:16:02.003 PDT INBOUND SCAN EXPLOIT 152.14.93.140 (16:11:48.907 PDT) event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:BB:0C 2004<-2006 (16:11:48.907 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 138.238.250.155 (16:12:35.389 PDT) event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:BB:0C 2001->2001 (16:12:35.389 PDT) 129.93.229.138 (16:14:19.004 PDT) event=1:9930005 {tcp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:BB:0C 46393->17914 (16:14:19.004 PDT) DECLARE BOT tcpslice 1342566708.907 1342566708.908 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.100 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 07/17/2012 16:22:35.434 PDT Gen. 
Time: 07/17/2012 16:22:35.434 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 143.89.49.74 (16:22:35.434 PDT) event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:BB:0C 2005->2008 (16:22:35.434 PDT) DECLARE BOT tcpslice 1342567355.434 1342567355.435 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.100 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 07/17/2012 16:29:13.664 PDT Gen. Time: 07/17/2012 16:29:13.664 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 129.93.229.138 (16:29:13.664 PDT) event=1:9930005 {tcp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:BB:0C 40632->17914 (16:29:13.664 PDT) DECLARE BOT tcpslice 1342567753.664 1342567753.665 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.100 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 07/17/2012 16:29:13.664 PDT Gen. 
Time: 07/17/2012 16:33:13.506 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 138.238.250.155 (16:32:35.064 PDT) event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:BB:0C 2001->2002 (16:32:35.064 PDT) 129.93.229.138 (16:29:13.664 PDT) event=1:9930005 {tcp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:BB:0C 40632->17914 (16:29:13.664 PDT) DECLARE BOT tcpslice 1342567753.664 1342567753.665 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.100 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 07/17/2012 16:42:35.829 PDT Gen. Time: 07/17/2012 16:42:35.829 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 138.238.250.155 (16:42:35.829 PDT) event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:BB:0C 2004->2002 (16:42:35.829 PDT) DECLARE BOT tcpslice 1342568555.829 1342568555.830 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.100 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 07/17/2012 16:42:35.829 PDT Gen. 
Time: 07/17/2012 16:44:56.836 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 138.238.250.155 (16:42:35.829 PDT) event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:BB:0C 2004->2002 (16:42:35.829 PDT) 129.93.229.138 (16:44:15.330 PDT) event=1:9930005 {tcp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:BB:0C 52356->17914 (16:44:15.330 PDT) DECLARE BOT tcpslice 1342568555.829 1342568555.830 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.100 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 07/17/2012 16:52:36.121 PDT Gen. Time: 07/17/2012 16:52:36.121 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 138.238.250.155 (16:52:36.121 PDT) event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:BB:0C 2002->2004 (16:52:36.121 PDT) DECLARE BOT tcpslice 1342569156.121 1342569156.122 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.100 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 07/17/2012 16:59:37.344 PDT Gen. 
Time: 07/17/2012 16:59:37.344 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 129.93.229.138 (16:59:37.344 PDT) event=1:9930005 {tcp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:BB:0C 32963->17914 (16:59:37.344 PDT) DECLARE BOT tcpslice 1342569577.344 1342569577.345 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.100 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 07/17/2012 16:59:37.344 PDT Gen. Time: 07/17/2012 17:03:39.992 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 129.93.229.138 (16:59:37.344 PDT) event=1:9930005 {tcp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:BB:0C 32963->17914 (16:59:37.344 PDT) 130.104.72.201 (17:02:41.720 PDT) event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:BB:0C 49302->49302 (17:02:41.720 PDT) DECLARE BOT tcpslice 1342569577.344 1342569577.345 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.100 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 07/17/2012 17:12:41.546 PDT Gen. 
Time: 07/17/2012 17:12:41.546 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 138.238.250.155 (17:12:41.546 PDT) event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:BB:0C 2001->2001 (17:12:41.546 PDT) DECLARE BOT tcpslice 1342570361.546 1342570361.547 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.100 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 07/17/2012 17:12:41.546 PDT Gen. Time: 07/17/2012 17:15:36.287 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 138.238.250.155 (17:12:41.546 PDT) event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:BB:0C 2001->2001 (17:12:41.546 PDT) 129.93.229.138 (17:14:55.894 PDT) event=1:9930005 {tcp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:BB:0C 33612->17914 (17:14:55.894 PDT) DECLARE BOT tcpslice 1342570361.546 1342570361.547 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.100 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 07/17/2012 17:22:41.050 PDT Gen. 
Time: 07/17/2012 17:26:12.515 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 138.238.250.155 (17:22:41.050 PDT) event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:BB:0C 2003->2001 (17:22:41.050 PDT) DECLARE BOT tcpslice 1342570961.050 1342570961.051 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.100 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 07/17/2012 17:29:59.240 PDT Gen. Time: 07/17/2012 17:29:59.240 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 129.93.229.138 (17:29:59.240 PDT) event=1:9930005 {tcp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:BB:0C 41839->17914 (17:29:59.240 PDT) DECLARE BOT tcpslice 1342571399.240 1342571399.241 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.100 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 07/17/2012 17:29:59.240 PDT Gen. 
Time: 07/17/2012 17:33:43.023 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 138.238.250.155 (17:32:41.630 PDT) event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:BB:0C 2002->2004 (17:32:41.630 PDT) 129.93.229.138 (17:29:59.240 PDT) event=1:9930005 {tcp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:BB:0C 41839->17914 (17:29:59.240 PDT) DECLARE BOT tcpslice 1342571399.240 1342571399.241 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.100 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 07/17/2012 17:42:43.068 PDT Gen. Time: 07/17/2012 17:42:43.068 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 130.104.72.201 (17:42:43.068 PDT) event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:BB:0C 49302->49302 (17:42:43.068 PDT) DECLARE BOT tcpslice 1342572163.068 1342572163.069 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100' ============================== SEPARATOR ================================ Score: 1.1 (>= 0.8) Infected Target: 192.168.1.100 Infector List: 160.193.163.106 Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 07/17/2012 17:42:43.068 PDT Gen. 
Time: 07/17/2012 17:46:59.814 PDT INBOUND SCAN EXPLOIT 160.193.163.106 (17:42:43.727 PDT) event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:BB:0C 2003<-2003 (17:42:43.727 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 130.104.72.201 (17:42:43.068 PDT) event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:BB:0C 49302->49302 (17:42:43.068 PDT) 195.37.16.125 (17:43:11.499 PDT) event=1:9930005 {tcp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:BB:0C 36035->54593 (17:43:11.499 PDT) DECLARE BOT tcpslice 1342572163.068 1342572163.069 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.100 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 07/17/2012 17:52:46.367 PDT Gen. 
Time: 07/17/2012 17:52:46.367 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 129.93.229.138 (17:52:46.367 PDT) event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:BB:0C 33832->17914 (17:52:46.367 PDT) DECLARE BOT tcpslice 1342572766.367 1342572766.368 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100' ============================== SEPARATOR ================================ Score: 1.1 (>= 0.8) Infected Target: 192.168.1.100 Infector List: 193.10.64.36 Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 07/17/2012 17:52:46.367 PDT Gen. Time: 07/17/2012 17:57:12.399 PDT INBOUND SCAN EXPLOIT 193.10.64.36 (17:55:12.061 PDT) event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:BB:0C 2008<-2008 (17:55:12.061 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 129.93.229.138 (17:52:46.367 PDT) event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:BB:0C 33832->17914 (17:52:46.367 PDT) DECLARE BOT tcpslice 1342572766.367 1342572766.368 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.100 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 07/17/2012 18:01:25.318 PDT Gen. 
Time: 07/17/2012 18:01:25.318 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 129.93.229.138 (18:01:25.318 PDT) event=1:9930005 {tcp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:BB:0C 39627->17914 (18:01:25.318 PDT) DECLARE BOT tcpslice 1342573285.318 1342573285.319 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100' ============================== SEPARATOR ================================ Score: 1.1 (>= 0.8) Infected Target: 192.168.1.100 Infector List: 192.197.121.3 Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 07/17/2012 18:01:25.318 PDT Gen. Time: 07/17/2012 18:08:53.119 PDT INBOUND SCAN EXPLOIT 192.197.121.3 (18:05:38.022 PDT) event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:BB:0C 1901<-2005 (18:05:38.022 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 129.93.229.138 (18:01:25.318 PDT) event=1:9930005 {tcp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:BB:0C 39627->17914 (18:01:25.318 PDT) 130.104.72.201 (18:02:47.139 PDT) event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:BB:0C 49302->49302 (18:02:47.139 PDT) DECLARE BOT tcpslice 1342573285.318 1342573285.319 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.100 
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 07/17/2012 18:12:48.496 PDT
Gen. Time: 07/17/2012 18:12:48.496 PDT

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
  128.2.211.114 (18:12:48.496 PDT)
    event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:BB:0C
    2119->2119 (18:12:48.496 PDT)
DECLARE BOT

tcpslice 1342573968.496 1342573968.497 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.100
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 07/17/2012 18:22:48.449 PDT
Gen. Time: 07/17/2012 18:22:48.449 PDT

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
  138.238.250.155 (18:22:48.449 PDT)
    event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:BB:0C
    2002->2006 (18:22:48.449 PDT)
DECLARE BOT

tcpslice 1342574568.449 1342574568.450 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.100
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 07/17/2012 18:32:48.686 PDT
Gen. Time: 07/17/2012 18:32:48.686 PDT

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
  128.2.211.114 (18:32:48.686 PDT)
    event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:BB:0C
    2119->2119 (18:32:48.686 PDT)
DECLARE BOT

tcpslice 1342575168.686 1342575168.687 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.100
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 07/17/2012 18:32:48.686 PDT
Gen. Time: 07/17/2012 18:35:50.286 PDT

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
  128.2.211.114 (18:32:48.686 PDT)
    event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:BB:0C
    2119->2119 (18:32:48.686 PDT)
  129.93.229.138 (18:35:50.286 PDT)
    event=1:9930005 {tcp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:BB:0C
    33648->17914 (18:35:50.286 PDT)
DECLARE BOT

tcpslice 1342575168.686 1342575168.687 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.100
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 07/17/2012 18:42:48.795 PDT
Gen. Time: 07/17/2012 18:42:48.795 PDT

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
  128.2.211.114 (18:42:48.795 PDT)
    event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:BB:0C
    2119->2119 (18:42:48.795 PDT)
DECLARE BOT

tcpslice 1342575768.795 1342575768.796 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.100
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 07/17/2012 18:52:48.410 PDT
Gen. Time: 07/17/2012 18:52:48.410 PDT

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
  138.238.250.155 (18:52:48.410 PDT)
    event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:BB:0C
    2002->2002 (18:52:48.410 PDT)
DECLARE BOT

tcpslice 1342576368.410 1342576368.411 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.100
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 07/17/2012 18:52:48.410 PDT
Gen. Time: 07/17/2012 18:57:27.200 PDT

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
  138.238.250.155 (18:52:48.410 PDT)
    event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:BB:0C
    2002->2002 (18:52:48.410 PDT)
  129.93.229.138 (18:53:53.908 PDT)
    event=1:9930005 {tcp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:BB:0C
    52002->17914 (18:53:53.908 PDT)
DECLARE BOT

tcpslice 1342576368.410 1342576368.411 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.100
Infector List: 157.92.44.102, 140.109.17.181
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 07/17/2012 19:00:22.666 PDT
Gen. Time: 07/17/2012 19:02:30.656 PDT

INBOUND SCAN
EXPLOIT
  157.92.44.102 (19:02:22.882 PDT)
    event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:BB:0C
    1901<-2006 (19:02:22.882 PDT)
  140.109.17.181 (19:00:22.666 PDT)
    event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:BB:0C
    2007<-2004 (19:00:22.666 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
  147.229.10.250 (19:02:30.656 PDT)
    event=1:52012087 {udp} E5[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Src: 00:21:5A:08:BB:0C
    2005->2003 (19:02:30.656 PDT)
ATTACK PREP
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT

tcpslice 1342576822.666 1342576822.667 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100'

============================== SEPARATOR ================================

Score: 1.6 (>= 0.8)
Infected Target: 192.168.1.100
Infector List: 157.92.44.102, 140.109.17.181
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 07/17/2012 19:00:22.666 PDT
Gen. Time: 07/17/2012 19:05:35.955 PDT

INBOUND SCAN
EXPLOIT
  157.92.44.102 (19:02:22.882 PDT)
    event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:BB:0C
    1901<-2006 (19:02:22.882 PDT)
  140.109.17.181 (19:00:22.666 PDT)
    event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:BB:0C
    2007<-2004 (19:00:22.666 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
  147.229.10.250 (19:02:30.656 PDT)
    event=1:52012087 {udp} E5[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Src: 00:21:5A:08:BB:0C
    2005->2003 (19:02:30.656 PDT)
ATTACK PREP
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
  138.238.250.155 (19:02:49.015 PDT)
    event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:BB:0C
    2002->2001 (19:02:49.015 PDT)
DECLARE BOT

tcpslice 1342576822.666 1342576822.667 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.100
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 07/17/2012 19:12:50.827 PDT
Gen. Time: 07/17/2012 19:12:50.827 PDT

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
  138.238.250.155 (19:12:50.827 PDT)
    event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:BB:0C
    2001->2001 (19:12:50.827 PDT)
DECLARE BOT

tcpslice 1342577570.827 1342577570.828 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.100
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 07/17/2012 19:12:50.827 PDT
Gen. Time: 07/17/2012 19:15:11.141 PDT

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
  138.238.250.155 (19:12:50.827 PDT)
    event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:BB:0C
    2001->2001 (19:12:50.827 PDT)
  128.163.142.20 (19:13:10.137 PDT)
    event=1:9930005 {tcp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:BB:0C
    36989->42781 (19:13:10.137 PDT)
DECLARE BOT

tcpslice 1342577570.827 1342577570.828 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.100
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 07/17/2012 19:22:56.564 PDT
Gen. Time: 07/17/2012 19:22:56.564 PDT

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
  130.104.72.201 (19:22:56.564 PDT)
    event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:BB:0C
    49302->49302 (19:22:56.564 PDT)
DECLARE BOT

tcpslice 1342578176.564 1342578176.565 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.100
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 07/17/2012 19:29:19.758 PDT
Gen. Time: 07/17/2012 19:29:19.758 PDT

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
  129.93.229.138 (19:29:19.758 PDT)
    event=1:9930005 {tcp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:BB:0C
    42149->17914 (19:29:19.758 PDT)
DECLARE BOT

tcpslice 1342578559.758 1342578559.759 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.100
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 07/17/2012 19:29:19.758 PDT
Gen. Time: 07/17/2012 19:32:56.854 PDT

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
  129.93.229.138 (19:29:19.758 PDT)
    event=1:9930005 {tcp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:BB:0C
    42149->17914 (19:29:19.758 PDT)
  130.104.72.201 (19:32:56.854 PDT)
    event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:BB:0C
    49302->49302 (19:32:56.854 PDT)
DECLARE BOT

tcpslice 1342578559.758 1342578559.759 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.100
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 07/17/2012 19:42:56.952 PDT
Gen. Time: 07/17/2012 19:42:56.952 PDT

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
  138.238.250.155 (19:42:56.952 PDT)
    event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:BB:0C
    2006->2001 (19:42:56.952 PDT)
DECLARE BOT

tcpslice 1342579376.952 1342579376.953 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.100
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 07/17/2012 19:42:56.952 PDT
Gen. Time: 07/17/2012 19:46:43.381 PDT

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
  138.238.250.155 (19:42:56.952 PDT)
    event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:BB:0C
    2006->2001 (19:42:56.952 PDT)
  129.93.229.138 (19:44:19.843 PDT)
    event=1:9930005 {tcp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:BB:0C
    42331->17914 (19:44:19.843 PDT)
DECLARE BOT

tcpslice 1342579376.952 1342579376.953 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.100
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 07/17/2012 19:52:56.532 PDT
Gen. Time: 07/17/2012 19:52:56.532 PDT

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
  130.104.72.201 (19:52:56.532 PDT)
    event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:BB:0C
    49302->49302 (19:52:56.532 PDT)
DECLARE BOT

tcpslice 1342579976.532 1342579976.533 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100'

============================== SEPARATOR ================================

Score: 1.1 (>= 0.8)
Infected Target: 192.168.1.100
Infector List: 163.117.253.23
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 07/17/2012 19:52:56.532 PDT
Gen. Time: 07/17/2012 19:59:20.445 PDT

INBOUND SCAN
EXPLOIT
  163.117.253.23 (19:55:14.321 PDT)
    event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:BB:0C
    2008<-2002 (19:55:14.321 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
  129.93.229.138 (19:59:20.445 PDT)
    event=1:9930005 {tcp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:BB:0C
    57206->17914 (19:59:20.445 PDT)
  130.104.72.201 (19:52:56.532 PDT)
    event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:BB:0C
    49302->49302 (19:52:56.532 PDT)
DECLARE BOT

tcpslice 1342579976.532 1342579976.533 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.100
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 07/17/2012 20:02:56.012 PDT
Gen. Time: 07/17/2012 20:02:56.012 PDT

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
  129.93.229.138 (20:02:56.012 PDT)
    event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:BB:0C
    33832->17914 (20:02:56.012 PDT)
DECLARE BOT

tcpslice 1342580576.012 1342580576.013 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100'

============================== SEPARATOR ================================

Score: 1.1 (>= 0.8)
Infected Target: 192.168.1.100
Infector List: 165.230.49.119
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 07/17/2012 20:02:56.012 PDT
Gen. Time: 07/17/2012 20:07:10.877 PDT

INBOUND SCAN
EXPLOIT
  165.230.49.119 (20:06:07.948 PDT)
    event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:BB:0C
    2007<-2007 (20:06:07.948 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
  129.93.229.138 (20:02:56.012 PDT)
    event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:BB:0C
    33832->17914 (20:02:56.012 PDT)
DECLARE BOT

tcpslice 1342580576.012 1342580576.013 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.100
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 07/17/2012 20:12:56.059 PDT
Gen. Time: 07/17/2012 20:12:56.059 PDT

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
  129.93.229.138 (20:12:56.059 PDT)
    event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:BB:0C
    33832->17914 (20:12:56.059 PDT)
DECLARE BOT

tcpslice 1342581176.059 1342581176.060 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100'

============================== SEPARATOR ================================

Score: 1.3 (>= 0.8)
Infected Target: 192.168.1.100
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 07/17/2012 20:12:56.059 PDT
Gen. Time: 07/17/2012 20:19:50.021 PDT

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
  148.81.140.193 (20:15:52.406 PDT)
    event=1:52012087 {udp} E5[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Src: 00:21:5A:08:BB:0C
    2006->2002 (20:15:52.406 PDT)
ATTACK PREP
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
  129.93.229.138 (20:12:56.059 PDT)
    event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:BB:0C
    33832->17914 (20:12:56.059 PDT)
DECLARE BOT

tcpslice 1342581176.059 1342581176.060 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.100
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 07/17/2012 20:22:56.529 PDT
Gen. Time: 07/17/2012 20:22:56.529 PDT

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
  130.104.72.201 (20:22:56.529 PDT)
    event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:BB:0C
    49302->49302 (20:22:56.529 PDT)
DECLARE BOT

tcpslice 1342581776.529 1342581776.530 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100'

============================== SEPARATOR ================================

Score: 1.3 (>= 0.8)
Infected Target: 192.168.1.100
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 07/17/2012 20:22:56.529 PDT
Gen. Time: 07/17/2012 20:30:22.046 PDT

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
  192.33.90.195 (20:25:50.385 PDT)
    event=1:52012087 {udp} E5[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Src: 00:21:5A:08:BB:0C
    2003->2002 (20:25:50.385 PDT)
ATTACK PREP
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
  129.93.229.138 (20:23:19.716 PDT)
    event=1:9930005 {tcp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:BB:0C
    35427->17914 (20:23:19.716 PDT)
  130.104.72.201 (20:22:56.529 PDT)
    event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:BB:0C
    49302->49302 (20:22:56.529 PDT)
DECLARE BOT

tcpslice 1342581776.529 1342581776.530 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.100
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 07/17/2012 20:33:06.492 PDT
Gen. Time: 07/17/2012 20:33:06.492 PDT

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
  130.104.72.201 (20:33:06.492 PDT)
    event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:BB:0C
    49302->49302 (20:33:06.492 PDT)
DECLARE BOT

tcpslice 1342582386.492 1342582386.493 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100'

============================== SEPARATOR ================================

Score: 1.1 (>= 0.8)
Infected Target: 192.168.1.100
Infector List: 161.106.240.19, 157.159.226.72
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 07/17/2012 20:39:00.874 PDT
Gen. Time: 07/17/2012 20:41:50.146 PDT

INBOUND SCAN
EXPLOIT
  161.106.240.19 (20:39:00.874 PDT)
    event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:BB:0C
    2002<-2008 (20:39:00.874 PDT)
  157.159.226.72 (20:40:39.673 PDT)
    event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:BB:0C
    2001<-2004 (20:40:39.673 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
  129.93.229.138 (20:41:50.146 PDT)
    event=1:9930005 {tcp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:BB:0C
    32999->17914 (20:41:50.146 PDT)
DECLARE BOT

tcpslice 1342582740.874 1342582740.875 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100'
============================== SEPARATOR ================================

Score: 1.1 (>= 0.8)
Infected Target: 192.168.1.100
Infector List: 161.106.240.19, 157.159.226.72
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 07/17/2012 20:39:00.874 PDT
Gen. Time: 07/17/2012 20:44:31.657 PDT

INBOUND SCAN
EXPLOIT
  161.106.240.19 (20:39:00.874 PDT)
    event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:BB:0C
    2002<-2008 (20:39:00.874 PDT)
  157.159.226.72 (20:40:39.673 PDT)
    event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:BB:0C
    2001<-2004 (20:40:39.673 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
  138.238.250.155 (20:43:06.080 PDT)
    event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:BB:0C
    2004->2005 (20:43:06.080 PDT)
  129.93.229.138 (20:41:50.146 PDT)
    event=1:9930005 {tcp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:BB:0C
    32999->17914 (20:41:50.146 PDT)
DECLARE BOT

tcpslice 1342582740.874 1342582740.875 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.100
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 07/17/2012 20:53:06.217 PDT
Gen. Time: 07/17/2012 20:53:06.217 PDT

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
  143.89.49.74 (20:53:06.217 PDT)
    event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:BB:0C
    2006->2004 (20:53:06.217 PDT)
DECLARE BOT

tcpslice 1342583586.217 1342583586.218 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.100
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 07/17/2012 20:53:06.217 PDT
Gen. Time: 07/17/2012 20:56:38.236 PDT

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
  137.165.1.111 (20:55:23.535 PDT)
    event=1:9930005 {tcp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:BB:0C
    39832->49301 (20:55:23.535 PDT)
  143.89.49.74 (20:53:06.217 PDT)
    event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:BB:0C
    2006->2004 (20:53:06.217 PDT)
DECLARE BOT

tcpslice 1342583586.217 1342583586.218 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.100
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 07/17/2012 21:03:08.456 PDT
Gen. Time: 07/17/2012 21:03:08.456 PDT

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
  130.104.72.201 (21:03:08.456 PDT)
    event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:BB:0C
    49302->49302 (21:03:08.456 PDT)
DECLARE BOT

tcpslice 1342584188.456 1342584188.457 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.100
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 07/17/2012 21:10:50.237 PDT
Gen. Time: 07/17/2012 21:10:50.237 PDT

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
  138.238.250.155 (21:10:50.237 PDT)
    event=1:9930005 {tcp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:BB:0C
    39273->49301 (21:10:50.237 PDT)
DECLARE BOT

tcpslice 1342584650.237 1342584650.238 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.100
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 07/17/2012 21:10:50.237 PDT
Gen. Time: 07/17/2012 21:14:58.176 PDT

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
  138.238.250.155 (2) (21:10:50.237 PDT)
    event=1:9930005 {tcp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:BB:0C
    39273->49301 (21:10:50.237 PDT)
    -------------------------
    event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:BB:0C
    2005->2001 (21:13:08.008 PDT)
DECLARE BOT

tcpslice 1342584650.237 1342584650.238 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.100
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 07/17/2012 21:23:08.008 PDT
Gen. Time: 07/17/2012 21:23:08.008 PDT

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
  138.238.250.155 (21:23:08.008 PDT)
    event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:BB:0C
    2003->2007 (21:23:08.008 PDT)
DECLARE BOT

tcpslice 1342585388.008 1342585388.009 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.100
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 07/17/2012 21:23:08.008 PDT
Gen. Time: 07/17/2012 21:27:16.715 PDT

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
  138.238.250.155 (2) (21:23:08.008 PDT)
    event=1:9930005 {tcp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:BB:0C
    35694->49302 (21:23:44.674 PDT)
    -------------------------
    event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:BB:0C
    2003->2007 (21:23:08.008 PDT)
DECLARE BOT

tcpslice 1342585388.008 1342585388.009 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100'

============================== SEPARATOR ================================

Score: 0.9 (>= 0.8)
Infected Target: 192.168.1.100
Infector List: 193.10.64.36
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 07/17/2012 21:29:41.412 PDT
Gen. Time: 07/17/2012 21:31:35.696 PDT

INBOUND SCAN
EXPLOIT
  193.10.64.36 (21:31:35.696 PDT)
    event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:BB:0C
    2004<-2008 (21:31:35.696 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
DECLARE BOT Standard Port
  80.82.144.94 (21:29:41.412 PDT)
    event=1:9920006 {udp} E8[std] BotHunter REPO confirmed botnet control server on standard port, [] MAC_Src: 00:21:5A:08:BB:0C
    42968->53 (21:29:41.412 PDT)
DECLARE BOT Non-standard Port
DECLARE BOT

tcpslice 1342585781.412 1342585781.413 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100'

============================== SEPARATOR ================================

Score: 1.2 (>= 0.8)
Infected Target: 192.168.1.100
Infector List: 193.10.64.36
Egg Source List:
C & C List: 84.22.106.30
Peer Coord. List:
Resource List:
Observed Start: 07/17/2012 21:31:35.696 PDT
Gen. Time: 07/17/2012 21:35:18.928 PDT

INBOUND SCAN
EXPLOIT
  193.10.64.36 (21:31:35.696 PDT)
    event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:BB:0C
    2004<-2008 (21:31:35.696 PDT)
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
  84.22.106.30 (21:34:03.715 PDT)
    event=1:3810008 {udp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:BB:0C
    35567->53 (21:34:03.715 PDT)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
  138.238.250.155 (21:33:08.014 PDT)
    event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:BB:0C
    2002->2001 (21:33:08.014 PDT)
  206.207.248.34 (21:34:41.456 PDT)
    event=1:9930005 {tcp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:BB:0C
    36324->42781 (21:34:41.456 PDT)
DECLARE BOT

tcpslice 1342585895.696 1342585895.697 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.100
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 07/17/2012 21:36:34.620 PDT
Gen. Time: 07/17/2012 21:36:34.620 PDT

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT
  81.19.66.51 (21:36:34.620 PDT)
    event=1:9910001 {udp} E8[rb] ET POLICY Spambot Host DNS MX Query High Count, [] MAC_Src: 00:21:5A:08:BB:0C
    58339->53 (21:36:34.620 PDT)

tcpslice 1342586194.620 1342586194.621 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.100
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 07/17/2012 21:36:34.620 PDT
Gen. Time: 07/17/2012 21:38:40.268 PDT

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT
  81.19.66.51 (21:36:34.620 PDT)
    event=1:9910001 {udp} E8[rb] ET POLICY Spambot Host DNS MX Query High Count, [] MAC_Src: 00:21:5A:08:BB:0C
    58339->53 (21:36:34.620 PDT)
  81.89.64.2 (21:37:31.407 PDT)
    event=1:9910001 {udp} E8[rb] ET POLICY Spambot Host DNS MX Query High Count, [] MAC_Src: 00:21:5A:08:BB:0C
    34198->53 (21:37:31.407 PDT)

tcpslice 1342586194.620 1342586194.621 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100'

============================== SEPARATOR ================================

Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.100
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 07/17/2012 21:38:55.879 PDT
Gen. Time: 07/17/2012 21:38:55.879 PDT

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT
  82.209.213.60 (21:38:55.879 PDT)
    event=1:9910001 {udp} E8[rb] ET POLICY Spambot Host DNS MX Query High Count, [] MAC_Src: 00:21:5A:08:BB:0C
    41837->53 (21:38:55.879 PDT)

tcpslice 1342586335.879 1342586335.880 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100'

============================== SEPARATOR ================================

Score: 0.9 (>= 0.8)
Infected Target: 192.168.1.100
Infector List:
Egg Source List:
C & C List: 84.22.106.30
Peer Coord. List:
Resource List:
Observed Start: 07/17/2012 21:44:15.592 PDT
Gen. Time: 07/17/2012 21:45:16.824 PDT

INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
  84.22.106.30 (21:44:15.592 PDT)
    event=1:3810008 {udp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:BB:0C
    50204->53 (21:44:15.592 PDT)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT
  80.82.150.2 (21:45:16.824 PDT)
    event=1:9910001 {udp} E8[rb] ET POLICY Spambot Host DNS MX Query High Count, [] MAC_Src: 00:21:5A:08:BB:0C
    32862->53 (21:45:16.824 PDT)

tcpslice 1342586655.592 1342586655.593 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100'

============================== SEPARATOR ================================

Score: 0.9 (>= 0.8)
Infected Target: 192.168.1.100
Infector List:
Egg Source List:
C & C List: 84.22.106.30
Peer Coord. List:
Resource List:
Observed Start: 07/17/2012 21:44:15.592 PDT
Gen.
Time: 07/17/2012 21:47:35.189 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) 84.22.106.30 (21:44:15.592 PDT) event=1:3810008 {udp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:BB:0C 50204->53 (21:44:15.592 PDT) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT 81.28.128.34 (21:46:28.364 PDT) event=1:9910001 {udp} E8[rb] ET POLICY Spambot Host DNS MX Query High Count, [] MAC_Src: 00:21:5A:08:BB:0C 60463->53 (21:46:28.364 PDT) 82.97.146.3 (21:47:35.189 PDT) event=1:9910001 {udp} E8[rb] ET POLICY Spambot Host DNS MX Query High Count, [] MAC_Src: 00:21:5A:08:BB:0C 59276->53 (21:47:35.189 PDT) 80.82.150.2 (21:45:16.824 PDT) event=1:9910001 {udp} E8[rb] ET POLICY Spambot Host DNS MX Query High Count, [] MAC_Src: 00:21:5A:08:BB:0C 32862->53 (21:45:16.824 PDT) tcpslice 1342586655.592 1342586655.593 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.100 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 07/17/2012 21:53:16.031 PDT Gen. 
Time: 07/17/2012 21:53:53.653 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 130.104.72.201 (21:53:16.031 PDT) event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:BB:0C 49302->49302 (21:53:16.031 PDT) DECLARE BOT tcpslice 1342587196.031 1342587196.032 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100' ============================== SEPARATOR ================================ Score: 1.3 (>= 0.8) Infected Target: 192.168.1.100 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: 82.195.235.37, 84.15.112.10 Observed Start: 07/17/2012 21:54:28.891 PDT Gen. Time: 07/17/2012 21:55:05.217 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP 82.195.235.37 (21:54:28.891 PDT) event=1:2003330 {udp} E6[rb] ET POLICY Possible Spambot Host DNS MX Query High Count, [] MAC_Src: 00:21:5A:08:BB:0C 57739->53 (21:54:28.891 PDT) 84.15.112.10 (21:54:48.380 PDT) event=1:2003330 {udp} E6[rb] ET POLICY Possible Spambot Host DNS MX Query High Count, [] MAC_Src: 00:21:5A:08:BB:0C 53709->53 (21:54:48.380 PDT) PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT 84.247.193.3 (21:55:05.217 PDT) event=1:9910001 {udp} E8[rb] ET POLICY Spambot Host DNS MX Query High Count, [] MAC_Src: 00:21:5A:08:BB:0C 46185->53 (21:55:05.217 PDT) tcpslice 1342587268.891 1342587268.892 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100' ============================== SEPARATOR ================================ Score: 1.6 (>= 0.8) Infected Target: 192.168.1.100 Infector List: 138.238.250.155 Egg Source List: C & 
C List: Peer Coord. List: Resource List: 82.195.235.37, 84.15.112.10 Observed Start: 07/17/2012 21:54:28.891 PDT Gen. Time: 07/17/2012 21:57:20.793 PDT INBOUND SCAN EXPLOIT 138.238.250.155 (21:55:09.941 PDT) event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:BB:0C 2001<-2006 (21:55:09.941 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP 82.195.235.37 (21:54:28.891 PDT) event=1:2003330 {udp} E6[rb] ET POLICY Possible Spambot Host DNS MX Query High Count, [] MAC_Src: 00:21:5A:08:BB:0C 57739->53 (21:54:28.891 PDT) 84.15.112.10 (21:54:48.380 PDT) event=1:2003330 {udp} E6[rb] ET POLICY Possible Spambot Host DNS MX Query High Count, [] MAC_Src: 00:21:5A:08:BB:0C 53709->53 (21:54:48.380 PDT) PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT 84.247.193.3 (21:55:05.217 PDT) event=1:9910001 {udp} E8[rb] ET POLICY Spambot Host DNS MX Query High Count, [] MAC_Src: 00:21:5A:08:BB:0C 46185->53 (21:55:05.217 PDT) tcpslice 1342587268.891 1342587268.892 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100' ============================== SEPARATOR ================================ Score: 0.9 (>= 0.8) Infected Target: 192.168.1.100 Infector List: Egg Source List: C & C List: 84.22.106.30 Peer Coord. List: Resource List: Observed Start: 07/17/2012 22:00:16.147 PDT Gen. 
Time: 07/17/2012 22:02:36.072 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) 84.22.106.30 (22:00:16.147 PDT) event=1:3810008 {udp} E4[nbr] ET Known Russian Business Network Monitored Domain, [] MAC_Src: 00:21:5A:08:BB:0C 53859->53 (22:00:16.147 PDT) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT 81.21.34.35 (22:02:36.072 PDT) event=1:9910001 {udp} E8[rb] ET POLICY Spambot Host DNS MX Query High Count, [] MAC_Src: 00:21:5A:08:BB:0C 60007->53 (22:02:36.072 PDT) 80.82.150.2 (22:01:31.862 PDT) event=1:9910001 {udp} E8[rb] ET POLICY Spambot Host DNS MX Query High Count, [] MAC_Src: 00:21:5A:08:BB:0C 40478->53 (22:01:31.862 PDT) tcpslice 1342587616.147 1342587616.148 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.100 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 07/17/2012 22:08:59.658 PDT Gen. Time: 07/17/2012 22:08:59.658 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT 216.104.128.37 (22:08:59.658 PDT) event=1:9910001 {udp} E8[rb] ET POLICY Spambot Host DNS MX Query High Count, [] MAC_Src: 00:21:5A:08:BB:0C 54555->53 (22:08:59.658 PDT) tcpslice 1342588139.658 1342588139.659 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100' ============================== SEPARATOR ================================ Score: 1.3 (>= 0.8) Infected Target: 192.168.1.100 Infector List: Egg Source List: C & C List: Peer Coord. 
List: Resource List: 216.19.223.25, 216.52.65.33, 216.39.112.5, 216.235.1.26, 216.8.252.218, 216.129.232.14 Observed Start: 07/17/2012 22:08:59.658 PDT Gen. Time: 07/17/2012 22:13:07.524 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP 216.19.223.25 (22:09:51.447 PDT) event=1:2003330 {udp} E6[rb] ET POLICY Possible Spambot Host DNS MX Query High Count, [] MAC_Src: 00:21:5A:08:BB:0C 42655->53 (22:09:51.447 PDT) 216.52.65.33 (22:10:22.735 PDT) event=1:2003330 {udp} E6[rb] ET POLICY Possible Spambot Host DNS MX Query High Count, [] MAC_Src: 00:21:5A:08:BB:0C 57458->53 (22:10:22.735 PDT) 216.39.112.5 (22:10:11.488 PDT) event=1:2003330 {udp} E6[rb] ET POLICY Possible Spambot Host DNS MX Query High Count, [] MAC_Src: 00:21:5A:08:BB:0C 57189->53 (22:10:11.488 PDT) 216.235.1.26 (22:09:59.673 PDT) event=1:2003330 {udp} E6[rb] ET POLICY Possible Spambot Host DNS MX Query High Count, [] MAC_Src: 00:21:5A:08:BB:0C 38888->53 (22:09:59.673 PDT) 216.8.252.218 (22:10:40.458 PDT) event=1:2003330 {udp} E6[rb] ET POLICY Possible Spambot Host DNS MX Query High Count, [] MAC_Src: 00:21:5A:08:BB:0C 45763->53 (22:10:40.458 PDT) 216.129.232.14 (22:09:07.691 PDT) event=1:2003330 {udp} E6[rb] ET POLICY Possible Spambot Host DNS MX Query High Count, [] MAC_Src: 00:21:5A:08:BB:0C 41391->53 (22:09:07.691 PDT) PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT 216.224.224.10 (22:09:58.651 PDT) event=1:9910001 {udp} E8[rb] ET POLICY Spambot Host DNS MX Query High Count, [] MAC_Src: 00:21:5A:08:BB:0C 39689->53 (22:09:58.651 PDT) 216.104.128.37 (22:08:59.658 PDT) event=1:9910001 {udp} E8[rb] ET POLICY Spambot Host DNS MX Query High Count, [] MAC_Src: 00:21:5A:08:BB:0C 54555->53 (22:08:59.658 PDT) tcpslice 1342588139.658 1342588139.659 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100' 
============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.100 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: 07/17/2012 22:13:27.111 PDT Gen. Time: 07/17/2012 22:13:27.111 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 129.93.229.138 (22:13:27.111 PDT) event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:BB:0C 33832->17914 (22:13:27.111 PDT) DECLARE BOT tcpslice 1342588407.111 1342588407.112 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100' ============================== SEPARATOR ================================ Score: 1.3 (>= 0.8) Infected Target: 192.168.1.100 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: 216.47.143.90, 216.19.2.83, 216.116.96.2, 216.7.191.4, 216.139.94.1, 216.241.29.51 Observed Start: 07/17/2012 22:13:27.111 PDT Gen. 
Time: 07/17/2012 22:16:21.930 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP 216.47.143.90 (22:14:54.106 PDT) event=1:2003330 {udp} E6[rb] ET POLICY Possible Spambot Host DNS MX Query High Count, [] MAC_Src: 00:21:5A:08:BB:0C 60759->53 (22:14:54.106 PDT) 216.19.2.83 (22:14:35.006 PDT) event=1:2003330 {udp} E6[rb] ET POLICY Possible Spambot Host DNS MX Query High Count, [] MAC_Src: 00:21:5A:08:BB:0C 59614->53 (22:14:35.006 PDT) 216.116.96.2 (22:14:07.934 PDT) event=1:2003330 {udp} E6[rb] ET POLICY Possible Spambot Host DNS MX Query High Count, [] MAC_Src: 00:21:5A:08:BB:0C 55645->53 (22:14:07.934 PDT) 216.7.191.4 (22:15:05.984 PDT) event=1:2003330 {udp} E6[rb] ET POLICY Possible Spambot Host DNS MX Query High Count, [] MAC_Src: 00:21:5A:08:BB:0C 48301->53 (22:15:05.984 PDT) 216.139.94.1 (22:14:13.785 PDT) event=1:2003330 {udp} E6[rb] ET POLICY Possible Spambot Host DNS MX Query High Count, [] MAC_Src: 00:21:5A:08:BB:0C 58294->53 (22:14:13.785 PDT) 216.241.29.51 (22:14:45.918 PDT) event=1:2003330 {udp} E6[rb] ET POLICY Possible Spambot Host DNS MX Query High Count, [] MAC_Src: 00:21:5A:08:BB:0C 60557->53 (22:14:45.918 PDT) PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 129.93.229.138 (22:13:27.111 PDT) event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:BB:0C 33832->17914 (22:13:27.111 PDT) DECLARE BOT tcpslice 1342588407.111 1342588407.112 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100' ============================== SEPARATOR ================================ Score: 1.3 (>= 0.8) Infected Target: 192.168.1.100 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: 212.68.66.182 Observed Start: 07/17/2012 22:17:59.300 PDT Gen. 
Time: 07/17/2012 22:18:12.981 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP 212.68.66.182 (22:17:59.300 PDT) event=1:2003330 {udp} E6[rb] ET POLICY Possible Spambot Host DNS MX Query High Count, [] MAC_Src: 00:21:5A:08:BB:0C 49513->53 (22:17:59.300 PDT) PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT 216.104.128.37 (22:18:12.981 PDT) event=1:9910001 {udp} E8[rb] ET POLICY Spambot Host DNS MX Query High Count, [] MAC_Src: 00:21:5A:08:BB:0C 43133->53 (22:18:12.981 PDT) tcpslice 1342588679.300 1342588679.301 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100' ============================== SEPARATOR ================================ Score: 1.3 (>= 0.8) Infected Target: 192.168.1.100 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: 216.241.132.2, 216.116.96.2, 212.68.66.182, 216.57.170.5, 216.47.128.12, 216.163.32.52, 216.18.201.130 Observed Start: 07/17/2012 22:17:59.300 PDT Gen. 
Time: 07/17/2012 22:22:07.514 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP 216.241.132.2 (22:18:44.025 PDT) event=1:2003330 {udp} E6[rb] ET POLICY Possible Spambot Host DNS MX Query High Count, [] MAC_Src: 00:21:5A:08:BB:0C 36860->53 (22:18:44.025 PDT) 216.116.96.2 (22:18:16.939 PDT) event=1:2003330 {udp} E6[rb] ET POLICY Possible Spambot Host DNS MX Query High Count, [] MAC_Src: 00:21:5A:08:BB:0C 35148->53 (22:18:16.939 PDT) 212.68.66.182 (22:17:59.300 PDT) event=1:2003330 {udp} E6[rb] ET POLICY Possible Spambot Host DNS MX Query High Count, [] MAC_Src: 00:21:5A:08:BB:0C 49513->53 (22:17:59.300 PDT) 216.57.170.5 (22:19:07.383 PDT) event=1:2003330 {udp} E6[rb] ET POLICY Possible Spambot Host DNS MX Query High Count, [] MAC_Src: 00:21:5A:08:BB:0C 42000->53 (22:19:07.383 PDT) 216.47.128.12 (22:18:56.889 PDT) event=1:2003330 {udp} E6[rb] ET POLICY Possible Spambot Host DNS MX Query High Count, [] MAC_Src: 00:21:5A:08:BB:0C 48437->53 (22:18:56.889 PDT) 216.163.32.52 (22:18:24.213 PDT) event=1:2003330 {udp} E6[rb] ET POLICY Possible Spambot Host DNS MX Query High Count, [] MAC_Src: 00:21:5A:08:BB:0C 40330->53 (22:18:24.213 PDT) 216.18.201.130 (22:18:33.848 PDT) event=1:2003330 {udp} E6[rb] ET POLICY Possible Spambot Host DNS MX Query High Count, [] MAC_Src: 00:21:5A:08:BB:0C 43747->53 (22:18:33.848 PDT) PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT 216.7.225.7 (22:19:10.975 PDT) event=1:9910001 {udp} E8[rb] ET POLICY Spambot Host DNS MX Query High Count, [] MAC_Src: 00:21:5A:08:BB:0C 52013->53 (22:19:10.975 PDT) 216.104.128.37 (22:18:12.981 PDT) event=1:9910001 {udp} E8[rb] ET POLICY Spambot Host DNS MX Query High Count, [] MAC_Src: 00:21:5A:08:BB:0C 43133->53 (22:18:12.981 PDT) tcpslice 1342588679.300 1342588679.301 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100' 
============================== SEPARATOR ================================ Score: 1.3 (>= 0.8) Infected Target: 192.168.1.100 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: 212.68.66.182 Observed Start: 07/17/2012 22:22:57.680 PDT Gen. Time: 07/17/2012 22:23:10.884 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP 212.68.66.182 (22:22:57.680 PDT) event=1:2003330 {udp} E6[rb] ET POLICY Possible Spambot Host DNS MX Query High Count, [] MAC_Src: 00:21:5A:08:BB:0C 46470->53 (22:22:57.680 PDT) PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT 216.104.128.37 (22:23:10.884 PDT) event=1:9910001 {udp} E8[rb] ET POLICY Spambot Host DNS MX Query High Count, [] MAC_Src: 00:21:5A:08:BB:0C 38922->53 (22:23:10.884 PDT) tcpslice 1342588977.680 1342588977.681 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100' ============================== SEPARATOR ================================ Score: 1.3 (>= 0.8) Infected Target: 192.168.1.100 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: 216.54.2.10, 216.211.191.9, 212.68.66.182, 216.240.135.98, 216.40.192.109, 216.162.160.248, 216.118.209.5 Observed Start: 07/17/2012 22:22:57.680 PDT Gen. 
Time: 07/17/2012 22:27:40.772 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP 216.54.2.10 (22:24:13.350 PDT) event=1:2003330 {udp} E6[rb] ET POLICY Possible Spambot Host DNS MX Query High Count, [] MAC_Src: 00:21:5A:08:BB:0C 46816->53 (22:24:13.350 PDT) 216.211.191.9 (22:23:47.754 PDT) event=1:2003330 {udp} E6[rb] ET POLICY Possible Spambot Host DNS MX Query High Count, [] MAC_Src: 00:21:5A:08:BB:0C 52792->53 (22:23:47.754 PDT) 212.68.66.182 (22:22:57.680 PDT) event=1:2003330 {udp} E6[rb] ET POLICY Possible Spambot Host DNS MX Query High Count, [] MAC_Src: 00:21:5A:08:BB:0C 46470->53 (22:22:57.680 PDT) 216.240.135.98 (22:23:55.628 PDT) event=1:2003330 {udp} E6[rb] ET POLICY Possible Spambot Host DNS MX Query High Count, [] MAC_Src: 00:21:5A:08:BB:0C 46360->53 (22:23:55.628 PDT) 216.40.192.109 (22:24:05.279 PDT) event=1:2003330 {udp} E6[rb] ET POLICY Possible Spambot Host DNS MX Query High Count, [] MAC_Src: 00:21:5A:08:BB:0C 57949->53 (22:24:05.279 PDT) 216.162.160.248 (22:23:24.247 PDT) event=1:2003330 {udp} E6[rb] ET POLICY Possible Spambot Host DNS MX Query High Count, [] MAC_Src: 00:21:5A:08:BB:0C 53280->53 (22:23:24.247 PDT) 216.118.209.5 (22:23:16.069 PDT) event=1:2003330 {udp} E6[rb] ET POLICY Possible Spambot Host DNS MX Query High Count, [] MAC_Src: 00:21:5A:08:BB:0C 47846->53 (22:23:16.069 PDT) PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port 138.238.250.155 (22:23:28.286 PDT) event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:BB:0C 2121->2121 (22:23:28.286 PDT) DECLARE BOT tcpslice 1342588977.680 1342588977.681 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100' ============================== SEPARATOR ================================ Score: 1.3 (>= 0.8) Infected Target: 192.168.1.100 Infector List: Egg 
Source List: C & C List: Peer Coord. List: Resource List: 66.233.104.5 Observed Start: 07/17/2012 22:28:04.320 PDT Gen. Time: 07/17/2012 22:28:12.294 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP 66.233.104.5 (22:28:04.320 PDT) event=1:2003330 {udp} E6[rb] ET POLICY Possible Spambot Host DNS MX Query High Count, [] MAC_Src: 00:21:5A:08:BB:0C 39576->53 (22:28:04.320 PDT) PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT 66.28.209.5 (22:28:12.294 PDT) event=1:9910001 {udp} E8[rb] ET POLICY Spambot Host DNS MX Query High Count, [] MAC_Src: 00:21:5A:08:BB:0C 45534->53 (22:28:12.294 PDT) tcpslice 1342589284.320 1342589284.321 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100' ============================== SEPARATOR ================================ Score: 1.3 (>= 0.8) Infected Target: 192.168.1.100 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: 66.6.152.93, 66.35.228.157, 66.233.104.5, 69.29.96.3, 69.227.255.7, 69.50.57.10, 68.28.178.91 Observed Start: 07/17/2012 22:28:04.320 PDT Gen. 
Time: 07/17/2012 22:32:07.386 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP 66.6.152.93 (22:28:24.509 PDT) event=1:2003330 {udp} E6[rb] ET POLICY Possible Spambot Host DNS MX Query High Count, [] MAC_Src: 00:21:5A:08:BB:0C 55959->53 (22:28:24.509 PDT) 66.35.228.157 (22:28:12.481 PDT) event=1:2003330 {udp} E6[rb] ET POLICY Possible Spambot Host DNS MX Query High Count, [] MAC_Src: 00:21:5A:08:BB:0C 55548->53 (22:28:12.481 PDT) 66.233.104.5 (22:28:04.320 PDT) event=1:2003330 {udp} E6[rb] ET POLICY Possible Spambot Host DNS MX Query High Count, [] MAC_Src: 00:21:5A:08:BB:0C 39576->53 (22:28:04.320 PDT) 69.29.96.3 (22:29:33.644 PDT) event=1:2003330 {udp} E6[rb] ET POLICY Possible Spambot Host DNS MX Query High Count, [] MAC_Src: 00:21:5A:08:BB:0C 41809->53 (22:29:33.644 PDT) 69.227.255.7 (22:29:24.138 PDT) event=1:2003330 {udp} E6[rb] ET POLICY Possible Spambot Host DNS MX Query High Count, [] MAC_Src: 00:21:5A:08:BB:0C 33425->53 (22:29:24.138 PDT) 69.50.57.10 (22:29:43.265 PDT) event=1:2003330 {udp} E6[rb] ET POLICY Possible Spambot Host DNS MX Query High Count, [] MAC_Src: 00:21:5A:08:BB:0C 44966->53 (22:29:43.265 PDT) 68.28.178.91 (22:29:10.704 PDT) event=1:2003330 {udp} E6[rb] ET POLICY Possible Spambot Host DNS MX Query High Count, [] MAC_Src: 00:21:5A:08:BB:0C 58170->53 (22:29:10.704 PDT) PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT 66.28.209.5 (22:28:12.294 PDT) event=1:9910001 {udp} E8[rb] ET POLICY Spambot Host DNS MX Query High Count, [] MAC_Src: 00:21:5A:08:BB:0C 45534->53 (22:28:12.294 PDT) 69.144.49.29 (22:29:14.952 PDT) event=1:9910001 {udp} E8[rb] ET POLICY Spambot Host DNS MX Query High Count, [] MAC_Src: 00:21:5A:08:BB:0C 51687->53 (22:29:14.952 PDT) tcpslice 1342589284.320 1342589284.321 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100' 
============================== SEPARATOR ================================ Score: 1.3 (>= 0.8) Infected Target: 192.168.1.100 Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: 66.234.16.14 Observed Start: 07/17/2012 22:32:31.847 PDT Gen. Time: 07/17/2012 22:32:38.966 PDT INBOUND SCAN EXPLOIT EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP 66.234.16.14 (22:32:31.847 PDT) event=1:2003330 {udp} E6[rb] ET POLICY Possible Spambot Host DNS MX Query High Count, [] MAC_Src: 00:21:5A:08:BB:0C 42314->53 (22:32:31.847 PDT) PEER COORDINATION DECLARE BOT Standard Port DECLARE BOT Non-standard Port DECLARE BOT 66.35.228.158 (22:32:38.966 PDT) event=1:9910001 {udp} E8[rb] ET POLICY Spambot Host DNS MX Query High Count, [] MAC_Src: 00:21:5A:08:BB:0C 48611->53 (22:32:38.966 PDT) tcpslice 1342589551.847 1342589551.848 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100' ============================== SEPARATOR ================================ Score: 2.1 (>= 0.8) Infected Target: 192.168.1.100 Infector List: 192.41.135.219, 141.213.4.202 Egg Source List: C & C List: Peer Coord. List: Resource List: 69.183.28.4, 69.197.153.253, 66.90.130.24, 66.38.150.194, 69.43.143.41, 66.51.206.100, 66.234.16.14 (3), 66.63.192.2, 68.28.58.92, 66.92.12.50, 68.252.180.11, 69.39.46.150, 66.76.175.71, 69.6.190.6 Observed Start: 07/17/2012 22:32:31.847 PDT Gen. 
Time: 07/17/2012 22:41:21.386 PDT INBOUND SCAN EXPLOIT 192.41.135.219 (22:34:39.700 PDT) event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:BB:0C 2003<-2004 (22:34:39.700 PDT) 141.213.4.202 (22:34:48.107 PDT) event=1:22012087 {udp} E2[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Dst: 00:21:5A:08:BB:0C 2005<-2007 (22:34:48.107 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN 138.48.3.201 (22:38:54.695 PDT) event=1:52012087 {udp} E5[rb] (experimental) SHELLCODE Possible Call with No Offset UDP Shellcode, [] MAC_Src: 00:21:5A:08:BB:0C 2004->2003 (22:38:54.695 PDT) ATTACK PREP 69.183.28.4 (22:33:41.121 PDT) event=1:2003330 {udp} E6[rb] ET POLICY Possible Spambot Host DNS MX Query High Count, [] MAC_Src: 00:21:5A:08:BB:0C 39538->53 (22:33:41.121 PDT) 69.197.153.253 (22:37:44.604 PDT) event=1:2003330 {udp} E6[rb] ET POLICY Possible Spambot Host DNS MX Query High Count, [] MAC_Src: 00:21:5A:08:BB:0C 52942->53 (22:37:44.604 PDT) 66.90.130.24 (22:33:14.072 PDT) event=1:2003330 {udp} E6[rb] ET POLICY Possible Spambot Host DNS MX Query High Count, [] MAC_Src: 00:21:5A:08:BB:0C 42946->53 (22:33:14.072 PDT) 66.38.150.194 (22:32:41.750 PDT) event=1:2003330 {udp} E6[rb] ET POLICY Possible Spambot Host DNS MX Query High Count, [] MAC_Src: 00:21:5A:08:BB:0C 37658->53 (22:32:41.750 PDT) 69.43.143.41 (22:37:53.974 PDT) event=1:2003330 {udp} E6[rb] ET POLICY Possible Spambot Host DNS MX Query High Count, [] MAC_Src: 00:21:5A:08:BB:0C 55306->53 (22:37:53.974 PDT) 66.51.206.100 (22:36:58.377 PDT) event=1:2003330 {udp} E6[rb] ET POLICY Possible Spambot Host DNS MX Query High Count, [] MAC_Src: 00:21:5A:08:BB:0C 45822->53 (22:36:58.377 PDT) 66.234.16.14 (3) (22:32:31.847 PDT) event=1:2003330 (3) {udp} E6[rb] ET POLICY Possible Spambot Host DNS MX Query High Count, [] MAC_Src: 
00:21:5A:08:BB:0C 42314->53 (22:32:31.847 PDT) 46444->53 (22:36:43.408 PDT) 54075->53 (22:41:21.386 PDT)
66.63.192.2 (22:32:48.984 PDT) event=1:2003330 {udp} E6[rb] ET POLICY Possible Spambot Host DNS MX Query High Count, [] MAC_Src: 00:21:5A:08:BB:0C 40341->53 (22:32:48.984 PDT)
68.28.58.92 (22:33:32.708 PDT) event=1:2003330 {udp} E6[rb] ET POLICY Possible Spambot Host DNS MX Query High Count, [] MAC_Src: 00:21:5A:08:BB:0C 54343->53 (22:33:32.708 PDT)
66.92.12.50 (22:37:24.529 PDT) event=1:2003330 {udp} E6[rb] ET POLICY Possible Spambot Host DNS MX Query High Count, [] MAC_Src: 00:21:5A:08:BB:0C 39257->53 (22:37:24.529 PDT)
68.252.180.11 (22:37:37.437 PDT) event=1:2003330 {udp} E6[rb] ET POLICY Possible Spambot Host DNS MX Query High Count, [] MAC_Src: 00:21:5A:08:BB:0C 44648->53 (22:37:37.437 PDT)
69.39.46.150 (22:33:51.945 PDT) event=1:2003330 {udp} E6[rb] ET POLICY Possible Spambot Host DNS MX Query High Count, [] MAC_Src: 00:21:5A:08:BB:0C 50166->53 (22:33:51.945 PDT)
66.76.175.71 (22:37:06.215 PDT) event=1:2003330 {udp} E6[rb] ET POLICY Possible Spambot Host DNS MX Query High Count, [] MAC_Src: 00:21:5A:08:BB:0C 47240->53 (22:37:06.215 PDT)
69.6.190.6 (22:34:02.627 PDT) event=1:2003330 {udp} E6[rb] ET POLICY Possible Spambot Host DNS MX Query High Count, [] MAC_Src: 00:21:5A:08:BB:0C 41965->53 (22:34:02.627 PDT)
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
128.2.211.114 (22:33:28.117 PDT) event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:BB:0C 4121->4121 (22:33:28.117 PDT)
DECLARE BOT
tcpslice 1342589551.847 1342589551.848 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.100
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 07/17/2012 22:41:27.359 PDT
Gen. Time: 07/17/2012 22:41:27.359 PDT
INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT
66.35.228.158 (22:41:27.359 PDT) event=1:9910001 {udp} E8[rb] ET POLICY Spambot Host DNS MX Query High Count, [] MAC_Src: 00:21:5A:08:BB:0C 46678->53 (22:41:27.359 PDT)
tcpslice 1342590087.359 1342590087.360 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100'
============================== SEPARATOR ================================
Score: 1.3 (>= 0.8)
Infected Target: 192.168.1.100
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List: 69.50.60.8, 69.90.67.11, 68.87.66.199, 68.186.37.195, 66.63.192.2, 66.90.130.24, 69.28.104.5, 66.37.238.30
Observed Start: 07/17/2012 22:41:30.202 PDT
Gen. Time: 07/17/2012 22:45:44.494 PDT
INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
69.50.60.8 (22:42:39.334 PDT) event=1:2003330 {udp} E6[rb] ET POLICY Possible Spambot Host DNS MX Query High Count, [] MAC_Src: 00:21:5A:08:BB:0C 54379->53 (22:42:39.334 PDT)
69.90.67.11 (22:45:44.494 PDT) event=1:2003330 {udp} E6[rb] ET POLICY Possible Spambot Host DNS MX Query High Count, [] MAC_Src: 00:21:5A:08:BB:0C 37671->53 (22:45:44.494 PDT)
68.87.66.199 (22:42:19.090 PDT) event=1:2003330 {udp} E6[rb] ET POLICY Possible Spambot Host DNS MX Query High Count, [] MAC_Src: 00:21:5A:08:BB:0C 42777->53 (22:42:19.090 PDT)
68.186.37.195 (22:42:12.823 PDT) event=1:2003330 {udp} E6[rb] ET POLICY Possible Spambot Host DNS MX Query High Count, [] MAC_Src: 00:21:5A:08:BB:0C 55529->53 (22:42:12.823 PDT)
66.63.192.2 (22:41:37.972 PDT) event=1:2003330 {udp} E6[rb] ET POLICY Possible Spambot Host DNS MX Query High Count, [] MAC_Src: 00:21:5A:08:BB:0C 41865->53 (22:41:37.972 PDT)
66.90.130.24 (22:42:02.744 PDT) event=1:2003330 {udp} E6[rb] ET POLICY Possible Spambot Host DNS MX Query High Count, [] MAC_Src: 00:21:5A:08:BB:0C 35158->53 (22:42:02.744 PDT)
69.28.104.5 (22:42:30.359 PDT) event=1:2003330 {udp} E6[rb] ET POLICY Possible Spambot Host DNS MX Query High Count, [] MAC_Src: 00:21:5A:08:BB:0C 45026->53 (22:42:30.359 PDT)
66.37.238.30 (22:41:30.202 PDT) event=1:2003330 {udp} E6[rb] ET POLICY Possible Spambot Host DNS MX Query High Count, [] MAC_Src: 00:21:5A:08:BB:0C 34241->53 (22:41:30.202 PDT)
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
130.104.72.201 (22:43:36.353 PDT) event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:BB:0C 49302->49302 (22:43:36.353 PDT)
DECLARE BOT
tcpslice 1342590090.202 1342590090.203 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100'
============================== SEPARATOR ================================
Score: 0.8 (>= 0.8)
Infected Target: 192.168.1.100
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List:
Observed Start: 07/17/2012 22:45:49.860 PDT
Gen. Time: 07/17/2012 22:45:49.860 PDT
INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT
72.2.10.4 (22:45:49.860 PDT) event=1:9910001 {udp} E8[rb] ET POLICY Spambot Host DNS MX Query High Count, [] MAC_Src: 00:21:5A:08:BB:0C 44041->53 (22:45:49.860 PDT)
tcpslice 1342590349.860 1342590349.861 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100'
============================== SEPARATOR ================================
Score: 1.3 (>= 0.8)
Infected Target: 192.168.1.100
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List: 72.51.142.46, 76.164.128.4, 74.124.203.65
Observed Start: 07/17/2012 22:45:49.860 PDT
Gen. Time: 07/17/2012 22:50:06.572 PDT
INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
72.51.142.46 (22:45:56.183 PDT) event=1:2003330 {udp} E6[rb] ET POLICY Possible Spambot Host DNS MX Query High Count, [] MAC_Src: 00:21:5A:08:BB:0C 46278->53 (22:45:56.183 PDT)
76.164.128.4 (22:46:20.321 PDT) event=1:2003330 {udp} E6[rb] ET POLICY Possible Spambot Host DNS MX Query High Count, [] MAC_Src: 00:21:5A:08:BB:0C 46650->53 (22:46:20.321 PDT)
74.124.203.65 (22:46:04.251 PDT) event=1:2003330 {udp} E6[rb] ET POLICY Possible Spambot Host DNS MX Query High Count, [] MAC_Src: 00:21:5A:08:BB:0C 58830->53 (22:46:04.251 PDT)
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT
80.244.244.244 (22:47:20.156 PDT) event=1:9910001 {udp} E8[rb] ET POLICY Spambot Host DNS MX Query High Count, [] MAC_Src: 00:21:5A:08:BB:0C 57482->53 (22:47:20.156 PDT)
72.2.10.4 (22:45:49.860 PDT) event=1:9910001 {udp} E8[rb] ET POLICY Spambot Host DNS MX Query High Count, [] MAC_Src: 00:21:5A:08:BB:0C 44041->53 (22:45:49.860 PDT)
tcpslice 1342590349.860 1342590349.861 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100'
============================== SEPARATOR ================================
Score: 1.3 (>= 0.8)
Infected Target: 192.168.1.100
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List: 69.90.67.11
Observed Start: 07/17/2012 22:50:30.059 PDT
Gen. Time: 07/17/2012 22:50:33.358 PDT
INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
69.90.67.11 (22:50:30.059 PDT) event=1:2003330 {udp} E6[rb] ET POLICY Possible Spambot Host DNS MX Query High Count, [] MAC_Src: 00:21:5A:08:BB:0C 59596->53 (22:50:30.059 PDT)
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
DECLARE BOT
72.2.10.4 (22:50:33.358 PDT) event=1:9910001 {udp} E8[rb] ET POLICY Spambot Host DNS MX Query High Count, [] MAC_Src: 00:21:5A:08:BB:0C 40274->53 (22:50:33.358 PDT)
tcpslice 1342590630.059 1342590630.060 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100'
============================== SEPARATOR ================================
Score: 1.3 (>= 0.8)
Infected Target: 192.168.1.100
Infector List:
Egg Source List:
C & C List:
Peer Coord. List:
Resource List: 80.252.130.254, 77.220.64.36, 69.90.67.11, 76.14.0.9, 74.113.105.201, 74.253.12.12
Observed Start: 07/17/2012 22:50:30.059 PDT
Gen. Time: 07/17/2012 22:53:39.234 PDT
INBOUND SCAN
EXPLOIT
EXPLOIT MALWARE DNS
EGG DOWNLOAD
C and C TRAFFIC
C and C TRAFFIC (RBN)
C and C DNS CHECK-IN
OUTBOUND SKYPE CANDIDATE
OUTBOUND SCAN (spp)
OUTBOUND SCAN
ATTACK PREP
80.252.130.254 (22:52:04.407 PDT) event=1:2003330 {udp} E6[rb] ET POLICY Possible Spambot Host DNS MX Query High Count, [] MAC_Src: 00:21:5A:08:BB:0C 36743->53 (22:52:04.407 PDT)
77.220.64.36 (22:51:14.607 PDT) event=1:2003330 {udp} E6[rb] ET POLICY Possible Spambot Host DNS MX Query High Count, [] MAC_Src: 00:21:5A:08:BB:0C 53254->53 (22:51:14.607 PDT)
69.90.67.11 (22:50:30.059 PDT) event=1:2003330 {udp} E6[rb] ET POLICY Possible Spambot Host DNS MX Query High Count, [] MAC_Src: 00:21:5A:08:BB:0C 59596->53 (22:50:30.059 PDT)
76.14.0.9 (22:51:05.190 PDT) event=1:2003330 {udp} E6[rb] ET POLICY Possible Spambot Host DNS MX Query High Count, [] MAC_Src: 00:21:5A:08:BB:0C 60549->53 (22:51:05.190 PDT)
74.113.105.201 (22:50:43.305 PDT) event=1:2003330 {udp} E6[rb] ET POLICY Possible Spambot Host DNS MX Query High Count, [] MAC_Src: 00:21:5A:08:BB:0C 45878->53 (22:50:43.305 PDT)
74.253.12.12 (22:50:52.351 PDT) event=1:2003330 {udp} E6[rb] ET POLICY Possible Spambot Host DNS MX Query High Count, [] MAC_Src: 00:21:5A:08:BB:0C 45722->53 (22:50:52.351 PDT)
PEER COORDINATION
DECLARE BOT Standard Port
DECLARE BOT Non-standard Port
130.104.72.201 (22:53:39.234 PDT) event=1:9930006 {udp} E8[unk] BotHunter REPO confirmed botnet control server on non-standard port, [] MAC_Src: 00:21:5A:08:BB:0C 49302->49302 (22:53:39.234 PDT)
DECLARE BOT
tcpslice 1342590630.059 1342590630.060 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.100'
============================== SEPARATOR ================================